fix(init): harden inline reviewer credentials

docs/init-config-surface.md

@@ -68,7 +68,7 @@ intentionally unsupported.
 | config.profiles.<name>.git.identity_cache | Not shown as an editable init field. Preserve only. | Intentionally unsupported for init and config mutation. Runtime identity refresh owns it. | Existing cache is preserved. New profiles omit it. | Preserve unless a future explicit cache invalidation ticket owns behavior. Profile rename does not rewrite cache contents. | Preserve-only regression in #177/#180. |
 | config.profiles.<name>.reviewer_credentials | Optional reviewer credential section. Wizard supports skip, preserve, enable, edit, or clear reviewer config. | Existing `cr init --reviewer-credential-ref` and `--reviewer-auth-mode` own enable/edit. `cr init --disable-reviewer` owns scripted removal. | Omitted means posting uses Git credentials. Existing section is pre-populated. | Clear removes the whole section. Enable requires auth mode and credential ref. Ref must differ from Git and LLM refs. | #179 planner and #180 optional section tests. #181 secret ingress tests. |
 | config.profiles.<name>.reviewer_credentials.auth_mode | Reviewer wizard chooses PAT or GitHub App; `oauth_device` remains reserved. | Existing `cr init --reviewer-auth-mode`. | Current init defaults reviewer mode to `pat` when reviewer credentials are requested. Existing value is pre-populated. | Overwrite only to supported v1 modes. Switching modes re-plans key specs and preserves old secrets unless explicit overwrite/migration occurs. | #179 credential bundle tests for PAT and GitHub App. |
-| config.profiles.<name>.reviewer_credentials.credential_ref | Credential-ref planner chooses reviewer Git ref. | Existing `cr init --reviewer-credential-ref`; `cr set-credential` writes secrets. | New reviewer section defaults to `codereview/<profile>-reviewer`. Existing ref is pre-populated and preserved. | Flattened interactive init shows the effective reviewer storage label only when a separate reviewer entity is active. Leaving the field at its effective default means "follow the selected reviewer entity's default label" across later entity changes; entering a different value makes it a preserved custom override. Switching back to posting with the profile Git account clears the reviewer ref from config. | #179 planner tests collision handling. #181 secret ingress tests. |
+| config.profiles.<name>.reviewer_credentials.credential_ref | Credential-ref planner chooses reviewer Git ref. | Existing `cr init --reviewer-credential-ref`; `cr set-credential` writes secrets. | New reviewer section defaults to `codereview/<profile>-reviewer`, or `codereview/<label>-reviewer` when the user types a new reviewer entity label. Existing ref is pre-populated and preserved. | Flattened interactive init shows the effective reviewer storage label only when a separate reviewer entity is active. Label-derived defaults apply only while creating a new reviewer and before the user manually edits the storage label. Editing an existing reviewer label never migrates the credential ref. Switching back to posting with the profile Git account clears the reviewer ref from config. | #179 planner tests collision handling. #181 secret ingress tests. |
 | config.profiles.<name>.reviewer_credentials.display_name | Reviewer wizard lets the user set or clear a human-friendly label for a separate reviewer entity. | Interactive `cr init` only for now. No dedicated scripted owner yet. | Empty means chooser labels fall back to deterministic credential-ref/profile-derived text. Existing value is pre-populated. | Preserve on skip. Overwrite trims surrounding whitespace. Clear is valid and returns the entity to fallback labeling. Conflicting labels across profiles that share one reviewer identity do not create duplicate identities; the shared chooser entry falls back to deterministic identity text until one label wins. | #244 tests round-trip, validation, shared-identity conflict fallback, and chooser labeling. |
 | config.profiles.<name>.reviewer_credentials.identity_cache | Not shown as an editable init field. Preserve only. | Intentionally unsupported for init and config mutation. Runtime identity refresh owns it. | Existing cache is preserved. New reviewer sections omit it. | Preserve unless a future explicit cache invalidation ticket owns behavior. | Preserve-only regression in #177/#180. |
 | config.profiles.<name>.llm.provider | Core profile wizard chooses provider. | Existing `cr init --llm-provider`. | Current init defaults to `anthropic`. Existing value is pre-populated. | Overwrite validates provider and may require compatible auth/adapter/key specs. | #179 provider credential planning. #180 provider/auth/adapter compatibility tests. |
@@ -158,8 +158,8 @@ owns interactive secret ingress.
 | Purpose | Auth/provider | Ref default | Required keys | Optional keys | Keep/defer/overwrite semantics | Migration rule |
 |---------|---------------|-------------|---------------|---------------|--------------------------------|----------------|
 | User Git auth | `pat` | `codereview/<profile>` | `git_token` | None | Keep preserves existing ref and key. Defer stores ref and prints follow-up `cr set-credential`. Overwrite writes `git_token` through keyring only. | Profile rename preserves ref. Regenerate only with explicit key migration or overwrite. |
-| Reviewer Git auth | `pat` | `codereview/<profile>-reviewer` | `git_token` | None | Same as user Git, but ref must differ from user Git ref. Clearing the reviewer section removes the ref from config but does not delete secrets. | Profile rename preserves ref unless #181 migrates or overwrites. |
-| User or reviewer Git auth | `github_app` | Same purpose-specific defaults as PAT | `github_app_id`, `github_app_private_key` | `github_app_installation_id` | Keep preserves bundle. Defer stores ref and prints one follow-up command per key. Overwrite writes only keys the user provided, with required-key validation before saving. | Migration is bundle-wide: never leave config pointing at a partially moved bundle. |
+| Reviewer Git auth | `pat` | `codereview/<profile>-reviewer`, or label-derived for new interactive reviewer entities | `git_token` | None | Interactive reviewer setup collects `git_token` inline before staging a new or changed reviewer ref. Keep preserves an unchanged existing ref. Clearing the reviewer section removes the ref from config but does not delete secrets. | Profile rename and reviewer label edits preserve existing refs. No implicit ref migration. |
+| User or reviewer Git auth | `github_app` | Same purpose-specific defaults as PAT | `github_app_id`, `github_app_private_key` | `github_app_installation_id` | Keep preserves bundle. Interactive reviewer setup collects required GitHub App keys inline before staging a new or changed reviewer ref; optional installation ID may be left blank. Scripted/deferred flows print one follow-up command per required key. Overwrite writes only keys the user provided, with required-key validation before saving. | Migration is bundle-wide and explicit only: never leave config pointing at a partially moved bundle. |
 | Git auth | `oauth_device` | None | None | None | Unsupported in v1. The wizard must not offer it as a selectable mode. | Future OAuth work must amend this document. |
 | LLM API key | `anthropic` + `api_key` | `codereview/<profile>-llm` | `anthropic_api_key` | None | Keep preserves existing ref. Defer stores ref only if the key already exists or follow-up is clearly rendered. Overwrite writes provider key through keyring. | Preserve custom refs on rename. Regeneration requires explicit migration/overwrite. |
 | LLM API key | `openai` + `api_key` | `codereview/<profile>-llm` | `openai_api_key` | None | Same as Anthropic API-key auth. | Same as Anthropic API-key auth. |
@@ -202,7 +202,8 @@ Scripted installs should remain readable. The intended shape is:
 
 1. Run `cr init --non-interactive` for the profile's core non-secret config and
    any secrets intentionally supplied through stdin/env ingress.
-2. Use `cr set-credential` for deferred or multi-key credential bundles.
+2. Use `cr set-credential` for scripted, deferred, or post-init credential
+   bundles.
 3. Use `cr config default`, `cr config route`, `cr config agent-source`,
    `cr config llm models`, and `cr config retention` for narrow idempotent
    mutations.

docs/init-ux-contract.md

@@ -144,18 +144,18 @@ Until the user chooses **Commit staged changes and exit**:
 
 Interactive `init` must offer both:
 
-- **Commit staged changes and exit**: validate the draft, collect or defer any
-  still-unhandled required secrets, then write config and keyring state in the
-  defined final commit order
+- **Commit staged changes and exit**: validate the draft, write any staged
+  secret values, then write config and keyring state in the defined final
+  commit order
 - **Discard staged changes and exit**: discard the draft and leave both config and
   keyring untouched
 
 Credential values may be collected inside the relevant subflow once the user has
-enough local context to understand why each secret is needed. For example,
-reviewer-entity setup may collect PAT or GitHub App reviewer secrets immediately
-after the reviewer settings are staged. Those values remain draft-local until
-commit; final commit still handles untouched or deferred Git, reviewer, and LLM
-credential refs.
+enough local context to understand why each secret is needed. Reviewer-entity
+setup collects the required PAT or GitHub App reviewer secrets inline on the
+reviewer details page before a new reviewer can be staged. Those values remain
+draft-local until commit; final commit still handles untouched or deferred Git
+and LLM credential refs.
 
 If the user cancels during credential collection, whether from a subflow or after
 choosing **Commit staged changes and exit**, any pending secret values remain
@@ -177,7 +177,9 @@ selected reviewer credential ref:
 - `staged` means a draft-local value will be written at final commit.
 - `skipped optional` means the user explicitly skipped an optional key in the
   current draft.
-- `deferred` means the user deferred a required key in the current draft.
+- `deferred` means the user deferred a required key in the current draft. New
+  interactive reviewer setup should not offer deferral for required reviewer
+  keys; they must be entered inline before staging.
 - `optional` means an optional key has no staged, skipped, or existing value.
 - `status unavailable` means the backend or key contract could not be inspected,
   so the UI must not claim a key is missing.
@@ -313,6 +315,10 @@ Primary-path users should not be asked for `credential_ref` values directly.
 Instead:
 
 - defaults should be generated automatically
+- new reviewer defaults may follow the typed entity label, for example
+  `rianjs-bot` becomes `codereview/rianjs-bot-reviewer`
+- changing an existing reviewer label must not migrate or rename the existing
+  credential-store ref
 - users who need an override may edit the relevant inline **storage label**
   fields for Git, reviewer, or LLM secrets
 - irrelevant reviewer/LLM storage-label fields should stay hidden when the