Skip to content

fix(installer): skip Step-5 pre-verify for freshly-minted credentials (→ v1.8.3)#293

Merged
saadqbal merged 1 commit into
developfrom
fix/skip-verify-minted-credential
Jul 1, 2026
Merged

fix(installer): skip Step-5 pre-verify for freshly-minted credentials (→ v1.8.3)#293
saadqbal merged 1 commit into
developfrom
fix/skip-verify-minted-credential

Conversation

@saadqbal

@saadqbal saadqbal commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Third R8 curl | bash install regression from the #279 reorder — found by running the installer end to end (Step 5 this time).

The bug

The reorder mints the credential (Step 3) and deploys the client pod (Step 4) before Step 5's verify_credentials. A freshly-minted client is "set to enroll" — it activates only once the deployed pod connects — so verify_credentials (same api-token-auth jobs-manager uses) returns 400/invalid and hard-fails a perfectly good install:

✖ TRACEBLOC_CLIENT_ID / TRACEBLOC_CLIENT_PASSWORD was rejected by tracebloc

(Confirmed on a real install: Step 3 provisioned client 1052, Step 4 Helm-installed, Step 5 rejected it.)

Fix (Option 1 — trust the mint)

A minted credential is valid by construction, so pre-verifying adds no correctness value and only races enrollment.

  • provision.sh: exports TRACEBLOC_CLIENT_MINTED=1 on the mint path (cleared up front; not set on adopt / dual-mode).
  • install_client_helm Step 5: when minted, skip verify_credentials — show non-fatal "Provisioned client N — it will connect and appear at ai.tracebloc.io/clients shortly". User-entered / dual-mode creds still verify (those can be wrong).

Chart 1.8.2 → 1.8.3; manifest.sha256 regenerated (both scripts are R8-pinned).

Tests

  • provision.bats: mint sets MINTED=1, adopt doesn't.
  • install-client-helm.bats: new — a minted credential skips verify and succeeds even when verify would return invalid (fails loudly if the skip regresses).
  • shellcheck clean; gen-manifest --check passes; provision.bats 12/12.

Lands on develop; a matching PR to main cuts v1.8.3.


Note

Medium Risk
Changes installer credential handling for the mint path only; user-entered and preset env creds still go through api-token-auth verification.

Overview
Fixes a curl | bash install failure where Step 5 verify_credentials rejects credentials that Step 3 just minted: new clients stay “set to enroll” until the pod connects, so api-token-auth returns 400 even when the install is valid.

provision.sh clears TRACEBLOC_CLIENT_MINTED at entry (so a stale env cannot skip verify), sets TRACEBLOC_CLIENT_MINTED=1 only on the client create mint path—not on adopt or dual-mode preset creds.

install_client_helm Step 5 skips verify_credentials when TRACEBLOC_CLIENT_MINTED=1 and shows a success message that the client will connect shortly; user-supplied / env creds without the mint flag still verify as before.

Helm chart 1.8.2 → 1.8.3; manifest.sha256 updated for the touched install scripts. Bats cover mint MINTED=1, adopt without it, and the minted skip even when verify would return invalid.

Reviewed by Cursor Bugbot for commit c9274fc. Bugbot is set up for automated code reviews on this repo. Configure here.

Third R8 install regression found running curl|bash end to end: the #279 reorder
mints the credential (Step 3) and deploys the client pod (Step 4) BEFORE Step 5's
verify_credentials. A freshly minted client is "set to enroll" — it goes active
only once the deployed pod connects — so verify_credentials (api-token-auth)
returns 400/invalid and hard-fails a perfectly good install:
  "TRACEBLOC_CLIENT_ID / TRACEBLOC_CLIENT_PASSWORD was rejected by tracebloc".

A minted credential is valid by construction (client create just made it), so
pre-verifying it adds no correctness value and only races enrollment. Trust the
mint; the deployed pod enrolls the client.

- provision.sh: export TRACEBLOC_CLIENT_MINTED=1 on the mint path (cleared up
  front, not set on adopt / dual-mode).
- install_client_helm Step 5: when minted, skip verify_credentials and show a
  non-fatal "Provisioned client N — it will connect shortly" instead of erroring.
  User-entered / dual-mode creds still verify (those can be wrong).
- manifest.sha256 regenerated (provision.sh + install-client-helm.sh are pinned);
  chart 1.8.2 -> 1.8.3.

Tests: provision.bats asserts the mint sets MINTED (adopt doesn't); install-client-
helm.bats adds a test that a minted credential skips verify and succeeds even when
verify would return invalid. shellcheck clean; gen-manifest --check passes.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@saadqbal saadqbal self-assigned this Jul 1, 2026
@saadqbal saadqbal merged commit 8b4a429 into develop Jul 1, 2026
39 checks passed
saadqbal added a commit that referenced this pull request Jul 2, 2026
…vert #293 → v1.8.4) (#295)

#293 skipped verify_credentials for freshly-minted credentials on the premise
that a minted client is "set to enroll" and only goes active once the pod
connects, so the api-token-auth pre-verify would 400 on a valid credential.
That premise was wrong. The real reason verify 400'd was a CLI bug
(tracebloc/cli#125): `client create` wrote the numeric dashboard id — not the
UUID username — as TRACEBLOC_CLIENT_ID, which is the auth username. The
credential was genuinely invalid; verify_credentials was a correct canary that
#293 masked, letting the install "succeed" while the pod crash-looped on
"Unable to log in with provided credentials".

With cli#125 fixed (v0.5.1), a minted credential is valid and verify passes.
Restore the canary so a bad credential fails loudly at install time (Step 5)
instead of silently at pod runtime:

- install-client-helm.sh: drop the TRACEBLOC_CLIENT_MINTED skip branch; always
  verify_credentials in Step 5 (mint, adopt, and dual-mode alike).
- provision.sh: drop the TRACEBLOC_CLIENT_MINTED marker (now unused).
- tests + manifest.sha256: reverted to the pre-#293 state.
- Chart: 1.8.3 → 1.8.4 (forward; not a version rollback).

DEPENDS ON tracebloc/cli#125 (v0.5.1) being the latest CLI release — the
installer fetches the CLI fresh, so the canary only passes once v0.5.1 mints
the correct UUID username. Do not release this chart before v0.5.1 is out.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants