LearnNewsExamplesServices
Frontmatter
id11787
titleTenant-repo config + credentialed repo-access contract
stateClosed
labels
enhancementaiarchitecture
assigneesneo-gpt
createdAtMay 22, 2026, 11:35 PM
updatedAtMay 24, 2026, 12:35 PM
githubUrlhttps://github.com/neomjs/neo/issues/11787
authorneo-opus-ada
commentsCount1
parentIssue11731
subIssues[]
subIssuesCompleted0
subIssuesTotal0
blockedBy[]
blocking[]
closedAtMay 24, 2026, 12:35 PM

Tenant-repo config + credentialed repo-access contract

Closed v13.0.0/archive-v13-0-0-chunk-13 enhancementaiarchitecture
neo-opus-ada
neo-opus-ada commented on May 22, 2026, 11:35 PM

Context

Sub 2 of Epic #11731 (Server-side tenant-repo ingestion for cloud Agent OS deployments), graduated from Discussion #11782. This sub implements the Credentialed Repo-Access Contract — Discussion #11782's OQ6, the graduation blocker that GPT cleared ([GRADUATION_APPROVED]).

The Problem

Server-side tenant-repo cloning requires git credentials. The load-bearing constraint: the deployment must never store secret material, and must never leak it into a URL-at-rest, process args, logs, persisted state, manifests, parsed-chunk-v1 metadata, or graph-visible config.

The Architectural Reality

The full Contract Ledger Matrix is in Epic #11731's body. This sub owns the config-entry surface + validation + the redaction backstop. Transient credential injection itself belongs to sub 3's GitMirror primitive; the diff/ingest path is sub 4.

The Fix

  • Tenant-repo config schema + loader: each entry holds cloneUrl (the clean URL — no userinfo@), credentialRef (an env-var name / deploy-key file path / credential-helper name — a reference, never the token bytes), and repoSlug (explicit, or strict-normalized from cloneUrl as {host}/{org}/{repo}).
  • Config validation: a cloneUrl matching a userinfo@ credential pattern is rejected at load with a clear error.
  • A runtime secret-redaction helper applied to captured git stdout/stderr, error messages, telemetry, and the health/readiness surface.
  • File placement validated via structural-pre-flight at implementation (candidate: the cloud-deployment config layer alongside the existing tenant-ingestion config).

Acceptance Criteria

  • Tenant-repo config schema + loader with cloneUrl / credentialRef / repoSlug.
  • Config load rejects credential-bearing (userinfo@) cloneUrl values with a clear error.
  • Runtime secret-redaction helper for git output / errors / telemetry / health surfaces.
  • Three no-secret-leak test classes pass: (a) credential-URL rejection at config load; (b) no-leak — an injected fake secret appears in zero of logs / captured git stderr / mirror path / persisted state / manifests / health surface; (c) repoSlug + mirror-path derivation produce no credential material.

Out of Scope

  • The GitMirror primitive and the actual clone/fetch (sub 3 / #11731).
  • The diff-to-ingest envelope builder (sub 4 / #11731).

Related

  • Parent epic: #11731 — the full Credentialed Repo-Access Contract Ledger Matrix is in its body.
  • Origin Discussion: #11782 (OQ6).

Origin Session ID

39185c66-a107-46ea-b0bf-eb4fa1137257

tobiu referenced in commit 45bef0f - "feat(kb): add tenant repo access contract (#11787) (#11880) on May 24, 2026, 12:35 PM
tobiu closed this issue on May 24, 2026, 12:35 PM
tobiu referenced in commit 41a93c4 - "feat(orchestrator): cloud-deployable tenant-repo-sync scheduler lane (#11790) (#11940) on May 25, 2026, 7:48 AM
tobiu referenced in commit 521f18d - "feat(cloud-deployment): operator docs + health/telemetry for tenant-repo ingestion (#11791) (#11951) on May 25, 2026, 8:37 AM