Dataface Tasks

GitHub integration auth for repo sync

ID: M2-CLOUD-003
Status: not_started
Priority: p1
Milestone: m2-internal-adoption-design-partners
Owner: ui-design-frontend-dev

Problem

Cloud Suite needs GitHub-backed repo sync and integration access, but that is a different problem from end-user account login. If GitHub authorization is mixed into the primary app sign-in design too early, the product risks conflating identity, repo authorization, and org-installation concerns. That makes launch auth harder to reason about and complicates user onboarding, token storage, and permissions review.

Context

  • This task depends on task-m1-suite-google-auth-permissions-sync.md completing first.
  • Google login should establish who the user is; GitHub integration auth should establish what repositories the app can access.
  • The app may ultimately use either GitHub OAuth or a GitHub App depending on the sync model.
  • This task is about integration authorization for repo sync, not about adding “Sign in with GitHub” as the primary user login.

Possible Solutions

  • Recommended: Keep user login on Google/Okta and implement GitHub authorization as a separate integration flow.
      • Cleanly separates identity from repo permissions.
      • Leaves room to choose between GitHub OAuth and a GitHub App based on sync needs.
      • Better long-term fit for organization/repository access management.
  • Add GitHub as just another top-level login provider and reuse that token for repo sync.
      • Faster short term, but mixes app identity with GitHub integration scope and makes future permission handling messy.
  • Use only backend-managed GitHub App installs with no user-driven auth flow.
      • May be correct long term, but needs product and repo-ownership clarity first.

Plan

  • Define the repo sync auth model:
      • GitHub OAuth app
      • GitHub App
      • or a staged path from OAuth to GitHub App
  • Implement the integration authorization flow separately from account login.
  • Store GitHub credentials/tokens with least-privilege handling and an explicit revocation path.
  • Update onboarding and project-link flows to request GitHub authorization only when repo features are used.
  • Document the separation between account auth and GitHub integration auth.
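
A sketch of the separation the plan describes, added here as an example and not Cloud Suite code: the GitHub callback attaches a repo grant to a user who is already signed in, and never creates a login of its own. It assumes the GitHub OAuth option; the names (issue_state, verify_state, GitHubLinks), the in-memory store and the token value are hypothetical, and the code-for-token exchange with GitHub and encryption at rest are left out.

```python
import hashlib, hmac, secrets, time

STATE_KEY = secrets.token_bytes(32)  # demo key; assumption: real key lives in a secret store
STATE_TTL = 600                      # assumption: pending authorization valid for 10 minutes

def _sign(payload):
    return hmac.new(STATE_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_state(user_id, now=None):
    """OAuth `state` bound to the user already signed in via Google/Okta."""
    ts = int(time.time() if now is None else now)
    payload = f"{user_id}|{ts}|{secrets.token_urlsafe(16)}"  # nonce keeps values unique
    return f"{payload}|{_sign(payload)}"

def verify_state(state, session_user_id, now=None):
    """True only if state is authentic, fresh, and was issued to this session's user."""
    payload, _, sig = state.rpartition("|")
    parts = payload.split("|")
    if len(parts) != 3 or not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return False
    user_id, ts, _nonce = parts
    age = (time.time() if now is None else now) - int(ts)
    return 0 <= age <= STATE_TTL and hmac.compare_digest(
        user_id.encode(), str(session_user_id).encode())

class GitHubLinks:
    """Per-user GitHub grants, held apart from login sessions (in-memory for the demo)."""
    def __init__(self):
        self._grants = {}

    def handle_callback(self, session_user_id, state, token, scopes):
        # The callback never creates a session; it only attaches a grant to one.
        if session_user_id is None or not verify_state(state, session_user_id):
            raise PermissionError("GitHub callback does not match a signed-in user")
        self._grants[session_user_id] = {"token": token, "scopes": frozenset(scopes)}

    def token_for(self, user_id, needed_scope):
        # Hand out the token only for a scope the user actually granted.
        grant = self._grants.get(user_id)
        if grant is None or needed_scope not in grant["scopes"]:
            return None
        return grant["token"]

    def revoke(self, user_id):
        # Explicit revocation path: drop the local copy (a real service would
        # also revoke the grant on GitHub's side).
        return self._grants.pop(user_id, None) is not None
```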

Implementation Progress

  • Blocked on the Google login foundation in task-m1-suite-google-auth-permissions-sync.md.

QA Exploration

  • [ ] QA exploration completed (or N/A for non-UI tasks)

Review Feedback

  • [ ] Review cleared