Skip to content

Slice 12 — Personal Access Tokens for git over HTTPS #12

Open
Open
Slice 12 — Personal Access Tokens for git over HTTPS#12
Labels
afkImplementable without architectural decisionsready-for-agentTriaged and ready for an AFK agent to pick uptracer-bulletVertical slice through all integration layers
@safayavatsal

Description

@safayavatsal
safayavatsal
opened on May 9, 2026

What to build

PATs for environments where SSH is awkward (corporate networks, CI runners, etc.).

  • Web UI: profile section to mint a PAT (with a name and optional expiry), copy the token once at creation, list existing PATs (showing only metadata, never the secret), and revoke.
  • platform-api: PATs are stored hashed (never plaintext). On Git HTTPS auth, the username is the user's handle and the password is the PAT. PATs identify the user; permissions are still resolved via PermissionChecker.
  • Tokens carry an optional scope at this stage (git:read, git:write); finer-grained scopes are post-MVP.

Acceptance criteria

  • A user can mint a PAT, see it once, and use it as the password in git clone https://<handle>@forge.../....
  • PATs in the database are hashed; plaintext is never recoverable from the DB.
  • Revoking a PAT immediately denies subsequent Git operations using it.
  • An expired PAT is rejected with a clean error.
  • PATs can be listed in the UI with name, last-used timestamp, expiry — but never the secret.

Blocked by

Metadata

Metadata

Assignees

No one assigned

    Labels

    afkImplementable without architectural decisionsready-for-agentTriaged and ready for an AFK agent to pick uptracer-bulletVertical slice through all integration layers

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions