feat: backport auth-validation preflight + email_login credentials #6

Open

Hugh Commit wants to merge 1 commits from far-138/backport-phase-3 into main

pull from: far-138/backport-phase-3

merge into: farhoodlabs:main

farhoodlabs:main

farhoodlabs:far-142/istio-conversion

farhoodlabs:far-137/backport-phase-2

farhoodlabs:far-136/backport-phase-1

farhoodlabs:far-134/remove-mcp-server

farhoodlabs:far-132/helm-chart

farhoodlabs:far-133/move-github-to-gitea

farhoodlabs:gh-pages

Conversation 0 Commits 1 Files Changed 16

+489 -26

Hugh Commit commented 2026-05-20 00:59:59 +00:00

Member

Copy Link

Copy Source

Summary

Backport of upstream Shannon PR #335 — auth-validation preflight + email_login credentials.

Changes

• Auth-validation preflight: New validate-authentication agent runs a real browser login before the full pipeline, catching bad credentials early and saving API budget
• email_login credentials: New nested credential type for magic-link and email-OTP flows with $email_address, $email_password, $email_totp placeholder substitution
• credentials.password now optional: Schema changed from required: ["username", "password"] to required: ["username"] for passwordless flows
• Playwright stealth config: Anti-detection browser configuration (disables webdriver flag, fakes plugins, stubs chrome.runtime, realistic UA)
• resolvePromptDir refactor: Prompt directory resolution centralized into prompt-manager.ts
• AUTH_LOGIN_FAILED error code: New non-retryable error classification for failed logins
• Removed dangerous-pattern check on credentials.password: Passwords can contain special characters legitimately
• Pipeline-testing stub: Returns { "login_success": true } for fast iteration
• CLI/Docker: .playwright directory added to workspace overlays

Verification

• pnpm run check ✅
• pnpm biome ✅

Resolves FAR-138
Parent: FAR-135

## Summary Backport of upstream Shannon PR [#335](https://github.com/KeygraphHQ/shannon/pull/335) — auth-validation preflight + email_login credentials. ### Changes - **Auth-validation preflight**: New `validate-authentication` agent runs a real browser login before the full pipeline, catching bad credentials early and saving API budget - **`email_login` credentials**: New nested credential type for magic-link and email-OTP flows with `$email_address`, `$email_password`, `$email_totp` placeholder substitution - **`credentials.password` now optional**: Schema changed from `required: ["username", "password"]` to `required: ["username"]` for passwordless flows - **Playwright stealth config**: Anti-detection browser configuration (disables webdriver flag, fakes plugins, stubs chrome.runtime, realistic UA) - **`resolvePromptDir` refactor**: Prompt directory resolution centralized into `prompt-manager.ts` - **`AUTH_LOGIN_FAILED` error code**: New non-retryable error classification for failed logins - **Removed dangerous-pattern check on `credentials.password`**: Passwords can contain special characters legitimately - **Pipeline-testing stub**: Returns `{ "login_success": true }` for fast iteration - **CLI/Docker**: `.playwright` directory added to workspace overlays ### Verification - `pnpm run check` ✅ - `pnpm biome` ✅ Resolves [FAR-138](/FAR/issues/FAR-138) Parent: [FAR-135](/FAR/issues/FAR-135)

Hugh Commit added 1 commit 2026-05-20 00:59:59 +00:00

feat: backport auth-validation preflight + email_login credentials ... 47a6e4933a

Backport upstream Shannon PR #335:
- Add credential validation activity that drives a real browser login
  before the full pipeline, catching bad credentials early
- New email_login credentials type for magic-link and email-OTP flows
- Make credentials.password optional for passwordless flows
- Playwright stealth config (chrome.runtime, plugin simulation, UA)
- Centralize prompt directory resolution into resolvePromptDir helper
- New AUTH_LOGIN_FAILED error code with non-retryable classification
- Remove dangerous-pattern validation on credentials.password
- Pipeline-testing stub for auth validation (returns success)
- Auth validation timeout of 10 minutes for browser-based login
- .playwright directory workspace overlay for CLI/Docker

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Some checks are pending

Hide all checks

CI / Type-check & lint (pull_request) Successful in 16s

Details

CI / Build & push worker image (pull_request) Has been skipped

Details

CI / Build & push API image (pull_request) Has been skipped

Details

This pull request can be merged automatically.

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin far-138/backport-phase-3:far-138/backport-phase-3

git checkout far-138/backport-phase-3

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

bug

Something isn't working

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

enhancement

New feature or request

good first issue

Good for newcomers

help wanted

Extra attention is needed

invalid

This doesn't seem right

question

Further information is requested

wontfix

This will not be worked on

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

fl_blake (Blake MIddleware) cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) flux (Flux CD) admin (Gitea Admin) fl_hugh (Hugh Commit) renovate (Mend Renovate) fl_warren (Warren Bufferpool)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: farhoodlabs/trebuchet#6