Problem
The integration dashboard currently stores GitHub tokens and Pi SSH passwords in the local inventory file (src/integration/.integration_inventory.json by default). This was accepted for v1 competition ops, but it is not a good long-term security posture.
Current behavior
- OperatorConfig persists github_token in the local inventory JSON
- TargetRecord persists ssh_pass in the same local inventory JSON
- The new hardware deploy flow depends on that inventory for dashboard target management
Follow-up work
- Move secret storage to the desktop OS keychain / secret store
- Keep non-secret target metadata in the inventory JSON
- Preserve export/import for non-secret fields while handling secrets separately
- Define migration behavior from plaintext inventory files
Notes
- For the current production slice, plaintext local storage remains allowed for competition ops
- The code now includes an explicit comment marking this as a temporary v1 choice
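An added sketch of the migration listed under Follow-up work; it is not the project's code. It assumes Python and a hypothetical inventory layout (`operator`, `targets`, `name`, `host`, `github_user`); only `github_token` and `ssh_pass` come from this issue. `MemoryStore` and `SERVICE` are hypothetical, with `MemoryStore` standing in for an OS keychain backend.

```python
import json
import os
import tempfile

SERVICE = "integration-dashboard"  # hypothetical keychain service name
# Constructed sample inventory in an assumed layout (not the real schema).
SAMPLE = {"operator": {"github_user": "ops", "github_token": "constructed-token"},
          "targets": [{"name": "pi-01", "host": "pi-01.local", "ssh_pass": "constructed-pass"}]}

class MemoryStore:
    """In-memory stand-in for an OS keychain backend with a set/get interface."""
    def __init__(self):
        self._items = {}
    def set(self, service, key, secret):
        self._items[(service, key)] = secret
    def get(self, service, key):
        return self._items.get((service, key))

def split_secrets(inventory, store):
    """Move github_token / ssh_pass into `store`; return (clean_copy, moved_count)."""
    clean = json.loads(json.dumps(inventory))  # deep copy, JSON types only
    moved = 0
    token = clean.get("operator", {}).pop("github_token", None)
    if token:
        store.set(SERVICE, "operator/github_token", token)
        moved += 1
    for target in clean.get("targets", []):
        password = target.pop("ssh_pass", None)
        if password:
            store.set(SERVICE, f"target/{target['name']}/ssh_pass", password)
            moved += 1
    return clean, moved

def migrate_file(path, store):
    """Rewrite a plaintext inventory file without its secret fields."""
    with open(path, encoding="utf-8") as fh:
        inventory = json.load(fh)
    clean, moved = split_secrets(inventory, store)  # secrets are stored first
    if moved == 0:
        return 0  # nothing left to migrate, so a second run is a no-op
    # Write a temp file in the same directory, then replace atomically,
    # so a crash never leaves a half-written inventory behind.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(clean, fh, indent=2)
    os.replace(tmp, path)
    return moved
```

The cleaned JSON is also what an export of non-secret fields would contain. Replacing the file does not scrub the old plaintext from disk or backups, so credentials that were stored in it should be rotated after migration.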