14. Admin install: GitHub Apps and .fullsend credential surface (v1)
Date: 2026-04-05
Status
Accepted
Context
The admin CLI creates or reuses per-role GitHub Apps and must persist the minimum credentials for Actions and agents to authenticate as those apps. ADR 0012 (when accepted) will fix the org config repo’s files and layout; ADR 0013 (when accepted) will fix how repos are enrolled. This decision isolates app lifecycle outcomes and where secrets and variables live, so tooling and docs can stay aligned without bundling enrollment or repo file layout.
Decision
Adopt credential surface v1: expected app slugs and manifest/install behavior per role, and repository secrets FULLSEND_<ROLE>_APP_PRIVATE_KEY plus variables FULLSEND_<ROLE>_CLIENT_ID on the .fullsend repo, with uppercase role suffixes matching internal/layers/secrets.go and internal/cli/admin.go.
Consequences
- Any change to secret/variable names or install outcomes must update the implementation and this ADR together.
- Adopters can grep
.fullsendforFULLSEND_to audit stored app credentials without reading Go source. - Client secret and webhook secret from the manifest flow remain outside this v1 repo surface unless a future ADR extends the surface.
