feat(proto): credentials auth and default-password state core

[ankitgoswami]

Summary

Switches the proto miner plugin from Ed25519 key-based authentication to username/password credentials with factory defaults of admin/proto. This foundation PR also introduces the server-side DEFAULT_PASSWORD pairing state and telemetry signal so the fleet can represent a rig that is paired and reporting metrics but still needs password rotation.

Stack: this PR is the base of the split stack. #480 is stacked on this PR and hardens the server-side command, telemetry, SQL, cache, plugin, and fleet-node boundaries for DEFAULT_PASSWORD; #482 is stacked on #480 and contains the hand-written Fleet UI remediation UX; #477 is also stacked on #480 and handles phase-2 fleet-node enrollment cleanup. The diff here is relative to main; UI affordances and normal-action gating are intentionally out of scope and live in #482. Phase 3 remains a future cleanup PR for deleting dormant key-auth code and schema.

How it works

The server continues dispatching miners by DriverName, but the proto driver now advertises basic_auth instead of asymmetric auth. Pairing builds a UsernamePassword secret, encrypts it through the existing credentials path, and reuses those credentials when reconnecting to the miner. If no credentials are supplied, the driver returns the proto defaults and the pairer tries those so factory-default rigs can be adopted without key provisioning.

The proto plugin client lazily logs in to the rig REST API, caches the access token, and retries once after a 401 to handle token expiry or out-of-band credential changes. The public status endpoint reports default_password_active; telemetry carries that bit back on DeviceMetrics, and the server reconciles it into PAIRING_STATUS_DEFAULT_PASSWORD. That state is paired-like for telemetry, snapshots, rollups, CSV, and enrichment, while password-change success clears it back to PAIRED.

Diagrams

flowchart TD
  P["Pairer"] --> C{"proto driver capabilities"}
  C -->|"basic_auth"| S["UsernamePassword secret"]
  S --> E["encrypted miner_credentials"]
  S --> D["proto plugin client"]
  D --> L["POST /api/v1/auth/login"]
  L --> T["cached access token"]
  D --> R["GET /api/v1/system/status"]
  R --> M["DeviceMetrics.default_password_active"]
  M --> Q["device_pairing.DEFAULT_PASSWORD"]

Loading

stateDiagram-v2
  [*] --> PAIRED: pair with valid credentials
  PAIRED --> DEFAULT_PASSWORD: telemetry sees default_password_active
  DEFAULT_PASSWORD --> PAIRED: password update succeeds
  PAIRED --> AUTHENTICATION_NEEDED: credentials rejected
  AUTHENTICATION_NEEDED --> PAIRED: re-pair with valid credentials

Loading

Areas of the code involved

Area / package / file	What changed	Why it matters for review
plugin/proto/internal/driver	Driver API v2, basic_auth capability, default credentials, and credential bundle validation	Main auth-shape migration for proto rigs
plugin/proto/pkg/proto and plugin/proto/internal/device	Login/token cache, 401 retry, status/default-password reads, password-change client update	Runtime auth lifecycle against the rig REST API
server/sdk/v1 and generated SDK outputs	Adds DeviceMetrics.default_password_active and capability plumbing	Wire/API contract between server and plugins
proto/fleetmanagement/v1 and server/migrations/000089_*	Adds PAIRING_STATUS_DEFAULT_PASSWORD and DB enum migration	Persistent representation of default-password remediation state
server/internal/domain/telemetry	Reconciles the positive default-password signal from telemetry	State source of truth during polling
server/internal/domain/command	Persists proto password changes and clears default-password state on success	Keeps stored credentials aligned with on-device changes
server/internal/domain/fleetmanagement, stores/sqlstores, buildings, sites, collection	Treats DEFAULT_PASSWORD as paired-like for visibility/enrichment/CSV	Keeps metrics visible while remediation is pending
server/fake-proto-rig and server/docker-compose.yaml	Fake rig models credential login and default-password-gated mutation behavior	Test double follows the firmware contract
client/src/protoFleet/api/generated/fleetmanagement/v1/fleetmanagement_pb.ts	Regenerated from the enum change	Generated; hand-written UI is deferred to #482

Key technical decisions & trade-offs

Decision	Trade-off
Replace proto auth in place under the existing proto driver name	Existing device rows keep working, but migration fallback has to handle key-era rows
Use default credentials as the adoption fallback	Factory rigs pair smoothly, while rigs with changed passwords surface as auth-needed
Model default password as a pairing state instead of only a snapshot flag	Requires a migration and paired-like handling, but gives command/server flows a durable remediation state
Detect default password from a positive status flag, not a telemetry failure	Preserves telemetry visibility, but requires firmware/plugin support for the status bit
Keep hand-written Fleet UI out of this PR	Smaller foundation review, but default-password UX is not fully visible until #482

Testing & validation

• cd client && npm run lint
• cd plugin/proto && ../../bin/go test ./... partially passed: internal/device, internal/driver, pkg/proto, and tests/unit passed; plugin/proto/tests failed because Docker closed the image-build connection locally.
• cd server && ../bin/go test ./internal/domain/plugins ./internal/domain/telemetry ./internal/domain/command partially passed: plugins and telemetry passed; the broader command package hit local Postgres authentication failures for DB-backed tests.
• git diff --check

Not fully covered locally: Docker/testcontainers and DB-backed integration tests need a working local Docker/Postgres setup and should be covered by CI or a local just dev smoke before merge.

[github-actions]

🔐 Codex Security Review

Note: This is an automated security-focused code review generated by Codex.
It should be used as a supplementary check alongside human review.
False positives are possible - use your judgment.

Scope summary

• Reviewed pull request diff only (0e1feae120058389b4e5113d28ca5310c357c0e3...22f22e4958732a2f6c659cb209eaa73f046ab8dc, exact PR three-dot diff)
• Model: gpt-5.5

💡 Click "edited" above to see previous reviews for this PR.

---

Review Summary

Overall Risk: HIGH

Findings

[HIGH] DEFAULT_PASSWORD Miners Cannot Be Resolved for Password Remediation

• Category: Auth | Reliability
• Location: server/internal/domain/command/service.go:652
• Description: The PR makes UpdateMinerPassword selectors include DEFAULT_PASSWORD miners, and telemetry scheduling also now treats DEFAULT_PASSWORD as paired-like. However, command execution calls minerService.GetMiner() before reaching UpdateMinerPassword, and the miner service still resolves devices through server/sqlc/queries/miner_service.sql, whose direct and fleet-node queries require dp.pairing_status = 'PAIRED'. A miner recorded as DEFAULT_PASSWORD therefore cannot be opened as a miner handle.
• Impact: Newly paired Proto devices that are correctly marked DEFAULT_PASSWORD cannot be remediated through Fleet: password-update commands fail before reaching the plugin, and telemetry reconciliation cannot poll them back to PAIRED after an out-of-band password change. This leaves miners stuck with known factory credentials unless operators bypass Fleet.
• Recommendation: Update the miner-resolution queries to include DEFAULT_PASSWORD where remediation/telemetry needs a handle, regenerate sqlc, and add tests for GetMinerFromDeviceIdentifier plus UpdateMinerPassword against a DEFAULT_PASSWORD device. If non-remediation commands must remain blocked, enforce that explicitly in command preflight or command handlers instead of making the device unresolvable.

Notes

No cryptostealing or pool-hijack behavior was found in the changed hunks. The protobuf additions use new field numbers and preserve reserved fields; generated outputs appear to be included.

---

_{Generated by Codex Security Review |
Triggered by: @ankitgoswami |
Review workflow run}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9f5d9fe814

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 33f98ff719

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[ankitgoswami]

🤖 Re: Codex security review: This is addressed in the stacked child PR #480 rather than in the #471 diff: #480 adds paired-like miner resolution for DEFAULT_PASSWORD devices via include_default_password, routes UpdateMinerPassword through GetMinerForCredentialRemediation, routes telemetry through GetMinerForTelemetry, and keeps non-remediation commands explicitly guarded from DEFAULT_PASSWORD devices.

I am leaving #471 unchanged here so the stack stays as currently split: #471 carries the core DEFAULT_PASSWORD/auth state, and #480 carries the remediation/telemetry resolver hardening.