Marsa Auth #22

@G0maa

Explanation

  1. How can Marsa Operator (human) authenticate himself to use Marsa Dashboard.
  2. That is to be able to deploy apps.

Out of context

  1. How can deployed apps utilize Marsa OAuth for their own usage.

Decision (2026-06-07) — see AgDR-0004 & AgDR-0005

This issue is operator → dashboard login (the "deploy apps" repo access is #23; one GitHub App serves both).

v0.1 scope (this milestone)

  • Direct GitHub login in Marsa-API (Passport passport-github2 / GitHub App user-OAuth) → session.
  • Operator allowlist in Postgres. First admin = whoever runs the installer (via the first-run wizard); others invited by GitHub login.
  • Key user records on the stable GitHub numeric user id (not username/email) so v0.2 federation maps the same operators with zero re-onboarding.
  • No new infra — no Dex, no Zitadel yet.

v0.2+ (OIDC/SSO — tracked separately)

  • Login moves behind Zitadel as the central IdP (federating GitHub), enabling OIDC/SSO across services (Grafana/LGTM monitoring first, object storage / others later). See the v0.2 IdP feature ticket.
  • Only the v0.1 GitHub login strategy (~1 day) is discarded at the cutover; session/user/allowlist plumbing survives.

Why not Dex / build-our-own provider

  • Self-hosted installs each have a different GitHub context (org or personal account) → can't gate access by GitHub org/team; authz must live in Marsa's DB.
  • Choosing Zitadel for v0.2 retires Dex (Zitadel federates GitHub itself — Dex now would only be deleted later).
  • The team will not own a custom OIDC provider's security-critical code.

Full reasoning + options table: AgDR-0004 (auth/IdP strategy), AgDR-0005 (GitHub App model).
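The v0.1 allowlist rules above (first admin from the installer, invite by GitHub login, records keyed on the numeric user id) can be sketched as follows. This is an added example, not Marsa code: the in-memory Maps stand in for the Postgres tables, and every function and field name is hypothetical. The `profile` objects are assumed to have the shape passport-github2 hands to its verify callback (`id` as a string, `username` as the GitHub login).

```javascript
// Added illustration, not Marsa's implementation. Maps stand in for Postgres.
function createOperatorStore() {
  return {
    operators: new Map(), // numeric GitHub id (as string) -> { githubId, login, role }
    invites: new Map(),   // lowercased GitHub login -> { role }
  };
}

// First-run wizard: whoever runs the installer becomes the first admin.
function bootstrapAdmin(store, profile) {
  if (store.operators.size > 0) throw new Error('already bootstrapped');
  const op = { githubId: String(profile.id), login: profile.username, role: 'admin' };
  store.operators.set(op.githubId, op);
  return op;
}

// Admins invite by login; GitHub logins are case-insensitive, so normalize.
function invite(store, login, role = 'operator') {
  store.invites.set(login.toLowerCase(), { role });
}

// Run after GitHub OAuth succeeds. Returns the operator record, or null to deny.
function resolveOperator(store, profile) {
  const githubId = String(profile.id);
  if (!/^\d+$/.test(githubId)) return null; // only a numeric id is a valid key

  const known = store.operators.get(githubId);
  if (known) {
    known.login = profile.username; // login is display data; follow renames
    return known;
  }

  // Unknown id: the login is trusted only to redeem a pending invite, once.
  const key = String(profile.username).toLowerCase();
  const pending = store.invites.get(key);
  if (!pending) return null;
  store.invites.delete(key); // consume, so a later holder of the name gets nothing
  const op = { githubId, login: profile.username, role: pending.role };
  store.operators.set(githubId, op);
  return op;
}
```

After the invite is redeemed, authorization depends only on the numeric id, so a renamed operator keeps access and a different account that later takes the old login is denied.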


Status: In progress
