First Principles

Security is not
an enterprise add-on.

The smallest nonprofit, the solo developer, the community sprint volunteer — they all deserve the same security architecture as a Fortune 500. Not a simplified version. The same one.

The Insight

Auth is a chain, not a user.

We are still stuck on the idea of a single named “user.” But any system making an access decision needs full context. Who is not enough. You need what, where, how, and why.

WHATBinary Attestation

What binary is running? Is it a signed release or a local dev build? Was it built by CI with attestation, or compiled on a laptop?

busbar v0.1.0 (local build) · Keychain: busbar-dev
WHEREMachine Context

Where is it running? A developer's Mac? A GitHub Action runner? A Kubernetes pod? The machine's identity is part of the chain.

jasonlantz@JasonsMacStudio · macOS 14.4.1 · SSH: SHA256:HiYt0tn...
WHOHuman Identity

Who set this in motion? Not just a username — the identity provider, the auth flow, the scopes granted, the session timestamp.

jlantz (github) · OAuth device_flow · Scopes: read:user, user:email
HOWAuth Method

How was the human identified? A GitHub App? Salesforce ECA? An API key? Each method carries different trust implications.

Busbar CLI · Client ID: Iv23li... · Bearer token · Persistent
TRUSTTrust Level

Given all of the above, what trust level does this chain earn? Development? CI-attested? Production? The chain determines the answer.

Level: Development · Production Access: No (requires CI build + auth)
The Status Quo

OAuth shouldn't be everyone's problem.

The complexity of OAuth has been left up to every developer, every admin, every team just trying to set up automation. And the fallback? Long-lived, full-admin credentials shared in plain text.

Long-Lived Tokens

Full admin credentials stored in CI environment variables. Rotated annually if you're lucky. Shared in Slack if you're not. One leaked secret compromises everything.

OAuth Complexity

Web Server Flow, JWT Bearer, Device Code, Client Credentials — each with different security implications. Most people pick the one that works, not the one that's secure.

Flat Identity

A username and a token. That's it. No context about what binary is running, where it's running, or what action it's trying to take. The access decision is blind.

The Identity Chain

Every request carries its full context.

Busbar's keychain tracks the entire identity chain — not just who you are, but what you're running, where you're running it, and what trust level the chain earns. Here's what it looks like before and after authentication.

beforebusbar whoami
⚡ Identity Chain
├─ Binary: busbar v0.1.0 (local build)
├─ Build Time: 2026-01-26T23:35:41
├─ Note: Development build — no attestation
└─ Keychain: busbar-dev (development)
├─ Machine: jasonlantz@JasonsMacStudio.localdomain
├─ OS: macOS 14.4.1
└─ SSH Fingerprint: SHA256:HiYt0tn...
├─ User: not authenticated
└─ Tip: Run 'busbar login' to authenticate
└─ Trust Summary
├─ Level: Development
└─ Production Access: No (requires CI build + authentication)
afterbusbar login && busbar whoami
⚡ Identity Chain
├─ Binary: busbar v0.1.0 (local build)
└─ Keychain: busbar-dev (development)
├─ Machine: jasonlantz@JasonsMacStudio.localdomain
├─ User: jlantz (github)
├─ Provider: github
├─ User ID: 1697127
├─ OAuth Session
├─ App Name: Busbar CLI
├─ Flow Type: device_flow
├─ Token Type: Bearer
├─ Scopes: read:user, user:email
└─ Expires: never (persistent token)
└─ Trust Summary
├─ Level: Development
└─ Production Access: No (requires CI build)

Notice what changed — and what didn't. The binary is still a local dev build. The machine is still the same Mac. So even though the human is now authenticated, the trust level stays at Development. Production access requires a CI-attested build. The chain is only as strong as its weakest link.

Architecture

The key never moves.

Busbar's keychain was inspired by over a decade of building CumulusCI's keychain and working with SF CLI's. The core principle: credentials live on the host. Plugins request actions through a barrier. The sandbox never sees secrets.

Host-Function Barrier

Modules execute inside WASM or sandboxed Python. When a module needs to make an authenticated API call, it requests the action through a host function. The host resolves the credential, makes the call, and returns the result. The module never touches the token.

Module → host_call("sf-rest", action) → Host resolves credential → API call → Result

Credential Sources

The keychain resolves credentials from the right source for the context. Local development uses the OS keychain. CI uses environment variables with attestation. Production uses vault integration. The module doesn't know or care which.

DEV → OS Keychain (macOS Keychain, GNOME Keyring)
CI → Env vars + build attestation
PROD → Vault / KMS + signed identity

Cedar Policies

Every action is authorized against Cedar policies that evaluate the full identity chain. A policy can say: “allow sf-metadata deploy only when binary is CI-attested, user is authenticated via GitHub App, and target org is in the approved list.”

permit(principal, action == Action::"deploy", resource) when { principal.trust_level == "attested" };

Audit Trail

Every credential usage produces a sealed audit frame. Who requested access, what binary was running, what trust level was evaluated, what action was taken, what the result was. The audit trail is the identity chain, captured at the moment of use.

Frame: blake3:7f8a... → WHO + WHAT + WHERE + WHEN + ACTION + RESULT
The Principle

Same architecture. Every scale.

If your security model requires a different architecture for different customers, it's not security — it's a pricing tier. The nonprofit admin who inherited a Salesforce org deserves the same credential isolation as a Fortune 500.

Solo & Nonprofits

It just works.

busbar login uses GitHub device flow. Credentials go to the OS keychain. No .env files, no tokens in Slack, no OAuth expertise required. The identity chain handles the rest.

ISVs & Partners

Zero credential sharing.

Ship managed packages to thousands of customer orgs without ever touching their admin tokens. Customers approve concrete, adapted deployment plans. The host-function barrier means your code physically cannot access their secrets.

Enterprise

Compliance by construction.

Cedar policies encode regulatory requirements. Immutable audit frames provide cryptographic proof of every access decision. Trust levels gate production access to CI-attested builds with signed identity chains.

The Urgency

Agents don't knock.

In the agentic present and future, the current approach will no longer cut it. An AI agent with a long-lived admin token is not automation — it's an open door. Agents operate at machine speed, make decisions autonomously, and chain actions across systems. Without a proper identity chain, every agent invocation is a blind trust decision.

Without identity chains

Agent gets a static API token with full admin scope
No way to know what binary triggered the action
Audit log says “API User” — not who, what, or why
One compromised token = full org access

With Busbar's identity chain

Agent requests action through host-function barrier — never sees the credential
Cedar policy evaluates full chain: binary + machine + user + action
Sealed audit frame captures exactly who, what, where, when, and result
Least-privilege enforcement — agent gets only what the policy allows

We will see more breaches if we don't adapt. But adapting shouldn't mean every admin becomes an OAuth security expert. It shouldn't mean every developer figures out credential management from scratch. It means building systems where security is the default — not the upgrade.

Security that scales down, not just up.

Built by the founder of CumulusCI, inspired by over a decade of hacking at OAuth with Salesforce CLI keychains. The identity chain isn't a feature — it's the foundation.

Start a PilotSee How It Works