feat(cli): warn before keyless signing publishes identity to public log

[njhensley]

Summary

Add an interactive identity-disclosure gate before keyless evidence signing: when aicr is about to open a browser/device-code OIDC login, it prints an endpoint-aware banner explaining that the signer's identity (email + issuer) will be published permanently to the public Rekor transparency log, and on a TTY pauses for y/N confirmation. A --yes / AICR_ASSUME_YES bypass is added for interactive automation.

Motivation / Context

The evidence-signing paths (aicr validate --emit-attestation --push, aicr evidence publish --push, aicr bundle --attest) can fall through to an interactive OIDC login that mints a Fulcio cert from the user's identity. With public-good Sigstore, that identity — typically the signer's email plus the OIDC issuer — is written to the public, immutable Rekor log (permanently searchable, cannot be deleted) and attached to the pushed OCI artifact. Previously the only hint was a couple of slog.Info lines; there was no warning and no confirmation before the browser opened. This adds informed consent at the point of action plus the supporting docs.

Fixes: #1257
Related: N/A

Type of Change

• Bug fix (non-breaking change that fixes an issue)
• New feature (non-breaking change that adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update
• Refactoring (no functional changes)
• Build/CI/tooling

Component(s) Affected

• CLI (cmd/aicr, pkg/cli)
• Docs/examples (docs/, examples/)

Implementation Notes

• New pkg/cli/signing_disclosure.go:
  • keylessOIDCPathIsInteractive mirrors bundleattest.ResolveOIDCToken's source precedence exactly, so the gate fires on every interactive path (browser/device-code) and never on a non-interactive one (pre-fetched --identity-token, ambient GitHub Actions OIDC, KMS --signing-key).
  • buildKeylessSigningBanner is endpoint-aware: it names the Fulcio/Rekor URLs in effect and only claims "public, permanent, globally searchable" when the public-good Rekor is the destination; private endpoints get a softer, accurate message.
  • confirmKeylessSigningDisclosure: on a TTY it prompts y/N (default no, clean abort — no browser, non-zero exit, mirroring the existing confirmOverwrite TTY pattern); on non-interactive stdin it emits the banner and proceeds (fail-safe so CI/scripts are never wedged).
• Gate lives entirely in pkg/cli (business-logic packages stay non-interactive). It runs before the browser opens in all three commands: before selectAttester in bundle (lazy attester), before attestation.Emit in validate (only when --push), before attestation.Publish in evidence publish (always — push is required).
• --yes (alias --assume-yes, env AICR_ASSUME_YES) suppresses the prompt while still printing the banner.
• A declined prompt returns ErrCodeUnavailable, matching how the OIDC helpers classify a user-canceled login, so aborting at the consent prompt and aborting at the browser produce the same exit code.
• Refactored the inline ResolveOptions literal in selectAttester into a shared bundleOIDCResolveOptions so the gate and the real attester reason about identical token-source inputs (no drift).

Testing

# pkg/cli with race detector + lint (pinned golangci-lint 2.12.2)
go test -race ./pkg/cli/...
golangci-lint -c .golangci.yaml run ./pkg/cli/...
go build ./... && go vet ./pkg/cli/...

• All pkg/cli tests pass with -race; lint clean; full module builds/vets.
• New table-driven tests cover the issue's success criteria: TTY accept/decline (incl. empty/EOF default-to-no), non-TTY pass-through, --yes bypass, non-interactive token sources never gate, device-flow gating, and public-vs-private endpoint-aware banner. New file is ~98% covered.
• Note: pkg/bundler/attestation TestNewKeyVerificationIdentity_PEM fails in my local env on a blocked tuf-repo-cdn.sigstore.dev fetch — a network/environment issue unrelated to and untouched by this change.

Risk Assessment

• Low — Isolated, CLI-only change; non-interactive token/ambient/KMS paths and CI runs are unaffected; well-tested and easy to revert.

Rollout notes: Backwards compatible. CI and scripted signing (which use ambient/non-personal identities or pre-fetched tokens) never hit the gate. Interactive workstation signers see a one-time y/N prompt; --yes / AICR_ASSUME_YES restores the old no-prompt behavior.

Checklist

• Tests pass locally (make test with -race)
• Linter passes (make lint)
• I did not skip/disable tests to make CI green
• I added/updated tests for new functionality
• I updated docs if user-facing behavior changed
• Changes follow existing patterns in the codebase
• Commits are cryptographically signed (git commit -S)

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: b0e45175-0fee-44eb-aa29-cc877a9f88fe

📥 Commits

Reviewing files that changed from the base of the PR and between c2ff1a3 and 1c67071.

📒 Files selected for processing (3)

• pkg/bundler/attestation/resolver.go
• pkg/bundler/attestation/resolver_test.go
• pkg/cli/signing_disclosure.go

---

📝 Walkthrough

Walkthrough

This PR adds a CLI-layer disclosure gate and documentation for keyless OIDC signing that publishes the signer's identity to Rekor. It introduces a shared --yes / --assume-yes flag, centralizes OIDC source classification, implements an endpoint-aware banner plus TTY-aware y/N prompt (with non-TTY and --yes bypass behavior), adds unit tests, and integrates the gate into bundle, evidence publish, and validate flows.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main feature: warning users before keyless signing publishes their identity to the public transparency log.
Description check	✅ Passed	The description is detailed and directly related to the changeset, explaining the motivation, implementation, testing, and risk assessment.
Linked Issues check	✅ Passed	The PR comprehensively addresses issue #1257: adds CLI disclosure gate, endpoint-aware banner, TTY confirmation, --yes bypass, documentation updates, and comprehensive tests covering all success criteria.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to issue #1257 requirements: disclosure gate, banner, flag implementation, documentation, and tests. No out-of-scope modifications detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mchmarny]

LGTM. Clean, well-tested, well-documented CLI-only change adding an informed-consent gate before keyless signing publishes an identity to the public Rekor log. Verified the core claims: keylessOIDCPathIsInteractive correctly mirrors ResolveOIDCToken/ResolveAttesterLazy precedence, the TTY handling matches the existing confirmOverwrite pattern, ambient OIDC fields are populated in both resolve-options helpers (so CI ambient runs bypass the gate), and none of the three commands read primary input from stdin so the scanner is safe. CI is fully green. Two non-blocking nits inline (resolver lock-step coupling, fail-open vs fail-closed asymmetry) — neither blocks merge.