docs: design for AWS account rename during install

[royosherove]

Design Doc: AWS Account Rename During Lowkey Install

Renames AWS accounts to Loki-<original-name> during installation so users can identify Lowkey-deployed accounts in the AWS console switcher.

Key decisions

• Interactive: Prompt with Rename/Edit/Skip (default: Rename)
• Headless (-y): Skip by default (safe for CI); opt in with --auto-rename-account-enabled
• Non-fatal: All API failures warn and continue
• Uninstall: SSM-based restore with heuristic prefix-strip fallback
• Telemetry: New install.account_renamed event via /v1/ingest with renamed, auto_rename_enabled, skipped_reason props
• Backend changes needed: loki-dashboard must register the new event before installer ships

Files

• docs/design-account-rename.md — full design doc (333 lines)

Review history

• 22+ automated review loops
• Codex architecture review (P1 finding: flipped headless default)
• Final automated + architect review: clean pass

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 84584cde17

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Enforce ASCII-only sanitization for account rename inputs

The sanitizer currently removes control characters and a small blacklist, but it still allows non-ASCII bytes to pass through. In interactive Edit name flow, inputs like Loki-テスト survive _sanitize_account_name and are later sent to put-account-name, which can be rejected by AWS account-name validation; this causes rename attempts to fail unexpectedly even though the function claims to enforce a safe printable-ASCII subset.

Useful? React with 👍 / 👎.

[royosherove]

Addressed Codex review 4206995015:

P2 — ASCII-only sanitization: AGREE, fixed in 44a4e2b.
_sanitize_account_name now strips the 0x80-0xFF byte range in addition to control chars and the shell-meta blacklist, under LC_ALL=C so tr operates byte-wise. Inputs like Loki-テスト now sanitize to Loki- client-side instead of reaching put-account-name and failing at the API.

Verified:

• Loki-テスト → Loki-
• Loki-Prod → Loki-Prod (unchanged)
• bad$name → badname
• Café → Caf

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 44a4e2b3eb

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Detect account CLI support without help command

Using aws account help as the feature probe can falsely disable renaming on systems where AWS CLI is installed but help rendering dependencies are missing (AWS documents the common Could not find executable named 'groff' failure). In that case this branch emits cli_missing and skips rename, even though aws account get-account-information / put-account-name would otherwise work, so interactive users never see the rename prompt and headless opt-in is silently ignored.

Useful? React with 👍 / 👎.

[royosherove]

Addressed Codex review 4207036526:

P2 — probe account service without requiring groff: AGREE, fixed in 6910740.
aws account help needs groff, which is missing on AL2023-slim / distroless / many CI images \u2014 that was falsely producing cli_missing and silently skipping rename on systems where the service would actually work.

Replaced with a groff-free probe: run aws account (no subcommand) and match on Invalid choice: 'account' in stderr. Modern CLIs error with required: operation (service exists); old CLIs error with the invalid-choice string (service missing).

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 69107403ce

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Make CLI support check work with pipefail enabled

Because the script runs with set -o pipefail, the probe if aws account 2>&1 | grep -q "Invalid choice: 'account'"; then never evaluates true when aws account exits non-zero (which it does in both supported and unsupported CLI cases). Even when grep matches the unsupported-command message, the pipeline status stays non-zero due to pipefail, so the cli_missing branch is skipped and older AWS CLI installations fall through to the generic api_error path with misleading output/telemetry.

Useful? React with 👍 / 👎.

[royosherove]

Addressed Codex review 4207072526:

P2 \u2014 pipefail-safe probe: AGREE, fixed in 6c48bc4.
Correct catch. With set -o pipefail, aws account 2>&1 | grep -q ... always propagates aws's non-zero exit, so the if branch never ran even when grep matched. Switched to capturing output into a variable with || true and doing a bash string match:

local _acct_probe
_acct_probe=$(aws account 2>&1 || true)
if [[ "$_acct_probe" == *"Invalid choice: 'account'"* ]]; then
  ...
fi

Verified on a modern CLI: probe yields required: operation \u2192 no match \u2192 proceeds with rename. Old CLIs will yield Invalid choice: 'account' \u2192 match \u2192 cli_missing telemetry + skip.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4d1e58e0e1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Avoid emitting raw AWS account IDs in telemetry

Switching install.bootstrap_completed to include account_id sends a stable 12-digit AWS account identifier on every successful install, which is a significant privacy regression versus the previous instance-scoped identifier and conflicts with this repo’s stated telemetry guarantees. Because ACCOUNT_ID is sourced directly from aws sts get-caller-identity, this value is always the real account ID whenever telemetry is enabled and bootstrap completes.

Useful? React with 👍 / 👎.

[royosherove]

Triage of Codex review 4208137289:

P1 \u2014 "account_id in install.bootstrap_completed": DISAGREE / FALSE POSITIVE.

This PR doesn't emit account_id in any telemetry event. Searched the branch:

$ grep -nE '"account_id"|account_id[ =:]' install.sh
(no matches)

The relevant emitters:

• _telem_bootstrap_completed still only sends instance_id (validated via _telem_instance_id regex):

  _telem_bootstrap_completed() {
    local props
    props="$(_telem_props \
      "$(_telem_kv instance_id "$(_telem_instance_id "${INSTANCE_ID:-}")")")"
    _telem_event "install.bootstrap_completed" "$props"
  }

• _emit_rename_telemetry (the new install.account_renamed event) only sends renamed, allowed, auto_rename_enabled, and an optional hardcoded skipped_reason enum.
• The schema change to telemetry-v1.schema.json adds account_rename_enabled (boolean), not an account-id field.

ACCOUNT_ID is used in this PR only to construct a proposed account display name (Loki-${ACCOUNT_ID}) sent to AWS's own put-account-name API, which already holds the account ID. It is never passed into _telem_event, _telem_kv, or a telemetry HTTP call. No regression vs. the pre-PR privacy guarantees.

Happy to reconsider if Codex can point at a specific line where ACCOUNT_ID enters a _telem_* call path \u2014 otherwise closing this one out.