Show local trusted auth controls

[alvarosanchez]

Summary

• Split Paperclip auth health handling into a shared policy that distinguishes board-access requirement from settings visibility.
• Show the Paperclip board-access setup section for authenticated and local trusted deployments, while only requiring it for sync on authenticated deployments.
• Keep GitHub token propagation visible and active regardless of deployment mode so selected agents receive the saved GITHUB_TOKEN secret ref.
• Update the disposable Paperclip smoke test, SPEC, and README to cover the local trusted behavior.

Root Cause

The UI used the strict boardAccessRequired flag as both the render gate for board access setup and the render/behavior gate for agent token propagation. That hid setup on local_trusted deployments even though some host API paths can still need board credentials, and it skipped propagation on non-authenticated deployment modes.

Validation

• pnpm typecheck
• pnpm exec tsx --test --test-name-pattern "Paperclip auth controls policy|fetchPaperclipHealth" tests/plugin.spec.ts
• pnpm test (255 passing tests)
• pnpm build
• pnpm test:e2e against disposable paperclipai@2026.517.0 in local_trusted mode
• git diff --check

Model Used

• Model: GPT-5 Codex in Codex Desktop
• Context window: not exposed by the Codex Desktop runtime metadata for this session
• Capabilities used: local shell, git/GitHub CLI, repository test/build commands, disposable Paperclip e2e host, Codex app automation support

[Copilot]

Pull request overview

This PR updates the GitHub Sync plugin’s settings UI to decouple “Paperclip board access is required” from “board-access setup controls are visible,” ensuring local trusted deployments can still configure board access while keeping GitHub token propagation available across all deployment modes.

Changes:

• Introduces a shared resolvePaperclipAuthControlsPolicy that separately drives board-access requirement vs. visibility, while keeping token-propagation visibility always on.
• Updates the settings UI to render board-access setup for authenticated and local_trusted (but only require it for sync on authenticated) and to keep agent token propagation active regardless of mode.
• Expands coverage across unit tests, smoke test, SPEC, and README to reflect the new local trusted behavior.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
tests/plugin.spec.ts	Adds policy-focused tests for local trusted visibility and always-on token propagation.
src/ui/index.tsx	Replaces board-access gating with policy-driven visibility; removes propagation gate tied to board-access requirement.
src/paperclip-health.ts	Adds PaperclipAuthControlsPolicy and a resolver to centralize auth-controls decisions.
SPEC.md	Updates requirements to reflect board-access visibility on local trusted and propagation visibility in all modes.
scripts/e2e/run-paperclip-smoke.mjs	Adjusts smoke assertions for local trusted board-access visibility and verifies propagation control appears.
README.md	Updates docs to describe board-access controls for local trusted + always-available agent token propagation.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.