.claude/skills/panda-install: document allowlist-failure mode + request template

Mark Holt · Mark Holt · commit 9187caead65e · 2026-05-10T19:30:58.000Z
When GitHub returns bad_verification_code during device-flow code
exchange (not a real expired-code, but Mark's GitHub identity
without panda-proxy app access), the skill should:

1. Recognize the symptom (immediate failure after device approval,
   distinguishable from genuinely expired codes which take minutes)
2. Give the user a ready-made request template with all the fields
   EthPandaOps needs (GitHub identity, service name, Dex issuer,
   OAuth client ID, reproducer)
3. Stop the local server (it flaps because the proxy embedding
   backend is unreachable without auth)

Discovered during the first install run on dev-bm-e3-ethmainnet-n4
when the user's GitHub identity was not on the panda-proxy allowlist.
diff --git a/.claude/skills/panda-install/SKILL.md b/.claude/skills/panda-install/SKILL.md
@@ -138,6 +138,37 @@ options:
   - Install CLI only
 ```
 
+**Recognising the allowlist failure mode**: the symptom is GitHub
+returning `bad_verification_code` during the code-exchange step.
+That's NOT an expired code — it's GitHub refusing to issue a token
+because the user can't access the upstream OAuth app
+(`panda-proxy`). Distinguish from a genuinely expired code by
+checking that the failure is immediate after device-flow approval,
+not after a multi-minute wait.
+
+When the user picks "Request allowlist", give them the request
+template (don't make them assemble it themselves):
+
+| field | value |
+|---|---|
+| GitHub identity | <ask the user for their GH username> |
+| Service | panda-proxy (`panda-proxy.ethpandaops.io`) |
+| Dex issuer | `https://dex.primary.production.platform.ethpandaops.io` |
+| OAuth client ID | `panda-proxy` |
+| Reason | <user's project + team> |
+| Reproducer | `panda auth login --no-browser` returns `bad_verification_code` after entering the device code |
+
+Where to send: EthPandaOps Slack/Discord, or GitHub issue on
+`ethpandaops/panda`. Visible maintainers in the proxy config's
+success-page rules: `samcm`, `mattevans`.
+
+Also stop the local panda server while waiting — it will flap
+because the proxy embedding backend is unreachable without auth:
+
+```bash
+panda server stop
+```
+
 ## Step 4 — Self-host the proxy (alternative path)
 
 For orgs with their own ClickHouse / Prometheus / Loki credentials.
