As discussed on the mailing list, it would be desirable to allow multiple configurations to contribute to the LoginAdminWhitelist.
This issue is marked blocker, as the current implementation was not yet released, thus allowing arbitrary changes without backwards compatibility headaches.
I propose to remove the whitelist.bundles.default and whitelist.bundles.additional properties and replace them with "additional configurations" that each allow providing a list of whitelisted bundle symbolic names.
In the main configuration for LoginAdminWhitelist I propose to retain the flag to bypass the whitelist completely.
I am uncertain whether we really need the whitelist regexp for testing, as it is fairly simple to list a handful of required bundles. If we keep it, I suggest making its metatype private.
Optionally, we could consider the possibility to allow configuring a list of required "additional configurations". I would leave this until we find a real requirement for this, as it would complicate the implementation.