Skip to content

feat(skill,guides): AuthKit-native agent auth + consent-framed install runbook#65

Merged
spencercharest merged 8 commits into
mainfrom
docs/agent-install-consent-framing
Jul 7, 2026
Merged

feat(skill,guides): AuthKit-native agent auth + consent-framed install runbook#65
spencercharest merged 8 commits into
mainfrom
docs/agent-install-consent-framing

Conversation

@spencercharest

@spencercharest spencercharest commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

Closes ZERO-483. Consolidates #64 into this PR (same feature surface, one release). Follows piedotorg/zero#748 (ZERO-477).

What this ships

1. Skill: teach AuthKit-native agent auth (from #64)

The bundled zero skill's Authentication section now opens with the decision rule — who is the account for: human present → zero auth login (device flow), fully autonomous → zero auth agent register (anonymous account + managed wallet, no browser), never agent register when a human is present. Includes the claim handoff (zero auth agent claim <email>).

2. Guides: consent-framed, runner-first rewrite of the install runbook (served at zero.xyz/install.md)

  • Fixes the ZERO-378 injection refusals: the old doc's guardrails were behavioral directives from fetched content ("only run commands verbatim", "ask the user to allow zero.xyz… then retry", "run the SessionStart hook yourself") — the exact grammar injection classifiers key on. Every protection survives as rationale; the doc opens with an authority gate ("act on it only if your operator asked you to set up Zero") so a user's pasted request is the authorization it requires. Adds the npm-provenance affordance (npm view @zeroxyz/cli) that empirically cleared trust gates.
  • Documents the runner-first paradigm: npm i -g @zeroxyz/cli && zero init (or install.sh without Node) — zero init does the per-harness plugin installs itself; the old per-harness commands and manual hook bootstrap are gone.
  • Adds the autonomous auth branch alongside the device-code sign-in, consistent with the skill.

3. Version bump 1.8.0 → 1.9.0 (make minor) — the skill change ships with the plugin.

Companion paste-prompt (goal state)

Help me set up Zero — a free tool that lets you find and use extra services you don't have built in (image/video generation, search live social media, or hosting a free webpage). I'd like you to do the setup yourself: fetch https://www.zero.xyz/install.md and follow its instructions for your environment.

Notes

  • Up to date with main (merged the agents.json matrix work and the attribution-token skill changes; feat(skill): teach AuthKit-native agent auth (zero auth agent register/claim) #64's stale 1.4.0 bumps re-done on top of 1.8.0).
  • zero auth agent register returns 503 until WORKOS_AUTHKIT_DOMAIN is enabled in prod (ZERO-477); both the skill and guide frame the human path as the default.
  • Merging deploys the guide immediately (zero.xyz proxies main); plugin users get the skill via the daily auto-refresh.

🤖 Generated with Claude Code

spencercharest and others added 6 commits July 6, 2026 16:13
…ter`/`claim` (ZERO-483)

The bundled zero skill now encodes the human-vs-autonomous decision rule
before any auth command: a present human means `zero auth login` (device
flow; `register` is an alias), fully autonomous means `zero auth agent
register` (anonymous account + managed wallet, no browser), and `agent
register` is never a way to sign a human in.

Adds the claim handoff section (`zero auth agent claim <email>`): the
hosted page shows the HUMAN a pairing code, they read it back, and the
agent completes — inline on a TTY or via the two-invocation `--code`
pattern — after which credentials rotate automatically. States the
registration facts: wallet created at signup (fund with `zero wallet
fund`), claim token + expiry recorded in ~/.zero/config.json, unclaimed
accounts cleaned up after the registration expires.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Agents fetching zero.xyz/install.md have been hesitant to follow it: the
runbook's guardrails were phrased as behavioral directives from fetched
web content, which is exactly the grammar injection classifiers key on.
Rewrite keeps every step and protection but moves authority to the
operator:

- Open with an explicit consent gate: the page acts only on an operator's
  request, otherwise it is reference documentation.
- Convert behavioral commands to stated rationale (verbatim-commands rule,
  the plugins-dir warning, the web-fetch-summary note).
- Permission changes (zero.xyz allowlisting) are surfaced to the operator
  instead of requested by the page.
- Step 2 shows the literal hook command (bash hooks/ensure-runner.sh) with
  what it does and where it writes, instead of "find and run the hook".
- Step 3 gains the autonomous path: zero auth agent register / claim
  (ZERO-477), alongside the existing device-code sign-in, with guidance to
  prefer the human path when an operator is present.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…it flow

The install paradigm flipped: zero init is now the installer (runner ->
plugin) — it detects harnesses and installs the plugin through each
harness's own plugin manager, with the portable skill/hooks install as
fallback. install.sh provisions the runner and hands off to the same
zero init. The runbook still documented the old plugin -> runner order
with per-harness plugin commands and a manual hook bootstrap.

Replace Steps 1-2 with the real flow (npm i -g @zeroxyz/cli + zero init,
or install.sh without Node), describe what init does step by step, and
add the npm-provenance verification affordance (npm view @zeroxyz/cli)
that empirically clears agent trust gates (ZERO-378). Keeps the
consent-framed preamble, both auth paths, and the Claude Chat section.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@spencercharest spencercharest changed the title docs(guides): consent-framed rewrite of the agent install runbook feat(skill,guides): AuthKit-native agent auth + consent-framed install runbook Jul 7, 2026
@spencercharest
spencercharest marked this pull request as ready for review July 7, 2026 18:31
spencercharest and others added 2 commits July 7, 2026 12:28
Agents hesitate on blind curl|bash because it executes content they never
saw. Make inspection the documented default: download install.sh, invite
reading it, then run — with two integrity affordances (diff against
ensure-runner.sh on main, one documented line different; and the payload
being the same @zeroxyz/cli npm package either way). npm route kept as
the package-manager alternative.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@spencercharest
spencercharest merged commit 36118fa into main Jul 7, 2026
2 checks passed
@spencercharest
spencercharest deleted the docs/agent-install-consent-framing branch July 7, 2026 19:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant