diff --git a/TODO.md b/TODO.md index ccfeedd..bc40182 100644 --- a/TODO.md +++ b/TODO.md @@ -25,3 +25,4 @@ - [x] Require configured exec secret + per-request exec secret header - [x] Upgrade skill with verify-before-click rules, confidence thresholds, two-phase risky actions, and Spotify playbook - [x] Add top-level skill section for instance setup + mini API docs +- [x] Clarify user-owned setup responsibilities vs agent responsibilities in skill docs diff --git a/skill/SKILL.md b/skill/SKILL.md index 1f507e0..a835797 100644 --- a/skill/SKILL.md +++ b/skill/SKILL.md 
@@ -7,19 +7,28 @@ description: Control a local computer through the Clickthrough HTTP server using Use a strict observe-decide-act-verify loop. -## Getting a computer instance (quick setup) +## Getting a computer instance (user-owned setup) -1. Start Clickthrough on the target computer (default: `127.0.0.1:8123`). -2. Expose it to the agent host (LAN/Tailscale/reverse proxy) and note the base URL. -3. Set auth on the target machine: +The **user/operator** is responsible for provisioning and exposing the target machine. +The agent should not assume it can self-install this stack. + +### What the user must do + +1. Install dependencies and run Clickthrough on the target computer (default bind: `127.0.0.1:8123`). +2. Expose access path to the agent (LAN/Tailscale/reverse proxy) and provide the base URL. +3. Configure secrets on target machine: - `CLICKTHROUGH_TOKEN` for general API auth - `CLICKTHROUGH_EXEC_SECRET` for `/exec` calls -4. Verify connectivity from the agent side: - - `GET /health` with `x-clickthrough-token` header -5. Store connection details for reuse: +4. Share connection details with the agent through a secure channel: - `base_url` - `x-clickthrough-token` - - `x-clickthrough-exec-secret` (only when using `/exec`) + - `x-clickthrough-exec-secret` (only when `/exec` is needed) + +### What the agent should do + +1. Validate connection with `GET /health` using provided headers. +2. Refuse `/exec` attempts when exec secret is missing/invalid. +3. Ask user for missing setup inputs instead of guessing infrastructure. ## Mini API map
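Review bot: In the new "What the agent should do" list in skill/SKILL.md, step 2 ("Refuse `/exec` attempts when exec secret is missing/invalid") asks the agent to judge validity, but the agent can only tell whether a secret was provided; whether it is valid is something the server decides. Suggest rewording to something like "Do not call `/exec` unless an exec secret was provided; if the server rejects it, stop and ask the user instead of retrying", which also lines up with step 3. Two smaller documentation gaps in "What the user must do": step 4 replaces the old "Store connection details for reuse" step without saying how the agent should hold `x-clickthrough-token` and `x-clickthrough-exec-secret` once they have been shared, and "secure channel" is left undefined. Step 2 lists LAN exposure next to a default bind of `127.0.0.1:8123` without saying whether the bind address is expected to change or whether the two secret headers need TLS in transit; a sentence on each would make the user-owned responsibilities concrete.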