space/clickthrough
1
0
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects Releases Wiki Activity

docs(skill): clarify user-owned instance setup responsibilities
All checks were successful
python-syntax / syntax-check (push) Successful in 4s
Details

Browse Source
This commit is contained in:
Luna
2026-04-05 20:35:35 +02:00
parent 3a49560e82
commit 2955426f14
2 changed files with 18 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
TODO.md
View File

@@ -25,3 +25,4 @@
- [x] Require configured exec secret + per-request exec secret header
- [x] Upgrade skill with verify-before-click rules, confidence thresholds, two-phase risky actions, and Spotify playbook
- [x] Add top-level skill section for instance setup + mini API docs
- [x] Clarify user-owned setup responsibilities vs agent responsibilities in skill docs

25
skill/SKILL.md
View File

@@ -7,19 +7,28 @@ description: Control a local computer through the Clickthrough HTTP server using
Use a strict observe-decide-act-verify loop.
## Getting a computer instance (quick setup)
## Getting a computer instance (user-owned setup)
1. Start Clickthrough on the target computer (default: `127.0.0.1:8123`).
2. Expose it to the agent host (LAN/Tailscale/reverse proxy) and note the base URL.
3. Set auth on the target machine:
The **user/operator** is responsible for provisioning and exposing the target machine.
The agent should not assume it can self-install this stack.
### What the user must do
1. Install dependencies and run Clickthrough on the target computer (default bind: `127.0.0.1:8123`).
2. Expose access path to the agent (LAN/Tailscale/reverse proxy) and provide the base URL.
3. Configure secrets on target machine:
- `CLICKTHROUGH_TOKEN` for general API auth
- `CLICKTHROUGH_EXEC_SECRET` for `/exec` calls
4. Verify connectivity from the agent side:
- `GET /health` with `x-clickthrough-token` header
5. Store connection details for reuse:
4. Share connection details with the agent through a secure channel:
- `base_url`
- `x-clickthrough-token`
- `x-clickthrough-exec-secret` (only when using `/exec`)
- `x-clickthrough-exec-secret` (only when `/exec` is needed)
### What the agent should do
1. Validate connection with `GET /health` using provided headers.
2. Refuse `/exec` attempts when exec secret is missing/invalid.
3. Ask user for missing setup inputs instead of guessing infrastructure.
## Mini API map