Skip to content

docs: sync auth model across changelog, security, and guides#9

Merged
william0wang merged 1 commit into
mainfrom
feat/acp-registry-support
Jul 6, 2026
Merged

docs: sync auth model across changelog, security, and guides#9
william0wang merged 1 commit into
mainfrom
feat/acp-registry-support

Conversation

@william0wang

Copy link
Copy Markdown
Owner

Summary

Follow-up to #8 (which merged the code change). That PR's second commit — syncing the docs to the new agent-managed auth model — did not make it through the squash merge. This PR re-applies those documentation updates so every doc that describes the `initialize` handshake or credentials flow is consistent with the advertised `authMethods`.

Changes

File Change
`CHANGELOG.md` `[Unreleased]`: `### Added` — `authMethods` declaration + registry assets; `### Changed` — removed `agentCapabilities.auth: {}`
`SECURITY.md` Rewrote "no own auth" → accurate: "does not implement its own auth logic; advertises an agent-type `authMethods` entry and reads the GLM key from `config.json`"
`docs/ARCHITECTURE.md` New ACP Handshake section: documents the full `initialize` response shape (protocolVersion / agentInfo / agentCapabilities / authMethods) and why it passes the registry CI's isolated-HOME auth check
`docs/DEVELOPMENT.md` Config-check note: bridge reads the key itself, no editor-side API key required
`docs/TROUBLESHOOTING.md` New Authentication / credential errors (401) entry: symptom, root cause (missing/stale `config.json`), fix (install + log into the ZCode desktop app)

Why

The auth model is a user-perceivable behaviour change ("no API key config needed in the editor"). Without these doc updates, CHANGELOG is silent on it, SECURITY.md reads as contradictory, and users hitting a 401 have no troubleshooting entry to follow.

Verification

  • `pnpm build` — clean
  • `pnpm test` — 100/100 passing
  • Rebased onto latest `main` (`453ee8d`); no conflicts

Update all docs that describe the initialize handshake or credentials flow
to reflect the new agent-managed auth model: CHANGELOG entry, SECURITY.md
wording fix (no longer 'no own auth'), an ACP Handshake section in
ARCHITECTURE.md, a no-editor-key note in DEVELOPMENT.md, and a new
Authentication/credentials troubleshooting entry.
@william0wang william0wang merged commit 1e6ec62 into main Jul 6, 2026
1 check passed
@william0wang william0wang deleted the feat/acp-registry-support branch July 6, 2026 01:29

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the project's documentation (including the changelog, security policy, architecture, development, and troubleshooting guides) to reflect the new ACP Registry compatibility and agent-managed authentication handshake. The feedback points out a contradiction in the troubleshooting guide regarding overriding the API key without modifying config.json, suggesting that the environment variable ZCODE_API_KEY should be used instead of the provider config.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread docs/TROUBLESHOOTING.md

2. If the file is missing or the key is stale, **install and log into the ZCode desktop app** — it writes a fresh `config.json` with a valid enabled provider. There is no manual API-key configuration in the editor.

3. If you need to override the key/base URL without touching `config.json`, set `ZCODE_BASE_URL` and provide the key via the provider config (see `src/backend/credentials.ts` for the merge order).

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

There is a contradiction in this step: it mentions overriding the key/base URL without touching config.json, but then instructs to provide the key via the provider config (which is config.json). It should instead specify providing the key via environment variables (such as ZCODE_API_KEY).

Suggested change
3. If you need to override the key/base URL without touching `config.json`, set `ZCODE_BASE_URL` and provide the key via the provider config (see `src/backend/credentials.ts` for the merge order).
3. If you need to override the key/base URL without touching config.json, set the ZCODE_BASE_URL and ZCODE_API_KEY environment variables (see src/backend/credentials.ts for the merge order).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant