docs: permission-grant ceremony — the mobile-OS app-permission analog#145
Open
hanwencheng wants to merge 1 commit into
Open
docs: permission-grant ceremony — the mobile-OS app-permission analog#145hanwencheng wants to merge 1 commit into
hanwencheng wants to merge 1 commit into
Conversation
The clearest mental model for AgentKeys is the mobile-OS app-permission system: install -> first-launch permission prompt -> per-permission grant -> OS-enforced at the syscall boundary -> revoke in Settings. This encodes that framing in both the strategy anchor and arch.md. strategy doc (expansive) — new §2.7 "The mobile-OS permission model is the product's spine": - full mobile-OS -> AgentKeys mapping table (install=onboard, first-launch prompt=K11 grant ceremony, syscall enforcement=PreToolUse hook, Settings revoke=cap.revoke) - why it's the spine: (1) consumer pitch without saying "IAM" per §3.4 dual narrative, (2) it's exactly the §3.6 IAM-tool-vs-guarantee distinction — a polite may-I function vs OS syscall interception = the hook, (3) the onboarding ceremony is the product trust moment - consumer permission-category vocabulary (travel/health/relationship/ work memory, payment ≤¥50, IoT control, credential access) arch.md (conservative, additive only) — new §10.7 "Permission-grant ceremony — the mobile-OS analog": - maps the UX onto EXISTING primitives (§10.2 bootstrap, §16.1 AgentKeysScope, §19 cap shape, §22d hooks); introduces no contract / key / wire change - documents the one-step-vs-two-step UX nuance: agent create + scope grant unified into one K11-captured onboarding moment = CLI/UX composition of two existing chain calls, NOT a protocol change - identifies the real gap the analogy exposes: the current flat Scope (services[] + one global read_only + payment-only bounds) can't express per-category grants; records the additive future Scope.grants field as a known bounded extension, explicitly deferred to Phase 4 — no v0 contract change - inline compatibility check: 5 ✅ no-contradiction assertions against §10.2 / §16.1 / §22d / §6.3 / §5 canonical names 78 insertions, 0 deletions — purely additive both files.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Encodes the mobile-OS app-permission model as AgentKeys' core product mental model. You install an app → it asks for permissions at first launch → you grant/deny each → the OS enforces at the syscall boundary → you revoke in Settings. AgentKeys is the same, one layer up, for AI agents. Pure docs PR — additive only (78 insertions, 0 deletions).
The analogy isn't decorative — it crisply explains why hooks (not just MCP tools) are non-negotiable: an app politely calling a "may I use the camera?" function it can skip = IAM tool; the OS intercepting the camera syscall = IAM guarantee = the
PreToolUsehook. That's exactly the §3.6 / §22d distinction, now with a mental model everyone already owns.What changed
docs/agent-iam-strategy.md— new §2.7 (expansive; it's the product spine)PreToolUsehook, Settings revoke=cap.revoke)docs/arch.md— new §10.7 (conservative; additive only)AgentKeysScope, §19 cap shape, §22d hooks). No contract / key / wire change.agent create+ scope grant unified into one K11-captured onboarding moment = CLI/UX composition of two existing chain calls, not a protocol change.Scope(services[]+ one globalread_only+ payment-only bounds) can't express per-category grants ("read-only travel memory AND no health memory AND payment ≤¥50 AND these two IoT devices"). Records the additive futureScope.grantsfield as a known, bounded extension, explicitly deferred to Phase 4. No v0 contract change.Contradictions checked
Per CLAUDE.md architecture-as-source-of-truth policy. The new §10.7 carries its own verified no-contradiction table; the analogy reinforces the existing hooks-first §22d (the hook is the syscall-interception layer) rather than competing with it. Every cross-reference anchor verified to resolve (§10.2, §16.1, §19, §22c.4, §22d, strategy §3.4/§3.6/§3.7).
Test plan
grepconfirms both new sections present + every referenced anchor (§10.2 / §16.1 / §19 / §22d / §3.7) existsgit diff --stat= 78 insertions, 0 deletionsScope.grantsis documented as deferred-and-additive🤖 Generated with Claude Code