docs(skills): align NyxID skill with CLI + deterministic AI flow rules #679
Draft
ctkm-aelf wants to merge 1 commit into
…lows

Two reported failure modes drove this sweep:

1. Wizard-bypass bias — examples were leading agents to add `--output json` to wizard-capable create/rotate commands, which silently disables the browser wizard and dumps secrets to stdout.
2. Edit-vs-create intent miscapture — agents kept calling `nyxid api-key create` when users asked to update an existing key, partly because the skill never told them to list-first and partly because "API key" is overloaded (NyxID `nyxid_ag_…` agent key vs third-party downstream credential).

Also fixes 7 HIGH-severity drifts agents would hit verbatim: `channel-bot route` flag renames (`--bot` → `--bot-id`, `--agent` → `--agent-key-id`), phantom `nyxid keys create`, positional → flag fixes for `service add-ssh --label` and `node credentials add --service`, and removes claim that `nyxid api-key update --rate-limit-per-second` exists.

Adds new reference for previously-undocumented surfaces: `service-account`, `developer-app`, `endpoint`, `external-key`, `node docker`, `info`/`repo`/`telemetry`.

Pins canonical node-setup paths via a same-machine-vs-split × catalog-vs-custom decision matrix.

Verified across three independent reviews including a fresh-reader usability test of 8 user flows (all PASS).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

The `skills/nyxid/` bundle had drifted from the actual `nyxid` CLI in ways that would cause AI agents to fail silently or take wrong paths. This PR is a deliberate sweep to:

- … `cli/src/cli.rs`.
- … `--output json` to wizard-capable create/rotate commands, which silently skips the browser wizard and dumps secrets to stdout.
- … `nyxid api-key create` when users asked to update an existing key. Partly because the skill never told them to list-first, partly because "API key" is overloaded (NyxID `nyxid_ag_…` agent key vs third-party downstream credential).
- `service-account`, `developer-app`, `endpoint`, `external-key`, `node docker`, `info`/`repo`/`telemetry` were not covered anywhere in the skill.

Highlights

- `SKILL.md` — rewrote "Working Rules" into two subsections: "Capture user intent before acting" (list-first, edit-vs-create, `api-key` vs `external-key` disambiguation) and "CLI invocation defaults" (wizard is the default, `--no-wait --output json` for headless agents, scripted-flag exceptions narrowed).
- `references/services.md` — added a 7-step "Quick reference for AI agents (deterministic flow)" at the top so agents don't have to derive the path from prose.
- `references/managing.md` — new "Capturing user intent: edit vs. create" section with a 10-row "Edits agents commonly mistake for create" table mapping wrong invocations to right ones. Added new `nyxid endpoint` and `nyxid external-key` reference sections.
- `references/nodes.md` — replaced ambiguous setup guidance with a 3-case decision matrix (same machine + catalog → `credentials setup`; same machine + custom → two-step; different machines → admin runs `service add --via-node`, operator runs `credentials add`).
- `references/accounts.md` (new) — full `nyxid service-account` and `nyxid developer-app` reference plus a "which identity to pick" decision table.
- `channel-bot route create` flag renames (`--bot` → `--bot-id`, `--agent` → `--agent-key-id`), phantom `nyxid keys create` removed, positional → flag fixes for `service add-ssh --label` and `node credentials add --service`, removed false claim that `nyxid api-key update --rate-limit-per-second` exists (rate limits are set via web UI / raw HTTP).
- `--output json` added to read commands (`list`, `show`, `discover`, `status`); deliberately NOT added to wizard-capable creates/rotates as a default (only as labeled "scripted escape hatch" with warnings).

Verification

Three independent sub-agent reviews:

- … `nyxid …` invocation in the docs against `cli/src/cli.rs` clap definitions. Found 7 HIGH drifts; all fixed in this PR.

Net change: 542 insertions / 121 deletions across 9 modified files + 1 new file (`references/accounts.md`).

Test plan

- `nyxid channel-bot route create --bot-id … --agent-key-id …` parses and creates a route
- `nyxid service add-ssh --label … --host …` parses (was previously documented with positional label)
- `nyxid node credentials add --service … --header …` parses (was previously documented as positional slug)
- `nyxid service-account create --name … --scopes "…"` opens the wizard by default
- `nyxid api-key create --no-wait --output json` returns the pairing handoff JSON; `nyxid pairing resume <id>` completes the flow
- … `nyxid api-key create`
- … `nyxid service rotate-credential` (not `nyxid api-key rotate`)

🤖 Generated with Claude Code
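
A docs lint for the drift classes this description lists (wizard bypass via `--output json`, the renamed `channel-bot route` flags, the phantom `nyxid keys create`, the nonexistent rate-limit flag), as an added example that is not part of the PR or the NyxID project. The names `lint_command` and `lint_docs`, the sample lines, and the rule that any subcommand path containing `create` or a `rotate` verb is wizard-capable are assumptions made for this illustration.

```python
import re
import shlex

# Assumption: a subcommand path containing create/rotate* is wizard-capable.
WIZARD_VERB = re.compile(r"^(create|rotate(-[\w-]+)?)$")
RENAMED = {"--bot": "--bot-id", "--agent": "--agent-key-id"}  # from the PR text

def lint_command(line):
    """Return findings for one documented `nyxid` command line."""
    try:
        tokens = shlex.split(line.strip().removeprefix("$ "))
    except ValueError:  # unbalanced quotes: not a parseable command
        tokens = []
    if not tokens or tokens[0] != "nyxid":
        return []
    sub = []
    for tok in tokens[1:]:  # leading non-flag tokens form the subcommand path
        if tok.startswith("-"):
            break
        sub.append(tok)
    flags = {t.split("=", 1)[0] for t in tokens if t.startswith("--")}
    json_out = "--output=json" in tokens or ("--output", "json") in zip(tokens, tokens[1:])
    findings = []
    if sub[:2] == ["keys", "create"]:
        findings.append("phantom command: nyxid keys create")
    if sub[:2] == ["channel-bot", "route"]:
        findings += [f"renamed flag: {old} -> {new}"
                     for old, new in RENAMED.items() if old in flags]
    if sub[:2] == ["api-key", "update"] and "--rate-limit-per-second" in flags:
        findings.append("nonexistent flag: --rate-limit-per-second")
    if (any(WIZARD_VERB.match(s) for s in sub) and json_out
            and "--no-wait" not in flags):
        findings.append("wizard bypass: --output json without --no-wait")
    return findings

def lint_docs(text):
    """Map 1-based line numbers to findings for every flagged line."""
    return {n: f for n, line in enumerate(text.splitlines(), 1)
            if (f := lint_command(line))}

# Constructed sample standing in for a skill reference file.
SAMPLE = """\
nyxid api-key create --no-wait --output json
nyxid pairing resume <id>
nyxid api-key create --output json
nyxid channel-bot route create --bot … --agent …
nyxid keys create
nyxid api-key update --rate-limit-per-second …
"""
```

Calling `lint_docs(SAMPLE)` flags lines 3 to 6 and leaves the headless `--no-wait --output json` form and `pairing resume` alone.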