Auth Guard
Enforce a deterministic auth path: one credential source, one helper command path, one startup check, one fallback policy.
Quick Workflow
1. Identify the target service endpoint and current failing flow.
2. Define canonical credential source (env var first, credentials file second).
3. Create/update a helper script in workspace (.pi/) that always injects auth.
4. Add a startup/auth-check command that verifies credentials and endpoint access.
5. Update HEARTBEAT.md or AGENTS.md to require helper usage (ban raw unauthenticated calls).
6. Add explicit fallback behavior for unauthorized states.
Rules to Apply
- Prefer ENV_VAR override, then ~/.config/<service>/credentials.json.
- Never embed secrets in logs, memory notes, or chat responses.
- Never call protected endpoints via raw curl if a helper exists.
- Keep fallback behavior explicit and low-noise.
- Store helper scripts in workspace/.pi/ for easy reuse.
Runtime Requirements
- bash
- curl
- python3

Check once before using this skill:

```bash
command -v bash curl python3 >/dev/null
```
Safety Limits
- Pass only trusted credential paths under ~/.config/<service>/... by default.
- Do not point --cred-file at arbitrary workspace files or unrelated secret stores.
- Keep probe URLs scoped to the target service auth endpoint.
Startup Auth Check Pattern
Run at session start (or before heartbeat loops):
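```bash
# The URL is quoted so the shell does not treat "&" as a background operator.
bash skills/auth-guard/scripts/auth_check.sh \
  --service moltbook \
  --url "https://www.moltbook.com/api/v1/feed?sort=new&limit=1" \
  --env-var MOLTBOOKAPIKEY \
  --cred-file "$HOME/.config/moltbook/credentials.json"
```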
Expected outcomes:
- AUTH_OK → proceed with normal authenticated helper flow.
- AUTH_MISSING or AUTH_FAIL_* → use defined fallback path and record one concise note.
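
A minimal sketch of such a startup check, added here as an example and not the skill's own auth_check.sh. The "api_key" field name, the Bearer header, and the AUTH_FAIL_<http-status> and AUTH_FAIL_NETWORK suffixes are assumptions; the page does not specify them.

```sh
#!/bin/sh
# Added example, not the skill's auth_check.sh. Assumptions: "api_key" JSON field,
# Bearer header, AUTH_FAIL_<http-status> suffix, AUTH_FAIL_NETWORK on no response.

# Accept only credential files under ~/.config/<service>/, with no ".." segments.
trusted_cred_path() (  # $1=service $2=path
  case "$2" in
    *..*) exit 1 ;;
    "$HOME/.config/$1/"*) exit 0 ;;
    *) exit 1 ;;
  esac
)

# Env var first, credentials file second. Prints the secret on stdout for the
# caller to capture (never to a log); returns 1 when no credential is found.
resolve_credential() (  # $1=service $2=env-var-name $3=cred-file
  val=""
  case "$2" in
    ''|[0-9]*|*[!A-Za-z0-9_]*) ;;       # refuse names that are unsafe to eval
    *) eval "val=\${$2:-}" ;;
  esac
  if [ -z "$val" ] && trusted_cred_path "$1" "$3" && [ -r "$3" ]; then
    val=$(python3 -c 'import json,sys
print(json.load(open(sys.argv[1])).get("api_key", ""))' "$3" 2>/dev/null) || val=""
  fi
  [ -n "$val" ] && printf '%s' "$val"
)

# Map an HTTP status to the one status word callers branch on.
classify_status() {
  case "$1" in
    2??) echo AUTH_OK ;;
    *)   echo "AUTH_FAIL_$1" ;;
  esac
}

# Full check: prints exactly one status word and never the credential itself.
auth_check() (  # $1=service $2=url $3=env-var-name $4=cred-file
  if key=$(resolve_credential "$1" "$3" "$4"); then
    # Header is passed on stdin (-H @-) so the secret stays out of the process list.
    code=$(printf 'Authorization: Bearer %s\n' "$key" |
      curl -sS -o /dev/null -w '%{http_code}' --max-time 10 -H @- "$2" 2>/dev/null) ||
      code=NETWORK
    classify_status "$code"
  else
    echo AUTH_MISSING
  fi
)
```

Reading headers from stdin with `-H @-` needs curl 7.55.0 or later. The path check is textual only and does not resolve symlinks.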
Reusable Snippets
Use drop-in policy snippets from:
- references/snippets.md (HEARTBEAT + AGENTS + helper policy blocks)
References
- references/contract.md for the full Keychain Contract pattern
- references/snippets.md for ready-to-paste operational snippets
- references/examples.md for multi-service usage examples (Moltbook, GitHub, Slack)
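Auth Guard
Enforce a deterministic authentication path: one credential source, one helper command path, one startup check, one fallback policy.
Quick Workflow
1. Identify the target service endpoint and the flow that is currently failing.
2. Define the canonical credential source (environment variable first, credentials file second).
3. Create or update a helper script in the workspace (.pi/) that always injects authentication.
4. Add a startup/auth-check command that verifies the credentials and access to the endpoint.
5. Update HEARTBEAT.md or AGENTS.md to require use of the helper script (raw unauthenticated calls are banned).
6. Add explicit fallback behavior for unauthorized states.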
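Rules to Apply
- Prefer the ENV_VAR override, then ~/.config/<service>/credentials.json.
- Never embed secrets in logs, memory notes, or chat responses.
- Never call protected endpoints via raw curl if a helper script exists.
- Keep fallback behavior explicit and low-noise.
- Store helper scripts in workspace/.pi/ for easy reuse.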
Runtime Requirements
Check once before using this skill:

```bash
command -v bash curl python3 >/dev/null
```
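Safety Limits
- By default, pass only trusted credential paths under ~/.config/<service>/...
- Do not point --cred-file at arbitrary workspace files or unrelated secret stores.
- Keep probe URLs scoped to the target service's auth endpoint.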
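Startup Auth Check Pattern
Run at session start (or before heartbeat loops):

```bash
# The URL is quoted so the shell does not treat "&" as a background operator.
bash skills/auth-guard/scripts/auth_check.sh \
  --service moltbook \
  --url "https://www.moltbook.com/api/v1/feed?sort=new&limit=1" \
  --env-var MOLTBOOKAPIKEY \
  --cred-file "$HOME/.config/moltbook/credentials.json"
```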
Expected outcomes:
- AUTH_OK → continue with the normal authenticated helper flow.
- AUTH_MISSING or AUTH_FAIL_* → use the defined fallback path and record one concise note.
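Reusable Snippets
Use the drop-in policy snippets from:
- references/snippets.md (HEARTBEAT + AGENTS + helper policy blocks)
References
- references/contract.md: the full Keychain Contract pattern
- references/snippets.md: ready-to-paste operational snippets
- references/examples.md: multi-service usage examples (Moltbook, GitHub, Slack)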