docs: sync auth model across changelog, security, and guides#9
Conversation
Update all docs that describe the initialize handshake or credentials flow to reflect the new agent-managed auth model: CHANGELOG entry, SECURITY.md wording fix (no longer 'no own auth'), an ACP Handshake section in ARCHITECTURE.md, a no-editor-key note in DEVELOPMENT.md, and a new Authentication/credentials troubleshooting entry.
There was a problem hiding this comment.
Code Review
This pull request updates the project's documentation (including the changelog, security policy, architecture, development, and troubleshooting guides) to reflect the new ACP Registry compatibility and agent-managed authentication handshake. The feedback points out a contradiction in the troubleshooting guide regarding overriding the API key without modifying config.json, suggesting that the environment variable ZCODE_API_KEY should be used instead of the provider config.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
|
|
||
| 2. If the file is missing or the key is stale, **install and log into the ZCode desktop app** — it writes a fresh `config.json` with a valid enabled provider. There is no manual API-key configuration in the editor. | ||
|
|
||
| 3. If you need to override the key/base URL without touching `config.json`, set `ZCODE_BASE_URL` and provide the key via the provider config (see `src/backend/credentials.ts` for the merge order). |
There was a problem hiding this comment.
There is a contradiction in this step: it mentions overriding the key/base URL without touching config.json, but then instructs to provide the key via the provider config (which is config.json). It should instead specify providing the key via environment variables (such as ZCODE_API_KEY).
| 3. If you need to override the key/base URL without touching `config.json`, set `ZCODE_BASE_URL` and provide the key via the provider config (see `src/backend/credentials.ts` for the merge order). | |
| 3. If you need to override the key/base URL without touching config.json, set the ZCODE_BASE_URL and ZCODE_API_KEY environment variables (see src/backend/credentials.ts for the merge order). |
Summary
Follow-up to #8 (which merged the code change). That PR's second commit — syncing the docs to the new agent-managed auth model — did not make it through the squash merge. This PR re-applies those documentation updates so every doc that describes the `initialize` handshake or credentials flow is consistent with the advertised `authMethods`.
Changes
Why
The auth model is a user-perceivable behaviour change ("no API key config needed in the editor"). Without these doc updates, CHANGELOG is silent on it, SECURITY.md reads as contradictory, and users hitting a 401 have no troubleshooting entry to follow.
Verification