diff --git a/src/pages/docs/app-store.astro b/src/pages/docs/app-store.astro index f433d74b..1391e8b2 100644 --- a/src/pages/docs/app-store.astro +++ b/src/pages/docs/app-store.astro @@ -224,9 +224,11 @@ ipc.Serve(ctx, conn, d) // on the --socket the daemon su diff --git a/src/pages/docs/consent.astro b/src/pages/docs/consent.astro index 26330eba..9cd87b0a 100644 --- a/src/pages/docs/consent.astro +++ b/src/pages/docs/consent.astro @@ -163,8 +163,9 @@ const bodyContent = `

Consent & Privacy Controls

What you're accepting: The injector fetches content at runtime from the public TeoSlayer/pilot-skills repository and writes it to your agent's config directory. In auto mode, this happens every 15 minutes. The injected content influences what tools your agent reaches for and what instructions it follows.

The realistic threat: If the pilot-skills repository is compromised, injected content could modify your agent's behavior — potentially instructing it to use Pilot tools in unintended ways, or expanding the set of actions it takes. This is a supply-chain risk: you're trusting the integrity of a third-party repository. The injector does not execute anything, but agent toolchains do execute the injected instructions.

-

Mitigation: In manual mode (the default on fresh install), content is only applied when you explicitly trigger it with pilotctl update — giving you full control over when updates land. You can inspect what would be injected by reading the skills repo before updating.

+

Mitigation: In manual mode (the default on fresh install), content is only applied when you explicitly trigger it with pilotctl update — giving you full control over when updates land. Before triggering, pilotctl skills status shows every managed file, its current state, the exact action the next update would take, and a content hash — so nothing changes without you seeing it coming. pilotctl skills paths lists every file the injector manages, and the content itself is a public repo you can read line by line.

Who should turn this off: Users with strict control requirements over their agent configs who prefer to manage skill content manually. Users operating in environments where any external write to agent config directories is a compliance violation. Users who have already managed their CLAUDE.md and don't want it modified.

+

What you lose if you turn it off: Your agents stop knowing Pilot exists. Every new session starts blind — no specialist directory, no pilot-director, no app-store awareness — and falls back to web_search and curl for live data. As the network grows (new specialists, new apps), disabled agents never find out. If your concern is change control rather than injection itself, manual mode keeps the capability while guaranteeing nothing updates until you run pilotctl update yourself — that's the trade most control-conscious users actually want.

Three modes — choose your risk / convenience trade-off

@@ -192,9 +193,13 @@ const bodyContent = `

Consent & Privacy Controls

Commands

-
# Check current mode, see which files are managed and their paths
+  
# Preview: current mode, every managed file, its state, the action the
+# next update would take, and a content hash — see changes before they land
 pilotctl skills status
 
+# List every file the injector manages
+pilotctl skills paths
+
 # Switch to auto — skills reconcile every 15 minutes in the background
 pilotctl skills set-mode auto
 
@@ -272,8 +277,8 @@ pilotd -sandbox -sandbox-dir /opt/pilot-data \\
   description="Four features ship on by default in Pilot Protocol: telemetry, broadcasts, reviews, and skill injection. Risk profiles, benefits, and opt-out commands for each."
   activePage="consent"
   canonicalPath="/docs/consent"
-  prev={{ label: "App Store", href: "/docs/app-store" }}
-  next={{ label: "Trust & Handshakes", href: "/docs/trust" }}
+  prev={{ label: "MCP Setup", href: "/docs/mcp-setup" }}
+  next={{ label: "Security", href: "/docs/security" }}
 >