Add onboarding verification skill #11158
Co-Authored-By: Oz <oz-agent@warp.dev>
I'm starting a first review of this pull request. You can view the conversation on Warp. I completed the review and no human review was requested for this pull request. Powered by Oz
Overview
This PR adds a new local skill for orchestrating logged-out and logged-in Linux Warp onboarding verification through cloud agents.
Concerns
- The authenticated redirect URL construction should require URL-encoding of secret-derived query values before they are embedded in `warp://auth/desktop_redirect`.
- The authenticated flow should not allow routing the secret-bearing redirect URL through a desktop URI handler in a way that places the token in process arguments or shell history.
Security
- The current URI-handler guidance can cause the refresh token to appear in process listings or shell history if the child agent uses a command such as `xdg-open <warp-url>`.
Verdict
Found: 0 critical, 2 important, 0 suggestions
Request changes
| - Trim surrounding whitespace and one pair of surrounding single or double quotes if present. | ||
| - If the secret parses as a URL with a `refresh_token` query parameter, extract that `refresh_token` value and ignore any stale `state` in the secret. | ||
| - Otherwise, treat the trimmed secret as the raw refresh token. | ||
| - Build `warp://auth/desktop_redirect?refresh_token=<normalized-refresh-token>&deleted_anonymous_user=true&state=<current-state>`. |
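Review bot: The Build step on the last line places `<normalized-refresh-token>` and `<current-state>` straight into the query string without requiring percent-encoding, so a value containing `&`, `=`, `+` or `%` would change how the URL parses. Suggest stating that both values are URL-encoded before they are embedded. Separately, the "Otherwise" step means a secret that parses as a URL but has no `refresh_token` parameter is treated as a raw token in its entirety; suggest failing with an error in that case instead of embedding the whole URL as the token.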
| - Otherwise, treat the trimmed secret as the raw refresh token. | ||
| - Build `warp://auth/desktop_redirect?refresh_token=<normalized-refresh-token>&deleted_anonymous_user=true&state=<current-state>`. | ||
| - Do not include `user_uid` unless it is already present in a provided desktop redirect URL; it is not required for this flow. | ||
| - Construct the normalized redirect URL in a private temporary file or clipboard value, paste it into Warp's auth token input or route it through the desktop URI handler, then delete the temporary file immediately after use. |
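Review bot: The last line requires deleting the temporary file after use but gives no matching cleanup for the clipboard, so on the clipboard path the token-bearing URL remains available after login. Suggest adding a step to clear or overwrite the clipboard once the paste completes, and stating what "private" means for the temporary file (owner-only permissions). The "route it through the desktop URI handler" alternative should be dropped unless the text names a mechanism that keeps the URL out of command-line arguments.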
warp:// URL through a desktop URI handler can leak the refresh token if implemented with command-line arguments; restrict this to paste/clipboard or another mechanism that never puts the URL in shell history or process lists.
Updated
No token value is included in the repo or PR comment.
Add explicit guidance for rotating the managed FTUE auth token and handling token-bearing redirect URLs during remote computer-use onboarding verification. Co-Authored-By: Oz <oz-agent@warp.dev>
captainsafia left a comment
Seems good overall! Left a note around cueing the agent to use the "Paste Auth Token" flow for login to avoid it having to parse the redirect URI itself.
Update the onboarding verification skill to explicitly cue cloud agents through Warp's Paste Auth Token UI instead of parsing or routing auth redirects outside of Warp. Co-Authored-By: Oz <oz-agent@warp.dev>
Description
Adds `.agents/skills/onboarding-verification-skill`, a local skill for orchestrating Linux stable Warp first-time onboarding verification in cloud agents.

The skill launches two parallel computer-use cloud agents:
`ONBOARDING_AGENT_FTUE_REFRESH_TOKEN`, verifies authenticated onboarding, runs a terminal command, then opens the avatar/settings path and captures a screenshot showing the logged-in account email

It also documents safe secret handling for authenticated testing, including normalizing a raw refresh token or desktop redirect URL without printing token contents.
https://www.loom.com/share/2660d3b09f7d45429fb5aa8568d97c08
https://www.loom.com/share/b182f96638f74d5ebc9206e7e508f7d1
Linked Issue
ready-to-spec or ready-to-implement.
Testing
- Validated `SKILL.md` frontmatter and required content with a Python check.
- Ran the updated skill with two parallel cloud agents using stable Linux Warp.
- Logged-out run succeeded: reached a usable terminal and ran `echo warp-onboarding-logged-out-ready`.
- Logged-in run succeeded: authenticated via the managed secret, reached a usable terminal, ran `echo warp-onboarding-logged-in-ready`, and captured the avatar/settings email screenshot.
- Logged-in artifacts: `019e3796-3a9c-7846-9bbd-c637ed0b572a`, `019e3796-7966-746b-b453-93bd4976c806`
- I have manually tested my changes locally with `./script/run`
Screenshots / Videos
The logged-in run captured screenshots through onboarding and the post-login settings email step. The sanitized archive artifact is `019e3796-7966-746b-b453-93bd4976c806`.
Agent Mode
CHANGELOG-NONE
Co-Authored-By: Oz oz-agent@warp.dev
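
Added example (not code from this pull request or from Warp): a Python version of the secret normalization the description mentions, with the percent-encoding the review asks for and a log-safe form of the result. The function names and the sample token and state values are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

REDIRECT_BASE = "warp://auth/desktop_redirect"  # path as quoted in the review


def normalize_refresh_token(secret: str) -> str:
    """Return the raw refresh token from a raw-token or redirect-URL secret."""
    s = secret.strip()
    # Remove exactly one pair of matching surrounding quotes, if present.
    if len(s) >= 2 and s[0] == s[-1] and s[0] in "'\"":
        s = s[1:-1]
    try:
        parts = urlsplit(s)
    except ValueError:
        parts = None  # not URL-shaped: fall through to the raw-token case
    if parts and parts.scheme and parts.query:
        # parse_qs percent-decodes, so this is the token itself.
        # Any stale `state` in the stored URL is ignored.
        values = parse_qs(parts.query).get("refresh_token")
        if values:
            return values[0]
    if not s:
        raise ValueError("secret is empty after normalization")
    return s


def build_redirect_url(secret: str, current_state: str) -> str:
    """Build the redirect URL with every query value percent-encoded."""
    query = urlencode({
        "refresh_token": normalize_refresh_token(secret),
        "deleted_anonymous_user": "true",
        "state": current_state,
    })
    return f"{REDIRECT_BASE}?{query}"


def redacted(url: str) -> str:
    """Log-safe form of a redirect URL: same keys, token value replaced."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k == "refresh_token" else v[0])
             for k, v in parse_qs(parts.query).items()]
    return f"{parts.scheme}://{parts.netloc}{parts.path}?{urlencode(pairs)}"


if __name__ == "__main__":
    # Constructed sample secret (not a real token), stored as a quoted URL.
    sample = ('"warp://auth/desktop_redirect'
              '?refresh_token=AMf%2Fconstructed%2Btoken%3D%3D&state=stale"')
    print(redacted(build_redirect_url(sample, "constructed-state")))
```

Only the output of `redacted()` is suitable for logs or PR comments; the value returned by `build_redirect_url()` carries the token.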