rule(B-0743)+backlog: desktop admin consent pattern via biometric + small challenge ('I execute, you fingerprint') — new consent-first AI design pattern for admin permission on desktop instead of server

[AceHack]

Summary

Aaron 2026-05-25, after B-0737 zflash shipped + the full day's substrate cascade:

"hey we should save this interaction pattern about human permission excalation being on touch and the extra small challenge as new consent first ai design patterns for admin permisson on desktop instead of server."

Two artifacts in one PR — saving the interaction pattern as substrate so future AIs inherit it:

1. New auto-loading rule at .claude/rules/desktop-admin-consent-via-biometric-plus-small-challenge-i-execute-you-fingerprint.md — future-Otto + Alexa + Riven + Vera + Lior + any future AI inherits the pattern at cold-boot
2. B-0743 backlog row — generalization scope for applying the pattern to other desktop destructive ops

The pattern (4 composing elements)

1. Hardware sanity rails (deterministic; agent CAN'T bypass) — B-0728 substrate
2. Per-run random nonce + explicit-consent token in a SMALL challenge (yes <4-hex> = 8 chars)
3. Biometric PAM at sudo / elevation time (Touch ID / Windows Hello / fprintd; system-level UI the agent CANNOT spoof)
4. Provenance chain (B-0732 Layer 1; captures {tool, nonce, biometric-identity, side-effect})

Desktop vs server design space (rule documents the distinction)

Layer	Server AI consent	Desktop AI consent (THIS PATTERN)
Who's present	No human at action time	Human at keyboard/trackpad
Identity proof	Machine identity (IAM/SPIFFE/OIDC)	Human biometric (Touch ID/Hello/fprintd)
Consent timing	Deploy time + policy time	Action time + per-invocation
Bypass risk	Stolen credentials → full access	Stolen credentials → still need physical biometric

Most current AI-agent ecosystems use server-side patterns EVERYWHERE — including on the operator's desktop. That conflates the contexts. Desktop has physical-presence proof available, cheap, meaningful; using it changes the consent model fundamentally.

What CANNOT substitute for biometric (rule documents)

• Sudoers NOPASSWD (removes all auth)
• Stored password via Keychain (better than NOPASSWD; no physical-presence proof)
• GUI password prompt (replay-able; biometric is Secure-Enclave one-shot)
• Pre-shared secret in env var (agent has access)
• MFA via phone push (cross-device latency; on-device biometric is lower-friction)

Generalization scope — candidate future Z-tools

Each independently shippable + inherits the pattern wholesale: zformat / zwipe / zrotate-creds / zinstall-cert / zsetup-ssh-key / zdb-migrate-prod / zsign-package / zelevate-network / zinstall-cluster (B-0742 composes) / zfork-zeta (B-0741 composes).

Operator UX consistency across all Z-prefixed desktop destructive tools:

$ z<tool>
[sanity output]
type: yes a3f9
> yes a3f9
[Touch ID / Windows Hello / fprintd prompt]
[ op proceeds ]

Composes with

• B-0728 (destructive-tool authoring contract; foundation)
• B-0737 (zflash Mac — empirical anchor; first instance of the pattern)
• B-0738 / B-0739 (zflash Linux + Windows — cross-platform pattern coverage)
• B-0732 (leverage-class safety substrate — provenance chain)
• B-0664 (NCI HC-8 floor — operator authority preserved via biometric)
• .claude/rules/dont-ask-permission.md (agent invokes within authority; biometric IS per-run permission grant)
• .claude/rules/classifier-bypass-research-do-not-deploy-without-zeta-safer-floor.md (biometric INSTALLS safety; not a bypass)
• .claude/rules/glass-halo-bidirectional.md (biometric prompts are system-level UI; visible to operator regardless of terminal)

Closing today's substrate cascade

Today's 2026-05-25 arc — B-0728 destructive-tool authoring contract → B-0743 design-pattern landing. The pattern surfaced operationally in B-0737 zflash; this PR names it as design-pattern substrate so future contributors inherit the discipline without re-discovering it.

Naming-expert review pending

If pattern goes public-surface (talk / blog post / industry presentation), Ilyana (per .claude/skills/naming-expert/SKILL.md) review applies. Current working names documented in the rule body.

Test plan

• Rule auto-loads at cold-boot (new file in .claude/rules/; matches loading-taxonomy)
• Rule cross-references all composing rules + backlog
• B-0743 row has composes_with only B-NNNN row IDs; file paths in related_substrate:
• BACKLOG.md regenerated
• No code changes; substrate-engineering pattern-landing only
• Substrate-honest framing in both rule + row (not perfect; documented trade-offs)
• Empirical anchor (B-0737 zflash) explicitly cited as validation
• Server-side AI consent pattern acknowledged as sibling design space (not competing claim)

🤖 Generated with Claude Code

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[Copilot]

Pull request overview

Adds a new .claude/rules/ rule and a corresponding P2 backlog row capturing a “desktop admin consent” interaction pattern (biometric elevation + small per-run challenge) and its intended generalization scope to future desktop-destructive tools.

Changes:

• Added a new auto-loading rule documenting the biometric + short challenge consent pattern for desktop privileged/destructive operations.
• Added backlog row B-0743 describing the pattern, its composition, and candidate future tools that should inherit it.
• Updated docs/BACKLOG.md to include the new B-0743 entry.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File	Description
docs/backlog/P2/B-0743-desktop-admin-consent-pattern-biometric-plus-small-challenge-i-execute-you-fingerprint-rule-landing-plus-generalization-scope-aaron-2026-05-25.md	New backlog row capturing the pattern + generalization scope; includes cross-references and a candidate-tool table.
docs/BACKLOG.md	Regenerated index entry adding B-0743 under P2.
.claude/rules/desktop-admin-consent-via-biometric-plus-small-challenge-i-execute-you-fingerprint.md	New rule describing the operational consent pattern and when/why it applies.

[AceHack]

Closing as substrate-stale (DIRTY-conflict) per .claude/rules/pr-triage-tiers.md Tier 3 + the discriminator pass below.

Discriminator pass:

• Branch prefix: backlog/ or rule/ (past-Otto-CLI session work) → MINE (the maintainer's 2026-05-26 catch: "this is losing to yourself")
• Substrate state: mergeStateStatus: DIRTY, mergeable: CONFLICTING — branch created 2026-05-25; main has moved ~30 commits since; rebase would need substantial conflict resolution
• Substrate on main: this PR's B-number is NOT on main today (verified via git ls-tree origin/main -- docs/backlog/) — substrate is genuinely missing, not redundant

Disposition: close. The branch content is preserved in git history; re-land path is cherry-pick onto a fresh branch off current main with any ID-collision renumbering needed. This is the same Tier 3 disposition applied to today's #5038 + #5032 (same root cause: 2026-05-25 evening session left ~9 backlog/rule PRs DIRTY when the next morning's iter-5.x + iter-6 work landed and moved main forward).

This close is NOT a punt — it's explicit ownership classification per .claude/rules/fighting-past-self-vs-peer-agent-distinguisher-fix-your-own-coordinate-on-peers-dont-punt-by-default.md (recurrence anchor landed today via #5126). The substrate-honest re-land path is documented; the operator-tax of indeterminate DIRTY state is cleared.