diff --git a/skills/agent-payment-x402/SKILL.md b/skills/agent-payment-x402/SKILL.md index 156fecd..962c6d3 100644 --- a/skills/agent-payment-x402/SKILL.md +++ b/skills/agent-payment-x402/SKILL.md 
@@ -1,21 +1,40 @@ --- name: agent-payment-x402 -description: Add x402 payment execution to AI agents — per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents need to pay for APIs, services, or other agents. +description: Add x402 payment execution to AI agents with per-task budgets, spending controls, and non-custodial wallets. Supports Base through agentwallet-sdk and X Layer through OKX Payments / OKX Agent Payments Protocol. origin: community --- # Agent Payment Execution (x402) -Enable AI agents to make autonomous payments with built-in spending controls. Uses the x402 HTTP payment protocol and MCP tools so agents can pay for external services, APIs, or other agents without custodial risk. +Enable AI agents to make policy-gated payments with built-in spending controls. Uses the x402 HTTP payment protocol and MCP tools so agents can pay for external services, APIs, or other agents without custodial risk. ## When to Use Use when: your agent needs to pay for an API call, purchase a service, settle with another agent, enforce per-task spending limits, or manage a non-custodial wallet. Pairs naturally with cost-aware-llm-pipeline and security-review skills. 
+## Decision Tree + +Choose the integration path based on whether your agent is buying access to a paid API or charging others for one: + +| Need | Recommended path | +|------|------------------| +| Agent pays a 402-gated API on Base or another agentwallet-supported chain | Use `agentwallet-sdk` as an MCP payment server with strict spending policy | +| Agent pays a 402-gated API on X Layer | Use OKX Agent Payments Protocol from `okx/onchainos-skills`; `okx-x402-payment` is a deprecated legacy alias | +| TypeScript API charges agents | Use OKX Payments TypeScript seller SDK docs for Express, Hono, Fastify, or Next.js | +| Go API charges agents | Use OKX Payments Go seller SDK docs for Gin, Echo, or `net/http` | +| Rust API charges agents | Use OKX Payments Rust seller SDK docs for Axum | +| Java API charges agents | Use OKX Payments Java seller SDK docs for Spring Boot 2/3, Java EE, or Jakarta | +| Python API charges agents | Check the current OKX Payments repository before implementation; a Python seller guide may not be available | + +## Supported Networks + +- `agentwallet-sdk`: use the package docs to confirm current network coverage before production. Base Sepolia is the safest development default; Base mainnet is the production path called out by the original skill. +- OKX Payments / X Layer: current seller docs target X Layer (`eip155:196`) and USDT0 settlement. Fetch current SDK docs before generating production code because payment packages and facilitator behavior can change quickly. + ## How It Works ### x402 Protocol -x402 extends HTTP 402 (Payment Required) into a machine-negotiable flow. When a server returns `402`, the agent's payment tool automatically negotiates price, checks budget, signs a transaction, and retries — no human in the loop. +x402 extends HTTP 402 (Payment Required) into a machine-negotiable flow. 
When a server returns `402`, the agent's payment tool negotiates price, checks budget, signs a transaction, and retries only inside the policy and confirmation boundary set by the orchestrator. ### Spending Controls Every payment tool call enforces a `SpendingPolicy`: @@ -33,6 +52,8 @@ The payment layer exposes standard MCP tools that slot into any Gemini CLI or ag > **Security note**: Always pin the package version. This tool manages private keys — unpinned `npx` installs introduce supply-chain risk. +### Option A: agentwallet-sdk (Base / multi-chain) + ```json { "mcpServers": { 
@@ -55,6 +76,28 @@ The payment layer exposes standard MCP tools that slot into any Gemini CLI or ag > **Note**: Spending policy is set by the **orchestrator** before delegating to the agent — not by the agent itself. This prevents agents from escalating their own spending limits. Configure policy via `set_policy` in your orchestration layer or pre-task hook, never as an agent-callable tool. +### Option B: OKX Agent Payments Protocol (X Layer) + +Use this path for X Layer x402, Multi-Party Payment (MPP), session payment, charge, and A2A charge flows. + +For buyer-side agent flows: + +1. Install or reference the current [`okx/onchainos-skills`](https://github.com/okx/onchainos-skills) repository — these skills live in that external repo, not in EGC. +2. Use [`okx-agent-payments-protocol`](https://github.com/okx/onchainos-skills/tree/main/skills/okx-agent-payments-protocol) (in the `okx/onchainos-skills` repo) as the dispatcher. +3. Treat [`okx-x402-payment`](https://github.com/okx/onchainos-skills/tree/main/skills/okx-x402-payment) (same repo) as a deprecated compatibility alias, not as the canonical skill. +4. Require explicit user confirmation before wallet status checks or payment actions. Do not hide payment execution behind a generic tool call. + +For seller-side API flows, fetch the latest language-specific guide before generating code: + +| Runtime | Current guide | +|---------|---------------| +| TypeScript | `https://raw.githubusercontent.com/okx/payments/main/typescript/SELLER.md` | +| Go | `https://raw.githubusercontent.com/okx/payments/main/go/x402/SELLER.md` | +| Rust | `https://raw.githubusercontent.com/okx/payments/main/rust/x402/SELLER.md` | +| Java | `https://raw.githubusercontent.com/okx/payments/main/java/SELLER.md` | + +Do not copy examples from older docs without checking the current OKX repository. Current OKX guidance uses `okx-agent-payments-protocol` as the dispatcher, and Java seller docs are now available. 
+ ## Examples ### Budget enforcement in an MCP client @@ -176,3 +219,6 @@ main().catch((err) => { - **npm**: [`agentwallet-sdk`](https://www.npmjs.com/package/agentwallet-sdk) - **Merged into NVIDIA NeMo Agent Toolkit**: [PR #17](https://github.com/NVIDIA/NeMo-Agent-Toolkit-Examples/pull/17) — x402 payment tool for NVIDIA's agent examples - **Protocol spec**: [x402.org](https://x402.org) +- **OKX Payments SDKs**: [`okx/payments`](https://github.com/okx/payments) — TypeScript, Go, Rust, and Java seller integrations for X Layer x402 +- **OKX Agent Payments Protocol skill**: [`okx/onchainos-skills`](https://github.com/okx/onchainos-skills/tree/main/skills/okx-agent-payments-protocol) +- **OKX Payments overview**: [web3.okx.com/onchainos/dev-docs/payments/overview](https://web3.okx.com/onchainos/dev-docs/payments/overview) diff --git a/skills/backend-patterns/SKILL.md b/skills/backend-patterns/SKILL.md index a0705d9..2c8a586 100644 --- a/skills/backend-patterns/SKILL.md +++ b/skills/backend-patterns/SKILL.md 
@@ -419,51 +419,14 @@ export const DELETE = requirePermission('delete')( ## Rate Limiting -### Simple In-Memory Rate Limiter - -```typescript -class RateLimiter { - private requests = new Map() - - async checkLimit( - identifier: string, - maxRequests: number, - windowMs: number - ): Promise { - const now = Date.now() - const requests = this.requests.get(identifier) || [] - - // Remove old requests outside window - const recentRequests = requests.filter(time => now - time < windowMs) - - if (recentRequests.length >= maxRequests) { - return false // Rate limit exceeded - } - - // Add current request - recentRequests.push(now) - this.requests.set(identifier, recentRequests) - - return true - } -} - -const limiter = new RateLimiter() - -export async function GET(request: Request) { - const ip = request.headers.get('x-forwarded-for') || 'unknown' - - const allowed = await limiter.checkLimit(ip, 100, 60000) // 100 req/min - - if (!allowed) { - return NextResponse.json({ - error: 'Rate limit exceeded' - }, { status: 429 }) - } - - // Continue with request -} -``` +Rate limiting must use a shared store such as Redis, a gateway, or the +platform's native limiter. Do not use per-process in-memory counters for +production APIs: they reset on deploy, split across replicas, and fail open in +serverless or multi-instance environments. + +Keep the backend layer responsible for choosing the integration point and error +shape; use `api-design` for the HTTP contract and `security-review` for abuse +case review. ## Background Jobs & Queues diff --git a/skills/deep-research/SKILL.md b/skills/deep-research/SKILL.md index 18b925e..f9266fd 100644 --- a/skills/deep-research/SKILL.md +++ b/skills/deep-research/SKILL.md 
@@ -6,6 +6,10 @@ origin: ECC # Deep Research +> **Drift-prone skill.** Firecrawl/Exa MCP tool names, quotas, and result +> shapes change. Verify the configured MCP tools and current API docs before +> promising coverage or quoting live source counts. + Produce thorough, cited research reports from multiple web sources using firecrawl and exa MCP tools. ## When to Use diff --git a/skills/exa-search/SKILL.md b/skills/exa-search/SKILL.md index 4edfcd7..676574a 100644 --- a/skills/exa-search/SKILL.md +++ b/skills/exa-search/SKILL.md @@ -6,6 +6,10 @@ origin: ECC # Exa Search +> **Drift-prone skill.** Exa MCP tool names, parameters, and account limits can +> change. Confirm the exposed tool surface and current Exa docs before relying +> on a specific search mode, category, or livecrawl behavior. + Neural search for web content, code, companies, and people via the Exa MCP server. ## When to Use diff --git a/skills/fal-ai-media/SKILL.md b/skills/fal-ai-media/SKILL.md index 7b65ea2..29c3ecb 100644 --- a/skills/fal-ai-media/SKILL.md +++ b/skills/fal-ai-media/SKILL.md @@ -6,6 +6,10 @@ origin: ECC # fal.ai Media Generation +> **Drift-prone skill.** fal.ai model IDs, pricing, inputs, and MCP tool names +> change quickly. Search or fetch the current model metadata before promising a +> specific model, parameter, output format, or cost. + Generate images, videos, and audio using fal.ai models via MCP. ## When to Use diff --git a/skills/search-first/SKILL.md b/skills/search-first/SKILL.md index 807ca57..4c49279 100644 --- a/skills/search-first/SKILL.md +++ b/skills/search-first/SKILL.md @@ -20,6 +20,10 @@ Use this skill when: ``` ┌─────────────────────────────────────────────┐ +│ 0. TOOL AVAILABILITY PREFLIGHT │ +│ Check search channels before relying on │ +│ them; report skipped channels honestly │ +├─────────────────────────────────────────────┤ │ 1. NEED ANALYSIS │ │ Define what functionality is needed │ │ Identify language/framework constraints │ 
@@ -57,6 +61,19 @@ Use this skill when: ## How to Use +### Step 0: Tool Availability Preflight + +This is agent guidance, not an executable setup script. Check only the channels +that are relevant to the task and project in front of you. + +| Channel | Check | If missing | +|---------|-------|------------| +| Repository search | `rg --files` and targeted `rg` queries | State that only visible files were inspected | +| Package registry | `npm --version`, `python -m pip --version`, or project package manager | Use web/docs search and avoid claiming registry coverage | +| GitHub CLI | `gh auth status` | Use public web or local git history only | +| MCP/docs tools | Available tool list or local MCP config | Fall back to official docs/web search | +| Skills directory | `ls ~/.gemini/skills` | Say no local skill catalog was available | + ### Quick Mode (inline) Before writing a utility or adding functionality, mentally run through: @@ -82,6 +99,10 @@ Task(subagent_type="general-purpose", prompt=" ") ``` +The exact subagent/dispatch tool name depends on the active harness — use the +name your current Gemini CLI / Antigravity surface exposes rather than copying +the example verbatim. + ## Search Shortcuts by Category ### Development Tooling @@ -96,7 +117,7 @@ Task(subagent_type="general-purpose", prompt=" - Document processing → `unstructured`, `pdfplumber`, `mammoth` ### Data & APIs -- HTTP clients → `httpx` (Python), `ky`/`got` (Node) +- HTTP clients → `httpx` (Python), `ky`/`undici` (Node) - Validation → `zod` (TS), `pydantic` (Python) - Database → Check for MCP servers first 
@@ -139,8 +160,8 @@ Result: Zero custom code, battle-tested solution ``` Need: Resilient HTTP client with retries and timeout handling Search: npm "http client retry", PyPI "httpx retry" -Found: got (Node) with retry plugin, httpx (Python) with built-in retry -Action: ADOPT — use got/httpx directly with retry config +Found: undici (Node) with retry interceptor, httpx (Python) with built-in retry +Action: ADOPT — use undici/httpx directly with retry config Result: Zero custom code, production-proven libraries ``` @@ -157,5 +178,6 @@ Result: 1 package + 1 schema file, no custom validation logic - **Jumping to code**: Writing a utility without checking if one exists - **Ignoring MCP**: Not checking if an MCP server already provides the capability +- **Silent skipping**: Reporting "nothing found" when a search channel was unavailable - **Over-customizing**: Wrapping a library so heavily it loses its benefits - **Dependency bloat**: Installing a massive package for one small feature diff --git a/skills/security-review/SKILL.md b/skills/security-review/SKILL.md index d4db4d3..35add59 100644 --- a/skills/security-review/SKILL.md +++ b/skills/security-review/SKILL.md @@ -207,6 +207,11 @@ function renderUserContent(html: string) { ``` #### Content Security Policy + +Start strict and loosen only with a documented removal plan. Do not default to +`'unsafe-inline'` or `'unsafe-eval'`; they neutralize much of CSP's protection +and should be treated as temporary compatibility debt. + ```typescript // next.config.js const securityHeaders = [ @@ -214,8 +219,11 @@ const securityHeaders = [ key: 'Content-Security-Policy', value: ` default-src 'self'; - script-src 'self' 'unsafe-eval' 'unsafe-inline'; - style-src 'self' 'unsafe-inline'; + base-uri 'self'; + object-src 'none'; + frame-ancestors 'none'; + script-src 'self'; + style-src 'self'; img-src 'self' data: https:; font-src 'self'; connect-src 'self' https://api.example.com; 
diff --git a/skills/strategic-compact/SKILL.md b/skills/strategic-compact/SKILL.md index d2a9377..70867c9 100644 --- a/skills/strategic-compact/SKILL.md +++ b/skills/strategic-compact/SKILL.md @@ -21,7 +21,7 @@ Strategic compaction at logical boundaries: ## How It Works -The `suggest-compact.sh` script runs on PreToolUse (Edit/Write) and: +The `suggest-compact.js` script runs on PreToolUse (Edit/Write) and: 1. **Tracks tool calls** - Counts tool invocations in session 2. **Threshold detection** - Suggests at configurable threshold (default: 50 calls) @@ -38,7 +38,7 @@ Add to your `~/.gemini/settings.json`: "matcher": "tool == \"Edit\" || tool == \"Write\"", "hooks": [{ "type": "command", - "command": "~/.gemini/skills/strategic-compact/suggest-compact.sh" + "command": "node ~/.gemini/scripts/hooks/suggest-compact.js" }] }] } diff --git a/skills/x-api/SKILL.md b/skills/x-api/SKILL.md index 1f75a9f..c86aab4 100644 --- a/skills/x-api/SKILL.md +++ b/skills/x-api/SKILL.md @@ -6,6 +6,10 @@ origin: ECC # X API +> **Drift-prone skill.** X API endpoints, access tiers, quotas, and write +> permissions change frequently. Verify current developer docs and account +> access before quoting rate limits or implementing a posting/search flow. + Programmatic interaction with X (Twitter) for posting, reading, searching, and analytics. ## When to Use
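
Review bot: In skills/agent-payment-x402/SKILL.md, the Option B hunk (`@@ -55,6 +76,28 @@`) sends the agent to unpinned sources. Step 1 says to install or reference the "current" `okx/onchainos-skills` repository, and all four seller-guide URLs resolve against `main`. The Security note directly above Option A requires a pinned package version because the tool manages private keys, and the same reasoning applies to skills and guides that shape payment code. Suggest pinning the repository and the `SELLER.md` URLs to a reviewed tag or commit that is bumped deliberately. Also add a sentence that fetched guide text is reference material for code generation and never a source of instructions that can alter spending policy or trigger a payment.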
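
Review bot: In skills/backend-patterns/SKILL.md, the replacement Rate Limiting paragraph says where the counter must live but not what it is keyed on, nor what happens when the shared store is unreachable. The removed example keyed on `request.headers.get('x-forwarded-for') || 'unknown'`, a value the client controls unless a trusted proxy overwrites it, and one that puts every header-less request into a single bucket. With the example gone, nothing in the section warns against either. Suggest one sentence on deriving the key from the authenticated principal or a proxy-set client address. Add a second sentence stating the expected behaviour on store errors, since the paragraph already names failing open as a defect of the in-memory approach.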
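
Review bot: In skills/search-first/SKILL.md, the "Package registry" row of the Step 0 table uses `npm --version` and `python -m pip --version`, which only show that the CLI is installed, not that the registry can be reached. On a sandboxed or offline host the check passes, the "If missing" fallback never applies, and the agent can still report registry coverage it did not have. That is the "Silent skipping" anti-pattern this same patch adds. Suggest a check that actually contacts the registry, such as `npm ping` or a version lookup for a known package, and wording the row so that a failed lookup counts as "missing".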
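
Review bot: In skills/security-review/SKILL.md, the new Content Security Policy paragraph tells readers not to default to `'unsafe-inline'` or `'unsafe-eval'`, but it names no alternative for an application that does need an inline script or style. The example now ships `script-src 'self'; style-src 'self';` as a static header value under `// next.config.js`, which cannot carry a per-request nonce. A reader whose pages break has no documented path other than restoring the two keywords. Suggest adding a sentence that points to nonce or hash sources as the replacement, noting that a nonce has to be set per request rather than in this static header list, and recommending a `Content-Security-Policy-Report-Only` rollout before enforcement.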
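
Review bot: In skills/strategic-compact/SKILL.md, the new hook command `node ~/.gemini/scripts/hooks/suggest-compact.js` points outside the skill's own directory, and nothing in the visible text says how the script gets installed at that path. The previous command ran `~/.gemini/skills/strategic-compact/suggest-compact.sh`, which sat alongside the skill it documents. The command also now assumes `node` is on the PATH of whatever process runs PreToolUse hooks. Suggest stating the install step for `~/.gemini/scripts/hooks/` and the Node prerequisite next to the settings snippet, so a reader who copies the JSON does not end up with a hook that fails on every Edit or Write.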