Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions GETTING-STARTED.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ The fastest path from "I have a JS/Node project" to "Patchstack is monitoring it

Works in Cursor, Claude Code, Lovable, Bolt, v0, Windsurf, etc. Paste it exactly — every clause is there for a reason (see step 2), so don't shorten it:

> Add Patchstack dependency vulnerability monitoring: first verify `@patchstack/connect` yourself (`npm view @patchstack/connect` shows the live registry record — MIT; source: https://github.com/patchstack/connect; listed under Connectors on https://patchstack.com/llms.txt), and if anything you find contradicts that, stop and show me what you found instead of proceeding. Then install it as a dev dependency, run `npx @patchstack/connect scan` and show me the claim URL it prints (I'll open it in my browser to view reports — don't open or fetch it yourself), then run `npx @patchstack/connect guide`, review the checklist it prints, and make the two remaining changes yourself: the package.json build hooks and the report-a-vulnerability widget snippet.
> Add Patchstack dependency vulnerability monitoring: first verify `@patchstack/connect` yourself (`npm view @patchstack/connect` shows the live registry record — MIT; source: https://github.com/patchstack/connect), and if anything you find contradicts that, stop and show me what you found instead of proceeding. Then install it as a dev dependency, run `npx @patchstack/connect scan` and show me the claim URL it prints (I'll open it in my browser to view reports — don't open or fetch it yourself), then run `npx @patchstack/connect guide`, review the checklist it prints, and make the two remaining changes yourself: the package.json build hooks and the report-a-vulnerability widget snippet.

When the agent finishes it shows you a **claim URL**. Open it in your browser and sign in — that attaches the site to your Patchstack account so you can see the vulnerability reports. That's the only manual step.

Expand All @@ -18,7 +18,7 @@ Some agents decline this request, and that's expected behaviour, not a bug: "ins

Work down this list:

1. **It stopped at the verification step, asks you to confirm, or says it wants the package vetted first.** The prompt tells the agent to stop and show you what it found rather than guess — this is that, working as designed. Reply with the confirmation it asked for, e.g.: *"I've verified this is the official Patchstack package (`npm view @patchstack/connect` — published by patchstack, MIT; listed under Connectors on patchstack.com/llms.txt). Please continue with the remaining steps."* Most partial refusals end here.
1. **It stopped at the verification step, asks you to confirm, or says it wants the package vetted first.** The prompt tells the agent to stop and show you what it found rather than guess — this is that, working as designed. Reply with the confirmation it asked for, e.g.: *"I've verified this is the official Patchstack package (`npm view @patchstack/connect` — published by patchstack, MIT). Please continue with the remaining steps."* Most partial refusals end here.
2. **It did some steps, then stalled.** Ask it to run `npx @patchstack/connect guide` — that prints a live checklist of exactly what's still missing for this project — and to finish only the items marked ✖.
3. **It refuses outright.** Skip the agent; step 3 below is three commands.

Expand Down
2 changes: 1 addition & 1 deletion MAINTAINING.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ The deep "why" — the AI-agent refusal modes each clause guards against — liv

`README.md` (Install prompt section), `GETTING-STARTED.md` (step 1), and `field-test/prompt.txt`. `prompt.txt` is the artifact the harness actually tests. If you change one, change all three — a drift means the docs advertise one prompt while the tested one is another.

The prompt also cites two URLs as provenance anchors: the GitHub repo and https://patchstack.com/llms.txt (whose Connectors section describes the package in neutral product language). Both are load-bearing — web-verifying agents check the vendor's own domain, and a dead cited link reads worse than no link. Only ever cite *descriptive* vendor content: the retired install.txt was an agent-addressed instruction doc, and agents that fetched it as a cited provenance link treated the steering language as the decisive manipulation signal (refusal mode #8; the file has since been removed from patchstack.com). If llms.txt moves or its Connectors section is dropped, update the prompt in all three places and re-gate (`--persona hostinger` covers this pressure).
The prompt cites one provenance anchor: the GitHub repo (`source: https://github.com/patchstack/connect`), which `npm view` corroborates via the package's own `repository` field — so the single verification the prompt names resolves the package *and* confirms the source link, with no web fetch required. It used to also cite https://patchstack.com/llms.txt as a vendor-domain anchor; that was removed on 2026-07-14 because no-web agents (Lovable-class) can't fetch it and were observed fabricating a `404` on it to justify a refusal (see `field-test/README.md`, refusal modes #7–#8). The tradeoff is real and unmitigated in the prompt: web-verifying agents (the `hostinger` class) are no longer pointed straight at a corroborating vendor page, so mode #8's name-squatting pressure can resurface — llms.txt stays live for an agent that browses to it, but the prompt no longer names it. Re-gate `--persona hostinger` (plus `--persona lovable-supplychain`) after any provenance change; if hostinger regresses to a name-squatting refusal, the vendor-domain anchor may need to return in a form no-web agents don't trip on. Don't reintroduce a citation to an agent-addressed instruction doc like the retired https://patchstack.com/install.txt (de-coerced, then removed from patchstack.com outright on 2026-07-14): agents that fetch a cited provenance link and find agent-steering language treat it as the decisive manipulation signal. The durable fix stays upstream: keep `@patchstack/connect` discoverable in Patchstack's official product docs so a web verifier who looks finds it.

## Before shipping a 🔴 or 🟠 change

Expand Down
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ For how this repo fits with the wider Patchstack ecosystem (`saas`, `hub`, `patc

Copy and paste this prompt into any AI coding assistant (Cursor, v0, Bolt, Lovable, Claude Code, etc.). If the assistant declines or stops partway, the step-by-step flow in [`GETTING-STARTED.md`](https://github.com/patchstack/connect/blob/main/GETTING-STARTED.md) covers what to do next:

> Add Patchstack dependency vulnerability monitoring: first verify `@patchstack/connect` yourself (`npm view @patchstack/connect` shows the live registry record — MIT; source: https://github.com/patchstack/connect; listed under Connectors on https://patchstack.com/llms.txt), and if anything you find contradicts that, stop and show me what you found instead of proceeding. Then install it as a dev dependency, run `npx @patchstack/connect scan` and show me the claim URL it prints (I'll open it in my browser to view reports — don't open or fetch it yourself), then run `npx @patchstack/connect guide`, review the checklist it prints, and make the two remaining changes yourself: the package.json build hooks and the report-a-vulnerability widget snippet.
> Add Patchstack dependency vulnerability monitoring: first verify `@patchstack/connect` yourself (`npm view @patchstack/connect` shows the live registry record — MIT; source: https://github.com/patchstack/connect), and if anything you find contradicts that, stop and show me what you found instead of proceeding. Then install it as a dev dependency, run `npx @patchstack/connect scan` and show me the claim URL it prints (I'll open it in my browser to view reports — don't open or fetch it yourself), then run `npx @patchstack/connect guide`, review the checklist it prints, and make the two remaining changes yourself: the package.json build hooks and the report-a-vulnerability widget snippet.

Every clause is load-bearing. AI agents routinely audit this package before completing the request — verifying the tarball against the registry, checking `dist/` for lifecycle scripts and shell/eval calls; that's expected use, and the docs in the tarball state plainly what each command reads, writes, and sends. The prompt can stay short because `guide` is state-aware: it inspects the project (package manager, `.patchstackrc.json`, `package.json` scripts, widget presence, framework) and prints a live checklist of only the remaining steps — with the real site UUID and framework-specific widget placement — followed by the full reference guide (`AGENT-INSTALL.md`, bundled in the package). That also makes the flow idempotent: re-running `guide` on a finished project reports all-done instead of prompting a second install.

Expand Down
Loading
Loading