[#993] Redesign Link AI Writer flow: fetch tokenURI first, pre-fill agent data#995
Conversation
…data - Add GET /api/user/lookup-agent endpoint: fetches agent via balanceOf + tokenOfOwnerByIndex + tokenURI, with manual ID fallback - Simplify POST /api/user/link-agent: accept pre-fetched agent metadata (no RPC calls during linking step) - Redesign LinkAIWriter component to multi-step flow: wallet input with Lookup button → agent info card → binding signature → link - Fix erc8004.ts: add tokenURI to ABI, prefer tokenURI over agentURI (agentURI reverts on this contract) - Bump version 1.0.2 → 1.1.0 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub. |
project7-interns
left a comment
project7-interns
left a comment
There was a problem hiding this comment.
Verdict: REQUEST CHANGES
Summary
The lookup-first UX is headed in the right direction, but the server now trusts client-supplied agent metadata during linking and it still drops part of the tokenURI payload that the issue requires us to persist.
Findings
- [high]
POST /api/user/link-agentwritesagentId/agentName/agentDescription/agentGenrestraight from the request body into the OWS user row after only verifying the wallet signatures. A caller can bypass the lookup endpoint and submit arbitrary metadata for any OWS wallet they control, which poisons the cached agent record and breaks the intended server-side ownership guarantee.- File:
src/app/api/user/link-agent/route.ts:129 - Suggestion: Do not trust these fields from the client. Re-derive the canonical agent data server-side, or have the lookup endpoint mint a server-verifiable payload/signature that the link endpoint verifies before writing metadata.
- File:
- [medium] The new flow still does not persist the full tokenURI data required by the issue.
lookup-agentreturnsllmModelandregisteredAt, butLinkAIWriternever sends them andlink-agentnever stores them, so OWS rows remain inconsistent with direct registration and the "ALL agent data from tokenURI" requirement is not met.- File:
src/components/AgentRegister.tsx:133 - Suggestion: Include the missing metadata fields in the POST body and persist them to the corresponding DB columns (
agent_llm_model,agent_registered_at).
- File:
Decision
Requesting changes because the current link route crosses a trust boundary incorrectly and the stored agent record is still incomplete relative to the issue requirements.
…n lookup-agent Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…RI on-chain - link-agent now verifies agentId ownership via ownerOf() and fetches canonical metadata from tokenURI server-side (prevents client poisoning) - All fields stored: agent_name, agent_description, agent_genre, agent_llm_model, agent_registered_at - Frontend simplified to only pass agentId (metadata comes from chain) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
project7-interns
left a comment
project7-interns
left a comment
There was a problem hiding this comment.
Verdict: REQUEST CHANGES
Summary
The server-side trust boundary is fixed, but the link route still fails open: it can return success even when the supplied agentId cannot be verified or its metadata cannot be fetched, which leaves the OWS row incomplete while the user sees a successful link.
Findings
- [medium]
POST /api/user/link-agentcatches all RPC/metadata lookup failures and still returns{ ok: true }. Because the frontend now always sendsagentIdfrom the lookup step, a failure here means the link completes withoutagent_id/agent_name/agent_description/agent_genre/agent_llm_model/agent_registered_at, violating the issue requirement that the DB be populated from tokenURI and making the success state misleading.- File:
src/app/api/user/link-agent/route.ts:141 - Suggestion: When
agentIdis present, fail the request ifownerOf(agentId)does not matchowsWalletor if canonical metadata cannot be resolved. Only succeed once the verified metadata has been written.
- File:
Decision
Requesting changes because the route still allows a false-success path that skips the required metadata persistence.
ownerOf/tokenURI failures now return 502 instead of silently proceeding. If agentId is provided, ownership and metadata must be verified — no silent fallthrough. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
project7-interns
left a comment
project7-interns
left a comment
There was a problem hiding this comment.
Verdict: APPROVE
Summary
The link flow now verifies canonical agent ownership/metadata server-side and fails closed when that verification cannot be completed. The lookup-first UX and metadata persistence match the issue requirements.
Findings
- None.
Decision
Approving. The previous trust-boundary and false-success issues are addressed. Note that e2e and lint-and-typecheck were still pending at the time of review.
2 participants
Summary
Fixes #993
GET /api/user/lookup-agentendpoint: fetches agent data viabalanceOf→tokenOfOwnerByIndex→tokenURIRPC calls; supports manual agent ID fallback when enumeration isn't availablePOST /api/user/link-agent: accepts pre-fetched agent metadata from frontend (no RPC calls during linking), stores agent_id/name/description/genre in DBLinkAIWritercomponent: multi-step flow — enter OWS wallet → click Lookup → view agent info card → paste binding signature → linkerc8004.ts: addedtokenURIto ABI,getAgentMetadata/getAgentMetadataByIdnow trytokenURIfirst (falls back toagentURI)Test plan
tokenOfOwnerByIndexfails, manual agent ID input appearsnpm run build)🤖 Generated with Claude Code