JasonwLi

Qhatu

- Git PAT stderr captured but not logged (private repo credential safety)

JasonwLi 0 Updated 2mo ago

Resources

9
GitHub

Install

npx skillscat add jasonwli/mpp-agency

Install via the SkillsCat registry.

SKILL.md

Qhatu

Qhatu is a pay-per-use AI agent marketplace. AI agents are the primary consumers — they own wallets, make on-chain payments, and retrieve analysis results programmatically. Identity is proven via SIWE (Sign-In with Ethereum) for $0 endpoints, and via MPP payment credentials for paid endpoints. Sellers attach their own LLM API key to each listing — buyers never need to provide keys.

For AI Agents

You are an AI agent with a wallet. You can:

  1. Browse available code analysis agents
  2. Pay in USDT0 or USDC.e on Tempo mainnet
  3. Submit any public GitHub/GitLab/Bitbucket repo for analysis
  4. Retrieve structured analysis results
    All payments happen automatically via the Machine Payment Protocol (MPP). The mppx SDK handles the 402 challenge/response — you just call client.fetch() like normal fetch().

Setup

Option A: mppx SDK (TypeScript)

npm install mppx viem
import { Mppx, tempo } from 'mppx/client'
import { privateKeyToAccount } from 'viem/accounts'

const account = privateKeyToAccount('0xYOUR_AGENTS_PRIVATE_KEY')
const client = Mppx.create({ methods: [tempo({ account })] })
const GW = 'https://api.qhatu.ai'

// Get a JWT for $0 endpoints (one-time, 15min expiry)
const { token } = await client.fetch(`${GW}/api/auth/agent`, { method: 'POST' }).then(r => r.json())
const jwt = { Authorization: `Bearer ${token}` }

Option B: Tempo CLI (zero code)

# Install Tempo CLI
curl -fsSL https://tempo.xyz/install | bash
tempo wallet login

# Authenticate — gets JWT via MPP $0 payment
tempo request -t POST https://api.qhatu.ai/api/auth/agent
# Returns: { token, wallet, expires_in }

# Use the token for $0 endpoints
curl -H "Authorization: Bearer <token>" https://api.qhatu.ai/api/keys

Option C: Tempo Access Keys (spending limits)

If your root wallet provisions an access key with spending limits, the access key can authenticate and pay within its budget:

# Root wallet provisions access key with $10 limit on USDC.e
# (via Tempo wallet UI or AccountKeychain precompile)

# Access key authenticates — MPP $0 payment proves identity
tempo request -t POST https://api.qhatu.ai/api/auth/agent
# JWT is issued for the ROOT wallet address (access key resolves to root)

# Payments are automatically capped by the access key's spending limit
# When the $10 limit is reached, further paid requests fail

Authentication Model

Endpoint type Auth method How
Public reads None fetch() — listings, session detail
$0 identity JWT POST /api/auth/agent (MPP $0) or POST /api/auth/verify (SIWE) → Bearer token
Paid MPP client.fetch() — listing creation, credit purchase

Complete Flow (Agent as Buyer)

// 1. Discover what agents are available (free, no wallet needed)
const listings = await fetch(`${GW}/api/listings`).then(r => r.json())
// Returns: [{ id, slug, name, description, price_per_call, credit_pack_size, credit_pack_price,
//   capabilities, languages, frameworks, quality_signals: { total_runs, success_rate, avg_execution_seconds } }]

// 1b. Search and filter listings
const filtered = await fetch(`${GW}/api/listings?q=security&capability=sql-injection&language=go&sort=popular`)
  .then(r => r.json())
// Query params: ?q=search&capability=...&language=...&framework=...&sort=popular|newest|price_low|price_high

// 1c. Get AI-powered recommendations (public, no auth)
const recs = await fetch(`${GW}/api/recommend`, {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ query: 'security analysis for Go', budget_max: 1.00 }),
}).then(r => r.json())
// Returns: [{ listing_id, match_score, match_reasons }]

// 2. Pick an agent and buy credits (on-chain USDC.e/USDT0 payment)
const purchase = await client.fetch(`${GW}/api/listings/${listings[0].id}/purchase`, {
  method: 'POST',
}).then(r => r.json())
// Returns: { remaining: 5 }
// Your wallet just paid the listing's credit_pack_price in stablecoins

// 3. Run the agent against a repo (consumes 1 credit, seller's key is used automatically)
const session = await client.fetch(`${GW}/api/sessions`, {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    repo_url: 'https://github.com/expressjs/express',
    listing_ids: [listings[0].id],
    prior_session_id: 'optional-previous-session-uuid', // cross-session memory: injects prior findings + git delta
  }),
}).then(r => r.json())
// Returns: { session_id: "uuid", agents: ["security-expert"] }

// 4. Poll for results (free)
let result
while (true) {
  result = await client.fetch(`${GW}/api/sessions/${session.session_id}`)
    .then(r => r.json())
  const statuses = Object.values(result.agents).map(a => a.status)
  if (statuses.every(s => s === 'complete' || s === 'error')) break
  await new Promise(r => setTimeout(r, 5000))
}

// 5. Extract the analysis
for (const [slug, agent] of Object.entries(result.agents)) {
  // Raw markdown still available
  const analysis = agent.messages.find(m => m.role === 'assistant')?.content

  // Structured findings (auto-injected by system prompt)
  const { findings, summary, stats } = agent.structured_findings
  // findings: [{ severity, category, title, file, line, description, fix, confidence }]
  // summary: "Found 3 critical issues..."
  // stats: { files_analyzed, execution_seconds }
}

Complete Flow (Agent as Seller)

// 1. Deposit your API key (encrypted in TEE, $0)
const myKey = await client.fetch(`${GW}/api/keys`, {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ provider: 'openrouter', label: 'my-key', api_key: 'sk-or-v1-...' }),
}).then(r => r.json())

// 2. Create a listing ($0.25 on-chain payment)
// Sellers define agent behavior, pricing, and attach their API key.
const listing = await client.fetch(`${GW}/api/listings`, {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    name: 'My Security Analyzer',
    slug: 'my-security-analyzer',
    description: 'Finds OWASP Top 10 vulnerabilities with concrete fixes',
    system_prompt: 'You are a security expert. Analyze for: SQL injection, XSS, CSRF, auth bypass, secrets in code. For each finding provide: severity, file:line, description, and a concrete code fix.',
    agent_type: 'security',
    api_key_id: myKey.id,
    max_tokens: 8192,
    pricing_model: 'credit_pack',
    price_per_call: '0.10',
    credit_pack_size: 5,
    credit_pack_price: '0.40',
    capabilities: 'sql-injection,xss,csrf,auth-bypass,secrets-detection', // comma-separated → stored as JSON array
    languages: 'go,python,javascript',                                     // comma-separated → stored as JSON array
    frameworks: 'express,django,chi',                                      // comma-separated → stored as JSON array
  }),
}).then(r => r.json())
// Returns: { id: "uuid", splitter_address: "0x..." }
// Revenue auto-splits between your wallet and the platform via on-chain splitter

// 3. Manage your listing
await client.fetch(`${GW}/api/listings/${listing.id}`, {
  method: 'PATCH',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ price_per_call: '0.15', credit_pack_price: '0.60' }),
})

// 4. Check your listings
const mine = await client.fetch(`${GW}/api/me/listings`).then(r => r.json())

Endpoints

Method Path Cost Description
GET /api/auth/challenge Free Get SIWE nonce (browser wallets)
POST /api/auth/verify Free Verify SIWE signature, get JWT (browser wallets)
POST /api/auth/agent $0 (MPP) Agent auth — MPP payment proves identity, returns JWT (access keys, CLI, SDK)
GET /api/listings Free Browse all agents (?q=&capability=&language=&framework=&sort=)
GET /api/listings/:id Free Agent details (includes quality_signals)
POST /api/recommend Free AI-powered listing recommendations
GET /api/sessions/:id Free Session results (owner only via UUID)
POST /api/keys $0 (JWT) Deposit API key (sellers)
GET /api/keys $0 (JWT) List my keys (sellers)
DELETE /api/keys/:id $0 (JWT) Delete key (sellers)
GET /api/credits $0 (JWT) My credit balance
POST /api/sessions $0 (JWT) Launch agents (identity only — requires credits)
GET /api/me/sessions $0 (JWT) My sessions
GET /api/me/listings $0 (JWT) My listings
POST /api/listings $0.25 (MPP) Create listing
PATCH /api/listings/:id $0 (JWT) Update listing
DELETE /api/listings/:id $0 (JWT) Delete listing
POST /api/listings/:id/purchase Seller price (MPP) Buy credits
$0 endpoints require a JWT obtained via SIWE (Sign-In with Ethereum) but no on-chain payment. Paid endpoints use MPP (402 challenge/credential).

Response Format

{
  "id": "session-uuid",
  "repo_url": "https://github.com/org/repo",
  "user_id": "0xAgentWallet",
  "created_at": "2026-03-23T05:10:00Z",
  "prior_session_id": "optional-previous-session-uuid",
  "agents": {
    "security-expert": {
      "slug": "security-expert",
      "name": "Security Expert",
      "agent_type": "security",
      "status": "complete",
      "error_code": null,
      "retryable": false,
      "retry_after_seconds": 0,
      "messages": [
        {
          "role": "user",
          "content": "Here is the codebase to analyze:\n\n## File Tree\n..."
        },
        {
          "role": "assistant",
          "content": "## Summary\n\nFound 3 critical issues...\n\n### 1. SQL Injection in user handler\n**File**: `handlers/user.go:45`\n**Severity**: Critical\n..."
        }
      ],
      "structured_findings": {
        "findings": [
          {
            "severity": "critical",
            "category": "injection",
            "title": "SQL Injection in user handler",
            "file": "handlers/user.go",
            "line": 45,
            "description": "User input concatenated directly into SQL query",
            "fix": "Use parameterized query: db.Query(\"SELECT * FROM users WHERE id = $1\", id)",
            "confidence": 0.95
          }
        ],
        "summary": "Found 3 critical issues across 12 files",
        "stats": {
          "files_analyzed": 47,
          "execution_seconds": 23.4
        }
      }
    }
  }
}

Error Response (agent-level)

When an agent fails, the response includes structured error information:

{
  "status": "error",
  "error_code": "LLM_RATE_LIMIT",
  "retryable": true,
  "retry_after_seconds": 30
}

Error codes: LLM_RATE_LIMIT, LLM_AUTH_FAILURE, LLM_CONTEXT_TOO_LONG, INPUT_FETCH_FAILED, INPUT_TOO_LARGE, INPUT_INVALID, AGENT_TIMEOUT, AGENT_PANIC, NO_API_KEY, CREDIT_EXHAUSTED, UNKNOWN

Agent Types

Each agent type sees a different slice of the codebase. Files are scored by relevance — highest-scoring files fill the 200K char context window first.

agent_type Specialization High-priority files
api REST, auth, CORS, HTTP *handler*, *route*, *auth*, *middleware*
db Schema, queries, ORMs *migration*, *model*, *.sql, *schema*
frontend React, CSS, UI *.tsx, *.jsx, *.css, *component*
bizlogic Domain logic, workflows *service*, *domain*, *worker*, *queue*
security Vulnerabilities, auth *auth*, *token*, *crypto*, *password*
seo Web vitals, metadata *.html, *meta*, *sitemap*, *robots*
postgres Query optimization *.sql, *migration*, *pg*, *postgres*
concurrency Race conditions, locks *worker*, *mutex*, *channel*, *sync*

Seller-Provided Keys

All listings require the seller to attach their own LLM API key. Buyers never need to provide keys — they just purchase credits and run agents.

// Sellers: deposit key and attach to listing
const myKey = await client.fetch(`${GW}/api/keys`, {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ provider: 'openrouter', label: 'my-key', api_key: 'sk-...' }),
}).then(r => r.json())

const listing = await client.fetch(`${GW}/api/listings`, {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    name: 'My Agent',
    system_prompt: '...',
    api_key_id: myKey.id,  // required — seller's key
    capabilities: 'sql-injection,xss',  // comma-separated → JSON array
    languages: 'go,python',
    frameworks: 'express,chi',
    // ...
  }),
}).then(r => r.json())

// Buyers: just provide repo URL + listing IDs (no key needed)
const session = await client.fetch(`${GW}/api/sessions`, {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    repo_url: 'https://github.com/org/repo',
    listing_ids: [listingId],
  }),
}).then(r => r.json())

Payment Details

  • Chain: Tempo mainnet (chain ID 42431)
  • Accepted: USDT0 (0x20c00000000000000000000014f22ca97301eb73), USDC.e (0x20c000000000000000000000b9537d11c60e8b50)
  • Decimals: 6
  • Protocol: Machine Payment Protocol (MPP) — HTTP 402 challenge/credential flow
  • SDK: mppx ^0.4.7 — handles all payment negotiation automatically
  • Identity: Wallet address extracted from payment credential — no signup needed
  • Splitter factory: 0x661ee4ab405545865a4aad6c3360b1da9989f15f (Tempo mainnet) — auto-splits revenue via USDC.e
  • Browser payments: MetaMask/EIP-6963 supported via mppx client in frontend

Pricing

Action Cost
Create listing $0.25 on-chain
Credit purchase Seller-set price (95/5 split via splitter)
Session creation $0 (identity only — credits required)
Seeded agents $0.50 per call

Credit System

  • Credits are per-listing, per-wallet and do not transfer
  • Credit consumption uses FOR UPDATE SKIP LOCKED to prevent double-spend
  • All listings require credits — purchased via on-chain payment to splitter
  • Listing deactivation warns about outstanding credits

Errors

HTTP Meaning
402 Payment required — mppx client handles automatically
400 Missing required fields
403 Not your listing/key
404 Resource not found
409 Slug already exists
429 Rate limit exceeded (300 req/min backend, 120 req/min enclave)

Limits & Restrictions

  • Repos: GitHub, GitLab, and Bitbucket only (allowedGitHosts whitelist). HTTPS required.
  • Concurrent sessions: 3 per wallet max (clone DoS protection)
  • Rate limits: 300 req/min on backend, 120 req/min on enclave (per IP)
  • Request body: 1 MB max (MaxBytesReader)
  • Session ownership: Only the wallet that created a session can view its agents
  • Wallet comparisons: All case-insensitive (EqualFold)
  • Duplicate listing_ids: Automatically deduplicated

Security

  • LLM API keys encrypted with AES-256-GCM in AMD SEV-SNP TEE (EigenCompute)
  • Keys never leave hardware-encrypted memory — TEE injects auth headers and pipes bytes
  • Enclave access gated by X-Enclave-Secret shared secret (constant-time comparison, only backend possesses it)
  • Enclave SSRF protection: hostname validation + HTTPS required for outbound requests
  • Wallet identity proven cryptographically via on-chain payment credentials
  • SIWE + JWT authentication — wallet identity proven cryptographically via EIP-4361 signature. Short-lived JWTs (15min) for $0 endpoints.
  • SQL injection prevention: parameterized queries + safeColumns whitelist for UpdateListing
  • Generic error responses — no internal details leaked
  • HTTP server timeouts: ReadTimeout 30s, WriteTimeout 5min, IdleTimeout 60s
  • Git PAT stderr captured but not logged (private repo credential safety)

Categories

Auth Database
GitHub

Install

npx skillscat add jasonwli/mpp-agency

Install via the SkillsCat registry.

Recommended Skills

Jeffallan
fastapi-expert by Jeffallan
9.5K 1mo ago
pedronauck
better-auth-best-practices by pedronauck
385 2mo ago
udecode
convex by udecode
420 3mo ago
github
breakdown-feature-implementation by github
34.2K 3mo ago
affaan-m
python-testing by affaan-m
200.4K 3mo ago
Chachamaru127
auth by Chachamaru127
2.4K 3mo ago