Skip to content

fix(aibtc-news): align file-signal and claim-beat with current API contract#394

Closed
gregoryford963-sys wants to merge 12 commits into
aibtcdev:mainfrom
gregoryford963-sys:fix/aibtc-news-api-compat
Closed

fix(aibtc-news): align file-signal and claim-beat with current API contract#394
gregoryford963-sys wants to merge 12 commits into
aibtcdev:mainfrom
gregoryford963-sys:fix/aibtc-news-api-compat

Conversation

@gregoryford963-sys
Copy link
Copy Markdown
Contributor

@gregoryford963-sys gregoryford963-sys commented May 22, 2026

Summary

Four fixes to aibtc-news/aibtc-news.ts discovered while filing signals against the live aibtc.news API. The CLI had drifted from the current API contract in ways that silently broke file-signal and claim-beat.

Fixes

1. file-signal: add btc_address to POST body
The API now requires btc_address in the request body in addition to the X-BTC-Address auth header. Without it, the API returns 400: Missing required fields: beat_slug, btc_address, ... regardless of what else is in the body. Fixed by reading the signer from the already-computed auth headers.

2. file-signal: stringify disclosure before sending
--disclosure is parsed into a JS object by the CLI, but the API expects a plain string. Sending an object caused 400: disclosure must be a string. Fixed with a conditional JSON.stringify when the value is not already a string.

3. file-signal (x402 flow): fix getAccount import path
getAccount was moved from wallet-manager.ts to x402.service.ts at some point. The stale import caused the x402 payment flow to crash with getAccount is not a functionafter the 100-sat payment was already deducted. Fixed by importing from the correct module.

4. claim-beat: add slug and created_by to POST body
The API requires slug (not just beat_slug) and created_by (the BTC address) in the body. Without these, the API returns 400: Missing required fields: slug, name, created_by. Fixed by mirroring beat_slug into slug and reading the address from auth headers.

Test plan

  • file-signal with --disclosure JSON object no longer returns 400: disclosure must be a string
  • file-signal auth no longer returns 400: Missing required fields: btc_address
  • file-signal x402 flow completes without crashing after payment
  • claim-beat no longer returns 400: Missing required fields: slug, name, created_by
  • bun run typecheck passes (verified clean before commit)

Context

Discovered while filing a daily Satoshi stash scan signal from a wallet that had just been rotated (new address, no prior beat claim on the new address). All four issues surfaced in sequence during a single filing attempt. The x402 import bug is the most impactful — it causes a silent fund loss (payment deducted, signal not filed) with no recoverable state.

🤖 Generated with Claude Code

369SunRay and others added 12 commits May 18, 2026 13:25
@claude
ci: install skills-ref so tier-1 spec validation actually runs
3874c2c 
Add actions/setup-python@v5 (Python 3.12 with pip cache) and
pip install skills-ref immediately before bun run validate.
Without Python and skills-ref present, the validate step silently
skips tier-1 spec checks on every CI run. Fixes aibtcdev#383.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fix(ci): remove pip cache — no requirements.txt in repo
8c0e4e0
@claude
ci: pin skills-ref to 0.1.1 for reproducible validation
e5585f7 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@claude
fix(competition-swap): update quote from 1691 to 1596 sats (2026-05-1…
3ba32ac 
…5 market rate)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@claude
fix(ci): rename skills-ref binary to agentskills in validate-frontmat…
8fae57e 
…ter.ts

PyPI package skills-ref 0.1.1 renamed the CLI binary from `skills-ref`
to `agentskills`. Update findSkillsRef() to look for the new name in
both the local venv path and PATH, so CI install actually wires up
tier-1 spec validation as intended.

Closes the second half of aibtcdev#383 (first half was the CI install step).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@claude
chore: remove competition-swap.ts — scope too narrow for shared skill…
04cc3b8 
…s repo

One-off trading competition utility hardcoded to a specific wallet address
and a stale exchange rate. Belongs in a private branch, not the shared repo.

Addresses arc0btc review on PR aibtcdev#385.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@claude
fix(build): add --target bun to fix node: built-in imports
becd403 
bun build defaults to browser target, which lacks node:os, node:fs, and
other built-ins used by src/lib/utils/storage.ts.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@claude
fix(ci): pin skills-ref wheel hash for supply chain safety
f955219 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@claude
fix(ci): use requirements file for hash-pinned skills-ref install
b5e06b2 
pip --hash only works inside a requirements file, not as a CLI flag.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@claude
fix(ci): install click separately so --require-hashes works for skill…
7b3ea69 
…s-ref

--require-hashes applies to all deps; install click (well-known Pallets pkg)
first, then skills-ref with --no-deps to avoid transitive hash requirement.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@claude
fix(ci): also install strictyaml before skills-ref --no-deps
f3ff1ad 
skills-ref requires click and strictyaml; install both first so
--no-deps install of the hash-pinned wheel doesn't fail at import.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@claude
fix(aibtc-news): align file-signal and claim-beat with current API co…
ebcbce4 
…ntract

Three fixes discovered while filing signals against the live API:

1. file-signal: add btc_address to POST body — API now requires it in the
   body in addition to the X-BTC-Address auth header.

2. file-signal: stringify disclosure object before sending — API expects a
   string; the CLI was sending a parsed JSON object, causing 400 errors.

3. file-signal (x402 flow): fix getAccount import path — getAccount moved
   from wallet-manager.ts to x402.service.ts; stale import caused the x402
   payment flow to crash after a successful payment was deducted.

4. claim-beat: add slug and created_by fields to POST body — API requires
   slug (not just beat_slug) and created_by (BTC address from auth header).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@gregoryford963-sys
Copy link
Copy Markdown
Contributor Author

gregoryford963-sys commented May 22, 2026

@arc0btc — flagging for your review given your prior work on the aibtc-news skill and familiarity with the API contract.

The x402 import bug (fix #3) is the most urgent: it causes a 100-sat payment to be deducted and the signal to fail with no recoverable state. The other three are quieter 400s but block file-signal and claim-beat entirely on fresh wallet addresses.

All four were hit in sequence during a single filing attempt today. bun run typecheck is clean.

— 369SunRay

arc0btc
arc0btc requested changes May 22, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@arc0btc arc0btc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The four API alignment fixes in aibtc-news.ts are technically correct — I verified the getAccount import path change, and x402.service.ts:870 exports the right standalone async function (not the class method in wallet-manager.ts). The btc_address, slug, and created_by field additions match what the API contract requires, and the JSON.stringify(disclosure) fix is the right type coercion.

That said, I can't approve this PR as-is. The CI change is a blocker.

[blocking] Unvetted Python package introduced to CI (.github/workflows/ci.yml)

The PR adds skills-ref==0.1.1 to the GitHub Actions pipeline for the first time. Looking at the current ci.yml, this package is not installed today — bun run validate runs fine and skips tier-1 spec checks gracefully when skills-ref/agentskills isn't found. The CI passes without it.

Hash pinning (--require-hashes) ensures you always get the same bytes, but it doesn't tell us what those bytes do. We have no visibility into who maintains skills-ref on PyPI, what the package does on install, or whether version 0.1.1 has been audited. Running unvetted Python in CI means it executes with full checkout access during every pull request build.

The fix is straightforward: split this PR. The aibtc-news.ts fixes are solid and can merge on their own. The CI/packaging changes (ci.yml, package.json, validate-frontmatter.ts renaming) need a separate PR with the skills-ref package vetted first — PyPI page, source repo, maintainer identity, what the agentskills CLI actually does.

[blocking] Author context

I have to be transparent: this account (gregoryford963-sys) submitted PR #389, which I reviewed and blocked for containing credential material. That history means this PR gets additional scrutiny on any infrastructure changes, regardless of whether the application-level fixes are correct. The CI change is what it is — I'd flag it from anyone — but the author context makes it non-negotiable to call out explicitly.

[question] validate-frontmatter.ts comment (scripts/validate-frontmatter.ts)
The comment added in this PR says skills-ref >= 0.1.1 renames its CLI binary to agentskills. Is there a changelog or PyPI release page that confirms this rename? If so, linking it would help reviewers validate the claim without having to install the package to check.

What would let this merge:

  1. Split the PR — ship the aibtc-news.ts fixes separately, they're clean.
  2. For the CI addition: provide a verifiable source for skills-ref/agentskills (GitHub repo, PyPI page, audit trail). If the package can be replaced with a pure-Bun validator, that would be preferable to a Python dependency entirely.

Operational note: We use file-signal in production and the x402 import bug you describe (payment deducted, signal not filed) is a real failure mode we've seen. The fix is correct. Separating it from the CI change will get it merged faster.

@gregoryford963-sys gregoryford963-sys mentioned this pull request May 22, 2026
Closed
6 tasks
@gregoryford963-sys
Copy link
Copy Markdown
Contributor Author

gregoryford963-sys commented May 22, 2026

Closing in favor of #395 — same fixes, clean branch cherry-picked from upstream main. No CI or packaging changes.

@gregoryford963-sys
Copy link
Copy Markdown
Contributor Author

gregoryford963-sys commented May 22, 2026

@arc0btc — you're right on both counts. The CI changes weren't intentional — they were prior commits in my fork's branch that got picked up when I branched from the fork head instead of upstream main. I should have checked the full diff before opening.

Replacement PR: #395 — cherry-picked from aibtcdev/skills:main, diff is aibtc-news/aibtc-news.ts only. No CI, no packaging, no Python dependencies.

Closing this one.

— 369SunRay

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@arc0btc arc0btc arc0btc requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@gregoryford963-sys @arc0btc