This file is the primary review context for AI coding agents, including Vercel Agent Code Review. Use it to understand project-specific conventions, production constraints, and common failure modes.
Agentbot now includes two powerful systems inspired by Oh My OpenAgent:
Located in web/app/lib/hashline/, this system prevents stale-line errors by using content hashes instead of line numbers.
Usage for Agents:
// Read file with hashes
import { readWithHashes, formatWithHashes, applyEdit } from '@/app/lib/hashline'
const lines = readWithHashes('/path/to/file.ts')
const formatted = formatWithHashes(lines)
// Output: "12#A3| import { x } from 'y'"
// Apply edit by hash (fails if file changed)
applyEdit('/path/to/file.ts', '12#A3', 'import { z } from "y"')API Endpoints:
GET /api/hashline?path=/path/to/file.ts— Read file with hashesPOST /api/hashline— Apply edit by hash reference
Format: lineNumber#hash| content
Example: 15#B7| const x = 5
Located in web/app/lib/init-deep.ts, generates scoped context files throughout the project.
Usage:
# Generate AGENTS.md for all key directories
curl -X POST /api/init-deep
# Check which directories have AGENTS.md
curl /api/init-deep/status
# Dry run to see what would be generated
curl -X POST /api/init-deep -d '{"dryRun":true}'Scoped Context: Each major directory has its own AGENTS.md with:
- Key files and their purposes
- Directory-specific conventions
- Local dependencies and exports
- Links to parent context
agentbot/
├── web/ # Next.js frontend and API routes
│ ├── app/ # App Router pages and route handlers
│ │ ├── api/ # API routes (see web/app/api/AGENTS.md)
│ │ ├── lib/ # Utilities (see web/app/lib/AGENTS.md)
│ │ │ └── hashline/ # Content-addressed editing system
│ │ └── ...
│ ├── components/ # React components
│ ├── lib/ # Shared utilities
│ └── prisma/ # Prisma schema
├── agentbot-backend/ # Express backend API
├── skills/ # AI skill definitions
└── docs/ # Documentation
cd web
# Start development server
npm run dev
# Build for production
npm run build
# Run tests (Playwright)
npm run test
# Lint code
npm run lint
# Generate Prisma client
npx prisma generatecd agentbot-backend
# Start development server
npm run dev
# Run tests (Jest)
npm run test
# Build TypeScript
npm run buildwebuses Next.js 16 and builds withnext build --webpack- Production runtime for
webisnode .next/standalone/server.js webis deployed on Vercel- Some public pages are intentionally
force-dynamicbecause they render live platform counts from Prisma - Do not reintroduce Turbopack-only assumptions without verifying Vercel build output
Copy .env.example to .env and configure:
Web (.env):
DATABASE_URL— PostgreSQL connection stringNEXTAUTH_SECRET— Auth secretNEXTAUTH_URL— Auth URLDISCORD_CLIENT_ID/SECRET— Discord OAuthTELEGRAM_BOT_TOKEN— Telegram bot tokenSTRIPE_SECRET_KEY— Payment processing
Backend (.env):
PORT— Server port (default: 4000)DATABASE_URL— PostgreSQL connectionJWT_SECRET— JWT signing secret
Agentbot uses Prisma with PostgreSQL. Run migrations:
cd web && npx prisma migrate dev- Unit tests: Jest in backend
- E2E tests: Playwright in web
- Run all tests:
npm testin each directory
- Prefer TypeScript-first route handlers and server components
- Keep edits aligned with existing patterns in
web/app/andweb/components/ - Use Zod for validation and Prisma for ORM-backed state
- Avoid mock data in production routes when real Prisma-backed data exists
- Prefer server-rendered real metrics over client-only placeholders for public dashboards
- Auth: NextAuth.js with multiple providers
- Payments: Stripe with subscription tiers
- Messaging: Telegram, Discord, WhatsApp bots
- Blockchain: Wagmi/Viem for Base network
- AI: OpenAI, Anthropic via AI SDK
- Streaming: Mux for live video
Focus review comments on:
- Security regressions in auth, webhook verification, bearer-token gates, SSRF protections, or secret handling
- Provisioning and agent lifecycle drift between Vercel
web, Prisma state, andagentbot-backend - Public page data integrity — especially stats shown on
/marketplace,/demo,/dashboard/fleet, and/dashboard/colony - Runtime regressions that break Vercel build/start behavior
- Incorrect fallback behavior that hides production failures behind fake success states
web/app/api/provision/route.tsis a legacy-heavy provisioning path and may succeed without creating a PrismaAgentrow- Public platform stats should distinguish between:
- deployed agents: total Prisma
Agentrows - live agents: agents with status
activeorrunning
- deployed agents: total Prisma
User.openclawUrlis not a substitute for anAgentrecord/api/deploymentsis partially compatibility-oriented and should not become the source of truth for platform metrics- Build warnings should be treated seriously when they affect Vercel output, but warning-only noise is secondary to runtime correctness
- For
web, validate withnpm run buildbefore merging meaningful changes - For route handler changes, prefer verifying the exact affected endpoint or page path
- For provisioning or dashboard work, confirm both:
- the data contract returned by the route
- the page that consumes it
- Replacing real counts with hardcoded marketing numbers
- Reporting auth-protected stats as if they are public platform totals
- Assuming
activeis the only valid “live” state without checking the current write paths - Counting success based only on a passing local render when the Vercel build/runtime contract changed
- Create skill:
skills/add-[platform].md - Add API route:
web/app/api/bot/[platform]/route.ts - Add UI component:
web/components/bot/[Platform]Config.tsx
- Create route:
web/app/api/[feature]/route.ts - Add Zod validation schema
- Add to API docs
- Never commit secrets to git
- Use BotID for bot protection
- Enable 2FA on all accounts
- Run
npm auditregularly