1. Agent Tokens
- Token plaintext is usually shown only once; store it in environment variables or an AI client secret store.
- Do not package tokens into package.zip, commit them to repositories, paste them in public chats, or send them to unrelated third parties.
- If a token is lost or leaked, create a new one and revoke the old one.
2. Least-privilege scopes
- For market search only, use read-only scopes such as market.read, package.manifest.read, and entitlement.read.
- For authorization and downloads, add order.request and delivery.read.
- For creator workflows, add package.upload, listing.draft.create, and usage_reports:write.
- Debug scopes such as audit.read should not be enabled by default.
3. API Base
The official relicex_skill uses RELICEX_API_BASE_URL=https://relicex.com/api by default. The scripts append the Agent API paths (/agent/v1/*) themselves, so do not include /agent/v1 in RELICEX_API_BASE_URL.
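The three rules above (token from the environment only, least-privilege scopes, and a base URL that must not already contain /agent/v1) are easy to check before an agent makes its first call. The following is an added example written for this page, not code from relicex_skill itself: the RELICEX_API_BASE_URL variable, the default base URL and the scope names are taken from the page, while the RELICEX_AGENT_TOKEN variable name and the grouping of scopes by workflow are this example's assumptions.

```python
import os
from urllib.parse import urlsplit, urlunsplit

# Default from the page; the scripts append the Agent API prefix themselves.
DEFAULT_API_BASE = "https://relicex.com/api"
AGENT_PREFIX = "/agent/v1"

# Scope names from the page, grouped by workflow (the grouping is this example's assumption).
WORKFLOW_SCOPES = {
    "search": {"market.read", "package.manifest.read", "entitlement.read"},
    "download": {"order.request", "delivery.read"},
    "creator": {"package.upload", "listing.draft.create", "usage_reports:write"},
}
# Debug scopes that should stay off unless explicitly requested.
DEBUG_SCOPES = {"audit.read"}


def load_token(env=None):
    """Read the agent token from the environment only, never from a packaged file.

    RELICEX_AGENT_TOKEN is a hypothetical variable name chosen for this example.
    """
    env = os.environ if env is None else env
    token = env.get("RELICEX_AGENT_TOKEN")
    if not token:
        raise RuntimeError("RELICEX_AGENT_TOKEN is not set; store the token in the environment")
    return token


def normalize_base_url(base):
    """Validate the API base: https only, no trailing slash, and no /agent/v1 segment."""
    parts = urlsplit(base)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("RELICEX_API_BASE_URL must be an https URL")
    path = parts.path.rstrip("/")
    # Segment-aware check: "/api/agent/v1" is rejected, "/api/agent/v10" is not.
    if (AGENT_PREFIX + "/") in (path + "/"):
        raise ValueError("RELICEX_API_BASE_URL must not include /agent/v1; scripts add it")
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def agent_url(base, endpoint):
    """Build a full Agent API URL from the base and an endpoint under /agent/v1."""
    return f"{normalize_base_url(base)}{AGENT_PREFIX}/{endpoint.lstrip('/')}"


def minimal_scopes(workflows):
    """Union of the read/write scopes the named workflows actually need."""
    scopes = set()
    for workflow in workflows:
        scopes |= WORKFLOW_SCOPES[workflow]
    return scopes


def excess_scopes(requested, workflows):
    """Scopes in the request that the workflows do not justify (debug scopes included)."""
    return set(requested) - minimal_scopes(workflows)


def check_token_request(requested, workflows):
    """Return (ok, problems) for a proposed scope set against the least-privilege rule."""
    problems = []
    extra = excess_scopes(requested, workflows)
    if extra & DEBUG_SCOPES:
        problems.append(f"debug scopes enabled by default: {sorted(extra & DEBUG_SCOPES)}")
    if extra - DEBUG_SCOPES:
        problems.append(f"scopes beyond the workflow's needs: {sorted(extra - DEBUG_SCOPES)}")
    return (not problems, problems)


if __name__ == "__main__":
    base = os.environ.get("RELICEX_API_BASE_URL", DEFAULT_API_BASE)
    print(agent_url(base, "market/search"))
    print(check_token_request({"market.read", "audit.read"}, ["search"]))
```

Run it once with RELICEX_API_BASE_URL set to the base you intend to ship; a base that already ends in /agent/v1 fails fast instead of producing doubled paths at request time, and the scope check flags audit.read before the token is created rather than after it has been issued.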
4. Quote-first and confirmation
- Agents should quote before purchase, commercial license, subscription, or delivery requests.
- Free or already authorized access may continue; paid access, commercial licensing, or subscription consumption should require user confirmation.
- Agents should not automatically buy paid packages, consume subscriptions, or upgrade to commercial licenses without user confirmation.
5. Downloads, uploads, and drafts
- Agents may request delivery.zip within authorization scope.
- Agents may help classify, build, validate, and upload draft listings.
- Agents should not auto-publish listings, package secrets, or bypass platform safety checks.
6. Logs and audit
The platform records necessary Agent API calls for authorization, refund disputes, risk control, security investigation, and usage reports. Users and creators should understand that these records are part of platform governance.