Jeden Skill in Manus ausführen
mit einem Klick

Jeden Skill in Manus mit einem Klick ausführen

$pwd:

firewall-ai-gateway-debug

Name: Firewall Ai Gateway Debug
Author: vercel-labs

// Firewall and Vercel AI Gateway debugging for vercel-openclaw: network policy allowlists, OIDC token refresh, AI Gateway transform rules, firewall learning/enforcement, and sandbox.update networkPolicy calls. Use when model calls, egress, token refresh, or firewall policy application fails.

In Manus ausführen

$ git log --oneline --stat

stars:112

forks:24

updated:8. Mai 2026 um 16:45

SKILL.md

readonly

name	firewall-ai-gateway-debug
description	Firewall and Vercel AI Gateway debugging for vercel-openclaw: network policy allowlists, OIDC token refresh, AI Gateway transform rules, firewall learning/enforcement, and sandbox.update networkPolicy calls. Use when model calls, egress, token refresh, or firewall policy application fails.

Firewall AI Gateway Debug

Use this skill for model-call failures, egress blocks, network policy drift, or AI Gateway token refresh problems.

Evidence First

Collect:

GET /api/admin/preflight or launch verification preflight evidence.
GET /api/admin/logs filtered for firewall., token., gateway., watchdog..
GET /api/admin/sandbox-diag.
Current firewall mode and learned/allowed domains from admin surfaces.
Sanitized model-call or gateway error body. Do not print Authorization tokens.

Critical Splits

AI Gateway credential unavailable vs expired vs circuit-breaker-open.
Static API key bypass vs OIDC token path.
Firewall learning/allowlist issue vs model provider/API issue.
OPENAI_BASE_URL inside sandbox is present, while Authorization is injected by network policy transform.
Policy object shape changes when an AI Gateway token exists.

Invariants

AI Gateway token never enters sandbox files or env.
ai-gateway.vercel.sh stays allowed even in enforcing mode.
Token refresh applies sandbox.update({ networkPolicy }); it should not rewrite config files or restart the gateway.
Public/admin display URLs must not expose deployment-protection bypass secrets.

Fix Boundaries

Primary: src/server/firewall/{domains,policy,state}.ts.
Token path: src/server/sandbox/lifecycle.ts, src/server/deploy-preflight.ts.
Public URLs: src/server/public-url.ts.
Tests: firewall policy tests, token refresh tests, launch-verify/preflight tests.
Docs: docs/environment-variables.md, docs/deployment-protection.md, lat.md/sandbox-lifecycle.md.

Verification

node scripts/verify.mjs --steps=test,typecheck
lat check

For live incidents, prove a model call succeeds after the policy/token change and that no token value appears in logs, UI, or sandbox config.

related-skills.json

gleiches Repository

sandbox-lifecycle-debug.md

from "vercel-labs/vercel-openclaw"

Sandbox lifecycle debugging for vercel-openclaw: create, resume, stop, snapshotting, reset, stale-running reconciliation, persistent Sandbox v2 behavior, hot spares, and lifecycle locks. Use when sandbox state transitions, status polling, stop/resume, reset, or lifecycle recovery is wrong.

2026-05-09112

sandbox-v2-lifecycle.md

from "vercel-labs/vercel-openclaw"

Vercel Sandbox v2 lifecycle expertise for vercel-openclaw: named persistent OpenClaw sandbox create/resume/stop/delete, persistent auto-save truth, manual snapshot diagnostics, short-lived worker sandboxes, hot spares, and SDK v2 semantics.

2026-05-09112

admin-ui-debug.md

from "vercel-labs/vercel-openclaw"

Admin UI and operator surface debugging for vercel-openclaw: command shell design, admin actions, request core, status panels, launch verification UI, channel readiness UI, and local read-only production-data workflows. Use when the root admin UI, controls, visual state, or operator copy is wrong.

2026-05-08112

auth-store-debug.md

from "vercel-labs/vercel-openclaw"

Auth and store debugging for vercel-openclaw: admin-secret mode, Sign in with Vercel, session cookies, CSRF, LOCAL_READ_ONLY, Redis vs memory store, keyspace namespacing, and metadata shape migrations. Use when login, route authorization, Redis persistence, or metadata state is suspect.

2026-05-08112

cron-watchdog-debug.md

from "vercel-labs/vercel-openclaw"

Cron and watchdog debugging for vercel-openclaw: Vercel Cron auth, persisted OpenClaw jobs, cron wake keys, token refresh, restore oracle, hot spare, and watchdog reports. Use when scheduled OpenClaw jobs fail to wake or run, watchdog status is wrong, cron persistence is suspect, or /api/cron/watchdog behavior changes.

2026-05-08112

gateway-proxy-debug.md

from "vercel-labs/vercel-openclaw"

Gateway and proxy debugging for vercel-openclaw: /gateway routing, HTML injection, WebSocket rewrite, gateway-token handoff, waiting page, status heartbeat, sandbox port URL cache, and proxy auth. Use when the OpenClaw UI, WebSockets, gateway proxying, or waiting-page flow breaks.

2026-05-08112

package.json

"author": "vercel-labs"

"repository": "vercel-labs/vercel-openclaw"

GitHub-Repository öffnen Creator-Repositorys ansehen

$ install --global

$ download --local

In Manus ausführen

$ useful --forSOC

InformationssicherheitsanalystenInformatik- und Mathematikberufe15-1212L4

name	firewall-ai-gateway-debug
description	Firewall and Vercel AI Gateway debugging for vercel-openclaw: network policy allowlists, OIDC token refresh, AI Gateway transform rules, firewall learning/enforcement, and sandbox.update networkPolicy calls. Use when model calls, egress, token refresh, or firewall policy application fails.

Firewall AI Gateway Debug

Use this skill for model-call failures, egress blocks, network policy drift, or AI Gateway token refresh problems.

Evidence First

Collect:

GET /api/admin/preflight or launch verification preflight evidence.
GET /api/admin/logs filtered for firewall., token., gateway., watchdog..
GET /api/admin/sandbox-diag.
Current firewall mode and learned/allowed domains from admin surfaces.
Sanitized model-call or gateway error body. Do not print Authorization tokens.

Critical Splits

AI Gateway credential unavailable vs expired vs circuit-breaker-open.
Static API key bypass vs OIDC token path.
Firewall learning/allowlist issue vs model provider/API issue.
OPENAI_BASE_URL inside sandbox is present, while Authorization is injected by network policy transform.
Policy object shape changes when an AI Gateway token exists.

Invariants

AI Gateway token never enters sandbox files or env.
ai-gateway.vercel.sh stays allowed even in enforcing mode.
Token refresh applies sandbox.update({ networkPolicy }); it should not rewrite config files or restart the gateway.
Public/admin display URLs must not expose deployment-protection bypass secrets.

Fix Boundaries

Primary: src/server/firewall/{domains,policy,state}.ts.
Token path: src/server/sandbox/lifecycle.ts, src/server/deploy-preflight.ts.
Public URLs: src/server/public-url.ts.
Tests: firewall policy tests, token refresh tests, launch-verify/preflight tests.
Docs: docs/environment-variables.md, docs/deployment-protection.md, lat.md/sandbox-lifecycle.md.

Verification

node scripts/verify.mjs --steps=test,typecheck
lat check

For live incidents, prove a model call succeeds after the policy/token change and that no token value appears in logs, UI, or sandbox config.

firewall-ai-gateway-debug

Firewall AI Gateway Debug

Evidence First

Critical Splits

Invariants

Fix Boundaries

Verification

Mehr aus diesem Repository

Mehr aus diesem Repository

Firewall AI Gateway Debug

Evidence First

Critical Splits

Invariants

Fix Boundaries

Verification