@waiaas/skills 2.11.0-rc.21 → 2.11.0-rc.23

package/README.md

@@ -133,7 +133,7 @@ waiaas quickset                  # Creates wallets + sessions automatically
 waiaas set-master                # (Later) Harden password, then delete recovery.key
 ```
 
-The `--auto-provision` flag generates a cryptographically random master password and saves it to `~/.waiaas/recovery.key`. All subsequent CLI commands read it automatically. See the [Agent Self-Setup Guide](docs/guides/agent-self-setup.md) for the complete flow.
+The `--auto-provision` flag generates a cryptographically random master password and saves it to `~/.waiaas/recovery.key`. All subsequent CLI commands read it automatically. See the [Agent Self-Setup Guide](docs/agent-guides/agent-self-setup.md) for the complete flow.
 
 For manual setup with human-guided password entry, install skills and follow `waiaas-setup/SKILL.md`:
 
@@ -215,10 +215,10 @@ Enabled by default (`admin_ui = true` in config.toml).
 | [Security Model](docs/security-model.md) | Authentication, policy engine, Kill Switch, AutoStop |
 | [Deployment Guide](docs/deployment.md) | Docker, npm, configuration reference |
 | [API Reference](docs/api-reference.md) | REST API endpoints and authentication |
-| [Agent Self-Setup Guide](docs/guides/agent-self-setup.md) | Fully autonomous setup with auto-provision |
-| [Agent Skills Integration](docs/guides/agent-skills-integration.md) | Universal guide for 27+ AI agent platforms |
-| [Claude Code Integration](docs/guides/claude-code-integration.md) | Skill files + MCP server setup for Claude Code |
-| [OpenClaw Integration](docs/guides/openclaw-integration.md) | Quick setup for OpenClaw bot |
+| [Agent Self-Setup Guide](docs/agent-guides/agent-self-setup.md) | Fully autonomous setup with auto-provision |
+| [Agent Skills Integration](docs/agent-guides/agent-skills-integration.md) | Universal guide for 27+ AI agent platforms |
+| [Claude Code Integration](docs/agent-guides/claude-code-integration.md) | Skill files + MCP server setup for Claude Code |
+| [OpenClaw Integration](docs/agent-guides/openclaw-integration.md) | Quick setup for OpenClaw bot |
 | [Wallet SDK Integration](docs/wallet-sdk-integration.md) | Integration guide for wallet developers |
 | [Why WAIaaS?](docs/why-waiaas/) | Background on AI agent wallet security |
 | [Contributing](CONTRIBUTING.md) | Development setup, code style, testing, PR guidelines |

package/dist/openclaw.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"openclaw.d.ts","sourceRoot":"","sources":["../src/openclaw.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAwBH;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE;IAAE,KAAK,EAAE,OAAO,CAAA;CAAE,GAAG,IAAI,CAmCpE"}
+{"version":3,"file":"openclaw.d.ts","sourceRoot":"","sources":["../src/openclaw.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAwBH;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE;IAAE,KAAK,EAAE,OAAO,CAAA;CAAE,GAAG,IAAI,CAkCpE"}

package/dist/openclaw.js

@@ -44,7 +44,6 @@ Add to ~/.openclaw/openclaw.json:
         "waiaas-quickstart": {
           "env": {
             "WAIAAS_BASE_URL": "http://localhost:3100",
-            "WAIAAS_MASTER_PASSWORD": "<your-master-password>",
             "WAIAAS_SESSION_TOKEN": "<your-session-token>"
           }
         }

package/dist/openclaw.js.map

@@ -1 +1 @@
-{"version":3,"file":"openclaw.js","sourceRoot":"","sources":["../src/openclaw.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,mBAAmB,EAA0B,MAAM,gBAAgB,CAAC;AAE7E;;;;;;;GAOG;AACH,SAAS,iBAAiB,CACxB,QAA2B,EAC3B,YAAoB;IAEpB,OAAO;QACL,IAAI,EAAE,UAAU,YAAY,EAAE;QAC9B,WAAW,EAAE,QAAQ,CAAC,WAAW;KAClC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CAAC,IAAwB;IAC5D,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;IAEjE,OAAO,CAAC,GAAG,CAAC,iCAAiC,SAAS,KAAK,CAAC,CAAC;IAE7D,MAAM,MAAM,GAAG,mBAAmB,CAAC;QACjC,UAAU,EAAE,SAAS;QACrB,SAAS;QACT,oBAAoB,EAAE,iBAAiB;QACvC,KAAK,EAAE,IAAI,CAAC,KAAK;KAClB,CAAC,CAAC;IAEH,OAAO,CAAC,GAAG,CACT,WAAW,MAAM,CAAC,SAAS,eAAe,MAAM,CAAC,OAAO,WAAW,CACpE,CAAC;IAEF,IAAI,MAAM,CAAC,SAAS,GAAG,CAAC,EAAE,CAAC;QACzB,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;;;CAgBf,CAAC,CAAC;IACD,CAAC;AACH,CAAC"}
+{"version":3,"file":"openclaw.js","sourceRoot":"","sources":["../src/openclaw.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,mBAAmB,EAA0B,MAAM,gBAAgB,CAAC;AAE7E;;;;;;;GAOG;AACH,SAAS,iBAAiB,CACxB,QAA2B,EAC3B,YAAoB;IAEpB,OAAO;QACL,IAAI,EAAE,UAAU,YAAY,EAAE;QAC9B,WAAW,EAAE,QAAQ,CAAC,WAAW;KAClC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CAAC,IAAwB;IAC5D,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;IAEjE,OAAO,CAAC,GAAG,CAAC,iCAAiC,SAAS,KAAK,CAAC,CAAC;IAE7D,MAAM,MAAM,GAAG,mBAAmB,CAAC;QACjC,UAAU,EAAE,SAAS;QACrB,SAAS;QACT,oBAAoB,EAAE,iBAAiB;QACvC,KAAK,EAAE,IAAI,CAAC,KAAK;KAClB,CAAC,CAAC;IAEH,OAAO,CAAC,GAAG,CACT,WAAW,MAAM,CAAC,SAAS,eAAe,MAAM,CAAC,OAAO,WAAW,CACpE,CAAC;IAEF,IAAI,MAAM,CAAC,SAAS,GAAG,CAAC,EAAE,CAAC;QACzB,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;;CAef,CAAC,CAAC;IACD,CAAC;AACH,CAAC"}

package/dist/registry.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../src/registry.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B;AAED,eAAO,MAAM,cAAc,EAAE,SAAS,UAAU,EAiDtC,CAAC;AAEX;;;GAGG;AACH,wBAAgB,YAAY,IAAI,MAAM,CAErC"}
+{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../src/registry.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B;AAED,eAAO,MAAM,cAAc,EAAE,SAAS,UAAU,EAqCtC,CAAC;AAEX;;;GAGG;AACH,wBAAgB,YAAY,IAAI,MAAM,CAErC"}

package/dist/registry.js

@@ -1,10 +1,5 @@
 import path from "node:path";
 export const SKILL_REGISTRY = [
-    {
-        name: "setup",
-        filename: "setup.skill.md",
-        description: "Zero-state daemon setup: install CLI, initialize, start daemon, create wallet, configure session",
-    },
     {
         name: "quickstart",
         filename: "quickstart.skill.md",
@@ -13,7 +8,7 @@ export const SKILL_REGISTRY = [
     {
         name: "wallet",
         filename: "wallet.skill.md",
-        description: "Wallet CRUD, asset queries, session management, token registry, MCP provisioning, owner management",
+        description: "Wallet queries, asset balances, session info, token list",
     },
     {
         name: "transactions",
@@ -23,12 +18,7 @@ export const SKILL_REGISTRY = [
     {
         name: "policies",
         filename: "policies.skill.md",
-        description: "Policy engine CRUD: 12 policy types for spending limits, whitelists, time restrictions, rate limits, token/contract/approve controls, network restrictions, x402 domain controls",
-    },
-    {
-        name: "admin",
-        filename: "admin.skill.md",
-        description: "Admin API: daemon status, kill switch, notifications, settings management, JWT rotation, shutdown, oracle status, API key management",
+        description: "Policy queries: view applied spending limits, whitelists, time restrictions",
     },
     {
         name: "actions",

package/dist/registry.js.map

@@ -1 +1 @@
-{"version":3,"file":"registry.js","sourceRoot":"","sources":["../src/registry.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAQ7B,MAAM,CAAC,MAAM,cAAc,GAA0B;IACnD;QACE,IAAI,EAAE,OAAO;QACb,QAAQ,EAAE,gBAAgB;QAC1B,WAAW,EACT,kGAAkG;KACrG;IACD;QACE,IAAI,EAAE,YAAY;QAClB,QAAQ,EAAE,qBAAqB;QAC/B,WAAW,EACT,iFAAiF;KACpF;IACD;QACE,IAAI,EAAE,QAAQ;QACd,QAAQ,EAAE,iBAAiB;QAC3B,WAAW,EACT,oGAAoG;KACvG;IACD;QACE,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,uBAAuB;QACjC,WAAW,EACT,6GAA6G;KAChH;IACD;QACE,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,mBAAmB;QAC7B,WAAW,EACT,kLAAkL;KACrL;IACD;QACE,IAAI,EAAE,OAAO;QACb,QAAQ,EAAE,gBAAgB;QAC1B,WAAW,EACT,sIAAsI;KACzI;IACD;QACE,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,kBAAkB;QAC5B,WAAW,EACT,0GAA0G;KAC7G;IACD;QACE,IAAI,EAAE,MAAM;QACZ,QAAQ,EAAE,eAAe;QACzB,WAAW,EACT,+EAA+E;KAClF;CACO,CAAC;AAEX;;;GAGG;AACH,MAAM,UAAU,YAAY;IAC1B,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;AACxD,CAAC"}
+{"version":3,"file":"registry.js","sourceRoot":"","sources":["../src/registry.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAQ7B,MAAM,CAAC,MAAM,cAAc,GAA0B;IACnD;QACE,IAAI,EAAE,YAAY;QAClB,QAAQ,EAAE,qBAAqB;QAC/B,WAAW,EACT,iFAAiF;KACpF;IACD;QACE,IAAI,EAAE,QAAQ;QACd,QAAQ,EAAE,iBAAiB;QAC3B,WAAW,EACT,0DAA0D;KAC7D;IACD;QACE,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,uBAAuB;QACjC,WAAW,EACT,6GAA6G;KAChH;IACD;QACE,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,mBAAmB;QAC7B,WAAW,EACT,6EAA6E;KAChF;IACD;QACE,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,kBAAkB;QAC5B,WAAW,EACT,0GAA0G;KAC7G;IACD;QACE,IAAI,EAAE,MAAM;QACZ,QAAQ,EAAE,eAAe;QACzB,WAAW,EACT,+EAA+E;KAClF;CACO,CAAC;AAEX;;;GAGG;AACH,MAAM,UAAU,YAAY;IAC1B,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;AACxD,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@waiaas/skills",
-  "version": "2.11.0-rc.21",
+  "version": "2.11.0-rc.23",
   "description": "WAIaaS skill files for AI agents - install via npx @waiaas/skills add <name>",
   "license": "MIT",
   "type": "module",

package/skills/actions.skill.md

@@ -3,7 +3,7 @@ name: "WAIaaS Actions"
 description: "Action Provider framework: list providers, execute DeFi actions through the 6-stage transaction pipeline"
 category: "api"
 tags: [wallet, blockchain, defi, actions, waiass, jupiter, 0x, swap, lifi, bridge, cross-chain, lido, jito, staking, liquid-staking, pendle, yield, pt, yt, drift, perp, perpetual, leverage, futures, dcent-swap, dcent, aggregator, across, across-bridge, polymarket, prediction-market, clob, ctf]
-version: "2.11.0-rc.21"
+version: "2.11.0-rc.23"
 dispatch:
   kind: "tool"
   allowedCommands: ["curl"]
@@ -29,10 +29,7 @@ All action endpoints require **sessionAuth** via `Authorization: Bearer <token>`
 - List action providers and their available actions
 - Execute actions (subject to policy evaluation)
 
-### Admin (masterAuth -- prerequisite)
-- Register API keys for action providers via Admin UI Settings
-- Enable/configure built-in providers via Admin UI > DeFi (`#/defi`) or Agent Identity (`#/agent-identity`)
-- Configure CONTRACT_WHITELIST/ALLOWED_TOKENS policies for provider contracts (or use provider-trust bypass)
+> Provider 활성화, API 키 등록, CONTRACT_WHITELIST 설정은 관리자가 사전에 완료해야 합니다. docs/admin-manual/defi-providers.md 를 참조하세요.
 
 ```
 Authorization: Bearer wai_sess_eyJ...

package/skills/erc8004.skill.md

@@ -3,7 +3,7 @@ name: "WAIaaS ERC-8004"
 description: "ERC-8004 Trustless Agents: identity registration, reputation management, on-chain validation"
 category: "api"
 tags: [wallet, blockchain, erc-8004, identity, reputation, validation, trust, waiass]
-version: "2.11.0-rc.21"
+version: "2.11.0-rc.23"
 dispatch:
   kind: "tool"
   allowedCommands: ["curl"]
@@ -23,7 +23,7 @@ http://localhost:3100
 
 - **Read endpoints (GET):** Require `Authorization: Bearer <token>` (sessionAuth).
 - **Write actions:** Executed via `POST /v1/actions/erc8004_agent/{action}` with sessionAuth. Subject to policy evaluation (6-stage pipeline).
-- **Admin configuration:** Configure via Admin UI > Agent Identity (`#/agent-identity`), or via `X-Master-Password` header for enabling the provider and configuring registry addresses.
+- **Admin configuration:** See docs/admin-manual/erc8004-setup.md for provider and registry setup.
 
 ## Permissions
 
@@ -31,10 +31,7 @@ http://localhost:3100
 - Query agent identity, reputation, validation status (4 GET endpoints)
 - Execute write actions: register, set wallet, set URI, set metadata, give/revoke feedback, request validation
 
-### Admin (masterAuth -- prerequisite)
-- ERC-8004 provider is enabled by default since v30.11 (`actions.erc8004_agent_enabled=true`)
-- Configure registry addresses and registration file base URL
-- Create REPUTATION_THRESHOLD policies
+> ERC-8004 Provider 설정(레지스트리 주소, REPUTATION_THRESHOLD 정책)은 관리자가 사전에 완료해야 합니다. docs/admin-manual/erc8004-setup.md 를 참조하세요.
 
 ---
 
@@ -473,72 +470,11 @@ Write tools are auto-registered from the Action Provider framework. Each tool na
 
 ---
 
-## 5. Admin Settings
-
-Configure ERC-8004 via Admin UI > Agent Identity (`#/agent-identity`), or via `PUT /v1/admin/settings`:
-
-```bash
-curl -s -X PUT http://localhost:3100/v1/admin/settings \
-  -H 'Content-Type: application/json' \
-  -H 'X-Master-Password: <password>' \
-  -d '{"key": "actions.erc8004_agent_enabled", "value": "true"}'
-```
-
-| Setting Key                                      | Type    | Default                                          | Description                                       |
-| ------------------------------------------------ | ------- | ------------------------------------------------ | ------------------------------------------------- |
-| `actions.erc8004_agent_enabled`                  | boolean | `true`                                           | Master feature gate. Enabled by default since v30.11.|
-| `actions.erc8004_identity_registry_address`      | string  | `0x8004A169FB4a3325136EB29fA0ceB6D2e539a432`     | Identity Registry contract address.               |
-| `actions.erc8004_reputation_registry_address`    | string  | `0x8004BAa17C55a88189AE136b182e5fdA19dE9b63`     | Reputation Registry contract address.             |
-| `actions.erc8004_validation_registry_address`    | string  | (empty)                                          | Validation Registry address. Empty = feature off. |
-| `actions.erc8004_registration_file_base_url`     | string  | (empty)                                          | Base URL for registration file hosting.           |
-| `actions.erc8004_auto_publish_registration`      | boolean | `true`                                           | Auto-generate and serve registration files.       |
-| `actions.erc8004_reputation_cache_ttl_sec`       | number  | `300`                                            | Reputation cache TTL in seconds.                  |
-| `actions.erc8004_min_reputation_score`            | number  | `0`                                              | Global minimum reputation score.                  |
-| `actions.erc8004_reputation_rpc_timeout_ms`       | number  | `3000`                                           | RPC timeout for reputation queries (ms).          |
-
-**Action tier override:** Action tier can be overridden per-action via the tier dropdown in Admin UI > Agent Identity, or via Settings API key pattern `actions.erc8004_agent_{action}_tier`. See **admin.skill.md** Section 15.
-
----
-
-## 6. REPUTATION_THRESHOLD Policy
-
-The REPUTATION_THRESHOLD policy evaluates counterparty agent reputation during transaction processing. When the counterparty's on-chain reputation is below the threshold, the transaction security tier is escalated.
-
-For full policy details and rules schema, see **policies.skill.md** (Section 2m).
-
-**Quick setup:**
-
-```bash
-curl -s -X POST http://localhost:3100/v1/policies \
-  -H 'Content-Type: application/json' \
-  -H 'X-Master-Password: <password>' \
-  -d '{
-    "walletId": "<uuid>",
-    "type": "REPUTATION_THRESHOLD",
-    "rules": {
-      "min_score": 50,
-      "below_threshold_tier": "APPROVAL",
-      "unrated_tier": "APPROVAL",
-      "tag1": "",
-      "tag2": "",
-      "check_counterparty": true
-    }
-  }'
-```
-
----
-
-## 7. Common Workflows
+## 5. Common Workflows
 
 ### Register an Agent and Set Up Registration File
 
-1. Verify ERC-8004 is enabled (default: true since v30.11):
-```bash
-curl -s http://localhost:3100/v1/admin/settings \
-  -H 'X-Master-Password: <password>' | grep erc8004_agent_enabled
-```
-
-2. Register the agent (requires owner approval):
+1. Register the agent (requires owner approval):
 ```bash
 curl -s -X POST http://localhost:3100/v1/actions/erc8004_agent/register_agent \
   -H 'Content-Type: application/json' \
@@ -568,29 +504,9 @@ curl -s 'http://localhost:3100/v1/erc8004/agent/99/reputation?tag1=reliability'
   -H 'Authorization: Bearer wai_sess_eyJ...'
 ```
 
-### Set Up REPUTATION_THRESHOLD Policy
-
-```bash
-curl -s -X POST http://localhost:3100/v1/policies \
-  -H 'Content-Type: application/json' \
-  -H 'X-Master-Password: <password>' \
-  -d '{
-    "walletId": "<uuid>",
-    "type": "REPUTATION_THRESHOLD",
-    "rules": {
-      "min_score": 50,
-      "below_threshold_tier": "APPROVAL",
-      "unrated_tier": "DELAY",
-      "check_counterparty": true
-    }
-  }'
-```
-
-When the counterparty has a reputation score below 50, the transaction tier is escalated to APPROVAL. When the counterparty has no reputation data, the tier is escalated to DELAY.
-
 ---
 
-## 8. Error Reference
+## 6. Error Reference
 
 | Code                     | HTTP | Description                                    | Recovery                                   |
 | ------------------------ | ---- | ---------------------------------------------- | ------------------------------------------ |
@@ -604,7 +520,7 @@ When the counterparty has a reputation score below 50, the transaction tier is e
 
 ---
 
-## 9. Related Skill Files
+## 7. Related Skill Files
 
 - **policies.skill.md** -- REPUTATION_THRESHOLD policy type (Section 2m) and policy evaluation flow
 - **actions.skill.md** -- Action Provider framework, provider-trust bypass mechanism

package/skills/erc8128.skill.md

@@ -3,7 +3,7 @@ name: "WAIaaS ERC-8128"
 description: "ERC-8128 Signed HTTP Requests: RFC 9421 + EIP-191 signature for API authentication"
 category: "api"
 tags: [wallet, blockchain, erc-8128, signing, rfc9421, http, authentication, waiass]
-version: "2.11.0-rc.21"
+version: "2.11.0-rc.23"
 dispatch:
   kind: "tool"
   allowedCommands: ["curl"]
@@ -29,10 +29,7 @@ Requires **sessionAuth** via `Authorization: Bearer <token>` header.
 - Sign HTTP requests via POST /v1/erc8128/sign
 - Verify HTTP signatures via POST /v1/erc8128/verify
 
-### Admin (masterAuth -- prerequisite)
-- Configure ERC8128_ALLOWED_DOMAINS policy to whitelist target API domains
-- Enable ERC-8128 feature (`erc8128.enabled = true` in Admin Settings)
-- Configure default preset, TTL, nonce, algorithm, and rate limit
+> ERC-8128 기능 활성화 및 ERC8128_ALLOWED_DOMAINS 정책 설정은 관리자가 사전에 완료해야 합니다. docs/admin-manual/erc8128-setup.md 를 참조하세요.
 
 ## 1. Sign HTTP Request
 
@@ -136,37 +133,7 @@ curl -s -X POST http://localhost:3100/v1/erc8128/verify \
 }
 ```
 
-## 3. Prerequisites
-
-Before using ERC-8128 signing, ensure:
-
-1. **ERC-8128 enabled** in Admin Settings:
-   ```bash
-   curl -s -X PUT http://localhost:3100/v1/admin/settings \
-     -H 'Content-Type: application/json' \
-     -H 'X-Master-Password: <password>' \
-     -d '{"settings": [{"key": "erc8128.enabled", "value": "true"}]}'
-   ```
-
-2. **ERC8128_ALLOWED_DOMAINS policy** for the wallet (default-deny):
-   ```bash
-   curl -s -X POST http://localhost:3100/v1/policies \
-     -H 'Content-Type: application/json' \
-     -H 'X-Master-Password: <password>' \
-     -d '{
-       "walletId": "<wallet-uuid>",
-       "type": "ERC8128_ALLOWED_DOMAINS",
-       "rules": {
-         "domains": ["api.example.com", "*.premium-apis.com"]
-       },
-       "priority": 0,
-       "enabled": true
-     }'
-   ```
-
-3. **EVM wallet** -- ERC-8128 uses EIP-191 signing, which requires an Ethereum-compatible wallet. Solana wallets are not supported.
-
-## 4. Presets
+## 3. Presets
 
 Covered Components presets determine which HTTP message components are included in the signature:
 
@@ -176,7 +143,7 @@ Covered Components presets determine which HTTP message components are included
 | `standard` | `@method`, `@target-uri`, `@authority`, `content-digest` | Recommended default |
 | `strict`   | `@method`, `@target-uri`, `@authority`, `content-type`, `content-digest`, `content-length` | Maximum security |
 
-## 5. SDK Usage
+## 4. SDK Usage
 
 **TypeScript SDK:**
 
@@ -218,7 +185,7 @@ console.log(result.status, result.body);
 - `erc8128_sign_request` -- Sign an HTTP request (method, url, headers, body, preset, ttl_seconds)
 - `erc8128_verify_signature` -- Verify a signature (method, url, headers, signature_input, signature, content_digest)
 
-## 6. Error Reference
+## 5. Error Reference
 
 | Code | HTTP | Description | Recovery |
 |------|------|-------------|----------|
@@ -227,7 +194,7 @@ console.log(result.status, result.body);
 | `ERC8128_RATE_LIMITED` | 429 | Rate limit exceeded for this domain | Wait and retry; adjust `erc8128.rate_limit_per_minute` |
 | `UNSUPPORTED_CHAIN` | 400 | Wallet chain does not support EIP-191 signing | Use an EVM wallet |
 
-## 7. Related Skill Files
+## 6. Related Skill Files
 
 - **policies.skill.md** -- ERC8128_ALLOWED_DOMAINS policy management
 - **admin.skill.md** -- ERC-8128 Admin Settings configuration

package/skills/external-actions.skill.md

@@ -3,7 +3,7 @@ name: "WAIaaS External Actions"
 description: "Off-chain action framework: signedData/signedHttp pipeline, credential vault, venue/category policies"
 category: "api"
 tags: [wallet, external-actions, off-chain, signing, credentials, venue, waiass]
-version: "2.11.0-rc.21"
+version: "2.11.0-rc.23"
 dispatch:
   kind: "tool"
   allowedCommands: ["curl"]
@@ -22,7 +22,8 @@ http://localhost:3100
 ```
 
 Action execution and queries use **sessionAuth** (`Authorization: Bearer <token>`).
-Credential management uses **masterAuth** (`X-Master-Password`).
+
+> Credential 관리(생성/삭제/교체)는 관리자 전용입니다. docs/admin-manual/credentials.md 를 참조하세요.
 
 ## Permissions
 
@@ -32,14 +33,6 @@ Credential management uses **masterAuth** (`X-Master-Password`).
 - Get off-chain action detail via `GET /v1/wallets/:id/actions/:actionId`
 - List credential metadata via `GET /v1/wallets/:id/credentials` (names and types only -- never values)
 
-### Admin (masterAuth)
-- Create credentials: `POST /v1/wallets/:id/credentials`
-- Delete credentials: `DELETE /v1/wallets/:id/credentials/:ref`
-- Rotate credentials: `PUT /v1/wallets/:id/credentials/:ref/rotate`
-- Global credentials: `GET/POST/DELETE/PUT /v1/admin/credentials[/:ref[/rotate]]`
-- Venue whitelist policy: via `POST /v1/policies` with type `VENUE_WHITELIST`
-- Category limit policy: via `POST /v1/policies` with type `ACTION_CATEGORY_LIMIT`
-
 ---
 
 ## 1. ResolvedAction 3-Kind System
@@ -74,41 +67,9 @@ Schemes that require credentials reference a `credentialRef` string that resolve
 
 ---
 
-## 3. Credential Management
-
-Credentials are stored encrypted with AES-256-GCM (per-wallet encryption key derived via HKDF from master password). Credential values are **never** returned in API responses.
-
-### Credential Scope
+## 3. Credential Queries
 
-- **Per-wallet**: Stored under `/v1/wallets/:id/credentials`. Only accessible by that wallet's pipeline.
-- **Global**: Stored under `/v1/admin/credentials`. Accessible by all wallets. Per-wallet credentials take priority over global ones with the same name.
-
-### Create Credential (masterAuth)
-
-```bash
-curl -s -X POST http://localhost:3100/v1/wallets/<wallet-id>/credentials \
-  -H 'Content-Type: application/json' \
-  -H 'X-Master-Password: <password>' \
-  -d '{
-    "name": "polymarket-api-key",
-    "type": "api_key",
-    "value": "secret-api-key-value",
-    "expiresAt": 1735689600
-  }'
-```
-
-**Response (201):**
-```json
-{
-  "id": "cred-uuid",
-  "name": "polymarket-api-key",
-  "type": "api_key",
-  "walletId": "<wallet-id>",
-  "expiresAt": 1735689600,
-  "createdAt": 1700000000,
-  "updatedAt": 1700000000
-}
-```
+Credentials are stored encrypted with AES-256-GCM. Credential values are **never** returned in API responses.
 
 ### List Credentials (sessionAuth)
 
@@ -117,23 +78,7 @@ curl -s http://localhost:3100/v1/wallets/<wallet-id>/credentials \
   -H 'Authorization: Bearer <token>'
 ```
 
-Returns array of `CredentialMetadata` (no `value` field).
-
-### Delete Credential (masterAuth)
-
-```bash
-curl -s -X DELETE http://localhost:3100/v1/wallets/<wallet-id>/credentials/polymarket-api-key \
-  -H 'X-Master-Password: <password>'
-```
-
-### Rotate Credential (masterAuth)
-
-```bash
-curl -s -X PUT http://localhost:3100/v1/wallets/<wallet-id>/credentials/polymarket-api-key/rotate \
-  -H 'Content-Type: application/json' \
-  -H 'X-Master-Password: <password>' \
-  -d '{"value": "new-secret-value"}'
-```
+Returns array of `CredentialMetadata` (names, types, expiry -- no `value` field).
 
 ---
 
@@ -261,11 +206,6 @@ const actions = await client.listOffchainActions({ walletId: 'w1', venue: 'polym
 const detail = await client.getActionResult('w1', 'act-uuid');
 const creds = await client.listCredentials('w1');
 
-// Credential CRUD (masterAuth -- admin only)
-const cred = await client.createCredential('w1', { name: 'api-key', type: 'api_key', value: 'secret' });
-await client.deleteCredential('w1', 'api-key');
-await client.rotateCredential('w1', 'api-key', 'new-secret');
-
 // Off-chain action execution (sessionAuth -- uses existing executeAction)
 const result = await client.executeAction('polymarket_order', 'pm_buy', {
   params: { tokenId: '0x...', amount: '100', price: '0.65', side: 'BUY' },

package/skills/nft.skill.md

@@ -3,7 +3,7 @@ name: "WAIaaS NFT Operations"
 description: "NFT query, transfer, and approval operations for ERC-721, ERC-1155, and Metaplex standards"
 category: "api"
 tags: [wallet, blockchain, nft, erc721, erc1155, metaplex, solana, ethereum, waiass]
-version: "2.11.0-rc.21"
+version: "2.11.0-rc.23"
 dispatch:
   kind: "tool"
   allowedCommands: ["curl"]
@@ -96,14 +96,9 @@ Response includes:
 
 Note: Metadata is cached in the database with a 24-hour TTL.
 
-### GET /v1/wallets/{id}/nfts -- List NFTs (masterAuth)
+### Admin NFT Query
 
-Operator endpoint to query any wallet's NFTs.
-
-```bash
-curl -s 'http://localhost:3100/v1/wallets/01958f3a-1234-7000-8000-abcdef123456/nfts?network=ethereum-mainnet' \
-  -H 'X-Master-Password: your-master-password'
-```
+Operators can query any wallet's NFTs via `GET /v1/wallets/{id}/nfts` -- see docs/admin-manual/wallet-management.md.
 
 ## 3. NFT Transfer (sessionAuth)