image-skill 0.1.23 → 0.1.25

package/skills/image-skill/references/cli.md

@@ -84,18 +84,17 @@ image-skill signup --agent \
   --agent-contact agent-inbox@example.com \
   --agent-name creative-agent \
   --runtime codex \
-  --show-token \
   --json
 ```
 
-Hosted signup returns the raw `isk_r_` token only when `--show-token` is set,
-and only once. Store it immediately in the agent runtime secret store, then use
-`IMAGE_SKILL_TOKEN` or `--token-stdin` for later hosted commands. Public hosted
-signup does not auto-save auth into the CLI config. `--save` is local-only
-(`--local`) and rejected on the hosted path; `--no-save` remains accepted for
-older hosted instructions. Use `--show-token --no-save` when the agent runtime
-has a separate secret store and needs the raw token once. Do not paste tokens
-into prompts, logs, issue text, or feedback.
+Hosted signup saves the restricted `isk_r_` token to the public CLI config by
+default with `0600` permissions, so later hosted commands can authenticate from
+config without repeating signup or carrying a raw token through prompts. Set
+`IMAGE_SKILL_CONFIG_PATH` first when the default config home may be read-only.
+The raw token is returned only when `--show-token` is set, and only once. Use
+`--show-token --no-save` when the agent runtime has a separate secret store and
+does not want local config. Do not paste tokens into prompts, logs, issue text,
+or feedback.
 
 In this preview contract, `--agent-contact` is an email-shaped durable contact
 inbox for the restricted agent identity, not a requirement to find an
@@ -109,7 +108,8 @@ proof runs. `--human-email` remains accepted as a compatibility alias for
 
 If the runtime has a separate secret store, it may provide the token to commands
 as `IMAGE_SKILL_TOKEN`. Keep that value outside prompts, logs, issue text, and
-feedback.
+feedback. Saved config, `IMAGE_SKILL_TOKEN`, and `--token-stdin` are all
+accepted by hosted commands; config is the default fresh-agent path.
 
 If the agent runtime can hand secrets to a command over stdin, avoid exporting
 the token and use `--token-stdin` instead:
@@ -139,9 +139,10 @@ auth or payment state changes. Do not run `doctor`, `models list`, `signup`,
 checklist before the guide asks for them.
 
 - `prompt_required`: rerun `data.next_command` with the real prompt.
-- `auth_required`: run `data.next_command`, store the returned token, then
-  rerun guide once. If the runtime does not automatically inject that token,
-  use `data.auth_handoff.rerun_guide.with_env` or
+- `auth_required`: run `data.next_command`, then rerun guide once. Hosted
+  signup saves auth to config by default. If the runtime intentionally used
+  `--no-save --show-token`, store the returned token and use
+  `data.auth_handoff.rerun_guide.with_env` or
   `data.auth_handoff.rerun_guide.with_stdin`.
 - `quota_required`: follow the payment commands in
   `data.checks.payments.suggested_commands`, then rerun guide once.
@@ -164,9 +165,10 @@ image-skill usage quota
 image-skill create --dry-run --prompt "a compact field camera on a stainless workbench"
 ```
 
-Use `--show-token` for hosted signup only when the runtime can immediately store
-the raw token once. For later commands, prefer `IMAGE_SKILL_TOKEN` or
-`--token-stdin`; both keep tokens out of prompts and shell history.
+Use `--show-token --no-save` for hosted signup only when the runtime can
+immediately store the raw token once outside local config. For later commands,
+saved config is the default; `IMAGE_SKILL_TOKEN` and `--token-stdin` remain
+available for runtimes with a separate secret store.
 `create --guide` also returns `data.auth_handoff` with copy-safe env/stdin
 templates when auth is required or when the returned create command needs the
 same auth context.
@@ -190,9 +192,9 @@ export PATH="$npm_config_prefix/bin:$PATH"
 npx -y image-skill@latest create --guide --prompt "a compact field camera on a stainless workbench" --json
 ```
 
-Hosted signup does not auto-save auth state; it returns the token once with
-`--show-token`. If the runtime also needs a writable compatibility config path,
-set `IMAGE_SKILL_CONFIG_PATH` before `signup`:
+Hosted signup saves auth state to the public CLI config by default. If the
+runtime needs a writable compatibility config path, set
+`IMAGE_SKILL_CONFIG_PATH` before `signup`:
 
 ```bash
 export IMAGE_SKILL_CONFIG_PATH="$PWD/.image-skill/config.json"
@@ -200,13 +202,17 @@ npx -y image-skill@latest signup --agent \
   --agent-contact agent-inbox@example.com \
   --agent-name creative-agent \
   --runtime codex \
-  --show-token \
   --json
 ```
 
 Config write failures return `PUBLIC_CLI_CONFIG_WRITE_FAILED` with a structured
 `error.recovery.suggested_command`. Agents should follow that recovery field,
 then rerun `create --guide` for the requested creative flow.
+When `create --guide` reaches `auth_required`, it probes the configured auth
+path first. If local config cannot be written, `data.next_command` uses
+`--show-token --no-save` and `data.auth_handoff.rerun_guide.with_stdin` shows
+the token-stdin rerun path instead of asking the agent to try a doomed saved
+signup.
 
 ### `image-skill whoami`
 
@@ -264,6 +270,9 @@ Minimum success data shape:
       "live_money": true,
       "buyer_modes": ["hybrid", "human_only"],
       "requires_browser": true,
+      "agent_initiated": true,
+      "agent_settleable": false,
+      "settlement_blocker": "requires human browser checkout completion",
       "default_pack_id": "starter-500",
       "purchase_endpoint": "/v1/credit-purchases/stripe-checkout-sessions"
     },
@@ -276,6 +285,9 @@ Minimum success data shape:
       "live_money": true,
       "buyer_modes": ["agent_only", "hybrid"],
       "requires_browser": false,
+      "agent_initiated": true,
+      "agent_settleable": true,
+      "settlement_blocker": null,
       "default_pack_id": "starter-500",
       "purchase_endpoint": "/v1/credit-purchases/stripe-x402-deposits"
     }
@@ -299,11 +311,12 @@ curl -sS https://api.image-skill.com/v1/payment-methods
 
 Lists the recommended Image Skill credit packs. Packs are the default
 live-money buying UX because agents get obvious starter choices and avoid tiny
-fee traps. Use the payment method catalog to choose the rail: browserless
-`stripe_x402.exact.usdc` when it is available for agent self-funding, or
-`stripe_checkout` when a human sponsor needs a Checkout handoff. Exact custom
-quotes are still supported when an agent already knows the required credit
-budget.
+fee traps. Use the payment method catalog to choose the rail:
+`stripe_checkout` when a human sponsor can complete Checkout, or
+`stripe_x402.exact.usdc` when a wallet-equipped agent can settle a browserless
+live crypto deposit attempt from returned pay-to instructions.
+Exact custom quotes are still supported when an agent already knows the
+required credit budget.
 
 ```bash
 image-skill credits packs list --json
@@ -343,10 +356,9 @@ curl -sS https://api.image-skill.com/v1/credit-packs
 ### `image-skill credits quote`
 
 Requests a bounded credit quote from the hosted service. Public top-ups use the
-payment method returned by `credits methods --json`: `stripe_x402.exact.usdc`
-for browserless agent self-funding when it is available, or
-`stripe_checkout` for the human Checkout fallback. A quote never grants
-credits.
+payment method returned by `credits methods --json`: `stripe_checkout` for the
+human Checkout path, or `stripe_x402.exact.usdc` for a browserless
+action-required deposit attempt. A quote never grants credits.
 One Image Skill credit is a stable user-facing value unit worth `$0.01`.
 Creative operations can consume more than one credit based on the selected
 model's provider cost and Image Skill's margin policy; inspect
@@ -422,8 +434,9 @@ Minimum success data:
 ```
 
 For x402 quotes, `accepted_payment_method` is
-`"stripe_x402.exact.usdc"` and the response includes redacted
-`quote.x402` metadata for the agent-payable deposit flow.
+`"stripe_x402.exact.usdc"`. The quote does not grant credits or include pay-to
+instructions; `credits buy --provider stripe_x402` creates the action-required
+deposit challenge.
 
 Hosted API equivalent:
 
@@ -440,12 +453,14 @@ Creates a payment action for a previously returned quote. Choose the provider
 that matches the quote's `accepted_payment_method`.
 
 For a `stripe_x402.exact.usdc` quote, `--provider stripe_x402` creates a
-browserless agent-payable USDC deposit challenge. The response is live money
-when `live_money:true`; credits are granted only after verified settlement and
-webhook fulfillment succeeds. Deposit challenge creation itself must not mutate
-credit balances. Stay within the delegated cap and never pass wallet private
-keys, seed phrases, x402 payment headers, deposit client secrets, or provider
-receipts to Image Skill.
+browserless action-required USDC deposit attempt. When the response includes
+`stripe_x402.payable_instructions`, a wallet-equipped agent may pay the exact
+USDC amount to `deposit_address` on Base without using a browser. The response
+is live money when `live_money:true`. Credits are granted only after verified
+settlement and webhook fulfillment succeeds. Deposit challenge creation itself
+must not mutate credit balances. Stay within the delegated cap and never pass
+wallet private keys, seed phrases, x402 payment headers, deposit client
+secrets, card data, Stripe secrets, or provider receipts to Image Skill.
 
 ```bash
 image-skill credits buy \
@@ -474,6 +489,21 @@ Minimum x402 action-required data:
     "network": "base",
     "token_currency": "usdc",
     "deposit_address_present": true,
+    "payable_instructions": {
+      "kind": "stripe_crypto_deposit",
+      "network": "base",
+      "token_currency": "usdc",
+      "token_decimals": 6,
+      "token_amount": "5.00",
+      "token_amount_atomic": "5000000",
+      "amount_cents": 500,
+      "amount_usd": "5.00",
+      "deposit_address": "0x...",
+      "token_contract_address": "0x...",
+      "supported_token_currencies": ["usdc"],
+      "expires_at": "2026-05-08T20:00:00.000Z",
+      "exact_amount_required": true
+    },
     "redacted": {
       "payment_intent_id": "[redacted-stripe-payment-intent]",
       "deposit_address": "[redacted-stripe-crypto-deposit-address]",

package/skills/image-skill/references/llms.txt

@@ -60,7 +60,7 @@ First-run guide loop:
 1. Run image-skill create --guide --prompt PROMPT. This is the canonical fresh-agent entrypoint and the only required first command. It performs read-only hosted reachability, executable model availability, auth/quota, and payment rail checks and returns data.stage, data.next_command, data.auth_handoff, data.escape_hatches, and data.mutation. Guide mode must report provider_call: false, hosted_create: false, hosted_signup: false, payment_object: false, credit_debit: false, and media_write: false.
 2. Follow data.next_command. Do not run doctor, models list, signup, whoami, quota, dry-run, or payment commands as a setup checklist before the guide asks for them.
 3. If data.stage is prompt_required, rerun data.next_command with the real prompt.
-4. If data.stage is auth_required, run data.next_command, store the returned token in the agent runtime secret store, then rerun the guide once with IMAGE_SKILL_TOKEN or --token-stdin. If the runtime does not inject the token automatically, use data.auth_handoff.rerun_guide.with_env or data.auth_handoff.rerun_guide.with_stdin. The signup command uses --agent-contact as an email-shaped durable contact inbox for the restricted agent identity, not as a requirement to find an individual human. Hosted signup returns the raw restricted token only when --show-token is set, and only once; it does not auto-save auth into the public CLI config. Use an agent-owned inbox when available; otherwise use an operator, team, or sponsor inbox that can receive future claim, billing, or abuse notices. Do not block waiting for a person, invent a person, or use a throwaway inbox. example.invalid addresses are only appropriate inside documented harness or proof runs. --human-email remains accepted as a compatibility alias, but the guide must not teach it. --save is local-only (--local) and rejected on the hosted path; the guide must not teach it. Use --no-save only for older hosted instructions, and use --show-token --no-save when the runtime has a separate secret store and needs the raw token once.
+4. If data.stage is auth_required, run data.next_command, then rerun the guide once. Hosted signup saves the restricted token to the public CLI config by default with 0600 permissions. If the runtime intentionally uses --no-save --show-token, store the returned token in the agent runtime secret store, then rerun with IMAGE_SKILL_TOKEN or --token-stdin; data.auth_handoff.rerun_guide.with_env and data.auth_handoff.rerun_guide.with_stdin are copy-safe templates for that mode. The signup command uses --agent-contact as an email-shaped durable contact inbox for the restricted agent identity, not as a requirement to find an individual human. Hosted signup returns the raw restricted token only when --show-token is set, and only once. Use an agent-owned inbox when available; otherwise use an operator, team, or sponsor inbox that can receive future claim, billing, or abuse notices. Do not block waiting for a person, invent a person, or use a throwaway inbox. example.invalid addresses are only appropriate inside documented harness or proof runs. --human-email remains accepted as a compatibility alias, but the guide must not teach it. --save is accepted as a compatibility no-op for the default save behavior; use --no-save only when the runtime has a separate secret store and does not want local config.
 5. If data.stage is quota_required, follow the payment commands in data.checks.payments.suggested_commands, then rerun the guide once. One Image Skill credit is $0.01. Credit quotes grant prepaid value units; create/edit operations debit model-priced credits reported as cost.credit_pricing. Starter preview currently gives bounded free-preview credits plus a four-job daily cap.
 6. If data.stage is ready_to_create, run data.next_command for the first bounded create. If the guide authenticated from env or stdin, prefer data.auth_handoff.next_command.with_env or data.auth_handoff.next_command.with_stdin so auth follows the create. In guide cost output, cost.estimated_usd_per_image and cost.estimated_debit_usd_per_image are the Image Skill debit dollars for one output; cost.estimated_provider_usd_per_image is only the upstream provider estimate. Use the guide's returned max_estimated_usd_per_image because it is sized to the credit debit the agent funds. Add --output-count N only after models show confirms the selected create model supports more than one output; credit_pricing.credits_required is the total debit across outputs, while max_estimated_usd_per_image remains a per-image Image Skill debit guard.
 7. After create, use image-skill jobs show JOB_ID to recover status, cost, safety, timestamps, and final assets; image-skill assets get ASSET_URL_OR_ID --output ./result.png to fetch the generated asset without repeating provider work; and image-skill activity list --subject JOB_ID to find ledger events, trace, usage, and asset links to cite.
@@ -70,7 +70,7 @@ Manual escape hatches are not prerequisites. Use image-skill doctor, image-skill
 
 Core commands:
 - image-skill doctor --json
-- image-skill signup --agent --agent-contact AGENT_OR_OPERATOR_INBOX --agent-name NAME --runtime RUNTIME --show-token --json
+- image-skill signup --agent --agent-contact AGENT_OR_OPERATOR_INBOX --agent-name NAME --runtime RUNTIME --json
 - image-skill whoami --json
 - image-skill usage quota --json
 - image-skill quota --json (compatibility alias)
@@ -109,10 +109,10 @@ Hosted API endpoints:
 - POST https://api.image-skill.com/v1/agent-signups creates or rotates a restricted unclaimed agent token. Request JSON prefers agent_contact as the email-shaped durable contact inbox for the restricted agent identity; human_email remains accepted only as a legacy compatibility alias. The contact is not a requirement that an autonomous agent stop until a specific human is present. Response JSON returns data.agent_contact as the redacted contact and returns the token once as data.token. Store it in the agent runtime secret store; never put it in prompts, logs, issue text, or feedback.
 - GET https://api.image-skill.com/v1/whoami returns durable hosted identity for Authorization: Bearer TOKEN.
 - GET https://api.image-skill.com/v1/quota returns durable hosted quota for Authorization: Bearer TOKEN.
-- GET https://api.image-skill.com/v1/payment-methods returns the no-auth action-only payment rail catalog. It tells agents which currently usable rails are available, whether live money can move, buyer modes (agent_only, hybrid, human_only), browser requirements, limits, endpoint paths, and recovery commands. Planned, watch-only, fake, and private harness rails are intentionally omitted.
+- GET https://api.image-skill.com/v1/payment-methods returns the no-auth action-only payment rail catalog. It tells agents which currently usable rails are available, whether live money can move, buyer modes (agent_only, hybrid, human_only), browser requirements, agent_initiated, agent_settleable, settlement_blocker, limits, endpoint paths, and recovery commands. Planned, watch-only, fake, and private harness rails are intentionally omitted.
 - GET https://api.image-skill.com/v1/credit-packs returns the public pack catalog. Recommended live-money packs include starter-500, builder-2000, and studio-5000. Packs are the default top-up UX; exact quotes remain supported for agents that already know the required credit budget.
-- POST https://api.image-skill.com/v1/credit-quotes returns a credit quote for Authorization: Bearer TOKEN. Request JSON: either credits or pack_id, optional payment_method, idempotency_key. Use payment_method stripe_x402.exact.usdc only when credits methods returns it available/quoteable/purchasable/requires_browser:false; use stripe_checkout for the human Checkout fallback. Response includes quote_id, credits, price_amount_cents, currency, accepted_payment_method, pack_id, pack, live_money, and redacted quote.x402 metadata for x402 quotes. One credit equals $0.01, so price_amount_cents equals credits. This does not grant credits.
-- POST https://api.image-skill.com/v1/credit-purchases/stripe-x402-deposits creates a browserless agent-payable USDC deposit challenge for a stripe_x402.exact.usdc quote. Request JSON: quote_id, idempotency_key. Response includes state: action_required, payment_attempt_id, accepted_payment_method: stripe_x402.exact.usdc, live_money, amount_cents, stripe_x402 redacted challenge metadata, and next.agent_action: pay_stripe_crypto_deposit. This does not grant credits; verified settlement/webhook fulfillment grants paid credits exactly once.
+- POST https://api.image-skill.com/v1/credit-quotes returns a credit quote for Authorization: Bearer TOKEN. Request JSON: either credits or pack_id, optional payment_method, idempotency_key. Use stripe_checkout for the human Checkout path. Use payment_method stripe_x402.exact.usdc only when credits methods returns it available/quoteable/purchasable/requires_browser:false; treat it as autonomous self-settlement only when agent_settleable:true is also returned. Response includes quote_id, credits, price_amount_cents, currency, accepted_payment_method, pack_id, pack, and live_money. One credit equals $0.01, so price_amount_cents equals credits. This does not grant credits.
+- POST https://api.image-skill.com/v1/credit-purchases/stripe-x402-deposits creates a browserless action-required USDC deposit attempt for a stripe_x402.exact.usdc quote. Request JSON: quote_id, idempotency_key. Response includes state: action_required, payment_attempt_id, accepted_payment_method: stripe_x402.exact.usdc, live_money, amount_cents, stripe_x402 challenge metadata, stripe_x402.payable_instructions when Stripe returns a Base deposit address, and next.agent_action: pay_stripe_crypto_deposit. A wallet-equipped agent can pay the exact USDC token_amount_atomic to payable_instructions.deposit_address on Base. This does not grant credits; verified settlement/webhook fulfillment grants paid credits exactly once.
 - POST https://api.image-skill.com/v1/credit-purchases/stripe-checkout-sessions creates a Stripe Checkout Session for a stripe_checkout quote. Request JSON: quote_id, idempotency_key. Response includes state: action_required, payment_attempt_id, checkout_session_id, checkout_handoff_url, checkout_compact_url, checkout_url, accepted_payment_method: stripe_checkout, and next.human_action: open_checkout_url. Present checkout_handoff_url to humans because it is short and redirects to Stripe; checkout_compact_url is also copy-safe when present. If no handoff URL is available, present the full checkout_url in a code block. Do not remove the Stripe # fragment; Checkout needs it in the browser. Stripe-hosted Checkout may accept operator-provided promotion codes; humans enter them on Stripe, not in the Image Skill CLI. This does not grant credits; verified Stripe webhook fulfillment grants paid credits exactly once.
 - GET https://api.image-skill.com/v1/credit-purchases/status returns durable payment state for Authorization: Bearer TOKEN. Query with exactly one of quote_id, payment_attempt_id, checkout_session_id, or receipt_id. Response includes state, quote, payment_attempt, receipt, credit_event, provider_event, limits, and next.
 - GET https://api.image-skill.com/v1/models returns the public model registry. Query params: available=true returns currently usable executable rows, executable=true returns runtime-wired rows regardless current availability, catalog_only=true returns source-backed catalog-only rows, operation=image.generate|image.edit narrows by operation, and provider=fal|xai|openai narrows by provider. Default list output excludes catalog-only rows so fresh agents see executable candidates first. The response summary includes total, returned, available, executable, cataloged_not_wired, provider split, execution_availability, first_actionable_model_ids, recommended filter commands, and catalog-inclusion flags. For runnable choices require both status: available and execution.model_execution_status: executable; provider-level availability alone is not enough. If a reachable provider has no runnable model for the requested operation, summary.execution_availability says so directly and includes the fastest --available --operation recovery command. GET https://api.image-skill.com/v1/models/MODEL_ID returns one model's capability-preserving schema.
@@ -189,7 +189,7 @@ Unclaimed agents may not:
 - send card data, wallet secrets, wallet private keys, seed phrases, raw x402 payment headers, provider receipts, Stripe secrets, MPP tokens, SPTs, bearer tokens, or any payment credential to Image Skill; Stripe payment details must be entered only on Stripe-hosted checkout pages
 
 Credits:
-One Image Skill credit is $0.01. Use image-skill credits methods --json to inspect payment rail availability and whether a browser/human action is required. When stripe_x402.exact.usdc is returned with available:true, quoteable:true, purchasable:true, and requires_browser:false, use image-skill credits quote --pack PACK_ID --payment-method stripe_x402.exact.usdc --idempotency-key KEY --json and then image-skill credits buy --provider stripe_x402 --quote-id QUOTE_ID --idempotency-key KEY --json to create the browserless agent-payable deposit challenge. Treat live_money:true as real spend and stay inside the delegated cap. Use image-skill credits packs list --json to inspect recommended packs. Use image-skill credits quote --pack PACK_ID --payment-method stripe_checkout --idempotency-key KEY --json and image-skill credits buy --provider stripe --quote-id QUOTE_ID --idempotency-key KEY --json for the Stripe Checkout human fallback; this returns checkout_handoff_url, copy-safe checkout_compact_url, and full Stripe checkout_url fallback and does not grant credits. Present checkout_handoff_url or checkout_compact_url to humans, especially in mobile terminals, SSH, or chat. If checkout_handoff_url is absent, present the full checkout_url in a code block and preserve the Stripe # fragment. Use image-skill credits status --payment-attempt-id PAYMENT_ATTEMPT_ID --json after buy and after settlement/checkout completion to read state, receipt, credit_event, limits, and retry guidance. Create/edit debit model-priced credits after provider success; inspect models show and operation cost.credit_pricing for credits_required and pricing_confidence. Do not silently downgrade to the cheapest model to avoid payment when the user asked for quality or is willing to pay; quote the needed credits and use the available agent x402 rail or Stripe Checkout fallback. Credits buy requires explicit --idempotency-key. Quote idempotency keys are scoped to the hosted agent identity and exact quote terms; use per-run/per-step quote keys and inspect error.recovery.suggested_command on CREDIT_QUOTE_CONFLICT. Never send payment credentials to Image Skill: no wallet private keys, seed phrases, x402 payment headers, deposit client secrets, provider receipts, card data, or Stripe secrets. Public request fields are credits, pack_id, payment_method, quote_id, status reference IDs, and idempotency_key.
+One Image Skill credit is $0.01. Use image-skill credits methods --json to inspect payment rail availability, browser/human requirements, agent_initiated, agent_settleable, and settlement_blocker. Use image-skill credits quote --pack PACK_ID --payment-method stripe_checkout --idempotency-key KEY --json and image-skill credits buy --provider stripe --quote-id QUOTE_ID --idempotency-key KEY --json for the Stripe Checkout human path; this returns checkout_handoff_url, copy-safe checkout_compact_url, and full Stripe checkout_url fallback and does not grant credits. When stripe_x402.exact.usdc is returned with available:true, quoteable:true, purchasable:true, requires_browser:false, and agent_settleable:true, image-skill credits quote --pack PACK_ID --payment-method stripe_x402.exact.usdc --idempotency-key KEY --json followed by image-skill credits buy --provider stripe_x402 --quote-id QUOTE_ID --idempotency-key KEY --json creates a browserless live deposit attempt with stripe_x402.payable_instructions. Treat live_money:true as real spend, stay inside the delegated cap, and pay exactly token_amount_atomic USDC units to payable_instructions.deposit_address on Base only from a wallet substrate you control. Present checkout_handoff_url or checkout_compact_url to humans, especially in mobile terminals, SSH, or chat. If checkout_handoff_url is absent, present the full checkout_url in a code block and preserve the Stripe # fragment. Use image-skill credits status --payment-attempt-id PAYMENT_ATTEMPT_ID --json after buy and after settlement/checkout completion to read state, receipt, credit_event, limits, and retry guidance. Create/edit debit model-priced credits after provider success; inspect models show and operation cost.credit_pricing for credits_required and pricing_confidence. Do not silently downgrade to the cheapest model to avoid payment when the user asked for quality or is willing to pay; quote the needed credits and use an agent_settleable:true x402 rail or Stripe Checkout fallback. Credits buy requires explicit --idempotency-key. Quote idempotency keys are scoped to the hosted agent identity and exact quote terms; use per-run/per-step quote keys and inspect error.recovery.suggested_command on CREDIT_QUOTE_CONFLICT. Never send payment credentials to Image Skill: no wallet private keys, seed phrases, x402 payment headers, deposit client secrets, provider receipts, card data, or Stripe secrets. Public request fields are credits, pack_id, payment_method, quote_id, status reference IDs, and idempotency_key.
 
 Telemetry:
 - command or endpoint name