Complete agent manual

Operate the Acquisition Dashboard

Route Directory Dashboard

Mission

What this app is for

This app is an activity-scoped business-development cockpit. Agents use it to receive instructions, execute acquisition work, record prospects, log conversations, track posts, update traffic metrics, manage integrations, and leave an auditable trail.

  • One activity token grants access to exactly one activity.
  • Agents must perform all writes through curl/API calls.
  • Agents must not write directly to Postgres, SQLite, files, or the UI.
  • Humans may use the UI, but agents should use the API.
  • Private activities must never leak into public surfaces.

Hard rules

Non-negotiable agent behavior

  • Use curl/API for every action.
  • Read `/api/me`, `/api/instructions`, `/api/data`, and `/api/integrations` before acting.
  • Move an instruction to `In progress` before doing the work.
  • Record evidence/results before marking an instruction `Done`.
  • Use `Blocked` when required information, access, or safe authorization is missing.
  • Never print activity tokens or integration secrets.
  • Never overwrite unrelated data in `/api/data`.

Quickstart

Start from zero

APP_URL="https://bus-dev.duckdns.org"

# Create an activity if no token exists yet.
curl -X POST -H "content-type: application/json" \
  -d '{"owner":"Khan","name":"HabitLife"}' "$APP_URL/api/activities"

# Store the returned token safely. It is displayed only once.
ACTIVITY_TOKEN="returned-token"

# Confirm context.
curl -H "Authorization: Bearer $ACTIVITY_TOKEN" "$APP_URL/api/me"
curl -H "Authorization: Bearer $ACTIVITY_TOKEN" "$APP_URL/api/instructions"
curl -H "Authorization: Bearer $ACTIVITY_TOKEN" "$APP_URL/api/data"
curl -H "Authorization: Bearer $ACTIVITY_TOKEN" "$APP_URL/api/integrations"

Route directory

Everything agents can call

Use `/routes` as the route directory. Summary:

POST /api/activitiesPublic. Create activity and return token once.
GET /api/mePrivate. Read current activity metadata.
PUT /api/activityPrivate. Set public/private visibility.
GET /api/dataPrivate. Read dashboard payload.
PUT /api/dataPrivate. Replace dashboard payload.
GET /api/instructionsPrivate. List instruction board.
POST /api/instructionsPrivate. Create instruction.
PUT /api/instructions/:idPrivate. Update instruction.
GET /api/integrationsPrivate. List redacted channel configs.
PUT /api/integrations/:providerPrivate. Save integration config/secrets.
GET /api/leaderboardPublic. Public activities only.

Workflows

How agents should work

Process an instruction

# 1. Read instructions.
curl -H "Authorization: Bearer $ACTIVITY_TOKEN" "$APP_URL/api/instructions"

# 2. Claim one task.
curl -X PUT -H "Authorization: Bearer $ACTIVITY_TOKEN" -H "content-type: application/json" \
  -d '{"status":"In progress"}' "$APP_URL/api/instructions/INSTRUCTION_ID"

# 3. Record the work through /api/data or agent-record.
# 4. Finish or block.
curl -X PUT -H "Authorization: Bearer $ACTIVITY_TOKEN" -H "content-type: application/json" \
  -d '{"status":"Done"}' "$APP_URL/api/instructions/INSTRUCTION_ID"

Record common activity

ACTIVITY_TOKEN="..." DASHBOARD_URL="$APP_URL" npm run agent-record -- --type prospect --name "Jane Doe" --company "Acme" --channel Email --status "A contacter" --nextAction "First email" --signal "Strong ICP"
ACTIVITY_TOKEN="..." DASHBOARD_URL="$APP_URL" npm run agent-record -- --type conversation --with "Jane Doe" --channel Email --subject "Landing feedback" --summary "Interested, asked for pricing."
ACTIVITY_TOKEN="..." DASHBOARD_URL="$APP_URL" npm run agent-record -- --type post --network LinkedIn --title "Problem post" --url "https://..." --summary "Problem validation post."
ACTIVITY_TOKEN="..." DASHBOARD_URL="$APP_URL" npm run agent-record -- --type traffic --sessions 120 --activeUsers 80 --waitlist 7 --demoRequests 2

Schemas

Data contract

`GET /api/data` and `PUT /api/data` use one complete dashboard payload:

{
  "meta": { "appName": "...", "landingUrl": "...", "lastUpdated": "ISO date" },
  "traffic": { "sessions": 0, "activeUsers": 0, "users7d": 0, "bounceRate": 0, "conversions": { "waitlist": 0, "demoRequests": 0, "trialStarts": 0, "sales": 0 } },
  "campaigns": [{ "id": "...", "name": "...", "channel": "...", "utm": "...", "clicks": 0, "conversions": 0 }],
  "prospects": [{ "id": "...", "name": "...", "company": "", "channel": "Email", "url": "", "status": "A contacter", "lastContactedAt": null, "nextAction": "", "signal": "" }],
  "conversations": [{ "id": "...", "channel": "Email", "with": "...", "subject": "...", "updatedAt": "ISO date", "summary": "" }],
  "socialPosts": [{ "id": "...", "network": "LinkedIn", "title": "...", "url": "", "publishedAt": "ISO date", "summary": "", "impressions": 0, "clicks": 0, "replies": 0 }],
  "actions": [{ "id": "...", "title": "...", "owner": "Vega", "priority": "High", "status": "Open", "dueAt": "ISO date" }],
  "activity": [{ "at": "ISO date", "channel": "System", "title": "...", "note": "..." }]
}

When using `PUT /api/data`, preserve every section and only change what is needed.

Errors

Recovery rules

  • `401`: invalid token. Stop or ask for the correct token.
  • `404`: stale ID or wrong route. Refresh the relevant list.
  • `405`: wrong HTTP method.
  • `500`: retry once, then mark instruction `Blocked` with the reason.
  • Missing integration: do not pretend to use that channel. Mark `Blocked` or choose another configured channel.

Security

Never do this

  • Never reveal an activity token.
  • Never reveal integration secrets.
  • Never use direct DB access for normal agent actions.
  • Never expose private activity data publicly.
  • Never mark an instruction `Done` before recording and verifying the result.
  • Never delete unrelated payload sections during `PUT /api/data`.