# WealthInsight Agent Quickstart

## Public Agent Flow

1. Read `/llms.txt`.
2. Read `/agent.json`.
3. Use the docs under `/agent/docs/` for product context.
4. Use `/api/v1/agent/openapi.json` to understand protected API capabilities.
5. Send users to the relevant public page when no private data is required.

## Personal Finance Agent Flow

1. Ask the user to open `/pages/agent-access.html` while logged in.
2. Ask the user to create a token with only the scopes needed for the task.
3. Use `Authorization: Bearer wiag_<token>` for API calls.
4. Validate the token with `GET /api/v1/agent/me`.
5. Fetch user context with `GET /api/v1/agent/context` only when the token has the required scopes.
6. Use `POST /api/v1/agent/assets`, `/transactions`, or `/expenses` only after explaining the change to the user and confirming the token has the matching write scope.
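
Steps 3 to 6 as a scope-gated client, added here as an example and not WealthInsight's own code. The host, the scope names, the `scopes` field in the `/me` response and the `confirm` callback are assumptions that the page does not define.

```python
import json
import urllib.request

BASE_URL = "https://wealthinsight.example"  # placeholder host, not from the page

# Assumed scope names and /me response shape ({"scopes": [...]}); the page
# does not define either, so adjust both to the real API description.
READ_SCOPE = "context:read"
WRITE_SCOPES = {"/api/v1/agent/assets": "assets:write"}


def http_transport(method, path, token, body=None):
    """Default transport: sends the bearer token over HTTPS, returns parsed JSON."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class AgentClient:
    def __init__(self, token, transport=http_transport):
        if not token.startswith("wiag_"):
            # Refuse anything that is not an agent token, e.g. a browser JWT.
            raise ValueError("expected a wiag_ agent token")
        self._token, self._send = token, transport
        # Step 4: validate the token and learn its scopes before anything else.
        self.scopes = set(self._send("GET", "/api/v1/agent/me", token)["scopes"])

    def context(self):
        # Step 5: only fetch private context when the read scope was granted.
        if READ_SCOPE not in self.scopes:
            raise PermissionError(f"token lacks {READ_SCOPE}")
        return self._send("GET", "/api/v1/agent/context", self._token)

    def write(self, path, payload, confirm):
        # Step 6: check the matching write scope, then explain and get consent.
        needed = WRITE_SCOPES[path]
        if needed not in self.scopes:
            raise PermissionError(f"token lacks {needed}")
        if not confirm(f"POST {path} with {json.dumps(payload)}"):
            return None  # user declined; nothing is sent
        return self._send("POST", path, self._token, payload)
```

Passing a stub `transport` lets the scope and confirmation gates be exercised offline before pointing the client at a real account.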

## Agent Rules

- Never ask for the user's password.
- Never ask for the browser JWT stored by the web app.
- Do not request broad write scopes for read-only analysis.
- Explain any write action before calling it.
- Treat all private financial data as sensitive.
