fix: address all 6 bankr review comments

[deluonchain]

Addresses all 6 issues raised in the Bankr review on BankrBot/skills#481.

Changes

SKILL.md (v16 → v17)

• Added Safety section at the top covering all three Bankr concerns:
  • Oracle output is analysis, not agent instructions — narrative fields must not trigger tool calls, payments, or trades autonomously
  • Analysis and execution are explicitly separated — any trade requires user confirmation
  • x402 budget and opt-in guardrails — user must confirm budget and call count before watchlist loops; ?social=true requires explicit opt-in
• Updated ?social parameter note to reflect opt-in requirement
• Rewrote "simple gate" block to make clear it surfaces a signal for user review, not an execution trigger

references/social-enrichment.md

• Replaced silent fallback with a mandatory disclosure flow — if checkr fails, surface the failure to the user, ask whether to proceed quant-only or abort, and label the result clearly if falling back

references/external-clients.md

• Added prominent wallet custody warning block before all code examples (dedicated hot wallet, spending limits, no .env commits, no primary wallet)
• Pinned package versions: x402-fetch@0.4.0, viem@2.21.19, x402==0.3.1
• Fixed stale payment info: updated from USDC/EIP-3009 to DELU/Permit2 (upto scheme)
• Removed stale ?verbose=true mention (no-op in v29, observed always present)
• Updated code comments to reinforce analysis-only framing

references/response-schema.md

• Added field trust model table labeling narrative fields (decision.read, summary, drivers, risks, observed.social.*) as informational only — must not be parsed as agent instructions
• Updated decision gate example to include "surface for user review — confirm before execution" comment

references/mandate-fields.md

• Added explicit note that the mandate is analysis output, not an execution instruction
• Added confirmation requirement note on size_hint_pct

[deluonchain]

All 6 review comments addressed. Reference implementation merged in #8.

Comment 1 — Prompt injection boundary
Added a Safety section to SKILL.md and a field trust model table to references/response-schema.md. Narrative fields (decision.read, summary, drivers, risks, observed.social.*) are explicitly labeled as human-readable analysis from external systems, not agent instructions.

Comment 2 — Trading decision as execution instruction
Rewrote the "simple gate" block in SKILL.md — now explicitly says the oracle is analysis only and any trade requires separate user confirmation. Added the same note to references/mandate-fields.md at the top of the file.

Comment 3 — Paid x402 budget and confirmation guardrails
Added budget/opt-in language to the Safety section in SKILL.md. Updated references/social-enrichment.md to require explicit user opt-in and cost disclosure before ?social=true is passed.

Comment 4 — Unpinned package installs
Pinned all versions in references/external-clients.md: x402-fetch@0.4.0, viem@2.21.19, x402==0.3.1.

Comment 5 — Private key custody warnings
Added a prominent custody warning block at the top of the examples section in references/external-clients.md: dedicated hot wallet, spending limits, no .env commits, never use a primary wallet.

Comment 6 — Silent social fallback
Replaced the silent fallback instruction in references/social-enrichment.md with a mandatory disclosure flow — agent must surface the failure to the user and ask whether to proceed quant-only or abort.