Guides | Hoolix

Guides

Practical docs for building with agentic AI

Short, source-backed guides that connect tools and standards to real setup decisions.

Model Context Protocol4 min

First MCP Server Checklist

A practical checklist for selecting and connecting your first MCP server safely.

mcpsecuritysetup

Pick a trusted server

Start with official servers or servers with a verified namespace, active maintenance, and minimal permissions.

Prefer narrow scope

Use read-only or project-scoped URLs where available. Supabase MCP supports project_ref and read_only=true; Vercel MCP supports project-specific URLs.

Validate locally

Connect the server, list tools, and ask one low-risk query before granting write tools.

Keep human review on

Agents connected to MCP can act on real systems. Keep approval prompts enabled for deploys, database writes, browser automation, and repository changes.

Source Source Source Source

OpenAI5 min

From Codex Skill to Plugin

When to keep a Codex workflow as a local skill and when to package it as a plugin.

codexskillsplugins

Use a skill first

Create a small .agents/skills/<name>/SKILL.md when the workflow is local, repo-specific, or still evolving.

Package when reuse matters

Move to a plugin when you want other developers to install the workflow, when you bundle multiple skills, or when the package needs MCP configuration or app integration metadata.

Keep descriptions sharp

Codex progressively discloses skill content. The name and description decide whether the skill is discovered, so put the trigger use case up front.

Include scripts only when needed

Instruction-only skills are easier to review. Add scripts, references, and assets when the workflow needs repeatable mechanics or templates.

Source

Supabase5 min

Supabase GitHub Auth for Next.js

The moving parts for Supabase SSR auth, GitHub OAuth, and callback URLs.

supabasegithub-oauthnextjsauth

GitHub OAuth callback URL

For Supabase Auth, the GitHub OAuth app authorization callback URL is https://<project-ref>.supabase.co/auth/v1/callback.

Next.js app callback

In a server-side PKCE flow, your app also needs an /auth/callback route. The browser goes through Supabase Auth, then Supabase redirects back to your app route so exchangeCodeForSession can set cookies.

Redirect allow list

Add your deployed site URL and local dev URL to Supabase Auth redirect URLs. This app uses /auth/callback?next=/dashboard.

Store credentials server-side

GitHub client secret belongs in Supabase Auth provider configuration, not in browser-exposed Next.js variables.

Source Source