@dimcool/mcp 0.1.27 → 0.1.29

package/dist/index.js

@@ -41,7 +41,7 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 var require_XMLHttpRequest = __commonJS({
   "../../node_modules/xmlhttprequest-ssl/lib/XMLHttpRequest.js"(exports, module) {
     "use strict";
-    var fs = __require("fs");
+    var fs2 = __require("fs");
     var Url = __require("url");
     var spawn = __require("child_process").spawn;
     module.exports = XMLHttpRequest3;
@@ -199,7 +199,7 @@ var require_XMLHttpRequest = __commonJS({
             throw new Error("XMLHttpRequest: Only GET method is supported");
           }
           if (settings.async) {
-            fs.readFile(unescape(url2.pathname), function(error, data2) {
+            fs2.readFile(unescape(url2.pathname), function(error, data2) {
               if (error) {
                 self2.handleError(error, error.errno || -1);
               } else {
@@ -211,7 +211,7 @@ var require_XMLHttpRequest = __commonJS({
             });
           } else {
             try {
-              this.response = fs.readFileSync(unescape(url2.pathname));
+              this.response = fs2.readFileSync(unescape(url2.pathname));
               this.responseText = this.response.toString("utf8");
               this.status = 200;
               setState(self2.DONE);
@@ -337,15 +337,15 @@ var require_XMLHttpRequest = __commonJS({
         } else {
           var contentFile = ".node-xmlhttprequest-content-" + process.pid;
           var syncFile = ".node-xmlhttprequest-sync-" + process.pid;
-          fs.writeFileSync(syncFile, "", "utf8");
+          fs2.writeFileSync(syncFile, "", "utf8");
           var execString = "var http = require('http'), https = require('https'), fs = require('fs');var doRequest = http" + (ssl ? "s" : "") + ".request;var options = " + JSON.stringify(options) + ";var responseText = '';var responseData = Buffer.alloc(0);var req = doRequest(options, function(response) {response.on('data', function(chunk) {  var data = Buffer.from(chunk);  responseText += data.toString('utf8');  responseData = Buffer.concat([responseData, data]);});response.on('end', function() {fs.writeFileSync('" + contentFile + "', JSON.stringify({err: null, data: {statusCode: response.statusCode, headers: response.headers, text: responseText, data: responseData.toString('base64')}}), 'utf8');fs.unlinkSync('" + syncFile + "');});response.on('error', function(error) {fs.writeFileSync('" + contentFile + "', 'NODE-XMLHTTPREQUEST-ERROR:' + JSON.stringify(error), 'utf8');fs.unlinkSync('" + syncFile + "');});}).on('error', function(error) {fs.writeFileSync('" + contentFile + "', 'NODE-XMLHTTPREQUEST-ERROR:' + JSON.stringify(error), 'utf8');fs.unlinkSync('" + syncFile + "');});" + (data ? "req.write('" + JSON.stringify(data).slice(1, -1).replace(/'/g, "\\'") + "');" : "") + "req.end();";
           var syncProc = spawn(process.argv[0], ["-e", execString]);
           var statusText;
-          while (fs.existsSync(syncFile)) {
+          while (fs2.existsSync(syncFile)) {
           }
-          self2.responseText = fs.readFileSync(contentFile, "utf8");
+          self2.responseText = fs2.readFileSync(contentFile, "utf8");
           syncProc.stdin.end();
-          fs.unlinkSync(contentFile);
+          fs2.unlinkSync(contentFile);
           if (self2.responseText.match(/^NODE-XMLHTTPREQUEST-ERROR:/)) {
             var errorObj = JSON.parse(self2.responseText.replace(/^NODE-XMLHTTPREQUEST-ERROR:/, ""));
             self2.handleError(errorObj, 503);
@@ -1235,8 +1235,8 @@ var require_constants = __commonJS({
 var require_node_gyp_build = __commonJS({
   "../../node_modules/node-gyp-build/node-gyp-build.js"(exports, module) {
     "use strict";
-    var fs = __require("fs");
-    var path2 = __require("path");
+    var fs2 = __require("fs");
+    var path3 = __require("path");
     var os2 = __require("os");
     var runtimeRequire = typeof __webpack_require__ === "function" ? __non_webpack_require__ : __require;
     var vars = process.config && process.config.variables || {};
@@ -1253,21 +1253,21 @@ var require_node_gyp_build = __commonJS({
       return runtimeRequire(load.resolve(dir));
     }
     load.resolve = load.path = function(dir) {
-      dir = path2.resolve(dir || ".");
+      dir = path3.resolve(dir || ".");
       try {
-        var name = runtimeRequire(path2.join(dir, "package.json")).name.toUpperCase().replace(/-/g, "_");
+        var name = runtimeRequire(path3.join(dir, "package.json")).name.toUpperCase().replace(/-/g, "_");
         if (process.env[name + "_PREBUILD"]) dir = process.env[name + "_PREBUILD"];
       } catch (err) {
       }
       if (!prebuildsOnly) {
-        var release = getFirst(path2.join(dir, "build/Release"), matchBuild);
+        var release = getFirst(path3.join(dir, "build/Release"), matchBuild);
         if (release) return release;
-        var debug12 = getFirst(path2.join(dir, "build/Debug"), matchBuild);
+        var debug12 = getFirst(path3.join(dir, "build/Debug"), matchBuild);
         if (debug12) return debug12;
       }
-      var prebuild = resolve(dir);
+      var prebuild = resolve2(dir);
       if (prebuild) return prebuild;
-      var nearby = resolve(path2.dirname(process.execPath));
+      var nearby = resolve2(path3.dirname(process.execPath));
       if (nearby) return nearby;
       var target = [
         "platform=" + platform,
@@ -1283,27 +1283,27 @@ var require_node_gyp_build = __commonJS({
         // eslint-disable-line
       ].filter(Boolean).join(" ");
       throw new Error("No native build was found for " + target + "\n    loaded from: " + dir + "\n");
-      function resolve(dir2) {
-        var tuples = readdirSync(path2.join(dir2, "prebuilds")).map(parseTuple);
+      function resolve2(dir2) {
+        var tuples = readdirSync(path3.join(dir2, "prebuilds")).map(parseTuple);
         var tuple = tuples.filter(matchTuple(platform, arch)).sort(compareTuples)[0];
         if (!tuple) return;
-        var prebuilds = path2.join(dir2, "prebuilds", tuple.name);
+        var prebuilds = path3.join(dir2, "prebuilds", tuple.name);
         var parsed = readdirSync(prebuilds).map(parseTags);
         var candidates = parsed.filter(matchTags(runtime, abi));
         var winner = candidates.sort(compareTags(runtime))[0];
-        if (winner) return path2.join(prebuilds, winner.file);
+        if (winner) return path3.join(prebuilds, winner.file);
       }
     };
     function readdirSync(dir) {
       try {
-        return fs.readdirSync(dir);
+        return fs2.readdirSync(dir);
       } catch (err) {
         return [];
       }
     }
     function getFirst(dir, filter) {
       var files = readdirSync(dir).filter(filter);
-      return files[0] && path2.join(dir, files[0]);
+      return files[0] && path3.join(dir, files[0]);
     }
     function matchBuild(name) {
       return /\.node$/.test(name);
@@ -1390,7 +1390,7 @@ var require_node_gyp_build = __commonJS({
       return typeof window !== "undefined" && window.process && window.process.type === "renderer";
     }
     function isAlpine(platform2) {
-      return platform2 === "linux" && fs.existsSync("/etc/alpine-release");
+      return platform2 === "linux" && fs2.existsSync("/etc/alpine-release");
     }
     load.parseTags = parseTags;
     load.matchTags = matchTags;
@@ -3676,7 +3676,7 @@ var require_websocket = __commonJS({
     var tls = __require("tls");
     var { randomBytes, createHash } = __require("crypto");
     var { Duplex, Readable } = __require("stream");
-    var { URL } = __require("url");
+    var { URL: URL2 } = __require("url");
     var PerMessageDeflate = require_permessage_deflate();
     var Receiver2 = require_receiver();
     var Sender2 = require_sender();
@@ -4166,11 +4166,11 @@ var require_websocket = __commonJS({
         );
       }
       let parsedUrl;
-      if (address instanceof URL) {
+      if (address instanceof URL2) {
         parsedUrl = address;
       } else {
         try {
-          parsedUrl = new URL(address);
+          parsedUrl = new URL2(address);
         } catch (e) {
           throw new SyntaxError(`Invalid URL: ${address}`);
         }
@@ -4307,7 +4307,7 @@ var require_websocket = __commonJS({
           req.abort();
           let addr;
           try {
-            addr = new URL(location2, address);
+            addr = new URL2(location2, address);
           } catch (e) {
             const err = new SyntaxError(`Invalid URL: ${location2}`);
             emitErrorAndClose(websocket, err);
@@ -7309,13 +7309,13 @@ var require_nacl_fast = __commonJS({
 import {
   chmod,
   mkdir,
-  readFile,
+  readFile as readFile2,
   rename,
-  stat,
+  stat as stat2,
   writeFile
 } from "fs/promises";
 import os from "os";
-import path from "path";
+import path2 from "path";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { Keypair as Keypair2 } from "@solana/web3.js";
 import bs582 from "bs58";
@@ -8572,12 +8572,12 @@ function parse2(str) {
   uri.queryKey = queryKey(uri, uri["query"]);
   return uri;
 }
-function pathNames(obj, path2) {
-  const regx = /\/{2,9}/g, names = path2.replace(regx, "/").split("/");
-  if (path2.slice(0, 1) == "/" || path2.length === 0) {
+function pathNames(obj, path3) {
+  const regx = /\/{2,9}/g, names = path3.replace(regx, "/").split("/");
+  if (path3.slice(0, 1) == "/" || path3.length === 0) {
     names.splice(0, 1);
   }
-  if (path2.slice(-1) == "/") {
+  if (path3.slice(-1) == "/") {
     names.splice(names.length - 1, 1);
   }
   return names;
@@ -9194,7 +9194,7 @@ var protocol2 = Socket.protocol;
 // ../../node_modules/socket.io-client/build/esm-debug/url.js
 var import_debug7 = __toESM(require_src(), 1);
 var debug7 = (0, import_debug7.default)("socket.io-client:url");
-function url(uri, path2 = "", loc) {
+function url(uri, path3 = "", loc) {
   let obj = uri;
   loc = loc || typeof location !== "undefined" && location;
   if (null == uri)
@@ -9228,7 +9228,7 @@ function url(uri, path2 = "", loc) {
   obj.path = obj.path || "/";
   const ipv6 = obj.host.indexOf(":") !== -1;
   const host = ipv6 ? "[" + obj.host + "]" : obj.host;
-  obj.id = obj.protocol + "://" + host + ":" + obj.port + path2;
+  obj.id = obj.protocol + "://" + host + ":" + obj.port + path3;
   obj.href = obj.protocol + "://" + host + (loc && loc.port === obj.port ? "" : ":" + obj.port);
   return obj;
 }
@@ -9878,9 +9878,9 @@ var Socket2 = class extends Emitter {
    * @return a Promise that will be fulfilled when the server acknowledges the event
    */
   emitWithAck(ev, ...args) {
-    return new Promise((resolve, reject) => {
+    return new Promise((resolve2, reject) => {
       const fn = (arg1, arg2) => {
-        return arg1 ? reject(arg1) : resolve(arg2);
+        return arg1 ? reject(arg1) : resolve2(arg2);
       };
       fn.withError = true;
       args.push(fn);
@@ -10852,8 +10852,8 @@ function lookup(uri, opts) {
   const parsed = url(uri, opts.path || "/socket.io");
   const source = parsed.source;
   const id = parsed.id;
-  const path2 = parsed.path;
-  const sameNamespace = cache[id] && path2 in cache[id]["nsps"];
+  const path3 = parsed.path;
+  const sameNamespace = cache[id] && path3 in cache[id]["nsps"];
   const newConnection = opts.forceNew || opts["force new connection"] || false === opts.multiplex || sameNamespace;
   let io;
   if (newConnection) {
@@ -11751,6 +11751,16 @@ var Admin = class {
     );
   }
 };
+function isFile(input) {
+  return typeof input.arrayBuffer === "function";
+}
+function buildFormDataFromPayload(payload) {
+  const formData = new FormData();
+  const part = payload.data instanceof Uint8Array ? payload.data : new Uint8Array(payload.data);
+  const blob = new Blob([part], { type: payload.mimeType });
+  formData.append("file", blob, payload.filename);
+  return formData;
+}
 var Users = class {
   constructor(http, logger2) {
     this.http = http;
@@ -11837,14 +11847,22 @@ var Users = class {
   async updateProfile(data) {
     return this.http.patch("/users/me/profile", data);
   }
-  async uploadAvatar(file) {
-    const formData = new FormData();
-    formData.append("file", file);
+  async uploadAvatar(input) {
+    const payload = isFile(input) ? {
+      data: new Uint8Array(await input.arrayBuffer()),
+      mimeType: input.type,
+      filename: input.name
+    } : input;
+    const formData = buildFormDataFromPayload(payload);
     return this.http.upload("/users/me/profile/avatar", formData);
   }
-  async uploadCoverImage(file) {
-    const formData = new FormData();
-    formData.append("file", file);
+  async uploadCoverImage(input) {
+    const payload = isFile(input) ? {
+      data: new Uint8Array(await input.arrayBuffer()),
+      mimeType: input.type,
+      filename: input.name
+    } : input;
+    const formData = buildFormDataFromPayload(payload);
     return this.http.upload("/users/me/profile/cover", formData);
   }
   async removeAvatar() {
@@ -12178,7 +12196,7 @@ async function withRetry(fn, options = {}) {
   throw lastError;
 }
 function sleep(ms) {
-  return new Promise((resolve) => setTimeout(resolve, ms));
+  return new Promise((resolve2) => setTimeout(resolve2, ms));
 }
 var DEFAULT_RETRY_OPTIONS = {
   maxAttempts: 3,
@@ -13446,12 +13464,12 @@ var BaseWsTransport = class {
     if (this.connectionState.connected) {
       return Promise.resolve();
     }
-    return new Promise((resolve, reject) => {
+    return new Promise((resolve2, reject) => {
       const timeoutId = setTimeout(() => {
         this.waiters.delete(waiter);
         reject(new Error("WebSocket connection timed out"));
       }, timeoutMs);
-      const waiter = { resolve, reject, timeoutId };
+      const waiter = { resolve: resolve2, reject, timeoutId };
       this.waiters.add(waiter);
     });
   }
@@ -14225,6 +14243,22 @@ function createGameActionsStore(transport2) {
         updateState(gameId, updated);
         break;
       }
+      case "game:move": {
+        const { gameId, fen, turn, currentPlayerId, status, winnerId } = event.payload;
+        if (!gameId) return;
+        const current = store.getState().statesByGameId[gameId];
+        if (!isNonRpsState(current)) return;
+        const updated = {
+          ...current,
+          fen,
+          turn,
+          currentPlayerId,
+          status,
+          ...winnerId != null && { winnerId }
+        };
+        updateState(gameId, updated);
+        break;
+      }
       case "game:state": {
         const gameId = event.payload.gameId ?? event.payload.state.gameId;
         if (!gameId) return;
@@ -15957,16 +15991,56 @@ async function joinQueue(client, args) {
   try {
     await client.ensureConnected();
     const lobby = await client.sdk.lobbies.joinQueue(args.lobbyId);
-    const matched = lobby.status === "active" && lobby.gameId;
+    let matched = !!(lobby.status === "active" && lobby.gameId);
+    let gameId = lobby.gameId || null;
+    if (!matched) {
+      const lobbyStore = client.sdk.lobbyStore;
+      lobbyStore.joinLobby(args.lobbyId);
+      const timeout = 3e5;
+      const start = Date.now();
+      let lastRefresh = Date.now();
+      while (Date.now() - start < timeout) {
+        const matchedEvent = lobbyStore.store.getState().matchedEvent;
+        if (matchedEvent?.gameId) {
+          gameId = matchedEvent.gameId;
+          matched = true;
+          break;
+        }
+        if (Date.now() - lastRefresh > 2e3) {
+          try {
+            const fresh = await client.sdk.lobbies.getLobby(args.lobbyId);
+            if (fresh.status === "active" && fresh.gameId) {
+              gameId = fresh.gameId;
+              matched = true;
+              break;
+            }
+          } catch {
+          }
+          lastRefresh = Date.now();
+        }
+        await raceTimeout(
+          new Promise((resolve2) => {
+            const unsub = lobbyStore.store.subscribeSelector(
+              (s) => s.matchedEvent,
+              () => {
+                unsub();
+                resolve2();
+              }
+            );
+          }),
+          1e3
+        );
+      }
+    }
     const spectateUrl = matched ? await getSpectateUrl(client) : null;
     return {
       data: {
         lobbyId: lobby.id,
-        status: lobby.status,
-        gameId: lobby.gameId || null,
+        status: matched ? "active" : lobby.status,
+        gameId,
         matched: !!matched,
         ...spectateUrl && { spectateUrl },
-        hint: matched ? `Game started! Call dim_game_loop with gameId "${lobby.gameId}" to play.${spectateUrl ? ` Tell the user they can spectate at ${spectateUrl}` : ""}` : "Waiting for an opponent. Poll dim_get_lobby to check for a match."
+        hint: matched ? `Game started! Call dim_game_loop with gameId "${gameId}" to play.${spectateUrl ? ` Tell the user they can spectate at ${spectateUrl}` : ""}` : "No match found within timeout. Call dim_join_queue again to resume waiting."
       }
     };
   } catch (error) {
@@ -16081,13 +16155,12 @@ async function gameLoop(client, args) {
     const store = client.sdk.gameActionsStore;
     const timeout = 3e5;
     const start = Date.now();
-    let state = store.store.getState().statesByGameId[gameId];
-    if (!state) {
-      const fetched = await client.sdk.games.getGameState(gameId);
-      store.setBaseState(gameId, fetched);
-      store.joinGame(gameId);
-      state = fetched;
-    }
+    await client.ensureConnected();
+    store.joinGame(gameId);
+    const fetched = await client.sdk.games.getGameState(gameId);
+    store.setBaseState(gameId, fetched);
+    let state = fetched;
+    let lastRefresh = Date.now();
     while (Date.now() - start < timeout) {
       state = store.store.getState().statesByGameId[gameId];
       if (state?.status === "completed") {
@@ -16097,17 +16170,22 @@ async function gameLoop(client, args) {
         return buildGameLoopReturn(client, gameId, state, "your-turn");
       }
       await raceTimeout(
-        new Promise((resolve) => {
+        new Promise((resolve2) => {
           const unsub = store.store.subscribeSelector(
             (s) => s.statesByGameId[gameId],
             () => {
               unsub();
-              resolve();
+              resolve2();
             }
           );
         }),
         1e3
       );
+      if (Date.now() - lastRefresh > 2e3) {
+        const fresh = await client.sdk.games.getGameState(gameId);
+        store.setBaseState(gameId, fresh);
+        lastRefresh = Date.now();
+      }
     }
     state = store.store.getState().statesByGameId[gameId];
     return buildGameLoopReturn(client, gameId, state ?? {}, "timeout");
@@ -16181,11 +16259,11 @@ async function acceptRematch(client, args) {
   }
 }
 function raceTimeout(promise, ms) {
-  return new Promise((resolve) => {
-    const timer = setTimeout(resolve, ms);
+  return new Promise((resolve2) => {
+    const timer = setTimeout(resolve2, ms);
     promise.then(() => {
       clearTimeout(timer);
-      resolve();
+      resolve2();
     });
   });
 }
@@ -16767,6 +16845,321 @@ async function getAgentConfig(client) {
   }
 }
 
+// ../dim-agent-core/src/tools/profile.ts
+import * as fs from "fs/promises";
+import * as path from "path";
+import * as dns from "dns";
+import { promisify } from "util";
+var dnsLookup = promisify(dns.lookup);
+var MAX_FILE_SIZE_BYTES = 5 * 1024 * 1024;
+var FETCH_TIMEOUT_MS = 15e3;
+var ALLOWED_MIME_TYPES = [
+  "image/jpeg",
+  "image/jpg",
+  "image/png",
+  "image/webp",
+  "image/gif"
+];
+var EXT_TO_MIME = {
+  ".png": "image/png",
+  ".jpg": "image/jpeg",
+  ".jpeg": "image/jpeg",
+  ".gif": "image/gif",
+  ".webp": "image/webp"
+};
+function getDefaultAllowedBaseDir() {
+  const env = process.env.DIM_AGENT_WORKSPACE_DIR;
+  if (env) return path.resolve(env);
+  const home = process.env.HOME || process.env.USERPROFILE || ".";
+  return path.join(home, ".openclaw", "workspace");
+}
+function isPathUnderBase(filePath, baseDir) {
+  const resolved = path.resolve(filePath);
+  const base = path.resolve(baseDir);
+  const relative2 = path.relative(base, resolved);
+  return relative2 !== "" && !relative2.startsWith("..") && !path.isAbsolute(relative2);
+}
+function mimeFromExtension(filePathOrUrl) {
+  const ext = path.extname(filePathOrUrl).toLowerCase();
+  return EXT_TO_MIME[ext] ?? null;
+}
+function normalizeContentType(header) {
+  if (!header) return null;
+  const main = header.split(";")[0].trim().toLowerCase();
+  return main || null;
+}
+function isAllowedMime(mime) {
+  return ALLOWED_MIME_TYPES.includes(
+    mime
+  );
+}
+function isPrivateOrLocalHost(hostname) {
+  if (hostname === "localhost" || hostname === "::1") return true;
+  const ipv4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
+  if (ipv4) {
+    const [, a, b, c, d] = ipv4.map(Number);
+    if (a === 127) return true;
+    if (a === 10) return true;
+    if (a === 172 && b >= 16 && b <= 31) return true;
+    if (a === 192 && b === 168) return true;
+    if (a === 169 && b === 254) return true;
+    return false;
+  }
+  if (hostname.startsWith("::1") || hostname.startsWith("fe80:")) return true;
+  return false;
+}
+async function assertUrlSafeForFetch(imageUrl) {
+  let parsed;
+  try {
+    parsed = new URL(imageUrl);
+  } catch {
+    throw new Error("Invalid imageUrl: not a valid URL.");
+  }
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    throw new Error("Invalid imageUrl: only http and https are allowed.");
+  }
+  const hostname = parsed.hostname;
+  if (isPrivateOrLocalHost(hostname)) {
+    throw new Error(
+      "Invalid imageUrl: URLs to localhost or private IPs are not allowed."
+    );
+  }
+  try {
+    const { address } = await dnsLookup(hostname, { family: 4 });
+    if (isPrivateOrLocalHost(address)) {
+      throw new Error(
+        "Invalid imageUrl: hostname resolves to a private or local IP."
+      );
+    }
+    if (address === "169.254.169.254") {
+      throw new Error("Invalid imageUrl: cloud metadata URLs are not allowed.");
+    }
+  } catch (err) {
+    if (err instanceof Error && err.message.startsWith("Invalid imageUrl:"))
+      throw err;
+    throw new Error(
+      `Invalid imageUrl: could not resolve hostname (${err instanceof Error ? err.message : String(err)}).`
+    );
+  }
+}
+async function resolveImageFromFilePath(filePath, allowedBaseDir) {
+  if (!path.isAbsolute(filePath)) {
+    filePath = path.resolve(allowedBaseDir, filePath);
+  }
+  const realPath = await fs.realpath(filePath).catch(() => null);
+  const resolved = realPath ?? filePath;
+  if (!isPathUnderBase(resolved, allowedBaseDir)) {
+    throw new Error("filePath is outside the allowed workspace directory.");
+  }
+  const stat3 = await fs.stat(resolved, { bigint: false }).catch(() => null);
+  if (!stat3) throw new Error("File not found or not readable.");
+  if (stat3.size > MAX_FILE_SIZE_BYTES) {
+    throw new Error(
+      `File size exceeds ${MAX_FILE_SIZE_BYTES / 1024 / 1024}MB limit.`
+    );
+  }
+  const buffer = await fs.readFile(resolved);
+  const mime = mimeFromExtension(resolved) ?? "image/png";
+  if (!isAllowedMime(mime)) {
+    throw new Error(
+      `File type not allowed. Allowed: ${ALLOWED_MIME_TYPES.join(", ")}.`
+    );
+  }
+  const filename = path.basename(resolved) || "image";
+  return {
+    data: new Uint8Array(buffer),
+    mimeType: mime,
+    filename
+  };
+}
+async function resolveImageFromUrl(imageUrl) {
+  await assertUrlSafeForFetch(imageUrl);
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
+  try {
+    const res = await fetch(imageUrl, {
+      redirect: "manual",
+      signal: controller.signal
+    });
+    clearTimeout(timeout);
+    if (res.status >= 300 && res.status < 400) {
+      throw new Error("Redirects are not allowed. Use the final image URL.");
+    }
+    if (!res.ok) {
+      throw new Error(`Fetch failed: ${res.status} ${res.statusText}`);
+    }
+    const contentType = normalizeContentType(res.headers.get("Content-Type"));
+    const mimeFromHeader = contentType && isAllowedMime(contentType) ? contentType : null;
+    const contentLength = res.headers.get("Content-Length");
+    if (contentLength) {
+      const len = parseInt(contentLength, 10);
+      if (!Number.isNaN(len) && len > MAX_FILE_SIZE_BYTES) {
+        throw new Error(
+          `Content-Length (${len}) exceeds ${MAX_FILE_SIZE_BYTES / 1024 / 1024}MB limit.`
+        );
+      }
+    }
+    const buf = await res.arrayBuffer();
+    if (buf.byteLength > MAX_FILE_SIZE_BYTES) {
+      throw new Error(
+        `Response size exceeds ${MAX_FILE_SIZE_BYTES / 1024 / 1024}MB limit.`
+      );
+    }
+    const mime = mimeFromHeader ?? mimeFromExtension(imageUrl) ?? "image/png";
+    if (!isAllowedMime(mime)) {
+      throw new Error(
+        `Content-Type not allowed. Allowed: ${ALLOWED_MIME_TYPES.join(", ")}.`
+      );
+    }
+    const ext = mime === "image/jpeg" || mime === "image/jpg" ? ".jpg" : mime.replace("image/", ".");
+    return {
+      data: new Uint8Array(buf),
+      mimeType: mime,
+      filename: `image${ext}`
+    };
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+async function uploadAvatar(client, args) {
+  try {
+    if (!client.currentUserId) {
+      return {
+        error: "Not authenticated. Call dim_login first.",
+        isError: true
+      };
+    }
+    const { filePath, imageUrl } = args;
+    if (filePath && imageUrl) {
+      return {
+        error: "Provide either filePath or imageUrl, not both.",
+        isError: true
+      };
+    }
+    if (!filePath && !imageUrl) {
+      return { error: "Provide filePath or imageUrl.", isError: true };
+    }
+    const baseDir = getDefaultAllowedBaseDir();
+    const payload = filePath ? await resolveImageFromFilePath(filePath, baseDir) : await resolveImageFromUrl(imageUrl);
+    const user = await client.sdk.users.uploadAvatar(payload);
+    return { data: { success: true, user } };
+  } catch (error) {
+    return {
+      error: error instanceof Error ? error.message : String(error),
+      isError: true
+    };
+  }
+}
+async function uploadCoverImage(client, args) {
+  try {
+    if (!client.currentUserId) {
+      return {
+        error: "Not authenticated. Call dim_login first.",
+        isError: true
+      };
+    }
+    const { filePath, imageUrl } = args;
+    if (filePath && imageUrl) {
+      return {
+        error: "Provide either filePath or imageUrl, not both.",
+        isError: true
+      };
+    }
+    if (!filePath && !imageUrl) {
+      return { error: "Provide filePath or imageUrl.", isError: true };
+    }
+    const baseDir = getDefaultAllowedBaseDir();
+    const payload = filePath ? await resolveImageFromFilePath(filePath, baseDir) : await resolveImageFromUrl(imageUrl);
+    const user = await client.sdk.users.uploadCoverImage(payload);
+    return { data: { success: true, user } };
+  } catch (error) {
+    return {
+      error: error instanceof Error ? error.message : String(error),
+      isError: true
+    };
+  }
+}
+async function removeAvatar(client) {
+  try {
+    if (!client.currentUserId) {
+      return {
+        error: "Not authenticated. Call dim_login first.",
+        isError: true
+      };
+    }
+    const user = await client.sdk.users.removeAvatar();
+    return { data: { success: true, user } };
+  } catch (error) {
+    return {
+      error: error instanceof Error ? error.message : String(error),
+      isError: true
+    };
+  }
+}
+async function removeCoverImage(client) {
+  try {
+    if (!client.currentUserId) {
+      return {
+        error: "Not authenticated. Call dim_login first.",
+        isError: true
+      };
+    }
+    const user = await client.sdk.users.removeCoverImage();
+    return { data: { success: true, user } };
+  } catch (error) {
+    return {
+      error: error instanceof Error ? error.message : String(error),
+      isError: true
+    };
+  }
+}
+function getProfileImageRequirements() {
+  return {
+    data: {
+      avatar: {
+        maxFileSizeBytes: MAX_FILE_SIZE_BYTES,
+        maxDimensions: { width: 200, height: 200 },
+        aspectRatio: "1:1",
+        allowedMimeTypes: [...ALLOWED_MIME_TYPES]
+      },
+      cover: {
+        maxFileSizeBytes: MAX_FILE_SIZE_BYTES,
+        maxDimensions: { width: 1200, height: 400 },
+        aspectRatio: "3:1",
+        allowedMimeTypes: [...ALLOWED_MIME_TYPES]
+      }
+    }
+  };
+}
+var BIO_MAX_LENGTH = 500;
+async function setBio(client, args) {
+  try {
+    if (!client.currentUserId) {
+      return {
+        error: "Not authenticated. Call dim_login first.",
+        isError: true
+      };
+    }
+    const { bio } = args;
+    if (typeof bio !== "string") {
+      return { error: "bio must be a string.", isError: true };
+    }
+    if (bio.length > BIO_MAX_LENGTH) {
+      return {
+        error: `Bio must be at most ${BIO_MAX_LENGTH} characters.`,
+        isError: true
+      };
+    }
+    await client.sdk.users.updateProfile({ bio });
+    return { data: { success: true } };
+  } catch (error) {
+    return {
+      error: error instanceof Error ? error.message : String(error),
+      isError: true
+    };
+  }
+}
+
 // ../dim-agent-core/src/tools/users.ts
 function formatMinor(m) {
   if (m == null) return "\u2014";
@@ -16859,6 +17252,70 @@ var TOOL_DEFINITIONS = [
     },
     execute: (c, a) => setUsername(c, a)
   },
+  {
+    name: "dim_upload_avatar",
+    description: "Upload a profile avatar image. Provide filePath (path to image file in workspace) or imageUrl (URL to fetch image from). Max 5MB; allowed types: JPEG, PNG, WebP, GIF. Use dim_get_profile_image_requirements for dimensions.",
+    params: {
+      filePath: {
+        type: "string",
+        description: "Path to image file (under allowed workspace)"
+      },
+      imageUrl: {
+        type: "string",
+        description: "URL of image to fetch and upload"
+      }
+    },
+    execute: (c, a) => uploadAvatar(c, a)
+  },
+  {
+    name: "dim_upload_cover_image",
+    description: "Upload a profile cover/header image. Provide filePath or imageUrl. Max 5MB; allowed types: JPEG, PNG, WebP, GIF. Use dim_get_profile_image_requirements for dimensions.",
+    params: {
+      filePath: {
+        type: "string",
+        description: "Path to image file (under allowed workspace)"
+      },
+      imageUrl: {
+        type: "string",
+        description: "URL of image to fetch and upload"
+      }
+    },
+    execute: (c, a) => uploadCoverImage(
+      c,
+      a
+    )
+  },
+  {
+    name: "dim_remove_avatar",
+    description: "Remove the current profile avatar (reset to default).",
+    params: {},
+    execute: (c) => removeAvatar(c)
+  },
+  {
+    name: "dim_remove_cover_image",
+    description: "Remove the current profile cover/header image (reset to default).",
+    params: {},
+    execute: (c) => removeCoverImage(c)
+  },
+  {
+    name: "dim_get_profile_image_requirements",
+    description: "Get max dimensions, max file size, aspect ratio, and allowed MIME types for avatar and cover images. Use before uploading to validate or choose images.",
+    params: {},
+    execute: async () => getProfileImageRequirements()
+  },
+  {
+    name: "dim_set_bio",
+    description: "Set or update your profile bio. Max 500 characters. No truncation; shorten if over limit.",
+    params: {
+      bio: {
+        type: "string",
+        description: "The new profile bio (max 500 characters)",
+        required: true,
+        max: 500
+      }
+    },
+    execute: (c, a) => setBio(c, a)
+  },
   {
     name: "dim_check_maintenance",
     description: "Check if DIM is in maintenance mode. Call this before other operations to avoid failing with 503; when maintenance is true, inform the user to come back later.",
@@ -17932,7 +18389,7 @@ function createDimMcpServer(config) {
 }
 
 // src/index.ts
-var DEFAULT_WALLET_STORE_PATH = path.join(
+var DEFAULT_WALLET_STORE_PATH = path2.join(
   os.homedir(),
   ".dim",
   "mcp-wallet.json"
@@ -17951,21 +18408,21 @@ function resolveWalletStorePath(cliArgs2) {
       );
     }
     if (value2.startsWith("~/")) {
-      return path.join(os.homedir(), value2.slice(2));
+      return path2.join(os.homedir(), value2.slice(2));
     }
-    return path.resolve(value2);
+    return path2.resolve(value2);
   }
   const envPath = process.env.DIM_WALLET_STORE_PATH?.trim();
   if (envPath) {
     if (envPath.startsWith("~/")) {
-      return path.join(os.homedir(), envPath.slice(2));
+      return path2.join(os.homedir(), envPath.slice(2));
     }
-    return path.resolve(envPath);
+    return path2.resolve(envPath);
   }
   return DEFAULT_WALLET_STORE_PATH;
 }
 async function writeWalletStoreFile(storePath, record) {
-  await mkdir(path.dirname(storePath), { recursive: true });
+  await mkdir(path2.dirname(storePath), { recursive: true });
   const tmpPath = `${storePath}.tmp`;
   await writeFile(tmpPath, `${JSON.stringify(record, null, 2)}
 `, {
@@ -17977,7 +18434,7 @@ async function writeWalletStoreFile(storePath, record) {
 }
 async function readWalletStoreFile(storePath) {
   try {
-    const raw = await readFile(storePath, "utf8");
+    const raw = await readFile2(storePath, "utf8");
     const parsed = JSON.parse(raw);
     if (parsed.walletPrivateKey && parsed.walletAddress) {
       return {
@@ -18003,7 +18460,7 @@ async function createWalletRecord() {
 }
 async function walletStoreExists(storePath) {
   try {
-    await stat(storePath);
+    await stat2(storePath);
     return true;
   } catch {
     return false;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dimcool/mcp",
-  "version": "0.1.27",
+  "version": "0.1.29",
   "description": "MCP server for DIM — lets AI agents play games, chat, send USDC, and earn referral income on the DIM platform",
   "type": "module",
   "bin": {