@drawcall/market 0.1.26 → 0.1.28

package/dist/skill.js

@@ -5,39 +5,46 @@ description: Find, preview, install, generate, and publish Drawcall Market asset
 
 # Drawcall Market
 
-Use the \`market\` CLI. Keep commands short and read the summary line plus asset bullets.
+Use the \`market\` CLI. Keep commands short and read the summary lines.
 
 ## Quick Start
 
 \`\`\`sh
 market search "wooden chair" --type model --limit 3
-market install wooden-chair --type model --cwd "$PWD"
+market install wooden-chair --cwd "$PWD"
 market preview wooden-chair --out /tmp/wooden-chair.png
 \`\`\`
 
 ## Workflow
 
-1. Search first unless the user gave an exact asset name.
-2. Search requires \`--type\`; use \`model\` unless the user names another supported type: \`humanoid-model\`, \`texture\`, \`humanoid-animation\`, \`template\`, \`sound-effect\`, \`background-music\`, or \`environment\`.
-3. Use \`--limit 1\` for lookup, \`--limit 3\` for choice. Search caps at 5.
-4. Use \`--verbose\` only when the one-line descriptions are not enough.
+1. Search first unless the user already gave an exact asset name. \`search\` requires \`--type\`; use \`model\` unless the user names another supported type: \`humanoid-model\`, \`texture\`, \`humanoid-animation\`, \`template\`, \`sound-effect\`, \`background-music\`, or \`environment\`.
+2. Use \`--limit 1\` for lookup, \`--limit 3\` for choice. Search caps at 5. Add \`--verbose\` only when the one-line descriptions are not enough.
+3. \`install\` takes one or more exact asset names (optionally \`name@range\`); it does not search or generate. Find names with \`search\` first. No \`--type\` is needed — asset names are unique.
+4. \`preview <name>\` saves the preview image; no \`--type\` is needed. Not every type has previews (e.g. \`humanoid-animation\`, \`template\`, \`sound-effect\`, \`background-music\`); the CLI reports when one is unavailable.
 5. Use \`--unapproved\` only when the user asks for unapproved/private/admin assets. Do not install unapproved assets without explicit acceptance.
-6. Preview before installing when visual fit matters: \`market preview <name> --out <file>\`. Preview is not supported for \`humanoid-animation\`, \`template\`, \`sound-effect\`, or \`background-music\`.
-7. Generate only when the user wants a new asset, auth is available, and the requested asset type supports generation. No asset type currently supports generation.
-8. Upload only when publishing is requested.
-9. Installed \`environment\` assets contain \`public/environment/<name>.hdr\` for Three.js IBL lighting and \`public/environment/<name>-background.webp\` for the visible equirectangular background. Use \`market preview\` to fetch the preview image separately.
+6. \`generate --type <type> "<prompt>"\` creates a new asset; it requires login and a type that supports generation. No asset type currently supports generation.
+7. Upload only when publishing is requested: \`market upload <name> <zip> "<description>" --type <type>\`. Declare dependencies with repeatable flags: \`--npm name@range\`, \`--asset name@range\`, \`--skill label=source\` (source is a GitHub/git ref or a local path to a skill directory inside the zip). Example: \`market upload my-scene scene.zip "A scene" --type model --npm three@^0.178.0 --skill web-design=vercel-labs/agent-skills\`.
+8. Installed \`environment\` assets contain \`public/environment/<name>.hdr\` for Three.js IBL lighting and \`public/environment/<name>-background.webp\` for the visible equirectangular background. Use \`market preview\` to fetch the preview image separately.
 
 ## Output
 
-Commands print concise summaries:
+Commands print concise, line-oriented summaries:
 
 \`\`\`text
 Results: 2/8 query="wooden chair" type=model approval=approved
 - wooden-chair@1.0.0 | model | approved | Low-poly wooden chair
-Installed 1 asset: wooden-chair@1.0.0
+Installed:
+- wooden-chair@1.0.0 (asset)
+  files:
+    public/model
+    └─ wooden-chair.glb
+- three@^0.178.0 (npm)
+- web-design-guidelines ← vercel-labs/agent-skills/tree/main/skills/web-design-guidelines (skill)
 Saved preview for wooden-chair@1.0.0: /tmp/wooden-chair.png
 \`\`\`
 
+Assets may also declare \`skill\` dependencies, installed for you via the \`skills\` CLI (\`skills add\`) during \`install\`. Sources are either a GitHub/git ref or a local path to a skill directory shipped inside the asset. This requires \`npx\` to be available.
+
 If search returns no results, try one broader noun phrase. If a command returns \`Error: Not logged in...\`, ask before running \`market login\`.
 `;
 //# sourceMappingURL=skill.js.map

package/dist/skill.js.map

@@ -1 +1 @@
-{"version":3,"file":"skill.js","sourceRoot":"","sources":["../src/skill.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,WAAW,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAyC1B,CAAA"}
+{"version":3,"file":"skill.js","sourceRoot":"","sources":["../src/skill.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,WAAW,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgD1B,CAAA"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@drawcall/market",
-  "version": "0.1.26",
+  "version": "0.1.28",
   "repository": {
     "type": "git",
     "url": "https://github.com/drawcall-ai/market",

package/src/asset-implementation.ts

@@ -28,6 +28,7 @@ export interface AssetUploadZipInput {
   description?: string
   npmDependencies: Record<string, string>
   assetDependencies: Record<string, string>
+  skillDependencies: Record<string, string>
   tags: string[]
   zip: File
 }

package/src/cli.ts

@@ -24,6 +24,9 @@ const DEFAULT_BASE_URL = 'https://api.market.drawcall.ai'
 const AUTH_ISSUER_URL = 'https://auth.drawcall.ai/api/auth'
 const DEVICE_CLIENT_ID = 'market-cli'
 
+/** Accumulate a repeatable option into an array. */
+const collect = (value: string, previous: string[]): string[] => previous.concat(value)
+
 const typeOption = new Option('--type <type>', 'Asset type').choices([...ASSET_TYPES])
 const apiOption = new Option('--api <url>', 'API URL').default(
   process.env.MARKET_API_URL,
@@ -56,7 +59,10 @@ program
     const client = createMarketClient({ baseUrl, authToken: token })
     const profile = await client.user.getProfile()
     if (!profile) throw new Error('The Market API did not accept the auth token.')
-    await saveConfig({ authToken: token, baseUrl })
+    // Only pin baseUrl in config when the user explicitly chose one. Persisting
+    // the default would freeze logged-in users to a host the CLI can no longer
+    // change in a future release.
+    await saveConfig(opts.api ? { authToken: token, baseUrl: opts.api } : { authToken: token })
     console.log(loginResult(profile.email, getConfigPath()))
   })
 
@@ -69,25 +75,18 @@ program
 
 program
   .command('install')
-  .description('Install by name or prompt')
-  .argument('<assets...>', 'Names or prompts')
-  .addOption(typeOption)
+  .description('Install assets by name')
+  .argument('<assets...>', 'Asset names, optionally with @range')
   .addOption(apiOption)
   .option('--unapproved', 'Include unapproved versions', false)
   .option('--cwd <dir>', 'Project directory')
-  .action(
-    async (
-      args: string[],
-      opts: { type?: AssetType; api?: string; unapproved: boolean; cwd?: string },
-    ) => {
-      await installCommand(args, {
-        type: opts.type,
-        baseUrl: opts.api,
-        unapproved: opts.unapproved,
-        cwd: opts.cwd,
-      })
-    },
-  )
+  .action(async (args: string[], opts: { api?: string; unapproved: boolean; cwd?: string }) => {
+    await installCommand(args, {
+      baseUrl: opts.api,
+      unapproved: opts.unapproved,
+      cwd: opts.cwd,
+    })
+  })
 
 program
   .command('search')
@@ -109,12 +108,7 @@ program
         verbose: boolean
       },
     ) => {
-      if (!opts.type) {
-        console.error(
-          errorResult(`Search requires --type. Available types: ${ASSET_TYPES.join(', ')}`),
-        )
-        process.exit(1)
-      }
+      requireType(opts.type, 'Search')
       await searchCommand(query, {
         type: opts.type,
         baseUrl: opts.api,
@@ -135,24 +129,33 @@ program
   .addOption(apiOption)
   .option('--version <version>', 'Explicit semver version')
   .option('--cwd <dir>', 'Project directory')
+  .option('--npm <dep>', 'npm dependency name@range (repeatable)', collect, [])
+  .option('--asset <dep>', 'asset dependency name@range (repeatable)', collect, [])
+  .option('--skill <dep>', 'skill dependency label=source (repeatable)', collect, [])
   .action(
     async (
       name: string,
       zipFilter: string,
       description: string,
-      opts: { type?: AssetType; api?: string; version?: string; cwd?: string },
+      opts: {
+        type?: AssetType
+        api?: string
+        version?: string
+        cwd?: string
+        npm: string[]
+        asset: string[]
+        skill: string[]
+      },
     ) => {
-      if (!opts.type) {
-        console.error(
-          errorResult(`Upload requires --type. Available types: ${ASSET_TYPES.join(', ')}`),
-        )
-        process.exit(1)
-      }
+      requireType(opts.type, 'Upload')
       await uploadCommand(name, zipFilter, description, {
         type: opts.type,
         version: opts.version,
         baseUrl: opts.api,
         cwd: opts.cwd,
+        npm: opts.npm,
+        asset: opts.asset,
+        skill: opts.skill,
       })
     },
   )
@@ -162,7 +165,6 @@ program
   .description('Save preview image')
   .argument('<name>', 'Asset name')
   .argument('[version]', 'Semver version')
-  .addOption(typeOption)
   .addOption(apiOption)
   .option('--unapproved', 'Include unapproved versions', false)
   .option('--out <file>', 'Output image path')
@@ -170,10 +172,9 @@ program
     async (
       name: string,
       version: string | undefined,
-      opts: { type?: AssetType; api?: string; unapproved: boolean; out?: string },
+      opts: { api?: string; unapproved: boolean; out?: string },
     ) => {
       await previewCommand(name, version, {
-        type: opts.type,
         baseUrl: opts.api,
         unapproved: opts.unapproved,
         out: opts.out,
@@ -189,6 +190,7 @@ program
   .addOption(apiOption)
   .option('--cwd <dir>', 'Project directory')
   .action(async (description: string, opts: { type?: AssetType; api?: string; cwd?: string }) => {
+    requireType(opts.type, 'Generate')
     await generateCommand(description, {
       type: opts.type,
       baseUrl: opts.api,
@@ -207,6 +209,15 @@ program.parseAsync().catch((err) => {
   process.exit(1)
 })
 
+function requireType(type: AssetType | undefined, command: string): asserts type is AssetType {
+  if (!type) {
+    console.error(
+      errorResult(`${command} requires --type. Available types: ${ASSET_TYPES.join(', ')}`),
+    )
+    process.exit(1)
+  }
+}
+
 function parseSearchLimit(value: string): number {
   const parsed = Number.parseInt(value, 10)
   if (!Number.isInteger(parsed) || parsed < 1) {

package/src/commands/install.ts

@@ -1,14 +1,12 @@
-import ora, { type Ora } from 'ora'
+import ora from 'ora'
 import { resolve } from '../resolve.js'
 import { install as runInstall } from '../install.js'
-import { generateAndWait } from '../generate.js'
-import { assetNameSchema, type AssetType } from '../schemas.js'
+import { assetNameSchema } from '../schemas.js'
 import { getCliClient } from '../cli-client.js'
-import { compact, generatedInstallResult, installResult } from '../output.js'
+import { installResult } from '../output.js'
 import type { MarketClient } from '../client.js'
 
 export interface InstallCommandOptions {
-  type?: AssetType
   unapproved?: boolean
   cwd?: string
   baseUrl?: string
@@ -20,8 +18,8 @@ interface AssetRequest {
 }
 
 export async function installCommand(args: string[], opts: InstallCommandOptions): Promise<void> {
-  const { client, authToken } = await getCliClient({ baseUrl: opts.baseUrl })
-  const canGenerate = Boolean(authToken)
+  const { client } = await getCliClient({ baseUrl: opts.baseUrl })
+  const includeUnapproved = opts.unapproved ?? false
 
   const spinner = ora({
     isEnabled: Boolean(process.stderr.isTTY),
@@ -31,15 +29,11 @@ export async function installCommand(args: string[], opts: InstallCommandOptions
     const requests: AssetRequest[] = []
     for (const arg of args) {
       spinner.text = `Resolving "${truncate(arg, 40)}"`
-      requests.push(
-        await resolveArg(client, arg, opts.type, spinner, canGenerate, opts.unapproved ?? false),
-      )
+      requests.push(await resolveArg(client, arg, includeUnapproved))
     }
 
     spinner.text = 'Resolving dependency tree'
-    const resolution = await resolve(client.asset, requests, {
-      includeUnapproved: opts.unapproved ?? false,
-    })
+    const resolution = await resolve(client.asset, requests, { includeUnapproved })
 
     const result = await runInstall(client, resolution, {
       cwd: opts.cwd,
@@ -56,82 +50,41 @@ export async function installCommand(args: string[], opts: InstallCommandOptions
   }
 }
 
+/**
+ * Resolve a single `name` or `name@range` argument to an exact asset request.
+ * Asset names are globally unique, so the name fully determines the asset — no
+ * `--type` is needed. install never fuzzy-searches or generates: it points the
+ * caller at `market search` / `market generate` instead, which keeps behavior
+ * predictable for agents.
+ */
 export async function resolveArg(
   client: MarketClient,
   arg: string,
-  type: AssetType | undefined,
-  spinner: Ora,
-  canGenerate: boolean,
   includeUnapproved: boolean,
 ): Promise<AssetRequest> {
   const parsed = parseNameAndRange(arg)
-  if (parsed) {
-    const existing = await client.asset.exact({
-      name: parsed.name,
-      type,
-      includeUnapproved,
-    })
-    if (existing) return parsed
-
-    if (!includeUnapproved) {
-      const hidden = await client.asset.exact({
-        name: parsed.name,
-        type,
-        includeUnapproved: true,
-      })
-      if (hidden) {
-        throw new Error(
-          `Asset "${parsed.name}" exists but has no approved versions. Re-run with \`--unapproved\` if you have access.`,
-        )
-      }
-    }
-
-    if (arg.includes('@')) {
-      return parsed
-    }
+  if (!parsed) {
+    throw new Error(
+      `Invalid asset name "${arg}". Use \`market search --type <type> <query>\` to find assets.`,
+    )
   }
 
-  spinner.text = `Searching "${truncate(arg, 40)}"`
-  const results = await client.asset.search({
-    query: arg,
-    type,
-    includeUnapproved,
-    limit: 1,
-    page: 1,
-    sort: 'relevance',
-  })
-  if (results.items.length > 0) {
-    const hit = results.items[0]
-    if (process.stderr.isTTY) {
-      spinner.info(`Matched "${compact(arg, 48)}" to ${hit.name} (${hit.type})`)
-      spinner.start()
-    }
-    return { name: hit.name, range: '*' }
-  }
+  const existing = await client.asset.exact({ name: parsed.name, includeUnapproved })
+  if (existing) return parsed
 
-  if (!canGenerate) {
-    throw new Error(
-      `No matches for "${arg}". Run \`market login\` to enable auto-generation of missing assets.`,
-    )
+  if (!includeUnapproved) {
+    const hidden = await client.asset.exact({ name: parsed.name, includeUnapproved: true })
+    if (hidden) {
+      throw new Error(
+        `Asset "${parsed.name}" exists but has no approved versions. Re-run with \`--unapproved\` if you have access.`,
+      )
+    }
   }
 
-  spinner.text = `No matches; generating "${truncate(arg, 40)}"`
-  const generated = await generateAndWait(
-    client,
-    { description: arg, type },
-    {
-      onProgress: (msg) => {
-        spinner.text = msg
-      },
-    },
+  throw new Error(
+    `Asset "${parsed.name}" not found. Use \`market search\` to find assets or ` +
+      `\`market generate --type <type>\` to create one.`,
   )
-  if (process.stderr.isTTY) {
-    spinner.info(
-      `${generatedInstallResult(generated.assetName, generated.version)} for "${compact(arg, 48)}"`,
-    )
-    spinner.start()
-  }
-  return { name: generated.assetName, range: generated.version }
 }
 
 function parseNameAndRange(arg: string): AssetRequest | null {

package/src/commands/preview.ts

@@ -3,10 +3,9 @@ import * as path from 'path'
 import ora from 'ora'
 import { getCliClient } from '../cli-client.js'
 import { previewResult } from '../output.js'
-import { assetNameSchema, semverSchema, type AssetType } from '../schemas.js'
+import { assetNameSchema, semverSchema } from '../schemas.js'
 
 export interface PreviewCommandOptions {
-  type?: AssetType
   unapproved?: boolean
   out?: string
   baseUrl?: string
@@ -19,13 +18,10 @@ export async function previewCommand(
 ): Promise<void> {
   const parsedName = assetNameSchema.parse(name)
   const parsedVersion = version ? semverSchema.parse(version) : undefined
-  if (
-    opts.type === 'humanoid-animation' ||
-    opts.type === 'template' ||
-    opts.type === 'sound-effect'
-  ) {
-    throw new Error(`Preview images are not supported for ${opts.type}`)
-  }
+  // The asset name is globally unique, so the server resolves the type. Whether
+  // that type supports preview images is also a server concern: the API checks
+  // for a provider `downloadPreviewImage` capability and returns a clear,
+  // type-specific error rather than us mirroring a list that can drift.
 
   const spinner = ora({
     text: `Resolving preview for ${parsedName}`,
@@ -40,7 +36,6 @@ export async function previewCommand(
       (
         await client.asset.exact({
           name: parsedName,
-          type: opts.type,
           includeUnapproved: opts.unapproved ?? false,
         })
       )?.latestVersion

package/src/commands/upload.ts

@@ -12,6 +12,12 @@ export interface UploadCommandOptions {
   version?: string
   cwd?: string
   baseUrl?: string
+  /** npm dependencies, each `name@range` (range defaults to `*`). */
+  npm?: string[]
+  /** asset dependencies, each `name@range` (range defaults to `*`). */
+  asset?: string[]
+  /** skill dependencies, each `label=source` passed to `skills add`. */
+  skill?: string[]
 }
 
 export async function uploadCommand(
@@ -29,6 +35,10 @@ export async function uploadCommand(
   try {
     const parsedName = assetNameSchema.parse(name)
     const parsedVersion = opts.version ? semverSchema.parse(opts.version) : undefined
+    // Parse dep flags before any network work so a malformed spec fails fast.
+    const npmDependencies = parseVersionedDeps(opts.npm ?? [], 'npm')
+    const assetDependencies = parseVersionedDeps(opts.asset ?? [], 'asset')
+    const skillDependencies = parseSkillDeps(opts.skill ?? [])
     const cwd = opts.cwd ?? process.cwd()
     const type = opts.type
     const zipFile = await resolveOneZipFile(cwd, zipFilter)
@@ -58,7 +68,13 @@ export async function uploadCommand(
         version: existing.latestVersion,
       })
       const latestBytes = new Uint8Array(await latestZip.arrayBuffer())
-      if (existing.description === description && bytesEqual(latestBytes, zip)) {
+      if (
+        existing.description === description &&
+        depsEqual(existing.npmDependencies, npmDependencies) &&
+        depsEqual(existing.assetDependencies, assetDependencies) &&
+        depsEqual(existing.skillDependencies, skillDependencies) &&
+        bytesEqual(latestBytes, zip)
+      ) {
         spinner.stop()
         console.log(unchangedUploadResult(parsedName, existing.latestVersion))
         return
@@ -72,8 +88,9 @@ export async function uploadCommand(
       type,
       version,
       description,
-      npmDependencies: {},
-      assetDependencies: {},
+      npmDependencies,
+      assetDependencies,
+      skillDependencies,
       tags: [],
       zip: new File([toArrayBuffer(zip)], `${parsedName}-${version}.zip`, {
         type: 'application/zip',
@@ -88,6 +105,65 @@ export async function uploadCommand(
   }
 }
 
+/**
+ * Parse `name@range` specs (npm or asset deps) into a name→range record. The
+ * range is optional and defaults to `*`. A leading `@` is treated as a scope
+ * marker, so `@scope/pkg@^1.0.0` splits into `@scope/pkg` and `^1.0.0`.
+ */
+export function parseVersionedDeps(specs: string[], kind: 'npm' | 'asset'): Record<string, string> {
+  const out: Record<string, string> = {}
+  for (const spec of specs) {
+    const at = spec.lastIndexOf('@')
+    const hasRange = at > 0
+    const name = hasRange ? spec.slice(0, at) : spec
+    const range = hasRange ? spec.slice(at + 1) : '*'
+    if (!name || !range) {
+      throw new Error(`Invalid ${kind} dependency "${spec}". Use name@range (e.g. three@^0.178.0).`)
+    }
+    if (name in out) {
+      throw new Error(`Duplicate ${kind} dependency "${name}".`)
+    }
+    out[name] = range
+  }
+  return out
+}
+
+/**
+ * Parse `label=source` specs into a label→source record. The source is passed
+ * verbatim to `skills add` (a GitHub/git ref or a local path), so only the
+ * first `=` is treated as the separator.
+ */
+export function parseSkillDeps(specs: string[]): Record<string, string> {
+  const out: Record<string, string> = {}
+  for (const spec of specs) {
+    const eq = spec.indexOf('=')
+    if (eq <= 0 || eq === spec.length - 1) {
+      throw new Error(
+        `Invalid skill dependency "${spec}". Use label=source ` +
+          `(e.g. web-design=vercel-labs/agent-skills).`,
+      )
+    }
+    const label = spec.slice(0, eq)
+    if (label in out) {
+      throw new Error(`Duplicate skill dependency "${label}".`)
+    }
+    out[label] = spec.slice(eq + 1)
+  }
+  return out
+}
+
+/** Compare a stored dependency JSON string against a freshly parsed record. */
+function depsEqual(storedJson: string, next: Record<string, string>): boolean {
+  let stored: Record<string, string>
+  try {
+    stored = JSON.parse(storedJson || '{}') as Record<string, string>
+  } catch {
+    return false
+  }
+  const keys = Object.keys(stored)
+  return keys.length === Object.keys(next).length && keys.every((key) => stored[key] === next[key])
+}
+
 async function resolveOneZipFile(cwd: string, zipFilter: string): Promise<string> {
   const absolute = path.resolve(cwd, zipFilter)
   const stat = await maybeStat(absolute)

package/src/config.ts

@@ -41,8 +41,14 @@ export async function loadConfig(): Promise<Config | null> {
 export async function saveConfig(config: Config): Promise<void> {
   const dir = configDir()
   await fs.mkdir(dir, { recursive: true })
+  // `mode` on writeFile/mkdir only applies when the path is created, so chmod
+  // explicitly to protect a pre-existing (possibly world-readable) token file
+  // and its directory. A chmod failure means we could not secure the token, so
+  // let it surface rather than silently leaving it exposed.
+  await fs.chmod(dir, 0o700)
   const file = configPath()
   await fs.writeFile(file, JSON.stringify(config, null, 2) + '\n', { mode: 0o600 })
+  await fs.chmod(file, 0o600)
 }
 
 export async function clearConfig(): Promise<boolean> {

package/src/contract.ts

@@ -17,6 +17,7 @@ export interface AssetVersion {
   approved: boolean
   npmDependencies: string
   assetDependencies: string
+  skillDependencies: string
   sourceKey: string
   createdAt: Date
 }
@@ -43,6 +44,7 @@ export interface AssetSearchResult {
   approved: boolean
   npmDependencies: string
   assetDependencies: string
+  skillDependencies: string
 }
 
 export interface PaginatedList<T> {

package/src/index.ts

@@ -43,6 +43,7 @@ export {
   assetNameSchema,
   npmDependenciesSchema,
   assetDependenciesSchema,
+  skillDependenciesSchema,
   uploadZipSchema,
   downloadZipSchema,
   exactAssetSchema,