@thirdfy/agent-cli 0.1.41 → 0.1.43

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -4,6 +4,19 @@ All notable changes to `@thirdfy/agent-cli` are documented here. The format is b
4
4
 
5
5
  ## [Unreleased]
6
6
 
7
+ ## [0.1.43] - 2026-05-19
8
+
9
+ ### Changed
10
+
11
+ - Solo `agent_wallet` Hyperliquid account reads inject `userAddress` from the managed execution wallet via preflight when omitted (open orders, user state, funding status). Pairs with thirdfy-api-v2 **v3.4.27**.
12
+
13
+ ## [0.1.42] - 2026-05-19
14
+
15
+ ### Changed
16
+
17
+ - Email login persists and surfaces API `executionWallets` for `agent_wallet` writes; `whoami`, `wallet list`, and `doctor auth` distinguish owner embedded wallets (auth only) from agent execution wallets to fund.
18
+ - Onboarding help and docs clarify Bridge2 must fund the managed execution wallet, not the owner login wallet, and that Thirdfy credits are separate from Privy gas sponsorship. Pairs with thirdfy-api-v2 **v3.4.25**.
19
+
7
20
  ## [0.1.41] - 2026-05-19
8
21
 
9
22
  ### Changed
package/README.md CHANGED
@@ -42,7 +42,7 @@ npx @thirdfy/agent-cli --help
42
42
 
43
43
  ## Release notes
44
44
 
45
- Version history and highlights: [CHANGELOG.md](./CHANGELOG.md). **v0.1.41** documents Hyperliquid `get_hyperliquid_funding_status` as setup step 0, Bridge2 sender custody, and `deposit_hyperliquid_bridge --estimated-amount-usd` (pairs with API **v3.4.24**). **v0.1.40** fixes email/bootstrap credential persistence when the API returns nested registration payloads, so owner-session onboarding can save the hidden execution identity without exposing a raw agent API key. **v0.1.39** makes `agent_wallet` the fresh solo default, adds framework guidance for Hermes/OpenClaw/Claude Managed Agents, clarifies Gator/ERC-7710 delegation flows, and keeps BYOW/self plus hybrid/thirdfy mode switching explicit. **v0.1.38** is a **documentation and metadata patch**: it republishes to npm so the package homepage matches the updated `README.md` on `main`, and aligns root `package-lock.json` version fields with `package.json`. **v0.1.37** adds **email OTP** `thirdfy-agent login email` (send code, then complete with `--code --accept-terms`), **`help onboarding`**, **`doctor auth`**, **`wallet list`**, and **masked `whoami`** output so agents and operators get first-run guidance without dumping secrets. Earlier releases added provider discovery parity, portfolio analytics, managed-wallet swap normalization, and **self/build-tx** swap human-decimal `amountIn` parity when using `amountInHuman` + `tokenInDecimals`.
45
+ Version history and highlights: [CHANGELOG.md](./CHANGELOG.md). **v0.1.43** injects Hyperliquid `userAddress` from the managed execution wallet for solo `agent_wallet` reads when omitted (pairs with API **v3.4.27**). **v0.1.42** persists API `executionWallets` from email login, updates `doctor auth` / onboarding help for agent execution wallet funding vs owner embedded auth wallet, and documents Bridge2 `FUND_AGENT_EXECUTION_WALLET` remediation (pairs with API **v3.4.25**). **v0.1.41** documents Hyperliquid `get_hyperliquid_funding_status` as setup step 0, Bridge2 sender custody, and `deposit_hyperliquid_bridge --estimated-amount-usd` (pairs with API **v3.4.24**). **v0.1.40** fixes email/bootstrap credential persistence when the API returns nested registration payloads, so owner-session onboarding can save the hidden execution identity without exposing a raw agent API key. **v0.1.39** makes `agent_wallet` the fresh solo default, adds framework guidance for Hermes/OpenClaw/Claude Managed Agents, clarifies Gator/ERC-7710 delegation flows, and keeps BYOW/self plus hybrid/thirdfy mode switching explicit. **v0.1.38** is a **documentation and metadata patch**: it republishes to npm so the package homepage matches the updated `README.md` on `main`, and aligns root `package-lock.json` version fields with `package.json`. **v0.1.37** adds **email OTP** `thirdfy-agent login email` (send code, then complete with `--code --accept-terms`), **`help onboarding`**, **`doctor auth`**, **`wallet list`**, and **masked `whoami`** output so agents and operators get first-run guidance without dumping secrets. Earlier releases added provider discovery parity, portfolio analytics, managed-wallet swap normalization, and **self/build-tx** swap human-decimal `amountIn` parity when using `amountInHuman` + `tokenInDecimals`.
46
46
 
47
47
  **Maintainers — npm:** follow [docs/releasing.md](./docs/releasing.md). From a clone with gitignored `.env`, use `npm run publish:npm:local -- --dry-run` then `npm run publish:npm:local`. Or run `npm run release:npm` after exporting tokens in the shell. Never commit npm tokens — use [.env.example](./.env.example) as a template only.
48
48
 
@@ -104,7 +104,7 @@ thirdfy-agent logout --json
104
104
  thirdfy-agent logout --all --json
105
105
  ```
106
106
 
107
- `login email` is a two-step headless-safe flow. Without `--code`, the CLI asks the Thirdfy API onboarding broker to send a Privy email OTP and exits with the exact next command. With `--code --accept-terms`, it stores a short-lived owner session in `~/.thirdfy/config.json`, records linked EVM/Solana wallets plus the owner `userDid` when Privy returns them, stores a new agent API key when first-run bootstrap issues one, and defaults new solo profiles to `agent_wallet`. Use `--not-interactive` / `--ni` in automation so missing input fails fast instead of prompting — place **`--ni` after the `login email` subcommand** (for example `thirdfy-agent login email you@example.com --code … --accept-terms --ni`); a leading `thirdfy-agent --ni login email …` is parsed incorrectly because `--ni` would consume the `login` token as its value.
107
+ `login email` is a two-step headless-safe flow. Without `--code`, the CLI asks the Thirdfy API onboarding broker to send a Privy email OTP and exits with the exact next command. With `--code --accept-terms`, it stores a short-lived owner session in `~/.thirdfy/config.json`, records linked EVM/Solana wallets plus the owner `userDid` when Privy returns them, stores a new agent API key when first-run bootstrap issues one, stores the returned `executionWallets` map, and defaults new solo profiles to `agent_wallet`. Email OTP is owner authentication only; fund the returned agent execution wallet for the target chain, not the linked owner embedded wallet. Use `--not-interactive` / `--ni` in automation so missing input fails fast instead of prompting — place **`--ni` after the `login email` subcommand** (for example `thirdfy-agent login email you@example.com --code … --accept-terms --ni`); a leading `thirdfy-agent --ni login email …` is parsed incorrectly because `--ni` would consume the `login` token as its value.
108
108
 
109
109
  `logout --all` is provider-agnostic: it attempts owner-session revocation when a session token exists, then always clears local credentials.
110
110
 
@@ -169,8 +169,8 @@ Auth expectations by mode:
169
169
  - `self`: requires execution identity (`agentApiKey`) today; keyless self lane is blocked with deterministic `SELF_OPEN_DISABLED`.
170
170
  - `hybrid`: requires execution identity and governed mirror semantics (`--hybrid-wallet-mode self|agent_wallet`, default `self`).
171
171
  - `thirdfy`: requires execution identity and delegated governance path.
172
- - `agent_wallet`: requires execution identity and owner `userDid`, but does not require subscriber delegation when the owner identity matches the agent wallet/creator.
173
- - Hyperliquid Bridge2 setup is the Arbitrum exception to the Base-focused `agent_wallet` rule: Bridge2 credits the transaction sender. Pass **`--estimated-amount-usd`** as a top-level flag (not inside `--params`). When USDC sits on your linked email-login wallet (`primaryEvmWallet`) instead of the managed execution wallet, Thirdfy API **v3.4.23+** signs from the funded owner wallet when possible; otherwise it returns **`MANUAL_BRIDGE2_DEPOSIT_REQUIRED`** with `fundedWallet` and `executionWalletAddress`.
172
+ - `agent_wallet`: requires execution identity and owner `userDid`, but does not require subscriber delegation when the owner identity matches the agent wallet/creator. Thirdfy credits/free quota still gate execution; Privy gas sponsorship only covers network gas when enabled.
173
+ - Hyperliquid Bridge2 setup is the Arbitrum exception to the Base-focused `agent_wallet` rule: Bridge2 credits the transaction sender. Pass **`--estimated-amount-usd`** as a top-level flag (not inside `--params`). When USDC sits on your linked email-login wallet (`primaryEvmWallet`) instead of the managed execution wallet, Thirdfy API returns **`FUND_AGENT_EXECUTION_WALLET`** / **`MANUAL_BRIDGE2_DEPOSIT_REQUIRED`** with `fundedWallet` and `executionWalletAddress`; move native Arbitrum USDC to `executionWalletAddress` and retry.
174
174
  - custody mode defaults are profile-aware:
175
175
  - `managed` default for `thirdfy`
176
176
  - `external` default for `self` and `hybrid`
@@ -1001,6 +1001,45 @@ function getPreparedParams(flags) {
1001
1001
  return parseJsonFlag(flags, 'params');
1002
1002
  }
1003
1003
 
1004
+ function hyperliquidDefaultAddressParamForAction(action) {
1005
+ const canonical = String(action || '').trim().toLowerCase().replace(/_/g, '-');
1006
+ if (
1007
+ canonical === 'get-hyperliquid-open-orders'
1008
+ || canonical === 'get-hyperliquid-user-state'
1009
+ || canonical === 'get-hyperliquid-builder-fee-status'
1010
+ || canonical === 'get-hyperliquid-referral-status'
1011
+ ) {
1012
+ return 'userAddress';
1013
+ }
1014
+ if (
1015
+ canonical === 'get-hyperliquid-setup-status'
1016
+ || canonical === 'get-hyperliquid-funding-status'
1017
+ || canonical === 'get-hyperliquid-onboarding-plan'
1018
+ || canonical === 'prepare-hyperliquid-onboarding'
1019
+ ) {
1020
+ return 'mainWalletAddress';
1021
+ }
1022
+ return null;
1023
+ }
1024
+
1025
+ async function applyHyperliquidAgentWalletAddressDefault(ctx, flags, resolved, runMode) {
1026
+ if (runMode !== 'agent_wallet') return null;
1027
+ const paramName = hyperliquidDefaultAddressParamForAction(resolved?.resolvedAction);
1028
+ if (!paramName) return null;
1029
+ const params = getPreparedParams(flags);
1030
+ if (String(params?.[paramName] || '').trim()) return null;
1031
+ const preflight = await resolveManagedExecutionPreflight(ctx, flags, resolved, {
1032
+ runMode: 'agent_wallet',
1033
+ requireFundingCheck: false,
1034
+ });
1035
+ if (!preflight.success || !preflight.executionWalletAddress) return preflight;
1036
+ flags.__preparedParams = {
1037
+ ...(params || {}),
1038
+ [paramName]: preflight.executionWalletAddress,
1039
+ };
1040
+ return preflight;
1041
+ }
1042
+
1004
1043
  async function commandCatalogsList(ctx, flags, capabilities) {
1005
1044
  const response = await apiGet(ctx, '/api/v1/agent/actions/catalog');
1006
1045
  const actions = extractActions(response);
@@ -1194,7 +1233,8 @@ async function commandPreflight(ctx, flags, capabilities) {
1194
1233
  enforceOffchainVenueLaneCompatibility(resolved.resolvedAction, runMode);
1195
1234
  const hybridWalletMode = runMode === 'hybrid' ? normalizeHybridWalletMode(flags.hybridWalletMode) : null;
1196
1235
  enforceChainCompatibility(capabilities, flags, runMode);
1197
- const backendResult = await runPreflightByMode(runMode, ctx, flags, resolved, { hybridWalletMode });
1236
+ const managedPreflight = await applyHyperliquidAgentWalletAddressDefault(ctx, flags, resolved, runMode);
1237
+ const backendResult = await runPreflightByMode(runMode, ctx, flags, resolved, { hybridWalletMode, managedPreflight });
1198
1238
  const normalized = applyExecutionFallbackHints(backendResult.normalized, {
1199
1239
  flags,
1200
1240
  runMode,
@@ -1229,10 +1269,12 @@ async function commandRun(ctx, flags, capabilities) {
1229
1269
  enforceOffchainVenueLaneCompatibility(resolved.resolvedAction, runMode);
1230
1270
  const hybridWalletMode = runMode === 'hybrid' ? normalizeHybridWalletMode(flags.hybridWalletMode) : null;
1231
1271
  enforceChainCompatibility(capabilities, flags, runMode);
1272
+ const managedPreflight = await applyHyperliquidAgentWalletAddressDefault(ctx, flags, resolved, runMode);
1232
1273
  const skipPreflight = Boolean(flags.skipPreflight);
1233
1274
  const backendResult = await runExecutionByMode(runMode, ctx, flags, resolved, {
1234
1275
  skipPreflight,
1235
1276
  hybridWalletMode,
1277
+ managedPreflight,
1236
1278
  });
1237
1279
  const normalized = applyExecutionFallbackHints(backendResult.normalized, {
1238
1280
  flags,
@@ -1327,8 +1369,9 @@ async function commandWalletExecute(ctx, flags, capabilities) {
1327
1369
  const resolved = await resolveActionSelection(ctx, normalizedFlags);
1328
1370
  prepareActionParamsForFlags(normalizedFlags, resolved.resolvedAction);
1329
1371
  enforceChainCompatibility(capabilities, normalizedFlags, 'agent_wallet');
1372
+ const managedPreflight = await applyHyperliquidAgentWalletAddressDefault(ctx, normalizedFlags, resolved, 'agent_wallet');
1330
1373
  const skipPreflight = Boolean(normalizedFlags.skipPreflight);
1331
- const result = await executeManagedWalletRun(ctx, normalizedFlags, resolved, { skipPreflight });
1374
+ const result = await executeManagedWalletRun(ctx, normalizedFlags, resolved, { skipPreflight, managedPreflight });
1332
1375
  printEnvelope({
1333
1376
  success: result.success,
1334
1377
  code: result.success ? 'WALLET_EXECUTED' : result.preflightBlocked ? 'PREFLIGHT_BLOCKED' : 'RUN_FAILED',
@@ -2551,9 +2594,10 @@ function buildOnboardingHelp(ctx) {
2551
2594
  'thirdfy-agent login email user@example.com',
2552
2595
  'thirdfy-agent login email user@example.com --code <otp> --accept-terms --key-name "My Agent"',
2553
2596
  'thirdfy-agent whoami',
2554
- 'thirdfy-agent managed wallet init --chain-id 8453',
2597
+ 'thirdfy-agent wallet list --json',
2555
2598
  'thirdfy-agent preflight --run-mode agent_wallet --action <action> --params <json> --json',
2556
2599
  ],
2600
+ note: 'Email OTP authenticates the owner. Fund the returned agent execution wallet for the target chain; do not fund the owner embedded/login wallet for agent_wallet writes.',
2557
2601
  },
2558
2602
  {
2559
2603
  id: 'wallet_sign',
@@ -2587,7 +2631,7 @@ function buildOnboardingHelp(ctx) {
2587
2631
  rule: 'Commands must fail fast instead of waiting for prompts when required input is missing.',
2588
2632
  },
2589
2633
  executionModes: {
2590
- agent_wallet: 'Solo managed wallet execution through /execution-wallet + /execute; no subscriber binding when owner userDid matches.',
2634
+ agent_wallet: 'Solo managed server-wallet execution through /execution-wallet + /execute; no subscriber binding when owner userDid matches. Network gas may be sponsored, but Thirdfy credits/free-quota gates still apply.',
2591
2635
  self: 'BYOW/OWS local signing through build-tx, wallet sign, and wallet submit.',
2592
2636
  hybrid: 'Primary self or agent_wallet execution with optional Thirdfy mirror validation.',
2593
2637
  thirdfy: 'Publisher/fanout execute-intent; requires active subscriber/delegation bindings for writes.',
@@ -2595,7 +2639,7 @@ function buildOnboardingHelp(ctx) {
2595
2639
  },
2596
2640
  frameworkGuidance: {
2597
2641
  hermes:
2598
- 'Hermes agents should receive a pre-provisioned Thirdfy profile/env, run doctor auth/self at startup, use agent_wallet for managed solo writes, and keep strategy logic separate from CLI secrets.',
2642
+ 'Hermes agents should receive a pre-provisioned Thirdfy profile/env, run doctor auth/self at startup, use agent_wallet for managed solo writes, fund the agent execution wallet on the target chain, and keep strategy logic separate from CLI secrets.',
2599
2643
  openclaw:
2600
2644
  'OpenClaw agents should keep Thirdfy credentials in runtime secrets, use actions discovery before planning, prefer run --run-mode agent_wallet for own-wallet execution, and use thirdfy only for publisher/fanout.',
2601
2645
  claudeManagedAgents:
@@ -2646,6 +2690,7 @@ async function commandWhoami(ctx, _flags) {
2646
2690
  primaryEvmWallet: wallets.primaryEvmWallet || null,
2647
2691
  evm: Array.isArray(wallets.evm) ? wallets.evm : [],
2648
2692
  solana: Array.isArray(wallets.solana) ? wallets.solana : [],
2693
+ executionWallets: wallets.executionWallets || config.executionWallets || {},
2649
2694
  },
2650
2695
  configPath: getProfileConfigPath(),
2651
2696
  nextSteps: buildOnboardingHelp(ctx).paths[0].commands,
@@ -2665,7 +2710,8 @@ async function commandWalletList(ctx, _flags) {
2665
2710
  primaryEvmWallet: wallets.primaryEvmWallet || null,
2666
2711
  evm: Array.isArray(wallets.evm) ? wallets.evm : [],
2667
2712
  solana: Array.isArray(wallets.solana) ? wallets.solana : [],
2668
- hint: 'Run `thirdfy-agent login email <email>` to refresh linked wallets from Privy-backed onboarding.',
2713
+ executionWallets: wallets.executionWallets || config.executionWallets || {},
2714
+ hint: 'Run `thirdfy-agent login email <email>` to refresh linked wallets and agent execution wallets. Fund executionWallets for agent_wallet writes; linked owner wallets are auth identities.',
2669
2715
  },
2670
2716
  meta: { apiBase: ctx.apiBase },
2671
2717
  });
@@ -2720,6 +2766,20 @@ async function commandDoctorAuth(ctx, _flags) {
2720
2766
  ? `${config.wallets.evm.length} linked EVM wallet${config.wallets.evm.length === 1 ? '' : 's'}`
2721
2767
  : 'missing wallet profile; run email onboarding or wallet-sign proof'),
2722
2768
  },
2769
+ {
2770
+ name: 'agent-execution-wallets',
2771
+ optional: runMode !== 'agent_wallet',
2772
+ ok: Boolean(config.wallets?.executionWallets && Object.keys(config.wallets.executionWallets).length),
2773
+ detail: config.wallets?.executionWallets && Object.keys(config.wallets.executionWallets).length
2774
+ ? `agent execution wallets available for chains: ${Object.keys(config.wallets.executionWallets).join(', ')}`
2775
+ : 'missing agent execution wallets; run `thirdfy-agent login email <email> --code <otp> --accept-terms --json` or execution-wallet preflight',
2776
+ },
2777
+ {
2778
+ name: 'thirdfy-credits-vs-gas-sponsorship',
2779
+ optional: true,
2780
+ ok: true,
2781
+ detail: 'Thirdfy credits/free quota gate action access; Privy gas sponsorship only pays network gas when chain/action sponsorship is enabled.',
2782
+ },
2723
2783
  ];
2724
2784
  const ok = checks.every((entry) => entry.optional || entry.ok);
2725
2785
  printEnvelope({
@@ -2970,12 +3030,14 @@ async function commandLoginEmail(ctx, flags) {
2970
3030
  const agentApiKey = extractAgentApiKey(data);
2971
3031
  const agentKey = extractAgentKey(data);
2972
3032
  const wallets = data.wallets && typeof data.wallets === 'object' ? data.wallets : {};
3033
+ const executionWallets = data.executionWallets && typeof data.executionWallets === 'object' ? data.executionWallets : {};
2973
3034
  const userDid = String(data.owner?.creatorDid || wallets.userDid || '').trim();
2974
3035
  const primaryEvmWallet = String(wallets.primaryEvmWallet || data.owner?.creatorWallet || '').trim();
2975
3036
  const persistedWallets = {
2976
3037
  ...wallets,
2977
3038
  ...(userDid ? { userDid } : {}),
2978
3039
  ...(primaryEvmWallet ? { primaryEvmWallet } : {}),
3040
+ ...(Object.keys(executionWallets).length ? { executionWallets } : {}),
2979
3041
  };
2980
3042
  const runMode = normalizeRunMode(flags.runMode || current.runMode || process.env.THIRDFY_RUN_MODE || 'agent_wallet');
2981
3043
  const custodyMode = normalizeCustodyMode(flags.custodyMode || current.custodyMode || process.env.THIRDFY_CUSTODY_MODE, runMode);
@@ -3023,6 +3085,11 @@ async function commandLoginEmail(ctx, flags) {
3023
3085
  evmWallets: Array.isArray(persistedWallets.evm) ? persistedWallets.evm : [],
3024
3086
  solanaWallets: Array.isArray(persistedWallets.solana) ? persistedWallets.solana : [],
3025
3087
  primaryEvmWallet: persistedWallets.primaryEvmWallet || null,
3088
+ executionWallets:
3089
+ persistedWallets.executionWallets && typeof persistedWallets.executionWallets === 'object'
3090
+ ? persistedWallets.executionWallets
3091
+ : {},
3092
+ ownerLinkedWallet: data.ownerLinkedWallet || null,
3026
3093
  configPath: getProfileConfigPath(),
3027
3094
  nextSteps: response?.nextSteps || [],
3028
3095
  },
@@ -3334,6 +3401,7 @@ async function runPreflightByMode(runMode, ctx, flags, resolved, options = {}) {
3334
3401
  const preflight = await resolveManagedExecutionPreflight(ctx, flags, resolved, {
3335
3402
  runMode,
3336
3403
  requireFundingCheck: true,
3404
+ preflightSeed: options.managedPreflight,
3337
3405
  });
3338
3406
  const normalized = normalizeIntentResponse({
3339
3407
  success: preflight.success,
@@ -3545,6 +3613,7 @@ async function executeManagedWalletRun(ctx, flags, resolved, options) {
3545
3613
  preflight = await resolveManagedExecutionPreflight(ctx, flags, resolved, {
3546
3614
  runMode: 'agent_wallet',
3547
3615
  requireFundingCheck: true,
3616
+ preflightSeed: options?.managedPreflight,
3548
3617
  });
3549
3618
  if (!preflight.success) {
3550
3619
  const normalized = normalizeIntentResponse({
@@ -3797,9 +3866,21 @@ async function resolveManagedExecutionPreflight(ctx, flags, resolved, options =
3797
3866
  runMode,
3798
3867
  });
3799
3868
  if (tokenIn) query.set('tokenIn', tokenIn);
3800
- const response = await apiGet(ctx, `/api/v1/agent/execution-wallet?${query.toString()}`, {
3801
- 'x-agent-api-key': agentApiKey,
3802
- });
3869
+ const preflightSeed = options.preflightSeed && typeof options.preflightSeed === 'object'
3870
+ ? options.preflightSeed
3871
+ : null;
3872
+ if (preflightSeed && preflightSeed.success === false) {
3873
+ return preflightSeed;
3874
+ }
3875
+ const response = preflightSeed
3876
+ ? {
3877
+ executionWalletAddress: preflightSeed.executionWalletAddress || null,
3878
+ signerMethod: preflightSeed.signerMethod || null,
3879
+ fundingTokenBalance: preflightSeed.fundingTokenBalance || null,
3880
+ }
3881
+ : await apiGet(ctx, `/api/v1/agent/execution-wallet?${query.toString()}`, {
3882
+ 'x-agent-api-key': agentApiKey,
3883
+ });
3803
3884
  const executionWalletAddress = String(response?.executionWalletAddress || '').trim().toLowerCase();
3804
3885
  const signerMethod = String(response?.signerMethod || 'managed_wallet_server').trim();
3805
3886
  const rawBalance = String(response?.fundingTokenBalance?.raw || '').trim();
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@thirdfy/agent-cli",
3
- "version": "0.1.41",
3
+ "version": "0.1.43",
4
4
  "description": "Thirdfy Agent CLI for onboarding, governance preflight, execute-intent, and status polling.",
5
5
  "type": "module",
6
6
  "bin": {