@thirdfy/agent-cli 0.1.6 → 0.1.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md ADDED
@@ -0,0 +1,57 @@
1
+ # Changelog
2
+
3
+ All notable changes to `@thirdfy/agent-cli` are documented here. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
4
+
5
+ ## [Unreleased]
6
+
7
+ ## [0.1.8] - 2026-04-07
8
+
9
+ **npm:** [`@thirdfy/agent-cli@0.1.8`](https://www.npmjs.com/package/@thirdfy/agent-cli/v/0.1.8)
10
+ **Git tag:** `v0.1.8`
11
+
12
+ ### Added
13
+
14
+ - **Managed custodial lifecycle validation:** Added CLI E2E path for managed wallet delegation parity (`e2e:managed:delegation:parity`) and integrated coverage into production certification flow.
15
+
16
+ ### Changed
17
+
18
+ - **Self execution diagnostics:** `doctor self` is now routed as an offline/local command and no longer depends on capabilities negotiation.
19
+ - **Managed wallet command routing:** Removed thin wrapper indirection and wired `managed wallet init/grant` directly to delegation custodial handlers.
20
+
21
+ ### Fixed
22
+
23
+ - **Effect check payload safety:** Hardened relaxed-mode effect-check fallback so warning payload shape remains deterministic in edge paths.
24
+ - **Managed wallet integration test contract:** Validation-only detection now correctly uses `executionLane === 'validation_only'`, with explicit auth env isolation for deterministic header assertions.
25
+
26
+ ## [0.1.7] - 2026-04-05
27
+
28
+ **npm:** [`@thirdfy/agent-cli@0.1.7`](https://www.npmjs.com/package/@thirdfy/agent-cli/v/0.1.7)
29
+ **Git tag:** [`v0.1.7`](https://github.com/thirdfy/agent-cli/releases/tag/v0.1.7)
30
+
31
+ ### Added
32
+
33
+ - **Login and local config:** `thirdfy-agent login`, `logout` (including `logout --all` for local clear plus owner-session revoke when applicable), `whoami`, and `config set` / `config show` with defaults persisted under `~/.thirdfy/config.json`. Credential precedence remains: CLI flags, then environment variables, then saved config (see README).
34
+ - **Custodial delegation (MetaMask-compatible path):** `delegation init-custodial` and `delegation custodial-grant` alongside the existing `delegation create` / `delegation activate` lifecycle.
35
+ - **Delegation operator ergonomics:** `delegation show` as an alias for `delegation status`; expanded delegation inspection and parity-focused behavior for automation.
36
+ - **E2E / certification:** Delegation parity and production certification scripts (`e2e:self:delegation:parity`, `e2e:delegation:prod:certify`) and related gates documented in internal runbooks.
37
+
38
+ ### Changed
39
+
40
+ - **`delegation redeem`:** Respects the effective run mode (flag / env / profile) when building the execution path.
41
+ - **Swap amount handling:** Clearer separation between *missing* and *ambiguous* amount-unit errors; stricter validation of human-form amounts (including excess precision) and decimals handling for `amountInHuman` flows.
42
+
43
+ ### Fixed
44
+
45
+ - **Config and bootstrap:** Safer bootstrap output, tighter validation, preserved config semantics on upgrade paths, and `config set` rejects prototype-path keys to avoid confusing or unsafe key shapes.
46
+ - **Login / token handling:** Stricter verification of token shape after login and safer config cloning for delegation-related routing.
47
+ - **E2E:** Session-auth paths keep a dev-mock wallet fallback where intended so local and CI simulations stay stable.
48
+
49
+ ### Tooling
50
+
51
+ - **Release workflow:** When a version is already published to npm, CI skips `npm publish` so tag-based runs can still create or align GitHub releases without duplicate-publish failures.
52
+
53
+ ---
54
+
55
+ ## [0.1.6] - 2026-03-30
56
+
57
+ Prior release; see [git compare `v0.1.6...v0.1.7`](https://github.com/thirdfy/agent-cli/compare/v0.1.6...v0.1.7) for the full commit list.
package/README.md CHANGED
@@ -42,8 +42,8 @@ export THIRDFY_OWNER_SESSION_TOKEN="..."
42
42
 
43
43
  thirdfy-agent actions --agent-api-key "$AGENT_API_KEY" --json
44
44
  thirdfy-agent profile init --profile personal --json
45
- thirdfy-agent preflight --agent-api-key "$AGENT_API_KEY" --action swap --params '{"tokenIn":"0x...","tokenOut":"0x...","amountIn":"1000000"}' --estimated-amount-usd 25 --json
46
- thirdfy-agent run --agent-api-key "$AGENT_API_KEY" --action swap --params '{"tokenIn":"0x...","tokenOut":"0x...","amountIn":"1000000"}' --estimated-amount-usd 25 --json
45
+ thirdfy-agent preflight --agent-api-key "$AGENT_API_KEY" --action swap --params '{"tokenIn":"0x...","tokenOut":"0x...","amountInRaw":"1000000"}' --estimated-amount-usd 25 --json
46
+ thirdfy-agent run --agent-api-key "$AGENT_API_KEY" --action swap --params '{"tokenIn":"0x...","tokenOut":"0x...","amountInRaw":"1000000"}' --estimated-amount-usd 25 --json
47
47
  thirdfy-agent intent-status --intent-id "<intentId>" --json
48
48
  ```
49
49
 
@@ -51,12 +51,37 @@ By default, the CLI targets production (`https://api.thirdfy.com`). Use `--api-b
51
51
 
52
52
  ## Auth model
53
53
 
54
- - `AGENT_API_KEY`: execution identity and policy-aware action access (`actions --agent-api-key`, `preflight`, `run`)
55
- - `THIRDFY_AUTH_TOKEN`: Privy-native owner/account auth (`agent register`, `agent key *`, `delegation *`, `credentials *`, `credits balance`)
56
- - `THIRDFY_OWNER_SESSION_TOKEN`: wallet-sign owner auth session (`agent register`, `agent key *`)
54
+ - `AGENT_API_KEY`: execution identity for `preflight`, `run`, `self-exec`, and policy-aware discovery.
55
+ - `THIRDFY_AUTH_TOKEN`: owner/account auth for onboarding and delegation commands.
56
+ - `THIRDFY_OWNER_SESSION_TOKEN`: wallet-sign owner session for onboarding and owner operations.
57
+
58
+ CLI precedence now supports login/config defaults:
59
+
60
+ 1. explicit flag
61
+ 2. environment variable
62
+ 3. `~/.thirdfy/config.json` (from `thirdfy-agent login` / `config set`)
57
63
 
58
64
  Execution-only workflows can run with only `AGENT_API_KEY` after onboarding is complete.
59
65
 
66
+ ### Login / logout / config UX
67
+
68
+ ```bash
69
+ # Store auth defaults once
70
+ thirdfy-agent login --auth-token "$THIRDFY_AUTH_TOKEN" --agent-api-key "$AGENT_API_KEY" --json
71
+
72
+ # Inspect config
73
+ thirdfy-agent whoami --json
74
+ thirdfy-agent config set --key runMode --value self --json
75
+
76
+ # Local-only logout (default)
77
+ thirdfy-agent logout --json
78
+
79
+ # Local clear + server owner-session revoke (if present)
80
+ thirdfy-agent logout --all --json
81
+ ```
82
+
83
+ `logout --all` is provider-agnostic: it attempts owner-session revocation when a session token exists, then always clears local credentials.
84
+
60
85
  ### Wallet-sign onboarding path
61
86
 
62
87
  ```bash
@@ -85,6 +110,12 @@ thirdfy-agent agent register --owner-session-token "$THIRDFY_OWNER_SESSION_TOKEN
85
110
  - `--run-mode self` -> self-custody rail (`build-tx` flow; default for `profile=personal`)
86
111
  - `--run-mode hybrid` -> self-custody + governance mirror metadata (default for `profile=builder`)
87
112
 
113
+ Auth expectations by mode:
114
+
115
+ - `self`: requires execution identity (`agentApiKey`) today; keyless self lane is blocked with deterministic `SELF_OPEN_DISABLED`.
116
+ - `hybrid`: requires execution identity and governed mirror semantics.
117
+ - `thirdfy`: requires execution identity and delegated governance path.
118
+
88
119
  Selection precedence:
89
120
 
90
121
  1. `--run-mode`
@@ -102,6 +133,63 @@ thirdfy-agent whoami --json
102
133
 
103
134
  `profile use --profile <name>` resets run mode to that profile default unless `--run-mode` is explicitly provided.
104
135
 
136
+ ### One-command self execution (BYOW)
137
+
138
+ Use `--broadcast` with `run --run-mode self` to keep one deterministic command for build/sign/send:
139
+
140
+ ```bash
141
+ thirdfy-agent run \
142
+ --agent-api-key "$AGENT_API_KEY" \
143
+ --run-mode self \
144
+ --broadcast \
145
+ --action swap \
146
+ --params '{"tokenIn":"0x...","tokenOut":"0x...","amountInRaw":"1000000","chainId":8453}' \
147
+ --json
148
+ ```
149
+
150
+ The default `run --run-mode self` behavior is still unsigned-only (advanced users can sign externally).
151
+
152
+ Self lane effect-check controls:
153
+
154
+ ```bash
155
+ # strict: fail if no observable token delta
156
+ thirdfy-agent self-exec ... --effect-check strict --json
157
+
158
+ # relaxed (default): retry/read balances, warn on mismatch, do not false-fail the tx
159
+ thirdfy-agent self-exec ... --effect-check relaxed --json
160
+
161
+ # off: skip post-trade token-delta verification
162
+ thirdfy-agent self-exec ... --effect-check off --json
163
+ ```
164
+
165
+ Signer diagnostics:
166
+
167
+ ```bash
168
+ thirdfy-agent doctor self --json
169
+ ```
170
+
171
+ ## Swap amount contract (agent-safe)
172
+
173
+ For `--action swap`, CLI enforces an explicit amount unit contract:
174
+
175
+ - Provide exactly one of:
176
+ - `amountInRaw` (base units integer string), or
177
+ - `amountInHuman` + `tokenInDecimals` (CLI converts to `amountInRaw`)
178
+ - Legacy `amountIn` is accepted only as raw integer compatibility input.
179
+ - Ambiguous payloads (both/none) fail with `AMOUNT_UNIT_AMBIGUOUS`.
180
+
181
+ Examples:
182
+
183
+ ```bash
184
+ # Raw/base units
185
+ thirdfy-agent run --agent-api-key "$AGENT_API_KEY" --action swap \
186
+ --params '{"tokenIn":"0x...","tokenOut":"0x...","amountInRaw":"1000000","chainId":8453}' --json
187
+
188
+ # Human units + decimals
189
+ thirdfy-agent run --agent-api-key "$AGENT_API_KEY" --action swap \
190
+ --params '{"tokenIn":"0x...","tokenOut":"0x...","amountInHuman":"1.5","tokenInDecimals":6,"chainId":8453}' --json
191
+ ```
192
+
105
193
  ## Jeff shorthand rail
106
194
 
107
195
  Jeff-friendly aliases map directly to core commands:
@@ -118,6 +206,8 @@ Jeff-friendly aliases map directly to core commands:
118
206
  - Profiles: `profile init`, `profile use`, `profile show`, `whoami`
119
207
  - Onboarding: `agent auth challenge`, `agent auth verify`, `agent register`, `agent key rotate`, `agent key revoke`
120
208
  - Governance readiness: `delegation create`, `delegation activate`, `delegation status`, `credentials upsert`, `credentials status`
209
+ - Delegation operations: `delegation show`, `delegation inspect`, `delegation revoke`
210
+ - Delegation execution helpers: `delegation balance`, `delegation redeem`
121
211
  - Account: `credits balance`
122
212
 
123
213
  ## Delegation lifecycle (canonical)
@@ -149,6 +239,61 @@ thirdfy-agent delegation status \
149
239
  --agent-key "0xYOUR_AGENT_KEY" \
150
240
  --verify \
151
241
  --json
242
+
243
+ thirdfy-agent delegation inspect \
244
+ --auth-token "$THIRDFY_AUTH_TOKEN" \
245
+ --agent-key "0xYOUR_AGENT_KEY" \
246
+ --verify \
247
+ --json
248
+
249
+ thirdfy-agent delegation revoke \
250
+ --auth-token "$THIRDFY_AUTH_TOKEN" \
251
+ --agent-key "0xYOUR_AGENT_KEY" \
252
+ --reason "user_revoked" \
253
+ --json
254
+
255
+ thirdfy-agent delegation balance \
256
+ --auth-token "$THIRDFY_AUTH_TOKEN" \
257
+ --agent-key "0xYOUR_AGENT_KEY" \
258
+ --json
259
+
260
+ thirdfy-agent delegation redeem \
261
+ --run-mode thirdfy \
262
+ --agent-api-key "$AGENT_API_KEY" \
263
+ --action swap \
264
+ --params '{"tokenIn":"0x...","tokenOut":"0x...","amountInRaw":"1000000"}' \
265
+ --estimated-amount-usd 5 \
266
+ --json
267
+ ```
268
+
269
+ ### MetaMask custodial-compatible lifecycle (new)
270
+
271
+ ```bash
272
+ thirdfy-agent delegation init-custodial \
273
+ --auth-token "$THIRDFY_AUTH_TOKEN" \
274
+ --chain-id 8453 \
275
+ --json
276
+
277
+ thirdfy-agent delegation custodial-grant \
278
+ --auth-token "$THIRDFY_AUTH_TOKEN" \
279
+ --agent-key "0xYOUR_AGENT_KEY" \
280
+ --token-address "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913" \
281
+ --max-usd-per-day 250 \
282
+ --json
283
+ ```
284
+
285
+ The CLI keeps compatibility with legacy `delegation create` + `delegation activate` during migration.
286
+
287
+ `delegation show` is a direct alias to `delegation status` for gator-style operator ergonomics.
288
+
289
+ Managed easy-wallet command group:
290
+
291
+ ```bash
292
+ thirdfy-agent managed wallet init --auth-token "$THIRDFY_AUTH_TOKEN" --json
293
+ # or: --owner-session-token "$THIRDFY_OWNER_SESSION_TOKEN"
294
+ thirdfy-agent managed wallet grant --auth-token "$THIRDFY_AUTH_TOKEN" --agent-key "0xYOUR_AGENT_KEY" --token-address "0x..." --max-usd-per-day 250 --json
295
+ # or: --owner-session-token "$THIRDFY_OWNER_SESSION_TOKEN"
296
+ thirdfy-agent managed run --agent-api-key "$AGENT_API_KEY" --run-mode thirdfy --action swap --params '{"tokenIn":"0x...","tokenOut":"0x...","amountInRaw":"1000000"}' --json
152
297
  ```
153
298
 
154
299
  ## More docs
@@ -164,11 +309,16 @@ thirdfy-agent delegation status \
164
309
  npm run validate:cli-contract-schemas
165
310
  npm test
166
311
  npm run smoke:cli
312
+ npm run e2e:managed:delegation:parity
167
313
  ```
168
314
 
169
315
  ## Release
170
316
 
317
+ Version history and user-facing notes: [CHANGELOG.md](./CHANGELOG.md) (for example [0.1.7](https://github.com/thirdfy/agent-cli/releases/tag/v0.1.7) — login/config UX, custodial delegation helpers, swap and config hardening).
318
+
171
319
  ```bash
172
320
  npm version patch
173
321
  npm publish --access public
174
322
  ```
323
+
324
+ After publishing, push the matching tag (for example `v0.1.7`) so the [Release workflow](.github/workflows/release.yml) can create a GitHub release. If the package version is already on npm, the workflow skips republishing and still creates the release when triggered by a tag.