@zeroxyz/cli 0.0.30 → 0.0.32

package/dist/index.js

@@ -6,7 +6,7 @@ import { Command as Command12 } from "commander";
 // package.json
 var package_default = {
   name: "@zeroxyz/cli",
-  version: "0.0.30",
+  version: "0.0.32",
   type: "module",
   bin: {
     zero: "dist/index.js",
@@ -629,7 +629,7 @@ import {
 } from "@relayprotocol/relay-sdk";
 import { x402Client as X402Client } from "@x402/core/client";
 import { decodePaymentResponseHeader, x402HTTPClient } from "@x402/core/http";
-import { ExactEvmScheme } from "@x402/evm/exact/client";
+import { registerExactEvmScheme } from "@x402/evm/exact/client";
 import { createSIWxClientHook } from "@x402/extensions/sign-in-with-x";
 import { wrapFetchWithPayment } from "@x402/fetch";
 import { Challenge, Receipt } from "mppx";
@@ -831,10 +831,9 @@ var PaymentService = class {
   payX402 = async (url, request, _raw, maxPay) => {
     if (!this.account) throw new Error("No wallet configured");
     let capturedAmount = "0";
-    const client = new X402Client().register(
-      "eip155:*",
-      new ExactEvmScheme(this.account)
-    );
+    const client = registerExactEvmScheme(new X402Client(), {
+      signer: this.account
+    });
     client.onBeforePaymentCreation(async (context) => {
       const selected = context.selectedRequirements;
       if (selected && (!selected.extra?.name || !selected.extra?.version)) {
@@ -845,7 +844,9 @@ var PaymentService = class {
       }
       const requirement = context.paymentRequired.accepts[0];
       if (!requirement) return;
-      capturedAmount = formatUnits(BigInt(requirement.amount), 6);
+      const rawAmount = requirement.amount ?? requirement.maxAmountRequired;
+      if (!rawAmount) return;
+      capturedAmount = formatUnits(BigInt(rawAmount), 6);
       if (maxPay && Number.parseFloat(capturedAmount) > Number.parseFloat(maxPay)) {
         return {
           abort: true,
@@ -1222,27 +1223,24 @@ var isJsonContentType = (contentType) => {
 var MAX_REQUEST_BODY_BYTES = 10 * 1024 * 1024;
 var resolveRequestBody = (rawData, readStdin) => {
   const fromFile = (spec) => {
-    if (spec === "@-") {
-      return readFileSync3(0, "utf8");
-    }
-    const path = resolvePath(spec.slice(1));
-    return readFileSync3(path, "utf8");
+    if (spec === "@-") return readFileSync3(0);
+    return readFileSync3(resolvePath(spec.slice(1)));
   };
-  let body;
   if (readStdin && rawData !== void 0) {
     throw new Error(
       "Conflicting body sources: use either --data-stdin or -d, not both."
     );
   }
+  let body;
   if (readStdin) {
-    body = readFileSync3(0, "utf8");
+    body = readFileSync3(0);
   } else if (rawData?.startsWith("@")) {
     body = fromFile(rawData);
   } else {
     body = rawData;
   }
   if (body !== void 0) {
-    const bytes = Buffer.byteLength(body, "utf8");
+    const bytes = Buffer.isBuffer(body) ? body.length : Buffer.byteLength(body, "utf8");
     if (bytes > MAX_REQUEST_BODY_BYTES) {
       throw new Error(
         `Request body is ${bytes} bytes \u2014 exceeds the ${MAX_REQUEST_BODY_BYTES} byte limit. Split the payload, compress it, or contact the capability owner about raising the cap.`
@@ -1345,7 +1343,7 @@ var fetchCommand = (appContext) => new Command3("fetch").description(
         (k) => k.toLowerCase() === "content-type"
       );
       if (resolvedBody && !hasContentType) {
-        headers["content-type"] = "application/json";
+        headers["content-type"] = Buffer.isBuffer(resolvedBody) ? "application/octet-stream" : "application/json";
       }
       const log = (msg) => console.error(`  ${msg}`);
       const method = options.method ? options.method.toUpperCase() : resolvedBody ? "POST" : "GET";
@@ -1493,7 +1491,7 @@ var fetchCommand = (appContext) => new Command3("fetch").description(
       if (capabilityId && apiService.walletAddress) {
         let requestSchema;
         let responseSchema;
-        if (resolvedBody) {
+        if (typeof resolvedBody === "string") {
           const parsedReq = tryParseJson(resolvedBody);
           if (parsedReq !== null && typeof parsedReq === "object") {
             requestSchema = inferSchema(parsedReq);
@@ -1834,21 +1832,153 @@ var getCommand = (appContext) => new Command4("get").description(
 // src/commands/init-command.ts
 import { createHash as createHash3 } from "crypto";
 import {
-  chmodSync,
+  chmodSync as chmodSync2,
   cpSync,
   existsSync as existsSync2,
-  mkdirSync as mkdirSync2,
+  mkdirSync as mkdirSync3,
   readdirSync,
   readFileSync as readFileSync4,
   rmSync,
   statSync,
-  writeFileSync as writeFileSync2
+  writeFileSync as writeFileSync3
 } from "fs";
 import { homedir as homedir2 } from "os";
 import { dirname, join as join2, relative } from "path";
 import { fileURLToPath } from "url";
 import { Command as Command5 } from "commander";
 import { generatePrivateKey, privateKeyToAccount } from "viem/accounts";
+
+// src/util/install-banner.ts
+var ZEROMAN_ART = `
+                                                      :++-.
+                                   .:--==+===--:.     +@%@#+-
+                             .-+*%@@@@%%%%%%@@@@@%#*=.-# #%-=*=
+                          :+#@@@#+-:.        .-+#@@@@@%#. %#  =#:
+                       :+%@@#=:                  :+@%%@@%=+@:  .#=
+                     -*@@#=.                       :%%%%@@%%+    #=
+                   :#@@#-             .:-====--.    :%%%%%@@+     %:
+                  +@@#-          .-+#%@@@@@@@@@@%*-  *@%%%%%+     =#
+                .#@@=    ..   .-*%@@@@%%@%*+#%%%@@@#:=@%%%%@-      %.
+               .%@%:     :#=:+%@@@%@%%@@+:-+*%%%%%%@%#%%%%%%       %-
+               #@%:       .%%@@%%%%#%%*--+=%@@%%%%%%@@%%%%@-       %-
+              +@%:       :#* :%%%%@==+=*=  .%%%%%%%%%%%%%@*        %:
+             .%%+       :%@-  %#.%%@==@#    #@%%%%%%%%%%@#        -#
+     .:::::  -@%:      .%%%*   .-%%%+ ..   =%%%%%%%%%%%@#         #+.
+  .+=-::..-* -@%       +@%%@*=-+%%%@@#-..-*@%%%%%%%%%@@+         -@%%%#+:
+  %-   .:::*=*%%       #%%%%@@@@@@@%%%@@@@@%%%%%%%%%@%-         :%%%%@@@@#-
+ ++     ..*- %@@-      *@%%%%%%#-.     .-#@%%%%%%%@%+.         :@@@@@@%%%@@-
+:#    .:--*:-%%%%.     .%@%%%%%=:----:   :#%%%%@@%+.          -#-:.:-#@@@%@%
+.#        *#+=@%@%-     .#@@@@@%@@@@@@%*-.=%@@@%+.           +*      +%%%%%%=
+ =*   .====-*:#%%@@#=.    .=*#%@%%%%%%%@@@@@%*-            -#=     -*:..   .:*:
+  -*-.     :%*##:-#@@@%#*+==+*#%%%@@@@@@%#+-             :*+.    .-*+:.    .:#-
+   .*+=--+#@@@@@%: .-+#%@@@@@@@@@@%%#+=:.              -*+.     =+:          -*
+      ..:+*###*+=**.     .:::::::.                  .-+=.      =#  -          #:
+                  :*+.                           .=*%%:        .+==*-         #.
+                  -#@@#=:.                  .:=*#%@@%%%=         %-   .-  .+-*=
+                 *@@%%@@@#+==-:::...:::--==+=-=#@@%%%%%@*        .+=-=++-==-:.
+                =@%%%%%%-  .::---====---:.      :#@%%%%%@*
+                =@%%%%%%.                         *@%%%%%@+
+                 #%%%%%@%.                         #@%%%%%@:
+            .-=++*%%%%%%@*                         :%%%%%%%#---:.
+          .*%@@@@@%%%%%%%@:                         %%%%%%%@@@@@%*:
+          %@@@@@@@@@@@@@%%.                        .%@@@@@@@@@@@@@@:
+          -==++++====--:.                           -==+++++++++++=.
+`;
+var ZERO_BANNER = [
+  "\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2557   \u2588\u2588\u2588\u2588\u2588\u2588\u2557 ",
+  "\u255A\u2550\u2550\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557 \u2588\u2588\u2554\u2550\u2588\u2588\u2588\u2588\u2557",
+  "  \u2588\u2588\u2588\u2554\u255D \u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D \u2588\u2588\u2551\u2588\u2588\u2554\u2588\u2588\u2551",
+  " \u2588\u2588\u2588\u2554\u255D  \u2588\u2588\u2554\u2550\u2550\u255D  \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2551",
+  "\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2551  \u2588\u2588\u2551 \u255A\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D",
+  "\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D\u255A\u2550\u255D  \u255A\u2550\u255D  \u255A\u2550\u2550\u2550\u2550\u2550\u255D "
+].join("\n");
+var colorsEnabled = () => {
+  if (process.env.NO_COLOR) return false;
+  if (process.env.FORCE_COLOR) return true;
+  return Boolean(process.stdout.isTTY);
+};
+var wrap = (code, text) => colorsEnabled() ? `\x1B[${code}m${text}\x1B[0m` : text;
+var color = {
+  bold: (s) => wrap("1", s),
+  dim: (s) => wrap("2", s),
+  cyan: (s) => wrap("36", s),
+  magenta: (s) => wrap("35", s),
+  green: (s) => wrap("32", s),
+  yellow: (s) => wrap("33", s),
+  gray: (s) => wrap("90", s),
+  boldCyan: (s) => wrap("1;36", s),
+  boldMagenta: (s) => wrap("1;35", s),
+  boldGreen: (s) => wrap("1;32", s)
+};
+var printZeroBanner = () => {
+  console.log("");
+  console.log(ZEROMAN_ART);
+  console.log(color.boldCyan(ZERO_BANNER));
+  console.log("");
+  console.log(`  ${color.dim("The search engine for AI agents.")}`);
+  console.log("");
+  console.log(color.gray("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log("");
+};
+var supportsUnicode = () => {
+  if (process.platform !== "win32") return true;
+  return Boolean(
+    process.env.WT_SESSION || process.env.TERM_PROGRAM === "vscode"
+  );
+};
+var SYMBOLS = supportsUnicode() ? { check: "\u2713", arrow: "\u203A", warn: "!" } : { check: "OK", arrow: ">", warn: "!" };
+var stepSuccess = (label, detail) => {
+  const line = detail ? `  ${color.boldGreen(SYMBOLS.check)} ${label}  ${color.dim(detail)}` : `  ${color.boldGreen(SYMBOLS.check)} ${label}`;
+  console.log(line);
+};
+var stepWarn = (label, detail) => {
+  const line = detail ? `  ${color.yellow(SYMBOLS.warn)} ${label}  ${color.dim(detail)}` : `  ${color.yellow(SYMBOLS.warn)} ${label}`;
+  console.log(line);
+};
+var stepSkip = (label, detail) => {
+  const line = detail ? `  ${color.gray(SYMBOLS.arrow)} ${color.dim(`${label}  ${detail}`)}` : `  ${color.gray(SYMBOLS.arrow)} ${color.dim(label)}`;
+  console.log(line);
+};
+var stepInfo = (message) => {
+  console.log(`      ${color.gray("\xB7")} ${color.dim(message)}`);
+};
+var sectionDivider = () => {
+  console.log("");
+  console.log(color.gray("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log("");
+};
+var printReadyFooter = () => {
+  const lines = [
+    "",
+    `  ${color.boldGreen("Zero is ready!")} Run ${color.cyan("`zero search`")} to find capabilities.`,
+    "",
+    `  ${color.dim("Try:")}`,
+    `    ${color.cyan('zero search "translate text to Spanish"')}`,
+    `    ${color.cyan('zero search "generate an image"')}`,
+    `    ${color.cyan('zero search "weather forecast"')}`,
+    "",
+    `  ${color.dim("By using Zero, you agree to our Terms of Service:")}`,
+    `    ${color.dim("https://zero.xyz/terms-of-service")}`,
+    `  ${color.dim("Run `zero terms` to view the full terms.")}`,
+    ""
+  ];
+  return lines.join("\n");
+};
+
+// src/util/secure-config.ts
+import { chmodSync, mkdirSync as mkdirSync2, writeFileSync as writeFileSync2 } from "fs";
+var SECURE_DIR_MODE = 448;
+var SECURE_FILE_MODE = 384;
+var ensureSecureDir = (path) => {
+  mkdirSync2(path, { recursive: true, mode: SECURE_DIR_MODE });
+  chmodSync(path, SECURE_DIR_MODE);
+};
+var writeSecureFile = (path, contents) => {
+  writeFileSync2(path, contents, { mode: SECURE_FILE_MODE });
+  chmodSync(path, SECURE_FILE_MODE);
+};
+
+// src/commands/init-command.ts
 var AGENT_TOOLS = [
   { name: "Claude Code", detectDir: ".claude", skillsDir: ".claude/skills" },
   { name: "Codex", detectDir: ".codex", skillsDir: ".agents/skills" },
@@ -1859,19 +1989,27 @@ var AGENT_TOOLS = [
   },
   { name: "Cursor", detectDir: ".cursor", skillsDir: ".cursor/skills" }
 ];
-var getPackageRoot = () => {
-  let dir;
-  if (import.meta.url) {
-    dir = dirname(fileURLToPath(import.meta.url));
-  } else {
-    dir = __dirname;
+var findResourceDir = (startDir, resourceName) => {
+  let current = startDir;
+  while (true) {
+    const candidate = join2(current, resourceName);
+    if (existsSync2(candidate)) {
+      return candidate;
+    }
+    const parent = dirname(current);
+    if (parent === current) {
+      throw new Error(
+        `Could not locate bundled '${resourceName}' directory from ${startDir}`
+      );
+    }
+    current = parent;
   }
-  while (!existsSync2(join2(dir, "package.json"))) {
-    const parent = dirname(dir);
-    if (parent === dir) break;
-    dir = parent;
+};
+var getCliModuleDir = () => {
+  if (import.meta.url) {
+    return dirname(fileURLToPath(import.meta.url));
   }
-  return dir;
+  return __dirname;
 };
 var sha256File = (filePath) => createHash3("sha256").update(readFileSync4(filePath)).digest("hex");
 var verifyFileCopy = (src, dest) => {
@@ -1891,7 +2029,7 @@ var collectAllFiles = (dir) => {
   return files;
 };
 var copyDirRecursive = (src, dest) => {
-  mkdirSync2(dest, { recursive: true });
+  mkdirSync3(dest, { recursive: true });
   for (const entry of readdirSync(src, { withFileTypes: true })) {
     const srcPath = join2(src, entry.name);
     const destPath = join2(dest, entry.name);
@@ -1899,42 +2037,61 @@ var copyDirRecursive = (src, dest) => {
       copyDirRecursive(srcPath, destPath);
     } else {
       const data = readFileSync4(srcPath);
-      writeFileSync2(destPath, data);
+      writeFileSync3(destPath, data);
       try {
         const mode = statSync(srcPath).mode;
-        chmodSync(destPath, mode);
+        chmodSync2(destPath, mode);
       } catch {
       }
     }
   }
 };
-var installHook = (home) => {
+var installHook = (home, verbose = false) => {
   const claudeDir = join2(home, ".claude");
   if (!existsSync2(claudeDir)) {
+    if (verbose) {
+      stepInfo(`~/.claude not found \u2014 Claude Code not installed, skipping`);
+    }
     return false;
   }
   const zeroHooksDir = join2(home, ".zero", "hooks");
-  mkdirSync2(zeroHooksDir, { recursive: true });
+  mkdirSync3(zeroHooksDir, { recursive: true });
+  if (verbose) stepInfo(`staged hook dir at ${zeroHooksDir}`);
   const hookFiles = ["auto-approve-zero.sh", "zero-context.sh"];
   const hookDests = {};
+  const hooksSourceDir = findResourceDir(getCliModuleDir(), "hooks");
   for (const hookFile of hookFiles) {
-    const hookSource = join2(getPackageRoot(), "hooks", hookFile);
+    const hookSource = join2(hooksSourceDir, hookFile);
     const hookDest = join2(zeroHooksDir, hookFile);
     cpSync(hookSource, hookDest);
-    chmodSync(hookDest, 493);
+    chmodSync2(hookDest, 493);
     if (!verifyFileCopy(hookSource, hookDest)) {
       throw new Error(
         `Integrity check failed: ${hookDest} does not match source`
       );
     }
     hookDests[hookFile] = hookDest;
+    if (verbose) stepInfo(`copied ${hookFile} \u2192 ${hookDest} (verified)`);
   }
   const settingsPath = join2(claudeDir, "settings.json");
   let settings = {};
+  let settingsExisted = false;
+  let settingsCorrupted = false;
   if (existsSync2(settingsPath)) {
+    settingsExisted = true;
     try {
       settings = JSON.parse(readFileSync4(settingsPath, "utf-8"));
     } catch {
+      settingsCorrupted = true;
+    }
+  }
+  if (verbose) {
+    if (!settingsExisted) {
+      stepInfo(`${settingsPath} did not exist \u2014 creating`);
+    } else if (settingsCorrupted) {
+      stepInfo(`${settingsPath} was unparseable JSON \u2014 rewriting from scratch`);
+    } else {
+      stepInfo(`merging into existing ${settingsPath}`);
     }
   }
   if (!settings.hooks || typeof settings.hooks !== "object") {
@@ -1963,8 +2120,10 @@ var installHook = (home) => {
   });
   if (existingIdx >= 0) {
     preToolUse[existingIdx] = zeroHookEntry;
+    if (verbose) stepInfo(`PreToolUse auto-approve-zero entry replaced`);
   } else {
     preToolUse.push(zeroHookEntry);
+    if (verbose) stepInfo(`PreToolUse auto-approve-zero entry appended`);
   }
   if (!Array.isArray(hooks.UserPromptSubmit)) {
     hooks.UserPromptSubmit = [];
@@ -1987,8 +2146,10 @@ var installHook = (home) => {
   });
   if (existingContextIdx >= 0) {
     userPromptSubmit[existingContextIdx] = contextHookEntry;
+    if (verbose) stepInfo(`UserPromptSubmit zero-context entry replaced`);
   } else {
     userPromptSubmit.push(contextHookEntry);
+    if (verbose) stepInfo(`UserPromptSubmit zero-context entry appended`);
   }
   if (!settings.sandbox || typeof settings.sandbox !== "object") {
     settings.sandbox = {};
@@ -2005,12 +2166,15 @@ var installHook = (home) => {
   const zeroDomain = "*.zero.xyz";
   if (!allowedDomains.includes(zeroDomain)) {
     allowedDomains.push(zeroDomain);
+    if (verbose) stepInfo(`sandbox.network.allowedDomains += ${zeroDomain}`);
+  } else if (verbose) {
+    stepInfo(`${zeroDomain} already in sandbox allowlist \u2014 not modified`);
   }
-  writeFileSync2(settingsPath, `${JSON.stringify(settings, null, 2)}
+  writeFileSync3(settingsPath, `${JSON.stringify(settings, null, 2)}
 `);
   return true;
 };
-var CONFLICTING_SKILL_PATTERNS = ["zam", "tempo"];
+var CONFLICTING_SKILL_PATTERNS = ["zam"];
 var findConflictingSkills = (home) => {
   const found = [];
   for (const tool of AGENT_TOOLS) {
@@ -2040,22 +2204,38 @@ var removeConflictingSkills = (home) => {
   }
   return removed;
 };
-var installSkills = (home) => {
-  const skillsSourceDir = join2(getPackageRoot(), "skills");
+var installSkills = (home, verbose = false) => {
+  const skillsSourceDir = findResourceDir(getCliModuleDir(), "skills");
   const skillDirs = readdirSync(skillsSourceDir, { withFileTypes: true }).filter((d) => d.isDirectory()).map((d) => d.name);
+  if (verbose) {
+    stepInfo(
+      `found ${skillDirs.length} bundled skill(s): ${skillDirs.join(", ")}`
+    );
+  }
   const installed = [];
   const errors = [];
   for (const tool of AGENT_TOOLS) {
     const toolDetectPath = join2(home, tool.detectDir);
     if (!existsSync2(toolDetectPath)) {
+      if (verbose) {
+        stepInfo(
+          `${tool.name}: ~/${tool.detectDir} not found \u2014 skipping install`
+        );
+      }
       continue;
     }
+    if (verbose) {
+      stepInfo(
+        `${tool.name}: detected at ~/${tool.detectDir} \u2014 installing to ~/${tool.skillsDir}`
+      );
+    }
     try {
       const toolSkillsPath = join2(home, tool.skillsDir);
-      mkdirSync2(toolSkillsPath, { recursive: true });
+      mkdirSync3(toolSkillsPath, { recursive: true });
       for (const skillDir of skillDirs) {
         const src = join2(skillsSourceDir, skillDir);
         const dest = join2(toolSkillsPath, skillDir);
+        const existed = existsSync2(dest);
         copyDirRecursive(src, dest);
         for (const srcFile of collectAllFiles(src)) {
           const relPath = relative(src, srcFile);
@@ -2067,6 +2247,11 @@ var installSkills = (home) => {
           }
         }
         installed.push(`${tool.name}: ${dest}`);
+        if (verbose) {
+          stepInfo(
+            `${tool.name}: ${existed ? "updated" : "installed"} skill '${skillDir}'`
+          );
+        }
       }
     } catch (err) {
       errors.push({
@@ -2078,11 +2263,13 @@ var installSkills = (home) => {
   return { installed, errors };
 };
 var runInit = async (appContext, options = {}) => {
+  const verbose = options.verbose ?? false;
   appContext.services.analyticsService.capture("init_started", {
     force: options.force ?? false
   });
   let currentStep = "wallet";
   try {
+    printZeroBanner();
     const home = homedir2();
     const zeroDir = join2(home, ".zero");
     const configPath = join2(zeroDir, "config.json");
@@ -2100,9 +2287,9 @@ var runInit = async (appContext, options = {}) => {
     if (!walletExists || options.force) {
       const privateKey = generatePrivateKey();
       const account = privateKeyToAccount(privateKey);
-      mkdirSync2(zeroDir, { recursive: true });
+      ensureSecureDir(zeroDir);
       const existing = existsSync2(configPath) ? JSON.parse(readFileSync4(configPath, "utf8")) : {};
-      writeFileSync2(
+      writeSecureFile(
         configPath,
         JSON.stringify(
           { ...existing, privateKey, lowBalanceWarning: 1 },
@@ -2112,7 +2299,16 @@ var runInit = async (appContext, options = {}) => {
       );
       walletCreated = true;
       walletAddress = account.address;
-      console.log(`Wallet address: ${account.address}`);
+      stepSuccess("Wallet created", account.address);
+      if (verbose) {
+        if (options.force) {
+          stepInfo(
+            `--force passed \u2014 generated a new key and overwrote ${configPath}`
+          );
+        } else {
+          stepInfo(`no wallet found at ${configPath} \u2014 generated a new key`);
+        }
+      }
     } else {
       try {
         const existing = JSON.parse(readFileSync4(configPath, "utf8"));
@@ -2120,6 +2316,15 @@ var runInit = async (appContext, options = {}) => {
         walletAddress = account.address;
       } catch {
       }
+      stepSkip(
+        "Wallet already configured",
+        walletAddress ?? "run `zero init --force` to reset"
+      );
+      if (verbose) {
+        stepInfo(
+          `existing wallet at ${configPath} was preserved \u2014 pass --force to regenerate`
+        );
+      }
     }
     const agentsDetected = [];
     const agentsWithSkills = [];
@@ -2131,9 +2336,20 @@ var runInit = async (appContext, options = {}) => {
         agentsDetected.push(tool.name);
       }
     }
+    if (verbose) {
+      const missing = AGENT_TOOLS.filter(
+        (t) => !agentsDetected.includes(t.name)
+      ).map((t) => t.name);
+      stepInfo(
+        `agents detected: ${agentsDetected.length > 0 ? agentsDetected.join(", ") : "none"}`
+      );
+      if (missing.length > 0) {
+        stepInfo(`agents not detected: ${missing.join(", ")}`);
+      }
+    }
     currentStep = "skills";
     try {
-      const { installed, errors } = installSkills(home);
+      const { installed, errors } = installSkills(home, verbose);
       for (const entry of installed) {
         const toolName = entry.split(":")[0];
         if (toolName && !agentsWithSkills.includes(toolName)) {
@@ -2152,27 +2368,45 @@ var runInit = async (appContext, options = {}) => {
       skillsError = err instanceof Error ? err.message : "unknown skills error";
       console.error(`Warning: skills install failed: ${skillsError}`);
     }
+    if (agentsWithSkills.length > 0) {
+      stepSuccess("Skills installed");
+    } else if (agentsDetected.length === 0) {
+      stepSkip("No agent tools detected");
+    } else if (skillsError) {
+      stepWarn("Skills install had errors", skillsError);
+    }
     currentStep = "hook";
     try {
-      hookInstalled = installHook(home);
+      hookInstalled = installHook(home, verbose);
     } catch (err) {
       hookError = err instanceof Error ? err.message : "unknown hook error";
     }
+    if (hookInstalled) {
+      stepSuccess("Agents configured");
+    } else if (hookError) {
+      stepWarn("Agent config failed", hookError);
+    }
     currentStep = "cleanup_scan";
     const conflictingSkills = findConflictingSkills(home);
+    if (verbose) {
+      stepInfo(
+        `scanning agent skill dirs for deprecated skills matching [${CONFLICTING_SKILL_PATTERNS.join(", ")}]`
+      );
+    }
     if (conflictingSkills.length > 0) {
       const skillList = conflictingSkills.map((s) => `  - ${s.tool}: ${s.skillName}`).join("\n");
       console.error(
         `
-Found deprecated skills that may conflict with Zero:
+${color.yellow("Found deprecated skills that may conflict with Zero:")}
 ${skillList}
 
-To remove them, run: zero init cleanup`
+To remove them, run: ${color.cyan("zero init cleanup")}`
       );
+    } else if (verbose) {
+      stepInfo(`no deprecated skills found`);
     }
-    console.error(
-      'Zero is ready! Run `zero search` to find capabilities.\n\nBy using Zero, you agree to our Terms of Service:\n  https://zero.xyz/terms-of-service\n\nRun `zero terms` to view the full terms.\n\nTry:\n  zero search "translate text to Spanish"\n  zero search "generate an image"\n  zero search "weather forecast"'
-    );
+    sectionDivider();
+    console.error(printReadyFooter());
     currentStep = "complete";
     appContext.services.analyticsService.capture("wallet_initialized", {
       // biome-ignore lint/style/useNamingConvention: snake_case for analytics
@@ -2207,12 +2441,13 @@ To remove them, run: zero init cleanup`
     throw err;
   }
 };
-var initCommand = (appContext) => new Command5("init").description("Initialize Zero CLI for usage").option("--force", "Overwrite existing configuration").action(async (options) => {
+var initCommand = (appContext) => new Command5("init").description("Initialize Zero CLI for usage").option("--force", "Overwrite existing configuration").option(
+  "-v, --verbose",
+  "Explain why each install step was taken or skipped"
+).action(async (options) => {
   await runInit(appContext, options);
 }).addCommand(
-  new Command5("cleanup").description(
-    "Remove deprecated skills (zam, tempo) that conflict with Zero"
-  ).action(() => {
+  new Command5("cleanup").description("Remove deprecated skills (zam) that conflict with Zero").action(() => {
     const home = homedir2();
     const removed = removeConflictingSkills(home);
     if (removed.length === 0) {
@@ -2630,7 +2865,7 @@ Read the full terms at: ${TERMS_URL}
 });
 
 // src/commands/wallet-command.ts
-import { existsSync as existsSync3, mkdirSync as mkdirSync3, readFileSync as readFileSync6, writeFileSync as writeFileSync3 } from "fs";
+import { existsSync as existsSync3, readFileSync as readFileSync6 } from "fs";
 import { homedir as homedir3 } from "os";
 import { join as join3 } from "path";
 import { Command as Command10 } from "commander";
@@ -2652,6 +2887,9 @@ var walletBalanceCommand = (appContext) => new Command10("balance").description(
   console.log(`${balance.amount} ${balance.asset}`);
 });
 var walletFundCommand = (appContext) => new Command10("fund").description("Fund your wallet").argument("[amount]", "Amount to fund in USDC").option("--manual", "Show wallet address for manual transfer").option(
+  "--no-open",
+  "Print the funding URL instead of opening a browser (for agents \u2014 funding links are one-time use, hand the URL to the user)"
+).option(
   "--use <provider>",
   "Onramp provider: coinbase or stripe",
   "coinbase"
@@ -2679,12 +2917,19 @@ ${address}`);
       provider
     );
     if (url) {
-      await open(url);
-      console.log("Opened funding page in your browser.");
-      console.log(`If it didn't open, visit: ${url}`);
+      if (options.open) {
+        await open(url);
+        console.log("Opened funding page in your browser.");
+        console.log(`If it didn't open, visit: ${url}`);
+      } else {
+        console.log(
+          "Funding URL (one-time use \u2014 open it in a browser to fund):"
+        );
+        console.log(url);
+      }
       console.log(`Your wallet address: ${address}`);
       analyticsService.capture("wallet_funded", {
-        method: "browser",
+        method: options.open ? "browser" : "url",
         amount
       });
     } else {
@@ -2736,9 +2981,9 @@ var walletSetCommand = (appContext) => new Command10("set").description("Set wal
     } catch {
     }
   }
-  mkdirSync3(zeroDir, { recursive: true });
+  ensureSecureDir(zeroDir);
   const existing = existsSync3(configPath) ? JSON.parse(readFileSync6(configPath, "utf8")) : {};
-  writeFileSync3(
+  writeSecureFile(
     configPath,
     JSON.stringify(
       {

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@zeroxyz/cli",
-	"version": "0.0.30",
+	"version": "0.0.32",
 	"type": "module",
 	"bin": {
 		"zero": "dist/index.js",

package/skills/zero/SKILL.md

@@ -53,7 +53,10 @@ ZERO_AGENT=claude-web zero search "translate hello world"
 
 Both are per-invocation and stateless — there's no persistent config to go stale if you move between sandboxes. Resolution order: `--agent` flag > `ZERO_AGENT` env var > host-specific env signals (`CLAUDECODE`, `CURSOR_TRACE_ID`, `TERM_PROGRAM=vscode`) > `unknown`. Canonical names: `claude-code`, `cursor`, `vscode`, `claude-web`, `codex`, `opencode`. Any string is accepted.
 
-**Step 3 — Fund wallet:** `zero wallet fund` — opens browser to add USDC (Base). For manual transfer: `zero wallet fund --manual`.
+**Step 3 — Fund wallet:**
+
+- **Running inside an agent (you — Claude, Cursor, Codex, etc.):** always pass `--no-open`. Funding links are **one-time use**, so opening them in a headless agent environment burns the link before the user can use it. Run `zero wallet fund --no-open`, then hand the printed URL to the user and ask them to open it in their browser. For manual transfer instead: `zero wallet fund --manual`.
+- **Human at a terminal:** `zero wallet fund` — opens a browser to add USDC (Base). For manual transfer: `zero wallet fund --manual`.
 
 **Step 4 — Confirm readiness:** `zero wallet balance`
 
@@ -68,7 +71,7 @@ Provide:
 
 - Wallet address from `zero wallet address`.
 - Balance from `zero wallet balance`.
-- If balance is 0, direct user to `zero wallet fund` to add USDC.
+- If balance is 0, run `zero wallet fund --no-open` and give the printed one-time URL to the user to open (or suggest `zero wallet fund --manual` for a direct deposit address).
 - 2-3 starter prompts based on available capabilities:
 
 ```bash
@@ -88,8 +91,8 @@ zero search "<query>"
 zero get <position> [--formatted]
 zero fetch <url> [-X <method>] [-d '<json>' | -d @file | --data-stdin] [-H "Key:Value"] [--max-pay <amount>] [--json [--raw-body]] [--capability <id>]
 zero runs [--capability <slug>] [--unreviewed]
-zero review <runId> --accuracy <1-5> --value <1-5> --reliability <1-5>
-zero review --capability <slug> --success --accuracy <1-5> --value <1-5> --reliability <1-5>
+zero review <runId> --accuracy <1-5> --value <1-5> --reliability <1-5> [--content "<notes>"]
+zero review --capability <slug> --success --accuracy <1-5> --value <1-5> --reliability <1-5> [--content "<notes>"]
 ```
 
 ### Workflow
@@ -97,9 +100,25 @@ zero review --capability <slug> --success --accuracy <1-5> --value <1-5> --relia
 1. **Search** — `zero search "weather forecast"` finds matching capabilities. Results show name, cost, rating, and success rate.
 2. **Inspect** — `zero get 1 --formatted` prints a human summary **and a copy-pasteable `Try it:` command** wired to the capability's schema. Plain `zero get 1` returns full JSON (URL, method, `bodySchema`, examples, pricing) for `jq` pipelines. **If `bodySchema` is `null`**, the capability hasn't been schema-indexed yet — skip it and `zero get 2`, don't invent field names.
 3. **Call** — `zero fetch <url>` makes the request. If the server returns 402, payment is handled automatically (x402 and MPP, including cross-chain bridging from Base to Tempo).
-4. **Review** — `zero review <runId>` submits a quality review. Run IDs are printed to **stderr** after a successful fetch (or returned on stdout in `--json` mode). Always review after a paid call.
+4. **Review** — `zero review <runId>` submits a quality review. Run IDs are printed to **stderr** after a successful fetch (or returned on stdout in `--json` mode). Always review after a paid call, and **pass `--content "<notes>"` whenever you have something specific to say** — the content line lands on the capability's public detail page on zero.xyz, so it's what the next human buyer (and the next agent) reads when deciding whether to call this capability. See "Writing review content" below.
 5. **Retroactive review** — if you lost a runId, run `zero runs --unreviewed` (or `zero runs --capability <slug> --unreviewed`). `zero review --capability <slug> ...` auto-resolves to your most recent un-reviewed run for that capability.
 
+### Writing review content
+
+`--content` is free-form and optional, but strongly encouraged. It's what appears on the capability's public page — so it's doing double duty as a signal for the next agent *and* as human-readable copy for buyers browsing zero.xyz.
+
+**What makes a useful review:** concrete detail a reader can act on. Good examples from real reviews:
+
+- *"Generated the requested gremlin-on-couch image faithfully in ~140ms. Schema straightforward, output URL loaded cleanly, zero surprises. At $0.003 the price-to-quality ratio is excellent."*
+- *"Call worked on second attempt. Key learnings: set `wait_for_greeting=false` and use `first_sentence` to lead with your message, otherwise the AI hangs up on voicemail greetings."*
+- *"Returned relevant market-report links quickly, but not a synthesized ranked answer. Better as raw web-search input than finished research."*
+
+Each names the task attempted, what the output actually was, and a specific observation (latency, a gotcha, a fit/misfit note). That's the kind of line a human buyer trusts and another agent can learn from.
+
+**Review failures with content too.** Failure notes are arguably more valuable — they warn the next caller. Example: *"FLUX Schnell returned HTTP 500 Internal Server Error — paid 0.003 USDC via MPP but got no image."* Pair with `--no-success`.
+
+**Skip `--content` rather than write filler.** "Worked great", "Fast response", or test strings like "trial 1" add noise, pollute the capability's public page, and dilute the signal agents rely on. If you don't have a specific observation, just submit the numeric ratings.
+
 **Fastest path:** `zero search "..." → zero get <n> --formatted → copy the `Try it:` line → edit placeholders → run it`. The `Try it` block already knows whether to use querystring vs `-d`, and labels every header as `[caller-provided]` so you know which `-H` flags to fill in yourself.
 
 ### Request Shape Cheatsheet
@@ -205,7 +224,7 @@ cat payload.json | zero fetch https://api.example.com --data-stdin
 - **Check `ok`, not `status`, for success.** `ok` is a pre-computed 2xx boolean; `status` is the raw HTTP code (useful for distinguishing 404 from 500 but not a success flag).
 - **`--max-pay` is your cost guard.** Always set it before calling an unfamiliar capability or one with per-call pricing you haven't verified.
 - **Capability must be resolvable.** If you skip `zero search` and call `zero fetch <url>` directly, pass `--capability <uid|slug>` so the run is recorded for review.
-- **Review failures too, when they're the capability's fault.** A 4xx/5xx from the upstream API counts as a real result — submit `zero review <runId> --no-success` so future agents see the failure. Do **not** review failures caused by CLI-internal bugs (see Common Issues).
+- **Review failures too, when they're the capability's fault.** A 4xx/5xx from the upstream API counts as a real result — submit `zero review <runId> --no-success --content "<what broke>"` so future agents see the failure and the specific symptom. Do **not** review failures caused by CLI-internal bugs (see Common Issues).
 
 ### Rules
 
@@ -213,7 +232,7 @@ cat payload.json | zero fetch https://api.example.com --data-stdin
 - **Always `zero get` before `zero fetch`.** Even if you "know" the URL, re-fetch the full details to confirm the URL, method, required headers, body schema, and current price. Do not reconstruct a fetch call from memory.
 - Never guess endpoint URLs or schemas.
 - Use `--max-pay` before potentially expensive requests.
-- Review capabilities after every paid call. The review signal feeds search ranking — skipping reviews means your next search is less informed.
+- Review capabilities after every paid call, and include `--content` with a concrete observation whenever you have one. Numeric ratings feed search ranking; the content line is what humans read on the capability's public page and what other agents quote when deciding whether to call it. Skip `--content` rather than write generic filler.
 - Before ending a multi-call task, run `zero runs --unreviewed` and review anything you missed.
 
 ## Configuration
@@ -287,7 +306,8 @@ zero fetch https://nlp-api.example.com/sentiment \
   -H "Content-Type:application/json"
 
 # 4. Review the result (run ID is printed after fetch)
-zero review abc123 --accuracy 5 --value 4 --reliability 5
+zero review abc123 --accuracy 5 --value 4 --reliability 5 \
+  --content "Classified a 200-char product-review snippet as positive in ~180ms; confidence 0.94, matched my manual read. Schema clean, no auth needed."
 
 # 5. Check remaining balance
 zero wallet balance
@@ -299,7 +319,7 @@ zero wallet balance
 |---|---|---|
 | `zero: command not found` | CLI not installed | Run `npm i -g @zeroxyz/cli`, then retry. |
 | "No wallet configured" | Wallet not initialized | Run `zero init` to generate a wallet, or `zero wallet set <key>` to import one. |
-| Balance is 0 or insufficient funds | Wallet needs USDC | Run `zero wallet fund` or `zero wallet fund --manual` for the deposit address. |
+| Balance is 0 or insufficient funds | Wallet needs USDC | From an agent: `zero wallet fund --no-open` and hand the one-time URL to the user. From a human terminal: `zero wallet fund` or `zero wallet fund --manual` for the deposit address. |
 | Payment failed on fetch | Insufficient balance for the capability price | Check `zero wallet balance`, fund if needed, and use `--max-pay` to control spend. |
 | No search results | Query too narrow | Broaden search terms: `zero search "<broader query>"`. |
 | Wrong request schema (4xx error) | Incorrect body or headers | Run `zero get <position>` to check the exact schema, method, and required headers. |