@zoralabs/cli 1.1.0 → 1.3.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zoralabs/cli",
-  "version": "1.1.0",
+  "version": "1.3.0",
   "description": "Zora CLI tool",
   "type": "module",
   "bin": {
@@ -17,16 +17,22 @@
     "@inkjs/ui": "^2.0.0",
     "@inquirer/confirm": "^6.0.8",
     "@inquirer/core": "^11.1.5",
+    "@inquirer/input": "^5.1.2",
     "@inquirer/password": "^5.0.8",
     "@inquirer/select": "^5.1.0",
+    "@resvg/resvg-wasm": "^2.6.2",
+    "@xmtp/content-type-reaction": "^2.0.2",
+    "@xmtp/content-type-read-receipt": "^2.0.2",
+    "@xmtp/node-sdk": "^6.0.0",
     "commander": "^13.1.0",
     "date-fns": "^4.1.0",
     "ink": "^6.8.0",
     "ink-spinner": "^5.0.0",
     "posthog-node": "^5.28.4",
     "react": "^19.2.4",
+    "satori": "^0.26.0",
     "viem": "2.22.12",
-    "@zoralabs/coins-sdk": "0.6.0"
+    "@zoralabs/coins-sdk": "0.7.0"
   },
   "devDependencies": {
     "@types/node": "^22.13.0",
@@ -44,16 +50,21 @@
   },
   "scripts": {
     "postinstall": "node scripts/postinstall.mjs",
-    "build": "tsup",
-    "build:js": "tsup",
+    "build": "pnpm run patch:xmtp-binding && tsup",
+    "build:js": "pnpm run patch:xmtp-binding && tsup",
+    "check": "tsc --noEmit",
     "zora": "tsx src/index.tsx",
     "test": "vitest run",
     "test:js": "pnpm run test",
     "test:coverage": "vitest run --coverage",
-    "build:binary": "V=$(node -p \"require('./package.json').version\") && bun build ./src/index.tsx --compile --define \"PKG_VERSION=\\\"$V\\\"\" --outfile ./bin/zora",
+    "patch:xmtp-binding": "node scripts/patch-xmtp-binding.mjs",
+    "gen:card-fonts": "python3 scripts/gen-card-fonts.py",
+    "gen:card-wasm": "node scripts/gen-card-wasm.mjs",
+    "gen:card-assets": "pnpm run gen:card-fonts && pnpm run gen:card-wasm",
+    "build:binary": "pnpm run patch:xmtp-binding && V=$(node -p \"require('./package.json').version\") && bun build ./src/index.tsx --compile --define \"PKG_VERSION=\\\"$V\\\"\" --outfile ./bin/zora",
     "build:binary:all": "pnpm run build:binary:mac-arm64 && pnpm run build:binary:mac-x64 && pnpm run build:binary:linux-x64 && pnpm run build:binary:linux-arm64 && pnpm run build:binary:windows-x64",
-    "build:binary:mac-arm64": "V=$(node -p \"require('./package.json').version\") && bun build ./src/index.tsx --compile --target=bun-darwin-arm64 --define \"PKG_VERSION=\\\"$V\\\"\" --outfile ./bin/zora-darwin-arm64",
-    "build:binary:mac-x64": "V=$(node -p \"require('./package.json').version\") && bun build ./src/index.tsx --compile --target=bun-darwin-x64 --define \"PKG_VERSION=\\\"$V\\\"\" --outfile ./bin/zora-darwin-x64",
+    "build:binary:mac-arm64": "pnpm run patch:xmtp-binding && V=$(node -p \"require('./package.json').version\") && bun build ./src/index.tsx --compile --target=bun-darwin-arm64 --define \"PKG_VERSION=\\\"$V\\\"\" --outfile ./bin/zora-darwin-arm64",
+    "build:binary:mac-x64": "pnpm run patch:xmtp-binding && V=$(node -p \"require('./package.json').version\") && bun build ./src/index.tsx --compile --target=bun-darwin-x64 --define \"PKG_VERSION=\\\"$V\\\"\" --outfile ./bin/zora-darwin-x64",
     "build:binary:linux-x64": "V=$(node -p \"require('./package.json').version\") && bun build ./src/index.tsx --compile --target=bun-linux-x64 --define \"PKG_VERSION=\\\"$V\\\"\" --outfile ./bin/zora-linux-x64",
     "build:binary:linux-arm64": "V=$(node -p \"require('./package.json').version\") && bun build ./src/index.tsx --compile --target=bun-linux-arm64 --define \"PKG_VERSION=\\\"$V\\\"\" --outfile ./bin/zora-linux-arm64",
     "build:binary:windows-x64": "V=$(node -p \"require('./package.json').version\") && bun build ./src/index.tsx --compile --target=bun-windows-x64 --define \"PKG_VERSION=\\\"$V\\\"\" --outfile ./bin/zora-windows-x64.exe"

package/scripts/gen-card-fonts.py

@@ -0,0 +1,76 @@
+#!/usr/bin/env python3
+"""Generate the bundled, base64-embedded card fonts for the agent first post.
+
+Instantiates static Regular (400) and Medium (500) weights from the ABC Monument
+Grotesk *variable* font and writes them, base64-encoded, into a generated
+TypeScript module. The renderer (Satori) needs static TTF/OTF — it can't read
+woff2 and is unreliable with variable fonts — so we pin the two weights the
+brand template uses and embed them inline (same approach as the greeting cards,
+so the compiled bun binary and the published Node CLI both ship the bytes with
+no external asset files).
+
+Run from the package root:  python3 scripts/gen-card-fonts.py
+Source font: cli-docs/docs/public/fonts/ABCMonumentGroteskVariableVF.woff
+"""
+
+import base64
+import io
+import os
+
+from fontTools import ttLib
+from fontTools.varLib.instancer import instantiateVariableFont
+
+HERE = os.path.dirname(os.path.abspath(__file__))
+PKG_ROOT = os.path.dirname(HERE)
+REPO_ROOT = os.path.dirname(os.path.dirname(PKG_ROOT))
+SRC_FONT = os.path.join(
+    REPO_ROOT, "cli-docs", "docs", "public", "fonts", "ABCMonumentGroteskVariableVF.woff"
+)
+OUT_TS = os.path.join(PKG_ROOT, "src", "lib", "agent", "card-fonts.ts")
+
+# The two weights the brand meme template uses: caption (Medium) + handle (Regular).
+WEIGHTS = {"regular": 400, "medium": 500}
+
+
+def instantiate_ttf_base64(weight: int) -> str:
+    font = ttLib.TTFont(SRC_FONT)
+    # Pin the variable axes to a single static instance (upright, target weight).
+    instantiateVariableFont(font, {"wght": weight, "slnt": 0}, inplace=True)
+    font.flavor = None  # emit a bare TTF (drop woff compression)
+    buf = io.BytesIO()
+    font.save(buf)
+    return base64.b64encode(buf.getvalue()).decode("ascii")
+
+
+def main() -> None:
+    fonts = {name: instantiate_ttf_base64(wght) for name, wght in WEIGHTS.items()}
+
+    lines = [
+        "// AUTO-GENERATED by scripts/gen-card-fonts.py — do not edit by hand.",
+        "// Static Regular (400) + Medium (500) instances of ABC Monument Grotesk,",
+        "// instantiated from the variable font and inlined as base64 TTF so the",
+        "// card renderer ships the bytes in both the bun binary and the Node CLI.",
+        "/* eslint-disable */",
+        "",
+        "import { Buffer } from \"node:buffer\";",
+        "",
+    ]
+    for name in WEIGHTS:
+        lines.append(f'const {name}Base64 =')
+        lines.append(f'  "{fonts[name]}";')
+        lines.append("")
+    lines.append("/** ABC Monument Grotesk Regular (400) as raw TTF bytes. */")
+    lines.append('export const MONUMENT_REGULAR = Buffer.from(regularBase64, "base64");')
+    lines.append("/** ABC Monument Grotesk Medium (500) as raw TTF bytes. */")
+    lines.append('export const MONUMENT_MEDIUM = Buffer.from(mediumBase64, "base64");')
+    lines.append("")
+
+    with open(OUT_TS, "w") as f:
+        f.write("\n".join(lines))
+
+    sizes = ", ".join(f"{n}={len(b) * 3 // 4 // 1024}KB" for n, b in fonts.items())
+    print(f"Wrote {OUT_TS} ({sizes})")
+
+
+if __name__ == "__main__":
+    main()

package/scripts/gen-card-wasm.mjs

@@ -0,0 +1,57 @@
+#!/usr/bin/env node
+// Generate the bundled, base64-embedded WASM blobs the card renderer needs:
+//   - Satori's Yoga layout engine  (satori/yoga.wasm)
+//   - resvg's SVG rasterizer        (@resvg/resvg-wasm/index_bg.wasm)
+//
+// We inline them as base64 (decoded at runtime and handed to satori's `init()`
+// and resvg's `initWasm()`) rather than loading the .wasm files from disk. The
+// default `satori` entry resolves yoga.wasm relative to import.meta.url, which
+// works under Node but not inside a `bun build --compile` single-file binary;
+// embedding the bytes makes the renderer work identically in the published Node
+// CLI and the compiled binary. Same rationale as the inlined fonts/cards.
+//
+// Run from the package root:  node scripts/gen-card-wasm.mjs
+
+import { readFileSync, writeFileSync } from "node:fs";
+import { createRequire } from "node:module";
+import { dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+
+const require = createRequire(import.meta.url);
+const here = dirname(fileURLToPath(import.meta.url));
+const outPath = join(here, "..", "src", "lib", "agent", "card-wasm.ts");
+
+// Resolve the .wasm files via the package entry points, then sit them next to
+// the resolved module so this keeps working regardless of the hoist layout.
+const yogaWasm = readFileSync(
+  join(dirname(require.resolve("satori/package.json")), "yoga.wasm"),
+);
+const resvgWasm = readFileSync(
+  require.resolve("@resvg/resvg-wasm/index_bg.wasm"),
+);
+
+const ts = `// AUTO-GENERATED by scripts/gen-card-wasm.mjs — do not edit by hand.
+// Inlined WASM for the first-post card renderer: Satori's Yoga layout engine and
+// resvg's SVG rasterizer, base64-encoded so they ship in both the bun binary and
+// the published Node CLI without external asset files.
+/* eslint-disable */
+
+import { Buffer } from "node:buffer";
+
+const yogaBase64 =
+  "${yogaWasm.toString("base64")}";
+const resvgBase64 =
+  "${resvgWasm.toString("base64")}";
+
+/** Satori's Yoga layout engine (yoga.wasm) as raw bytes. */
+export const YOGA_WASM = Buffer.from(yogaBase64, "base64");
+/** resvg's SVG-to-PNG rasterizer (index_bg.wasm) as raw bytes. */
+export const RESVG_WASM = Buffer.from(resvgBase64, "base64");
+`;
+
+writeFileSync(outPath, ts);
+console.log(
+  `Wrote ${outPath} (yoga=${Math.round(yogaWasm.length / 1024)}KB, resvg=${Math.round(
+    resvgWasm.length / 1024,
+  )}KB)`,
+);

package/scripts/generate-skill-hashes.ts

@@ -0,0 +1,210 @@
+/**
+ * Generates SHA-256 integrity hashes for all skills.
+ *
+ * Usage:
+ *   npx tsx scripts/generate-skill-hashes.ts          # Print hashes to console
+ *   npx tsx scripts/generate-skill-hashes.ts --write  # Update skills.ts directly
+ *   npx tsx scripts/generate-skill-hashes.ts --check  # Check if hashes are up-to-date (CI)
+ */
+
+import { createHash } from "node:crypto";
+import { readFileSync, writeFileSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const SKILLS_TS_PATH = join(__dirname, "../src/commands/skills.ts");
+
+const SKILLS_URL = "https://agents.zora.com/skill";
+
+const computeIntegrity = (content: string): string => {
+  const hash = createHash("sha256").update(content, "utf8").digest("base64");
+  return `sha256-${hash}`;
+};
+
+/**
+ * Parse skill names from skills.ts to avoid import dependency chain.
+ * Single source of truth - names are extracted from the SKILLS array.
+ */
+function parseSkillNamesFromFile(): string[] {
+  const content = readFileSync(SKILLS_TS_PATH, "utf8");
+  const names: string[] = [];
+
+  // Match all name: "skillname" patterns within the SKILLS array
+  const namePattern = /name:\s*"([^"]+)"/g;
+  let match;
+  while ((match = namePattern.exec(content)) !== null) {
+    names.push(match[1]);
+  }
+
+  if (names.length === 0) {
+    throw new Error("No skill names found in skills.ts");
+  }
+
+  return names;
+}
+
+/**
+ * Parse current hashes from skills.ts
+ */
+function getCurrentHashes(): Map<string, string> {
+  const content = readFileSync(SKILLS_TS_PATH, "utf8");
+  const hashes = new Map<string, string>();
+  const skillNames = parseSkillNamesFromFile();
+
+  for (const name of skillNames) {
+    // Use lazy matching to find the integrity field for each skill
+    const pattern = new RegExp(
+      `name:\\s*"${name}"[\\s\\S]*?integrity:\\s*"([^"]*)"`,
+    );
+    const match = content.match(pattern);
+    if (match) {
+      hashes.set(name, match[1]);
+    }
+  }
+
+  return hashes;
+}
+
+async function fetchAllHashes(): Promise<Map<string, string>> {
+  const hashes = new Map<string, string>();
+  const skillNames = parseSkillNamesFromFile();
+
+  for (const name of skillNames) {
+    const url = `${SKILLS_URL}/${name}.md`;
+    const response = await fetch(url);
+    if (!response.ok) {
+      throw new Error(`Failed to fetch ${name}: HTTP ${response.status}`);
+    }
+    const content = await response.text();
+    hashes.set(name, computeIntegrity(content));
+  }
+
+  return hashes;
+}
+
+function updateSkillsFile(hashes: Map<string, string>): boolean {
+  const content = readFileSync(SKILLS_TS_PATH, "utf8");
+  let updated = content;
+  let changed = false;
+  const errors: string[] = [];
+
+  for (const [name, hash] of hashes) {
+    // First, verify this skill has an integrity field by checking
+    // that we can find it within its own object block (before the next skill)
+    // Find the position of this skill's name
+    const namePattern = new RegExp(`name:\\s*"${name}"`);
+    const nameMatch = namePattern.exec(updated);
+    if (!nameMatch) {
+      errors.push(`Skill "${name}" not found in skills.ts`);
+      continue;
+    }
+
+    const namePos = nameMatch.index;
+
+    // Find the next skill's name (if any) to bound our search
+    const remainingContent = updated.slice(namePos + nameMatch[0].length);
+    const nextSkillMatch = /name:\s*"[^"]+"/.exec(remainingContent);
+    const searchBound = nextSkillMatch
+      ? namePos + nameMatch[0].length + nextSkillMatch.index
+      : updated.length;
+
+    // Extract the bounded region for this skill
+    const skillRegion = updated.slice(namePos, searchBound);
+
+    // Check if integrity field exists in this skill's region
+    const integrityInRegion = /integrity:\s*"[^"]*"/.exec(skillRegion);
+    if (!integrityInRegion) {
+      errors.push(
+        `Skill "${name}" is missing integrity field - add 'integrity: "sha256-PLACEHOLDER"' to the skill definition`,
+      );
+      continue;
+    }
+
+    // Now safely replace the integrity value within the bounded region
+    const updatedRegion = skillRegion.replace(
+      /(integrity:\s*)"[^"]*"/,
+      `$1"${hash}"`,
+    );
+
+    if (updatedRegion !== skillRegion) {
+      changed = true;
+      updated = updated.slice(0, namePos) + updatedRegion + updated.slice(searchBound);
+    }
+  }
+
+  if (errors.length > 0) {
+    console.error("\nErrors found:");
+    for (const err of errors) {
+      console.error(`  - ${err}`);
+    }
+    process.exit(1);
+  }
+
+  if (changed) {
+    writeFileSync(SKILLS_TS_PATH, updated);
+  }
+
+  return changed;
+}
+
+async function main() {
+  const args = process.argv.slice(2);
+  const writeMode = args.includes("--write");
+  const checkMode = args.includes("--check");
+
+  console.log("Fetching skills from production...\n");
+
+  let remoteHashes: Map<string, string>;
+  try {
+    remoteHashes = await fetchAllHashes();
+  } catch (err) {
+    console.error("Failed to fetch skills:", err);
+    process.exit(1);
+  }
+
+  if (checkMode) {
+    const currentHashes = getCurrentHashes();
+    let hasChanges = false;
+
+    for (const [name, remoteHash] of remoteHashes) {
+      const currentHash = currentHashes.get(name);
+      if (currentHash !== remoteHash) {
+        console.log(`${name}: CHANGED`);
+        console.log(`  Current:  ${currentHash}`);
+        console.log(`  Expected: ${remoteHash}\n`);
+        hasChanges = true;
+      }
+    }
+
+    if (hasChanges) {
+      console.log("Skill hashes are out of date. Run with --write to update.");
+      process.exit(1);
+    } else {
+      console.log("All skill hashes are up to date.");
+      process.exit(0);
+    }
+  }
+
+  if (writeMode) {
+    const changed = updateSkillsFile(remoteHashes);
+    if (changed) {
+      console.log("Updated skills.ts with new hashes:");
+      for (const [name, hash] of remoteHashes) {
+        console.log(`  ${name}: ${hash}`);
+      }
+    } else {
+      console.log("No changes needed - hashes are already up to date.");
+    }
+  } else {
+    console.log("Generated hashes (run with --write to update skills.ts):\n");
+    for (const [name, hash] of remoteHashes) {
+      console.log(`  ${name}: ${hash}`);
+    }
+  }
+}
+
+main().catch((err) => {
+  console.error("Fatal error:", err);
+  process.exit(1);
+});

package/scripts/patch-xmtp-binding.mjs

@@ -0,0 +1,118 @@
+// Work around an upstream packaging bug in @xmtp/node-bindings (present in 1.10.0,
+// the version pulled in by @xmtp/node-sdk@6): the prebuilt macOS .node files link
+// libiconv from a Nix store path (e.g. /nix/store/<hash>-libiconv-*/lib/libiconv.2.dylib)
+// instead of the system one. On a stock Mac dyld falls back to /usr/lib and it
+// loads, but environments that override DYLD_FALLBACK_LIBRARY_PATH (Nix shells,
+// some sandboxes) can't fall back, so `Client.create` fails with a dlopen error.
+//
+// This repoints that load command to /usr/lib/libiconv.2.dylib in the installed
+// .node so the binding loads on any Mac. It runs from `build`/`build:js` (fixes
+// the node_modules install for source/dev runs), `postinstall` (npm i -g), and
+// before `bun build --compile` for the `build:binary:mac-*` targets.
+//
+// Safe by design — exits 0 (no-op) when:
+//   • not running on macOS (the only place install_name_tool/codesign exist),
+//   • @xmtp/node-bindings isn't installed,
+//   • no macOS .node files are present,
+//   • the binding is already correctly linked (e.g. after XMTP ships a fix).
+// Because it keys off the build *host* (process.platform), the macOS targets must
+// be built on a macOS runner for the fix to apply (which signed releases need anyway).
+
+import { execFileSync } from "node:child_process";
+import { createRequire } from "node:module";
+import { dirname, join } from "node:path";
+import { existsSync, copyFileSync, renameSync } from "node:fs";
+
+const SYSTEM_LIBICONV = "/usr/lib/libiconv.2.dylib";
+const log = (msg) => console.log(`[patch-xmtp-binding] ${msg}`);
+
+if (process.platform !== "darwin") {
+  log(`skipping on ${process.platform} — macOS-only fix`);
+  process.exit(0);
+}
+
+let distDir;
+try {
+  // @xmtp/node-bindings is a transitive dep (via @xmtp/node-sdk), so under pnpm's
+  // strict node_modules it can't be resolved directly from here. Resolve node-sdk
+  // (a direct dep) first, then node-bindings from there. Its `exports` only expose
+  // ".", so resolve the entry (./dist/index.js) and take its directory — that's
+  // where the platform .node files live.
+  const require = createRequire(import.meta.url);
+  const sdkRequire = createRequire(require.resolve("@xmtp/node-sdk"));
+  distDir = dirname(sdkRequire.resolve("@xmtp/node-bindings"));
+} catch (err) {
+  log(`@xmtp/node-bindings not found (${err.message}) — nothing to patch`);
+  process.exit(0);
+}
+
+const targets = [
+  "bindings_node.darwin-arm64.node",
+  "bindings_node.darwin-x64.node",
+]
+  .map((f) => join(distDir, f))
+  .filter(existsSync);
+
+if (targets.length === 0) {
+  log("no macOS .node files present — nothing to patch");
+  process.exit(0);
+}
+
+// Resolve Apple's toolchain by absolute path so the patch still applies when run
+// inside a Nix shell (or anything else that shadows these tools on PATH) — the
+// case that left the binding broken for some contributors. `/usr/bin/{otool,
+// install_name_tool,codesign}` are Apple stubs that dispatch through the active
+// Xcode toolchain regardless of PATH. Falls back to a bare PATH lookup if the
+// system copy isn't where we expect.
+const systemTool = (name) =>
+  existsSync(`/usr/bin/${name}`) ? `/usr/bin/${name}` : name;
+const OTOOL = systemTool("otool");
+const INSTALL_NAME_TOOL = systemTool("install_name_tool");
+const CODESIGN = systemTool("codesign");
+
+const run = (cmd, args) => execFileSync(cmd, args, { encoding: "utf8" });
+
+let patched = 0;
+for (const file of targets) {
+  let deps;
+  try {
+    deps = run(OTOOL, ["-L", file]);
+  } catch (err) {
+    // Xcode command line tools unavailable — warn but don't fail the build.
+    log(
+      `otool unavailable (${err.message}); skipping — install Xcode CLT to apply the fix`,
+    );
+    process.exit(0);
+  }
+
+  // The load command for libiconv that isn't already the system path.
+  const bad = deps
+    .split("\n")
+    .map((line) => line.trim().split(/\s+/)[0])
+    .find((p) => /\/libiconv\.2\.dylib$/.test(p) && p !== SYSTEM_LIBICONV);
+
+  if (!bad) {
+    log(`already OK: ${file}`);
+    continue;
+  }
+
+  try {
+    log(`repointing libiconv: ${bad} -> ${SYSTEM_LIBICONV}`);
+    // Break the hard link into the pnpm store so we edit a private copy in
+    // node_modules, never the shared store object other projects link to.
+    const tmp = `${file}.patching`;
+    copyFileSync(file, tmp);
+    renameSync(tmp, file);
+    run(INSTALL_NAME_TOOL, ["-change", bad, SYSTEM_LIBICONV, file]);
+    // Editing load commands invalidates the signature; re-sign ad-hoc so the
+    // embedded binary still loads under macOS code-signing checks.
+    run(CODESIGN, ["-f", "-s", "-", file]);
+    patched += 1;
+  } catch (err) {
+    // Best-effort: never fail the caller (build / postinstall). On a stock Mac
+    // the dyld /usr/lib fallback still loads the binding without this patch.
+    log(`could not patch ${file} (${err.message}); leaving as-is`);
+  }
+}
+
+log(`done — ${patched} file(s) patched`);

package/scripts/postinstall.mjs

@@ -2,6 +2,20 @@
 
 import path from "node:path";
 import os from "node:os";
+import { execFileSync } from "node:child_process";
+import { fileURLToPath } from "node:url";
+
+// Best-effort: fix the XMTP macOS native binding's libiconv link so `zora`'s DM
+// commands load without a DYLD_FALLBACK_LIBRARY_PATH workaround. No-op on
+// non-macOS, missing Xcode toolchain, or when already correct. Never fails install.
+try {
+  const here = path.dirname(fileURLToPath(import.meta.url));
+  execFileSync(process.execPath, [path.join(here, "patch-xmtp-binding.mjs")], {
+    stdio: "inherit",
+  });
+} catch {
+  // ignore — see patch-xmtp-binding.mjs
+}
 
 try {
   if (process.env.npm_config_global !== "true") {