@zoralabs/cli 1.2.0 → 1.3.0

package/dist/index.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 // src/index.tsx
-import { Command as Command16 } from "commander";
+import { Command as Command17 } from "commander";
 import { ExitPromptError } from "@inquirer/core";
 import "fs";
 import { setApiBaseUrl } from "@zoralabs/coins-sdk";
@@ -175,6 +175,9 @@ function bannedCoinMessage(address) {
 function bannedCoinBuyMessage(address) {
   return `Unable to buy ${address} because it violates the Zora terms of service. Already own this coin? Run zora sell ${address} --all to exit your position.`;
 }
+function bannedProfileMessage(identifier) {
+  return `This account (${identifier}) has been blocked for violating the Zora terms of service.`;
+}
 function fsErrorMessage(err, path) {
   if (!(err instanceof Error)) return String(err);
   const code = err.code;
@@ -1466,7 +1469,7 @@ var getClient = () => {
   return client;
 };
 var commonProperties = () => ({
-  cli_version: true ? "1.2.0" : "development",
+  cli_version: true ? "1.3.0" : "development",
   os: process.platform,
   arch: process.arch,
   node_version: process.version
@@ -2754,6 +2757,23 @@ async function createFirstPost(params) {
   };
 }
 
+// src/lib/agent/api-key.ts
+var CREATE_API_KEY_MUTATION = "mutation CreateApiKeyMutation($apiKeyName: String!, $hosts: [String!]) { createApiKey(apiKeyName: $apiKeyName, hosts: $hosts) { apiKey }}";
+async function createApiKey(token, apiKeyName, hosts) {
+  const { data, errors, status } = await graphqlRequest(
+    token,
+    CREATE_API_KEY_MUTATION,
+    "CreateApiKeyMutation",
+    { apiKeyName, hosts: hosts ?? null }
+  );
+  const apiKey = data?.createApiKey?.apiKey;
+  if (apiKey) {
+    return apiKey;
+  }
+  const lastError = errors?.[0]?.message ?? `HTTP ${status}`;
+  throw new Error(`createApiKey failed: ${lastError}`);
+}
+
 // src/lib/agent/onboard.ts
 var DEFAULT_BASE_RPC = "https://mainnet.base.org";
 var ZORA_BASE_URL = "https://zora.co";
@@ -2777,6 +2797,15 @@ async function onboardAgent(opts) {
   const isNewUser = session.isNewUser;
   progress("profile", "creating the Zora profile");
   let profile = await createAgentProfile(session.accessToken);
+  progress("apiKey", "creating an API key");
+  const apiKey = await createApiKey(session.accessToken, "AGENT_API_KEY");
+  try {
+    saveApiKey(apiKey);
+  } catch (err) {
+    throw new Error(
+      `Failed to save API key: ${fsErrorMessage(err, getConfigPath())}`
+    );
+  }
   if (opts.username !== void 0 || opts.bio !== void 0 || opts.avatar !== void 0) {
     const chosen = [
       opts.username !== void 0 ? "username" : void 0,
@@ -2839,7 +2868,7 @@ async function onboardAgent(opts) {
     dryRun,
     profileUrl: `${ZORA_BASE_URL}/@${profile.username}`
   };
-  if (opts.withCoin) {
+  if (!opts.skipCoin) {
     progress(
       "coin",
       dryRun ? "simulating the creator coin" : "minting the creator coin"
@@ -3068,12 +3097,12 @@ function resolveAgentKey(json, override, { allowGenerate = true } = {}) {
   return { key: generated, source: getWalletPath(), generated: true };
 }
 var agentCommand = new Command("agent").description(
-  "Create and manage a Zora agent identity.\nStands up an identity from an EOA \u2014 Privy account, profile, and smart wallet \u2014 with no human interaction. The creator coin is opt-in: add it with `agent create --with-coin` or later with `agent coin`."
+  "Create and manage a Zora agent identity.\nStands up an identity from an EOA \u2014 Privy account, profile, smart wallet, and creator coin \u2014 with no human interaction."
 ).action(function() {
   this.outputHelp();
 });
 agentCommand.command("create").description(
-  "Create a Zora agent from an EOA, end to end and unattended: headless Privy account, profile, and smart wallet. The creator coin is opt-in (--with-coin, or `agent coin` later); a first post is published when --caption and --image are supplied. Every on-chain step is sponsored, so the agent needs no ETH."
+  "Create a Zora agent from an EOA, end to end and unattended: headless Privy account, profile, smart wallet, and creator coin. A first post is published when --caption and --image are supplied. Every on-chain step is sponsored, so the agent needs no ETH. Skip the coin with --skip-coin."
 ).option(
   "--private-key <key>",
   "EOA private key to sign in with (default: ZORA_PRIVATE_KEY, then your saved wallet, else a new one is generated)"
@@ -3083,8 +3112,8 @@ agentCommand.command("create").description(
   String(DEFAULT_SIWE_CHAIN_ID)
 ).option("--rpc-url <url>", "Base RPC URL (defaults to the public endpoint)").option(
   "--dry-run",
-  "Create the account, profile, and smart wallet, but simulate the opted-in coin + post instead of minting them"
-).option("--with-coin", "Also create the agent's creator coin").option("--skip-post", "Skip publishing the first post").option(
+  "Create the account, profile, and smart wallet, but simulate the coin + post instead of minting them"
+).option("--skip-coin", "Skip minting the agent's creator coin").option("--skip-post", "Skip publishing the first post").option(
   "--username <name>",
   "Set the agent's username (also sets the display name; must be available). Default: an auto-assigned handle."
 ).option("--bio <text>", "Set the agent's bio. Default: an auto-assigned bio.").option(
@@ -3158,16 +3187,29 @@ agentCommand.command("create").description(
     }
   }
   const resolved = resolveAgentKey(json, options.privateKey);
-  const wouldMint = Boolean(options.withCoin) || hasCaption && hasImage;
+  const wouldMint = !options.skipCoin || hasCaption && hasImage;
   if (!options.dryRun && wouldMint) {
     const existingAgent = peekAgentWallet();
     if (existingAgent) {
       await confirmAgentAction({
         json,
         force: options.force,
-        warning: `You already have an agent: @${existingAgent.username} (smart wallet ${existingAgent.smartWalletAddress}).
-Re-running 'agent create' will mint another creator coin and/or first post for it.`,
-        question: `Create another coin/post for @${existingAgent.username}?`
+        warning: (() => {
+          const willMintCoin = !options.skipCoin;
+          const willMintPost = hasCaption && hasImage;
+          const what = [
+            willMintCoin && "creator coin",
+            willMintPost && "first post"
+          ].filter(Boolean).join(" and ");
+          return `You already have an agent: @${existingAgent.username} (smart wallet ${existingAgent.smartWalletAddress}).
+Re-running 'agent create' will mint another ${what} for it.`;
+        })(),
+        question: (() => {
+          const willMintCoin = !options.skipCoin;
+          const willMintPost = hasCaption && hasImage;
+          const what = [willMintCoin && "coin", willMintPost && "post"].filter(Boolean).join("/");
+          return `Create another ${what} for @${existingAgent.username}?`;
+        })()
       });
     }
   }
@@ -3180,7 +3222,7 @@ Re-running 'agent create' will mint another creator coin and/or first post for i
       chainId,
       rpcUrl: options.rpcUrl,
       dryRun: Boolean(options.dryRun),
-      withCoin: Boolean(options.withCoin),
+      skipCoin: Boolean(options.skipCoin),
       skipPost: Boolean(options.skipPost),
       username: options.username,
       bio: options.bio,
@@ -3196,7 +3238,7 @@ Re-running 'agent create' will mint another creator coin and/or first post for i
     return outputErrorAndExit(
       json,
       `Agent onboarding failed: ${formatError(err)}`,
-      "Re-run to retry \u2014 the profile and smart wallet are idempotent. Add the creator coin later with `zora agent coin`."
+      "Re-run to retry \u2014 the profile and smart wallet are idempotent."
     );
   }
   const walletPath = getWalletPath();
@@ -3224,7 +3266,7 @@ Re-running 'agent create' will mint another creator coin and/or first post for i
     generated_wallet: resolved.generated,
     saved_to_wallet: savedToWallet,
     dry_run: result.dryRun,
-    with_coin: Boolean(options.withCoin),
+    skip_coin: Boolean(options.skipCoin),
     minted_coin: Boolean(result.coin?.hash),
     minted_post: Boolean(result.post?.hash),
     coin_failed: Boolean(result.coinError),
@@ -3249,8 +3291,10 @@ Re-running 'agent create' will mint another creator coin and/or first post for i
     },
     render: () => {
       const simulated = result.dryRun && (result.coin || result.post);
+      const simulatedWhat = [result.coin && "coin", result.post && "post"].filter(Boolean).join(" + ");
       console.log(
-        simulated ? "\n\u2713 Agent ready (dry run \u2014 coin + post simulated, not minted)" : result.dryRun ? "\n\u2713 Agent ready (dry run \u2014 account + smart wallet created; no coin/post requested)" : "\n\u2713 Agent ready"
+        simulated ? `
+\u2713 Agent ready (dry run \u2014 ${simulatedWhat} simulated, not minted)` : result.dryRun ? "\n\u2713 Agent ready (dry run \u2014 account + smart wallet created; coin + post skipped)" : "\n\u2713 Agent ready"
       );
       console.log(`  Profile:      @${result.username}`);
       if (options.bio !== void 0) {
@@ -3270,8 +3314,11 @@ Re-running 'agent create' will mint another creator coin and/or first post for i
         );
       } else if (result.coinError) {
         console.log(`  Creator coin: failed \u2014 ${result.coinError}`);
-      } else if (!result.dryRun) {
-        console.log("  Creator coin: none \u2014 add one with `zora agent coin`");
+        console.log("  Retry with `zora agent coin`.");
+      } else if (!result.dryRun && options.skipCoin) {
+        console.log(
+          "  Creator coin: skipped \u2014 add one later with `zora agent coin`"
+        );
       }
       if (result.post) {
         console.log(
@@ -3929,9 +3976,7 @@ budgetCommand.command("record").description(
             "\u2022 No global budget configured \u2014 nothing to record. Set one with `zora agent budget set <amount>`."
           );
         } else {
-          console.log(
-            "\u2022 Budget opted out (no limit) \u2014 nothing to record."
-          );
+          console.log("\u2022 Budget opted out (no limit) \u2014 nothing to record.");
         }
       }
     });
@@ -6917,10 +6962,17 @@ var fetchProfile = async (address) => {
       address,
       handle,
       displayName: profile?.displayName ?? handle,
-      avatarUrl: profile?.avatar?.previewImage?.small ?? null
+      avatarUrl: profile?.avatar?.previewImage?.small ?? null,
+      platformBlocked: profile?.platformBlocked ?? false
     };
   } catch {
-    return { address, handle: null, displayName: null, avatarUrl: null };
+    return {
+      address,
+      handle: null,
+      displayName: null,
+      avatarUrl: null,
+      platformBlocked: false
+    };
   }
 };
 var resolveProfiles = async (addresses, _token, onProgress) => {
@@ -6935,7 +6987,8 @@ var resolveProfiles = async (addresses, _token, onProgress) => {
         address,
         handle: cached.handle,
         displayName: cached.displayName,
-        avatarUrl: cached.avatarUrl
+        avatarUrl: cached.avatarUrl,
+        platformBlocked: cached.platformBlocked ?? false
       });
     } else {
       stale.push(address);
@@ -6960,6 +7013,7 @@ var resolveProfiles = async (addresses, _token, onProgress) => {
           handle: profile.handle,
           displayName: profile.displayName,
           avatarUrl: profile.avatarUrl,
+          platformBlocked: profile.platformBlocked,
           fetchedAt: now
         };
       }
@@ -7293,6 +7347,19 @@ dmCommand.command("send").description(
 ).argument("<address>", "Recipient: Zora handle (@name) or 0x address").argument("[message]", "Message text").action(async function(address, message) {
   const json = getJson(this);
   const peer = await resolvePeer(json, address);
+  const profiles = await resolveProfiles([peer]);
+  const profile = profiles.get(peer);
+  if (profile?.platformBlocked) {
+    track("cli_dm_send", {
+      output_format: json ? "json" : "text",
+      success: false,
+      blocked_profile: true
+    });
+    return outputErrorAndExit(
+      json,
+      bannedProfileMessage(profile.handle ?? peer)
+    );
+  }
   if (!message || !message.trim()) {
     return outputErrorAndExit(
       json,
@@ -7688,10 +7755,219 @@ var exploreCommand = new Command8("explore").description("Browse top, new, and h
   }
 });
 
-// src/commands/get.tsx
+// src/commands/follow.ts
+import { getProfile as getProfile2, setApiKey as setApiKey6 } from "@zoralabs/coins-sdk";
 import { Command as Command9 } from "commander";
+import { erc20Abi as erc20Abi3, isAddress as isAddress7 } from "viem";
+
+// src/lib/follow.ts
+var FOLLOW_MUTATION = "mutation CliFollow($followeeId: String!) { follow(followeeId: $followeeId) { handle profileId vcFollowingStatus } }";
+var UNFOLLOW_MUTATION = "mutation CliUnfollow($followeeId: String!) { unfollow(followeeId: $followeeId) { handle profileId vcFollowingStatus } }";
+async function mutateFollow(token, followeeId, mutation, operationName, field) {
+  const { data, errors, status } = await graphqlRequest(
+    token,
+    mutation,
+    operationName,
+    { followeeId }
+  );
+  const profile = data?.[field];
+  if (profile?.profileId) {
+    return {
+      // The API returns the full address as both fields when the target has no
+      // profile; fall back to profileId so handle is never empty.
+      handle: profile.handle ?? profile.profileId,
+      profileId: profile.profileId,
+      followingStatus: profile.vcFollowingStatus ?? "UNKNOWN"
+    };
+  }
+  const lastError = errors?.[0]?.message ?? `HTTP ${status}`;
+  throw new Error(`${field} failed: ${lastError}`);
+}
+function followProfile(token, followeeId) {
+  return mutateFollow(
+    token,
+    followeeId,
+    FOLLOW_MUTATION,
+    "CliFollow",
+    "follow"
+  );
+}
+function unfollowProfile(token, followeeId) {
+  return mutateFollow(
+    token,
+    followeeId,
+    UNFOLLOW_MUTATION,
+    "CliUnfollow",
+    "unfollow"
+  );
+}
+
+// src/commands/follow.ts
+function isPlaceholderName(name) {
+  return name.startsWith("0x") || name.includes("\u2026") || name.includes("...");
+}
+function displayName(result) {
+  return isPlaceholderName(result.handle) ? result.profileId : `@${result.handle}`;
+}
+function relationshipNote(status) {
+  if (status === "MUTUAL_FOLLOWING") return "You follow each other.";
+  if (status === "FOLLOWED") return "They still follow you.";
+  return void 0;
+}
+async function requireCreatorCoinHolding(json, identifier) {
+  const apiKey = getApiKey();
+  if (apiKey) setApiKey6(apiKey);
+  let profile;
+  try {
+    const response = await getProfile2({ identifier });
+    profile = response?.data?.profile;
+  } catch (err) {
+    return outputErrorAndExit(
+      json,
+      `Couldn't look up "${identifier}": ${formatError(err)}`
+    );
+  }
+  if (!profile) {
+    return outputErrorAndExit(
+      json,
+      `No Zora profile found for "${identifier}".`,
+      "Provide an existing Zora username or wallet address."
+    );
+  }
+  const label = profile.handle && !isPlaceholderName(profile.handle) ? `@${profile.handle}` : identifier;
+  const coinAddress = profile.creatorCoin?.address;
+  if (!coinAddress || !isAddress7(coinAddress)) {
+    return outputErrorAndExit(
+      json,
+      `${label} doesn't have a creator coin yet, so there's nothing to buy.`,
+      "Following requires holding the profile's creator coin."
+    );
+  }
+  const { privateKeyAccount, smartWalletAccount } = await resolveAccounts();
+  const wallet = smartWalletAccount?.address ?? privateKeyAccount.address;
+  const { publicClient } = createClients(privateKeyAccount, smartWalletAccount);
+  let balance;
+  try {
+    balance = await publicClient.readContract({
+      abi: erc20Abi3,
+      address: coinAddress,
+      functionName: "balanceOf",
+      args: [wallet]
+    });
+  } catch (err) {
+    return outputErrorAndExit(
+      json,
+      `Couldn't check your creator-coin balance: ${formatError(err)}`
+    );
+  }
+  if (balance === 0n) {
+    return outputErrorAndExit(
+      json,
+      `You must hold ${label}'s creator coin to follow them.`,
+      `Buy some first: zora buy ${coinAddress} --eth 0.001`
+    );
+  }
+}
+async function resolveToken(json, key) {
+  try {
+    const session = await ensurePrivySession({ privateKey: normalizeKey(key) });
+    return session.accessToken;
+  } catch (err) {
+    return outputErrorAndExit(json, `Sign-in failed: ${formatError(err)}`);
+  }
+}
+async function runFollow(command, action, identifierArg) {
+  const json = getJson(command);
+  const followeeId = (identifierArg ?? "").replace(/^@/, "").trim();
+  if (!followeeId) {
+    return outputErrorAndExit(
+      json,
+      `Missing user to ${action}.`,
+      `Usage: zora ${action} <username | address>`
+    );
+  }
+  const key = process.env.ZORA_PRIVATE_KEY || getPrivateKey();
+  if (!key) {
+    return outputErrorAndExit(
+      json,
+      "No wallet configured.",
+      "Run 'zora agent create' to set up your Zora agent."
+    );
+  }
+  if (action === "follow") {
+    await requireCreatorCoinHolding(json, followeeId);
+  }
+  const token = await resolveToken(json, key);
+  let result;
+  try {
+    result = action === "follow" ? await followProfile(token, followeeId) : await unfollowProfile(token, followeeId);
+  } catch (err) {
+    track("cli_follow", {
+      action,
+      output_format: json ? "json" : "static",
+      success: false,
+      error_type: err instanceof Error ? err.constructor.name : "unknown"
+    });
+    await shutdownAnalytics();
+    const message = formatError(err);
+    if (action === "follow" && /yourself/i.test(message)) {
+      return outputErrorAndExit(json, "You can't follow yourself.");
+    }
+    return outputErrorAndExit(
+      json,
+      `Failed to ${action} "${followeeId}": ${message}`,
+      "Check the username or address is a real Zora profile and try again."
+    );
+  }
+  if (result.followingStatus === "SELF") {
+    track("cli_follow", {
+      action,
+      output_format: json ? "json" : "static",
+      success: false,
+      error_type: "self"
+    });
+    await shutdownAnalytics();
+    return outputErrorAndExit(json, `You can't ${action} yourself.`);
+  }
+  const label = displayName(result);
+  const profileUrl = isPlaceholderName(result.handle) ? void 0 : `https://zora.co/@${result.handle}`;
+  const note2 = relationshipNote(result.followingStatus);
+  track("cli_follow", {
+    action,
+    output_format: json ? "json" : "static",
+    success: true,
+    following_status: result.followingStatus
+  });
+  outputData(json, {
+    json: {
+      action,
+      followee: result.profileId,
+      handle: result.handle,
+      followingStatus: result.followingStatus,
+      ...profileUrl ? { profileUrl } : {}
+    },
+    render: () => {
+      console.log(
+        `
+\u2713 ${action === "follow" ? "Following" : "Unfollowed"} ${label}`
+      );
+      if (note2) console.log(`  ${note2}`);
+      if (profileUrl) console.log(`  ${profileUrl}`);
+      console.log("");
+    }
+  });
+}
+var followCommand = new Command9("follow").description("Follow a Zora user whose creator coin you hold").argument("[identifier]", "Username (@handle), wallet address, or account id").action(async function(identifier) {
+  await runFollow(this, "follow", identifier);
+});
+var unfollowCommand = new Command9("unfollow").description("Unfollow a Zora user by username or address").argument("[identifier]", "Username (@handle), wallet address, or account id").action(async function(identifier) {
+  await runFollow(this, "unfollow", identifier);
+});
+
+// src/commands/get.tsx
+import { Command as Command10 } from "commander";
 import { Box as Box12, Text as Text12 } from "ink";
-import { setApiKey as setApiKey6, getCoinHolders, getCoinSwaps } from "@zoralabs/coins-sdk";
+import { setApiKey as setApiKey7, getCoinHolders, getCoinSwaps } from "@zoralabs/coins-sdk";
 
 // src/components/CoinDetail.tsx
 import { Box as Box7, Text as Text7 } from "ink";
@@ -8186,7 +8462,7 @@ function formatCoinJson(coin) {
 var resolveApiKey2 = () => {
   const apiKey = getApiKey();
   if (apiKey) {
-    setApiKey6(apiKey);
+    setApiKey7(apiKey);
   }
 };
 var CoinResolutionError = class extends Error {
@@ -8315,7 +8591,7 @@ async function fetchRecentTrades(address) {
     return [];
   }
 }
-var getCommand = new Command9("get").description("Look up a coin by address or name").argument("[typeOrId]", "Type prefix (creator-coin, trend) or identifier").argument(
+var getCommand = new Command10("get").description("Look up a coin by address or name").argument("[typeOrId]", "Type prefix (creator-coin, trend) or identifier").argument(
   "[identifier]",
   "Coin address (0x...) or name (when type prefix is given)"
 ).option("--live", "Interactive live-updating display (default)").option("--static", "Static snapshot").option(
@@ -8845,15 +9121,15 @@ import confirm6 from "@inquirer/confirm";
 import {
   createQuote as createQuote2,
   getCoin as getCoin4,
-  setApiKey as setApiKey7,
+  setApiKey as setApiKey8,
   tradeCoin as tradeCoin2,
   tradeCoinSmartWallet as tradeCoinSmartWallet2
 } from "@zoralabs/coins-sdk";
-import { Command as Command10 } from "commander";
+import { Command as Command11 } from "commander";
 import {
-  erc20Abi as erc20Abi3,
+  erc20Abi as erc20Abi4,
   formatUnits as formatUnits5,
-  isAddress as isAddress7,
+  isAddress as isAddress8,
   parseUnits as parseUnits2
 } from "viem";
 function printSellQuote(output, info) {
@@ -8930,7 +9206,7 @@ function printSellResult(output, info) {
   console.log(`   Tx           ${info.txHash}
 `);
 }
-var sellCommand = new Command10("sell").description("Sell a coin").argument(
+var sellCommand = new Command11("sell").description("Sell a coin").argument(
   "[typeOrId]",
   "Type prefix (creator-coin, trend) or coin address/name"
 ).argument("[identifier]", "Coin name (when type prefix is given)").option("--amount <value>", "Sell specific number of coins").option("--usd <value>", "Sell USD equivalent worth of coins").option("--percent <value>", "Sell percentage of coin balance").option("--all", "Sell entire coin balance").option("--to <asset>", "Receive asset: eth, usdc, zora", "eth").option("--token <asset>", "Receive asset: eth, usdc, zora (alias for --to)").option("--quote", "Print quote and exit without trading").option("--yes", "Skip confirmation and execute directly").option("--slippage <pct>", "Slippage tolerance percent", "1").option("--debug", "Print full quote request/response JSON").action(async function(typeOrId, identifier, opts) {
@@ -8947,12 +9223,12 @@ var sellCommand = new Command10("sell").description("Sell a coin").argument(
   }
   const apiKey = getApiKey();
   if (apiKey) {
-    setApiKey7(apiKey);
+    setApiKey8(apiKey);
   }
   let coinAddress;
   let earlyAccounts;
   if (parsed.kind === "address") {
-    if (!isAddress7(parsed.address)) {
+    if (!isAddress8(parsed.address)) {
       return outputErrorAndExit(json, `Invalid address: ${parsed.address}`);
     }
     coinAddress = parsed.address;
@@ -8968,7 +9244,7 @@ var sellCommand = new Command10("sell").description("Sell a coin").argument(
       ambResult = await resolveAmbiguousByNameAndBalance(
         parsed.name,
         (addr) => earlyPublicClient.readContract({
-          abi: erc20Abi3,
+          abi: erc20Abi4,
           address: addr,
           functionName: "balanceOf",
           args: [earlyWalletAddress]
@@ -9112,7 +9388,7 @@ var sellCommand = new Command10("sell").description("Sell a coin").argument(
     }
   } else {
     const balance = await publicClient.readContract({
-      abi: erc20Abi3,
+      abi: erc20Abi4,
       address: coinAddress,
       functionName: "balanceOf",
       args: [walletAddress]
@@ -9374,13 +9650,13 @@ ${err instanceof Error ? err.stack || err.message : String(err)}
 });
 
 // src/commands/profile.tsx
-import { Command as Command11 } from "commander";
+import { Command as Command12 } from "commander";
 import { Box as Box17, Text as Text17 } from "ink";
 import {
   getProfileCoins,
   getProfileBalances as getProfileBalances2,
   getWalletTradeActivity,
-  setApiKey as setApiKey8
+  setApiKey as setApiKey9
 } from "@zoralabs/coins-sdk";
 import { privateKeyToAccount as privateKeyToAccount8 } from "viem/accounts";
 
@@ -9762,7 +10038,7 @@ import { jsx as jsx18, jsxs as jsxs17 } from "react/jsx-runtime";
 var resolveApiKey3 = () => {
   const apiKey = getApiKey();
   if (apiKey) {
-    setApiKey8(apiKey);
+    setApiKey9(apiKey);
   }
 };
 var formatTradeJson2 = (trade, rank) => ({
@@ -9885,7 +10161,7 @@ var resolveIdentifier = (identifierArg, json) => {
     );
   }
 };
-var profileCommand = new Command11("profile").description("View profile activity (posts, holdings, and trades)").argument(
+var profileCommand = new Command12("profile").description("View profile activity (posts, holdings, and trades)").argument(
   "[identifier]",
   "Wallet address or profile handle (defaults to your wallet)"
 ).option("--live", "Interactive live-updating display (default)").option("--static", "Static snapshot").option(
@@ -10429,18 +10705,18 @@ profileCommand.command("trades").description("View profile trade activity (buys
 // src/commands/send.ts
 import confirm7 from "@inquirer/confirm";
 import {
-  getProfile as getProfile2,
+  getProfile as getProfile3,
   prepareUserOperation as prepareUserOperation2,
-  setApiKey as setApiKey9,
+  setApiKey as setApiKey10,
   submitUserOperation as submitUserOperation2,
   toGenericCall as toGenericCall2,
   toUserOperationCalls as toUserOperationCalls2
 } from "@zoralabs/coins-sdk";
-import { Command as Command12 } from "commander";
+import { Command as Command13 } from "commander";
 import {
-  erc20Abi as erc20Abi4,
+  erc20Abi as erc20Abi5,
   formatUnits as formatUnits6,
-  isAddress as isAddress8,
+  isAddress as isAddress9,
   parseUnits as parseUnits3
 } from "viem";
 var SEND_AMOUNT_CHECKS = {
@@ -10449,16 +10725,16 @@ var SEND_AMOUNT_CHECKS = {
   all: (opts) => opts.all === true
 };
 var KNOWN_TOKEN_NAMES = /* @__PURE__ */ new Set(["eth", "usdc", "zora"]);
-function isPlaceholderName(name) {
+function isPlaceholderName2(name) {
   return name.startsWith("0x") || name.includes("\u2026") || name.includes("...");
 }
 async function resolveRecipient(identifier, json = false) {
-  const isIdentifierAddress = isAddress8(identifier);
+  const isIdentifierAddress = isAddress9(identifier);
   try {
-    const response = await getProfile2({ identifier });
+    const response = await getProfile3({ identifier });
     const profile = response?.data?.profile;
     const address = isIdentifierAddress ? identifier : profile?.publicWallet?.walletAddress;
-    if (!address || !isAddress8(address)) {
+    if (!address || !isAddress9(address)) {
       return outputErrorAndExit(
         json,
         !address ? `No Zora profile or wallet found for "${identifier}".` : "Provide a valid 0x address or an existing Zora profile name."
@@ -10466,9 +10742,10 @@ async function resolveRecipient(identifier, json = false) {
     }
     return {
       address,
-      handle: profile?.handle && !isPlaceholderName(profile.handle) ? `@${profile.handle}` : void 0,
-      username: profile?.username && !isPlaceholderName(profile.username) ? profile.username : void 0,
-      displayName: profile?.displayName && !isPlaceholderName(profile.displayName) ? profile.displayName : void 0
+      handle: profile?.handle && !isPlaceholderName2(profile.handle) ? `@${profile.handle}` : void 0,
+      username: profile?.username && !isPlaceholderName2(profile.username) ? profile.username : void 0,
+      displayName: profile?.displayName && !isPlaceholderName2(profile.displayName) ? profile.displayName : void 0,
+      platformBlocked: profile?.platformBlocked ?? false
     };
   } catch (err) {
     return isIdentifierAddress ? { address: identifier } : outputErrorAndExit(
@@ -10547,7 +10824,7 @@ async function sendCallViaSmartWallet(call, bundlerClient, account) {
   }
   return receipt.receipt.transactionHash;
 }
-var sendCommand = new Command12("send").description("Send coins or ETH to an address or Zora profile").argument(
+var sendCommand = new Command13("send").description("Send coins or ETH to an address or Zora profile").argument(
   "[typeOrId]",
   "Token (eth, usdc, zora), type prefix (creator-coin, trend), or coin address/name"
 ).argument("[identifier]", "Coin name (when type prefix is given)").option("--to <recipient>", "Recipient: address (0x...) or Zora profile name").option("--amount <value>", "Send specific amount").option("--percent <value>", "Send percentage of balance (1-100)").option("--all", "Send entire balance").option("--yes", "Skip confirmation").action(async function(firstArg, secondArg, opts) {
@@ -10561,9 +10838,22 @@ var sendCommand = new Command12("send").description("Send coins or ETH to an add
   }
   const apiKey = getApiKey();
   if (apiKey) {
-    setApiKey9(apiKey);
+    setApiKey10(apiKey);
   }
   const resolvedRecipient = await resolveRecipient(opts.to, json);
+  if (resolvedRecipient.platformBlocked) {
+    track("cli_send", {
+      output_format: json ? "json" : "text",
+      success: false,
+      blocked_profile: true
+    });
+    return outputErrorAndExit(
+      json,
+      bannedProfileMessage(
+        resolvedRecipient.handle ?? resolvedRecipient.address
+      )
+    );
+  }
   const amountMode = getAmountMode(
     json,
     opts,
@@ -10824,7 +11114,7 @@ var sendCommand = new Command12("send").description("Send coins or ETH to an add
     let symbol;
     if (knownToken) {
       balance = await publicClient.readContract({
-        abi: erc20Abi4,
+        abi: erc20Abi5,
         address: tokenAddress,
         functionName: "balanceOf",
         args: [walletAddress]
@@ -10834,18 +11124,18 @@ var sendCommand = new Command12("send").description("Send coins or ETH to an add
     } else {
       const results = await Promise.all([
         publicClient.readContract({
-          abi: erc20Abi4,
+          abi: erc20Abi5,
           address: tokenAddress,
           functionName: "balanceOf",
           args: [walletAddress]
         }),
         publicClient.readContract({
-          abi: erc20Abi4,
+          abi: erc20Abi5,
           address: tokenAddress,
           functionName: "decimals"
         }),
         publicClient.readContract({
-          abi: erc20Abi4,
+          abi: erc20Abi5,
           address: tokenAddress,
           functionName: "symbol"
         })
@@ -10955,7 +11245,7 @@ var sendCommand = new Command12("send").description("Send coins or ETH to an add
     try {
       txHash = smartWalletAccount ? await sendCallViaSmartWallet(
         {
-          abi: erc20Abi4,
+          abi: erc20Abi5,
           address: tokenAddress,
           functionName: "transfer",
           args: [resolvedRecipient.address, amount]
@@ -10963,7 +11253,7 @@ var sendCommand = new Command12("send").description("Send coins or ETH to an add
         bundlerClient,
         smartWalletAccount
       ) : await walletClient.writeContract({
-        abi: erc20Abi4,
+        abi: erc20Abi5,
         address: tokenAddress,
         functionName: "transfer",
         args: [resolvedRecipient.address, amount]
@@ -11028,7 +11318,7 @@ var sendCommand = new Command12("send").description("Send coins or ETH to an add
 });
 
 // src/commands/setup.tsx
-import { Command as Command13 } from "commander";
+import { Command as Command14 } from "commander";
 import { Text as Text18, Box as Box18 } from "ink";
 
 // src/lib/strings.ts
@@ -11196,7 +11486,7 @@ ${BOLD}${DIM}[${step}/${total}]${RESET} ${BOLD}${title}${RESET}`
   console.log(`${DIM}${"\u2500".repeat(Math.max(cols, 20))}${RESET}
 `);
 }
-var setupCommand = new Command13("setup").description("Guided first-time setup").option("--create", "Create a new wallet without prompting").option("--force", "Overwrite existing wallet without prompting").option("--yes", "Skip interactive prompt and execute directly").action(async function(options) {
+var setupCommand = new Command14("setup").description("Guided first-time setup").option("--create", "Create a new wallet without prompting").option("--force", "Overwrite existing wallet without prompting").option("--yes", "Skip interactive prompt and execute directly").action(async function(options) {
   const json = getJson(this);
   const nonInteractive = getYes(this);
   if (!json) stepLine(1, 3, "Set up wallet");
@@ -11333,7 +11623,8 @@ async function promptAndSaveApiKey(json, nonInteractive = false) {
 }
 
 // src/commands/skills.ts
-import { Command as Command14 } from "commander";
+import { Command as Command15 } from "commander";
+import { createHash as createHash2 } from "crypto";
 import { writeFileSync as writeFileSync3, mkdirSync as mkdirSync3, existsSync as existsSync4 } from "fs";
 import { resolve, join as join3 } from "path";
 var DEFAULT_SKILLS_BASE_URL = "https://agents.zora.com/skill";
@@ -11343,81 +11634,96 @@ var SKILLS = [
   {
     name: "onboarding",
     category: "Onboarding",
-    description: "Set up on Zora for the first time \u2014 publish your profile, create your smart wallet and creator coin, and post your first meme"
+    description: "Set up on Zora for the first time \u2014 publish your profile, create your smart wallet and creator coin, and post your first meme",
+    integrity: "sha256-8ZSloIyoC232S4QZDyb6PXL94n3OWlhBopHuTpt4Txo="
   },
   // Discovery
   {
     name: "early-buyer",
     category: "Discovery",
-    description: "Auto-buy new coin launches from creators you follow"
+    description: "Auto-buy new coin launches from creators you follow",
+    integrity: "sha256-MsU1e7kShm2X8jLY4nqNh8N+2ZNTKs0FVTzOVXf/rTQ="
   },
   {
     name: "watchlist",
     category: "Discovery",
-    description: "Track coins and alert when market cap hits configured thresholds"
+    description: "Track coins and alert when market cap hits configured thresholds",
+    integrity: "sha256-jWtGdWJ5gZBE4449BPOA6csCLP8b6dq5svubs/cljBk="
   },
   {
     name: "trend-sniper",
     category: "Discovery",
-    description: "Watch the global trending feed and snipe new trend coins on appearance or a volume spike"
+    description: "Watch the global trending feed and snipe new trend coins on appearance or a volume spike",
+    integrity: "sha256-eb6f+uK43inyv10TEXCLOTxZcaMiatnrbhilUdkIm/0="
   },
   {
     name: "new-coin-screener",
     category: "Discovery",
-    description: "Poll the global new-coin feed and auto-buy launches that pass a market-cap/holder screen"
+    description: "Poll the global new-coin feed and auto-buy launches that pass a market-cap/holder screen",
+    integrity: "sha256-P/IZ6vn94w+vTwNhxhxMyJInv90ZTlFJJbDJbWGNESs="
   },
   {
     name: "whale-watcher",
     category: "Discovery",
-    description: "Watch top holders and large trades on chosen coins, then alert or auto-trade on whale moves"
+    description: "Watch top holders and large trades on chosen coins, then alert or auto-trade on whale moves",
+    integrity: "sha256-9SMJMageM2VlxlMmoZpja2s0VecSymwSQUP0XSaodfI="
   },
   // Social
   {
     name: "copy-trader",
     category: "Social",
-    description: "Mirror another user's trades \u2014 existing holdings, future trades, or both"
+    description: "Mirror another user's trades \u2014 existing holdings, future trades, or both",
+    integrity: "sha256-Pj6Idrr52zzdwC+byLwRFjcS9EfVItemygm1q2+hbmQ="
   },
   {
     name: "dm-responder",
     category: "Social",
-    description: "Auto-triage and respond to DMs \u2014 approve/deny requests, greet new conversations, and flag keyword matches by rule"
+    description: "Auto-triage and respond to DMs \u2014 approve/deny requests, greet new conversations, and flag keyword matches by rule",
+    integrity: "sha256-ankYlTwsh6xdjL+uZZhKn4y9jZSwHRzYXxAcfrb3yqU="
   },
   {
     name: "comment-engager",
     category: "Social",
-    description: "Read and reply to comments on coins you hold, in your own voice, to build social presence"
+    description: "Read and reply to comments on coins you hold, in your own voice, to build social presence",
+    integrity: "sha256-oHbXs3JIOwaEJ/yubo/xIDC3rMIU5Rq7u3SGT7vIKv0="
   },
   {
     name: "social-trader",
     category: "Social",
-    description: "Follow specific creators and buy their new post coins or growing creator coins"
+    description: "Follow specific creators and buy their new post coins or growing creator coins",
+    integrity: "sha256-T/txP3ctq2NNaWkXOr7nWj4JuZJlKTMMMCWjh6qsmk8="
   },
   {
     name: "auto-poster",
     category: "Social",
-    description: "Publish a new post on a schedule to keep your agent active and in-character"
+    description: "Publish a new post on a schedule to keep your agent active and in-character",
+    integrity: "sha256-7vhcFa9fCArAOKu5hDUaMmR0Pw4SvTjXeVXU8BB9550="
   },
   // Risk
   {
     name: "take-profit",
     category: "Risk",
-    description: "Auto-sell positions at configured take-profit or stop-loss price targets"
+    description: "Auto-sell positions at configured take-profit or stop-loss price targets",
+    integrity: "sha256-CHtXieeBhnmfYAzazwIGHk7af1sJYHO2ox3nVDJD3yg="
   },
   {
     name: "dca",
     category: "Risk",
-    description: "Dollar-cost-average a fixed amount into chosen coins each iteration, with budget caps"
+    description: "Dollar-cost-average a fixed amount into chosen coins each iteration, with budget caps",
+    integrity: "sha256-xiSCYid81h0btfQV5gNlfsV0sLjc+1DvQSU3ORgYGJI="
   },
   {
     name: "portfolio-rebalancer",
     category: "Risk",
-    description: "Rebalance holdings back to target allocations when they drift past a tolerance band"
+    description: "Rebalance holdings back to target allocations when they drift past a tolerance band",
+    integrity: "sha256-LzeWI1kfOhOr1oeXmLABAfrrUtJ3jm+llOb+wGjo5/Q="
   },
   // Reporting
   {
     name: "portfolio-digest",
     category: "Reporting",
-    description: "Read-only periodic portfolio and PnL digest, optionally delivered to the operator by DM"
+    description: "Read-only periodic portfolio and PnL digest, optionally delivered to the operator by DM",
+    integrity: "sha256-tp8GQTSzRfqdKKT1H/ox8GOv3nRHSDLXbh9iaHTmjp4="
   }
 ];
 var AGENT_ORDER = [
@@ -11448,7 +11754,11 @@ var detectAgent = (cwd) => {
   }
   return null;
 };
-var fetchSkill = async (name) => {
+var computeIntegrity = (content) => {
+  const hash = createHash2("sha256").update(content, "utf8").digest("base64");
+  return `sha256-${hash}`;
+};
+var fetchSkill = async (name, expectedIntegrity, skipVerify) => {
   const url = `${getSkillsBaseUrl()}/${name}.md`;
   const response = await fetch(url);
   if (!response.ok) {
@@ -11456,17 +11766,30 @@ var fetchSkill = async (name) => {
       `Failed to fetch ${url}: ${response.status} ${response.statusText}`
     );
   }
-  return response.text();
+  const content = await response.text();
+  if (!skipVerify) {
+    const actual = computeIntegrity(content);
+    if (actual !== expectedIntegrity) {
+      throw new Error(
+        `Skill integrity check failed for "${name}".
+Expected: ${expectedIntegrity}
+Received: ${actual}
+This could indicate a compromised download. If you trust the source, use --skip-verify.`
+      );
+    }
+  }
+  return content;
 };
-var skillsCommand = new Command14("skills").description(
+var skillsCommand = new Command15("skills").description(
   "Install pre-built agent skills \u2014 onboarding plus discovery, social, risk, and reporting strategies (run `skills list` to see them all)"
 ).action(function() {
   this.outputHelp();
 });
+var getPublicSkills = () => SKILLS.map(({ integrity: _, ...rest }) => rest);
 skillsCommand.command("list").description("List available skills").action(function() {
   const json = getJson(this);
   outputData(json, {
-    json: { skills: SKILLS },
+    json: { skills: getPublicSkills() },
     render: () => {
       console.log("Available skills:\n");
       for (const s of SKILLS) {
@@ -11482,12 +11805,13 @@ skillsCommand.command("add [name]").description(
 ).option("--all", "Install all skills").option(
   "--agent <agent>",
   "Target agent: claude, cursor, windsurf, openclaw, hermes (default: auto-detect)"
-).option("--dir <path>", "Explicit directory to install into").action(async function(name) {
+).option("--dir <path>", "Explicit directory to install into").option("--skip-verify", "Skip integrity verification (development only)").action(async function(name) {
   const json = getJson(this);
   const opts = this.opts();
   const installAll = opts.all === true;
   const agentFlag = opts.agent;
   const dirFlag = opts.dir;
+  const skipVerify = opts.skipVerify === true;
   if (!installAll && !name) {
     return outputErrorAndExit(
       json,
@@ -11534,28 +11858,72 @@ skillsCommand.command("add [name]").description(
   mkdirSync3(outDir, { recursive: true });
   const installed = [];
   const errors = [];
-  for (const file of names) {
+  for (const skillName of names) {
+    const skill = SKILLS.find((s) => s.name === skillName);
     try {
-      const content = await fetchSkill(file);
-      const skillDir = join3(outDir, `${SKILL_PREFIX}${file}`);
+      const content = await fetchSkill(
+        skillName,
+        skill.integrity,
+        skipVerify
+      );
+      const skillDir = join3(outDir, `${SKILL_PREFIX}${skillName}`);
       mkdirSync3(skillDir, { recursive: true });
       const outPath = join3(skillDir, "SKILL.md");
       writeFileSync3(outPath, content);
-      installed.push({ name: `${SKILL_PREFIX}${file}`, path: outPath });
+      installed.push({ name: `${SKILL_PREFIX}${skillName}`, path: outPath });
     } catch (err) {
       errors.push({
-        name: file,
+        name: skillName,
         error: err instanceof Error ? err.message : String(err)
       });
     }
   }
   if (errors.length > 0 && installed.length === 0) {
+    const integrityError = errors.find(
+      (e) => e.error.includes("integrity check failed")
+    );
     return outputErrorAndExit(
       json,
       `Failed to install: ${errors.map((e) => e.name).join(", ")}`,
-      "Check your network connection and retry."
+      integrityError ? integrityError.error : "Check your network connection and retry."
     );
   }
+  const hasIntegrityErrors = errors.some(
+    (e) => e.error.includes("integrity check failed")
+  );
+  if (hasIntegrityErrors) {
+    outputData(json, {
+      json: {
+        installed,
+        errors,
+        agent: resolvedAgent,
+        dir: outDir
+      },
+      render: () => {
+        if (resolvedAgent && resolvedAgent !== "custom") {
+          console.log(`\x1B[2mDetected agent: ${resolvedAgent}\x1B[0m`);
+        }
+        for (const { name: name2, path } of installed) {
+          console.log(`\x1B[32m\u2713\x1B[0m Installed ${name2} \u2192 ${path}`);
+        }
+        for (const { name: name2, error } of errors) {
+          console.error(`\x1B[31m\u2717\x1B[0m ${name2}: ${error}`);
+        }
+        console.error(
+          "\n\x1B[31mIntegrity check failed for some skills. This could indicate compromised downloads.\x1B[0m"
+        );
+      }
+    });
+    track("cli_skills_add", {
+      installed_count: installed.length,
+      error_count: errors.length,
+      integrity_errors: true,
+      all: installAll,
+      agent: resolvedAgent ?? "unknown",
+      output_format: json ? "json" : "text"
+    });
+    process.exit(1);
+  }
   outputData(json, {
     json: {
       installed,
@@ -11592,8 +11960,8 @@ Invoke by typing /${firstSkill} in your agent to get started.`
 });
 
 // src/commands/wallet.ts
-import { Command as Command15 } from "commander";
-import { isAddress as isAddress9 } from "viem";
+import { Command as Command16 } from "commander";
+import { isAddress as isAddress10 } from "viem";
 import { privateKeyToAccount as privateKeyToAccount10 } from "viem/accounts";
 var resolvePrivateKey2 = () => {
   const envKey = process.env.ZORA_PRIVATE_KEY;
@@ -11609,15 +11977,15 @@ var resolvePrivateKey2 = () => {
 var resolveSmartWalletAddress3 = () => {
   const envAddress = process.env.ZORA_SMART_WALLET_ADDRESS;
   if (envAddress) {
-    return isAddress9(envAddress) ? { address: envAddress, source: "env" } : { invalid: true, source: "env" };
+    return isAddress10(envAddress) ? { address: envAddress, source: "env" } : { invalid: true, source: "env" };
   }
   const fileAddress = getSmartWalletAddress();
   if (fileAddress !== void 0) {
-    return isAddress9(fileAddress) ? { address: fileAddress, source: "file" } : { invalid: true, source: "file" };
+    return isAddress10(fileAddress) ? { address: fileAddress, source: "file" } : { invalid: true, source: "file" };
   }
   return void 0;
 };
-var walletCommand = new Command15("wallet").description("Manage your Zora wallet").action(function() {
+var walletCommand = new Command16("wallet").description("Manage your Zora wallet").action(function() {
   this.outputHelp();
 });
 walletCommand.command("info").description("Show wallet address and storage location").action(function() {
@@ -12154,7 +12522,7 @@ import { jsx as jsx24 } from "react/jsx-runtime";
 if (process.env.ZORA_API_TARGET) {
   setApiBaseUrl(process.env.ZORA_API_TARGET);
 }
-var version = true ? "1.2.0" : JSON.parse(
+var version = true ? "1.3.0" : JSON.parse(
   readFileSync5(new URL("../package.json", import.meta.url), "utf-8")
 ).version;
 function styledHelpWriteOut(showHeader) {
@@ -12174,7 +12542,7 @@ function styledHelpWriteOut(showHeader) {
   };
 }
 var buildProgram = () => {
-  const program2 = new Command16().name("zora").description("Trade what's trending. Run `zora setup` to get started.").version(version).option("--json", "Output as JSON (for scripts and automation)", false);
+  const program2 = new Command17().name("zora").description("Trade what's trending. Run `zora setup` to get started.").version(version).option("--json", "Output as JSON (for scripts and automation)", false);
   const helpWidth = (process.stdout.columns || 80) - 4;
   program2.configureHelp({
     helpWidth,
@@ -12195,6 +12563,8 @@ var buildProgram = () => {
   program2.addCommand(createCommand);
   program2.addCommand(dmCommand);
   program2.addCommand(exploreCommand);
+  program2.addCommand(followCommand);
+  program2.addCommand(unfollowCommand);
   program2.addCommand(getCommand);
   program2.addCommand(profileCommand);
   program2.addCommand(setupCommand);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zoralabs/cli",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "Zora CLI tool",
   "type": "module",
   "bin": {

package/scripts/generate-skill-hashes.ts

@@ -0,0 +1,210 @@
+/**
+ * Generates SHA-256 integrity hashes for all skills.
+ *
+ * Usage:
+ *   npx tsx scripts/generate-skill-hashes.ts          # Print hashes to console
+ *   npx tsx scripts/generate-skill-hashes.ts --write  # Update skills.ts directly
+ *   npx tsx scripts/generate-skill-hashes.ts --check  # Check if hashes are up-to-date (CI)
+ */
+
+import { createHash } from "node:crypto";
+import { readFileSync, writeFileSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const SKILLS_TS_PATH = join(__dirname, "../src/commands/skills.ts");
+
+const SKILLS_URL = "https://agents.zora.com/skill";
+
+const computeIntegrity = (content: string): string => {
+  const hash = createHash("sha256").update(content, "utf8").digest("base64");
+  return `sha256-${hash}`;
+};
+
+/**
+ * Parse skill names from skills.ts to avoid import dependency chain.
+ * Single source of truth - names are extracted from the SKILLS array.
+ */
+function parseSkillNamesFromFile(): string[] {
+  const content = readFileSync(SKILLS_TS_PATH, "utf8");
+  const names: string[] = [];
+
+  // Match all name: "skillname" patterns within the SKILLS array
+  const namePattern = /name:\s*"([^"]+)"/g;
+  let match;
+  while ((match = namePattern.exec(content)) !== null) {
+    names.push(match[1]);
+  }
+
+  if (names.length === 0) {
+    throw new Error("No skill names found in skills.ts");
+  }
+
+  return names;
+}
+
+/**
+ * Parse current hashes from skills.ts
+ */
+function getCurrentHashes(): Map<string, string> {
+  const content = readFileSync(SKILLS_TS_PATH, "utf8");
+  const hashes = new Map<string, string>();
+  const skillNames = parseSkillNamesFromFile();
+
+  for (const name of skillNames) {
+    // Use lazy matching to find the integrity field for each skill
+    const pattern = new RegExp(
+      `name:\\s*"${name}"[\\s\\S]*?integrity:\\s*"([^"]*)"`,
+    );
+    const match = content.match(pattern);
+    if (match) {
+      hashes.set(name, match[1]);
+    }
+  }
+
+  return hashes;
+}
+
+async function fetchAllHashes(): Promise<Map<string, string>> {
+  const hashes = new Map<string, string>();
+  const skillNames = parseSkillNamesFromFile();
+
+  for (const name of skillNames) {
+    const url = `${SKILLS_URL}/${name}.md`;
+    const response = await fetch(url);
+    if (!response.ok) {
+      throw new Error(`Failed to fetch ${name}: HTTP ${response.status}`);
+    }
+    const content = await response.text();
+    hashes.set(name, computeIntegrity(content));
+  }
+
+  return hashes;
+}
+
+function updateSkillsFile(hashes: Map<string, string>): boolean {
+  const content = readFileSync(SKILLS_TS_PATH, "utf8");
+  let updated = content;
+  let changed = false;
+  const errors: string[] = [];
+
+  for (const [name, hash] of hashes) {
+    // First, verify this skill has an integrity field by checking
+    // that we can find it within its own object block (before the next skill)
+    // Find the position of this skill's name
+    const namePattern = new RegExp(`name:\\s*"${name}"`);
+    const nameMatch = namePattern.exec(updated);
+    if (!nameMatch) {
+      errors.push(`Skill "${name}" not found in skills.ts`);
+      continue;
+    }
+
+    const namePos = nameMatch.index;
+
+    // Find the next skill's name (if any) to bound our search
+    const remainingContent = updated.slice(namePos + nameMatch[0].length);
+    const nextSkillMatch = /name:\s*"[^"]+"/.exec(remainingContent);
+    const searchBound = nextSkillMatch
+      ? namePos + nameMatch[0].length + nextSkillMatch.index
+      : updated.length;
+
+    // Extract the bounded region for this skill
+    const skillRegion = updated.slice(namePos, searchBound);
+
+    // Check if integrity field exists in this skill's region
+    const integrityInRegion = /integrity:\s*"[^"]*"/.exec(skillRegion);
+    if (!integrityInRegion) {
+      errors.push(
+        `Skill "${name}" is missing integrity field - add 'integrity: "sha256-PLACEHOLDER"' to the skill definition`,
+      );
+      continue;
+    }
+
+    // Now safely replace the integrity value within the bounded region
+    const updatedRegion = skillRegion.replace(
+      /(integrity:\s*)"[^"]*"/,
+      `$1"${hash}"`,
+    );
+
+    if (updatedRegion !== skillRegion) {
+      changed = true;
+      updated = updated.slice(0, namePos) + updatedRegion + updated.slice(searchBound);
+    }
+  }
+
+  if (errors.length > 0) {
+    console.error("\nErrors found:");
+    for (const err of errors) {
+      console.error(`  - ${err}`);
+    }
+    process.exit(1);
+  }
+
+  if (changed) {
+    writeFileSync(SKILLS_TS_PATH, updated);
+  }
+
+  return changed;
+}
+
+async function main() {
+  const args = process.argv.slice(2);
+  const writeMode = args.includes("--write");
+  const checkMode = args.includes("--check");
+
+  console.log("Fetching skills from production...\n");
+
+  let remoteHashes: Map<string, string>;
+  try {
+    remoteHashes = await fetchAllHashes();
+  } catch (err) {
+    console.error("Failed to fetch skills:", err);
+    process.exit(1);
+  }
+
+  if (checkMode) {
+    const currentHashes = getCurrentHashes();
+    let hasChanges = false;
+
+    for (const [name, remoteHash] of remoteHashes) {
+      const currentHash = currentHashes.get(name);
+      if (currentHash !== remoteHash) {
+        console.log(`${name}: CHANGED`);
+        console.log(`  Current:  ${currentHash}`);
+        console.log(`  Expected: ${remoteHash}\n`);
+        hasChanges = true;
+      }
+    }
+
+    if (hasChanges) {
+      console.log("Skill hashes are out of date. Run with --write to update.");
+      process.exit(1);
+    } else {
+      console.log("All skill hashes are up to date.");
+      process.exit(0);
+    }
+  }
+
+  if (writeMode) {
+    const changed = updateSkillsFile(remoteHashes);
+    if (changed) {
+      console.log("Updated skills.ts with new hashes:");
+      for (const [name, hash] of remoteHashes) {
+        console.log(`  ${name}: ${hash}`);
+      }
+    } else {
+      console.log("No changes needed - hashes are already up to date.");
+    }
+  } else {
+    console.log("Generated hashes (run with --write to update skills.ts):\n");
+    for (const [name, hash] of remoteHashes) {
+      console.log(`  ${name}: ${hash}`);
+    }
+  }
+}
+
+main().catch((err) => {
+  console.error("Fatal error:", err);
+  process.exit(1);
+});