pi-simocracy 0.2.0 → 0.4.1

package/src/openrouter.ts

@@ -8,22 +8,6 @@
 
 const DEFAULT_MODEL = "google/gemini-2.5-flash-lite";
 
-/**
- * Chat model for the Training Lab + interview flows. Mirrors
- * `DEFAULT_CHAT_MODEL` in `simocracy-v2/lib/openrouter.ts` — keep in
- * sync. Override via `DEFAULT_CHAT_MODEL` env var.
- */
-export const TRAINING_CHAT_MODEL =
-  process.env.DEFAULT_CHAT_MODEL ?? "google/gemini-3.1-flash-lite-preview";
-
-/**
- * Reasoning model used by the merge-constitution flow. Mirrors
- * `DEFAULT_REASONING_MODEL` in `simocracy-v2/lib/openrouter.ts` —
- * keep in sync. Override via `DEFAULT_REASONING_MODEL` env var.
- */
-export const TRAINING_REASONING_MODEL =
-  process.env.DEFAULT_REASONING_MODEL ?? "~google/gemini-pro-latest";
-
 export interface ChatMessage {
   role: "system" | "user" | "assistant";
   content: string;

package/src/png-to-ansi.ts

@@ -235,6 +235,85 @@ export function downscaleRgbaNearest(
   return { data: out, width: newW, height: newH };
 }
 
+/**
+ * Box-average downscale an RGBA buffer to arbitrary target dimensions.
+ *
+ * Uses straight area-weighted averaging on premultiplied alpha so partly
+ * transparent edge pixels don't bleed black into the result. Designed for
+ * non-pixel-art inputs (codex pet idle thumbnails, codex pet sheet cells)
+ * where we want a smaller display size at non-integer ratios.
+ *
+ * If the target equals the source size, returns the input untouched.
+ */
+export function boxDownscaleRgba(
+  data: Buffer,
+  width: number,
+  height: number,
+  targetW: number,
+  targetH: number,
+): { data: Buffer; width: number; height: number } {
+  if (targetW < 1 || targetH < 1) {
+    throw new Error(`boxDownscaleRgba target must be ≥1×1, got ${targetW}×${targetH}`);
+  }
+  if (targetW === width && targetH === height) {
+    return { data, width, height };
+  }
+  const out = Buffer.alloc(targetW * targetH * 4);
+  // For each output pixel, average the source rectangle that maps to it.
+  // Edge cells are clamped to the source extent.
+  for (let oy = 0; oy < targetH; oy++) {
+    const sy0 = (oy * height) / targetH;
+    const sy1 = ((oy + 1) * height) / targetH;
+    const y0 = Math.floor(sy0);
+    const y1 = Math.min(height, Math.ceil(sy1));
+    for (let ox = 0; ox < targetW; ox++) {
+      const sx0 = (ox * width) / targetW;
+      const sx1 = ((ox + 1) * width) / targetW;
+      const x0 = Math.floor(sx0);
+      const x1 = Math.min(width, Math.ceil(sx1));
+
+      // Premultiplied accumulation so transparent pixels don't smear
+      // black RGB values into mostly-opaque neighbours.
+      let rSum = 0,
+        gSum = 0,
+        bSum = 0,
+        aSum = 0,
+        wSum = 0;
+      for (let y = y0; y < y1; y++) {
+        // Vertical coverage of this source row inside the output cell.
+        const wy = Math.min(y + 1, sy1) - Math.max(y, sy0);
+        if (wy <= 0) continue;
+        for (let x = x0; x < x1; x++) {
+          const wx = Math.min(x + 1, sx1) - Math.max(x, sx0);
+          if (wx <= 0) continue;
+          const w = wx * wy;
+          const i = (y * width + x) * 4;
+          const a = data[i + 3];
+          const aw = a * w;
+          rSum += data[i] * aw;
+          gSum += data[i + 1] * aw;
+          bSum += data[i + 2] * aw;
+          aSum += aw;
+          wSum += w;
+        }
+      }
+      const di = (oy * targetW + ox) * 4;
+      if (aSum > 0) {
+        out[di] = Math.min(255, Math.round(rSum / aSum));
+        out[di + 1] = Math.min(255, Math.round(gSum / aSum));
+        out[di + 2] = Math.min(255, Math.round(bSum / aSum));
+        out[di + 3] = Math.min(255, Math.round(aSum / wSum));
+      } else {
+        out[di] = 0;
+        out[di + 1] = 0;
+        out[di + 2] = 0;
+        out[di + 3] = 0;
+      }
+    }
+  }
+  return { data: out, width: targetW, height: targetH };
+}
+
 /**
  * Detect the integer upscale factor of a pixel-art image by scanning
  * for the largest factor F where every F×F block has uniform colour.

package/src/simocracy.ts

@@ -10,7 +10,6 @@ const DEFAULT_INDEXER_URL = "https://simocracy-indexer-production.up.railway.app
 const COLLECTION_SIM = "org.simocracy.sim";
 const COLLECTION_AGENTS = "org.simocracy.agents";
 const COLLECTION_STYLE = "org.simocracy.style";
-const COLLECTION_INTERVIEW_TEMPLATE = "org.simocracy.interviewTemplate";
 
 export interface SpriteSettings {
   selectedOptions: Record<string, string>;
@@ -25,13 +24,33 @@ export interface BlobRef {
   size: number;
 }
 
+/** Which sprite system a sim uses. Absent = legacy 'pipoya'. */
+export type SpriteKind = "pipoya" | "codexPet";
+
+/** Subset of pet.json from the OpenAI hatch-pet skill output. */
+export interface CodexPetManifest {
+  id?: string;
+  displayName?: string;
+  description?: string;
+}
+
 export interface SimRecord {
   $type: "org.simocracy.sim";
   name: string;
-  settings: SpriteSettings;
+  /** Discriminator for sprite system. Absent = 'pipoya'. */
+  spriteKind?: SpriteKind;
+  /** Pipoya appearance settings (only used when spriteKind = 'pipoya'). */
+  settings?: SpriteSettings;
+  /** Rendered avatar PNG/JPEG/WebP thumbnail (always present for codex pets, generated client-side as a 128×128 PNG). */
   image?: BlobRef;
+  /** Pipoya 4×4 walk sheet (128×128 PNG). Only present when spriteKind = 'pipoya'. */
   sprite?: BlobRef;
+  /** Codex pet 8×9 atlas (1536×1872, 192×208 cells, PNG or WebP). Only present when spriteKind = 'codexPet'. */
+  petSheet?: BlobRef;
+  /** Subset of pet.json from the hatch-pet skill output. Only present when spriteKind = 'codexPet'. */
+  petManifest?: CodexPetManifest;
   createdAt: string;
+  updatedAt?: string;
 }
 
 export interface AgentsRecord {
@@ -307,94 +326,9 @@ export async function fetchStyleForSim(simUri: string): Promise<StyleRecord | nu
   }
 }
 
-// ---------------------------------------------------------------------------
-// Interview templates (org.simocracy.interviewTemplate)
-// ---------------------------------------------------------------------------
-
-export interface InterviewQuestionRecord {
-  id: string;
-  type: "open" | "text" | "yesNo";
-  prompt: string;
-  required?: boolean;
-}
-
-export interface InterviewTemplateValue {
-  $type: "org.simocracy.interviewTemplate";
-  name: string;
-  description?: string;
-  questions: InterviewQuestionRecord[];
-  createdAt: string;
-}
-
-export interface LoadedInterviewTemplate {
-  uri: string;
-  cid: string;
-  did: string;
-  rkey: string;
-  template: InterviewTemplateValue;
-}
-
-/**
- * List interview templates from the Simocracy indexer. Mirrors
- * `fetchInterviewTemplates` in simocracy-v2's `lib/indexer.ts` (sans
- * the PDS fallback against the facilitator — pi-simocracy doesn't
- * know the facilitator DID, and an empty list is a soft failure
- * handled by the caller via the built-in fallback template).
- */
-export async function searchInterviewTemplates(
-  limit = 100,
-  opts: { indexerUrl?: string } = {},
-): Promise<LoadedInterviewTemplate[]> {
-  const indexerUrl = opts.indexerUrl ?? DEFAULT_INDEXER_URL;
-  const results: LoadedInterviewTemplate[] = [];
-  let cursor: string | null = null;
-  for (let page = 0; page < 10 && results.length < limit; page++) {
-    const { nodes, hasNextPage, endCursor } = await fetchRecords(
-      COLLECTION_INTERVIEW_TEMPLATE,
-      Math.min(100, limit - results.length),
-      cursor,
-      indexerUrl,
-    );
-    for (const node of nodes) {
-      const value = node.value as unknown as InterviewTemplateValue;
-      if (!value?.name || !Array.isArray(value.questions)) continue;
-      results.push({
-        uri: node.uri,
-        cid: node.cid,
-        did: node.did,
-        rkey: node.rkey,
-        template: value,
-      });
-    }
-    if (!hasNextPage || !endCursor) break;
-    cursor = endCursor;
-  }
-  return results;
-}
-
-/**
- * Fetch a single interview template directly from the owner's PDS by
- * AT-URI. Returns null on any failure — callers fall through to the
- * built-in template.
- */
-export async function fetchInterviewTemplateByUri(
-  templateUri: string,
-): Promise<LoadedInterviewTemplate | null> {
-  try {
-    const { did, collection, rkey } = parseAtUri(templateUri);
-    if (collection !== COLLECTION_INTERVIEW_TEMPLATE) return null;
-    const value = await getRecordFromPds<InterviewTemplateValue>(did, collection, rkey);
-    return {
-      uri: templateUri,
-      cid: "",
-      did,
-      rkey,
-      template: value,
-    };
-  } catch {
-    return null;
-  }
-}
+// (Interview-template fetchers were removed alongside the Training Lab /
+// Interview Modal pipelines. The only remaining persona-edit path is the
+// `simocracy_update_sim` LLM tool, which doesn't consume templates.)
 
 /** Resolve handle of a DID via Bluesky AppView (best-effort). */
 export async function resolveHandle(did: string): Promise<string | null> {

package/src/webp-to-rgba.ts

@@ -0,0 +1,70 @@
+/**
+ * WebP → RGBA decoder for Node.
+ *
+ * `pngjs` covers the PNG side of pi-simocracy, but the OpenAI hatch-pet
+ * skill (and therefore most `org.simocracy.sim` records with
+ * `spriteKind = "codexPet"`) ships its 1536×1872 atlas as WebP. We need
+ * a WebP decoder to render the idle frame.
+ *
+ * @jsquash/webp's `decode()` is browser-shaped: in Node its wasm glue
+ * tries to `fetch()` its own `.wasm` URL, which Undici rejects for
+ * `file://`. Workaround: read the wasm bytes from disk via
+ * `createRequire().resolve()`, compile to a `WebAssembly.Module`, and
+ * feed it to the package's documented `init()` escape hatch. Fully ESM,
+ * no native bindings.
+ *
+ * The wasm module is initialised lazily on the first `decodeWebp()`
+ * call so loading pi-simocracy stays cheap when no one ever loads a
+ * codex pet sim. Subsequent calls reuse the same module.
+ */
+
+import { createRequire } from "node:module";
+import { readFile } from "node:fs/promises";
+import decode, { init as initWebpDecode } from "@jsquash/webp/decode.js";
+
+let wasmInitPromise: Promise<void> | null = null;
+
+async function ensureWasmInit(): Promise<void> {
+  if (wasmInitPromise) return wasmInitPromise;
+  wasmInitPromise = (async () => {
+    const require = createRequire(import.meta.url);
+    // @jsquash/webp ships the decoder wasm next to its JS glue; the
+    // package only re-exports JS files, so we have to resolve the wasm
+    // path manually. Resolving against the JS entry guarantees we hit
+    // the same install of the package the bundler/linker picked.
+    const decodeJs = require.resolve("@jsquash/webp/decode.js");
+    const wasmPath = decodeJs.replace(/decode\.js$/, "codec/dec/webp_dec.wasm");
+    const bytes = await readFile(wasmPath);
+    const mod = await WebAssembly.compile(bytes);
+    await initWebpDecode(mod);
+  })().catch((err) => {
+    // Reset so the next caller can retry; otherwise a transient FS
+    // error would permanently break codex-pet rendering for the session.
+    wasmInitPromise = null;
+    throw new Error(`Failed to init @jsquash/webp wasm: ${(err as Error).message}`);
+  });
+  return wasmInitPromise;
+}
+
+/**
+ * Decode a WebP buffer into the same flat-RGBA shape `decodePng()`
+ * returns, so call sites can treat the two interchangeably.
+ *
+ * Allocates a fresh `Buffer` rather than aliasing `Uint8ClampedArray`
+ * so downstream `Buffer`-only helpers (`pixelAt`, `cropRgba`,
+ * `boxDownscaleRgba`) keep working without coercion.
+ */
+export async function decodeWebp(
+  buf: Buffer,
+): Promise<{ width: number; height: number; data: Buffer }> {
+  await ensureWasmInit();
+  // jSquash wants an ArrayBuffer view of just the relevant bytes —
+  // passing the whole underlying buffer mis-decodes if `buf` is a slice.
+  const ab = buf.buffer.slice(buf.byteOffset, buf.byteOffset + buf.byteLength);
+  const img = await decode(ab as ArrayBuffer);
+  return {
+    width: img.width,
+    height: img.height,
+    data: Buffer.from(img.data.buffer, img.data.byteOffset, img.data.byteLength),
+  };
+}

package/src/writes.ts

@@ -1,10 +1,17 @@
 /**
  * PDS writes via the authenticated OAuth session.
  *
- * Three record types are written here:
- *   - org.simocracy.interview  (one per Apply, append-only)
- *   - org.simocracy.agents     (1:1 with sim — create or update)
- *   - org.simocracy.style      (1:1 with sim — create or update)
+ * Two record types are written here, both 1:1 with a sim and either
+ * created (first time) or put-overwritten (subsequent edits):
+ *   - org.simocracy.agents  — short description + constitution body
+ *   - org.simocracy.style   — speaking style description
+ *
+ * The questionnaire-driven `org.simocracy.interview` write path was
+ * removed when the structured Training Lab + Interview flows were
+ * dropped from this extension; constitution edits are now made
+ * directly via `simocracy_update_sim` (an LLM-callable tool the
+ * coding agent invokes after chatting with the user about how to
+ * refine the loaded sim).
  *
  * `getAuthenticatedAgent()` restores the session via the OAuth
  * client's session store and returns an `Agent` from `@atproto/api`,
@@ -15,7 +22,8 @@
 import { Agent } from "@atproto/api";
 
 import { getOAuthClient } from "./auth/oauth.ts";
-import { readAuth } from "./auth/storage.ts";
+import { readAuth, type AuthRecord } from "./auth/storage.ts";
+import { resolveHandle } from "./simocracy.ts";
 
 export class NotSignedInError extends Error {
   constructor(message = "Not signed into ATProto. Run `/sim login <handle>` first (e.g. `/sim login alice.bsky.social`). This is separate from pi's built-in `/login` (Anthropic).") {
@@ -24,6 +32,78 @@ export class NotSignedInError extends Error {
   }
 }
 
+/**
+ * Thrown when the signed-in DID does not own the sim that's about to
+ * be written to. The `simocracy.org` webapp owns the public lexicon
+ * surface, but per-sim records (`org.simocracy.agents`,
+ * `org.simocracy.style`) live in the *owner's* PDS — there's no
+ * shared repo. Without this guard a signed-in user could only ever
+ * write to their own repo anyway (the PDS rejects writes to other
+ * DIDs), but the failure would surface as a confusing XRPC 401 from
+ * the PDS at the moment of the call. This class lets the
+ * `simocracy_update_sim` tool fail fast with a human-readable
+ * message *before* it touches the network.
+ */
+export class NotSimOwnerError extends Error {
+  readonly ownerDid: string;
+  readonly ownerHandle: string | null;
+  readonly signedInDid: string;
+  readonly signedInHandle: string | null;
+  constructor(opts: {
+    ownerDid: string;
+    ownerHandle: string | null;
+    signedInDid: string;
+    signedInHandle: string | null;
+    action?: string;
+  }) {
+    const ownerLabel = opts.ownerHandle ? `@${opts.ownerHandle}` : opts.ownerDid;
+    const meLabel = opts.signedInHandle ? `@${opts.signedInHandle}` : opts.signedInDid;
+    const action = opts.action ?? "write to";
+    super(
+      `You can only ${action} sims you own. Loaded sim is owned by ${ownerLabel} — your signed-in DID is ${meLabel}.`,
+    );
+    this.name = "NotSimOwnerError";
+    this.ownerDid = opts.ownerDid;
+    this.ownerHandle = opts.ownerHandle;
+    this.signedInDid = opts.signedInDid;
+    this.signedInHandle = opts.signedInHandle;
+  }
+}
+
+/**
+ * Precondition for the write path: must be signed in *and* the
+ * signed-in DID must match the loaded sim's owner DID. Resolves the
+ * sim owner's handle on a best-effort basis so the error message is
+ * legible. Throws `NotSignedInError` or `NotSimOwnerError` — never
+ * returns falsy. Called by `simocracy_update_sim` (the tool entry
+ * point) before any XRPC traffic, and again at each call site in
+ * this module as defense-in-depth via `assertRepoOwnsSimUri`.
+ */
+export async function assertCanWriteToSim(loadedSim: {
+  did: string;
+  handle: string | null;
+}, opts: { action?: string } = {}): Promise<AuthRecord> {
+  const auth = readAuth();
+  if (!auth) {
+    const action = opts.action ?? "write to a sim";
+    throw new NotSignedInError(
+      `Not signed into ATProto — can't ${action}. Run \`/sim login <handle>\` first (e.g. \`/sim login alice.bsky.social\`). This is separate from pi's built-in \`/login\` (Anthropic).`,
+    );
+  }
+  if (auth.did !== loadedSim.did) {
+    const ownerHandle =
+      loadedSim.handle ?? (await resolveHandle(loadedSim.did).catch(() => null));
+    throw new NotSimOwnerError({
+      ownerDid: loadedSim.did,
+      ownerHandle,
+      signedInDid: auth.did,
+      signedInHandle: auth.handle,
+      action: opts.action,
+    });
+  }
+  return auth;
+}
+
 export async function getAuthenticatedAgent(): Promise<{ agent: Agent; did: string }> {
   const auth = readAuth();
   if (!auth) throw new NotSignedInError();
@@ -45,60 +125,40 @@ export async function getAuthenticatedAgent(): Promise<{ agent: Agent; did: stri
   return { agent, did: auth.did };
 }
 
-const COLLECTION_INTERVIEW = "org.simocracy.interview";
 const COLLECTION_AGENTS = "org.simocracy.agents";
 const COLLECTION_STYLE = "org.simocracy.style";
 
-interface OpenAnswer {
-  questionId?: string;
-  question: string;
-  answer: string;
-}
-interface YesNoAnswer {
-  questionId?: string;
-  statement: string;
-  answer: boolean;
-}
-
 /**
- * POST `org.simocracy.interview`. Mirrors `interview-modal.tsx`'s
- * save payload — with optional template StrongRef.
+ * Defense-in-depth: every write helper below verifies the target
+ * `repo` (which we always set to the signed-in DID) matches the
+ * sim's owner DID parsed out of the AT-URI. This prevents a future
+ * caller from accidentally passing the wrong `did` and writing
+ * orphaned per-sim records into the user's own repo that point at a
+ * sim they don't own. Throws `NotSimOwnerError` synchronously — the
+ * tool entry-point already checks up-front via
+ * `assertCanWriteToSim`, this is the belt-and-braces version that
+ * runs at the actual XRPC call site.
  */
-export async function createInterview(opts: {
-  agent: Agent;
-  did: string;
-  simUri: string;
-  simCid: string;
-  openAnswers: OpenAnswer[];
-  yesNoAnswers: YesNoAnswer[];
-  templateUri?: string;
-  templateCid?: string;
-}): Promise<{ uri: string; cid: string }> {
-  const record: Record<string, unknown> = {
-    $type: COLLECTION_INTERVIEW,
-    sim: { uri: opts.simUri, cid: opts.simCid },
-    openAnswers: opts.openAnswers.map((a) => ({
-      questionId: a.questionId,
-      question: a.question,
-      answer: a.answer,
-    })),
-    yesNoAnswers: opts.yesNoAnswers.map((a) => ({
-      questionId: a.questionId,
-      statement: a.statement,
-      answer: a.answer,
-    })),
-    createdAt: new Date().toISOString(),
-  };
-  if (opts.templateUri && opts.templateCid) {
-    record.template = { uri: opts.templateUri, cid: opts.templateCid };
+function assertRepoOwnsSimUri(did: string, simUri: string): void {
+  // simUri is at://<owner-did>/org.simocracy.sim/<rkey>; if the
+  // string didn't come from parseAtUri we still fall back to a string
+  // prefix check so this stays a pure precondition without re-fetching.
+  const owner = simUri.startsWith("at://")
+    ? simUri.slice("at://".length).split("/")[0]
+    : "";
+  if (!owner) {
+    throw new Error(
+      `Refusing to write: sim AT-URI "${simUri}" is not in at://<did>/<collection>/<rkey> form.`,
+    );
+  }
+  if (owner !== did) {
+    throw new NotSimOwnerError({
+      ownerDid: owner,
+      ownerHandle: null,
+      signedInDid: did,
+      signedInHandle: null,
+    });
   }
-
-  const res = await opts.agent.com.atproto.repo.createRecord({
-    repo: opts.did,
-    collection: COLLECTION_INTERVIEW,
-    record,
-  });
-  return { uri: res.data.uri, cid: res.data.cid };
 }
 
 /**
@@ -116,6 +176,7 @@ export async function createAgents(opts: {
   shortDescription: string;
   description: string;
 }): Promise<{ uri: string; cid: string; rkey: string }> {
+  assertRepoOwnsSimUri(opts.did, opts.simUri);
   const record = {
     $type: COLLECTION_AGENTS,
     sim: { uri: opts.simUri, cid: opts.simCid },
@@ -148,6 +209,7 @@ export async function updateAgents(opts: {
   shortDescription: string;
   description: string;
 }): Promise<{ uri: string; cid: string }> {
+  assertRepoOwnsSimUri(opts.did, opts.simUri);
   const record = {
     $type: COLLECTION_AGENTS,
     sim: { uri: opts.simUri, cid: opts.simCid },
@@ -171,6 +233,7 @@ export async function createStyle(opts: {
   simCid: string;
   description: string;
 }): Promise<{ uri: string; cid: string; rkey: string }> {
+  assertRepoOwnsSimUri(opts.did, opts.simUri);
   const record = {
     $type: COLLECTION_STYLE,
     sim: { uri: opts.simUri, cid: opts.simCid },
@@ -197,6 +260,7 @@ export async function updateStyle(opts: {
   simCid: string;
   description: string;
 }): Promise<{ uri: string; cid: string }> {
+  assertRepoOwnsSimUri(opts.did, opts.simUri);
   const record = {
     $type: COLLECTION_STYLE,
     sim: { uri: opts.simUri, cid: opts.simCid },