DhanHQ 2.6.1 → 2.6.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7b6e949dc3b147daabce77b5d808d5dcdeb4953e9751322eb8cd671d70201c57
-  data.tar.gz: 12327daca50d50836d724f4eeb5cf664abee766767c7bdec31f51b07b78ddc00
+  metadata.gz: ef2616285615327c5e0ad08a85440d91617ea66818add0a55e4cd6c5e65512aa
+  data.tar.gz: 4232cfcd4c9626683e3bf993f75aa0a8add2f8c83702435c66edb2c58a3e252e
 SHA512:
-  metadata.gz: 0ba1d351594f83a0824961dff0e8cfb28ce9b6fd6e65daa9124bf0ceab651c49aaefd00674cdbfdd78a48f9e7c2032395b4981b0b613bfccbee49b7c46ba319d
-  data.tar.gz: 2e5ca5a81905c9e4fa861296f247eaa2411bf548f84cd94e348c51a079b406280ae9247838c013173552e6564c625ded0fd4504284d097b27892b55ecb9380ca
+  metadata.gz: c0ba9cd2119899ed6c9eaefe27601b142e75abbc541538f241058712b82bccdc5fab6af888489c5ac01423c1bfb387e42cdfcee22487bbafce6d32c7ce6f54b2
+  data.tar.gz: 4107fc9f9a5ced70692469c21a88f2ed6979739af7e3ef5444d1506e5ba574ba4124f2f7f264747a147157164610606ff22408dcd3612649cb19b9f1e558ca8a

data/.rubocop.yml

@@ -28,9 +28,21 @@ RSpec/ExampleLength:
 RSpec/MultipleMemoizedHelpers:
   Max: 10
 
+Lint/ScriptPermission:
+  Exclude:
+    - "bin/**/*"
+
+Metrics/AbcSize:
+  Exclude:
+    - "bin/call_all_endpoints.rb"
+
+Layout/LineLength:
+  Exclude:
+    - "bin/call_all_endpoints.rb"
+
 DhanHQ/UseConstants:
   Enabled: true
   Exclude:
-    - 'lib/DhanHQ/constants.rb'
-    - 'lib/DhanHQ/ws/segments.rb'
-    - 'spec/**/*'
+    - "lib/DhanHQ/constants.rb"
+    - "lib/DhanHQ/ws/segments.rb"
+    - "spec/**/*"

data/ARCHITECTURE.md

@@ -0,0 +1,113 @@
+# dhanhq-client Architecture
+
+This document describes the architecture of the DhanHQ v2 API client gem: layers, dependencies, and design patterns in use.
+
+## Guiding principles
+
+- **Dependency rule**: High-level policy (models, domain) does not depend on low-level details (HTTP, JSON). Infrastructure (Client, BaseAPI) depends on configuration and helpers; models depend on resources (abstractions) and contracts.
+- **Single responsibility**: Each layer has one reason to change. Models own domain behavior; resources own HTTP; contracts own validation rules.
+- **Open/closed**: New endpoints are added by adding new Model + Resource + Contract pairs without modifying BaseAPI or BaseModel core.
+- **Don’t force patterns**: Patterns (Strategy, Factory Method, Facade) emerged from refactoring; we avoid speculative abstraction.
+
+---
+
+## Layer overview
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│  Entry & configuration (lib/dhan_hq.rb, Configuration)          │
+├─────────────────────────────────────────────────────────────────┤
+│  Domain / facade layer (Models)                                 │
+│  Order, Position, MarketFeed, OptionChain, ExpiredOptionsData…  │
+│  → validate via Contracts, delegate HTTP to Resources           │
+├─────────────────────────────────────────────────────────────────┤
+│  REST / HTTP layer (Resources, BaseAPI, BaseResource)           │
+│  → build path, format params, call Client                       │
+├─────────────────────────────────────────────────────────────────┤
+│  Transport layer (Client, RateLimiter, RequestHelper,           │
+│  ResponseHelper)                                                │
+│  → Faraday, headers, retries, error mapping                     │
+├─────────────────────────────────────────────────────────────────┤
+│  Validation (Contracts)                                         │
+│  → Dry::Validation, shared macros in BaseContract               │
+├─────────────────────────────────────────────────────────────────┤
+│  WebSocket (WS::*) — separate subsystem                         │
+└─────────────────────────────────────────────────────────────────┘
+```
+
+---
+
+## Directory structure and roles
+
+| Path | Role | Responsibility |
+|------|------|----------------|
+| `lib/dhan_hq.rb` | Entry point | Zeitwerk setup, eager load of core/helpers/errors, `DhanHQ.configure` |
+| `core/` | Base abstractions | BaseAPI (HTTP verbs, path building, param formatting), BaseModel (attributes, resource, validation, CRUD helpers), BaseResource (CRUD on BaseAPI), AuthAPI, ErrorHandler |
+| `helpers/` | Cross-cutting | APIHelper, AttributeHelper (keys, normalization), ValidationHelper (validate_params!, validate!), RequestHelper (headers, payload, build_from_response), ResponseHelper (parse_json, handle_response, error mapping) |
+| `models/` | Domain / facade | Typed wrappers (Order, Position, Holding, etc.). Define `resource`, optional `validation_contract`, and domain methods. Validate then delegate to resource. |
+| `resources/` | REST wrappers | One class per API surface (Orders, Positions, MarketFeed, OptionChain, …). Set `HTTP_PATH`, `API_TYPE`; implement get/post/put/delete via BaseAPI. |
+| `contracts/` | Request/response validation | Dry::Validation contracts (PlaceOrderContract, ModifyOrderContract, OptionChainContract, etc.). BaseContract provides shared macros (e.g. lot_size, tick_size). |
+| `auth/` | Token lifecycle | Token generator/renewal/manager for dynamic tokens. |
+| `ws/` | WebSocket | Connection, packets, decoder, market depth, orders client — isolated from REST. |
+
+---
+
+## Dependency flow
+
+- **Configuration** is global (`DhanHQ.configuration`). Client and helpers read it (access_token, client_id, base_url).
+- **Models** depend on:
+  - **Resources** (Factory Method: `resource` returns the right BaseAPI subclass)
+  - **Contracts** (for validate_params!)
+  - **Helpers** (via BaseModel: ValidationHelper, RequestHelper, ResponseHelper, AttributeHelper, APIHelper)
+- **Resources** depend on:
+  - **Client** (injected via BaseAPI: `DhanHQ::Client.new(api_type)`)
+  - **Helpers** (BaseAPI includes APIHelper, AttributeHelper; Client uses RequestHelper, ResponseHelper)
+- **Client** depends on Configuration, RateLimiter, and helpers. No dependency on Models or Resources.
+- **Contracts** depend on Constants (and optional instrument_meta). No dependency on Models or HTTP.
+
+So: **Models → Resources → Client**; **Contracts** are used by Models (and optionally Resources); **Helpers** are used by Client, BaseAPI, and BaseModel.
+
+---
+
+## Design patterns in use
+
+| Pattern | Where | Purpose |
+|--------|--------|--------|
+| **Facade** | Models (e.g. `Order.place`, `MarketFeed.ltp`) | Single entry point for “place order” or “get LTP”; hide validation, normalization, and resource call. |
+| **Factory Method** | BaseModel `resource` | Subclasses override `resource` to return the correct REST wrapper (e.g. Orders, OptionChain) without callers knowing the class. |
+| **Strategy** | BaseAPI `param_formatter_for(full_path)` | Choose how to format params by path: pass-through (marketfeed), titleize (optionchain), default camelize. Encapsulated in lambdas. |
+| **Template Method** | BaseModel `save` | `save` calls `new_record? ? create : update`; subclasses override `create`/`update` or collection methods. |
+| **Adapter** | RequestHelper / ResponseHelper | Adapt external API (headers, JSON, status codes) to internal hashes and error classes. |
+| **Singleton (per API type)** | RateLimiter.for(api_type) | One rate limiter per API type so all clients share limits. |
+
+---
+
+## Error handling
+
+- **Validation failures**: Raised as `DhanHQ::ValidationError` with a message that includes contract errors (e.g. `"Invalid parameters: #{result.errors.to_h}"`). Used by ValidationHelper, ExpiredOptionsData, Trade, and any code that validates via contracts.
+- **HTTP / API errors**: Mapped in ResponseHelper (e.g. 401 → InvalidAuthenticationError, 807 → TokenExpiredError) and raised as appropriate `DhanHQ::*` subclasses.
+- **Client** retries on auth failures (once, with token refresh) and on transient/network errors (with backoff).
+
+---
+
+## Configuration
+
+- Credentials and URLs live in `DhanHQ::Configuration` (access_token, client_id, base_url, sandbox, optional access_token_provider).
+- `DhanHQ.configure { }`, `configure_with_env`, and `configure_from_token_endpoint` set configuration. Never hardcode credentials; use env vars or token endpoint.
+
+---
+
+## WebSocket (WS)
+
+- Separate subsystem under `DhanHQ::WS`: own connection, packet types, decoder, market depth, orders client.
+- Shares configuration (e.g. access token) but not the REST Client or Resources. Documented in code and specs; not expanded here.
+
+---
+
+## Adding a new API surface
+
+1. **Contract** (optional): Add a Dry::Validation contract under `contracts/` if the endpoint has structured input.
+2. **Resource**: Add a class under `resources/` inheriting BaseAPI (or BaseResource). Set `HTTP_PATH`, `API_TYPE`; implement methods that call `get`/`post`/`put`/`delete`.
+3. **Model**: Add a class under `models/` inheriting BaseModel. Override `resource` to return the new resource; override `validation_contract` if needed; implement class/instance methods that call `validate_params!` then `resource.*`.
+
+This keeps the dependency rule and keeps each layer focused on one concern.

data/CHANGELOG.md

@@ -1,3 +1,42 @@
+## [2.6.3] - 2026-03-14
+
+### Added
+
+- **Constants::Urls**: All canonical Dhan API/auth/WebSocket URLs in one place (`REST_API_BASE`, `SANDBOX_API_BASE`, `AUTH_BASE`, `WS_MARKET_FEED`, `WS_ORDER_UPDATE`, `WS_DEPTH_20`, `WS_DEPTH_200`, `INSTRUMENT_CSV_*`, `DOCS`, `ORIGIN`). Configuration, Auth, and WS defaults now use these constants.
+- **Order modification limit enforcement**: `Order#modify` enforces Dhan’s 25-modifications-per-order cap per instance; the 26th modify raises `DhanHQ::ModificationLimitError` and does not call the API. Count is in-process only (fresh `find` resets it).
+- **DhanHQ::ModificationLimitError**: New error class for the 25-per-order limit (rescuable).
+- **API error payload on exceptions**: Raised API errors now expose the full response body as `error.response_body` (e.g. `errorCode`, `errorMessage`, and any future keys like `errors` or `details`). Useful for logging and debugging.
+- **DH-905 message hint**: For `InputExceptionError` (DH-905), the exception message now includes a note that the Dhan API does not return which field failed, and to check required params and value types for the endpoint.
+- **Kill switch status validation**: `Resources::KillSwitch#update(status)` and `Models::KillSwitch.update(status)` now validate that `status` is `ACTIVATE` or `DEACTIVATE` (case-insensitive); invalid values raise `DhanHQ::ValidationError` before the request.
+- **Super order cancel leg validation**: `Resources::SuperOrders#cancel(order_id, leg_name)` validates `leg_name` against the API path enum (`ENTRY_LEG`, `STOP_LOSS_LEG`, `TARGET_LEG`); invalid values raise `DhanHQ::ValidationError`.
+
+### Changed
+
+- **SliceOrderContract**: Aligned with Dhan v2 orders doc — `amoTime` now allows `PRE_OPEN`; validity restricted to `DAY`/`IOC`; product type restricted to `CNC`/`INTRADAY`/`MARGIN`/`MTF`; `correlationId` max length 30 (was 25).
+- **Order#modify** YARD: Documented modification limit and `ModificationLimitError`.
+- **Error#initialize**: `DhanHQ::Error` now accepts an optional `response_body:` keyword argument so API-raised errors can carry the parsed response. Subclasses unchanged; `raise ErrorClass, "msg"` still works.
+- **ResponseHelper**: When the API returns extra keys (`errors`, `details`, `validationErrors`), they are appended to the exception message. DH-905 errors include the endpoint hint above.
+- **Margin contracts**: `MarginCalculatorContract` and `MultiScripMarginCalcRequestContract` accept optional `orderType` (per OpenAPI; some accounts require it). `Margin` model and `bin/test_all` margin payloads send `order_type: LIMIT` when `DHAN_TEST_MARGIN=true`.
+- **bin/test_all**: Fixed `ArgumentError: wrong number of arguments (given 1, expected 0)` by invoking endpoint lambdas with no arguments inside `Timeout.timeout` (the timeout block receives the duration). Refactored `endpoint_list` for RuboCop Metrics/AbcSize; optional read endpoints (forever order by id, PnL exit, margin) are skipped unless `DHAN_TEST_FOREVER_ORDER_ID`, `DHAN_TEST_PNL_EXIT=true`, or `DHAN_TEST_MARGIN=true` are set.
+
+### Fixed
+
+- **bin/test_all**: All 30 read endpoints now run successfully by default (26 called, 4 optional); margin/PnL/forever-by-id no longer fail when fixtures are missing.
+
+### Removed
+
+- **docs/DHAN_V2_GAPS.md**: Removed; path/behavior alignment remains in `docs/API_VERIFICATION.md`.
+
+---
+
+## [2.6.2] - 2026-03-07
+
+### Changed
+
+- **Release from main** after merging add-sandbox-support. Includes sandbox REST base URL, `ensure_configuration!`, payload non-mutation, Rakefile/VCR fixes, and docs. Full feature list is under [2.6.0](#260---2026-03-06); 2.6.0 and 2.6.1 are already on RubyGems.
+
+---
+
 ## [2.6.1] - 2026-03-07
 
 ### Changed
@@ -8,6 +47,22 @@
 
 ## [2.6.0] - 2026-03-06
 
+### Sandbox & configuration
+
+- **Sandbox environment**: `DhanHQ.configuration.sandbox` (or `ENV["DHAN_SANDBOX"]=true`) switches REST base URL to `https://sandbox.dhan.co/v2`. Only `GET /v2/profile` and `GET /v2/fundlimit` are verified on sandbox; other REST endpoints are unverified. See `docs/ENDPOINTS_AND_SANDBOX.md`.
+- **WebSocket**: Sandbox does **not** support WebSocket. Order updates, market feed, and market depth always use production URLs regardless of `sandbox`; no sandbox WS URLs are published.
+- **Env-only bootstrap**: `DhanHQ.ensure_configuration!` ensures configuration exists (from ENV when nil). Called automatically in `Client#initialize` so apps using only `DHAN_CLIENT_ID` / `DHAN_ACCESS_TOKEN` work without calling `configure_with_env`.
+
+### Fixed
+
+- **Payload mutation**: `prepare_payload` no longer mutates the caller's hash when injecting `dhanClientId` for DATA APIs; uses a duplicate so frozen or reused hashes are safe.
+- **VCR**: Removed erroneous `/v2/v2/` market feed cassette entries (404 responses).
+- **Rakefile**: Single RuboCop task; removed redundant `rubocop:fix` / `rubocop:fix_all` and deprecated `--auto-correct-all` flag.
+
+### Added
+
+- **docs/ENDPOINTS_AND_SANDBOX.md**: Lists all REST/WebSocket endpoints, sandbox behavior, and endpoints verified vs not supported on sandbox.
+
 ### Fixed (API docs alignment)
 
 - **Kill Switch**: Manage API now uses query parameter per [dhanhq.co/docs/v2/traders-control](https://dhanhq.co/docs/v2/traders-control/). `Resources::KillSwitch#update(status)` sends `POST /v2/killswitch?killSwitchStatus=ACTIVATE` (or `DEACTIVATE`) with no body. `Models::KillSwitch.update("ACTIVATE")` / `.activate` / `.deactivate` unchanged.

data/README.md

@@ -75,6 +75,8 @@ gem install DhanHQ
 
 > **Bleeding edge?** Use `gem 'DhanHQ', git: 'https://github.com/shubhamtaywade82/dhanhq-client.git', branch: 'main'` only if you need unreleased features.
 
+**`bundle update` / `bundle install` warnings** — If you see "Local specification for rexml-3.2.8 has different dependencies" or "Unresolved or ambiguous specs during Gem::Specification.reset: psych", the bundle still completes successfully. To clear the rexml warning once, run: `gem cleanup rexml`. The psych message is a known Bundler quirk and can be ignored.
+
 ### ⚠️ Breaking Change (v2.1.5+)
 
 The require statement changed:

data/Rakefile

@@ -7,6 +7,8 @@ RSpec::Core::RakeTask.new(:spec)
 
 require "rubocop/rake_task"
 
-RuboCop::RakeTask.new
+# Single RuboCop task; the gem also registers rubocop:autocorrect and rubocop:autocorrect_all.
+desc "Run RuboCop"
+RuboCop::RakeTask.new(:rubocop)
 
 task default: %i[spec rubocop]

data/docs/API_VERIFICATION.md

@@ -1,13 +1,12 @@
 # API Verification (Dhan v2)
 
-This document records how the gem’s implementation aligns with the official Dhan API v2 docs.
+Path/behavior alignment with the official Dhan API v2 docs.
 
 **Sources:**
 
 - [dhanhq.co/docs/v2](https://dhanhq.co/docs/v2/) – main docs
 - [dhanhq.co/docs/v2/edis](https://dhanhq.co/docs/v2/edis/) – EDIS
 - [api.dhan.co/v2](https://api.dhan.co/v2/#/) – Developer Kit (when available)
-- In-repo: `CODE_REVIEW_ISSUES.md` (Alert Orders, IP Setup paths)
 
 ---
 
@@ -32,7 +31,7 @@ This document records how the gem’s implementation aligns with the official Dh
 
 | Doc path                  | Gem resource              | Path used        |
 |---------------------------|---------------------------|------------------|
-| `/alerts/orders`          | `Resources::AlertOrders`  | `HTTP_PATH = "/alerts/orders"` |
+| `/alerts/orders`          | `Resources::AlertOrders`  | `HTTP_PATH = "/v2/alerts/orders"` |
 | GET/POST `/alerts/orders` | `#all`, `#create`         | BaseResource     |
 | GET/PUT/DELETE `/alerts/orders/{trigger-id}` | `#find`, `#update`, `#delete` | `/{id}` |
 
@@ -46,16 +45,19 @@ Model: `Models::AlertOrder`. Condition must include `exchange_segment`, `exp_dat
 
 | Doc path        | Gem method     | Path / body |
 |-----------------|----------------|-------------|
-| GET /ip/getIP   | `#current`     | `get("/getIP")` |
-| POST /ip/setIP  | `#set(ip:, ip_flag: "PRIMARY", dhan_client_id: nil)` | `post("/setIP", params: { ip:, ip_flag:, dhan_client_id: })`; `dhan_client_id` defaults from config |
-| PUT /ip/modifyIP| `#update(ip:, ip_flag: "PRIMARY", dhan_client_id: nil)` | `put("/modifyIP", params: { ip:, ip_flag:, dhan_client_id: })` |
+| GET /v2/ip/getIP   | `#current`     | `get("/getIP")` (HTTP_PATH = "/v2/ip") |
+| POST /v2/ip/setIP  | `#set(ip:, ip_flag: "PRIMARY", dhan_client_id: nil)` | `post("/setIP", params: { ip:, ip_flag:, dhan_client_id: })`; `dhan_client_id` defaults from config |
+| PUT /v2/ip/modifyIP| `#update(ip:, ip_flag: "PRIMARY", dhan_client_id: nil)` | `put("/modifyIP", params: { ip:, ip_flag:, dhan_client_id: })` |
 
 ---
 
 ## Trader Control / Kill Switch
 
-- **Kill Switch:** `Resources::KillSwitch`, `Models::KillSwitch` – path `/v2/killswitch`. Manage (activate/deactivate) uses **query parameter** per [traders-control](https://dhanhq.co/docs/v2/traders-control/): `POST /v2/killswitch?killSwitchStatus=ACTIVATE` (or `DEACTIVATE`) with no body. `#status` is GET.
-- **Trader Control:** `Resources::TraderControl` – path `/trader-control`; `#status`, `#enable`, `#disable`. Not found on the public docs; kept for compatibility.
+**Doc:** [dhanhq.co/docs/v2](https://dhanhq.co/docs/v2/) → Trading APIs → Trader's Control.
+
+- **Kill Switch:** `Resources::KillSwitch`, `Models::KillSwitch` – path `/v2/killswitch`. Manage (activate/deactivate) uses **query parameter**: `POST /v2/killswitch?killSwitchStatus=ACTIVATE` (or `DEACTIVATE`) with no body. `#status` is GET.
+- **P&L Exit:** `Models::PnlExit` – path `/v2/pnlExit`. GET status, POST configure, DELETE stop.
+- **TraderControl:** `Resources::TraderControl` – path `/trader-control` is **not** in the Dhan v2 API. The class is kept for backward compatibility but raises `DhanHQ::Error` when any method is called; use KillSwitch and PnlExit instead.
 
 ---
 

data/docs/ENDPOINTS_AND_SANDBOX.md

@@ -0,0 +1,115 @@
+# DhanHQ gem — Endpoints and sandbox support
+
+## Sandbox behavior
+
+- **REST:** When `DhanHQ.configuration.sandbox == true` (or `ENV["DHAN_SANDBOX"]=true`), the client uses `https://sandbox.dhan.co/v2` as the base URL for **all** requests that go through `DhanHQ::Client`. Every wrapped REST endpoint listed below is therefore **sent** to the sandbox host when sandbox is enabled.
+- **Sandbox does NOT support WebSocket.** Order updates, market feed, and market depth are **production-only**. The gem always uses production WebSocket URLs regardless of the `sandbox` setting. There are no sandbox WebSocket endpoints in the Dhan v2 API; do not rely on sandbox for real-time streams.
+- **Auth endpoints** (`DhanHQ::Auth`) do **not** use sandbox. They always call:
+  - `https://auth.dhan.co` — token generation
+  - `https://api.dhan.co/v2` — token renewal  
+  So token generation/renewal always hit production; only data/order REST calls follow the sandbox flag.
+
+---
+
+## Sandbox: verified vs not working / unverified
+
+| Status    | Endpoints |
+|-----------|-----------|
+| **Verified on sandbox** (gem specs) | `GET /v2/profile`, `GET /v2/fundlimit` |
+| **Sandbox connectivity spec** | `spec/dhan_hq/sandbox_connectivity_spec.rb` — uses VCR `record: :new_episodes`. In CI, use committed cassettes or skip without sandbox credentials; locally, run with `VCR_RECORD=new_episodes` and sandbox credentials to record. |
+| **Not supported in sandbox** | All WebSocket endpoints (order updates, market feed, market depth). Use production only. |
+| **Not verified on sandbox** | All other REST endpoints below. They may fail, return differently, or be unavailable in sandbox. Use Dhan documentation or manual testing before relying on them in sandbox. |
+
+**REST endpoints not verified / may not work on sandbox** (only profile and funds are verified):
+
+- `/v2/ledger`, `/v2/trades/{from}/{to}/{page}` (statements)
+- `/v2/orders` (all order CRUD, slicing, external)
+- `/v2/positions`, `/v2/positions/convert`
+- `/v2/holdings`
+- `/v2/trades`, `/v2/trades/{order_id}`
+- `/v2/forever/orders` (all)
+- `/v2/super/orders` (all)
+- `/v2/killswitch`
+- `/trader-control`
+- `/ip/getIP`, `/ip/setIP`, `/ip/modifyIP`
+- `/edis/tpin`, `/edis/form`, `/edis/bulkform`, `/edis/inquire/{isin}`
+- `/alerts/orders`
+- `/v2/pnlExit`
+- `/v2/margincalculator`, `/v2/margincalculator/multi`
+- `/v2/instrument/{segment}`
+- `/v2/marketfeed/ltp`, `/v2/marketfeed/ohlc`, `/v2/marketfeed/quote`
+- `/v2/optionchain`, `/v2/optionchain/expirylist`
+- `/v2/charts/historical`, `/v2/charts/intraday`, `/v2/charts/rollingoption`
+
+---
+
+## REST endpoints integrated in the gem
+
+Paths are as built by the gem (HTTP_PATH + endpoint). Base URL is either `https://api.dhan.co/v2` (production) or `https://sandbox.dhan.co/v2` (sandbox).
+
+| Resource / model           | Path(s)                                      | Methods   | API type        |
+|---------------------------|----------------------------------------------|-----------|-----------------|
+| **Profile**               | `/v2/profile`                               | GET       | non_trading_api |
+| **Funds**                 | `/v2/fundlimit`                              | GET       | non_trading_api |
+| **Statements**            | `/v2/ledger`, `/v2/trades/{from}/{to}/{page}`| GET       | non_trading_api |
+| **Orders**                | `/v2/orders`, `/v2/orders/{id}`, `/v2/orders/external/{correlation_id}`, `/v2/orders/slicing` | GET, POST, PUT, DELETE | order_api |
+| **Positions**             | `/v2/positions`, `/v2/positions/convert`     | GET, POST, DELETE | order_api |
+| **Holdings**              | `/v2/holdings`                               | GET       | order_api       |
+| **Trades**                | `/v2/trades`, `/v2/trades/{order_id}`        | GET       | order_api       |
+| **Forever orders**        | `/v2/forever/orders`, `/v2/forever/orders/{id}` | GET, POST, PUT, DELETE | order_api |
+| **Super orders**          | `/v2/super/orders`, `/v2/super/orders/{id}`, leg delete | GET, POST, PUT, DELETE | order_api |
+| **Kill switch**           | `/v2/killswitch`                             | GET, POST | order_api       |
+| **Trader control**        | `/trader-control`                            | GET, POST | order_api       |
+| **IP setup**              | `/ip/getIP`, `/ip/setIP`, `/ip/modifyIP`     | GET, POST, PUT | order_api |
+| **EDIS**                  | `/edis/tpin`, `/edis/form`, `/edis/bulkform`, `/edis/inquire/{isin}` | GET, POST | order_api |
+| **Alert orders**          | `/alerts/orders`                             | GET, POST, PUT, DELETE | order_api |
+| **PnL exit**              | `/v2/pnlExit`                                | GET, POST, DELETE | order_api |
+| **Margin calculator**     | `/v2/margincalculator`, `/v2/margincalculator/multi` | POST      | order_api       |
+| **Instruments**           | `/v2/instrument/{segment}` (redirect to CSV) | GET       | data_api        |
+| **Market feed**           | `/v2/marketfeed/ltp`, `/v2/marketfeed/ohlc`, `/v2/marketfeed/quote` | POST      | data_api / quote_api |
+| **Option chain**          | `/v2/optionchain`, `/v2/optionchain/expirylist` | POST      | data_api        |
+| **Historical data**       | `/v2/charts/historical`, `/v2/charts/intraday` | POST      | data_api        |
+| **Expired options data**  | `/v2/charts/rollingoption`                   | POST      | data_api        |
+
+---
+
+## Auth (outside main client base URL)
+
+| Purpose           | URL / path                     | Method |
+|-------------------|--------------------------------|--------|
+| Generate token    | `https://auth.dhan.co/app/generateAccessToken` | POST   |
+| Renew token       | `https://api.dhan.co/v2/RenewToken`           | POST   |
+
+These are **not** sandbox-aware; they always use the URLs above.
+
+---
+
+## WebSocket endpoints (production only; sandbox not supported)
+
+| Purpose        | URL |
+|----------------|-----|
+| Order updates  | `wss://api-order-update.dhan.co` |
+| Market feed    | `wss://api-feed.dhan.co` |
+| Market depth   | `wss://depth-api-feed.dhan.co/twentydepth` |
+
+**Sandbox:** Dhan sandbox does **not** provide WebSocket services. These endpoints are production-only. The gem never switches WS URLs based on `sandbox`; you can still override via `DhanHQ.configuration.ws_order_url`, `ws_market_feed_url`, `ws_market_depth_url`, or env vars `DHAN_WS_ORDER_URL`, `DHAN_WS_MARKET_FEED_URL`, `DHAN_WS_MARKET_DEPTH_URL` if you have a different production URL.
+
+---
+
+## Summary
+
+- **REST:** When `sandbox` is true, all REST calls go to `https://sandbox.dhan.co/v2`. Only `GET /v2/profile` and `GET /v2/fundlimit` are verified working on sandbox; other REST endpoints are not verified — see "Sandbox: verified vs not working / unverified" above.
+- **Auth:** Token generation and renewal always use production hosts.
+- **WebSockets:** Sandbox does **not** support WebSocket. Order updates, market feed, and market depth always use production URLs; the gem does not publish or use any sandbox WebSocket URLs.
+
+## Call-all-endpoints script
+
+`bin/call_all_endpoints.rb` invokes every REST endpoint exposed by the gem (read-only by default; use `--all` to include write/destructive calls). Useful for connectivity checks or sandbox verification.
+
+```bash
+bin/call_all_endpoints.rb              # read-only
+bin/call_all_endpoints.rb --list       # print endpoint list
+bin/call_all_endpoints.rb --all        # include POST/PUT/DELETE
+```
+
+Requires `DHAN_CLIENT_ID` and `DHAN_ACCESS_TOKEN`. Optional: `DHAN_SANDBOX=true`, `DHAN_TEST_SECURITY_ID`, `DHAN_TEST_ORDER_ID`, `DHAN_TEST_ISIN`, `DHAN_TEST_EXPIRY`. When not using `--skip-unavailable`, the script creates a temporary alert for GET/PUT/DELETE alert endpoints and deletes it at exit.

data/lib/DhanHQ/auth.rb

@@ -27,8 +27,8 @@ module DhanHQ
   #     client_id: ENV["DHAN_CLIENT_ID"]
   #   )
   module Auth
-    AUTH_BASE_URL = "https://auth.dhan.co"
-    API_BASE_URL  = "https://api.dhan.co/v2"
+    AUTH_BASE_URL = Constants::Urls::AUTH_BASE
+    API_BASE_URL  = Constants::Urls::REST_API_BASE
 
     # Generates an access token using TOTP authentication.
     #

data/lib/DhanHQ/client.rb

@@ -40,29 +40,15 @@ module DhanHQ
     # @return [DhanHQ::Client] A new client instance.
     # @raise [DhanHQ::Error] If configuration is invalid or rate limiter initialization fails
     def initialize(api_type:)
-      # Configure from ENV if DHAN_CLIENT_ID is present (backward compatible behavior)
-      # Validation happens at request time in build_headers, not here
-      DhanHQ.configure_with_env if ENV.fetch("DHAN_CLIENT_ID", nil)
-
+      DhanHQ.ensure_configuration!
       # Use shared rate limiter instance per API type to ensure proper coordination
       @rate_limiter = RateLimiter.for(api_type)
 
       raise DhanHQ::Error, "RateLimiter initialization failed" unless @rate_limiter
 
-      # Get timeout values from configuration or environment, with sensible defaults
-      connect_timeout = ENV.fetch("DHAN_CONNECT_TIMEOUT", 10).to_i
-      read_timeout = ENV.fetch("DHAN_READ_TIMEOUT", 30).to_i
-      write_timeout = ENV.fetch("DHAN_WRITE_TIMEOUT", 30).to_i
-
-      @connection = Faraday.new(url: DhanHQ.configuration.base_url) do |conn|
-        conn.request :json, parser_options: { symbolize_names: true }
-        conn.response :json, content_type: /\bjson$/
-        conn.response :logger if ENV["DHAN_DEBUG"] == "true"
-        conn.options.timeout = read_timeout
-        conn.options.open_timeout = connect_timeout
-        conn.options.write_timeout = write_timeout
-        conn.adapter Faraday.default_adapter
-      end
+      # Store initial URL to detect changes
+      @last_base_url = DhanHQ.configuration.base_url
+      @connection = build_connection(@last_base_url)
     end
 
     # Sends an HTTP request to the API with automatic retry for transient errors.
@@ -75,46 +61,56 @@ module DhanHQ
     # @raise [DhanHQ::Error] If an HTTP error occurs.
     def request(method, path, payload, retries: 3)
       @token_manager&.ensure_valid_token!
-      @rate_limiter.throttle! # **Ensure we don't hit rate limit before calling API**
+      @rate_limiter.throttle!
+      refresh_connection!
+
+      with_auth_retry do
+        with_transient_retry(retries: retries) do
+          response = connection.send(method, path) do |req|
+            req.headers.merge!(build_headers(path))
+            prepare_payload(req, payload, method, path)
+          end
+          handle_response(response)
+        end
+      end
+    end
 
+    def with_auth_retry
+      yield
+    rescue DhanHQ::InvalidAuthenticationError, DhanHQ::InvalidTokenError,
+           DhanHQ::TokenExpiredError, DhanHQ::AuthenticationFailedError => e
+      config = DhanHQ.configuration
+      raise unless config&.access_token_provider
+
+      config.on_token_expired&.call(e)
+      DhanHQ.logger&.warn("[DhanHQ::Client] Auth failure (#{e.class}), retrying once with fresh token")
+      yield
+    end
+
+    def with_transient_retry(retries:)
       attempt = 0
-      auth_retry_done = false
       begin
-        response = connection.send(method) do |req|
-          req.url path
-          req.headers.merge!(build_headers(path))
-          prepare_payload(req, payload, method)
-        end
-
-        handle_response(response)
-      rescue DhanHQ::InvalidAuthenticationError, DhanHQ::InvalidTokenError,
-             DhanHQ::TokenExpiredError, DhanHQ::AuthenticationFailedError => e
-        config = DhanHQ.configuration
-        if !auth_retry_done && config&.access_token_provider
-          auth_retry_done = true
-          config.on_token_expired&.call(e)
-          DhanHQ.logger&.warn("[DhanHQ::Client] Auth failure (#{e.class}), retrying once with fresh token")
-          retry
-        end
-        raise
+        yield
       rescue DhanHQ::RateLimitError, DhanHQ::InternalServerError, DhanHQ::NetworkError => e
         attempt += 1
-        if attempt <= retries
-          backoff_time = calculate_backoff(attempt)
-          DhanHQ.logger&.warn("[DhanHQ::Client] Transient error (#{e.class}), retrying in #{backoff_time}s (attempt #{attempt}/#{retries})")
-          sleep(backoff_time)
-          retry
-        end
-        raise
+        raise if attempt > retries
+
+        backoff = calculate_backoff(attempt)
+        DhanHQ.logger&.warn(
+          "[DhanHQ::Client] Transient error (#{e.class}), retrying in #{backoff}s (attempt #{attempt}/#{retries})"
+        )
+        sleep(backoff)
+        retry
       rescue Faraday::TimeoutError, Faraday::ConnectionFailed => e
         attempt += 1
-        if attempt <= retries
-          backoff_time = calculate_backoff(attempt)
-          DhanHQ.logger&.warn("[DhanHQ::Client] Network error (#{e.class}), retrying in #{backoff_time}s (attempt #{attempt}/#{retries})")
-          sleep(backoff_time)
-          retry
-        end
-        raise DhanHQ::NetworkError, "Request failed after #{retries} retries: #{e.message}"
+        raise DhanHQ::NetworkError, "Request failed after #{retries} retries: #{e.message}" if attempt > retries
+
+        backoff = calculate_backoff(attempt)
+        DhanHQ.logger&.warn(
+          "[DhanHQ::Client] Network error (#{e.class}), retrying in #{backoff}s (attempt #{attempt}/#{retries})"
+        )
+        sleep(backoff)
+        retry
       end
     end
 
@@ -201,6 +197,31 @@ module DhanHQ
 
     private
 
+    def refresh_connection!
+      current_url = DhanHQ.configuration.base_url
+      return if @last_base_url == current_url
+
+      @last_base_url = current_url
+      @connection = build_connection(current_url)
+    end
+
+    def build_connection(url)
+      # Get timeout values from configuration or environment, with sensible defaults
+      connect_timeout = ENV.fetch("DHAN_CONNECT_TIMEOUT", 10).to_i
+      read_timeout = ENV.fetch("DHAN_READ_TIMEOUT", 30).to_i
+      write_timeout = ENV.fetch("DHAN_WRITE_TIMEOUT", 30).to_i
+
+      Faraday.new(url: url) do |conn|
+        conn.request :json, parser_options: { symbolize_names: true }
+        conn.response :json, content_type: /\bjson$/
+        conn.response :logger if ENV["DHAN_DEBUG"] == "true"
+        conn.options.timeout = read_timeout
+        conn.options.open_timeout = connect_timeout
+        conn.options.write_timeout = write_timeout
+        conn.adapter Faraday.default_adapter
+      end
+    end
+
     # Calculates exponential backoff time
     #
     # @param attempt [Integer] Current attempt number (1-based)