DhanHQ 2.6.2 → 2.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4469f87602b1825aa53ac5d53ef3493fb3a6fd40b00fd58199f23ba3c4a3e129
-  data.tar.gz: 7b5c65ab06cf2f945f488af2ab63499eb9a5fe2cea6ec04579db12a227ac121e
+  metadata.gz: df325d70c7c2e3c13493ad199ca8e11bb7f5a9df1d62a775452e4fb1eeed5842
+  data.tar.gz: 7cfde3f38fa073311ad50992ef497ba7391927b78136346e7549c135e7a4d7cc
 SHA512:
-  metadata.gz: 13683dc64df357c014a4427bbf3ee9981f3c52ad12795cd7f08d02e3d2cab3597efdb3668f63521f3bd2d43d616ac5ba577b11e104b304738c1b1c0769438bd2
-  data.tar.gz: cc2992611f9d3d4c785be89edc8bb3c33bffb6170a2575a20c532c8ff4ee9838bc1bf0021cdec6327349ff008fa7ae278b8e56d7cc2286310df3d0f4cd604292
+  metadata.gz: 945e4a71c15f01e33f7f05a3ed2453e7558c46d9c9bb5067a6225e68e87b4c3aac4a903ff08da384b488f9b8d36764f9f1f47103a8a8db4d5b90d1ea97e09252
+  data.tar.gz: 1b805c79a999c6604cd58d8df163c339233b09732d77c1911010dfa3d5ea32e12ae27d166b1484621338ba378acace69003328e9e6d4ec3654eb646df753c2c0

data/.rubocop.yml

@@ -28,9 +28,21 @@ RSpec/ExampleLength:
 RSpec/MultipleMemoizedHelpers:
   Max: 10
 
+Lint/ScriptPermission:
+  Exclude:
+    - "bin/**/*"
+
+Metrics/AbcSize:
+  Exclude:
+    - "bin/call_all_endpoints.rb"
+
+Layout/LineLength:
+  Exclude:
+    - "bin/call_all_endpoints.rb"
+
 DhanHQ/UseConstants:
   Enabled: true
   Exclude:
-    - 'lib/DhanHQ/constants.rb'
-    - 'lib/DhanHQ/ws/segments.rb'
-    - 'spec/**/*'
+    - "lib/DhanHQ/constants.rb"
+    - "lib/DhanHQ/ws/segments.rb"
+    - "spec/**/*"

data/AGENTS.md

@@ -0,0 +1,23 @@
+# AGENTS.md
+
+## Cursor Cloud specific instructions
+
+This is a pure-Ruby gem (no Rails, no running servers). Development commands are documented in `CLAUDE.md`.
+
+### Quick reference
+
+| Task | Command |
+|------|---------|
+| Install deps | `bundle install` |
+| Tests | `bundle exec rspec` |
+| Lint | `bundle exec rubocop` |
+| Both | `bundle exec rake` |
+| Single spec | `bundle exec rspec spec/path/to_spec.rb` |
+
+### Non-obvious caveats
+
+- **Bundler 4.x required**: The lockfile was bundled with Bundler 4.0.6. Install with `sudo gem install bundler -v 4.0.6` if missing.
+- **`libyaml-dev` must be installed**: The `psych` gem (transitive dep) needs `yaml.h`. Without `libyaml-dev`, `bundle install` fails on native extension build.
+- **`vendor/bundle` path**: Gems are installed to `./vendor/bundle` via `.bundle/config` to avoid needing root write access to `/var/lib/gems`.
+- **No real API calls in tests**: All HTTP interactions are stubbed with WebMock/VCR. No `DHAN_CLIENT_ID` or `DHAN_ACCESS_TOKEN` secrets are needed to run the test suite.
+- **No services to start**: This is a library gem. There is no web server, database, or background worker. Testing is purely `bundle exec rspec` / `bundle exec rubocop`.

data/ARCHITECTURE.md

@@ -0,0 +1,115 @@
+# dhanhq-client Architecture
+
+This document describes the architecture of the DhanHQ v2 API client gem: layers, dependencies, and design patterns in use.
+
+## Guiding principles
+
+- **Dependency rule**: High-level policy (models, domain) does not depend on low-level details (HTTP, JSON). Infrastructure (Client, BaseAPI) depends on configuration and helpers; models depend on resources (abstractions) and contracts.
+- **Single responsibility**: Each layer has one reason to change. Models own domain behavior; resources own HTTP; contracts own validation rules.
+- **Open/closed**: New endpoints are added by adding new Model + Resource + Contract pairs without modifying BaseAPI or BaseModel core.
+- **Don’t force patterns**: Patterns (Strategy, Factory Method, Facade) emerged from refactoring; we avoid speculative abstraction.
+
+---
+
+## Layer overview
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│  Entry & configuration (lib/dhan_hq.rb, Configuration)          │
+├─────────────────────────────────────────────────────────────────┤
+│  Domain / facade layer (Models)                                 │
+│  Order, Position, MarketFeed, OptionChain, ExpiredOptionsData…  │
+│  → validate via Contracts, delegate HTTP to Resources           │
+├─────────────────────────────────────────────────────────────────┤
+│  REST / HTTP layer (Resources, BaseAPI, BaseResource)           │
+│  → build path, format params, call Client                       │
+├─────────────────────────────────────────────────────────────────┤
+│  Transport layer (Client, RateLimiter, RequestHelper,           │
+│  ResponseHelper)                                                │
+│  → Faraday, headers, retries, error mapping                     │
+├─────────────────────────────────────────────────────────────────┤
+│  Validation (Contracts)                                         │
+│  → Dry::Validation, shared macros in BaseContract               │
+├─────────────────────────────────────────────────────────────────┤
+│  WebSocket (WS::*) — separate subsystem                         │
+└─────────────────────────────────────────────────────────────────┘
+```
+
+---
+
+## Directory structure and roles
+
+| Path | Role | Responsibility |
+|------|------|----------------|
+| `lib/dhan_hq.rb` | Entry point | Zeitwerk setup, eager load of core/helpers/errors, `DhanHQ.configure` |
+| `core/` | Base abstractions | BaseAPI (HTTP verbs, path building, param formatting), BaseModel (attributes, resource, validation, CRUD helpers), BaseResource (CRUD on BaseAPI), AuthAPI, ErrorHandler |
+| `helpers/` | Cross-cutting | APIHelper, AttributeHelper (keys, normalization), ValidationHelper (validate_params!, validate!), RequestHelper (headers, payload, build_from_response), ResponseHelper (parse_json, handle_response, error mapping) |
+| `models/` | Domain / facade | Typed wrappers (Order, Position, Holding, etc.). Define `resource`, optional `validation_contract`, and domain methods. Validate then delegate to resource. |
+| `resources/` | REST wrappers | One class per API surface (Orders, Positions, MarketFeed, OptionChain, …). Set `HTTP_PATH`, `API_TYPE`; implement get/post/put/delete via BaseAPI. |
+| `contracts/` | Request/response validation | Dry::Validation contracts (PlaceOrderContract, ModifyOrderContract, OptionChainContract, etc.). BaseContract provides shared macros (e.g. lot_size, tick_size). |
+| `auth/` | Token lifecycle | Token generator/renewal/manager for dynamic tokens. |
+| `concerns/` | Shared behavior | Modules included across layers (e.g. `OrderAudit` for live trading guard + audit logging, included in all order resources). |
+| `utils/` | Utilities | Cross-cutting utilities not tied to a single layer (e.g. `NetworkInspector` for IP/hostname/env lookup used by order audit logging). |
+| `ws/` | WebSocket | Connection, packets, decoder, market depth, orders client — isolated from REST. |
+
+---
+
+## Dependency flow
+
+- **Configuration** is global (`DhanHQ.configuration`). Client and helpers read it (access_token, client_id, base_url).
+- **Models** depend on:
+  - **Resources** (Factory Method: `resource` returns the right BaseAPI subclass)
+  - **Contracts** (for validate_params!)
+  - **Helpers** (via BaseModel: ValidationHelper, RequestHelper, ResponseHelper, AttributeHelper, APIHelper)
+- **Resources** depend on:
+  - **Client** (injected via BaseAPI: `DhanHQ::Client.new(api_type)`)
+  - **Helpers** (BaseAPI includes APIHelper, AttributeHelper; Client uses RequestHelper, ResponseHelper)
+- **Client** depends on Configuration, RateLimiter, and helpers. No dependency on Models or Resources.
+- **Contracts** depend on Constants (and optional instrument_meta). No dependency on Models or HTTP.
+
+So: **Models → Resources → Client**; **Contracts** are used by Models (and optionally Resources); **Helpers** are used by Client, BaseAPI, and BaseModel.
+
+---
+
+## Design patterns in use
+
+| Pattern | Where | Purpose |
+|--------|--------|--------|
+| **Facade** | Models (e.g. `Order.place`, `MarketFeed.ltp`) | Single entry point for “place order” or “get LTP”; hide validation, normalization, and resource call. |
+| **Factory Method** | BaseModel `resource` | Subclasses override `resource` to return the correct REST wrapper (e.g. Orders, OptionChain) without callers knowing the class. |
+| **Strategy** | BaseAPI `param_formatter_for(full_path)` | Choose how to format params by path: pass-through (marketfeed), titleize (optionchain), default camelize. Encapsulated in lambdas. |
+| **Template Method** | BaseModel `save` | `save` calls `new_record? ? create : update`; subclasses override `create`/`update` or collection methods. |
+| **Adapter** | RequestHelper / ResponseHelper | Adapt external API (headers, JSON, status codes) to internal hashes and error classes. |
+| **Singleton (per API type)** | RateLimiter.for(api_type) | One rate limiter per API type so all clients share limits. |
+
+---
+
+## Error handling
+
+- **Validation failures**: Raised as `DhanHQ::ValidationError` with a message that includes contract errors (e.g. `"Invalid parameters: #{result.errors.to_h}"`). Used by ValidationHelper, ExpiredOptionsData, Trade, and any code that validates via contracts.
+- **HTTP / API errors**: Mapped in ResponseHelper (e.g. 401 → InvalidAuthenticationError, 807 → TokenExpiredError) and raised as appropriate `DhanHQ::*` subclasses.
+- **Client** retries on auth failures (once, with token refresh) and on transient/network errors (with backoff).
+
+---
+
+## Configuration
+
+- Credentials and URLs live in `DhanHQ::Configuration` (access_token, client_id, base_url, sandbox, optional access_token_provider).
+- `DhanHQ.configure { }`, `configure_with_env`, and `configure_from_token_endpoint` set configuration. Never hardcode credentials; use env vars or token endpoint.
+
+---
+
+## WebSocket (WS)
+
+- Separate subsystem under `DhanHQ::WS`: own connection, packet types, decoder, market depth, orders client.
+- Shares configuration (e.g. access token) but not the REST Client or Resources. Documented in code and specs; not expanded here.
+
+---
+
+## Adding a new API surface
+
+1. **Contract** (optional): Add a Dry::Validation contract under `contracts/` if the endpoint has structured input.
+2. **Resource**: Add a class under `resources/` inheriting BaseAPI (or BaseResource). Set `HTTP_PATH`, `API_TYPE`; implement methods that call `get`/`post`/`put`/`delete`.
+3. **Model**: Add a class under `models/` inheriting BaseModel. Override `resource` to return the new resource; override `validation_contract` if needed; implement class/instance methods that call `validate_params!` then `resource.*`.
+
+This keeps the dependency rule and keeps each layer focused on one concern.

data/CHANGELOG.md

@@ -1,3 +1,68 @@
+## [2.7.0] - 2026-03-17
+
+### Added
+
+- **Order audit logging across all order types**: Every order submission (regular, super, forever/GTT, and alert orders) now emits a WARN-level structured JSON log line capturing: event type, public IPv4/IPv6, hostname, runtime environment, `security_id`, `correlation_id`, and UTC timestamp. Log output example:
+  ```json
+  {"event":"DHAN_ORDER_ATTEMPT","hostname":"DESKTOP-SHUBHAM","env":"production","ipv4":"122.171.22.40","ipv6":"2401:4900:...","security_id":"11536","correlation_id":"SCALPER_7af1","timestamp":"2026-03-17T06:45:22Z"}
+  ```
+  Events logged: `DHAN_ORDER_ATTEMPT`, `DHAN_ORDER_MODIFY_ATTEMPT`, `DHAN_ORDER_SLICING_ATTEMPT`, `DHAN_SUPER_ORDER_ATTEMPT`, `DHAN_SUPER_ORDER_MODIFY_ATTEMPT`, `DHAN_SUPER_ORDER_CANCEL_ATTEMPT`, `DHAN_FOREVER_ORDER_ATTEMPT`, `DHAN_FOREVER_ORDER_MODIFY_ATTEMPT`, `DHAN_FOREVER_ORDER_CANCEL_ATTEMPT`, `DHAN_ALERT_ORDER_ATTEMPT`, `DHAN_ALERT_ORDER_MODIFY_ATTEMPT`, `DHAN_ALERT_ORDER_DELETE_ATTEMPT`, `DHAN_PNL_EXIT_CONFIGURE_ATTEMPT`, `DHAN_PNL_EXIT_STOP_ATTEMPT`.
+- **`DhanHQ::Concerns::OrderAudit`**: Shared concern providing `log_order_context` and `ensure_live_trading!` — included in `Resources::Orders`, `Resources::SuperOrders`, `Resources::ForeverOrders`, `Resources::AlertOrders`, and `Resources::PnlExit`.
+- **`DhanHQ::Utils::NetworkInspector`**: New utility class that resolves the machine's public IPv4 (via api.ipify.org), IPv6 (via api64.ipify.org), hostname (`Socket.gethostname`), and runtime environment (`RAILS_ENV` / `RACK_ENV` / `APP_ENV`). IP lookups are memoized for the process lifetime; call `NetworkInspector.reset_cache!` to refresh.
+- **Live trading guard**: All mutating order/trader-control calls require `ENV["LIVE_TRADING"]="true"`. Guarded methods:
+  - `Resources::Orders#create`, `#update`, `#slicing`, `#cancel`
+  - `Resources::SuperOrders#create`, `#update`, `#cancel`
+  - `Resources::ForeverOrders#create`, `#update`, `#cancel`
+  - `Resources::AlertOrders#create`, `#update`, `#delete`
+  - `Resources::PnlExit#configure`, `#stop`
+- **`DhanHQ::LiveTradingDisabledError`**: New error class raised when the live trading guard fires.
+- **Correlation ID prefix convention**: Recommended per-app correlation ID prefixes for instant source identification in the Dhan orderbook (e.g. `SCALPER_7af1`, `TRADER_3bc9`). See README.
+
+### Changed
+
+- **`Resources::Orders`**: `#create`, `#update`, `#slicing`, `#cancel` log order context and enforce the live trading guard.
+- **`Resources::SuperOrders`**: `#create`, `#update`, `#cancel` log order context and enforce the live trading guard.
+- **`Resources::ForeverOrders`**: `#create`, `#update`, `#cancel` log order context and enforce the live trading guard.
+- **`Resources::AlertOrders`**: `#create`, `#update`, `#delete` log order context and enforce the live trading guard; `#delete` added.
+- **`Resources::PnlExit`**: `#configure` and `#stop` use `OrderAudit` (guard + audit log).
+
+### Breaking
+
+- **`ENV["LIVE_TRADING"]` required for all order/trader-control mutations**: Any call that creates, updates, cancels, or deletes orders (or configures/stops PnL exit) now raises `LiveTradingDisabledError` unless `ENV["LIVE_TRADING"]="true"`. Affects `Resources::Orders`, `Resources::SuperOrders`, `Resources::ForeverOrders`, `Resources::AlertOrders`, `Resources::PnlExit`, and the corresponding model wrappers. Set `LIVE_TRADING=true` in production and `LIVE_TRADING=false` (or omit) in development/test.
+
+---
+
+## [2.6.3] - 2026-03-14
+
+### Added
+
+- **Constants::Urls**: All canonical Dhan API/auth/WebSocket URLs in one place (`REST_API_BASE`, `SANDBOX_API_BASE`, `AUTH_BASE`, `WS_MARKET_FEED`, `WS_ORDER_UPDATE`, `WS_DEPTH_20`, `WS_DEPTH_200`, `INSTRUMENT_CSV_*`, `DOCS`, `ORIGIN`). Configuration, Auth, and WS defaults now use these constants.
+- **Order modification limit enforcement**: `Order#modify` enforces Dhan’s 25-modifications-per-order cap per instance; the 26th modify raises `DhanHQ::ModificationLimitError` and does not call the API. Count is in-process only (fresh `find` resets it).
+- **DhanHQ::ModificationLimitError**: New error class for the 25-per-order limit (rescuable).
+- **API error payload on exceptions**: Raised API errors now expose the full response body as `error.response_body` (e.g. `errorCode`, `errorMessage`, and any future keys like `errors` or `details`). Useful for logging and debugging.
+- **DH-905 message hint**: For `InputExceptionError` (DH-905), the exception message now includes a note that the Dhan API does not return which field failed, and to check required params and value types for the endpoint.
+- **Kill switch status validation**: `Resources::KillSwitch#update(status)` and `Models::KillSwitch.update(status)` now validate that `status` is `ACTIVATE` or `DEACTIVATE` (case-insensitive); invalid values raise `DhanHQ::ValidationError` before the request.
+- **Super order cancel leg validation**: `Resources::SuperOrders#cancel(order_id, leg_name)` validates `leg_name` against the API path enum (`ENTRY_LEG`, `STOP_LOSS_LEG`, `TARGET_LEG`); invalid values raise `DhanHQ::ValidationError`.
+
+### Changed
+
+- **SliceOrderContract**: Aligned with Dhan v2 orders doc — `amoTime` now allows `PRE_OPEN`; validity restricted to `DAY`/`IOC`; product type restricted to `CNC`/`INTRADAY`/`MARGIN`/`MTF`; `correlationId` max length 30 (was 25).
+- **Order#modify** YARD: Documented modification limit and `ModificationLimitError`.
+- **Error#initialize**: `DhanHQ::Error` now accepts an optional `response_body:` keyword argument so API-raised errors can carry the parsed response. Subclasses unchanged; `raise ErrorClass, "msg"` still works.
+- **ResponseHelper**: When the API returns extra keys (`errors`, `details`, `validationErrors`), they are appended to the exception message. DH-905 errors include the endpoint hint above.
+- **Margin contracts**: `MarginCalculatorContract` and `MultiScripMarginCalcRequestContract` accept optional `orderType` (per OpenAPI; some accounts require it). `Margin` model and `bin/test_all` margin payloads send `order_type: LIMIT` when `DHAN_TEST_MARGIN=true`.
+- **bin/test_all**: Fixed `ArgumentError: wrong number of arguments (given 1, expected 0)` by invoking endpoint lambdas with no arguments inside `Timeout.timeout` (the timeout block receives the duration). Refactored `endpoint_list` for RuboCop Metrics/AbcSize; optional read endpoints (forever order by id, PnL exit, margin) are skipped unless `DHAN_TEST_FOREVER_ORDER_ID`, `DHAN_TEST_PNL_EXIT=true`, or `DHAN_TEST_MARGIN=true` are set.
+
+### Fixed
+
+- **bin/test_all**: All 30 read endpoints now run successfully by default (26 called, 4 optional); margin/PnL/forever-by-id no longer fail when fixtures are missing.
+
+### Removed
+
+- **docs/DHAN_V2_GAPS.md**: Removed; path/behavior alignment remains in `docs/API_VERIFICATION.md`.
+
+---
+
 ## [2.6.2] - 2026-03-07
 
 ### Changed

data/README.md

@@ -53,6 +53,8 @@ You could wire up Faraday and parse JSON yourself. Here's why you shouldn't:
 - **Secure logging** — automatic token sanitization in all log output
 - **Super Orders** — entry + stop-loss + target + trailing jump in one request
 - **Instrument convenience methods** — `.ltp`, `.ohlc`, `.option_chain` directly on instruments
+- **Order audit logging** — every order attempt logs machine, IP, environment, and correlation ID as structured JSON
+- **Live trading guard** — prevents accidental order placement unless `ENV["LIVE_TRADING"]="true"`
 - **Full REST coverage** — Orders, Trades, Forever Orders, Super Orders, Positions, Holdings, Funds, HistoricalData, OptionChain, MarketFeed, EDIS, Kill Switch, P&L Exit, Alert Orders, Margin Calculator
 - **P&L Based Exit** — automatic position exit on profit/loss thresholds
 - **Postback parser** — parse Dhan webhook payloads with `Postback.parse` and status predicates
@@ -75,6 +77,8 @@ gem install DhanHQ
 
 > **Bleeding edge?** Use `gem 'DhanHQ', git: 'https://github.com/shubhamtaywade82/dhanhq-client.git', branch: 'main'` only if you need unreleased features.
 
+**`bundle update` / `bundle install` warnings** — If you see "Local specification for rexml-3.2.8 has different dependencies" or "Unresolved or ambiguous specs during Gem::Specification.reset: psych", the bundle still completes successfully. To clear the rexml warning once, run: `gem cleanup rexml`. The psych message is a known Bundler quirk and can be ignored.
+
 ### ⚠️ Breaking Change (v2.1.5+)
 
 The require statement changed:
@@ -118,6 +122,57 @@ When the API returns 401, the client retries **once** with a fresh token from yo
 
 ---
 
+## Order Safety
+
+### Live Trading Guard
+
+Order placement (`create`, `slicing`) is blocked unless you explicitly enable it:
+
+```bash
+# Production (Render, VPS, etc.)
+LIVE_TRADING=true
+
+# Development / Test (default — orders are blocked)
+LIVE_TRADING=false   # or simply omit
+```
+
+Attempting to place an order without `LIVE_TRADING=true` raises `DhanHQ::LiveTradingDisabledError`.
+
+### Order Audit Logging
+
+Every order attempt (place, modify, slice) automatically logs a structured JSON line at WARN level:
+
+```json
+{
+  "event": "DHAN_ORDER_ATTEMPT",
+  "hostname": "DESKTOP-SHUBHAM",
+  "env": "production",
+  "ipv4": "122.171.22.40",
+  "ipv6": "2401:4900:894c:8448:1da9:27f1:48e7:61be",
+  "security_id": "11536",
+  "correlation_id": "SCALPER_7af1",
+  "timestamp": "2026-03-17T06:45:22Z"
+}
+```
+
+This tells you instantly which machine, app, IP, and environment placed the order.
+
+### Correlation ID Prefixes
+
+Use per-app prefixes for instant source identification in the Dhan orderbook:
+
+```ruby
+# algo_scalper_api
+correlation_id: "SCALPER_#{SecureRandom.hex(4)}"
+
+# algo_trader_api
+correlation_id: "TRADER_#{SecureRandom.hex(4)}"
+```
+
+The Dhan orderbook will show `SCALPER_7af1` or `TRADER_3bc9`, making the source obvious.
+
+---
+
 ## REST API
 
 ### Orders — Place, Modify, Cancel

data/docs/API_VERIFICATION.md

@@ -1,13 +1,12 @@
 # API Verification (Dhan v2)
 
-This document records how the gem’s implementation aligns with the official Dhan API v2 docs.
+Path/behavior alignment with the official Dhan API v2 docs.
 
 **Sources:**
 
 - [dhanhq.co/docs/v2](https://dhanhq.co/docs/v2/) – main docs
 - [dhanhq.co/docs/v2/edis](https://dhanhq.co/docs/v2/edis/) – EDIS
 - [api.dhan.co/v2](https://api.dhan.co/v2/#/) – Developer Kit (when available)
-- In-repo: `CODE_REVIEW_ISSUES.md` (Alert Orders, IP Setup paths)
 
 ---
 
@@ -32,7 +31,7 @@ This document records how the gem’s implementation aligns with the official Dh
 
 | Doc path                  | Gem resource              | Path used        |
 |---------------------------|---------------------------|------------------|
-| `/alerts/orders`          | `Resources::AlertOrders`  | `HTTP_PATH = "/alerts/orders"` |
+| `/alerts/orders`          | `Resources::AlertOrders`  | `HTTP_PATH = "/v2/alerts/orders"` |
 | GET/POST `/alerts/orders` | `#all`, `#create`         | BaseResource     |
 | GET/PUT/DELETE `/alerts/orders/{trigger-id}` | `#find`, `#update`, `#delete` | `/{id}` |
 
@@ -46,16 +45,19 @@ Model: `Models::AlertOrder`. Condition must include `exchange_segment`, `exp_dat
 
 | Doc path        | Gem method     | Path / body |
 |-----------------|----------------|-------------|
-| GET /ip/getIP   | `#current`     | `get("/getIP")` |
-| POST /ip/setIP  | `#set(ip:, ip_flag: "PRIMARY", dhan_client_id: nil)` | `post("/setIP", params: { ip:, ip_flag:, dhan_client_id: })`; `dhan_client_id` defaults from config |
-| PUT /ip/modifyIP| `#update(ip:, ip_flag: "PRIMARY", dhan_client_id: nil)` | `put("/modifyIP", params: { ip:, ip_flag:, dhan_client_id: })` |
+| GET /v2/ip/getIP   | `#current`     | `get("/getIP")` (HTTP_PATH = "/v2/ip") |
+| POST /v2/ip/setIP  | `#set(ip:, ip_flag: "PRIMARY", dhan_client_id: nil)` | `post("/setIP", params: { ip:, ip_flag:, dhan_client_id: })`; `dhan_client_id` defaults from config |
+| PUT /v2/ip/modifyIP| `#update(ip:, ip_flag: "PRIMARY", dhan_client_id: nil)` | `put("/modifyIP", params: { ip:, ip_flag:, dhan_client_id: })` |
 
 ---
 
 ## Trader Control / Kill Switch
 
-- **Kill Switch:** `Resources::KillSwitch`, `Models::KillSwitch` – path `/v2/killswitch`. Manage (activate/deactivate) uses **query parameter** per [traders-control](https://dhanhq.co/docs/v2/traders-control/): `POST /v2/killswitch?killSwitchStatus=ACTIVATE` (or `DEACTIVATE`) with no body. `#status` is GET.
-- **Trader Control:** `Resources::TraderControl` – path `/trader-control`; `#status`, `#enable`, `#disable`. Not found on the public docs; kept for compatibility.
+**Doc:** [dhanhq.co/docs/v2](https://dhanhq.co/docs/v2/) → Trading APIs → Trader's Control.
+
+- **Kill Switch:** `Resources::KillSwitch`, `Models::KillSwitch` – path `/v2/killswitch`. Manage (activate/deactivate) uses **query parameter**: `POST /v2/killswitch?killSwitchStatus=ACTIVATE` (or `DEACTIVATE`) with no body. `#status` is GET.
+- **P&L Exit:** `Models::PnlExit` – path `/v2/pnlExit`. GET status, POST configure, DELETE stop.
+- **TraderControl:** `Resources::TraderControl` – path `/trader-control` is **not** in the Dhan v2 API. The class is kept for backward compatibility but raises `DhanHQ::Error` when any method is called; use KillSwitch and PnlExit instead.
 
 ---
 

data/docs/ENDPOINTS_AND_SANDBOX.md

@@ -101,3 +101,15 @@ These are **not** sandbox-aware; they always use the URLs above.
 - **REST:** When `sandbox` is true, all REST calls go to `https://sandbox.dhan.co/v2`. Only `GET /v2/profile` and `GET /v2/fundlimit` are verified working on sandbox; other REST endpoints are not verified — see "Sandbox: verified vs not working / unverified" above.
 - **Auth:** Token generation and renewal always use production hosts.
 - **WebSockets:** Sandbox does **not** support WebSocket. Order updates, market feed, and market depth always use production URLs; the gem does not publish or use any sandbox WebSocket URLs.
+
+## Call-all-endpoints script
+
+`bin/call_all_endpoints.rb` invokes every REST endpoint exposed by the gem (read-only by default; use `--all` to include write/destructive calls). Useful for connectivity checks or sandbox verification.
+
+```bash
+bin/call_all_endpoints.rb              # read-only
+bin/call_all_endpoints.rb --list       # print endpoint list
+bin/call_all_endpoints.rb --all        # include POST/PUT/DELETE
+```
+
+Requires `DHAN_CLIENT_ID` and `DHAN_ACCESS_TOKEN`. Optional: `DHAN_SANDBOX=true`, `DHAN_TEST_SECURITY_ID`, `DHAN_TEST_ORDER_ID`, `DHAN_TEST_ISIN`, `DHAN_TEST_EXPIRY`. When not using `--skip-unavailable`, the script creates a temporary alert for GET/PUT/DELETE alert endpoints and deletes it at exit.

data/lib/DhanHQ/auth.rb

@@ -27,8 +27,8 @@ module DhanHQ
   #     client_id: ENV["DHAN_CLIENT_ID"]
   #   )
   module Auth
-    AUTH_BASE_URL = "https://auth.dhan.co"
-    API_BASE_URL  = "https://api.dhan.co/v2"
+    AUTH_BASE_URL = Constants::Urls::AUTH_BASE
+    API_BASE_URL  = Constants::Urls::REST_API_BASE
 
     # Generates an access token using TOTP authentication.
     #

data/lib/DhanHQ/client.rb

@@ -61,48 +61,56 @@ module DhanHQ
     # @raise [DhanHQ::Error] If an HTTP error occurs.
     def request(method, path, payload, retries: 3)
       @token_manager&.ensure_valid_token!
-      @rate_limiter.throttle! # **Ensure we don't hit rate limit before calling API**
-
-      # Ensure connection matches current configuration (e.g. sandbox toggle)
+      @rate_limiter.throttle!
       refresh_connection!
 
-      attempt = 0
-      auth_retry_done = false
-      begin
-        response = connection.send(method, path) do |req|
-          req.headers.merge!(build_headers(path))
-          prepare_payload(req, payload, method, path)
+      with_auth_retry do
+        with_transient_retry(retries: retries) do
+          response = connection.send(method, path) do |req|
+            req.headers.merge!(build_headers(path))
+            prepare_payload(req, payload, method, path)
+          end
+          handle_response(response)
         end
+      end
+    end
 
-        handle_response(response)
-      rescue DhanHQ::InvalidAuthenticationError, DhanHQ::InvalidTokenError,
-             DhanHQ::TokenExpiredError, DhanHQ::AuthenticationFailedError => e
-        config = DhanHQ.configuration
-        if !auth_retry_done && config&.access_token_provider
-          auth_retry_done = true
-          config.on_token_expired&.call(e)
-          DhanHQ.logger&.warn("[DhanHQ::Client] Auth failure (#{e.class}), retrying once with fresh token")
-          retry
-        end
-        raise
+    def with_auth_retry
+      yield
+    rescue DhanHQ::InvalidAuthenticationError, DhanHQ::InvalidTokenError,
+           DhanHQ::TokenExpiredError, DhanHQ::AuthenticationFailedError => e
+      config = DhanHQ.configuration
+      raise unless config&.access_token_provider
+
+      config.on_token_expired&.call(e)
+      DhanHQ.logger&.warn("[DhanHQ::Client] Auth failure (#{e.class}), retrying once with fresh token")
+      yield
+    end
+
+    def with_transient_retry(retries:)
+      attempt = 0
+      begin
+        yield
       rescue DhanHQ::RateLimitError, DhanHQ::InternalServerError, DhanHQ::NetworkError => e
         attempt += 1
-        if attempt <= retries
-          backoff_time = calculate_backoff(attempt)
-          DhanHQ.logger&.warn("[DhanHQ::Client] Transient error (#{e.class}), retrying in #{backoff_time}s (attempt #{attempt}/#{retries})")
-          sleep(backoff_time)
-          retry
-        end
-        raise
+        raise if attempt > retries
+
+        backoff = calculate_backoff(attempt)
+        DhanHQ.logger&.warn(
+          "[DhanHQ::Client] Transient error (#{e.class}), retrying in #{backoff}s (attempt #{attempt}/#{retries})"
+        )
+        sleep(backoff)
+        retry
       rescue Faraday::TimeoutError, Faraday::ConnectionFailed => e
         attempt += 1
-        if attempt <= retries
-          backoff_time = calculate_backoff(attempt)
-          DhanHQ.logger&.warn("[DhanHQ::Client] Network error (#{e.class}), retrying in #{backoff_time}s (attempt #{attempt}/#{retries})")
-          sleep(backoff_time)
-          retry
-        end
-        raise DhanHQ::NetworkError, "Request failed after #{retries} retries: #{e.message}"
+        raise DhanHQ::NetworkError, "Request failed after #{retries} retries: #{e.message}" if attempt > retries
+
+        backoff = calculate_backoff(attempt)
+        DhanHQ.logger&.warn(
+          "[DhanHQ::Client] Network error (#{e.class}), retrying in #{backoff}s (attempt #{attempt}/#{retries})"
+        )
+        sleep(backoff)
+        retry
       end
     end
 

data/lib/DhanHQ/concerns/order_audit.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+require_relative "../utils/network_inspector"
+
+module DhanHQ
+  module Concerns
+    # Shared behavior for order audit logging and live trading safety.
+    #
+    # Include this module in any Resource that submits, modifies, or cancels
+    # orders on the Dhan API. It provides:
+    #
+    # - {#log_order_context}: emits a structured JSON log line (WARN level)
+    #   capturing hostname, public IP, environment, security_id, correlation_id,
+    #   and a UTC timestamp.
+    #
+    # - {#ensure_live_trading!}: raises {DhanHQ::LiveTradingDisabledError}
+    #   unless +ENV["LIVE_TRADING"]+ is +"true"+, preventing accidental order
+    #   placement from development machines.
+    #
+    # @example Including in a resource
+    #   class MyOrders < BaseAPI
+    #     include DhanHQ::Concerns::OrderAudit
+    #
+    #     def create(params)
+    #       ensure_live_trading!
+    #       log_order_context("MY_ORDER_ATTEMPT", params)
+    #       post("", params: params)
+    #     end
+    #   end
+    module OrderAudit
+      private
+
+      # Raises an error if LIVE_TRADING is not explicitly enabled.
+      # Set ENV["LIVE_TRADING"]="true" in production to allow order submission.
+      def ensure_live_trading!
+        return if ENV["LIVE_TRADING"] == "true"
+
+        raise DhanHQ::LiveTradingDisabledError,
+              "Live trading is disabled. Set ENV[\"LIVE_TRADING\"]=\"true\" to enable order placement."
+      end
+
+      # Emits a structured JSON log line with machine/network/correlation context.
+      # Uses WARN level so it appears even when INFO is silenced.
+      def log_order_context(event, params = {})
+        inspector = DhanHQ::Utils::NetworkInspector
+        entry = {
+          event: event,
+          hostname: inspector.hostname,
+          env: inspector.environment,
+          ipv4: inspector.public_ipv4,
+          ipv6: inspector.public_ipv6,
+          security_id: extract_param(params, :securityId, :security_id),
+          correlation_id: extract_param(params, :correlationId, :correlation_id),
+          order_id: extract_param(params, :orderId, :order_id),
+          timestamp: Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+        }.compact
+
+        DhanHQ.logger&.warn(JSON.generate(entry))
+      end
+
+      # Extracts a value from params trying both camelCase and snake_case keys,
+      # as well as both symbol and string key types.
+      def extract_param(params, camel_key, snake_key)
+        p = params || {}
+        p[camel_key] || p[camel_key.to_s] || p[snake_key] || p[snake_key.to_s]
+      end
+    end
+  end
+end

data/lib/DhanHQ/configuration.rb

@@ -9,13 +9,12 @@ module DhanHQ
   # @see https://dhanhq.co/docs/v2/ DhanHQ API Documentation
   class Configuration
     # Default REST API host used when the base URL is not overridden.
-    #
     # @return [String]
-    BASE_URL = "https://api.dhan.co/v2"
+    BASE_URL = Constants::Urls::REST_API_BASE
 
     # Default Sandbox API host.
     # @return [String]
-    SANDBOX_URL = "https://sandbox.dhan.co/v2"
+    SANDBOX_URL = Constants::Urls::SANDBOX_API_BASE
     # The client ID for API authentication.
     # @return [String, nil] The client ID or `nil` if not set.
     attr_accessor :client_id
@@ -58,21 +57,21 @@ module DhanHQ
     # Sandbox does not support WebSocket; always returns production URL unless overridden.
     # @return [String]
     def ws_order_url
-      @ws_order_url || "wss://api-order-update.dhan.co"
+      @ws_order_url || Constants::Urls::WS_ORDER_UPDATE
     end
 
     # Websocket market feed endpoint.
     # Sandbox does not support WebSocket; always returns production URL unless overridden.
     # @return [String]
     def ws_market_feed_url
-      @ws_market_feed_url || "wss://api-feed.dhan.co"
+      @ws_market_feed_url || Constants::Urls::WS_MARKET_FEED
     end
 
     # Websocket market depth endpoint.
     # Sandbox does not support WebSocket; always returns production URL unless overridden.
     # @return [String]
     def ws_market_depth_url
-      @ws_market_depth_url || "wss://depth-api-feed.dhan.co/twentydepth"
+      @ws_market_depth_url || Constants::Urls::WS_DEPTH_20
     end
 
     # Market depth level (20 or 200).