@farazirfan/costar-server-executor 1.7.19 → 1.7.21

package/public/index.html

@@ -1142,6 +1142,30 @@
 
         <!-- ═══ Settings Page ═══ -->
         <div class="page" id="page-settings">
+          <div class="card">
+            <div class="card-header">
+              <h3>Environment Variables</h3>
+              <div style="display:flex;gap:8px;">
+                <button class="btn btn-sm" onclick="loadEnvVariables()">Refresh</button>
+                <button class="btn btn-sm btn-primary" onclick="openEnvModal()">+ Add Variable</button>
+              </div>
+            </div>
+            <div class="table-wrap">
+              <table>
+                <thead>
+                  <tr>
+                    <th>Key</th>
+                    <th>Value</th>
+                    <th>Actions</th>
+                  </tr>
+                </thead>
+                <tbody id="env-table-body">
+                  <tr><td colspan="3"><div class="loading-center"><div class="spinner"></div></div></td></tr>
+                </tbody>
+              </table>
+            </div>
+          </div>
+
           <div class="card">
             <div class="card-header">
               <h3>Configuration</h3>
@@ -1211,6 +1235,25 @@
     </div>
   </div>
 
+  <!-- Environment Variable Modal -->
+  <div class="modal-overlay" id="env-modal">
+    <div class="modal">
+      <h3 id="env-modal-title">Add Environment Variable</h3>
+      <div class="form-group">
+        <label>Key (UPPERCASE_WITH_UNDERSCORES)</label>
+        <input type="text" id="env-key" placeholder="e.g. MY_API_KEY" style="text-transform:uppercase;" />
+      </div>
+      <div class="form-group">
+        <label>Value</label>
+        <input type="text" id="env-value" placeholder="Enter value..." />
+      </div>
+      <div class="modal-actions">
+        <button class="btn" onclick="closeEnvModal()">Cancel</button>
+        <button class="btn btn-primary" onclick="saveEnvVariable()">Save</button>
+      </div>
+    </div>
+  </div>
+
   <script>
     /* ═══════════════════════════════════════════════
      *  CoStar Dashboard - Client-side JS
@@ -2072,6 +2115,166 @@
       } catch (err) {
         document.getElementById('settings-config').innerHTML = `<div style="color:var(--red);padding:12px;">Error: ${esc(err.message)}</div>`;
       }
+
+      // Also load env variables
+      loadEnvVariables();
+    }
+
+    // ─── Environment Variables ───────────────────────
+    let envVariables = [];
+
+    async function loadEnvVariables() {
+      try {
+        const data = await api('/api/env');
+        envVariables = data.variables || [];
+        const tbody = document.getElementById('env-table-body');
+
+        if (envVariables.length === 0) {
+          tbody.innerHTML = `<tr><td colspan="3"><div class="empty-state"><div class="empty-icon">&#128295;</div><p>No environment variables configured.</p></div></td></tr>`;
+          return;
+        }
+
+        tbody.innerHTML = envVariables.map((env, idx) => {
+          const valueDisplay = env.masked 
+            ? `<span style="font-family:var(--mono);color:var(--text-muted);" id="env-value-${idx}">${esc(env.value)}</span>
+               <button class="btn btn-sm" onclick="revealEnvValue('${esc(env.key)}', ${idx})" id="env-reveal-${idx}" style="margin-left:8px;">&#128065; Reveal</button>`
+            : `<span style="font-family:var(--mono);">${esc(env.value)}</span>`;
+
+          return `<tr>
+            <td><code style="font-size:13px;color:var(--accent);">${esc(env.key)}</code></td>
+            <td>${valueDisplay}</td>
+            <td>
+              <button class="btn btn-sm" onclick="editEnvVariable('${esc(env.key)}')">Edit</button>
+              <button class="btn btn-sm btn-danger" onclick="deleteEnvVariable('${esc(env.key)}')">Delete</button>
+            </td>
+          </tr>`;
+        }).join('');
+      } catch (err) {
+        document.getElementById('env-table-body').innerHTML = `<tr><td colspan="3" style="color:var(--red);padding:16px;">Error: ${esc(err.message)}</td></tr>`;
+      }
+    }
+
+    async function revealEnvValue(key, idx) {
+      try {
+        const btn = document.getElementById(`env-reveal-${idx}`);
+        const valueEl = document.getElementById(`env-value-${idx}`);
+        
+        if (!btn || !valueEl) return;
+
+        // If already revealed, hide it again
+        if (btn.textContent.includes('Hide')) {
+          const maskedVar = envVariables[idx];
+          valueEl.textContent = maskedVar.value;
+          btn.innerHTML = '&#128065; Reveal';
+          return;
+        }
+
+        btn.disabled = true;
+        btn.textContent = 'Loading...';
+
+        const data = await api(`/api/env/${encodeURIComponent(key)}`);
+        valueEl.textContent = data.value;
+        btn.disabled = false;
+        btn.innerHTML = '&#128065; Hide';
+
+        // Auto-hide after 10 seconds
+        setTimeout(() => {
+          if (btn.textContent.includes('Hide')) {
+            const maskedVar = envVariables[idx];
+            valueEl.textContent = maskedVar.value;
+            btn.innerHTML = '&#128065; Reveal';
+          }
+        }, 10000);
+      } catch (err) {
+        alert('Failed to reveal value: ' + err.message);
+        const btn = document.getElementById(`env-reveal-${idx}`);
+        if (btn) {
+          btn.disabled = false;
+          btn.innerHTML = '&#128065; Reveal';
+        }
+      }
+    }
+
+    function openEnvModal() {
+      document.getElementById('env-modal').classList.add('open');
+      document.getElementById('env-modal-title').textContent = 'Add Environment Variable';
+      document.getElementById('env-key').value = '';
+      document.getElementById('env-key').disabled = false;
+      document.getElementById('env-value').value = '';
+      document.getElementById('env-key').dataset.editMode = 'false';
+    }
+
+    function closeEnvModal() {
+      document.getElementById('env-modal').classList.remove('open');
+    }
+
+    function editEnvVariable(key) {
+      const envVar = envVariables.find(e => e.key === key);
+      if (!envVar) return;
+
+      document.getElementById('env-modal').classList.add('open');
+      document.getElementById('env-modal-title').textContent = 'Edit Environment Variable';
+      document.getElementById('env-key').value = key;
+      document.getElementById('env-key').disabled = true; // Can't change key when editing
+      document.getElementById('env-value').value = ''; // Don't pre-fill for security
+      document.getElementById('env-value').placeholder = 'Enter new value...';
+      document.getElementById('env-key').dataset.editMode = 'true';
+    }
+
+    async function saveEnvVariable() {
+      const keyInput = document.getElementById('env-key');
+      const valueInput = document.getElementById('env-value');
+      const key = keyInput.value.trim().toUpperCase();
+      const value = valueInput.value.trim();
+      const isEdit = keyInput.dataset.editMode === 'true';
+
+      if (!key) {
+        alert('Key is required.');
+        return;
+      }
+
+      if (!value) {
+        alert('Value is required.');
+        return;
+      }
+
+      // Validate key format
+      if (!/^[A-Z0-9_]+$/.test(key)) {
+        alert('Key must contain only uppercase letters, numbers, and underscores.');
+        return;
+      }
+
+      try {
+        if (isEdit) {
+          await api(`/api/env/${encodeURIComponent(key)}`, {
+            method: 'PUT',
+            body: JSON.stringify({ value }),
+          });
+        } else {
+          await api('/api/env', {
+            method: 'POST',
+            body: JSON.stringify({ key, value }),
+          });
+        }
+
+        closeEnvModal();
+        loadEnvVariables();
+      } catch (err) {
+        alert('Failed to save: ' + err.message);
+      }
+    }
+
+    async function deleteEnvVariable(key) {
+      if (!confirm(`Delete environment variable "${key}"?\n\nThis will remove it from ~/.costar/.env and the current process.`)) {
+        return;
+      }
+
+      try {
+        await api(`/api/env/${encodeURIComponent(key)}`, { method: 'DELETE' });
+        loadEnvVariables();
+      } catch (err) {
+        alert('Failed to delete: ' + err.message);
+      }
     }
 
     // ─── Utilities ───────────────────────────────────

package/skills/coinbase/LEARNING.md

@@ -0,0 +1,117 @@
+# Coinbase Trading Journal
+
+> **Read this before every Coinbase operation.** Update after every trade.
+> Never delete entries — mark outdated ones as `[OUTDATED]` with date and reason.
+
+---
+
+## Trade Log
+
+| Date | Pair | Side | Type | Size | Fill Price | Fees | P&L | Notes |
+|------|------|------|------|------|------------|------|-----|-------|
+| *(No trades yet)* | | | | | | | | |
+
+---
+
+## API Quirks & Gotchas
+
+> Things that tripped you up. Save others (your future self) the pain.
+
+1. All numeric values must be strings — `"100.00"` not `100`
+2. HTTP 200 doesn't mean success — always check `order.success`
+3. Duplicate `client_order_id` returns existing order, not error
+
+*(Add more as you discover them)*
+
+---
+
+## Fee Insights
+
+> Track fee rates and patterns to optimize execution.
+
+- **Current fee tier:** *Unknown — check with `getTransactionSummary()`*
+- **Maker rate:** *TBD*
+- **Taker rate:** *TBD*
+
+<!--
+- [DATE] Fee observation. Example: post_only limit orders save 0.2% in fees vs market orders
+-->
+
+---
+
+## Order Patterns That Work
+
+> Reusable patterns you've validated with real trades.
+
+<!--
+- [DATE] PATTERN: description. PAIR: which pair. RESULT: outcome.
+Example:
+- [2026-02-14] PATTERN: Limit buy 0.5% below current price with GTD 1-hour expiry. PAIR: BTC-USD. RESULT: Filled 70% of the time, saved avg $15 in slippage vs market orders.
+-->
+
+---
+
+## Order Patterns That Failed
+
+> Equally important — what NOT to do.
+
+<!--
+- [DATE] PATTERN: description. PAIR: which pair. PROBLEM: what went wrong.
+Example:
+- [2026-02-14] PATTERN: Market sell large SOL position ($5000). PAIR: SOL-USD. PROBLEM: 1.2% slippage due to thin order book. Should have used limit or split into smaller orders.
+-->
+
+---
+
+## Product-Specific Notes
+
+> Observations about specific trading pairs.
+
+<!--
+- [DATE] PRODUCT: observation
+Example:
+- [2026-02-14] BTC-USD: min order $1, base_increment 0.00000001, quote_increment 0.01
+- [2026-02-14] SOL-USD: wider spreads after hours, better to trade during US market hours
+-->
+
+---
+
+## Scripts I've Created
+
+| Script | Purpose | Works Well? | Last Modified |
+|--------|---------|-------------|---------------|
+| *(None yet)* | | | |
+
+---
+
+## Mistakes to Never Repeat
+
+1. *(Will accumulate from real trading)*
+
+---
+
+## Performance Summary
+
+### All Time
+- **Total Trades:** 0
+- **Total Fees Paid:** $0
+- **Net P&L:** $0
+- **Avg Slippage:** N/A
+
+### Current Week
+- **Trades:** 0
+- **Fees:** $0
+- **P&L:** $0
+
+---
+
+## Open Questions
+
+1. What are the actual minimum order sizes for each product?
+2. How much slippage to expect on market orders for different pair sizes?
+3. What's the optimal order type for different trade sizes?
+4. When does `post_only` get rejected vs filled?
+
+---
+
+> Every entry makes your next trade better. Record everything.

package/skills/coinbase/SKILL.md

@@ -0,0 +1,217 @@
+---
+name: coinbase
+description: "Execute real trades on Coinbase Advanced Trade. Supports market, limit, stop-limit, and bracket orders for crypto. Handles account balances, order management, price data, portfolio tracking, and fee estimation. Use when the user wants to buy/sell crypto, check balances, place orders, manage positions, or do anything on Coinbase."
+metadata:
+  emoji: "🪙"
+  requires:
+    env: ["COINBASE_API_KEY", "COINBASE_API_SECRET"]
+---
+
+# Coinbase Trading Executor
+
+You can execute real trades on Coinbase using the Advanced Trade API. This is real money — be precise, confirm with the user, and never skip risk checks.
+
+## CRITICAL: Always Read LEARNING.md First
+
+**Before ANY Coinbase action, read [LEARNING.md](LEARNING.md).** It contains API quirks you've discovered, order patterns that work, mistakes to avoid, and fee insights from real trades.
+
+## Authentication
+
+The user's Coinbase API credentials are available as environment variables:
+- `COINBASE_API_KEY` — format: `organizations/{org_id}/apiKeys/{key_id}`
+- `COINBASE_API_SECRET` — EC private key in PEM format
+
+These use **CDP (Coinbase Developer Platform) keys** with **ES256 JWT** authentication. The `coinbase-api` npm package handles JWT generation internally.
+
+## Setup
+
+Before first use, ensure the SDK is installed in the workspace:
+
+```bash
+npm list coinbase-api 2>/dev/null || npm install coinbase-api
+```
+
+## How to Execute Trades
+
+All Coinbase operations use TypeScript/JavaScript scripts via `execute_code` or shell commands. Use the `coinbase-api` package:
+
+```typescript
+import { CBAdvancedTradeClient } from 'coinbase-api';
+
+const client = new CBAdvancedTradeClient({
+  apiKey: process.env.COINBASE_API_KEY,
+  apiSecret: process.env.COINBASE_API_SECRET,
+});
+```
+
+## Execution Workflow
+
+```
+- [ ] Step 1: Read LEARNING.md
+- [ ] Step 2: Verify balances and account status
+- [ ] Step 3: Get current price and market data
+- [ ] Step 4: Preview the order (estimate fees/slippage)
+- [ ] Step 5: Execute the order
+- [ ] Step 6: Verify order fill and record result
+- [ ] Step 7: Update LEARNING.md
+```
+
+### Step 2: Check Balances
+
+```typescript
+const accounts = await client.getAccounts();
+for (const acct of accounts.accounts) {
+  if (parseFloat(acct.available_balance.value) > 0) {
+    console.log(`${acct.currency}: ${acct.available_balance.value}`);
+  }
+}
+```
+
+### Step 3: Get Price Data
+
+```typescript
+// Current price
+const product = await client.getProduct({ product_id: 'BTC-USD' });
+console.log(`Price: $${product.price}, 24h change: ${product.price_percentage_change_24h}%`);
+
+// Best bid/ask spread
+const spread = await client.getBestBidAsk({ product_ids: ['BTC-USD'] });
+
+// OHLCV candles (last 24h, 1-hour granularity)
+const candles = await client.getProductCandles({
+  product_id: 'BTC-USD',
+  start: String(Math.floor(Date.now() / 1000) - 86400),
+  end: String(Math.floor(Date.now() / 1000)),
+  granularity: 'ONE_HOUR',
+});
+```
+
+### Step 4: Preview Order
+
+**Always preview before executing.** This shows estimated fees and slippage:
+
+```typescript
+const preview = await client.previewOrder({
+  product_id: 'BTC-USD',
+  side: 'BUY',
+  order_configuration: {
+    market_market_ioc: { quote_size: '100.00' },
+  },
+});
+// Shows: quote_size, base_size, best_bid, best_ask, total_fees, slippage
+```
+
+### Step 5: Place Orders
+
+See [references/order-types.md](references/order-types.md) for all order types and configurations.
+
+**Market Buy** (spend $X of quote currency):
+```typescript
+const order = await client.submitOrder({
+  client_order_id: crypto.randomUUID(),
+  product_id: 'BTC-USD',
+  side: 'BUY',
+  order_configuration: {
+    market_market_ioc: { quote_size: '100.00' },  // spend $100
+  },
+});
+```
+
+**Market Sell** (sell X units of base asset):
+```typescript
+const order = await client.submitOrder({
+  client_order_id: crypto.randomUUID(),
+  product_id: 'BTC-USD',
+  side: 'SELL',
+  order_configuration: {
+    market_market_ioc: { base_size: '0.001' },  // sell 0.001 BTC
+  },
+});
+```
+
+**Limit Buy** (Good Till Cancel):
+```typescript
+const order = await client.submitOrder({
+  client_order_id: crypto.randomUUID(),
+  product_id: 'BTC-USD',
+  side: 'BUY',
+  order_configuration: {
+    limit_limit_gtc: {
+      base_size: '0.001',
+      limit_price: '95000.00',
+      post_only: false,
+    },
+  },
+});
+```
+
+### Step 6: Verify Order
+
+```typescript
+// Check response immediately
+if (order.success) {
+  const orderId = order.success_response.order_id;
+  // Get fill details
+  const status = await client.getOrder({ order_id: orderId });
+  console.log(`Status: ${status.status}, Filled: ${status.filled_size} @ ${status.average_filled_price}`);
+} else {
+  console.error(`Order failed: ${order.error_response.message}`);
+}
+```
+
+**IMPORTANT:** Coinbase returns HTTP 200 even on order failure. Always check `order.success === true`.
+
+### Step 7: Update LEARNING.md
+
+After every trade, record: asset, side, type, size, fill price, fees, outcome, and any API quirks encountered.
+
+## Order Management
+
+```typescript
+// List open orders
+const orders = await client.getOrders({ order_status: ['OPEN', 'PENDING'] });
+
+// Cancel specific orders
+const cancel = await client.cancelOrders({ order_ids: ['order-id-here'] });
+
+// Get fills (trade executions)
+const fills = await client.getFills({ order_id: 'order-id-here' });
+```
+
+## Portfolio & Fees
+
+```typescript
+// Portfolio breakdown
+const portfolios = await client.getPortfolios({});
+const breakdown = await client.getPortfolioBreakdown({ portfolio_id: portfolios.portfolios[0].uuid });
+
+// Fee tier info
+const fees = await client.getTransactionSummary({});
+// Shows: fee_tier, total_volume, maker_fee_rate, taker_fee_rate
+```
+
+## Critical Rules
+
+1. **ALWAYS preview orders before executing** — know the fees and slippage
+2. **All values are STRINGS** — `"100.00"` not `100`. The API rejects numbers.
+3. **client_order_id must be unique** — always use `crypto.randomUUID()`
+4. **Check `order.success`** — HTTP 200 doesn't mean order succeeded
+5. **Product ID format** — always `BASE-QUOTE` e.g. `BTC-USD`, `ETH-USD`, `SOL-USD`
+6. **Minimum order sizes vary** — check product details before ordering
+7. **Rate limits** — ~10 requests/second for private endpoints
+8. **Never place orders in a loop without delays** — respect rate limits
+9. **Log everything in LEARNING.md** — every trade, every error, every quirk
+
+## Reference Files
+
+- [references/order-types.md](references/order-types.md) — All order configurations with examples
+- [references/api-reference.md](references/api-reference.md) — Complete API endpoint list
+- [references/products.md](references/products.md) — Common trading pairs and their details
+
+## Self-Evolution
+
+You can modify any file in this skill:
+- Found an API quirk? Update LEARNING.md and references
+- Built a reusable script? Save it in `scripts/`
+- Discovered a better workflow? Update this SKILL.md
+- New order type pattern? Add to `references/order-types.md`

package/skills/coinbase/references/api-reference.md

@@ -0,0 +1,124 @@
+# Coinbase Advanced Trade API Reference
+
+> Agent-editable. Add notes and quirks as you discover them.
+> Last updated: Initial version
+
+## Base URL
+
+`https://api.coinbase.com/api/v3/brokerage/`
+
+## SDK Methods (coinbase-api package)
+
+### Accounts & Balances
+
+| Method | Description |
+|--------|-------------|
+| `client.getAccounts()` | List all accounts with balances |
+| `client.getAccount({ account_id })` | Get specific account |
+
+### Market Data
+
+| Method | Description |
+|--------|-------------|
+| `client.getProducts({})` | List all trading pairs |
+| `client.getProduct({ product_id })` | Get product details + current price |
+| `client.getProductCandles({ product_id, start, end, granularity })` | OHLCV candle data |
+| `client.getProductBook({ product_id, limit })` | Order book depth |
+| `client.getBestBidAsk({ product_ids: [...] })` | Best bid/ask spread |
+| `client.getMarketTrades({ product_id, limit })` | Recent market trades |
+
+### Orders
+
+| Method | Description |
+|--------|-------------|
+| `client.submitOrder({ ... })` | Place an order |
+| `client.previewOrder({ ... })` | Preview order (estimate fees/slippage) |
+| `client.getOrder({ order_id })` | Get order details |
+| `client.getOrders({ order_status, product_id, ... })` | List orders with filters |
+| `client.cancelOrders({ order_ids: [...] })` | Cancel one or more orders |
+| `client.getFills({ order_id, product_id, ... })` | Get trade fills |
+
+### Portfolios
+
+| Method | Description |
+|--------|-------------|
+| `client.getPortfolios({})` | List portfolios |
+| `client.getPortfolioBreakdown({ portfolio_id })` | Detailed breakdown with positions |
+
+### Fees
+
+| Method | Description |
+|--------|-------------|
+| `client.getTransactionSummary({})` | Fee tier, volume, maker/taker rates |
+
+## Candle Granularity Options
+
+| Value | Period |
+|-------|--------|
+| `ONE_MINUTE` | 1 min |
+| `FIVE_MINUTE` | 5 min |
+| `FIFTEEN_MINUTE` | 15 min |
+| `THIRTY_MINUTE` | 30 min |
+| `ONE_HOUR` | 1 hr |
+| `TWO_HOUR` | 2 hr |
+| `SIX_HOUR` | 6 hr |
+| `ONE_DAY` | 1 day |
+
+## Candle Timestamps
+
+- `start` and `end` are **Unix timestamps in seconds** (as strings)
+- Example: last 24 hours
+```typescript
+start: String(Math.floor(Date.now() / 1000) - 86400),
+end: String(Math.floor(Date.now() / 1000)),
+```
+
+## Rate Limits
+
+| Type | Limit |
+|------|-------|
+| Private endpoints | ~10 requests/second |
+| Private endpoints | ~5,000 requests/hour |
+| Public endpoints | ~10,000 requests/hour |
+
+Public endpoints have 1-second cache. Use WebSocket for real-time data.
+
+## Error Handling
+
+The API returns HTTP 200 for most responses, including failures. Always check:
+
+```typescript
+if (order.success) {
+  // order.success_response.order_id
+} else {
+  // order.error_response.error, order.error_response.message
+  // Common: INSUFFICIENT_FUND, INVALID_LIMIT_PRICE_POST_ONLY, UNKNOWN_FAILURE_REASON
+}
+```
+
+## Common Error Codes
+
+| Error | Meaning | Fix |
+|-------|---------|-----|
+| `INSUFFICIENT_FUND` | Not enough balance | Check available balance first |
+| `INVALID_LIMIT_PRICE_POST_ONLY` | Post-only order would immediately fill | Adjust price or set `post_only: false` |
+| `UNKNOWN_FAILURE_REASON` | Generic failure | Check order params, product status |
+| `UNSUPPORTED_ORDER_CONFIGURATION` | Invalid order config | Check order type and required fields |
+| `INVALID_PRODUCT_ID` | Product doesn't exist | Verify product_id with `getProducts()` |
+
+## WebSocket Channels (Real-Time)
+
+| Channel | Auth | Description |
+|---------|------|-------------|
+| `ticker` | Public | Real-time price per trade |
+| `ticker_batch` | Public | Batched price updates |
+| `level2` | Public | Order book updates |
+| `market_trades` | Public | Trade executions |
+| `candles` | Public | OHLCV updates |
+| `status` | Public | Product status changes |
+| `user` | Private | Your order fills and updates |
+| `heartbeats` | Public | Connection keepalive |
+
+WebSocket endpoints:
+- Market data: `wss://advanced-trade-ws.coinbase.com`
+- User data: `wss://advanced-trade-ws-user.coinbase.com`