@guiie/buda-mcp 1.5.0 → 1.5.2

package/dist/tools/receive_addresses.js

@@ -1,11 +1,13 @@
 import { z } from "zod";
 import { BudaApiError } from "../client.js";
 import { validateCurrency } from "../validation.js";
+import { logAudit } from "../audit.js";
 export const createReceiveAddressToolSchema = {
     name: "create_receive_address",
     description: "Generates a new receive address for a crypto currency. " +
         "Creates a new blockchain deposit address for the given currency. " +
         "Each call generates a distinct address. Not idempotent. " +
+        "IMPORTANT: Pass confirmation_token='CONFIRM' to execute. " +
         "Only applicable to crypto currencies (BTC, ETH, etc.). " +
         "Requires BUDA_API_KEY and BUDA_API_SECRET. " +
         "Example: 'Give me a fresh Bitcoin deposit address.'",
@@ -16,8 +18,12 @@ export const createReceiveAddressToolSchema = {
                 type: "string",
                 description: "Currency code (e.g. 'BTC', 'ETH').",
             },
+            confirmation_token: {
+                type: "string",
+                description: "Safety confirmation. Must equal exactly 'CONFIRM' (case-sensitive) to generate a new address.",
+            },
         },
-        required: ["currency"],
+        required: ["currency", "confirmation_token"],
     },
 };
 export const listReceiveAddressesToolSchema = {
@@ -88,7 +94,7 @@ export async function handleListReceiveAddresses(args, client) {
     }
     catch (err) {
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
         return {
             content: [{ type: "text", text: JSON.stringify(msg) }],
@@ -113,7 +119,7 @@ export async function handleGetReceiveAddress(args, client) {
     }
     catch (err) {
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
         return {
             content: [{ type: "text", text: JSON.stringify(msg) }],
@@ -121,8 +127,24 @@ export async function handleGetReceiveAddress(args, client) {
         };
     }
 }
-export async function handleCreateReceiveAddress(args, client) {
-    const { currency } = args;
+export async function handleCreateReceiveAddress(args, client, transport = "stdio") {
+    const { currency, confirmation_token } = args;
+    if (confirmation_token !== "CONFIRM") {
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: JSON.stringify({
+                        error: "Address not generated. confirmation_token must equal 'CONFIRM' to execute. " +
+                            "Each call creates a distinct address — review and set confirmation_token='CONFIRM' to proceed.",
+                        code: "CONFIRMATION_REQUIRED",
+                        preview: { currency },
+                    }),
+                },
+            ],
+            isError: true,
+        };
+    }
     const validationError = validateCurrency(currency);
     if (validationError) {
         return {
@@ -132,18 +154,17 @@ export async function handleCreateReceiveAddress(args, client) {
     }
     try {
         const data = await client.post(`/currencies/${currency.toUpperCase()}/receive_addresses`, {});
-        return {
-            content: [{ type: "text", text: JSON.stringify(normalizeAddress(data.receive_address), null, 2) }],
-        };
+        const result = { content: [{ type: "text", text: JSON.stringify(normalizeAddress(data.receive_address), null, 2) }] };
+        logAudit({ ts: new Date().toISOString(), tool: "create_receive_address", transport, args_summary: { currency }, success: true });
+        return result;
     }
     catch (err) {
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
-        return {
-            content: [{ type: "text", text: JSON.stringify(msg) }],
-            isError: true,
-        };
+        const result = { content: [{ type: "text", text: JSON.stringify(msg) }], isError: true };
+        logAudit({ ts: new Date().toISOString(), tool: "create_receive_address", transport, args_summary: { currency }, success: false, error_code: msg.code });
+        return result;
     }
 }
 export function register(server, client) {
@@ -156,6 +177,9 @@ export function register(server, client) {
     }, (args) => handleGetReceiveAddress(args, client));
     server.tool(createReceiveAddressToolSchema.name, createReceiveAddressToolSchema.description, {
         currency: z.string().min(2).max(10).describe("Currency code (e.g. 'BTC', 'ETH')."),
+        confirmation_token: z
+            .string()
+            .describe("Safety confirmation. Must equal exactly 'CONFIRM' (case-sensitive) to generate a new address."),
     }, (args) => handleCreateReceiveAddress(args, client));
 }
 //# sourceMappingURL=receive_addresses.js.map

package/dist/tools/remittance_recipients.js

@@ -69,7 +69,7 @@ export async function handleListRemittanceRecipients(args, client) {
     }
     catch (err) {
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
         return {
             content: [{ type: "text", text: JSON.stringify(msg) }],
@@ -86,7 +86,7 @@ export async function handleGetRemittanceRecipient(args, client) {
     }
     catch (err) {
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
         return {
             content: [{ type: "text", text: JSON.stringify(msg) }],

package/dist/tools/remittances.d.ts

@@ -35,6 +35,10 @@ export declare const quoteRemittanceToolSchema: {
                 type: string;
                 description: string;
             };
+            confirmation_token: {
+                type: string;
+                description: string;
+            };
         };
         required: string[];
     };
@@ -94,7 +98,8 @@ export declare function handleQuoteRemittance(args: {
     currency: string;
     amount: number;
     recipient_id: number;
-}, client: BudaClient): Promise<{
+    confirmation_token: string;
+}, client: BudaClient, transport?: "http" | "stdio"): Promise<{
     content: Array<{
         type: "text";
         text: string;
@@ -104,7 +109,7 @@ export declare function handleQuoteRemittance(args: {
 export declare function handleAcceptRemittanceQuote(args: {
     id: number;
     confirmation_token: string;
-}, client: BudaClient): Promise<{
+}, client: BudaClient, transport?: "http" | "stdio"): Promise<{
     content: Array<{
         type: "text";
         text: string;

package/dist/tools/remittances.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"remittances.d.ts","sourceRoot":"","sources":["../../src/tools/remittances.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AAKxD,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;CAoBrC,CAAC;AAEF,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;CA4BrC,CAAC;AAEF,eAAO,MAAM,+BAA+B;;;;;;;;;;;;;;;;;CAuB3C,CAAC;AAEF,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;CAiBnC,CAAC;AAgBF,wBAAsB,qBAAqB,CACzC,IAAI,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,EACrC,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAoChF;AAED,wBAAsB,mBAAmB,CACvC,IAAI,EAAE;IAAE,EAAE,EAAE,MAAM,CAAA;CAAE,EACpB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAgBhF;AAED,wBAAsB,qBAAqB,CACzC,IAAI,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,CAAA;CAAE,EAChE,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAgChF;AAED,wBAAsB,2BAA2B,CAC/C,IAAI,EAAE;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,kBAAkB,EAAE,MAAM,CAAA;CAAE,EAChD,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAqChF;AAED,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,GAAG,IAAI,CAwCpE"}
+{"version":3,"file":"remittances.d.ts","sourceRoot":"","sources":["../../src/tools/remittances.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AAMxD,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;CAoBrC,CAAC;AAEF,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;CAiCrC,CAAC;AAEF,eAAO,MAAM,+BAA+B;;;;;;;;;;;;;;;;;CAuB3C,CAAC;AAEF,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;CAiBnC,CAAC;AAgBF,wBAAsB,qBAAqB,CACzC,IAAI,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,EACrC,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAoChF;AAED,wBAAsB,mBAAmB,CACvC,IAAI,EAAE;IAAE,EAAE,EAAE,MAAM,CAAA;CAAE,EACpB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAgBhF;AAED,wBAAsB,qBAAqB,CACzC,IAAI,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,CAAC;IAAC,kBAAkB,EAAE,MAAM,CAAA;CAAE,EAC5F,MAAM,EAAE,UAAU,EAClB,SAAS,GAAE,MAAM,GAAG,OAAiB,GACpC,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAiDhF;AAED,wBAAsB,2BAA2B,CAC/C,IAAI,EAAE;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,kBAAkB,EAAE,MAAM,CAAA;CAAE,EAChD,MAAM,EAAE,UAAU,EAClB,SAAS,GAAE,MAAM,GAAG,OAAiB,GACpC,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAoChF;AAED,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,GAAG,IAAI,CA2CpE"}

package/dist/tools/remittances.js

@@ -2,6 +2,7 @@ import { z } from "zod";
 import { BudaApiError } from "../client.js";
 import { flattenAmount } from "../utils.js";
 import { validateCurrency } from "../validation.js";
+import { logAudit } from "../audit.js";
 export const listRemittancesToolSchema = {
     name: "list_remittances",
     description: "Returns all fiat remittance transfers for the authenticated Buda.com account. " +
@@ -28,7 +29,8 @@ export const quoteRemittanceToolSchema = {
         "Requests a price quote for a fiat remittance to a saved recipient. " +
         "Returns a remittance object in 'quoted' state with an expiry timestamp. " +
         "NOT idempotent — creates a new remittance record each call. " +
-        "To execute, call accept_remittance_quote with the returned ID before it expires. " +
+        "IMPORTANT: Pass confirmation_token='CONFIRM' to execute. " +
+        "To execute the transfer, call accept_remittance_quote with the returned ID before it expires. " +
         "Requires BUDA_API_KEY and BUDA_API_SECRET. " +
         "Example: 'Get a remittance quote to send 100000 CLP to recipient 5.'",
     inputSchema: {
@@ -46,8 +48,12 @@ export const quoteRemittanceToolSchema = {
                 type: "number",
                 description: "ID of the saved remittance recipient.",
             },
+            confirmation_token: {
+                type: "string",
+                description: "Safety confirmation. Must equal exactly 'CONFIRM' (case-sensitive) to create the quote.",
+            },
         },
-        required: ["currency", "amount", "recipient_id"],
+        required: ["currency", "amount", "recipient_id", "confirmation_token"],
     },
 };
 export const acceptRemittanceQuoteToolSchema = {
@@ -125,7 +131,7 @@ export async function handleListRemittances(args, client) {
     }
     catch (err) {
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
         return {
             content: [{ type: "text", text: JSON.stringify(msg) }],
@@ -142,7 +148,7 @@ export async function handleGetRemittance(args, client) {
     }
     catch (err) {
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
         return {
             content: [{ type: "text", text: JSON.stringify(msg) }],
@@ -150,8 +156,24 @@ export async function handleGetRemittance(args, client) {
         };
     }
 }
-export async function handleQuoteRemittance(args, client) {
-    const { currency, amount, recipient_id } = args;
+export async function handleQuoteRemittance(args, client, transport = "stdio") {
+    const { currency, amount, recipient_id, confirmation_token } = args;
+    if (confirmation_token !== "CONFIRM") {
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: JSON.stringify({
+                        error: "Remittance quote not created. confirmation_token must equal 'CONFIRM' to execute. " +
+                            "Review the details and set confirmation_token='CONFIRM' to proceed.",
+                        code: "CONFIRMATION_REQUIRED",
+                        preview: { currency, amount, recipient_id },
+                    }),
+                },
+            ],
+            isError: true,
+        };
+    }
     const validationError = validateCurrency(currency);
     if (validationError) {
         return {
@@ -167,21 +189,20 @@ export async function handleQuoteRemittance(args, client) {
                 recipient_id,
             },
         });
-        return {
-            content: [{ type: "text", text: JSON.stringify(normalizeRemittance(data.remittance), null, 2) }],
-        };
+        const result = { content: [{ type: "text", text: JSON.stringify(normalizeRemittance(data.remittance), null, 2) }] };
+        logAudit({ ts: new Date().toISOString(), tool: "quote_remittance", transport, args_summary: { currency, amount, recipient_id }, success: true });
+        return result;
     }
     catch (err) {
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
-        return {
-            content: [{ type: "text", text: JSON.stringify(msg) }],
-            isError: true,
-        };
+        const result = { content: [{ type: "text", text: JSON.stringify(msg) }], isError: true };
+        logAudit({ ts: new Date().toISOString(), tool: "quote_remittance", transport, args_summary: { currency, amount, recipient_id }, success: false, error_code: msg.code });
+        return result;
     }
 }
-export async function handleAcceptRemittanceQuote(args, client) {
+export async function handleAcceptRemittanceQuote(args, client, transport = "stdio") {
     const { id, confirmation_token } = args;
     if (confirmation_token !== "CONFIRM") {
         return {
@@ -202,18 +223,17 @@ export async function handleAcceptRemittanceQuote(args, client) {
         const data = await client.put(`/remittances/${id}`, {
             remittance: { state: "confirming" },
         });
-        return {
-            content: [{ type: "text", text: JSON.stringify(normalizeRemittance(data.remittance), null, 2) }],
-        };
+        const result = { content: [{ type: "text", text: JSON.stringify(normalizeRemittance(data.remittance), null, 2) }] };
+        logAudit({ ts: new Date().toISOString(), tool: "accept_remittance_quote", transport, args_summary: { remittance_id: id }, success: true });
+        return result;
     }
     catch (err) {
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
-        return {
-            content: [{ type: "text", text: JSON.stringify(msg) }],
-            isError: true,
-        };
+        const result = { content: [{ type: "text", text: JSON.stringify(msg) }], isError: true };
+        logAudit({ ts: new Date().toISOString(), tool: "accept_remittance_quote", transport, args_summary: { remittance_id: id }, success: false, error_code: msg.code });
+        return result;
     }
 }
 export function register(server, client) {
@@ -228,6 +248,9 @@ export function register(server, client) {
         currency: z.string().min(2).max(10).describe("Fiat currency code (e.g. 'CLP', 'COP')."),
         amount: z.number().positive().describe("Amount to remit (positive number)."),
         recipient_id: z.number().int().positive().describe("ID of the saved remittance recipient."),
+        confirmation_token: z
+            .string()
+            .describe("Safety confirmation. Must equal exactly 'CONFIRM' (case-sensitive) to create the quote."),
     }, (args) => handleQuoteRemittance(args, client));
     server.tool(acceptRemittanceQuoteToolSchema.name, acceptRemittanceQuoteToolSchema.description, {
         id: z.number().int().positive().describe("The numeric ID of the remittance quote to accept."),

package/dist/tools/simulate_order.js

@@ -110,7 +110,7 @@ export async function handleSimulateOrder(args, client, cache) {
     }
     catch (err) {
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
         return {
             content: [{ type: "text", text: JSON.stringify(msg) }],

package/dist/tools/spread.js

@@ -67,7 +67,7 @@ export function register(server, client, cache) {
         }
         catch (err) {
             const msg = err instanceof BudaApiError
-                ? { error: err.message, code: err.status, path: err.path }
+                ? { error: err.message, code: err.status }
                 : { error: String(err), code: "UNKNOWN" };
             return {
                 content: [{ type: "text", text: JSON.stringify(msg) }],

package/dist/tools/technical_indicators.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"technical_indicators.d.ts","sourceRoot":"","sources":["../../src/tools/technical_indicators.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AAKxD,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;;;;;CA8BtB,CAAC;AAsGF,KAAK,uBAAuB,GAAG;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,IAAI,GAAG,KAAK,GAAG,KAAK,GAAG,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC;IAClD,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,wBAAsB,yBAAyB,CAC7C,IAAI,EAAE,uBAAuB,EAC7B,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CA2GhF;AAED,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,GAAG,IAAI,CAyBpE"}
+{"version":3,"file":"technical_indicators.d.ts","sourceRoot":"","sources":["../../src/tools/technical_indicators.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AAKxD,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;;;;;CA8BtB,CAAC;AAsGF,KAAK,uBAAuB,GAAG;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,IAAI,GAAG,KAAK,GAAG,KAAK,GAAG,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC;IAClD,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,wBAAsB,yBAAyB,CAC7C,IAAI,EAAE,uBAAuB,EAC7B,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CA4GhF;AAED,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,GAAG,IAAI,CAyBpE"}

package/dist/tools/technical_indicators.js

@@ -146,7 +146,7 @@ export async function handleTechnicalIndicators(args, client) {
         const macdResult = macd(closes, 12, 26, 9);
         const bbResult = bollingerBands(closes, 20, 2);
         const sma20 = parseFloat(sma(closes, 20).toFixed(2));
-        const sma50 = parseFloat(sma(closes, 50).toFixed(2));
+        const sma50 = closes.length >= 50 ? parseFloat(sma(closes, 50).toFixed(2)) : null;
         const lastClose = closes[closes.length - 1];
         // Signal interpretations
         const rsiSignal = rsiValue !== null && rsiValue > 70
@@ -180,6 +180,7 @@ export async function handleTechnicalIndicators(args, client) {
                 bollinger_bands: bbResult,
                 sma_20: sma20,
                 sma_50: sma50,
+                sma_50_warning: sma50 === null ? `insufficient data (need 50 candles, have ${closes.length})` : undefined,
             },
             signals: {
                 rsi_signal: rsiSignal,
@@ -194,7 +195,7 @@ export async function handleTechnicalIndicators(args, client) {
     }
     catch (err) {
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
         return {
             content: [{ type: "text", text: JSON.stringify(msg) }],

package/dist/tools/ticker.js

@@ -60,7 +60,7 @@ export function register(server, client, cache) {
         }
         catch (err) {
             const msg = err instanceof BudaApiError
-                ? { error: err.message, code: err.status, path: err.path }
+                ? { error: err.message, code: err.status }
                 : { error: String(err), code: "UNKNOWN" };
             return {
                 content: [{ type: "text", text: JSON.stringify(msg) }],

package/dist/tools/trades.js

@@ -76,7 +76,7 @@ export function register(server, client, _cache) {
         }
         catch (err) {
             const msg = err instanceof BudaApiError
-                ? { error: err.message, code: err.status, path: err.path }
+                ? { error: err.message, code: err.status }
                 : { error: String(err), code: "UNKNOWN" };
             return {
                 content: [{ type: "text", text: JSON.stringify(msg) }],

package/dist/tools/volume.js

@@ -55,7 +55,7 @@ export function register(server, client, _cache) {
         }
         catch (err) {
             const msg = err instanceof BudaApiError
-                ? { error: err.message, code: err.status, path: err.path }
+                ? { error: err.message, code: err.status }
                 : { error: String(err), code: "UNKNOWN" };
             return {
                 content: [{ type: "text", text: JSON.stringify(msg) }],

package/dist/tools/withdrawals.d.ts

@@ -81,7 +81,7 @@ type CreateWithdrawalArgs = {
     bank_account_id?: number;
     confirmation_token: string;
 };
-export declare function handleCreateWithdrawal(args: CreateWithdrawalArgs, client: BudaClient): Promise<{
+export declare function handleCreateWithdrawal(args: CreateWithdrawalArgs, client: BudaClient, transport?: "http" | "stdio"): Promise<{
     content: Array<{
         type: "text";
         text: string;

package/dist/tools/withdrawals.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"withdrawals.d.ts","sourceRoot":"","sources":["../../src/tools/withdrawals.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AAKxD,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;;CA8B1C,CAAC;AAEF,KAAK,wBAAwB,GAAG;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,mBAAmB,GAAG,SAAS,GAAG,WAAW,GAAG,UAAU,GAAG,SAAS,CAAC;IAC/E,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;CACf,CAAC;AAqBF,wBAAsB,0BAA0B,CAC9C,IAAI,EAAE,wBAAwB,EAC9B,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CA+ChF;AAED,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAsBtC,CAAC;AAEF,KAAK,oBAAoB,GAAG;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF,wBAAsB,sBAAsB,CAC1C,IAAI,EAAE,oBAAoB,EAC1B,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAyFhF;AAED,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,GAAG,IAAI,CA+BpE"}
+{"version":3,"file":"withdrawals.d.ts","sourceRoot":"","sources":["../../src/tools/withdrawals.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AAMxD,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;;CA8B1C,CAAC;AAEF,KAAK,wBAAwB,GAAG;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,mBAAmB,GAAG,SAAS,GAAG,WAAW,GAAG,UAAU,GAAG,SAAS,CAAC;IAC/E,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;CACf,CAAC;AAqBF,wBAAsB,0BAA0B,CAC9C,IAAI,EAAE,wBAAwB,EAC9B,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CA+ChF;AAED,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAuBtC,CAAC;AAEF,KAAK,oBAAoB,GAAG;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF,wBAAsB,sBAAsB,CAC1C,IAAI,EAAE,oBAAoB,EAC1B,MAAM,EAAE,UAAU,EAClB,SAAS,GAAE,MAAM,GAAG,OAAiB,GACpC,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAkGhF;AAED,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,GAAG,IAAI,CA+BpE"}

package/dist/tools/withdrawals.js

@@ -1,7 +1,8 @@
 import { z } from "zod";
 import { BudaApiError } from "../client.js";
-import { validateCurrency } from "../validation.js";
+import { validateCurrency, validateCryptoAddress } from "../validation.js";
 import { flattenAmount } from "../utils.js";
+import { logAudit } from "../audit.js";
 export const getWithdrawalHistoryToolSchema = {
     name: "get_withdrawal_history",
     description: "Returns withdrawal history for a currency on the authenticated Buda.com account. " +
@@ -81,7 +82,7 @@ export async function handleGetWithdrawalHistory(args, client) {
     }
     catch (err) {
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
         return {
             content: [{ type: "text", text: JSON.stringify(msg) }],
@@ -93,6 +94,7 @@ export const createWithdrawalToolSchema = {
     name: "create_withdrawal",
     description: "Create a withdrawal on Buda.com. Supports both crypto (address) and fiat (bank_account_id) withdrawals. " +
         "Exactly one of address or bank_account_id must be provided. " +
+        "WARNING: Crypto withdrawals are irreversible — verify the destination address carefully before confirming. " +
         "IMPORTANT: Pass confirmation_token='CONFIRM' to execute. " +
         "Requires BUDA_API_KEY and BUDA_API_SECRET.",
     inputSchema: {
@@ -111,7 +113,7 @@ export const createWithdrawalToolSchema = {
         required: ["currency", "amount", "confirmation_token"],
     },
 };
-export async function handleCreateWithdrawal(args, client) {
+export async function handleCreateWithdrawal(args, client, transport = "stdio") {
     const { currency, amount, address, network, bank_account_id, confirmation_token } = args;
     if (confirmation_token !== "CONFIRM") {
         return {
@@ -166,6 +168,15 @@ export async function handleCreateWithdrawal(args, client) {
             isError: true,
         };
     }
+    if (hasAddress) {
+        const addrError = validateCryptoAddress(address, currency);
+        if (addrError) {
+            return {
+                content: [{ type: "text", text: JSON.stringify({ error: addrError, code: "INVALID_ADDRESS" }) }],
+                isError: true,
+            };
+        }
+    }
     try {
         const payload = { amount: String(amount) };
         if (hasAddress) {
@@ -177,18 +188,17 @@ export async function handleCreateWithdrawal(args, client) {
             payload.bank_account_id = bank_account_id;
         }
         const data = await client.post(`/currencies/${currency.toUpperCase()}/withdrawals`, payload);
-        return {
-            content: [{ type: "text", text: JSON.stringify(normalizeWithdrawal(data.withdrawal), null, 2) }],
-        };
+        const result = { content: [{ type: "text", text: JSON.stringify(normalizeWithdrawal(data.withdrawal), null, 2) }] };
+        logAudit({ ts: new Date().toISOString(), tool: "create_withdrawal", transport, args_summary: { currency, amount, type: hasAddress ? "crypto" : "fiat" }, success: true });
+        return result;
     }
     catch (err) {
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
-        return {
-            content: [{ type: "text", text: JSON.stringify(msg) }],
-            isError: true,
-        };
+        const result = { content: [{ type: "text", text: JSON.stringify(msg) }], isError: true };
+        logAudit({ ts: new Date().toISOString(), tool: "create_withdrawal", transport, args_summary: { currency, amount, type: hasAddress ? "crypto" : "fiat" }, success: false, error_code: msg.code });
+        return result;
     }
 }
 export function register(server, client) {

package/dist/utils.d.ts

@@ -1,4 +1,14 @@
 import type { Amount, OhlcvCandle } from "./types.js";
+/**
+ * Constant-time string comparison to prevent timing attacks on bearer tokens.
+ */
+export declare function safeTokenEqual(a: string, b: string): boolean;
+/**
+ * Parses a raw string (from an environment variable) as an integer within [min, max].
+ * Returns the fallback when raw is undefined.
+ * Throws a descriptive Error if the value is non-numeric or out of range.
+ */
+export declare function parseEnvInt(raw: string | undefined, fallback: number, min: number, max: number, name: string): number;
 /**
  * Flattens a Buda API Amount tuple [value_string, currency] into a typed object.
  * All numeric strings are cast to float via parseFloat.

package/dist/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../src/utils.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAEtD;;;GAGG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAEjF;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAI/E;AAWD;;;;GAIG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,EAC3C,MAAM,EAAE,MAAM,GACb,WAAW,EAAE,CAoCf"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../src/utils.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAEtD;;GAEG;AACH,wBAAgB,cAAc,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAK5D;AAED;;;;GAIG;AACH,wBAAgB,WAAW,CACzB,GAAG,EAAE,MAAM,GAAG,SAAS,EACvB,QAAQ,EAAE,MAAM,EAChB,GAAG,EAAE,MAAM,EACX,GAAG,EAAE,MAAM,EACX,IAAI,EAAE,MAAM,GACX,MAAM,CASR;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAIjF;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAI/E;AAWD;;;;GAIG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,EAC3C,MAAM,EAAE,MAAM,GACb,WAAW,EAAE,CAoCf"}

package/dist/utils.js

@@ -1,9 +1,37 @@
+import { timingSafeEqual } from "crypto";
+/**
+ * Constant-time string comparison to prevent timing attacks on bearer tokens.
+ */
+export function safeTokenEqual(a, b) {
+    const aBuf = Buffer.from(a);
+    const bBuf = Buffer.from(b);
+    if (aBuf.length !== bBuf.length)
+        return false;
+    return timingSafeEqual(aBuf, bBuf);
+}
+/**
+ * Parses a raw string (from an environment variable) as an integer within [min, max].
+ * Returns the fallback when raw is undefined.
+ * Throws a descriptive Error if the value is non-numeric or out of range.
+ */
+export function parseEnvInt(raw, fallback, min, max, name) {
+    if (raw === undefined)
+        return fallback;
+    const n = parseInt(raw, 10);
+    if (isNaN(n) || n < min || n > max) {
+        throw new Error(`[buda-mcp] Invalid ${name} "${raw}". Must be an integer between ${min} and ${max}.`);
+    }
+    return n;
+}
 /**
  * Flattens a Buda API Amount tuple [value_string, currency] into a typed object.
  * All numeric strings are cast to float via parseFloat.
  */
 export function flattenAmount(amount) {
-    return { value: parseFloat(amount[0]), currency: amount[1] };
+    const value = parseFloat(amount[0]);
+    if (isNaN(value))
+        throw new Error(`Invalid amount value: "${amount[0]}"`);
+    return { value, currency: amount[1] };
 }
 /**
  * Returns a liquidity rating based on the bid/ask spread percentage.

package/dist/validation.d.ts

@@ -8,4 +8,10 @@ export declare function validateMarketId(id: string): string | null;
  * Returns an error message string if invalid, or null if valid.
  */
 export declare function validateCurrency(id: string): string | null;
+/**
+ * Validates a crypto withdrawal address against known per-currency formats.
+ * Returns an error message string if the address is invalid, or null if valid
+ * (including null for unknown currencies, where the exchange is the last line of defence).
+ */
+export declare function validateCryptoAddress(address: string, currency: string): string | null;
 //# sourceMappingURL=validation.d.ts.map

package/dist/validation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../src/validation.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAS1D;AAID;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAQ1D"}
+{"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../src/validation.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAS1D;AAID;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAQ1D;AAcD;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAUtF"}

package/dist/validation.js

@@ -23,4 +23,30 @@ export function validateCurrency(id) {
     }
     return null;
 }
+// Per-currency address format rules.
+// Unknown currencies pass through (undefined rule) — the exchange validates those.
+const ADDRESS_RULES = {
+    BTC: /^(bc1[a-z0-9]{6,87}|[13][a-zA-HJ-NP-Z0-9]{25,34})$/,
+    ETH: /^0x[0-9a-fA-F]{40}$/,
+    USDC: /^0x[0-9a-fA-F]{40}$/,
+    USDT: /^0x[0-9a-fA-F]{40}$/,
+    LTC: /^(ltc1[a-z0-9]{6,87}|[LM3][a-zA-HJ-NP-Z0-9]{25,34})$/,
+    BCH: /^(bitcoincash:)?[qp][a-z0-9]{41}$/,
+    XRP: /^r[1-9A-HJ-NP-Za-km-z]{24,33}$/,
+};
+/**
+ * Validates a crypto withdrawal address against known per-currency formats.
+ * Returns an error message string if the address is invalid, or null if valid
+ * (including null for unknown currencies, where the exchange is the last line of defence).
+ */
+export function validateCryptoAddress(address, currency) {
+    const rule = ADDRESS_RULES[currency.toUpperCase()];
+    if (!rule)
+        return null;
+    if (!rule.test(address)) {
+        return (`Invalid ${currency.toUpperCase()} address format. ` +
+            `Double-check the destination address — crypto withdrawals are irreversible.`);
+    }
+    return null;
+}
 //# sourceMappingURL=validation.js.map

package/dist/version.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"version.d.ts","sourceRoot":"","sources":["../src/version.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,OAAO,EAAE,MAEb,CAAC"}
+{"version":3,"file":"version.d.ts","sourceRoot":"","sources":["../src/version.ts"],"names":[],"mappings":"AAeA,eAAO,MAAM,OAAO,EAAE,MAAiB,CAAC"}

package/dist/version.js

@@ -2,5 +2,12 @@ import { readFileSync } from "fs";
 import { fileURLToPath } from "url";
 import { dirname, join } from "path";
 const _dir = dirname(fileURLToPath(import.meta.url));
-export const VERSION = JSON.parse(readFileSync(join(_dir, "../package.json"), "utf8")).version;
+let _version = "unknown";
+try {
+    _version = JSON.parse(readFileSync(join(_dir, "../package.json"), "utf8")).version;
+}
+catch {
+    // package.json not found in deployment — use fallback
+}
+export const VERSION = _version;
 //# sourceMappingURL=version.js.map

package/marketplace/README.md

@@ -1,4 +1,4 @@
-# Marketplace Submission Assets — v1.5.0
+# Marketplace Submission Assets — v1.5.1
 
 Ready-to-use assets for submitting buda-mcp to every major AI marketplace.
 Replace `gtorreal` / `gtorreal` with your actual handles before submitting.