@guiie/buda-mcp 1.5.1 → 1.5.2

package/CHANGELOG.md

@@ -11,6 +11,41 @@ This project uses [Semantic Versioning](https://semver.org/).
 
 ---
 
+## [1.5.2] – 2026-04-11
+
+### Security
+
+- **Trust proxy configured for Railway** — added `app.set("trust proxy", 1)` to Express before any middleware. Without this, `express-rate-limit` saw the proxy IP for every request instead of the real client IP, making per-IP rate limiting effectively useless in the Railway deployment.
+
+- **Constant-time bearer token comparison** — `mcpAuthMiddleware` now uses `crypto.timingSafeEqual` via a new `safeTokenEqual()` helper (exported from `src/utils.ts`) instead of plain string equality, eliminating the theoretical timing side-channel on the `MCP_AUTH_TOKEN` comparison.
+
+- **PORT and MCP_RATE_LIMIT startup validation** — both environment variables are now parsed through a new `parseEnvInt(raw, fallback, min, max, name)` helper that throws a descriptive error and exits on `NaN` or out-of-range values, preventing silent misconfigurations (e.g. `MCP_RATE_LIMIT=abc` previously resolved to `NaN` and could disable the rate limiter).
+
+- **MCP_AUTH_TOKEN entropy warning** — server now emits a `console.warn` at startup if `MCP_AUTH_TOKEN` is set but shorter than 32 characters, nudging operators toward adequately random secrets.
+
+- **Dead man's switch fully isolated to stdio transport** — `renew_cancel_timer` and `disarm_cancel_timer` now also return `TRANSPORT_NOT_SUPPORTED` on HTTP transport (previously only `schedule_cancel_all` was blocked). An attacker with HTTP access could previously disarm or renew a timer armed via the stdio process, since both share the same module-level `timers` Map.
+
+- **Input validation in `compare_markets`** — `base_currency` is now validated with `validateCurrency()` before fetching tickers, consistent with all other tools that accept a currency parameter. Arbitrary-length strings no longer reach the cache or API.
+
+- **BOLT-11 invoice regex strengthened** — regex updated from `/^ln(bc|tb|bcrt)\d/i` to `/^ln(bc|tb|bcrt)\d*[munp]?1[a-z0-9]{20,}$/i`. The new pattern requires the bech32 separator `1`, at least 20 characters of bech32 data after it, and anchors at `$` — rejecting malformed strings that happen to start with the right prefix.
+
+- **API path redaction from error responses** — removed the `path` field from all `BudaApiError` catch blocks across 31 tool handlers. The field was included in MCP tool responses, leaking internal API endpoint patterns (e.g. `/currencies/BTC/withdrawals`) to clients. The `path` property still exists on `BudaApiError` for internal use in audit logs.
+
+- **Structured audit logging for destructive operations** — new `src/audit.ts` module with `logAudit(event: AuditEvent)` writes newline-delimited JSON to `process.stderr` for all 11 handlers with financial side-effects: `place_order`, `cancel_order`, `cancel_all_orders`, `cancel_order_by_client_id`, `place_batch_orders`, `create_withdrawal`, `lightning_withdrawal`, `create_receive_address`, `quote_remittance`, `accept_remittance_quote`, `schedule_cancel_all`. Audit events include `ts`, `tool`, `transport`, `args_summary` (sanitized — never includes `confirmation_token`, `invoice`, or `address`), `success`, and `error_code`. Each handler exposes an optional `transport` parameter (default `"stdio"`) for future HTTP-aware logging.
+
+### Added
+
+- **`safeTokenEqual(a, b)` utility** — exported from `src/utils.ts`; constant-time string comparison using `crypto.timingSafeEqual`. Usable by any future code that compares secrets.
+- **`parseEnvInt(raw, fallback, min, max, name)` utility** — exported from `src/utils.ts`; safe environment variable integer parsing with range validation. Used for `PORT` and `MCP_RATE_LIMIT` at startup.
+- **`handleCompareMarkets` exported handler** — `compare_markets.ts` logic extracted from the inline registration closure into a named, exported function for unit testability.
+
+### Tests
+
+- **+28 unit tests** covering all new security behaviors: `safeTokenEqual` (5 cases), `parseEnvInt` (6 cases), `handleCompareMarkets` validateCurrency guard (4 cases), improved BOLT-11 regex (3 cases), DMS HTTP transport guard for renew and disarm (4 cases), `logAudit` output format and secret redaction (3 cases), audit integration with `handlePlaceOrder` (1 case), `path` field absence in error responses (2 cases).
+- **Updated 3 existing test fixtures** — replaced placeholder invoice string `"lnbc1000u1ptest..."` (which contained dots — invalid bech32) with a well-formed test value that satisfies the improved BOLT-11 regex.
+
+---
+
 ## [1.5.1] – 2026-04-11
 
 ### Security

package/PUBLISH_CHECKLIST.md

@@ -1,6 +1,6 @@
-# Publish Checklist — buda-mcp v1.5.1
+# Publish Checklist — buda-mcp v1.5.2
 
-Steps to publish `v1.5.1` to npm, the MCP registry, and notify community directories.
+Steps to publish `v1.5.2` to npm, the MCP registry, and notify community directories.
 
 ---
 
@@ -8,7 +8,7 @@ Steps to publish `v1.5.1` to npm, the MCP registry, and notify community directo
 
 ```bash
 # Confirm version
-node -e "console.log(require('./package.json').version)"  # should print 1.5.1
+node -e "console.log(require('./package.json').version)"  # should print 1.5.2
 
 # Build and test
 npm run build
@@ -37,9 +37,9 @@ Verify: https://www.npmjs.com/package/@guiie/buda-mcp
 
 ## 3. GitHub release
 
-Tag and release already created via `gh release create v1.5.1`. Verify at:
+Tag and release already created via `gh release create v1.5.2`. Verify at:
 
-https://github.com/gtorreal/buda-mcp/releases/tag/v1.5.1
+https://github.com/gtorreal/buda-mcp/releases/tag/v1.5.2
 
 ---
 
@@ -64,20 +64,23 @@ Verify: https://smithery.ai/server/@guiie/buda-mcp
 **Email/message template:**
 
 ```
-Subject: [Update] buda-mcp v1.5.1 — Security hardening release
+Subject: [Update] buda-mcp v1.5.2 — Security hardening (second pass)
 
 Hi mcp.so team,
 
-I've released v1.5.1 of buda-mcp (@guiie/buda-mcp on npm).
+I've released v1.5.2 of buda-mcp (@guiie/buda-mcp on npm).
 
 Key changes (security hardening, no new tools):
-- HTTP startup guard: server exits if credentials are set without MCP_AUTH_TOKEN
-- Rate limiting: 120 req/min per IP on /mcp (configurable via MCP_RATE_LIMIT)
-- Crypto address validation in create_withdrawal (BTC, ETH, USDC, USDT, LTC, BCH, XRP)
-- BOLT-11 invoice format validation in lightning_withdrawal
-- Dead man's switch blocked on HTTP transport (process restarts drop timers)
-- place_batch_orders: optional max_notional spending cap
-- 156 unit tests (was 136)
+- Constant-time token comparison (timing-safe Bearer token auth)
+- Strict environment variable validation (PORT, MCP_RATE_LIMIT) with safe exit on bad config
+- MCP_AUTH_TOKEN entropy warning (< 32 chars)
+- trust proxy support for correct client IP detection behind reverse proxies
+- Audit logging for all 11 destructive tool handlers (structured JSON to stderr)
+- Dead man's switch: renew/disarm also blocked on HTTP transport
+- validateCurrency() added to compare_markets tool
+- Stronger BOLT-11 regex validation in lightning_withdrawal
+- Internal API paths redacted from all error responses (31 tool handlers)
+- 28 new unit tests (total now 184)
 
 Links:
 - npm: https://www.npmjs.com/package/@guiie/buda-mcp
@@ -96,24 +99,25 @@ Thank you!
 **Message template:**
 
 ```
-Subject: [Update] buda-mcp v1.5.1
+Subject: [Update] buda-mcp v1.5.2
 
 Hi Glama team,
 
-buda-mcp has been updated to v1.5.1.
+buda-mcp has been updated to v1.5.2.
 
 Package: @guiie/buda-mcp (npm)
 Registry: io.github.gtorreal/buda-mcp (MCP Registry)
-Version: 1.5.1
-
-Changes (security hardening):
-- HTTP startup guard for missing MCP_AUTH_TOKEN
-- Rate limiting on /mcp (120 req/min per IP)
-- Crypto address format validation in create_withdrawal
-- BOLT-11 invoice validation in lightning_withdrawal
-- Dead man's switch blocked on HTTP transport
-- place_batch_orders: optional max_notional cap
-- 156 unit tests
+Version: 1.5.2
+
+Changes (security hardening, second pass):
+- Constant-time token comparison (timing-safe auth)
+- Strict env var validation (PORT, MCP_RATE_LIMIT)
+- Audit logging for all destructive handlers
+- Dead man's switch: renew/disarm also blocked on HTTP
+- validateCurrency() in compare_markets
+- Stronger BOLT-11 regex
+- Internal paths redacted from error responses
+- 184 unit tests
 
 Quick start:
   npx @guiie/buda-mcp
@@ -128,17 +132,20 @@ Thank you!
 
 ## 8. Post-publish verification
 
-- [ ] `npx @guiie/buda-mcp@1.5.1` starts successfully
-- [ ] `npm info @guiie/buda-mcp version` returns `1.5.1`
-- [ ] GitHub release tag `v1.5.1` is visible
-- [ ] MCP Registry entry reflects v1.5.1
+- [ ] `npx @guiie/buda-mcp@1.5.2` starts successfully
+- [ ] `npm info @guiie/buda-mcp version` returns `1.5.2`
+- [ ] GitHub release tag `v1.5.2` is visible
+- [ ] MCP Registry entry reflects v1.5.2
 - [ ] Smithery server card lists all tools
-- [ ] `GET /health` returns `"version":"1.5.1"` on Railway deployment
+- [ ] `GET /health` returns `"version":"1.5.2"` on Railway deployment
 - [ ] HTTP server exits if `BUDA_API_KEY` set but `MCP_AUTH_TOKEN` is absent
 - [ ] `create_withdrawal` rejects a truncated BTC address with `INVALID_ADDRESS`
 - [ ] `lightning_withdrawal` rejects a non-BOLT11 string with `INVALID_INVOICE`
 - [ ] `place_batch_orders` with `max_notional` rejects over-cap batch before API call
 - [ ] `schedule_cancel_all` via HTTP returns `TRANSPORT_NOT_SUPPORTED`
+- [ ] `renew_cancel_timer` via HTTP returns `TRANSPORT_NOT_SUPPORTED`
+- [ ] Error responses do NOT include internal `path` field
+- [ ] Audit events appear in stderr as JSON with `audit: true`
 - [ ] mcp.so listing updated
 - [ ] Glama.ai listing updated
 
@@ -146,4 +153,4 @@ Thank you!
 
 ## ARCHIVED: previous checklists
 
-See git tags `v1.5.0`, `v1.4.0`, `v1.4.1`, `v1.4.2` for previous release notes and verification steps.
+See git tags `v1.5.0`, `v1.5.1`, `v1.4.0`, `v1.4.1`, `v1.4.2` for previous release notes and verification steps.

package/dist/audit.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Structured audit logging for destructive MCP tool calls.
+ *
+ * Writes newline-delimited JSON to stderr so it never pollutes the stdio MCP transport
+ * and is captured by Railway / any log aggregator attached to the process.
+ *
+ * Rules for args_summary:
+ *   - Include: market_id, currency, price_type, type, amount ranges
+ *   - NEVER include: confirmation_token, invoice, address, bank_account_id
+ */
+export interface AuditEvent {
+    ts: string;
+    tool: string;
+    transport: "http" | "stdio";
+    ip?: string;
+    args_summary: Record<string, unknown>;
+    success: boolean;
+    error_code?: string | number;
+}
+export declare function logAudit(event: AuditEvent): void;
+//# sourceMappingURL=audit.d.ts.map

package/dist/audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC;IAC5B,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACtC,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;CAC9B;AAED,wBAAgB,QAAQ,CAAC,KAAK,EAAE,UAAU,GAAG,IAAI,CAEhD"}

package/dist/audit.js

@@ -0,0 +1,14 @@
+/**
+ * Structured audit logging for destructive MCP tool calls.
+ *
+ * Writes newline-delimited JSON to stderr so it never pollutes the stdio MCP transport
+ * and is captured by Railway / any log aggregator attached to the process.
+ *
+ * Rules for args_summary:
+ *   - Include: market_id, currency, price_type, type, amount ranges
+ *   - NEVER include: confirmation_token, invoice, address, bank_account_id
+ */
+export function logAudit(event) {
+    process.stderr.write(JSON.stringify({ audit: true, ...event }) + "\n");
+}
+//# sourceMappingURL=audit.js.map

package/dist/http.js

@@ -4,6 +4,7 @@ import { McpServer, ResourceTemplate } from "@modelcontextprotocol/sdk/server/mc
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
 import { BudaClient } from "./client.js";
 import { MemoryCache, CACHE_TTL } from "./cache.js";
+import { safeTokenEqual, parseEnvInt } from "./utils.js";
 import { VERSION } from "./version.js";
 import { validateMarketId } from "./validation.js";
 import * as markets from "./tools/markets.js";
@@ -41,7 +42,14 @@ import * as cancelOrderByClientId from "./tools/cancel_order_by_client_id.js";
 import * as batchOrders from "./tools/batch_orders.js";
 import * as lightning from "./tools/lightning.js";
 import { handleMarketSummary } from "./tools/market_summary.js";
-const PORT = parseInt(process.env.PORT ?? "3000", 10);
+let PORT;
+try {
+    PORT = parseEnvInt(process.env.PORT, 3000, 1, 65535, "PORT");
+}
+catch (err) {
+    console.error(err instanceof Error ? err.message : String(err));
+    process.exit(1);
+}
 const client = new BudaClient(undefined, process.env.BUDA_API_KEY, process.env.BUDA_API_SECRET);
 const authEnabled = client.hasAuth();
 // Schemas for the Smithery server-card — assembled from the same definitions used in register().
@@ -187,6 +195,9 @@ function createServer() {
     return server;
 }
 const app = express();
+// Required for correct client IP detection behind Railway's reverse proxy.
+// Without this, express-rate-limit sees the proxy IP instead of the real client.
+app.set("trust proxy", 1);
 app.use(express.json());
 const MCP_AUTH_TOKEN = process.env.MCP_AUTH_TOKEN;
 if (authEnabled && !MCP_AUTH_TOKEN) {
@@ -195,9 +206,20 @@ if (authEnabled && !MCP_AUTH_TOKEN) {
         "  Set MCP_AUTH_TOKEN to a long random secret, or run in stdio mode instead.");
     process.exit(1);
 }
+if (MCP_AUTH_TOKEN && MCP_AUTH_TOKEN.length < 32) {
+    console.warn("[buda-mcp] WARNING: MCP_AUTH_TOKEN has fewer than 32 characters. Use a longer random secret.");
+}
+let rateLimitMax;
+try {
+    rateLimitMax = parseEnvInt(process.env.MCP_RATE_LIMIT, 120, 1, 10_000, "MCP_RATE_LIMIT");
+}
+catch (err) {
+    console.error(err instanceof Error ? err.message : String(err));
+    process.exit(1);
+}
 const mcpRateLimiter = rateLimit({
     windowMs: 60_000,
-    max: parseInt(process.env.MCP_RATE_LIMIT ?? "120", 10),
+    max: rateLimitMax,
     standardHeaders: true,
     legacyHeaders: false,
     message: { error: "Too many requests. Retry after 60 seconds.", code: "RATE_LIMITED" },
@@ -208,7 +230,7 @@ function mcpAuthMiddleware(req, res, next) {
         return;
     }
     const auth = req.headers.authorization ?? "";
-    if (auth !== `Bearer ${MCP_AUTH_TOKEN}`) {
+    if (!safeTokenEqual(auth, `Bearer ${MCP_AUTH_TOKEN}`)) {
         res.status(401).json({ error: "Unauthorized" });
         return;
     }

package/dist/tools/account.js

@@ -35,7 +35,7 @@ export async function handleGetAccountInfo(client) {
     }
     catch (err) {
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
         return {
             content: [{ type: "text", text: JSON.stringify(msg) }],

package/dist/tools/arbitrage.js

@@ -118,7 +118,7 @@ export async function handleArbitrageOpportunities({ base_currency, threshold_pc
     }
     catch (err) {
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
         return {
             content: [{ type: "text", text: JSON.stringify(msg) }],

package/dist/tools/balance.js

@@ -56,7 +56,7 @@ export async function handleGetBalance(args, client) {
     }
     catch (err) {
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
         return {
             content: [{ type: "text", text: JSON.stringify(msg) }],

package/dist/tools/balances.js

@@ -39,7 +39,7 @@ export function register(server, client) {
         }
         catch (err) {
             const msg = err instanceof BudaApiError
-                ? { error: err.message, code: err.status, path: err.path }
+                ? { error: err.message, code: err.status }
                 : { error: String(err), code: "UNKNOWN" };
             return {
                 content: [{ type: "text", text: JSON.stringify(msg) }],

package/dist/tools/banks.js

@@ -52,7 +52,7 @@ export async function handleGetAvailableBanks(args, client, cache) {
             };
         }
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
         return {
             content: [{ type: "text", text: JSON.stringify(msg) }],

package/dist/tools/batch_orders.d.ts

@@ -70,7 +70,7 @@ type BatchOrdersArgs = {
     max_notional?: number;
     confirmation_token: string;
 };
-export declare function handlePlaceBatchOrders(args: BatchOrdersArgs, client: BudaClient): Promise<{
+export declare function handlePlaceBatchOrders(args: BatchOrdersArgs, client: BudaClient, transport?: "http" | "stdio"): Promise<{
     content: Array<{
         type: "text";
         text: string;

package/dist/tools/batch_orders.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"batch_orders.d.ts","sourceRoot":"","sources":["../../src/tools/batch_orders.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AAIxD,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA0CtB,CAAC;AAEF,QAAA,MAAM,UAAU;;;;;;;;;;;;iBAMd,CAAC;AAEH,KAAK,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAWnD,KAAK,eAAe,GAAG;IACrB,MAAM,EAAE,gBAAgB,EAAE,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF,wBAAsB,sBAAsB,CAC1C,IAAI,EAAE,eAAe,EACrB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAkIhF;AAED,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,GAAG,IAAI,CA2BpE"}
+{"version":3,"file":"batch_orders.d.ts","sourceRoot":"","sources":["../../src/tools/batch_orders.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AAKxD,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA0CtB,CAAC;AAEF,QAAA,MAAM,UAAU;;;;;;;;;;;;iBAMd,CAAC;AAEH,KAAK,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAWnD,KAAK,eAAe,GAAG;IACrB,MAAM,EAAE,gBAAgB,EAAE,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF,wBAAsB,sBAAsB,CAC1C,IAAI,EAAE,eAAe,EACrB,MAAM,EAAE,UAAU,EAClB,SAAS,GAAE,MAAM,GAAG,OAAiB,GACpC,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CA2IhF;AAED,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,GAAG,IAAI,CA2BpE"}

package/dist/tools/batch_orders.js

@@ -1,6 +1,7 @@
 import { z } from "zod";
 import { BudaApiError } from "../client.js";
 import { validateMarketId } from "../validation.js";
+import { logAudit } from "../audit.js";
 export const toolSchema = {
     name: "place_batch_orders",
     description: "Place multiple orders sequentially on Buda.com (up to 20). " +
@@ -48,7 +49,7 @@ const orderShape = z.object({
     amount: z.number().positive(),
     limit_price: z.number().positive().optional(),
 });
-export async function handlePlaceBatchOrders(args, client) {
+export async function handlePlaceBatchOrders(args, client, transport = "stdio") {
     const { orders, max_notional, confirmation_token } = args;
     if (confirmation_token !== "CONFIRM") {
         return {
@@ -161,9 +162,18 @@ export async function handlePlaceBatchOrders(args, client) {
     if (failed > 0 && succeeded > 0) {
         response.warning = "Some orders failed. Already-placed orders were NOT rolled back.";
     }
+    const isError = failed > 0 && succeeded === 0 ? true : undefined;
+    logAudit({
+        ts: new Date().toISOString(),
+        tool: "place_batch_orders",
+        transport,
+        args_summary: { order_count: orders.length, succeeded, failed },
+        success: !isError,
+        error_code: isError ? "PARTIAL_OR_FULL_FAILURE" : undefined,
+    });
     return {
         content: [{ type: "text", text: JSON.stringify(response, null, 2) }],
-        isError: failed > 0 && succeeded === 0 ? true : undefined,
+        isError,
     };
 }
 export function register(server, client) {

package/dist/tools/cancel_all_orders.d.ts

@@ -22,7 +22,7 @@ type CancelAllOrdersArgs = {
     market_id: string;
     confirmation_token: string;
 };
-export declare function handleCancelAllOrders(args: CancelAllOrdersArgs, client: BudaClient): Promise<{
+export declare function handleCancelAllOrders(args: CancelAllOrdersArgs, client: BudaClient, transport?: "http" | "stdio"): Promise<{
     content: Array<{
         type: "text";
         text: string;

package/dist/tools/cancel_all_orders.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cancel_all_orders.d.ts","sourceRoot":"","sources":["../../src/tools/cancel_all_orders.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AAIxD,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;CAuBtB,CAAC;AAEF,KAAK,mBAAmB,GAAG;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF,wBAAsB,qBAAqB,CACzC,IAAI,EAAE,mBAAmB,EACzB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAyDhF;AAED,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,GAAG,IAAI,CAkBpE"}
+{"version":3,"file":"cancel_all_orders.d.ts","sourceRoot":"","sources":["../../src/tools/cancel_all_orders.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AAKxD,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;CAuBtB,CAAC;AAEF,KAAK,mBAAmB,GAAG;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF,wBAAsB,qBAAqB,CACzC,IAAI,EAAE,mBAAmB,EACzB,MAAM,EAAE,UAAU,EAClB,SAAS,GAAE,MAAM,GAAG,OAAiB,GACpC,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAqDhF;AAED,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,GAAG,IAAI,CAkBpE"}

package/dist/tools/cancel_all_orders.js

@@ -1,6 +1,7 @@
 import { z } from "zod";
 import { BudaApiError } from "../client.js";
 import { validateMarketId } from "../validation.js";
+import { logAudit } from "../audit.js";
 export const toolSchema = {
     name: "cancel_all_orders",
     description: "Cancel all open orders on Buda.com, optionally filtered by a specific market. " +
@@ -23,7 +24,7 @@ export const toolSchema = {
         required: ["market_id", "confirmation_token"],
     },
 };
-export async function handleCancelAllOrders(args, client) {
+export async function handleCancelAllOrders(args, client, transport = "stdio") {
     const { market_id, confirmation_token } = args;
     if (confirmation_token !== "CONFIRM") {
         return {
@@ -55,23 +56,19 @@ export async function handleCancelAllOrders(args, client) {
     try {
         const params = market_id !== "*" ? { market_id: market_id.toLowerCase() } : undefined;
         const data = await client.delete(`/orders`, params);
-        return {
-            content: [
-                {
-                    type: "text",
-                    text: JSON.stringify({ canceled_count: data.canceled_count, market_id }),
-                },
-            ],
+        const result = {
+            content: [{ type: "text", text: JSON.stringify({ canceled_count: data.canceled_count, market_id }) }],
         };
+        logAudit({ ts: new Date().toISOString(), tool: "cancel_all_orders", transport, args_summary: { market_id }, success: true });
+        return result;
     }
     catch (err) {
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
-        return {
-            content: [{ type: "text", text: JSON.stringify(msg) }],
-            isError: true,
-        };
+        const result = { content: [{ type: "text", text: JSON.stringify(msg) }], isError: true };
+        logAudit({ ts: new Date().toISOString(), tool: "cancel_all_orders", transport, args_summary: { market_id }, success: false, error_code: msg.code });
+        return result;
     }
 }
 export function register(server, client) {

package/dist/tools/cancel_order.d.ts

@@ -22,7 +22,7 @@ type CancelOrderArgs = {
     order_id: number;
     confirmation_token: string;
 };
-export declare function handleCancelOrder(args: CancelOrderArgs, client: BudaClient): Promise<{
+export declare function handleCancelOrder(args: CancelOrderArgs, client: BudaClient, transport?: "http" | "stdio"): Promise<{
     content: Array<{
         type: "text";
         text: string;

package/dist/tools/cancel_order.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cancel_order.d.ts","sourceRoot":"","sources":["../../src/tools/cancel_order.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AAGxD,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;CAuBtB,CAAC;AAEF,KAAK,eAAe,GAAG;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF,wBAAsB,iBAAiB,CACrC,IAAI,EAAE,eAAe,EACrB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAuChF;AAED,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,GAAG,IAAI,CAmBpE"}
+{"version":3,"file":"cancel_order.d.ts","sourceRoot":"","sources":["../../src/tools/cancel_order.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AAIxD,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;CAuBtB,CAAC;AAEF,KAAK,eAAe,GAAG;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF,wBAAsB,iBAAiB,CACrC,IAAI,EAAE,eAAe,EACrB,MAAM,EAAE,UAAU,EAClB,SAAS,GAAE,MAAM,GAAG,OAAiB,GACpC,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAsChF;AAED,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,GAAG,IAAI,CAmBpE"}

package/dist/tools/cancel_order.js

@@ -1,5 +1,6 @@
 import { z } from "zod";
 import { BudaApiError } from "../client.js";
+import { logAudit } from "../audit.js";
 export const toolSchema = {
     name: "cancel_order",
     description: "Cancel an open order by ID on Buda.com. " +
@@ -22,7 +23,7 @@ export const toolSchema = {
         required: ["order_id", "confirmation_token"],
     },
 };
-export async function handleCancelOrder(args, client) {
+export async function handleCancelOrder(args, client, transport = "stdio") {
     const { order_id, confirmation_token } = args;
     if (confirmation_token !== "CONFIRM") {
         return {
@@ -44,18 +45,17 @@ export async function handleCancelOrder(args, client) {
         const data = await client.put(`/orders/${order_id}`, {
             order: { state: "canceling" },
         });
-        return {
-            content: [{ type: "text", text: JSON.stringify(data.order, null, 2) }],
-        };
+        const result = { content: [{ type: "text", text: JSON.stringify(data.order, null, 2) }] };
+        logAudit({ ts: new Date().toISOString(), tool: "cancel_order", transport, args_summary: { order_id }, success: true });
+        return result;
     }
     catch (err) {
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
-        return {
-            content: [{ type: "text", text: JSON.stringify(msg) }],
-            isError: true,
-        };
+        const result = { content: [{ type: "text", text: JSON.stringify(msg) }], isError: true };
+        logAudit({ ts: new Date().toISOString(), tool: "cancel_order", transport, args_summary: { order_id }, success: false, error_code: msg.code });
+        return result;
     }
 }
 export function register(server, client) {

package/dist/tools/cancel_order_by_client_id.d.ts

@@ -22,7 +22,7 @@ type CancelOrderByClientIdArgs = {
     client_id: string;
     confirmation_token: string;
 };
-export declare function handleCancelOrderByClientId(args: CancelOrderByClientIdArgs, client: BudaClient): Promise<{
+export declare function handleCancelOrderByClientId(args: CancelOrderByClientIdArgs, client: BudaClient, transport?: "http" | "stdio"): Promise<{
     content: Array<{
         type: "text";
         text: string;

package/dist/tools/cancel_order_by_client_id.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cancel_order_by_client_id.d.ts","sourceRoot":"","sources":["../../src/tools/cancel_order_by_client_id.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AAIxD,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;CAsBtB,CAAC;AAEF,KAAK,yBAAyB,GAAG;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAmCF,wBAAsB,2BAA2B,CAC/C,IAAI,EAAE,yBAAyB,EAC/B,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAwChF;AAED,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,GAAG,IAAI,CAkBpE"}
+{"version":3,"file":"cancel_order_by_client_id.d.ts","sourceRoot":"","sources":["../../src/tools/cancel_order_by_client_id.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AAKxD,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;CAsBtB,CAAC;AAEF,KAAK,yBAAyB,GAAG;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAmCF,wBAAsB,2BAA2B,CAC/C,IAAI,EAAE,yBAAyB,EAC/B,MAAM,EAAE,UAAU,EAClB,SAAS,GAAE,MAAM,GAAG,OAAiB,GACpC,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAuChF;AAED,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,GAAG,IAAI,CAkBpE"}

package/dist/tools/cancel_order_by_client_id.js

@@ -1,6 +1,7 @@
 import { z } from "zod";
 import { BudaApiError } from "../client.js";
 import { flattenAmount } from "../utils.js";
+import { logAudit } from "../audit.js";
 export const toolSchema = {
     name: "cancel_order_by_client_id",
     description: "Cancel an open order by its client-assigned ID on Buda.com. " +
@@ -53,7 +54,7 @@ function normalizeOrder(o) {
         paid_fee_currency: paidFee.currency,
     };
 }
-export async function handleCancelOrderByClientId(args, client) {
+export async function handleCancelOrderByClientId(args, client, transport = "stdio") {
     const { client_id, confirmation_token } = args;
     if (confirmation_token !== "CONFIRM") {
         return {
@@ -73,18 +74,17 @@ export async function handleCancelOrderByClientId(args, client) {
     }
     try {
         const data = await client.put(`/orders/by-client-id/${encodeURIComponent(client_id)}`, { order: { state: "canceling" } });
-        return {
-            content: [{ type: "text", text: JSON.stringify(normalizeOrder(data.order), null, 2) }],
-        };
+        const result = { content: [{ type: "text", text: JSON.stringify(normalizeOrder(data.order), null, 2) }] };
+        logAudit({ ts: new Date().toISOString(), tool: "cancel_order_by_client_id", transport, args_summary: {}, success: true });
+        return result;
     }
     catch (err) {
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
-        return {
-            content: [{ type: "text", text: JSON.stringify(msg) }],
-            isError: true,
-        };
+        const result = { content: [{ type: "text", text: JSON.stringify(msg) }], isError: true };
+        logAudit({ ts: new Date().toISOString(), tool: "cancel_order_by_client_id", transport, args_summary: {}, success: false, error_code: msg.code });
+        return result;
     }
 }
 export function register(server, client) {

package/dist/tools/compare_markets.d.ts

@@ -15,5 +15,14 @@ export declare const toolSchema: {
         required: string[];
     };
 };
+export declare function handleCompareMarkets(args: {
+    base_currency: string;
+}, client: BudaClient, cache: MemoryCache): Promise<{
+    content: Array<{
+        type: "text";
+        text: string;
+    }>;
+    isError?: boolean;
+}>;
 export declare function register(server: McpServer, client: BudaClient, cache: MemoryCache): void;
 //# sourceMappingURL=compare_markets.d.ts.map

package/dist/tools/compare_markets.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"compare_markets.d.ts","sourceRoot":"","sources":["../../src/tools/compare_markets.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AACxD,OAAO,EAAE,WAAW,EAAa,MAAM,aAAa,CAAC;AAGrD,eAAO,MAAM,UAAU;;;;;;;;;;;;;CAkBtB,CAAC;AAEF,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,WAAW,GAAG,IAAI,CAyExF"}
+{"version":3,"file":"compare_markets.d.ts","sourceRoot":"","sources":["../../src/tools/compare_markets.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AACxD,OAAO,EAAE,WAAW,EAAa,MAAM,aAAa,CAAC;AAIrD,eAAO,MAAM,UAAU;;;;;;;;;;;;;CAkBtB,CAAC;AAEF,wBAAsB,oBAAoB,CACxC,IAAI,EAAE;IAAE,aAAa,EAAE,MAAM,CAAA;CAAE,EAC/B,MAAM,EAAE,UAAU,EAClB,KAAK,EAAE,WAAW,GACjB,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAsEhF;AAED,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,WAAW,GAAG,IAAI,CAaxF"}