@guiie/buda-mcp 1.5.1 → 1.5.2

package/dist/tools/remittances.js

@@ -2,6 +2,7 @@ import { z } from "zod";
 import { BudaApiError } from "../client.js";
 import { flattenAmount } from "../utils.js";
 import { validateCurrency } from "../validation.js";
+import { logAudit } from "../audit.js";
 export const listRemittancesToolSchema = {
     name: "list_remittances",
     description: "Returns all fiat remittance transfers for the authenticated Buda.com account. " +
@@ -130,7 +131,7 @@ export async function handleListRemittances(args, client) {
     }
     catch (err) {
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
         return {
             content: [{ type: "text", text: JSON.stringify(msg) }],
@@ -147,7 +148,7 @@ export async function handleGetRemittance(args, client) {
     }
     catch (err) {
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
         return {
             content: [{ type: "text", text: JSON.stringify(msg) }],
@@ -155,7 +156,7 @@ export async function handleGetRemittance(args, client) {
         };
     }
 }
-export async function handleQuoteRemittance(args, client) {
+export async function handleQuoteRemittance(args, client, transport = "stdio") {
     const { currency, amount, recipient_id, confirmation_token } = args;
     if (confirmation_token !== "CONFIRM") {
         return {
@@ -188,21 +189,20 @@ export async function handleQuoteRemittance(args, client) {
                 recipient_id,
             },
         });
-        return {
-            content: [{ type: "text", text: JSON.stringify(normalizeRemittance(data.remittance), null, 2) }],
-        };
+        const result = { content: [{ type: "text", text: JSON.stringify(normalizeRemittance(data.remittance), null, 2) }] };
+        logAudit({ ts: new Date().toISOString(), tool: "quote_remittance", transport, args_summary: { currency, amount, recipient_id }, success: true });
+        return result;
     }
     catch (err) {
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
-        return {
-            content: [{ type: "text", text: JSON.stringify(msg) }],
-            isError: true,
-        };
+        const result = { content: [{ type: "text", text: JSON.stringify(msg) }], isError: true };
+        logAudit({ ts: new Date().toISOString(), tool: "quote_remittance", transport, args_summary: { currency, amount, recipient_id }, success: false, error_code: msg.code });
+        return result;
     }
 }
-export async function handleAcceptRemittanceQuote(args, client) {
+export async function handleAcceptRemittanceQuote(args, client, transport = "stdio") {
     const { id, confirmation_token } = args;
     if (confirmation_token !== "CONFIRM") {
         return {
@@ -223,18 +223,17 @@ export async function handleAcceptRemittanceQuote(args, client) {
         const data = await client.put(`/remittances/${id}`, {
             remittance: { state: "confirming" },
         });
-        return {
-            content: [{ type: "text", text: JSON.stringify(normalizeRemittance(data.remittance), null, 2) }],
-        };
+        const result = { content: [{ type: "text", text: JSON.stringify(normalizeRemittance(data.remittance), null, 2) }] };
+        logAudit({ ts: new Date().toISOString(), tool: "accept_remittance_quote", transport, args_summary: { remittance_id: id }, success: true });
+        return result;
     }
     catch (err) {
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
-        return {
-            content: [{ type: "text", text: JSON.stringify(msg) }],
-            isError: true,
-        };
+        const result = { content: [{ type: "text", text: JSON.stringify(msg) }], isError: true };
+        logAudit({ ts: new Date().toISOString(), tool: "accept_remittance_quote", transport, args_summary: { remittance_id: id }, success: false, error_code: msg.code });
+        return result;
     }
 }
 export function register(server, client) {

package/dist/tools/simulate_order.js

@@ -110,7 +110,7 @@ export async function handleSimulateOrder(args, client, cache) {
     }
     catch (err) {
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
         return {
             content: [{ type: "text", text: JSON.stringify(msg) }],

package/dist/tools/spread.js

@@ -67,7 +67,7 @@ export function register(server, client, cache) {
         }
         catch (err) {
             const msg = err instanceof BudaApiError
-                ? { error: err.message, code: err.status, path: err.path }
+                ? { error: err.message, code: err.status }
                 : { error: String(err), code: "UNKNOWN" };
             return {
                 content: [{ type: "text", text: JSON.stringify(msg) }],

package/dist/tools/technical_indicators.js

@@ -195,7 +195,7 @@ export async function handleTechnicalIndicators(args, client) {
     }
     catch (err) {
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
         return {
             content: [{ type: "text", text: JSON.stringify(msg) }],

package/dist/tools/ticker.js

@@ -60,7 +60,7 @@ export function register(server, client, cache) {
         }
         catch (err) {
             const msg = err instanceof BudaApiError
-                ? { error: err.message, code: err.status, path: err.path }
+                ? { error: err.message, code: err.status }
                 : { error: String(err), code: "UNKNOWN" };
             return {
                 content: [{ type: "text", text: JSON.stringify(msg) }],

package/dist/tools/trades.js

@@ -76,7 +76,7 @@ export function register(server, client, _cache) {
         }
         catch (err) {
             const msg = err instanceof BudaApiError
-                ? { error: err.message, code: err.status, path: err.path }
+                ? { error: err.message, code: err.status }
                 : { error: String(err), code: "UNKNOWN" };
             return {
                 content: [{ type: "text", text: JSON.stringify(msg) }],

package/dist/tools/volume.js

@@ -55,7 +55,7 @@ export function register(server, client, _cache) {
         }
         catch (err) {
             const msg = err instanceof BudaApiError
-                ? { error: err.message, code: err.status, path: err.path }
+                ? { error: err.message, code: err.status }
                 : { error: String(err), code: "UNKNOWN" };
             return {
                 content: [{ type: "text", text: JSON.stringify(msg) }],

package/dist/tools/withdrawals.d.ts

@@ -81,7 +81,7 @@ type CreateWithdrawalArgs = {
     bank_account_id?: number;
     confirmation_token: string;
 };
-export declare function handleCreateWithdrawal(args: CreateWithdrawalArgs, client: BudaClient): Promise<{
+export declare function handleCreateWithdrawal(args: CreateWithdrawalArgs, client: BudaClient, transport?: "http" | "stdio"): Promise<{
     content: Array<{
         type: "text";
         text: string;

package/dist/tools/withdrawals.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"withdrawals.d.ts","sourceRoot":"","sources":["../../src/tools/withdrawals.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AAKxD,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;;CA8B1C,CAAC;AAEF,KAAK,wBAAwB,GAAG;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,mBAAmB,GAAG,SAAS,GAAG,WAAW,GAAG,UAAU,GAAG,SAAS,CAAC;IAC/E,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;CACf,CAAC;AAqBF,wBAAsB,0BAA0B,CAC9C,IAAI,EAAE,wBAAwB,EAC9B,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CA+ChF;AAED,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAuBtC,CAAC;AAEF,KAAK,oBAAoB,GAAG;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF,wBAAsB,sBAAsB,CAC1C,IAAI,EAAE,oBAAoB,EAC1B,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAmGhF;AAED,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,GAAG,IAAI,CA+BpE"}
+{"version":3,"file":"withdrawals.d.ts","sourceRoot":"","sources":["../../src/tools/withdrawals.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AAMxD,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;;CA8B1C,CAAC;AAEF,KAAK,wBAAwB,GAAG;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,mBAAmB,GAAG,SAAS,GAAG,WAAW,GAAG,UAAU,GAAG,SAAS,CAAC;IAC/E,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;CACf,CAAC;AAqBF,wBAAsB,0BAA0B,CAC9C,IAAI,EAAE,wBAAwB,EAC9B,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CA+ChF;AAED,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAuBtC,CAAC;AAEF,KAAK,oBAAoB,GAAG;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF,wBAAsB,sBAAsB,CAC1C,IAAI,EAAE,oBAAoB,EAC1B,MAAM,EAAE,UAAU,EAClB,SAAS,GAAE,MAAM,GAAG,OAAiB,GACpC,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAkGhF;AAED,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,GAAG,IAAI,CA+BpE"}

package/dist/tools/withdrawals.js

@@ -2,6 +2,7 @@ import { z } from "zod";
 import { BudaApiError } from "../client.js";
 import { validateCurrency, validateCryptoAddress } from "../validation.js";
 import { flattenAmount } from "../utils.js";
+import { logAudit } from "../audit.js";
 export const getWithdrawalHistoryToolSchema = {
     name: "get_withdrawal_history",
     description: "Returns withdrawal history for a currency on the authenticated Buda.com account. " +
@@ -81,7 +82,7 @@ export async function handleGetWithdrawalHistory(args, client) {
     }
     catch (err) {
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
         return {
             content: [{ type: "text", text: JSON.stringify(msg) }],
@@ -112,7 +113,7 @@ export const createWithdrawalToolSchema = {
         required: ["currency", "amount", "confirmation_token"],
     },
 };
-export async function handleCreateWithdrawal(args, client) {
+export async function handleCreateWithdrawal(args, client, transport = "stdio") {
     const { currency, amount, address, network, bank_account_id, confirmation_token } = args;
     if (confirmation_token !== "CONFIRM") {
         return {
@@ -187,18 +188,17 @@ export async function handleCreateWithdrawal(args, client) {
             payload.bank_account_id = bank_account_id;
         }
         const data = await client.post(`/currencies/${currency.toUpperCase()}/withdrawals`, payload);
-        return {
-            content: [{ type: "text", text: JSON.stringify(normalizeWithdrawal(data.withdrawal), null, 2) }],
-        };
+        const result = { content: [{ type: "text", text: JSON.stringify(normalizeWithdrawal(data.withdrawal), null, 2) }] };
+        logAudit({ ts: new Date().toISOString(), tool: "create_withdrawal", transport, args_summary: { currency, amount, type: hasAddress ? "crypto" : "fiat" }, success: true });
+        return result;
     }
     catch (err) {
         const msg = err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
-        return {
-            content: [{ type: "text", text: JSON.stringify(msg) }],
-            isError: true,
-        };
+        const result = { content: [{ type: "text", text: JSON.stringify(msg) }], isError: true };
+        logAudit({ ts: new Date().toISOString(), tool: "create_withdrawal", transport, args_summary: { currency, amount, type: hasAddress ? "crypto" : "fiat" }, success: false, error_code: msg.code });
+        return result;
     }
 }
 export function register(server, client) {

package/dist/utils.d.ts

@@ -1,4 +1,14 @@
 import type { Amount, OhlcvCandle } from "./types.js";
+/**
+ * Constant-time string comparison to prevent timing attacks on bearer tokens.
+ */
+export declare function safeTokenEqual(a: string, b: string): boolean;
+/**
+ * Parses a raw string (from an environment variable) as an integer within [min, max].
+ * Returns the fallback when raw is undefined.
+ * Throws a descriptive Error if the value is non-numeric or out of range.
+ */
+export declare function parseEnvInt(raw: string | undefined, fallback: number, min: number, max: number, name: string): number;
 /**
  * Flattens a Buda API Amount tuple [value_string, currency] into a typed object.
  * All numeric strings are cast to float via parseFloat.

package/dist/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../src/utils.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAEtD;;;GAGG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAIjF;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAI/E;AAWD;;;;GAIG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,EAC3C,MAAM,EAAE,MAAM,GACb,WAAW,EAAE,CAoCf"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../src/utils.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAEtD;;GAEG;AACH,wBAAgB,cAAc,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAK5D;AAED;;;;GAIG;AACH,wBAAgB,WAAW,CACzB,GAAG,EAAE,MAAM,GAAG,SAAS,EACvB,QAAQ,EAAE,MAAM,EAChB,GAAG,EAAE,MAAM,EACX,GAAG,EAAE,MAAM,EACX,IAAI,EAAE,MAAM,GACX,MAAM,CASR;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAIjF;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAI/E;AAWD;;;;GAIG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,EAC3C,MAAM,EAAE,MAAM,GACb,WAAW,EAAE,CAoCf"}

package/dist/utils.js

@@ -1,3 +1,28 @@
+import { timingSafeEqual } from "crypto";
+/**
+ * Constant-time string comparison to prevent timing attacks on bearer tokens.
+ */
+export function safeTokenEqual(a, b) {
+    const aBuf = Buffer.from(a);
+    const bBuf = Buffer.from(b);
+    if (aBuf.length !== bBuf.length)
+        return false;
+    return timingSafeEqual(aBuf, bBuf);
+}
+/**
+ * Parses a raw string (from an environment variable) as an integer within [min, max].
+ * Returns the fallback when raw is undefined.
+ * Throws a descriptive Error if the value is non-numeric or out of range.
+ */
+export function parseEnvInt(raw, fallback, min, max, name) {
+    if (raw === undefined)
+        return fallback;
+    const n = parseInt(raw, 10);
+    if (isNaN(n) || n < min || n > max) {
+        throw new Error(`[buda-mcp] Invalid ${name} "${raw}". Must be an integer between ${min} and ${max}.`);
+    }
+    return n;
+}
 /**
  * Flattens a Buda API Amount tuple [value_string, currency] into a typed object.
  * All numeric strings are cast to float via parseFloat.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@guiie/buda-mcp",
-  "version": "1.5.1",
+  "version": "1.5.2",
   "mcpName": "io.github.gtorreal/buda-mcp",
   "description": "MCP server for Buda.com's public cryptocurrency exchange API (Chile, Colombia, Peru)",
   "type": "module",

package/server.json

@@ -6,12 +6,12 @@
     "url": "https://github.com/gtorreal/buda-mcp",
     "source": "github"
   },
-  "version": "1.5.1",
+  "version": "1.5.2",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "@guiie/buda-mcp",
-      "version": "1.5.1",
+      "version": "1.5.2",
       "transport": {
         "type": "stdio"
       }

package/src/audit.ts

@@ -0,0 +1,24 @@
+/**
+ * Structured audit logging for destructive MCP tool calls.
+ *
+ * Writes newline-delimited JSON to stderr so it never pollutes the stdio MCP transport
+ * and is captured by Railway / any log aggregator attached to the process.
+ *
+ * Rules for args_summary:
+ *   - Include: market_id, currency, price_type, type, amount ranges
+ *   - NEVER include: confirmation_token, invoice, address, bank_account_id
+ */
+
+export interface AuditEvent {
+  ts: string;
+  tool: string;
+  transport: "http" | "stdio";
+  ip?: string;
+  args_summary: Record<string, unknown>;
+  success: boolean;
+  error_code?: string | number;
+}
+
+export function logAudit(event: AuditEvent): void {
+  process.stderr.write(JSON.stringify({ audit: true, ...event }) + "\n");
+}

package/src/http.ts

@@ -4,6 +4,7 @@ import { McpServer, ResourceTemplate } from "@modelcontextprotocol/sdk/server/mc
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
 import { BudaClient } from "./client.js";
 import { MemoryCache, CACHE_TTL } from "./cache.js";
+import { safeTokenEqual, parseEnvInt } from "./utils.js";
 import { VERSION } from "./version.js";
 import { validateMarketId } from "./validation.js";
 import type { MarketsResponse, TickerResponse } from "./types.js";
@@ -43,7 +44,13 @@ import * as batchOrders from "./tools/batch_orders.js";
 import * as lightning from "./tools/lightning.js";
 import { handleMarketSummary } from "./tools/market_summary.js";
 
-const PORT = parseInt(process.env.PORT ?? "3000", 10);
+let PORT: number;
+try {
+  PORT = parseEnvInt(process.env.PORT, 3000, 1, 65535, "PORT");
+} catch (err) {
+  console.error(err instanceof Error ? err.message : String(err));
+  process.exit(1);
+}
 
 const client = new BudaClient(
   undefined,
@@ -224,6 +231,9 @@ function createServer(): McpServer {
 }
 
 const app = express();
+// Required for correct client IP detection behind Railway's reverse proxy.
+// Without this, express-rate-limit sees the proxy IP instead of the real client.
+app.set("trust proxy", 1);
 app.use(express.json());
 
 const MCP_AUTH_TOKEN = process.env.MCP_AUTH_TOKEN;
@@ -237,9 +247,23 @@ if (authEnabled && !MCP_AUTH_TOKEN) {
   process.exit(1);
 }
 
+if (MCP_AUTH_TOKEN && MCP_AUTH_TOKEN.length < 32) {
+  console.warn(
+    "[buda-mcp] WARNING: MCP_AUTH_TOKEN has fewer than 32 characters. Use a longer random secret.",
+  );
+}
+
+let rateLimitMax: number;
+try {
+  rateLimitMax = parseEnvInt(process.env.MCP_RATE_LIMIT, 120, 1, 10_000, "MCP_RATE_LIMIT");
+} catch (err) {
+  console.error(err instanceof Error ? err.message : String(err));
+  process.exit(1);
+}
+
 const mcpRateLimiter = rateLimit({
   windowMs: 60_000,
-  max: parseInt(process.env.MCP_RATE_LIMIT ?? "120", 10),
+  max: rateLimitMax,
   standardHeaders: true,
   legacyHeaders: false,
   message: { error: "Too many requests. Retry after 60 seconds.", code: "RATE_LIMITED" },
@@ -255,7 +279,7 @@ function mcpAuthMiddleware(
     return;
   }
   const auth = req.headers.authorization ?? "";
-  if (auth !== `Bearer ${MCP_AUTH_TOKEN}`) {
+  if (!safeTokenEqual(auth, `Bearer ${MCP_AUTH_TOKEN}`)) {
     res.status(401).json({ error: "Unauthorized" });
     return;
   }

package/src/tools/account.ts

@@ -47,7 +47,7 @@ export async function handleGetAccountInfo(
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
     return {
       content: [{ type: "text", text: JSON.stringify(msg) }],

package/src/tools/arbitrage.ts

@@ -171,7 +171,7 @@ export async function handleArbitrageOpportunities(
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
     return {
       content: [{ type: "text", text: JSON.stringify(msg) }],

package/src/tools/balance.ts

@@ -73,7 +73,7 @@ export async function handleGetBalance(
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
     return {
       content: [{ type: "text", text: JSON.stringify(msg) }],

package/src/tools/balances.ts

@@ -51,7 +51,7 @@ export function register(server: McpServer, client: BudaClient): void {
       } catch (err) {
         const msg =
           err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
         return {
           content: [{ type: "text", text: JSON.stringify(msg) }],

package/src/tools/banks.ts

@@ -73,7 +73,7 @@ export async function handleGetAvailableBanks(
     }
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
     return {
       content: [{ type: "text", text: JSON.stringify(msg) }],

package/src/tools/batch_orders.ts

@@ -2,6 +2,7 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { z } from "zod";
 import { BudaClient, BudaApiError } from "../client.js";
 import { validateMarketId } from "../validation.js";
+import { logAudit } from "../audit.js";
 import type { OrderResponse } from "../types.js";
 
 export const toolSchema = {
@@ -76,6 +77,7 @@ type BatchOrdersArgs = {
 export async function handlePlaceBatchOrders(
   args: BatchOrdersArgs,
   client: BudaClient,
+  transport: "http" | "stdio" = "stdio",
 ): Promise<{ content: Array<{ type: "text"; text: string }>; isError?: boolean }> {
   const { orders, max_notional, confirmation_token } = args;
 
@@ -202,9 +204,18 @@ export async function handlePlaceBatchOrders(
     response.warning = "Some orders failed. Already-placed orders were NOT rolled back.";
   }
 
+  const isError = failed > 0 && succeeded === 0 ? true : undefined;
+  logAudit({
+    ts: new Date().toISOString(),
+    tool: "place_batch_orders",
+    transport,
+    args_summary: { order_count: orders.length, succeeded, failed },
+    success: !isError,
+    error_code: isError ? "PARTIAL_OR_FULL_FAILURE" : undefined,
+  });
   return {
     content: [{ type: "text", text: JSON.stringify(response, null, 2) }],
-    isError: failed > 0 && succeeded === 0 ? true : undefined,
+    isError,
   };
 }
 

package/src/tools/cancel_all_orders.ts

@@ -2,6 +2,7 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { z } from "zod";
 import { BudaClient, BudaApiError } from "../client.js";
 import { validateMarketId } from "../validation.js";
+import { logAudit } from "../audit.js";
 import type { CancelAllOrdersResponse } from "../types.js";
 
 export const toolSchema = {
@@ -37,6 +38,7 @@ type CancelAllOrdersArgs = {
 export async function handleCancelAllOrders(
   args: CancelAllOrdersArgs,
   client: BudaClient,
+  transport: "http" | "stdio" = "stdio",
 ): Promise<{ content: Array<{ type: "text"; text: string }>; isError?: boolean }> {
   const { market_id, confirmation_token } = args;
 
@@ -76,23 +78,19 @@ export async function handleCancelAllOrders(
 
     const data = await client.delete<CancelAllOrdersResponse>(`/orders`, params);
 
-    return {
-      content: [
-        {
-          type: "text",
-          text: JSON.stringify({ canceled_count: data.canceled_count, market_id }),
-        },
-      ],
+    const result = {
+      content: [{ type: "text" as const, text: JSON.stringify({ canceled_count: data.canceled_count, market_id }) }],
     };
+    logAudit({ ts: new Date().toISOString(), tool: "cancel_all_orders", transport, args_summary: { market_id }, success: true });
+    return result;
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
-    return {
-      content: [{ type: "text", text: JSON.stringify(msg) }],
-      isError: true,
-    };
+    const result = { content: [{ type: "text" as const, text: JSON.stringify(msg) }], isError: true as const };
+    logAudit({ ts: new Date().toISOString(), tool: "cancel_all_orders", transport, args_summary: { market_id }, success: false, error_code: msg.code });
+    return result;
   }
 }
 

package/src/tools/cancel_order.ts

@@ -1,6 +1,7 @@
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { z } from "zod";
 import { BudaClient, BudaApiError } from "../client.js";
+import { logAudit } from "../audit.js";
 import type { OrderResponse } from "../types.js";
 
 export const toolSchema = {
@@ -36,6 +37,7 @@ type CancelOrderArgs = {
 export async function handleCancelOrder(
   args: CancelOrderArgs,
   client: BudaClient,
+  transport: "http" | "stdio" = "stdio",
 ): Promise<{ content: Array<{ type: "text"; text: string }>; isError?: boolean }> {
   const { order_id, confirmation_token } = args;
 
@@ -62,18 +64,17 @@ export async function handleCancelOrder(
       order: { state: "canceling" },
     });
 
-    return {
-      content: [{ type: "text", text: JSON.stringify(data.order, null, 2) }],
-    };
+    const result = { content: [{ type: "text" as const, text: JSON.stringify(data.order, null, 2) }] };
+    logAudit({ ts: new Date().toISOString(), tool: "cancel_order", transport, args_summary: { order_id }, success: true });
+    return result;
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
-    return {
-      content: [{ type: "text", text: JSON.stringify(msg) }],
-      isError: true,
-    };
+    const result = { content: [{ type: "text" as const, text: JSON.stringify(msg) }], isError: true as const };
+    logAudit({ ts: new Date().toISOString(), tool: "cancel_order", transport, args_summary: { order_id }, success: false, error_code: msg.code });
+    return result;
   }
 }
 

package/src/tools/cancel_order_by_client_id.ts

@@ -2,6 +2,7 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { z } from "zod";
 import { BudaClient, BudaApiError } from "../client.js";
 import { flattenAmount } from "../utils.js";
+import { logAudit } from "../audit.js";
 import type { OrderResponse, Order } from "../types.js";
 
 export const toolSchema = {
@@ -69,6 +70,7 @@ function normalizeOrder(o: Order) {
 export async function handleCancelOrderByClientId(
   args: CancelOrderByClientIdArgs,
   client: BudaClient,
+  transport: "http" | "stdio" = "stdio",
 ): Promise<{ content: Array<{ type: "text"; text: string }>; isError?: boolean }> {
   const { client_id, confirmation_token } = args;
 
@@ -96,18 +98,17 @@ export async function handleCancelOrderByClientId(
       { order: { state: "canceling" } },
     );
 
-    return {
-      content: [{ type: "text", text: JSON.stringify(normalizeOrder(data.order), null, 2) }],
-    };
+    const result = { content: [{ type: "text" as const, text: JSON.stringify(normalizeOrder(data.order), null, 2) }] };
+    logAudit({ ts: new Date().toISOString(), tool: "cancel_order_by_client_id", transport, args_summary: {}, success: true });
+    return result;
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
-    return {
-      content: [{ type: "text", text: JSON.stringify(msg) }],
-      isError: true,
-    };
+    const result = { content: [{ type: "text" as const, text: JSON.stringify(msg) }], isError: true as const };
+    logAudit({ ts: new Date().toISOString(), tool: "cancel_order_by_client_id", transport, args_summary: {}, success: false, error_code: msg.code });
+    return result;
   }
 }