@guiie/buda-mcp 1.5.1 → 1.5.3

package/src/tools/fees.ts

@@ -69,7 +69,7 @@ export async function handleGetNetworkFees(
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
     return {
       content: [{ type: "text", text: JSON.stringify(msg) }],

package/src/tools/lightning.ts

@@ -2,6 +2,7 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { z } from "zod";
 import { BudaClient, BudaApiError } from "../client.js";
 import { flattenAmount } from "../utils.js";
+import { logAudit } from "../audit.js";
 import type { LightningWithdrawalResponse, LightningInvoiceResponse } from "../types.js";
 
 export const lightningWithdrawalToolSchema = {
@@ -69,6 +70,7 @@ type CreateLightningInvoiceArgs = {
 export async function handleLightningWithdrawal(
   args: LightningWithdrawalArgs,
   client: BudaClient,
+  transport: "http" | "stdio" = "stdio",
 ): Promise<{ content: Array<{ type: "text"; text: string }>; isError?: boolean }> {
   const { invoice, confirmation_token } = args;
 
@@ -91,7 +93,7 @@ export async function handleLightningWithdrawal(
     };
   }
 
-  const BOLT11_RE = /^ln(bc|tb|bcrt)\d/i;
+  const BOLT11_RE = /^ln(bc|tb|bcrt)\d*[munp]?1[a-z0-9]{20,}$/i;
   if (!BOLT11_RE.test(invoice)) {
     return {
       content: [{
@@ -117,10 +119,10 @@ export async function handleLightningWithdrawal(
     const amount = flattenAmount(lw.amount);
     const fee = flattenAmount(lw.fee);
 
-    return {
+    const result = {
       content: [
         {
-          type: "text",
+          type: "text" as const,
           text: JSON.stringify(
             {
               id: lw.id,
@@ -138,15 +140,16 @@ export async function handleLightningWithdrawal(
         },
       ],
     };
+    logAudit({ ts: new Date().toISOString(), tool: "lightning_withdrawal", transport, args_summary: {}, success: true });
+    return result;
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
-    return {
-      content: [{ type: "text", text: JSON.stringify(msg) }],
-      isError: true,
-    };
+    const result = { content: [{ type: "text" as const, text: JSON.stringify(msg) }], isError: true as const };
+    logAudit({ ts: new Date().toISOString(), tool: "lightning_withdrawal", transport, args_summary: {}, success: false, error_code: msg.code });
+    return result;
   }
 }
 
@@ -192,7 +195,7 @@ export async function handleCreateLightningInvoice(
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
     return {
       content: [{ type: "text", text: JSON.stringify(msg) }],
@@ -201,7 +204,11 @@ export async function handleCreateLightningInvoice(
   }
 }
 
-export function register(server: McpServer, client: BudaClient): void {
+export function register(
+  server: McpServer,
+  client: BudaClient,
+  transport: "http" | "stdio" = "stdio",
+): void {
   server.tool(
     lightningWithdrawalToolSchema.name,
     lightningWithdrawalToolSchema.description,
@@ -217,7 +224,7 @@ export function register(server: McpServer, client: BudaClient): void {
             "Any other value will reject the request without paying.",
         ),
     },
-    (args) => handleLightningWithdrawal(args, client),
+    (args) => handleLightningWithdrawal(args, client, transport),
   );
 
   server.tool(

package/src/tools/market_sentiment.ts

@@ -118,7 +118,7 @@ export async function handleMarketSentiment(
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
     return {
       content: [{ type: "text", text: JSON.stringify(msg) }],

package/src/tools/market_summary.ts

@@ -101,7 +101,7 @@ export async function handleMarketSummary(
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
     return {
       content: [{ type: "text", text: JSON.stringify(msg) }],

package/src/tools/markets.ts

@@ -68,7 +68,7 @@ export function register(server: McpServer, client: BudaClient, cache: MemoryCac
       } catch (err) {
         const msg =
           err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
         return {
           content: [{ type: "text", text: JSON.stringify(msg) }],

package/src/tools/order_lookup.ts

@@ -88,7 +88,7 @@ export async function handleGetOrder(
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
     return {
       content: [{ type: "text", text: JSON.stringify(msg) }],
@@ -109,7 +109,7 @@ export async function handleGetOrderByClientId(
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
     return {
       content: [{ type: "text", text: JSON.stringify(msg) }],

package/src/tools/orderbook.ts

@@ -83,7 +83,7 @@ export function register(server: McpServer, client: BudaClient, cache: MemoryCac
       } catch (err) {
         const msg =
           err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
         return {
           content: [{ type: "text", text: JSON.stringify(msg) }],

package/src/tools/orders.ts

@@ -135,7 +135,7 @@ export function register(server: McpServer, client: BudaClient): void {
       } catch (err) {
         const msg =
           err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
         return {
           content: [{ type: "text", text: JSON.stringify(msg) }],

package/src/tools/place_order.ts

@@ -2,6 +2,7 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { z } from "zod";
 import { BudaClient, BudaApiError } from "../client.js";
 import { validateMarketId } from "../validation.js";
+import { logAudit } from "../audit.js";
 import type { OrderResponse } from "../types.js";
 
 export const toolSchema = {
@@ -91,6 +92,7 @@ type PlaceOrderArgs = {
 export async function handlePlaceOrder(
   args: PlaceOrderArgs,
   client: BudaClient,
+  transport: "http" | "stdio" = "stdio",
 ): Promise<{ content: Array<{ type: "text"; text: string }>; isError?: boolean }> {
   const {
     market_id,
@@ -243,22 +245,43 @@ export async function handlePlaceOrder(
       payload,
     );
 
-    return {
-      content: [{ type: "text", text: JSON.stringify(data.order, null, 2) }],
+    const result = {
+      content: [{ type: "text" as const, text: JSON.stringify(data.order, null, 2) }],
     };
+    logAudit({
+      ts: new Date().toISOString(),
+      tool: "place_order",
+      transport,
+      args_summary: { market_id, type, price_type, amount },
+      success: true,
+    });
+    return result;
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
-    return {
-      content: [{ type: "text", text: JSON.stringify(msg) }],
+    const result = {
+      content: [{ type: "text" as const, text: JSON.stringify(msg) }],
       isError: true,
     };
+    logAudit({
+      ts: new Date().toISOString(),
+      tool: "place_order",
+      transport,
+      args_summary: { market_id, type, price_type, amount },
+      success: false,
+      error_code: msg.code,
+    });
+    return result;
   }
 }
 
-export function register(server: McpServer, client: BudaClient): void {
+export function register(
+  server: McpServer,
+  client: BudaClient,
+  transport: "http" | "stdio" = "stdio",
+): void {
   server.tool(
     toolSchema.name,
     toolSchema.description,
@@ -316,6 +339,6 @@ export function register(server: McpServer, client: BudaClient): void {
             "Any other value will reject the request without placing an order.",
         ),
     },
-    (args) => handlePlaceOrder(args, client),
+    (args) => handlePlaceOrder(args, client, transport),
   );
 }

package/src/tools/price_history.ts

@@ -108,7 +108,7 @@ export function register(server: McpServer, client: BudaClient, _cache: MemoryCa
       } catch (err) {
         const msg =
           err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
         return {
           content: [{ type: "text", text: JSON.stringify(msg) }],

package/src/tools/quotation.ts

@@ -100,7 +100,7 @@ export async function handleGetRealQuotation(
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
     return {
       content: [{ type: "text", text: JSON.stringify(msg) }],

package/src/tools/receive_addresses.ts

@@ -2,6 +2,7 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { z } from "zod";
 import { BudaClient, BudaApiError } from "../client.js";
 import { validateCurrency } from "../validation.js";
+import { logAudit } from "../audit.js";
 import type { ReceiveAddressesResponse, SingleReceiveAddressResponse, ReceiveAddress } from "../types.js";
 
 export const createReceiveAddressToolSchema = {
@@ -114,7 +115,7 @@ export async function handleListReceiveAddresses(
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
     return {
       content: [{ type: "text", text: JSON.stringify(msg) }],
@@ -147,7 +148,7 @@ export async function handleGetReceiveAddress(
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
     return {
       content: [{ type: "text", text: JSON.stringify(msg) }],
@@ -159,6 +160,7 @@ export async function handleGetReceiveAddress(
 export async function handleCreateReceiveAddress(
   args: { currency: string; confirmation_token: string },
   client: BudaClient,
+  transport: "http" | "stdio" = "stdio",
 ): Promise<{ content: Array<{ type: "text"; text: string }>; isError?: boolean }> {
   const { currency, confirmation_token } = args;
 
@@ -193,22 +195,25 @@ export async function handleCreateReceiveAddress(
       `/currencies/${currency.toUpperCase()}/receive_addresses`,
       {},
     );
-    return {
-      content: [{ type: "text", text: JSON.stringify(normalizeAddress(data.receive_address), null, 2) }],
-    };
+    const result = { content: [{ type: "text" as const, text: JSON.stringify(normalizeAddress(data.receive_address), null, 2) }] };
+    logAudit({ ts: new Date().toISOString(), tool: "create_receive_address", transport, args_summary: { currency }, success: true });
+    return result;
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
-    return {
-      content: [{ type: "text", text: JSON.stringify(msg) }],
-      isError: true,
-    };
+    const result = { content: [{ type: "text" as const, text: JSON.stringify(msg) }], isError: true as const };
+    logAudit({ ts: new Date().toISOString(), tool: "create_receive_address", transport, args_summary: { currency }, success: false, error_code: msg.code });
+    return result;
   }
 }
 
-export function register(server: McpServer, client: BudaClient): void {
+export function register(
+  server: McpServer,
+  client: BudaClient,
+  transport: "http" | "stdio" = "stdio",
+): void {
   server.tool(
     listReceiveAddressesToolSchema.name,
     listReceiveAddressesToolSchema.description,
@@ -237,6 +242,6 @@ export function register(server: McpServer, client: BudaClient): void {
         .string()
         .describe("Safety confirmation. Must equal exactly 'CONFIRM' (case-sensitive) to generate a new address."),
     },
-    (args) => handleCreateReceiveAddress(args, client),
+    (args) => handleCreateReceiveAddress(args, client, transport),
   );
 }

package/src/tools/remittance_recipients.ts

@@ -87,7 +87,7 @@ export async function handleListRemittanceRecipients(
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
     return {
       content: [{ type: "text", text: JSON.stringify(msg) }],
@@ -108,7 +108,7 @@ export async function handleGetRemittanceRecipient(
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
     return {
       content: [{ type: "text", text: JSON.stringify(msg) }],

package/src/tools/remittances.ts

@@ -3,6 +3,7 @@ import { z } from "zod";
 import { BudaClient, BudaApiError } from "../client.js";
 import { flattenAmount } from "../utils.js";
 import { validateCurrency } from "../validation.js";
+import { logAudit } from "../audit.js";
 import type { RemittancesResponse, SingleRemittanceResponse, Remittance } from "../types.js";
 
 export const listRemittancesToolSchema = {
@@ -152,7 +153,7 @@ export async function handleListRemittances(
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
     return {
       content: [{ type: "text", text: JSON.stringify(msg) }],
@@ -173,7 +174,7 @@ export async function handleGetRemittance(
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
     return {
       content: [{ type: "text", text: JSON.stringify(msg) }],
@@ -185,6 +186,7 @@ export async function handleGetRemittance(
 export async function handleQuoteRemittance(
   args: { currency: string; amount: number; recipient_id: number; confirmation_token: string },
   client: BudaClient,
+  transport: "http" | "stdio" = "stdio",
 ): Promise<{ content: Array<{ type: "text"; text: string }>; isError?: boolean }> {
   const { currency, amount, recipient_id, confirmation_token } = args;
 
@@ -222,24 +224,24 @@ export async function handleQuoteRemittance(
         recipient_id,
       },
     });
-    return {
-      content: [{ type: "text", text: JSON.stringify(normalizeRemittance(data.remittance), null, 2) }],
-    };
+    const result = { content: [{ type: "text" as const, text: JSON.stringify(normalizeRemittance(data.remittance), null, 2) }] };
+    logAudit({ ts: new Date().toISOString(), tool: "quote_remittance", transport, args_summary: { currency, amount, recipient_id }, success: true });
+    return result;
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
-    return {
-      content: [{ type: "text", text: JSON.stringify(msg) }],
-      isError: true,
-    };
+    const result = { content: [{ type: "text" as const, text: JSON.stringify(msg) }], isError: true as const };
+    logAudit({ ts: new Date().toISOString(), tool: "quote_remittance", transport, args_summary: { currency, amount, recipient_id }, success: false, error_code: msg.code });
+    return result;
   }
 }
 
 export async function handleAcceptRemittanceQuote(
   args: { id: number; confirmation_token: string },
   client: BudaClient,
+  transport: "http" | "stdio" = "stdio",
 ): Promise<{ content: Array<{ type: "text"; text: string }>; isError?: boolean }> {
   const { id, confirmation_token } = args;
 
@@ -264,22 +266,25 @@ export async function handleAcceptRemittanceQuote(
     const data = await client.put<SingleRemittanceResponse>(`/remittances/${id}`, {
       remittance: { state: "confirming" },
     });
-    return {
-      content: [{ type: "text", text: JSON.stringify(normalizeRemittance(data.remittance), null, 2) }],
-    };
+    const result = { content: [{ type: "text" as const, text: JSON.stringify(normalizeRemittance(data.remittance), null, 2) }] };
+    logAudit({ ts: new Date().toISOString(), tool: "accept_remittance_quote", transport, args_summary: { remittance_id: id }, success: true });
+    return result;
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
-    return {
-      content: [{ type: "text", text: JSON.stringify(msg) }],
-      isError: true,
-    };
+    const result = { content: [{ type: "text" as const, text: JSON.stringify(msg) }], isError: true as const };
+    logAudit({ ts: new Date().toISOString(), tool: "accept_remittance_quote", transport, args_summary: { remittance_id: id }, success: false, error_code: msg.code });
+    return result;
   }
 }
 
-export function register(server: McpServer, client: BudaClient): void {
+export function register(
+  server: McpServer,
+  client: BudaClient,
+  transport: "http" | "stdio" = "stdio",
+): void {
   server.tool(
     listRemittancesToolSchema.name,
     listRemittancesToolSchema.description,
@@ -310,7 +315,7 @@ export function register(server: McpServer, client: BudaClient): void {
         .string()
         .describe("Safety confirmation. Must equal exactly 'CONFIRM' (case-sensitive) to create the quote."),
     },
-    (args) => handleQuoteRemittance(args, client),
+    (args) => handleQuoteRemittance(args, client, transport),
   );
 
   server.tool(
@@ -320,6 +325,6 @@ export function register(server: McpServer, client: BudaClient): void {
       id: z.number().int().positive().describe("The numeric ID of the remittance quote to accept."),
       confirmation_token: z.string().describe("Must be 'CONFIRM' to proceed. Any other value aborts."),
     },
-    (args) => handleAcceptRemittanceQuote(args, client),
+    (args) => handleAcceptRemittanceQuote(args, client, transport),
   );
 }

package/src/tools/simulate_order.ts

@@ -148,7 +148,7 @@ export async function handleSimulateOrder(
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
     return {
       content: [{ type: "text", text: JSON.stringify(msg) }],

package/src/tools/spread.ts

@@ -86,7 +86,7 @@ export function register(server: McpServer, client: BudaClient, cache: MemoryCac
       } catch (err) {
         const msg =
           err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
         return {
           content: [{ type: "text", text: JSON.stringify(msg) }],

package/src/tools/technical_indicators.ts

@@ -247,7 +247,7 @@ export async function handleTechnicalIndicators(
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
     return {
       content: [{ type: "text", text: JSON.stringify(msg) }],

package/src/tools/ticker.ts

@@ -77,7 +77,7 @@ export function register(server: McpServer, client: BudaClient, cache: MemoryCac
       } catch (err) {
         const msg =
           err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
         return {
           content: [{ type: "text", text: JSON.stringify(msg) }],

package/src/tools/trades.ts

@@ -94,7 +94,7 @@ export function register(server: McpServer, client: BudaClient, _cache: MemoryCa
       } catch (err) {
         const msg =
           err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
         return {
           content: [{ type: "text", text: JSON.stringify(msg) }],

package/src/tools/volume.ts

@@ -71,7 +71,7 @@ export function register(server: McpServer, client: BudaClient, _cache: MemoryCa
       } catch (err) {
         const msg =
           err instanceof BudaApiError
-            ? { error: err.message, code: err.status, path: err.path }
+            ? { error: err.message, code: err.status }
             : { error: String(err), code: "UNKNOWN" };
         return {
           content: [{ type: "text", text: JSON.stringify(msg) }],

package/src/tools/withdrawals.ts

@@ -3,6 +3,7 @@ import { z } from "zod";
 import { BudaClient, BudaApiError } from "../client.js";
 import { validateCurrency, validateCryptoAddress } from "../validation.js";
 import { flattenAmount } from "../utils.js";
+import { logAudit } from "../audit.js";
 import type { WithdrawalsResponse, SingleWithdrawalResponse, Withdrawal } from "../types.js";
 
 export const getWithdrawalHistoryToolSchema = {
@@ -106,7 +107,7 @@ export async function handleGetWithdrawalHistory(
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
     return {
       content: [{ type: "text", text: JSON.stringify(msg) }],
@@ -152,6 +153,7 @@ type CreateWithdrawalArgs = {
 export async function handleCreateWithdrawal(
   args: CreateWithdrawalArgs,
   client: BudaClient,
+  transport: "http" | "stdio" = "stdio",
 ): Promise<{ content: Array<{ type: "text"; text: string }>; isError?: boolean }> {
   const { currency, amount, address, network, bank_account_id, confirmation_token } = args;
 
@@ -238,22 +240,25 @@ export async function handleCreateWithdrawal(
       payload,
     );
 
-    return {
-      content: [{ type: "text", text: JSON.stringify(normalizeWithdrawal(data.withdrawal), null, 2) }],
-    };
+    const result = { content: [{ type: "text" as const, text: JSON.stringify(normalizeWithdrawal(data.withdrawal), null, 2) }] };
+    logAudit({ ts: new Date().toISOString(), tool: "create_withdrawal", transport, args_summary: { currency, amount, type: hasAddress ? "crypto" : "fiat" }, success: true });
+    return result;
   } catch (err) {
     const msg =
       err instanceof BudaApiError
-        ? { error: err.message, code: err.status, path: err.path }
+        ? { error: err.message, code: err.status }
         : { error: String(err), code: "UNKNOWN" };
-    return {
-      content: [{ type: "text", text: JSON.stringify(msg) }],
-      isError: true,
-    };
+    const result = { content: [{ type: "text" as const, text: JSON.stringify(msg) }], isError: true as const };
+    logAudit({ ts: new Date().toISOString(), tool: "create_withdrawal", transport, args_summary: { currency, amount, type: hasAddress ? "crypto" : "fiat" }, success: false, error_code: msg.code });
+    return result;
   }
 }
 
-export function register(server: McpServer, client: BudaClient): void {
+export function register(
+  server: McpServer,
+  client: BudaClient,
+  transport: "http" | "stdio" = "stdio",
+): void {
   server.tool(
     getWithdrawalHistoryToolSchema.name,
     getWithdrawalHistoryToolSchema.description,
@@ -282,6 +287,6 @@ export function register(server: McpServer, client: BudaClient): void {
         .string()
         .describe("Safety confirmation. Must equal exactly 'CONFIRM' (case-sensitive) to execute."),
     },
-    (args) => handleCreateWithdrawal(args, client),
+    (args) => handleCreateWithdrawal(args, client, transport),
   );
 }

package/src/utils.ts

@@ -1,5 +1,38 @@
+import { timingSafeEqual } from "crypto";
 import type { Amount, OhlcvCandle } from "./types.js";
 
+/**
+ * Constant-time string comparison to prevent timing attacks on bearer tokens.
+ */
+export function safeTokenEqual(a: string, b: string): boolean {
+  const aBuf = Buffer.from(a);
+  const bBuf = Buffer.from(b);
+  if (aBuf.length !== bBuf.length) return false;
+  return timingSafeEqual(aBuf, bBuf);
+}
+
+/**
+ * Parses a raw string (from an environment variable) as an integer within [min, max].
+ * Returns the fallback when raw is undefined.
+ * Throws a descriptive Error if the value is non-numeric or out of range.
+ */
+export function parseEnvInt(
+  raw: string | undefined,
+  fallback: number,
+  min: number,
+  max: number,
+  name: string,
+): number {
+  if (raw === undefined) return fallback;
+  const n = parseInt(raw, 10);
+  if (isNaN(n) || n < min || n > max) {
+    throw new Error(
+      `[buda-mcp] Invalid ${name} "${raw}". Must be an integer between ${min} and ${max}.`,
+    );
+  }
+  return n;
+}
+
 /**
  * Flattens a Buda API Amount tuple [value_string, currency] into a typed object.
  * All numeric strings are cast to float via parseFloat.