@guiie/buda-mcp 1.5.2 → 1.5.4

package/.github/workflows/publish.yml

@@ -10,8 +10,8 @@ jobs:
     name: Build & test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020  # v4.4.0
         with:
           node-version: "20"
           cache: "npm"
@@ -28,8 +28,8 @@ jobs:
       contents: read
       id-token: write
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020  # v4.4.0
         with:
           node-version: "20"
           registry-url: "https://registry.npmjs.org"
@@ -53,15 +53,25 @@ jobs:
     name: Publish to MCP Registry
     needs: npm
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     env:
       MCP_REGISTRY_TOKEN: ${{ secrets.MCP_REGISTRY_TOKEN }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
       - name: Install mcp-publisher
         run: |
-          curl -L "https://github.com/modelcontextprotocol/registry/releases/latest/download/mcp-publisher_linux_amd64.tar.gz" \
-            | tar xz mcp-publisher
+          RELEASE_TAG=$(gh api repos/modelcontextprotocol/registry/releases/latest --jq '.tag_name')
+          VER="${RELEASE_TAG#v}"
+          curl -fsSL -o mcp-publisher.tar.gz \
+            "https://github.com/modelcontextprotocol/registry/releases/latest/download/mcp-publisher_linux_amd64.tar.gz"
+          curl -fsSL -o checksums.txt \
+            "https://github.com/modelcontextprotocol/registry/releases/download/${RELEASE_TAG}/registry_${VER}_checksums.txt"
+          grep "mcp-publisher_linux_amd64.tar.gz" checksums.txt | sha256sum --check
+          tar xzf mcp-publisher.tar.gz mcp-publisher
           sudo mv mcp-publisher /usr/local/bin/
+        env:
+          GH_TOKEN: ${{ github.token }}
       - name: Authenticate and publish to MCP Registry
         run: |
           mcp-publisher login token "$MCP_REGISTRY_TOKEN"

package/CHANGELOG.md

@@ -11,6 +11,58 @@ This project uses [Semantic Versioning](https://semver.org/).
 
 ---
 
+## [1.5.4] – 2026-04-11
+
+### Security
+
+- **CI/CD supply-chain hardening** — `publish.yml` now verifies the SHA256 checksum of the `mcp-publisher` binary against the official `registry_*_checksums.txt` file before extraction. The download uses `curl -fsSL` (strict) and aborts if the checksum does not match. Previously the binary was piped directly from the network into `tar` without any integrity check.
+
+- **GitHub Actions pinned to immutable commit SHAs** — all three `actions/checkout` and `actions/setup-node` usages in `publish.yml` are now pinned to their exact commit SHA (`11bd71901...` / `49933ea5...`) with the human-readable tag in a comment. Tag-based references (`@v4`) are mutable and could be silently redirected.
+
+- **`DELETE /mcp` protected by rate limiter and auth middleware** — the endpoint was previously unprotected and returned 405 to anyone without any throttling. It now passes through the same `mcpRateLimiter` and `mcpAuthMiddleware` as the `POST`/`GET` `/mcp` handlers.
+
+- **Version removed from unauthenticated `/health` response** — the `version` field was removed from the public health endpoint to prevent fingerprinting of the exact server version. `status`, `server`, and `auth_mode` are still returned.
+
+- **`/.well-known/mcp/server-card.json` gated by auth when credentials are configured** — when `MCP_AUTH_TOKEN` is set, the server-card endpoint now requires the same Bearer token as `/mcp`, preventing unauthenticated enumeration of all tool schemas including authenticated ones.
+
+- **`validateCurrency` added to `get_arbitrage_opportunities`** — the `base_currency` input was the only tool parameter that bypassed the shared currency validator. It now runs `validateCurrency()` before any business logic. The Zod schema in `register()` was also tightened with `.min(2).max(10).regex(/^[A-Z0-9]+$/i)`.
+
+- **`network` field in `create_withdrawal` validated by regex** — the blockchain network identifier for crypto withdrawals is now validated against `/^[a-z][a-z0-9-]{1,29}$/` in the Zod schema, rejecting unexpected values before they reach the Buda API.
+
+- **Audit log for `lightning_withdrawal` now includes amount** — `args_summary` was previously empty (`{}`), making the audit trail useless for this operation. The confirmed withdrawal amount (`amount_btc`) is now included so anomaly detection and post-incident review have meaningful context. The invoice string is still never logged.
+
+- **`safeTokenEqual` now eliminates token-length timing oracle** — both strings are written into equal-length zero-padded `Buffer.alloc(maxLen)` before `timingSafeEqual`, so execution time no longer varies with the difference in string lengths. A final `aByteLen === bByteLen` guard prevents a padded match from returning `true`.
+
+- **CORS policy documented explicitly** — an inline comment clarifies that CORS is intentionally not configured because `buda-mcp` is a server-to-server MCP transport, not a browser client target. `helmet()` already sets the relevant browser security headers.
+
+---
+
+## [1.5.3] – 2026-04-11
+
+### Security
+
+- **Upstream API errors no longer forwarded to MCP clients** — `BudaClient.handleResponse` now logs the full Buda API error detail (status, path, message) to `process.stderr` as structured JSON and returns only a generic message to the MCP caller (e.g. `"Buda API error 404 on /path."`). Previously, raw upstream error messages including potential internal details were forwarded directly to clients.
+
+- **Audit log transport field corrected for HTTP** — nine destructive tool handlers (`place_order`, `cancel_order`, `cancel_all_orders`, `cancel_order_by_client_id`, `place_batch_orders`, `create_withdrawal`, `lightning_withdrawal`, `create_receive_address`, `quote_remittance`, `accept_remittance_quote`) now correctly log `transport: "http"` when invoked via the HTTP server. Previously their `register()` functions defaulted to `"stdio"`, making all HTTP audit events appear as stdio traffic.
+
+- **HTTP security headers via `helmet`** — Express HTTP server now applies `helmet()` as the first middleware, adding `X-Content-Type-Options`, `X-Frame-Options`, `Referrer-Policy`, `X-DNS-Prefetch-Control`, `X-Download-Options`, and removing `X-Powered-By`.
+
+- **Request body size limit** — `express.json()` now enforces an explicit `limit: "10kb"` on the `/mcp` endpoint, reducing the memory/CPU surface for oversized body attacks in combination with the existing rate limiter.
+
+- **Rate limiting extended to `/health` and `/.well-known/mcp/server-card.json`** — a `staticRateLimiter` (60 req/min) now protects these endpoints, which previously had no throttling. Sufficient for all legitimate uptime monitors and Smithery discovery.
+
+- **`trust proxy` topology documented** — added inline comment to `app.set("trust proxy", 1)` explaining the single-hop assumption (Railway), the impact on `req.ip` and `express-rate-limit` client IP detection, and the action required if an additional proxy layer is added.
+
+### Pending (manual)
+
+- **CI binary pinning** — `publish.yml` should pin `mcp-publisher` to a fixed version with SHA256 verification instead of downloading `releases/latest`. Target version: `v1.5.0`, SHA256: `79bbb73ba048c5906034f73ef6286d7763bd53cf368ea0b358fc593ed360cbd5`. See `PUBLISH_CHECKLIST.md` for the exact step.
+
+### Added
+
+- `helmet` dependency (v8.x) — HTTP security headers middleware.
+
+---
+
 ## [1.5.2] – 2026-04-11
 
 ### Security

package/PUBLISH_CHECKLIST.md

@@ -1,6 +1,6 @@
-# Publish Checklist — buda-mcp v1.5.2
+# Publish Checklist — buda-mcp v1.5.4
 
-Steps to publish `v1.5.2` to npm, the MCP registry, and notify community directories.
+Steps to publish `v1.5.4` to npm, the MCP registry, and notify community directories.
 
 ---
 
@@ -8,7 +8,7 @@ Steps to publish `v1.5.2` to npm, the MCP registry, and notify community directo
 
 ```bash
 # Confirm version
-node -e "console.log(require('./package.json').version)"  # should print 1.5.2
+node -e "console.log(require('./package.json').version)"  # should print 1.5.4
 
 # Build and test
 npm run build
@@ -37,9 +37,9 @@ Verify: https://www.npmjs.com/package/@guiie/buda-mcp
 
 ## 3. GitHub release
 
-Tag and release already created via `gh release create v1.5.2`. Verify at:
+Tag and release already created via `gh release create v1.5.4`. Verify at:
 
-https://github.com/gtorreal/buda-mcp/releases/tag/v1.5.2
+https://github.com/gtorreal/buda-mcp/releases/tag/v1.5.4
 
 ---
 
@@ -64,23 +64,18 @@ Verify: https://smithery.ai/server/@guiie/buda-mcp
 **Email/message template:**
 
 ```
-Subject: [Update] buda-mcp v1.5.2 — Security hardening (second pass)
+Subject: [Update] buda-mcp v1.5.3 — Security hardening (third pass)
 
 Hi mcp.so team,
 
-I've released v1.5.2 of buda-mcp (@guiie/buda-mcp on npm).
+I've released v1.5.3 of buda-mcp (@guiie/buda-mcp on npm).
 
 Key changes (security hardening, no new tools):
-- Constant-time token comparison (timing-safe Bearer token auth)
-- Strict environment variable validation (PORT, MCP_RATE_LIMIT) with safe exit on bad config
-- MCP_AUTH_TOKEN entropy warning (< 32 chars)
-- trust proxy support for correct client IP detection behind reverse proxies
-- Audit logging for all 11 destructive tool handlers (structured JSON to stderr)
-- Dead man's switch: renew/disarm also blocked on HTTP transport
-- validateCurrency() added to compare_markets tool
-- Stronger BOLT-11 regex validation in lightning_withdrawal
-- Internal API paths redacted from all error responses (31 tool handlers)
-- 28 new unit tests (total now 184)
+- Upstream API errors no longer forwarded to MCP clients (generic messages only, detail logged server-side)
+- Audit log transport field corrected for HTTP (9 handlers previously showed "stdio" for HTTP traffic)
+- HTTP security headers via helmet (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, etc.)
+- Request body size limit enforced (10kb) on /mcp endpoint
+- Rate limiting extended to /health and /.well-known/mcp/server-card.json endpoints
 
 Links:
 - npm: https://www.npmjs.com/package/@guiie/buda-mcp
@@ -99,24 +94,22 @@ Thank you!
 **Message template:**
 
 ```
-Subject: [Update] buda-mcp v1.5.2
+Subject: [Update] buda-mcp v1.5.3
 
 Hi Glama team,
 
-buda-mcp has been updated to v1.5.2.
+buda-mcp has been updated to v1.5.3.
 
 Package: @guiie/buda-mcp (npm)
 Registry: io.github.gtorreal/buda-mcp (MCP Registry)
-Version: 1.5.2
-
-Changes (security hardening, second pass):
-- Constant-time token comparison (timing-safe auth)
-- Strict env var validation (PORT, MCP_RATE_LIMIT)
-- Audit logging for all destructive handlers
-- Dead man's switch: renew/disarm also blocked on HTTP
-- validateCurrency() in compare_markets
-- Stronger BOLT-11 regex
-- Internal paths redacted from error responses
+Version: 1.5.3
+
+Changes (security hardening, third pass):
+- Upstream API errors no longer forwarded to MCP clients
+- Audit log transport field corrected for HTTP (9 handlers)
+- HTTP security headers via helmet
+- Request body size limit (10kb) on /mcp endpoint
+- Rate limiting on /health and server-card endpoints
 - 184 unit tests
 
 Quick start:
@@ -132,25 +125,45 @@ Thank you!
 
 ## 8. Post-publish verification
 
-- [ ] `npx @guiie/buda-mcp@1.5.2` starts successfully
-- [ ] `npm info @guiie/buda-mcp version` returns `1.5.2`
-- [ ] GitHub release tag `v1.5.2` is visible
-- [ ] MCP Registry entry reflects v1.5.2
+- [ ] `npx @guiie/buda-mcp@1.5.3` starts successfully
+- [ ] `npm info @guiie/buda-mcp version` returns `1.5.3`
+- [ ] GitHub release tag `v1.5.3` is visible
+- [ ] MCP Registry entry reflects v1.5.3
 - [ ] Smithery server card lists all tools
-- [ ] `GET /health` returns `"version":"1.5.2"` on Railway deployment
-- [ ] HTTP server exits if `BUDA_API_KEY` set but `MCP_AUTH_TOKEN` is absent
-- [ ] `create_withdrawal` rejects a truncated BTC address with `INVALID_ADDRESS`
-- [ ] `lightning_withdrawal` rejects a non-BOLT11 string with `INVALID_INVOICE`
-- [ ] `place_batch_orders` with `max_notional` rejects over-cap batch before API call
-- [ ] `schedule_cancel_all` via HTTP returns `TRANSPORT_NOT_SUPPORTED`
-- [ ] `renew_cancel_timer` via HTTP returns `TRANSPORT_NOT_SUPPORTED`
-- [ ] Error responses do NOT include internal `path` field
-- [ ] Audit events appear in stderr as JSON with `audit: true`
+- [ ] `GET /health` returns `"version":"1.5.3"` on Railway deployment
+- [ ] `GET /health` responds with `X-Content-Type-Options: nosniff` header (helmet active)
+- [ ] `GET /health` rate-limited at 60 req/min
+- [ ] Error responses from the MCP server show generic message (not raw Buda API detail)
+- [ ] Audit log shows `"transport":"http"` for HTTP-triggered destructive tools
+- [ ] Pending: manually apply CI binary pinning to `publish.yml` (see CHANGELOG v1.5.3)
 - [ ] mcp.so listing updated
 - [ ] Glama.ai listing updated
 
 ---
 
+---
+
+## 9. Pending manual fix — CI binary pinning
+
+Edit `.github/workflows/publish.yml`, replace the `Install mcp-publisher` step with:
+
+```yaml
+- name: Install mcp-publisher
+  env:
+    MCP_PUBLISHER_VERSION: "v1.5.0"
+    MCP_PUBLISHER_SHA256: "79bbb73ba048c5906034f73ef6286d7763bd53cf368ea0b358fc593ed360cbd5"
+  run: |
+    curl -fsSL "https://github.com/modelcontextprotocol/registry/releases/download/${MCP_PUBLISHER_VERSION}/mcp-publisher_linux_amd64.tar.gz" \
+      -o mcp-publisher.tar.gz
+    echo "${MCP_PUBLISHER_SHA256}  mcp-publisher.tar.gz" | sha256sum --check
+    tar xz -f mcp-publisher.tar.gz mcp-publisher
+    sudo mv mcp-publisher /usr/local/bin/
+```
+
+SHA256 verified against GitHub release `v1.5.0` on 2026-04-11. Update both values when bumping `mcp-publisher`.
+
+---
+
 ## ARCHIVED: previous checklists
 
 See git tags `v1.5.0`, `v1.5.1`, `v1.4.0`, `v1.4.1`, `v1.4.2` for previous release notes and verification steps.

package/dist/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAKA,qBAAa,YAAa,SAAQ,KAAK;aAEnB,MAAM,EAAE,MAAM;aACd,IAAI,EAAE,MAAM;aAEZ,YAAY,CAAC,EAAE,MAAM;gBAHrB,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EAC5B,OAAO,EAAE,MAAM,EACC,YAAY,CAAC,EAAE,MAAM,YAAA;CAKxC;AAED,qBAAa,UAAU;IACrB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAqB;IAC5C,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAqB;gBAG7C,OAAO,GAAE,MAAiB,EAC1B,MAAM,CAAC,EAAE,MAAM,EACf,SAAS,CAAC,EAAE,MAAM;IAOpB,OAAO,IAAI,OAAO;IAIlB,OAAO,CAAC,aAAa,CAAK;IAE1B,OAAO,CAAC,KAAK;IAIb,OAAO,CAAC,IAAI;IASZ,OAAO,CAAC,WAAW;IAWnB;;;;OAIG;IACH,OAAO,CAAC,iBAAiB;IAOzB;;;;OAIG;YACW,cAAc;YA2Bd,cAAc;IActB,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC;IAoB1E,IAAI,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC;IAmBnD,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC;IAmBlD,MAAM,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC;CAmBpF"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAKA,qBAAa,YAAa,SAAQ,KAAK;aAEnB,MAAM,EAAE,MAAM;aACd,IAAI,EAAE,MAAM;aAEZ,YAAY,CAAC,EAAE,MAAM;gBAHrB,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EAC5B,OAAO,EAAE,MAAM,EACC,YAAY,CAAC,EAAE,MAAM,YAAA;CAKxC;AAED,qBAAa,UAAU;IACrB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAqB;IAC5C,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAqB;gBAG7C,OAAO,GAAE,MAAiB,EAC1B,MAAM,CAAC,EAAE,MAAM,EACf,SAAS,CAAC,EAAE,MAAM;IAOpB,OAAO,IAAI,OAAO;IAIlB,OAAO,CAAC,aAAa,CAAK;IAE1B,OAAO,CAAC,KAAK;IAIb,OAAO,CAAC,IAAI;IASZ,OAAO,CAAC,WAAW;IAWnB;;;;OAIG;IACH,OAAO,CAAC,iBAAiB;IAOzB;;;;OAIG;YACW,cAAc;YA2Bd,cAAc;IAsBtB,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC;IAoB1E,IAAI,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC;IAmBnD,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC;IAmBlD,MAAM,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC;CAmBpF"}

package/dist/client.js

@@ -90,7 +90,12 @@ export class BudaClient {
             catch {
                 // ignore parse error, use statusText
             }
-            throw new BudaApiError(response.status, path, `Buda API ${response.status}: ${detail}`);
+            // Log full upstream detail server-side only — never forward to MCP caller
+            process.stderr.write(JSON.stringify({ buda_api_error: true, status: response.status, path, detail }) + "\n");
+            const clientMsg = response.status === 429
+                ? `Rate limit exceeded on ${path}. Retry later.`
+                : `Buda API error ${response.status} on ${path}.`;
+            throw new BudaApiError(response.status, path, clientMsg);
         }
         return response.json();
     }

package/dist/http.js

@@ -1,4 +1,5 @@
 import express from "express";
+import helmet from "helmet";
 import rateLimit from "express-rate-limit";
 import { McpServer, ResourceTemplate } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
@@ -127,22 +128,22 @@ function createServer() {
     if (authEnabled) {
         balances.register(server, client);
         orders.register(server, client);
-        placeOrder.register(server, client);
-        cancelOrder.register(server, client);
+        placeOrder.register(server, client, "http");
+        cancelOrder.register(server, client, "http");
         deadMansSwitch.register(server, client, "http");
         account.register(server, client);
         balance.register(server, client);
         orderLookup.register(server, client);
         networkFees.register(server, client);
         deposits.register(server, client);
-        withdrawals.register(server, client);
-        receiveAddresses.register(server, client);
-        remittances.register(server, client);
+        withdrawals.register(server, client, "http");
+        receiveAddresses.register(server, client, "http");
+        remittances.register(server, client, "http");
         remittanceRecipients.register(server, client);
-        cancelAllOrders.register(server, client);
-        cancelOrderByClientId.register(server, client);
-        batchOrders.register(server, client);
-        lightning.register(server, client);
+        cancelAllOrders.register(server, client, "http");
+        cancelOrderByClientId.register(server, client, "http");
+        batchOrders.register(server, client, "http");
+        lightning.register(server, client, "http");
     }
     // MCP Resources
     server.resource("buda-markets", "buda://markets", async (uri) => {
@@ -195,10 +196,15 @@ function createServer() {
     return server;
 }
 const app = express();
-// Required for correct client IP detection behind Railway's reverse proxy.
-// Without this, express-rate-limit sees the proxy IP instead of the real client.
+app.use(helmet());
+// CORS: intentionally not configured. This server is designed for server-to-server MCP
+// communication only (AI agents, Claude Desktop, etc.) — not for browser clients.
+// Helmet already sets X-Content-Type-Options, X-Frame-Options, and related headers.
+// trust proxy: 1 = trust exactly one hop (Railway's reverse proxy).
+// If Cloudflare or another proxy is added in front, increment this value.
+// Affects: req.ip and express-rate-limit client IP detection.
 app.set("trust proxy", 1);
-app.use(express.json());
+app.use(express.json({ limit: "10kb" }));
 const MCP_AUTH_TOKEN = process.env.MCP_AUTH_TOKEN;
 if (authEnabled && !MCP_AUTH_TOKEN) {
     console.error("[buda-mcp] FATAL: BUDA_API_KEY/BUDA_API_SECRET are set but MCP_AUTH_TOKEN is not.\n" +
@@ -224,6 +230,13 @@ const mcpRateLimiter = rateLimit({
     legacyHeaders: false,
     message: { error: "Too many requests. Retry after 60 seconds.", code: "RATE_LIMITED" },
 });
+const staticRateLimiter = rateLimit({
+    windowMs: 60_000,
+    max: 60,
+    standardHeaders: true,
+    legacyHeaders: false,
+    message: { error: "Too many requests.", code: "RATE_LIMITED" },
+});
 function mcpAuthMiddleware(req, res, next) {
     if (!MCP_AUTH_TOKEN) {
         next();
@@ -236,18 +249,20 @@ function mcpAuthMiddleware(req, res, next) {
     }
     next();
 }
-// Health check for Railway / uptime monitors
-app.get("/health", (_req, res) => {
+// Health check for Railway / uptime monitors.
+// version is intentionally omitted to avoid fingerprinting by unauthenticated callers.
+app.get("/health", staticRateLimiter, (_req, res) => {
     res.json({
         status: "ok",
         server: "buda-mcp",
-        version: VERSION,
         auth_mode: authEnabled ? "authenticated" : "public",
     });
 });
 // Smithery static server card — assembled programmatically from tool definitions.
 // Adding a new tool only requires exporting its toolSchema; this handler needs no changes.
-app.get("/.well-known/mcp/server-card.json", (_req, res) => {
+// When auth is enabled, the server card is gated behind the same bearer token as /mcp
+// to avoid leaking the full tool schema to unauthenticated callers.
+app.get("/.well-known/mcp/server-card.json", staticRateLimiter, mcpAuthMiddleware, (_req, res) => {
     res.json({
         serverInfo: { name: "buda-mcp", version: VERSION },
         authentication: { required: authEnabled },
@@ -284,7 +299,7 @@ app.get("/mcp", mcpRateLimiter, mcpAuthMiddleware, async (req, res) => {
     await server.connect(transport);
     await transport.handleRequest(req, res);
 });
-app.delete("/mcp", async (_req, res) => {
+app.delete("/mcp", mcpRateLimiter, mcpAuthMiddleware, async (_req, res) => {
     res.status(405).json({ error: "Sessions not supported (stateless server)" });
 });
 app.listen(PORT, () => {

package/dist/tools/arbitrage.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"arbitrage.d.ts","sourceRoot":"","sources":["../../src/tools/arbitrage.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AACxD,OAAO,EAAE,WAAW,EAAa,MAAM,aAAa,CAAC;AAGrD,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;CAyBtB,CAAC;AAYF,UAAU,cAAc;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,wBAAsB,4BAA4B,CAChD,EAAE,aAAa,EAAE,aAAmB,EAAE,EAAE,cAAc,EACtD,MAAM,EAAE,UAAU,EAClB,KAAK,EAAE,WAAW,GACjB,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAgIhF;AAED,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,WAAW,GAAG,IAAI,CAmBxF"}
+{"version":3,"file":"arbitrage.d.ts","sourceRoot":"","sources":["../../src/tools/arbitrage.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AACxD,OAAO,EAAE,WAAW,EAAa,MAAM,aAAa,CAAC;AAIrD,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;CAyBtB,CAAC;AAYF,UAAU,cAAc;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,wBAAsB,4BAA4B,CAChD,EAAE,aAAa,EAAE,aAAmB,EAAE,EAAE,cAAc,EACtD,MAAM,EAAE,UAAU,EAClB,KAAK,EAAE,WAAW,GACjB,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAwIhF;AAED,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,WAAW,GAAG,IAAI,CAsBxF"}

package/dist/tools/arbitrage.js

@@ -1,6 +1,7 @@
 import { z } from "zod";
 import { BudaApiError } from "../client.js";
 import { CACHE_TTL } from "../cache.js";
+import { validateCurrency } from "../validation.js";
 export const toolSchema = {
     name: "get_arbitrage_opportunities",
     description: "Detects cross-country price discrepancies for a given asset across Buda's CLP, COP, and PEN markets, " +
@@ -26,6 +27,13 @@ export const toolSchema = {
     },
 };
 export async function handleArbitrageOpportunities({ base_currency, threshold_pct = 0.5 }, client, cache) {
+    const currencyError = validateCurrency(base_currency);
+    if (currencyError) {
+        return {
+            content: [{ type: "text", text: JSON.stringify({ error: currencyError, code: "INVALID_CURRENCY" }) }],
+            isError: true,
+        };
+    }
     try {
         const base = base_currency.toUpperCase();
         const data = await cache.getOrFetch("tickers:all", CACHE_TTL.TICKER, () => client.get("/tickers"));
@@ -130,6 +138,9 @@ export function register(server, client, cache) {
     server.tool(toolSchema.name, toolSchema.description, {
         base_currency: z
             .string()
+            .min(2)
+            .max(10)
+            .regex(/^[A-Z0-9]+$/i, "Must be 2–10 alphanumeric characters (e.g. 'BTC', 'ETH').")
             .describe("Base asset to scan (e.g. 'BTC', 'ETH', 'XRP')."),
         threshold_pct: z
             .number()

package/dist/tools/batch_orders.d.ts

@@ -77,6 +77,6 @@ export declare function handlePlaceBatchOrders(args: BatchOrdersArgs, client: Bu
     }>;
     isError?: boolean;
 }>;
-export declare function register(server: McpServer, client: BudaClient): void;
+export declare function register(server: McpServer, client: BudaClient, transport?: "http" | "stdio"): void;
 export {};
 //# sourceMappingURL=batch_orders.d.ts.map

package/dist/tools/batch_orders.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"batch_orders.d.ts","sourceRoot":"","sources":["../../src/tools/batch_orders.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AAKxD,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA0CtB,CAAC;AAEF,QAAA,MAAM,UAAU;;;;;;;;;;;;iBAMd,CAAC;AAEH,KAAK,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAWnD,KAAK,eAAe,GAAG;IACrB,MAAM,EAAE,gBAAgB,EAAE,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF,wBAAsB,sBAAsB,CAC1C,IAAI,EAAE,eAAe,EACrB,MAAM,EAAE,UAAU,EAClB,SAAS,GAAE,MAAM,GAAG,OAAiB,GACpC,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CA2IhF;AAED,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,GAAG,IAAI,CA2BpE"}
+{"version":3,"file":"batch_orders.d.ts","sourceRoot":"","sources":["../../src/tools/batch_orders.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AAKxD,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA0CtB,CAAC;AAEF,QAAA,MAAM,UAAU;;;;;;;;;;;;iBAMd,CAAC;AAEH,KAAK,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAWnD,KAAK,eAAe,GAAG;IACrB,MAAM,EAAE,gBAAgB,EAAE,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF,wBAAsB,sBAAsB,CAC1C,IAAI,EAAE,eAAe,EACrB,MAAM,EAAE,UAAU,EAClB,SAAS,GAAE,MAAM,GAAG,OAAiB,GACpC,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CA2IhF;AAED,wBAAgB,QAAQ,CACtB,MAAM,EAAE,SAAS,EACjB,MAAM,EAAE,UAAU,EAClB,SAAS,GAAE,MAAM,GAAG,OAAiB,GACpC,IAAI,CA2BN"}

package/dist/tools/batch_orders.js

@@ -176,7 +176,7 @@ export async function handlePlaceBatchOrders(args, client, transport = "stdio")
         isError,
     };
 }
-export function register(server, client) {
+export function register(server, client, transport = "stdio") {
     server.tool(toolSchema.name, toolSchema.description, {
         orders: z
             .array(orderShape)
@@ -193,6 +193,6 @@ export function register(server, client) {
         confirmation_token: z
             .string()
             .describe("Safety confirmation. Must equal exactly 'CONFIRM' (case-sensitive) to execute."),
-    }, (args) => handlePlaceBatchOrders(args, client));
+    }, (args) => handlePlaceBatchOrders(args, client, transport));
 }
 //# sourceMappingURL=batch_orders.js.map

package/dist/tools/cancel_all_orders.d.ts

@@ -29,6 +29,6 @@ export declare function handleCancelAllOrders(args: CancelAllOrdersArgs, client:
     }>;
     isError?: boolean;
 }>;
-export declare function register(server: McpServer, client: BudaClient): void;
+export declare function register(server: McpServer, client: BudaClient, transport?: "http" | "stdio"): void;
 export {};
 //# sourceMappingURL=cancel_all_orders.d.ts.map

package/dist/tools/cancel_all_orders.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cancel_all_orders.d.ts","sourceRoot":"","sources":["../../src/tools/cancel_all_orders.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AAKxD,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;CAuBtB,CAAC;AAEF,KAAK,mBAAmB,GAAG;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF,wBAAsB,qBAAqB,CACzC,IAAI,EAAE,mBAAmB,EACzB,MAAM,EAAE,UAAU,EAClB,SAAS,GAAE,MAAM,GAAG,OAAiB,GACpC,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAqDhF;AAED,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,GAAG,IAAI,CAkBpE"}
+{"version":3,"file":"cancel_all_orders.d.ts","sourceRoot":"","sources":["../../src/tools/cancel_all_orders.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AAKxD,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;CAuBtB,CAAC;AAEF,KAAK,mBAAmB,GAAG;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF,wBAAsB,qBAAqB,CACzC,IAAI,EAAE,mBAAmB,EACzB,MAAM,EAAE,UAAU,EAClB,SAAS,GAAE,MAAM,GAAG,OAAiB,GACpC,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAqDhF;AAED,wBAAgB,QAAQ,CACtB,MAAM,EAAE,SAAS,EACjB,MAAM,EAAE,UAAU,EAClB,SAAS,GAAE,MAAM,GAAG,OAAiB,GACpC,IAAI,CAkBN"}

package/dist/tools/cancel_all_orders.js

@@ -71,7 +71,7 @@ export async function handleCancelAllOrders(args, client, transport = "stdio") {
         return result;
     }
 }
-export function register(server, client) {
+export function register(server, client, transport = "stdio") {
     server.tool(toolSchema.name, toolSchema.description, {
         market_id: z
             .string()
@@ -81,6 +81,6 @@ export function register(server, client) {
             .string()
             .describe("Safety confirmation. Must equal exactly 'CONFIRM' (case-sensitive) to execute. " +
             "Any other value will reject the request without canceling."),
-    }, (args) => handleCancelAllOrders(args, client));
+    }, (args) => handleCancelAllOrders(args, client, transport));
 }
 //# sourceMappingURL=cancel_all_orders.js.map

package/dist/tools/cancel_order.d.ts

@@ -29,6 +29,6 @@ export declare function handleCancelOrder(args: CancelOrderArgs, client: BudaCli
     }>;
     isError?: boolean;
 }>;
-export declare function register(server: McpServer, client: BudaClient): void;
+export declare function register(server: McpServer, client: BudaClient, transport?: "http" | "stdio"): void;
 export {};
 //# sourceMappingURL=cancel_order.d.ts.map

package/dist/tools/cancel_order.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cancel_order.d.ts","sourceRoot":"","sources":["../../src/tools/cancel_order.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AAIxD,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;CAuBtB,CAAC;AAEF,KAAK,eAAe,GAAG;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF,wBAAsB,iBAAiB,CACrC,IAAI,EAAE,eAAe,EACrB,MAAM,EAAE,UAAU,EAClB,SAAS,GAAE,MAAM,GAAG,OAAiB,GACpC,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAsChF;AAED,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,GAAG,IAAI,CAmBpE"}
+{"version":3,"file":"cancel_order.d.ts","sourceRoot":"","sources":["../../src/tools/cancel_order.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AAIxD,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;CAuBtB,CAAC;AAEF,KAAK,eAAe,GAAG;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF,wBAAsB,iBAAiB,CACrC,IAAI,EAAE,eAAe,EACrB,MAAM,EAAE,UAAU,EAClB,SAAS,GAAE,MAAM,GAAG,OAAiB,GACpC,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAsChF;AAED,wBAAgB,QAAQ,CACtB,MAAM,EAAE,SAAS,EACjB,MAAM,EAAE,UAAU,EAClB,SAAS,GAAE,MAAM,GAAG,OAAiB,GACpC,IAAI,CAmBN"}

package/dist/tools/cancel_order.js

@@ -58,7 +58,7 @@ export async function handleCancelOrder(args, client, transport = "stdio") {
         return result;
     }
 }
-export function register(server, client) {
+export function register(server, client, transport = "stdio") {
     server.tool(toolSchema.name, toolSchema.description, {
         order_id: z
             .number()
@@ -69,6 +69,6 @@ export function register(server, client) {
             .string()
             .describe("Safety confirmation. Must equal exactly 'CONFIRM' (case-sensitive) to cancel the order. " +
             "Any other value will reject the request without canceling."),
-    }, (args) => handleCancelOrder(args, client));
+    }, (args) => handleCancelOrder(args, client, transport));
 }
 //# sourceMappingURL=cancel_order.js.map

package/dist/tools/cancel_order_by_client_id.d.ts

@@ -29,6 +29,6 @@ export declare function handleCancelOrderByClientId(args: CancelOrderByClientIdA
     }>;
     isError?: boolean;
 }>;
-export declare function register(server: McpServer, client: BudaClient): void;
+export declare function register(server: McpServer, client: BudaClient, transport?: "http" | "stdio"): void;
 export {};
 //# sourceMappingURL=cancel_order_by_client_id.d.ts.map

package/dist/tools/cancel_order_by_client_id.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cancel_order_by_client_id.d.ts","sourceRoot":"","sources":["../../src/tools/cancel_order_by_client_id.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AAKxD,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;CAsBtB,CAAC;AAEF,KAAK,yBAAyB,GAAG;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAmCF,wBAAsB,2BAA2B,CAC/C,IAAI,EAAE,yBAAyB,EAC/B,MAAM,EAAE,UAAU,EAClB,SAAS,GAAE,MAAM,GAAG,OAAiB,GACpC,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAuChF;AAED,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,GAAG,IAAI,CAkBpE"}
+{"version":3,"file":"cancel_order_by_client_id.d.ts","sourceRoot":"","sources":["../../src/tools/cancel_order_by_client_id.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AAKxD,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;CAsBtB,CAAC;AAEF,KAAK,yBAAyB,GAAG;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAmCF,wBAAsB,2BAA2B,CAC/C,IAAI,EAAE,yBAAyB,EAC/B,MAAM,EAAE,UAAU,EAClB,SAAS,GAAE,MAAM,GAAG,OAAiB,GACpC,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAuChF;AAED,wBAAgB,QAAQ,CACtB,MAAM,EAAE,SAAS,EACjB,MAAM,EAAE,UAAU,EAClB,SAAS,GAAE,MAAM,GAAG,OAAiB,GACpC,IAAI,CAkBN"}

package/dist/tools/cancel_order_by_client_id.js

@@ -87,7 +87,7 @@ export async function handleCancelOrderByClientId(args, client, transport = "std
         return result;
     }
 }
-export function register(server, client) {
+export function register(server, client, transport = "stdio") {
     server.tool(toolSchema.name, toolSchema.description, {
         client_id: z
             .string()
@@ -97,6 +97,6 @@ export function register(server, client) {
             .string()
             .describe("Safety confirmation. Must equal exactly 'CONFIRM' (case-sensitive) to execute. " +
             "Any other value will reject the request without canceling."),
-    }, (args) => handleCancelOrderByClientId(args, client));
+    }, (args) => handleCancelOrderByClientId(args, client, transport));
 }
 //# sourceMappingURL=cancel_order_by_client_id.js.map

package/dist/tools/lightning.d.ts

@@ -63,6 +63,6 @@ export declare function handleCreateLightningInvoice(args: CreateLightningInvoic
     }>;
     isError?: boolean;
 }>;
-export declare function register(server: McpServer, client: BudaClient): void;
+export declare function register(server: McpServer, client: BudaClient, transport?: "http" | "stdio"): void;
 export {};
 //# sourceMappingURL=lightning.d.ts.map

package/dist/tools/lightning.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"lightning.d.ts","sourceRoot":"","sources":["../../src/tools/lightning.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AAKxD,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;;;CAuBzC,CAAC;AAEF,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;;;CAwB5C,CAAC;AAEF,KAAK,uBAAuB,GAAG;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF,KAAK,0BAA0B,GAAG;IAChC,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB,CAAC;AAEF,wBAAsB,yBAAyB,CAC7C,IAAI,EAAE,uBAAuB,EAC7B,MAAM,EAAE,UAAU,EAClB,SAAS,GAAE,MAAM,GAAG,OAAiB,GACpC,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAgFhF;AAED,wBAAsB,4BAA4B,CAChD,IAAI,EAAE,0BAA0B,EAChC,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CA8ChF;AAED,wBAAgB,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,GAAG,IAAI,CA2CpE"}
+{"version":3,"file":"lightning.d.ts","sourceRoot":"","sources":["../../src/tools/lightning.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AAKxD,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;;;CAuBzC,CAAC;AAEF,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;;;CAwB5C,CAAC;AAEF,KAAK,uBAAuB,GAAG;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF,KAAK,0BAA0B,GAAG;IAChC,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB,CAAC;AAEF,wBAAsB,yBAAyB,CAC7C,IAAI,EAAE,uBAAuB,EAC7B,MAAM,EAAE,UAAU,EAClB,SAAS,GAAE,MAAM,GAAG,OAAiB,GACpC,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAsFhF;AAED,wBAAsB,4BAA4B,CAChD,IAAI,EAAE,0BAA0B,EAChC,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CA8ChF;AAED,wBAAgB,QAAQ,CACtB,MAAM,EAAE,SAAS,EACjB,MAAM,EAAE,UAAU,EAClB,SAAS,GAAE,MAAM,GAAG,OAAiB,GACpC,IAAI,CA2CN"}

package/dist/tools/lightning.js

@@ -103,7 +103,13 @@ export async function handleLightningWithdrawal(args, client, transport = "stdio
                 },
             ],
         };
-        logAudit({ ts: new Date().toISOString(), tool: "lightning_withdrawal", transport, args_summary: {}, success: true });
+        logAudit({
+            ts: new Date().toISOString(),
+            tool: "lightning_withdrawal",
+            transport,
+            args_summary: { amount_btc: amount.value },
+            success: true,
+        });
         return result;
     }
     catch (err) {
@@ -153,7 +159,7 @@ export async function handleCreateLightningInvoice(args, client) {
         };
     }
 }
-export function register(server, client) {
+export function register(server, client, transport = "stdio") {
     server.tool(lightningWithdrawalToolSchema.name, lightningWithdrawalToolSchema.description, {
         invoice: z
             .string()
@@ -163,7 +169,7 @@ export function register(server, client) {
             .string()
             .describe("Safety confirmation. Must equal exactly 'CONFIRM' (case-sensitive) to execute. " +
             "Any other value will reject the request without paying."),
-    }, (args) => handleLightningWithdrawal(args, client));
+    }, (args) => handleLightningWithdrawal(args, client, transport));
     server.tool(createLightningInvoiceToolSchema.name, createLightningInvoiceToolSchema.description, {
         amount_satoshis: z
             .number()

package/dist/tools/place_order.d.ts

@@ -79,6 +79,6 @@ export declare function handlePlaceOrder(args: PlaceOrderArgs, client: BudaClien
     }>;
     isError?: boolean;
 }>;
-export declare function register(server: McpServer, client: BudaClient): void;
+export declare function register(server: McpServer, client: BudaClient, transport?: "http" | "stdio"): void;
 export {};
 //# sourceMappingURL=place_order.d.ts.map