@liquiditytech/rapidx-cli 1.0.26

package/dist/core/update/check-update.js

@@ -0,0 +1,295 @@
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { dirname, join, resolve } from "node:path";
+import { RAPIDX_SKILLS_SCHEMA_VERSION, RAPIDX_SKILLS_VERSION } from "../contracts/compatibility.js";
+import { SCHEMA_VERSION } from "../contracts/types.js";
+import { RAPIDX_VERSION } from "../version.js";
+export const DEFAULT_RELEASE_MANIFEST_URL = "https://raw.githubusercontent.com/LiquidityTech/ltp-rapidx-skill/main/releases/stable.json";
+export const DEFAULT_UPDATE_CACHE_TTL_SECONDS = 86_400;
+export const BUILTIN_MINIMUM_SUPPORTED_VERSION = "1.0.20";
+export const BUILTIN_MINIMUM_WRITE_VERSION = "1.0.24";
+export async function checkForUpdate(input = {}, env = process.env, cwd = process.cwd()) {
+    const manifestUrl = resolveManifestUrl(input, env);
+    const cacheTtlSeconds = resolveCacheTtl(input);
+    const cacheFile = resolveUpdateCacheFile(env, cwd);
+    const cached = loadCachedUpdateState(cacheFile);
+    if (!input.force && cached && !isCacheExpired(cached, cacheTtlSeconds)) {
+        return {
+            ...cached.result,
+            manifestSource: "cache",
+            cacheTtlSeconds
+        };
+    }
+    try {
+        const manifest = await fetchReleaseManifest(manifestUrl);
+        const result = buildUpdateCheckResult(manifest, {
+            checkedAt: new Date().toISOString(),
+            cacheTtlSeconds,
+            manifestUrl,
+            manifestSource: "remote"
+        });
+        saveCachedUpdateState(cacheFile, {
+            checkedAt: result.checkedAt,
+            cacheTtlSeconds,
+            result
+        });
+        return result;
+    }
+    catch (error) {
+        if (cached) {
+            return {
+                ...cached.result,
+                manifestSource: "cache",
+                cacheTtlSeconds,
+                error: error instanceof Error ? error.message : String(error)
+            };
+        }
+        return buildUnknownUpdateCheckResult({
+            checkedAt: new Date().toISOString(),
+            cacheTtlSeconds,
+            manifestUrl,
+            manifestSource: "fallback",
+            error: error instanceof Error ? error.message : String(error)
+        });
+    }
+}
+export function buildUpdateCheckResult(manifest, metadata) {
+    const minimumSupportedVersion = manifest.minimumSupportedVersion || BUILTIN_MINIMUM_SUPPORTED_VERSION;
+    const minimumWriteVersion = maxVersion(manifest.minimumWriteVersion || BUILTIN_MINIMUM_WRITE_VERSION, BUILTIN_MINIMUM_WRITE_VERSION);
+    const status = computeUpdateStatus({
+        currentVersion: RAPIDX_VERSION,
+        latestVersion: manifest.latestCliVersion,
+        minimumSupportedVersion,
+        minimumWriteVersion
+    });
+    const writeAllowed = status !== "WRITE_BLOCKED";
+    return {
+        currentVersion: RAPIDX_VERSION,
+        latestVersion: manifest.latestCliVersion,
+        minimumSupportedVersion,
+        minimumWriteVersion,
+        latestMcpSchemaVersion: manifest.latestMcpSchemaVersion,
+        currentMcpSchemaVersion: SCHEMA_VERSION,
+        skillsVersion: manifest.skillsVersion,
+        currentSkillsVersion: RAPIDX_SKILLS_VERSION,
+        skillsSchemaVersion: manifest.skillsSchemaVersion,
+        currentSkillsSchemaVersion: RAPIDX_SKILLS_SCHEMA_VERSION,
+        updateAvailable: compareVersions(RAPIDX_VERSION, manifest.latestCliVersion) < 0,
+        writeAllowed,
+        status,
+        severity: manifest.severity,
+        breaking: manifest.breaking,
+        checkedAt: metadata.checkedAt,
+        cacheTtlSeconds: metadata.cacheTtlSeconds,
+        manifestUrl: metadata.manifestUrl,
+        manifestSource: metadata.manifestSource,
+        releaseNotesUrl: manifest.releaseNotesUrl,
+        skillsUpdateRecommended: manifest.skillsUpdateRecommended || compareVersions(RAPIDX_SKILLS_VERSION, manifest.skillsVersion) < 0,
+        upgrade: manifest.upgrade,
+        ...(metadata.error ? { error: metadata.error } : {})
+    };
+}
+export function resolveUpdateCacheFile(env = process.env, cwd = process.cwd()) {
+    const stateDir = env.RAPIDX_STATE_DIR ? resolve(env.RAPIDX_STATE_DIR) : resolve(cwd, ".rapidx");
+    return join(stateDir, "update-state.json");
+}
+function resolveManifestUrl(input, env) {
+    const url = firstNonEmpty(input.manifestUrl, env.RAPIDX_RELEASE_MANIFEST_URL, DEFAULT_RELEASE_MANIFEST_URL);
+    assertHttpsUrl(url);
+    return url;
+}
+function resolveCacheTtl(input) {
+    if (typeof input.maxCacheAgeSeconds === "number" && Number.isFinite(input.maxCacheAgeSeconds) && input.maxCacheAgeSeconds >= 0) {
+        return input.maxCacheAgeSeconds;
+    }
+    return DEFAULT_UPDATE_CACHE_TTL_SECONDS;
+}
+async function fetchReleaseManifest(url) {
+    const response = await fetch(url);
+    if (!response.ok) {
+        throw new Error(`Release manifest request failed with HTTP ${response.status}.`);
+    }
+    const raw = JSON.parse(await response.text());
+    return normalizeReleaseManifest(raw);
+}
+function normalizeReleaseManifest(raw) {
+    if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+        throw new Error("Release manifest must be a JSON object.");
+    }
+    const value = raw;
+    const upgrade = isPlainObject(value.upgrade) ? value.upgrade : {};
+    const manifest = {
+        product: readLiteral(value.product, "rapidx", "product"),
+        channel: readLiteral(value.channel, "stable", "channel"),
+        latestCliVersion: readRequiredString(value.latestCliVersion, "latestCliVersion"),
+        minimumSupportedVersion: readOptionalString(value.minimumSupportedVersion, BUILTIN_MINIMUM_SUPPORTED_VERSION),
+        minimumWriteVersion: readOptionalString(value.minimumWriteVersion, BUILTIN_MINIMUM_WRITE_VERSION),
+        latestMcpSchemaVersion: readOptionalString(value.latestMcpSchemaVersion, SCHEMA_VERSION),
+        skillsVersion: readOptionalString(value.skillsVersion, RAPIDX_SKILLS_VERSION),
+        skillsSchemaVersion: readOptionalString(value.skillsSchemaVersion, RAPIDX_SKILLS_SCHEMA_VERSION),
+        skillsUpdateRecommended: value.skillsUpdateRecommended === true,
+        severity: readSeverity(value.severity),
+        breaking: value.breaking === true,
+        releaseNotesUrl: readOptionalString(value.releaseNotesUrl, ""),
+        upgrade: {
+            global: readOptionalString(upgrade.global, undefined),
+            workspace: readOptionalString(upgrade.workspace, undefined),
+            skills: readOptionalString(upgrade.skills, undefined)
+        }
+    };
+    assertSemver(manifest.latestCliVersion, "latestCliVersion");
+    assertSemver(manifest.minimumSupportedVersion, "minimumSupportedVersion");
+    assertSemver(manifest.minimumWriteVersion, "minimumWriteVersion");
+    return manifest;
+}
+function fallbackManifest() {
+    return {
+        product: "rapidx",
+        channel: "stable",
+        latestCliVersion: RAPIDX_VERSION,
+        minimumSupportedVersion: BUILTIN_MINIMUM_SUPPORTED_VERSION,
+        minimumWriteVersion: BUILTIN_MINIMUM_WRITE_VERSION,
+        latestMcpSchemaVersion: SCHEMA_VERSION,
+        skillsVersion: RAPIDX_SKILLS_VERSION,
+        skillsSchemaVersion: RAPIDX_SKILLS_SCHEMA_VERSION,
+        skillsUpdateRecommended: false,
+        severity: "none",
+        breaking: false,
+        releaseNotesUrl: "",
+        upgrade: {}
+    };
+}
+function buildUnknownUpdateCheckResult(metadata) {
+    const manifest = fallbackManifest();
+    return {
+        currentVersion: RAPIDX_VERSION,
+        latestVersion: RAPIDX_VERSION,
+        minimumSupportedVersion: manifest.minimumSupportedVersion,
+        minimumWriteVersion: manifest.minimumWriteVersion,
+        latestMcpSchemaVersion: manifest.latestMcpSchemaVersion,
+        currentMcpSchemaVersion: SCHEMA_VERSION,
+        skillsVersion: manifest.skillsVersion,
+        currentSkillsVersion: RAPIDX_SKILLS_VERSION,
+        skillsSchemaVersion: manifest.skillsSchemaVersion,
+        currentSkillsSchemaVersion: RAPIDX_SKILLS_SCHEMA_VERSION,
+        updateAvailable: false,
+        writeAllowed: true,
+        status: "UNKNOWN",
+        severity: "none",
+        breaking: false,
+        checkedAt: metadata.checkedAt,
+        cacheTtlSeconds: metadata.cacheTtlSeconds,
+        manifestUrl: metadata.manifestUrl,
+        manifestSource: metadata.manifestSource,
+        releaseNotesUrl: "",
+        skillsUpdateRecommended: false,
+        upgrade: {},
+        error: metadata.error
+    };
+}
+function computeUpdateStatus(input) {
+    if (compareVersions(input.currentVersion, input.minimumWriteVersion) < 0) {
+        return "WRITE_BLOCKED";
+    }
+    if (compareVersions(input.currentVersion, input.minimumSupportedVersion) < 0) {
+        return "UPGRADE_REQUIRED";
+    }
+    if (compareVersions(input.currentVersion, input.latestVersion) < 0) {
+        return "UPDATE_AVAILABLE";
+    }
+    return "CURRENT";
+}
+function compareVersions(left, right) {
+    const a = parseVersion(left);
+    const b = parseVersion(right);
+    for (const index of [0, 1, 2]) {
+        const leftPart = a[index];
+        const rightPart = b[index];
+        if (leftPart !== rightPart) {
+            return leftPart < rightPart ? -1 : 1;
+        }
+    }
+    return 0;
+}
+function maxVersion(left, right) {
+    return compareVersions(left, right) >= 0 ? left : right;
+}
+function parseVersion(version) {
+    const match = /^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(version);
+    if (!match) {
+        throw new Error(`Invalid semver version: ${version}`);
+    }
+    return [Number(match[1]), Number(match[2]), Number(match[3])];
+}
+function assertSemver(version, field) {
+    try {
+        parseVersion(version);
+    }
+    catch {
+        throw new Error(`Release manifest field ${field} must be semver.`);
+    }
+}
+function loadCachedUpdateState(filePath) {
+    if (!existsSync(filePath)) {
+        return undefined;
+    }
+    try {
+        const parsed = JSON.parse(readFileSync(filePath, "utf8"));
+        if (!isPlainObject(parsed) || !isPlainObject(parsed.result) || typeof parsed.checkedAt !== "string") {
+            return undefined;
+        }
+        return parsed;
+    }
+    catch {
+        return undefined;
+    }
+}
+function saveCachedUpdateState(filePath, state) {
+    mkdirSync(dirname(filePath), { recursive: true });
+    writeFileSync(filePath, `${JSON.stringify(state, null, 2)}\n`, { mode: 0o600 });
+}
+function isCacheExpired(state, ttlSeconds) {
+    if (ttlSeconds === 0) {
+        return true;
+    }
+    const checkedAt = Date.parse(state.checkedAt);
+    if (!Number.isFinite(checkedAt)) {
+        return true;
+    }
+    return Date.now() - checkedAt > ttlSeconds * 1000;
+}
+function readRequiredString(value, field) {
+    if (typeof value !== "string" || value.length === 0) {
+        throw new Error(`Release manifest field ${field} is required.`);
+    }
+    return value;
+}
+function readOptionalString(value, fallback) {
+    return typeof value === "string" && value.length > 0 ? value : fallback ?? "";
+}
+function readLiteral(value, expected, field) {
+    if (value !== expected) {
+        throw new Error(`Release manifest field ${field} must be ${expected}.`);
+    }
+    return expected;
+}
+function readSeverity(value) {
+    return value === "recommended" || value === "required" || value === "critical" || value === "none" ? value : "none";
+}
+function firstNonEmpty(...values) {
+    return values.find((value) => typeof value === "string" && value.length > 0) ?? DEFAULT_RELEASE_MANIFEST_URL;
+}
+function isPlainObject(value) {
+    return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function assertHttpsUrl(value) {
+    let parsed;
+    try {
+        parsed = new URL(value);
+    }
+    catch {
+        throw new Error("Release manifest URL must be a valid HTTPS URL.");
+    }
+    if (parsed.protocol !== "https:") {
+        throw new Error("Release manifest URL must use HTTPS.");
+    }
+}

package/dist/core/version.js

@@ -0,0 +1 @@
+export const RAPIDX_VERSION = "1.0.26";

package/dist/mcp/audit.js

@@ -0,0 +1,10 @@
+import { AuditWriter } from "../core/index.js";
+const writer = new AuditWriter(process.stderr);
+export function writeMcpAudit(type, status, payload) {
+    const result = writer.write({
+        type,
+        status,
+        payload
+    });
+    return result.auditId;
+}

package/dist/mcp/server.js

@@ -0,0 +1,73 @@
+import { createInterface } from "node:readline";
+import { stdin, stdout } from "node:process";
+import { buildCompatibilityReport, RAPIDX_VERSION } from "../core/index.js";
+import { getMcpToolDefinitions } from "./tool-registry.js";
+import { runMcpTool } from "./tool-runner.js";
+export async function handleMcpRequest(request) {
+    if (request.method === "initialize") {
+        return {
+            jsonrpc: "2.0",
+            id: request.id,
+            result: {
+                protocolVersion: "2025-03-26",
+                serverInfo: { name: "rapidx", version: RAPIDX_VERSION },
+                capabilities: { tools: {} },
+                compatibility: buildCompatibilityReport()
+            }
+        };
+    }
+    if (request.method === "tools/list") {
+        return {
+            jsonrpc: "2.0",
+            id: request.id,
+            result: {
+                tools: getMcpToolDefinitions().map((tool) => ({
+                    name: tool.name,
+                    description: tool.description,
+                    inputSchema: tool.inputSchema
+                }))
+            }
+        };
+    }
+    if (request.method === "tools/call") {
+        const params = request.params ?? {};
+        const name = typeof params.name === "string" ? params.name : "";
+        const args = params.arguments && typeof params.arguments === "object" ? params.arguments : {};
+        const result = await runMcpTool(name, args);
+        return {
+            jsonrpc: "2.0",
+            id: request.id,
+            result: {
+                content: [{ type: "text", text: JSON.stringify(result) }],
+                isError: !result.ok
+            }
+        };
+    }
+    return {
+        jsonrpc: "2.0",
+        id: request.id,
+        error: { code: -32601, message: `Unsupported MCP method: ${request.method}` }
+    };
+}
+export async function startStdioServer() {
+    const rl = createInterface({ input: stdin });
+    for await (const line of rl) {
+        if (!line.trim()) {
+            continue;
+        }
+        try {
+            const request = JSON.parse(line);
+            const response = await handleMcpRequest(request);
+            stdout.write(`${JSON.stringify(response)}\n`);
+        }
+        catch (error) {
+            stdout.write(`${JSON.stringify({
+                jsonrpc: "2.0",
+                error: {
+                    code: -32700,
+                    message: error instanceof Error ? error.message : String(error)
+                }
+            })}\n`);
+        }
+    }
+}

package/dist/mcp/tool-registry.js

@@ -0,0 +1,31 @@
+import { findCapabilityById, findCapabilityByMcpTool, inputSchemaForName, listMcpCapabilities, SCHEMA_VERSION } from "../core/index.js";
+export function getMcpToolDefinitions() {
+    const seen = new Set();
+    const tools = [];
+    for (const capability of listMcpCapabilities()) {
+        if (!capability.mcpTool || seen.has(capability.mcpTool)) {
+            continue;
+        }
+        seen.add(capability.mcpTool);
+        const canonical = capabilityForTool(capability.mcpTool);
+        tools.push({
+            name: capability.mcpTool,
+            description: `RapidX ${canonical.capabilityId} (${canonical.riskLevel}, schema ${SCHEMA_VERSION})`,
+            inputSchema: inputSchemaForName(canonical.inputSchema),
+            capability: canonical
+        });
+    }
+    return tools.sort((a, b) => a.name.localeCompare(b.name));
+}
+export function capabilityForTool(toolName) {
+    const overrideId = toolName === "rapidx/tools"
+        ? "schema.discover"
+        : toolName === "rapidx/self-check"
+            ? "self-check.run"
+            : undefined;
+    const capability = overrideId ? findCapabilityById(overrideId) : findCapabilityByMcpTool(toolName);
+    if (!capability) {
+        throw new Error(`Unknown MCP tool: ${toolName}`);
+    }
+    return capability;
+}

package/dist/mcp/tool-runner.js

@@ -0,0 +1,144 @@
+import { consumePreview, createTargetedTradePreview, createTradePreview, defaultSafetyPolicy, executeRapidXCapability, findCapabilityById, getSchemaResult, makeEvidence, makePreviewStore, makeSafetyState, normalizeUnknownError, runSelfCheck, runTradingVerification, verifyPreview, buildLiveReadOnlySelfCheck, buildLiveTradingVerificationProbes, checkForUpdate, } from "../core/index.js";
+import { capabilityForTool, getMcpToolDefinitions } from "./tool-registry.js";
+import { writeMcpAudit } from "./audit.js";
+const previewStore = makePreviewStore();
+const safetyState = makeSafetyState();
+export async function runMcpTool(toolName, input = {}) {
+    try {
+        if (toolName === "rapidx/tools") {
+            const data = {
+                schemaVersion: getSchemaResult().schemaVersion,
+                tools: getMcpToolDefinitions().map((tool) => ({
+                    name: tool.name,
+                    riskLevel: tool.capability.riskLevel,
+                    inputSchema: tool.capability.inputSchema,
+                    outputSchema: tool.capability.outputSchema,
+                    previewRequired: tool.capability.previewRequired
+                }))
+            };
+            const auditId = writeMcpAudit("tools/list", "PASS", { toolName });
+            return { ok: true, status: "PASS", data, auditId, evidence: [makeEvidence("rapidx/tools")] };
+        }
+        if (toolName === "rapidx/self-check") {
+            const report = await runSelfCheck({
+                input: { scope: input.scope === "deep" ? "deep" : "quick", readOnly: true, checkUpdates: input.checkUpdates === true },
+                ...buildLiveReadOnlySelfCheck(input)
+            });
+            const auditId = writeMcpAudit("self-check", report.status, { toolName, status: report.status });
+            return { ok: report.status === "PASS", status: report.status, data: report, auditId, evidence: report.evidence };
+        }
+        if (toolName === "rapidx/update/check") {
+            const updateInput = { force: input.force === true };
+            if (typeof input.manifestUrl === "string") {
+                updateInput.manifestUrl = input.manifestUrl;
+            }
+            if (typeof input.maxCacheAgeSeconds === "number") {
+                updateInput.maxCacheAgeSeconds = input.maxCacheAgeSeconds;
+            }
+            const update = await checkForUpdate(updateInput);
+            const status = envelopeStatusForUpdate(update.status);
+            const auditId = writeMcpAudit("update-check", status, { toolName, updateStatus: update.status });
+            return { ok: status === "PASS", status, data: update, auditId, evidence: [makeEvidence(toolName)] };
+        }
+        if (toolName === "rapidx/trading-verification" || toolName === "rapidx/trade/verify-live") {
+            const report = await runTradingVerification(input, buildLiveTradingVerificationProbes(input));
+            const auditId = writeMcpAudit("trading-verification", report.status, { toolName, status: report.status });
+            return tradingVerificationEnvelope(toolName, report, auditId);
+        }
+        const capability = capabilityForTool(toolName);
+        if (toolName === "rapidx/order/preview" || toolName === "rapidx/order/place-preview") {
+            const previewCapability = findCapabilityById("order.preview");
+            if (!previewCapability) {
+                throw new Error("order.preview capability missing");
+            }
+            const preview = createTradePreview(previewCapability, input, { ...defaultSafetyPolicy(), tradingEnabled: true, readOnly: false }, safetyState, previewStore);
+            const auditId = writeMcpAudit("trade-preview", "PASS", { toolName, capabilityId: capability.capabilityId, previewId: preview.previewId });
+            return { ok: true, status: "PASS", data: preview, auditId, evidence: [makeEvidence(toolName)] };
+        }
+        const concretePreviewTarget = concretePreviewTargetForTool(toolName);
+        if (concretePreviewTarget) {
+            const targetCapability = findCapabilityById(concretePreviewTarget);
+            if (!targetCapability) {
+                throw new Error(`${concretePreviewTarget} capability missing`);
+            }
+            const preview = createTargetedTradePreview(targetCapability, input, { ...defaultSafetyPolicy(), tradingEnabled: true, readOnly: false }, safetyState, previewStore);
+            const auditId = writeMcpAudit("trade-preview", "PASS", { toolName, capabilityId: targetCapability.capabilityId, previewId: preview.previewId });
+            return { ok: true, status: "PASS", data: preview, auditId, evidence: [makeEvidence(toolName)] };
+        }
+        if (toolName === "rapidx/trade/preview") {
+            const targetCapabilityId = typeof input.targetCapabilityId === "string" ? input.targetCapabilityId : "";
+            const targetCapability = targetCapabilityId ? findCapabilityById(targetCapabilityId) : undefined;
+            if (!targetCapability) {
+                throw new Error(`Unknown trade preview target: ${targetCapabilityId || "<missing>"}`);
+            }
+            if (targetCapability.operationType !== "TRADE_WRITE" || isPreviewCapability(targetCapability.capabilityId)) {
+                throw new Error("trade preview target must be a non-preview trade write capability.");
+            }
+            const preview = createTargetedTradePreview(targetCapability, input, { ...defaultSafetyPolicy(), tradingEnabled: true, readOnly: false }, safetyState, previewStore);
+            const auditId = writeMcpAudit("trade-preview", "PASS", { toolName, capabilityId: targetCapability.capabilityId, previewId: preview.previewId });
+            return { ok: true, status: "PASS", data: preview, auditId, evidence: [makeEvidence(toolName)] };
+        }
+        if (capability.previewRequired) {
+            verifyPreview(previewStore, typeof input.previewId === "string" ? input.previewId : undefined, capability, input);
+            const consentId = input.continueConsentId;
+            if (typeof consentId !== "string" || consentId.length === 0) {
+                return { ok: false, status: "BLOCKED", code: "RMCP20001", message: "continueConsentId is required for trade writes.", evidence: [makeEvidence(toolName)] };
+            }
+            consumePreview(previewStore, typeof input.previewId === "string" ? input.previewId : undefined, capability, input);
+        }
+        const data = await executeRapidXCapability(capability.capabilityId, input);
+        const auditId = writeMcpAudit("tool-call", "PASS", { toolName, capabilityId: capability.capabilityId });
+        return {
+            ok: true,
+            status: "PASS",
+            data,
+            auditId,
+            evidence: [makeEvidence(toolName, "real_tool_call")]
+        };
+    }
+    catch (error) {
+        const productError = normalizeUnknownError(error, "RMCP12003");
+        return {
+            ok: false,
+            status: productError.status,
+            code: productError.code.replace(/^RCORE/, "RMCP"),
+            message: productError.message,
+            evidence: [makeEvidence(toolName)]
+        };
+    }
+}
+function concretePreviewTargetForTool(toolName) {
+    if (toolName === "rapidx/order/amend-preview") {
+        return "order.amend";
+    }
+    if (toolName === "rapidx/order/cancel-preview") {
+        return "order.cancel";
+    }
+    return undefined;
+}
+function tradingVerificationEnvelope(toolName, report, auditId) {
+    if (report.status === "PASS") {
+        return { ok: true, status: "PASS", data: report, auditId, evidence: [makeEvidence(toolName)] };
+    }
+    return {
+        ok: false,
+        status: report.status,
+        code: (report.errorCode ?? "RCORE10002").replace(/^RCORE/, "RMCP"),
+        message: report.errorMessage ?? `Trading verification failed: ${report.errorCode ?? report.status}.`,
+        data: report,
+        auditId,
+        evidence: [makeEvidence(toolName)]
+    };
+}
+function isPreviewCapability(capabilityId) {
+    return capabilityId.endsWith(".preview") || capabilityId.endsWith("-preview");
+}
+function envelopeStatusForUpdate(status) {
+    if (status === "WRITE_BLOCKED" || status === "UPGRADE_REQUIRED") {
+        return "BLOCKED";
+    }
+    if (status === "UNKNOWN") {
+        return "NOT_VERIFIED";
+    }
+    return "PASS";
+}

package/package.json

@@ -0,0 +1,48 @@
+{
+  "name": "@liquiditytech/rapidx-cli",
+  "version": "1.0.26",
+  "description": "RapidX CLI, MCP server mode, registry, and release assets.",
+  "type": "module",
+  "private": false,
+  "repository": {
+    "type": "git",
+    "url": "git+ssh://git@github.com/LiquidityTech/ltp-rapidx-cli-mcp.git"
+  },
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org/",
+    "access": "public"
+  },
+  "bin": {
+    "rapidx": "dist/cli/bin.js"
+  },
+  "files": [
+    "dist/cli/**/*.js",
+    "dist/core/**/*.js",
+    "dist/mcp/**/*.js",
+    "packages/distribution/docs",
+    "packages/distribution/registry",
+    "packages/distribution/manifests",
+    "README.md"
+  ],
+  "scripts": {
+    "prebuild": "node packages/distribution/scripts/clean-dist.mjs",
+    "build": "tsc -p tsconfig.json && node packages/distribution/scripts/normalize-dist.mjs",
+    "typecheck": "tsc -p tsconfig.json --noEmit",
+    "test": "vitest run",
+    "test:release-smoke": "vitest run packages/distribution/tests/release-smoke.test.ts",
+    "validate:release": "node dist/distribution/src/validate-release.js"
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "1.29.0",
+    "zod": "3.25.76"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "tsx": "^4.19.0",
+    "typescript": "^5.8.0",
+    "vitest": "^4.1.1"
+  }
+}

package/packages/distribution/docs/cli-only-agent.md

@@ -0,0 +1,12 @@
+# CLI-only Agents
+
+Some agent hosts cannot call MCP tools. They can still call the CLI directly.
+
+Use direct commands only:
+
+```bash
+rapidx schema --json
+rapidx self-check --read-only --json
+```
+
+When passing trade input, use a JSON file or stdin JSON. Avoid interpreter wrappers and bridge scripts.

package/packages/distribution/docs/cli.md

@@ -0,0 +1,49 @@
+# CLI
+
+The `rapidx` CLI is the atomic interface for agents that cannot use MCP.
+
+Official environment variables:
+
+- `LTP_ACCESS_KEY`
+- `LTP_SECRET_KEY`
+- `LTP_API_HOST`
+
+`LTP_API_HOST` is required. Use the API host provided for the current environment.
+
+Supported conventions:
+
+- Use `--json` for machine output.
+- Use `--input @/absolute/path/input.json` for structured input.
+- Use stdin JSON when the host supports it.
+- Do not create bridge scripts.
+- Use `rapidx order place-preview` for `order.place`.
+- Use `rapidx order amend-preview` for `order.amend`.
+- Use `rapidx order cancel-preview` for `order.cancel`.
+- Use `rapidx trade preview` with `targetCapabilityId` for non-order trade writes, including position, account, and algo writes.
+- `rapidx trade preview` input is flat JSON; do not wrap target parameters under `params`.
+- Treat `maxNotional` as a safety upper bound, not as the target order amount. Check symbol `minNotional` before increasing a requested amount.
+
+Examples:
+
+```bash
+rapidx schema --json
+rapidx update check --json
+rapidx self-check --read-only --json
+rapidx self-check --read-only --check-updates --json
+rapidx account balance --input '{"mode":"portfolio"}' --json
+rapidx account balance --input '{"mode":"account"}' --json
+rapidx order place-preview --input @/absolute/path/order-preview.json --json
+rapidx order amend-preview --input @/absolute/path/order-amend-preview.json --json
+rapidx order cancel-preview --input @/absolute/path/order-cancel-preview.json --json
+rapidx trade preview --input @/absolute/path/trade-preview.json --json
+rapidx position history --input @/absolute/path/position-history.json --json
+rapidx account set-position-mode --input @/absolute/path/set-position-mode.json --json
+```
+
+`rapidx update check --json` reads the RapidX release manifest and caches the result locally. Use it during setup, review, or session startup. Trade submit paths should not perform a fresh network update check.
+
+`rapidx account balance` defaults to `mode=portfolio` and reads `/api/v1/trading/portfolio/assets`. `mode=account` reads `/api/v1/account/balance` and requires credentials with account-level permission.
+
+`rapidx account set-position-mode` is a trade write. It requires a matching preview token and a `continueConsentId` before execution.
+
+`rapidx position close` is a close-position action. Do not pass `side` or `quantity`; RapidX determines BUY or SELL from the current position and closes the target symbol/positionSide. Use a reduce-only order flow for partial closes. Verify the final exposure with `rapidx position list --json`, and do not rely only on `order get` to interpret the close intent.