@okx_ai/okx-trade-cli 1.3.1-beta.11 → 1.3.1-beta.13

package/dist/index.js

@@ -21,25 +21,28 @@ import {
 import { homedir as homedir2 } from "os";
 import { join as join2, dirname } from "path";
 import { createHmac } from "crypto";
+import { spawn, execFile as execFile2 } from "child_process";
+import { homedir as homedir3 } from "os";
+import { join as join3 } from "path";
 import fs from "fs";
 import path from "path";
 import os from "os";
 import { writeFileSync as writeFileSync2, renameSync as renameSync2, unlinkSync as unlinkSync2, mkdirSync as mkdirSync2 } from "fs";
-import { join as join3, resolve, basename, sep } from "path";
+import { join as join4, resolve, basename, sep } from "path";
 import { randomUUID } from "crypto";
 import yauzl from "yauzl";
 import { createWriteStream, mkdirSync as mkdirSync3 } from "fs";
 import { resolve as resolve2, dirname as dirname2 } from "path";
 import { readFileSync as readFileSync2, existsSync } from "fs";
-import { join as join4 } from "path";
+import { join as join5 } from "path";
 import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, mkdirSync as mkdirSync4, existsSync as existsSync2 } from "fs";
-import { join as join5, dirname as dirname3 } from "path";
-import { homedir as homedir3 } from "os";
-import { readFileSync as readFileSync4, writeFileSync as writeFileSync4, mkdirSync as mkdirSync5, existsSync as existsSync3 } from "fs";
-import { join as join6, dirname as dirname4 } from "path";
+import { join as join6, dirname as dirname3 } from "path";
 import { homedir as homedir4 } from "os";
+import { readFileSync as readFileSync4, writeFileSync as writeFileSync4, mkdirSync as mkdirSync5, existsSync as existsSync3 } from "fs";
+import { join as join7, dirname as dirname4 } from "path";
+import { homedir as homedir5 } from "os";
 
-// ../../node_modules/.pnpm/smol-toml@1.6.0/node_modules/smol-toml/dist/error.js
+// ../../node_modules/smol-toml/dist/error.js
 function getLineColFromPtr(string, ptr) {
   let lines = string.slice(0, ptr).split(/\r\n|\n|\r/g);
   return [lines.length, lines.pop().length + 1];
@@ -79,7 +82,7 @@ ${codeblock}`, options);
   }
 };
 
-// ../../node_modules/.pnpm/smol-toml@1.6.0/node_modules/smol-toml/dist/util.js
+// ../../node_modules/smol-toml/dist/util.js
 function isEscaped(str, ptr) {
   let i = 0;
   while (str[ptr - ++i] === "\\")
@@ -110,9 +113,14 @@ function skipComment(str, ptr) {
 }
 function skipVoid(str, ptr, banNewLines, banComments) {
   let c;
-  while ((c = str[ptr]) === " " || c === "	" || !banNewLines && (c === "\n" || c === "\r" && str[ptr + 1] === "\n"))
-    ptr++;
-  return banComments || c !== "#" ? ptr : skipVoid(str, skipComment(str, ptr), banNewLines);
+  while (1) {
+    while ((c = str[ptr]) === " " || c === "	" || !banNewLines && (c === "\n" || c === "\r" && str[ptr + 1] === "\n"))
+      ptr++;
+    if (banComments || c !== "#")
+      break;
+    ptr = skipComment(str, ptr);
+  }
+  return ptr;
 }
 function skipUntil(str, ptr, sep2, end, banNewLines = false) {
   if (!end) {
@@ -153,7 +161,7 @@ function getStringEnd(str, seek) {
   return seek;
 }
 
-// ../../node_modules/.pnpm/smol-toml@1.6.0/node_modules/smol-toml/dist/date.js
+// ../../node_modules/smol-toml/dist/date.js
 var DATE_TIME_RE = /^(\d{4}-\d{2}-\d{2})?[T ]?(?:(\d{2}):\d{2}(?::\d{2}(?:\.\d+)?)?)?(Z|[-+]\d{2}:\d{2})?$/i;
 var TomlDate = class _TomlDate extends Date {
   #hasDate = false;
@@ -245,7 +253,7 @@ var TomlDate = class _TomlDate extends Date {
   }
 };
 
-// ../../node_modules/.pnpm/smol-toml@1.6.0/node_modules/smol-toml/dist/primitive.js
+// ../../node_modules/smol-toml/dist/primitive.js
 var INT_REGEX = /^((0x[0-9a-fA-F](_?[0-9a-fA-F])*)|(([+-]|0[ob])?\d(_?\d)*))$/;
 var FLOAT_REGEX = /^[+-]?\d(_?\d)*(\.\d(_?\d)*)?([eE][+-]?\d(_?\d)*)?$/;
 var LEADING_ZERO = /^[+-]?0[0-9_]/;
@@ -384,7 +392,7 @@ function parseValue(value, toml, ptr, integersAsBigInt) {
   return date;
 }
 
-// ../../node_modules/.pnpm/smol-toml@1.6.0/node_modules/smol-toml/dist/extract.js
+// ../../node_modules/smol-toml/dist/extract.js
 function sliceAndTrimEndOf(str, startPtr, endPtr) {
   let value = str.slice(startPtr, endPtr);
   let commentIdx = value.indexOf("#");
@@ -451,7 +459,7 @@ function extractValue(str, ptr, end, depth, integersAsBigInt) {
   ];
 }
 
-// ../../node_modules/.pnpm/smol-toml@1.6.0/node_modules/smol-toml/dist/struct.js
+// ../../node_modules/smol-toml/dist/struct.js
 var KEY_PART_RE = /^[a-zA-Z0-9-_]+[ \t]*$/;
 function parseKey(str, ptr, end = "=") {
   let dot = ptr - 1;
@@ -599,7 +607,7 @@ function parseArray(str, ptr, depth, integersAsBigInt) {
   return [res, ptr];
 }
 
-// ../../node_modules/.pnpm/smol-toml@1.6.0/node_modules/smol-toml/dist/parse.js
+// ../../node_modules/smol-toml/dist/parse.js
 function peekTable(key, table, meta, type) {
   let t = table;
   let m = meta;
@@ -724,7 +732,7 @@ function parse(toml, { maxDepth = 1e3, integersAsBigInt } = {}) {
   return res;
 }
 
-// ../../node_modules/.pnpm/smol-toml@1.6.0/node_modules/smol-toml/dist/stringify.js
+// ../../node_modules/smol-toml/dist/stringify.js
 var BARE_KEY = /^[a-z0-9-_]+$/i;
 function extendedTypeOf(obj) {
   let type = typeof obj;
@@ -867,8 +875,8 @@ function stringify(obj, { maxDepth = 1e3, numbersAsFloat = false } = {}) {
 
 // ../core/dist/index.js
 import { readFileSync as readFileSync5, writeFileSync as writeFileSync5, mkdirSync as mkdirSync6, existsSync as existsSync4 } from "fs";
-import { join as join7 } from "path";
-import { homedir as homedir5 } from "os";
+import { join as join8 } from "path";
+import { homedir as homedir6 } from "os";
 import fs2 from "fs";
 import path2 from "path";
 import os2 from "os";
@@ -876,6 +884,18 @@ import * as fs3 from "fs";
 import * as path3 from "path";
 import * as os3 from "os";
 import { execFileSync } from "child_process";
+import {
+  createWriteStream as createWriteStream3,
+  mkdirSync as mkdirSync9,
+  chmodSync as chmodSync2,
+  existsSync as existsSync7,
+  unlinkSync as unlinkSync4,
+  renameSync as renameSync4
+} from "fs";
+import { homedir as homedir9, platform as platform2 } from "os";
+import { join as join11, dirname as dirname7 } from "path";
+import { get as httpsGet2 } from "https";
+import { get as httpGet2 } from "http";
 import {
   readFileSync as readFileSync7,
   createWriteStream as createWriteStream2,
@@ -886,10 +906,13 @@ import {
   renameSync as renameSync3
 } from "fs";
 import { createHash } from "crypto";
-import { homedir as homedir7, platform, arch } from "os";
-import { join as join9, dirname as dirname6 } from "path";
+import { homedir as homedir8, platform, arch } from "os";
+import { join as join10, dirname as dirname6 } from "path";
 import { get as httpsGet } from "https";
 import { get as httpGet } from "http";
+import { readFileSync as readFileSync8, writeFileSync as writeFileSync7, mkdirSync as mkdirSync10, unlinkSync as unlinkSync5, existsSync as existsSync8 } from "fs";
+import { join as join12 } from "path";
+import { homedir as homedir10 } from "os";
 var EXEC_TIMEOUT_MS = 3e4;
 var ALLOWED_DOMAIN_RE = /^[\w.-]+\.okx\.com$/;
 var DOH_BIN_DIR = join(homedir(), ".okx", "bin");
@@ -898,7 +921,7 @@ function getDohBinaryPath() {
     return process.env.OKX_DOH_BINARY_PATH;
   }
   const ext = process.platform === "win32" ? ".exe" : "";
-  return join(DOH_BIN_DIR, `okx-pilot${ext}`);
+  return join(DOH_BIN_DIR, `okx-doh-resolver${ext}`);
 }
 function execDohBinary(domain, exclude = [], userAgent) {
   if (!ALLOWED_DOMAIN_RE.test(domain)) {
@@ -969,7 +992,7 @@ function classifyAndCache(node, hostname, failedNodes, cachePath) {
   if (!node) {
     return { mode: null, node: null };
   }
-  if (node.ip === hostname && node.host === hostname) {
+  if (node.ip === hostname || node.host === hostname) {
     writeCache(hostname, {
       mode: "direct",
       node: null,
@@ -1201,6 +1224,11 @@ var ConfigError = class extends OkxMcpError {
     super("ConfigError", message, { suggestion });
   }
 };
+var NotLoggedInError = class extends ConfigError {
+  constructor(suggestion = "Run `okx auth login` to authenticate.") {
+    super("Not logged in.", suggestion);
+  }
+};
 var ValidationError = class extends OkxMcpError {
   constructor(message, suggestion) {
     super("ValidationError", message, { suggestion });
@@ -1253,6 +1281,97 @@ function toToolErrorPayload(error, fallbackEndpoint) {
     timestamp: (/* @__PURE__ */ new Date()).toISOString()
   };
 }
+var EXIT_CODES = {
+  SUCCESS: 0,
+  UNAUTHORIZED_CALLER: 1,
+  NOT_LOGGED_IN: 2,
+  REFRESH_FAILED: 3
+};
+var EXEC_TIMEOUT_MS2 = 5e3;
+var AUTH_BIN_DIR = join3(homedir3(), ".okx", "bin");
+function getAuthBinaryPath() {
+  if (process.env.OKX_AUTH_BIN) {
+    return process.env.OKX_AUTH_BIN;
+  }
+  const ext = process.platform === "win32" ? ".exe" : "";
+  return join3(AUTH_BIN_DIR, `okx-auth${ext}`);
+}
+function execAuthToken() {
+  const binPath = getAuthBinaryPath();
+  return new Promise((resolve3, reject) => {
+    const child = spawn(binPath, ["token"], {
+      stdio: ["ignore", "ignore", "inherit", "pipe"]
+      //       stdin    stdout    stderr     fd3 (pipe)
+    });
+    const chunks = [];
+    const fd3 = child.stdio[3];
+    fd3.on("data", (chunk) => chunks.push(chunk));
+    child.on("error", (err) => {
+      reject(new ConfigError(
+        `Failed to spawn okx-auth: ${err.message}`,
+        "Ensure the okx-auth binary exists and is executable."
+      ));
+    });
+    child.on("close", (code) => {
+      if (code === EXIT_CODES.SUCCESS) {
+        const token = Buffer.concat(chunks).toString("utf-8").trim();
+        if (!token) {
+          reject(new AuthenticationError(
+            "okx-auth returned empty token.",
+            "Run `okx auth login` to re-authenticate."
+          ));
+          return;
+        }
+        resolve3(token);
+        return;
+      }
+      if (code === EXIT_CODES.NOT_LOGGED_IN) {
+        reject(new NotLoggedInError());
+        return;
+      }
+      if (code === EXIT_CODES.UNAUTHORIZED_CALLER) {
+        reject(new AuthenticationError(
+          "okx-auth rejected the caller (unauthorized).",
+          "Ensure you are running from a trusted OKX tool."
+        ));
+        return;
+      }
+      if (code === EXIT_CODES.REFRESH_FAILED) {
+        reject(new AuthenticationError(
+          "Token refresh failed.",
+          "Run `okx auth login` to re-authenticate."
+        ));
+        return;
+      }
+      reject(new AuthenticationError(
+        `okx-auth token exited with code ${code}.`,
+        "Run `okx auth login` to re-authenticate."
+      ));
+    });
+  });
+}
+function execAuthStatus() {
+  const binPath = getAuthBinaryPath();
+  return new Promise((resolve3) => {
+    execFile2(
+      binPath,
+      ["status", "--json"],
+      { timeout: EXEC_TIMEOUT_MS2, encoding: "utf-8" },
+      (error, stdout) => {
+        if (error) {
+          resolve3(null);
+          return;
+        }
+        try {
+          const result = JSON.parse(stdout);
+          resolve3(result);
+        } catch {
+          resolve3(null);
+        }
+      }
+    );
+  });
+}
 function sleep(ms) {
   return new Promise((resolve3) => {
     setTimeout(resolve3, ms);
@@ -1331,10 +1450,10 @@ var OKX_CODE_BEHAVIORS = {
   "50011": { retry: true, suggestion: "Rate limited. Back off and retry after a delay." },
   "50061": { retry: true, suggestion: "Too many connections. Reduce request frequency and retry." },
   // Server temporarily unavailable → retryable
-  "50001": { retry: true, suggestion: "Service temporarily unavailable. Retry in a few minutes." },
-  "50004": { retry: true, suggestion: "Endpoint request timeout. Retry later." },
+  "50001": { retry: true, suggestion: "OKX system upgrade in progress. Retry in a few minutes." },
+  "50004": { retry: true, suggestion: "Endpoint temporarily unavailable. Retry later." },
   "50013": { retry: true, suggestion: "System busy. Retry after 1-2 seconds." },
-  "50026": { retry: true, suggestion: "System error. Retry in a few minutes." },
+  "50026": { retry: true, suggestion: "Order book system upgrading. Retry in a few minutes." },
   // Region / compliance restriction → do not retry
   "51155": { retry: false, suggestion: "Feature unavailable in your region (site: {site}). Verify your site setting matches your account registration region. Available sites: global, eea, us. Do not retry." },
   "51734": { retry: false, suggestion: "Feature not supported for your KYC country (site: {site}). Verify your site setting matches your account registration region. Available sites: global, eea, us. Do not retry." },
@@ -1384,6 +1503,7 @@ function maskKey(key) {
   if (key.length <= 8) return "***";
   return `${key.slice(0, 3)}***${key.slice(-3)}`;
 }
+var TOKEN_CACHE_TTL_MS = 6e4;
 function vlog2(message) {
   process.stderr.write(`[verbose] ${message}
 `);
@@ -1392,6 +1512,8 @@ var OkxRestClient = class _OkxRestClient {
   config;
   rateLimiter;
   dispatcher;
+  cachedAccessToken;
+  cachedAccessTokenAt = 0;
   doh;
   constructor(config) {
     this.config = config;
@@ -1406,6 +1528,51 @@ var OkxRestClient = class _OkxRestClient {
       hasCustomProxy: !!config.proxyUrl
     });
   }
+  /**
+   * Resolve OAuth access token via the okx-auth binary (fd3 pipe).
+   * Caches the token for 60 s to avoid spawning the binary on every
+   * request. The binary handles refresh internally (300s TTL lead),
+   * so periodic re-calls let it serve a fresh token when needed.
+   * Returns null when not logged in.
+   */
+  async resolveAccessToken() {
+    if (this.cachedAccessToken && Date.now() - this.cachedAccessTokenAt < TOKEN_CACHE_TTL_MS) {
+      return this.cachedAccessToken;
+    }
+    try {
+      const token = await execAuthToken();
+      this.cachedAccessToken = token;
+      this.cachedAccessTokenAt = Date.now();
+      return token;
+    } catch (e) {
+      if (e instanceof NotLoggedInError) {
+        return null;
+      }
+      throw e;
+    }
+  }
+  /**
+   * Dynamic auth — determines auth method per request.
+   *
+   * 1. API key in config → HMAC signing (no OAuth fallback)
+   * 2. OAuth token via okx-auth binary → Bearer token
+   * 3. Neither → throw ConfigError
+   */
+  async applyAuth(headers, method, requestPath, bodyJson, timestamp) {
+    if (this.config.apiKey && this.config.secretKey && this.config.passphrase) {
+      this.setAuthHeaders(headers, method, requestPath, bodyJson, timestamp);
+      return;
+    }
+    const accessToken = await this.resolveAccessToken();
+    if (accessToken) {
+      headers.set("Authorization", `Bearer ${accessToken}`);
+      return;
+    }
+    throw new ConfigError(
+      "No credentials found.",
+      "Run `okx auth login` to authenticate, or configure API key credentials."
+    );
+  }
   /** The canonical base URL for this client (e.g. https://www.okx.com). */
   get baseUrl() {
     return this.config.baseUrl;
@@ -1463,18 +1630,6 @@ var OkxRestClient = class _OkxRestClient {
     });
   }
   setAuthHeaders(headers, method, requestPath, bodyJson, timestamp) {
-    if (!this.config.hasAuth) {
-      throw new ConfigError(
-        "Private endpoint requires API credentials.",
-        "Configure OKX_API_KEY, OKX_SECRET_KEY and OKX_PASSPHRASE."
-      );
-    }
-    if (!this.config.apiKey || !this.config.secretKey || !this.config.passphrase) {
-      throw new ConfigError(
-        "Invalid private API credentials state.",
-        "Ensure all OKX credentials are set."
-      );
-    }
     const payload = `${timestamp}${method.toUpperCase()}${requestPath}${bodyJson}`;
     const signature = signOkxPayload(payload, this.config.secretKey);
     headers.set("OK-ACCESS-KEY", this.config.apiKey);
@@ -1589,7 +1744,7 @@ var OkxRestClient = class _OkxRestClient {
     const conn = this.doh.getConnectionParams();
     this.logRequest("POST", `${conn.baseUrl}${path42}`, "private");
     const reqConfig = { method: "POST", path: path42, auth: "private" };
-    const headers = this.buildHeaders(reqConfig, path42, bodyJson, getNow());
+    const headers = await this.buildHeaders(reqConfig, path42, bodyJson, getNow());
     if (conn.userAgent) {
       headers.set("User-Agent", conn.userAgent);
     }
@@ -1706,7 +1861,7 @@ var OkxRestClient = class _OkxRestClient {
   // Header building
   // ---------------------------------------------------------------------------
   /** Build HTTP headers. reqConfig.extraHeaders must NOT contain auth keys (OK-ACCESS-*). */
-  buildHeaders(reqConfig, requestPath, bodyJson, timestamp) {
+  async buildHeaders(reqConfig, requestPath, bodyJson, timestamp) {
     const headers = new Headers({
       "Content-Type": "application/json",
       Accept: "application/json"
@@ -1715,7 +1870,7 @@ var OkxRestClient = class _OkxRestClient {
       headers.set("User-Agent", this.config.userAgent);
     }
     if (reqConfig.auth === "private") {
-      this.setAuthHeaders(headers, reqConfig.method, requestPath, bodyJson, timestamp);
+      await this.applyAuth(headers, reqConfig.method, requestPath, bodyJson, timestamp);
     }
     const useSimulated = reqConfig.simulatedTrading !== void 0 ? reqConfig.simulatedTrading : this.config.demo;
     if (useSimulated) {
@@ -1769,7 +1924,7 @@ var OkxRestClient = class _OkxRestClient {
     if (reqConfig.rateLimit) {
       await this.rateLimiter.consume(reqConfig.rateLimit);
     }
-    const headers = this.buildHeaders(reqConfig, requestPath, bodyJson, timestamp);
+    const headers = await this.buildHeaders(reqConfig, requestPath, bodyJson, timestamp);
     if (conn.userAgent) {
       headers.set("User-Agent", conn.userAgent);
     }
@@ -2192,7 +2347,7 @@ var OKX_SITES = {
   },
   us: {
     label: "US",
-    apiBaseUrl: "https://app.okx.com",
+    apiBaseUrl: "https://us.okx.com",
     webUrl: "https://app.okx.com"
   }
 };
@@ -3722,7 +3877,7 @@ function safeWriteFile(targetDir, fileName, data) {
     throw new Error(`Invalid file name: "${fileName}"`);
   }
   const resolvedDir = resolve(targetDir);
-  const filePath = join3(resolvedDir, safeName);
+  const filePath = join4(resolvedDir, safeName);
   const resolvedPath = resolve(filePath);
   if (!resolvedPath.startsWith(resolvedDir + sep)) {
     throw new Error(`Path traversal detected: "${fileName}" resolves outside target directory`);
@@ -3850,7 +4005,7 @@ async function extractSkillZip(zipPath, targetDir, limits) {
   });
 }
 function readMetaJson(contentDir) {
-  const metaPath = join4(contentDir, "_meta.json");
+  const metaPath = join5(contentDir, "_meta.json");
   if (!existsSync(metaPath)) {
     throw new Error(`_meta.json not found in ${contentDir}. Invalid skill package.`);
   }
@@ -3876,12 +4031,12 @@ function readMetaJson(contentDir) {
   };
 }
 function validateSkillMdExists(contentDir) {
-  const skillMdPath = join4(contentDir, "SKILL.md");
+  const skillMdPath = join5(contentDir, "SKILL.md");
   if (!existsSync(skillMdPath)) {
     throw new Error(`SKILL.md not found in ${contentDir}. Invalid skill package.`);
   }
 }
-var DEFAULT_REGISTRY_PATH = join5(homedir3(), ".okx", "skills", "registry.json");
+var DEFAULT_REGISTRY_PATH = join6(homedir4(), ".okx", "skills", "registry.json");
 function readRegistry(registryPath = DEFAULT_REGISTRY_PATH) {
   if (!existsSync2(registryPath)) {
     return { version: 1, skills: {} };
@@ -5219,7 +5374,7 @@ function registerOnchainEarnTools() {
   ];
 }
 var DCD_CODE_BEHAVIORS = {
-  "50001": { retry: true, suggestion: "Service temporarily unavailable. Retry in a few minutes." },
+  "50001": { retry: true, suggestion: "DCD service is down. Retry in a few minutes." },
   "50002": { retry: false, suggestion: "Invalid JSON in request body. This is likely a bug \u2014 check request parameters." },
   "50014": { retry: false, suggestion: "Missing required parameter. Check that all required fields are provided." },
   "50016": { retry: false, suggestion: "notionalCcy does not match productId option type. Use baseCcy for CALL, quoteCcy for PUT." },
@@ -7837,10 +7992,10 @@ var NEWS_DETAIL = "/api/v5/orbit/news-detail";
 var NEWS_DOMAINS = "/api/v5/orbit/news-platform";
 var SENTIMENT_QUERY = "/api/v5/orbit/currency-sentiment-query";
 var SENTIMENT_RANKING = "/api/v5/orbit/currency-sentiment-ranking";
-var NEWS_LANGUAGE = ["en-US", "zh-CN"];
+var NEWS_LANGUAGE = ["en_US", "zh_CN"];
 function langHeader(lang) {
-  if (lang === "zh-CN" || lang === "zh_CN") return { "Accept-Language": "zh-CN" };
-  return { "Accept-Language": "en-US" };
+  const resolved = lang === "zh_CN" ? "zh_CN" : "en_US";
+  return { "Accept-Language": resolved };
 }
 var NEWS_DETAIL_LVL = ["brief", "summary", "full"];
 var NEWS_IMPORTANCE = ["high", "medium", "low"];
@@ -7849,7 +8004,7 @@ var NEWS_SORT = ["latest", "relevant"];
 var SENTIMENT_PERIOD = ["1h", "4h", "24h"];
 var D_COINS_NEWS = 'Comma-separated uppercase ticker symbols (e.g. "BTC,ETH"). Normalize names/aliases to standard tickers.';
 var D_COINS_SENTIMENT = 'Comma-separated uppercase ticker symbols, max 20 (e.g. "BTC,ETH"). Normalize names/aliases to standard tickers.';
-var D_LANGUAGE = "Content language: zh-CN or en-US. Infer from user's message. No server default.";
+var D_LANGUAGE = "Content language: zh_CN or en_US. Infer from user's message. No server default.";
 var D_BEGIN = "Start time, Unix epoch milliseconds. Parse relative time if given (e.g. 'yesterday', 'last 7 days').";
 var D_END = "End time, Unix epoch milliseconds. Parse relative time if given. Omit for no upper bound.";
 var D_IMPORTANCE = "Importance filter: high (server default), medium, low. Omit unless user wants broader coverage.";
@@ -9646,7 +9801,7 @@ function createToolRunner(client, config) {
   };
 }
 function configFilePath() {
-  return join6(homedir4(), ".okx", "config.toml");
+  return join7(homedir5(), ".okx", "config.toml");
 }
 function readFullConfig() {
   const path42 = configFilePath();
@@ -9665,11 +9820,6 @@ Or re-run: okx config init`
     );
   }
 }
-function readTomlProfile(profileName) {
-  const config = readFullConfig();
-  const name = profileName ?? config.default_profile ?? "default";
-  return config.profiles?.[name] ?? {};
-}
 var CONFIG_HEADER = `# OKX Trade Kit Configuration
 # If editing manually, wrap values containing special chars in quotes:
 #   passphrase = 'value'       (if value contains # \\ ")
@@ -9718,18 +9868,24 @@ function parseModuleList(rawModules) {
   }
   return Array.from(deduped);
 }
-function loadCredentials(toml) {
+async function loadCredentials(toml) {
   const apiKey = process.env.OKX_API_KEY?.trim() ?? toml.api_key;
   const secretKey = process.env.OKX_SECRET_KEY?.trim() ?? toml.secret_key;
   const passphrase = process.env.OKX_PASSPHRASE?.trim() ?? toml.passphrase;
-  const hasAuth = Boolean(apiKey && secretKey && passphrase);
+  const hasApiKey = Boolean(apiKey && secretKey && passphrase);
   const partialAuth = Boolean(apiKey) || Boolean(secretKey) || Boolean(passphrase);
-  if (partialAuth && !hasAuth) {
+  if (partialAuth && !hasApiKey) {
     throw new ConfigError(
       "Partial API credentials detected.",
       "Set OKX_API_KEY, OKX_SECRET_KEY and OKX_PASSPHRASE together (env vars or config.toml profile)."
     );
   }
+  let hasOAuth = false;
+  if (!hasApiKey) {
+    const status = await execAuthStatus();
+    hasOAuth = status?.status === "logged_in";
+  }
+  const hasAuth = hasOAuth || hasApiKey;
   return { apiKey, secretKey, passphrase, hasAuth };
 }
 function resolveSite(cliSite, tomlSite) {
@@ -9763,9 +9919,11 @@ function resolveDemo(cli, toml) {
   if (cli.demo === true) return true;
   return process.env.OKX_DEMO === "1" || process.env.OKX_DEMO === "true" || (toml.demo ?? false);
 }
-function loadConfig(cli) {
-  const toml = readTomlProfile(cli.profile);
-  const creds = loadCredentials(toml);
+async function loadConfig(cli) {
+  const config = readFullConfig();
+  const profileName = cli.profile ?? config.default_profile ?? "default";
+  const toml = config.profiles?.[profileName] ?? {};
+  const creds = await loadCredentials(toml);
   const demo = resolveDemo(cli, toml);
   const site = resolveSite(cli.site, toml.site);
   const baseUrl = resolveBaseUrl(site, toml.base_url);
@@ -9785,6 +9943,7 @@ function loadConfig(cli) {
   }
   return {
     ...creds,
+    profile: profileName,
     baseUrl,
     timeoutMs: Math.floor(rawTimeout),
     modules: parseModuleList(cli.modules),
@@ -9797,7 +9956,7 @@ function loadConfig(cli) {
     verbose: cli.verbose ?? false
   };
 }
-var CACHE_FILE = join7(homedir5(), ".okx", "update-check.json");
+var CACHE_FILE = join8(homedir6(), ".okx", "update-check.json");
 var CHECK_INTERVAL_MS = 24 * 60 * 60 * 1e3;
 function readCache2() {
   try {
@@ -9810,7 +9969,7 @@ function readCache2() {
 }
 function writeCache2(cache) {
   try {
-    mkdirSync6(join7(homedir5(), ".okx"), { recursive: true });
+    mkdirSync6(join8(homedir6(), ".okx"), { recursive: true });
     writeFileSync5(CACHE_FILE, JSON.stringify(cache, null, 2), "utf-8");
   } catch {
   }
@@ -9980,13 +10139,13 @@ function findMsStoreClaudePath() {
 }
 function getConfigPath(client) {
   const home = os3.homedir();
-  const platform2 = process.platform;
+  const platform3 = process.platform;
   switch (client) {
     case "claude-desktop":
-      if (platform2 === "win32") {
+      if (platform3 === "win32") {
         return findMsStoreClaudePath() ?? path3.join(appData(), "Claude", CLAUDE_CONFIG_FILE);
       }
-      if (platform2 === "darwin") {
+      if (platform3 === "darwin") {
         return path3.join(home, "Library", "Application Support", "Claude", CLAUDE_CONFIG_FILE);
       }
       return path3.join(process.env.XDG_CONFIG_HOME ?? path3.join(home, ".config"), "Claude", CLAUDE_CONFIG_FILE);
@@ -10107,7 +10266,7 @@ function getPlatformDir() {
   return map[`${p}-${a}`] ?? null;
 }
 function getBinaryName() {
-  return platform() === "win32" ? "okx-pilot.exe" : "okx-pilot";
+  return platform() === "win32" ? "okx-doh-resolver.exe" : "okx-doh-resolver";
 }
 function hashFile(filePath) {
   const buf = readFileSync7(filePath);
@@ -10228,7 +10387,7 @@ async function installDohBinary(destPath, sources = CDN_SOURCES, onProgress) {
   if (earlyResult) return earlyResult;
   const platformDir = getPlatformDir();
   const binaryName = getBinaryName();
-  const resolvedDest = destPath ?? join9(homedir7(), ".okx", "bin", binaryName);
+  const resolvedDest = destPath ?? join10(homedir8(), ".okx", "bin", binaryName);
   const tmpPath = resolvedDest + ".tmp";
   mkdirSync8(dirname6(resolvedDest), { recursive: true });
   const localHash = existsSync6(resolvedDest) ? hashFile(resolvedDest) : null;
@@ -10351,16 +10510,276 @@ function downloadText(url, timeoutMs) {
     })
   );
 }
+var AUTH_CDN_PATH_PREFIX = "/upgradeapp/tools/oauth";
+function getAuthBinaryName() {
+  return platform2() === "win32" ? "okx-auth.exe" : "okx-auth";
+}
+function getAuthStatus(binaryPath, opts) {
+  const resolvedPath = binaryPath ?? getAuthBinaryPath();
+  const platformDir = getPlatformDir();
+  if (!existsSync7(resolvedPath)) {
+    return { binaryPath: resolvedPath, exists: false, platform: platformDir };
+  }
+  if (opts?.skipHash) {
+    return { binaryPath: resolvedPath, exists: true, platform: platformDir };
+  }
+  const { size, sha256 } = hashFile(resolvedPath);
+  return { binaryPath: resolvedPath, exists: true, platform: platformDir, fileSize: size, sha256 };
+}
+async function fetchAuthCdnChecksum(sources = CDN_SOURCES, timeoutMs = DOWNLOAD_TIMEOUT_MS) {
+  const platformDir = getPlatformDir();
+  if (!platformDir) return null;
+  const checksumPath = `${AUTH_CDN_PATH_PREFIX}/${platformDir}/checksum.json`;
+  for (const { host, protocol } of sources) {
+    try {
+      const url = `${protocol}://${host}${checksumPath}`;
+      const raw = await downloadText2(url, timeoutMs);
+      const data = JSON.parse(raw);
+      if (typeof data.sha256 !== "string" || typeof data.size !== "number" || typeof data.target !== "string") {
+        continue;
+      }
+      return { sha256: data.sha256, size: data.size, target: data.target, source: host };
+    } catch {
+    }
+  }
+  return null;
+}
+async function fetchAndValidateChecksum2(host, protocol, checksumPath, platformDir, timeoutMs, onProgress) {
+  const checksumUrl = `${protocol}://${host}${checksumPath}`;
+  onProgress?.(`Fetching checksum from ${host}...`);
+  const raw = await downloadText2(checksumUrl, timeoutMs);
+  const checksum = JSON.parse(raw);
+  if (typeof checksum.sha256 !== "string" || typeof checksum.size !== "number" || typeof checksum.target !== "string") {
+    throw new Error("Invalid checksum.json: missing sha256, size, or target");
+  }
+  if (checksum.target !== platformDir) {
+    throw new Error(`Target mismatch: expected ${platformDir}, got ${checksum.target}`);
+  }
+  return { sha256: checksum.sha256, size: checksum.size, target: checksum.target };
+}
+async function downloadAndVerify2(host, protocol, binaryPath, tmpPath, checksum, timeoutMs, onProgress) {
+  const binaryUrl = `${protocol}://${host}${binaryPath}`;
+  onProgress?.(`Downloading binary from ${host}...`);
+  await download2(binaryUrl, tmpPath, timeoutMs);
+  const actual = hashFile(tmpPath);
+  if (actual.size !== checksum.size) {
+    throw new Error(`Size mismatch: expected ${checksum.size}, got ${actual.size}`);
+  }
+  if (actual.sha256 !== checksum.sha256) {
+    throw new Error(`SHA-256 mismatch: expected ${checksum.sha256}, got ${actual.sha256}`);
+  }
+}
+function atomicReplace2(tmpPath, resolvedDest) {
+  if (platform2() === "win32") {
+    try {
+      unlinkSync4(resolvedDest);
+    } catch {
+    }
+  }
+  renameSync4(tmpPath, resolvedDest);
+  if (platform2() !== "win32") {
+    chmodSync2(resolvedDest, 493);
+  }
+}
+function installPreChecks2(destPath, sources) {
+  if (!destPath && process.env.OKX_AUTH_BIN) {
+    return { status: "up-to-date", source: "(env override)" };
+  }
+  if (!getPlatformDir()) {
+    return { status: "failed", error: "Unsupported platform" };
+  }
+  if (sources.length === 0) {
+    return { status: "failed", error: "No CDN sources available" };
+  }
+  return null;
+}
+function isLocalUpToDate2(localHash, checksum) {
+  return localHash !== null && localHash.size === checksum.size && localHash.sha256 === checksum.sha256;
+}
+async function installAuthBinary(destPath, sources = CDN_SOURCES, onProgress) {
+  const earlyResult = installPreChecks2(destPath, sources);
+  if (earlyResult) return earlyResult;
+  const platformDir = getPlatformDir();
+  const binaryName = getAuthBinaryName();
+  const resolvedDest = destPath ?? join11(homedir9(), ".okx", "bin", binaryName);
+  const tmpPath = resolvedDest + ".tmp";
+  mkdirSync9(dirname7(resolvedDest), { recursive: true });
+  const localHash = existsSync7(resolvedDest) ? hashFile(resolvedDest) : null;
+  const checksumPath = `${AUTH_CDN_PATH_PREFIX}/${platformDir}/checksum.json`;
+  const binaryPath = `${AUTH_CDN_PATH_PREFIX}/${platformDir}/${binaryName}`;
+  const errors = [];
+  for (const { host, protocol } of sources) {
+    try {
+      const checksum = await fetchAndValidateChecksum2(
+        host,
+        protocol,
+        checksumPath,
+        platformDir,
+        DOWNLOAD_TIMEOUT_MS,
+        onProgress
+      );
+      if (isLocalUpToDate2(localHash, checksum)) {
+        onProgress?.("Already up to date (checksum match)");
+        return { status: "up-to-date", source: host };
+      }
+      await downloadAndVerify2(host, protocol, binaryPath, tmpPath, checksum, DOWNLOAD_TIMEOUT_MS, onProgress);
+      atomicReplace2(tmpPath, resolvedDest);
+      onProgress?.(`Downloaded and verified from ${host}`);
+      return { status: "installed", source: host };
+    } catch (err) {
+      try {
+        unlinkSync4(tmpPath);
+      } catch {
+      }
+      const msg = err instanceof Error ? err.message : String(err);
+      errors.push(`${host}: ${msg}`);
+      onProgress?.(`${host} failed: ${msg}`);
+    }
+  }
+  return { status: "failed", error: `All CDN sources failed:
+${errors.join("\n")}` };
+}
+function removeAuthBinary(binaryPath) {
+  const resolvedPath = binaryPath ?? getAuthBinaryPath();
+  try {
+    unlinkSync4(resolvedPath);
+    return { status: "removed" };
+  } catch (err) {
+    if (err.code === "ENOENT") {
+      return { status: "not-found" };
+    }
+    const msg = err instanceof Error ? err.message : String(err);
+    throw new Error(`Failed to remove ${resolvedPath}: ${msg}`);
+  }
+}
+function isRedirect2(statusCode) {
+  return statusCode !== void 0 && statusCode >= 300 && statusCode < 400;
+}
+function validateRedirect2(res, requestUrl, redirectCount, maxRedirects) {
+  if (redirectCount > maxRedirects) {
+    throw new Error(`Too many redirects (${maxRedirects})`);
+  }
+  const location = res.headers.location;
+  if (requestUrl.startsWith("https") && !location.startsWith("https")) {
+    throw new Error("Refused HTTPS \u2192 HTTP redirect downgrade");
+  }
+  return location;
+}
+function fetchResponse2(url, timeoutMs) {
+  return new Promise((resolve3, reject) => {
+    let redirects = 0;
+    const maxRedirects = 5;
+    function doRequest(requestUrl) {
+      const reqFn = requestUrl.startsWith("https") ? httpsGet2 : httpGet2;
+      const req = reqFn(requestUrl, { timeout: timeoutMs }, (res) => {
+        if (isRedirect2(res.statusCode) && res.headers.location) {
+          redirects++;
+          try {
+            const location = validateRedirect2(res, requestUrl, redirects, maxRedirects);
+            res.resume();
+            doRequest(location);
+          } catch (err) {
+            reject(err);
+          }
+          return;
+        }
+        if (res.statusCode !== 200) {
+          reject(new Error(`HTTP ${res.statusCode ?? "unknown"}`));
+          return;
+        }
+        resolve3(res);
+      });
+      req.on("error", reject);
+      req.on("timeout", () => {
+        req.destroy();
+        reject(new Error("Download timed out"));
+      });
+    }
+    doRequest(url);
+  });
+}
+function download2(url, destPath, timeoutMs) {
+  return fetchResponse2(url, timeoutMs).then(
+    (res) => new Promise((resolve3, reject) => {
+      const file = createWriteStream3(destPath);
+      res.pipe(file);
+      file.on("finish", () => file.close(() => resolve3()));
+      file.on("error", (err) => {
+        try {
+          unlinkSync4(destPath);
+        } catch {
+        }
+        reject(err);
+      });
+    })
+  );
+}
+function downloadText2(url, timeoutMs) {
+  return fetchResponse2(url, timeoutMs).then(
+    (res) => new Promise((resolve3, reject) => {
+      const chunks = [];
+      res.on("data", (chunk) => chunks.push(chunk));
+      res.on("end", () => resolve3(Buffer.concat(chunks).toString("utf8")));
+      res.on("error", reject);
+    })
+  );
+}
+var CACHE_PATH = join12(homedir10(), ".okx", "auth-binary-check.json");
+var CHECK_INTERVAL_MS2 = 2 * 60 * 60 * 1e3;
+function readCache3() {
+  try {
+    if (!existsSync8(CACHE_PATH)) return null;
+    const data = JSON.parse(readFileSync8(CACHE_PATH, "utf-8"));
+    if (typeof data.cdnSha256 !== "string" || typeof data.checkedAt !== "number") return null;
+    return { cdnSha256: data.cdnSha256, checkedAt: data.checkedAt };
+  } catch {
+    return null;
+  }
+}
+function writeCache3(cdnSha256) {
+  try {
+    mkdirSync10(join12(homedir10(), ".okx"), { recursive: true });
+    writeFileSync7(CACHE_PATH, JSON.stringify({ cdnSha256, checkedAt: Date.now() }, null, 2), "utf-8");
+  } catch {
+  }
+}
+async function ensureAuthBinaryLatest(onProgress) {
+  if (process.env.OKX_AUTH_BIN) return;
+  const cache = readCache3();
+  if (cache && Date.now() - cache.checkedAt < CHECK_INTERVAL_MS2) return;
+  try {
+    const cdn = await fetchAuthCdnChecksum(void 0, 5e3);
+    if (!cdn) return;
+    const local = getAuthStatus();
+    if (local.exists && local.sha256 === cdn.sha256) {
+      writeCache3(cdn.sha256);
+      return;
+    }
+    onProgress?.("Updating okx-auth binary...");
+    const result = await installAuthBinary(void 0, void 0, onProgress);
+    if (result.status === "installed" || result.status === "up-to-date") {
+      const updated = getAuthStatus();
+      if (updated.sha256) writeCache3(updated.sha256);
+      if (result.status === "installed") {
+        onProgress?.("\u2713 okx-auth updated successfully");
+      }
+    }
+  } catch {
+  }
+}
+function updateAuthBinaryCache(sha256) {
+  writeCache3(sha256);
+}
+function clearAuthBinaryCache() {
+  try {
+    unlinkSync5(CACHE_PATH);
+  } catch {
+  }
+}
 
-// src/commands/diagnose.ts
-import dns from "dns/promises";
-import net from "net";
-import os5 from "os";
-import tls from "tls";
-
-// src/commands/diagnose-utils.ts
-import fs4 from "fs";
-import { createRequire } from "module";
+// src/commands/auth.ts
+import { spawn as spawn2 } from "child_process";
+import readline from "readline";
 
 // src/formatter.ts
 import { EOL } from "os";
@@ -10451,7 +10870,260 @@ function markFailedIfSCodeError(data) {
   }
 }
 
+// src/commands/auth.ts
+function runOkxAuth(args) {
+  const binPath = getAuthBinaryPath();
+  return new Promise((resolve3, reject) => {
+    const child = spawn2(binPath, args, {
+      stdio: "inherit"
+    });
+    child.on("error", (err) => {
+      reject(new Error(`Failed to spawn okx-auth: ${err.message}`));
+    });
+    child.on("close", (code) => {
+      resolve3(code ?? 1);
+    });
+  });
+}
+function runOkxAuthCapture(args) {
+  const binPath = getAuthBinaryPath();
+  return new Promise((resolve3, reject) => {
+    const child = spawn2(binPath, args, {
+      stdio: ["inherit", "pipe", "inherit"]
+    });
+    const chunks = [];
+    child.stdout.on("data", (chunk) => chunks.push(chunk));
+    child.on("error", (err) => {
+      reject(new Error(`Failed to spawn okx-auth: ${err.message}`));
+    });
+    child.on("close", (code) => {
+      resolve3({
+        code: code ?? 1,
+        stdout: Buffer.concat(chunks).toString("utf-8")
+      });
+    });
+  });
+}
+async function cmdAuthLogin(args) {
+  const cliArgs = ["login"];
+  if (args.site) cliArgs.push("--site", args.site);
+  if (args.manual) cliArgs.push("--manual");
+  const code = await runOkxAuth(cliArgs);
+  if (code !== 0) {
+    process.exitCode = code;
+  }
+}
+async function cmdAuthLogout() {
+  const code = await runOkxAuth(["logout"]);
+  if (code !== 0) {
+    process.exitCode = code;
+  }
+}
+async function cmdAuthStatus(args) {
+  const cliArgs = ["status"];
+  if (args.json) cliArgs.push("--json");
+  const result = await runOkxAuthCapture(cliArgs);
+  if (result.stdout) {
+    process.stdout.write(result.stdout);
+  }
+  if (result.code !== 0) {
+    process.exitCode = result.code;
+  }
+}
+function resolveChecksumMatch(local, cdnChecksum, cdnError) {
+  if (!local.exists) return "not-installed";
+  if (cdnError || !cdnChecksum) return "unavailable";
+  if (cdnChecksum.sha256 === local.sha256) return "match";
+  return "mismatch";
+}
+function checksumMatchLabel(match) {
+  if (match === "match") return "\u2713 match";
+  if (match === "mismatch") return "\u2717 mismatch (update available)";
+  return "CDN unreachable";
+}
+function formatBytes(bytes) {
+  if (bytes < 1024) return `${bytes} B`;
+  if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`;
+  return `${(bytes / (1024 * 1024)).toFixed(2)} MB`;
+}
+async function cmdAuthInstallStatus(json) {
+  const local = getAuthStatus();
+  let cdnChecksum = null;
+  let cdnError = null;
+  if (local.exists) {
+    try {
+      cdnChecksum = await fetchAuthCdnChecksum(void 0, 5e3);
+    } catch (err) {
+      cdnError = err instanceof Error ? err.message : String(err);
+    }
+  }
+  const checksumMatch = resolveChecksumMatch(local, cdnChecksum, cdnError);
+  if (json) {
+    outputLine(
+      JSON.stringify({
+        binaryPath: local.binaryPath,
+        exists: local.exists,
+        platform: local.platform,
+        fileSize: local.fileSize ?? null,
+        sha256: local.sha256 ?? null,
+        cdnMatch: checksumMatch,
+        cdnSha256: cdnChecksum?.sha256 ?? null,
+        cdnSource: cdnChecksum?.source ?? null
+      })
+    );
+    return;
+  }
+  outputLine("");
+  outputLine("  okx-auth Binary Status");
+  outputLine("  " + "\u2500".repeat(40));
+  outputLine(`  Binary path : ${local.binaryPath}`);
+  outputLine(`  Installed   : ${local.exists ? "yes" : "no"}`);
+  outputLine(`  Platform    : ${local.platform ?? "(unsupported)"}`);
+  if (local.exists) {
+    outputLine(`  File size   : ${formatBytes(local.fileSize)}`);
+    outputLine(`  SHA-256     : ${local.sha256 ?? "(unknown)"}`);
+    outputLine(`  CDN check   : ${checksumMatchLabel(checksumMatch)}`);
+    if (cdnChecksum) {
+      outputLine(`  CDN source  : ${cdnChecksum.source}`);
+    }
+  }
+  outputLine("");
+}
+async function cmdAuthInstall(json) {
+  const messages2 = [];
+  const onProgress = (msg) => {
+    if (!json) {
+      outputLine(`  ${msg}`);
+    }
+    messages2.push(msg);
+  };
+  if (!json) {
+    outputLine("");
+    outputLine("  Installing okx-auth...");
+  }
+  const result = await installAuthBinary(void 0, void 0, onProgress);
+  if (json) {
+    outputLine(JSON.stringify({ status: result.status, source: result.source ?? null, error: result.error ?? null, messages: messages2 }));
+    if (result.status === "failed") {
+      process.exitCode = 1;
+    }
+    return;
+  }
+  if (result.status === "installed" || result.status === "up-to-date") {
+    const local = getAuthStatus();
+    if (local.sha256) updateAuthBinaryCache(local.sha256);
+  }
+  if (result.status === "installed") {
+    outputLine(`  \u2713 okx-auth installed successfully (${result.source ?? ""})`);
+  } else if (result.status === "up-to-date") {
+    outputLine("  \u2713 okx-auth is already up to date");
+  } else {
+    errorLine(`  \u2717 Installation failed: ${result.error ?? "unknown error"}`);
+    errorLine("  Hint: check network connectivity or try again later");
+    process.exitCode = 1;
+  }
+  outputLine("");
+}
+async function cmdAuthRemove(force, json) {
+  const local = getAuthStatus(void 0, { skipHash: true });
+  if (!local.exists) {
+    if (json) {
+      outputLine(JSON.stringify({ status: "not-installed" }));
+    } else {
+      outputLine("  okx-auth is not installed.");
+    }
+    return;
+  }
+  if (!await confirmRemoval(force, local.binaryPath)) return;
+  let result;
+  try {
+    result = removeAuthBinary();
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (json) {
+      outputLine(JSON.stringify({ status: "failed", error: msg }));
+    } else {
+      errorLine(`  \u2717 Failed to remove: ${msg}`);
+    }
+    process.exitCode = 1;
+    return;
+  }
+  if (json) {
+    outputLine(JSON.stringify({ status: result.status, path: local.binaryPath }));
+    return;
+  }
+  if (result.status === "removed") {
+    clearAuthBinaryCache();
+    outputLine(`  \u2713 Removed: ${local.binaryPath}`);
+  } else {
+    outputLine("  okx-auth is not installed.");
+  }
+}
+async function confirmRemoval(force, binaryPath) {
+  if (force) return true;
+  if (!process.stdin.isTTY) {
+    errorLine("  Error: stdin is not a TTY. Use --force to skip confirmation.");
+    process.exitCode = 1;
+    return false;
+  }
+  const confirmed = await askConfirmation(
+    `  Remove okx-auth at ${binaryPath}? [y/N] `
+  );
+  if (!confirmed) {
+    outputLine("  Cancelled.");
+    return false;
+  }
+  return true;
+}
+function askConfirmation(prompt2) {
+  return new Promise((resolve3) => {
+    const rl = readline.createInterface({
+      input: process.stdin,
+      output: process.stdout
+    });
+    rl.question(prompt2, (answer) => {
+      rl.close();
+      resolve3(answer.trim().toLowerCase() === "y");
+    });
+  });
+}
+async function handleAuthCommand(action, _rest, v) {
+  const site = v.site;
+  const json = v.json;
+  const manual = v.manual;
+  const force = v.force;
+  if (["login", "logout", "status"].includes(action)) {
+    await ensureAuthBinaryLatest((msg) => errorLine(`  ${msg}`));
+  }
+  switch (action) {
+    case "login":
+      return cmdAuthLogin({ site, manual });
+    case "logout":
+      return cmdAuthLogout();
+    case "status":
+      return cmdAuthStatus({ json });
+    case "install":
+      return cmdAuthInstall(json ?? false);
+    case "install-status":
+      return cmdAuthInstallStatus(json ?? false);
+    case "remove":
+      return cmdAuthRemove(force ?? false, json ?? false);
+    default:
+      errorLine(`Unknown auth command: ${action}`);
+      errorLine("Available: login, logout, status, install, install-status, remove");
+      process.exitCode = 1;
+  }
+}
+
+// src/commands/diagnose.ts
+import dns from "dns/promises";
+import net from "net";
+import os5 from "os";
+import tls from "tls";
+
 // src/commands/diagnose-utils.ts
+import fs4 from "fs";
+import { createRequire } from "module";
 var _require = createRequire(import.meta.url);
 function readCliVersion() {
   for (const rel of ["../package.json", "../../package.json"]) {
@@ -10537,7 +11209,7 @@ function sanitize2(value) {
 import fs5 from "fs";
 import path4 from "path";
 import os4 from "os";
-import { spawnSync, spawn } from "child_process";
+import { spawnSync, spawn as spawn3 } from "child_process";
 import { createRequire as createRequire2 } from "module";
 import { fileURLToPath } from "url";
 var _require2 = createRequire2(import.meta.url);
@@ -10871,7 +11543,7 @@ async function checkStdioHandshake(entryPath, report) {
       clearTimeout(timer);
       resolve3(passed);
     };
-    const child = spawn(process.execPath, [entryPath], {
+    const child = spawn3(process.execPath, [entryPath], {
       stdio: ["pipe", "pipe", "pipe"],
       env: { ...process.env }
     });
@@ -10990,7 +11662,7 @@ async function cmdDiagnoseMcp(options = {}) {
 
 // src/commands/diagnose.ts
 var CLI_VERSION = readCliVersion();
-var GIT_HASH = true ? "245ab4e" : "dev";
+var GIT_HASH = true ? "17e06f4" : "dev";
 function maskKey2(key) {
   if (!key) return "(not set)";
   if (key.length <= 8) return "****";
@@ -11326,24 +11998,24 @@ async function runCliChecks(config, profile, outputPath) {
 
 // src/commands/upgrade.ts
 import { spawnSync as spawnSync2 } from "child_process";
-import { readFileSync as readFileSync8, writeFileSync as writeFileSync7, mkdirSync as mkdirSync9 } from "fs";
-import { dirname as dirname7, join as join10 } from "path";
-import { homedir as homedir8 } from "os";
+import { readFileSync as readFileSync9, writeFileSync as writeFileSync8, mkdirSync as mkdirSync11 } from "fs";
+import { dirname as dirname8, join as join13 } from "path";
+import { homedir as homedir11 } from "os";
 var PACKAGES = ["@okx_ai/okx-trade-mcp", "@okx_ai/okx-trade-cli"];
-var CACHE_FILE2 = join10(homedir8(), ".okx", "last_check");
+var CACHE_FILE2 = join13(homedir11(), ".okx", "last_check");
 var THROTTLE_MS = 12 * 60 * 60 * 1e3;
-var NPM_BIN = join10(dirname7(process.execPath), process.platform === "win32" ? "npm.cmd" : "npm");
+var NPM_BIN = join13(dirname8(process.execPath), process.platform === "win32" ? "npm.cmd" : "npm");
 function readLastCheck() {
   try {
-    return parseInt(readFileSync8(CACHE_FILE2, "utf-8").trim(), 10) || 0;
+    return parseInt(readFileSync9(CACHE_FILE2, "utf-8").trim(), 10) || 0;
   } catch {
     return 0;
   }
 }
 function writeLastCheck() {
   try {
-    mkdirSync9(join10(homedir8(), ".okx"), { recursive: true });
-    writeFileSync7(CACHE_FILE2, String(Math.floor(Date.now() / 1e3)), "utf-8");
+    mkdirSync11(join13(homedir11(), ".okx"), { recursive: true });
+    writeFileSync8(CACHE_FILE2, String(Math.floor(Date.now() / 1e3)), "utf-8");
   } catch {
   }
 }
@@ -12314,24 +12986,24 @@ var CLI_REGISTRY = {
     commands: {
       latest: {
         toolName: "news_get_latest",
-        usage: "okx news latest [--coins BTC,ETH] [--lang zh-CN] [--limit 20]"
+        usage: "okx news latest [--coins BTC,ETH] [--lang zh_CN] [--limit 20]"
       },
       important: {
         toolName: "news_get_latest",
-        usage: "okx news important [--coins BTC,ETH] [--lang zh-CN] [--limit 20]",
+        usage: "okx news important [--coins BTC,ETH] [--lang zh_CN] [--limit 20]",
         description: "Get important/high-impact crypto news"
       },
       "by-coin": {
         toolName: "news_get_by_coin",
-        usage: "okx news by-coin --coins BTC [--importance high] [--lang zh-CN]"
+        usage: "okx news by-coin --coins BTC [--importance high] [--lang zh_CN]"
       },
       search: {
         toolName: "news_search",
-        usage: "okx news search --keyword <term> [--coins BTC] [--sentiment bullish] [--lang zh-CN]"
+        usage: "okx news search --keyword <term> [--coins BTC] [--sentiment bullish] [--lang zh_CN]"
       },
       detail: {
         toolName: "news_get_detail",
-        usage: "okx news detail <id> [--lang zh-CN]"
+        usage: "okx news detail <id> [--lang zh_CN]"
       },
       domains: {
         toolName: "news_get_domains",
@@ -12763,7 +13435,7 @@ async function cmdNewsSentimentRank(run, opts) {
 }
 
 // src/config/loader.ts
-function loadProfileConfig(opts) {
+async function loadProfileConfig(opts) {
   return loadConfig({
     profile: opts.profile,
     modules: opts.modules,
@@ -13081,6 +13753,9 @@ var CLI_OPTIONS = {
   dir: { type: "string" },
   page: { type: "string" },
   format: { type: "string" },
+  // auth
+  site: { type: "string" },
+  manual: { type: "boolean", default: false },
   // event contract
   underlying: { type: "string" },
   seriesId: { type: "string" },
@@ -16095,14 +16770,14 @@ async function cmdDcdQuoteAndBuy(run, opts) {
 }
 
 // src/commands/skill.ts
-import { tmpdir, homedir as homedir10 } from "os";
-import { join as join12, dirname as dirname8 } from "path";
-import { mkdirSync as mkdirSync10, rmSync, existsSync as existsSync8, copyFileSync as copyFileSync2 } from "fs";
+import { tmpdir, homedir as homedir13 } from "os";
+import { join as join15, dirname as dirname9 } from "path";
+import { mkdirSync as mkdirSync12, rmSync, existsSync as existsSync10, copyFileSync as copyFileSync2 } from "fs";
 import { execFileSync as execFileSync2 } from "child_process";
 import { randomUUID as randomUUID2 } from "crypto";
 function resolveNpx() {
-  const sibling = join12(dirname8(process.execPath), "npx");
-  if (existsSync8(sibling)) return sibling;
+  const sibling = join15(dirname9(process.execPath), "npx");
+  if (existsSync10(sibling)) return sibling;
   return "npx";
 }
 var THIRD_PARTY_INSTALL_NOTICE = "Note: This skill was created by a third-party developer, not by OKX. Review SKILL.md before use.";
@@ -16155,13 +16830,13 @@ async function cmdSkillCategories(run, json) {
   outputLine("");
 }
 async function cmdSkillAdd(name, config, json) {
-  const tmpBase = join12(tmpdir(), `okx-skill-${randomUUID2()}`);
-  mkdirSync10(tmpBase, { recursive: true });
+  const tmpBase = join15(tmpdir(), `okx-skill-${randomUUID2()}`);
+  mkdirSync12(tmpBase, { recursive: true });
   try {
     outputLine(`Downloading ${name}...`);
     const client = new OkxRestClient(config);
     const zipPath = await downloadSkillZip(client, name, tmpBase);
-    const contentDir = await extractSkillZip(zipPath, join12(tmpBase, "content"));
+    const contentDir = await extractSkillZip(zipPath, join15(tmpBase, "content"));
     const meta = readMetaJson(contentDir);
     validateSkillMdExists(contentDir);
     outputLine("Installing to detected agents...");
@@ -16171,7 +16846,7 @@ async function cmdSkillAdd(name, config, json) {
         timeout: 6e4
       });
     } catch (e) {
-      const savedZip = join12(process.cwd(), `${name}.zip`);
+      const savedZip = join15(process.cwd(), `${name}.zip`);
       try {
         copyFileSync2(zipPath, savedZip);
       } catch {
@@ -16210,7 +16885,7 @@ function cmdSkillRemove(name, json) {
       timeout: 6e4
     });
   } catch {
-    const agentsPath = join12(homedir10(), ".agents", "skills", name);
+    const agentsPath = join15(homedir13(), ".agents", "skills", name);
     try {
       rmSync(agentsPath, { recursive: true, force: true });
     } catch {
@@ -16284,14 +16959,14 @@ function printSkillInstallResult(meta, json) {
 }
 
 // src/commands/doh.ts
-import readline from "readline";
-function resolveChecksumMatch(local, cdnChecksum, cdnError) {
+import readline2 from "readline";
+function resolveChecksumMatch2(local, cdnChecksum, cdnError) {
   if (!local.exists) return "not-installed";
   if (cdnError || !cdnChecksum) return "unavailable";
   if (cdnChecksum.sha256 === local.sha256) return "match";
   return "mismatch";
 }
-function checksumMatchLabel(match) {
+function checksumMatchLabel2(match) {
   if (match === "match") return "\u2713 match";
   if (match === "mismatch") return "\u2717 mismatch (update available)";
   return "CDN unreachable";
@@ -16304,9 +16979,9 @@ function formatStatusText(local, checksumMatch, cdnChecksum, runtimeMode) {
   outputLine(`  Installed   : ${local.exists ? "yes" : "no"}`);
   outputLine(`  Platform    : ${local.platform ?? "(unsupported)"}`);
   if (local.exists) {
-    outputLine(`  File size   : ${formatBytes(local.fileSize)}`);
+    outputLine(`  File size   : ${formatBytes2(local.fileSize)}`);
     outputLine(`  SHA-256     : ${local.sha256 ?? "(unknown)"}`);
-    outputLine(`  CDN check   : ${checksumMatchLabel(checksumMatch)}`);
+    outputLine(`  CDN check   : ${checksumMatchLabel2(checksumMatch)}`);
     if (cdnChecksum) {
       outputLine(`  CDN source  : ${cdnChecksum.source}`);
     }
@@ -16333,7 +17008,7 @@ async function cmdDohStatus(json, binaryPath) {
       cdnError = err instanceof Error ? err.message : String(err);
     }
   }
-  const checksumMatch = resolveChecksumMatch(local, cdnChecksum, cdnError);
+  const checksumMatch = resolveChecksumMatch2(local, cdnChecksum, cdnError);
   if (json) {
     outputLine(
       JSON.stringify({
@@ -16399,7 +17074,7 @@ async function cmdDohRemove(force, json, binaryPath) {
       process.exitCode = 1;
       return;
     }
-    const confirmed = await askConfirmation(
+    const confirmed = await askConfirmation2(
       `  Remove DoH resolver at ${local.binaryPath}? [y/N] `
     );
     if (!confirmed) {
@@ -16418,14 +17093,14 @@ async function cmdDohRemove(force, json, binaryPath) {
     outputLine("  DoH resolver is not installed.");
   }
 }
-function formatBytes(bytes) {
+function formatBytes2(bytes) {
   if (bytes < 1024) return `${bytes} B`;
   if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`;
   return `${(bytes / (1024 * 1024)).toFixed(2)} MB`;
 }
-function askConfirmation(prompt2) {
+function askConfirmation2(prompt2) {
   return new Promise((resolve3) => {
-    const rl = readline.createInterface({
+    const rl = readline2.createInterface({
       input: process.stdin,
       output: process.stdout
     });
@@ -16882,7 +17557,7 @@ async function cmdEventCancel(run, opts) {
 // src/index.ts
 var _require3 = createRequire3(import.meta.url);
 var CLI_VERSION2 = _require3("../package.json").version;
-var GIT_HASH2 = true ? "245ab4e" : "dev";
+var GIT_HASH2 = true ? "17e06f4" : "dev";
 function handleDohCommand(action, json, force, binaryPath) {
   if (action === "status") return cmdDohStatus(json, binaryPath);
   if (action === "install") return cmdDohInstall(json, binaryPath);
@@ -17726,7 +18401,7 @@ function handleNewsCommand(run, action, rest, v, json) {
   const limit = v.limit !== void 0 ? Number(v.limit) : void 0;
   const begin = v.begin !== void 0 ? Number(v.begin) : void 0;
   const end = v.end !== void 0 ? Number(v.end) : void 0;
-  const language = v.lang ?? "en-US";
+  const language = v.lang ?? "en_US";
   const detailLvl = v["detail-lvl"];
   const after = v.after;
   const period = v.period;
@@ -17857,7 +18532,7 @@ function wrapRunnerWithLogger(baseRunner, logger, verbose = false) {
 async function runDiagnose(v) {
   let config;
   try {
-    config = loadProfileConfig({ profile: v.profile, demo: v.demo, live: v.live, verbose: v.verbose, userAgent: `okx-trade-cli/${CLI_VERSION2}`, sourceTag: "CLI" });
+    config = await loadProfileConfig({ profile: v.profile, demo: v.demo, live: v.live, verbose: v.verbose, userAgent: `okx-trade-cli/${CLI_VERSION2}`, sourceTag: "CLI" });
   } catch {
   }
   return cmdDiagnose(config, v.profile ?? "default", { mcp: v.mcp, cli: v.cli, all: v.all, output: v.output });
@@ -17872,24 +18547,13 @@ function printVersion() {
   }
 }
 function routeManagementCommand(module, action, rest, json, v) {
-  if (module === "config") {
-    const r = handleConfigCommand(action, rest, json, v.lang, v.force);
-    return r ?? true;
-  }
-  if (module === "setup") {
-    handleSetupCommand(v);
-    return true;
-  }
+  if (module === "config") return handleConfigCommand(action, rest, json, v.lang, v.force);
+  if (module === "setup") return handleSetupCommand(v);
+  if (module === "auth") return handleAuthCommand(action, rest, v);
   if (module === "upgrade") return cmdUpgrade(CLI_VERSION2, { beta: v.beta, check: v.check, force: v.force }, json);
-  if (module === "doh") {
-    const r = handleDohCommand(action, json, v.force ?? false);
-    return r ?? true;
-  }
+  if (module === "doh") return handleDohCommand(action, json, v.force ?? false);
   if (module === "diagnose") return runDiagnose(v);
-  if (module === "list-tools") {
-    cmdListTools(json);
-    return true;
-  }
+  if (module === "list-tools") return cmdListTools(json);
   return void 0;
 }
 async function main() {
@@ -17911,8 +18575,8 @@ async function main() {
   const v = values;
   const json = v.json ?? false;
   const mgmt = routeManagementCommand(module, action, rest, json, v);
-  if (mgmt !== void 0) return mgmt === true ? void 0 : mgmt;
-  const config = loadProfileConfig({ profile: v.profile, demo: v.demo, live: v.live, verbose: v.verbose, userAgent: `okx-trade-cli/${CLI_VERSION2}`, sourceTag: "CLI" });
+  if (mgmt) return mgmt;
+  const config = await loadProfileConfig({ profile: v.profile, demo: v.demo, live: v.live, verbose: v.verbose, userAgent: `okx-trade-cli/${CLI_VERSION2}`, sourceTag: "CLI" });
   setEnvContext({ demo: config.demo, profile: v.profile ?? "default" });
   setJsonEnvEnabled(v.env ?? false);
   const client = new OkxRestClient(config);