@okx_ai/okx-trade-cli 1.3.2-beta.4 → 1.3.2-beta.5

package/dist/index.js

@@ -21,26 +21,23 @@ import {
 import { homedir as homedir2 } from "os";
 import { join as join2, dirname } from "path";
 import { createHmac } from "crypto";
-import { spawn, execFile as execFile2 } from "child_process";
-import { homedir as homedir3 } from "os";
-import { join as join3 } from "path";
 import fs from "fs";
 import path from "path";
 import os from "os";
 import { writeFileSync as writeFileSync2, renameSync as renameSync2, unlinkSync as unlinkSync2, mkdirSync as mkdirSync2 } from "fs";
-import { join as join4, resolve, basename, sep } from "path";
+import { join as join3, resolve, basename, sep } from "path";
 import { randomUUID } from "crypto";
 import yauzl from "yauzl";
 import { createWriteStream, mkdirSync as mkdirSync3 } from "fs";
 import { resolve as resolve2, dirname as dirname2 } from "path";
 import { readFileSync as readFileSync2, existsSync } from "fs";
-import { join as join5 } from "path";
+import { join as join4 } from "path";
 import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, mkdirSync as mkdirSync4, existsSync as existsSync2 } from "fs";
-import { join as join6, dirname as dirname3 } from "path";
-import { homedir as homedir4 } from "os";
+import { join as join5, dirname as dirname3 } from "path";
+import { homedir as homedir3 } from "os";
 import { readFileSync as readFileSync4, writeFileSync as writeFileSync4, mkdirSync as mkdirSync5, existsSync as existsSync3 } from "fs";
-import { join as join7, dirname as dirname4 } from "path";
-import { homedir as homedir5 } from "os";
+import { join as join6, dirname as dirname4 } from "path";
+import { homedir as homedir4 } from "os";
 
 // ../../node_modules/.pnpm/smol-toml@1.6.0/node_modules/smol-toml/dist/error.js
 function getLineColFromPtr(string, ptr) {
@@ -870,8 +867,8 @@ function stringify(obj, { maxDepth = 1e3, numbersAsFloat = false } = {}) {
 
 // ../core/dist/index.js
 import { readFileSync as readFileSync5, writeFileSync as writeFileSync5, mkdirSync as mkdirSync6, existsSync as existsSync4 } from "fs";
-import { join as join8 } from "path";
-import { homedir as homedir6 } from "os";
+import { join as join7 } from "path";
+import { homedir as homedir5 } from "os";
 import fs2 from "fs";
 import path2 from "path";
 import os2 from "os";
@@ -879,18 +876,6 @@ import * as fs3 from "fs";
 import * as path3 from "path";
 import * as os3 from "os";
 import { execFileSync } from "child_process";
-import {
-  createWriteStream as createWriteStream3,
-  mkdirSync as mkdirSync9,
-  chmodSync as chmodSync2,
-  existsSync as existsSync7,
-  unlinkSync as unlinkSync4,
-  renameSync as renameSync4
-} from "fs";
-import { homedir as homedir9, platform as platform2 } from "os";
-import { join as join11, dirname as dirname7 } from "path";
-import { get as httpsGet2 } from "https";
-import { get as httpGet2 } from "http";
 import {
   readFileSync as readFileSync7,
   createWriteStream as createWriteStream2,
@@ -901,13 +886,10 @@ import {
   renameSync as renameSync3
 } from "fs";
 import { createHash } from "crypto";
-import { homedir as homedir8, platform, arch } from "os";
-import { join as join10, dirname as dirname6 } from "path";
+import { homedir as homedir7, platform, arch } from "os";
+import { join as join9, dirname as dirname6 } from "path";
 import { get as httpsGet } from "https";
 import { get as httpGet } from "http";
-import { readFileSync as readFileSync8, writeFileSync as writeFileSync7, mkdirSync as mkdirSync10, unlinkSync as unlinkSync5, existsSync as existsSync8 } from "fs";
-import { join as join12 } from "path";
-import { homedir as homedir10 } from "os";
 var EXEC_TIMEOUT_MS = 3e4;
 var ALLOWED_DOMAIN_RE = /^[\w.-]+\.okx\.com$/;
 var PILOT_BIN_DIR = join(homedir(), ".okx", "bin");
@@ -1219,11 +1201,6 @@ var ConfigError = class extends OkxMcpError {
     super("ConfigError", message, { suggestion });
   }
 };
-var NotLoggedInError = class extends ConfigError {
-  constructor(suggestion = "Run `okx auth login` to authenticate.") {
-    super("Not logged in.", suggestion);
-  }
-};
 var ValidationError = class extends OkxMcpError {
   constructor(message, suggestion) {
     super("ValidationError", message, { suggestion });
@@ -1276,97 +1253,6 @@ function toToolErrorPayload(error, fallbackEndpoint) {
     timestamp: (/* @__PURE__ */ new Date()).toISOString()
   };
 }
-var EXIT_CODES = {
-  SUCCESS: 0,
-  UNAUTHORIZED_CALLER: 1,
-  NOT_LOGGED_IN: 2,
-  REFRESH_FAILED: 3
-};
-var EXEC_TIMEOUT_MS2 = 5e3;
-var AUTH_BIN_DIR = join3(homedir3(), ".okx", "bin");
-function getAuthBinaryPath() {
-  if (process.env.OKX_AUTH_BIN) {
-    return process.env.OKX_AUTH_BIN;
-  }
-  const ext = process.platform === "win32" ? ".exe" : "";
-  return join3(AUTH_BIN_DIR, `okx-auth${ext}`);
-}
-function execAuthToken() {
-  const binPath = getAuthBinaryPath();
-  return new Promise((resolve3, reject) => {
-    const child = spawn(binPath, ["token"], {
-      stdio: ["ignore", "ignore", "inherit", "pipe"]
-      //       stdin    stdout    stderr     fd3 (pipe)
-    });
-    const chunks = [];
-    const fd3 = child.stdio[3];
-    fd3.on("data", (chunk) => chunks.push(chunk));
-    child.on("error", (err) => {
-      reject(new ConfigError(
-        `Failed to spawn okx-auth: ${err.message}`,
-        "Ensure the okx-auth binary exists and is executable."
-      ));
-    });
-    child.on("close", (code) => {
-      if (code === EXIT_CODES.SUCCESS) {
-        const token = Buffer.concat(chunks).toString("utf-8").trim();
-        if (!token) {
-          reject(new AuthenticationError(
-            "okx-auth returned empty token.",
-            "Run `okx auth login` to re-authenticate."
-          ));
-          return;
-        }
-        resolve3(token);
-        return;
-      }
-      if (code === EXIT_CODES.NOT_LOGGED_IN) {
-        reject(new NotLoggedInError());
-        return;
-      }
-      if (code === EXIT_CODES.UNAUTHORIZED_CALLER) {
-        reject(new AuthenticationError(
-          "okx-auth rejected the caller (unauthorized).",
-          "Ensure you are running from a trusted OKX tool."
-        ));
-        return;
-      }
-      if (code === EXIT_CODES.REFRESH_FAILED) {
-        reject(new AuthenticationError(
-          "Token refresh failed.",
-          "Run `okx auth login` to re-authenticate."
-        ));
-        return;
-      }
-      reject(new AuthenticationError(
-        `okx-auth token exited with code ${code}.`,
-        "Run `okx auth login` to re-authenticate."
-      ));
-    });
-  });
-}
-function execAuthStatus() {
-  const binPath = getAuthBinaryPath();
-  return new Promise((resolve3) => {
-    execFile2(
-      binPath,
-      ["status", "--json"],
-      { timeout: EXEC_TIMEOUT_MS2, encoding: "utf-8" },
-      (error, stdout) => {
-        if (error) {
-          resolve3(null);
-          return;
-        }
-        try {
-          const result = JSON.parse(stdout);
-          resolve3(result);
-        } catch {
-          resolve3(null);
-        }
-      }
-    );
-  });
-}
 function sleep(ms) {
   return new Promise((resolve3) => {
     setTimeout(resolve3, ms);
@@ -1498,7 +1384,6 @@ function maskKey(key) {
   if (key.length <= 8) return "***";
   return `${key.slice(0, 3)}***${key.slice(-3)}`;
 }
-var TOKEN_CACHE_TTL_MS = 6e4;
 function vlog2(message) {
   process.stderr.write(`[verbose] ${message}
 `);
@@ -1507,8 +1392,6 @@ var OkxRestClient = class _OkxRestClient {
   config;
   rateLimiter;
   dispatcher;
-  cachedAccessToken;
-  cachedAccessTokenAt = 0;
   pilot;
   constructor(config) {
     this.config = config;
@@ -1523,51 +1406,6 @@ var OkxRestClient = class _OkxRestClient {
       hasCustomProxy: !!config.proxyUrl
     });
   }
-  /**
-   * Resolve OAuth access token via the okx-auth binary (fd3 pipe).
-   * Caches the token for 60 s to avoid spawning the binary on every
-   * request. The binary handles refresh internally (300s TTL lead),
-   * so periodic re-calls let it serve a fresh token when needed.
-   * Returns null when not logged in.
-   */
-  async resolveAccessToken() {
-    if (this.cachedAccessToken && Date.now() - this.cachedAccessTokenAt < TOKEN_CACHE_TTL_MS) {
-      return this.cachedAccessToken;
-    }
-    try {
-      const token = await execAuthToken();
-      this.cachedAccessToken = token;
-      this.cachedAccessTokenAt = Date.now();
-      return token;
-    } catch (e) {
-      if (e instanceof NotLoggedInError) {
-        return null;
-      }
-      throw e;
-    }
-  }
-  /**
-   * Dynamic auth — determines auth method per request.
-   *
-   * 1. API key in config → HMAC signing (no OAuth fallback)
-   * 2. OAuth token via okx-auth binary → Bearer token
-   * 3. Neither → throw ConfigError
-   */
-  async applyAuth(headers, method, requestPath, bodyJson, timestamp) {
-    if (this.config.apiKey && this.config.secretKey && this.config.passphrase) {
-      this.setAuthHeaders(headers, method, requestPath, bodyJson, timestamp);
-      return;
-    }
-    const accessToken = await this.resolveAccessToken();
-    if (accessToken) {
-      headers.set("Authorization", `Bearer ${accessToken}`);
-      return;
-    }
-    throw new ConfigError(
-      "No credentials found.",
-      "Run `okx auth login` to authenticate, or configure API key credentials."
-    );
-  }
   /** The canonical base URL for this client (e.g. https://www.okx.com). */
   get baseUrl() {
     return this.config.baseUrl;
@@ -1626,6 +1464,18 @@ var OkxRestClient = class _OkxRestClient {
     });
   }
   setAuthHeaders(headers, method, requestPath, bodyJson, timestamp) {
+    if (!this.config.hasAuth) {
+      throw new ConfigError(
+        "Private endpoint requires API credentials.",
+        "Configure OKX_API_KEY, OKX_SECRET_KEY and OKX_PASSPHRASE."
+      );
+    }
+    if (!this.config.apiKey || !this.config.secretKey || !this.config.passphrase) {
+      throw new ConfigError(
+        "Invalid private API credentials state.",
+        "Ensure all OKX credentials are set."
+      );
+    }
     const payload = `${timestamp}${method.toUpperCase()}${requestPath}${bodyJson}`;
     const signature = signOkxPayload(payload, this.config.secretKey);
     headers.set("OK-ACCESS-KEY", this.config.apiKey);
@@ -1740,7 +1590,7 @@ var OkxRestClient = class _OkxRestClient {
     const conn = this.pilot.getConnectionParams();
     this.logRequest("POST", `${conn.baseUrl}${path42}`, "private");
     const reqConfig = { method: "POST", path: path42, auth: "private" };
-    const headers = await this.buildHeaders(reqConfig, path42, bodyJson, getNow());
+    const headers = this.buildHeaders(reqConfig, path42, bodyJson, getNow());
     if (conn.userAgent) {
       headers.set("User-Agent", conn.userAgent);
     }
@@ -1861,7 +1711,7 @@ var OkxRestClient = class _OkxRestClient {
   // Header building
   // ---------------------------------------------------------------------------
   /** Build HTTP headers. reqConfig.extraHeaders must NOT contain auth keys (OK-ACCESS-*). */
-  async buildHeaders(reqConfig, requestPath, bodyJson, timestamp) {
+  buildHeaders(reqConfig, requestPath, bodyJson, timestamp) {
     const headers = new Headers({
       "Content-Type": "application/json",
       Accept: "application/json"
@@ -1870,7 +1720,7 @@ var OkxRestClient = class _OkxRestClient {
       headers.set("User-Agent", this.config.userAgent);
     }
     if (reqConfig.auth === "private") {
-      await this.applyAuth(headers, reqConfig.method, requestPath, bodyJson, timestamp);
+      this.setAuthHeaders(headers, reqConfig.method, requestPath, bodyJson, timestamp);
     }
     const useSimulated = reqConfig.simulatedTrading !== void 0 ? reqConfig.simulatedTrading : this.config.demo;
     if (useSimulated) {
@@ -1924,7 +1774,7 @@ var OkxRestClient = class _OkxRestClient {
     if (reqConfig.rateLimit) {
       await this.rateLimiter.consume(reqConfig.rateLimit);
     }
-    const headers = await this.buildHeaders(reqConfig, requestPath, bodyJson, timestamp);
+    const headers = this.buildHeaders(reqConfig, requestPath, bodyJson, timestamp);
     if (conn.userAgent) {
       headers.set("User-Agent", conn.userAgent);
     }
@@ -2351,6 +2201,8 @@ function registerIndicatorTools() {
   ];
 }
 var DEFAULT_SOURCE_TAG = "MCP";
+var TOKEN_REGEX = /^[A-Z2-7]{12}$/;
+var TAG_JOIN = "";
 var OKX_SITES = {
   global: {
     label: "Global",
@@ -2364,7 +2216,7 @@ var OKX_SITES = {
   },
   us: {
     label: "US",
-    apiBaseUrl: "https://us.okx.com",
+    apiBaseUrl: "https://app.okx.com",
     webUrl: "https://app.okx.com"
   }
 };
@@ -3308,7 +3160,8 @@ function registerAlgoTradeTools() {
             callBackSpread: readString(args, "callbackSpread"),
             activePx: readString(args, "activePx"),
             reduceOnly: typeof reduceOnly === "boolean" ? String(reduceOnly) : void 0,
-            clOrdId: readString(args, "clOrdId")
+            clOrdId: readString(args, "clOrdId"),
+            tag: context.config.sourceTag
           }),
           privateRateLimit("swap_place_move_stop_order", 20)
         );
@@ -3653,7 +3506,8 @@ function registerFuturesAlgoTools() {
             callBackSpread: readString(args, "callbackSpread"),
             activePx: readString(args, "activePx"),
             reduceOnly: typeof reduceOnly === "boolean" ? String(reduceOnly) : void 0,
-            clOrdId: readString(args, "clOrdId")
+            clOrdId: readString(args, "clOrdId"),
+            tag: context.config.sourceTag
           }),
           privateRateLimit("futures_place_move_stop_order", 20)
         );
@@ -3911,7 +3765,7 @@ function safeWriteFile(targetDir, fileName, data) {
     throw new Error(`Invalid file name: "${fileName}"`);
   }
   const resolvedDir = resolve(targetDir);
-  const filePath = join4(resolvedDir, safeName);
+  const filePath = join3(resolvedDir, safeName);
   const resolvedPath = resolve(filePath);
   if (!resolvedPath.startsWith(resolvedDir + sep)) {
     throw new Error(`Path traversal detected: "${fileName}" resolves outside target directory`);
@@ -4039,7 +3893,7 @@ async function extractSkillZip(zipPath, targetDir, limits) {
   });
 }
 function readMetaJson(contentDir) {
-  const metaPath = join5(contentDir, "_meta.json");
+  const metaPath = join4(contentDir, "_meta.json");
   if (!existsSync(metaPath)) {
     throw new Error(`_meta.json not found in ${contentDir}. Invalid skill package.`);
   }
@@ -4065,12 +3919,12 @@ function readMetaJson(contentDir) {
   };
 }
 function validateSkillMdExists(contentDir) {
-  const skillMdPath = join5(contentDir, "SKILL.md");
+  const skillMdPath = join4(contentDir, "SKILL.md");
   if (!existsSync(skillMdPath)) {
     throw new Error(`SKILL.md not found in ${contentDir}. Invalid skill package.`);
   }
 }
-var DEFAULT_REGISTRY_PATH = join6(homedir4(), ".okx", "skills", "registry.json");
+var DEFAULT_REGISTRY_PATH = join5(homedir3(), ".okx", "skills", "registry.json");
 function readRegistry(registryPath = DEFAULT_REGISTRY_PATH) {
   if (!existsSync2(registryPath)) {
     return { version: 1, skills: {} };
@@ -10485,7 +10339,7 @@ function createToolRunner(client, config) {
   };
 }
 function configFilePath() {
-  return join7(homedir5(), ".okx", "config.toml");
+  return join6(homedir4(), ".okx", "config.toml");
 }
 function readFullConfig() {
   const path42 = configFilePath();
@@ -10504,6 +10358,11 @@ Or re-run: okx config init`
     );
   }
 }
+function readTomlProfile(profileName) {
+  const config = readFullConfig();
+  const name = profileName ?? config.default_profile ?? "default";
+  return config.profiles?.[name] ?? {};
+}
 var CONFIG_HEADER = `# OKX Trade Kit Configuration
 # If editing manually, wrap values containing special chars in quotes:
 #   passphrase = 'value'       (if value contains # \\ ")
@@ -10552,24 +10411,18 @@ function parseModuleList(rawModules) {
   }
   return Array.from(deduped);
 }
-async function loadCredentials(toml) {
+function loadCredentials(toml) {
   const apiKey = process.env.OKX_API_KEY?.trim() ?? toml.api_key;
   const secretKey = process.env.OKX_SECRET_KEY?.trim() ?? toml.secret_key;
   const passphrase = process.env.OKX_PASSPHRASE?.trim() ?? toml.passphrase;
-  const hasApiKey = Boolean(apiKey && secretKey && passphrase);
+  const hasAuth = Boolean(apiKey && secretKey && passphrase);
   const partialAuth = Boolean(apiKey) || Boolean(secretKey) || Boolean(passphrase);
-  if (partialAuth && !hasApiKey) {
+  if (partialAuth && !hasAuth) {
     throw new ConfigError(
       "Partial API credentials detected.",
       "Set OKX_API_KEY, OKX_SECRET_KEY and OKX_PASSPHRASE together (env vars or config.toml profile)."
     );
   }
-  let hasOAuth = false;
-  if (!hasApiKey) {
-    const status = await execAuthStatus();
-    hasOAuth = status?.status === "logged_in";
-  }
-  const hasAuth = hasOAuth || hasApiKey;
   return { apiKey, secretKey, passphrase, hasAuth };
 }
 function resolveSite(cliSite, tomlSite) {
@@ -10592,6 +10445,30 @@ function resolveBaseUrl(site, tomlBaseUrl) {
   }
   return rawBaseUrl.replace(/\/+$/, "");
 }
+function resolveSourceTag(cli, defaultTag, opts = {}) {
+  const readEnv = opts.readEnv !== false;
+  const cliSkill = cli.skill?.trim();
+  if (cliSkill) {
+    if (isValidToken(cliSkill)) return composeTag(defaultTag, cliSkill);
+    console.warn("--skill value format invalid (expected 12-char Base32), ignoring");
+  }
+  if (readEnv) {
+    const envToken = process.env.OKX_SKILL_TOKEN?.trim();
+    if (envToken) {
+      if (isValidToken(envToken)) return composeTag(defaultTag, envToken);
+      console.warn("OKX_SKILL_TOKEN format invalid, ignoring");
+    }
+  }
+  const sourceTag = cli.sourceTag?.trim();
+  if (sourceTag) return sourceTag;
+  return defaultTag;
+}
+function composeTag(defaultTag, token) {
+  return `${defaultTag}${TAG_JOIN}${token}`;
+}
+function isValidToken(s) {
+  return TOKEN_REGEX.test(s);
+}
 function resolveDemo(cli, toml) {
   if (cli.demo && cli.live) {
     throw new ConfigError(
@@ -10603,11 +10480,9 @@ function resolveDemo(cli, toml) {
   if (cli.demo === true) return true;
   return process.env.OKX_DEMO === "1" || process.env.OKX_DEMO === "true" || (toml.demo ?? false);
 }
-async function loadConfig(cli) {
-  const config = readFullConfig();
-  const profileName = cli.profile ?? config.default_profile ?? "default";
-  const toml = config.profiles?.[profileName] ?? {};
-  const creds = await loadCredentials(toml);
+function loadConfig(cli, opts = {}) {
+  const toml = readTomlProfile(cli.profile);
+  const creds = loadCredentials(toml);
   const demo = resolveDemo(cli, toml);
   const site = resolveSite(cli.site, toml.site);
   const baseUrl = resolveBaseUrl(site, toml.base_url);
@@ -10625,9 +10500,9 @@ async function loadConfig(cli) {
       "proxy_url must start with http:// or https://. SOCKS proxies are not supported."
     );
   }
+  const defaultTag = opts.entryPrefix ?? DEFAULT_SOURCE_TAG;
   return {
     ...creds,
-    profile: profileName,
     baseUrl,
     timeoutMs: Math.floor(rawTimeout),
     modules: parseModuleList(cli.modules),
@@ -10635,12 +10510,14 @@ async function loadConfig(cli) {
     demo,
     site,
     userAgent: cli.userAgent,
-    sourceTag: cli.sourceTag ?? DEFAULT_SOURCE_TAG,
+    // sourceTag resolution: --skill > OKX_SKILL_TOKEN > --source-tag > defaultTag
+    // MCP entry passes { readEnv: false } to honour the "MCP path not attributed" contract.
+    sourceTag: resolveSourceTag(cli, defaultTag, { readEnv: opts.readEnv }),
     proxyUrl: rawProxyUrl || void 0,
     verbose: cli.verbose ?? false
   };
 }
-var CACHE_FILE = join8(homedir6(), ".okx", "update-check.json");
+var CACHE_FILE = join7(homedir5(), ".okx", "update-check.json");
 var CHECK_INTERVAL_MS = 24 * 60 * 60 * 1e3;
 function readCache2() {
   try {
@@ -10653,7 +10530,7 @@ function readCache2() {
 }
 function writeCache2(cache) {
   try {
-    mkdirSync6(join8(homedir6(), ".okx"), { recursive: true });
+    mkdirSync6(join7(homedir5(), ".okx"), { recursive: true });
     writeFileSync5(CACHE_FILE, JSON.stringify(cache, null, 2), "utf-8");
   } catch {
   }
@@ -10823,13 +10700,13 @@ function findMsStoreClaudePath() {
 }
 function getConfigPath(client) {
   const home = os3.homedir();
-  const platform3 = process.platform;
+  const platform2 = process.platform;
   switch (client) {
     case "claude-desktop":
-      if (platform3 === "win32") {
+      if (platform2 === "win32") {
         return findMsStoreClaudePath() ?? path3.join(appData(), "Claude", CLAUDE_CONFIG_FILE);
       }
-      if (platform3 === "darwin") {
+      if (platform2 === "darwin") {
         return path3.join(home, "Library", "Application Support", "Claude", CLAUDE_CONFIG_FILE);
       }
       return path3.join(process.env.XDG_CONFIG_HOME ?? path3.join(home, ".config"), "Claude", CLAUDE_CONFIG_FILE);
@@ -10941,7 +10818,7 @@ var DOWNLOAD_TIMEOUT_MS = 3e4;
 var PLATFORM_MAP = {
   "darwin-arm64": "darwin-arm64",
   "darwin-x64": "darwin-x64",
-  "linux-arm64": "linux-x64",
+  "linux-arm64": "linux-arm64",
   "linux-x64": "linux-x64",
   "win32-arm64": "win32-arm64",
   "win32-x64": "win32-x64"
@@ -11073,7 +10950,7 @@ async function installPilotBinary(destPath, sources = CDN_SOURCES, onProgress) {
   if (earlyResult) return earlyResult;
   const platformDir = getPlatformDir();
   const binaryName = getBinaryName();
-  const resolvedDest = destPath ?? join10(homedir8(), ".okx", "bin", binaryName);
+  const resolvedDest = destPath ?? join9(homedir7(), ".okx", "bin", binaryName);
   const tmpPath = resolvedDest + ".tmp";
   mkdirSync8(dirname6(resolvedDest), { recursive: true });
   const localHash = existsSync6(resolvedDest) ? hashFile(resolvedDest) : null;
@@ -11196,276 +11073,16 @@ function downloadText(url, timeoutMs) {
     })
   );
 }
-var AUTH_CDN_PATH_PREFIX = "/upgradeapp/tools/oauth";
-function getAuthBinaryName() {
-  return platform2() === "win32" ? "okx-auth.exe" : "okx-auth";
-}
-function getAuthStatus(binaryPath, opts) {
-  const resolvedPath = binaryPath ?? getAuthBinaryPath();
-  const platformDir = getPlatformDir();
-  if (!existsSync7(resolvedPath)) {
-    return { binaryPath: resolvedPath, exists: false, platform: platformDir };
-  }
-  if (opts?.skipHash) {
-    return { binaryPath: resolvedPath, exists: true, platform: platformDir };
-  }
-  const { size, sha256 } = hashFile(resolvedPath);
-  return { binaryPath: resolvedPath, exists: true, platform: platformDir, fileSize: size, sha256 };
-}
-async function fetchAuthCdnChecksum(sources = CDN_SOURCES, timeoutMs = DOWNLOAD_TIMEOUT_MS) {
-  const platformDir = getPlatformDir();
-  if (!platformDir) return null;
-  const checksumPath = `${AUTH_CDN_PATH_PREFIX}/${platformDir}/checksum.json`;
-  for (const { host, protocol } of sources) {
-    try {
-      const url = `${protocol}://${host}${checksumPath}`;
-      const raw = await downloadText2(url, timeoutMs);
-      const data = JSON.parse(raw);
-      if (typeof data.sha256 !== "string" || typeof data.size !== "number" || typeof data.target !== "string") {
-        continue;
-      }
-      return { sha256: data.sha256, size: data.size, target: data.target, source: host };
-    } catch {
-    }
-  }
-  return null;
-}
-async function fetchAndValidateChecksum2(host, protocol, checksumPath, platformDir, timeoutMs, onProgress) {
-  const checksumUrl = `${protocol}://${host}${checksumPath}`;
-  onProgress?.(`Fetching checksum from ${host}...`);
-  const raw = await downloadText2(checksumUrl, timeoutMs);
-  const checksum = JSON.parse(raw);
-  if (typeof checksum.sha256 !== "string" || typeof checksum.size !== "number" || typeof checksum.target !== "string") {
-    throw new Error("Invalid checksum.json: missing sha256, size, or target");
-  }
-  if (checksum.target !== platformDir) {
-    throw new Error(`Target mismatch: expected ${platformDir}, got ${checksum.target}`);
-  }
-  return { sha256: checksum.sha256, size: checksum.size, target: checksum.target };
-}
-async function downloadAndVerify2(host, protocol, binaryPath, tmpPath, checksum, timeoutMs, onProgress) {
-  const binaryUrl = `${protocol}://${host}${binaryPath}`;
-  onProgress?.(`Downloading binary from ${host}...`);
-  await download2(binaryUrl, tmpPath, timeoutMs);
-  const actual = hashFile(tmpPath);
-  if (actual.size !== checksum.size) {
-    throw new Error(`Size mismatch: expected ${checksum.size}, got ${actual.size}`);
-  }
-  if (actual.sha256 !== checksum.sha256) {
-    throw new Error(`SHA-256 mismatch: expected ${checksum.sha256}, got ${actual.sha256}`);
-  }
-}
-function atomicReplace2(tmpPath, resolvedDest) {
-  if (platform2() === "win32") {
-    try {
-      unlinkSync4(resolvedDest);
-    } catch {
-    }
-  }
-  renameSync4(tmpPath, resolvedDest);
-  if (platform2() !== "win32") {
-    chmodSync2(resolvedDest, 493);
-  }
-}
-function installPreChecks2(destPath, sources) {
-  if (!destPath && process.env.OKX_AUTH_BIN) {
-    return { status: "up-to-date", source: "(env override)" };
-  }
-  if (!getPlatformDir()) {
-    return { status: "failed", error: "Unsupported platform" };
-  }
-  if (sources.length === 0) {
-    return { status: "failed", error: "No CDN sources available" };
-  }
-  return null;
-}
-function isLocalUpToDate2(localHash, checksum) {
-  return localHash !== null && localHash.size === checksum.size && localHash.sha256 === checksum.sha256;
-}
-async function installAuthBinary(destPath, sources = CDN_SOURCES, onProgress) {
-  const earlyResult = installPreChecks2(destPath, sources);
-  if (earlyResult) return earlyResult;
-  const platformDir = getPlatformDir();
-  const binaryName = getAuthBinaryName();
-  const resolvedDest = destPath ?? join11(homedir9(), ".okx", "bin", binaryName);
-  const tmpPath = resolvedDest + ".tmp";
-  mkdirSync9(dirname7(resolvedDest), { recursive: true });
-  const localHash = existsSync7(resolvedDest) ? hashFile(resolvedDest) : null;
-  const checksumPath = `${AUTH_CDN_PATH_PREFIX}/${platformDir}/checksum.json`;
-  const binaryPath = `${AUTH_CDN_PATH_PREFIX}/${platformDir}/${binaryName}`;
-  const errors = [];
-  for (const { host, protocol } of sources) {
-    try {
-      const checksum = await fetchAndValidateChecksum2(
-        host,
-        protocol,
-        checksumPath,
-        platformDir,
-        DOWNLOAD_TIMEOUT_MS,
-        onProgress
-      );
-      if (isLocalUpToDate2(localHash, checksum)) {
-        onProgress?.("Already up to date (checksum match)");
-        return { status: "up-to-date", source: host };
-      }
-      await downloadAndVerify2(host, protocol, binaryPath, tmpPath, checksum, DOWNLOAD_TIMEOUT_MS, onProgress);
-      atomicReplace2(tmpPath, resolvedDest);
-      onProgress?.(`Downloaded and verified from ${host}`);
-      return { status: "installed", source: host };
-    } catch (err) {
-      try {
-        unlinkSync4(tmpPath);
-      } catch {
-      }
-      const msg = err instanceof Error ? err.message : String(err);
-      errors.push(`${host}: ${msg}`);
-      onProgress?.(`${host} failed: ${msg}`);
-    }
-  }
-  return { status: "failed", error: `All CDN sources failed:
-${errors.join("\n")}` };
-}
-function removeAuthBinary(binaryPath) {
-  const resolvedPath = binaryPath ?? getAuthBinaryPath();
-  try {
-    unlinkSync4(resolvedPath);
-    return { status: "removed" };
-  } catch (err) {
-    if (err.code === "ENOENT") {
-      return { status: "not-found" };
-    }
-    const msg = err instanceof Error ? err.message : String(err);
-    throw new Error(`Failed to remove ${resolvedPath}: ${msg}`);
-  }
-}
-function isRedirect2(statusCode) {
-  return statusCode !== void 0 && statusCode >= 300 && statusCode < 400;
-}
-function validateRedirect2(res, requestUrl, redirectCount, maxRedirects) {
-  if (redirectCount > maxRedirects) {
-    throw new Error(`Too many redirects (${maxRedirects})`);
-  }
-  const location = res.headers.location;
-  if (requestUrl.startsWith("https") && !location.startsWith("https")) {
-    throw new Error("Refused HTTPS \u2192 HTTP redirect downgrade");
-  }
-  return location;
-}
-function fetchResponse2(url, timeoutMs) {
-  return new Promise((resolve3, reject) => {
-    let redirects = 0;
-    const maxRedirects = 5;
-    function doRequest(requestUrl) {
-      const reqFn = requestUrl.startsWith("https") ? httpsGet2 : httpGet2;
-      const req = reqFn(requestUrl, { timeout: timeoutMs }, (res) => {
-        if (isRedirect2(res.statusCode) && res.headers.location) {
-          redirects++;
-          try {
-            const location = validateRedirect2(res, requestUrl, redirects, maxRedirects);
-            res.resume();
-            doRequest(location);
-          } catch (err) {
-            reject(err);
-          }
-          return;
-        }
-        if (res.statusCode !== 200) {
-          reject(new Error(`HTTP ${res.statusCode ?? "unknown"}`));
-          return;
-        }
-        resolve3(res);
-      });
-      req.on("error", reject);
-      req.on("timeout", () => {
-        req.destroy();
-        reject(new Error("Download timed out"));
-      });
-    }
-    doRequest(url);
-  });
-}
-function download2(url, destPath, timeoutMs) {
-  return fetchResponse2(url, timeoutMs).then(
-    (res) => new Promise((resolve3, reject) => {
-      const file = createWriteStream3(destPath);
-      res.pipe(file);
-      file.on("finish", () => file.close(() => resolve3()));
-      file.on("error", (err) => {
-        try {
-          unlinkSync4(destPath);
-        } catch {
-        }
-        reject(err);
-      });
-    })
-  );
-}
-function downloadText2(url, timeoutMs) {
-  return fetchResponse2(url, timeoutMs).then(
-    (res) => new Promise((resolve3, reject) => {
-      const chunks = [];
-      res.on("data", (chunk) => chunks.push(chunk));
-      res.on("end", () => resolve3(Buffer.concat(chunks).toString("utf8")));
-      res.on("error", reject);
-    })
-  );
-}
-var CACHE_PATH = join12(homedir10(), ".okx", "auth-binary-check.json");
-var CHECK_INTERVAL_MS2 = 2 * 60 * 60 * 1e3;
-function readCache3() {
-  try {
-    if (!existsSync8(CACHE_PATH)) return null;
-    const data = JSON.parse(readFileSync8(CACHE_PATH, "utf-8"));
-    if (typeof data.cdnSha256 !== "string" || typeof data.checkedAt !== "number") return null;
-    return { cdnSha256: data.cdnSha256, checkedAt: data.checkedAt };
-  } catch {
-    return null;
-  }
-}
-function writeCache3(cdnSha256) {
-  try {
-    mkdirSync10(join12(homedir10(), ".okx"), { recursive: true });
-    writeFileSync7(CACHE_PATH, JSON.stringify({ cdnSha256, checkedAt: Date.now() }, null, 2), "utf-8");
-  } catch {
-  }
-}
-async function ensureAuthBinaryLatest(onProgress) {
-  if (process.env.OKX_AUTH_BIN) return;
-  const cache = readCache3();
-  if (cache && Date.now() - cache.checkedAt < CHECK_INTERVAL_MS2) return;
-  try {
-    const cdn = await fetchAuthCdnChecksum(void 0, 5e3);
-    if (!cdn) return;
-    const local = getAuthStatus();
-    if (local.exists && local.sha256 === cdn.sha256) {
-      writeCache3(cdn.sha256);
-      return;
-    }
-    onProgress?.("Updating okx-auth binary...");
-    const result = await installAuthBinary(void 0, void 0, onProgress);
-    if (result.status === "installed" || result.status === "up-to-date") {
-      const updated = getAuthStatus();
-      if (updated.sha256) writeCache3(updated.sha256);
-      if (result.status === "installed") {
-        onProgress?.("\u2713 okx-auth updated successfully");
-      }
-    }
-  } catch {
-  }
-}
-function updateAuthBinaryCache(sha256) {
-  writeCache3(sha256);
-}
-function clearAuthBinaryCache() {
-  try {
-    unlinkSync5(CACHE_PATH);
-  } catch {
-  }
-}
 
-// src/commands/auth.ts
-import { spawn as spawn2 } from "child_process";
-import readline from "readline";
+// src/commands/diagnose.ts
+import dns from "dns/promises";
+import net from "net";
+import os5 from "os";
+import tls from "tls";
+
+// src/commands/diagnose-utils.ts
+import fs4 from "fs";
+import { createRequire } from "module";
 
 // src/formatter.ts
 import { EOL } from "os";
@@ -11556,286 +11173,7 @@ function markFailedIfSCodeError(data) {
   }
 }
 
-// src/commands/auth.ts
-function runOkxAuth(args) {
-  const binPath = getAuthBinaryPath();
-  return new Promise((resolve3, reject) => {
-    const child = spawn2(binPath, args, {
-      stdio: "inherit"
-    });
-    child.on("error", (err) => {
-      reject(new Error(`Failed to spawn okx-auth: ${err.message}`));
-    });
-    child.on("close", (code) => {
-      resolve3(code ?? 1);
-    });
-  });
-}
-function runOkxAuthCapture(args) {
-  const binPath = getAuthBinaryPath();
-  return new Promise((resolve3, reject) => {
-    const child = spawn2(binPath, args, {
-      stdio: ["inherit", "pipe", "inherit"]
-    });
-    const chunks = [];
-    child.stdout.on("data", (chunk) => chunks.push(chunk));
-    child.on("error", (err) => {
-      reject(new Error(`Failed to spawn okx-auth: ${err.message}`));
-    });
-    child.on("close", (code) => {
-      resolve3({
-        code: code ?? 1,
-        stdout: Buffer.concat(chunks).toString("utf-8")
-      });
-    });
-  });
-}
-function findApiKeyProfile() {
-  let config;
-  try {
-    config = readFullConfig();
-  } catch {
-    return null;
-  }
-  for (const [name, profile] of Object.entries(config.profiles ?? {})) {
-    if (profile?.api_key) return name;
-  }
-  return null;
-}
-async function cmdAuthLogin(args) {
-  const apiKeyProfile = findApiKeyProfile();
-  if (apiKeyProfile) {
-    if (args.manual) {
-      outputLine(JSON.stringify({
-        status: "skipped",
-        reason: "api_key_configured",
-        profile: apiKeyProfile,
-        message: `API key already configured (profile: ${apiKeyProfile}). OAuth login skipped \u2014 API key will be used automatically.`
-      }));
-    } else {
-      outputLine(`API key already configured (profile: ${apiKeyProfile}). OAuth login skipped \u2014 API key will be used automatically.`);
-    }
-    return;
-  }
-  const cliArgs = ["login"];
-  if (args.site) cliArgs.push("--site", args.site);
-  if (args.manual) cliArgs.push("--manual");
-  const code = await runOkxAuth(cliArgs);
-  if (code !== 0) {
-    process.exitCode = code;
-  }
-}
-async function cmdAuthLogout() {
-  const code = await runOkxAuth(["logout"]);
-  if (code !== 0) {
-    process.exitCode = code;
-  }
-}
-async function cmdAuthStatus(args) {
-  const cliArgs = ["status"];
-  if (args.json) cliArgs.push("--json");
-  const result = await runOkxAuthCapture(cliArgs);
-  if (result.stdout) {
-    process.stdout.write(result.stdout);
-  }
-  if (result.code !== 0) {
-    process.exitCode = result.code;
-  }
-}
-function resolveChecksumMatch(local, cdnChecksum, cdnError) {
-  if (!local.exists) return "not-installed";
-  if (cdnError || !cdnChecksum) return "unavailable";
-  if (cdnChecksum.sha256 === local.sha256) return "match";
-  return "mismatch";
-}
-function checksumMatchLabel(match) {
-  if (match === "match") return "\u2713 match";
-  if (match === "mismatch") return "\u2717 mismatch (update available)";
-  return "CDN unreachable";
-}
-function formatBytes(bytes) {
-  if (bytes < 1024) return `${bytes} B`;
-  if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`;
-  return `${(bytes / (1024 * 1024)).toFixed(2)} MB`;
-}
-async function cmdAuthInstallStatus(json) {
-  const local = getAuthStatus();
-  let cdnChecksum = null;
-  let cdnError = null;
-  if (local.exists) {
-    try {
-      cdnChecksum = await fetchAuthCdnChecksum(void 0, 5e3);
-    } catch (err) {
-      cdnError = err instanceof Error ? err.message : String(err);
-    }
-  }
-  const checksumMatch = resolveChecksumMatch(local, cdnChecksum, cdnError);
-  if (json) {
-    outputLine(
-      JSON.stringify({
-        binaryPath: local.binaryPath,
-        exists: local.exists,
-        platform: local.platform,
-        fileSize: local.fileSize ?? null,
-        sha256: local.sha256 ?? null,
-        cdnMatch: checksumMatch,
-        cdnSha256: cdnChecksum?.sha256 ?? null,
-        cdnSource: cdnChecksum?.source ?? null
-      })
-    );
-    return;
-  }
-  outputLine("");
-  outputLine("  okx-auth Binary Status");
-  outputLine("  " + "\u2500".repeat(40));
-  outputLine(`  Binary path : ${local.binaryPath}`);
-  outputLine(`  Installed   : ${local.exists ? "yes" : "no"}`);
-  outputLine(`  Platform    : ${local.platform ?? "(unsupported)"}`);
-  if (local.exists) {
-    outputLine(`  File size   : ${formatBytes(local.fileSize)}`);
-    outputLine(`  SHA-256     : ${local.sha256 ?? "(unknown)"}`);
-    outputLine(`  CDN check   : ${checksumMatchLabel(checksumMatch)}`);
-    if (cdnChecksum) {
-      outputLine(`  CDN source  : ${cdnChecksum.source}`);
-    }
-  }
-  outputLine("");
-}
-async function cmdAuthInstall(json) {
-  const messages2 = [];
-  const onProgress = (msg) => {
-    if (!json) {
-      outputLine(`  ${msg}`);
-    }
-    messages2.push(msg);
-  };
-  if (!json) {
-    outputLine("");
-    outputLine("  Installing okx-auth...");
-  }
-  const result = await installAuthBinary(void 0, void 0, onProgress);
-  if (json) {
-    outputLine(JSON.stringify({ status: result.status, source: result.source ?? null, error: result.error ?? null, messages: messages2 }));
-    if (result.status === "failed") {
-      process.exitCode = 1;
-    }
-    return;
-  }
-  if (result.status === "installed" || result.status === "up-to-date") {
-    const local = getAuthStatus();
-    if (local.sha256) updateAuthBinaryCache(local.sha256);
-  }
-  if (result.status === "installed") {
-    outputLine(`  \u2713 okx-auth installed successfully (${result.source ?? ""})`);
-  } else if (result.status === "up-to-date") {
-    outputLine("  \u2713 okx-auth is already up to date");
-  } else {
-    errorLine(`  \u2717 Installation failed: ${result.error ?? "unknown error"}`);
-    errorLine("  Hint: check network connectivity or try again later");
-    process.exitCode = 1;
-  }
-  outputLine("");
-}
-async function cmdAuthRemove(force, json) {
-  const local = getAuthStatus(void 0, { skipHash: true });
-  if (!local.exists) {
-    if (json) {
-      outputLine(JSON.stringify({ status: "not-installed" }));
-    } else {
-      outputLine("  okx-auth is not installed.");
-    }
-    return;
-  }
-  if (!await confirmRemoval(force, local.binaryPath)) return;
-  let result;
-  try {
-    result = removeAuthBinary();
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    if (json) {
-      outputLine(JSON.stringify({ status: "failed", error: msg }));
-    } else {
-      errorLine(`  \u2717 Failed to remove: ${msg}`);
-    }
-    process.exitCode = 1;
-    return;
-  }
-  if (json) {
-    outputLine(JSON.stringify({ status: result.status, path: local.binaryPath }));
-    return;
-  }
-  if (result.status === "removed") {
-    clearAuthBinaryCache();
-    outputLine(`  \u2713 Removed: ${local.binaryPath}`);
-  } else {
-    outputLine("  okx-auth is not installed.");
-  }
-}
-async function confirmRemoval(force, binaryPath) {
-  if (force) return true;
-  if (!process.stdin.isTTY) {
-    errorLine("  Error: stdin is not a TTY. Use --force to skip confirmation.");
-    process.exitCode = 1;
-    return false;
-  }
-  const confirmed = await askConfirmation(
-    `  Remove okx-auth at ${binaryPath}? [y/N] `
-  );
-  if (!confirmed) {
-    outputLine("  Cancelled.");
-    return false;
-  }
-  return true;
-}
-function askConfirmation(prompt2) {
-  return new Promise((resolve3) => {
-    const rl = readline.createInterface({
-      input: process.stdin,
-      output: process.stdout
-    });
-    rl.question(prompt2, (answer) => {
-      rl.close();
-      resolve3(answer.trim().toLowerCase() === "y");
-    });
-  });
-}
-async function handleAuthCommand(action, _rest, v) {
-  const site = v.site;
-  const json = v.json;
-  const manual = v.manual;
-  const force = v.force;
-  if (["login", "logout", "status"].includes(action)) {
-    await ensureAuthBinaryLatest((msg) => errorLine(`  ${msg}`));
-  }
-  switch (action) {
-    case "login":
-      return cmdAuthLogin({ site, manual });
-    case "logout":
-      return cmdAuthLogout();
-    case "status":
-      return cmdAuthStatus({ json });
-    case "install":
-      return cmdAuthInstall(json ?? false);
-    case "install-status":
-      return cmdAuthInstallStatus(json ?? false);
-    case "remove":
-      return cmdAuthRemove(force ?? false, json ?? false);
-    default:
-      errorLine(`Unknown auth command: ${action}`);
-      errorLine("Available: login, logout, status, install, install-status, remove");
-      process.exitCode = 1;
-  }
-}
-
-// src/commands/diagnose.ts
-import dns from "dns/promises";
-import net from "net";
-import os5 from "os";
-import tls from "tls";
-
 // src/commands/diagnose-utils.ts
-import fs4 from "fs";
-import { createRequire } from "module";
 var _require = createRequire(import.meta.url);
 function readCliVersion() {
   for (const rel of ["../package.json", "../../package.json"]) {
@@ -11921,7 +11259,7 @@ function sanitize2(value) {
 import fs5 from "fs";
 import path4 from "path";
 import os4 from "os";
-import { spawnSync, spawn as spawn3 } from "child_process";
+import { spawnSync, spawn } from "child_process";
 import { createRequire as createRequire2 } from "module";
 import { fileURLToPath } from "url";
 var _require2 = createRequire2(import.meta.url);
@@ -12255,7 +11593,7 @@ async function checkStdioHandshake(entryPath, report) {
       clearTimeout(timer);
       resolve3(passed);
     };
-    const child = spawn3(process.execPath, [entryPath], {
+    const child = spawn(process.execPath, [entryPath], {
       stdio: ["pipe", "pipe", "pipe"],
       env: { ...process.env }
     });
@@ -12374,7 +11712,7 @@ async function cmdDiagnoseMcp(options = {}) {
 
 // src/commands/diagnose.ts
 var CLI_VERSION = readCliVersion();
-var GIT_HASH = true ? "a4277b3" : "dev";
+var GIT_HASH = true ? "7acf49fb" : "dev";
 function maskKey2(key) {
   if (!key) return "(not set)";
   if (key.length <= 8) return "****";
@@ -12735,24 +12073,24 @@ function suggestSubcommand(action, knownActions) {
 
 // src/commands/upgrade.ts
 import { spawnSync as spawnSync2 } from "child_process";
-import { readFileSync as readFileSync9, writeFileSync as writeFileSync8, mkdirSync as mkdirSync11 } from "fs";
-import { dirname as dirname8, join as join13 } from "path";
-import { homedir as homedir11 } from "os";
+import { readFileSync as readFileSync8, writeFileSync as writeFileSync7, mkdirSync as mkdirSync9 } from "fs";
+import { dirname as dirname7, join as join10 } from "path";
+import { homedir as homedir8 } from "os";
 var PACKAGES = ["@okx_ai/okx-trade-mcp", "@okx_ai/okx-trade-cli"];
-var CACHE_FILE2 = join13(homedir11(), ".okx", "last_check");
+var CACHE_FILE2 = join10(homedir8(), ".okx", "last_check");
 var THROTTLE_MS = 12 * 60 * 60 * 1e3;
-var NPM_BIN = join13(dirname8(process.execPath), process.platform === "win32" ? "npm.cmd" : "npm");
+var NPM_BIN = join10(dirname7(process.execPath), process.platform === "win32" ? "npm.cmd" : "npm");
 function readLastCheck() {
   try {
-    return parseInt(readFileSync9(CACHE_FILE2, "utf-8").trim(), 10) || 0;
+    return parseInt(readFileSync8(CACHE_FILE2, "utf-8").trim(), 10) || 0;
   } catch {
     return 0;
   }
 }
 function writeLastCheck() {
   try {
-    mkdirSync11(join13(homedir11(), ".okx"), { recursive: true });
-    writeFileSync8(CACHE_FILE2, String(Math.floor(Date.now() / 1e3)), "utf-8");
+    mkdirSync9(join10(homedir8(), ".okx"), { recursive: true });
+    writeFileSync7(CACHE_FILE2, String(Math.floor(Date.now() / 1e3)), "utf-8");
   } catch {
   }
 }
@@ -14217,18 +13555,22 @@ async function cmdNewsSentimentRank(run, opts) {
 }
 
 // src/config/loader.ts
-async function loadProfileConfig(opts) {
-  return loadConfig({
-    profile: opts.profile,
-    modules: opts.modules,
-    readOnly: opts.readOnly ?? false,
-    demo: opts.demo,
-    live: opts.live,
-    site: opts.site,
-    userAgent: opts.userAgent,
-    sourceTag: opts.sourceTag,
-    verbose: opts.verbose
-  });
+function loadProfileConfig(opts) {
+  return loadConfig(
+    {
+      profile: opts.profile,
+      modules: opts.modules,
+      readOnly: opts.readOnly ?? false,
+      demo: opts.demo,
+      live: opts.live,
+      site: opts.site,
+      userAgent: opts.userAgent,
+      sourceTag: opts.sourceTag,
+      skill: opts.skill,
+      verbose: opts.verbose
+    },
+    { entryPrefix: opts.entryPrefix, readEnv: opts.readEnv }
+  );
 }
 
 // src/help.ts
@@ -14237,12 +13579,13 @@ var HELP_TREE = generateHelpTree();
 function printGlobalHelp() {
   const lines = [
     "",
-    `Usage: okx [--profile <name>] [--demo | --live] [--json] <module> <action> [args...]`,
+    `Usage: okx [--profile <name>] [--demo | --live] [--skill <token>] [--json] <module> <action> [args...]`,
     "",
     "Global Options:",
     `  --profile <name>   Use a named profile from ${configFilePath()}`,
     "  --demo             Use simulated trading (demo) mode",
     "  --live             Force live trading mode (overrides profile demo=true; mutually exclusive with --demo)",
+    "  --skill <token>    OKX skill token for order tagging (from SKILL.md)",
     "  --json             Output raw JSON",
     "  --env              With --json, wrap output as {env, profile, data}",
     "  --verbose          Show detailed network request/response info (stderr)",
@@ -14375,6 +13718,7 @@ import { parseArgs } from "util";
 var CLI_OPTIONS = {
   profile: { type: "string" },
   demo: { type: "boolean", default: false },
+  skill: { type: "string" },
   json: { type: "boolean", default: false },
   env: { type: "boolean", default: false },
   help: { type: "boolean", default: false },
@@ -14554,9 +13898,6 @@ var CLI_OPTIONS = {
   dir: { type: "string" },
   page: { type: "string" },
   format: { type: "string" },
-  // auth
-  site: { type: "string" },
-  manual: { type: "boolean", default: false },
   // event contract
   underlying: { type: "string" },
   seriesId: { type: "string" },
@@ -17780,14 +17121,14 @@ async function cmdDcdQuoteAndBuy(run, opts) {
 }
 
 // src/commands/skill.ts
-import { tmpdir, homedir as homedir13 } from "os";
-import { join as join15, dirname as dirname9 } from "path";
-import { mkdirSync as mkdirSync12, rmSync, existsSync as existsSync10, copyFileSync as copyFileSync2 } from "fs";
+import { tmpdir, homedir as homedir10 } from "os";
+import { join as join12, dirname as dirname8 } from "path";
+import { mkdirSync as mkdirSync10, rmSync, existsSync as existsSync8, copyFileSync as copyFileSync2 } from "fs";
 import { execFileSync as execFileSync2 } from "child_process";
 import { randomUUID as randomUUID2 } from "crypto";
 function resolveNpx() {
-  const sibling = join15(dirname9(process.execPath), "npx");
-  if (existsSync10(sibling)) return sibling;
+  const sibling = join12(dirname8(process.execPath), "npx");
+  if (existsSync8(sibling)) return sibling;
   return "npx";
 }
 var THIRD_PARTY_INSTALL_NOTICE = "Note: This skill was created by a third-party developer, not by OKX. Review SKILL.md before use.";
@@ -17840,13 +17181,13 @@ async function cmdSkillCategories(run, json) {
   outputLine("");
 }
 async function cmdSkillAdd(name, config, json) {
-  const tmpBase = join15(tmpdir(), `okx-skill-${randomUUID2()}`);
-  mkdirSync12(tmpBase, { recursive: true });
+  const tmpBase = join12(tmpdir(), `okx-skill-${randomUUID2()}`);
+  mkdirSync10(tmpBase, { recursive: true });
   try {
     outputLine(`Downloading ${name}...`);
     const client = new OkxRestClient(config);
     const zipPath = await downloadSkillZip(client, name, tmpBase);
-    const contentDir = await extractSkillZip(zipPath, join15(tmpBase, "content"));
+    const contentDir = await extractSkillZip(zipPath, join12(tmpBase, "content"));
     const meta = readMetaJson(contentDir);
     validateSkillMdExists(contentDir);
     outputLine("Installing to detected agents...");
@@ -17856,7 +17197,7 @@ async function cmdSkillAdd(name, config, json) {
         timeout: 6e4
       });
     } catch (e) {
-      const savedZip = join15(process.cwd(), `${name}.zip`);
+      const savedZip = join12(process.cwd(), `${name}.zip`);
       try {
         copyFileSync2(zipPath, savedZip);
       } catch {
@@ -17895,7 +17236,7 @@ function cmdSkillRemove(name, json) {
       timeout: 6e4
     });
   } catch {
-    const agentsPath = join15(homedir13(), ".agents", "skills", name);
+    const agentsPath = join12(homedir10(), ".agents", "skills", name);
     try {
       rmSync(agentsPath, { recursive: true, force: true });
     } catch {
@@ -17969,14 +17310,14 @@ function printSkillInstallResult(meta, json) {
 }
 
 // src/commands/pilot.ts
-import readline2 from "readline";
-function resolveChecksumMatch2(local, cdnChecksum, cdnError) {
+import readline from "readline";
+function resolveChecksumMatch(local, cdnChecksum, cdnError) {
   if (!local.exists) return "not-installed";
   if (cdnError || !cdnChecksum) return "unavailable";
   if (cdnChecksum.sha256 === local.sha256) return "match";
   return "mismatch";
 }
-function checksumMatchLabel2(match) {
+function checksumMatchLabel(match) {
   if (match === "match") return "\u2713 match";
   if (match === "mismatch") return "\u2717 mismatch (update available)";
   return "CDN unreachable";
@@ -17989,9 +17330,9 @@ function formatStatusText(local, checksumMatch, cdnChecksum, runtimeMode) {
   outputLine(`  Installed   : ${local.exists ? "yes" : "no"}`);
   outputLine(`  Platform    : ${local.platform ?? "(unsupported)"}`);
   if (local.exists) {
-    outputLine(`  File size   : ${formatBytes2(local.fileSize)}`);
+    outputLine(`  File size   : ${formatBytes(local.fileSize)}`);
     outputLine(`  SHA-256     : ${local.sha256 ?? "(unknown)"}`);
-    outputLine(`  CDN check   : ${checksumMatchLabel2(checksumMatch)}`);
+    outputLine(`  CDN check   : ${checksumMatchLabel(checksumMatch)}`);
     if (cdnChecksum) {
       outputLine(`  CDN source  : ${cdnChecksum.source}`);
     }
@@ -18018,7 +17359,7 @@ async function cmdPilotStatus(json, binaryPath) {
       cdnError = err instanceof Error ? err.message : String(err);
     }
   }
-  const checksumMatch = resolveChecksumMatch2(local, cdnChecksum, cdnError);
+  const checksumMatch = resolveChecksumMatch(local, cdnChecksum, cdnError);
   if (json) {
     outputLine(
       JSON.stringify({
@@ -18084,7 +17425,7 @@ async function cmdPilotRemove(force, json, binaryPath) {
       process.exitCode = 1;
       return;
     }
-    const confirmed = await askConfirmation2(
+    const confirmed = await askConfirmation(
       `  Remove Pilot at ${local.binaryPath}? [y/N] `
     );
     if (!confirmed) {
@@ -18103,14 +17444,14 @@ async function cmdPilotRemove(force, json, binaryPath) {
     outputLine("  Pilot is not installed.");
   }
 }
-function formatBytes2(bytes) {
+function formatBytes(bytes) {
   if (bytes < 1024) return `${bytes} B`;
   if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`;
   return `${(bytes / (1024 * 1024)).toFixed(2)} MB`;
 }
-function askConfirmation2(prompt2) {
+function askConfirmation(prompt2) {
   return new Promise((resolve3) => {
-    const rl = readline2.createInterface({
+    const rl = readline.createInterface({
       input: process.stdin,
       output: process.stdout
     });
@@ -18579,7 +17920,7 @@ async function cmdEventCancel(run, opts) {
 // src/index.ts
 var _require3 = createRequire3(import.meta.url);
 var CLI_VERSION2 = _require3("../package.json").version;
-var GIT_HASH2 = true ? "a4277b3" : "dev";
+var GIT_HASH2 = true ? "7acf49fb" : "dev";
 function handlePilotCommand(action, json, force, binaryPath) {
   if (action === "status") return cmdPilotStatus(json, binaryPath);
   if (action === "install") return cmdPilotInstall(json, binaryPath);
@@ -19622,13 +18963,13 @@ function handleNewsCommand(run, action, rest, v, json) {
   const period = v.period;
   const points = v.points !== void 0 ? Number(v.points) : 24;
   const sortBy = v["sort-by"];
-  const platform3 = v.platform;
-  const searchOpts = { coins: v.coins, importance: v.importance, platform: platform3, sentiment: v.sentiment, sortBy, begin, end, language, detailLvl, limit, after, json };
-  const listOpts = { coins: v.coins, importance: v.importance, platform: platform3, begin, end, language, detailLvl, limit, after, json };
+  const platform2 = v.platform;
+  const searchOpts = { coins: v.coins, importance: v.importance, platform: platform2, sentiment: v.sentiment, sortBy, begin, end, language, detailLvl, limit, after, json };
+  const listOpts = { coins: v.coins, importance: v.importance, platform: platform2, begin, end, language, detailLvl, limit, after, json };
   const dispatch = {
     latest: () => cmdNewsLatest(run, listOpts),
-    important: () => cmdNewsImportant(run, { coins: v.coins, platform: platform3, begin, end, language, detailLvl, limit, json }),
-    "by-coin": () => cmdNewsByCoin(run, v.coins ?? rest[0], { importance: v.importance, platform: platform3, begin, end, language, detailLvl, limit, json }),
+    important: () => cmdNewsImportant(run, { coins: v.coins, platform: platform2, begin, end, language, detailLvl, limit, json }),
+    "by-coin": () => cmdNewsByCoin(run, v.coins ?? rest[0], { importance: v.importance, platform: platform2, begin, end, language, detailLvl, limit, json }),
     search: () => cmdNewsSearch(run, v.keyword ?? rest[0], searchOpts),
     detail: () => cmdNewsDetail(run, rest[0], { language, json }),
     platforms: () => cmdNewsPlatforms(run, { json }),
@@ -19769,7 +19110,7 @@ function wrapRunnerWithLogger(baseRunner, logger, verbose = false) {
 async function runDiagnose(v) {
   let config;
   try {
-    config = await loadProfileConfig({ profile: v.profile, demo: v.demo, live: v.live, verbose: v.verbose, userAgent: `okx-trade-cli/${CLI_VERSION2}`, sourceTag: "CLI" });
+    config = loadProfileConfig({ profile: v.profile, demo: v.demo, live: v.live, verbose: v.verbose, userAgent: `okx-trade-cli/${CLI_VERSION2}`, sourceTag: "CLI", skill: v.skill, entryPrefix: "CLI" });
   } catch {
   }
   return cmdDiagnose(config, v.profile ?? "default", { mcp: v.mcp, cli: v.cli, all: v.all, output: v.output });
@@ -19792,7 +19133,6 @@ function routeManagementCommand(module, action, rest, json, v) {
     handleSetupCommand(v);
     return true;
   }
-  if (module === "auth") return handleAuthCommand(action, rest, v);
   if (module === "upgrade") return cmdUpgrade(CLI_VERSION2, { beta: v.beta, check: v.check, force: v.force }, json);
   if (module === "pilot") {
     const r = handlePilotCommand(action, json, v.force ?? false);
@@ -19825,7 +19165,7 @@ async function main() {
   const json = v.json ?? false;
   const mgmt = routeManagementCommand(module, action, rest, json, v);
   if (mgmt !== void 0) return mgmt === true ? void 0 : mgmt;
-  const config = await loadProfileConfig({ profile: v.profile, demo: v.demo, live: v.live, verbose: v.verbose, userAgent: `okx-trade-cli/${CLI_VERSION2}`, sourceTag: "CLI" });
+  const config = loadProfileConfig({ profile: v.profile, demo: v.demo, live: v.live, verbose: v.verbose, userAgent: `okx-trade-cli/${CLI_VERSION2}`, sourceTag: "CLI", skill: v.skill, entryPrefix: "CLI" });
   setEnvContext({ demo: config.demo, profile: v.profile ?? "default" });
   setJsonEnvEnabled(v.env ?? false);
   const client = new OkxRestClient(config);