@okx_ai/okx-trade-cli 1.3.2-beta.5 → 1.3.2-beta.6

package/dist/index.js

@@ -21,23 +21,26 @@ import {
 import { homedir as homedir2 } from "os";
 import { join as join2, dirname } from "path";
 import { createHmac } from "crypto";
+import { spawn, execFile as execFile2 } from "child_process";
+import { homedir as homedir3 } from "os";
+import { join as join3 } from "path";
 import fs from "fs";
 import path from "path";
 import os from "os";
 import { writeFileSync as writeFileSync2, renameSync as renameSync2, unlinkSync as unlinkSync2, mkdirSync as mkdirSync2 } from "fs";
-import { join as join3, resolve, basename, sep } from "path";
+import { join as join4, resolve, basename, sep } from "path";
 import { randomUUID } from "crypto";
 import yauzl from "yauzl";
 import { createWriteStream, mkdirSync as mkdirSync3 } from "fs";
 import { resolve as resolve2, dirname as dirname2 } from "path";
 import { readFileSync as readFileSync2, existsSync } from "fs";
-import { join as join4 } from "path";
+import { join as join5 } from "path";
 import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, mkdirSync as mkdirSync4, existsSync as existsSync2 } from "fs";
-import { join as join5, dirname as dirname3 } from "path";
-import { homedir as homedir3 } from "os";
-import { readFileSync as readFileSync4, writeFileSync as writeFileSync4, mkdirSync as mkdirSync5, existsSync as existsSync3 } from "fs";
-import { join as join6, dirname as dirname4 } from "path";
+import { join as join6, dirname as dirname3 } from "path";
 import { homedir as homedir4 } from "os";
+import { readFileSync as readFileSync4, writeFileSync as writeFileSync4, mkdirSync as mkdirSync5, existsSync as existsSync3 } from "fs";
+import { join as join7, dirname as dirname4 } from "path";
+import { homedir as homedir5 } from "os";
 
 // ../../node_modules/.pnpm/smol-toml@1.6.0/node_modules/smol-toml/dist/error.js
 function getLineColFromPtr(string, ptr) {
@@ -867,8 +870,8 @@ function stringify(obj, { maxDepth = 1e3, numbersAsFloat = false } = {}) {
 
 // ../core/dist/index.js
 import { readFileSync as readFileSync5, writeFileSync as writeFileSync5, mkdirSync as mkdirSync6, existsSync as existsSync4 } from "fs";
-import { join as join7 } from "path";
-import { homedir as homedir5 } from "os";
+import { join as join8 } from "path";
+import { homedir as homedir6 } from "os";
 import fs2 from "fs";
 import path2 from "path";
 import os2 from "os";
@@ -876,6 +879,18 @@ import * as fs3 from "fs";
 import * as path3 from "path";
 import * as os3 from "os";
 import { execFileSync } from "child_process";
+import {
+  createWriteStream as createWriteStream3,
+  mkdirSync as mkdirSync9,
+  chmodSync as chmodSync2,
+  existsSync as existsSync7,
+  unlinkSync as unlinkSync4,
+  renameSync as renameSync4
+} from "fs";
+import { homedir as homedir9, platform as platform2 } from "os";
+import { join as join11, dirname as dirname7 } from "path";
+import { get as httpsGet2 } from "https";
+import { get as httpGet2 } from "http";
 import {
   readFileSync as readFileSync7,
   createWriteStream as createWriteStream2,
@@ -886,10 +901,13 @@ import {
   renameSync as renameSync3
 } from "fs";
 import { createHash } from "crypto";
-import { homedir as homedir7, platform, arch } from "os";
-import { join as join9, dirname as dirname6 } from "path";
+import { homedir as homedir8, platform, arch } from "os";
+import { join as join10, dirname as dirname6 } from "path";
 import { get as httpsGet } from "https";
 import { get as httpGet } from "http";
+import { readFileSync as readFileSync8, writeFileSync as writeFileSync7, mkdirSync as mkdirSync10, unlinkSync as unlinkSync5, existsSync as existsSync8 } from "fs";
+import { join as join12 } from "path";
+import { homedir as homedir10 } from "os";
 var EXEC_TIMEOUT_MS = 3e4;
 var ALLOWED_DOMAIN_RE = /^[\w.-]+\.okx\.com$/;
 var PILOT_BIN_DIR = join(homedir(), ".okx", "bin");
@@ -1201,6 +1219,11 @@ var ConfigError = class extends OkxMcpError {
     super("ConfigError", message, { suggestion });
   }
 };
+var NotLoggedInError = class extends ConfigError {
+  constructor(suggestion = "Run `okx auth login` to authenticate.") {
+    super("Not logged in.", suggestion);
+  }
+};
 var ValidationError = class extends OkxMcpError {
   constructor(message, suggestion) {
     super("ValidationError", message, { suggestion });
@@ -1253,6 +1276,97 @@ function toToolErrorPayload(error, fallbackEndpoint) {
     timestamp: (/* @__PURE__ */ new Date()).toISOString()
   };
 }
+var EXIT_CODES = {
+  SUCCESS: 0,
+  UNAUTHORIZED_CALLER: 1,
+  NOT_LOGGED_IN: 2,
+  REFRESH_FAILED: 3
+};
+var EXEC_TIMEOUT_MS2 = 5e3;
+var AUTH_BIN_DIR = join3(homedir3(), ".okx", "bin");
+function getAuthBinaryPath() {
+  if (process.env.OKX_AUTH_BIN) {
+    return process.env.OKX_AUTH_BIN;
+  }
+  const ext = process.platform === "win32" ? ".exe" : "";
+  return join3(AUTH_BIN_DIR, `okx-auth${ext}`);
+}
+function execAuthToken() {
+  const binPath = getAuthBinaryPath();
+  return new Promise((resolve3, reject) => {
+    const child = spawn(binPath, ["token"], {
+      stdio: ["ignore", "ignore", "inherit", "pipe"]
+      //       stdin    stdout    stderr     fd3 (pipe)
+    });
+    const chunks = [];
+    const fd3 = child.stdio[3];
+    fd3.on("data", (chunk) => chunks.push(chunk));
+    child.on("error", (err) => {
+      reject(new ConfigError(
+        `Failed to spawn okx-auth: ${err.message}`,
+        "Ensure the okx-auth binary exists and is executable."
+      ));
+    });
+    child.on("close", (code) => {
+      if (code === EXIT_CODES.SUCCESS) {
+        const token = Buffer.concat(chunks).toString("utf-8").trim();
+        if (!token) {
+          reject(new AuthenticationError(
+            "okx-auth returned empty token.",
+            "Run `okx auth login` to re-authenticate."
+          ));
+          return;
+        }
+        resolve3(token);
+        return;
+      }
+      if (code === EXIT_CODES.NOT_LOGGED_IN) {
+        reject(new NotLoggedInError());
+        return;
+      }
+      if (code === EXIT_CODES.UNAUTHORIZED_CALLER) {
+        reject(new AuthenticationError(
+          "okx-auth rejected the caller (unauthorized).",
+          "Ensure you are running from a trusted OKX tool."
+        ));
+        return;
+      }
+      if (code === EXIT_CODES.REFRESH_FAILED) {
+        reject(new AuthenticationError(
+          "Token refresh failed.",
+          "Run `okx auth login` to re-authenticate."
+        ));
+        return;
+      }
+      reject(new AuthenticationError(
+        `okx-auth token exited with code ${code}.`,
+        "Run `okx auth login` to re-authenticate."
+      ));
+    });
+  });
+}
+function execAuthStatus() {
+  const binPath = getAuthBinaryPath();
+  return new Promise((resolve3) => {
+    execFile2(
+      binPath,
+      ["status", "--json"],
+      { timeout: EXEC_TIMEOUT_MS2, encoding: "utf-8" },
+      (error, stdout) => {
+        if (error) {
+          resolve3(null);
+          return;
+        }
+        try {
+          const result = JSON.parse(stdout);
+          resolve3(result);
+        } catch {
+          resolve3(null);
+        }
+      }
+    );
+  });
+}
 function sleep(ms) {
   return new Promise((resolve3) => {
     setTimeout(resolve3, ms);
@@ -1384,6 +1498,7 @@ function maskKey(key) {
   if (key.length <= 8) return "***";
   return `${key.slice(0, 3)}***${key.slice(-3)}`;
 }
+var TOKEN_CACHE_TTL_MS = 6e4;
 function vlog2(message) {
   process.stderr.write(`[verbose] ${message}
 `);
@@ -1392,6 +1507,8 @@ var OkxRestClient = class _OkxRestClient {
   config;
   rateLimiter;
   dispatcher;
+  cachedAccessToken;
+  cachedAccessTokenAt = 0;
   pilot;
   constructor(config) {
     this.config = config;
@@ -1406,6 +1523,51 @@ var OkxRestClient = class _OkxRestClient {
       hasCustomProxy: !!config.proxyUrl
     });
   }
+  /**
+   * Resolve OAuth access token via the okx-auth binary (fd3 pipe).
+   * Caches the token for 60 s to avoid spawning the binary on every
+   * request. The binary handles refresh internally (300s TTL lead),
+   * so periodic re-calls let it serve a fresh token when needed.
+   * Returns null when not logged in.
+   */
+  async resolveAccessToken() {
+    if (this.cachedAccessToken && Date.now() - this.cachedAccessTokenAt < TOKEN_CACHE_TTL_MS) {
+      return this.cachedAccessToken;
+    }
+    try {
+      const token = await execAuthToken();
+      this.cachedAccessToken = token;
+      this.cachedAccessTokenAt = Date.now();
+      return token;
+    } catch (e) {
+      if (e instanceof NotLoggedInError) {
+        return null;
+      }
+      throw e;
+    }
+  }
+  /**
+   * Dynamic auth — determines auth method per request.
+   *
+   * 1. API key in config → HMAC signing (no OAuth fallback)
+   * 2. OAuth token via okx-auth binary → Bearer token
+   * 3. Neither → throw ConfigError
+   */
+  async applyAuth(headers, method, requestPath, bodyJson, timestamp) {
+    if (this.config.apiKey && this.config.secretKey && this.config.passphrase) {
+      this.setAuthHeaders(headers, method, requestPath, bodyJson, timestamp);
+      return;
+    }
+    const accessToken = await this.resolveAccessToken();
+    if (accessToken) {
+      headers.set("Authorization", `Bearer ${accessToken}`);
+      return;
+    }
+    throw new ConfigError(
+      "No credentials found.",
+      "Run `okx auth login` to authenticate, or configure API key credentials."
+    );
+  }
   /** The canonical base URL for this client (e.g. https://www.okx.com). */
   get baseUrl() {
     return this.config.baseUrl;
@@ -1464,18 +1626,6 @@ var OkxRestClient = class _OkxRestClient {
     });
   }
   setAuthHeaders(headers, method, requestPath, bodyJson, timestamp) {
-    if (!this.config.hasAuth) {
-      throw new ConfigError(
-        "Private endpoint requires API credentials.",
-        "Configure OKX_API_KEY, OKX_SECRET_KEY and OKX_PASSPHRASE."
-      );
-    }
-    if (!this.config.apiKey || !this.config.secretKey || !this.config.passphrase) {
-      throw new ConfigError(
-        "Invalid private API credentials state.",
-        "Ensure all OKX credentials are set."
-      );
-    }
     const payload = `${timestamp}${method.toUpperCase()}${requestPath}${bodyJson}`;
     const signature = signOkxPayload(payload, this.config.secretKey);
     headers.set("OK-ACCESS-KEY", this.config.apiKey);
@@ -1590,7 +1740,7 @@ var OkxRestClient = class _OkxRestClient {
     const conn = this.pilot.getConnectionParams();
     this.logRequest("POST", `${conn.baseUrl}${path42}`, "private");
     const reqConfig = { method: "POST", path: path42, auth: "private" };
-    const headers = this.buildHeaders(reqConfig, path42, bodyJson, getNow());
+    const headers = await this.buildHeaders(reqConfig, path42, bodyJson, getNow());
     if (conn.userAgent) {
       headers.set("User-Agent", conn.userAgent);
     }
@@ -1711,7 +1861,7 @@ var OkxRestClient = class _OkxRestClient {
   // Header building
   // ---------------------------------------------------------------------------
   /** Build HTTP headers. reqConfig.extraHeaders must NOT contain auth keys (OK-ACCESS-*). */
-  buildHeaders(reqConfig, requestPath, bodyJson, timestamp) {
+  async buildHeaders(reqConfig, requestPath, bodyJson, timestamp) {
     const headers = new Headers({
       "Content-Type": "application/json",
       Accept: "application/json"
@@ -1720,7 +1870,7 @@ var OkxRestClient = class _OkxRestClient {
       headers.set("User-Agent", this.config.userAgent);
     }
     if (reqConfig.auth === "private") {
-      this.setAuthHeaders(headers, reqConfig.method, requestPath, bodyJson, timestamp);
+      await this.applyAuth(headers, reqConfig.method, requestPath, bodyJson, timestamp);
     }
     const useSimulated = reqConfig.simulatedTrading !== void 0 ? reqConfig.simulatedTrading : this.config.demo;
     if (useSimulated) {
@@ -1774,7 +1924,7 @@ var OkxRestClient = class _OkxRestClient {
     if (reqConfig.rateLimit) {
       await this.rateLimiter.consume(reqConfig.rateLimit);
     }
-    const headers = this.buildHeaders(reqConfig, requestPath, bodyJson, timestamp);
+    const headers = await this.buildHeaders(reqConfig, requestPath, bodyJson, timestamp);
     if (conn.userAgent) {
       headers.set("User-Agent", conn.userAgent);
     }
@@ -2201,8 +2351,6 @@ function registerIndicatorTools() {
   ];
 }
 var DEFAULT_SOURCE_TAG = "MCP";
-var TOKEN_REGEX = /^[A-Z2-7]{12}$/;
-var TAG_JOIN = "";
 var OKX_SITES = {
   global: {
     label: "Global",
@@ -2216,7 +2364,7 @@ var OKX_SITES = {
   },
   us: {
     label: "US",
-    apiBaseUrl: "https://app.okx.com",
+    apiBaseUrl: "https://us.okx.com",
     webUrl: "https://app.okx.com"
   }
 };
@@ -3160,8 +3308,7 @@ function registerAlgoTradeTools() {
             callBackSpread: readString(args, "callbackSpread"),
             activePx: readString(args, "activePx"),
             reduceOnly: typeof reduceOnly === "boolean" ? String(reduceOnly) : void 0,
-            clOrdId: readString(args, "clOrdId"),
-            tag: context.config.sourceTag
+            clOrdId: readString(args, "clOrdId")
           }),
           privateRateLimit("swap_place_move_stop_order", 20)
         );
@@ -3506,8 +3653,7 @@ function registerFuturesAlgoTools() {
             callBackSpread: readString(args, "callbackSpread"),
             activePx: readString(args, "activePx"),
             reduceOnly: typeof reduceOnly === "boolean" ? String(reduceOnly) : void 0,
-            clOrdId: readString(args, "clOrdId"),
-            tag: context.config.sourceTag
+            clOrdId: readString(args, "clOrdId")
           }),
           privateRateLimit("futures_place_move_stop_order", 20)
         );
@@ -3765,7 +3911,7 @@ function safeWriteFile(targetDir, fileName, data) {
     throw new Error(`Invalid file name: "${fileName}"`);
   }
   const resolvedDir = resolve(targetDir);
-  const filePath = join3(resolvedDir, safeName);
+  const filePath = join4(resolvedDir, safeName);
   const resolvedPath = resolve(filePath);
   if (!resolvedPath.startsWith(resolvedDir + sep)) {
     throw new Error(`Path traversal detected: "${fileName}" resolves outside target directory`);
@@ -3893,7 +4039,7 @@ async function extractSkillZip(zipPath, targetDir, limits) {
   });
 }
 function readMetaJson(contentDir) {
-  const metaPath = join4(contentDir, "_meta.json");
+  const metaPath = join5(contentDir, "_meta.json");
   if (!existsSync(metaPath)) {
     throw new Error(`_meta.json not found in ${contentDir}. Invalid skill package.`);
   }
@@ -3919,12 +4065,12 @@ function readMetaJson(contentDir) {
   };
 }
 function validateSkillMdExists(contentDir) {
-  const skillMdPath = join4(contentDir, "SKILL.md");
+  const skillMdPath = join5(contentDir, "SKILL.md");
   if (!existsSync(skillMdPath)) {
     throw new Error(`SKILL.md not found in ${contentDir}. Invalid skill package.`);
   }
 }
-var DEFAULT_REGISTRY_PATH = join5(homedir3(), ".okx", "skills", "registry.json");
+var DEFAULT_REGISTRY_PATH = join6(homedir4(), ".okx", "skills", "registry.json");
 function readRegistry(registryPath = DEFAULT_REGISTRY_PATH) {
   if (!existsSync2(registryPath)) {
     return { version: 1, skills: {} };
@@ -10339,7 +10485,7 @@ function createToolRunner(client, config) {
   };
 }
 function configFilePath() {
-  return join6(homedir4(), ".okx", "config.toml");
+  return join7(homedir5(), ".okx", "config.toml");
 }
 function readFullConfig() {
   const path42 = configFilePath();
@@ -10358,11 +10504,6 @@ Or re-run: okx config init`
     );
   }
 }
-function readTomlProfile(profileName) {
-  const config = readFullConfig();
-  const name = profileName ?? config.default_profile ?? "default";
-  return config.profiles?.[name] ?? {};
-}
 var CONFIG_HEADER = `# OKX Trade Kit Configuration
 # If editing manually, wrap values containing special chars in quotes:
 #   passphrase = 'value'       (if value contains # \\ ")
@@ -10411,18 +10552,24 @@ function parseModuleList(rawModules) {
   }
   return Array.from(deduped);
 }
-function loadCredentials(toml) {
+async function loadCredentials(toml) {
   const apiKey = process.env.OKX_API_KEY?.trim() ?? toml.api_key;
   const secretKey = process.env.OKX_SECRET_KEY?.trim() ?? toml.secret_key;
   const passphrase = process.env.OKX_PASSPHRASE?.trim() ?? toml.passphrase;
-  const hasAuth = Boolean(apiKey && secretKey && passphrase);
+  const hasApiKey = Boolean(apiKey && secretKey && passphrase);
   const partialAuth = Boolean(apiKey) || Boolean(secretKey) || Boolean(passphrase);
-  if (partialAuth && !hasAuth) {
+  if (partialAuth && !hasApiKey) {
     throw new ConfigError(
       "Partial API credentials detected.",
       "Set OKX_API_KEY, OKX_SECRET_KEY and OKX_PASSPHRASE together (env vars or config.toml profile)."
     );
   }
+  let hasOAuth = false;
+  if (!hasApiKey) {
+    const status = await execAuthStatus();
+    hasOAuth = status?.status === "logged_in";
+  }
+  const hasAuth = hasOAuth || hasApiKey;
   return { apiKey, secretKey, passphrase, hasAuth };
 }
 function resolveSite(cliSite, tomlSite) {
@@ -10445,30 +10592,6 @@ function resolveBaseUrl(site, tomlBaseUrl) {
   }
   return rawBaseUrl.replace(/\/+$/, "");
 }
-function resolveSourceTag(cli, defaultTag, opts = {}) {
-  const readEnv = opts.readEnv !== false;
-  const cliSkill = cli.skill?.trim();
-  if (cliSkill) {
-    if (isValidToken(cliSkill)) return composeTag(defaultTag, cliSkill);
-    console.warn("--skill value format invalid (expected 12-char Base32), ignoring");
-  }
-  if (readEnv) {
-    const envToken = process.env.OKX_SKILL_TOKEN?.trim();
-    if (envToken) {
-      if (isValidToken(envToken)) return composeTag(defaultTag, envToken);
-      console.warn("OKX_SKILL_TOKEN format invalid, ignoring");
-    }
-  }
-  const sourceTag = cli.sourceTag?.trim();
-  if (sourceTag) return sourceTag;
-  return defaultTag;
-}
-function composeTag(defaultTag, token) {
-  return `${defaultTag}${TAG_JOIN}${token}`;
-}
-function isValidToken(s) {
-  return TOKEN_REGEX.test(s);
-}
 function resolveDemo(cli, toml) {
   if (cli.demo && cli.live) {
     throw new ConfigError(
@@ -10480,9 +10603,11 @@ function resolveDemo(cli, toml) {
   if (cli.demo === true) return true;
   return process.env.OKX_DEMO === "1" || process.env.OKX_DEMO === "true" || (toml.demo ?? false);
 }
-function loadConfig(cli, opts = {}) {
-  const toml = readTomlProfile(cli.profile);
-  const creds = loadCredentials(toml);
+async function loadConfig(cli) {
+  const config = readFullConfig();
+  const profileName = cli.profile ?? config.default_profile ?? "default";
+  const toml = config.profiles?.[profileName] ?? {};
+  const creds = await loadCredentials(toml);
   const demo = resolveDemo(cli, toml);
   const site = resolveSite(cli.site, toml.site);
   const baseUrl = resolveBaseUrl(site, toml.base_url);
@@ -10500,9 +10625,9 @@ function loadConfig(cli, opts = {}) {
       "proxy_url must start with http:// or https://. SOCKS proxies are not supported."
     );
   }
-  const defaultTag = opts.entryPrefix ?? DEFAULT_SOURCE_TAG;
   return {
     ...creds,
+    profile: profileName,
     baseUrl,
     timeoutMs: Math.floor(rawTimeout),
     modules: parseModuleList(cli.modules),
@@ -10510,14 +10635,12 @@ function loadConfig(cli, opts = {}) {
     demo,
     site,
     userAgent: cli.userAgent,
-    // sourceTag resolution: --skill > OKX_SKILL_TOKEN > --source-tag > defaultTag
-    // MCP entry passes { readEnv: false } to honour the "MCP path not attributed" contract.
-    sourceTag: resolveSourceTag(cli, defaultTag, { readEnv: opts.readEnv }),
+    sourceTag: cli.sourceTag ?? DEFAULT_SOURCE_TAG,
     proxyUrl: rawProxyUrl || void 0,
     verbose: cli.verbose ?? false
   };
 }
-var CACHE_FILE = join7(homedir5(), ".okx", "update-check.json");
+var CACHE_FILE = join8(homedir6(), ".okx", "update-check.json");
 var CHECK_INTERVAL_MS = 24 * 60 * 60 * 1e3;
 function readCache2() {
   try {
@@ -10530,7 +10653,7 @@ function readCache2() {
 }
 function writeCache2(cache) {
   try {
-    mkdirSync6(join7(homedir5(), ".okx"), { recursive: true });
+    mkdirSync6(join8(homedir6(), ".okx"), { recursive: true });
     writeFileSync5(CACHE_FILE, JSON.stringify(cache, null, 2), "utf-8");
   } catch {
   }
@@ -10700,13 +10823,13 @@ function findMsStoreClaudePath() {
 }
 function getConfigPath(client) {
   const home = os3.homedir();
-  const platform2 = process.platform;
+  const platform3 = process.platform;
   switch (client) {
     case "claude-desktop":
-      if (platform2 === "win32") {
+      if (platform3 === "win32") {
         return findMsStoreClaudePath() ?? path3.join(appData(), "Claude", CLAUDE_CONFIG_FILE);
       }
-      if (platform2 === "darwin") {
+      if (platform3 === "darwin") {
         return path3.join(home, "Library", "Application Support", "Claude", CLAUDE_CONFIG_FILE);
       }
       return path3.join(process.env.XDG_CONFIG_HOME ?? path3.join(home, ".config"), "Claude", CLAUDE_CONFIG_FILE);
@@ -10818,7 +10941,7 @@ var DOWNLOAD_TIMEOUT_MS = 3e4;
 var PLATFORM_MAP = {
   "darwin-arm64": "darwin-arm64",
   "darwin-x64": "darwin-x64",
-  "linux-arm64": "linux-arm64",
+  "linux-arm64": "linux-x64",
   "linux-x64": "linux-x64",
   "win32-arm64": "win32-arm64",
   "win32-x64": "win32-x64"
@@ -10950,7 +11073,7 @@ async function installPilotBinary(destPath, sources = CDN_SOURCES, onProgress) {
   if (earlyResult) return earlyResult;
   const platformDir = getPlatformDir();
   const binaryName = getBinaryName();
-  const resolvedDest = destPath ?? join9(homedir7(), ".okx", "bin", binaryName);
+  const resolvedDest = destPath ?? join10(homedir8(), ".okx", "bin", binaryName);
   const tmpPath = resolvedDest + ".tmp";
   mkdirSync8(dirname6(resolvedDest), { recursive: true });
   const localHash = existsSync6(resolvedDest) ? hashFile(resolvedDest) : null;
@@ -11073,16 +11196,276 @@ function downloadText(url, timeoutMs) {
     })
   );
 }
+var AUTH_CDN_PATH_PREFIX = "/upgradeapp/tools/oauth";
+function getAuthBinaryName() {
+  return platform2() === "win32" ? "okx-auth.exe" : "okx-auth";
+}
+function getAuthStatus(binaryPath, opts) {
+  const resolvedPath = binaryPath ?? getAuthBinaryPath();
+  const platformDir = getPlatformDir();
+  if (!existsSync7(resolvedPath)) {
+    return { binaryPath: resolvedPath, exists: false, platform: platformDir };
+  }
+  if (opts?.skipHash) {
+    return { binaryPath: resolvedPath, exists: true, platform: platformDir };
+  }
+  const { size, sha256 } = hashFile(resolvedPath);
+  return { binaryPath: resolvedPath, exists: true, platform: platformDir, fileSize: size, sha256 };
+}
+async function fetchAuthCdnChecksum(sources = CDN_SOURCES, timeoutMs = DOWNLOAD_TIMEOUT_MS) {
+  const platformDir = getPlatformDir();
+  if (!platformDir) return null;
+  const checksumPath = `${AUTH_CDN_PATH_PREFIX}/${platformDir}/checksum.json`;
+  for (const { host, protocol } of sources) {
+    try {
+      const url = `${protocol}://${host}${checksumPath}`;
+      const raw = await downloadText2(url, timeoutMs);
+      const data = JSON.parse(raw);
+      if (typeof data.sha256 !== "string" || typeof data.size !== "number" || typeof data.target !== "string") {
+        continue;
+      }
+      return { sha256: data.sha256, size: data.size, target: data.target, source: host };
+    } catch {
+    }
+  }
+  return null;
+}
+async function fetchAndValidateChecksum2(host, protocol, checksumPath, platformDir, timeoutMs, onProgress) {
+  const checksumUrl = `${protocol}://${host}${checksumPath}`;
+  onProgress?.(`Fetching checksum from ${host}...`);
+  const raw = await downloadText2(checksumUrl, timeoutMs);
+  const checksum = JSON.parse(raw);
+  if (typeof checksum.sha256 !== "string" || typeof checksum.size !== "number" || typeof checksum.target !== "string") {
+    throw new Error("Invalid checksum.json: missing sha256, size, or target");
+  }
+  if (checksum.target !== platformDir) {
+    throw new Error(`Target mismatch: expected ${platformDir}, got ${checksum.target}`);
+  }
+  return { sha256: checksum.sha256, size: checksum.size, target: checksum.target };
+}
+async function downloadAndVerify2(host, protocol, binaryPath, tmpPath, checksum, timeoutMs, onProgress) {
+  const binaryUrl = `${protocol}://${host}${binaryPath}`;
+  onProgress?.(`Downloading binary from ${host}...`);
+  await download2(binaryUrl, tmpPath, timeoutMs);
+  const actual = hashFile(tmpPath);
+  if (actual.size !== checksum.size) {
+    throw new Error(`Size mismatch: expected ${checksum.size}, got ${actual.size}`);
+  }
+  if (actual.sha256 !== checksum.sha256) {
+    throw new Error(`SHA-256 mismatch: expected ${checksum.sha256}, got ${actual.sha256}`);
+  }
+}
+function atomicReplace2(tmpPath, resolvedDest) {
+  if (platform2() === "win32") {
+    try {
+      unlinkSync4(resolvedDest);
+    } catch {
+    }
+  }
+  renameSync4(tmpPath, resolvedDest);
+  if (platform2() !== "win32") {
+    chmodSync2(resolvedDest, 493);
+  }
+}
+function installPreChecks2(destPath, sources) {
+  if (!destPath && process.env.OKX_AUTH_BIN) {
+    return { status: "up-to-date", source: "(env override)" };
+  }
+  if (!getPlatformDir()) {
+    return { status: "failed", error: "Unsupported platform" };
+  }
+  if (sources.length === 0) {
+    return { status: "failed", error: "No CDN sources available" };
+  }
+  return null;
+}
+function isLocalUpToDate2(localHash, checksum) {
+  return localHash !== null && localHash.size === checksum.size && localHash.sha256 === checksum.sha256;
+}
+async function installAuthBinary(destPath, sources = CDN_SOURCES, onProgress) {
+  const earlyResult = installPreChecks2(destPath, sources);
+  if (earlyResult) return earlyResult;
+  const platformDir = getPlatformDir();
+  const binaryName = getAuthBinaryName();
+  const resolvedDest = destPath ?? join11(homedir9(), ".okx", "bin", binaryName);
+  const tmpPath = resolvedDest + ".tmp";
+  mkdirSync9(dirname7(resolvedDest), { recursive: true });
+  const localHash = existsSync7(resolvedDest) ? hashFile(resolvedDest) : null;
+  const checksumPath = `${AUTH_CDN_PATH_PREFIX}/${platformDir}/checksum.json`;
+  const binaryPath = `${AUTH_CDN_PATH_PREFIX}/${platformDir}/${binaryName}`;
+  const errors = [];
+  for (const { host, protocol } of sources) {
+    try {
+      const checksum = await fetchAndValidateChecksum2(
+        host,
+        protocol,
+        checksumPath,
+        platformDir,
+        DOWNLOAD_TIMEOUT_MS,
+        onProgress
+      );
+      if (isLocalUpToDate2(localHash, checksum)) {
+        onProgress?.("Already up to date (checksum match)");
+        return { status: "up-to-date", source: host };
+      }
+      await downloadAndVerify2(host, protocol, binaryPath, tmpPath, checksum, DOWNLOAD_TIMEOUT_MS, onProgress);
+      atomicReplace2(tmpPath, resolvedDest);
+      onProgress?.(`Downloaded and verified from ${host}`);
+      return { status: "installed", source: host };
+    } catch (err) {
+      try {
+        unlinkSync4(tmpPath);
+      } catch {
+      }
+      const msg = err instanceof Error ? err.message : String(err);
+      errors.push(`${host}: ${msg}`);
+      onProgress?.(`${host} failed: ${msg}`);
+    }
+  }
+  return { status: "failed", error: `All CDN sources failed:
+${errors.join("\n")}` };
+}
+function removeAuthBinary(binaryPath) {
+  const resolvedPath = binaryPath ?? getAuthBinaryPath();
+  try {
+    unlinkSync4(resolvedPath);
+    return { status: "removed" };
+  } catch (err) {
+    if (err.code === "ENOENT") {
+      return { status: "not-found" };
+    }
+    const msg = err instanceof Error ? err.message : String(err);
+    throw new Error(`Failed to remove ${resolvedPath}: ${msg}`);
+  }
+}
+function isRedirect2(statusCode) {
+  return statusCode !== void 0 && statusCode >= 300 && statusCode < 400;
+}
+function validateRedirect2(res, requestUrl, redirectCount, maxRedirects) {
+  if (redirectCount > maxRedirects) {
+    throw new Error(`Too many redirects (${maxRedirects})`);
+  }
+  const location = res.headers.location;
+  if (requestUrl.startsWith("https") && !location.startsWith("https")) {
+    throw new Error("Refused HTTPS \u2192 HTTP redirect downgrade");
+  }
+  return location;
+}
+function fetchResponse2(url, timeoutMs) {
+  return new Promise((resolve3, reject) => {
+    let redirects = 0;
+    const maxRedirects = 5;
+    function doRequest(requestUrl) {
+      const reqFn = requestUrl.startsWith("https") ? httpsGet2 : httpGet2;
+      const req = reqFn(requestUrl, { timeout: timeoutMs }, (res) => {
+        if (isRedirect2(res.statusCode) && res.headers.location) {
+          redirects++;
+          try {
+            const location = validateRedirect2(res, requestUrl, redirects, maxRedirects);
+            res.resume();
+            doRequest(location);
+          } catch (err) {
+            reject(err);
+          }
+          return;
+        }
+        if (res.statusCode !== 200) {
+          reject(new Error(`HTTP ${res.statusCode ?? "unknown"}`));
+          return;
+        }
+        resolve3(res);
+      });
+      req.on("error", reject);
+      req.on("timeout", () => {
+        req.destroy();
+        reject(new Error("Download timed out"));
+      });
+    }
+    doRequest(url);
+  });
+}
+function download2(url, destPath, timeoutMs) {
+  return fetchResponse2(url, timeoutMs).then(
+    (res) => new Promise((resolve3, reject) => {
+      const file = createWriteStream3(destPath);
+      res.pipe(file);
+      file.on("finish", () => file.close(() => resolve3()));
+      file.on("error", (err) => {
+        try {
+          unlinkSync4(destPath);
+        } catch {
+        }
+        reject(err);
+      });
+    })
+  );
+}
+function downloadText2(url, timeoutMs) {
+  return fetchResponse2(url, timeoutMs).then(
+    (res) => new Promise((resolve3, reject) => {
+      const chunks = [];
+      res.on("data", (chunk) => chunks.push(chunk));
+      res.on("end", () => resolve3(Buffer.concat(chunks).toString("utf8")));
+      res.on("error", reject);
+    })
+  );
+}
+var CACHE_PATH = join12(homedir10(), ".okx", "auth-binary-check.json");
+var CHECK_INTERVAL_MS2 = 2 * 60 * 60 * 1e3;
+function readCache3() {
+  try {
+    if (!existsSync8(CACHE_PATH)) return null;
+    const data = JSON.parse(readFileSync8(CACHE_PATH, "utf-8"));
+    if (typeof data.cdnSha256 !== "string" || typeof data.checkedAt !== "number") return null;
+    return { cdnSha256: data.cdnSha256, checkedAt: data.checkedAt };
+  } catch {
+    return null;
+  }
+}
+function writeCache3(cdnSha256) {
+  try {
+    mkdirSync10(join12(homedir10(), ".okx"), { recursive: true });
+    writeFileSync7(CACHE_PATH, JSON.stringify({ cdnSha256, checkedAt: Date.now() }, null, 2), "utf-8");
+  } catch {
+  }
+}
+async function ensureAuthBinaryLatest(onProgress) {
+  if (process.env.OKX_AUTH_BIN) return;
+  const cache = readCache3();
+  if (cache && Date.now() - cache.checkedAt < CHECK_INTERVAL_MS2) return;
+  try {
+    const cdn = await fetchAuthCdnChecksum(void 0, 5e3);
+    if (!cdn) return;
+    const local = getAuthStatus();
+    if (local.exists && local.sha256 === cdn.sha256) {
+      writeCache3(cdn.sha256);
+      return;
+    }
+    onProgress?.("Updating okx-auth binary...");
+    const result = await installAuthBinary(void 0, void 0, onProgress);
+    if (result.status === "installed" || result.status === "up-to-date") {
+      const updated = getAuthStatus();
+      if (updated.sha256) writeCache3(updated.sha256);
+      if (result.status === "installed") {
+        onProgress?.("\u2713 okx-auth updated successfully");
+      }
+    }
+  } catch {
+  }
+}
+function updateAuthBinaryCache(sha256) {
+  writeCache3(sha256);
+}
+function clearAuthBinaryCache() {
+  try {
+    unlinkSync5(CACHE_PATH);
+  } catch {
+  }
+}
 
-// src/commands/diagnose.ts
-import dns from "dns/promises";
-import net from "net";
-import os5 from "os";
-import tls from "tls";
-
-// src/commands/diagnose-utils.ts
-import fs4 from "fs";
-import { createRequire } from "module";
+// src/commands/auth.ts
+import { spawn as spawn2 } from "child_process";
+import readline from "readline";
 
 // src/formatter.ts
 import { EOL } from "os";
@@ -11173,7 +11556,286 @@ function markFailedIfSCodeError(data) {
   }
 }
 
+// src/commands/auth.ts
+function runOkxAuth(args) {
+  const binPath = getAuthBinaryPath();
+  return new Promise((resolve3, reject) => {
+    const child = spawn2(binPath, args, {
+      stdio: "inherit"
+    });
+    child.on("error", (err) => {
+      reject(new Error(`Failed to spawn okx-auth: ${err.message}`));
+    });
+    child.on("close", (code) => {
+      resolve3(code ?? 1);
+    });
+  });
+}
+function runOkxAuthCapture(args) {
+  const binPath = getAuthBinaryPath();
+  return new Promise((resolve3, reject) => {
+    const child = spawn2(binPath, args, {
+      stdio: ["inherit", "pipe", "inherit"]
+    });
+    const chunks = [];
+    child.stdout.on("data", (chunk) => chunks.push(chunk));
+    child.on("error", (err) => {
+      reject(new Error(`Failed to spawn okx-auth: ${err.message}`));
+    });
+    child.on("close", (code) => {
+      resolve3({
+        code: code ?? 1,
+        stdout: Buffer.concat(chunks).toString("utf-8")
+      });
+    });
+  });
+}
+function findApiKeyProfile() {
+  let config;
+  try {
+    config = readFullConfig();
+  } catch {
+    return null;
+  }
+  for (const [name, profile] of Object.entries(config.profiles ?? {})) {
+    if (profile?.api_key) return name;
+  }
+  return null;
+}
+async function cmdAuthLogin(args) {
+  const apiKeyProfile = findApiKeyProfile();
+  if (apiKeyProfile) {
+    if (args.manual) {
+      outputLine(JSON.stringify({
+        status: "skipped",
+        reason: "api_key_configured",
+        profile: apiKeyProfile,
+        message: `API key already configured (profile: ${apiKeyProfile}). OAuth login skipped \u2014 API key will be used automatically.`
+      }));
+    } else {
+      outputLine(`API key already configured (profile: ${apiKeyProfile}). OAuth login skipped \u2014 API key will be used automatically.`);
+    }
+    return;
+  }
+  const cliArgs = ["login"];
+  if (args.site) cliArgs.push("--site", args.site);
+  if (args.manual) cliArgs.push("--manual");
+  const code = await runOkxAuth(cliArgs);
+  if (code !== 0) {
+    process.exitCode = code;
+  }
+}
+async function cmdAuthLogout() {
+  const code = await runOkxAuth(["logout"]);
+  if (code !== 0) {
+    process.exitCode = code;
+  }
+}
+async function cmdAuthStatus(args) {
+  const cliArgs = ["status"];
+  if (args.json) cliArgs.push("--json");
+  const result = await runOkxAuthCapture(cliArgs);
+  if (result.stdout) {
+    process.stdout.write(result.stdout);
+  }
+  if (result.code !== 0) {
+    process.exitCode = result.code;
+  }
+}
+function resolveChecksumMatch(local, cdnChecksum, cdnError) {
+  if (!local.exists) return "not-installed";
+  if (cdnError || !cdnChecksum) return "unavailable";
+  if (cdnChecksum.sha256 === local.sha256) return "match";
+  return "mismatch";
+}
+function checksumMatchLabel(match) {
+  if (match === "match") return "\u2713 match";
+  if (match === "mismatch") return "\u2717 mismatch (update available)";
+  return "CDN unreachable";
+}
+function formatBytes(bytes) {
+  if (bytes < 1024) return `${bytes} B`;
+  if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`;
+  return `${(bytes / (1024 * 1024)).toFixed(2)} MB`;
+}
+async function cmdAuthInstallStatus(json) {
+  const local = getAuthStatus();
+  let cdnChecksum = null;
+  let cdnError = null;
+  if (local.exists) {
+    try {
+      cdnChecksum = await fetchAuthCdnChecksum(void 0, 5e3);
+    } catch (err) {
+      cdnError = err instanceof Error ? err.message : String(err);
+    }
+  }
+  const checksumMatch = resolveChecksumMatch(local, cdnChecksum, cdnError);
+  if (json) {
+    outputLine(
+      JSON.stringify({
+        binaryPath: local.binaryPath,
+        exists: local.exists,
+        platform: local.platform,
+        fileSize: local.fileSize ?? null,
+        sha256: local.sha256 ?? null,
+        cdnMatch: checksumMatch,
+        cdnSha256: cdnChecksum?.sha256 ?? null,
+        cdnSource: cdnChecksum?.source ?? null
+      })
+    );
+    return;
+  }
+  outputLine("");
+  outputLine("  okx-auth Binary Status");
+  outputLine("  " + "\u2500".repeat(40));
+  outputLine(`  Binary path : ${local.binaryPath}`);
+  outputLine(`  Installed   : ${local.exists ? "yes" : "no"}`);
+  outputLine(`  Platform    : ${local.platform ?? "(unsupported)"}`);
+  if (local.exists) {
+    outputLine(`  File size   : ${formatBytes(local.fileSize)}`);
+    outputLine(`  SHA-256     : ${local.sha256 ?? "(unknown)"}`);
+    outputLine(`  CDN check   : ${checksumMatchLabel(checksumMatch)}`);
+    if (cdnChecksum) {
+      outputLine(`  CDN source  : ${cdnChecksum.source}`);
+    }
+  }
+  outputLine("");
+}
+async function cmdAuthInstall(json) {
+  const messages2 = [];
+  const onProgress = (msg) => {
+    if (!json) {
+      outputLine(`  ${msg}`);
+    }
+    messages2.push(msg);
+  };
+  if (!json) {
+    outputLine("");
+    outputLine("  Installing okx-auth...");
+  }
+  const result = await installAuthBinary(void 0, void 0, onProgress);
+  if (json) {
+    outputLine(JSON.stringify({ status: result.status, source: result.source ?? null, error: result.error ?? null, messages: messages2 }));
+    if (result.status === "failed") {
+      process.exitCode = 1;
+    }
+    return;
+  }
+  if (result.status === "installed" || result.status === "up-to-date") {
+    const local = getAuthStatus();
+    if (local.sha256) updateAuthBinaryCache(local.sha256);
+  }
+  if (result.status === "installed") {
+    outputLine(`  \u2713 okx-auth installed successfully (${result.source ?? ""})`);
+  } else if (result.status === "up-to-date") {
+    outputLine("  \u2713 okx-auth is already up to date");
+  } else {
+    errorLine(`  \u2717 Installation failed: ${result.error ?? "unknown error"}`);
+    errorLine("  Hint: check network connectivity or try again later");
+    process.exitCode = 1;
+  }
+  outputLine("");
+}
+async function cmdAuthRemove(force, json) {
+  const local = getAuthStatus(void 0, { skipHash: true });
+  if (!local.exists) {
+    if (json) {
+      outputLine(JSON.stringify({ status: "not-installed" }));
+    } else {
+      outputLine("  okx-auth is not installed.");
+    }
+    return;
+  }
+  if (!await confirmRemoval(force, local.binaryPath)) return;
+  let result;
+  try {
+    result = removeAuthBinary();
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (json) {
+      outputLine(JSON.stringify({ status: "failed", error: msg }));
+    } else {
+      errorLine(`  \u2717 Failed to remove: ${msg}`);
+    }
+    process.exitCode = 1;
+    return;
+  }
+  if (json) {
+    outputLine(JSON.stringify({ status: result.status, path: local.binaryPath }));
+    return;
+  }
+  if (result.status === "removed") {
+    clearAuthBinaryCache();
+    outputLine(`  \u2713 Removed: ${local.binaryPath}`);
+  } else {
+    outputLine("  okx-auth is not installed.");
+  }
+}
+async function confirmRemoval(force, binaryPath) {
+  if (force) return true;
+  if (!process.stdin.isTTY) {
+    errorLine("  Error: stdin is not a TTY. Use --force to skip confirmation.");
+    process.exitCode = 1;
+    return false;
+  }
+  const confirmed = await askConfirmation(
+    `  Remove okx-auth at ${binaryPath}? [y/N] `
+  );
+  if (!confirmed) {
+    outputLine("  Cancelled.");
+    return false;
+  }
+  return true;
+}
+function askConfirmation(prompt2) {
+  return new Promise((resolve3) => {
+    const rl = readline.createInterface({
+      input: process.stdin,
+      output: process.stdout
+    });
+    rl.question(prompt2, (answer) => {
+      rl.close();
+      resolve3(answer.trim().toLowerCase() === "y");
+    });
+  });
+}
+async function handleAuthCommand(action, _rest, v) {
+  const site = v.site;
+  const json = v.json;
+  const manual = v.manual;
+  const force = v.force;
+  if (["login", "logout", "status"].includes(action)) {
+    await ensureAuthBinaryLatest((msg) => errorLine(`  ${msg}`));
+  }
+  switch (action) {
+    case "login":
+      return cmdAuthLogin({ site, manual });
+    case "logout":
+      return cmdAuthLogout();
+    case "status":
+      return cmdAuthStatus({ json });
+    case "install":
+      return cmdAuthInstall(json ?? false);
+    case "install-status":
+      return cmdAuthInstallStatus(json ?? false);
+    case "remove":
+      return cmdAuthRemove(force ?? false, json ?? false);
+    default:
+      errorLine(`Unknown auth command: ${action}`);
+      errorLine("Available: login, logout, status, install, install-status, remove");
+      process.exitCode = 1;
+  }
+}
+
+// src/commands/diagnose.ts
+import dns from "dns/promises";
+import net from "net";
+import os5 from "os";
+import tls from "tls";
+
 // src/commands/diagnose-utils.ts
+import fs4 from "fs";
+import { createRequire } from "module";
 var _require = createRequire(import.meta.url);
 function readCliVersion() {
   for (const rel of ["../package.json", "../../package.json"]) {
@@ -11259,7 +11921,7 @@ function sanitize2(value) {
 import fs5 from "fs";
 import path4 from "path";
 import os4 from "os";
-import { spawnSync, spawn } from "child_process";
+import { spawnSync, spawn as spawn3 } from "child_process";
 import { createRequire as createRequire2 } from "module";
 import { fileURLToPath } from "url";
 var _require2 = createRequire2(import.meta.url);
@@ -11593,7 +12255,7 @@ async function checkStdioHandshake(entryPath, report) {
       clearTimeout(timer);
       resolve3(passed);
     };
-    const child = spawn(process.execPath, [entryPath], {
+    const child = spawn3(process.execPath, [entryPath], {
       stdio: ["pipe", "pipe", "pipe"],
       env: { ...process.env }
     });
@@ -11712,7 +12374,7 @@ async function cmdDiagnoseMcp(options = {}) {
 
 // src/commands/diagnose.ts
 var CLI_VERSION = readCliVersion();
-var GIT_HASH = true ? "7acf49fb" : "dev";
+var GIT_HASH = true ? "3331141" : "dev";
 function maskKey2(key) {
   if (!key) return "(not set)";
   if (key.length <= 8) return "****";
@@ -12047,10 +12709,10 @@ async function runCliChecks(config, profile, outputPath) {
 }
 
 // src/unknown-command.ts
-function unknownSubcommand(module, action, knownActions) {
+function unknownSubcommand(module, action, knownActions, knownPaths = []) {
   const actionStr = action ?? "(missing)";
   errorLine(`Unknown command: okx ${module} ${actionStr}`);
-  const hint = suggestSubcommand(action, knownActions);
+  const hint = suggestSubcommand(action, knownActions, knownPaths);
   if (hint) {
     errorLine(`  Did you mean: okx ${module} ${hint} ?`);
   }
@@ -12060,12 +12722,12 @@ function unknownSubcommand(module, action, knownActions) {
   errorLine(`  Run 'okx ${module} --help' for full usage.`);
   process.exitCode = 1;
 }
-function suggestSubcommand(action, knownActions) {
+function suggestSubcommand(action, knownActions, knownPaths = []) {
   if (!action || !action.includes("-")) return void 0;
   const parts = action.split("-");
   if (parts.length !== 2) return void 0;
   const [a, b] = parts;
-  if (knownActions.includes(b)) {
+  if (knownActions.includes(b) && knownPaths.includes(`${b} ${a}`)) {
     return `${b} ${a}`;
   }
   return void 0;
@@ -12073,24 +12735,24 @@ function suggestSubcommand(action, knownActions) {
 
 // src/commands/upgrade.ts
 import { spawnSync as spawnSync2 } from "child_process";
-import { readFileSync as readFileSync8, writeFileSync as writeFileSync7, mkdirSync as mkdirSync9 } from "fs";
-import { dirname as dirname7, join as join10 } from "path";
-import { homedir as homedir8 } from "os";
+import { readFileSync as readFileSync9, writeFileSync as writeFileSync8, mkdirSync as mkdirSync11 } from "fs";
+import { dirname as dirname8, join as join13 } from "path";
+import { homedir as homedir11 } from "os";
 var PACKAGES = ["@okx_ai/okx-trade-mcp", "@okx_ai/okx-trade-cli"];
-var CACHE_FILE2 = join10(homedir8(), ".okx", "last_check");
+var CACHE_FILE2 = join13(homedir11(), ".okx", "last_check");
 var THROTTLE_MS = 12 * 60 * 60 * 1e3;
-var NPM_BIN = join10(dirname7(process.execPath), process.platform === "win32" ? "npm.cmd" : "npm");
+var NPM_BIN = join13(dirname8(process.execPath), process.platform === "win32" ? "npm.cmd" : "npm");
 function readLastCheck() {
   try {
-    return parseInt(readFileSync8(CACHE_FILE2, "utf-8").trim(), 10) || 0;
+    return parseInt(readFileSync9(CACHE_FILE2, "utf-8").trim(), 10) || 0;
   } catch {
     return 0;
   }
 }
 function writeLastCheck() {
   try {
-    mkdirSync9(join10(homedir8(), ".okx"), { recursive: true });
-    writeFileSync7(CACHE_FILE2, String(Math.floor(Date.now() / 1e3)), "utf-8");
+    mkdirSync11(join13(homedir11(), ".okx"), { recursive: true });
+    writeFileSync8(CACHE_FILE2, String(Math.floor(Date.now() / 1e3)), "utf-8");
   } catch {
   }
 }
@@ -13555,22 +14217,18 @@ async function cmdNewsSentimentRank(run, opts) {
 }
 
 // src/config/loader.ts
-function loadProfileConfig(opts) {
-  return loadConfig(
-    {
-      profile: opts.profile,
-      modules: opts.modules,
-      readOnly: opts.readOnly ?? false,
-      demo: opts.demo,
-      live: opts.live,
-      site: opts.site,
-      userAgent: opts.userAgent,
-      sourceTag: opts.sourceTag,
-      skill: opts.skill,
-      verbose: opts.verbose
-    },
-    { entryPrefix: opts.entryPrefix, readEnv: opts.readEnv }
-  );
+async function loadProfileConfig(opts) {
+  return loadConfig({
+    profile: opts.profile,
+    modules: opts.modules,
+    readOnly: opts.readOnly ?? false,
+    demo: opts.demo,
+    live: opts.live,
+    site: opts.site,
+    userAgent: opts.userAgent,
+    sourceTag: opts.sourceTag,
+    verbose: opts.verbose
+  });
 }
 
 // src/help.ts
@@ -13579,13 +14237,12 @@ var HELP_TREE = generateHelpTree();
 function printGlobalHelp() {
   const lines = [
     "",
-    `Usage: okx [--profile <name>] [--demo | --live] [--skill <token>] [--json] <module> <action> [args...]`,
+    `Usage: okx [--profile <name>] [--demo | --live] [--json] <module> <action> [args...]`,
     "",
     "Global Options:",
     `  --profile <name>   Use a named profile from ${configFilePath()}`,
     "  --demo             Use simulated trading (demo) mode",
     "  --live             Force live trading mode (overrides profile demo=true; mutually exclusive with --demo)",
-    "  --skill <token>    OKX skill token for order tagging (from SKILL.md)",
     "  --json             Output raw JSON",
     "  --env              With --json, wrap output as {env, profile, data}",
     "  --verbose          Show detailed network request/response info (stderr)",
@@ -13718,7 +14375,6 @@ import { parseArgs } from "util";
 var CLI_OPTIONS = {
   profile: { type: "string" },
   demo: { type: "boolean", default: false },
-  skill: { type: "string" },
   json: { type: "boolean", default: false },
   env: { type: "boolean", default: false },
   help: { type: "boolean", default: false },
@@ -13898,6 +14554,9 @@ var CLI_OPTIONS = {
   dir: { type: "string" },
   page: { type: "string" },
   format: { type: "string" },
+  // auth
+  site: { type: "string" },
+  manual: { type: "boolean", default: false },
   // event contract
   underlying: { type: "string" },
   seriesId: { type: "string" },
@@ -17121,14 +17780,14 @@ async function cmdDcdQuoteAndBuy(run, opts) {
 }
 
 // src/commands/skill.ts
-import { tmpdir, homedir as homedir10 } from "os";
-import { join as join12, dirname as dirname8 } from "path";
-import { mkdirSync as mkdirSync10, rmSync, existsSync as existsSync8, copyFileSync as copyFileSync2 } from "fs";
+import { tmpdir, homedir as homedir13 } from "os";
+import { join as join15, dirname as dirname9 } from "path";
+import { mkdirSync as mkdirSync12, rmSync, existsSync as existsSync10, copyFileSync as copyFileSync2 } from "fs";
 import { execFileSync as execFileSync2 } from "child_process";
 import { randomUUID as randomUUID2 } from "crypto";
 function resolveNpx() {
-  const sibling = join12(dirname8(process.execPath), "npx");
-  if (existsSync8(sibling)) return sibling;
+  const sibling = join15(dirname9(process.execPath), "npx");
+  if (existsSync10(sibling)) return sibling;
   return "npx";
 }
 var THIRD_PARTY_INSTALL_NOTICE = "Note: This skill was created by a third-party developer, not by OKX. Review SKILL.md before use.";
@@ -17181,13 +17840,13 @@ async function cmdSkillCategories(run, json) {
   outputLine("");
 }
 async function cmdSkillAdd(name, config, json) {
-  const tmpBase = join12(tmpdir(), `okx-skill-${randomUUID2()}`);
-  mkdirSync10(tmpBase, { recursive: true });
+  const tmpBase = join15(tmpdir(), `okx-skill-${randomUUID2()}`);
+  mkdirSync12(tmpBase, { recursive: true });
   try {
     outputLine(`Downloading ${name}...`);
     const client = new OkxRestClient(config);
     const zipPath = await downloadSkillZip(client, name, tmpBase);
-    const contentDir = await extractSkillZip(zipPath, join12(tmpBase, "content"));
+    const contentDir = await extractSkillZip(zipPath, join15(tmpBase, "content"));
     const meta = readMetaJson(contentDir);
     validateSkillMdExists(contentDir);
     outputLine("Installing to detected agents...");
@@ -17197,7 +17856,7 @@ async function cmdSkillAdd(name, config, json) {
         timeout: 6e4
       });
     } catch (e) {
-      const savedZip = join12(process.cwd(), `${name}.zip`);
+      const savedZip = join15(process.cwd(), `${name}.zip`);
       try {
         copyFileSync2(zipPath, savedZip);
       } catch {
@@ -17236,7 +17895,7 @@ function cmdSkillRemove(name, json) {
       timeout: 6e4
     });
   } catch {
-    const agentsPath = join12(homedir10(), ".agents", "skills", name);
+    const agentsPath = join15(homedir13(), ".agents", "skills", name);
     try {
       rmSync(agentsPath, { recursive: true, force: true });
     } catch {
@@ -17310,14 +17969,14 @@ function printSkillInstallResult(meta, json) {
 }
 
 // src/commands/pilot.ts
-import readline from "readline";
-function resolveChecksumMatch(local, cdnChecksum, cdnError) {
+import readline2 from "readline";
+function resolveChecksumMatch2(local, cdnChecksum, cdnError) {
   if (!local.exists) return "not-installed";
   if (cdnError || !cdnChecksum) return "unavailable";
   if (cdnChecksum.sha256 === local.sha256) return "match";
   return "mismatch";
 }
-function checksumMatchLabel(match) {
+function checksumMatchLabel2(match) {
   if (match === "match") return "\u2713 match";
   if (match === "mismatch") return "\u2717 mismatch (update available)";
   return "CDN unreachable";
@@ -17330,9 +17989,9 @@ function formatStatusText(local, checksumMatch, cdnChecksum, runtimeMode) {
   outputLine(`  Installed   : ${local.exists ? "yes" : "no"}`);
   outputLine(`  Platform    : ${local.platform ?? "(unsupported)"}`);
   if (local.exists) {
-    outputLine(`  File size   : ${formatBytes(local.fileSize)}`);
+    outputLine(`  File size   : ${formatBytes2(local.fileSize)}`);
     outputLine(`  SHA-256     : ${local.sha256 ?? "(unknown)"}`);
-    outputLine(`  CDN check   : ${checksumMatchLabel(checksumMatch)}`);
+    outputLine(`  CDN check   : ${checksumMatchLabel2(checksumMatch)}`);
     if (cdnChecksum) {
       outputLine(`  CDN source  : ${cdnChecksum.source}`);
     }
@@ -17359,7 +18018,7 @@ async function cmdPilotStatus(json, binaryPath) {
       cdnError = err instanceof Error ? err.message : String(err);
     }
   }
-  const checksumMatch = resolveChecksumMatch(local, cdnChecksum, cdnError);
+  const checksumMatch = resolveChecksumMatch2(local, cdnChecksum, cdnError);
   if (json) {
     outputLine(
       JSON.stringify({
@@ -17425,7 +18084,7 @@ async function cmdPilotRemove(force, json, binaryPath) {
       process.exitCode = 1;
       return;
     }
-    const confirmed = await askConfirmation(
+    const confirmed = await askConfirmation2(
       `  Remove Pilot at ${local.binaryPath}? [y/N] `
     );
     if (!confirmed) {
@@ -17444,14 +18103,14 @@ async function cmdPilotRemove(force, json, binaryPath) {
     outputLine("  Pilot is not installed.");
   }
 }
-function formatBytes(bytes) {
+function formatBytes2(bytes) {
   if (bytes < 1024) return `${bytes} B`;
   if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`;
   return `${(bytes / (1024 * 1024)).toFixed(2)} MB`;
 }
-function askConfirmation(prompt2) {
+function askConfirmation2(prompt2) {
   return new Promise((resolve3) => {
-    const rl = readline.createInterface({
+    const rl = readline2.createInterface({
       input: process.stdin,
       output: process.stdout
     });
@@ -17920,7 +18579,7 @@ async function cmdEventCancel(run, opts) {
 // src/index.ts
 var _require3 = createRequire3(import.meta.url);
 var CLI_VERSION2 = _require3("../package.json").version;
-var GIT_HASH2 = true ? "7acf49fb" : "dev";
+var GIT_HASH2 = true ? "3331141" : "dev";
 function handlePilotCommand(action, json, force, binaryPath) {
   if (action === "status") return cmdPilotStatus(json, binaryPath);
   if (action === "install") return cmdPilotInstall(json, binaryPath);
@@ -18250,7 +18909,7 @@ function handleSpotCommand(run, action, rest, v, json) {
     "algo",
     "batch",
     "leverage"
-  ]);
+  ], ["algo place", "algo cancel", "algo amend", "algo trail", "algo orders"]);
 }
 function handleSwapAlgoCommand(run, subAction, v, json) {
   if (subAction === "trail")
@@ -18395,7 +19054,7 @@ function handleSwapCommand(run, action, rest, v, json) {
     "leverage",
     "algo",
     "batch"
-  ]);
+  ], ["algo place", "algo cancel", "algo amend", "algo trail", "algo orders"]);
 }
 function handleOptionAlgoCommand(run, subAction, v, json) {
   if (subAction === "place")
@@ -18497,7 +19156,7 @@ function handleOptionCommand(run, action, rest, v, json) {
     "amend",
     "batch-cancel",
     "algo"
-  ]);
+  ], ["algo place", "algo cancel", "algo amend", "algo orders"]);
 }
 function handleFuturesAlgoCommand(run, subAction, v, json) {
   if (subAction === "trail")
@@ -18642,7 +19301,7 @@ function handleFuturesCommand(run, action, rest, v, json) {
     "leverage",
     "batch",
     "algo"
-  ]);
+  ], ["algo place", "algo cancel", "algo amend", "algo trail", "algo orders"]);
 }
 function handleBotGridCommand(run, v, rest, json) {
   const subAction = rest[0];
@@ -18963,13 +19622,13 @@ function handleNewsCommand(run, action, rest, v, json) {
   const period = v.period;
   const points = v.points !== void 0 ? Number(v.points) : 24;
   const sortBy = v["sort-by"];
-  const platform2 = v.platform;
-  const searchOpts = { coins: v.coins, importance: v.importance, platform: platform2, sentiment: v.sentiment, sortBy, begin, end, language, detailLvl, limit, after, json };
-  const listOpts = { coins: v.coins, importance: v.importance, platform: platform2, begin, end, language, detailLvl, limit, after, json };
+  const platform3 = v.platform;
+  const searchOpts = { coins: v.coins, importance: v.importance, platform: platform3, sentiment: v.sentiment, sortBy, begin, end, language, detailLvl, limit, after, json };
+  const listOpts = { coins: v.coins, importance: v.importance, platform: platform3, begin, end, language, detailLvl, limit, after, json };
   const dispatch = {
     latest: () => cmdNewsLatest(run, listOpts),
-    important: () => cmdNewsImportant(run, { coins: v.coins, platform: platform2, begin, end, language, detailLvl, limit, json }),
-    "by-coin": () => cmdNewsByCoin(run, v.coins ?? rest[0], { importance: v.importance, platform: platform2, begin, end, language, detailLvl, limit, json }),
+    important: () => cmdNewsImportant(run, { coins: v.coins, platform: platform3, begin, end, language, detailLvl, limit, json }),
+    "by-coin": () => cmdNewsByCoin(run, v.coins ?? rest[0], { importance: v.importance, platform: platform3, begin, end, language, detailLvl, limit, json }),
     search: () => cmdNewsSearch(run, v.keyword ?? rest[0], searchOpts),
     detail: () => cmdNewsDetail(run, rest[0], { language, json }),
     platforms: () => cmdNewsPlatforms(run, { json }),
@@ -19110,7 +19769,7 @@ function wrapRunnerWithLogger(baseRunner, logger, verbose = false) {
 async function runDiagnose(v) {
   let config;
   try {
-    config = loadProfileConfig({ profile: v.profile, demo: v.demo, live: v.live, verbose: v.verbose, userAgent: `okx-trade-cli/${CLI_VERSION2}`, sourceTag: "CLI", skill: v.skill, entryPrefix: "CLI" });
+    config = await loadProfileConfig({ profile: v.profile, demo: v.demo, live: v.live, verbose: v.verbose, userAgent: `okx-trade-cli/${CLI_VERSION2}`, sourceTag: "CLI" });
   } catch {
   }
   return cmdDiagnose(config, v.profile ?? "default", { mcp: v.mcp, cli: v.cli, all: v.all, output: v.output });
@@ -19133,6 +19792,7 @@ function routeManagementCommand(module, action, rest, json, v) {
     handleSetupCommand(v);
     return true;
   }
+  if (module === "auth") return handleAuthCommand(action, rest, v);
   if (module === "upgrade") return cmdUpgrade(CLI_VERSION2, { beta: v.beta, check: v.check, force: v.force }, json);
   if (module === "pilot") {
     const r = handlePilotCommand(action, json, v.force ?? false);
@@ -19165,7 +19825,7 @@ async function main() {
   const json = v.json ?? false;
   const mgmt = routeManagementCommand(module, action, rest, json, v);
   if (mgmt !== void 0) return mgmt === true ? void 0 : mgmt;
-  const config = loadProfileConfig({ profile: v.profile, demo: v.demo, live: v.live, verbose: v.verbose, userAgent: `okx-trade-cli/${CLI_VERSION2}`, sourceTag: "CLI", skill: v.skill, entryPrefix: "CLI" });
+  const config = await loadProfileConfig({ profile: v.profile, demo: v.demo, live: v.live, verbose: v.verbose, userAgent: `okx-trade-cli/${CLI_VERSION2}`, sourceTag: "CLI" });
   setEnvContext({ demo: config.demo, profile: v.profile ?? "default" });
   setJsonEnvEnabled(v.env ?? false);
   const client = new OkxRestClient(config);