@okx_ai/okx-trade-cli 1.3.6-beta.1 → 1.3.6-beta.2

package/dist/index.js

@@ -34,16 +34,22 @@ import os from "os";
 import { writeFileSync as writeFileSync2, renameSync as renameSync2, unlinkSync as unlinkSync2, mkdirSync as mkdirSync2 } from "fs";
 import { join as join4, resolve, basename, sep } from "path";
 import { randomUUID } from "crypto";
+import { createHash } from "crypto";
+import { readFileSync as readFileSync2, readdirSync, statSync } from "fs";
+import { join as join5 } from "path";
+import { createHash as createHash2, createPublicKey, verify as cryptoVerify } from "crypto";
+import { readFileSync as readFileSync3 } from "fs";
+import { join as join6, resolve as resolve2, sep as sep2 } from "path";
 import yauzl from "yauzl";
 import { createWriteStream, mkdirSync as mkdirSync3 } from "fs";
-import { resolve as resolve2, dirname as dirname2 } from "path";
-import { readFileSync as readFileSync2, existsSync } from "fs";
-import { join as join5 } from "path";
-import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, mkdirSync as mkdirSync4, existsSync as existsSync2 } from "fs";
-import { join as join6, dirname as dirname3 } from "path";
+import { resolve as resolve3, dirname as dirname2 } from "path";
+import { readFileSync as readFileSync4, existsSync } from "fs";
+import { join as join7 } from "path";
+import { readFileSync as readFileSync5, writeFileSync as writeFileSync3, mkdirSync as mkdirSync4, existsSync as existsSync2 } from "fs";
+import { join as join8, dirname as dirname3 } from "path";
 import { homedir as homedir4 } from "os";
-import { readFileSync as readFileSync4, writeFileSync as writeFileSync4, mkdirSync as mkdirSync5, existsSync as existsSync3 } from "fs";
-import { join as join7, dirname as dirname4 } from "path";
+import { readFileSync as readFileSync6, writeFileSync as writeFileSync4, mkdirSync as mkdirSync5, existsSync as existsSync3 } from "fs";
+import { join as join9, dirname as dirname4 } from "path";
 import { homedir as homedir5 } from "os";
 
 // ../../node_modules/.pnpm/smol-toml@1.6.0/node_modules/smol-toml/dist/error.js
@@ -121,7 +127,7 @@ function skipVoid(str, ptr, banNewLines, banComments) {
     ptr++;
   return banComments || c !== "#" ? ptr : skipVoid(str, skipComment(str, ptr), banNewLines);
 }
-function skipUntil(str, ptr, sep2, end, banNewLines = false) {
+function skipUntil(str, ptr, sep3, end, banNewLines = false) {
   if (!end) {
     ptr = indexOfNewline(str, ptr);
     return ptr < 0 ? str.length : ptr;
@@ -130,7 +136,7 @@ function skipUntil(str, ptr, sep2, end, banNewLines = false) {
     let c = str[i];
     if (c === "#") {
       i = indexOfNewline(str, i);
-    } else if (c === sep2) {
+    } else if (c === sep3) {
       return i + 1;
     } else if (c === end || banNewLines && (c === "\n" || c === "\r" && str[i + 1] === "\n")) {
       return i;
@@ -873,8 +879,8 @@ function stringify(obj, { maxDepth = 1e3, numbersAsFloat = false } = {}) {
 }
 
 // ../core/dist/index.js
-import { readFileSync as readFileSync5, writeFileSync as writeFileSync5, mkdirSync as mkdirSync6, existsSync as existsSync4 } from "fs";
-import { join as join8 } from "path";
+import { readFileSync as readFileSync7, writeFileSync as writeFileSync5, mkdirSync as mkdirSync6, existsSync as existsSync4 } from "fs";
+import { join as join10 } from "path";
 import { homedir as homedir6 } from "os";
 import fs2 from "fs";
 import path2 from "path";
@@ -891,25 +897,37 @@ import {
   renameSync as renameSync4
 } from "fs";
 import { homedir as homedir9, platform as platform2 } from "os";
-import { join as join11, dirname as dirname7 } from "path";
+import { join as join13, dirname as dirname7 } from "path";
 import { createWriteStream as createWriteStream2, unlinkSync as unlinkSync3 } from "fs";
 import { get as httpsGet } from "https";
 import { get as httpGet } from "http";
 import {
-  readFileSync as readFileSync7,
+  readFileSync as readFileSync9,
   mkdirSync as mkdirSync8,
   chmodSync,
   existsSync as existsSync6,
   unlinkSync as unlinkSync4,
   renameSync as renameSync3
 } from "fs";
-import { createHash } from "crypto";
+import { createHash as createHash3 } from "crypto";
 import { homedir as homedir8, platform, arch } from "os";
-import { join as join10, dirname as dirname6 } from "path";
-import { readFileSync as readFileSync8, writeFileSync as writeFileSync7, mkdirSync as mkdirSync10, unlinkSync as unlinkSync6, existsSync as existsSync8 } from "fs";
-import { join as join12 } from "path";
+import { join as join12, dirname as dirname6 } from "path";
+import { readFileSync as readFileSync10, writeFileSync as writeFileSync7, mkdirSync as mkdirSync10, unlinkSync as unlinkSync6, existsSync as existsSync8 } from "fs";
+import { join as join14 } from "path";
 import { homedir as homedir10 } from "os";
-setGlobalDispatcher(new EnvHttpProxyAgent());
+function hasProxyEnv(env = process.env) {
+  return Boolean(
+    env.HTTPS_PROXY || env.https_proxy || env.HTTP_PROXY || env.http_proxy
+  );
+}
+function installEnvProxyDispatcher(deps = {}) {
+  const env = deps.env ?? process.env;
+  if (!hasProxyEnv(env)) return false;
+  const register = deps.register ?? (() => setGlobalDispatcher(new EnvHttpProxyAgent()));
+  register();
+  return true;
+}
+installEnvProxyDispatcher();
 var EXEC_TIMEOUT_MS = 3e4;
 var ALLOWED_DOMAIN_RE = /^[\w.-]+\.okx\.com$/;
 var PILOT_BIN_DIR = join(homedir(), ".okx", "bin");
@@ -932,25 +950,25 @@ function execPilotBinary(domain, exclude = [], userAgent) {
   if (userAgent) {
     args.push("--user-agent", userAgent);
   }
-  return new Promise((resolve3) => {
+  return new Promise((resolve4) => {
     execFile(
       binPath,
       args,
       { timeout: EXEC_TIMEOUT_MS, encoding: "utf-8" },
       (error, stdout) => {
         if (error) {
-          resolve3(null);
+          resolve4(null);
           return;
         }
         try {
           const result = JSON.parse(stdout);
           if (result.code === 0 && result.data) {
-            resolve3(result.data);
+            resolve4(result.data);
           } else {
-            resolve3(null);
+            resolve4(null);
           }
         } catch {
-          resolve3(null);
+          resolve4(null);
         }
       }
     );
@@ -1284,7 +1302,7 @@ var EXIT_CODES = {
   NOT_LOGGED_IN: 2,
   REFRESH_FAILED: 3
 };
-function finalizeToken(code, token, resolve3, reject) {
+function finalizeToken(code, token, resolve4, reject) {
   if (code === EXIT_CODES.SUCCESS) {
     if (!token) {
       reject(new AuthenticationError(
@@ -1293,7 +1311,7 @@ function finalizeToken(code, token, resolve3, reject) {
       ));
       return;
     }
-    resolve3(token);
+    resolve4(token);
     return;
   }
   if (code === EXIT_CODES.NOT_LOGGED_IN) {
@@ -1330,7 +1348,7 @@ function defaultWindowsPipeName() {
   return WIN_PIPE_PREFIX + randomBytes(32).toString("hex");
 }
 function execAuthTokenWindows(binPath, makePipeName = defaultWindowsPipeName) {
-  return new Promise((resolve3, reject) => {
+  return new Promise((resolve4, reject) => {
     const pipeName = makePipeName();
     const server = createServer();
     const chunks = [];
@@ -1350,7 +1368,7 @@ function execAuthTokenWindows(binPath, makePipeName = defaultWindowsPipeName) {
     const tryFinalize = () => {
       if (!pipeClosed || exitCode === void 0) return;
       const token = Buffer.concat(chunks).toString("utf-8").trim();
-      settle(() => finalizeToken(exitCode, token, resolve3, reject));
+      settle(() => finalizeToken(exitCode, token, resolve4, reject));
     };
     server.on("connection", (socket) => {
       connectionMade = true;
@@ -1397,7 +1415,7 @@ function execAuthToken() {
   return process.platform === "win32" ? execAuthTokenWindows(binPath) : execAuthTokenUnix(binPath);
 }
 function execAuthTokenUnix(binPath) {
-  return new Promise((resolve3, reject) => {
+  return new Promise((resolve4, reject) => {
     const child = spawn2(binPath, ["token"], {
       stdio: ["ignore", "ignore", "inherit", "pipe"]
       //       stdin    stdout    stderr     fd3 (pipe)
@@ -1410,35 +1428,35 @@ function execAuthTokenUnix(binPath) {
     });
     child.on("close", (code) => {
       const token = Buffer.concat(chunks).toString("utf-8").trim();
-      finalizeToken(code, token, resolve3, reject);
+      finalizeToken(code, token, resolve4, reject);
     });
   });
 }
 function execAuthStatus() {
   const binPath = getAuthBinaryPath();
-  return new Promise((resolve3) => {
+  return new Promise((resolve4) => {
     execFile2(
       binPath,
       ["status", "--json"],
       { timeout: EXEC_TIMEOUT_MS2, encoding: "utf-8" },
       (error, stdout) => {
         if (error) {
-          resolve3(null);
+          resolve4(null);
           return;
         }
         try {
           const result = JSON.parse(stdout);
-          resolve3(result);
+          resolve4(result);
         } catch {
-          resolve3(null);
+          resolve4(null);
         }
       }
     );
   });
 }
 function sleep(ms) {
-  return new Promise((resolve3) => {
-    setTimeout(resolve3, ms);
+  return new Promise((resolve4) => {
+    setTimeout(resolve4, ms);
   });
 }
 var RateLimiter = class {
@@ -4264,6 +4282,223 @@ async function downloadSkillZip(client, name, targetDir, format = "zip") {
   const filePath = safeWriteFile(targetDir, fileName, result.data);
   return filePath;
 }
+function listFilesRecursive(dir, base = "") {
+  const results = [];
+  for (const entry of readdirSync(dir)) {
+    const fullPath = join5(dir, entry);
+    const relPath = base ? `${base}/${entry}` : entry;
+    if (statSync(fullPath).isDirectory()) {
+      results.push(...listFilesRecursive(fullPath, relPath));
+    } else {
+      results.push(relPath);
+    }
+  }
+  return results;
+}
+function computeFileHashes(contentDir) {
+  const hashes = {};
+  for (const relPath of listFilesRecursive(contentDir)) {
+    if (relPath === "_meta.json") continue;
+    const bytes = readFileSync2(join5(contentDir, relPath));
+    hashes[relPath] = "sha256:" + createHash("sha256").update(bytes).digest("hex");
+  }
+  return hashes;
+}
+async function getPublicKey(client, keyId) {
+  try {
+    const query = {};
+    if (keyId !== void 0) query.keyId = keyId;
+    const result = await client.privateGet(
+      "/api/v5/skill/signing-key",
+      query
+    );
+    if (!result.data || result.data.status !== "active") return null;
+    return result.data.publicKey;
+  } catch (e) {
+    if (e instanceof ConfigError) throw e;
+    return null;
+  }
+}
+var ED25519_SPKI_HEADER = Buffer.from("302a300506032b6570032100", "hex");
+function parseSSHPublicKey(base64) {
+  try {
+    const buf = Buffer.from(base64, "base64");
+    let offset = 0;
+    if (buf.length < 4) return null;
+    const algLen = buf.readUInt32BE(offset);
+    offset += 4;
+    if (offset + algLen + 4 > buf.length) return null;
+    if (buf.subarray(offset, offset + algLen).toString("ascii") !== "ssh-ed25519") return null;
+    offset += algLen;
+    const keyLen = buf.readUInt32BE(offset);
+    offset += 4;
+    if (keyLen !== 32 || offset + keyLen > buf.length) return null;
+    return buf.subarray(offset, offset + keyLen);
+  } catch {
+    return null;
+  }
+}
+async function verifySkillSignature(contentDir, signing, opts) {
+  if (!signing) {
+    const fallback = await tryServerFallback(contentDir, opts);
+    if (fallback?.status === "verified_by_server") return fallback;
+    return {
+      status: "failed",
+      error: fallback?.error ?? "Skill is not signed",
+      ...fallback?.mismatched?.length && { mismatched: fallback.mismatched }
+    };
+  }
+  const publicKeyBase64 = opts?.fetchPublicKey ? await opts.fetchPublicKey(signing.public_key_id) ?? "" : "";
+  if (!publicKeyBase64) {
+    return localFail(
+      contentDir,
+      opts,
+      `Unknown signing key: ${signing.public_key_id}. Please update CLI.`,
+      "Unknown signing key \u2014 consider updating CLI"
+    );
+  }
+  const rawKey = parseSSHPublicKey(publicKeyBase64);
+  if (!rawKey) {
+    return localFail(
+      contentDir,
+      opts,
+      `Malformed public key for key ID: ${signing.public_key_id}`,
+      "Malformed public key from server \u2014 consider updating CLI",
+      signing.public_key_id
+    );
+  }
+  if (!ed25519Verify(signing, rawKey)) {
+    return localFail(
+      contentDir,
+      opts,
+      "Invalid signature",
+      "Signature mismatch \u2014 key may be outdated or file was modified",
+      signing.public_key_id
+    );
+  }
+  const bindingError = checkNameVersionBinding(signing, opts);
+  if (bindingError) {
+    return { status: "failed", error: bindingError, publicKeyId: signing.public_key_id };
+  }
+  const integrityFailure = await checkFileIntegrity(signing, contentDir, opts);
+  if (integrityFailure) return integrityFailure;
+  const signedFiles = new Set(Object.keys(signing.files));
+  const extraFiles = listFilesRecursive(contentDir).filter(
+    (f) => f !== "_meta.json" && !signedFiles.has(f)
+  );
+  return { status: "verified", publicKeyId: signing.public_key_id, filesChecked: signedFiles.size, extraFiles };
+}
+async function localFail(contentDir, opts, localError, serverHint, keyId) {
+  const fallback = await tryServerFallback(contentDir, opts);
+  if (fallback?.status === "verified_by_server") {
+    return { ...fallback, error: serverHint };
+  }
+  return {
+    status: "failed",
+    error: localError,
+    ...keyId && { publicKeyId: keyId },
+    ...fallback?.mismatched?.length && { mismatched: fallback.mismatched }
+  };
+}
+function ed25519Verify(signing, rawKey) {
+  const payloadObj = { files: signing.files, public_key_id: signing.public_key_id };
+  if (signing.name !== void 0) payloadObj.name = signing.name;
+  if (signing.version !== void 0) payloadObj.version = signing.version;
+  const message = Buffer.from(canonicalize(payloadObj), "utf-8");
+  const sig = Buffer.from(signing.signature, "base64");
+  const spkiKey = Buffer.concat([ED25519_SPKI_HEADER, rawKey]);
+  const keyObj = createPublicKey({ key: spkiKey, format: "der", type: "spki" });
+  return cryptoVerify(null, message, keyObj, sig);
+}
+function checkNameVersionBinding(signing, opts) {
+  if (signing.name !== void 0 && opts?.skillName !== void 0 && signing.name !== opts.skillName) {
+    return `Skill name mismatch: signature binds "${signing.name}" but installing as "${opts.skillName}"`;
+  }
+  if (signing.version !== void 0 && opts?.skillVersion !== void 0 && signing.version !== opts.skillVersion) {
+    return `Skill version mismatch: signature binds "${signing.version}" but package declares "${opts.skillVersion}"`;
+  }
+  return null;
+}
+async function checkFileIntegrity(signing, contentDir, opts) {
+  const resolvedContentDir = resolve2(contentDir);
+  for (const [filename, expectedHash] of Object.entries(signing.files)) {
+    const resolvedPath = resolve2(join6(contentDir, filename));
+    if (!resolvedPath.startsWith(resolvedContentDir + sep2)) {
+      return { status: "failed", error: `Path traversal detected in signing manifest: ${filename}`, publicKeyId: signing.public_key_id };
+    }
+    let bytes;
+    try {
+      bytes = readFileSync3(resolvedPath);
+    } catch {
+      return { status: "failed", error: `File missing: ${filename}`, publicKeyId: signing.public_key_id };
+    }
+    const actual = "sha256:" + createHash2("sha256").update(bytes).digest("hex");
+    if (actual !== expectedHash) {
+      return localFail(
+        contentDir,
+        opts,
+        `File integrity check failed: ${filename}`,
+        "_meta.json may be corrupted",
+        signing.public_key_id
+      );
+    }
+  }
+  return null;
+}
+async function tryServerFallback(contentDir, opts) {
+  if (!opts?.serverSideVerify || !opts.skillName) return null;
+  const fileHashes = computeFileHashes(contentDir);
+  const result = await opts.serverSideVerify(
+    opts.skillName,
+    opts.skillVersion,
+    fileHashes
+  );
+  if (!result) return null;
+  if (result.verified) {
+    return {
+      status: "verified_by_server",
+      filesChecked: Object.keys(fileHashes).length,
+      serverVersion: result.version
+    };
+  }
+  return {
+    status: "failed",
+    filesChecked: Object.keys(fileHashes).length,
+    mismatched: result.mismatched,
+    ...result.message && { error: result.message }
+  };
+}
+function canonicalize(obj) {
+  return JSON.stringify(deepSortKeys(obj));
+}
+function compareKeys(a, b) {
+  if (a < b) return -1;
+  if (a > b) return 1;
+  return 0;
+}
+function deepSortKeys(val) {
+  if (val === null || typeof val !== "object") return val;
+  if (Array.isArray(val)) return val.map(deepSortKeys);
+  const sorted = {};
+  for (const key of Object.keys(val).sort(compareKeys)) {
+    sorted[key] = deepSortKeys(val[key]);
+  }
+  return sorted;
+}
+async function serverSideVerify(client, skillName, version, files) {
+  try {
+    const body = { skillName, files };
+    if (version !== void 0) body.version = version;
+    const result = await client.privatePost(
+      "/api/v5/skill/verify",
+      body
+    );
+    return result.data;
+  } catch (e) {
+    if (e instanceof ConfigError) throw e;
+    return null;
+  }
+}
 var DEFAULT_MAX_TOTAL_BYTES = 100 * 1024 * 1024;
 var DEFAULT_MAX_FILES = 1e3;
 var DEFAULT_MAX_COMPRESSION_RATIO = 100;
@@ -4302,7 +4537,7 @@ async function extractSkillZip(zipPath, targetDir, limits) {
   const maxTotalBytes = limits?.maxTotalBytes ?? DEFAULT_MAX_TOTAL_BYTES;
   const maxFiles = limits?.maxFiles ?? DEFAULT_MAX_FILES;
   const maxCompressionRatio = limits?.maxCompressionRatio ?? DEFAULT_MAX_COMPRESSION_RATIO;
-  const resolvedTarget = resolve2(targetDir);
+  const resolvedTarget = resolve3(targetDir);
   mkdirSync3(resolvedTarget, { recursive: true });
   return new Promise((resolvePromise, reject) => {
     yauzl.open(zipPath, { lazyEntries: true }, (err, zipfile) => {
@@ -4342,11 +4577,11 @@ async function extractSkillZip(zipPath, targetDir, limits) {
   });
 }
 function readMetaJson(contentDir) {
-  const metaPath = join5(contentDir, "_meta.json");
+  const metaPath = join7(contentDir, "_meta.json");
   if (!existsSync(metaPath)) {
     throw new Error(`_meta.json not found in ${contentDir}. Invalid skill package.`);
   }
-  const raw = readFileSync2(metaPath, "utf-8");
+  const raw = readFileSync4(metaPath, "utf-8");
   let parsed;
   try {
     parsed = JSON.parse(raw);
@@ -4364,22 +4599,49 @@ function readMetaJson(contentDir) {
     name: String(meta.name),
     version: String(meta.version),
     title: typeof meta.title === "string" ? meta.title : "",
-    description: typeof meta.description === "string" ? meta.description : ""
+    description: typeof meta.description === "string" ? meta.description : "",
+    signing: parseSigningBlock(meta.signing)
+  };
+}
+function tryReadMetaJson(contentDir) {
+  try {
+    return readMetaJson(contentDir);
+  } catch {
+    return null;
+  }
+}
+function parseSigningBlock(raw) {
+  if (!raw || typeof raw !== "object") return void 0;
+  const s = raw;
+  if (typeof s.signature !== "string" || typeof s.public_key_id !== "string" || !s.files) {
+    return void 0;
+  }
+  const rawFiles = s.files;
+  const files = {};
+  for (const [key, value] of Object.entries(rawFiles)) {
+    if (typeof value === "string") files[key] = value;
+  }
+  return {
+    signature: s.signature,
+    public_key_id: s.public_key_id,
+    files,
+    ...typeof s.name === "string" && { name: s.name },
+    ...typeof s.version === "string" && { version: s.version }
   };
 }
 function validateSkillMdExists(contentDir) {
-  const skillMdPath = join5(contentDir, "SKILL.md");
+  const skillMdPath = join7(contentDir, "SKILL.md");
   if (!existsSync(skillMdPath)) {
     throw new Error(`SKILL.md not found in ${contentDir}. Invalid skill package.`);
   }
 }
-var DEFAULT_REGISTRY_PATH = join6(homedir4(), ".okx", "skills", "registry.json");
+var DEFAULT_REGISTRY_PATH = join8(homedir4(), ".okx", "skills", "registry.json");
 function readRegistry(registryPath = DEFAULT_REGISTRY_PATH) {
   if (!existsSync2(registryPath)) {
     return { version: 1, skills: {} };
   }
   try {
-    const raw = readFileSync3(registryPath, "utf-8");
+    const raw = readFileSync5(registryPath, "utf-8");
     return JSON.parse(raw);
   } catch {
     return { version: 1, skills: {} };
@@ -4389,7 +4651,7 @@ function writeRegistry(registry, registryPath = DEFAULT_REGISTRY_PATH) {
   mkdirSync4(dirname3(registryPath), { recursive: true });
   writeFileSync3(registryPath, JSON.stringify(registry, null, 2) + "\n", "utf-8");
 }
-function upsertSkillRecord(meta, registryPath = DEFAULT_REGISTRY_PATH) {
+function upsertSkillRecord(meta, registryPath = DEFAULT_REGISTRY_PATH, verification) {
   const registry = readRegistry(registryPath);
   const now = (/* @__PURE__ */ new Date()).toISOString();
   const existing = registry.skills[meta.name];
@@ -4399,7 +4661,8 @@ function upsertSkillRecord(meta, registryPath = DEFAULT_REGISTRY_PATH) {
     description: meta.description,
     installedAt: existing?.installedAt ?? now,
     updatedAt: now,
-    source: "marketplace"
+    source: "marketplace",
+    ...verification !== void 0 && { verification }
   };
   writeRegistry(registry, registryPath);
 }
@@ -12195,12 +12458,12 @@ function createToolRunner(client, config) {
   };
 }
 function configFilePath() {
-  return join7(homedir5(), ".okx", "config.toml");
+  return join9(homedir5(), ".okx", "config.toml");
 }
 function readFullConfig() {
   const path42 = configFilePath();
   if (!existsSync3(path42)) return { profiles: {} };
-  const raw = readFileSync4(path42, "utf-8");
+  const raw = readFileSync6(path42, "utf-8");
   try {
     return parse(raw);
   } catch (err) {
@@ -12350,7 +12613,7 @@ async function loadConfig(cli) {
     verbose: cli.verbose ?? false
   };
 }
-var CACHE_FILE = join8(homedir6(), ".okx", "update-check.json");
+var CACHE_FILE = join10(homedir6(), ".okx", "update-check.json");
 var CHECK_INTERVAL_MS = 24 * 60 * 60 * 1e3;
 var NEGATIVE_CHECK_INTERVAL_MS = 60 * 60 * 1e3;
 var DEFAULT_REGISTRY = "https://registry.npmjs.org/";
@@ -12358,7 +12621,7 @@ var FETCH_TIMEOUT_MS = 3e3;
 function readCache2() {
   try {
     if (existsSync4(CACHE_FILE)) {
-      return JSON.parse(readFileSync5(CACHE_FILE, "utf-8"));
+      return JSON.parse(readFileSync7(CACHE_FILE, "utf-8"));
     }
   } catch {
   }
@@ -12366,7 +12629,7 @@ function readCache2() {
 }
 function writeCache2(cache) {
   try {
-    mkdirSync6(join8(homedir6(), ".okx"), { recursive: true });
+    mkdirSync6(join10(homedir6(), ".okx"), { recursive: true });
     writeFileSync5(CACHE_FILE, JSON.stringify(cache, null, 2), "utf-8");
   } catch {
   }
@@ -12396,13 +12659,13 @@ function buildNpmrcCandidates() {
   let dir = process.cwd();
   const root = dir.startsWith("/") ? "/" : dir.slice(0, 3);
   while (true) {
-    add(join8(dir, ".npmrc"));
+    add(join10(dir, ".npmrc"));
     if (dir === root) break;
-    const parent = join8(dir, "..");
+    const parent = join10(dir, "..");
     if (parent === dir) break;
     dir = parent;
   }
-  add(join8(homedir6(), ".npmrc"));
+  add(join10(homedir6(), ".npmrc"));
   if (process.platform !== "win32") {
     add("/etc/npmrc");
   }
@@ -12411,7 +12674,7 @@ function buildNpmrcCandidates() {
 function readNpmrcRegistry(filePath) {
   try {
     if (!existsSync4(filePath)) return null;
-    const lines = readFileSync5(filePath, "utf-8").split(/\r?\n/);
+    const lines = readFileSync7(filePath, "utf-8").split(/\r?\n/);
     for (const line of lines) {
       const trimmed = line.trim();
       if (trimmed.startsWith("#") || !trimmed.includes("=")) continue;
@@ -12738,6 +13001,14 @@ function runSetup(options) {
 `);
   }
 }
+var HttpStatusError = class extends Error {
+  statusCode;
+  constructor(statusCode) {
+    super(`HTTP ${statusCode}`);
+    this.name = "HttpStatusError";
+    this.statusCode = statusCode;
+  }
+};
 function isRedirect(statusCode) {
   return statusCode !== void 0 && statusCode >= 300 && statusCode < 400;
 }
@@ -12752,7 +13023,7 @@ function validateRedirect(res, requestUrl, redirectCount, maxRedirects) {
   return location;
 }
 function fetchResponse(url, timeoutMs) {
-  return new Promise((resolve3, reject) => {
+  return new Promise((resolve4, reject) => {
     let redirects = 0;
     const maxRedirects = 5;
     function doRequest(requestUrl) {
@@ -12770,10 +13041,14 @@ function fetchResponse(url, timeoutMs) {
           return;
         }
         if (res.statusCode !== 200) {
-          reject(new Error(`HTTP ${res.statusCode ?? "unknown"}`));
+          if (res.statusCode === void 0) {
+            reject(new Error("HTTP unknown"));
+          } else {
+            reject(new HttpStatusError(res.statusCode));
+          }
           return;
         }
-        resolve3(res);
+        resolve4(res);
       });
       req.on("error", reject);
       req.on("timeout", () => {
@@ -12786,10 +13061,10 @@ function fetchResponse(url, timeoutMs) {
 }
 function download(url, destPath, timeoutMs) {
   return fetchResponse(url, timeoutMs).then(
-    (res) => new Promise((resolve3, reject) => {
+    (res) => new Promise((resolve4, reject) => {
       const file = createWriteStream2(destPath);
       res.pipe(file);
-      file.on("finish", () => file.close(() => resolve3()));
+      file.on("finish", () => file.close(() => resolve4()));
       file.on("error", (err) => {
         try {
           unlinkSync3(destPath);
@@ -12802,10 +13077,10 @@ function download(url, destPath, timeoutMs) {
 }
 function downloadText(url, timeoutMs) {
   return fetchResponse(url, timeoutMs).then(
-    (res) => new Promise((resolve3, reject) => {
+    (res) => new Promise((resolve4, reject) => {
       const chunks = [];
       res.on("data", (chunk) => chunks.push(chunk));
-      res.on("end", () => resolve3(Buffer.concat(chunks).toString("utf8")));
+      res.on("end", () => resolve4(Buffer.concat(chunks).toString("utf8")));
       res.on("error", reject);
     })
   );
@@ -12834,10 +13109,10 @@ function getBinaryName() {
   return platform() === "win32" ? "okx-pilot.exe" : "okx-pilot";
 }
 function hashFile(filePath) {
-  const buf = readFileSync7(filePath);
+  const buf = readFileSync9(filePath);
   return {
     size: buf.byteLength,
-    sha256: createHash("sha256").update(buf).digest("hex")
+    sha256: createHash3("sha256").update(buf).digest("hex")
   };
 }
 function getPilotStatus(binaryPath, opts) {
@@ -12952,7 +13227,7 @@ async function installPilotBinary(destPath, sources = CDN_SOURCES, onProgress) {
   if (earlyResult) return earlyResult;
   const platformDir = getPlatformDir();
   const binaryName = getBinaryName();
-  const resolvedDest = destPath ?? join10(homedir8(), ".okx", "bin", binaryName);
+  const resolvedDest = destPath ?? join12(homedir8(), ".okx", "bin", binaryName);
   const tmpPath = resolvedDest + ".tmp";
   mkdirSync8(dirname6(resolvedDest), { recursive: true });
   const localHash = existsSync6(resolvedDest) ? hashFile(resolvedDest) : null;
@@ -13004,9 +13279,41 @@ function removePilotBinary(binaryPath) {
   }
 }
 var AUTH_CDN_PATH_PREFIX = "/upgradeapp/tools/oauth";
+var LINUX_ARM64_FALLBACK_DIR = "linux-x64";
 function getAuthBinaryName() {
   return platform2() === "win32" ? "okx-auth.exe" : "okx-auth";
 }
+async function _resolveAuthPlatformFromNative(native, sources, timeoutMs) {
+  if (native !== "linux-arm64") {
+    return native;
+  }
+  const checksumPath = `${AUTH_CDN_PATH_PREFIX}/linux-arm64/checksum.json`;
+  let got404 = false;
+  for (const { host, protocol } of sources) {
+    const url = `${protocol}://${host}${checksumPath}`;
+    try {
+      await downloadText(url, timeoutMs);
+      return "linux-arm64";
+    } catch (err) {
+      if (err instanceof HttpStatusError && err.statusCode === 404) {
+        got404 = true;
+        break;
+      }
+    }
+  }
+  if (got404) {
+    console.warn(
+      "[okx-auth] Native linux-arm64 binary not yet on CDN. Falling back to linux-x64 binary \u2014 x86_64 emulation (binfmt_misc/Rosetta) required."
+    );
+    return LINUX_ARM64_FALLBACK_DIR;
+  }
+  return "linux-arm64";
+}
+async function resolveAuthPlatformDir(sources = CDN_SOURCES, timeoutMs = DOWNLOAD_TIMEOUT_MS) {
+  const native = getPlatformDir();
+  if (!native) return null;
+  return _resolveAuthPlatformFromNative(native, sources, timeoutMs);
+}
 function getAuthStatus(binaryPath, opts) {
   const resolvedPath = binaryPath ?? getAuthBinaryPath();
   const platformDir = getPlatformDir();
@@ -13020,7 +13327,7 @@ function getAuthStatus(binaryPath, opts) {
   return { binaryPath: resolvedPath, exists: true, platform: platformDir, fileSize: size, sha256 };
 }
 async function fetchAuthCdnChecksum(sources = CDN_SOURCES, timeoutMs = DOWNLOAD_TIMEOUT_MS) {
-  const platformDir = getPlatformDir();
+  const platformDir = await resolveAuthPlatformDir(sources, timeoutMs);
   if (!platformDir) return null;
   const checksumPath = `${AUTH_CDN_PATH_PREFIX}/${platformDir}/checksum.json`;
   for (const { host, protocol } of sources) {
@@ -13089,12 +13396,51 @@ function installPreChecks2(destPath, sources) {
 function isLocalUpToDate2(localHash, checksum) {
   return localHash !== null && localHash.size === checksum.size && localHash.sha256 === checksum.sha256;
 }
+async function tryInstallFromOneSource(ctx) {
+  const { host, protocol, platformDir, checksumPath, binaryPath, tmpPath, resolvedDest, localHash, onProgress } = ctx;
+  try {
+    const checksum = await fetchAndValidateChecksum2(
+      host,
+      protocol,
+      checksumPath,
+      platformDir,
+      DOWNLOAD_TIMEOUT_MS,
+      onProgress
+    );
+    if (isLocalUpToDate2(localHash, checksum)) {
+      onProgress?.("Already up to date (checksum match)");
+      return { kind: "done", result: { status: "up-to-date", source: host } };
+    }
+    await downloadAndVerify2(host, protocol, binaryPath, tmpPath, checksum, DOWNLOAD_TIMEOUT_MS, onProgress);
+    atomicReplace2(tmpPath, resolvedDest);
+    onProgress?.(`Downloaded and verified from ${host}`);
+    return { kind: "done", result: { status: "installed", source: host } };
+  } catch (err) {
+    try {
+      unlinkSync5(tmpPath);
+    } catch {
+    }
+    const errObj = err instanceof Error ? err : new Error(String(err));
+    onProgress?.(`${host} failed: ${errObj.message}`);
+    return { kind: "next", err: errObj };
+  }
+}
+function buildInstallFailureResult(errors) {
+  const formatted = errors.map(({ host, err }) => `${host}: ${err.message}`).join("\n");
+  const allHttpErrors = errors.length > 0 && errors.every(({ err }) => err instanceof HttpStatusError);
+  const prefix = allHttpErrors ? "okx-auth binary not available on CDN for this platform" : "All CDN sources failed";
+  return { status: "failed", error: `${prefix}:
+${formatted}` };
+}
 async function installAuthBinary(destPath, sources = CDN_SOURCES, onProgress) {
   const earlyResult = installPreChecks2(destPath, sources);
   if (earlyResult) return earlyResult;
-  const platformDir = getPlatformDir();
+  const platformDir = await resolveAuthPlatformDir(sources);
+  if (!platformDir) {
+    return { status: "failed", error: "Unsupported platform" };
+  }
   const binaryName = getAuthBinaryName();
-  const resolvedDest = destPath ?? join11(homedir9(), ".okx", "bin", binaryName);
+  const resolvedDest = destPath ?? join13(homedir9(), ".okx", "bin", binaryName);
   const tmpPath = resolvedDest + ".tmp";
   mkdirSync9(dirname7(resolvedDest), { recursive: true });
   const localHash = existsSync7(resolvedDest) ? hashFile(resolvedDest) : null;
@@ -13102,35 +13448,21 @@ async function installAuthBinary(destPath, sources = CDN_SOURCES, onProgress) {
   const binaryPath = `${AUTH_CDN_PATH_PREFIX}/${platformDir}/${binaryName}`;
   const errors = [];
   for (const { host, protocol } of sources) {
-    try {
-      const checksum = await fetchAndValidateChecksum2(
-        host,
-        protocol,
-        checksumPath,
-        platformDir,
-        DOWNLOAD_TIMEOUT_MS,
-        onProgress
-      );
-      if (isLocalUpToDate2(localHash, checksum)) {
-        onProgress?.("Already up to date (checksum match)");
-        return { status: "up-to-date", source: host };
-      }
-      await downloadAndVerify2(host, protocol, binaryPath, tmpPath, checksum, DOWNLOAD_TIMEOUT_MS, onProgress);
-      atomicReplace2(tmpPath, resolvedDest);
-      onProgress?.(`Downloaded and verified from ${host}`);
-      return { status: "installed", source: host };
-    } catch (err) {
-      try {
-        unlinkSync5(tmpPath);
-      } catch {
-      }
-      const msg = err instanceof Error ? err.message : String(err);
-      errors.push(`${host}: ${msg}`);
-      onProgress?.(`${host} failed: ${msg}`);
-    }
+    const attempt = await tryInstallFromOneSource({
+      host,
+      protocol,
+      platformDir,
+      checksumPath,
+      binaryPath,
+      tmpPath,
+      resolvedDest,
+      localHash,
+      onProgress
+    });
+    if (attempt.kind === "done") return attempt.result;
+    errors.push({ host, err: attempt.err });
   }
-  return { status: "failed", error: `All CDN sources failed:
-${errors.join("\n")}` };
+  return buildInstallFailureResult(errors);
 }
 function removeAuthBinary(binaryPath) {
   const resolvedPath = binaryPath ?? getAuthBinaryPath();
@@ -13145,12 +13477,12 @@ function removeAuthBinary(binaryPath) {
     throw new Error(`Failed to remove ${resolvedPath}: ${msg}`);
   }
 }
-var CACHE_PATH = join12(homedir10(), ".okx", "auth-binary-check.json");
+var CACHE_PATH = join14(homedir10(), ".okx", "auth-binary-check.json");
 var CHECK_INTERVAL_MS2 = 2 * 60 * 60 * 1e3;
 function readCache3() {
   try {
     if (!existsSync8(CACHE_PATH)) return null;
-    const data = JSON.parse(readFileSync8(CACHE_PATH, "utf-8"));
+    const data = JSON.parse(readFileSync10(CACHE_PATH, "utf-8"));
     if (typeof data.cdnSha256 !== "string" || typeof data.checkedAt !== "number") return null;
     return { cdnSha256: data.cdnSha256, checkedAt: data.checkedAt };
   } catch {
@@ -13159,7 +13491,7 @@ function readCache3() {
 }
 function writeCache3(cdnSha256) {
   try {
-    mkdirSync10(join12(homedir10(), ".okx"), { recursive: true });
+    mkdirSync10(join14(homedir10(), ".okx"), { recursive: true });
     writeFileSync7(CACHE_PATH, JSON.stringify({ cdnSha256, checkedAt: Date.now() }, null, 2), "utf-8");
   } catch {
   }
@@ -13294,7 +13626,7 @@ function markFailedIfSCodeError(data) {
 // src/commands/auth.ts
 function runOkxAuth(args) {
   const binPath = getAuthBinaryPath();
-  return new Promise((resolve3, reject) => {
+  return new Promise((resolve4, reject) => {
     const child = spawn3(binPath, args, {
       stdio: "inherit"
     });
@@ -13302,13 +13634,13 @@ function runOkxAuth(args) {
       reject(new Error(`Failed to spawn okx-auth: ${err.message}`));
     });
     child.on("close", (code) => {
-      resolve3(code ?? 1);
+      resolve4(code ?? 1);
     });
   });
 }
 function runOkxAuthCapture(args) {
   const binPath = getAuthBinaryPath();
-  return new Promise((resolve3, reject) => {
+  return new Promise((resolve4, reject) => {
     const child = spawn3(binPath, args, {
       stdio: ["inherit", "pipe", "inherit"]
     });
@@ -13318,7 +13650,7 @@ function runOkxAuthCapture(args) {
       reject(new Error(`Failed to spawn okx-auth: ${err.message}`));
     });
     child.on("close", (code) => {
-      resolve3({
+      resolve4({
         code: code ?? 1,
         stdout: Buffer.concat(chunks).toString("utf-8")
       });
@@ -13523,14 +13855,14 @@ async function confirmRemoval(force, binaryPath) {
   return true;
 }
 function askConfirmation(prompt2) {
-  return new Promise((resolve3) => {
+  return new Promise((resolve4) => {
     const rl = readline.createInterface({
       input: process.stdin,
       output: process.stdout
     });
     rl.question(prompt2, (answer) => {
       rl.close();
-      resolve3(answer.trim().toLowerCase() === "y");
+      resolve4(answer.trim().toLowerCase() === "y");
     });
   });
 }
@@ -13587,26 +13919,26 @@ var Report = class {
     this.lines.push({ key, value });
   }
   print() {
-    const sep2 = "\u2500".repeat(52);
+    const sep3 = "\u2500".repeat(52);
     outputLine("");
-    outputLine(`  \u2500\u2500 Diagnostic Report (copy & share) ${sep2.slice(35)}`);
+    outputLine(`  \u2500\u2500 Diagnostic Report (copy & share) ${sep3.slice(35)}`);
     for (const { key, value } of this.lines) {
       outputLine(`  ${key.padEnd(14)} ${value}`);
     }
-    outputLine(`  ${sep2}`);
+    outputLine(`  ${sep3}`);
     outputLine("");
   }
   /** Write report to a file path, returns true on success. */
   writeToFile(filePath) {
     try {
-      const sep2 = "\u2500".repeat(52);
+      const sep3 = "\u2500".repeat(52);
       const lines = [
-        `\u2500\u2500 Diagnostic Report (copy & share) ${sep2.slice(35)}`
+        `\u2500\u2500 Diagnostic Report (copy & share) ${sep3.slice(35)}`
       ];
       for (const { key, value } of this.lines) {
         lines.push(`${key.padEnd(14)} ${value}`);
       }
-      lines.push(sep2, "");
+      lines.push(sep3, "");
       fs4.writeFileSync(filePath, lines.join("\n"), "utf8");
       return true;
     } catch (_e) {
@@ -13982,13 +14314,13 @@ async function checkStdioHandshake(entryPath, report) {
       clientInfo: { name: "okx-diagnose", version: "1.0" }
     }
   });
-  return new Promise((resolve3) => {
+  return new Promise((resolve4) => {
     let settled = false;
     const settle = (passed) => {
       if (settled) return;
       settled = true;
       clearTimeout(timer);
-      resolve3(passed);
+      resolve4(passed);
     };
     const child = spawn4(process.execPath, [entryPath], {
       stdio: ["pipe", "pipe", "pipe"],
@@ -14109,7 +14441,7 @@ async function cmdDiagnoseMcp(options = {}) {
 
 // src/commands/diagnose.ts
 var CLI_VERSION = readCliVersion();
-var GIT_HASH = true ? "f632d898" : "dev";
+var GIT_HASH = true ? "e5abc21f" : "dev";
 function maskKey2(key) {
   if (!key) return "(not set)";
   if (key.length <= 8) return "****";
@@ -14126,7 +14458,7 @@ async function checkDns(hostname) {
 }
 async function checkSocket(createFn, successEvent, timeoutMs) {
   const t0 = Date.now();
-  return new Promise((resolve3) => {
+  return new Promise((resolve4) => {
     const socket = createFn();
     const cleanup = () => {
       socket.removeAllListeners();
@@ -14134,15 +14466,15 @@ async function checkSocket(createFn, successEvent, timeoutMs) {
     };
     socket.once(successEvent, () => {
       cleanup();
-      resolve3({ ok: true, ms: Date.now() - t0 });
+      resolve4({ ok: true, ms: Date.now() - t0 });
     });
     socket.once("timeout", () => {
       cleanup();
-      resolve3({ ok: false, ms: Date.now() - t0, error: `timed out after ${timeoutMs}ms` });
+      resolve4({ ok: false, ms: Date.now() - t0, error: `timed out after ${timeoutMs}ms` });
     });
     socket.once("error", (err) => {
       cleanup();
-      resolve3({ ok: false, ms: Date.now() - t0, error: err.message });
+      resolve4({ ok: false, ms: Date.now() - t0, error: err.message });
     });
   });
 }
@@ -14470,23 +14802,23 @@ function suggestSubcommand(action, knownActions, knownPaths = []) {
 
 // src/commands/upgrade.ts
 import { spawnSync as spawnSync2 } from "child_process";
-import { readFileSync as readFileSync9, writeFileSync as writeFileSync8, mkdirSync as mkdirSync11 } from "fs";
-import { dirname as dirname8, join as join13 } from "path";
+import { readFileSync as readFileSync11, writeFileSync as writeFileSync8, mkdirSync as mkdirSync11 } from "fs";
+import { dirname as dirname8, join as join15 } from "path";
 import { homedir as homedir11 } from "os";
 var PACKAGES = ["@okx_ai/okx-trade-mcp", "@okx_ai/okx-trade-cli"];
-var CACHE_FILE2 = join13(homedir11(), ".okx", "last_check");
+var CACHE_FILE2 = join15(homedir11(), ".okx", "last_check");
 var THROTTLE_MS = 12 * 60 * 60 * 1e3;
-var NPM_BIN = join13(dirname8(process.execPath), process.platform === "win32" ? "npm.cmd" : "npm");
+var NPM_BIN = join15(dirname8(process.execPath), process.platform === "win32" ? "npm.cmd" : "npm");
 function readLastCheck() {
   try {
-    return parseInt(readFileSync9(CACHE_FILE2, "utf-8").trim(), 10) || 0;
+    return parseInt(readFileSync11(CACHE_FILE2, "utf-8").trim(), 10) || 0;
   } catch {
     return 0;
   }
 }
 function writeLastCheck() {
   try {
-    mkdirSync11(join13(homedir11(), ".okx"), { recursive: true });
+    mkdirSync11(join15(homedir11(), ".okx"), { recursive: true });
     writeFileSync8(CACHE_FILE2, String(Math.floor(Date.now() / 1e3)), "utf-8");
   } catch {
   }
@@ -18493,7 +18825,7 @@ Config saved to ${p}
   }
 };
 function prompt(rl, question) {
-  return new Promise((resolve3) => rl.question(question, resolve3));
+  return new Promise((resolve4) => rl.question(question, resolve4));
 }
 function cmdConfigShow(json) {
   const config = readFullConfig();
@@ -19916,18 +20248,21 @@ async function cmdDcdQuoteAndBuy(run, opts) {
 
 // src/commands/skill.ts
 import { tmpdir, homedir as homedir13 } from "os";
-import { join as join15, dirname as dirname9 } from "path";
+import { join as join17, dirname as dirname9 } from "path";
 import { mkdirSync as mkdirSync12, rmSync, existsSync as existsSync10, copyFileSync as copyFileSync2 } from "fs";
 import { execFileSync as execFileSync2 } from "child_process";
 import { randomUUID as randomUUID2 } from "crypto";
 function resolveNpx() {
-  const sibling = join15(dirname9(process.execPath), "npx");
+  const sibling = join17(dirname9(process.execPath), "npx");
   if (existsSync10(sibling)) return sibling;
   return "npx";
 }
 function npxEnv() {
   return { ...process.env, NO_COLOR: "1", FORCE_COLOR: "0" };
 }
+function getSkillContentDir(name) {
+  return join17(homedir13(), ".agents", "skills", name);
+}
 var THIRD_PARTY_INSTALL_NOTICE = "Note: This skill was created by a third-party developer, not by OKX. Review SKILL.md before use.";
 async function cmdSkillSearch(run, opts) {
   const args = {};
@@ -19977,16 +20312,56 @@ async function cmdSkillCategories(run, json) {
   }
   outputLine("");
 }
-async function cmdSkillAdd(name, config, json, exec = execFileSync2) {
-  const tmpBase = join15(tmpdir(), `okx-skill-${randomUUID2()}`);
+async function wrapVerify(fn) {
+  try {
+    return await fn();
+  } catch (e) {
+    if (e instanceof ConfigError) {
+      throw new Error(
+        `Signature verification requires authentication \u2014 run \`okx auth login\` first, or use --force to bypass.`
+      );
+    }
+    throw e;
+  }
+}
+async function cmdSkillAdd(name, config, json, force = false, exec = execFileSync2, _deps) {
+  const _download = _deps?.download ?? downloadSkillZip;
+  const _extract = _deps?.extract ?? extractSkillZip;
+  const tmpBase = join17(tmpdir(), `okx-skill-${randomUUID2()}`);
   mkdirSync12(tmpBase, { recursive: true });
   try {
     outputLine(`Downloading ${name}...`);
     const client = new OkxRestClient(config);
-    const zipPath = await downloadSkillZip(client, name, tmpBase);
-    const contentDir = await extractSkillZip(zipPath, join15(tmpBase, "content"));
+    const zipPath = await _download(client, name, tmpBase);
+    const contentDir = await _extract(zipPath, join17(tmpBase, "content"));
     const meta = readMetaJson(contentDir);
     validateSkillMdExists(contentDir);
+    outputLine("Verifying signature...");
+    const verifyResult = await wrapVerify(
+      () => verifySkillSignature(contentDir, meta.signing, {
+        fetchPublicKey: (keyId) => getPublicKey(client, keyId),
+        serverSideVerify: (sName, version, files) => serverSideVerify(client, sName, version, files),
+        skillName: meta.name,
+        skillVersion: meta.version
+      })
+    );
+    if (verifyResult.status === "failed") {
+      if (!force) {
+        throw new Error(`Signature verification failed: ${verifyResult.error ?? "unknown error"}. Use --force to install anyway.`);
+      }
+      process.stderr.write(`WARNING: Signature verification failed \u2014 ${verifyResult.error ?? "unknown"}. Installing anyway (--force).
+`);
+    } else if (verifyResult.status === "verified_by_server") {
+      if (!json) {
+        outputLine(`  Verified by server (v${verifyResult.serverVersion ?? "?"})`);
+        if (verifyResult.error) outputLine(`  Note: ${verifyResult.error}`);
+      }
+    } else if (!json) {
+      outputLine(`  Signature verified (key: ${verifyResult.publicKeyId}, files: ${verifyResult.filesChecked})`);
+      if (verifyResult.extraFiles?.length) {
+        outputLine(`  Note: ${verifyResult.extraFiles.length} extra unsigned file(s) present`);
+      }
+    }
     outputLine("Installing to detected agents...");
     try {
       exec(resolveNpx(), ["skills", "add", contentDir, "-y", "-g"], {
@@ -19995,7 +20370,7 @@ async function cmdSkillAdd(name, config, json, exec = execFileSync2) {
         env: npxEnv()
       });
     } catch (e) {
-      const savedZip = join15(process.cwd(), `${name}.zip`);
+      const savedZip = join17(process.cwd(), `${name}.zip`);
       try {
         copyFileSync2(zipPath, savedZip);
       } catch {
@@ -20004,7 +20379,8 @@ async function cmdSkillAdd(name, config, json, exec = execFileSync2) {
       errorLine(`You can manually install from: ${savedZip}`);
       throw e;
     }
-    upsertSkillRecord(meta);
+    const registryStatus = verifyResult.status === "failed" && force ? "bypassed" : verifyResult.status;
+    upsertSkillRecord(meta, void 0, registryStatus);
     printSkillInstallResult(meta, json);
   } finally {
     rmSync(tmpBase, { recursive: true, force: true });
@@ -20035,7 +20411,7 @@ function cmdSkillRemove(name, json, exec = execFileSync2) {
       env: npxEnv()
     });
   } catch {
-    const agentsPath = join15(homedir13(), ".agents", "skills", name);
+    const agentsPath = getSkillContentDir(name);
     try {
       rmSync(agentsPath, { recursive: true, force: true });
     } catch {
@@ -20099,6 +20475,59 @@ function cmdSkillList(json) {
   outputLine("");
   outputLine(`${skills.length} skills installed.`);
 }
+async function cmdSkillVerify(name, config, json) {
+  const record = getSkillRecord(name);
+  if (!record) {
+    errorLine(`Skill "${name}" is not installed.`);
+    process.exitCode = 1;
+    return;
+  }
+  const contentDir = getSkillContentDir(name);
+  if (!existsSync10(contentDir)) {
+    errorLine(`Skill content directory not found: ${contentDir}`);
+    errorLine(`Try reinstalling with: okx skill add ${name}`);
+    process.exitCode = 1;
+    return;
+  }
+  const meta = tryReadMetaJson(contentDir);
+  const client = new OkxRestClient(config);
+  let result;
+  try {
+    result = await wrapVerify(
+      () => verifySkillSignature(contentDir, meta?.signing, {
+        fetchPublicKey: (keyId) => getPublicKey(client, keyId),
+        serverSideVerify: (sName, version, files) => serverSideVerify(client, sName, version, files),
+        skillName: name,
+        skillVersion: meta?.version
+      })
+    );
+  } catch (e) {
+    errorLine(e instanceof Error ? e.message : String(e));
+    process.exitCode = 1;
+    return;
+  }
+  if (meta) {
+    upsertSkillRecord(meta, void 0, result.status);
+  }
+  if (result.status === "failed") {
+    process.exitCode = 1;
+  }
+  if (json) {
+    outputLine(JSON.stringify(result, null, 2));
+    return;
+  }
+  if (result.status === "verified") {
+    outputLine(`\u2713 ${name}: signature verified (key: ${result.publicKeyId}, files: ${result.filesChecked})`);
+    if (result.extraFiles?.length) {
+      outputLine(`  Note: ${result.extraFiles.length} extra unsigned file(s) present`);
+    }
+  } else if (result.status === "verified_by_server") {
+    outputLine(`\u2713 ${name}: verified by server (v${result.serverVersion ?? "?"})`);
+    if (result.error) outputLine(`  Note: ${result.error}`);
+  } else if (result.status === "failed") {
+    errorLine(`\u2717 ${name}: verification failed \u2014 ${result.error ?? "unknown"}`);
+  }
+}
 function printSkillInstallResult(meta, json) {
   if (json) {
     outputLine(JSON.stringify({ name: meta.name, version: meta.version, status: "installed" }, null, 2));
@@ -20249,14 +20678,14 @@ function formatBytes2(bytes) {
   return `${(bytes / (1024 * 1024)).toFixed(2)} MB`;
 }
 function askConfirmation2(prompt2) {
-  return new Promise((resolve3) => {
+  return new Promise((resolve4) => {
     const rl = readline2.createInterface({
       input: process.stdin,
       output: process.stdout
     });
     rl.question(prompt2, (answer) => {
       rl.close();
-      resolve3(answer.trim().toLowerCase() === "y");
+      resolve4(answer.trim().toLowerCase() === "y");
     });
   });
 }
@@ -20719,7 +21148,7 @@ async function cmdEventCancel(run, opts) {
 // src/index.ts
 var _require3 = createRequire3(import.meta.url);
 var CLI_VERSION2 = _require3("../package.json").version;
-var GIT_HASH2 = true ? "f632d898" : "dev";
+var GIT_HASH2 = true ? "e5abc21f" : "dev";
 function handlePilotCommand(action, json, force, binaryPath) {
   if (action === "status") return cmdPilotStatus(json, binaryPath);
   if (action === "install") return cmdPilotInstall(json, binaryPath);
@@ -22031,9 +22460,13 @@ function requireSkillName(rest, usage) {
   }
   return name;
 }
-function handleSkillAdd(rest, config, json) {
+function handleSkillAdd(rest, v, config, json) {
   const n = requireSkillName(rest, "Usage: okx skill add <name>");
-  if (n) return cmdSkillAdd(n, config, json);
+  if (n) return cmdSkillAdd(n, config, json, v.force ?? false);
+}
+function handleSkillVerify(rest, config, json) {
+  const n = requireSkillName(rest, "Usage: okx skill verify <name>");
+  if (n) return cmdSkillVerify(n, config, json);
 }
 function handleSkillDownload(rest, v, config, json) {
   const n = requireSkillName(rest, "Usage: okx skill download <name> [--dir <path>] [--format zip|skill]");
@@ -22052,12 +22485,13 @@ function handleSkillCommand(run, action, rest, v, json, config) {
   if (action === "search") return cmdSkillSearch(run, { keyword: rest[0] ?? v.keyword, categories: v.categories, page: v.page, limit: v.limit, json });
   if (action === "categories") return cmdSkillCategories(run, json);
   if (action === "list") return cmdSkillList(json);
-  if (action === "add") return handleSkillAdd(rest, config, json);
+  if (action === "add") return handleSkillAdd(rest, v, config, json);
   if (action === "download") return handleSkillDownload(rest, v, config, json);
   if (action === "remove") return handleSkillRemove(rest, json);
   if (action === "check") return handleSkillCheck(run, rest, json);
+  if (action === "verify") return handleSkillVerify(rest, config, json);
   errorLine(`Unknown skill command: ${action}`);
-  errorLine("Valid: search, categories, add, download, remove, check, list");
+  errorLine("Valid: search, categories, add, download, remove, check, list, verify");
   process.exitCode = 1;
 }
 function handleEventCommand(run, action, rest, v, json) {