npm - @okx_ai/okx-trade-cli - Versions diffs - 1.3.6-beta.3 → 1.3.7 - Mend

@okx_ai/okx-trade-cli 1.3.6-beta.3 → 1.3.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/LICENSE +21 -0
package/dist/index.js +578 -338
package/dist/index.js.map +1 -1
package/package.json +10 -10
package/scripts/postinstall-download.js +152 -0

package/dist/index.js CHANGED Viewed

@@ -34,16 +34,22 @@ import os from "os";
 import { writeFileSync as writeFileSync2, renameSync as renameSync2, unlinkSync as unlinkSync2, mkdirSync as mkdirSync2 } from "fs";
 import { join as join4, resolve, basename, sep } from "path";
 import { randomUUID } from "crypto";
+import { createHash } from "crypto";
+import { readFileSync as readFileSync2, readdirSync, statSync } from "fs";
+import { join as join5 } from "path";
+import { createHash as createHash2, createPublicKey, verify as cryptoVerify } from "crypto";
+import { readFileSync as readFileSync3 } from "fs";
+import { join as join6, resolve as resolve2, sep as sep2 } from "path";
 import yauzl from "yauzl";
 import { createWriteStream, mkdirSync as mkdirSync3 } from "fs";
-import { resolve as resolve2, dirname as dirname2 } from "path";
-import { readFileSync as readFileSync2, existsSync } from "fs";
-import { join as join5 } from "path";
-import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, mkdirSync as mkdirSync4, existsSync as existsSync2 } from "fs";
-import { join as join6, dirname as dirname3 } from "path";
+import { resolve as resolve3, dirname as dirname2 } from "path";
+import { readFileSync as readFileSync4, existsSync } from "fs";
+import { join as join7 } from "path";
+import { readFileSync as readFileSync5, writeFileSync as writeFileSync3, mkdirSync as mkdirSync4, existsSync as existsSync2 } from "fs";
+import { join as join8, dirname as dirname3 } from "path";
 import { homedir as homedir4 } from "os";
-import { readFileSync as readFileSync4, writeFileSync as writeFileSync4, mkdirSync as mkdirSync5, existsSync as existsSync3 } from "fs";
-import { join as join7, dirname as dirname4 } from "path";
+import { readFileSync as readFileSync6, writeFileSync as writeFileSync4, mkdirSync as mkdirSync5, existsSync as existsSync3 } from "fs";
+import { join as join9, dirname as dirname4 } from "path";
 import { homedir as homedir5 } from "os";
 // ../../node_modules/.pnpm/smol-toml@1.6.0/node_modules/smol-toml/dist/error.js
@@ -121,7 +127,7 @@ function skipVoid(str, ptr, banNewLines, banComments) {
     ptr++;
   return banComments || c !== "#" ? ptr : skipVoid(str, skipComment(str, ptr), banNewLines);
 }
-function skipUntil(str, ptr, sep2, end, banNewLines = false) {
+function skipUntil(str, ptr, sep3, end, banNewLines = false) {
   if (!end) {
     ptr = indexOfNewline(str, ptr);
     return ptr < 0 ? str.length : ptr;
@@ -130,7 +136,7 @@ function skipUntil(str, ptr, sep2, end, banNewLines = false) {
     let c = str[i];
     if (c === "#") {
       i = indexOfNewline(str, i);
-    } else if (c === sep2) {
+    } else if (c === sep3) {
       return i + 1;
     } else if (c === end || banNewLines && (c === "\n" || c === "\r" && str[i + 1] === "\n")) {
       return i;
@@ -873,8 +879,8 @@ function stringify(obj, { maxDepth = 1e3, numbersAsFloat = false } = {}) {
 }
 // ../core/dist/index.js
-import { readFileSync as readFileSync5, writeFileSync as writeFileSync5, mkdirSync as mkdirSync6, existsSync as existsSync4 } from "fs";
-import { join as join8 } from "path";
+import { readFileSync as readFileSync7, writeFileSync as writeFileSync5, mkdirSync as mkdirSync6, existsSync as existsSync4 } from "fs";
+import { join as join10 } from "path";
 import { homedir as homedir6 } from "os";
 import fs2 from "fs";
 import path2 from "path";
@@ -891,25 +897,37 @@ import {
   renameSync as renameSync4
 } from "fs";
 import { homedir as homedir9, platform as platform2 } from "os";
-import { join as join11, dirname as dirname7 } from "path";
+import { join as join13, dirname as dirname7 } from "path";
 import { createWriteStream as createWriteStream2, unlinkSync as unlinkSync3 } from "fs";
 import { get as httpsGet } from "https";
 import { get as httpGet } from "http";
 import {
-  readFileSync as readFileSync7,
+  readFileSync as readFileSync9,
   mkdirSync as mkdirSync8,
   chmodSync,
   existsSync as existsSync6,
   unlinkSync as unlinkSync4,
   renameSync as renameSync3
 } from "fs";
-import { createHash } from "crypto";
+import { createHash as createHash3 } from "crypto";
 import { homedir as homedir8, platform, arch } from "os";
-import { join as join10, dirname as dirname6 } from "path";
-import { readFileSync as readFileSync8, writeFileSync as writeFileSync7, mkdirSync as mkdirSync10, unlinkSync as unlinkSync6, existsSync as existsSync8 } from "fs";
-import { join as join12 } from "path";
+import { join as join12, dirname as dirname6 } from "path";
+import { readFileSync as readFileSync10, writeFileSync as writeFileSync7, mkdirSync as mkdirSync10, unlinkSync as unlinkSync6, existsSync as existsSync8 } from "fs";
+import { join as join14 } from "path";
 import { homedir as homedir10 } from "os";
-setGlobalDispatcher(new EnvHttpProxyAgent());
+function hasProxyEnv(env = process.env) {
+  return Boolean(
+    env.HTTPS_PROXY || env.https_proxy || env.HTTP_PROXY || env.http_proxy
+  );
+}
+function installEnvProxyDispatcher(deps = {}) {
+  const env = deps.env ?? process.env;
+  if (!hasProxyEnv(env)) return false;
+  const register = deps.register ?? (() => setGlobalDispatcher(new EnvHttpProxyAgent()));
+  register();
+  return true;
+}
+installEnvProxyDispatcher();
 var EXEC_TIMEOUT_MS = 3e4;
 var ALLOWED_DOMAIN_RE = /^[\w.-]+\.okx\.com$/;
 var PILOT_BIN_DIR = join(homedir(), ".okx", "bin");
@@ -932,25 +950,25 @@ function execPilotBinary(domain, exclude = [], userAgent) {
   if (userAgent) {
     args.push("--user-agent", userAgent);
   }
-  return new Promise((resolve3) => {
+  return new Promise((resolve4) => {
     execFile(
       binPath,
       args,
       { timeout: EXEC_TIMEOUT_MS, encoding: "utf-8" },
       (error, stdout) => {
         if (error) {
-          resolve3(null);
+          resolve4(null);
           return;
         }
         try {
           const result = JSON.parse(stdout);
           if (result.code === 0 && result.data) {
-            resolve3(result.data);
+            resolve4(result.data);
           } else {
-            resolve3(null);
+            resolve4(null);
           }
         } catch {
-          resolve3(null);
+          resolve4(null);
         }
       }
     );
@@ -1284,7 +1302,7 @@ var EXIT_CODES = {
   NOT_LOGGED_IN: 2,
   REFRESH_FAILED: 3
 };
-function finalizeToken(code, token, resolve3, reject) {
+function finalizeToken(code, token, resolve4, reject) {
   if (code === EXIT_CODES.SUCCESS) {
     if (!token) {
       reject(new AuthenticationError(
@@ -1293,7 +1311,7 @@ function finalizeToken(code, token, resolve3, reject) {
       ));
       return;
     }
-    resolve3(token);
+    resolve4(token);
     return;
   }
   if (code === EXIT_CODES.NOT_LOGGED_IN) {
@@ -1330,7 +1348,7 @@ function defaultWindowsPipeName() {
   return WIN_PIPE_PREFIX + randomBytes(32).toString("hex");
 }
 function execAuthTokenWindows(binPath, makePipeName = defaultWindowsPipeName) {
-  return new Promise((resolve3, reject) => {
+  return new Promise((resolve4, reject) => {
     const pipeName = makePipeName();
     const server = createServer();
     const chunks = [];
@@ -1350,7 +1368,7 @@ function execAuthTokenWindows(binPath, makePipeName = defaultWindowsPipeName) {
     const tryFinalize = () => {
       if (!pipeClosed || exitCode === void 0) return;
       const token = Buffer.concat(chunks).toString("utf-8").trim();
-      settle(() => finalizeToken(exitCode, token, resolve3, reject));
+      settle(() => finalizeToken(exitCode, token, resolve4, reject));
     };
     server.on("connection", (socket) => {
       connectionMade = true;
@@ -1397,7 +1415,7 @@ function execAuthToken() {
   return process.platform === "win32" ? execAuthTokenWindows(binPath) : execAuthTokenUnix(binPath);
 }
 function execAuthTokenUnix(binPath) {
-  return new Promise((resolve3, reject) => {
+  return new Promise((resolve4, reject) => {
     const child = spawn2(binPath, ["token"], {
       stdio: ["ignore", "ignore", "inherit", "pipe"]
       //       stdin    stdout    stderr     fd3 (pipe)
@@ -1410,35 +1428,35 @@ function execAuthTokenUnix(binPath) {
     });
     child.on("close", (code) => {
       const token = Buffer.concat(chunks).toString("utf-8").trim();
-      finalizeToken(code, token, resolve3, reject);
+      finalizeToken(code, token, resolve4, reject);
     });
   });
 }
 function execAuthStatus() {
   const binPath = getAuthBinaryPath();
-  return new Promise((resolve3) => {
+  return new Promise((resolve4) => {
     execFile2(
       binPath,
       ["status", "--json"],
       { timeout: EXEC_TIMEOUT_MS2, encoding: "utf-8" },
       (error, stdout) => {
         if (error) {
-          resolve3(null);
+          resolve4(null);
           return;
         }
         try {
           const result = JSON.parse(stdout);
-          resolve3(result);
+          resolve4(result);
         } catch {
-          resolve3(null);
+          resolve4(null);
         }
       }
     );
   });
 }
 function sleep(ms) {
-  return new Promise((resolve3) => {
-    setTimeout(resolve3, ms);
+  return new Promise((resolve4) => {
+    setTimeout(resolve4, ms);
   });
 }
 var RateLimiter = class {
@@ -4264,6 +4282,223 @@ async function downloadSkillZip(client, name, targetDir, format = "zip") {
   const filePath = safeWriteFile(targetDir, fileName, result.data);
   return filePath;
 }
+function listFilesRecursive(dir, base = "") {
+  const results = [];
+  for (const entry of readdirSync(dir)) {
+    const fullPath = join5(dir, entry);
+    const relPath = base ? `${base}/${entry}` : entry;
+    if (statSync(fullPath).isDirectory()) {
+      results.push(...listFilesRecursive(fullPath, relPath));
+    } else {
+      results.push(relPath);
+    }
+  }
+  return results;
+}
+function computeFileHashes(contentDir) {
+  const hashes = {};
+  for (const relPath of listFilesRecursive(contentDir)) {
+    if (relPath === "_meta.json") continue;
+    const bytes = readFileSync2(join5(contentDir, relPath));
+    hashes[relPath] = "sha256:" + createHash("sha256").update(bytes).digest("hex");
+  }
+  return hashes;
+}
+async function getPublicKey(client, keyId) {
+  try {
+    const query = {};
+    if (keyId !== void 0) query.keyId = keyId;
+    const result = await client.privateGet(
+      "/api/v5/skill/signing-key",
+      query
+    );
+    if (!result.data || result.data.status !== "active") return null;
+    return result.data.publicKey;
+  } catch (e) {
+    if (e instanceof ConfigError) throw e;
+    return null;
+  }
+}
+var ED25519_SPKI_HEADER = Buffer.from("302a300506032b6570032100", "hex");
+function parseSSHPublicKey(base64) {
+  try {
+    const buf = Buffer.from(base64, "base64");
+    let offset = 0;
+    if (buf.length < 4) return null;
+    const algLen = buf.readUInt32BE(offset);
+    offset += 4;
+    if (offset + algLen + 4 > buf.length) return null;
+    if (buf.subarray(offset, offset + algLen).toString("ascii") !== "ssh-ed25519") return null;
+    offset += algLen;
+    const keyLen = buf.readUInt32BE(offset);
+    offset += 4;
+    if (keyLen !== 32 || offset + keyLen > buf.length) return null;
+    return buf.subarray(offset, offset + keyLen);
+  } catch {
+    return null;
+  }
+}
+async function verifySkillSignature(contentDir, signing, opts) {
+  if (!signing) {
+    const fallback = await tryServerFallback(contentDir, opts);
+    if (fallback?.status === "verified_by_server") return fallback;
+    return {
+      status: "failed",
+      error: fallback?.error ?? "Skill is not signed",
+      ...fallback?.mismatched?.length && { mismatched: fallback.mismatched }
+    };
+  }
+  const publicKeyBase64 = opts?.fetchPublicKey ? await opts.fetchPublicKey(signing.public_key_id) ?? "" : "";
+  if (!publicKeyBase64) {
+    return localFail(
+      contentDir,
+      opts,
+      `Unknown signing key: ${signing.public_key_id}. Please update CLI.`,
+      "Unknown signing key \u2014 consider updating CLI"
+    );
+  }
+  const rawKey = parseSSHPublicKey(publicKeyBase64);
+  if (!rawKey) {
+    return localFail(
+      contentDir,
+      opts,
+      `Malformed public key for key ID: ${signing.public_key_id}`,
+      "Malformed public key from server \u2014 consider updating CLI",
+      signing.public_key_id
+    );
+  }
+  if (!ed25519Verify(signing, rawKey)) {
+    return localFail(
+      contentDir,
+      opts,
+      "Invalid signature",
+      "Signature mismatch \u2014 key may be outdated or file was modified",
+      signing.public_key_id
+    );
+  }
+  const bindingError = checkNameVersionBinding(signing, opts);
+  if (bindingError) {
+    return { status: "failed", error: bindingError, publicKeyId: signing.public_key_id };
+  }
+  const integrityFailure = await checkFileIntegrity(signing, contentDir, opts);
+  if (integrityFailure) return integrityFailure;
+  const signedFiles = new Set(Object.keys(signing.files));
+  const extraFiles = listFilesRecursive(contentDir).filter(
+    (f) => f !== "_meta.json" && !signedFiles.has(f)
+  );
+  return { status: "verified", publicKeyId: signing.public_key_id, filesChecked: signedFiles.size, extraFiles };
+}
+async function localFail(contentDir, opts, localError, serverHint, keyId) {
+  const fallback = await tryServerFallback(contentDir, opts);
+  if (fallback?.status === "verified_by_server") {
+    return { ...fallback, error: serverHint };
+  }
+  return {
+    status: "failed",
+    error: localError,
+    ...keyId && { publicKeyId: keyId },
+    ...fallback?.mismatched?.length && { mismatched: fallback.mismatched }
+  };
+}
+function ed25519Verify(signing, rawKey) {
+  const payloadObj = { files: signing.files, public_key_id: signing.public_key_id };
+  if (signing.name !== void 0) payloadObj.name = signing.name;
+  if (signing.version !== void 0) payloadObj.version = signing.version;
+  const message = Buffer.from(canonicalize(payloadObj), "utf-8");
+  const sig = Buffer.from(signing.signature, "base64");
+  const spkiKey = Buffer.concat([ED25519_SPKI_HEADER, rawKey]);
+  const keyObj = createPublicKey({ key: spkiKey, format: "der", type: "spki" });
+  return cryptoVerify(null, message, keyObj, sig);
+}
+function checkNameVersionBinding(signing, opts) {
+  if (signing.name !== void 0 && opts?.skillName !== void 0 && signing.name !== opts.skillName) {
+    return `Skill name mismatch: signature binds "${signing.name}" but installing as "${opts.skillName}"`;
+  }
+  if (signing.version !== void 0 && opts?.skillVersion !== void 0 && signing.version !== opts.skillVersion) {
+    return `Skill version mismatch: signature binds "${signing.version}" but package declares "${opts.skillVersion}"`;
+  }
+  return null;
+}
+async function checkFileIntegrity(signing, contentDir, opts) {
+  const resolvedContentDir = resolve2(contentDir);
+  for (const [filename, expectedHash] of Object.entries(signing.files)) {
+    const resolvedPath = resolve2(join6(contentDir, filename));
+    if (!resolvedPath.startsWith(resolvedContentDir + sep2)) {
+      return { status: "failed", error: `Path traversal detected in signing manifest: ${filename}`, publicKeyId: signing.public_key_id };
+    }
+    let bytes;
+    try {
+      bytes = readFileSync3(resolvedPath);
+    } catch {
+      return { status: "failed", error: `File missing: ${filename}`, publicKeyId: signing.public_key_id };
+    }
+    const actual = "sha256:" + createHash2("sha256").update(bytes).digest("hex");
+    if (actual !== expectedHash) {
+      return localFail(
+        contentDir,
+        opts,
+        `File integrity check failed: ${filename}`,
+        "_meta.json may be corrupted",
+        signing.public_key_id
+      );
+    }
+  }
+  return null;
+}
+async function tryServerFallback(contentDir, opts) {
+  if (!opts?.serverSideVerify || !opts.skillName) return null;
+  const fileHashes = computeFileHashes(contentDir);
+  const result = await opts.serverSideVerify(
+    opts.skillName,
+    opts.skillVersion,
+    fileHashes
+  );
+  if (!result) return null;
+  if (result.verified) {
+    return {
+      status: "verified_by_server",
+      filesChecked: Object.keys(fileHashes).length,
+      serverVersion: result.version
+    };
+  }
+  return {
+    status: "failed",
+    filesChecked: Object.keys(fileHashes).length,
+    mismatched: result.mismatched,
+    ...result.message && { error: result.message }
+  };
+}
+function canonicalize(obj) {
+  return JSON.stringify(deepSortKeys(obj));
+}
+function compareKeys(a, b) {
+  if (a < b) return -1;
+  if (a > b) return 1;
+  return 0;
+}
+function deepSortKeys(val) {
+  if (val === null || typeof val !== "object") return val;
+  if (Array.isArray(val)) return val.map(deepSortKeys);
+  const sorted = {};
+  for (const key of Object.keys(val).sort(compareKeys)) {
+    sorted[key] = deepSortKeys(val[key]);
+  }
+  return sorted;
+}
+async function serverSideVerify(client, skillName, version, files) {
+  try {
+    const body = { skillName, files };
+    if (version !== void 0) body.version = version;
+    const result = await client.privatePost(
+      "/api/v5/skill/verify",
+      body
+    );
+    return result.data;
+  } catch (e) {
+    if (e instanceof ConfigError) throw e;
+    return null;
+  }
+}
 var DEFAULT_MAX_TOTAL_BYTES = 100 * 1024 * 1024;
 var DEFAULT_MAX_FILES = 1e3;
 var DEFAULT_MAX_COMPRESSION_RATIO = 100;
@@ -4302,7 +4537,7 @@ async function extractSkillZip(zipPath, targetDir, limits) {
   const maxTotalBytes = limits?.maxTotalBytes ?? DEFAULT_MAX_TOTAL_BYTES;
   const maxFiles = limits?.maxFiles ?? DEFAULT_MAX_FILES;
   const maxCompressionRatio = limits?.maxCompressionRatio ?? DEFAULT_MAX_COMPRESSION_RATIO;
-  const resolvedTarget = resolve2(targetDir);
+  const resolvedTarget = resolve3(targetDir);
   mkdirSync3(resolvedTarget, { recursive: true });
   return new Promise((resolvePromise, reject) => {
     yauzl.open(zipPath, { lazyEntries: true }, (err, zipfile) => {
@@ -4342,11 +4577,11 @@ async function extractSkillZip(zipPath, targetDir, limits) {
   });
 }
 function readMetaJson(contentDir) {
-  const metaPath = join5(contentDir, "_meta.json");
+  const metaPath = join7(contentDir, "_meta.json");
   if (!existsSync(metaPath)) {
     throw new Error(`_meta.json not found in ${contentDir}. Invalid skill package.`);
   }
-  const raw = readFileSync2(metaPath, "utf-8");
+  const raw = readFileSync4(metaPath, "utf-8");
   let parsed;
   try {
     parsed = JSON.parse(raw);
@@ -4364,22 +4599,49 @@ function readMetaJson(contentDir) {
     name: String(meta.name),
     version: String(meta.version),
     title: typeof meta.title === "string" ? meta.title : "",
-    description: typeof meta.description === "string" ? meta.description : ""
+    description: typeof meta.description === "string" ? meta.description : "",
+    signing: parseSigningBlock(meta.signing)
+  };
+}
+function tryReadMetaJson(contentDir) {
+  try {
+    return readMetaJson(contentDir);
+  } catch {
+    return null;
+  }
+}
+function parseSigningBlock(raw) {
+  if (!raw || typeof raw !== "object") return void 0;
+  const s = raw;
+  if (typeof s.signature !== "string" || typeof s.public_key_id !== "string" || !s.files) {
+    return void 0;
+  }
+  const rawFiles = s.files;
+  const files = {};
+  for (const [key, value] of Object.entries(rawFiles)) {
+    if (typeof value === "string") files[key] = value;
+  }
+  return {
+    signature: s.signature,
+    public_key_id: s.public_key_id,
+    files,
+    ...typeof s.name === "string" && { name: s.name },
+    ...typeof s.version === "string" && { version: s.version }
   };
 }
 function validateSkillMdExists(contentDir) {
-  const skillMdPath = join5(contentDir, "SKILL.md");
+  const skillMdPath = join7(contentDir, "SKILL.md");
   if (!existsSync(skillMdPath)) {
     throw new Error(`SKILL.md not found in ${contentDir}. Invalid skill package.`);
   }
 }
-var DEFAULT_REGISTRY_PATH = join6(homedir4(), ".okx", "skills", "registry.json");
+var DEFAULT_REGISTRY_PATH = join8(homedir4(), ".okx", "skills", "registry.json");
 function readRegistry(registryPath = DEFAULT_REGISTRY_PATH) {
   if (!existsSync2(registryPath)) {
     return { version: 1, skills: {} };
   }
   try {
-    const raw = readFileSync3(registryPath, "utf-8");
+    const raw = readFileSync5(registryPath, "utf-8");
     return JSON.parse(raw);
   } catch {
     return { version: 1, skills: {} };
@@ -4389,7 +4651,7 @@ function writeRegistry(registry, registryPath = DEFAULT_REGISTRY_PATH) {
   mkdirSync4(dirname3(registryPath), { recursive: true });
   writeFileSync3(registryPath, JSON.stringify(registry, null, 2) + "\n", "utf-8");
 }
-function upsertSkillRecord(meta, registryPath = DEFAULT_REGISTRY_PATH) {
+function upsertSkillRecord(meta, registryPath = DEFAULT_REGISTRY_PATH, verification) {
   const registry = readRegistry(registryPath);
   const now = (/* @__PURE__ */ new Date()).toISOString();
   const existing = registry.skills[meta.name];
@@ -4399,7 +4661,8 @@ function upsertSkillRecord(meta, registryPath = DEFAULT_REGISTRY_PATH) {
     description: meta.description,
     installedAt: existing?.installedAt ?? now,
     updatedAt: now,
-    source: "marketplace"
+    source: "marketplace",
+    ...verification !== void 0 && { verification }
   };
   writeRegistry(registry, registryPath);
 }
@@ -12195,12 +12458,12 @@ function createToolRunner(client, config) {
   };
 }
 function configFilePath() {
-  return join7(homedir5(), ".okx", "config.toml");
+  return join9(homedir5(), ".okx", "config.toml");
 }
 function readFullConfig() {
   const path42 = configFilePath();
   if (!existsSync3(path42)) return { profiles: {} };
-  const raw = readFileSync4(path42, "utf-8");
+  const raw = readFileSync6(path42, "utf-8");
   try {
     return parse(raw);
   } catch (err) {
@@ -12350,7 +12613,7 @@ async function loadConfig(cli) {
     verbose: cli.verbose ?? false
   };
 }
-var CACHE_FILE = join8(homedir6(), ".okx", "update-check.json");
+var CACHE_FILE = join10(homedir6(), ".okx", "update-check.json");
 var CHECK_INTERVAL_MS = 24 * 60 * 60 * 1e3;
 var NEGATIVE_CHECK_INTERVAL_MS = 60 * 60 * 1e3;
 var DEFAULT_REGISTRY = "https://registry.npmjs.org/";
@@ -12358,7 +12621,7 @@ var FETCH_TIMEOUT_MS = 3e3;
 function readCache2() {
   try {
     if (existsSync4(CACHE_FILE)) {
-      return JSON.parse(readFileSync5(CACHE_FILE, "utf-8"));
+      return JSON.parse(readFileSync7(CACHE_FILE, "utf-8"));
     }
   } catch {
   }
@@ -12366,7 +12629,7 @@ function readCache2() {
 }
 function writeCache2(cache) {
   try {
-    mkdirSync6(join8(homedir6(), ".okx"), { recursive: true });
+    mkdirSync6(join10(homedir6(), ".okx"), { recursive: true });
     writeFileSync5(CACHE_FILE, JSON.stringify(cache, null, 2), "utf-8");
   } catch {
   }
@@ -12396,13 +12659,13 @@ function buildNpmrcCandidates() {
   let dir = process.cwd();
   const root = dir.startsWith("/") ? "/" : dir.slice(0, 3);
   while (true) {
-    add(join8(dir, ".npmrc"));
+    add(join10(dir, ".npmrc"));
     if (dir === root) break;
-    const parent = join8(dir, "..");
+    const parent = join10(dir, "..");
     if (parent === dir) break;
     dir = parent;
   }
-  add(join8(homedir6(), ".npmrc"));
+  add(join10(homedir6(), ".npmrc"));
   if (process.platform !== "win32") {
     add("/etc/npmrc");
   }
@@ -12411,7 +12674,7 @@ function buildNpmrcCandidates() {
 function readNpmrcRegistry(filePath) {
   try {
     if (!existsSync4(filePath)) return null;
-    const lines = readFileSync5(filePath, "utf-8").split(/\r?\n/);
+    const lines = readFileSync7(filePath, "utf-8").split(/\r?\n/);
     for (const line of lines) {
       const trimmed = line.trim();
       if (trimmed.startsWith("#") || !trimmed.includes("=")) continue;
@@ -12738,6 +13001,14 @@ function runSetup(options) {
 `);
   }
 }
+var HttpStatusError = class extends Error {
+  statusCode;
+  constructor(statusCode) {
+    super(`HTTP ${statusCode}`);
+    this.name = "HttpStatusError";
+    this.statusCode = statusCode;
+  }
+};
 function isRedirect(statusCode) {
   return statusCode !== void 0 && statusCode >= 300 && statusCode < 400;
 }
@@ -12752,7 +13023,7 @@ function validateRedirect(res, requestUrl, redirectCount, maxRedirects) {
   return location;
 }
 function fetchResponse(url, timeoutMs) {
-  return new Promise((resolve3, reject) => {
+  return new Promise((resolve4, reject) => {
     let redirects = 0;
     const maxRedirects = 5;
     function doRequest(requestUrl) {
@@ -12770,10 +13041,14 @@ function fetchResponse(url, timeoutMs) {
           return;
         }
         if (res.statusCode !== 200) {
-          reject(new Error(`HTTP ${res.statusCode ?? "unknown"}`));
+          if (res.statusCode === void 0) {
+            reject(new Error("HTTP unknown"));
+          } else {
+            reject(new HttpStatusError(res.statusCode));
+          }
           return;
         }
-        resolve3(res);
+        resolve4(res);
       });
       req.on("error", reject);
       req.on("timeout", () => {
@@ -12786,10 +13061,10 @@ function fetchResponse(url, timeoutMs) {
 }
 function download(url, destPath, timeoutMs) {
   return fetchResponse(url, timeoutMs).then(
-    (res) => new Promise((resolve3, reject) => {
+    (res) => new Promise((resolve4, reject) => {
       const file = createWriteStream2(destPath);
       res.pipe(file);
-      file.on("finish", () => file.close(() => resolve3()));
+      file.on("finish", () => file.close(() => resolve4()));
       file.on("error", (err) => {
         try {
           unlinkSync3(destPath);
@@ -12802,10 +13077,10 @@ function download(url, destPath, timeoutMs) {
 }
 function downloadText(url, timeoutMs) {
   return fetchResponse(url, timeoutMs).then(
-    (res) => new Promise((resolve3, reject) => {
+    (res) => new Promise((resolve4, reject) => {
       const chunks = [];
       res.on("data", (chunk) => chunks.push(chunk));
-      res.on("end", () => resolve3(Buffer.concat(chunks).toString("utf8")));
+      res.on("end", () => resolve4(Buffer.concat(chunks).toString("utf8")));
       res.on("error", reject);
     })
   );
@@ -12834,10 +13109,10 @@ function getBinaryName() {
   return platform() === "win32" ? "okx-pilot.exe" : "okx-pilot";
 }
 function hashFile(filePath) {
-  const buf = readFileSync7(filePath);
+  const buf = readFileSync9(filePath);
   return {
     size: buf.byteLength,
-    sha256: createHash("sha256").update(buf).digest("hex")
+    sha256: createHash3("sha256").update(buf).digest("hex")
   };
 }
 function getPilotStatus(binaryPath, opts) {
@@ -12952,7 +13227,7 @@ async function installPilotBinary(destPath, sources = CDN_SOURCES, onProgress) {
   if (earlyResult) return earlyResult;
   const platformDir = getPlatformDir();
   const binaryName = getBinaryName();
-  const resolvedDest = destPath ?? join10(homedir8(), ".okx", "bin", binaryName);
+  const resolvedDest = destPath ?? join12(homedir8(), ".okx", "bin", binaryName);
   const tmpPath = resolvedDest + ".tmp";
   mkdirSync8(dirname6(resolvedDest), { recursive: true });
   const localHash = existsSync6(resolvedDest) ? hashFile(resolvedDest) : null;
@@ -13004,9 +13279,41 @@ function removePilotBinary(binaryPath) {
   }
 }
 var AUTH_CDN_PATH_PREFIX = "/upgradeapp/tools/oauth";
+var LINUX_ARM64_FALLBACK_DIR = "linux-x64";
 function getAuthBinaryName() {
   return platform2() === "win32" ? "okx-auth.exe" : "okx-auth";
 }
+async function _resolveAuthPlatformFromNative(native, sources, timeoutMs) {
+  if (native !== "linux-arm64") {
+    return native;
+  }
+  const checksumPath = `${AUTH_CDN_PATH_PREFIX}/linux-arm64/checksum.json`;
+  let got404 = false;
+  for (const { host, protocol } of sources) {
+    const url = `${protocol}://${host}${checksumPath}`;
+    try {
+      await downloadText(url, timeoutMs);
+      return "linux-arm64";
+    } catch (err) {
+      if (err instanceof HttpStatusError && err.statusCode === 404) {
+        got404 = true;
+        break;
+      }
+    }
+  }
+  if (got404) {
+    console.warn(
+      "[okx-auth] Native linux-arm64 binary not yet on CDN. Falling back to linux-x64 binary \u2014 x86_64 emulation (binfmt_misc/Rosetta) required."
+    );
+    return LINUX_ARM64_FALLBACK_DIR;
+  }
+  return "linux-arm64";
+}
+async function resolveAuthPlatformDir(sources = CDN_SOURCES, timeoutMs = DOWNLOAD_TIMEOUT_MS) {
+  const native = getPlatformDir();
+  if (!native) return null;
+  return _resolveAuthPlatformFromNative(native, sources, timeoutMs);
+}
 function getAuthStatus(binaryPath, opts) {
   const resolvedPath = binaryPath ?? getAuthBinaryPath();
   const platformDir = getPlatformDir();
@@ -13020,7 +13327,7 @@ function getAuthStatus(binaryPath, opts) {
   return { binaryPath: resolvedPath, exists: true, platform: platformDir, fileSize: size, sha256 };
 }
 async function fetchAuthCdnChecksum(sources = CDN_SOURCES, timeoutMs = DOWNLOAD_TIMEOUT_MS) {
-  const platformDir = getPlatformDir();
+  const platformDir = await resolveAuthPlatformDir(sources, timeoutMs);
   if (!platformDir) return null;
   const checksumPath = `${AUTH_CDN_PATH_PREFIX}/${platformDir}/checksum.json`;
   for (const { host, protocol } of sources) {
@@ -13089,12 +13396,51 @@ function installPreChecks2(destPath, sources) {
 function isLocalUpToDate2(localHash, checksum) {
   return localHash !== null && localHash.size === checksum.size && localHash.sha256 === checksum.sha256;
 }
+async function tryInstallFromOneSource(ctx) {
+  const { host, protocol, platformDir, checksumPath, binaryPath, tmpPath, resolvedDest, localHash, onProgress } = ctx;
+  try {
+    const checksum = await fetchAndValidateChecksum2(
+      host,
+      protocol,
+      checksumPath,
+      platformDir,
+      DOWNLOAD_TIMEOUT_MS,
+      onProgress
+    );
+    if (isLocalUpToDate2(localHash, checksum)) {
+      onProgress?.("Already up to date (checksum match)");
+      return { kind: "done", result: { status: "up-to-date", source: host } };
+    }
+    await downloadAndVerify2(host, protocol, binaryPath, tmpPath, checksum, DOWNLOAD_TIMEOUT_MS, onProgress);
+    atomicReplace2(tmpPath, resolvedDest);
+    onProgress?.(`Downloaded and verified from ${host}`);
+    return { kind: "done", result: { status: "installed", source: host } };
+  } catch (err) {
+    try {
+      unlinkSync5(tmpPath);
+    } catch {
+    }
+    const errObj = err instanceof Error ? err : new Error(String(err));
+    onProgress?.(`${host} failed: ${errObj.message}`);
+    return { kind: "next", err: errObj };
+  }
+}
+function buildInstallFailureResult(errors) {
+  const formatted = errors.map(({ host, err }) => `${host}: ${err.message}`).join("\n");
+  const allHttpErrors = errors.length > 0 && errors.every(({ err }) => err instanceof HttpStatusError);
+  const prefix = allHttpErrors ? "okx-auth binary not available on CDN for this platform" : "All CDN sources failed";
+  return { status: "failed", error: `${prefix}:
+${formatted}` };
+}
 async function installAuthBinary(destPath, sources = CDN_SOURCES, onProgress) {
   const earlyResult = installPreChecks2(destPath, sources);
   if (earlyResult) return earlyResult;
-  const platformDir = getPlatformDir();
+  const platformDir = await resolveAuthPlatformDir(sources);
+  if (!platformDir) {
+    return { status: "failed", error: "Unsupported platform" };
+  }
   const binaryName = getAuthBinaryName();
-  const resolvedDest = destPath ?? join11(homedir9(), ".okx", "bin", binaryName);
+  const resolvedDest = destPath ?? join13(homedir9(), ".okx", "bin", binaryName);
   const tmpPath = resolvedDest + ".tmp";
   mkdirSync9(dirname7(resolvedDest), { recursive: true });
   const localHash = existsSync7(resolvedDest) ? hashFile(resolvedDest) : null;
@@ -13102,35 +13448,21 @@ async function installAuthBinary(destPath, sources = CDN_SOURCES, onProgress) {
   const binaryPath = `${AUTH_CDN_PATH_PREFIX}/${platformDir}/${binaryName}`;
   const errors = [];
   for (const { host, protocol } of sources) {
-    try {
-      const checksum = await fetchAndValidateChecksum2(
-        host,
-        protocol,
-        checksumPath,
-        platformDir,
-        DOWNLOAD_TIMEOUT_MS,
-        onProgress
-      );
-      if (isLocalUpToDate2(localHash, checksum)) {
-        onProgress?.("Already up to date (checksum match)");
-        return { status: "up-to-date", source: host };
-      }
-      await downloadAndVerify2(host, protocol, binaryPath, tmpPath, checksum, DOWNLOAD_TIMEOUT_MS, onProgress);
-      atomicReplace2(tmpPath, resolvedDest);
-      onProgress?.(`Downloaded and verified from ${host}`);
-      return { status: "installed", source: host };
-    } catch (err) {
-      try {
-        unlinkSync5(tmpPath);
-      } catch {
-      }
-      const msg = err instanceof Error ? err.message : String(err);
-      errors.push(`${host}: ${msg}`);
-      onProgress?.(`${host} failed: ${msg}`);
-    }
+    const attempt = await tryInstallFromOneSource({
+      host,
+      protocol,
+      platformDir,
+      checksumPath,
+      binaryPath,
+      tmpPath,
+      resolvedDest,
+      localHash,
+      onProgress
+    });
+    if (attempt.kind === "done") return attempt.result;
+    errors.push({ host, err: attempt.err });
   }
-  return { status: "failed", error: `All CDN sources failed:
-${errors.join("\n")}` };
+  return buildInstallFailureResult(errors);
 }
 function removeAuthBinary(binaryPath) {
   const resolvedPath = binaryPath ?? getAuthBinaryPath();
@@ -13145,12 +13477,12 @@ function removeAuthBinary(binaryPath) {
     throw new Error(`Failed to remove ${resolvedPath}: ${msg}`);
   }
 }
-var CACHE_PATH = join12(homedir10(), ".okx", "auth-binary-check.json");
+var CACHE_PATH = join14(homedir10(), ".okx", "auth-binary-check.json");
 var CHECK_INTERVAL_MS2 = 2 * 60 * 60 * 1e3;
 function readCache3() {
   try {
     if (!existsSync8(CACHE_PATH)) return null;
-    const data = JSON.parse(readFileSync8(CACHE_PATH, "utf-8"));
+    const data = JSON.parse(readFileSync10(CACHE_PATH, "utf-8"));
     if (typeof data.cdnSha256 !== "string" || typeof data.checkedAt !== "number") return null;
     return { cdnSha256: data.cdnSha256, checkedAt: data.checkedAt };
   } catch {
@@ -13159,7 +13491,7 @@ function readCache3() {
 }
 function writeCache3(cdnSha256) {
   try {
-    mkdirSync10(join12(homedir10(), ".okx"), { recursive: true });
+    mkdirSync10(join14(homedir10(), ".okx"), { recursive: true });
     writeFileSync7(CACHE_PATH, JSON.stringify({ cdnSha256, checkedAt: Date.now() }, null, 2), "utf-8");
   } catch {
   }
@@ -13294,7 +13626,7 @@ function markFailedIfSCodeError(data) {
 // src/commands/auth.ts
 function runOkxAuth(args) {
   const binPath = getAuthBinaryPath();
-  return new Promise((resolve3, reject) => {
+  return new Promise((resolve4, reject) => {
     const child = spawn3(binPath, args, {
       stdio: "inherit"
     });
@@ -13302,13 +13634,13 @@ function runOkxAuth(args) {
       reject(new Error(`Failed to spawn okx-auth: ${err.message}`));
     });
     child.on("close", (code) => {
-      resolve3(code ?? 1);
+      resolve4(code ?? 1);
     });
   });
 }
 function runOkxAuthCapture(args) {
   const binPath = getAuthBinaryPath();
-  return new Promise((resolve3, reject) => {
+  return new Promise((resolve4, reject) => {
     const child = spawn3(binPath, args, {
       stdio: ["inherit", "pipe", "inherit"]
     });
@@ -13318,7 +13650,7 @@ function runOkxAuthCapture(args) {
       reject(new Error(`Failed to spawn okx-auth: ${err.message}`));
     });
     child.on("close", (code) => {
-      resolve3({
+      resolve4({
         code: code ?? 1,
         stdout: Buffer.concat(chunks).toString("utf-8")
       });
@@ -13523,14 +13855,14 @@ async function confirmRemoval(force, binaryPath) {
   return true;
 }
 function askConfirmation(prompt2) {
-  return new Promise((resolve3) => {
+  return new Promise((resolve4) => {
     const rl = readline.createInterface({
       input: process.stdin,
       output: process.stdout
     });
     rl.question(prompt2, (answer) => {
       rl.close();
-      resolve3(answer.trim().toLowerCase() === "y");
+      resolve4(answer.trim().toLowerCase() === "y");
     });
   });
 }
@@ -13562,110 +13894,6 @@ async function handleAuthCommand(action, _rest, v) {
   }
 }
-// src/commands/outcomes.ts
-import { spawn as spawn4 } from "child_process";
-import { existsSync as existsSync9 } from "fs";
-import { delimiter, join as join13 } from "path";
-var OUTCOMES_BINARY_NAME = process.platform === "win32" ? "okx-outcomes.exe" : "okx-outcomes";
-function resolveOutcomesBinaryPath() {
-  const override = process.env.OKX_OUTCOMES_BIN;
-  if (override) {
-    if (existsSync9(override)) return override;
-    errorLine(
-      `Warning: OKX_OUTCOMES_BIN is set to '${override}' but no file exists there; falling back to PATH search.`
-    );
-  }
-  const paths = (process.env.PATH ?? "").split(delimiter);
-  for (const dir of paths) {
-    if (!dir) continue;
-    const full = join13(dir, OUTCOMES_BINARY_NAME);
-    if (existsSync9(full)) return full;
-  }
-  return null;
-}
-function printInstallHint() {
-  errorLine("Error: okx-outcomes binary not found in PATH.");
-  errorLine("");
-  errorLine("Install (macOS / Linux):");
-  errorLine("  curl -fsSL https://raw.githubusercontent.com/okx/outcomes/master/install.sh | sh");
-  errorLine("");
-  errorLine("Install (Windows): download okx-outcomes.exe from");
-  errorLine("  https://github.com/okx/outcomes/releases");
-  errorLine("and place it on your PATH.");
-  errorLine("");
-  errorLine("Or set OKX_OUTCOMES_BIN env var to a custom binary path.");
-}
-function runOkxOutcomes(args) {
-  const binPath = resolveOutcomesBinaryPath();
-  if (!binPath) {
-    printInstallHint();
-    return Promise.resolve(127);
-  }
-  return new Promise((resolve3, reject) => {
-    const child = spawn4(binPath, args, { stdio: "inherit" });
-    child.on(
-      "error",
-      (err) => reject(new Error(`Failed to spawn okx-outcomes: ${err.message}`))
-    );
-    child.on("close", (code) => resolve3(code ?? 1));
-  });
-}
-function printOutcomesHelp() {
-  const lines = [
-    "Usage: okx outcomes <command> [args...]",
-    "",
-    "OKX Outcomes - YES/NO event contract trading via the okx-outcomes binary.",
-    "",
-    "Common commands:",
-    "  data events                     List outcome events",
-    "  data event <eventId>            Get event detail",
-    "  data event-markets <eventId>    Event + all its markets (returns asset ids)",
-    "  data market <marketId>          Get single market detail",
-    "  data trending                   List trending events",
-    "  data ticker <assetId>           24h ticker for an outcome asset",
-    "  data candles <assetId>          OHLCV candles for an outcome asset",
-    "  search <keyword>                Search events/markets",
-    "  (Note: events/event/market etc. live UNDER the `data` namespace \u2014 calling them",
-    "         as top-level commands prints the binary's help instead of returning JSON.)",
-    "",
-    "  clob price/prices/midpoint(s)/spread(s)/book(s) --asset <id>",
-    "                                  CLOB read-side market data",
-    "  clob create-order               Place limit order (EIP-712 signed)",
-    "  clob market-order               Cross book immediately (IOC/FOK)",
-    "  clob cancel-oid | cancel-all | heartbeat",
-    "",
-    "  ctf split/merge/redeem          Conditional token operations",
-    "",
-    "  account balance/order/orders/positions/closed-positions/trades",
-    "                                  HMAC-auth account queries",
-    "",
-    "  wallet show                     Show derived wallet address",
-    "  status                          Health check",
-    "  setup                           Interactive .env wizard",
-    "",
-    "Run 'okx outcomes <command> --help' for command-specific help.",
-    "",
-    "Note: place flags after the subcommand, e.g. 'okx outcomes events --json'",
-    "      (or before the module: 'okx --json outcomes events'). Writing",
-    "      'okx outcomes --json events' is not supported.",
-    "",
-    "Requires: curl -fsSL https://raw.githubusercontent.com/okx/outcomes/master/install.sh | sh"
-  ];
-  for (const line of lines) outputLine(line);
-}
-async function handleOutcomesCommand(action, rest, v) {
-  if (!action || action === "--help" || action === "-h" || action === "help") {
-    printOutcomesHelp();
-    return;
-  }
-  const forwardArgs = [action, ...rest];
-  if (v.json && !forwardArgs.includes("--json") && !forwardArgs.includes("-j")) {
-    forwardArgs.push("--json");
-  }
-  const code = await runOkxOutcomes(forwardArgs);
-  if (code !== 0) process.exitCode = code;
-}
 // src/commands/diagnose.ts
 import dns from "dns/promises";
 import net from "net";
@@ -13691,26 +13919,26 @@ var Report = class {
     this.lines.push({ key, value });
   }
   print() {
-    const sep2 = "\u2500".repeat(52);
+    const sep3 = "\u2500".repeat(52);
     outputLine("");
-    outputLine(`  \u2500\u2500 Diagnostic Report (copy & share) ${sep2.slice(35)}`);
+    outputLine(`  \u2500\u2500 Diagnostic Report (copy & share) ${sep3.slice(35)}`);
     for (const { key, value } of this.lines) {
       outputLine(`  ${key.padEnd(14)} ${value}`);
     }
-    outputLine(`  ${sep2}`);
+    outputLine(`  ${sep3}`);
     outputLine("");
   }
   /** Write report to a file path, returns true on success. */
   writeToFile(filePath) {
     try {
-      const sep2 = "\u2500".repeat(52);
+      const sep3 = "\u2500".repeat(52);
       const lines = [
-        `\u2500\u2500 Diagnostic Report (copy & share) ${sep2.slice(35)}`
+        `\u2500\u2500 Diagnostic Report (copy & share) ${sep3.slice(35)}`
       ];
       for (const { key, value } of this.lines) {
         lines.push(`${key.padEnd(14)} ${value}`);
       }
-      lines.push(sep2, "");
+      lines.push(sep3, "");
       fs4.writeFileSync(filePath, lines.join("\n"), "utf8");
       return true;
     } catch (_e) {
@@ -13760,7 +13988,7 @@ function sanitize2(value) {
 import fs5 from "fs";
 import path4 from "path";
 import os4 from "os";
-import { spawnSync, spawn as spawn5 } from "child_process";
+import { spawnSync, spawn as spawn4 } from "child_process";
 import { createRequire as createRequire2 } from "module";
 import { fileURLToPath } from "url";
 var _require2 = createRequire2(import.meta.url);
@@ -14086,15 +14314,15 @@ async function checkStdioHandshake(entryPath, report) {
       clientInfo: { name: "okx-diagnose", version: "1.0" }
     }
   });
-  return new Promise((resolve3) => {
+  return new Promise((resolve4) => {
     let settled = false;
     const settle = (passed) => {
       if (settled) return;
       settled = true;
       clearTimeout(timer);
-      resolve3(passed);
+      resolve4(passed);
     };
-    const child = spawn5(process.execPath, [entryPath], {
+    const child = spawn4(process.execPath, [entryPath], {
       stdio: ["pipe", "pipe", "pipe"],
       env: { ...process.env }
     });
@@ -14213,7 +14441,7 @@ async function cmdDiagnoseMcp(options = {}) {
 // src/commands/diagnose.ts
 var CLI_VERSION = readCliVersion();
-var GIT_HASH = true ? "0614700e" : "dev";
+var GIT_HASH = true ? "2c1da5c1" : "dev";
 function maskKey2(key) {
   if (!key) return "(not set)";
   if (key.length <= 8) return "****";
@@ -14230,7 +14458,7 @@ async function checkDns(hostname) {
 }
 async function checkSocket(createFn, successEvent, timeoutMs) {
   const t0 = Date.now();
-  return new Promise((resolve3) => {
+  return new Promise((resolve4) => {
     const socket = createFn();
     const cleanup = () => {
       socket.removeAllListeners();
@@ -14238,15 +14466,15 @@ async function checkSocket(createFn, successEvent, timeoutMs) {
     };
     socket.once(successEvent, () => {
       cleanup();
-      resolve3({ ok: true, ms: Date.now() - t0 });
+      resolve4({ ok: true, ms: Date.now() - t0 });
     });
     socket.once("timeout", () => {
       cleanup();
-      resolve3({ ok: false, ms: Date.now() - t0, error: `timed out after ${timeoutMs}ms` });
+      resolve4({ ok: false, ms: Date.now() - t0, error: `timed out after ${timeoutMs}ms` });
     });
     socket.once("error", (err) => {
       cleanup();
-      resolve3({ ok: false, ms: Date.now() - t0, error: err.message });
+      resolve4({ ok: false, ms: Date.now() - t0, error: err.message });
     });
   });
 }
@@ -14574,23 +14802,23 @@ function suggestSubcommand(action, knownActions, knownPaths = []) {
 // src/commands/upgrade.ts
 import { spawnSync as spawnSync2 } from "child_process";
-import { readFileSync as readFileSync9, writeFileSync as writeFileSync8, mkdirSync as mkdirSync11 } from "fs";
-import { dirname as dirname8, join as join14 } from "path";
+import { readFileSync as readFileSync11, writeFileSync as writeFileSync8, mkdirSync as mkdirSync11 } from "fs";
+import { dirname as dirname8, join as join15 } from "path";
 import { homedir as homedir11 } from "os";
 var PACKAGES = ["@okx_ai/okx-trade-mcp", "@okx_ai/okx-trade-cli"];
-var CACHE_FILE2 = join14(homedir11(), ".okx", "last_check");
+var CACHE_FILE2 = join15(homedir11(), ".okx", "last_check");
 var THROTTLE_MS = 12 * 60 * 60 * 1e3;
-var NPM_BIN = join14(dirname8(process.execPath), process.platform === "win32" ? "npm.cmd" : "npm");
+var NPM_BIN = join15(dirname8(process.execPath), process.platform === "win32" ? "npm.cmd" : "npm");
 function readLastCheck() {
   try {
-    return parseInt(readFileSync9(CACHE_FILE2, "utf-8").trim(), 10) || 0;
+    return parseInt(readFileSync11(CACHE_FILE2, "utf-8").trim(), 10) || 0;
   } catch {
     return 0;
   }
 }
 function writeLastCheck() {
   try {
-    mkdirSync11(join14(homedir11(), ".okx"), { recursive: true });
+    mkdirSync11(join15(homedir11(), ".okx"), { recursive: true });
     writeFileSync8(CACHE_FILE2, String(Math.floor(Date.now() / 1e3)), "utf-8");
   } catch {
   }
@@ -15746,63 +15974,6 @@ var CLI_REGISTRY = {
     description: "Upgrade okx CLI and MCP server to the latest stable version",
     usage: "okx upgrade [--check] [--beta] [--force] [--json]"
   },
-  // ── outcomes ───────────────────────────────────────────────────────────────
-  // External binary wrapper - forwards to the okx-outcomes binary (formerly okx-predict).
-  // All toolName=null because outcomes commands are not exposed as MCP tools.
-  outcomes: {
-    description: "OKX Outcomes markets (YES/NO event contracts) via external okx-outcomes binary",
-    commands: {
-      // Note: events / event / event-markets / market / trending / ticker /
-      // candles live UNDER the `data` namespace in the upstream binary.
-      // Calling them as top-level commands prints the binary's help text
-      // instead of returning JSON. Always invoke as `okx outcomes data <cmd>`.
-      data: {
-        toolName: null,
-        usage: "okx outcomes data <events|event|event-markets|market|trending|ticker|candles> [args...]",
-        description: "Public market data namespace: events, event(-markets), market, trending, ticker, candles"
-      },
-      search: {
-        toolName: null,
-        usage: "okx outcomes search <keyword> [--limit <n>] [--cursor <c>]",
-        description: "Search events/markets by keyword"
-      },
-      account: {
-        toolName: null,
-        usage: "okx outcomes account <balance|order|orders|positions|closed-positions|trades>",
-        description: "HMAC-auth account queries"
-      },
-      clob: {
-        toolName: null,
-        usage: "okx outcomes clob <price|prices|midpoint|midpoints|spread|spreads|book|books|order|orders|trades|create-order|market-order|cancel-oid|cancel-all|heartbeat>",
-        description: "CLOB market data (--asset) + EIP-712 signed order operations"
-      },
-      ctf: {
-        toolName: null,
-        usage: "okx outcomes ctf <split|merge|redeem> --market <id> [--amount <xp>]",
-        description: "Conditional Token Framework: split xp into YES/NO, merge, redeem"
-      },
-      wallet: {
-        toolName: null,
-        usage: "okx outcomes wallet show",
-        description: "Show derived wallet address (from PREDICTIONS_AGENT_PRIVATE_KEY)"
-      },
-      status: {
-        toolName: null,
-        usage: "okx outcomes status [--json]",
-        description: "Health check: API + balance reachability"
-      },
-      setup: {
-        toolName: null,
-        usage: "okx outcomes setup",
-        description: "Interactive .env wizard for PREDICTIONS_* env vars"
-      },
-      shell: {
-        toolName: null,
-        usage: "okx outcomes shell",
-        description: "Interactive REPL (do not invoke from agent context)"
-      }
-    }
-  },
   // ── list-tools ──────────────────────────────────────────────────────────────
   "list-tools": {
     description: "List all available tools and their parameters (use --json for machine-readable output)",
@@ -16675,30 +16846,6 @@ function parseCli(argv) {
   }
   return { values, positionals };
 }
-function peekFirstPositional(argv) {
-  const booleanFlags = /* @__PURE__ */ new Set();
-  for (const [name, opt] of Object.entries(CLI_OPTIONS)) {
-    const o = opt;
-    if (o.type === "boolean") {
-      booleanFlags.add(name);
-      if (o.short) booleanFlags.add(o.short);
-    }
-  }
-  for (let i = 0; i < argv.length; i++) {
-    const tok = argv[i];
-    if (tok === "--") {
-      const next2 = argv[i + 1];
-      return next2 === void 0 ? void 0 : { module: next2, idx: i + 1 };
-    }
-    if (!tok.startsWith("-")) return { module: tok, idx: i };
-    if (tok.includes("=")) continue;
-    const name = tok.replace(/^--?/, "");
-    if (booleanFlags.has(name)) continue;
-    const next = argv[i + 1];
-    if (next !== void 0 && !next.startsWith("-")) i++;
-  }
-  return void 0;
-}
 // src/commands/market.ts
 function getData2(result) {
@@ -18678,7 +18825,7 @@ Config saved to ${p}
   }
 };
 function prompt(rl, question) {
-  return new Promise((resolve3) => rl.question(question, resolve3));
+  return new Promise((resolve4) => rl.question(question, resolve4));
 }
 function cmdConfigShow(json) {
   const config = readFullConfig();
@@ -20101,18 +20248,21 @@ async function cmdDcdQuoteAndBuy(run, opts) {
 // src/commands/skill.ts
 import { tmpdir, homedir as homedir13 } from "os";
-import { join as join16, dirname as dirname9 } from "path";
-import { mkdirSync as mkdirSync12, rmSync, existsSync as existsSync11, copyFileSync as copyFileSync2 } from "fs";
+import { join as join17, dirname as dirname9 } from "path";
+import { mkdirSync as mkdirSync12, rmSync, existsSync as existsSync10, copyFileSync as copyFileSync2 } from "fs";
 import { execFileSync as execFileSync2 } from "child_process";
 import { randomUUID as randomUUID2 } from "crypto";
 function resolveNpx() {
-  const sibling = join16(dirname9(process.execPath), "npx");
-  if (existsSync11(sibling)) return sibling;
+  const sibling = join17(dirname9(process.execPath), "npx");
+  if (existsSync10(sibling)) return sibling;
   return "npx";
 }
 function npxEnv() {
   return { ...process.env, NO_COLOR: "1", FORCE_COLOR: "0" };
 }
+function getSkillContentDir(name) {
+  return join17(homedir13(), ".agents", "skills", name);
+}
 var THIRD_PARTY_INSTALL_NOTICE = "Note: This skill was created by a third-party developer, not by OKX. Review SKILL.md before use.";
 async function cmdSkillSearch(run, opts) {
   const args = {};
@@ -20162,16 +20312,56 @@ async function cmdSkillCategories(run, json) {
   }
   outputLine("");
 }
-async function cmdSkillAdd(name, config, json, exec = execFileSync2) {
-  const tmpBase = join16(tmpdir(), `okx-skill-${randomUUID2()}`);
+async function wrapVerify(fn) {
+  try {
+    return await fn();
+  } catch (e) {
+    if (e instanceof ConfigError) {
+      throw new Error(
+        `Signature verification requires authentication \u2014 run \`okx auth login\` first, or use --force to bypass.`
+      );
+    }
+    throw e;
+  }
+}
+async function cmdSkillAdd(name, config, json, force = false, exec = execFileSync2, _deps) {
+  const _download = _deps?.download ?? downloadSkillZip;
+  const _extract = _deps?.extract ?? extractSkillZip;
+  const tmpBase = join17(tmpdir(), `okx-skill-${randomUUID2()}`);
   mkdirSync12(tmpBase, { recursive: true });
   try {
     outputLine(`Downloading ${name}...`);
     const client = new OkxRestClient(config);
-    const zipPath = await downloadSkillZip(client, name, tmpBase);
-    const contentDir = await extractSkillZip(zipPath, join16(tmpBase, "content"));
+    const zipPath = await _download(client, name, tmpBase);
+    const contentDir = await _extract(zipPath, join17(tmpBase, "content"));
     const meta = readMetaJson(contentDir);
     validateSkillMdExists(contentDir);
+    outputLine("Verifying signature...");
+    const verifyResult = await wrapVerify(
+      () => verifySkillSignature(contentDir, meta.signing, {
+        fetchPublicKey: (keyId) => getPublicKey(client, keyId),
+        serverSideVerify: (sName, version, files) => serverSideVerify(client, sName, version, files),
+        skillName: meta.name,
+        skillVersion: meta.version
+      })
+    );
+    if (verifyResult.status === "failed") {
+      if (!force) {
+        throw new Error(`Signature verification failed: ${verifyResult.error ?? "unknown error"}. Use --force to install anyway.`);
+      }
+      process.stderr.write(`WARNING: Signature verification failed \u2014 ${verifyResult.error ?? "unknown"}. Installing anyway (--force).
+`);
+    } else if (verifyResult.status === "verified_by_server") {
+      if (!json) {
+        outputLine(`  Verified by server (v${verifyResult.serverVersion ?? "?"})`);
+        if (verifyResult.error) outputLine(`  Note: ${verifyResult.error}`);
+      }
+    } else if (!json) {
+      outputLine(`  Signature verified (key: ${verifyResult.publicKeyId}, files: ${verifyResult.filesChecked})`);
+      if (verifyResult.extraFiles?.length) {
+        outputLine(`  Note: ${verifyResult.extraFiles.length} extra unsigned file(s) present`);
+      }
+    }
     outputLine("Installing to detected agents...");
     try {
       exec(resolveNpx(), ["skills", "add", contentDir, "-y", "-g"], {
@@ -20180,7 +20370,7 @@ async function cmdSkillAdd(name, config, json, exec = execFileSync2) {
         env: npxEnv()
       });
     } catch (e) {
-      const savedZip = join16(process.cwd(), `${name}.zip`);
+      const savedZip = join17(process.cwd(), `${name}.zip`);
       try {
         copyFileSync2(zipPath, savedZip);
       } catch {
@@ -20189,7 +20379,8 @@ async function cmdSkillAdd(name, config, json, exec = execFileSync2) {
       errorLine(`You can manually install from: ${savedZip}`);
       throw e;
     }
-    upsertSkillRecord(meta);
+    const registryStatus = verifyResult.status === "failed" && force ? "bypassed" : verifyResult.status;
+    upsertSkillRecord(meta, void 0, registryStatus);
     printSkillInstallResult(meta, json);
   } finally {
     rmSync(tmpBase, { recursive: true, force: true });
@@ -20220,7 +20411,7 @@ function cmdSkillRemove(name, json, exec = execFileSync2) {
       env: npxEnv()
     });
   } catch {
-    const agentsPath = join16(homedir13(), ".agents", "skills", name);
+    const agentsPath = getSkillContentDir(name);
     try {
       rmSync(agentsPath, { recursive: true, force: true });
     } catch {
@@ -20284,6 +20475,59 @@ function cmdSkillList(json) {
   outputLine("");
   outputLine(`${skills.length} skills installed.`);
 }
+async function cmdSkillVerify(name, config, json) {
+  const record = getSkillRecord(name);
+  if (!record) {
+    errorLine(`Skill "${name}" is not installed.`);
+    process.exitCode = 1;
+    return;
+  }
+  const contentDir = getSkillContentDir(name);
+  if (!existsSync10(contentDir)) {
+    errorLine(`Skill content directory not found: ${contentDir}`);
+    errorLine(`Try reinstalling with: okx skill add ${name}`);
+    process.exitCode = 1;
+    return;
+  }
+  const meta = tryReadMetaJson(contentDir);
+  const client = new OkxRestClient(config);
+  let result;
+  try {
+    result = await wrapVerify(
+      () => verifySkillSignature(contentDir, meta?.signing, {
+        fetchPublicKey: (keyId) => getPublicKey(client, keyId),
+        serverSideVerify: (sName, version, files) => serverSideVerify(client, sName, version, files),
+        skillName: name,
+        skillVersion: meta?.version
+      })
+    );
+  } catch (e) {
+    errorLine(e instanceof Error ? e.message : String(e));
+    process.exitCode = 1;
+    return;
+  }
+  if (meta) {
+    upsertSkillRecord(meta, void 0, result.status);
+  }
+  if (result.status === "failed") {
+    process.exitCode = 1;
+  }
+  if (json) {
+    outputLine(JSON.stringify(result, null, 2));
+    return;
+  }
+  if (result.status === "verified") {
+    outputLine(`\u2713 ${name}: signature verified (key: ${result.publicKeyId}, files: ${result.filesChecked})`);
+    if (result.extraFiles?.length) {
+      outputLine(`  Note: ${result.extraFiles.length} extra unsigned file(s) present`);
+    }
+  } else if (result.status === "verified_by_server") {
+    outputLine(`\u2713 ${name}: verified by server (v${result.serverVersion ?? "?"})`);
+    if (result.error) outputLine(`  Note: ${result.error}`);
+  } else if (result.status === "failed") {
+    errorLine(`\u2717 ${name}: verification failed \u2014 ${result.error ?? "unknown"}`);
+  }
+}
 function printSkillInstallResult(meta, json) {
   if (json) {
     outputLine(JSON.stringify({ name: meta.name, version: meta.version, status: "installed" }, null, 2));
@@ -20434,14 +20678,14 @@ function formatBytes2(bytes) {
   return `${(bytes / (1024 * 1024)).toFixed(2)} MB`;
 }
 function askConfirmation2(prompt2) {
-  return new Promise((resolve3) => {
+  return new Promise((resolve4) => {
     const rl = readline2.createInterface({
       input: process.stdin,
       output: process.stdout
     });
     rl.question(prompt2, (answer) => {
       rl.close();
-      resolve3(answer.trim().toLowerCase() === "y");
+      resolve4(answer.trim().toLowerCase() === "y");
     });
   });
 }
@@ -20904,7 +21148,7 @@ async function cmdEventCancel(run, opts) {
 // src/index.ts
 var _require3 = createRequire3(import.meta.url);
 var CLI_VERSION2 = _require3("../package.json").version;
-var GIT_HASH2 = true ? "0614700e" : "dev";
+var GIT_HASH2 = true ? "2c1da5c1" : "dev";
 function handlePilotCommand(action, json, force, binaryPath) {
   if (action === "status") return cmdPilotStatus(json, binaryPath);
   if (action === "install") return cmdPilotInstall(json, binaryPath);
@@ -22216,9 +22460,13 @@ function requireSkillName(rest, usage) {
   }
   return name;
 }
-function handleSkillAdd(rest, config, json) {
+function handleSkillAdd(rest, v, config, json) {
   const n = requireSkillName(rest, "Usage: okx skill add <name>");
-  if (n) return cmdSkillAdd(n, config, json);
+  if (n) return cmdSkillAdd(n, config, json, v.force ?? false);
+}
+function handleSkillVerify(rest, config, json) {
+  const n = requireSkillName(rest, "Usage: okx skill verify <name>");
+  if (n) return cmdSkillVerify(n, config, json);
 }
 function handleSkillDownload(rest, v, config, json) {
   const n = requireSkillName(rest, "Usage: okx skill download <name> [--dir <path>] [--format zip|skill]");
@@ -22237,12 +22485,13 @@ function handleSkillCommand(run, action, rest, v, json, config) {
   if (action === "search") return cmdSkillSearch(run, { keyword: rest[0] ?? v.keyword, categories: v.categories, page: v.page, limit: v.limit, json });
   if (action === "categories") return cmdSkillCategories(run, json);
   if (action === "list") return cmdSkillList(json);
-  if (action === "add") return handleSkillAdd(rest, config, json);
+  if (action === "add") return handleSkillAdd(rest, v, config, json);
   if (action === "download") return handleSkillDownload(rest, v, config, json);
   if (action === "remove") return handleSkillRemove(rest, json);
   if (action === "check") return handleSkillCheck(run, rest, json);
+  if (action === "verify") return handleSkillVerify(rest, config, json);
   errorLine(`Unknown skill command: ${action}`);
-  errorLine("Valid: search, categories, add, download, remove, check, list");
+  errorLine("Valid: search, categories, add, download, remove, check, list, verify");
   process.exitCode = 1;
 }
 function handleEventCommand(run, action, rest, v, json) {
@@ -22372,16 +22621,7 @@ async function main() {
     err: (m) => process.stderr.write(m)
   });
   checkForUpdates("@okx_ai/okx-trade-cli", CLI_VERSION2);
-  const rawArgv = process.argv.slice(2);
-  const peek = peekFirstPositional(rawArgv);
-  if (peek?.module === "outcomes") {
-    const after = rawArgv.slice(peek.idx + 1);
-    const action2 = after[0];
-    const rest2 = after.slice(1);
-    const json2 = rawArgv.includes("--json") || rawArgv.includes("-j");
-    return handleOutcomesCommand(action2, rest2, { json: json2 });
-  }
-  const { values, positionals } = parseCli(rawArgv);
+  const { values, positionals } = parseCli(process.argv.slice(2));
   if (values.version) {
     printVersion();
     return;