@okx_ai/okx-trade-mcp 1.3.2-beta.5 → 1.3.2

package/dist/index.js

@@ -22,18 +22,21 @@ import {
 import { homedir as homedir2 } from "os";
 import { join as join2, dirname } from "path";
 import { createHmac } from "crypto";
+import { spawn, execFile as execFile2 } from "child_process";
+import { homedir as homedir3 } from "os";
+import { join as join3 } from "path";
 import fs from "fs";
 import path from "path";
 import os from "os";
 import { writeFileSync as writeFileSync2, renameSync as renameSync2, unlinkSync as unlinkSync2, mkdirSync as mkdirSync2 } from "fs";
-import { join as join3, resolve, basename, sep } from "path";
+import { join as join4, resolve, basename, sep } from "path";
 import { randomUUID } from "crypto";
 import yauzl from "yauzl";
-import { join as join5, dirname as dirname3 } from "path";
-import { homedir as homedir3 } from "os";
-import { readFileSync as readFileSync4, writeFileSync as writeFileSync4, mkdirSync as mkdirSync5, existsSync as existsSync3 } from "fs";
-import { join as join6, dirname as dirname4 } from "path";
+import { join as join6, dirname as dirname3 } from "path";
 import { homedir as homedir4 } from "os";
+import { readFileSync as readFileSync4, writeFileSync as writeFileSync4, mkdirSync as mkdirSync5, existsSync as existsSync3 } from "fs";
+import { join as join7, dirname as dirname4 } from "path";
+import { homedir as homedir5 } from "os";
 
 // ../../node_modules/.pnpm/smol-toml@1.6.0/node_modules/smol-toml/dist/error.js
 function getLineColFromPtr(string, ptr) {
@@ -722,8 +725,8 @@ function parse(toml, { maxDepth = 1e3, integersAsBigInt } = {}) {
 
 // ../core/dist/index.js
 import { readFileSync as readFileSync5, writeFileSync as writeFileSync5, mkdirSync as mkdirSync6, existsSync as existsSync4 } from "fs";
-import { join as join7 } from "path";
-import { homedir as homedir5 } from "os";
+import { join as join8 } from "path";
+import { homedir as homedir6 } from "os";
 import fs2 from "fs";
 import path2 from "path";
 import os2 from "os";
@@ -731,6 +734,8 @@ import * as fs3 from "fs";
 import * as path3 from "path";
 import * as os3 from "os";
 import { execFileSync } from "child_process";
+import { join as join12 } from "path";
+import { homedir as homedir10 } from "os";
 var EXEC_TIMEOUT_MS = 3e4;
 var ALLOWED_DOMAIN_RE = /^[\w.-]+\.okx\.com$/;
 var PILOT_BIN_DIR = join(homedir(), ".okx", "bin");
@@ -1042,6 +1047,11 @@ var ConfigError = class extends OkxMcpError {
     super("ConfigError", message, { suggestion });
   }
 };
+var NotLoggedInError = class extends ConfigError {
+  constructor(suggestion = "Run `okx auth login` to authenticate.") {
+    super("Not logged in.", suggestion);
+  }
+};
 var ValidationError = class extends OkxMcpError {
   constructor(message, suggestion) {
     super("ValidationError", message, { suggestion });
@@ -1094,6 +1104,97 @@ function toToolErrorPayload(error, fallbackEndpoint) {
     timestamp: (/* @__PURE__ */ new Date()).toISOString()
   };
 }
+var EXIT_CODES = {
+  SUCCESS: 0,
+  UNAUTHORIZED_CALLER: 1,
+  NOT_LOGGED_IN: 2,
+  REFRESH_FAILED: 3
+};
+var EXEC_TIMEOUT_MS2 = 5e3;
+var AUTH_BIN_DIR = join3(homedir3(), ".okx", "bin");
+function getAuthBinaryPath() {
+  if (process.env.OKX_AUTH_BIN) {
+    return process.env.OKX_AUTH_BIN;
+  }
+  const ext = process.platform === "win32" ? ".exe" : "";
+  return join3(AUTH_BIN_DIR, `okx-auth${ext}`);
+}
+function execAuthToken() {
+  const binPath = getAuthBinaryPath();
+  return new Promise((resolve3, reject) => {
+    const child = spawn(binPath, ["token"], {
+      stdio: ["ignore", "ignore", "inherit", "pipe"]
+      //       stdin    stdout    stderr     fd3 (pipe)
+    });
+    const chunks = [];
+    const fd3 = child.stdio[3];
+    fd3.on("data", (chunk) => chunks.push(chunk));
+    child.on("error", (err) => {
+      reject(new ConfigError(
+        `Failed to spawn okx-auth: ${err.message}`,
+        "Ensure the okx-auth binary exists and is executable."
+      ));
+    });
+    child.on("close", (code) => {
+      if (code === EXIT_CODES.SUCCESS) {
+        const token = Buffer.concat(chunks).toString("utf-8").trim();
+        if (!token) {
+          reject(new AuthenticationError(
+            "okx-auth returned empty token.",
+            "Run `okx auth login` to re-authenticate."
+          ));
+          return;
+        }
+        resolve3(token);
+        return;
+      }
+      if (code === EXIT_CODES.NOT_LOGGED_IN) {
+        reject(new NotLoggedInError());
+        return;
+      }
+      if (code === EXIT_CODES.UNAUTHORIZED_CALLER) {
+        reject(new AuthenticationError(
+          "okx-auth rejected the caller (unauthorized).",
+          "Ensure you are running from a trusted OKX tool."
+        ));
+        return;
+      }
+      if (code === EXIT_CODES.REFRESH_FAILED) {
+        reject(new AuthenticationError(
+          "Token refresh failed.",
+          "Run `okx auth login` to re-authenticate."
+        ));
+        return;
+      }
+      reject(new AuthenticationError(
+        `okx-auth token exited with code ${code}.`,
+        "Run `okx auth login` to re-authenticate."
+      ));
+    });
+  });
+}
+function execAuthStatus() {
+  const binPath = getAuthBinaryPath();
+  return new Promise((resolve3) => {
+    execFile2(
+      binPath,
+      ["status", "--json"],
+      { timeout: EXEC_TIMEOUT_MS2, encoding: "utf-8" },
+      (error, stdout) => {
+        if (error) {
+          resolve3(null);
+          return;
+        }
+        try {
+          const result = JSON.parse(stdout);
+          resolve3(result);
+        } catch {
+          resolve3(null);
+        }
+      }
+    );
+  });
+}
 function sleep(ms) {
   return new Promise((resolve3) => {
     setTimeout(resolve3, ms);
@@ -1225,6 +1326,7 @@ function maskKey(key) {
   if (key.length <= 8) return "***";
   return `${key.slice(0, 3)}***${key.slice(-3)}`;
 }
+var TOKEN_CACHE_TTL_MS = 6e4;
 function vlog2(message) {
   process.stderr.write(`[verbose] ${message}
 `);
@@ -1233,6 +1335,8 @@ var OkxRestClient = class _OkxRestClient {
   config;
   rateLimiter;
   dispatcher;
+  cachedAccessToken;
+  cachedAccessTokenAt = 0;
   pilot;
   constructor(config) {
     this.config = config;
@@ -1247,6 +1351,51 @@ var OkxRestClient = class _OkxRestClient {
       hasCustomProxy: !!config.proxyUrl
     });
   }
+  /**
+   * Resolve OAuth access token via the okx-auth binary (fd3 pipe).
+   * Caches the token for 60 s to avoid spawning the binary on every
+   * request. The binary handles refresh internally (300s TTL lead),
+   * so periodic re-calls let it serve a fresh token when needed.
+   * Returns null when not logged in.
+   */
+  async resolveAccessToken() {
+    if (this.cachedAccessToken && Date.now() - this.cachedAccessTokenAt < TOKEN_CACHE_TTL_MS) {
+      return this.cachedAccessToken;
+    }
+    try {
+      const token = await execAuthToken();
+      this.cachedAccessToken = token;
+      this.cachedAccessTokenAt = Date.now();
+      return token;
+    } catch (e) {
+      if (e instanceof NotLoggedInError) {
+        return null;
+      }
+      throw e;
+    }
+  }
+  /**
+   * Dynamic auth — determines auth method per request.
+   *
+   * 1. API key in config → HMAC signing (no OAuth fallback)
+   * 2. OAuth token via okx-auth binary → Bearer token
+   * 3. Neither → throw ConfigError
+   */
+  async applyAuth(headers, method, requestPath, bodyJson, timestamp) {
+    if (this.config.apiKey && this.config.secretKey && this.config.passphrase) {
+      this.setAuthHeaders(headers, method, requestPath, bodyJson, timestamp);
+      return;
+    }
+    const accessToken = await this.resolveAccessToken();
+    if (accessToken) {
+      headers.set("Authorization", `Bearer ${accessToken}`);
+      return;
+    }
+    throw new ConfigError(
+      "No credentials found.",
+      "Run `okx auth login` to authenticate, or configure API key credentials."
+    );
+  }
   /** The canonical base URL for this client (e.g. https://www.okx.com). */
   get baseUrl() {
     return this.config.baseUrl;
@@ -1305,18 +1454,6 @@ var OkxRestClient = class _OkxRestClient {
     });
   }
   setAuthHeaders(headers, method, requestPath, bodyJson, timestamp) {
-    if (!this.config.hasAuth) {
-      throw new ConfigError(
-        "Private endpoint requires API credentials.",
-        "Configure OKX_API_KEY, OKX_SECRET_KEY and OKX_PASSPHRASE."
-      );
-    }
-    if (!this.config.apiKey || !this.config.secretKey || !this.config.passphrase) {
-      throw new ConfigError(
-        "Invalid private API credentials state.",
-        "Ensure all OKX credentials are set."
-      );
-    }
     const payload = `${timestamp}${method.toUpperCase()}${requestPath}${bodyJson}`;
     const signature = signOkxPayload(payload, this.config.secretKey);
     headers.set("OK-ACCESS-KEY", this.config.apiKey);
@@ -1431,7 +1568,7 @@ var OkxRestClient = class _OkxRestClient {
     const conn = this.pilot.getConnectionParams();
     this.logRequest("POST", `${conn.baseUrl}${path4}`, "private");
     const reqConfig = { method: "POST", path: path4, auth: "private" };
-    const headers = this.buildHeaders(reqConfig, path4, bodyJson, getNow());
+    const headers = await this.buildHeaders(reqConfig, path4, bodyJson, getNow());
     if (conn.userAgent) {
       headers.set("User-Agent", conn.userAgent);
     }
@@ -1552,7 +1689,7 @@ var OkxRestClient = class _OkxRestClient {
   // Header building
   // ---------------------------------------------------------------------------
   /** Build HTTP headers. reqConfig.extraHeaders must NOT contain auth keys (OK-ACCESS-*). */
-  buildHeaders(reqConfig, requestPath, bodyJson, timestamp) {
+  async buildHeaders(reqConfig, requestPath, bodyJson, timestamp) {
     const headers = new Headers({
       "Content-Type": "application/json",
       Accept: "application/json"
@@ -1561,7 +1698,7 @@ var OkxRestClient = class _OkxRestClient {
       headers.set("User-Agent", this.config.userAgent);
     }
     if (reqConfig.auth === "private") {
-      this.setAuthHeaders(headers, reqConfig.method, requestPath, bodyJson, timestamp);
+      await this.applyAuth(headers, reqConfig.method, requestPath, bodyJson, timestamp);
     }
     const useSimulated = reqConfig.simulatedTrading !== void 0 ? reqConfig.simulatedTrading : this.config.demo;
     if (useSimulated) {
@@ -1615,7 +1752,7 @@ var OkxRestClient = class _OkxRestClient {
     if (reqConfig.rateLimit) {
       await this.rateLimiter.consume(reqConfig.rateLimit);
     }
-    const headers = this.buildHeaders(reqConfig, requestPath, bodyJson, timestamp);
+    const headers = await this.buildHeaders(reqConfig, requestPath, bodyJson, timestamp);
     if (conn.userAgent) {
       headers.set("User-Agent", conn.userAgent);
     }
@@ -2042,8 +2179,6 @@ function registerIndicatorTools() {
   ];
 }
 var DEFAULT_SOURCE_TAG = "MCP";
-var TOKEN_REGEX = /^[A-Z2-7]{12}$/;
-var TAG_JOIN = "";
 var OKX_SITES = {
   global: {
     label: "Global",
@@ -2057,7 +2192,7 @@ var OKX_SITES = {
   },
   us: {
     label: "US",
-    apiBaseUrl: "https://app.okx.com",
+    apiBaseUrl: "https://us.okx.com",
     webUrl: "https://app.okx.com"
   }
 };
@@ -2973,8 +3108,7 @@ function registerAlgoTradeTools() {
             callBackSpread: readString(args, "callbackSpread"),
             activePx: readString(args, "activePx"),
             reduceOnly: typeof reduceOnly === "boolean" ? String(reduceOnly) : void 0,
-            clOrdId: readString(args, "clOrdId"),
-            tag: context.config.sourceTag
+            clOrdId: readString(args, "clOrdId")
           }),
           privateRateLimit("swap_place_move_stop_order", 20)
         );
@@ -3319,8 +3453,7 @@ function registerFuturesAlgoTools() {
             callBackSpread: readString(args, "callbackSpread"),
             activePx: readString(args, "activePx"),
             reduceOnly: typeof reduceOnly === "boolean" ? String(reduceOnly) : void 0,
-            clOrdId: readString(args, "clOrdId"),
-            tag: context.config.sourceTag
+            clOrdId: readString(args, "clOrdId")
           }),
           privateRateLimit("futures_place_move_stop_order", 20)
         );
@@ -3578,7 +3711,7 @@ function safeWriteFile(targetDir, fileName, data) {
     throw new Error(`Invalid file name: "${fileName}"`);
   }
   const resolvedDir = resolve(targetDir);
-  const filePath = join3(resolvedDir, safeName);
+  const filePath = join4(resolvedDir, safeName);
   const resolvedPath = resolve(filePath);
   if (!resolvedPath.startsWith(resolvedDir + sep)) {
     throw new Error(`Path traversal detected: "${fileName}" resolves outside target directory`);
@@ -3621,7 +3754,7 @@ async function downloadSkillZip(client, name, targetDir, format = "zip") {
   return filePath;
 }
 var DEFAULT_MAX_TOTAL_BYTES = 100 * 1024 * 1024;
-var DEFAULT_REGISTRY_PATH = join5(homedir3(), ".okx", "skills", "registry.json");
+var DEFAULT_REGISTRY_PATH = join6(homedir4(), ".okx", "skills", "registry.json");
 function registerSkillsTools() {
   return [
     {
@@ -10006,7 +10139,7 @@ function toMcpTool(tool) {
   };
 }
 function configFilePath() {
-  return join6(homedir4(), ".okx", "config.toml");
+  return join7(homedir5(), ".okx", "config.toml");
 }
 function readFullConfig() {
   const path4 = configFilePath();
@@ -10025,11 +10158,6 @@ Or re-run: okx config init`
     );
   }
 }
-function readTomlProfile(profileName) {
-  const config = readFullConfig();
-  const name = profileName ?? config.default_profile ?? "default";
-  return config.profiles?.[name] ?? {};
-}
 function expandShorthand(moduleId) {
   if (moduleId === "all") return [...MODULES];
   if (moduleId === "earn" || moduleId === "earn.all") return [...EARN_SUB_MODULE_IDS];
@@ -10063,18 +10191,24 @@ function parseModuleList(rawModules) {
   }
   return Array.from(deduped);
 }
-function loadCredentials(toml) {
+async function loadCredentials(toml) {
   const apiKey = process.env.OKX_API_KEY?.trim() ?? toml.api_key;
   const secretKey = process.env.OKX_SECRET_KEY?.trim() ?? toml.secret_key;
   const passphrase = process.env.OKX_PASSPHRASE?.trim() ?? toml.passphrase;
-  const hasAuth = Boolean(apiKey && secretKey && passphrase);
+  const hasApiKey = Boolean(apiKey && secretKey && passphrase);
   const partialAuth = Boolean(apiKey) || Boolean(secretKey) || Boolean(passphrase);
-  if (partialAuth && !hasAuth) {
+  if (partialAuth && !hasApiKey) {
     throw new ConfigError(
       "Partial API credentials detected.",
       "Set OKX_API_KEY, OKX_SECRET_KEY and OKX_PASSPHRASE together (env vars or config.toml profile)."
     );
   }
+  let hasOAuth = false;
+  if (!hasApiKey) {
+    const status = await execAuthStatus();
+    hasOAuth = status?.status === "logged_in";
+  }
+  const hasAuth = hasOAuth || hasApiKey;
   return { apiKey, secretKey, passphrase, hasAuth };
 }
 function resolveSite(cliSite, tomlSite) {
@@ -10097,30 +10231,6 @@ function resolveBaseUrl(site, tomlBaseUrl) {
   }
   return rawBaseUrl.replace(/\/+$/, "");
 }
-function resolveSourceTag(cli, defaultTag, opts = {}) {
-  const readEnv = opts.readEnv !== false;
-  const cliSkill = cli.skill?.trim();
-  if (cliSkill) {
-    if (isValidToken(cliSkill)) return composeTag(defaultTag, cliSkill);
-    console.warn("--skill value format invalid (expected 12-char Base32), ignoring");
-  }
-  if (readEnv) {
-    const envToken = process.env.OKX_SKILL_TOKEN?.trim();
-    if (envToken) {
-      if (isValidToken(envToken)) return composeTag(defaultTag, envToken);
-      console.warn("OKX_SKILL_TOKEN format invalid, ignoring");
-    }
-  }
-  const sourceTag = cli.sourceTag?.trim();
-  if (sourceTag) return sourceTag;
-  return defaultTag;
-}
-function composeTag(defaultTag, token) {
-  return `${defaultTag}${TAG_JOIN}${token}`;
-}
-function isValidToken(s) {
-  return TOKEN_REGEX.test(s);
-}
 function resolveDemo(cli, toml) {
   if (cli.demo && cli.live) {
     throw new ConfigError(
@@ -10132,9 +10242,11 @@ function resolveDemo(cli, toml) {
   if (cli.demo === true) return true;
   return process.env.OKX_DEMO === "1" || process.env.OKX_DEMO === "true" || (toml.demo ?? false);
 }
-function loadConfig(cli, opts = {}) {
-  const toml = readTomlProfile(cli.profile);
-  const creds = loadCredentials(toml);
+async function loadConfig(cli) {
+  const config = readFullConfig();
+  const profileName = cli.profile ?? config.default_profile ?? "default";
+  const toml = config.profiles?.[profileName] ?? {};
+  const creds = await loadCredentials(toml);
   const demo = resolveDemo(cli, toml);
   const site = resolveSite(cli.site, toml.site);
   const baseUrl = resolveBaseUrl(site, toml.base_url);
@@ -10152,9 +10264,9 @@ function loadConfig(cli, opts = {}) {
       "proxy_url must start with http:// or https://. SOCKS proxies are not supported."
     );
   }
-  const defaultTag = opts.entryPrefix ?? DEFAULT_SOURCE_TAG;
   return {
     ...creds,
+    profile: profileName,
     baseUrl,
     timeoutMs: Math.floor(rawTimeout),
     modules: parseModuleList(cli.modules),
@@ -10162,14 +10274,12 @@ function loadConfig(cli, opts = {}) {
     demo,
     site,
     userAgent: cli.userAgent,
-    // sourceTag resolution: --skill > OKX_SKILL_TOKEN > --source-tag > defaultTag
-    // MCP entry passes { readEnv: false } to honour the "MCP path not attributed" contract.
-    sourceTag: resolveSourceTag(cli, defaultTag, { readEnv: opts.readEnv }),
+    sourceTag: cli.sourceTag ?? DEFAULT_SOURCE_TAG,
     proxyUrl: rawProxyUrl || void 0,
     verbose: cli.verbose ?? false
   };
 }
-var CACHE_FILE = join7(homedir5(), ".okx", "update-check.json");
+var CACHE_FILE = join8(homedir6(), ".okx", "update-check.json");
 var CHECK_INTERVAL_MS = 24 * 60 * 60 * 1e3;
 function readCache2() {
   try {
@@ -10182,7 +10292,7 @@ function readCache2() {
 }
 function writeCache2(cache) {
   try {
-    mkdirSync6(join7(homedir5(), ".okx"), { recursive: true });
+    mkdirSync6(join8(homedir6(), ".okx"), { recursive: true });
     writeFileSync5(CACHE_FILE, JSON.stringify(cache, null, 2), "utf-8");
   } catch {
   }
@@ -10336,13 +10446,13 @@ function findMsStoreClaudePath() {
 }
 function getConfigPath(client) {
   const home = os3.homedir();
-  const platform2 = process.platform;
+  const platform3 = process.platform;
   switch (client) {
     case "claude-desktop":
-      if (platform2 === "win32") {
+      if (platform3 === "win32") {
         return findMsStoreClaudePath() ?? path3.join(appData(), "Claude", CLAUDE_CONFIG_FILE);
       }
-      if (platform2 === "darwin") {
+      if (platform3 === "darwin") {
         return path3.join(home, "Library", "Application Support", "Claude", CLAUDE_CONFIG_FILE);
       }
       return path3.join(process.env.XDG_CONFIG_HOME ?? path3.join(home, ".config"), "Claude", CLAUDE_CONFIG_FILE);
@@ -10444,6 +10554,8 @@ function runSetup(options) {
 `);
   }
 }
+var CACHE_PATH = join12(homedir10(), ".okx", "auth-binary-check.json");
+var CHECK_INTERVAL_MS2 = 2 * 60 * 60 * 1e3;
 
 // src/constants.ts
 import { createRequire } from "module";
@@ -10451,7 +10563,7 @@ var _require = createRequire(import.meta.url);
 var pkg = _require("../package.json");
 var SERVER_NAME = "okx-trade-mcp";
 var SERVER_VERSION = pkg.version;
-var GIT_HASH = true ? "7acf49fb" : "dev";
+var GIT_HASH = true ? "1bb94dcd" : "dev";
 
 // src/server.ts
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
@@ -10728,25 +10840,16 @@ async function main() {
 `);
     return;
   }
-  const config = loadConfig(
-    {
-      modules: cli.modules,
-      profile: cli.profile,
-      site: cli.site,
-      readOnly: cli.readOnly,
-      demo: cli.demo,
-      live: cli.live,
-      userAgent: `${SERVER_NAME}/${SERVER_VERSION}`,
-      sourceTag: "MCP"
-    },
-    // MCP path: never read OKX_SKILL_TOKEN from env — the MCP path is not
-    // attributed; skill token should only flow from SKILL.md-injected --skill
-    // in the CLI path (design doc §1.3). `entryPrefix:"MCP"` is set for
-    // semantic completeness: if a future change flips `readEnv:true`, the
-    // composeTag branch would correctly produce `MCP<token>` rather than
-    // relying on DEFAULT_SOURCE_TAG as an implicit default.
-    { readEnv: false, entryPrefix: "MCP" }
-  );
+  const config = await loadConfig({
+    modules: cli.modules,
+    profile: cli.profile,
+    site: cli.site,
+    readOnly: cli.readOnly,
+    demo: cli.demo,
+    live: cli.live,
+    userAgent: `${SERVER_NAME}/${SERVER_VERSION}`,
+    sourceTag: "MCP"
+  });
   const logger = cli.noLog ? void 0 : new TradeLogger(cli.logLevel);
   const server = createServer(config, logger);
   const transport = new StdioServerTransport();