pmxt-core 2.26.1 → 2.27.1

package/dist/exchanges/kalshi/api.d.ts

@@ -1,6 +1,6 @@
 /**
  * Auto-generated from /home/runner/work/pmxt/pmxt/core/specs/kalshi/Kalshi.yaml
- * Generated at: 2026-04-08T07:35:03.814Z
+ * Generated at: 2026-04-09T08:46:23.692Z
  * Do not edit manually -- run "npm run fetch:openapi" to regenerate.
  */
 export declare const kalshiApiSpec: {

package/dist/exchanges/kalshi/api.js

@@ -3,7 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.kalshiApiSpec = void 0;
 /**
  * Auto-generated from /home/runner/work/pmxt/pmxt/core/specs/kalshi/Kalshi.yaml
- * Generated at: 2026-04-08T07:35:03.814Z
+ * Generated at: 2026-04-09T08:46:23.692Z
  * Do not edit manually -- run "npm run fetch:openapi" to regenerate.
  */
 exports.kalshiApiSpec = {

package/dist/exchanges/limitless/api.d.ts

@@ -1,6 +1,6 @@
 /**
  * Auto-generated from /home/runner/work/pmxt/pmxt/core/specs/limitless/Limitless.yaml
- * Generated at: 2026-04-08T07:35:03.862Z
+ * Generated at: 2026-04-09T08:46:23.728Z
  * Do not edit manually -- run "npm run fetch:openapi" to regenerate.
  */
 export declare const limitlessApiSpec: {

package/dist/exchanges/limitless/api.js

@@ -3,7 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.limitlessApiSpec = void 0;
 /**
  * Auto-generated from /home/runner/work/pmxt/pmxt/core/specs/limitless/Limitless.yaml
- * Generated at: 2026-04-08T07:35:03.862Z
+ * Generated at: 2026-04-09T08:46:23.728Z
  * Do not edit manually -- run "npm run fetch:openapi" to regenerate.
  */
 exports.limitlessApiSpec = {

package/dist/exchanges/myriad/api.d.ts

@@ -1,6 +1,6 @@
 /**
  * Auto-generated from /home/runner/work/pmxt/pmxt/core/specs/myriad/myriad.yaml
- * Generated at: 2026-04-08T07:35:03.878Z
+ * Generated at: 2026-04-09T08:46:23.741Z
  * Do not edit manually -- run "npm run fetch:openapi" to regenerate.
  */
 export declare const myriadApiSpec: {

package/dist/exchanges/myriad/api.js

@@ -3,7 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.myriadApiSpec = void 0;
 /**
  * Auto-generated from /home/runner/work/pmxt/pmxt/core/specs/myriad/myriad.yaml
- * Generated at: 2026-04-08T07:35:03.878Z
+ * Generated at: 2026-04-09T08:46:23.741Z
  * Do not edit manually -- run "npm run fetch:openapi" to regenerate.
  */
 exports.myriadApiSpec = {

package/dist/exchanges/opinion/api.d.ts

@@ -1,6 +1,6 @@
 /**
  * Auto-generated from /home/runner/work/pmxt/pmxt/core/specs/opinion/opinion-openapi.yaml
- * Generated at: 2026-04-08T07:35:03.884Z
+ * Generated at: 2026-04-09T08:46:23.746Z
  * Do not edit manually -- run "npm run fetch:openapi" to regenerate.
  */
 export declare const opinionApiSpec: {

package/dist/exchanges/opinion/api.js

@@ -3,7 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.opinionApiSpec = void 0;
 /**
  * Auto-generated from /home/runner/work/pmxt/pmxt/core/specs/opinion/opinion-openapi.yaml
- * Generated at: 2026-04-08T07:35:03.884Z
+ * Generated at: 2026-04-09T08:46:23.746Z
  * Do not edit manually -- run "npm run fetch:openapi" to regenerate.
  */
 exports.opinionApiSpec = {

package/dist/exchanges/polymarket/api-clob.d.ts

@@ -1,6 +1,6 @@
 /**
  * Auto-generated from /home/runner/work/pmxt/pmxt/core/specs/polymarket/PolymarketClobAPI.yaml
- * Generated at: 2026-04-08T07:35:03.820Z
+ * Generated at: 2026-04-09T08:46:23.698Z
  * Do not edit manually -- run "npm run fetch:openapi" to regenerate.
  */
 export declare const polymarketClobSpec: {

package/dist/exchanges/polymarket/api-clob.js

@@ -3,7 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.polymarketClobSpec = void 0;
 /**
  * Auto-generated from /home/runner/work/pmxt/pmxt/core/specs/polymarket/PolymarketClobAPI.yaml
- * Generated at: 2026-04-08T07:35:03.820Z
+ * Generated at: 2026-04-09T08:46:23.698Z
  * Do not edit manually -- run "npm run fetch:openapi" to regenerate.
  */
 exports.polymarketClobSpec = {

package/dist/exchanges/polymarket/api-data.d.ts

@@ -1,6 +1,6 @@
 /**
  * Auto-generated from /home/runner/work/pmxt/pmxt/core/specs/polymarket/Polymarket_Data_API.yaml
- * Generated at: 2026-04-08T07:35:03.838Z
+ * Generated at: 2026-04-09T08:46:23.711Z
  * Do not edit manually -- run "npm run fetch:openapi" to regenerate.
  */
 export declare const polymarketDataSpec: {

package/dist/exchanges/polymarket/api-data.js

@@ -3,7 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.polymarketDataSpec = void 0;
 /**
  * Auto-generated from /home/runner/work/pmxt/pmxt/core/specs/polymarket/Polymarket_Data_API.yaml
- * Generated at: 2026-04-08T07:35:03.838Z
+ * Generated at: 2026-04-09T08:46:23.711Z
  * Do not edit manually -- run "npm run fetch:openapi" to regenerate.
  */
 exports.polymarketDataSpec = {

package/dist/exchanges/polymarket/api-gamma.d.ts

@@ -1,6 +1,6 @@
 /**
  * Auto-generated from /home/runner/work/pmxt/pmxt/core/specs/polymarket/PolymarketGammaAPI.yaml
- * Generated at: 2026-04-08T07:35:03.836Z
+ * Generated at: 2026-04-09T08:46:23.708Z
  * Do not edit manually -- run "npm run fetch:openapi" to regenerate.
  */
 export declare const polymarketGammaSpec: {

package/dist/exchanges/polymarket/api-gamma.js

@@ -3,7 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.polymarketGammaSpec = void 0;
 /**
  * Auto-generated from /home/runner/work/pmxt/pmxt/core/specs/polymarket/PolymarketGammaAPI.yaml
- * Generated at: 2026-04-08T07:35:03.836Z
+ * Generated at: 2026-04-09T08:46:23.708Z
  * Do not edit manually -- run "npm run fetch:openapi" to regenerate.
  */
 exports.polymarketGammaSpec = {

package/dist/exchanges/probable/api.d.ts

@@ -1,6 +1,6 @@
 /**
  * Auto-generated from /home/runner/work/pmxt/pmxt/core/specs/probable/probable.yaml
- * Generated at: 2026-04-08T07:35:03.870Z
+ * Generated at: 2026-04-09T08:46:23.734Z
  * Do not edit manually -- run "npm run fetch:openapi" to regenerate.
  */
 export declare const probableApiSpec: {

package/dist/exchanges/probable/api.js

@@ -3,7 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.probableApiSpec = void 0;
 /**
  * Auto-generated from /home/runner/work/pmxt/pmxt/core/specs/probable/probable.yaml
- * Generated at: 2026-04-08T07:35:03.870Z
+ * Generated at: 2026-04-09T08:46:23.734Z
  * Do not edit manually -- run "npm run fetch:openapi" to regenerate.
  */
 exports.probableApiSpec = {

package/dist/server/app.d.ts

@@ -1 +1,58 @@
+import { Express } from "express";
+/**
+ * Options accepted by {@link createApp}.
+ */
+export interface CreateAppOptions {
+    /**
+     * Access token for the built-in `x-pmxt-access-token` auth middleware.
+     *
+     * When set, every non-`/health` request must carry a matching token.
+     * This is how the local sidecar protects itself from other processes
+     * on the same machine.
+     *
+     * When omitted (or empty string), the built-in token check is
+     * disabled. This is the mode hosted-pmxt uses when it mounts the core
+     * app under its own Bearer-auth middleware — no point double-checking.
+     */
+    accessToken?: string;
+    /**
+     * If true, skip registering `cors()` and `express.json()`.
+     *
+     * Useful when the host application has already installed its own body
+     * parser / CORS middleware and you just want the route handlers.
+     * Defaults to false.
+     */
+    skipBaseMiddleware?: boolean;
+}
+/**
+ * Build an Express app that serves the PMXT sidecar API surface without
+ * binding to a port.
+ *
+ * This is the mounting point for consumers like hosted-pmxt that want to
+ * wrap the sidecar in their own auth / quota / usage middleware and serve
+ * it as part of a larger Express application.
+ *
+ * The returned app registers:
+ *   - `GET  /health`
+ *   - (optional) the built-in `x-pmxt-access-token` auth check
+ *   - `POST /api/:exchange/:method`
+ *   - the error handler
+ *
+ * Usage:
+ * ```ts
+ * import express from 'express';
+ * import { createApp as createPmxtCoreApp } from 'pmxt-core';
+ *
+ * const app = express();
+ * app.use(myAuthMiddleware);
+ * app.use('/', createPmxtCoreApp());  // no token required — we auth upstream
+ * app.listen(4000);
+ * ```
+ */
+export declare function createApp(options?: CreateAppOptions): Express;
+/**
+ * Start the PMXT sidecar server on the given port with the built-in
+ * access-token auth middleware enabled. Returns the underlying
+ * {@link http.Server} once it is listening.
+ */
 export declare function startServer(port: number, accessToken: string): Promise<import("node:http").Server<typeof import("node:http").IncomingMessage, typeof import("node:http").ServerResponse>>;

package/dist/server/app.js

@@ -3,9 +3,12 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.createApp = createApp;
 exports.startServer = startServer;
 const express_1 = __importDefault(require("express"));
 const cors_1 = __importDefault(require("cors"));
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
 const polymarket_1 = require("../exchanges/polymarket");
 const limitless_1 = require("../exchanges/limitless");
 const kalshi_1 = require("../exchanges/kalshi");
@@ -18,6 +21,113 @@ const metaculus_1 = require("../exchanges/metaculus");
 const smarkets_1 = require("../exchanges/smarkets");
 const polymarket_us_1 = require("../exchanges/polymarket_us");
 const errors_1 = require("../errors");
+function loadMethodVerbs() {
+    const candidates = [
+        path_1.default.join(__dirname, "method-verbs.json"),
+        path_1.default.join(__dirname, "../../src/server/method-verbs.json"),
+    ];
+    for (const file of candidates) {
+        try {
+            if (fs_1.default.existsSync(file)) {
+                return JSON.parse(fs_1.default.readFileSync(file, "utf8"));
+            }
+        }
+        catch {
+            // Fall through to the next candidate.
+        }
+    }
+    console.warn("[pmxt-core] method-verbs.json not found — GET /api/:exchange/:method disabled. " +
+        "POST continues to work. Rebuild pmxt-core to regenerate.");
+    return {};
+}
+const METHOD_VERBS = loadMethodVerbs();
+/**
+ * Coerce a query-string value into its closest native type, optionally
+ * honoring the arg kind declared in `method-verbs.json`.
+ *
+ * Express's built-in query parser hands us strings (or arrays of strings)
+ * regardless of what the method actually wants. When we know the target
+ * kind we respect it exactly:
+ *   - `string` → never coerce, even if the value looks like a number.
+ *     (Critical for venue IDs like Polymarket's all-numeric condition
+ *     IDs, which must stay strings to keep `.trim()` etc. working.)
+ *   - `number` → parse as float/int; non-numeric input stays a string.
+ *   - `boolean` → accept the literal `"true"` / `"false"`, else leave as-is.
+ *
+ * When the kind is unknown (`undefined`, e.g. object-arg properties that
+ * aren't statically typed), fall back to the permissive heuristic:
+ * lift obvious numeric/boolean literals and leave everything else alone.
+ */
+function coerceQueryValue(raw, kind) {
+    if (Array.isArray(raw))
+        return raw.map((v) => coerceQueryValue(v, kind));
+    if (typeof raw !== "string")
+        return raw;
+    if (kind === "string")
+        return raw;
+    if (kind === "number") {
+        if (/^-?\d+$/.test(raw))
+            return parseInt(raw, 10);
+        if (/^-?\d*\.\d+$/.test(raw))
+            return parseFloat(raw);
+        return raw;
+    }
+    if (kind === "boolean") {
+        if (raw === "true")
+            return true;
+        if (raw === "false")
+            return false;
+        return raw;
+    }
+    // Unknown kind — permissive fallback.
+    if (raw === "true")
+        return true;
+    if (raw === "false")
+        return false;
+    if (raw === "null")
+        return null;
+    if (/^-?\d+$/.test(raw))
+        return parseInt(raw, 10);
+    if (/^-?\d*\.\d+$/.test(raw))
+        return parseFloat(raw);
+    return raw;
+}
+/**
+ * Translate a parsed query-string object into the positional `args`
+ * array that `exchange[method](...args)` expects, using the per-method
+ * spec extracted from BaseExchange.ts at generation time.
+ *
+ * Rules:
+ *   - Primitive args are pulled by name from the query and coerced.
+ *   - A single object arg swallows every *remaining* query key (after
+ *     primitive args have been consumed) as its properties.
+ *   - Trailing `undefined`s are trimmed so optional tail params stay
+ *     optional instead of arriving as explicit `undefined`.
+ */
+function queryToArgs(query, spec) {
+    // Reserve primitive arg names so they don't leak into an object arg.
+    const primitiveNames = new Set(spec.filter((s) => s.kind !== "object").map((s) => s.name));
+    const args = [];
+    for (const arg of spec) {
+        if (arg.kind === "object") {
+            const obj = {};
+            for (const [k, v] of Object.entries(query)) {
+                if (primitiveNames.has(k))
+                    continue;
+                obj[k] = coerceQueryValue(v);
+            }
+            args.push(Object.keys(obj).length > 0 ? obj : undefined);
+        }
+        else {
+            const raw = query[arg.name];
+            args.push(raw !== undefined ? coerceQueryValue(raw, arg.kind) : undefined);
+        }
+    }
+    while (args.length > 0 && args[args.length - 1] === undefined) {
+        args.pop();
+    }
+    return args;
+}
 // Singleton instances for local usage (when no credentials provided)
 const defaultExchanges = {
     polymarket: null,
@@ -31,37 +141,65 @@ const defaultExchanges = {
     metaculus: null,
     smarkets: null,
 };
-async function startServer(port, accessToken) {
+/**
+ * Build an Express app that serves the PMXT sidecar API surface without
+ * binding to a port.
+ *
+ * This is the mounting point for consumers like hosted-pmxt that want to
+ * wrap the sidecar in their own auth / quota / usage middleware and serve
+ * it as part of a larger Express application.
+ *
+ * The returned app registers:
+ *   - `GET  /health`
+ *   - (optional) the built-in `x-pmxt-access-token` auth check
+ *   - `POST /api/:exchange/:method`
+ *   - the error handler
+ *
+ * Usage:
+ * ```ts
+ * import express from 'express';
+ * import { createApp as createPmxtCoreApp } from 'pmxt-core';
+ *
+ * const app = express();
+ * app.use(myAuthMiddleware);
+ * app.use('/', createPmxtCoreApp());  // no token required — we auth upstream
+ * app.listen(4000);
+ * ```
+ */
+function createApp(options = {}) {
+    const { accessToken, skipBaseMiddleware = false } = options;
     const app = (0, express_1.default)();
-    app.use((0, cors_1.default)());
-    app.use(express_1.default.json());
+    if (!skipBaseMiddleware) {
+        app.use((0, cors_1.default)());
+        app.use(express_1.default.json({ limit: "2mb" }));
+    }
     // Health check (public)
     app.get("/health", (req, res) => {
         res.json({ status: "ok", timestamp: Date.now() });
     });
-    // Auth Middleware
-    app.use((req, res, next) => {
-        const token = req.headers["x-pmxt-access-token"];
-        if (!token || token !== accessToken) {
-            res.status(401).json({
-                success: false,
-                error: "Unauthorized: Invalid or missing access token",
-            });
-            return;
-        }
-        next();
-    });
-    // API endpoint: POST /api/:exchange/:method
-    // Body: { args: any[], credentials?: ExchangeCredentials }
-    app.post("/api/:exchange/:method", async (req, res, next) => {
+    // Optional built-in auth. Only registered when an accessToken is
+    // supplied — hosted-pmxt mounts this app without a token and relies on
+    // its own upstream Bearer middleware.
+    if (accessToken) {
+        app.use((req, res, next) => {
+            const token = req.headers["x-pmxt-access-token"];
+            if (!token || token !== accessToken) {
+                res.status(401).json({
+                    success: false,
+                    error: "Unauthorized: Invalid or missing access token",
+                });
+                return;
+            }
+            next();
+        });
+    }
+    // Shared dispatch used by both GET and POST handlers below. Given the
+    // method name, the positional args, and optional credentials, it
+    // resolves the exchange instance (singleton or per-request) and
+    // invokes `exchange[method](...args)`.
+    async function dispatchMethod(req, res, next, methodName, args, credentials) {
         try {
             const exchangeName = req.params.exchange.toLowerCase();
-            const methodName = req.params.method;
-            const args = Array.isArray(req.body.args) ? req.body.args : [];
-            const credentials = req.body.credentials;
-            // 1. Get or Initialize Exchange
-            // If credentials are provided, create a new instance for this request
-            // Otherwise, use the singleton instance
             let exchange;
             if (credentials &&
                 (credentials.privateKey ||
@@ -75,15 +213,12 @@ async function startServer(port, accessToken) {
                 }
                 exchange = defaultExchanges[exchangeName];
             }
-            // Apply verbose logging if requested via header
             if (req.headers["x-pmxt-verbose"] === "true") {
                 exchange.verbose = true;
             }
             else {
-                // Reset to false for singleton instances to avoid leaking state between requests
                 exchange.verbose = false;
             }
-            // 2. Validate Method
             if (typeof exchange[methodName] !== "function") {
                 res.status(404).json({
                     success: false,
@@ -91,13 +226,48 @@ async function startServer(port, accessToken) {
                 });
                 return;
             }
-            // 3. Execute with direct argument spreading
             const result = await exchange[methodName](...args);
             res.json({ success: true, data: result });
         }
         catch (error) {
             next(error);
         }
+    }
+    // GET /api/:exchange/:method
+    //
+    // Enabled for methods classified as idempotent reads by the OpenAPI
+    // generator (every method starting with `fetch` whose signature fits
+    // in a query string). The method name is looked up in METHOD_VERBS;
+    // if it isn't a GET method we return 405 so callers don't silently
+    // hit a stale route. POST continues to work for every method,
+    // including the ones exposed as GET here, so existing SDK clients
+    // that unconditionally POST keep functioning unchanged.
+    app.get("/api/:exchange/:method", async (req, res, next) => {
+        const methodName = req.params.method;
+        const meta = METHOD_VERBS[methodName];
+        if (!meta || meta.verb !== "get") {
+            res.status(405).json({
+                success: false,
+                error: `Method '${methodName}' is not available via GET. ` +
+                    `Use POST /api/:exchange/${methodName} instead.`,
+            });
+            return;
+        }
+        const args = queryToArgs(req.query, meta.args);
+        // GET requests never carry credentials in the body (and query
+        // strings would leak them); unauthenticated reads only.
+        await dispatchMethod(req, res, next, methodName, args, undefined);
+    });
+    // POST /api/:exchange/:method
+    //
+    // The original RPC-shaped surface. Body: { args: any[], credentials? }.
+    // Accepts every method, including reads — so pre-existing clients
+    // that POST reads keep working forever.
+    app.post("/api/:exchange/:method", async (req, res, next) => {
+        const methodName = req.params.method;
+        const args = Array.isArray(req.body.args) ? req.body.args : [];
+        const credentials = req.body.credentials;
+        await dispatchMethod(req, res, next, methodName, args, credentials);
     });
     // Error handler
     app.use((error, req, res, next) => {
@@ -139,6 +309,15 @@ async function startServer(port, accessToken) {
             },
         });
     });
+    return app;
+}
+/**
+ * Start the PMXT sidecar server on the given port with the built-in
+ * access-token auth middleware enabled. Returns the underlying
+ * {@link http.Server} once it is listening.
+ */
+async function startServer(port, accessToken) {
+    const app = createApp({ accessToken });
     return app.listen(port, "127.0.0.1");
 }
 function createExchange(name, credentials) {