pmxt-core 2.44.4 → 2.44.6

package/dist/server/app.js

@@ -5,6 +5,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createWebSocketHandler = void 0;
 exports.createApp = createApp;
+exports.attachWebSocketEndpoint = attachWebSocketEndpoint;
 exports.startServer = startServer;
 const express_1 = __importDefault(require("express"));
 const cors_1 = __importDefault(require("cors"));
@@ -13,6 +14,9 @@ const path_1 = __importDefault(require("path"));
 const ws_handler_1 = require("./ws-handler");
 Object.defineProperty(exports, "createWebSocketHandler", { enumerable: true, get: function () { return ws_handler_1.createWebSocketHandler; } });
 const exchange_factory_1 = require("./exchange-factory");
+const feed_routes_1 = require("./feed-routes");
+const sql_route_1 = require("./sql-route");
+const router_1 = require("../router");
 const errors_1 = require("../errors");
 const logger_1 = require("../utils/logger");
 function loadMethodVerbs() {
@@ -142,7 +146,14 @@ const defaultExchanges = {
     opinion: null,
     metaculus: null,
     smarkets: null,
+    mock: null,
 };
+function getDefaultExchange(exchangeName) {
+    if (!defaultExchanges[exchangeName]) {
+        defaultExchanges[exchangeName] = (0, exchange_factory_1.createExchange)(exchangeName);
+    }
+    return defaultExchanges[exchangeName];
+}
 /**
  * Build an Express app that serves the PMXT sidecar API surface without
  * binding to a port.
@@ -151,12 +162,25 @@ const defaultExchanges = {
  * wrap the sidecar in their own auth / quota / usage middleware and serve
  * it as part of a larger Express application.
  *
- * The returned app registers:
+ * The returned app registers HTTP routes only:
  *   - `GET  /health`
  *   - (optional) the built-in `x-pmxt-access-token` auth check
  *   - `POST /api/:exchange/:method`
  *   - the error handler
  *
+ * WebSocket upgrades do not pass through Express routing. Local servers
+ * created from this app can expose `/ws` by attaching the WebSocket endpoint
+ * to the underlying HTTP server:
+ *
+ * ```ts
+ * import { createApp, attachWebSocketEndpoint } from 'pmxt-core';
+ *
+ * const accessToken = process.env.PMXT_ACCESS_TOKEN;
+ * const app = createApp({ accessToken });
+ * const server = app.listen(4000, "127.0.0.1");
+ * attachWebSocketEndpoint(server, { accessToken });
+ * ```
+ *
  * Usage:
  * ```ts
  * import express from 'express';
@@ -195,6 +219,10 @@ function createApp(options = {}) {
             next();
         });
     }
+    app.use("/v0/sql", (0, sql_route_1.createSqlRouter)());
+    // Mount before /api/:exchange/:method so "feeds" is not interpreted as
+    // an exchange name by the generic dispatcher.
+    app.use("/api/feeds", (0, feed_routes_1.createFeedRouter)());
     // Shared dispatch used by both GET and POST handlers below. Given the
     // method name, the positional args, and optional credentials, it
     // resolves the exchange instance (singleton or per-request) and
@@ -208,7 +236,12 @@ function createApp(options = {}) {
                 // calls — not a server-side env var.  Each request may carry a
                 // different key, so Router is never cached as a singleton.
                 const bearer = req.headers.authorization?.replace(/^Bearer\s+/i, "") || "";
-                exchange = (0, exchange_factory_1.createExchange)(exchangeName, undefined, bearer);
+                exchange = new router_1.Router({
+                    apiKey: bearer,
+                    localExchanges: {
+                        mock: getDefaultExchange("mock"),
+                    },
+                });
             }
             else if (credentials &&
                 (credentials.privateKey ||
@@ -217,10 +250,7 @@ function createApp(options = {}) {
                 exchange = (0, exchange_factory_1.createExchange)(exchangeName, credentials);
             }
             else {
-                if (!defaultExchanges[exchangeName]) {
-                    defaultExchanges[exchangeName] = (0, exchange_factory_1.createExchange)(exchangeName);
-                }
-                exchange = defaultExchanges[exchangeName];
+                exchange = getDefaultExchange(exchangeName);
             }
             if (req.headers["x-pmxt-verbose"] === "true") {
                 exchange.verbose = true;
@@ -327,6 +357,19 @@ function createApp(options = {}) {
     });
     return app;
 }
+/**
+ * Attach the PMXT streaming WebSocket endpoint to an HTTP server.
+ *
+ * Use this with servers built from `createApp()` when you need `/ws` support
+ * for watchOrderBook, watchOrderBooks, or watchTrades. The access token should
+ * match the one passed to `createApp()` so HTTP and WebSocket requests share
+ * the same local auth policy.
+ */
+function attachWebSocketEndpoint(server, options = {}) {
+    const wsHandler = (0, ws_handler_1.createWebSocketHandler)(options);
+    wsHandler.attach(server);
+    return wsHandler;
+}
 /**
  * Start the PMXT sidecar server on the given port with the built-in
  * access-token auth middleware enabled. Returns the underlying
@@ -338,8 +381,6 @@ function createApp(options = {}) {
 async function startServer(port, accessToken) {
     const app = createApp({ accessToken });
     const server = app.listen(port, "127.0.0.1");
-    // Attach WebSocket handler for streaming subscriptions
-    const wsHandler = (0, ws_handler_1.createWebSocketHandler)({ accessToken });
-    wsHandler.attach(server);
+    attachWebSocketEndpoint(server, { accessToken });
     return server;
 }

package/dist/server/feed-routes.js

@@ -66,6 +66,8 @@ function createFeedRouter() {
     // GET /api/feeds/:feed/fetchOHLCV?symbol=BTC/USDT&timeframe=1h&since=...&limit=...
     router.get('/:feed/fetchOHLCV', async (req, res, next) => {
         try {
+            if (sendUnsupportedIfNeeded(req, res, 'fetchOHLCV'))
+                return;
             const symbol = req.query.symbol;
             if (typeof symbol !== 'string') {
                 res.status(400).json({ success: false, error: 'Missing required query parameter: symbol' });
@@ -87,10 +89,10 @@ function createFeedRouter() {
     router.get('/:feed/fetchOrderBook', async (req, res, next) => {
         try {
             const feed = req._feed;
-            if (typeof feed.fetchOrderBook !== 'function') {
-                res.status(501).json({ success: false, error: `Feed '${req.params.feed}' does not support fetchOrderBook` });
+            if (sendUnsupportedIfNeeded(req, res, 'fetchOrderBook'))
                 return;
-            }
+            if (typeof feed.fetchOrderBook !== 'function')
+                return sendUnsupported(res, getFeedParam(req), 'fetchOrderBook');
             const symbol = req.query.symbol;
             if (typeof symbol !== 'string') {
                 res.status(400).json({ success: false, error: 'Missing required query parameter: symbol' });
@@ -107,10 +109,10 @@ function createFeedRouter() {
     router.get('/:feed/fetchOracleRound', async (req, res, next) => {
         try {
             const feed = req._feed;
-            if (typeof feed.fetchOracleRound !== 'function') {
-                res.status(501).json({ success: false, error: `Feed '${req.params.feed}' does not support fetchOracleRound` });
+            if (sendUnsupportedIfNeeded(req, res, 'fetchOracleRound'))
                 return;
-            }
+            if (typeof feed.fetchOracleRound !== 'function')
+                return sendUnsupported(res, getFeedParam(req), 'fetchOracleRound');
             const feedName = req.query.feed;
             if (typeof feedName !== 'string') {
                 res.status(400).json({ success: false, error: 'Missing required query parameter: feed' });
@@ -127,10 +129,10 @@ function createFeedRouter() {
     router.get('/:feed/fetchOracleHistory', async (req, res, next) => {
         try {
             const feed = req._feed;
-            if (typeof feed.fetchOracleHistory !== 'function') {
-                res.status(501).json({ success: false, error: `Feed '${req.params.feed}' does not support fetchOracleHistory` });
+            if (sendUnsupportedIfNeeded(req, res, 'fetchOracleHistory'))
                 return;
-            }
+            if (typeof feed.fetchOracleHistory !== 'function')
+                return sendUnsupported(res, getFeedParam(req), 'fetchOracleHistory');
             const feedName = req.query.feed;
             if (typeof feedName !== 'string') {
                 res.status(400).json({ success: false, error: 'Missing required query parameter: feed' });
@@ -150,10 +152,10 @@ function createFeedRouter() {
     router.get('/:feed/fetchHistoricalPrices', async (req, res, next) => {
         try {
             const feed = req._feed;
-            if (typeof feed.fetchHistoricalPrices !== 'function') {
-                res.status(501).json({ success: false, error: `Feed '${req.params.feed}' does not support fetchHistoricalPrices` });
+            if (sendUnsupportedIfNeeded(req, res, 'fetchHistoricalPrices'))
                 return;
-            }
+            if (typeof feed.fetchHistoricalPrices !== 'function')
+                return sendUnsupported(res, getFeedParam(req), 'fetchHistoricalPrices');
             const symbol = req.query.symbol;
             if (typeof symbol !== 'string') {
                 res.status(400).json({ success: false, error: 'Missing required query parameter: symbol' });
@@ -178,3 +180,23 @@ function createFeedRouter() {
     });
     return router;
 }
+function getRequestFeed(req) {
+    return req._feed;
+}
+function sendUnsupportedIfNeeded(req, res, method) {
+    const feed = getRequestFeed(req);
+    if (feed.has?.[method] !== false)
+        return false;
+    sendUnsupported(res, feed.name || getFeedParam(req), method);
+    return true;
+}
+function sendUnsupported(res, feedName, method) {
+    res.status(501).json({
+        success: false,
+        error: `Feed '${feedName}' does not support ${method}`,
+    });
+}
+function getFeedParam(req) {
+    const value = req.params.feed;
+    return Array.isArray(value) ? value[0] ?? 'unknown' : value;
+}

package/dist/server/sql-route.d.ts

@@ -0,0 +1,2 @@
+import { Router } from "express";
+export declare function createSqlRouter(): Router;

package/dist/server/sql-route.js

@@ -0,0 +1,277 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createSqlRouter = createSqlRouter;
+const express_1 = require("express");
+const MAX_QUERY_LENGTH = 10_000;
+const ALLOWED_FIRST_KEYWORDS = new Set([
+    "SELECT",
+    "WITH",
+    "SHOW",
+    "DESCRIBE",
+    "DESC",
+    "EXISTS",
+    "EXPLAIN",
+]);
+const WRITE_KEYWORDS = [
+    "INSERT",
+    "CREATE",
+    "DROP",
+    "ALTER",
+    "DELETE",
+    "TRUNCATE",
+    "ATTACH",
+    "DETACH",
+    "GRANT",
+    "REVOKE",
+    "KILL",
+    "RENAME",
+];
+const BLOCKED_FUNCTIONS = new Set([
+    "hostname",
+    "fqdn",
+    "displayname",
+    "version",
+    "buildid",
+    "serveruuid",
+    "uptime",
+    "tcpport",
+    "currentuser",
+    "user",
+    "currentdatabase",
+    "currentprofiles",
+    "enabledprofiles",
+    "defaultprofiles",
+    "currentroles",
+    "enabledroles",
+    "defaultroles",
+    "filesystemavailable",
+    "filesystemcapacity",
+    "filesystemunreserved",
+    "getsetting",
+    "getmacro",
+]);
+const BLOCKED_DB_PREFIXES = ["system.", "information_schema."];
+function stripComments(sql) {
+    return sql
+        .replace(/\/\*[\s\S]*?\*\//g, " ")
+        .replace(/--[^\n]*/g, " ")
+        .trim();
+}
+function stripStrings(sql) {
+    return sql.replace(/'(?:[^'\\]|\\.)*'/g, "''");
+}
+function validateSqlQuery(sql) {
+    if (typeof sql !== "string") {
+        return { valid: false, error: "query is required" };
+    }
+    const trimmed = sql.trim();
+    if (trimmed.length === 0) {
+        return { valid: false, error: "query is required" };
+    }
+    if (trimmed.length > MAX_QUERY_LENGTH) {
+        return {
+            valid: false,
+            error: `query exceeds maximum length (${MAX_QUERY_LENGTH} chars)`,
+        };
+    }
+    const withoutStrings = stripStrings(trimmed);
+    if (withoutStrings.includes(";")) {
+        return { valid: false, error: "multi-statement queries are not allowed" };
+    }
+    const stripped = stripComments(trimmed);
+    const firstWord = (stripped.split(/\s+/)[0] || "").toUpperCase();
+    if (!ALLOWED_FIRST_KEYWORDS.has(firstWord)) {
+        return {
+            valid: false,
+            error: `query type "${firstWord}" is not allowed - only SELECT, WITH, ` +
+                "SHOW, DESCRIBE, and EXPLAIN are permitted",
+        };
+    }
+    if (firstWord === "SHOW") {
+        const upper = stripped.toUpperCase();
+        if (/^SHOW\s+(GRANTS|CREATE|ACCESS|PROCESSLIST|SETTINGS)/.test(upper)) {
+            return { valid: false, error: "that SHOW command is not allowed" };
+        }
+    }
+    const safeText = stripStrings(stripped);
+    for (const keyword of WRITE_KEYWORDS) {
+        if (new RegExp(`\\b${keyword}\\b`, "i").test(safeText)) {
+            return { valid: false, error: `"${keyword}" is not allowed in queries` };
+        }
+    }
+    const lower = safeText.toLowerCase();
+    for (const prefix of BLOCKED_DB_PREFIXES) {
+        if (lower.includes(prefix)) {
+            return {
+                valid: false,
+                error: "queries against system tables are not allowed",
+            };
+        }
+    }
+    const funcCalls = lower.matchAll(/\b([a-z_][a-z0-9_]*)\s*\(/g);
+    for (const match of funcCalls) {
+        if (BLOCKED_FUNCTIONS.has(match[1])) {
+            return { valid: false, error: `function "${match[1]}" is not allowed` };
+        }
+    }
+    return { valid: true, query: trimmed };
+}
+function allowedPlans() {
+    return new Set((process.env.SQL_ALLOWED_PLANS || "Enterprise")
+        .split(",")
+        .map((plan) => plan.trim().toLowerCase())
+        .filter(Boolean));
+}
+function hasSqlAccess(req) {
+    if (!req.account)
+        return true;
+    const plan = req.account.plan_name ?? req.account.plan ?? "";
+    return typeof plan === "string" && allowedPlans().has(plan.toLowerCase());
+}
+function isConfigured() {
+    return Boolean(process.env.CLICKHOUSE_HTTP_URL);
+}
+function scrubErrorMessage(message) {
+    const user = process.env.CLICKHOUSE_SQL_USER || "readonly";
+    const escapedUser = user.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    return message
+        .replace(/\s*\(version\s+[\d.]+ \(official build\)\)/gi, "")
+        .replace(new RegExp(`${escapedUser}:\\s*`, "g"), "");
+}
+function extractErrorMessage(body) {
+    if (typeof body !== "string")
+        return String(body);
+    const trimmed = body.trim();
+    if (trimmed.startsWith("{")) {
+        try {
+            const parsed = JSON.parse(trimmed);
+            return scrubErrorMessage(parsed.exception || parsed.error || trimmed);
+        }
+        catch {
+            // Fall through to plain-text handling.
+        }
+    }
+    return scrubErrorMessage(trimmed.split("\n")[0] || "ClickHouse query failed");
+}
+async function queryClickHouse(sql) {
+    const baseUrl = process.env.CLICKHOUSE_HTTP_URL;
+    if (!baseUrl) {
+        throw Object.assign(new Error("SQL query service is not available"), {
+            chStatusCode: 503,
+        });
+    }
+    let url;
+    try {
+        url = new URL("/", baseUrl);
+    }
+    catch {
+        throw Object.assign(new Error("CLICKHOUSE_HTTP_URL is not a valid URL"), {
+            chStatusCode: 503,
+        });
+    }
+    url.searchParams.set("default_format", "JSON");
+    url.searchParams.set("readonly", "1");
+    url.searchParams.set("allow_ddl", "0");
+    url.searchParams.set("allow_introspection_functions", "0");
+    url.searchParams.set("max_execution_time", "5");
+    url.searchParams.set("max_result_rows", "10000");
+    const user = process.env.CLICKHOUSE_SQL_USER || "readonly";
+    const password = process.env.CLICKHOUSE_SQL_PASSWORD || "";
+    const auth = Buffer.from(`${user}:${password}`).toString("base64");
+    const response = await fetch(url, {
+        method: "POST",
+        headers: {
+            Authorization: `Basic ${auth}`,
+            "Content-Type": "text/plain",
+        },
+        body: sql,
+        signal: AbortSignal.timeout(6_000),
+    });
+    if (!response.ok) {
+        const body = await response.text();
+        const error = new Error(extractErrorMessage(body));
+        error.chStatusCode = response.status;
+        throw error;
+    }
+    const result = (await response.json());
+    if (result.exception) {
+        const error = new Error(extractErrorMessage(result.exception));
+        error.chStatusCode = 400;
+        throw error;
+    }
+    return result;
+}
+function extractQuery(req) {
+    return req.body?.query ?? req.query?.query;
+}
+async function handleQuery(req, res, next) {
+    try {
+        const validation = validateSqlQuery(extractQuery(req));
+        if (!validation.valid) {
+            res.status(400).json({ error: validation.error });
+            return;
+        }
+        if (!hasSqlAccess(req)) {
+            res.status(403).json({
+                error: "sql_access_denied",
+                message: "SQL query access requires an Enterprise plan",
+            });
+            return;
+        }
+        if (!isConfigured()) {
+            res.status(503).json({
+                error: "service_unavailable",
+                message: "SQL query service is not available. Configure CLICKHOUSE_HTTP_URL " +
+                    "or use the hosted PMXT Enterprise SQL endpoint.",
+            });
+            return;
+        }
+        const result = await queryClickHouse(validation.query);
+        res.json({
+            data: result.data || [],
+            meta: {
+                columns: result.meta || [],
+                rows: result.rows ?? result.data?.length ?? 0,
+                statistics: result.statistics || {},
+            },
+        });
+    }
+    catch (error) {
+        const err = error;
+        if (err.chStatusCode === 503) {
+            res.status(503).json({
+                error: "service_unavailable",
+                message: err.message,
+            });
+            return;
+        }
+        if (err.chStatusCode === 401 || err.chStatusCode === 403) {
+            res.status(502).json({
+                error: "database_error",
+                message: "Database connection failed",
+            });
+            return;
+        }
+        if (err.chStatusCode) {
+            res.status(400).json({
+                error: "query_error",
+                message: err.message,
+            });
+            return;
+        }
+        if (err.name === "TimeoutError" || err.name === "AbortError") {
+            res.status(408).json({
+                error: "query_timeout",
+                message: "Query exceeded the maximum execution time (5s)",
+            });
+            return;
+        }
+        next(error);
+    }
+}
+function createSqlRouter() {
+    const router = (0, express_1.Router)();
+    router.post("/", handleQuery);
+    router.get("/", handleQuery);
+    return router;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pmxt-core",
-  "version": "2.44.4",
+  "version": "2.44.6",
   "description": "pmxt is a unified prediction market data API. The ccxt for prediction markets.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -29,8 +29,8 @@
     "test": "jest -c jest.config.js",
     "server": "tsx watch src/server/index.ts",
     "server:prod": "node dist/server/index.js",
-    "generate:sdk:python": "npx @openapitools/openapi-generator-cli generate -i src/server/openapi.yaml -g python -o ../sdks/python/generated --package-name pmxt_internal --additional-properties=projectName=pmxt-internal,packageVersion=2.44.4,library=urllib3",
-    "generate:sdk:typescript": "npx @openapitools/openapi-generator-cli generate -i src/server/openapi.yaml -g typescript-fetch -o ../sdks/typescript/generated --additional-properties=npmName=pmxtjs,npmVersion=2.44.4,supportsES6=true,typescriptThreePlus=true && node ../sdks/typescript/scripts/fix-generated.js",
+    "generate:sdk:python": "npx @openapitools/openapi-generator-cli generate -i src/server/openapi.yaml -g python -o ../sdks/python/generated --package-name pmxt_internal --additional-properties=projectName=pmxt-internal,packageVersion=2.44.6,library=urllib3",
+    "generate:sdk:typescript": "npx @openapitools/openapi-generator-cli generate -i src/server/openapi.yaml -g typescript-fetch -o ../sdks/typescript/generated --additional-properties=npmName=pmxtjs,npmVersion=2.44.6,supportsES6=true,typescriptThreePlus=true && node ../sdks/typescript/scripts/fix-generated.js",
     "fetch:openapi": "node scripts/fetch-openapi-specs.js",
     "extract:jsdoc": "node ../scripts/extract-jsdoc.js",
     "generate:docs": "npm run extract:jsdoc && node ../scripts/generate-api-docs.js",