solana-traderclaw 1.0.36 → 1.0.38

package/bin/installer-step-engine.mjs

@@ -619,7 +619,7 @@ function traderCronPrescriptiveJobs(agentId) {
       schedule: "0 * * * *",
       agentId,
       message:
-        "CRON_JOB: alpha_scan — Call solana_scan_launches to find new token launches from the last hour. For each candidate, call solana_token_snapshot to check price, volume, and age. Filter for: 24h volume above 50000 USD, market cap above 10000 USD. For tokens that pass, call solana_token_holders to check holder distribution (skip if top holder owns more than 30 percent), then solana_token_risk to check for mint/freeze authority (hard skip if present). If a token passes all checks, call solana_alpha_submit to add it to the alpha buffer for the CTO's next heartbeat evaluation. Log all scanned tokens and results using solana_memory_write. Do not execute trades directly — only submit to alpha buffer. Do not ask questions.",
+        "CRON_JOB: alpha_scan — Call solana_scan_launches to find new token launches from the last hour. For each candidate, call solana_token_snapshot to check price, volume, and age. Filter for: 24h volume above 50000 USD, market cap above 10000 USD. For tokens that pass, call solana_token_holders to check holder distribution (skip if top holder owns more than 30 percent), then solana_token_risk to check for mint/freeze authority (hard skip if present). If a token passes all checks, use solana_trade_precheck and consider trade execution using solana_trade_execute. Log all scanned tokens and results using solana_memory_write. Do not ask questions.",
       enabled: true,
     },
     {

package/bin/openclaw-trader.mjs

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 import { createInterface } from "readline";
-import { readFileSync, writeFileSync, mkdirSync, appendFileSync } from "fs";
+import { readFileSync, writeFileSync, mkdirSync, appendFileSync, existsSync } from "fs";
 import { join } from "path";
 import { homedir } from "os";
 import { randomUUID, createPrivateKey, sign as cryptoSign } from "crypto";
@@ -2596,6 +2596,242 @@ async function cmdInstall(args) {
   printInfo("Press Ctrl+C to stop the wizard server.");
 }
 
+async function cmdTestSession(args) {
+  const config = readConfig();
+  const pluginConfig = getPluginConfig(config);
+
+  if (!pluginConfig) {
+    printError("No plugin configuration found. Run 'traderclaw setup' first.");
+    process.exit(1);
+  }
+
+  const orchestratorUrl = pluginConfig.orchestratorUrl;
+  if (!orchestratorUrl) {
+    printError("orchestratorUrl not set in config. Run 'traderclaw setup' to fix.");
+    process.exit(1);
+  }
+
+  const dataDir = pluginConfig.dataDir || join(process.cwd(), ".traderclaw-v1-data");
+  const sessionTokensPath = join(dataDir, "session-tokens.json");
+
+  let sidecar = null;
+  try {
+    if (existsSync(sessionTokensPath)) {
+      sidecar = JSON.parse(readFileSync(sessionTokensPath, "utf-8"));
+    }
+  } catch { /* ignore */ }
+
+  const effectiveRefreshToken =
+    (sidecar?.refreshToken && sidecar.refreshToken.length > 0)
+      ? sidecar.refreshToken
+      : pluginConfig.refreshToken;
+
+  const walletPrivateKeyInput = args.includes("--wallet-private-key")
+    ? args[args.indexOf("--wallet-private-key") + 1] || ""
+    : "";
+
+  print("\nTraderClaw V1 — Session Auth Test\n");
+  print("=".repeat(50));
+  printInfo(`  Orchestrator:     ${orchestratorUrl}`);
+  printInfo(`  API key:          ${pluginConfig.apiKey ? maskKey(pluginConfig.apiKey) : "MISSING"}`);
+  printInfo(`  Refresh token:    ${effectiveRefreshToken ? maskKey(effectiveRefreshToken) : "MISSING"}`);
+  printInfo(`  Sidecar file:     ${sidecar ? sessionTokensPath : "not found"}`);
+  printInfo(`  Wallet pub key:   ${pluginConfig.walletPublicKey || "not set"}`);
+  printInfo(`  Wallet priv key:  ${getRuntimeWalletPrivateKey(walletPrivateKeyInput) ? "available" : "NOT AVAILABLE"}`);
+  print("");
+
+  const results = [];
+  let currentAccessToken = null;
+  let currentRefreshToken = effectiveRefreshToken;
+
+  // --- Test 1: Initial refresh ---
+  print("  [1/5] Token refresh...");
+  const t1Start = Date.now();
+  try {
+    if (!currentRefreshToken) {
+      throw new Error("No refresh token available — skip to challenge flow test");
+    }
+    const tokens = await doRefresh(orchestratorUrl, currentRefreshToken);
+    if (!tokens) {
+      printWarn("        Refresh returned null (token revoked/expired) — will test challenge flow");
+      results.push({ test: "initial_refresh", status: "expired", ms: Date.now() - t1Start });
+      currentRefreshToken = null;
+    } else {
+      const ms = Date.now() - t1Start;
+      currentAccessToken = tokens.accessToken;
+      currentRefreshToken = tokens.refreshToken;
+      printSuccess(`        OK (${ms}ms) — accessTokenTtl: ${tokens.accessTokenTtlSeconds}s, refreshTokenTtl: ${tokens.refreshTokenTtlSeconds}s`);
+      results.push({
+        test: "initial_refresh",
+        status: "ok",
+        ms,
+        accessTokenTtl: tokens.accessTokenTtlSeconds,
+        refreshTokenTtl: tokens.refreshTokenTtlSeconds,
+        tier: tokens.session?.tier,
+      });
+    }
+  } catch (err) {
+    printError(`        FAIL: ${err.message}`);
+    results.push({ test: "initial_refresh", status: "fail", ms: Date.now() - t1Start, error: err.message });
+    currentRefreshToken = null;
+  }
+
+  // --- Test 2: Second refresh (verifies rotation worked) ---
+  print("  [2/5] Second refresh (token rotation check)...");
+  const t2Start = Date.now();
+  try {
+    if (!currentRefreshToken) {
+      throw new Error("No refresh token — skipped (previous test failed)");
+    }
+    const tokens2 = await doRefresh(orchestratorUrl, currentRefreshToken);
+    if (!tokens2) {
+      printError("        FAIL: second refresh returned null — rotation may be broken");
+      results.push({ test: "rotation_check", status: "fail", ms: Date.now() - t2Start, error: "null response" });
+    } else {
+      const ms = Date.now() - t2Start;
+      const rotated = tokens2.refreshToken !== currentRefreshToken;
+      currentAccessToken = tokens2.accessToken;
+      currentRefreshToken = tokens2.refreshToken;
+      if (rotated) {
+        printSuccess(`        OK (${ms}ms) — refresh token rotated correctly`);
+      } else {
+        printWarn(`        OK (${ms}ms) — refresh token NOT rotated (server may use static tokens)`);
+      }
+      results.push({ test: "rotation_check", status: "ok", ms, rotated });
+    }
+  } catch (err) {
+    printError(`        FAIL: ${err.message}`);
+    results.push({ test: "rotation_check", status: "fail", ms: Date.now() - t2Start, error: err.message });
+  }
+
+  // --- Test 3: API call with access token ---
+  print("  [3/5] Authenticated API call (/healthz)...");
+  const t3Start = Date.now();
+  try {
+    if (!currentAccessToken) {
+      throw new Error("No access token — skipped");
+    }
+    const health = await httpRequest(`${orchestratorUrl}/healthz`, {
+      accessToken: currentAccessToken,
+      timeout: 8000,
+    });
+    const ms = Date.now() - t3Start;
+    if (health.ok) {
+      printSuccess(`        OK (${ms}ms) — orchestrator healthy`);
+      results.push({ test: "api_call", status: "ok", ms });
+    } else {
+      printError(`        FAIL: HTTP ${health.status}`);
+      results.push({ test: "api_call", status: "fail", ms, error: `HTTP ${health.status}` });
+    }
+  } catch (err) {
+    printError(`        FAIL: ${err.message}`);
+    results.push({ test: "api_call", status: "fail", ms: Date.now() - t3Start, error: err.message });
+  }
+
+  // --- Test 4: Challenge flow (re-auth from scratch) ---
+  print("  [4/5] Challenge flow (full re-authentication)...");
+  const t4Start = Date.now();
+  try {
+    if (!pluginConfig.apiKey) {
+      throw new Error("No API key — cannot test challenge flow");
+    }
+    const challenge = await doChallenge(orchestratorUrl, pluginConfig.apiKey, pluginConfig.walletPublicKey);
+    const ms = Date.now() - t4Start;
+    if (challenge.walletProofRequired) {
+      const wpk = getRuntimeWalletPrivateKey(walletPrivateKeyInput);
+      if (wpk) {
+        try {
+          const walletSig = signChallengeLocally(challenge.challenge, wpk);
+          const tokens = await doSessionStart(
+            orchestratorUrl,
+            pluginConfig.apiKey,
+            challenge.challengeId,
+            challenge.walletPublicKey || pluginConfig.walletPublicKey,
+            walletSig,
+          );
+          const totalMs = Date.now() - t4Start;
+          currentAccessToken = tokens.accessToken;
+          currentRefreshToken = tokens.refreshToken;
+          printSuccess(`        OK (${totalMs}ms) — challenge + wallet proof succeeded`);
+          results.push({ test: "challenge_flow", status: "ok", ms: totalMs, walletProof: true });
+        } catch (sigErr) {
+          printError(`        FAIL (wallet signing): ${sigErr.message}`);
+          results.push({ test: "challenge_flow", status: "fail", ms: Date.now() - t4Start, error: sigErr.message });
+        }
+      } else {
+        printWarn(`        PARTIAL (${ms}ms) — challenge OK but wallet proof needed and TRADERCLAW_WALLET_PRIVATE_KEY not available`);
+        printWarn("        Set TRADERCLAW_WALLET_PRIVATE_KEY env var or pass --wallet-private-key to test fully");
+        results.push({ test: "challenge_flow", status: "partial", ms, walletProofRequired: true, keyAvailable: false });
+      }
+    } else {
+      const tokens = await doSessionStart(orchestratorUrl, pluginConfig.apiKey, challenge.challengeId);
+      const totalMs = Date.now() - t4Start;
+      currentAccessToken = tokens.accessToken;
+      currentRefreshToken = tokens.refreshToken;
+      printSuccess(`        OK (${totalMs}ms) — challenge flow succeeded (no wallet proof needed)`);
+      results.push({ test: "challenge_flow", status: "ok", ms: totalMs, walletProof: false });
+    }
+  } catch (err) {
+    printError(`        FAIL: ${err.message}`);
+    results.push({ test: "challenge_flow", status: "fail", ms: Date.now() - t4Start, error: err.message });
+  }
+
+  // --- Test 5: Persist rotated tokens back to sidecar ---
+  print("  [5/5] Persist tokens to sidecar...");
+  try {
+    if (currentRefreshToken && currentAccessToken) {
+      mkdirSync(dataDir, { recursive: true });
+      const payload = {
+        refreshToken: currentRefreshToken,
+        accessToken: currentAccessToken,
+        accessTokenExpiresAt: Date.now() + 900_000,
+        walletPublicKey: pluginConfig.walletPublicKey || undefined,
+      };
+      const tmp = `${sessionTokensPath}.${process.pid}.${Date.now()}.tmp`;
+      writeFileSync(tmp, JSON.stringify(payload, null, 2) + "\n", "utf-8");
+      const { renameSync } = await import("fs");
+      renameSync(tmp, sessionTokensPath);
+      printSuccess(`        OK — written to ${sessionTokensPath}`);
+      results.push({ test: "persist_sidecar", status: "ok" });
+
+      pluginConfig.refreshToken = currentRefreshToken;
+      removeLegacyWalletPrivateKey(pluginConfig);
+      setPluginConfig(config, pluginConfig);
+      writeConfig(config);
+      printSuccess("        Config updated with latest refresh token");
+    } else {
+      printWarn("        SKIP — no valid tokens to persist");
+      results.push({ test: "persist_sidecar", status: "skip" });
+    }
+  } catch (err) {
+    printError(`        FAIL: ${err.message}`);
+    results.push({ test: "persist_sidecar", status: "fail", error: err.message });
+  }
+
+  // --- Summary ---
+  print("\n" + "=".repeat(50));
+  const passed = results.filter((r) => r.status === "ok").length;
+  const failed = results.filter((r) => r.status === "fail").length;
+  const partial = results.filter((r) => r.status === "partial" || r.status === "expired" || r.status === "skip").length;
+
+  if (failed === 0 && passed > 0) {
+    printSuccess(`\n  ALL TESTS PASSED (${passed}/${results.length})`);
+  } else if (failed > 0) {
+    printError(`\n  ${failed} FAILED, ${passed} passed, ${partial} skipped/partial`);
+  } else {
+    printWarn(`\n  ${passed} passed, ${partial} skipped/partial`);
+  }
+
+  print("\n  Build-and-test workflow (no reinstall):");
+  printInfo("    cd /path/to/plugin && npm run build");
+  printInfo("    npm link");
+  printInfo("    sudo systemctl restart openclaw");
+  printInfo("    traderclaw test-session");
+  print("");
+
+  if (failed > 0) process.exit(1);
+}
+
 function printHelp() {
   print(`
 TraderClaw V1 CLI v${VERSION}
@@ -2612,6 +2848,7 @@ Commands:
   logout             Revoke current session and clear tokens
   status             Check connection health and wallet status
   config             View and manage configuration
+  test-session       Test session auth flow (refresh, rotation, challenge) without reinstalling
 
 Setup options:
   --api-key, -k      API key (skip interactive prompt)
@@ -2658,6 +2895,8 @@ Examples:
   traderclaw status
   traderclaw config show
   traderclaw config set apiTimeout 60000
+  traderclaw test-session
+  traderclaw test-session --wallet-private-key <base58_key>
 `);
 }
 
@@ -2703,6 +2942,9 @@ async function main() {
     case "config":
       await cmdConfig(args.slice(1));
       break;
+    case "test-session":
+      await cmdTestSession(args.slice(1));
+      break;
     default:
       printError(`Unknown command: ${command}`);
       printHelp();

package/dist/{chunk-QSICXLW7.js → chunk-GYXPEC7O.js}

@@ -144,6 +144,8 @@ var SessionManager = class {
   log;
   refreshInFlight = null;
   refreshTokenTtlMs = 0;
+  accessTokenTtlMs = 0;
+  tokenGeneration = 0;
   proactiveRefreshTimer = null;
   proactiveRefreshRunning = false;
   constructor(config) {
@@ -224,6 +226,7 @@ var SessionManager = class {
     if (!this.refreshTokenValue) {
       throw new Error("No refresh token available. Must authenticate via challenge flow.");
     }
+    const genBefore = this.tokenGeneration;
     const res = await rawFetch(
       `${this.baseUrl}/api/session/refresh`,
       "POST",
@@ -233,9 +236,13 @@ var SessionManager = class {
     );
     if (!res.ok) {
       if (res.status === 401 || res.status === 403) {
-        this.accessToken = null;
-        this.refreshTokenValue = null;
-        this.accessTokenExpiresAt = 0;
+        if (this.tokenGeneration === genBefore) {
+          this.accessToken = null;
+          this.refreshTokenValue = null;
+          this.accessTokenExpiresAt = 0;
+        } else {
+          this.log.info("[session] Stale 401/403 ignored \u2014 tokens already rotated by concurrent call.");
+        }
         throw new Error("Refresh token expired or revoked. Must re-authenticate via challenge flow.");
       }
       throw new Error(`Token refresh failed (HTTP ${res.status}): ${JSON.stringify(res.data)}`);
@@ -303,14 +310,7 @@ var SessionManager = class {
     if (this.accessToken && Date.now() < this.accessTokenExpiresAt - 12e4) {
       return this.accessToken;
     }
-    if (!this.refreshInFlight) {
-      this.refreshInFlight = this.ensureRefreshed();
-    }
-    try {
-      await this.refreshInFlight;
-    } finally {
-      this.refreshInFlight = null;
-    }
+    await this.unifiedRefresh();
     if (!this.accessToken) {
       throw new Error(
         `Session expired and could not be refreshed. Re-authentication required. Troubleshooting: ${TRADERCLAW_SESSION_TROUBLESHOOTING}`
@@ -321,14 +321,7 @@ var SessionManager = class {
   async handleUnauthorized() {
     this.accessToken = null;
     this.accessTokenExpiresAt = 0;
-    if (!this.refreshInFlight) {
-      this.refreshInFlight = this.ensureRefreshed();
-    }
-    try {
-      await this.refreshInFlight;
-    } finally {
-      this.refreshInFlight = null;
-    }
+    await this.unifiedRefresh();
     if (!this.accessToken) {
       throw new Error(
         `Session expired and could not be refreshed. Re-authentication required. Troubleshooting: ${TRADERCLAW_SESSION_TROUBLESHOOTING}`
@@ -336,6 +329,20 @@ var SessionManager = class {
     }
     return this.accessToken;
   }
+  /**
+   * Single-mutex refresh: all paths (proactive timer, on-demand getAccessToken,
+   * handleUnauthorized) funnel through here so only one refresh HTTP call is
+   * ever in-flight. Prevents the race where two concurrent refresh() calls
+   * with the same rotating refresh token kill the session.
+   */
+  async unifiedRefresh() {
+    if (!this.refreshInFlight) {
+      this.refreshInFlight = this.ensureRefreshed().finally(() => {
+        this.refreshInFlight = null;
+      });
+    }
+    await this.refreshInFlight;
+  }
   isAuthenticated() {
     return !!this.accessToken;
   }
@@ -357,9 +364,11 @@ var SessionManager = class {
     return this.walletPublicKey;
   }
   applyTokens(tokens) {
+    this.tokenGeneration++;
     this.accessToken = tokens.accessToken;
     this.refreshTokenValue = tokens.refreshToken;
     this.accessTokenExpiresAt = Date.now() + tokens.accessTokenTtlSeconds * 1e3;
+    this.accessTokenTtlMs = tokens.accessTokenTtlSeconds * 1e3;
     this.refreshTokenTtlMs = (tokens.refreshTokenTtlSeconds || 0) * 1e3;
     this.sessionId = tokens.session.id;
     this.tier = tokens.session.tier;
@@ -375,14 +384,19 @@ var SessionManager = class {
     this.scheduleProactiveRefresh();
   }
   /**
-   * Schedule a background token refresh well before the refresh token expires.
-   * Uses 50% of refresh token TTL (clamped between 2 min and 20 min).
-   * Each successful refresh rotates both tokens, keeping the chain alive
-   * even when no tool calls are happening (idle heartbeat gaps, gateway restarts).
+   * Schedule a repeating background token refresh. Uses setInterval so the
+   * chain cannot silently break if a single cycle fails to re-schedule.
+   *
+   * Interval = min(50% refresh-token TTL, accessTokenTtl - 2.5 min buffer),
+   * clamped between 2 min and 20 min. Falls back to 10 min when TTLs unknown.
+   *
+   * Goes through unifiedRefresh() so it shares the same mutex as on-demand
+   * callers and can fall back to the full challenge flow when refresh tokens
+   * are permanently revoked.
    */
   scheduleProactiveRefresh() {
     if (this.proactiveRefreshTimer) {
-      clearTimeout(this.proactiveRefreshTimer);
+      clearInterval(this.proactiveRefreshTimer);
       this.proactiveRefreshTimer = null;
     }
     const MIN_INTERVAL_MS = 2 * 60 * 1e3;
@@ -394,17 +408,20 @@ var SessionManager = class {
     } else {
       intervalMs = DEFAULT_INTERVAL_MS;
     }
-    this.proactiveRefreshTimer = setTimeout(async () => {
+    if (this.accessTokenTtlMs > 0) {
+      const accessBasedMs = Math.max(MIN_INTERVAL_MS, this.accessTokenTtlMs - 15e4);
+      intervalMs = Math.min(intervalMs, accessBasedMs);
+    }
+    this.log.info(`[session] Proactive refresh scheduled every ${Math.round(intervalMs / 1e3)}s`);
+    this.proactiveRefreshTimer = setInterval(async () => {
       if (this.proactiveRefreshRunning) return;
       this.proactiveRefreshRunning = true;
       try {
-        if (!this.refreshTokenValue) return;
         this.log.info(`[session] Proactive token refresh (interval: ${Math.round(intervalMs / 1e3)}s)...`);
-        await this.refresh();
+        await this.unifiedRefresh();
         this.log.info("[session] Proactive refresh succeeded \u2014 token chain extended.");
       } catch (err) {
-        this.log.warn(`[session] Proactive refresh failed: ${err.message}. Will retry next cycle or on-demand.`);
-        this.scheduleProactiveRefresh();
+        this.log.warn(`[session] Proactive refresh failed: ${err.message}. Will retry next interval or on-demand.`);
       } finally {
         this.proactiveRefreshRunning = false;
       }
@@ -415,7 +432,7 @@ var SessionManager = class {
   }
   destroy() {
     if (this.proactiveRefreshTimer) {
-      clearTimeout(this.proactiveRefreshTimer);
+      clearInterval(this.proactiveRefreshTimer);
       this.proactiveRefreshTimer = null;
     }
   }

package/dist/index.js

@@ -9,7 +9,7 @@ import {
 } from "./chunk-T4YWGIIR.js";
 import {
   SessionManager
-} from "./chunk-QSICXLW7.js";
+} from "./chunk-GYXPEC7O.js";
 
 // index.ts
 import { Type } from "@sinclair/typebox";
@@ -1254,14 +1254,31 @@ var solanaTraderPlugin = {
     });
     api.registerTool({
       name: "solana_trade_precheck",
-      description: "Pre-trade risk check \u2014 validates a proposed trade against risk rules, kill switch, entitlement limits, and on-chain conditions. Returns approved/denied with reasons and capped size. Always call this before executing a trade. Buy: sizeSol required; do not send sizeTokens or sellPct. Sell: send exactly one of sizeTokens or sellPct (not sizeSol). If both sellPct and sizeTokens are sent, sellPct is preferred and sizeTokens is ignored.",
+      description: "Pre-trade risk check \u2014 validates a proposed trade against risk rules, kill switch, entitlement limits, and on-chain conditions. Returns approved/denied with reasons and capped size. Always call this before executing a trade. Buy: sizeSol required; do not send sizeTokens or sellPct. Sell: send exactly one of sizeTokens or sellPct (not sizeSol). If both sellPct and sizeTokens are sent, sellPct is preferred and sizeTokens is ignored. Optional exit fields (trailingStopPct, trailingStop) are accepted to mirror execute payloads; sizing logic ignores them.",
       parameters: Type.Object({
         tokenAddress: Type.String({ description: "Solana token mint address" }),
         side: Type.Union([Type.Literal("buy"), Type.Literal("sell")], { description: "Trade direction" }),
         sizeSol: Type.Optional(Type.Number({ description: "Position size in SOL \u2014 required for buy, omit for sell" })),
         sellPct: Type.Optional(Type.Number({ description: "Sell percentage 1\u2013100 (100 = full exit) \u2014 sell only; preferred over sizeTokens if both sent" })),
         sizeTokens: Type.Optional(Type.Number({ description: "Token amount to sell \u2014 sell only; ignored if sellPct is also provided" })),
-        slippageBps: Type.Optional(Type.Number({ description: "Slippage tolerance in basis points (e.g., 300 = 3%)" }))
+        slippageBps: Type.Optional(Type.Number({ description: "Slippage tolerance in basis points (e.g., 300 = 3%)" })),
+        trailingStopPct: Type.Optional(Type.Number({ description: "Optional \u2014 same as execute; ignored for policy sizing" })),
+        trailingStop: Type.Optional(
+          Type.Object({
+            levels: Type.Array(
+              Type.Object({
+                percentage: Type.Number({ description: "Trailing drawdown % from the armed high once the level is active" }),
+                amount: Type.Optional(Type.Number({ description: "% of position to sell at this level (1\u2013100). Server default 100." })),
+                triggerAboveATH: Type.Optional(
+                  Type.Number({
+                    description: "Optional. % above session ATH before this level arms. If omitted, API defaults to 100 (2\xD7 ATH)."
+                  })
+                )
+              }),
+              { minItems: 1, maxItems: 5, description: "Multi-level trailing (optional on precheck)" }
+            )
+          })
+        )
       }),
       execute: wrapExecute(async (_id, params) => {
         const body = {
@@ -1269,6 +1286,13 @@ var solanaTraderPlugin = {
           side: params.side,
           slippageBps: params.slippageBps
         };
+        if (params.trailingStopPct !== void 0) {
+          body.trailingStopPct = params.trailingStopPct;
+        }
+        const ts = params.trailingStop;
+        if (ts?.levels && Array.isArray(ts.levels) && ts.levels.length > 0) {
+          body.trailingStop = ts;
+        }
         if (params.side === "buy") {
           body.sizeSol = params.sizeSol;
         } else {
@@ -1283,7 +1307,7 @@ var solanaTraderPlugin = {
     });
     api.registerTool({
       name: "solana_trade_execute",
-      description: "Execute a trade on Solana via the SpyFly bot. Enforces risk rules before proxying to on-chain execution. Returns trade ID, position ID, and transaction signature. IMPORTANT: tpLevels alone (e.g. [10, 15]) means EACH level sells 100% of the position at that gain \u2014 use tpExits for partials (e.g. +10% sell 50%, +15% sell 100%). Buy: sizeSol required; do not send sizeTokens or sellPct. Sell: send exactly one of sizeTokens or sellPct (not sizeSol). If both sellPct and sizeTokens are sent, sellPct is preferred and sizeTokens is ignored.",
+      description: "Execute a trade on Solana via the SpyFly bot. Enforces risk rules before proxying to on-chain execution. Returns trade ID, position ID, and transaction signature. IMPORTANT: tpLevels alone (e.g. [10, 15]) means EACH level sells 100% of the position at that gain \u2014 use tpExits for partials (e.g. +10% sell 50%, +15% sell 100%). Trailing: use `trailingStopPct` for a single simple trailing %, or `trailingStop.levels` (1\u20135) for multi-level trailing with optional `triggerAboveATH` per level (% above session ATH before that level arms; if omitted, server defaults to 100 i.e. 2\xD7 ATH). When both are sent, `trailingStop` wins. Buy: sizeSol required; do not send sizeTokens or sellPct. Sell: send exactly one of sizeTokens or sellPct (not sizeSol). If both sellPct and sizeTokens are sent, sellPct is preferred and sizeTokens is ignored.",
       parameters: Type.Object({
         tokenAddress: Type.String({ description: "Solana token mint address" }),
         side: Type.Union([Type.Literal("buy"), Type.Literal("sell")], { description: "Trade direction" }),
@@ -1318,7 +1342,37 @@ var solanaTraderPlugin = {
             { description: "Multi-level stop-loss with partial exits (optional). Otherwise use slPct for a single full exit." }
           )
         ),
-        trailingStopPct: Type.Optional(Type.Number({ description: "Trailing stop percentage" })),
+        trailingStopPct: Type.Optional(
+          Type.Number({
+            description: "Single trailing-stop % (legacy). Ignored if `trailingStop` is provided."
+          })
+        ),
+        trailingStop: Type.Optional(
+          Type.Object({
+            levels: Type.Array(
+              Type.Object({
+                percentage: Type.Number({
+                  description: "Once armed, sell when price drops this % from the high (trailing drawdown)."
+                }),
+                amount: Type.Optional(
+                  Type.Number({
+                    description: "% of position to sell when this level fires (1\u2013100). Server default 100."
+                  })
+                ),
+                triggerAboveATH: Type.Optional(
+                  Type.Number({
+                    description: "Optional. Session price must reach this % above session ATH before this level arms (e.g. 50 \u2192 1.5\xD7 ATH). If omitted, API defaults to 100 (2\xD7 ATH)."
+                  })
+                )
+              }),
+              {
+                minItems: 1,
+                maxItems: 5,
+                description: "Ordered trailing-stop levels (up to 5)."
+              }
+            )
+          })
+        ),
         managementMode: Type.Optional(
           Type.Union([Type.Literal("LOCAL_MANAGED"), Type.Literal("SERVER_MANAGED")], {
             description: "Advisory only \u2014 server decides position mode internally. Sent for future compatibility."
@@ -1337,9 +1391,14 @@ var solanaTraderPlugin = {
           symbol: params.symbol,
           slippageBps: params.slippageBps,
           slPct: params.slPct,
-          trailingStopPct: params.trailingStopPct,
           managementMode: params.managementMode
         };
+        const tsExecute = params.trailingStop;
+        if (tsExecute?.levels && Array.isArray(tsExecute.levels) && tsExecute.levels.length > 0) {
+          body.trailingStop = tsExecute;
+        } else if (params.trailingStopPct !== void 0) {
+          body.trailingStopPct = params.trailingStopPct;
+        }
         if (params.side === "buy") {
           body.sizeSol = params.sizeSol;
         } else {
@@ -1507,7 +1566,7 @@ var solanaTraderPlugin = {
     });
     api.registerTool({
       name: "solana_capital_status",
-      description: "Get your current capital status \u2014 SOL balance, open position count, unrealized PnL, daily notional used, daily loss, and effective limits (adjusted by entitlements).",
+      description: "Get your current capital status \u2014 SOL balance, open position count, unrealized/realized PnL, daily notional used, daily loss, and effective limits. **PnL:** `totalUnrealizedPnl` / `totalRealizedPnl` are USD (DB); use `totalUnrealizedPnlSol` / `totalRealizedPnlSol` / `totalPnlSol` for SOL (derived via `solPriceUsd`, same as positions API).",
       parameters: Type.Object({}),
       execute: wrapExecute(
         async () => get(`/api/capital/status?walletId=${walletId}`)
@@ -1515,7 +1574,7 @@ var solanaTraderPlugin = {
     });
     api.registerTool({
       name: "solana_positions",
-      description: "List your current trading positions with unrealized PnL, entry price, current price, stop-loss/take-profit settings, and management mode. Call at the START of every trading cycle for interrupt check. Also use to detect dead money (flat positions).",
+      description: "List trading positions with mark-to-market. **PnL:** `realizedPnl` / `unrealizedPnl` are USD as stored; prefer `realizedPnlSol` / `unrealizedPnlSol` when reasoning in SOL. `unrealizedReturnPct` is ROI on cost basis (for sweep-dead-tokens logic). See response `pnlNote`.",
       parameters: Type.Object({
         status: Type.Optional(Type.String({ description: "Filter by status: 'open', 'closed', or omit for all" }))
       }),
@@ -1525,6 +1584,38 @@ var solanaTraderPlugin = {
         return get(path2);
       })
     });
+    api.registerTool({
+      name: "solana_wallet_token_balance",
+      description: "Read on-chain SPL token balance (UI amount) for your trading wallet and a token mint. Same balance path as server exit monitoring (`balanceOf`).",
+      parameters: Type.Object({
+        tokenAddress: Type.String({ description: "SPL token mint address" })
+      }),
+      execute: wrapExecute(
+        async (_id, params) => post("/api/wallet/token-balance", {
+          walletId,
+          tokenAddress: params.tokenAddress
+        })
+      )
+    });
+    api.registerTool({
+      name: "solana_sweep_dead_tokens",
+      description: "Sell 100% of each OPEN position whose unrealizedReturnPct is \u2264 -maxLossPct (default 80), using the same mark-to-market as positions. Use dryRun:true first to list candidates. Executes sequential full exits (sellPct 100). Requires trade:execute scope.",
+      parameters: Type.Object({
+        maxLossPct: Type.Optional(
+          Type.Number({ description: "Threshold: sweep when unrealizedReturnPct <= -maxLossPct (default 80)" })
+        ),
+        slippageBps: Type.Optional(Type.Number({ description: "Per-exit slippage in bps (default 300)" })),
+        dryRun: Type.Optional(Type.Boolean({ description: "If true, only return candidate tokens without selling" }))
+      }),
+      execute: wrapExecute(
+        async (_id, params) => post("/api/wallet/sweep-dead-tokens", {
+          walletId,
+          maxLossPct: params.maxLossPct,
+          slippageBps: params.slippageBps,
+          dryRun: params.dryRun
+        })
+      )
+    });
     api.registerTool({
       name: "solana_funding_instructions",
       description: "Get deposit instructions for funding your trading wallet with SOL.",

package/dist/src/session-manager.js

@@ -1,6 +1,6 @@
 import {
   SessionManager
-} from "../chunk-QSICXLW7.js";
+} from "../chunk-GYXPEC7O.js";
 export {
   SessionManager
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "solana-traderclaw",
-  "version": "1.0.36",
+  "version": "1.0.38",
   "description": "TraderClaw V1 — autonomous Solana memecoin trading for OpenClaw (team edition: X/Twitter journal and engagement tools)",
   "type": "module",
   "main": "./dist/index.js",

package/skills/solana-trader/SKILL.md

@@ -14,7 +14,7 @@ The orchestrator gathers data, enforces execution policy, applies entitlement li
 
 ## How You Access the Orchestrator
 
-You interact with the orchestrator **exclusively through plugin tools** (e.g. `solana_system_status`, `solana_scan`, `solana_alpha_signals`, `solana_trade`, etc.). You have no other access method.
+You interact with the orchestrator **exclusively through plugin tools** (e.g. `solana_system_status`, `solana_scan_hot_pairs`,`solana_scan_launches` , `solana_alpha_signals`, `solana_trade_precheck`, `solana_trade_execute`, etc.). You have no other access method.
 
 **Critical rules:**
 - **You do NOT have direct HTTP/API access.** Never attempt to call REST endpoints, use curl/fetch, or construct API URLs. You cannot reach the orchestrator that way.
@@ -234,8 +234,14 @@ All values are internal targets that must still comply with server policy caps.
 | Position size (exploratory) | 3–8% of capital | 5–10% of capital |
 | Max correlated cluster exposure | 40% of capital | 40% of capital |
 | Consecutive losses → kill switch | 5 | 7 |
-| Rapid drawdown defense trigger | -20% on any position | -15% on any position |
-| Partial profit trigger | +40–60% (optional) | +25–50% (take partial quickly) |
+| Stop loss (slExits) | -20% on every position | -40% on every position |
+| Trailing Stop loss ("trailingStop": {
+      "levels": [
+        { "percentage": 25, "amount": 50 },
+        { "percentage": 35, "amount": 100, "triggerAboveATH": 100 }
+      ]
+    }) where percent is the price decrease from entry price and amount is the size of position in percentage and in token holding  | -20% on every position and optional triggerAboveATH | -40% on every position |
+| Multiple Take Profit exits (tpExits) (e.g [{"percent": 100, "amountPct": 30},{ "percent": 200, "amountPct": 100" }], where percent is the price increase from entry price and amountPct is the size of position in percentage and in token holding) | +100–300% (multiple) | +200–500% (multiple) |
 | Exploration ratio | 20% experimental / 80% proven | 50% experimental / 50% proven |
 | Weight evolution (minimum trades) | ≥20 closed trades | ≥20 closed trades |
 | Max weight delta per update | ±0.10 | ±0.15 |
@@ -330,7 +336,7 @@ There is no context loss from this separation. Cron outputs flow into the persis
        ↓
 2. Step 0: INTERRUPT CHECK — identify wake-up trigger, check kill switch, check dead money, STRATEGY INTEGRITY CHECK
        ↓
-3. Step 1: SCAN — call solana_scan for broad discovery, process Bitquery subscriptions
+3. Step 1: SCAN — call solana_scan_launches and solana_scan_hot_pairs for broad discovery, process Bitquery subscriptions
        ↓
 4. Step 1.5b: ALPHA SIGNALS — poll solana_alpha_signals, score, classify priority
        ↓
@@ -902,10 +908,6 @@ Discovery subscriptions complement — not replace — scan endpoints and alpha
 
 When multiple paths independently surface the same token = convergence = highest conviction. Log convergence events via `solana_memory_write` with tag `signal_convergence`.
 
-**Future enhancement (not yet available):**
-
-When `solana_firehose_config` and `solana_firehose_status` tools become available, you will be able to configure advanced filter parameters (volume thresholds, buyer counts, whale detection) directly on the orchestrator or local worker, and check health/stats. For now, use the existing `solana_bitquery_subscribe` with the available template keys and evolve your subscription strategy based on outcomes.
-
 ---
 
 ### Step 2: ANALYZE — Deep Dive
@@ -1128,9 +1130,11 @@ If BUY, you must define before executing:
 - `tpLevels` — staged take-profit levels as percentages
   - HARDENED: `[50, 100, 200]` (patient, ride trends)
   - DEGEN: `[25, 50, 100]` (lock gains faster)
-- `trailingStopPct` — trailing stop activation
-  - HARDENED: 12–18%
-  - DEGEN: 8–15%
+- `trailingStopPct` — single trailing stop (% drawdown from session high once active). Legacy/simple path on the server.
+- **`trailingStop`** (preferred for staging) — `{ levels: [ ... ] }` with **1–5** levels. Each level:
+  - `percentage` — trailing drawdown % from the armed high once that level is active (required).
+  - `amount` — % of position to sell at this level (1–100; server default **100**).
+  - `triggerAboveATH` — **optional.** Price must reach this **% above the session ATH** before this level arms (e.g. `50` → 1.5× ATH). **If omitted, the API defaults to `100` (2× ATH).** Use a smaller value (e.g. `25`) to arm earlier; use `trailingStopPct` instead if you want the simpler single-level trailing that keys off ATH without this gate.
 - `managementMode` — LOCAL_MANAGED or SERVER_MANAGED
 - `slippageBps` — must scale with liquidity:
   - Pool depth > $500K: 100–200 bps
@@ -1227,7 +1231,7 @@ Call `solana_trade_execute` with:
 - **For buy:** `sizeSol` (amount in SOL to spend) — required
 - **For sell:** `sellPct` (percentage of position to sell, 1–100 where 100 = full exit) **or** `sizeTokens` (exact token count) — one is required. If both sent, `sellPct` wins. Do NOT send `sizeSol` for sells.
 - `slippageBps` (scaled to liquidity as defined in your exit plan — hard cap 800bps)
-- `slPct`, `tpLevels`, `trailingStopPct`
+- `slPct`, `tpLevels`, **`trailingStopPct` and/or `trailingStop`** (see **Define Exit Plan** above — if both are sent, `trailingStop` wins)
 - `managementMode`
 
 Record the returned `tradeId` and `positionId`. You will need these for monitoring and review.
@@ -1669,7 +1673,6 @@ Your discovery subscriptions (Step 1.75) should evolve alongside your strategy w
    - **Adjusting discovery subscriptions** (broad, for token detection):
      Discovery subscriptions like `pumpFunTokenCreation` and `raydiumNewPools` are fire-and-forget — you set them up once and they run until you unsubscribe. Evolution here means deciding which broad subscriptions to keep vs remove, not changing their parameters.
    
-   When `solana_firehose_config` becomes available, you will be able to configure advanced filter parameters (volume thresholds, buyer counts, whale detection) on the orchestrator or local worker side without the unsub/resub cycle.
 
 5. Mode switches should trigger subscription review:
    - Switching to DEGEN → add more discovery subscriptions, broaden parameters
@@ -2064,8 +2067,10 @@ All authenticated endpoints use `Authorization: Bearer <accessToken>`.
 | `POST` | `/api/session/logout` | `refreshToken` | No auth needed. Revokes session |
 | `GET` | `/api/wallets` | — | List all wallets. Optional `?refresh=true` |
 | `POST` | `/api/wallet/create` | — | Create wallet. Optional: `label`, `publicKey`, `chain` (solana/bsc), `ownerRef`, `includePrivateKey`. Status `201` |
-| `GET` | `/api/capital/status` | `?walletId=<uuid>` | Wallet capital and daily limits |
-| `GET` | `/api/wallet/positions` | `?walletId=<uuid>` | Open positions. Optional `?status=` |
+| `GET` | `/api/capital/status` | `?walletId=<uuid>` | Wallet capital and daily limits. **PnL:** `totalUnrealizedPnl` / `totalRealizedPnl` are **USD** (stored); `totalUnrealizedPnlSol` / `totalRealizedPnlSol` / `totalPnlSol` are **SOL** derived with `solPriceUsd` (agent-safe). |
+| `GET` | `/api/wallet/positions` | `?walletId=<uuid>` | Positions. **`realizedPnl` / `unrealizedPnl` = USD** in DB; use **`realizedPnlSol` / `unrealizedPnlSol`** for SOL. `unrealizedReturnPct` = ROI vs cost (for sweep). |
+| `POST` | `/api/wallet/token-balance` | `walletId`, `tokenAddress` | On-chain SPL **uiAmount** for the wallet (same as server `balanceOf`) |
+| `POST` | `/api/wallet/sweep-dead-tokens` | `walletId` | Optional: `maxLossPct` (default **80**), `slippageBps`, `dryRun`. Sells **100%** of each **open** position with `unrealizedReturnPct` ≤ **-maxLossPct**. **trade:execute** scope. |
 | `GET` | `/api/funding/instructions` | `?walletId=<uuid>` | Deposit instructions |
 | `GET` | `/api/killswitch/status` | `?walletId=<uuid>` | Kill switch state |
 | `POST` | `/api/killswitch` | `walletId`, `enabled` | Toggle kill switch. Optional: `mode` (TRADES_ONLY / TRADES_AND_STREAMS). **Pro tier required** |
@@ -2073,7 +2078,7 @@ All authenticated endpoints use `Authorization: Bearer <accessToken>`.
 | `POST` | `/api/strategy/update` | `walletId`, `featureWeights` | Update weights. Optional: `strategyVersion`, `mode` (HARDENED/DEGEN) |
 | `POST` | `/api/thesis/build` | `walletId`, `tokenAddress` | Build full thesis package |
 | `POST` | `/api/trade/precheck` | `walletId`, `tokenAddress`, `side` (buy/sell), `slippageBps`. Buy: `sizeSol`. Sell: `sellPct` or `sizeTokens` | Risk/policy check, no execution |
-| `POST` | `/api/trade/execute` | `walletId`, `tokenAddress`, `side`, `slippageBps`. Buy: `sizeSol`. Sell: `sellPct` or `sizeTokens` | Execute trade. Optional: `symbol`, `tpLevels[]`, `slPct`, `trailingStopPct`. Header: `x-idempotency-key` |
+| `POST` | `/api/trade/execute` | `walletId`, `tokenAddress`, `side`, `slippageBps`. Buy: `sizeSol`. Sell: `sellPct` or `sizeTokens` | Execute trade. Optional: `symbol`, `tpLevels[]`, `slPct`, `trailingStopPct`, `trailingStop: { levels: [{ percentage, amount?, triggerAboveATH? }] }` (1–5 levels; **omitted `triggerAboveATH` defaults to 100** = 2× ATH). Header: `x-idempotency-key` |
 | `POST` | `/api/trade/review` | `walletId`, `outcome` (win/loss/neutral), `notes` | Post-trade review. Optional: `tradeId`, `tokenAddress`, `pnlSol`, `tags[]`, `strategyVersion` (strict semver). Status `201` |
 | `POST` | `/api/memory/write` | `walletId`, `notes` | Journal entry. Optional: `tokenAddress`, `outcome` (win/loss/neutral), `tags[]`, `strategyVersion` (strict semver). Status `201` |
 | `POST` | `/api/memory/search` | `walletId`, `query` | Search memory entries |
@@ -2701,8 +2706,10 @@ Each user configures their own X/Twitter API developer account tokens in the plu
 | Thesis | `solana_build_thesis` | Full context package |
 | Trade | `solana_trade_precheck` | Pre-trade risk validation |
 | Trade | `solana_trade_execute` | Execute trade |
-| Monitor | `solana_positions` | Position tracking |
-| Monitor | `solana_capital_status` | Portfolio status |
+| Monitor | `solana_positions` | Position tracking (USD PnL in DB; use `*PnlSol` fields for SOL) |
+| Monitor | `solana_capital_status` | Portfolio status (same USD vs SOL split as API) |
+| Risk | `solana_sweep_dead_tokens` | Full-exit open positions below **-maxLossPct** ROI (default 80%); use `dryRun` first |
+| Wallet | `solana_wallet_token_balance` | On-chain SPL balance for a mint |
 | Review | `solana_trade_review` | Post-trade review |
 | Memory | `solana_memory_write` | Write journal entry (deployer profiles, filter evolution, convergence) |
 | Memory | `solana_memory_search` | Search memories (check deployer history before profiling) |