Skip to content

Bump @cryptohopper/sdk to ^0.4.0-alpha.2 (auth header fix)#9

Merged
pimfeltkamp merged 3 commits intomainfrom
bump-sdk-dep-to-alpha-2
Apr 28, 2026
Merged

Bump @cryptohopper/sdk to ^0.4.0-alpha.2 (auth header fix)#9
pimfeltkamp merged 3 commits intomainfrom
bump-sdk-dep-to-alpha-2

Conversation

@pimfeltkamp
Copy link
Copy Markdown
Contributor

@pimfeltkamp pimfeltkamp commented Apr 27, 2026

Why

The CLI consumes @cryptohopper/sdk for every API call. Until v0.4.0-alpha.2 of that SDK, the transport sent Authorization: Bearer <token> which the AWS API Gateway in front of api.cryptohopper.com/v1/* rejects with 405 Missing Authentication Token. That means every authenticated CLI command on 0.6.0-alpha.1 currently failscryptohopper whoami, cryptohopper hoppers list, cryptohopper backtest new, all of them.

@cryptohopper/sdk@0.4.0-alpha.2 (PR #9) switches to access-token: <token>, which is what the gateway expects. This CLI PR picks up that fix.

Changes

  • package.json@cryptohopper/sdk dep bumped from ^0.4.0-alpha.1 to ^0.4.0-alpha.2. Note that npm's caret range is strict on pre-release versions: ^0.4.0-alpha.1 does NOT auto-resolve to 0.4.0-alpha.2 (different pre-release identifier), so the bump must be explicit.
  • package.json + src/version.ts — CLI bumped to 0.6.0-alpha.2.
  • CHANGELOG.md — entry under "Fixed" with full root-cause writeup and an upgrade note.

Compatibility

No CLI surface change. Same subcommands, flags, JSON output, exit codes. Only the wire-level header sent by the underlying SDK changes.

Test plan

  • npm run typecheck clean
  • npm run build clean
  • (after merge) npm install -g @cryptohopper/cli@0.6.0-alpha.2 && CRYPTOHOPPER_TOKEN=<real> cryptohopper whoami should succeed where 0.6.0-alpha.1 returned an UNAUTHORIZED-looking error from the gateway.

Blocked on

  • cryptohopper/cryptohopper-node-sdk#9 must merge and @cryptohopper/sdk@0.4.0-alpha.2 must publish to npm before this PR's npm install can resolve the new dep. Do not merge until then.

Companion releases also pending

The auth fix shipped to all 8 SDKs in parallel — see cryptohopper-resources#9 for the full PR list. The CLI is the last piece (it doesn't have its own transport — it consumes the Node SDK's).

Note on existing CLI 0.6.0-alpha.2 PRs

Two other fixes are sitting in the queue for the same release:

  • #7 — version-comparison bugs in upgrade
  • #8 — OAuth state-mismatch ordering + token-exchange timeout

Whichever lands last will need a CHANGELOG merge to consolidate the three entries under one 0.6.0-alpha.2 heading. Happy to do that after #7 and #8 merge if you'd like.

pimfeltkamp and others added 2 commits April 27, 2026 12:25
@pimfeltkamp @claude
Bump @cryptohopper/sdk to ^0.4.0-alpha.2 (auth header fix)
61bf9ab 
The CLI's underlying SDK sent Authorization: Bearer <token>
which the AWS API Gateway rejects on api.cryptohopper.com/v1/*
(returns 405 Missing Authentication Token). The fix in
@cryptohopper/sdk@0.4.0-alpha.2 switches to access-token: <token>.

This PR picks up that fix and bumps the CLI to 0.6.0-alpha.2.
No CLI surface change.

Blocked on: cryptohopper/cryptohopper-node-sdk#9 (must merge and
publish to npm before this CLI release can install the new SDK).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@pimfeltkamp
Drop 'public ticker (no auth)' README claim (matches the dep bump)
7afa9d3 
The Quickstart claimed 'cryptohopper ticker' worked without
authentication. The auth-header fix in the underlying SDK
(@cryptohopper/sdk@0.4.0-alpha.2, picked up by this PR's dep
bump) establishes that EVERY endpoint requires a real token.
The CLI inherits that — every subcommand including 'ticker'
needs you to have run 'cryptohopper login' first.
@pimfeltkamp
Copy link
Copy Markdown
Contributor Author

pimfeltkamp commented Apr 27, 2026

Pushed a small follow-up commit (Drop 'public ticker (no auth)' README claim ...) that strikes the matching # public ticker (no auth) claim from the Quickstart. Same bug surface as the dep bump — the auth fix in the underlying SDK establishes that every endpoint requires a real token, so the README label was misleading. No re-review needed beyond skimming the +1/-1 README diff.

@claude
Regenerate package-lock.json for @cryptohopper/sdk@0.4.0-alpha.2
e100cab 
The original PR bumped package.json's caret to ^0.4.0-alpha.2 but
left the lockfile pinning the older 0.4.0-alpha.1, causing `npm ci`
in CI to fail with EUSAGE (manifest/lockfile mismatch).

Now that 0.4.0-alpha.2 is published to npm (it landed earlier today),
`npm install` resolves the new version cleanly. Lockfile entry now
records:

  node_modules/@cryptohopper/sdk: 0.4.0-alpha.2

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@pimfeltkamp pimfeltkamp merged commit 69f7a7f into main Apr 28, 2026
1 check passed
pimfeltkamp added a commit that referenced this pull request Apr 28, 2026
@pimfeltkamp @claude
docs(changelog): document #7 and #8 fixes under 0.6.0-alpha.2
d7ba4a1 
The 0.6.0-alpha.2 entry only mentioned the auth-fix dep bump from #9.
PRs #7 (cryptohopper upgrade version-comparison) and #8 (OAuth
browser-flow state validation + token-exchange timeout) also landed
on main without their own CHANGELOG lines. Folding all four bug
fixes under the same release since none has shipped yet.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@pimfeltkamp