From 61bf9ab6924bc5c06f341bbdf923300cefbdbec7 Mon Sep 17 00:00:00 2001
From: Pim Feltkamp <pim@cryptohopper.com>
Date: Mon, 27 Apr 2026 12:25:20 +0200
Subject: [PATCH 1/3] Bump @cryptohopper/sdk to ^0.4.0-alpha.2 (auth header
 fix)

The CLI's underlying SDK sent Authorization: Bearer <token>
which the AWS API Gateway rejects on api.cryptohopper.com/v1/*
(returns 405 Missing Authentication Token). The fix in
@cryptohopper/sdk@0.4.0-alpha.2 switches to access-token: <token>.

This PR picks up that fix and bumps the CLI to 0.6.0-alpha.2.
No CLI surface change.

Blocked on: cryptohopper/cryptohopper-node-sdk#9 (must merge and
publish to npm before this CLI release can install the new SDK).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 CHANGELOG.md   | 14 ++++++++++++++
 package.json   |  4 ++--
 src/version.ts |  2 +-
 3 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 409b651..d02c991 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,19 @@
 # Changelog
 
+## 0.6.0-alpha.2 — Unreleased
+
+### Fixed
+- **Critical: every authenticated API call was rejected by the gateway.** The CLI's underlying `@cryptohopper/sdk` v0.4.0-alpha.1 sent `Authorization: Bearer <token>` on every request, which the AWS API Gateway in front of `api.cryptohopper.com/v1/*` rejects with `405 Missing Authentication Token`. The Public API v1 actually uses an `access-token: <token>` header — confirmed via the official [API documentation](https://www.cryptohopper.com/api-documentation/how-the-api-works) and the legacy iOS/Android SDKs. Picks up the fix from [`@cryptohopper/sdk@0.4.0-alpha.2`](https://github.com/cryptohopper/cryptohopper-node-sdk/pull/9).
+
+### Compatibility
+No CLI surface change. Same flags, same JSON output, same exit codes. The only thing that changes is what the underlying SDK sends on the wire.
+
+### Upgrade
+- **npm**: `npm install -g @cryptohopper/cli@latest` (or `@0.6.0-alpha.2` explicitly).
+- **Standalone binary**: `cryptohopper upgrade` (or download from [GitHub Releases](https://github.com/cryptohopper/cryptohopper-cli/releases)).
+
+If you ran `cryptohopper login` on `0.6.0-alpha.1` and your saved token at `~/.cryptohopper/config.json` worked back then somehow (it shouldn't have — every authenticated call returned 405), no action needed. The token itself is still valid; only the header carrying it changes.
+
 ## 0.6.0-alpha.1 — 2026-04-25
 
 ### Added
diff --git a/package.json b/package.json
index d563d5d..12420c7 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@cryptohopper/cli",
-  "version": "0.6.0-alpha.1",
+  "version": "0.6.0-alpha.2",
   "description": "Command-line interface for Cryptohopper",
   "type": "module",
   "bin": {
@@ -18,7 +18,7 @@
     "compile:all": "npm run compile:linux-x64 && npm run compile:darwin-x64 && npm run compile:darwin-arm64 && npm run compile:windows-x64"
   },
   "dependencies": {
-    "@cryptohopper/sdk": "^0.4.0-alpha.1",
+    "@cryptohopper/sdk": "^0.4.0-alpha.2",
     "cli-table3": "^0.6.5",
     "commander": "^14.0.0",
     "picocolors": "^1.1.1"
diff --git a/src/version.ts b/src/version.ts
index 101b3c2..59b750c 100644
--- a/src/version.ts
+++ b/src/version.ts
@@ -1,2 +1,2 @@
-export const CURRENT_VERSION = "0.6.0-alpha.1";
+export const CURRENT_VERSION = "0.6.0-alpha.2";
 export const RELEASE_REPO = "cryptohopper/cryptohopper-cli";

From 7afa9d3e7c4c72871f147d440831f5ef5a66ab0c Mon Sep 17 00:00:00 2001
From: Pim Feltkamp <pim@cryptohopper.com>
Date: Mon, 27 Apr 2026 13:26:45 +0200
Subject: [PATCH 2/3] Drop 'public ticker (no auth)' README claim (matches the
 dep bump)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Quickstart claimed 'cryptohopper ticker' worked without
authentication. The auth-header fix in the underlying SDK
(@cryptohopper/sdk@0.4.0-alpha.2, picked up by this PR's dep
bump) establishes that EVERY endpoint requires a real token.
The CLI inherits that — every subcommand including 'ticker'
needs you to have run 'cryptohopper login' first.
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 5a83585..95facb8 100644
--- a/README.md
+++ b/README.md
@@ -49,7 +49,7 @@ cryptohopper login                     # opens your browser to authorize via OAu
 cryptohopper whoami                    # confirm identity
 cryptohopper hoppers list              # list your bots
 cryptohopper positions <hopper-id>     # open positions
-cryptohopper ticker binance BTC/USDT   # public ticker (no auth)
+cryptohopper ticker binance BTC/USDT   # spot price (still requires `cryptohopper login`)
 cryptohopper backtest new <hopper-id> --from 2026-01-01 --to 2026-03-01
 cryptohopper backtest status <backtest-id>
 cryptohopper upgrade                   # self-update to latest release

From e100cabc6b56818e5de2e19dbf29961467b525a2 Mon Sep 17 00:00:00 2001
From: Pim Feltkamp <pimfeltkamp@gmail.com>
Date: Tue, 28 Apr 2026 11:18:34 +0200
Subject: [PATCH 3/3] Regenerate package-lock.json for
 @cryptohopper/sdk@0.4.0-alpha.2

The original PR bumped package.json's caret to ^0.4.0-alpha.2 but
left the lockfile pinning the older 0.4.0-alpha.1, causing `npm ci`
in CI to fail with EUSAGE (manifest/lockfile mismatch).

Now that 0.4.0-alpha.2 is published to npm (it landed earlier today),
`npm install` resolves the new version cleanly. Lockfile entry now
records:

  node_modules/@cryptohopper/sdk: 0.4.0-alpha.2

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 package-lock.json | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index a68abba..a115dbd 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,15 +1,15 @@
 {
   "name": "@cryptohopper/cli",
-  "version": "0.5.0-alpha.1",
+  "version": "0.6.0-alpha.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@cryptohopper/cli",
-      "version": "0.5.0-alpha.1",
+      "version": "0.6.0-alpha.2",
       "license": "MIT",
       "dependencies": {
-        "@cryptohopper/sdk": "^0.4.0-alpha.1",
+        "@cryptohopper/sdk": "^0.4.0-alpha.2",
         "cli-table3": "^0.6.5",
         "commander": "^14.0.0",
         "picocolors": "^1.1.1"
@@ -37,9 +37,9 @@
       }
     },
     "node_modules/@cryptohopper/sdk": {
-      "version": "0.4.0-alpha.1",
-      "resolved": "https://registry.npmjs.org/@cryptohopper/sdk/-/sdk-0.4.0-alpha.1.tgz",
-      "integrity": "sha512-2iiaSVZcVaYfB2xfFyME86E7fpr8lDON4ydPoGit72sTaUWuKEaTTXy4JFyPF6I9fRLcIAXndPj5O7VSJ6hI+A==",
+      "version": "0.4.0-alpha.2",
+      "resolved": "https://registry.npmjs.org/@cryptohopper/sdk/-/sdk-0.4.0-alpha.2.tgz",
+      "integrity": "sha512-I7ZMj7v92XlvV/p7vTXz0YYCcAso7w4c9x4pcI7+Uk8jG1MOXr1OGRYvpDz7p2LohLjlvvHbzjzFxrNG4AyXXw==",
       "license": "MIT",
       "engines": {
         "node": ">=20"