Add Coinbase Advanced Trade API support

- Add coinbase_api_key and coinbase_api_secret to config
- Create src/coinbase.rs module with spot trading support
  - spot_order() for limit buy/sell orders
  - get_accounts() for balance retrieval
  - get_orders() for open order listing
  - cancel_order() for order cancellation
  - HMAC-SHA256 request signing
- Update all command files to handle 'coinbase' exchange:
  - order.rs: route spot orders to Coinbase
  - perp.rs: error for Coinbase (perps not supported)
  - options.rs: error for Coinbase (options not supported)
  - balance.rs: route to coinbase::get_accounts()
  - positions.rs: error for Coinbase (spot-only exchange)
  - orders.rs: route to coinbase::get_orders()
  - cancel.rs: handle 'coinbase:ORDER_ID' format
- Update resolve_exchange() auto priority: Hyperliquid > Coinbase > Binance
- Add uuid dependency for client_order_id generation
- Update config.toml.default with Coinbase API key fields
- Zero clippy warnings, clean release build

Author: Michael Yuan

Cargo.toml

@@ -28,3 +28,4 @@ regex = "1"
 openssl = { version = "0.10", features = ["vendored"] }
 hmac = "0.12"
 sha2 = "0.10"
+uuid = { version = "1", features = ["v4"] }

config.toml.default

@@ -37,3 +37,8 @@ testnet = false
 # Sign up at https://www.binance.com/
 # binance_api_key = "..."
 # binance_api_secret = "..."
+
+# Coinbase Advanced Trade API credentials — enables spot trading on Coinbase
+# Sign up at https://www.coinbase.com/
+# coinbase_api_key = "..."
+# coinbase_api_secret = "..."

src/coinbase.rs

@@ -0,0 +1,309 @@
+use anyhow::{bail, Context, Result};
+use hmac::{Hmac, Mac};
+use reqwest::Client;
+use serde_json::json;
+use sha2::Sha256;
+use std::time::{SystemTime, UNIX_EPOCH};
+
+type HmacSha256 = Hmac<Sha256>;
+
+const BASE_URL: &str = "https://api.coinbase.com";
+
+/// Sign a request with HMAC-SHA256
+/// timestamp + method + requestPath + body
+pub fn sign_request(secret: &str, timestamp: &str, method: &str, path: &str, body: &str) -> String {
+    let message = format!("{}{}{}{}", timestamp, method, path, body);
+    let mut mac =
+        HmacSha256::new_from_slice(secret.as_bytes()).expect("HMAC can take key of any size");
+    mac.update(message.as_bytes());
+    let result = mac.finalize();
+    hex::encode(result.into_bytes())
+}
+
+/// Get current timestamp in seconds
+fn timestamp() -> String {
+    SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .unwrap()
+        .as_secs()
+        .to_string()
+}
+
+/// Place a spot limit order on Coinbase
+#[allow(clippy::too_many_arguments)]
+pub async fn spot_order(
+    client: &Client,
+    api_key: &str,
+    api_secret: &str,
+    symbol: &str,
+    side: &str, // "BUY" or "SELL"
+    size: f64,
+    price: f64,
+    json_output: bool,
+) -> Result<()> {
+    let ts = timestamp();
+    let path = "/api/v3/brokerage/orders";
+
+    // Generate client_order_id
+    let client_order_id = uuid::Uuid::new_v4().to_string();
+
+    // Coinbase uses BTC-USD format (not BTCUSDT)
+    let product_id = format!("{}-USD", symbol.to_uppercase());
+
+    let body = json!({
+        "client_order_id": client_order_id,
+        "product_id": product_id,
+        "side": side,
+        "order_configuration": {
+            "limit_limit_gtc": {
+                "base_size": format!("{:.8}", size),
+                "limit_price": format!("{:.2}", price),
+            }
+        }
+    });
+
+    let body_str = serde_json::to_string(&body)?;
+    let signature = sign_request(api_secret, &ts, "POST", path, &body_str);
+
+    let url = format!("{}{}", BASE_URL, path);
+
+    let response = client
+        .post(&url)
+        .header("CB-ACCESS-KEY", api_key)
+        .header("CB-ACCESS-SIGN", signature)
+        .header("CB-ACCESS-TIMESTAMP", ts)
+        .header("Content-Type", "application/json")
+        .body(body_str)
+        .send()
+        .await
+        .context("Failed to send Coinbase spot order")?;
+
+    let status = response.status();
+    let response_body: serde_json::Value =
+        response.json().await.context("Failed to parse response")?;
+
+    if !status.is_success() {
+        let error_msg = if let Some(msg) = response_body.get("message") {
+            format!("Coinbase API error: {}", msg)
+        } else if let Some(msg) = response_body.get("error") {
+            format!("Coinbase API error: {}", msg)
+        } else {
+            format!("Coinbase API error: {:?}", response_body)
+        };
+        bail!(error_msg);
+    }
+
+    let result = json!({
+        "exchange": "coinbase",
+        "market": "spot",
+        "action": side.to_lowercase(),
+        "symbol": product_id,
+        "quantity": size,
+        "price": price,
+        "response": response_body,
+    });
+
+    if json_output {
+        println!("{}", serde_json::to_string_pretty(&result)?);
+    } else {
+        println!("\n  ✅ Coinbase spot {} order placed!", side.to_lowercase());
+        println!(
+            "  Order ID: {}",
+            response_body.get("order_id").unwrap_or(&json!(null))
+        );
+        println!("  Product:  {}", product_id);
+        println!("  Quantity: {:.8}", size);
+        println!("  Price:    ${:.2}\n", price);
+    }
+
+    Ok(())
+}
+
+/// Get account balances
+pub async fn get_accounts(
+    client: &Client,
+    api_key: &str,
+    api_secret: &str,
+    json_output: bool,
+) -> Result<()> {
+    let ts = timestamp();
+    let path = "/api/v3/brokerage/accounts";
+    let signature = sign_request(api_secret, &ts, "GET", path, "");
+
+    let url = format!("{}{}", BASE_URL, path);
+
+    let response = client
+        .get(&url)
+        .header("CB-ACCESS-KEY", api_key)
+        .header("CB-ACCESS-SIGN", signature)
+        .header("CB-ACCESS-TIMESTAMP", ts)
+        .send()
+        .await
+        .context("Failed to fetch Coinbase accounts")?;
+
+    let status = response.status();
+    let body: serde_json::Value = response.json().await.context("Failed to parse response")?;
+
+    if !status.is_success() {
+        let error_msg = if let Some(msg) = body.get("message") {
+            format!("Coinbase API error: {}", msg)
+        } else {
+            format!("Coinbase API error: {:?}", body)
+        };
+        bail!(error_msg);
+    }
+
+    if json_output {
+        println!(
+            "{}",
+            serde_json::to_string_pretty(&json!({
+                "exchange": "coinbase",
+                "accounts": body,
+            }))?
+        );
+        return Ok(());
+    }
+
+    println!("\n  💰 Coinbase Account Balance\n");
+
+    if let Some(accounts) = body.get("accounts").and_then(|v| v.as_array()) {
+        for account in accounts {
+            let currency = account
+                .get("currency")
+                .and_then(|v| v.as_str())
+                .unwrap_or("");
+            let available_balance: f64 = account
+                .get("available_balance")
+                .and_then(|v| v.get("value"))
+                .and_then(|v| v.as_str())
+                .and_then(|s| s.parse().ok())
+                .unwrap_or(0.0);
+            let hold: f64 = account
+                .get("hold")
+                .and_then(|v| v.get("value"))
+                .and_then(|v| v.as_str())
+                .and_then(|s| s.parse().ok())
+                .unwrap_or(0.0);
+
+            if available_balance > 0.0 || hold > 0.0 {
+                use colored::Colorize;
+                println!(
+                    "  {}: {} (available: {}, hold: {})",
+                    currency.cyan(),
+                    available_balance + hold,
+                    available_balance,
+                    hold
+                );
+            }
+        }
+    }
+
+    println!();
+    Ok(())
+}
+
+/// Get open orders
+pub async fn get_orders(
+    client: &Client,
+    api_key: &str,
+    api_secret: &str,
+    symbol: Option<&str>,
+    _json_output: bool,
+) -> Result<serde_json::Value> {
+    let ts = timestamp();
+    let mut path = "/api/v3/brokerage/orders/historical/batch?order_status=OPEN".to_string();
+
+    if let Some(sym) = symbol {
+        let product_id = format!("{}-USD", sym.to_uppercase());
+        path.push_str(&format!("&product_id={}", product_id));
+    }
+
+    let signature = sign_request(api_secret, &ts, "GET", &path, "");
+
+    let url = format!("{}{}", BASE_URL, path);
+
+    let response = client
+        .get(&url)
+        .header("CB-ACCESS-KEY", api_key)
+        .header("CB-ACCESS-SIGN", signature)
+        .header("CB-ACCESS-TIMESTAMP", ts)
+        .send()
+        .await
+        .context("Failed to fetch Coinbase orders")?;
+
+    let status = response.status();
+    let body: serde_json::Value = response.json().await.context("Failed to parse response")?;
+
+    if !status.is_success() {
+        let error_msg = if let Some(msg) = body.get("message") {
+            format!("Coinbase API error: {}", msg)
+        } else {
+            format!("Coinbase API error: {:?}", body)
+        };
+        bail!(error_msg);
+    }
+
+    Ok(body)
+}
+
+/// Cancel an order
+pub async fn cancel_order(
+    client: &Client,
+    api_key: &str,
+    api_secret: &str,
+    order_id: &str,
+    json_output: bool,
+) -> Result<()> {
+    let ts = timestamp();
+    let path = "/api/v3/brokerage/orders/batch_cancel";
+
+    let body = json!({
+        "order_ids": [order_id]
+    });
+
+    let body_str = serde_json::to_string(&body)?;
+    let signature = sign_request(api_secret, &ts, "POST", path, &body_str);
+
+    let url = format!("{}{}", BASE_URL, path);
+
+    let response = client
+        .post(&url)
+        .header("CB-ACCESS-KEY", api_key)
+        .header("CB-ACCESS-SIGN", signature)
+        .header("CB-ACCESS-TIMESTAMP", ts)
+        .header("Content-Type", "application/json")
+        .body(body_str)
+        .send()
+        .await
+        .context("Failed to cancel Coinbase order")?;
+
+    let status = response.status();
+    let response_body: serde_json::Value =
+        response.json().await.context("Failed to parse response")?;
+
+    if !status.is_success() {
+        let error_msg = if let Some(msg) = response_body.get("message") {
+            format!("Coinbase API error: {}", msg)
+        } else {
+            format!("Coinbase API error: {:?}", response_body)
+        };
+        bail!(error_msg);
+    }
+
+    if json_output {
+        println!(
+            "{}",
+            serde_json::to_string_pretty(&json!({
+                "exchange": "coinbase",
+                "order_id": order_id,
+                "result": response_body,
+            }))?
+        );
+    } else {
+        use colored::Colorize;
+        println!("\n  ✅ Coinbase order cancelled!");
+        println!("  Order ID: {}\n", order_id.cyan());
+    }
+
+    Ok(())
+}

src/commands/balance.rs

@@ -3,7 +3,7 @@ use colored::Colorize;
 use serde_json::{json, Value};
 use tabled::{settings::Style, Table, Tabled};
 
-use crate::{binance, config};
+use crate::{binance, coinbase, config};
 
 #[derive(Tabled)]
 struct BalanceRow {
@@ -20,24 +20,25 @@ struct BalanceRow {
 /// Resolve which exchange to use
 fn resolve_exchange(exchange: &str) -> Result<String> {
     match exchange {
-        "hyperliquid" | "binance" => Ok(exchange.to_string()),
+        "hyperliquid" | "binance" | "coinbase" => Ok(exchange.to_string()),
         "auto" => {
             let has_hl = config::load_hl_config().is_ok();
+            let has_coinbase = config::coinbase_credentials().is_some();
             let has_binance = config::binance_credentials().is_some();
 
-            if has_hl && !has_binance {
+            // Priority: Hyperliquid > Coinbase > Binance
+            if has_hl {
                 Ok("hyperliquid".to_string())
-            } else if has_binance && !has_hl {
+            } else if has_coinbase {
+                Ok("coinbase".to_string())
+            } else if has_binance {
                 Ok("binance".to_string())
-            } else if has_hl && has_binance {
-                // Default to Hyperliquid
-                Ok("hyperliquid".to_string())
             } else {
-                bail!("No exchange configured. Set up Hyperliquid wallet or Binance API keys in ~/.fintool/config.toml")
+                bail!("No exchange configured. Set up Hyperliquid wallet, Coinbase API keys, or Binance API keys in ~/.fintool/config.toml")
             }
         }
         _ => bail!(
-            "Invalid exchange: {}. Use hyperliquid, binance, or auto",
+            "Invalid exchange: {}. Use hyperliquid, binance, coinbase, or auto",
             exchange
         ),
     }
@@ -46,6 +47,14 @@ fn resolve_exchange(exchange: &str) -> Result<String> {
 pub async fn run(exchange: &str, json_output: bool) -> Result<()> {
     let exchange = resolve_exchange(exchange)?;
 
+    if exchange == "coinbase" {
+        let (api_key, api_secret) = config::coinbase_credentials()
+            .ok_or_else(|| anyhow::anyhow!("Coinbase API credentials not configured"))?;
+
+        let client = reqwest::Client::new();
+        return coinbase::get_accounts(&client, &api_key, &api_secret, json_output).await;
+    }
+
     if exchange == "binance" {
         let (api_key, api_secret) = config::binance_credentials()
             .ok_or_else(|| anyhow::anyhow!("Binance API credentials not configured"))?;