fix(security): remove decrypt oracle, redact secret logs, harden auth, bump Go

Address multiple vulnerabilities found during security review:

- Remove unauthenticated POST /api/crypto/decrypt decryption oracle (route,
  handler, dead frontend helper) + regression test. Transport encryption is
  one-directional; the server never needs to decrypt arbitrary client payloads.
- Redact secrets in config-update logs: handler_ai_model/handler_exchange logged
  %+v of decrypted requests, leaking API keys / secret keys / passphrases /
  private keys. Use named types shared with the log sanitizer so the masking
  can never drift again; extend masking to passphrase + lighter_api_key_private_key.
- crypto: require a valid timestamp in DecryptPayload (a missing ts previously
  skipped replay protection entirely).
- crypto: EncryptedString.Value() now fails closed instead of silently
  persisting plaintext secrets when encryption errors.
- auth: per-IP token-bucket rate limiting on /login and /register against online
  brute-force; raise registration password minimum 6 -> 8; add dummy bcrypt
  compare on unknown-email login to close the user-enumeration timing channel.
- IDOR: getTraderFromQuery no longer falls back to the global in-memory trader
  map; trader access is strictly scoped to the authenticated caller.
- Bump Go 1.25.10 -> 1.25.11 to resolve reachable net/textproto and crypto/x509
  stdlib advisories (govulncheck now reports 0 affecting vulnerabilities).

api/utils.go

@@ -15,13 +15,10 @@ func MaskSensitiveString(s string) string {
 	return s[:4] + "****" + s[length-4:]
 }
 
-// SanitizeModelConfigForLog Sanitize model configuration for log output
-func SanitizeModelConfigForLog(models map[string]struct {
-	Enabled         bool   `json:"enabled"`
-	APIKey          string `json:"api_key"`
-	CustomAPIURL    string `json:"custom_api_url"`
-	CustomModelName string `json:"custom_model_name"`
-}) map[string]interface{} {
+// SanitizeModelConfigForLog Sanitize model configuration for log output.
+// Takes the same ModelConfigUpdate type used by the request handler so the two
+// can never drift out of sync.
+func SanitizeModelConfigForLog(models map[string]ModelConfigUpdate) map[string]interface{} {
 	safe := make(map[string]interface{})
 	for modelID, cfg := range models {
 		safe[modelID] = map[string]interface{}{
@@ -34,19 +31,12 @@ func SanitizeModelConfigForLog(models map[string]struct {
 	return safe
 }
 
-// SanitizeExchangeConfigForLog Sanitize exchange configuration for log output
-func SanitizeExchangeConfigForLog(exchanges map[string]struct {
-	Enabled               bool   `json:"enabled"`
-	APIKey                string `json:"api_key"`
-	SecretKey             string `json:"secret_key"`
-	Testnet               bool   `json:"testnet"`
-	HyperliquidWalletAddr string `json:"hyperliquid_wallet_addr"`
-	AsterUser             string `json:"aster_user"`
-	AsterSigner           string `json:"aster_signer"`
-	AsterPrivateKey       string `json:"aster_private_key"`
-	LighterWalletAddr     string `json:"lighter_wallet_addr"`
-	LighterPrivateKey     string `json:"lighter_private_key"`
-}) map[string]interface{} {
+// SanitizeExchangeConfigForLog Sanitize exchange configuration for log output.
+// Takes the same ExchangeConfigUpdate type used by the request handler so every
+// sensitive field is guaranteed to be masked — adding a field to the request
+// type without masking it here would not compile around this helper, but more
+// importantly keeps the masking exhaustive.
+func SanitizeExchangeConfigForLog(exchanges map[string]ExchangeConfigUpdate) map[string]interface{} {
 	safe := make(map[string]interface{})
 	for exchangeID, cfg := range exchanges {
 		safeExchange := map[string]interface{}{
@@ -61,12 +51,18 @@ func SanitizeExchangeConfigForLog(exchanges map[string]struct {
 		if cfg.SecretKey != "" {
 			safeExchange["secret_key"] = MaskSensitiveString(cfg.SecretKey)
 		}
+		if cfg.Passphrase != "" {
+			safeExchange["passphrase"] = MaskSensitiveString(cfg.Passphrase)
+		}
 		if cfg.AsterPrivateKey != "" {
 			safeExchange["aster_private_key"] = MaskSensitiveString(cfg.AsterPrivateKey)
 		}
 		if cfg.LighterPrivateKey != "" {
 			safeExchange["lighter_private_key"] = MaskSensitiveString(cfg.LighterPrivateKey)
 		}
+		if cfg.LighterAPIKeyPrivateKey != "" {
+			safeExchange["lighter_api_key_private_key"] = MaskSensitiveString(cfg.LighterAPIKeyPrivateKey)
+		}
 
 		// Add non-sensitive fields directly
 		if cfg.HyperliquidWalletAddr != "" {