Address multiple vulnerabilities found during security review:
- Remove unauthenticated POST /api/crypto/decrypt decryption oracle (route,
  handler, dead frontend helper) + regression test. Transport encryption is
  one-directional; the server never needs to decrypt arbitrary client payloads.
- Redact secrets in config-update logs: handler_ai_model/handler_exchange logged
  %+v of decrypted requests, leaking API keys / secret keys / passphrases /
  private keys. Use named types shared with the log sanitizer so the masking
  can never drift again; extend masking to passphrase + lighter_api_key_private_key.
- crypto: require a valid timestamp in DecryptPayload (a missing ts previously
  skipped replay protection entirely).
- crypto: EncryptedString.Value() now fails closed instead of silently
  persisting plaintext secrets when encryption errors.
- auth: per-IP token-bucket rate limiting on /login and /register against online
  brute-force; raise registration password minimum 6 -> 8; add dummy bcrypt
  compare on unknown-email login to close the user-enumeration timing channel.
- IDOR: getTraderFromQuery no longer falls back to the global in-memory trader
  map; trader access is strictly scoped to the authenticated caller.
- Bump Go 1.25.10 -> 1.25.11 to resolve reachable net/textproto and crypto/x509
  stdlib advisories (govulncheck now reports 0 affecting vulnerabilities).
- Use PR branch (dev-nofxi) as authority for agent/ module code
- Merge dev's newer model names (MiniMax-M2.7, deepseek-v4-flash)
  with PR's blockrun provider entries
- Fix duplicate agent init in main.go, keep defer-based Stop()
- Fix var type bug in store/ai_model.go (model → models)
- Remove dev-only test files incompatible with PR's evolved agent code
  (to be re-synced after merge)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
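As an added example (not the project's own code), one way to implement two of the crypto fixes listed above: an EncryptedString Valuer that fails closed instead of persisting plaintext, and a freshness check that rejects a missing ts rather than skipping replay protection. The names EncryptFunc and CheckFreshness and the 30-second window are assumptions, not taken from the repository.

```go
package main

import (
	"database/sql/driver"
	"errors"
	"fmt"
	"time"
)

// EncryptFunc is the assumed encryption hook the column type depends on.
type EncryptFunc func(plaintext string) (string, error)
var ErrNoEncryptor = errors.New("no encryptor configured")

// EncryptedString wraps a secret so database/sql encrypts it on write.
// Value fails closed: a nil hook or an encryption error aborts the write
// instead of handing the driver the plaintext.
type EncryptedString struct {
	Plain   string
	Encrypt EncryptFunc
}

func (s EncryptedString) Value() (driver.Value, error) {
	if s.Encrypt == nil {
		return nil, ErrNoEncryptor
	}
	ct, err := s.Encrypt(s.Plain)
	if err != nil {
		return nil, fmt.Errorf("encrypting secret: %w", err)
	}
	return ct, nil
}

// Replay window for transport payloads (assumed value).
const maxSkew = 30 * time.Second

var (
	ErrMissingTS = errors.New("payload timestamp missing")
	ErrStaleTS   = errors.New("payload timestamp outside replay window")
)

// CheckFreshness is the guard DecryptPayload must run before decrypting:
// a zero (omitted) ts is rejected rather than bypassing the window check.
func CheckFreshness(ts int64, now time.Time) error {
	if ts == 0 {
		return ErrMissingTS
	}
	if now.Sub(time.Unix(ts, 0)).Abs() > maxSkew {
		return ErrStaleTS
	}
	return nil
}
```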
Google discontinued gemini-3-pro-preview on 2026-03-26 and directs all
callers to gemini-3.1-pro / gemini-3.1-pro-preview. Users on their own
API key were getting errors from the native Gemini endpoint because the
provider default pointed at the retired ID. Claw402 was unaffected
because its route map already used gemini-3.1-pro.
Align both the native provider default and the handler's preset list
with gemini-3.1-pro so every code path sends a live model ID.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>