Commit Graph

11 Commits

Author SHA1 Message Date
shinchan-zhai
85b9d1dc4e docs: update nofxi-tasks.md — record 12:37 batch 2026-03-25 01:05:54 +08:00
shinchan-zhai
14aaa87117 docs: update nofxi-tasks.md — record 12:22 batch 2026-03-25 01:05:54 +08:00
shinchan-zhai
6987d7e886 docs: update nofxi-tasks.md with panic prevention work 2026-03-25 01:05:54 +08:00
shinchan-zhai
7df11f65ff docs: update nofxi-tasks.md — record 11:22 batch 2026-03-25 01:05:54 +08:00
shinchan-zhai
9235d9cd24 docs: update nofxi-tasks.md — record 10:52 batch progress 2026-03-25 01:05:54 +08:00
shinchan-zhai
456570c37c security: add safe.ReadAllLimited — bound all HTTP response body reads to 10MB
- Created safe/io.go with ReadAllLimited helper (default 10MB limit)
- Replaced 62 unbounded io.ReadAll(resp.Body) calls across 32 files
- Covers all exchange traders (Hyperliquid, Bybit, Binance, OKX, Aster,
  KuCoin, Gate, Bitget, Lighter, Indodax), providers (CoinAnk, Alpaca,
  TwelveData), MCP client/x402, market data, wallet, telegram, kernel
- Prevents OOM from malicious/buggy exchange API responses
- Previously fixed: brain.go, sentinel.go already had manual LimitReader
2026-03-25 01:05:54 +08:00
shinchan-zhai
82a35a8cae security: sanitize internal error messages in API responses
- handler_trader.go: remove loadErr.Error() from 500 responses (2 instances)
- handler_ai_cost.go: replace err.Error() with generic message, add logging
- Internal errors now logged server-side, not exposed to clients
2026-03-25 01:05:54 +08:00
shinchan-zhai
f1394d779a docs: update nofxi-tasks.md — record complete panic recovery coverage 2026-03-25 01:05:54 +08:00
shinchan-zhai
e671268763 docs: update nofxi-tasks.md — record 10:07 batch progress 2026-03-25 01:05:54 +08:00
shinchan-zhai
edeac8a0d2 docs: update nofxi-tasks.md — mark completed, clean false positives 2026-03-25 01:05:54 +08:00
shinchan-zhai
6acf925a0b security: configurable CORS origins, limit sentinel response body
- Add CORS_ALLOWED_ORIGINS config (comma-separated origins, default allow-all)
- CORS middleware now validates Origin header against allowlist
- Add io.LimitReader to sentinel.go (was unbounded, now 256KB)
- Include previous: agent chat auth middleware + frontend token header
2026-03-25 01:05:54 +08:00