@sip-protocol/api 0.1.0 → 0.1.1

package/dist/routes/index.js

@@ -1,7 +1,9 @@
 "use strict";
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -15,6 +17,14 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/routes/index.ts
@@ -23,35 +33,445 @@ __export(routes_exports, {
   default: () => routes_default
 });
 module.exports = __toCommonJS(routes_exports);
-var import_express6 = require("express");
+var import_express7 = require("express");
 
 // src/routes/health.ts
-var import_express = require("express");
-var router = (0, import_express.Router)();
-var startTime = Date.now();
-router.get("/", (req, res) => {
-  const response = {
-    success: true,
-    data: {
-      status: "healthy",
-      version: process.env.npm_package_version || "0.1.0",
-      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      uptime: Math.floor((Date.now() - startTime) / 1e3)
+var import_express2 = require("express");
+
+// src/logger.ts
+var import_pino = __toESM(require("pino"));
+var import_pino_http = __toESM(require("pino-http"));
+var import_crypto = __toESM(require("crypto"));
+
+// src/config.ts
+var import_envalid = require("envalid");
+var env = (0, import_envalid.cleanEnv)(process.env, {
+  // Server configuration
+  NODE_ENV: (0, import_envalid.str)({
+    choices: ["development", "production", "test"],
+    default: "development",
+    desc: "Application environment"
+  }),
+  PORT: (0, import_envalid.port)({
+    default: 3e3,
+    desc: "Server port"
+  }),
+  // CORS configuration
+  CORS_ORIGINS: (0, import_envalid.str)({
+    default: "",
+    desc: "Comma-separated list of allowed origins (empty = localhost only in dev)"
+  }),
+  // Authentication
+  API_KEYS: (0, import_envalid.str)({
+    default: "",
+    desc: "Comma-separated list of valid API keys (empty = auth disabled in dev)"
+  }),
+  // Rate limiting
+  RATE_LIMIT_MAX: (0, import_envalid.num)({
+    default: 100,
+    desc: "Maximum requests per window"
+  }),
+  RATE_LIMIT_WINDOW_MS: (0, import_envalid.num)({
+    default: 6e4,
+    desc: "Rate limit window in milliseconds"
+  }),
+  // Proxy trust configuration (for X-Forwarded-For header)
+  // Set to number of trusted proxies (e.g., 1 for single nginx)
+  // or 'loopback' for local proxies, or 'uniquelocal' for private IPs
+  TRUST_PROXY: (0, import_envalid.str)({
+    default: "1",
+    desc: 'Express trust proxy setting (number of hops, "loopback", "uniquelocal", or "false")'
+  }),
+  // Logging
+  LOG_LEVEL: (0, import_envalid.str)({
+    choices: ["trace", "debug", "info", "warn", "error", "fatal"],
+    default: "info",
+    desc: "Logging level"
+  }),
+  // Graceful shutdown
+  SHUTDOWN_TIMEOUT_MS: (0, import_envalid.num)({
+    default: 3e4,
+    desc: "Graceful shutdown timeout in milliseconds"
+  }),
+  // Monitoring
+  SENTRY_DSN: (0, import_envalid.str)({
+    default: "",
+    desc: "Sentry DSN for error tracking (optional)"
+  }),
+  METRICS_ENABLED: (0, import_envalid.str)({
+    choices: ["true", "false"],
+    default: "true",
+    desc: "Enable Prometheus metrics endpoint"
+  }),
+  // Webhook configuration
+  HELIUS_WEBHOOK_SECRET: (0, import_envalid.str)({
+    default: "",
+    desc: "Helius webhook HMAC secret for signature verification (optional)"
+  }),
+  WEBHOOK_DELIVERY_MAX_RETRIES: (0, import_envalid.num)({
+    default: 3,
+    desc: "Maximum delivery attempts for webhook notifications"
+  }),
+  WEBHOOK_STORE_MAX_SIZE: (0, import_envalid.num)({
+    default: 1e3,
+    desc: "Maximum number of registered webhooks"
+  })
+});
+var isProduction = env.isProduction;
+var isDevelopment = env.isDevelopment;
+var isTest = env.isTest;
+
+// src/logger.ts
+var loggerConfig = {
+  level: env.LOG_LEVEL,
+  base: {
+    service: "sip-api",
+    version: "0.1.0"
+  },
+  timestamp: import_pino.default.stdTimeFunctions.isoTime
+};
+if (env.isDevelopment) {
+  loggerConfig.transport = {
+    target: "pino-pretty",
+    options: {
+      colorize: true,
+      translateTime: "HH:MM:ss",
+      ignore: "pid,hostname,service,version"
     }
   };
-  res.json(response);
+}
+var logger = (0, import_pino.default)(loggerConfig);
+var requestLogger = (0, import_pino_http.default)({
+  logger,
+  // Use requestId from requestIdMiddleware (set earlier in chain)
+  // Falls back to header or generates new if middleware didn't run
+  genReqId: (req) => {
+    const augmentedReq = req;
+    if (augmentedReq.requestId) {
+      return augmentedReq.requestId;
+    }
+    const existingId = req.headers["x-request-id"];
+    if (existingId && typeof existingId === "string") {
+      return existingId;
+    }
+    return import_crypto.default.randomUUID();
+  },
+  customLogLevel: (_req, res, err) => {
+    if (res.statusCode >= 500 || err) return "error";
+    if (res.statusCode >= 400) return "warn";
+    return "info";
+  },
+  customSuccessMessage: (req, res) => {
+    return `${req.method} ${req.url} ${res.statusCode}`;
+  },
+  customErrorMessage: (req, res, err) => {
+    return `${req.method} ${req.url} ${res.statusCode} - ${err.message}`;
+  },
+  // Don't log health checks in production
+  autoLogging: {
+    ignore: (req) => {
+      return req.url === "/api/v1/health" && env.isProduction;
+    }
+  }
 });
-var health_default = router;
 
-// src/routes/stealth.ts
-var import_express2 = require("express");
+// src/shutdown.ts
+var isShuttingDown = false;
+function isServerShuttingDown() {
+  return isShuttingDown;
+}
+
+// src/stores/swap-store.ts
+var import_lru_cache = require("lru-cache");
+var DEFAULT_MAX_SIZE = 1e4;
+var DEFAULT_TTL_MS = 24 * 60 * 60 * 1e3;
+var SwapStore = class {
+  cache;
+  maxSize;
+  ttlMs;
+  constructor(config = {}) {
+    this.maxSize = config.maxSize ?? DEFAULT_MAX_SIZE;
+    this.ttlMs = config.ttlMs ?? DEFAULT_TTL_MS;
+    this.cache = new import_lru_cache.LRUCache({
+      max: this.maxSize,
+      ttl: this.ttlMs,
+      updateAgeOnGet: false,
+      // Don't reset TTL on read
+      updateAgeOnHas: false,
+      // Log when items are evicted or expired
+      disposeAfter: (_value, key, reason) => {
+        if (reason === "evict") {
+          logger.debug({ swapId: key, reason }, "Swap evicted from cache (LRU)");
+        } else if (reason === "expire") {
+          logger.debug({ swapId: key, reason }, "Swap expired from cache (TTL)");
+        }
+      }
+    });
+    logger.info(
+      { maxSize: this.maxSize, ttlMs: this.ttlMs },
+      "SwapStore initialized"
+    );
+  }
+  /**
+   * Get a swap by ID
+   */
+  get(id) {
+    return this.cache.get(id);
+  }
+  /**
+   * Check if a swap exists
+   */
+  has(id) {
+    return this.cache.has(id);
+  }
+  /**
+   * Set/update a swap
+   */
+  set(id, data) {
+    this.cache.set(id, data);
+  }
+  /**
+   * Delete a swap
+   */
+  delete(id) {
+    return this.cache.delete(id);
+  }
+  /**
+   * Update swap status
+   */
+  updateStatus(id, status, updates) {
+    const existing = this.cache.get(id);
+    if (!existing) {
+      return void 0;
+    }
+    const updated = {
+      ...existing,
+      ...updates,
+      status,
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    this.cache.set(id, updated);
+    return updated;
+  }
+  /**
+   * Get store metrics for monitoring
+   */
+  getMetrics() {
+    const size = this.cache.size;
+    return {
+      size,
+      maxSize: this.maxSize,
+      ttlMs: this.ttlMs,
+      utilizationPercent: Math.round(size / this.maxSize * 100)
+    };
+  }
+  /**
+   * Clear all swaps (for testing)
+   */
+  clear() {
+    this.cache.clear();
+  }
+  /**
+   * Purge stale entries (normally handled automatically by LRU cache)
+   */
+  purgeStale() {
+    this.cache.purgeStale();
+  }
+};
+var swapStore = new SwapStore();
+
+// src/stores/webhook-store.ts
+var import_crypto2 = require("crypto");
+var WebhookStore = class {
+  registrations = /* @__PURE__ */ new Map();
+  maxSize;
+  constructor(maxSize) {
+    this.maxSize = maxSize ?? env.WEBHOOK_STORE_MAX_SIZE;
+    logger.info({ maxSize: this.maxSize }, "WebhookStore initialized");
+  }
+  /**
+   * Register a new webhook
+   *
+   * @returns The registration with secret (shown once only)
+   */
+  register(url, viewingPrivateKey, spendingPublicKey) {
+    if (this.registrations.size >= this.maxSize) {
+      throw new Error("WEBHOOK_STORE_FULL");
+    }
+    const id = (0, import_crypto2.randomBytes)(16).toString("hex");
+    const secret = (0, import_crypto2.randomBytes)(32).toString("hex");
+    const registration = {
+      id,
+      url,
+      viewingPrivateKey,
+      spendingPublicKey,
+      secret,
+      createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+      active: true
+    };
+    this.registrations.set(id, registration);
+    logger.info({ webhookId: id, url }, "Webhook registered");
+    return registration;
+  }
+  /**
+   * Unregister a webhook by ID
+   *
+   * @returns true if found and removed, false if not found
+   */
+  unregister(id) {
+    const existed = this.registrations.delete(id);
+    if (existed) {
+      logger.info({ webhookId: id }, "Webhook unregistered");
+    }
+    return existed;
+  }
+  /**
+   * Get a registration by ID
+   */
+  get(id) {
+    return this.registrations.get(id);
+  }
+  /**
+   * Get all active registrations
+   */
+  getAll() {
+    return Array.from(this.registrations.values()).filter((r) => r.active);
+  }
+  /**
+   * Get all registrations (including inactive) for listing
+   */
+  getAllForList() {
+    return Array.from(this.registrations.values()).map((r) => ({
+      id: r.id,
+      url: r.url,
+      active: r.active,
+      createdAt: r.createdAt
+    }));
+  }
+  /**
+   * Current store size
+   */
+  get size() {
+    return this.registrations.size;
+  }
+  /**
+   * Clear all registrations (for testing)
+   */
+  clear() {
+    this.registrations.clear();
+  }
+};
+var webhookStore = new WebhookStore();
+
+// src/routes/proof.ts
+var import_express = require("express");
 var import_sdk2 = require("@sip-protocol/sdk");
+var import_utils = require("@noble/hashes/utils");
 
 // src/middleware/error-handler.ts
 var import_sdk = require("@sip-protocol/sdk");
 
+// src/monitoring/sentry.ts
+var Sentry = __toESM(require("@sentry/node"));
+
+// src/monitoring/metrics.ts
+var import_prom_client = require("prom-client");
+var register = new import_prom_client.Registry();
+(0, import_prom_client.collectDefaultMetrics)({
+  register,
+  prefix: "sip_api_"
+});
+var httpRequestsTotal = new import_prom_client.Counter({
+  name: "sip_api_http_requests_total",
+  help: "Total number of HTTP requests",
+  labelNames: ["method", "path", "status"],
+  registers: [register]
+});
+var httpRequestDuration = new import_prom_client.Histogram({
+  name: "sip_api_http_request_duration_seconds",
+  help: "Duration of HTTP requests in seconds",
+  labelNames: ["method", "path", "status"],
+  buckets: [1e-3, 5e-3, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10],
+  registers: [register]
+});
+var stealthAddressGenerations = new import_prom_client.Counter({
+  name: "sip_stealth_address_generations_total",
+  help: "Total number of stealth address generations",
+  labelNames: ["chain"],
+  registers: [register]
+});
+var commitmentCreations = new import_prom_client.Counter({
+  name: "sip_commitment_creations_total",
+  help: "Total number of commitment creations",
+  registers: [register]
+});
+var proofGenerations = new import_prom_client.Counter({
+  name: "sip_proof_generations_total",
+  help: "Total number of proof generations",
+  labelNames: ["type"],
+  registers: [register]
+});
+var proofGenerationDuration = new import_prom_client.Histogram({
+  name: "sip_proof_generation_duration_seconds",
+  help: "Duration of proof generation in seconds",
+  labelNames: ["type"],
+  buckets: [0.1, 0.5, 1, 2.5, 5, 10, 30, 60],
+  registers: [register]
+});
+var activeConnections = new import_prom_client.Gauge({
+  name: "sip_api_active_connections",
+  help: "Number of active connections",
+  registers: [register]
+});
+var swapRequests = new import_prom_client.Counter({
+  name: "sip_swap_requests_total",
+  help: "Total number of swap requests",
+  labelNames: ["from_chain", "to_chain", "status"],
+  registers: [register]
+});
+var quoteRequests = new import_prom_client.Counter({
+  name: "sip_quote_requests_total",
+  help: "Total number of quote requests",
+  labelNames: ["from_chain", "to_chain"],
+  registers: [register]
+});
+
 // src/middleware/validation.ts
 var import_zod = require("zod");
+var MAX_UINT256 = 2n ** 256n - 1n;
+var amountSchema = import_zod.z.string().regex(/^[1-9]\d*$/, "Amount must be positive integer without leading zeros").max(78, "Amount exceeds maximum uint256 length").refine(
+  (v) => {
+    try {
+      const n = BigInt(v);
+      return n > 0n && n <= MAX_UINT256;
+    } catch {
+      return false;
+    }
+  },
+  { message: "Invalid amount: must be positive integer <= 2^256-1" }
+);
+var minAmountSchema = import_zod.z.string().regex(/^(0|[1-9]\d*)$/, "Amount must be non-negative integer without leading zeros").max(78, "Amount exceeds maximum uint256 length").refine(
+  (v) => {
+    try {
+      const n = BigInt(v);
+      return n >= 0n && n <= MAX_UINT256;
+    } catch {
+      return false;
+    }
+  },
+  { message: "Invalid amount: must be non-negative integer <= 2^256-1" }
+);
+function calculateMinAmount(input, slippageBps) {
+  if (slippageBps < 0 || slippageBps > 1e4) {
+    throw new Error("Invalid slippage: must be 0-10000 basis points");
+  }
+  const bps = BigInt(Math.floor(slippageBps));
+  const multiplier = 10000n - bps;
+  return input * multiplier / 10000n;
+}
+function percentToBps(percent) {
+  return Math.floor(percent * 100);
+}
 function validateRequest(schema) {
   return async (req, res, next) => {
     try {
@@ -62,7 +482,9 @@ function validateRequest(schema) {
         req.query = await schema.query.parseAsync(req.query);
       }
       if (schema.params) {
-        req.params = await schema.params.parseAsync(req.params);
+        req.params = await schema.params.parseAsync(
+          req.params
+        );
       }
       next();
     } catch (error) {
@@ -72,7 +494,8 @@ function validateRequest(schema) {
           error: {
             code: "VALIDATION_ERROR",
             message: "Invalid request data",
-            details: error.errors
+            // Zod 4 renamed 'errors' to 'issues'
+            details: error.issues
           }
         });
       }
@@ -91,19 +514,19 @@ var schemas = {
     })
   }),
   createCommitment: import_zod.z.object({
-    value: import_zod.z.string().regex(/^\d+$/),
-    // bigint as string
+    value: amountSchema,
     blindingFactor: import_zod.z.string().regex(/^0x[0-9a-fA-F]+$/).optional()
   }),
   generateFundingProof: import_zod.z.object({
-    balance: import_zod.z.string().regex(/^\d+$/),
-    minRequired: import_zod.z.string().regex(/^\d+$/),
+    balance: amountSchema,
+    minRequired: minAmountSchema,
+    // Zero allowed: "prove I have >= 0" is valid
     balanceBlinding: import_zod.z.string().regex(/^0x[0-9a-fA-F]+$/)
   }),
   getQuote: import_zod.z.object({
     inputChain: import_zod.z.enum(["solana", "ethereum", "near", "zcash", "polygon", "arbitrum", "optimism", "base", "bitcoin", "aptos", "sui", "cosmos", "osmosis", "injective", "celestia", "sei", "dydx"]),
     inputToken: import_zod.z.string().min(1),
-    inputAmount: import_zod.z.string().regex(/^\d+$/),
+    inputAmount: amountSchema,
     outputChain: import_zod.z.enum(["solana", "ethereum", "near", "zcash", "polygon", "arbitrum", "optimism", "base", "bitcoin", "aptos", "sui", "cosmos", "osmosis", "injective", "celestia", "sei", "dydx"]),
     outputToken: import_zod.z.string().min(1),
     slippageTolerance: import_zod.z.number().min(0).max(100).optional()
@@ -119,105 +542,269 @@ var schemas = {
   })
 };
 
-// src/routes/stealth.ts
-var router2 = (0, import_express2.Router)();
-router2.post(
-  "/generate",
-  validateRequest({ body: schemas.generateStealth }),
-  async (req, res) => {
-    const { chain, recipientMetaAddress } = req.body;
-    const result = (0, import_sdk2.generateStealthAddress)(recipientMetaAddress);
-    const response = {
-      success: true,
-      data: {
-        stealthAddress: {
-          address: result.stealthAddress.address,
-          ephemeralPublicKey: result.stealthAddress.ephemeralPublicKey,
-          viewTag: result.stealthAddress.viewTag
+// src/middleware/rate-limit.ts
+var import_express_rate_limit = __toESM(require("express-rate-limit"));
+var import_rate_limit_redis = require("rate-limit-redis");
+var import_ioredis = require("ioredis");
+var WINDOW_MS = parseInt(process.env.RATE_LIMIT_WINDOW_MS || "60000", 10);
+var MAX_REQUESTS = parseInt(process.env.RATE_LIMIT_MAX_REQUESTS || "100", 10);
+var SKIP_FAILED = process.env.RATE_LIMIT_SKIP_FAILED === "true";
+var STORE_TYPE = process.env.RATE_LIMIT_STORE || "memory";
+var REDIS_URL = process.env.REDIS_URL;
+var redisClient = null;
+var redisConnectionFailed = false;
+function getRedisClient() {
+  if (redisConnectionFailed) {
+    return null;
+  }
+  if (!redisClient && REDIS_URL) {
+    redisClient = new import_ioredis.Redis(REDIS_URL, {
+      maxRetriesPerRequest: 3,
+      retryStrategy: (times) => {
+        if (times > 3) {
+          console.warn("[rate-limit] Redis connection failed, falling back to memory store");
+          redisConnectionFailed = true;
+          return null;
+        }
+        return Math.min(times * 100, 1e3);
+      },
+      lazyConnect: true
+    });
+    redisClient.on("error", (err) => {
+      console.warn("[rate-limit] Redis error:", err.message);
+    });
+    redisClient.on("connect", () => {
+      console.log("[rate-limit] Redis connected successfully");
+    });
+  }
+  return redisClient;
+}
+function getRedisStatus() {
+  const client = getRedisClient();
+  return {
+    storeType: client && !redisConnectionFailed ? "redis" : "memory",
+    configured: !!REDIS_URL,
+    connected: client?.status === "ready"
+  };
+}
+function createStore(prefix) {
+  if (STORE_TYPE === "redis" || REDIS_URL) {
+    const client = getRedisClient();
+    if (client && !redisConnectionFailed) {
+      const sendCommand = async (...args) => {
+        return client.call(args[0], ...args.slice(1));
+      };
+      return new import_rate_limit_redis.RedisStore({
+        sendCommand,
+        prefix: `rl:${prefix}:`
+      });
+    }
+  }
+  return void 0;
+}
+var rateLimiter = (0, import_express_rate_limit.default)({
+  windowMs: WINDOW_MS,
+  max: MAX_REQUESTS,
+  skipFailedRequests: SKIP_FAILED,
+  standardHeaders: true,
+  // Return rate limit info in `RateLimit-*` headers
+  legacyHeaders: false,
+  // Disable `X-RateLimit-*` headers
+  // Use Redis store if available, otherwise memory
+  store: createStore("api"),
+  handler: (_req, res) => {
+    res.status(429).json({
+      success: false,
+      error: {
+        code: "RATE_LIMIT_EXCEEDED",
+        message: "Too many requests, please try again later",
+        details: {
+          retryAfter: Math.ceil(WINDOW_MS / 1e3),
+          limit: MAX_REQUESTS,
+          windowMs: WINDOW_MS
         }
       }
-    };
-    res.json(response);
+    });
+  },
+  skip: (req) => {
+    return req.path === "/api/v1/health" || req.path === "/";
   }
-);
-var stealth_default = router2;
+});
+var strictRateLimiter = (0, import_express_rate_limit.default)({
+  windowMs: 6e4,
+  // 1 minute
+  max: 10,
+  // 10 requests per minute
+  skipFailedRequests: false,
+  standardHeaders: true,
+  legacyHeaders: false,
+  // Use Redis store if available with different prefix
+  store: createStore("strict"),
+  handler: (_req, res) => {
+    res.status(429).json({
+      success: false,
+      error: {
+        code: "RATE_LIMIT_EXCEEDED",
+        message: "Rate limit exceeded for sensitive endpoint",
+        details: {
+          retryAfter: 60,
+          limit: 10,
+          windowMs: 6e4
+        }
+      }
+    });
+  }
+});
 
-// src/routes/commitment.ts
-var import_express3 = require("express");
-var import_sdk3 = require("@sip-protocol/sdk");
+// src/middleware/auth.ts
+var API_KEYS = (process.env.API_KEYS || "").split(",").filter(Boolean);
+var NODE_ENV = process.env.NODE_ENV || "development";
+var AUTH_ENABLED = process.env.AUTH_ENABLED !== "false" && NODE_ENV === "production";
+var SKIP_PATHS = (process.env.AUTH_SKIP_PATHS || "/health,/,/webhooks/internal/helius").split(",").map((p) => p.trim());
 
-// ../../../../node_modules/@noble/hashes/esm/utils.js
-var hasHexBuiltin = /* @__PURE__ */ (() => (
-  // @ts-ignore
-  typeof Uint8Array.from([]).toHex === "function" && typeof Uint8Array.fromHex === "function"
-))();
-var asciis = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 };
-function asciiToBase16(ch) {
-  if (ch >= asciis._0 && ch <= asciis._9)
-    return ch - asciis._0;
-  if (ch >= asciis.A && ch <= asciis.F)
-    return ch - (asciis.A - 10);
-  if (ch >= asciis.a && ch <= asciis.f)
-    return ch - (asciis.a - 10);
-  return;
+// src/middleware/cors.ts
+var import_cors = __toESM(require("cors"));
+var NODE_ENV2 = process.env.NODE_ENV || "development";
+var CORS_ORIGINS = process.env.CORS_ORIGINS?.split(",").map((o) => o.trim()).filter(Boolean) || [];
+var CORS_CREDENTIALS = process.env.CORS_CREDENTIALS !== "false";
+var CORS_MAX_AGE = parseInt(process.env.CORS_MAX_AGE || "86400", 10);
+var DEV_ORIGINS = [
+  "http://localhost:3000",
+  "http://localhost:3001",
+  "http://localhost:4000",
+  "http://localhost:5173",
+  // Vite
+  "http://127.0.0.1:3000",
+  "http://127.0.0.1:3001",
+  "http://127.0.0.1:4000",
+  "http://127.0.0.1:5173"
+];
+function getAllowedOrigins() {
+  if (CORS_ORIGINS.length > 0) {
+    return CORS_ORIGINS;
+  }
+  if (NODE_ENV2 === "development" || NODE_ENV2 === "test") {
+    return DEV_ORIGINS;
+  }
+  return [];
 }
-function hexToBytes(hex) {
-  if (typeof hex !== "string")
-    throw new Error("hex string expected, got " + typeof hex);
-  if (hasHexBuiltin)
-    return Uint8Array.fromHex(hex);
-  const hl = hex.length;
-  const al = hl / 2;
-  if (hl % 2)
-    throw new Error("hex string expected, got unpadded hex of length " + hl);
-  const array = new Uint8Array(al);
-  for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {
-    const n1 = asciiToBase16(hex.charCodeAt(hi));
-    const n2 = asciiToBase16(hex.charCodeAt(hi + 1));
-    if (n1 === void 0 || n2 === void 0) {
-      const char = hex[hi] + hex[hi + 1];
-      throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi);
+function isOriginAllowed(origin) {
+  if (!origin) {
+    return true;
+  }
+  const allowedOrigins = getAllowedOrigins();
+  if (allowedOrigins.includes(origin)) {
+    return true;
+  }
+  let originUrl;
+  try {
+    originUrl = new URL(origin);
+  } catch {
+    console.warn(`[CORS] Rejected malformed origin: ${origin}`);
+    return false;
+  }
+  for (const allowed of allowedOrigins) {
+    if (allowed.startsWith("*.")) {
+      const baseDomain = allowed.slice(2);
+      const originHost = originUrl.host;
+      if (NODE_ENV2 === "production" && originUrl.protocol !== "https:") {
+        console.warn(`[CORS] Rejected non-HTTPS origin in production: ${origin}`);
+        continue;
+      }
+      if (originHost === baseDomain || originHost.endsWith("." + baseDomain)) {
+        return true;
+      }
     }
-    array[ai] = n1 * 16 + n2;
   }
-  return array;
+  return false;
 }
-
-// src/routes/commitment.ts
-var router3 = (0, import_express3.Router)();
-router3.post(
-  "/create",
-  validateRequest({ body: schemas.createCommitment }),
-  async (req, res) => {
-    const { value, blindingFactor } = req.body;
-    const valueBigInt = BigInt(value);
-    const blindingBytes = blindingFactor ? hexToBytes(blindingFactor) : void 0;
-    const result = (0, import_sdk3.commit)(valueBigInt, blindingBytes);
-    const response = {
-      success: true,
-      data: {
-        commitment: result.commitment,
-        blindingFactor: result.blinding
-      }
-    };
-    res.json(response);
+var corsOptionsDelegate = (req, callback) => {
+  const origin = req.headers.origin;
+  const allowed = isOriginAllowed(origin);
+  const options = {
+    origin: allowed ? origin : false,
+    credentials: CORS_CREDENTIALS,
+    maxAge: CORS_MAX_AGE,
+    methods: ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"],
+    allowedHeaders: [
+      "Content-Type",
+      "Authorization",
+      "X-API-Key",
+      "X-Request-ID",
+      "X-Forwarded-For"
+    ],
+    exposedHeaders: [
+      "RateLimit-Limit",
+      "RateLimit-Remaining",
+      "RateLimit-Reset",
+      "X-Request-ID"
+    ]
+  };
+  if (!allowed && origin) {
+    console.warn(`[CORS] Blocked request from origin: ${origin}`);
   }
-);
-var commitment_default = router3;
+  callback(null, options);
+};
+var secureCors = (0, import_cors.default)(corsOptionsDelegate);
 
 // src/routes/proof.ts
-var import_express4 = require("express");
-var import_sdk4 = require("@sip-protocol/sdk");
-var router4 = (0, import_express4.Router)();
-var proofProvider = new import_sdk4.MockProofProvider();
-router4.post(
+var router = (0, import_express.Router)();
+var proofProvider = new import_sdk2.MockProofProvider();
+var proofProviderReady = false;
+var proofInitError = null;
+var MAX_INIT_RETRIES = 3;
+var RETRY_DELAY_MS = 2e3;
+async function initializeProofProvider() {
+  for (let attempt = 1; attempt <= MAX_INIT_RETRIES; attempt++) {
+    try {
+      await proofProvider.initialize();
+      proofProviderReady = true;
+      proofInitError = null;
+      logger.info({ attempt }, "Proof provider initialized successfully");
+      return;
+    } catch (err) {
+      proofInitError = err instanceof Error ? err : new Error(String(err));
+      logger.warn(
+        { attempt, maxRetries: MAX_INIT_RETRIES, error: proofInitError.message },
+        "Proof provider initialization failed, retrying..."
+      );
+      if (attempt < MAX_INIT_RETRIES) {
+        await new Promise((resolve) => setTimeout(resolve, RETRY_DELAY_MS * attempt));
+      }
+    }
+  }
+  logger.error(
+    { error: proofInitError?.message },
+    "Proof provider initialization failed after all retries"
+  );
+}
+initializeProofProvider();
+function isProofProviderReady() {
+  return proofProviderReady;
+}
+function getProofInitError() {
+  return proofInitError;
+}
+router.post(
   "/funding",
   validateRequest({ body: schemas.generateFundingProof }),
   async (req, res) => {
+    if (!proofProviderReady) {
+      const errorMsg = proofInitError?.message || "Proof provider is initializing";
+      logger.warn({ error: errorMsg }, "Proof request rejected - provider not ready");
+      return res.status(503).json({
+        success: false,
+        error: {
+          code: "PROOF_PROVIDER_NOT_READY",
+          message: "Proof generation service is not ready",
+          details: { reason: errorMsg }
+        }
+      });
+    }
     const { balance, minRequired, balanceBlinding } = req.body;
     const balanceBigInt = BigInt(balance);
     const minRequiredBigInt = BigInt(minRequired);
-    const balanceBlindingBytes = hexToBytes(balanceBlinding);
+    const balanceBlindingBytes = (0, import_utils.hexToBytes)(balanceBlinding.replace(/^0x/, ""));
     const result = await proofProvider.generateFundingProof({
       balance: balanceBigInt,
       minimumRequired: minRequiredBigInt,
@@ -237,14 +824,109 @@ router4.post(
     res.json(response);
   }
 );
-var proof_default = router4;
+var proof_default = router;
+
+// src/routes/health.ts
+var router2 = (0, import_express2.Router)();
+var startTime = Date.now();
+router2.get("/", (req, res) => {
+  const shuttingDown = isServerShuttingDown();
+  const status = shuttingDown ? "shutting_down" : "healthy";
+  const statusCode = shuttingDown ? 503 : 200;
+  const cacheMetrics = swapStore.getMetrics();
+  const proofReady = isProofProviderReady();
+  const proofError = getProofInitError();
+  const redisStatus = getRedisStatus();
+  const response = {
+    success: !shuttingDown,
+    data: {
+      status,
+      version: process.env.npm_package_version || "0.1.0",
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      uptime: Math.floor((Date.now() - startTime) / 1e3),
+      services: {
+        proofProvider: {
+          ready: proofReady,
+          error: proofError?.message || null
+        },
+        rateLimiter: {
+          store: redisStatus.storeType,
+          redisConfigured: redisStatus.configured,
+          redisConnected: redisStatus.connected
+        }
+      },
+      cache: {
+        swaps: {
+          size: cacheMetrics.size,
+          maxSize: cacheMetrics.maxSize,
+          utilizationPercent: cacheMetrics.utilizationPercent
+        }
+      }
+    }
+  };
+  res.status(statusCode).json(response);
+});
+var health_default = router2;
+
+// src/routes/stealth.ts
+var import_express3 = require("express");
+var import_sdk3 = require("@sip-protocol/sdk");
+var router3 = (0, import_express3.Router)();
+router3.post(
+  "/generate",
+  validateRequest({ body: schemas.generateStealth }),
+  async (req, res) => {
+    const { chain, recipientMetaAddress } = req.body;
+    const result = (0, import_sdk3.generateStealthAddress)(recipientMetaAddress);
+    const response = {
+      success: true,
+      data: {
+        stealthAddress: {
+          address: result.stealthAddress.address,
+          ephemeralPublicKey: result.stealthAddress.ephemeralPublicKey,
+          viewTag: result.stealthAddress.viewTag
+        }
+      }
+    };
+    res.json(response);
+  }
+);
+var stealth_default = router3;
+
+// src/routes/commitment.ts
+var import_express4 = require("express");
+var import_sdk4 = require("@sip-protocol/sdk");
+var import_utils2 = require("@noble/hashes/utils");
+var router4 = (0, import_express4.Router)();
+router4.post(
+  "/create",
+  validateRequest({ body: schemas.createCommitment }),
+  async (req, res) => {
+    const { value, blindingFactor } = req.body;
+    const valueBigInt = BigInt(value);
+    const blindingBytes = blindingFactor ? (0, import_utils2.hexToBytes)(blindingFactor.replace(/^0x/, "")) : void 0;
+    const result = (0, import_sdk4.commit)(valueBigInt, blindingBytes);
+    const response = {
+      success: true,
+      data: {
+        commitment: result.commitment,
+        blindingFactor: result.blinding
+      }
+    };
+    res.json(response);
+  }
+);
+var commitment_default = router4;
 
 // src/routes/swap.ts
 var import_express5 = require("express");
 var import_sdk5 = require("@sip-protocol/sdk");
 var router5 = (0, import_express5.Router)();
 var sip = new import_sdk5.SIP({ network: "testnet" });
-var swaps = /* @__PURE__ */ new Map();
+var MOCK_MODE_ENABLED = env.NODE_ENV !== "production";
+if (!MOCK_MODE_ENABLED) {
+  logger.warn("Production mode: Mock quotes and swaps are DISABLED");
+}
 router5.post(
   "/",
   validateRequest({ body: schemas.getQuote }),
@@ -257,37 +939,66 @@ router5.post(
       outputToken,
       slippageTolerance
     } = req.body;
+    if (!MOCK_MODE_ENABLED) {
+      return res.status(503).json({
+        success: false,
+        error: {
+          code: "QUOTE_SERVICE_UNAVAILABLE",
+          message: "Real quote aggregator not configured. This API is not ready for production use.",
+          details: {
+            hint: "Configure QUOTE_AGGREGATOR_URL or use development mode"
+          }
+        }
+      });
+    }
+    if (!(0, import_sdk5.isKnownToken)(inputToken, inputChain)) {
+      return res.status(400).json({
+        success: false,
+        error: {
+          code: "UNKNOWN_TOKEN",
+          message: `Unknown input token: ${inputToken} on ${inputChain}`
+        }
+      });
+    }
+    if (!(0, import_sdk5.isKnownToken)(outputToken, outputChain)) {
+      return res.status(400).json({
+        success: false,
+        error: {
+          code: "UNKNOWN_TOKEN",
+          message: `Unknown output token: ${outputToken} on ${outputChain}`
+        }
+      });
+    }
+    const inputAsset = (0, import_sdk5.getAsset)(inputToken, inputChain);
+    const outputAsset = (0, import_sdk5.getAsset)(outputToken, outputChain);
+    const inputAmountBigInt = BigInt(inputAmount);
+    const slippagePercent = slippageTolerance ?? 1;
+    const slippageBps = percentToBps(slippagePercent);
     const intent = await sip.createIntent({
       input: {
-        asset: {
-          chain: inputChain,
-          address: null,
-          // Native token
-          symbol: inputToken,
-          decimals: 9
-        },
-        amount: BigInt(inputAmount)
+        asset: inputAsset,
+        amount: inputAmountBigInt
       },
       output: {
-        asset: {
-          chain: outputChain,
-          address: null,
-          // Native token
-          symbol: outputToken,
-          decimals: 9
-        },
-        minAmount: BigInt(inputAmount) * 95n / 100n,
-        // 5% slippage
-        maxSlippage: (slippageTolerance || 1) / 100
+        asset: outputAsset,
+        minAmount: calculateMinAmount(inputAmountBigInt, slippageBps),
+        maxSlippage: slippagePercent / 100
       },
       privacy: import_sdk5.PrivacyLevel.TRANSPARENT
       // Default to transparent for quote
     });
+    logger.warn({
+      inputChain,
+      inputToken,
+      outputChain,
+      outputToken,
+      inputAmount
+    }, "Returning MOCK quote - not for production use");
     const mockQuote = {
       quoteId: `quote-${Date.now()}`,
       inputAmount,
+      // Mock: 5% fee (clearly fake rate)
       outputAmount: (BigInt(inputAmount) * 95n / 100n).toString(),
-      // Mock 5% fee
       rate: "0.95",
       estimatedTime: 30,
       fees: {
@@ -307,7 +1018,10 @@ router5.post(
     };
     const response = {
       success: true,
-      data: mockQuote
+      data: {
+        ...mockQuote,
+        _warning: "MOCK_DATA: This quote uses simulated pricing. Do not use for real transactions."
+      }
     };
     res.json(response);
   }
@@ -316,23 +1030,45 @@ router5.post(
   "/swap",
   validateRequest({ body: schemas.executeSwap }),
   async (req, res) => {
-    const { intentId, quoteId, privacy, viewingKey } = req.body;
+    const { intentId, quoteId, inputAmount } = req.body;
+    if (!MOCK_MODE_ENABLED) {
+      return res.status(503).json({
+        success: false,
+        error: {
+          code: "SWAP_SERVICE_UNAVAILABLE",
+          message: "Real swap executor not configured. This API is not ready for production use.",
+          details: {
+            hint: "Configure SWAP_EXECUTOR_URL or use development mode"
+          }
+        }
+      });
+    }
     const swapId = `swap-${Date.now()}`;
+    const actualInputAmount = inputAmount || "0";
+    if (!inputAmount) {
+      logger.warn({ swapId, quoteId, intentId }, "Swap created without inputAmount - using 0");
+    }
     const swap = {
       id: swapId,
       status: "pending",
-      inputAmount: "1000000000",
-      // Mock value
+      inputAmount: actualInputAmount,
       createdAt: (/* @__PURE__ */ new Date()).toISOString(),
       updatedAt: (/* @__PURE__ */ new Date()).toISOString()
     };
-    swaps.set(swapId, swap);
+    swapStore.set(swapId, swap);
+    logger.warn({
+      swapId,
+      quoteId,
+      intentId,
+      inputAmount: actualInputAmount
+    }, "Creating MOCK swap - not for production use");
     const response = {
       success: true,
       data: {
         swapId,
         status: "pending",
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        _warning: "MOCK_DATA: This swap is simulated. No real transaction will be executed."
       }
     };
     res.json(response);
@@ -343,13 +1079,14 @@ router5.get(
   validateRequest({ params: schemas.swapStatus }),
   async (req, res) => {
     const { id } = req.params;
-    const swap = swaps.get(id);
+    const swapId = Array.isArray(id) ? id[0] : id;
+    const swap = swapStore.get(swapId);
     if (!swap) {
       return res.status(404).json({
         success: false,
         error: {
           code: "SWAP_NOT_FOUND",
-          message: `Swap ${id} not found`
+          message: `Swap ${swapId} not found`
         }
       });
     }
@@ -362,17 +1099,299 @@ router5.get(
 );
 var swap_default = router5;
 
-// src/routes/index.ts
+// src/routes/webhook.ts
+var import_express6 = require("express");
+var import_zod2 = require("zod");
+
+// src/services/helius-listener.ts
+var import_sdk6 = require("@sip-protocol/sdk");
+
+// src/services/webhook-delivery.ts
+var import_hmac = require("@noble/hashes/hmac");
+var import_sha256 = require("@noble/hashes/sha256");
+var import_utils3 = require("@noble/hashes/utils");
+function computeHmacSignature(secret, body) {
+  const encoder = new TextEncoder();
+  const sig = (0, import_utils3.bytesToHex)((0, import_hmac.hmac)(import_sha256.sha256, encoder.encode(secret), encoder.encode(body)));
+  return `sha256=${sig}`;
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+var WebhookDeliveryService = class {
+  maxRetries;
+  pendingDeliveries = /* @__PURE__ */ new Set();
+  constructor(maxRetries) {
+    this.maxRetries = maxRetries ?? env.WEBHOOK_DELIVERY_MAX_RETRIES;
+  }
+  /**
+   * Build the delivery payload from a scan result
+   */
+  buildPayload(registration, payment) {
+    return {
+      event: "payment.received",
+      webhookId: registration.id,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      data: {
+        txSignature: payment.txSignature,
+        stealthAddress: payment.stealthAddress,
+        ephemeralPublicKey: payment.ephemeralPublicKey,
+        amount: payment.amount.toString(),
+        mint: payment.mint,
+        tokenSymbol: payment.tokenSymbol,
+        slot: payment.slot,
+        blockTime: payment.timestamp
+      }
+    };
+  }
+  /**
+   * Deliver a payment notification to a registered webhook
+   *
+   * Retries with exponential backoff on failure.
+   */
+  async deliver(registration, payment) {
+    const payload = this.buildPayload(registration, payment);
+    const body = JSON.stringify(payload);
+    const signature = computeHmacSignature(registration.secret, body);
+    for (let attempt = 0; attempt <= this.maxRetries; attempt++) {
+      try {
+        const response = await fetch(registration.url, {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            "X-SIP-Signature": signature,
+            "X-SIP-Webhook-Id": registration.id
+          },
+          body,
+          signal: AbortSignal.timeout(1e4)
+        });
+        if (response.ok) {
+          logger.info(
+            { webhookId: registration.id, attempt, status: response.status },
+            "Webhook delivered"
+          );
+          return true;
+        }
+        logger.warn(
+          { webhookId: registration.id, attempt, status: response.status },
+          "Webhook delivery failed (non-2xx)"
+        );
+      } catch (error) {
+        logger.warn(
+          { webhookId: registration.id, attempt, error: error.message },
+          "Webhook delivery error"
+        );
+      }
+      if (attempt < this.maxRetries) {
+        const backoffMs = Math.pow(4, attempt) * 1e3;
+        await sleep(backoffMs);
+      }
+    }
+    logger.error(
+      { webhookId: registration.id, maxRetries: this.maxRetries },
+      "Webhook delivery exhausted all retries"
+    );
+    return false;
+  }
+  /**
+   * Queue a delivery (fire-and-forget with tracking)
+   */
+  queueDelivery(registration, payment) {
+    const promise = this.deliver(registration, payment).then(() => {
+    }).catch((err) => {
+      logger.error({ webhookId: registration.id, err }, "Unhandled webhook delivery error");
+    }).finally(() => {
+      this.pendingDeliveries.delete(promise);
+    });
+    this.pendingDeliveries.add(promise);
+  }
+  /**
+   * Wait for all pending deliveries to complete (graceful shutdown)
+   */
+  async drainPending() {
+    if (this.pendingDeliveries.size > 0) {
+      logger.info({ pending: this.pendingDeliveries.size }, "Draining pending webhook deliveries");
+      await Promise.allSettled(this.pendingDeliveries);
+      logger.info("All webhook deliveries drained");
+    }
+  }
+};
+var webhookDeliveryService = new WebhookDeliveryService();
+
+// src/services/helius-listener.ts
+var HeliusListenerService = class {
+  /**
+   * Process an incoming Helius webhook payload
+   *
+   * 1. Verify Helius signature (if configured)
+   * 2. For each active registration, check if payment is for them
+   * 3. On match, queue delivery to the agent's URL
+   *
+   * @returns Number of matched deliveries queued
+   */
+  async processIncoming(payload, headers) {
+    if (env.HELIUS_WEBHOOK_SECRET && headers.rawBody) {
+      const valid = (0, import_sdk6.verifyWebhookSignature)(
+        headers.rawBody,
+        headers.signature,
+        env.HELIUS_WEBHOOK_SECRET
+      );
+      if (!valid) {
+        logger.warn("Helius webhook signature verification failed");
+        throw new Error("HELIUS_SIGNATURE_INVALID");
+      }
+    }
+    const transactions = Array.isArray(payload) ? payload : [payload];
+    const registrations = webhookStore.getAll();
+    if (registrations.length === 0) {
+      logger.debug("No active webhook registrations, skipping processing");
+      return 0;
+    }
+    let matchCount = 0;
+    for (const tx of transactions) {
+      for (const registration of registrations) {
+        try {
+          const payment = await (0, import_sdk6.processWebhookTransaction)(
+            tx,
+            registration.viewingPrivateKey,
+            registration.spendingPublicKey
+          );
+          if (payment) {
+            matchCount++;
+            webhookDeliveryService.queueDelivery(registration, payment);
+            logger.info(
+              {
+                webhookId: registration.id,
+                txSignature: payment.txSignature
+              },
+              "Payment matched, delivery queued"
+            );
+          }
+        } catch (error) {
+          logger.warn(
+            {
+              webhookId: registration.id,
+              error: error.message
+            },
+            "Error checking transaction against registration"
+          );
+        }
+      }
+    }
+    logger.info(
+      {
+        transactions: transactions.length,
+        registrations: registrations.length,
+        matches: matchCount
+      },
+      "Helius webhook processed"
+    );
+    return matchCount;
+  }
+};
+var heliusListenerService = new HeliusListenerService();
+
+// src/routes/webhook.ts
 var router6 = (0, import_express6.Router)();
-router6.use("/health", health_default);
-router6.use("/stealth", stealth_default);
-router6.use("/commitment", commitment_default);
-router6.use("/proof", proof_default);
-router6.use("/quote", swap_default);
-router6.use("/swap", swap_default);
-var routes_default = router6;
-/*! Bundled license information:
+var webhookSchemas = {
+  register: import_zod2.z.object({
+    url: import_zod2.z.string().url("Must be a valid URL"),
+    viewingPrivateKey: import_zod2.z.string().regex(/^0x[0-9a-fA-F]{64}$/, "Must be 0x-prefixed 32-byte hex"),
+    spendingPublicKey: import_zod2.z.string().regex(/^0x[0-9a-fA-F]{64}$/, "Must be 0x-prefixed 32-byte hex")
+  }),
+  unregister: import_zod2.z.object({
+    id: import_zod2.z.string().min(1)
+  })
+};
+router6.post(
+  "/register",
+  validateRequest({ body: webhookSchemas.register }),
+  (req, res) => {
+    const { url, viewingPrivateKey, spendingPublicKey } = req.body;
+    try {
+      const registration = webhookStore.register(url, viewingPrivateKey, spendingPublicKey);
+      const response = {
+        success: true,
+        data: {
+          id: registration.id,
+          url: registration.url,
+          secret: registration.secret,
+          createdAt: registration.createdAt
+        }
+      };
+      res.status(201).json(response);
+    } catch (error) {
+      if (error.message === "WEBHOOK_STORE_FULL") {
+        res.status(503).json({
+          success: false,
+          error: {
+            code: "WEBHOOK_STORE_FULL",
+            message: "Maximum webhook registrations reached"
+          }
+        });
+        return;
+      }
+      throw error;
+    }
+  }
+);
+router6.delete(
+  "/:id",
+  validateRequest({ params: webhookSchemas.unregister }),
+  (req, res) => {
+    const removed = webhookStore.unregister(req.params.id);
+    if (!removed) {
+      res.status(404).json({
+        success: false,
+        error: {
+          code: "WEBHOOK_NOT_FOUND",
+          message: "Webhook not found"
+        }
+      });
+      return;
+    }
+    res.status(204).send();
+  }
+);
+router6.get("/", (_req, res) => {
+  const webhooks = webhookStore.getAllForList();
+  const response = {
+    success: true,
+    data: { webhooks }
+  };
+  res.json(response);
+});
+router6.post("/internal/helius", async (req, res) => {
+  const headers = {
+    signature: req.headers["x-helius-signature"],
+    rawBody: typeof req.body === "string" ? req.body : JSON.stringify(req.body)
+  };
+  try {
+    const matchCount = await heliusListenerService.processIncoming(req.body, headers);
+    res.status(200).json({ success: true, matched: matchCount });
+  } catch (error) {
+    if (error.message === "HELIUS_SIGNATURE_INVALID") {
+      res.status(401).json({
+        success: false,
+        error: {
+          code: "HELIUS_SIGNATURE_INVALID",
+          message: "Invalid Helius webhook signature"
+        }
+      });
+      return;
+    }
+    throw error;
+  }
+});
+var webhook_default = router6;
 
-@noble/hashes/esm/utils.js:
-  (*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
-*/
+// src/routes/index.ts
+var router7 = (0, import_express7.Router)();
+router7.use("/health", health_default);
+router7.use("/stealth", stealth_default);
+router7.use("/commitment", commitment_default);
+router7.use("/proof", proof_default);
+router7.use("/quote", swap_default);
+router7.use("/swap", swap_default);
+router7.use("/webhooks", webhook_default);
+var routes_default = router7;