@sip-protocol/api 0.1.0 → 0.1.1

package/dist/server.js

@@ -30,69 +30,615 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/server.ts
 var server_exports = {};
 __export(server_exports, {
-  default: () => server_default
+  default: () => server_default,
+  isServerShuttingDown: () => isServerShuttingDown
 });
 module.exports = __toCommonJS(server_exports);
-var import_express7 = __toESM(require("express"));
-var import_cors = __toESM(require("cors"));
+var import_express9 = __toESM(require("express"));
 var import_helmet = __toESM(require("helmet"));
 var import_compression = __toESM(require("compression"));
-var import_morgan = __toESM(require("morgan"));
 
 // src/routes/index.ts
-var import_express6 = require("express");
+var import_express7 = require("express");
 
 // src/routes/health.ts
-var import_express = require("express");
-var router = (0, import_express.Router)();
-var startTime = Date.now();
-router.get("/", (req, res) => {
-  const response = {
-    success: true,
-    data: {
-      status: "healthy",
-      version: process.env.npm_package_version || "0.1.0",
-      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      uptime: Math.floor((Date.now() - startTime) / 1e3)
+var import_express2 = require("express");
+
+// src/logger.ts
+var import_pino = __toESM(require("pino"));
+var import_pino_http = __toESM(require("pino-http"));
+var import_crypto = __toESM(require("crypto"));
+
+// src/config.ts
+var import_envalid = require("envalid");
+var env = (0, import_envalid.cleanEnv)(process.env, {
+  // Server configuration
+  NODE_ENV: (0, import_envalid.str)({
+    choices: ["development", "production", "test"],
+    default: "development",
+    desc: "Application environment"
+  }),
+  PORT: (0, import_envalid.port)({
+    default: 3e3,
+    desc: "Server port"
+  }),
+  // CORS configuration
+  CORS_ORIGINS: (0, import_envalid.str)({
+    default: "",
+    desc: "Comma-separated list of allowed origins (empty = localhost only in dev)"
+  }),
+  // Authentication
+  API_KEYS: (0, import_envalid.str)({
+    default: "",
+    desc: "Comma-separated list of valid API keys (empty = auth disabled in dev)"
+  }),
+  // Rate limiting
+  RATE_LIMIT_MAX: (0, import_envalid.num)({
+    default: 100,
+    desc: "Maximum requests per window"
+  }),
+  RATE_LIMIT_WINDOW_MS: (0, import_envalid.num)({
+    default: 6e4,
+    desc: "Rate limit window in milliseconds"
+  }),
+  // Proxy trust configuration (for X-Forwarded-For header)
+  // Set to number of trusted proxies (e.g., 1 for single nginx)
+  // or 'loopback' for local proxies, or 'uniquelocal' for private IPs
+  TRUST_PROXY: (0, import_envalid.str)({
+    default: "1",
+    desc: 'Express trust proxy setting (number of hops, "loopback", "uniquelocal", or "false")'
+  }),
+  // Logging
+  LOG_LEVEL: (0, import_envalid.str)({
+    choices: ["trace", "debug", "info", "warn", "error", "fatal"],
+    default: "info",
+    desc: "Logging level"
+  }),
+  // Graceful shutdown
+  SHUTDOWN_TIMEOUT_MS: (0, import_envalid.num)({
+    default: 3e4,
+    desc: "Graceful shutdown timeout in milliseconds"
+  }),
+  // Monitoring
+  SENTRY_DSN: (0, import_envalid.str)({
+    default: "",
+    desc: "Sentry DSN for error tracking (optional)"
+  }),
+  METRICS_ENABLED: (0, import_envalid.str)({
+    choices: ["true", "false"],
+    default: "true",
+    desc: "Enable Prometheus metrics endpoint"
+  }),
+  // Webhook configuration
+  HELIUS_WEBHOOK_SECRET: (0, import_envalid.str)({
+    default: "",
+    desc: "Helius webhook HMAC secret for signature verification (optional)"
+  }),
+  WEBHOOK_DELIVERY_MAX_RETRIES: (0, import_envalid.num)({
+    default: 3,
+    desc: "Maximum delivery attempts for webhook notifications"
+  }),
+  WEBHOOK_STORE_MAX_SIZE: (0, import_envalid.num)({
+    default: 1e3,
+    desc: "Maximum number of registered webhooks"
+  })
+});
+function logConfigWarnings(logger2) {
+  if (env.isProduction) {
+    if (!env.API_KEYS) {
+      logger2.warn("API_KEYS not set in production - authentication disabled");
+    }
+    if (!env.CORS_ORIGINS) {
+      logger2.warn("CORS_ORIGINS not set in production - only localhost allowed");
+    }
+  }
+}
+var isProduction = env.isProduction;
+var isDevelopment = env.isDevelopment;
+var isTest = env.isTest;
+
+// src/logger.ts
+var loggerConfig = {
+  level: env.LOG_LEVEL,
+  base: {
+    service: "sip-api",
+    version: "0.1.0"
+  },
+  timestamp: import_pino.default.stdTimeFunctions.isoTime
+};
+if (env.isDevelopment) {
+  loggerConfig.transport = {
+    target: "pino-pretty",
+    options: {
+      colorize: true,
+      translateTime: "HH:MM:ss",
+      ignore: "pid,hostname,service,version"
     }
   };
-  res.json(response);
+}
+var logger = (0, import_pino.default)(loggerConfig);
+var requestLogger = (0, import_pino_http.default)({
+  logger,
+  // Use requestId from requestIdMiddleware (set earlier in chain)
+  // Falls back to header or generates new if middleware didn't run
+  genReqId: (req) => {
+    const augmentedReq = req;
+    if (augmentedReq.requestId) {
+      return augmentedReq.requestId;
+    }
+    const existingId = req.headers["x-request-id"];
+    if (existingId && typeof existingId === "string") {
+      return existingId;
+    }
+    return import_crypto.default.randomUUID();
+  },
+  customLogLevel: (_req, res, err) => {
+    if (res.statusCode >= 500 || err) return "error";
+    if (res.statusCode >= 400) return "warn";
+    return "info";
+  },
+  customSuccessMessage: (req, res) => {
+    return `${req.method} ${req.url} ${res.statusCode}`;
+  },
+  customErrorMessage: (req, res, err) => {
+    return `${req.method} ${req.url} ${res.statusCode} - ${err.message}`;
+  },
+  // Don't log health checks in production
+  autoLogging: {
+    ignore: (req) => {
+      return req.url === "/api/v1/health" && env.isProduction;
+    }
+  }
 });
-var health_default = router;
 
-// src/routes/stealth.ts
-var import_express2 = require("express");
+// src/shutdown.ts
+var isShuttingDown = false;
+function isServerShuttingDown() {
+  return isShuttingDown;
+}
+function setupGracefulShutdown(server, cleanup) {
+  const shutdown = async (signal) => {
+    if (isShuttingDown) {
+      logger.warn({ signal }, "Shutdown already in progress, ignoring signal");
+      return;
+    }
+    isShuttingDown = true;
+    logger.info({ signal }, "Received shutdown signal, starting graceful shutdown...");
+    server.close(async (err) => {
+      if (err) {
+        logger.error({ err }, "Error closing HTTP server");
+        process.exit(1);
+      }
+      logger.info("HTTP server closed, no longer accepting connections");
+      if (cleanup) {
+        try {
+          logger.info("Running cleanup tasks...");
+          await cleanup();
+          logger.info("Cleanup completed successfully");
+        } catch (cleanupErr) {
+          logger.error({ err: cleanupErr }, "Error during cleanup");
+        }
+      }
+      logger.info("Graceful shutdown complete, exiting");
+      process.exit(0);
+    });
+    setTimeout(() => {
+      logger.error(
+        { timeoutMs: env.SHUTDOWN_TIMEOUT_MS },
+        "Graceful shutdown timeout exceeded, forcing exit"
+      );
+      process.exit(1);
+    }, env.SHUTDOWN_TIMEOUT_MS);
+  };
+  process.on("SIGTERM", () => shutdown("SIGTERM"));
+  process.on("SIGINT", () => shutdown("SIGINT"));
+  process.on("uncaughtException", (err) => {
+    logger.fatal({ err }, "Uncaught exception, shutting down");
+    shutdown("uncaughtException");
+  });
+  process.on("unhandledRejection", (reason) => {
+    logger.fatal({ reason }, "Unhandled rejection, shutting down");
+    shutdown("unhandledRejection");
+  });
+  logger.debug("Graceful shutdown handlers registered");
+}
+function shutdownMiddleware(req, res, next) {
+  if (isShuttingDown) {
+    if (req.path === "/api/v1/health") {
+      return next();
+    }
+    res.status(503).json({
+      success: false,
+      error: {
+        code: "SERVICE_UNAVAILABLE",
+        message: "Server is shutting down"
+      }
+    });
+    return;
+  }
+  next();
+}
+
+// src/stores/swap-store.ts
+var import_lru_cache = require("lru-cache");
+var DEFAULT_MAX_SIZE = 1e4;
+var DEFAULT_TTL_MS = 24 * 60 * 60 * 1e3;
+var SwapStore = class {
+  cache;
+  maxSize;
+  ttlMs;
+  constructor(config = {}) {
+    this.maxSize = config.maxSize ?? DEFAULT_MAX_SIZE;
+    this.ttlMs = config.ttlMs ?? DEFAULT_TTL_MS;
+    this.cache = new import_lru_cache.LRUCache({
+      max: this.maxSize,
+      ttl: this.ttlMs,
+      updateAgeOnGet: false,
+      // Don't reset TTL on read
+      updateAgeOnHas: false,
+      // Log when items are evicted or expired
+      disposeAfter: (_value, key, reason) => {
+        if (reason === "evict") {
+          logger.debug({ swapId: key, reason }, "Swap evicted from cache (LRU)");
+        } else if (reason === "expire") {
+          logger.debug({ swapId: key, reason }, "Swap expired from cache (TTL)");
+        }
+      }
+    });
+    logger.info(
+      { maxSize: this.maxSize, ttlMs: this.ttlMs },
+      "SwapStore initialized"
+    );
+  }
+  /**
+   * Get a swap by ID
+   */
+  get(id) {
+    return this.cache.get(id);
+  }
+  /**
+   * Check if a swap exists
+   */
+  has(id) {
+    return this.cache.has(id);
+  }
+  /**
+   * Set/update a swap
+   */
+  set(id, data) {
+    this.cache.set(id, data);
+  }
+  /**
+   * Delete a swap
+   */
+  delete(id) {
+    return this.cache.delete(id);
+  }
+  /**
+   * Update swap status
+   */
+  updateStatus(id, status, updates) {
+    const existing = this.cache.get(id);
+    if (!existing) {
+      return void 0;
+    }
+    const updated = {
+      ...existing,
+      ...updates,
+      status,
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    this.cache.set(id, updated);
+    return updated;
+  }
+  /**
+   * Get store metrics for monitoring
+   */
+  getMetrics() {
+    const size = this.cache.size;
+    return {
+      size,
+      maxSize: this.maxSize,
+      ttlMs: this.ttlMs,
+      utilizationPercent: Math.round(size / this.maxSize * 100)
+    };
+  }
+  /**
+   * Clear all swaps (for testing)
+   */
+  clear() {
+    this.cache.clear();
+  }
+  /**
+   * Purge stale entries (normally handled automatically by LRU cache)
+   */
+  purgeStale() {
+    this.cache.purgeStale();
+  }
+};
+var swapStore = new SwapStore();
+
+// src/stores/webhook-store.ts
+var import_crypto2 = require("crypto");
+var WebhookStore = class {
+  registrations = /* @__PURE__ */ new Map();
+  maxSize;
+  constructor(maxSize) {
+    this.maxSize = maxSize ?? env.WEBHOOK_STORE_MAX_SIZE;
+    logger.info({ maxSize: this.maxSize }, "WebhookStore initialized");
+  }
+  /**
+   * Register a new webhook
+   *
+   * @returns The registration with secret (shown once only)
+   */
+  register(url, viewingPrivateKey, spendingPublicKey) {
+    if (this.registrations.size >= this.maxSize) {
+      throw new Error("WEBHOOK_STORE_FULL");
+    }
+    const id = (0, import_crypto2.randomBytes)(16).toString("hex");
+    const secret = (0, import_crypto2.randomBytes)(32).toString("hex");
+    const registration = {
+      id,
+      url,
+      viewingPrivateKey,
+      spendingPublicKey,
+      secret,
+      createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+      active: true
+    };
+    this.registrations.set(id, registration);
+    logger.info({ webhookId: id, url }, "Webhook registered");
+    return registration;
+  }
+  /**
+   * Unregister a webhook by ID
+   *
+   * @returns true if found and removed, false if not found
+   */
+  unregister(id) {
+    const existed = this.registrations.delete(id);
+    if (existed) {
+      logger.info({ webhookId: id }, "Webhook unregistered");
+    }
+    return existed;
+  }
+  /**
+   * Get a registration by ID
+   */
+  get(id) {
+    return this.registrations.get(id);
+  }
+  /**
+   * Get all active registrations
+   */
+  getAll() {
+    return Array.from(this.registrations.values()).filter((r) => r.active);
+  }
+  /**
+   * Get all registrations (including inactive) for listing
+   */
+  getAllForList() {
+    return Array.from(this.registrations.values()).map((r) => ({
+      id: r.id,
+      url: r.url,
+      active: r.active,
+      createdAt: r.createdAt
+    }));
+  }
+  /**
+   * Current store size
+   */
+  get size() {
+    return this.registrations.size;
+  }
+  /**
+   * Clear all registrations (for testing)
+   */
+  clear() {
+    this.registrations.clear();
+  }
+};
+var webhookStore = new WebhookStore();
+
+// src/routes/proof.ts
+var import_express = require("express");
 var import_sdk2 = require("@sip-protocol/sdk");
+var import_utils = require("@noble/hashes/utils");
 
 // src/middleware/error-handler.ts
 var import_sdk = require("@sip-protocol/sdk");
+
+// src/monitoring/sentry.ts
+var Sentry = __toESM(require("@sentry/node"));
+var isInitialized = false;
+function initSentry() {
+  if (isInitialized) return;
+  if (!env.SENTRY_DSN) {
+    if (env.isProduction) {
+      console.warn("[Sentry] SENTRY_DSN not set - error monitoring disabled");
+    }
+    return;
+  }
+  Sentry.init({
+    dsn: env.SENTRY_DSN,
+    environment: env.NODE_ENV,
+    release: `sip-api@${process.env.npm_package_version || "0.1.0"}`,
+    // Performance monitoring
+    tracesSampleRate: env.isProduction ? 0.1 : 1,
+    // Filter out noisy errors
+    ignoreErrors: [
+      // Expected client errors
+      "Request validation failed",
+      "Unauthorized",
+      // Network issues
+      "ECONNRESET",
+      "EPIPE"
+    ],
+    // Add extra context
+    beforeSend(event) {
+      if (env.NODE_ENV === "test") {
+        return null;
+      }
+      const requestId = event.request?.headers?.["x-request-id"];
+      if (requestId && typeof requestId === "string") {
+        event.tags = { ...event.tags, requestId };
+      }
+      if (event.request?.headers) {
+        delete event.request.headers["authorization"];
+        delete event.request.headers["x-api-key"];
+        delete event.request.headers["cookie"];
+      }
+      return event;
+    },
+    // Capture breadcrumbs for debugging
+    beforeBreadcrumb(breadcrumb) {
+      if (breadcrumb.category === "http" && breadcrumb.data?.url?.includes("/health")) {
+        return null;
+      }
+      return breadcrumb;
+    }
+  });
+  isInitialized = true;
+  console.log("[Sentry] Initialized for environment:", env.NODE_ENV);
+}
+function isSentryEnabled() {
+  return isInitialized && !!env.SENTRY_DSN;
+}
+function captureException2(error, context) {
+  if (!isSentryEnabled()) return void 0;
+  return Sentry.captureException(error, {
+    extra: context
+  });
+}
+function setupSentryErrorHandler(app2) {
+  if (!isSentryEnabled()) return;
+  Sentry.setupExpressErrorHandler(app2);
+}
+async function flushSentry(timeout = 2e3) {
+  if (!isSentryEnabled()) return true;
+  return Sentry.close(timeout);
+}
+
+// src/monitoring/metrics.ts
+var import_prom_client = require("prom-client");
+var register = new import_prom_client.Registry();
+(0, import_prom_client.collectDefaultMetrics)({
+  register,
+  prefix: "sip_api_"
+});
+var httpRequestsTotal = new import_prom_client.Counter({
+  name: "sip_api_http_requests_total",
+  help: "Total number of HTTP requests",
+  labelNames: ["method", "path", "status"],
+  registers: [register]
+});
+var httpRequestDuration = new import_prom_client.Histogram({
+  name: "sip_api_http_request_duration_seconds",
+  help: "Duration of HTTP requests in seconds",
+  labelNames: ["method", "path", "status"],
+  buckets: [1e-3, 5e-3, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10],
+  registers: [register]
+});
+var stealthAddressGenerations = new import_prom_client.Counter({
+  name: "sip_stealth_address_generations_total",
+  help: "Total number of stealth address generations",
+  labelNames: ["chain"],
+  registers: [register]
+});
+var commitmentCreations = new import_prom_client.Counter({
+  name: "sip_commitment_creations_total",
+  help: "Total number of commitment creations",
+  registers: [register]
+});
+var proofGenerations = new import_prom_client.Counter({
+  name: "sip_proof_generations_total",
+  help: "Total number of proof generations",
+  labelNames: ["type"],
+  registers: [register]
+});
+var proofGenerationDuration = new import_prom_client.Histogram({
+  name: "sip_proof_generation_duration_seconds",
+  help: "Duration of proof generation in seconds",
+  labelNames: ["type"],
+  buckets: [0.1, 0.5, 1, 2.5, 5, 10, 30, 60],
+  registers: [register]
+});
+var activeConnections = new import_prom_client.Gauge({
+  name: "sip_api_active_connections",
+  help: "Number of active connections",
+  registers: [register]
+});
+var swapRequests = new import_prom_client.Counter({
+  name: "sip_swap_requests_total",
+  help: "Total number of swap requests",
+  labelNames: ["from_chain", "to_chain", "status"],
+  registers: [register]
+});
+var quoteRequests = new import_prom_client.Counter({
+  name: "sip_quote_requests_total",
+  help: "Total number of quote requests",
+  labelNames: ["from_chain", "to_chain"],
+  registers: [register]
+});
+function normalizePath(path) {
+  return path.replace(/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/gi, ":id").replace(/0x[0-9a-fA-F]{40,}/g, ":address").replace(/\/\d+/g, "/:id").replace(/\/+/g, "/");
+}
+function metricsMiddleware(req, res, next) {
+  if (req.path === "/metrics") {
+    return next();
+  }
+  const startTime2 = process.hrtime.bigint();
+  activeConnections.inc();
+  res.on("finish", () => {
+    const endTime = process.hrtime.bigint();
+    const durationSeconds = Number(endTime - startTime2) / 1e9;
+    const path = normalizePath(req.route?.path || req.path);
+    const labels = {
+      method: req.method,
+      path,
+      status: res.statusCode.toString()
+    };
+    httpRequestsTotal.inc(labels);
+    httpRequestDuration.observe(labels, durationSeconds);
+    activeConnections.dec();
+  });
+  next();
+}
+
+// src/middleware/error-handler.ts
 function errorHandler(err, req, res, next) {
-  console.error("[API Error]", {
+  logger.error({
     path: req.path,
     method: req.method,
     error: err.message,
     stack: err.stack
-  });
+  }, "API Error");
   if ((0, import_sdk.isSIPError)(err)) {
     const sipError = err;
+    const isValidationError = err instanceof import_sdk.ValidationError;
     return res.status(400).json({
       success: false,
       error: {
         code: sipError.code,
         message: sipError.message,
         details: {
-          field: sipError.field,
-          expected: sipError.expected
+          ...isValidationError && { field: err.field },
+          ...sipError.context
         }
       }
     });
   }
+  captureException2(err, {
+    path: req.path,
+    method: req.method
+  });
   res.status(500).json({
     success: false,
     error: {
       code: "INTERNAL_SERVER_ERROR",
       message: "An unexpected error occurred",
-      details: process.env.NODE_ENV === "development" ? err.message : void 0
+      details: env.isDevelopment ? err.message : void 0
     }
   });
 }
@@ -108,6 +654,40 @@ function notFoundHandler(req, res) {
 
 // src/middleware/validation.ts
 var import_zod = require("zod");
+var MAX_UINT256 = 2n ** 256n - 1n;
+var amountSchema = import_zod.z.string().regex(/^[1-9]\d*$/, "Amount must be positive integer without leading zeros").max(78, "Amount exceeds maximum uint256 length").refine(
+  (v) => {
+    try {
+      const n = BigInt(v);
+      return n > 0n && n <= MAX_UINT256;
+    } catch {
+      return false;
+    }
+  },
+  { message: "Invalid amount: must be positive integer <= 2^256-1" }
+);
+var minAmountSchema = import_zod.z.string().regex(/^(0|[1-9]\d*)$/, "Amount must be non-negative integer without leading zeros").max(78, "Amount exceeds maximum uint256 length").refine(
+  (v) => {
+    try {
+      const n = BigInt(v);
+      return n >= 0n && n <= MAX_UINT256;
+    } catch {
+      return false;
+    }
+  },
+  { message: "Invalid amount: must be non-negative integer <= 2^256-1" }
+);
+function calculateMinAmount(input, slippageBps) {
+  if (slippageBps < 0 || slippageBps > 1e4) {
+    throw new Error("Invalid slippage: must be 0-10000 basis points");
+  }
+  const bps = BigInt(Math.floor(slippageBps));
+  const multiplier = 10000n - bps;
+  return input * multiplier / 10000n;
+}
+function percentToBps(percent) {
+  return Math.floor(percent * 100);
+}
 function validateRequest(schema) {
   return async (req, res, next) => {
     try {
@@ -118,7 +698,9 @@ function validateRequest(schema) {
         req.query = await schema.query.parseAsync(req.query);
       }
       if (schema.params) {
-        req.params = await schema.params.parseAsync(req.params);
+        req.params = await schema.params.parseAsync(
+          req.params
+        );
       }
       next();
     } catch (error) {
@@ -128,7 +710,8 @@ function validateRequest(schema) {
           error: {
             code: "VALIDATION_ERROR",
             message: "Invalid request data",
-            details: error.errors
+            // Zod 4 renamed 'errors' to 'issues'
+            details: error.issues
           }
         });
       }
@@ -147,19 +730,19 @@ var schemas = {
     })
   }),
   createCommitment: import_zod.z.object({
-    value: import_zod.z.string().regex(/^\d+$/),
-    // bigint as string
+    value: amountSchema,
     blindingFactor: import_zod.z.string().regex(/^0x[0-9a-fA-F]+$/).optional()
   }),
   generateFundingProof: import_zod.z.object({
-    balance: import_zod.z.string().regex(/^\d+$/),
-    minRequired: import_zod.z.string().regex(/^\d+$/),
+    balance: amountSchema,
+    minRequired: minAmountSchema,
+    // Zero allowed: "prove I have >= 0" is valid
     balanceBlinding: import_zod.z.string().regex(/^0x[0-9a-fA-F]+$/)
   }),
   getQuote: import_zod.z.object({
     inputChain: import_zod.z.enum(["solana", "ethereum", "near", "zcash", "polygon", "arbitrum", "optimism", "base", "bitcoin", "aptos", "sui", "cosmos", "osmosis", "injective", "celestia", "sei", "dydx"]),
     inputToken: import_zod.z.string().min(1),
-    inputAmount: import_zod.z.string().regex(/^\d+$/),
+    inputAmount: amountSchema,
     outputChain: import_zod.z.enum(["solana", "ethereum", "near", "zcash", "polygon", "arbitrum", "optimism", "base", "bitcoin", "aptos", "sui", "cosmos", "osmosis", "injective", "celestia", "sei", "dydx"]),
     outputToken: import_zod.z.string().min(1),
     slippageTolerance: import_zod.z.number().min(0).max(100).optional()
@@ -175,132 +758,476 @@ var schemas = {
   })
 };
 
-// src/routes/stealth.ts
-var router2 = (0, import_express2.Router)();
-router2.post(
-  "/generate",
-  validateRequest({ body: schemas.generateStealth }),
+// src/middleware/rate-limit.ts
+var import_express_rate_limit = __toESM(require("express-rate-limit"));
+var import_rate_limit_redis = require("rate-limit-redis");
+var import_ioredis = require("ioredis");
+var WINDOW_MS = parseInt(process.env.RATE_LIMIT_WINDOW_MS || "60000", 10);
+var MAX_REQUESTS = parseInt(process.env.RATE_LIMIT_MAX_REQUESTS || "100", 10);
+var SKIP_FAILED = process.env.RATE_LIMIT_SKIP_FAILED === "true";
+var STORE_TYPE = process.env.RATE_LIMIT_STORE || "memory";
+var REDIS_URL = process.env.REDIS_URL;
+var redisClient = null;
+var redisConnectionFailed = false;
+function getRedisClient() {
+  if (redisConnectionFailed) {
+    return null;
+  }
+  if (!redisClient && REDIS_URL) {
+    redisClient = new import_ioredis.Redis(REDIS_URL, {
+      maxRetriesPerRequest: 3,
+      retryStrategy: (times) => {
+        if (times > 3) {
+          console.warn("[rate-limit] Redis connection failed, falling back to memory store");
+          redisConnectionFailed = true;
+          return null;
+        }
+        return Math.min(times * 100, 1e3);
+      },
+      lazyConnect: true
+    });
+    redisClient.on("error", (err) => {
+      console.warn("[rate-limit] Redis error:", err.message);
+    });
+    redisClient.on("connect", () => {
+      console.log("[rate-limit] Redis connected successfully");
+    });
+  }
+  return redisClient;
+}
+function getRedisStatus() {
+  const client = getRedisClient();
+  return {
+    storeType: client && !redisConnectionFailed ? "redis" : "memory",
+    configured: !!REDIS_URL,
+    connected: client?.status === "ready"
+  };
+}
+function createStore(prefix) {
+  if (STORE_TYPE === "redis" || REDIS_URL) {
+    const client = getRedisClient();
+    if (client && !redisConnectionFailed) {
+      const sendCommand = async (...args) => {
+        return client.call(args[0], ...args.slice(1));
+      };
+      return new import_rate_limit_redis.RedisStore({
+        sendCommand,
+        prefix: `rl:${prefix}:`
+      });
+    }
+  }
+  return void 0;
+}
+var rateLimiter = (0, import_express_rate_limit.default)({
+  windowMs: WINDOW_MS,
+  max: MAX_REQUESTS,
+  skipFailedRequests: SKIP_FAILED,
+  standardHeaders: true,
+  // Return rate limit info in `RateLimit-*` headers
+  legacyHeaders: false,
+  // Disable `X-RateLimit-*` headers
+  // Use Redis store if available, otherwise memory
+  store: createStore("api"),
+  handler: (_req, res) => {
+    res.status(429).json({
+      success: false,
+      error: {
+        code: "RATE_LIMIT_EXCEEDED",
+        message: "Too many requests, please try again later",
+        details: {
+          retryAfter: Math.ceil(WINDOW_MS / 1e3),
+          limit: MAX_REQUESTS,
+          windowMs: WINDOW_MS
+        }
+      }
+    });
+  },
+  skip: (req) => {
+    return req.path === "/api/v1/health" || req.path === "/";
+  }
+});
+var strictRateLimiter = (0, import_express_rate_limit.default)({
+  windowMs: 6e4,
+  // 1 minute
+  max: 10,
+  // 10 requests per minute
+  skipFailedRequests: false,
+  standardHeaders: true,
+  legacyHeaders: false,
+  // Use Redis store if available with different prefix
+  store: createStore("strict"),
+  handler: (_req, res) => {
+    res.status(429).json({
+      success: false,
+      error: {
+        code: "RATE_LIMIT_EXCEEDED",
+        message: "Rate limit exceeded for sensitive endpoint",
+        details: {
+          retryAfter: 60,
+          limit: 10,
+          windowMs: 6e4
+        }
+      }
+    });
+  }
+});
+
+// src/middleware/auth.ts
+var import_crypto3 = require("crypto");
+var API_KEYS = (process.env.API_KEYS || "").split(",").filter(Boolean);
+var NODE_ENV = process.env.NODE_ENV || "development";
+var AUTH_ENABLED = process.env.AUTH_ENABLED !== "false" && NODE_ENV === "production";
+var SKIP_PATHS = (process.env.AUTH_SKIP_PATHS || "/health,/,/webhooks/internal/helius").split(",").map((p) => p.trim());
+function safeCompare(a, b) {
+  if (a.length !== b.length) {
+    return false;
+  }
+  try {
+    return (0, import_crypto3.timingSafeEqual)(Buffer.from(a), Buffer.from(b));
+  } catch {
+    return false;
+  }
+}
+function isValidApiKey(key) {
+  return API_KEYS.some((validKey) => safeCompare(key, validKey));
+}
+function extractApiKey(req) {
+  const apiKeyHeader = req.headers["x-api-key"];
+  if (typeof apiKeyHeader === "string" && apiKeyHeader) {
+    return apiKeyHeader;
+  }
+  const authHeader = req.headers.authorization;
+  if (authHeader?.startsWith("Bearer ")) {
+    return authHeader.slice(7);
+  }
+  return null;
+}
+function authenticate(req, res, next) {
+  if (!AUTH_ENABLED) {
+    return next();
+  }
+  const path = req.path.replace("/api/v1", "");
+  if (SKIP_PATHS.some((skipPath) => path === skipPath || path.startsWith(skipPath + "/"))) {
+    return next();
+  }
+  if (API_KEYS.length === 0) {
+    console.warn("[Auth] No API keys configured. Set API_KEYS environment variable.");
+    return res.status(500).json({
+      success: false,
+      error: {
+        code: "AUTH_NOT_CONFIGURED",
+        message: "Authentication is enabled but no API keys are configured"
+      }
+    });
+  }
+  const apiKey = extractApiKey(req);
+  if (!apiKey) {
+    return res.status(401).json({
+      success: false,
+      error: {
+        code: "UNAUTHORIZED",
+        message: "API key required. Provide via X-API-Key header or Authorization: Bearer <key>"
+      }
+    });
+  }
+  if (!isValidApiKey(apiKey)) {
+    return res.status(401).json({
+      success: false,
+      error: {
+        code: "INVALID_API_KEY",
+        message: "Invalid API key"
+      }
+    });
+  }
+  next();
+}
+function isAuthEnabled() {
+  return AUTH_ENABLED;
+}
+
+// src/middleware/cors.ts
+var import_cors = __toESM(require("cors"));
+var NODE_ENV2 = process.env.NODE_ENV || "development";
+var CORS_ORIGINS = process.env.CORS_ORIGINS?.split(",").map((o) => o.trim()).filter(Boolean) || [];
+var CORS_CREDENTIALS = process.env.CORS_CREDENTIALS !== "false";
+var CORS_MAX_AGE = parseInt(process.env.CORS_MAX_AGE || "86400", 10);
+var DEV_ORIGINS = [
+  "http://localhost:3000",
+  "http://localhost:3001",
+  "http://localhost:4000",
+  "http://localhost:5173",
+  // Vite
+  "http://127.0.0.1:3000",
+  "http://127.0.0.1:3001",
+  "http://127.0.0.1:4000",
+  "http://127.0.0.1:5173"
+];
+function getAllowedOrigins() {
+  if (CORS_ORIGINS.length > 0) {
+    return CORS_ORIGINS;
+  }
+  if (NODE_ENV2 === "development" || NODE_ENV2 === "test") {
+    return DEV_ORIGINS;
+  }
+  return [];
+}
+function isOriginAllowed(origin) {
+  if (!origin) {
+    return true;
+  }
+  const allowedOrigins = getAllowedOrigins();
+  if (allowedOrigins.includes(origin)) {
+    return true;
+  }
+  let originUrl;
+  try {
+    originUrl = new URL(origin);
+  } catch {
+    console.warn(`[CORS] Rejected malformed origin: ${origin}`);
+    return false;
+  }
+  for (const allowed of allowedOrigins) {
+    if (allowed.startsWith("*.")) {
+      const baseDomain = allowed.slice(2);
+      const originHost = originUrl.host;
+      if (NODE_ENV2 === "production" && originUrl.protocol !== "https:") {
+        console.warn(`[CORS] Rejected non-HTTPS origin in production: ${origin}`);
+        continue;
+      }
+      if (originHost === baseDomain || originHost.endsWith("." + baseDomain)) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+var corsOptionsDelegate = (req, callback) => {
+  const origin = req.headers.origin;
+  const allowed = isOriginAllowed(origin);
+  const options = {
+    origin: allowed ? origin : false,
+    credentials: CORS_CREDENTIALS,
+    maxAge: CORS_MAX_AGE,
+    methods: ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"],
+    allowedHeaders: [
+      "Content-Type",
+      "Authorization",
+      "X-API-Key",
+      "X-Request-ID",
+      "X-Forwarded-For"
+    ],
+    exposedHeaders: [
+      "RateLimit-Limit",
+      "RateLimit-Remaining",
+      "RateLimit-Reset",
+      "X-Request-ID"
+    ]
+  };
+  if (!allowed && origin) {
+    console.warn(`[CORS] Blocked request from origin: ${origin}`);
+  }
+  callback(null, options);
+};
+var secureCors = (0, import_cors.default)(corsOptionsDelegate);
+function getCorsConfig() {
+  return {
+    origins: getAllowedOrigins(),
+    credentials: CORS_CREDENTIALS,
+    maxAge: CORS_MAX_AGE,
+    environment: NODE_ENV2
+  };
+}
+
+// src/middleware/request-id.ts
+var import_crypto4 = __toESM(require("crypto"));
+var requestIdMiddleware = (req, res, next) => {
+  const clientId = req.headers["x-request-id"];
+  const requestId = typeof clientId === "string" && clientId.length > 0 ? clientId : import_crypto4.default.randomUUID();
+  req.requestId = requestId;
+  res.setHeader("X-Request-ID", requestId);
+  next();
+};
+
+// src/routes/proof.ts
+var router = (0, import_express.Router)();
+var proofProvider = new import_sdk2.MockProofProvider();
+var proofProviderReady = false;
+var proofInitError = null;
+var MAX_INIT_RETRIES = 3;
+var RETRY_DELAY_MS = 2e3;
+async function initializeProofProvider() {
+  for (let attempt = 1; attempt <= MAX_INIT_RETRIES; attempt++) {
+    try {
+      await proofProvider.initialize();
+      proofProviderReady = true;
+      proofInitError = null;
+      logger.info({ attempt }, "Proof provider initialized successfully");
+      return;
+    } catch (err) {
+      proofInitError = err instanceof Error ? err : new Error(String(err));
+      logger.warn(
+        { attempt, maxRetries: MAX_INIT_RETRIES, error: proofInitError.message },
+        "Proof provider initialization failed, retrying..."
+      );
+      if (attempt < MAX_INIT_RETRIES) {
+        await new Promise((resolve) => setTimeout(resolve, RETRY_DELAY_MS * attempt));
+      }
+    }
+  }
+  logger.error(
+    { error: proofInitError?.message },
+    "Proof provider initialization failed after all retries"
+  );
+}
+initializeProofProvider();
+function isProofProviderReady() {
+  return proofProviderReady;
+}
+function getProofInitError() {
+  return proofInitError;
+}
+router.post(
+  "/funding",
+  validateRequest({ body: schemas.generateFundingProof }),
   async (req, res) => {
-    const { chain, recipientMetaAddress } = req.body;
-    const result = (0, import_sdk2.generateStealthAddress)(recipientMetaAddress);
+    if (!proofProviderReady) {
+      const errorMsg = proofInitError?.message || "Proof provider is initializing";
+      logger.warn({ error: errorMsg }, "Proof request rejected - provider not ready");
+      return res.status(503).json({
+        success: false,
+        error: {
+          code: "PROOF_PROVIDER_NOT_READY",
+          message: "Proof generation service is not ready",
+          details: { reason: errorMsg }
+        }
+      });
+    }
+    const { balance, minRequired, balanceBlinding } = req.body;
+    const balanceBigInt = BigInt(balance);
+    const minRequiredBigInt = BigInt(minRequired);
+    const balanceBlindingBytes = (0, import_utils.hexToBytes)(balanceBlinding.replace(/^0x/, ""));
+    const result = await proofProvider.generateFundingProof({
+      balance: balanceBigInt,
+      minimumRequired: minRequiredBigInt,
+      blindingFactor: balanceBlindingBytes,
+      assetId: "SOL",
+      // Default asset
+      userAddress: "0x0000000000000000000000000000000000000000",
+      ownershipSignature: new Uint8Array(64)
+    });
     const response = {
       success: true,
       data: {
-        stealthAddress: {
-          address: result.stealthAddress.address,
-          ephemeralPublicKey: result.stealthAddress.ephemeralPublicKey,
-          viewTag: result.stealthAddress.viewTag
-        }
+        proof: result.proof.proof,
+        publicInputs: result.proof.publicInputs
       }
     };
     res.json(response);
   }
 );
-var stealth_default = router2;
+var proof_default = router;
 
-// src/routes/commitment.ts
+// src/routes/health.ts
+var router2 = (0, import_express2.Router)();
+var startTime = Date.now();
+router2.get("/", (req, res) => {
+  const shuttingDown = isServerShuttingDown();
+  const status = shuttingDown ? "shutting_down" : "healthy";
+  const statusCode = shuttingDown ? 503 : 200;
+  const cacheMetrics = swapStore.getMetrics();
+  const proofReady = isProofProviderReady();
+  const proofError = getProofInitError();
+  const redisStatus = getRedisStatus();
+  const response = {
+    success: !shuttingDown,
+    data: {
+      status,
+      version: process.env.npm_package_version || "0.1.0",
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      uptime: Math.floor((Date.now() - startTime) / 1e3),
+      services: {
+        proofProvider: {
+          ready: proofReady,
+          error: proofError?.message || null
+        },
+        rateLimiter: {
+          store: redisStatus.storeType,
+          redisConfigured: redisStatus.configured,
+          redisConnected: redisStatus.connected
+        }
+      },
+      cache: {
+        swaps: {
+          size: cacheMetrics.size,
+          maxSize: cacheMetrics.maxSize,
+          utilizationPercent: cacheMetrics.utilizationPercent
+        }
+      }
+    }
+  };
+  res.status(statusCode).json(response);
+});
+var health_default = router2;
+
+// src/routes/stealth.ts
 var import_express3 = require("express");
 var import_sdk3 = require("@sip-protocol/sdk");
-
-// ../../../../node_modules/@noble/hashes/esm/utils.js
-var hasHexBuiltin = /* @__PURE__ */ (() => (
-  // @ts-ignore
-  typeof Uint8Array.from([]).toHex === "function" && typeof Uint8Array.fromHex === "function"
-))();
-var asciis = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 };
-function asciiToBase16(ch) {
-  if (ch >= asciis._0 && ch <= asciis._9)
-    return ch - asciis._0;
-  if (ch >= asciis.A && ch <= asciis.F)
-    return ch - (asciis.A - 10);
-  if (ch >= asciis.a && ch <= asciis.f)
-    return ch - (asciis.a - 10);
-  return;
-}
-function hexToBytes(hex) {
-  if (typeof hex !== "string")
-    throw new Error("hex string expected, got " + typeof hex);
-  if (hasHexBuiltin)
-    return Uint8Array.fromHex(hex);
-  const hl = hex.length;
-  const al = hl / 2;
-  if (hl % 2)
-    throw new Error("hex string expected, got unpadded hex of length " + hl);
-  const array = new Uint8Array(al);
-  for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {
-    const n1 = asciiToBase16(hex.charCodeAt(hi));
-    const n2 = asciiToBase16(hex.charCodeAt(hi + 1));
-    if (n1 === void 0 || n2 === void 0) {
-      const char = hex[hi] + hex[hi + 1];
-      throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi);
-    }
-    array[ai] = n1 * 16 + n2;
-  }
-  return array;
-}
-
-// src/routes/commitment.ts
 var router3 = (0, import_express3.Router)();
 router3.post(
-  "/create",
-  validateRequest({ body: schemas.createCommitment }),
+  "/generate",
+  validateRequest({ body: schemas.generateStealth }),
   async (req, res) => {
-    const { value, blindingFactor } = req.body;
-    const valueBigInt = BigInt(value);
-    const blindingBytes = blindingFactor ? hexToBytes(blindingFactor) : void 0;
-    const result = (0, import_sdk3.commit)(valueBigInt, blindingBytes);
+    const { chain, recipientMetaAddress } = req.body;
+    const result = (0, import_sdk3.generateStealthAddress)(recipientMetaAddress);
     const response = {
       success: true,
       data: {
-        commitment: result.commitment,
-        blindingFactor: result.blinding
+        stealthAddress: {
+          address: result.stealthAddress.address,
+          ephemeralPublicKey: result.stealthAddress.ephemeralPublicKey,
+          viewTag: result.stealthAddress.viewTag
+        }
       }
     };
     res.json(response);
   }
 );
-var commitment_default = router3;
+var stealth_default = router3;
 
-// src/routes/proof.ts
+// src/routes/commitment.ts
 var import_express4 = require("express");
 var import_sdk4 = require("@sip-protocol/sdk");
+var import_utils2 = require("@noble/hashes/utils");
 var router4 = (0, import_express4.Router)();
-var proofProvider = new import_sdk4.MockProofProvider();
 router4.post(
-  "/funding",
-  validateRequest({ body: schemas.generateFundingProof }),
+  "/create",
+  validateRequest({ body: schemas.createCommitment }),
   async (req, res) => {
-    const { balance, minRequired, balanceBlinding } = req.body;
-    const balanceBigInt = BigInt(balance);
-    const minRequiredBigInt = BigInt(minRequired);
-    const balanceBlindingBytes = hexToBytes(balanceBlinding);
-    const result = await proofProvider.generateFundingProof({
-      balance: balanceBigInt,
-      minimumRequired: minRequiredBigInt,
-      blindingFactor: balanceBlindingBytes,
-      assetId: "SOL",
-      // Default asset
-      userAddress: "0x0000000000000000000000000000000000000000",
-      ownershipSignature: new Uint8Array(64)
-    });
+    const { value, blindingFactor } = req.body;
+    const valueBigInt = BigInt(value);
+    const blindingBytes = blindingFactor ? (0, import_utils2.hexToBytes)(blindingFactor.replace(/^0x/, "")) : void 0;
+    const result = (0, import_sdk4.commit)(valueBigInt, blindingBytes);
     const response = {
       success: true,
       data: {
-        proof: result.proof.proof,
-        publicInputs: result.proof.publicInputs
+        commitment: result.commitment,
+        blindingFactor: result.blinding
       }
     };
     res.json(response);
   }
 );
-var proof_default = router4;
+var commitment_default = router4;
 
 // src/routes/swap.ts
 var import_express5 = require("express");
 var import_sdk5 = require("@sip-protocol/sdk");
 var router5 = (0, import_express5.Router)();
 var sip = new import_sdk5.SIP({ network: "testnet" });
-var swaps = /* @__PURE__ */ new Map();
+var MOCK_MODE_ENABLED = env.NODE_ENV !== "production";
+if (!MOCK_MODE_ENABLED) {
+  logger.warn("Production mode: Mock quotes and swaps are DISABLED");
+}
 router5.post(
   "/",
   validateRequest({ body: schemas.getQuote }),
@@ -313,37 +1240,66 @@ router5.post(
       outputToken,
       slippageTolerance
     } = req.body;
+    if (!MOCK_MODE_ENABLED) {
+      return res.status(503).json({
+        success: false,
+        error: {
+          code: "QUOTE_SERVICE_UNAVAILABLE",
+          message: "Real quote aggregator not configured. This API is not ready for production use.",
+          details: {
+            hint: "Configure QUOTE_AGGREGATOR_URL or use development mode"
+          }
+        }
+      });
+    }
+    if (!(0, import_sdk5.isKnownToken)(inputToken, inputChain)) {
+      return res.status(400).json({
+        success: false,
+        error: {
+          code: "UNKNOWN_TOKEN",
+          message: `Unknown input token: ${inputToken} on ${inputChain}`
+        }
+      });
+    }
+    if (!(0, import_sdk5.isKnownToken)(outputToken, outputChain)) {
+      return res.status(400).json({
+        success: false,
+        error: {
+          code: "UNKNOWN_TOKEN",
+          message: `Unknown output token: ${outputToken} on ${outputChain}`
+        }
+      });
+    }
+    const inputAsset = (0, import_sdk5.getAsset)(inputToken, inputChain);
+    const outputAsset = (0, import_sdk5.getAsset)(outputToken, outputChain);
+    const inputAmountBigInt = BigInt(inputAmount);
+    const slippagePercent = slippageTolerance ?? 1;
+    const slippageBps = percentToBps(slippagePercent);
     const intent = await sip.createIntent({
       input: {
-        asset: {
-          chain: inputChain,
-          address: null,
-          // Native token
-          symbol: inputToken,
-          decimals: 9
-        },
-        amount: BigInt(inputAmount)
+        asset: inputAsset,
+        amount: inputAmountBigInt
       },
       output: {
-        asset: {
-          chain: outputChain,
-          address: null,
-          // Native token
-          symbol: outputToken,
-          decimals: 9
-        },
-        minAmount: BigInt(inputAmount) * 95n / 100n,
-        // 5% slippage
-        maxSlippage: (slippageTolerance || 1) / 100
+        asset: outputAsset,
+        minAmount: calculateMinAmount(inputAmountBigInt, slippageBps),
+        maxSlippage: slippagePercent / 100
       },
       privacy: import_sdk5.PrivacyLevel.TRANSPARENT
       // Default to transparent for quote
     });
+    logger.warn({
+      inputChain,
+      inputToken,
+      outputChain,
+      outputToken,
+      inputAmount
+    }, "Returning MOCK quote - not for production use");
     const mockQuote = {
       quoteId: `quote-${Date.now()}`,
       inputAmount,
+      // Mock: 5% fee (clearly fake rate)
       outputAmount: (BigInt(inputAmount) * 95n / 100n).toString(),
-      // Mock 5% fee
       rate: "0.95",
       estimatedTime: 30,
       fees: {
@@ -363,7 +1319,10 @@ router5.post(
     };
     const response = {
       success: true,
-      data: mockQuote
+      data: {
+        ...mockQuote,
+        _warning: "MOCK_DATA: This quote uses simulated pricing. Do not use for real transactions."
+      }
     };
     res.json(response);
   }
@@ -372,23 +1331,45 @@ router5.post(
   "/swap",
   validateRequest({ body: schemas.executeSwap }),
   async (req, res) => {
-    const { intentId, quoteId, privacy, viewingKey } = req.body;
+    const { intentId, quoteId, inputAmount } = req.body;
+    if (!MOCK_MODE_ENABLED) {
+      return res.status(503).json({
+        success: false,
+        error: {
+          code: "SWAP_SERVICE_UNAVAILABLE",
+          message: "Real swap executor not configured. This API is not ready for production use.",
+          details: {
+            hint: "Configure SWAP_EXECUTOR_URL or use development mode"
+          }
+        }
+      });
+    }
     const swapId = `swap-${Date.now()}`;
+    const actualInputAmount = inputAmount || "0";
+    if (!inputAmount) {
+      logger.warn({ swapId, quoteId, intentId }, "Swap created without inputAmount - using 0");
+    }
     const swap = {
       id: swapId,
       status: "pending",
-      inputAmount: "1000000000",
-      // Mock value
+      inputAmount: actualInputAmount,
       createdAt: (/* @__PURE__ */ new Date()).toISOString(),
       updatedAt: (/* @__PURE__ */ new Date()).toISOString()
     };
-    swaps.set(swapId, swap);
+    swapStore.set(swapId, swap);
+    logger.warn({
+      swapId,
+      quoteId,
+      intentId,
+      inputAmount: actualInputAmount
+    }, "Creating MOCK swap - not for production use");
     const response = {
       success: true,
       data: {
         swapId,
         status: "pending",
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        _warning: "MOCK_DATA: This swap is simulated. No real transaction will be executed."
       }
     };
     res.json(response);
@@ -399,13 +1380,14 @@ router5.get(
   validateRequest({ params: schemas.swapStatus }),
   async (req, res) => {
     const { id } = req.params;
-    const swap = swaps.get(id);
+    const swapId = Array.isArray(id) ? id[0] : id;
+    const swap = swapStore.get(swapId);
     if (!swap) {
       return res.status(404).json({
         success: false,
         error: {
           code: "SWAP_NOT_FOUND",
-          message: `Swap ${id} not found`
+          message: `Swap ${swapId} not found`
         }
       });
     }
@@ -418,32 +1400,344 @@ router5.get(
 );
 var swap_default = router5;
 
-// src/routes/index.ts
+// src/routes/webhook.ts
+var import_express6 = require("express");
+var import_zod2 = require("zod");
+
+// src/services/helius-listener.ts
+var import_sdk6 = require("@sip-protocol/sdk");
+
+// src/services/webhook-delivery.ts
+var import_hmac = require("@noble/hashes/hmac");
+var import_sha256 = require("@noble/hashes/sha256");
+var import_utils3 = require("@noble/hashes/utils");
+function computeHmacSignature(secret, body) {
+  const encoder = new TextEncoder();
+  const sig = (0, import_utils3.bytesToHex)((0, import_hmac.hmac)(import_sha256.sha256, encoder.encode(secret), encoder.encode(body)));
+  return `sha256=${sig}`;
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+var WebhookDeliveryService = class {
+  maxRetries;
+  pendingDeliveries = /* @__PURE__ */ new Set();
+  constructor(maxRetries) {
+    this.maxRetries = maxRetries ?? env.WEBHOOK_DELIVERY_MAX_RETRIES;
+  }
+  /**
+   * Build the delivery payload from a scan result
+   */
+  buildPayload(registration, payment) {
+    return {
+      event: "payment.received",
+      webhookId: registration.id,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      data: {
+        txSignature: payment.txSignature,
+        stealthAddress: payment.stealthAddress,
+        ephemeralPublicKey: payment.ephemeralPublicKey,
+        amount: payment.amount.toString(),
+        mint: payment.mint,
+        tokenSymbol: payment.tokenSymbol,
+        slot: payment.slot,
+        blockTime: payment.timestamp
+      }
+    };
+  }
+  /**
+   * Deliver a payment notification to a registered webhook
+   *
+   * Retries with exponential backoff on failure.
+   */
+  async deliver(registration, payment) {
+    const payload = this.buildPayload(registration, payment);
+    const body = JSON.stringify(payload);
+    const signature = computeHmacSignature(registration.secret, body);
+    for (let attempt = 0; attempt <= this.maxRetries; attempt++) {
+      try {
+        const response = await fetch(registration.url, {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            "X-SIP-Signature": signature,
+            "X-SIP-Webhook-Id": registration.id
+          },
+          body,
+          signal: AbortSignal.timeout(1e4)
+        });
+        if (response.ok) {
+          logger.info(
+            { webhookId: registration.id, attempt, status: response.status },
+            "Webhook delivered"
+          );
+          return true;
+        }
+        logger.warn(
+          { webhookId: registration.id, attempt, status: response.status },
+          "Webhook delivery failed (non-2xx)"
+        );
+      } catch (error) {
+        logger.warn(
+          { webhookId: registration.id, attempt, error: error.message },
+          "Webhook delivery error"
+        );
+      }
+      if (attempt < this.maxRetries) {
+        const backoffMs = Math.pow(4, attempt) * 1e3;
+        await sleep(backoffMs);
+      }
+    }
+    logger.error(
+      { webhookId: registration.id, maxRetries: this.maxRetries },
+      "Webhook delivery exhausted all retries"
+    );
+    return false;
+  }
+  /**
+   * Queue a delivery (fire-and-forget with tracking)
+   */
+  queueDelivery(registration, payment) {
+    const promise = this.deliver(registration, payment).then(() => {
+    }).catch((err) => {
+      logger.error({ webhookId: registration.id, err }, "Unhandled webhook delivery error");
+    }).finally(() => {
+      this.pendingDeliveries.delete(promise);
+    });
+    this.pendingDeliveries.add(promise);
+  }
+  /**
+   * Wait for all pending deliveries to complete (graceful shutdown)
+   */
+  async drainPending() {
+    if (this.pendingDeliveries.size > 0) {
+      logger.info({ pending: this.pendingDeliveries.size }, "Draining pending webhook deliveries");
+      await Promise.allSettled(this.pendingDeliveries);
+      logger.info("All webhook deliveries drained");
+    }
+  }
+};
+var webhookDeliveryService = new WebhookDeliveryService();
+
+// src/services/helius-listener.ts
+var HeliusListenerService = class {
+  /**
+   * Process an incoming Helius webhook payload
+   *
+   * 1. Verify Helius signature (if configured)
+   * 2. For each active registration, check if payment is for them
+   * 3. On match, queue delivery to the agent's URL
+   *
+   * @returns Number of matched deliveries queued
+   */
+  async processIncoming(payload, headers) {
+    if (env.HELIUS_WEBHOOK_SECRET && headers.rawBody) {
+      const valid = (0, import_sdk6.verifyWebhookSignature)(
+        headers.rawBody,
+        headers.signature,
+        env.HELIUS_WEBHOOK_SECRET
+      );
+      if (!valid) {
+        logger.warn("Helius webhook signature verification failed");
+        throw new Error("HELIUS_SIGNATURE_INVALID");
+      }
+    }
+    const transactions = Array.isArray(payload) ? payload : [payload];
+    const registrations = webhookStore.getAll();
+    if (registrations.length === 0) {
+      logger.debug("No active webhook registrations, skipping processing");
+      return 0;
+    }
+    let matchCount = 0;
+    for (const tx of transactions) {
+      for (const registration of registrations) {
+        try {
+          const payment = await (0, import_sdk6.processWebhookTransaction)(
+            tx,
+            registration.viewingPrivateKey,
+            registration.spendingPublicKey
+          );
+          if (payment) {
+            matchCount++;
+            webhookDeliveryService.queueDelivery(registration, payment);
+            logger.info(
+              {
+                webhookId: registration.id,
+                txSignature: payment.txSignature
+              },
+              "Payment matched, delivery queued"
+            );
+          }
+        } catch (error) {
+          logger.warn(
+            {
+              webhookId: registration.id,
+              error: error.message
+            },
+            "Error checking transaction against registration"
+          );
+        }
+      }
+    }
+    logger.info(
+      {
+        transactions: transactions.length,
+        registrations: registrations.length,
+        matches: matchCount
+      },
+      "Helius webhook processed"
+    );
+    return matchCount;
+  }
+};
+var heliusListenerService = new HeliusListenerService();
+
+// src/routes/webhook.ts
 var router6 = (0, import_express6.Router)();
-router6.use("/health", health_default);
-router6.use("/stealth", stealth_default);
-router6.use("/commitment", commitment_default);
-router6.use("/proof", proof_default);
-router6.use("/quote", swap_default);
-router6.use("/swap", swap_default);
-var routes_default = router6;
+var webhookSchemas = {
+  register: import_zod2.z.object({
+    url: import_zod2.z.string().url("Must be a valid URL"),
+    viewingPrivateKey: import_zod2.z.string().regex(/^0x[0-9a-fA-F]{64}$/, "Must be 0x-prefixed 32-byte hex"),
+    spendingPublicKey: import_zod2.z.string().regex(/^0x[0-9a-fA-F]{64}$/, "Must be 0x-prefixed 32-byte hex")
+  }),
+  unregister: import_zod2.z.object({
+    id: import_zod2.z.string().min(1)
+  })
+};
+router6.post(
+  "/register",
+  validateRequest({ body: webhookSchemas.register }),
+  (req, res) => {
+    const { url, viewingPrivateKey, spendingPublicKey } = req.body;
+    try {
+      const registration = webhookStore.register(url, viewingPrivateKey, spendingPublicKey);
+      const response = {
+        success: true,
+        data: {
+          id: registration.id,
+          url: registration.url,
+          secret: registration.secret,
+          createdAt: registration.createdAt
+        }
+      };
+      res.status(201).json(response);
+    } catch (error) {
+      if (error.message === "WEBHOOK_STORE_FULL") {
+        res.status(503).json({
+          success: false,
+          error: {
+            code: "WEBHOOK_STORE_FULL",
+            message: "Maximum webhook registrations reached"
+          }
+        });
+        return;
+      }
+      throw error;
+    }
+  }
+);
+router6.delete(
+  "/:id",
+  validateRequest({ params: webhookSchemas.unregister }),
+  (req, res) => {
+    const removed = webhookStore.unregister(req.params.id);
+    if (!removed) {
+      res.status(404).json({
+        success: false,
+        error: {
+          code: "WEBHOOK_NOT_FOUND",
+          message: "Webhook not found"
+        }
+      });
+      return;
+    }
+    res.status(204).send();
+  }
+);
+router6.get("/", (_req, res) => {
+  const webhooks = webhookStore.getAllForList();
+  const response = {
+    success: true,
+    data: { webhooks }
+  };
+  res.json(response);
+});
+router6.post("/internal/helius", async (req, res) => {
+  const headers = {
+    signature: req.headers["x-helius-signature"],
+    rawBody: typeof req.body === "string" ? req.body : JSON.stringify(req.body)
+  };
+  try {
+    const matchCount = await heliusListenerService.processIncoming(req.body, headers);
+    res.status(200).json({ success: true, matched: matchCount });
+  } catch (error) {
+    if (error.message === "HELIUS_SIGNATURE_INVALID") {
+      res.status(401).json({
+        success: false,
+        error: {
+          code: "HELIUS_SIGNATURE_INVALID",
+          message: "Invalid Helius webhook signature"
+        }
+      });
+      return;
+    }
+    throw error;
+  }
+});
+var webhook_default = router6;
+
+// src/routes/index.ts
+var router7 = (0, import_express7.Router)();
+router7.use("/health", health_default);
+router7.use("/stealth", stealth_default);
+router7.use("/commitment", commitment_default);
+router7.use("/proof", proof_default);
+router7.use("/quote", swap_default);
+router7.use("/swap", swap_default);
+router7.use("/webhooks", webhook_default);
+var routes_default = router7;
+
+// src/routes/metrics.ts
+var import_express8 = require("express");
+var router8 = (0, import_express8.Router)();
+router8.get("/", async (req, res) => {
+  try {
+    res.set("Content-Type", register.contentType);
+    res.end(await register.metrics());
+  } catch (err) {
+    res.status(500).end();
+  }
+});
+var metrics_default = router8;
 
 // src/server.ts
-var app = (0, import_express7.default)();
-var PORT = process.env.PORT || 3e3;
-var NODE_ENV = process.env.NODE_ENV || "development";
-var CORS_ORIGIN = process.env.CORS_ORIGIN || "*";
+initSentry();
+var app = (0, import_express9.default)();
+var trustProxy = env.TRUST_PROXY;
+if (trustProxy !== "false") {
+  const parsedValue = /^\d+$/.test(trustProxy) ? parseInt(trustProxy, 10) : trustProxy;
+  app.set("trust proxy", parsedValue);
+  logger.info({ trustProxy: parsedValue }, "Proxy trust configured");
+}
+if (env.METRICS_ENABLED === "true") {
+  app.use(metricsMiddleware);
+}
+app.use(shutdownMiddleware);
+app.use(requestIdMiddleware);
 app.use((0, import_helmet.default)());
-app.use((0, import_cors.default)({
-  origin: CORS_ORIGIN,
-  credentials: true
-}));
-app.use(import_express7.default.json({ limit: "1mb" }));
-app.use(import_express7.default.urlencoded({ extended: true, limit: "1mb" }));
+app.use(secureCors);
+app.use(rateLimiter);
+app.use(authenticate);
+app.use(import_express9.default.json({ limit: "1mb" }));
+app.use(import_express9.default.urlencoded({ extended: true, limit: "1mb" }));
 app.use((0, import_compression.default)());
-app.use((0, import_morgan.default)(NODE_ENV === "development" ? "dev" : "combined"));
+app.use(requestLogger);
 app.use("/api/v1", routes_default);
+if (env.METRICS_ENABLED === "true") {
+  app.use("/metrics", metrics_default);
+}
 app.get("/", (req, res) => {
+  const corsConfig = getCorsConfig();
   res.json({
     name: "@sip-protocol/api",
     version: "0.1.0",
@@ -456,28 +1750,75 @@ app.get("/", (req, res) => {
       proof: "POST /api/v1/proof/funding",
       quote: "POST /api/v1/quote",
       swap: "POST /api/v1/swap",
-      swapStatus: "GET /api/v1/swap/:id/status"
+      swapStatus: "GET /api/v1/swap/:id/status",
+      webhookRegister: "POST /api/v1/webhooks/register",
+      webhookUnregister: "DELETE /api/v1/webhooks/:id",
+      webhookList: "GET /api/v1/webhooks",
+      heliusIngest: "POST /api/v1/webhooks/internal/helius"
+    },
+    security: {
+      authentication: isAuthEnabled() ? "enabled" : "disabled",
+      cors: {
+        origins: corsConfig.origins.length > 0 ? corsConfig.origins.length + " configured" : "none (blocked)",
+        credentials: corsConfig.credentials
+      },
+      rateLimit: "enabled"
     }
   });
 });
 app.use(notFoundHandler);
+setupSentryErrorHandler(app);
 app.use(errorHandler);
 if (require.main === module) {
-  app.listen(PORT, () => {
-    console.log(`
+  logConfigWarnings(logger);
+  const corsConfig = getCorsConfig();
+  const server = app.listen(env.PORT, () => {
+    logger.info({
+      port: env.PORT,
+      environment: env.NODE_ENV,
+      auth: isAuthEnabled() ? "enabled" : "disabled",
+      corsOrigins: corsConfig.origins.length,
+      logLevel: env.LOG_LEVEL,
+      sentry: isSentryEnabled() ? "enabled" : "disabled",
+      metrics: env.METRICS_ENABLED === "true" ? "enabled" : "disabled"
+    }, "SIP Protocol API started");
+    if (env.isDevelopment) {
+      console.log(`
 \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557
 \u2551  SIP Protocol REST API                             \u2551
 \u2551  Version: 0.1.0                                    \u2551
-\u2551  Port: ${PORT}                                         \u2551
-\u2551  Environment: ${NODE_ENV}                              \u2551
-\u2551  Documentation: http://localhost:${PORT}/              \u2551
+\u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563
+\u2551  Port: ${String(env.PORT).padEnd(43)}\u2551
+\u2551  Environment: ${env.NODE_ENV.padEnd(37)}\u2551
+\u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563
+\u2551  Security:                                         \u2551
+\u2551  \u2022 Auth: ${(isAuthEnabled() ? "ENABLED" : "disabled (dev mode)").padEnd(42)}\u2551
+\u2551  \u2022 CORS: ${(corsConfig.origins.length + " origins").padEnd(42)}\u2551
+\u2551  \u2022 Rate Limit: enabled                             \u2551
+\u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563
+\u2551  Monitoring:                                       \u2551
+\u2551  \u2022 Sentry: ${(isSentryEnabled() ? "ENABLED" : "disabled").padEnd(40)}\u2551
+\u2551  \u2022 Metrics: ${(env.METRICS_ENABLED === "true" ? "/metrics" : "disabled").padEnd(39)}\u2551
+\u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563
+\u2551  Logging: ${env.LOG_LEVEL.padEnd(41)}\u2551
+\u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563
+\u2551  Documentation: http://localhost:${String(env.PORT).padEnd(17)}\u2551
 \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D
-    `);
+      `);
+    }
+  });
+  setupGracefulShutdown(server, async () => {
+    logger.info("Draining webhook deliveries...");
+    await webhookDeliveryService.drainPending();
+    if (isSentryEnabled()) {
+      logger.info("Flushing Sentry events...");
+      await flushSentry(2e3);
+    }
+    logger.info("Flushing logs...");
   });
 }
 var server_default = app;
-/*! Bundled license information:
-
-@noble/hashes/esm/utils.js:
-  (*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
-*/
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  isServerShuttingDown
+});