npm - @vizzor/cli - Versions diffs - 0.10.0 → 0.10.5 - Mend

@vizzor/cli 0.10.0 → 0.10.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -62,13 +62,13 @@ var init_schema = __esm({
       api: z.object({
         port: z.number().default(3e3),
         host: z.string().default("0.0.0.0"),
-        enableAuth: z.boolean().default(false),
-        corsOrigin: z.string().default("*")
+        enableAuth: z.boolean().default(true),
+        corsOrigin: z.string().default("http://localhost:3000")
       }).default(() => ({
         port: 3e3,
         host: "0.0.0.0",
-        enableAuth: false,
-        corsOrigin: "*"
+        enableAuth: true,
+        corsOrigin: "http://localhost:3000"
       })),
       n8n: z.object({
         enabled: z.boolean().default(false),
@@ -82,7 +82,7 @@ var init_schema = __esm({
 });
 // src/config/loader.ts
-import { readFileSync, writeFileSync, mkdirSync, existsSync } from "fs";
+import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync } from "fs";
 import { join } from "path";
 import { homedir } from "os";
 import yaml from "yaml";
@@ -209,7 +209,8 @@ function saveConfigValue(key, value) {
     raw[key] = value;
   }
   vizzorConfigSchema.parse(raw);
-  writeFileSync(configPath, yaml.stringify(raw), "utf-8");
+  writeFileSync(configPath, yaml.stringify(raw), { encoding: "utf-8", mode: 384 });
+  chmodSync(configPath, 384);
   cachedConfig = null;
   loadConfig();
 }
@@ -250,6 +251,20 @@ var init_loader = __esm({
   }
 });
+// src/utils/validate.ts
+function assertValidAddress(address) {
+  if (!EVM_ADDRESS_RE.test(address)) {
+    throw new Error(`Invalid address format: expected 0x followed by 40 hex characters`);
+  }
+}
+var EVM_ADDRESS_RE;
+var init_validate = __esm({
+  "src/utils/validate.ts"() {
+    "use strict";
+    EVM_ADDRESS_RE = /^0x[a-fA-F0-9]{40}$/;
+  }
+});
 // src/chains/evm/abi/erc20.ts
 var erc20Abi;
 var init_erc20 = __esm({
@@ -600,6 +615,7 @@ var CHAIN_MAP, EvmAdapter;
 var init_adapter = __esm({
   "src/chains/evm/adapter.ts"() {
     "use strict";
+    init_validate();
     init_erc20();
     init_etherscan();
     init_constants();
@@ -651,18 +667,23 @@ var init_adapter = __esm({
       isConnected() {
         return this.client !== null;
       }
+      /** Validate and cast to viem Address. */
+      toAddress(address) {
+        assertValidAddress(address);
+        return this.toAddress(address);
+      }
       // ── Balances ────────────────────────────────────────────────────────────
       async getBalance(address) {
         const client2 = this.requireClient();
-        return client2.getBalance({ address });
+        return client2.getBalance({ address: this.toAddress(address) });
       }
       async getTokenBalance(address, tokenAddress) {
         const client2 = this.requireClient();
         const balance = await client2.readContract({
-          address: tokenAddress,
+          address: this.toAddress(tokenAddress),
           abi: erc20Abi,
           functionName: "balanceOf",
-          args: [address]
+          args: [this.toAddress(address)]
         });
         return balance;
       }
@@ -687,13 +708,13 @@ var init_adapter = __esm({
       // ── Contracts ───────────────────────────────────────────────────────────
       async getContractCode(address) {
         const client2 = this.requireClient();
-        const code = await client2.getCode({ address });
+        const code = await client2.getCode({ address: this.toAddress(address) });
         return code ?? "0x";
       }
       async readContract(address, abi, functionName, args2) {
         const client2 = this.requireClient();
         return client2.readContract({
-          address,
+          address: this.toAddress(address),
           abi,
           functionName,
           args: args2
@@ -702,7 +723,7 @@ var init_adapter = __esm({
       async getContractEvents(address, abi, eventName, options) {
         const client2 = this.requireClient();
         const logs = await client2.getContractEvents({
-          address,
+          address: this.toAddress(address),
           abi,
           eventName,
           fromBlock: options?.fromBlock,
@@ -720,7 +741,7 @@ var init_adapter = __esm({
       // ── Tokens ──────────────────────────────────────────────────────────────
       async getTokenInfo(address) {
         const client2 = this.requireClient();
-        const tokenAddr = address;
+        const tokenAddr = this.toAddress(address);
         const [name, symbol, decimals, totalSupply] = await Promise.all([
           client2.readContract({
             address: tokenAddr,
@@ -1342,6 +1363,7 @@ __export(scan_exports, {
 import chalk from "chalk";
 import ora from "ora";
 async function handleScan(project, options) {
+  assertValidAddress(project);
   const spinner = ora(`Scanning ${project} on ${options.chain}...`).start();
   try {
     const adapter = getAdapter(options.chain);
@@ -1396,6 +1418,7 @@ var init_scan = __esm({
     init_loader();
     init_project_analyzer();
     init_risk_scorer();
+    init_validate();
   }
 });
@@ -1718,7 +1741,7 @@ async function fetchJson2(url) {
 }
 async function fetchTickerPrice(symbol) {
   const pair = resolvePair(symbol);
-  const data = await fetchJson2(`${BASE_URL3}/ticker/24hr?symbol=${pair}`);
+  const data = await fetchJson2(`${BASE_URL3}/ticker/24hr?symbol=${encodeURIComponent(pair)}`);
   return {
     symbol: symbol.toUpperCase(),
     price: parseFloat(data.lastPrice),
@@ -1728,7 +1751,7 @@ async function fetchTickerPrice(symbol) {
 async function fetchKlines(symbol, interval, limit = 100) {
   const pair = resolvePair(symbol);
   const data = await fetchJson2(
-    `${BASE_URL3}/klines?symbol=${pair}&interval=${interval}&limit=${limit}`
+    `${BASE_URL3}/klines?symbol=${encodeURIComponent(pair)}&interval=${interval}&limit=${limit}`
   );
   return data.map((k) => ({
     openTime: Number(k[0]),
@@ -1744,7 +1767,7 @@ async function fetchKlines(symbol, interval, limit = 100) {
 }
 async function fetchFundingRate(symbol) {
   const pair = resolvePair(symbol);
-  const data = await fetchJson2(`${FUTURES_URL}/premiumIndex?symbol=${pair}`);
+  const data = await fetchJson2(`${FUTURES_URL}/premiumIndex?symbol=${encodeURIComponent(pair)}`);
   const item = data[0];
   if (!item) throw new Error(`No funding data for ${pair}`);
   return {
@@ -1758,9 +1781,11 @@ async function fetchOpenInterest(symbol) {
   const pair = resolvePair(symbol);
   const [oiData, tickerData] = await Promise.all([
     fetchJson2(
-      `${FUTURES_URL}/openInterest?symbol=${pair}`
+      `${FUTURES_URL}/openInterest?symbol=${encodeURIComponent(pair)}`
     ),
-    fetchJson2(`${FUTURES_URL}/ticker/price?symbol=${pair}`)
+    fetchJson2(
+      `${FUTURES_URL}/ticker/price?symbol=${encodeURIComponent(pair)}`
+    )
   ]);
   const oi = parseFloat(oiData.openInterest);
   const price = parseFloat(tickerData.lastPrice);
@@ -1790,7 +1815,7 @@ async function fetchTopGainersLosers(limit = 10) {
 async function isValidSymbol(symbol) {
   try {
     const pair = resolvePair(symbol);
-    await fetchJson2(`${BASE_URL3}/ticker/price?symbol=${pair}`);
+    await fetchJson2(`${BASE_URL3}/ticker/price?symbol=${encodeURIComponent(pair)}`);
     return true;
   } catch {
     return false;
@@ -2811,6 +2836,7 @@ __export(track_exports, {
 import chalk3 from "chalk";
 import ora3 from "ora";
 async function handleTrack(wallet, options) {
+  assertValidAddress(wallet);
   const spinner = ora3(`Analyzing wallet ${wallet.slice(0, 10)}... on ${options.chain}`).start();
   try {
     const adapter = getAdapter(options.chain);
@@ -2871,6 +2897,7 @@ var init_track = __esm({
     init_registry();
     init_loader();
     init_wallet_analyzer();
+    init_validate();
   }
 });
@@ -3163,6 +3190,7 @@ __export(audit_exports, {
 import chalk5 from "chalk";
 import ora5 from "ora";
 async function handleAudit(contract, options) {
+  assertValidAddress(contract);
   const spinner = ora5(`Auditing contract ${contract.slice(0, 10)}... on ${options.chain}`).start();
   try {
     const adapter = getAdapter(options.chain);
@@ -3240,6 +3268,7 @@ var init_audit = __esm({
     init_registry();
     init_loader();
     init_contract_auditor();
+    init_validate();
   }
 });
@@ -4292,7 +4321,9 @@ async function fetchJson6(url) {
 }
 async function checkTokenSecurity(contractAddress, chain) {
   const chainId = resolveChainId(chain);
-  const data = await fetchJson6(`${BASE_URL6}/token_security/${chainId}?contract_addresses=${contractAddress.toLowerCase()}`);
+  const data = await fetchJson6(
+    `${BASE_URL6}/token_security/${encodeURIComponent(chainId)}?contract_addresses=${encodeURIComponent(contractAddress.toLowerCase())}`
+  );
   if (data.code !== 1) return null;
   const addr = contractAddress.toLowerCase();
   const raw = data.result[addr];
@@ -4347,7 +4378,9 @@ async function checkTokenSecurity(contractAddress, chain) {
 }
 async function checkAddressSecurity(address, chain) {
   const chainId = resolveChainId(chain);
-  const data = await fetchJson6(`${BASE_URL6}/address_security/${chainId}?address=${address.toLowerCase()}`);
+  const data = await fetchJson6(
+    `${BASE_URL6}/address_security/${encodeURIComponent(chainId)}?address=${encodeURIComponent(address.toLowerCase())}`
+  );
   if (data.code !== 1) return null;
   const raw = data.result;
   const toBool = (v) => v === "1" || v === 1 || v === true;
@@ -4379,6 +4412,77 @@ var init_goplus = __esm({
   }
 });
+// src/ai/sanitize.ts
+function sanitizeExternalData(text, maxLen = LIMITS.generic) {
+  let cleaned = text;
+  for (const pattern of INJECTION_PATTERNS) {
+    cleaned = cleaned.replace(pattern, "[FILTERED]");
+  }
+  cleaned = cleaned.replace(/^#{1,6}\s+/gm, "");
+  cleaned = cleaned.replace(/```[\s\S]*?```/g, "[CODE]");
+  if (cleaned.length > maxLen) {
+    cleaned = cleaned.slice(0, maxLen) + "...";
+  }
+  return cleaned;
+}
+function sanitizeTokenName(name) {
+  return sanitizeExternalData(name, LIMITS.tokenName);
+}
+function sanitizeHeadline(headline) {
+  return sanitizeExternalData(headline, LIMITS.headline);
+}
+function wrapUntrustedData(label, data) {
+  return `[BEGIN EXTERNAL DATA: ${label}]
+${data}
+[END EXTERNAL DATA: ${label}]`;
+}
+function sanitizeToolResult(result) {
+  if (typeof result === "string") {
+    return sanitizeExternalData(result);
+  }
+  if (Array.isArray(result)) {
+    return result.map(sanitizeToolResult);
+  }
+  if (result !== null && typeof result === "object") {
+    const sanitized = {};
+    for (const [key, value] of Object.entries(result)) {
+      sanitized[key] = sanitizeToolResult(value);
+    }
+    return sanitized;
+  }
+  return result;
+}
+var INJECTION_PATTERNS, LIMITS;
+var init_sanitize = __esm({
+  "src/ai/sanitize.ts"() {
+    "use strict";
+    INJECTION_PATTERNS = [
+      /ignore\s+(all\s+)?previous\s+instructions/gi,
+      /ignore\s+(all\s+)?above/gi,
+      /you\s+are\s+now/gi,
+      /system\s*:/gi,
+      /assistant\s*:/gi,
+      /\[system\]/gi,
+      /\[instruction\]/gi,
+      /<\/?system>/gi,
+      /repeat\s+(everything|the\s+prompt|your\s+instructions)/gi,
+      /reveal\s+(your|the)\s+(prompt|instructions|config)/gi,
+      /forget\s+(everything|your\s+instructions)/gi,
+      /override\s+(previous|your|all)/gi,
+      /new\s+instructions?\s*:/gi,
+      /\bdo\s+not\s+follow\b/gi,
+      /\bact\s+as\b/gi,
+      /\brole\s*:\s*(system|assistant)\b/gi
+    ];
+    LIMITS = {
+      tokenName: 60,
+      headline: 250,
+      description: 500,
+      generic: 1e3
+    };
+  }
+});
 // src/ai/context-injector.ts
 async function buildContextBlock(userMessage) {
   const lower = userMessage.toLowerCase();
@@ -4601,7 +4705,8 @@ async function buildContextBlock(userMessage) {
   }
   output.push(...buildInstructions(queryType, hasSpecificToken, isComplexQuery));
   output.push("");
-  return output.join("\n");
+  const raw = output.join("\n");
+  return wrapUntrustedData("MARKET_CONTEXT", raw);
 }
 function buildInstructions(queryType, hasSpecificToken, isComplexQuery) {
   const base2 = [
@@ -4685,7 +4790,7 @@ async function fetchTokenData(tokens, address) {
       const pair = pairs[0];
       if (pair) {
         lines.push(
-          `${pair.baseToken.name} (${pair.baseToken.symbol}) on ${pair.chainId}:`,
+          `${sanitizeTokenName(pair.baseToken.name)} (${sanitizeTokenName(pair.baseToken.symbol)}) on ${pair.chainId}:`,
           `  Price: $${pair.priceUsd ?? "?"}`,
           `  24h Volume: $${(pair.volume?.h24 ?? 0).toLocaleString()}`,
           `  Liquidity: $${(pair.liquidity?.usd ?? 0).toLocaleString()}`,
@@ -4754,7 +4859,7 @@ async function fetchTokenData(tokens, address) {
       const pair = pairs[0];
       if (pair) {
         lines.push(
-          `${pair.baseToken.name} (${pair.baseToken.symbol}) on ${pair.chainId}:`,
+          `${sanitizeTokenName(pair.baseToken.name)} (${sanitizeTokenName(pair.baseToken.symbol)}) on ${pair.chainId}:`,
           `  Price: $${pair.priceUsd ?? "?"}`,
           `  24h Volume: $${(pair.volume?.h24 ?? 0).toLocaleString()}`,
           `  24h Change: ${(pair.priceChange?.h24 ?? 0) > 0 ? "+" : ""}${(pair.priceChange?.h24 ?? 0).toFixed(2)}%`,
@@ -4773,7 +4878,7 @@ async function fetchTrendingData() {
     const lines = ["## Trending Tokens (live)"];
     for (const t of trending.slice(0, 10)) {
       lines.push(
-        `- ${t.name} (${t.symbol}) on ${t.chain}: $${t.priceUsd} | 24h: ${t.priceChange24h > 0 ? "+" : ""}${t.priceChange24h.toFixed(1)}% | Vol: $${t.volume24h.toLocaleString()} [${t.source}]`
+        `- ${sanitizeTokenName(t.name)} (${sanitizeTokenName(t.symbol)}) on ${t.chain}: $${t.priceUsd} | 24h: ${t.priceChange24h > 0 ? "+" : ""}${t.priceChange24h.toFixed(1)}% | Vol: $${t.volume24h.toLocaleString()} [${t.source}]`
       );
     }
     return lines.join("\n");
@@ -4797,7 +4902,9 @@ async function fetchNewsData(symbol) {
               const n = headlines[i];
               const ml = mlResults[i];
               const label = ml ? `${ml.sentiment.toUpperCase()} (${(ml.confidence * 100).toFixed(0)}%)` : n.sentiment.toUpperCase();
-              lines.push(`- [${label}] ${n.title} (${n.source.title}, ${n.publishedAt})`);
+              lines.push(
+                `- [${label}] ${sanitizeHeadline(n.title)} (${sanitizeTokenName(n.source.title)}, ${n.publishedAt})`
+              );
             }
             const avgScore = mlResults.reduce((s, r) => s + r.score, 0) / mlResults.length;
             const avgSentiment = avgScore > 0.2 ? "BULLISH" : avgScore < -0.2 ? "BEARISH" : "NEUTRAL";
@@ -4810,7 +4917,7 @@ ML Aggregate Sentiment: ${avgSentiment} (score: ${avgScore.toFixed(3)})`);
       }
       for (const n of headlines) {
         lines.push(
-          `- [${n.sentiment.toUpperCase()}] ${n.title} (${n.source.title}, ${n.publishedAt})`
+          `- [${n.sentiment.toUpperCase()}] ${sanitizeHeadline(n.title)} (${sanitizeTokenName(n.source.title)}, ${n.publishedAt})`
         );
       }
       return lines.join("\n");
@@ -4850,7 +4957,7 @@ async function fetchRaisesData() {
       const amount = r.amount ? r.amount >= 1e9 ? `$${(r.amount / 1e9).toFixed(1)}B` : r.amount >= 1e6 ? `$${(r.amount / 1e6).toFixed(1)}M` : r.amount >= 1e3 ? `$${(r.amount / 1e3).toFixed(0)}K` : `$${r.amount.toLocaleString()}` : "undisclosed";
       const date = new Date(r.date * 1e3).toISOString().split("T")[0];
       lines.push(
-        `- ${r.name} \u2014 ${r.round} (${amount}) on ${r.chains.join(", ") || "multi-chain"} [${date}]${r.leadInvestors.length > 0 ? ` Led by: ${r.leadInvestors.join(", ")}` : ""}`
+        `- ${sanitizeTokenName(r.name)} \u2014 ${sanitizeExternalData(r.round, 50)} (${amount}) on ${r.chains.join(", ") || "multi-chain"} [${date}]${r.leadInvestors.length > 0 ? ` Led by: ${r.leadInvestors.map((inv) => sanitizeTokenName(inv)).join(", ")}` : ""}`
       );
     }
     return lines.join("\n");
@@ -4865,7 +4972,9 @@ async function fetchPumpData() {
     const lines = ["## Latest Pump.fun Launches (Solana)"];
     for (const c of coins) {
       const mcap = c.usd_market_cap ? `$${c.usd_market_cap.toFixed(0)}` : "?";
-      lines.push(`- ${c.name} (${c.symbol}) \u2014 MC: ${mcap} | Replies: ${c.reply_count}`);
+      lines.push(
+        `- ${sanitizeTokenName(c.name)} (${sanitizeTokenName(c.symbol)}) \u2014 MC: ${mcap} | Replies: ${c.reply_count}`
+      );
     }
     return lines.join("\n");
   } catch {
@@ -5785,6 +5894,7 @@ var init_context_injector = __esm({
     init_loader();
     init_constants();
     init_client();
+    init_sanitize();
     PRICE_KEYWORDS = ["price", "worth", "cost", "value", "how much"];
     TRENDING_KEYWORDS = ["trending", "hot", "popular", "top", "best", "hype"];
     NEWS_KEYWORDS = ["news", "latest", "update", "happening", "announcement"];
@@ -6524,7 +6634,12 @@ function getCached(key) {
     getDb().prepare("DELETE FROM cache WHERE key = ?").run(key);
     return null;
   }
-  return JSON.parse(row.value);
+  try {
+    return JSON.parse(row.value);
+  } catch {
+    getDb().prepare("DELETE FROM cache WHERE key = ?").run(key);
+    return null;
+  }
 }
 function setCache(key, value, ttlSeconds) {
   const now = Math.floor(Date.now() / 1e3);
@@ -6556,12 +6671,14 @@ var init_engine = __esm({
     logger = createLogger("agent-engine");
     AgentEngine = class {
       timer = null;
+      running = false;
       state;
       strategy;
       constructor(config2) {
         this.strategy = getStrategy(config2.strategy);
+        const interval = Math.max(30, config2.interval);
         this.state = {
-          config: config2,
+          config: { ...config2, interval },
           status: "idle",
           lastCycle: null,
           cycleCount: 0,
@@ -6575,20 +6692,30 @@ var init_engine = __esm({
         if (this.state.status === "running") return;
         this.state.status = "running";
         this.state.error = null;
+        this.running = true;
         logger.info(`Agent ${this.state.config.name} started (${this.strategy.name})`);
-        void this.runCycle();
-        this.timer = setInterval(() => {
-          void this.runCycle();
-        }, this.state.config.interval * 1e3);
+        void this.scheduleNextCycle(true);
       }
       stop() {
+        this.running = false;
         if (this.timer) {
-          clearInterval(this.timer);
+          clearTimeout(this.timer);
           this.timer = null;
         }
         this.state.status = "stopped";
         logger.info(`Agent ${this.state.config.name} stopped`);
       }
+      async scheduleNextCycle(immediate = false) {
+        if (!this.running) return;
+        if (!immediate) {
+          await new Promise((resolve4) => {
+            this.timer = setTimeout(resolve4, this.state.config.interval * 1e3);
+          });
+        }
+        if (!this.running) return;
+        await this.runCycle();
+        void this.scheduleNextCycle(false);
+      }
       async runCycle() {
         for (const symbol of this.state.config.pairs) {
           try {
@@ -7011,11 +7138,15 @@ function deleteAgent(id) {
 function startAgent(id) {
   const config2 = getAgentById(id);
   if (!config2) throw new Error(`Agent not found: ${id}`);
-  let engine = engines.get(id);
-  if (!engine) {
-    engine = new AgentEngine(config2);
-    engines.set(id, engine);
+  const existing = engines.get(id);
+  if (existing) {
+    const state = existing.getState();
+    if (state.status === "running") {
+      return state;
+    }
   }
+  const engine = new AgentEngine(config2);
+  engines.set(id, engine);
   engine.start();
   return engine.getState();
 }
@@ -7052,23 +7183,43 @@ function logDecision(result) {
     JSON.stringify(result.signals),
     result.timestamp
   );
+  pruneCounter++;
+  if (pruneCounter >= 100) {
+    pruneCounter = 0;
+    pruneDecisions(result.agentId, 1e3);
+  }
+}
+function pruneDecisions(agentId, keep = 1e3) {
+  ensureAgentTables();
+  const result = getDb().prepare(
+    `DELETE FROM agent_decisions WHERE agent_id = ? AND id NOT IN (
+        SELECT id FROM agent_decisions WHERE agent_id = ? ORDER BY created_at DESC LIMIT ?
+      )`
+  ).run(agentId, agentId, keep);
+  return result.changes;
 }
 function getRecentDecisions(agentId, limit = 20) {
   ensureAgentTables();
   const rows = getDb().prepare(`SELECT * FROM agent_decisions WHERE agent_id = ? ORDER BY created_at DESC LIMIT ?`).all(agentId, limit);
-  return rows.map((r) => ({
-    agentId: r.agent_id,
-    symbol: r.symbol,
-    timestamp: r.created_at,
-    signals: JSON.parse(r.signals),
-    decision: {
-      action: r.action,
-      confidence: r.confidence,
-      reasoning: JSON.parse(r.reasoning)
+  return rows.map((r) => {
+    try {
+      return {
+        agentId: r.agent_id,
+        symbol: r.symbol,
+        timestamp: r.created_at,
+        signals: JSON.parse(r.signals),
+        decision: {
+          action: r.action,
+          confidence: r.confidence,
+          reasoning: JSON.parse(r.reasoning)
+        }
+      };
+    } catch {
+      return null;
     }
-  }));
+  }).filter((r) => r !== null);
 }
-var STRATEGIES, engines;
+var STRATEGIES, engines, pruneCounter;
 var init_manager = __esm({
   "src/core/agent/manager.ts"() {
     "use strict";
@@ -7083,6 +7234,7 @@ var init_manager = __esm({
       "ml-adaptive": mlAdaptiveStrategy
     };
     engines = /* @__PURE__ */ new Map();
+    pruneCounter = 0;
   }
 });
@@ -7549,6 +7701,10 @@ var init_store_factory = __esm({
 // src/ai/tool-handler.ts
 async function handleTool(name, input) {
+  const raw = await handleToolUnsafe(name, input);
+  return sanitizeToolResult(raw);
+}
+async function handleToolUnsafe(name, input) {
   const params = input;
   switch (name) {
     case "get_token_info": {
@@ -8248,6 +8404,7 @@ var init_tool_handler = __esm({
     init_client();
     init_feature_engineer();
     init_store_factory();
+    init_sanitize();
   }
 });
@@ -9288,13 +9445,16 @@ async function startDiscordBot() {
   client2.on("messageCreate", async (message) => {
     if (message.author.bot) return;
     if (!client2.user || !message.mentions.has(client2.user)) return;
-    const text = message.content.replace(/<@!?\d+>/g, "").trim();
+    let text = message.content.replace(/<@!?\d+>/g, "").trim();
     if (!text) {
       await message.reply(
         "Mention me with a question! e.g. `@Vizzor what is BTC price?`\nOr use slash commands: `/scan` `/trends` `/track` `/ico` `/audit` `/help`"
       );
       return;
     }
+    if (text.length > 2e3) {
+      text = text.slice(0, 2e3);
+    }
     await message.reply("\u{1F52E} Analyzing...");
     try {
       const response = await analyze(buildChatSystemPrompt(), text, VIZZOR_TOOLS);
@@ -9964,8 +10124,11 @@ async function startTelegramBot() {
   bot.use(rateLimitMiddleware);
   registerCommands(bot);
   bot.on("message:text", async (ctx) => {
-    const text = ctx.message.text;
+    let text = ctx.message.text;
     if (text.startsWith("/")) return;
+    if (text.length > 4e3) {
+      text = text.slice(0, 4e3);
+    }
     await ctx.reply("\u{1F52E} Analyzing...");
     try {
       const response = await analyze(buildChatSystemPrompt(), text, VIZZOR_TOOLS);
@@ -10543,19 +10706,26 @@ var init_keys2 = __esm({
 });
 // src/api/auth/middleware.ts
+import { timingSafeEqual } from "crypto";
 async function authMiddleware(request, reply) {
-  if (PUBLIC_PATHS.some((p) => request.url === p) || request.url.startsWith("/docs/")) {
+  if (PUBLIC_PATHS.some((p) => request.url === p)) {
+    return;
+  }
+  if (request.url === "/docs" || request.url.startsWith("/docs/")) {
+    if (process.env["NODE_ENV"] === "production") {
+      return reply.status(404).send({ error: "Not found" });
+    }
     return;
   }
   const apiKey = request.headers["x-api-key"];
-  if (!apiKey) {
+  if (!apiKey || apiKey.length > 256) {
     return reply.status(401).send({
       error: "Unauthorized",
-      message: "Missing X-API-Key header"
+      message: "Missing or invalid X-API-Key header"
     });
   }
   const keyHash = hashApiKey(apiKey);
-  const valid = await validateKey2(keyHash);
+  const valid = validateKey2(keyHash);
   if (!valid) {
     return reply.status(403).send({
       error: "Forbidden",
@@ -10563,20 +10733,43 @@ async function authMiddleware(request, reply) {
     });
   }
 }
-async function validateKey2(keyHash) {
-  const store = getStoreInstance();
-  if (!store) return false;
-  const cached = await store.getCached(`apikey:${keyHash}`);
-  if (cached !== null) return cached.valid;
-  return true;
+function validateKey2(keyHash) {
+  try {
+    const db2 = getDb();
+    db2.exec(`
+      CREATE TABLE IF NOT EXISTS api_keys (
+        id TEXT PRIMARY KEY,
+        label TEXT NOT NULL,
+        key_hash TEXT NOT NULL UNIQUE,
+        key_prefix TEXT NOT NULL,
+        rate_limit INTEGER NOT NULL DEFAULT 100,
+        created_at INTEGER NOT NULL,
+        revoked_at INTEGER
+      )
+    `);
+    const row = db2.prepare("SELECT key_hash FROM api_keys WHERE revoked_at IS NULL").all();
+    if (row.length === 0) {
+      return false;
+    }
+    const inputBuf = Buffer.from(keyHash, "hex");
+    for (const r of row) {
+      const storedBuf = Buffer.from(r.key_hash, "hex");
+      if (inputBuf.length === storedBuf.length && timingSafeEqual(inputBuf, storedBuf)) {
+        return true;
+      }
+    }
+    return false;
+  } catch {
+    return false;
+  }
 }
 var PUBLIC_PATHS;
 var init_middleware = __esm({
   "src/api/auth/middleware.ts"() {
     "use strict";
     init_keys2();
-    init_store_factory();
-    PUBLIC_PATHS = ["/health", "/docs", "/docs/"];
+    init_cache();
+    PUBLIC_PATHS = ["/health"];
   }
 });
@@ -10613,7 +10806,11 @@ import swagger from "@fastify/swagger";
 import swaggerUi from "@fastify/swagger-ui";
 async function startApiServer(options) {
   const server = Fastify({ logger: false });
-  await server.register(cors, { origin: true });
+  const isProd = process.env["NODE_ENV"] === "production";
+  const origin = options.corsOrigin ?? "http://localhost:3000";
+  await server.register(cors, {
+    origin: isProd ? origin : true
+  });
   await server.register(rateLimit, {
     max: 100,
     timeWindow: "1 minute"
@@ -10623,7 +10820,7 @@ async function startApiServer(options) {
       info: {
         title: "Vizzor API",
         description: "AI-powered crypto intelligence REST API",
-        version: "0.7.0"
+        version: "0.10.5"
       },
       servers: [{ url: `http://${options.host}:${options.port}` }],
       components: {
@@ -10637,25 +10834,36 @@ async function startApiServer(options) {
       }
     }
   });
-  await server.register(swaggerUi, {
-    routePrefix: "/docs"
-  });
-  if (options.enableAuth) {
+  if (!isProd) {
+    await server.register(swaggerUi, {
+      routePrefix: "/docs"
+    });
+  }
+  if (options.enableAuth !== false) {
     server.addHook("onRequest", authMiddleware);
+  } else if (isProd) {
+    log3.warn("API authentication is DISABLED in production \u2014 this is insecure");
   }
   server.setErrorHandler(errorHandler);
-  server.get("/health", async () => ({
-    status: "ok",
-    version: "0.7.0",
-    uptime: process.uptime(),
-    timestamp: (/* @__PURE__ */ new Date()).toISOString()
-  }));
+  server.get("/health", async () => {
+    if (isProd) {
+      return { status: "ok" };
+    }
+    return {
+      status: "ok",
+      version: "0.10.5",
+      uptime: process.uptime(),
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  });
   await server.register(registerMarketRoutes, { prefix: "/v1/market" });
   await server.register(registerAnalysisRoutes, { prefix: "/v1/analysis" });
   await server.register(registerSecurityRoutes, { prefix: "/v1/security" });
   await server.listen({ port: options.port, host: options.host });
   log3.info(`Vizzor API listening on ${options.host}:${options.port}`);
-  log3.info(`OpenAPI docs at http://${options.host}:${options.port}/docs`);
+  if (!isProd) {
+    log3.info(`OpenAPI docs at http://${options.host}:${options.port}/docs`);
+  }
 }
 var log3;
 var init_server = __esm({