flash-trade-mcp 0.3.0 → 0.3.1

package/dist/index.js

@@ -21063,7 +21063,7 @@ var require_fallback = __commonJS((exports, module) => {
 
 // node_modules/bufferutil/index.js
 var require_bufferutil = __commonJS((exports, module) => {
-  var __dirname = "/Users/kalebrupe/Desktop/flash-trade-MCP/mcp/node_modules/bufferutil";
+  var __dirname = "/home/runner/work/flash-trade-MCP/flash-trade-MCP/mcp/node_modules/bufferutil";
   try {
     module.exports = require_node_gyp_build2()(__dirname);
   } catch (e) {
@@ -21479,7 +21479,7 @@ var require_fallback2 = __commonJS((exports, module) => {
 
 // node_modules/utf-8-validate/index.js
 var require_utf_8_validate = __commonJS((exports, module) => {
-  var __dirname = "/Users/kalebrupe/Desktop/flash-trade-MCP/mcp/node_modules/utf-8-validate";
+  var __dirname = "/home/runner/work/flash-trade-MCP/flash-trade-MCP/mcp/node_modules/utf-8-validate";
   try {
     module.exports = require_node_gyp_build2()(__dirname);
   } catch (e) {
@@ -49053,6 +49053,15 @@ function loadConfig() {
   if (!apiBaseUrl) {
     throw new Error("FLASH_API_URL environment variable is required");
   }
+  let parsed;
+  try {
+    parsed = new URL(apiBaseUrl);
+  } catch {
+    throw new Error(`FLASH_API_URL is not a valid URL: ${apiBaseUrl}`);
+  }
+  if (parsed.protocol !== "https:") {
+    console.error(`[flash-trade-mcp] WARNING: FLASH_API_URL uses ${parsed.protocol} — HTTPS is strongly recommended for production`);
+  }
   return {
     apiBaseUrl: apiBaseUrl.replace(/\/$/, ""),
     timeoutMs: parseInt(process.env.FLASH_API_TIMEOUT ?? "30000", 10),
@@ -49069,8 +49078,8 @@ class FlashApiError extends Error {
     super(`Flash API error [${statusCode}] ${endpoint}: ${message}`);
     this.statusCode = statusCode;
     this.endpoint = endpoint;
-    this.responseBody = responseBody;
     this.name = "FlashApiError";
+    this.responseBody = responseBody?.slice(0, 500);
   }
 }
 
@@ -49137,51 +49146,51 @@ class FlashApiClient {
     return this.get("/markets");
   }
   async getMarket(pubkey) {
-    return this.get(`/markets/${pubkey}`);
+    return this.get(`/markets/${encodeURIComponent(pubkey)}`);
   }
   async getPools() {
     return this.get("/pools");
   }
   async getPool(pubkey) {
-    return this.get(`/pools/${pubkey}`);
+    return this.get(`/pools/${encodeURIComponent(pubkey)}`);
   }
   async getCustodies() {
     return this.get("/custodies");
   }
   async getCustody(pubkey) {
-    return this.get(`/custodies/${pubkey}`);
+    return this.get(`/custodies/${encodeURIComponent(pubkey)}`);
   }
   async getPrices() {
     return this.get("/prices");
   }
   async getPrice(symbol2) {
-    return this.get(`/prices/${symbol2}`);
+    return this.get(`/prices/${encodeURIComponent(symbol2)}`);
   }
   async getPositions(owner) {
-    const query = owner ? `?owner=${owner}` : "";
+    const query = owner ? `?owner=${encodeURIComponent(owner)}` : "";
     return this.get(`/positions${query}`);
   }
   async getPosition(pubkey) {
-    return this.get(`/positions/${pubkey}`);
+    return this.get(`/positions/${encodeURIComponent(pubkey)}`);
   }
   async getOwnerPositions(owner, includePnlInLeverage = false) {
-    return this.get(`/positions/owner/${owner}?includePnlInLeverageDisplay=${includePnlInLeverage}`);
+    return this.get(`/positions/owner/${encodeURIComponent(owner)}?includePnlInLeverageDisplay=${includePnlInLeverage}`);
   }
   async getOrders(owner) {
-    const query = owner ? `?owner=${owner}` : "";
+    const query = owner ? `?owner=${encodeURIComponent(owner)}` : "";
     return this.get(`/orders${query}`);
   }
   async getOrder(pubkey) {
-    return this.get(`/orders/${pubkey}`);
+    return this.get(`/orders/${encodeURIComponent(pubkey)}`);
   }
   async getOwnerOrders(owner) {
-    return this.get(`/orders/owner/${owner}`);
+    return this.get(`/orders/owner/${encodeURIComponent(owner)}`);
   }
   async getPoolData() {
     return this.get("/pool-data");
   }
   async getPoolSnapshot(poolPubkey) {
-    return this.get(`/pool-data/${poolPubkey}`);
+    return this.get(`/pool-data/${encodeURIComponent(poolPubkey)}`);
   }
   async openPosition(req) {
     return this.post("/transaction-builder/open-position", req);
@@ -49307,7 +49316,7 @@ function registerMarketTools(server, client) {
   });
   server.registerTool("get_market", {
     description: "Get detailed information about a specific market by its on-chain account pubkey. Returns full market configuration including permissions and collective position data.",
-    inputSchema: { pubkey: exports_external.string().describe("Solana pubkey of the market account") }
+    inputSchema: { pubkey: exports_external.string().regex(/^[1-9A-HJ-NP-Za-km-z]{32,44}$/).describe("Solana pubkey of the market account") }
   }, async ({ pubkey }) => {
     const market = await client.getMarket(pubkey);
     return { content: [{ type: "text", text: JSON.stringify(market, null, 2) }] };
@@ -49324,7 +49333,7 @@ function registerPoolTools(server, client) {
   });
   server.registerTool("get_pool", {
     description: "Get detailed information about a specific pool by its on-chain account pubkey.",
-    inputSchema: { pubkey: exports_external.string().describe("Solana pubkey of the pool account") }
+    inputSchema: { pubkey: exports_external.string().regex(/^[1-9A-HJ-NP-Za-km-z]{32,44}$/).describe("Solana pubkey of the pool account") }
   }, async ({ pubkey }) => {
     const pool = await client.getPool(pubkey);
     return { content: [{ type: "text", text: JSON.stringify(pool, null, 2) }] };
@@ -49341,7 +49350,7 @@ function registerCustodyTools(server, client) {
   });
   server.registerTool("get_custody", {
     description: "Get detailed custody information for a specific custody account. Includes utilization, fees, and limits.",
-    inputSchema: { pubkey: exports_external.string().describe("Solana pubkey of the custody account") }
+    inputSchema: { pubkey: exports_external.string().regex(/^[1-9A-HJ-NP-Za-km-z]{32,44}$/).describe("Solana pubkey of the custody account") }
   }, async ({ pubkey }) => {
     const custody = await client.getCustody(pubkey);
     return { content: [{ type: "text", text: JSON.stringify(custody, null, 2) }] };
@@ -49366,7 +49375,7 @@ function registerPriceTools(server, client) {
   });
   server.registerTool("get_price", {
     description: 'Get the current oracle price for a specific asset symbol (e.g., "SOL", "BTC", "ETH"). Case-insensitive. Returns price in USD with timestamp.',
-    inputSchema: { symbol: exports_external.string().describe('Asset symbol, e.g. "SOL", "BTC", "ETH"') }
+    inputSchema: { symbol: exports_external.string().max(16).describe('Asset symbol, e.g. "SOL", "BTC", "ETH"') }
   }, async ({ symbol: symbol2 }) => {
     const data = await client.getPrice(symbol2);
     const usd = formatPrice(data.price, data.exponent);
@@ -49400,7 +49409,7 @@ function registerPositionTools(server, client) {
   server.registerTool("get_positions", {
     description: "List perpetual positions, optionally filtered by wallet owner. Without an owner filter, returns ALL open positions (may be large). With owner, returns enriched positions with computed PnL, leverage, and liquidation price.",
     inputSchema: {
-      owner: exports_external.string().optional().describe("Wallet pubkey to filter by. When provided, returns enriched positions with PnL, leverage, and liquidation price.")
+      owner: exports_external.string().regex(/^[1-9A-HJ-NP-Za-km-z]{32,44}$/).optional().describe("Wallet pubkey to filter by. When provided, returns enriched positions with PnL, leverage, and liquidation price.")
     }
   }, async ({ owner }) => {
     if (owner) {
@@ -49420,7 +49429,7 @@ ${text}` }] };
   });
   server.registerTool("get_position", {
     description: "Get a single position by its on-chain account pubkey. Returns raw position data. For enriched data (PnL, leverage, liq price), use get_positions with the owner filter instead.",
-    inputSchema: { pubkey: exports_external.string().describe("Position account pubkey") }
+    inputSchema: { pubkey: exports_external.string().regex(/^[1-9A-HJ-NP-Za-km-z]{32,44}$/).describe("Position account pubkey") }
   }, async ({ pubkey }) => {
     const position = await client.getPosition(pubkey);
     return { content: [{ type: "text", text: JSON.stringify(position, null, 2) }] };
@@ -49446,7 +49455,7 @@ function registerOrderTools(server, client) {
   server.registerTool("get_orders", {
     description: "List open orders (limit orders, take-profit, stop-loss), optionally filtered by wallet owner. When owner is provided, returns enriched order data with computed trigger prices and sizes.",
     inputSchema: {
-      owner: exports_external.string().optional().describe("Wallet pubkey to filter by. When provided, returns enriched orders.")
+      owner: exports_external.string().regex(/^[1-9A-HJ-NP-Za-km-z]{32,44}$/).optional().describe("Wallet pubkey to filter by. When provided, returns enriched orders.")
     }
   }, async ({ owner }) => {
     if (owner) {
@@ -49466,7 +49475,7 @@ ${text}` }] };
   });
   server.registerTool("get_order", {
     description: "Get a single order account by its on-chain pubkey.",
-    inputSchema: { pubkey: exports_external.string().describe("Order account pubkey") }
+    inputSchema: { pubkey: exports_external.string().regex(/^[1-9A-HJ-NP-Za-km-z]{32,44}$/).describe("Order account pubkey") }
   }, async ({ pubkey }) => {
     const order = await client.getOrder(pubkey);
     return { content: [{ type: "text", text: JSON.stringify(order, null, 2) }] };
@@ -49478,7 +49487,7 @@ function registerPoolDataTools(server, client) {
   server.registerTool("get_pool_data", {
     description: "Get computed pool metrics including AUM (assets under management), LP token stats, custody ratios, and utilization. Data is cached and refreshed every 15 seconds. Provide a pool_pubkey for a specific pool, or omit for all pools.",
     inputSchema: {
-      pool_pubkey: exports_external.string().optional().describe("Specific pool pubkey. If omitted, returns all pool snapshots.")
+      pool_pubkey: exports_external.string().regex(/^[1-9A-HJ-NP-Za-km-z]{32,44}$/).optional().describe("Specific pool pubkey. If omitted, returns all pool snapshots.")
     }
   }, async ({ pool_pubkey }) => {
     if (pool_pubkey) {
@@ -49536,17 +49545,17 @@ function registerOpenPositionTool(server, client) {
   server.registerTool("open_position", {
     description: "Build a transaction to open a new perpetual position on Flash Trade. Returns a preview (entry price, fees, leverage, liquidation price) AND an unsigned transaction. The transaction must be signed by the user's wallet and submitted to Solana separately. IMPORTANT: Always present the preview to the user before they sign. This tool does NOT execute the trade. Supports both MARKET and LIMIT orders, with optional take-profit and stop-loss. COLLATERAL WARNING: Limit orders, take-profit, and stop-loss require >$10 collateral AFTER entry fees. A $10 position will have fees deducted, dropping collateral below $10 and preventing TP/SL/limit orders. Use at least $11-12 input_amount when planning to set TP/SL.",
     inputSchema: {
-      input_token_symbol: exports_external.string().describe('Token to pay with: "USDC", "SOL", etc.'),
-      output_token_symbol: exports_external.string().describe('Market to trade: "SOL", "BTC", "ETH", etc.'),
-      input_amount: exports_external.string().describe('Amount of input token, e.g. "100.0"'),
-      leverage: exports_external.string().describe('Leverage multiplier, e.g. "5.0"'),
+      input_token_symbol: exports_external.string().max(16).describe('Token to pay with: "USDC", "SOL", etc.'),
+      output_token_symbol: exports_external.string().max(16).describe('Market to trade: "SOL", "BTC", "ETH", etc.'),
+      input_amount: exports_external.string().max(32).describe('Amount of input token, e.g. "100.0"'),
+      leverage: exports_external.string().max(8).describe('Leverage multiplier, e.g. "5.0"'),
       trade_type: exports_external.enum(["LONG", "SHORT"]).describe("Trade direction"),
-      owner: exports_external.string().describe("Wallet pubkey (required to build the transaction)"),
+      owner: exports_external.string().regex(/^[1-9A-HJ-NP-Za-km-z]{32,44}$/).describe("Wallet pubkey (required to build the transaction)"),
       order_type: exports_external.enum(["MARKET", "LIMIT"]).optional().describe("Default: MARKET"),
-      limit_price: exports_external.string().optional().describe("Required for LIMIT orders, UI format price"),
-      slippage_percentage: exports_external.string().optional().describe('Default: "0.5" (0.5%)'),
-      take_profit: exports_external.string().optional().describe("TP trigger price in UI format"),
-      stop_loss: exports_external.string().optional().describe("SL trigger price in UI format"),
+      limit_price: exports_external.string().max(32).optional().describe("Required for LIMIT orders, UI format price"),
+      slippage_percentage: exports_external.string().max(8).optional().describe('Default: "0.5" (0.5%)'),
+      take_profit: exports_external.string().max(32).optional().describe("TP trigger price in UI format"),
+      stop_loss: exports_external.string().max(32).optional().describe("SL trigger price in UI format"),
       degen_mode: exports_external.boolean().optional().describe("Enable degen mode (higher leverage limits)")
     }
   }, async (params) => {
@@ -49609,11 +49618,11 @@ function registerClosePositionTool(server, client) {
   server.registerTool("close_position", {
     description: "Build a transaction to close (fully or partially) an existing perpetual position. Returns a preview with PnL, fees, and receive amount, plus an unsigned transaction. For a full close, set input_usd to the position's full size. For a partial close, use a smaller amount. The transaction must be signed and submitted separately.",
     inputSchema: {
-      position_key: exports_external.string().describe("Position account pubkey to close"),
-      input_usd: exports_external.string().describe('USD amount to close, e.g. "500.00" for full or "250.00" for partial'),
-      withdraw_token_symbol: exports_external.string().describe('Token to receive: "USDC", "SOL", etc.'),
+      position_key: exports_external.string().regex(/^[1-9A-HJ-NP-Za-km-z]{32,44}$/).describe("Position account pubkey to close"),
+      input_usd: exports_external.string().max(32).describe('USD amount to close, e.g. "500.00" for full or "250.00" for partial'),
+      withdraw_token_symbol: exports_external.string().max(16).describe('Token to receive: "USDC", "SOL", etc.'),
       keep_leverage_same: exports_external.boolean().optional().describe("Keep leverage constant during partial close"),
-      slippage_percentage: exports_external.string().optional().describe('Default: "0.5" (0.5%)')
+      slippage_percentage: exports_external.string().max(8).optional().describe('Default: "0.5" (0.5%)')
     }
   }, async (params) => {
     const res = await client.closePosition({
@@ -49672,11 +49681,11 @@ function registerCollateralTools(server, client) {
   server.registerTool("add_collateral", {
     description: "Build a transaction to add collateral to an existing position. This reduces leverage and moves the liquidation price further from the current price (safer). Returns a preview and unsigned transaction.",
     inputSchema: {
-      position_key: exports_external.string().describe("Position account pubkey"),
-      deposit_amount: exports_external.string().describe("Amount to deposit in UI format"),
-      deposit_token_symbol: exports_external.string().describe('Token to deposit: "USDC", "SOL", etc.'),
-      owner: exports_external.string().describe("Wallet pubkey"),
-      slippage_percentage: exports_external.string().optional().describe('Default: "0.5" (0.5%)')
+      position_key: exports_external.string().regex(/^[1-9A-HJ-NP-Za-km-z]{32,44}$/).describe("Position account pubkey"),
+      deposit_amount: exports_external.string().max(32).describe("Amount to deposit in UI format"),
+      deposit_token_symbol: exports_external.string().max(16).describe('Token to deposit: "USDC", "SOL", etc.'),
+      owner: exports_external.string().regex(/^[1-9A-HJ-NP-Za-km-z]{32,44}$/).describe("Wallet pubkey"),
+      slippage_percentage: exports_external.string().max(8).optional().describe('Default: "0.5" (0.5%)')
     }
   }, async (params) => {
     const res = await client.addCollateral({
@@ -49691,11 +49700,11 @@ function registerCollateralTools(server, client) {
   server.registerTool("remove_collateral", {
     description: "Build a transaction to remove collateral from an existing position. This increases leverage and moves the liquidation price closer (riskier). WARNING: Removing too much collateral can lead to liquidation. Returns a preview and unsigned transaction.",
     inputSchema: {
-      position_key: exports_external.string().describe("Position account pubkey"),
-      withdraw_amount_usd: exports_external.string().describe("USD amount to withdraw"),
-      withdraw_token_symbol: exports_external.string().describe('Token to receive: "USDC", "SOL", etc.'),
-      owner: exports_external.string().describe("Wallet pubkey"),
-      slippage_percentage: exports_external.string().optional().describe('Default: "0.5" (0.5%)')
+      position_key: exports_external.string().regex(/^[1-9A-HJ-NP-Za-km-z]{32,44}$/).describe("Position account pubkey"),
+      withdraw_amount_usd: exports_external.string().max(32).describe("USD amount to withdraw"),
+      withdraw_token_symbol: exports_external.string().max(16).describe('Token to receive: "USDC", "SOL", etc.'),
+      owner: exports_external.string().regex(/^[1-9A-HJ-NP-Za-km-z]{32,44}$/).describe("Wallet pubkey"),
+      slippage_percentage: exports_external.string().max(8).optional().describe('Default: "0.5" (0.5%)')
     }
   }, async (params) => {
     const res = await client.removeCollateral({
@@ -49743,9 +49752,9 @@ function registerReversePositionTool(server, client) {
   server.registerTool("reverse_position", {
     description: "Build a transaction to reverse a position (close current + open opposite direction). For example, close a LONG and open a SHORT with the same collateral. Returns combined close+open preview and a single unsigned transaction.",
     inputSchema: {
-      position_key: exports_external.string().describe("Position account pubkey to reverse"),
-      owner: exports_external.string().describe("Wallet pubkey"),
-      slippage_percentage: exports_external.string().optional().describe('Default: "0.5" (0.5%)'),
+      position_key: exports_external.string().regex(/^[1-9A-HJ-NP-Za-km-z]{32,44}$/).describe("Position account pubkey to reverse"),
+      owner: exports_external.string().regex(/^[1-9A-HJ-NP-Za-km-z]{32,44}$/).describe("Wallet pubkey"),
+      slippage_percentage: exports_external.string().max(8).optional().describe('Default: "0.5" (0.5%)'),
       degen_mode: exports_external.boolean().optional().describe("Enable degen mode for the new position")
     }
   }, async (params) => {
@@ -49764,11 +49773,11 @@ function registerPreviewTools(server, client) {
   server.registerTool("preview_limit_order_fees", {
     description: "Preview the entry price, fees, liquidation price, and borrow rate for a limit order BEFORE placing it. Use this to evaluate a trade before committing. No transaction is built.",
     inputSchema: {
-      market_symbol: exports_external.string().describe('Market symbol, e.g. "SOL", "BTC", "ETH"'),
-      input_amount: exports_external.string().describe("Collateral amount in UI format"),
-      output_amount: exports_external.string().describe("Position size in target token"),
+      market_symbol: exports_external.string().max(16).describe('Market symbol, e.g. "SOL", "BTC", "ETH"'),
+      input_amount: exports_external.string().max(32).describe("Collateral amount in UI format"),
+      output_amount: exports_external.string().max(32).describe("Position size in target token"),
       side: exports_external.enum(["LONG", "SHORT"]).describe("Trade direction"),
-      limit_price: exports_external.string().optional().describe("Limit price; uses live price if omitted"),
+      limit_price: exports_external.string().max(32).optional().describe("Limit price; uses live price if omitted"),
       trading_fee_discount_percent: exports_external.number().optional().describe("Fee discount from FAF staking (0-100)")
     }
   }, async (params) => {
@@ -49796,8 +49805,8 @@ WARNING: ${res.err}`);
   server.registerTool("preview_exit_fee", {
     description: "Preview the exit fee and exit price for closing a specific amount of a position. Use this to estimate close costs before calling close_position. No transaction is built.",
     inputSchema: {
-      position_key: exports_external.string().describe("Position account pubkey"),
-      close_amount_usd: exports_external.string().describe("USD amount to close")
+      position_key: exports_external.string().regex(/^[1-9A-HJ-NP-Za-km-z]{32,44}$/).describe("Position account pubkey"),
+      close_amount_usd: exports_external.string().max(32).describe("USD amount to close")
     }
   }, async (params) => {
     const res = await client.previewExitFee({
@@ -49819,14 +49828,14 @@ WARNING: ${res.err}`);
     description: 'Calculate take-profit or stop-loss prices and projected PnL. Three modes: "forward" (trigger price → PnL), "reverse_pnl" (target PnL → trigger price), "reverse_roi" (target ROI% → trigger price). Works for existing positions (by pubkey) or hypothetical orders (provide market_symbol, entry_price, size, collateral, side).',
     inputSchema: {
       mode: exports_external.enum(["forward", "reverse_pnl", "reverse_roi"]).describe("Calculation mode"),
-      position_key: exports_external.string().optional().describe("Position pubkey (for existing positions)"),
-      market_symbol: exports_external.string().optional().describe("Market symbol (for hypothetical orders)"),
-      entry_price: exports_external.string().optional().describe("Entry price (for hypothetical orders)"),
-      size_usd: exports_external.string().optional().describe("Position size USD (for hypothetical orders)"),
-      collateral_usd: exports_external.string().optional().describe("Collateral USD (for hypothetical orders)"),
+      position_key: exports_external.string().regex(/^[1-9A-HJ-NP-Za-km-z]{32,44}$/).optional().describe("Position pubkey (for existing positions)"),
+      market_symbol: exports_external.string().max(16).optional().describe("Market symbol (for hypothetical orders)"),
+      entry_price: exports_external.string().max(32).optional().describe("Entry price (for hypothetical orders)"),
+      size_usd: exports_external.string().max(32).optional().describe("Position size USD (for hypothetical orders)"),
+      collateral_usd: exports_external.string().max(32).optional().describe("Collateral USD (for hypothetical orders)"),
       side: exports_external.enum(["LONG", "SHORT"]).optional().describe("Side (for hypothetical orders)"),
-      trigger_price: exports_external.string().optional().describe('Trigger price (required for "forward" mode)'),
-      target_pnl_usd: exports_external.string().optional().describe('Target PnL USD (required for "reverse_pnl" mode)'),
+      trigger_price: exports_external.string().max(32).optional().describe('Trigger price (required for "forward" mode)'),
+      target_pnl_usd: exports_external.string().max(32).optional().describe('Target PnL USD (required for "reverse_pnl" mode)'),
       target_roi_percent: exports_external.number().optional().describe('Target ROI% (required for "reverse_roi" mode)')
     }
   }, async (params) => {
@@ -49858,8 +49867,8 @@ WARNING: ${res.err}`);
   server.registerTool("preview_margin", {
     description: "Preview the effect of adding or removing margin (collateral) on a position. Shows new leverage, new liquidation price, and max adjustable amount. Use this before calling add_collateral or remove_collateral. No transaction is built.",
     inputSchema: {
-      position_key: exports_external.string().describe("Position account pubkey"),
-      margin_delta_usd: exports_external.string().describe("Amount in USD to add or remove"),
+      position_key: exports_external.string().regex(/^[1-9A-HJ-NP-Za-km-z]{32,44}$/).describe("Position account pubkey"),
+      margin_delta_usd: exports_external.string().max(32).describe("Amount in USD to add or remove"),
       action: exports_external.enum(["ADD", "REMOVE"]).describe("ADD to reduce leverage, REMOVE to increase leverage")
     }
   }, async (params) => {
@@ -56796,15 +56805,19 @@ var $VersionedTransaction = VersionedTransaction;
 
 // src/tools/sign-and-send.ts
 import fs from "node:fs";
+
+// src/sanitize.ts
 function sanitizeError(e) {
   const msg = e instanceof Error ? e.message : String(e);
-  return msg.replace(/\[[\d,\s]{20,}\]/g, "[REDACTED]").replace(/[0-9a-fA-F]{40,}/g, "[REDACTED]").replace(/[123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz]{40,}/g, "[REDACTED]");
+  return msg.replace(/\[[\d,\s]{20,}\]/g, "[REDACTED]").replace(/[0-9a-fA-F]{40,}/g, "[REDACTED]").replace(/[123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz]{40,}/g, "[REDACTED]").replace(/[A-Za-z0-9+/]{40,}={0,2}/g, "[REDACTED]");
 }
+
+// src/tools/sign-and-send.ts
 function registerSignAndSendTool(server) {
   server.registerTool("sign_and_send", {
     description: "Sign and submit a base64-encoded unsigned Solana transaction using the locally configured keypair. " + "Call this AFTER a transaction tool (open_position, close_position, add_collateral, remove_collateral, reverse_position) " + "returns a transactionBase64 string AND the user has reviewed and approved the preview. " + "The keypair is read from KEYPAIR_PATH (default: ~/.config/solana/id.json). " + "Returns the confirmed transaction signature and a Solscan link. " + "IMPORTANT: Always show the transaction preview to the user and get their approval BEFORE calling this tool. " + "This tool signs with the local keypair and submits to Solana mainnet — the action is IRREVERSIBLE. " + "NOTE: This tool never exposes private key material in its output.",
     inputSchema: {
-      transaction_base64: exports_external.string().describe("The base64-encoded unsigned transaction returned by a transaction tool")
+      transaction_base64: exports_external.string().max(1e4).describe("The base64-encoded unsigned transaction returned by a transaction tool")
     }
   }, async (params) => {
     const rpcUrl = process.env.SOLANA_RPC_URL ?? "https://api.mainnet-beta.solana.com";
@@ -56960,11 +56973,11 @@ function registerResources(server, client) {
 
 // src/index.ts
 process.on("uncaughtException", (err) => {
-  console.error("[flash-trade-mcp] Uncaught exception:", err);
+  console.error("[flash-trade-mcp] Uncaught exception:", sanitizeError(err));
   process.exit(1);
 });
 process.on("unhandledRejection", (reason) => {
-  console.error("[flash-trade-mcp] Unhandled rejection:", reason);
+  console.error("[flash-trade-mcp] Unhandled rejection:", sanitizeError(reason));
   process.exit(1);
 });
 try {
@@ -56972,7 +56985,7 @@ try {
   const client = new FlashApiClient(config2);
   const server = new McpServer({
     name: "flash-trade",
-    version: "0.2.2"
+    version: "0.3.1"
   }, {
     capabilities: {
       tools: {},
@@ -56986,6 +56999,6 @@ try {
   const transport = new StdioServerTransport;
   await server.connect(transport);
 } catch (err) {
-  console.error("[flash-trade-mcp] Fatal startup error:", err);
+  console.error("[flash-trade-mcp] Fatal startup error:", sanitizeError(err));
   process.exit(1);
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "flash-trade-mcp",
-  "version": "0.3.0",
+  "version": "0.3.1",
   "description": "MCP server for Flash Trade — perpetual futures DEX on Solana. Provides AI agents with typed tools for trading, position management, and market data.",
   "module": "src/index.ts",
   "main": "dist/index.js",