Changelog

Platform updates, improvements, and release notes. Most recent first.

2026-03-30 — Identity Security + Infra Hardening + Test Infrastructure

Security fixes, infrastructure stabilisation, and major test coverage improvements.

Identity security (9 fixes):

Nonce plaintext log removed from auth.service — eliminated complete auth-bypass exposure
SIWE domain validation is now server-authoritative (client-supplied domain no longer trusted)
tokenHash comparison uses crypto.timingSafeEqual (was ===)
HS256 fallback gated behind ALLOW_HS256_VERIFY_MIGRATION flag; ES256 enforced by default
publicId duplicate now returns 409 instead of leaking an E11000 Mongo error
JWT audience pinned in verifyAccessToken; iat freshness window enforced (10 min)
getClientIp replaced with req.ip (trust proxy respected)
WalletAccount unique index enforced; refresh throttle and JWT jti rate limit added
227 identity tests across 11 files covering controllers, adapters, JWKS, and SSE

Infrastructure (6 fixes):

.env.vercel-check untracked and gitignored — live secrets removed from repository
NODE_OPTIONS memory reduced from 3072 MB to 768 MB to prevent frontend OOM in 1 GB containers
Frontend container port bind restricted; HEALTHCHECK directive added to Dockerfile
Base image pinned from rolling trixie-slim to bookworm-slim; rust:latest → 1.92-bookworm in CI
timeout-minutes added to all 25 CI jobs; chaos MONGODB_URI variable expansion fixed
.dockerignore extended to exclude .env* patterns

Test infrastructure:

Proto CI drift gate added (scripts/ci/check-proto-drift.sh) — silent proto drift is now a build failure
4 NestJS E2E suites added: auth, guard chain, MCP, and agent onboarding (53 tests)
15 false-positive tests replaced with real assertions; 7 guard tests migrated to Reflect.getMetadata
gRPC field-mapping + callback contract tests (92 cases, 15 RPCs)
49 Rust integration tests across 4 crates
Test score improved from 5/10 to 8.5/10

Six sprint cycles closed all 25 BLOCKERs, 5 API mismatches, and major warnings found in the studio audit.

Studio audit (6 sprints, 43 commits):

Sprint 1–2 (P0/P1): XSS fix, auth unified, 27-endpoint IDOR sweep, config IDOR, widget ownership, botId hijack, route collision, domain verify
Sprint 3–4 (P2/P3): Cascade delete across 14 collections, soft-delete wiring, bot count filter, LLM model fallback, context window catalog lookup, RAG similarity threshold, LRU cache replacing unbounded Map
Sprint 5 (API): 5 API field mismatches fixed (knowledge, trading source, walletMode, chainId), 13 idempotency decorators, SKIP_CAPTCHA prod guard
Sprint 6 (cleanup): Moderation fail-open, max_tokens 256→1024, UsageTier and RateLimit tier schemas removed, fee constant extracted, showPoweredBy wired from config
Studio audit score: 8.5/10 (up from 4/10)

Monitoring sprint (7 commits, 57 findings resolved):

7 dead alert rules fixed; 1 low-value alert deleted
26 broken Grafana dashboard panels repaired
9 dead backend metrics wired to live code paths; 8 new backend metrics registered
4 dead trading metrics wired; 7 new trading metrics registered
Active orders gauge leak fixed

Follow-on hardening after the 2026-03-18 migration.

Fund safety (5 fixes):

Fee ledger write guaranteed after every swap (Solana and EVM)
partner_user_id and partner_wallet_address proto fields added to JupiterSwap and EvmSwap
Double-swap prevention: no retry when a transaction hash is already persisted; sweeper skips broadcast orders
Pre-trade disable flags now panic! in production (previously silent no-op)
1inch approval gap fixed — allowance check uses tx.to (not sender)

Architecture (6 fixes):

EVM transaction reconciliation added (alloy provider receipt check)
Reconciler fill data: completedAt and executionHistory populated on promotion
reconciledStatus field updated correctly (confirmed / failed_onchain / not_found)
Panic supervision: all 4 scheduler jobs wrapped in tokio::task::spawn supervisor
Dead RPC cleanup: 14 FAILED_PRECONDITION + 7 UNIMPLEMENTED → consistent Status::unimplemented
Dynamic Solana priority fee: P50 + 20% with 30 s cache, fallback to static env value

DCA and price monitoring:

Tests: 225 new Rust tests (112 execution-path + 113 zero-coverage crates); total 311 Rust tests.

Docs moved from a separate Docusaurus site into the main Balchemy frontend as integrated Next.js MDX pages.

34 documentation pages now live at /docs/* within the main app — same design system, same authentication context
Full-text search powered by Fuse.js with ⌘K keyboard shortcut
Tetsukon design system applied throughout: warm paper surfaces, Space Grotesk headings, JetBrains Mono code blocks, rehype-pretty-code syntax highlighting

The NestJS trading service was replaced with a purpose-built Rust gRPC engine.

Memory footprint reduced to 5.8 MB — 26x reduction from the NestJS predecessor
13 gRPC service implementations: trading, Solana executor, EVM executor, config, wallet, health, circuit breaker, external data, strategy, referral, buyback, blockchain, and research
Idempotency locks, retry logic (up to 3 attempts), and execution history are now managed by the Rust engine
TRADING_TRANSPORT environment variable enables zero-downtime rollback: set to grpc for the new engine, tcp to revert

A full platform audit followed by a five-phase improvement cycle covering 24 commits and over 12,000 lines changed.

6 critical and 14 warning findings resolved across security, performance, and correctness categories
UI overhaul across 5 pages: upgraded KPI typography, luxury spacing, helper panel with mascot, wallet modal z-index fix
Production hardening: Redis-backed rate limiting, 6 new Prometheus alert rules, CSP headers migration
SDK marked publish-ready with full exports, README, and CHANGELOG
40+ integration tests added covering fee calculation, circuit breaker, widget auth, and channel rules

FAQ