k 4c34abcd55 fix: sign /positions/hl reads, make HL key mask consistent across save/reload
- /positions/hl/{wallet} was unauthenticated — knowing a wallet address alone
  exposed that wallet's live Hyperliquid positions + already_adopted status.
  Its docstring claimed "same trust model as /positions/open", but that route
  IS signed. Now requires the same view signature (view_positions/view_user,
  allow_replay). The Telegram /adopt path calls list_hl_positions() directly,
  so it's unaffected.

- HL API key masked hint was inconsistent: set_hl_api_key returns the real
  key's last 6 chars ("...abc123"), but get_user returned 6 chars of
  sha256(encrypted_blob) — a different string. After a reload the suffix
  changed, making users think their key was altered. get_user now decrypts
  only to take the real last 6 chars (matching save), with a neutral
  "…(set)" fallback if decryption fails.

72 tests pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-29 14:59:24 +08:00
2026-04-20 23:05:59 +08:00
2026-04-20 23:05:59 +08:00
2026-04-21 19:33:24 +08:00
2026-04-21 19:33:24 +08:00

  1. 填 backend .env(生产值):

POSTGRES_PASSWORD=强密码 FRONTEND_URL=https://你的前端域名 ENCRYPTION_KEY=之前生成的那个 AI_API_KEY=sk-... ENVIRONMENT=production 2. 改前端 .env.local

NEXT_PUBLIC_API_URL=https://api.你的域名.com NEXT_PUBLIC_WS_URL=wss://api.你的域名.com 启动:

cd backend docker compose up -d

S
Description
No description provided
Readme 718 KiB
Languages
Python 99.6%
Shell 0.3%
Dockerfile 0.1%