4c34abcd55
- /positions/hl/{wallet} was unauthenticated — knowing a wallet address alone
exposed that wallet's live Hyperliquid positions + already_adopted status.
Its docstring claimed "same trust model as /positions/open", but that route
IS signed. Now requires the same view signature (view_positions/view_user,
allow_replay). The Telegram /adopt path calls list_hl_positions() directly,
so it's unaffected.
- HL API key masked hint was inconsistent: set_hl_api_key returns the real
key's last 6 chars ("...abc123"), but get_user returned 6 chars of
sha256(encrypted_blob) — a different string. After a reload the suffix
changed, making users think their key was altered. get_user now decrypts
only to take the real last 6 chars (matching save), with a neutral
"…(set)" fallback if decryption fails.
72 tests pass.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>