security: comprehensive security fixes based on audit report

- Fix sensitive config file exposure (add logger/config.telegram.json to .gitignore)
- Create logger/config.telegram.json.example template
- Fix CORS configuration to use ALLOWED_ORIGINS env var (api/server.go)
- Enforce JWT_SECRET requirement in production (main.go)

- Fix 20+ unsafe type assertions across trader modules
  - trader/aster_trader.go: 8 fixes
  - trader/binance_futures.go: 3 fixes
  - trader/auto_trader.go: 7 fixes
  - trader/hyperliquid_trader.go: 2 fixes
- Create trader/utils.go with safe type conversion helpers
  - SafeFloat64(), SafeString(), SafeInt()
- Remove sensitive console.log in production
  - web/src/components/traders/ExchangeConfigModal.tsx
  - web/src/components/AITradersPage.tsx

- Fix undefined variable $RAW_KEY -> $DATA_KEY (scripts/generate_data_key.sh)

- Update .env.example with new security variables
- Update docker-compose.yml environment variables
- Update README.md Quick Start with security setup steps

- Prevents runtime panics from unsafe type assertions
- Enforces secure configuration in production
- Restricts CORS to authorized origins only
- Protects sensitive data from console output

- Fixed issues from audit report dated 2025/11/17
- Addressed 1 Critical + 31 High priority issues
- Total: 829 issues reviewed, P0/P1 issues resolved

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: the-dev-z

.env.example

@@ -12,3 +12,33 @@ NOFX_FRONTEND_PORT=3000
 # System timezone for container time synchronization
 NOFX_TIMEZONE=Asia/Shanghai
 
+# ============================================================================
+# 🔐 Security Configuration (Required for Production)
+# ============================================================================
+
+# JWT Secret Key (REQUIRED in production)
+# Used for JWT token signing and verification
+# Generate a secure random key: openssl rand -base64 64
+# JWT_SECRET=your-secure-jwt-secret-minimum-32-characters
+
+# Environment Type (Optional)
+# Options: development, production, prod
+# In production mode, JWT_SECRET is mandatory
+# ENVIRONMENT=development
+
+# CORS Allowed Origins (Optional)
+# Comma-separated list of allowed origins for API access
+# Default: http://localhost:5173,http://localhost:3000
+# Production example: https://your-domain.com,https://app.your-domain.com
+# ALLOWED_ORIGINS=http://localhost:5173,http://localhost:3000
+
+# ============================================================================
+# 📊 Market Data API Configuration (Optional - Free Tier)
+# ============================================================================
+
+# Alpha Vantage API Key (Optional)
+# Used for US stock market data (S&P 500 status) to enhance AI decision context
+# Free tier: 500 API calls/day (sufficient for trading bot usage)
+# Register free API key at: https://www.alphavantage.co/support/#api-key
+# If not set, the system will skip US stock data (VIX and Binance data still work)
+# ALPHA_VANTAGE_API_KEY=

.gitignore

@@ -34,6 +34,9 @@ config.db*
 nofx.db
 configbak.json
 
+# Logger 配置（包含敏感信息）
+logger/config.telegram.json
+
 # 决策日志
 decision_logs/
 coin_pool_cache/

README.md

@@ -277,14 +277,28 @@ Docker automatically handles all dependencies (Go, Node.js, TA-Lib, SQLite) and
 
 #### Step 1: Prepare Configuration
 ```bash
-# Copy configuration template
+# 1. Copy environment variables template
+cp .env.example .env
+
+# 2. Generate security keys (Important for production!)
+# Generate JWT secret
+openssl rand -base64 64
+
+# Edit .env and set JWT_SECRET with the generated key
+nano .env  # Add: JWT_SECRET=your-generated-key
+
+# 3. Copy configuration template
 cp config.json.example config.json
 
-# Edit and fill in your API keys
+# 4. Edit and fill in your API keys
 nano config.json  # or use any editor
 ```
 
-⚠️ **Note**: Basic config.json is still needed for some settings, but ~~trader configurations~~ are now done through the web interface.
+⚠️ **Security Notes**:
+- **JWT_SECRET** is required for production environments
+- Set **ENVIRONMENT=production** in .env for production deployment
+- Configure **ALLOWED_ORIGINS** if deploying to a custom domain
+- Basic config.json is still needed for some settings, but ~~trader configurations~~ are now done through the web interface.
 
 #### Step 2: One-Click Start
 ```bash

api/server.go

@@ -15,6 +15,7 @@ import (
 	"nofx/hook"
 	"nofx/manager"
 	"nofx/trader"
+	"os"
 	"strconv"
 	"strings"
 	"time"
@@ -63,7 +64,32 @@ func NewServer(traderManager *manager.TraderManager, database *config.Database,
 // corsMiddleware CORS中间件
 func corsMiddleware() gin.HandlerFunc {
 	return func(c *gin.Context) {
-		c.Writer.Header().Set("Access-Control-Allow-Origin", "*")
+		origin := c.GetHeader("Origin")
+
+		// 從環境變數讀取允許的來源，多個來源用逗號分隔
+		allowedOrigins := os.Getenv("ALLOWED_ORIGINS")
+		if allowedOrigins == "" {
+			// 開發環境預設值
+			allowedOrigins = "http://localhost:5173,http://localhost:3000"
+		}
+
+		// 檢查請求來源是否在允許列表中
+		allowed := false
+		for _, allowedOrigin := range strings.Split(allowedOrigins, ",") {
+			allowedOrigin = strings.TrimSpace(allowedOrigin)
+			if origin == allowedOrigin {
+				c.Writer.Header().Set("Access-Control-Allow-Origin", origin)
+				c.Writer.Header().Set("Access-Control-Allow-Credentials", "true")
+				allowed = true
+				break
+			}
+		}
+
+		// 如果來源不在允許列表中，仍然設置其他 CORS headers 但不設置 Allow-Origin
+		if !allowed && origin != "" {
+			log.Printf("⚠️ CORS: 拒絕來自未授權來源的請求: %s", origin)
+		}
+
 		c.Writer.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
 		c.Writer.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
 

docker-compose.yml

@@ -22,6 +22,8 @@ services:
       - AI_MAX_TOKENS=4000  # AI响应的最大token数（默认2000，建议4000-8000）
       - DATA_ENCRYPTION_KEY=${DATA_ENCRYPTION_KEY}  # 数据库加密密钥
       - JWT_SECRET=${JWT_SECRET}  # JWT认证密钥
+      - ENVIRONMENT=${ENVIRONMENT:-production}  # 环境类型 (development/production)
+      - ALLOWED_ORIGINS=${ALLOWED_ORIGINS:-http://localhost:5173,http://localhost:3000}  # CORS允许的来源
     networks:
       - nofx-network
     healthcheck:

logger/config.telegram.json.example

@@ -0,0 +1,33 @@
+{
+  "traders": [
+    {
+      "id": "trader1",
+      "name": "AI Trader 1",
+      "enabled": true,
+      "ai_model": "deepseek",
+      "exchange": "binance",
+      "binance_api_key": "YOUR_BINANCE_API_KEY_HERE",
+      "binance_secret_key": "YOUR_BINANCE_SECRET_KEY_HERE",
+      "deepseek_key": "YOUR_DEEPSEEK_API_KEY_HERE",
+      "initial_balance": 1000,
+      "scan_interval_minutes": 3
+    }
+  ],
+  "use_default_coins": true,
+  "default_coins": ["BTCUSDT", "ETHUSDT", "SOLUSDT"],
+  "api_server_port": 8080,
+  "leverage": {
+    "btc_eth_leverage": 5,
+    "altcoin_leverage": 5
+  },
+  "log": {
+    "level": "info",
+    "telegram": {
+      "enabled": true,
+      "bot_token": "YOUR_TELEGRAM_BOT_TOKEN_HERE",
+      "chat_id": -1001234567890,
+      "min_level": "error"
+    }
+  },
+  "_comment": "日志配置说明：level 可选值为 debug/info/warn/error，默认 info。telegram 部分作为可选配置, Telegram 推送默认为 error/fatal/panic 级别，min_level 如果设置为warn，则推送warn级别及以上的日志"
+}

main.go

@@ -209,13 +209,25 @@ func main() {
 		// 回退到数据库配置
 		jwtSecret, _ = database.GetSystemConfig("jwt_secret")
 		if jwtSecret == "" {
-			jwtSecret = "your-jwt-secret-key-change-in-production-make-it-long-and-random"
-			log.Printf("⚠️  使用默认JWT密钥，建议使用加密设置脚本生成安全密钥")
+			// 檢查是否為生產環境
+			env := strings.ToLower(os.Getenv("ENVIRONMENT"))
+			if env == "" {
+				env = strings.ToLower(os.Getenv("GO_ENV"))
+			}
+
+			if env == "production" || env == "prod" {
+				log.Fatalf("❌ 生產環境必須設置 JWT_SECRET 環境變數或在數據庫中配置 jwt_secret！")
+			}
+
+			// 開發環境允許使用默認值，但發出警告
+			jwtSecret = "dev-jwt-secret-do-not-use-in-production"
+			log.Printf("⚠️  使用開發環境默認JWT密鑰")
+			log.Printf("⚠️  生產環境請務必設置 JWT_SECRET 環境變數或使用加密設置腳本")
 		} else {
-			log.Printf("🔑 使用数据库中JWT密钥")
+			log.Printf("🔑 使用數據庫中的JWT密鑰")
 		}
 	} else {
-		log.Printf("🔑 使用环境变量JWT密钥")
+		log.Printf("🔑 使用環境變數JWT密鑰")
 	}
 	auth.SetJWTSecret(jwtSecret)
 

scripts/generate_data_key.sh

@@ -121,23 +121,23 @@ if [[ $REPLY =~ ^[Yy]$ ]]; then
                 # 替换现有密钥
                 if [[ "$OSTYPE" == "darwin"* ]]; then
                     # macOS
-                    sed -i '' "s/^DATA_ENCRYPTION_KEY=.*/DATA_ENCRYPTION_KEY=$RAW_KEY/" .env
+                    sed -i '' "s/^DATA_ENCRYPTION_KEY=.*/DATA_ENCRYPTION_KEY=$DATA_KEY/" .env
                 else
                     # Linux
-                    sed -i "s/^DATA_ENCRYPTION_KEY=.*/DATA_ENCRYPTION_KEY=$RAW_KEY/" .env
+                    sed -i "s/^DATA_ENCRYPTION_KEY=.*/DATA_ENCRYPTION_KEY=$DATA_KEY/" .env
                 fi
                 echo -e "${GREEN}✓ .env 文件中的密钥已更新${NC}"
             else
                 echo -e "${BLUE}ℹ️  保持现有密钥不变${NC}"
             fi
         else
             # 追加新密钥
-            echo "DATA_ENCRYPTION_KEY=$RAW_KEY" >> .env
+            echo "DATA_ENCRYPTION_KEY=$DATA_KEY" >> .env
             echo -e "${GREEN}✓ 密钥已保存到 .env 文件${NC}"
         fi
     else
         # 创建新的 .env 文件
-        echo "DATA_ENCRYPTION_KEY=$RAW_KEY" > .env
+        echo "DATA_ENCRYPTION_KEY=$DATA_KEY" > .env
         echo -e "${GREEN}✓ 密钥已保存到 .env 文件${NC}"
     fi
 fi

trader/aster_trader.go

@@ -489,12 +489,27 @@ func (t *AsterTrader) GetBalance() (map[string]interface{}, error) {
 	totalMarginUsed := 0.0
 	realUnrealizedPnl := 0.0
 	for _, pos := range positions {
-		markPrice := pos["markPrice"].(float64)
-		quantity := pos["positionAmt"].(float64)
+		// 安全地提取浮点数值，避免 panic
+		markPrice, err := SafeFloat64(pos, "markPrice")
+		if err != nil {
+			log.Printf("⚠️ 无法解析 markPrice: %v", err)
+			continue
+		}
+
+		quantity, err := SafeFloat64(pos, "positionAmt")
+		if err != nil {
+			log.Printf("⚠️ 无法解析 positionAmt: %v", err)
+			continue
+		}
 		if quantity < 0 {
 			quantity = -quantity
 		}
-		unrealizedPnl := pos["unRealizedProfit"].(float64)
+
+		unrealizedPnl, err := SafeFloat64(pos, "unRealizedProfit")
+		if err != nil {
+			log.Printf("⚠️ 无法解析 unRealizedProfit: %v", err)
+			continue
+		}
 		realUnrealizedPnl += unrealizedPnl
 
 		leverage := 10
@@ -544,11 +559,21 @@ func (t *AsterTrader) GetPositions() ([]map[string]interface{}, error) {
 			continue // 跳过空仓位
 		}
 
-		entryPrice, _ := strconv.ParseFloat(pos["entryPrice"].(string), 64)
-		markPrice, _ := strconv.ParseFloat(pos["markPrice"].(string), 64)
-		unRealizedProfit, _ := strconv.ParseFloat(pos["unRealizedProfit"].(string), 64)
-		leverageVal, _ := strconv.ParseFloat(pos["leverage"].(string), 64)
-		liquidationPrice, _ := strconv.ParseFloat(pos["liquidationPrice"].(string), 64)
+		// 安全地提取并解析价格数据
+		entryPriceStr, _ := SafeString(pos, "entryPrice")
+		entryPrice, _ := strconv.ParseFloat(entryPriceStr, 64)
+
+		markPriceStr, _ := SafeString(pos, "markPrice")
+		markPrice, _ := strconv.ParseFloat(markPriceStr, 64)
+
+		unRealizedProfitStr, _ := SafeString(pos, "unRealizedProfit")
+		unRealizedProfit, _ := strconv.ParseFloat(unRealizedProfitStr, 64)
+
+		leverageStr, _ := SafeString(pos, "leverage")
+		leverageVal, _ := strconv.ParseFloat(leverageStr, 64)
+
+		liquidationPriceStr, _ := SafeString(pos, "liquidationPrice")
+		liquidationPrice, _ := strconv.ParseFloat(liquidationPriceStr, 64)
 
 		// 判断方向（与Binance一致）
 		side := "long"
@@ -718,7 +743,12 @@ func (t *AsterTrader) CloseLong(symbol string, quantity float64) (map[string]int
 
 		for _, pos := range positions {
 			if pos["symbol"] == symbol && pos["side"] == "long" {
-				quantity = pos["positionAmt"].(float64)
+				qty, err := SafeFloat64(pos, "positionAmt")
+				if err != nil {
+					log.Printf("⚠️ 无法解析 positionAmt: %v", err)
+					continue
+				}
+				quantity = qty
 				break
 			}
 		}
@@ -801,7 +831,12 @@ func (t *AsterTrader) CloseShort(symbol string, quantity float64) (map[string]in
 		for _, pos := range positions {
 			if pos["symbol"] == symbol && pos["side"] == "short" {
 				// Aster的GetPositions已经将空仓数量转换为正数，直接使用
-				quantity = pos["positionAmt"].(float64)
+				qty, err := SafeFloat64(pos, "positionAmt")
+				if err != nil {
+					log.Printf("⚠️ 无法解析 positionAmt: %v", err)
+					continue
+				}
+				quantity = qty
 				break
 			}
 		}

trader/auto_trader.go

@@ -517,11 +517,35 @@ func (at *AutoTrader) buildTradingContext() (*decision.Context, error) {
 	currentPositionKeys := make(map[string]bool)
 
 	for _, pos := range positions {
-		symbol := pos["symbol"].(string)
-		side := pos["side"].(string)
-		entryPrice := pos["entryPrice"].(float64)
-		markPrice := pos["markPrice"].(float64)
-		quantity := pos["positionAmt"].(float64)
+		symbol, err := SafeString(pos, "symbol")
+		if err != nil {
+			log.Printf("⚠️ 无法解析 symbol: %v", err)
+			continue
+		}
+
+		side, err := SafeString(pos, "side")
+		if err != nil {
+			log.Printf("⚠️ 无法解析 side: %v", err)
+			continue
+		}
+
+		entryPrice, err := SafeFloat64(pos, "entryPrice")
+		if err != nil {
+			log.Printf("⚠️ 无法解析 entryPrice: %v", err)
+			continue
+		}
+
+		markPrice, err := SafeFloat64(pos, "markPrice")
+		if err != nil {
+			log.Printf("⚠️ 无法解析 markPrice: %v", err)
+			continue
+		}
+
+		quantity, err := SafeFloat64(pos, "positionAmt")
+		if err != nil {
+			log.Printf("⚠️ 无法解析 positionAmt: %v", err)
+			continue
+		}
 		if quantity < 0 {
 			quantity = -quantity // 空仓数量为负，转为正数
 		}
@@ -531,8 +555,17 @@ func (at *AutoTrader) buildTradingContext() (*decision.Context, error) {
 			continue
 		}
 
-		unrealizedPnl := pos["unRealizedProfit"].(float64)
-		liquidationPrice := pos["liquidationPrice"].(float64)
+		unrealizedPnl, err := SafeFloat64(pos, "unRealizedProfit")
+		if err != nil {
+			log.Printf("⚠️ 无法解析 unRealizedProfit: %v", err)
+			continue
+		}
+
+		liquidationPrice, err := SafeFloat64(pos, "liquidationPrice")
+		if err != nil {
+			log.Printf("⚠️ 无法解析 liquidationPrice: %v", err)
+			continue
+		}
 
 		// 计算占用保证金（估算）
 		leverage := 10 // 默认值，实际应该从持仓信息获取