
Mainnet Readiness: API Audit Summary — 30 open PRs to review #176

@0x-SquidSol


Summary

Over the past 4 audit passes, we identified and submitted fixes for every confirmed bug found in the API codebase. All PRs have passing tests (189/189) and are ready for review.

PRs to Close (2)

| PR | Reason |
|---|---|
| #159 | Redundant — SDK migrated to @percolatorct/sdk on npm; this synced the old GitHub-pinned lockfile |
| #153 | Superseded by #154 (timeout + fallback is a superset of timeout-only) |

PRs to Merge — Priority Order

Tier 1: Critical for Mainnet (merge first)

| PR | Fix | Risk if unmerged |
|---|---|---|
| #169 | Copy openapi.yaml into Docker image | /docs returns 500 in production — guaranteed |
| #154 | RPC fallback + timeout for on-chain reads | fetchSlab/getSlot hang indefinitely if RPC is slow |
| #147 | Validate API_AUTH_KEY at startup in production | Misconfigured auth key not caught until first request |
| #146 | Clean up eventBus listeners on shutdown/re-entry | Listener leak on hot reload or shutdown race |
| #149 | Wrap all WS sends in safeSend() | Uncaught throws on closed WebSocket connections |
| #164 | DB stale-cache fallback for /stats, /prices, /crank | 4 dashboard endpoints return hard 500 during DB outage |
| #174 | NODE_ENV validation: process.exit, not throw | Uncaught throw on invalid NODE_ENV confuses operators |

Tier 2: High Priority (security, consistency, observability)

| PR | Fix |
|---|---|
| #165 | Request ID tracking (X-Request-Id header + Sentry tag) |
| #162 | Log auth failures in requireApiKey middleware |
| #161 | Normalize netLpPosition → netLpPos field name |
| #167 | Align price validation ceiling ($1B in both endpoints) |
| #166 | Add blocklist filter to /prices/markets |
| #168 | WS token NaN timestamp guard |
| #163 | WS legacy subscribe reports actual subscribed channels |
| #160 | Rename SOLANA_RPC_URL → RPC_URL in .env.example |
| #175 | Truncate error details in non-production responses |

Tier 3: Spec & Documentation (audit compliance)

| PR | Fix |
|---|---|
| #155 | Add 3 missing endpoints to OpenAPI spec |
| #156 | Document /ws/stats API key requirement in spec |
| #157 | Add ws field to HealthResponse in spec |
| #158 | Fix funding history limit (1000 → 500) in spec |
| #170 | Fix README endpoint table (remove non-existent /v1/ prefix) |
| #173 | Add missing columns to stats endpoints per OpenAPI schema |

Tier 4: Hardening & Optimization

| PR | Fix |
|---|---|
| #142 | IP blocklist: normalize and validate exact-IP entries |
| #143 | Oracle router: stale-cache fallback on upstream failure |
| #144 | Oracle router: coalesce concurrent requests (dedup) |
| #145 | DB cache fallback: honest discriminated return types |
| #148 | WS: bound subscribe handler's initial-price query |
| #150 | Rate limit: prefer evicting expired buckets over FIFO |
| #151 | ADL: promote cached entries on hit (LRU, not FIFO) |
| #152 | Price value sanitization for oracle_prices and markets_with_stats |
| #171 | OI history ascending order for charts |
| #172 | Validate BLOCKED_MARKET_ADDRESSES entries as base58 |

Remaining Task (Not a PR)

Upgrade SDK from @percolatorct/sdk@1.0.0-beta.13 to latest beta — the API is 10 versions behind the keeper and indexer. This should happen after the SDK repo stabilizes its open PRs.

Audit Methodology

  • 4 passes with 10 specialized agents per pass (40 unique audit roles)
  • Every finding triple-confirmed before implementation
  • Every fix verified by review agent after implementation
  • All PRs: tsc --noEmit clean + vitest run 189/189 passing
  • False positives documented and rejected (60+ findings rejected across 4 passes)

🤖 Generated with Claude Code
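The pattern behind #154 (timeout + fallback for on-chain reads) and the stale-cache fallbacks in #164/#143, shown as an added example that is not code from the issue or from the project. A read is bounded by a timer, retried against the next RPC endpoint, and, if every endpoint fails, answered from the last good value marked as stale rather than hanging or returning a 500. The endpoint URLs, the `SlotReader` shape and the fake reader are constructed for this illustration; a real implementation should also abort the underlying request (for example with an `AbortController`) when the timer fires, which this sketch does not do.

```typescript
// Added example (not the project's code): timeout-bounded on-chain read with
// endpoint fallback and a stale-cache last resort. Names are assumptions.

type SlotReader = (endpoint: string) => Promise<number>;

class RpcUnavailableError extends Error {}

/** Reject if `promise` has not settled within `ms` milliseconds. */
export function withTimeout<T>(promise: Promise<T>, ms: number, label: string): Promise<T> {
  return new Promise<T>((resolve, reject) => {
    const timer = setTimeout(
      () => reject(new RpcUnavailableError(`${label}: timed out after ${ms}ms`)),
      ms,
    );
    promise.then(
      (value) => { clearTimeout(timer); resolve(value); },
      (err) => { clearTimeout(timer); reject(err); },
    );
  });
}

export interface ReadResult {
  value: number;
  source: "live" | "stale";   // honest discriminator: callers can tell stale data apart
  endpoint?: string;
}

/**
 * Try each endpoint in order, each call bounded by `timeoutMs`. If all fail,
 * serve the last successful value as stale, or throw if none exists yet.
 * `cache` is per-reader state that survives across calls.
 */
export async function readWithFallback(
  endpoints: readonly string[],
  read: SlotReader,
  timeoutMs: number,
  cache: { last?: number },
): Promise<ReadResult> {
  const errors: string[] = [];
  for (const endpoint of endpoints) {
    try {
      const value = await withTimeout(read(endpoint), timeoutMs, endpoint);
      cache.last = value;
      return { value, source: "live", endpoint };
    } catch (err) {
      errors.push(`${endpoint}: ${(err as Error).message}`);
    }
  }
  if (cache.last !== undefined) {
    return { value: cache.last, source: "stale" };
  }
  throw new RpcUnavailableError(`all RPC endpoints failed: ${errors.join("; ")}`);
}

// Constructed fake: the primary never answers (a slow RPC), the fallback is fast.
export const PRIMARY = "https://primary.invalid";
export const FALLBACK = "https://fallback.invalid";

export const fakeRead: SlotReader = (endpoint) => {
  if (endpoint === FALLBACK) return Promise.resolve(123456789);
  return new Promise<number>(() => {}); // never settles, like a hung getSlot
};

/** First call: primary times out, fallback answers. Second call: only the hung
 *  endpoint is offered, so the cached value is served and flagged as stale. */
export async function demo(): Promise<[ReadResult, ReadResult]> {
  const cache: { last?: number } = {};
  const live = await readWithFallback([PRIMARY, FALLBACK], fakeRead, 50, cache);
  const stale = await readWithFallback([PRIMARY], fakeRead, 50, cache);
  return [live, stale];
}
```

The `source` discriminator is the point of #145: a handler can choose to add a `Warning` header or a lower cache TTL for stale data instead of silently presenting it as fresh.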

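The eviction point made by #150 (prefer evicting expired rate-limit buckets over FIFO), as an added example that is not the project's code. With a bounded bucket table, plain FIFO eviction lets a burst of fresh client keys push an active, already-limited client's bucket out, which resets its counter. Reclaiming expired buckets first keeps the active client's count intact. The limit, window, cap and the injected clock are assumptions for this illustration.

```typescript
// Added example (not the project's code): fixed-window rate limiter with a
// bounded bucket table; expired buckets are reclaimed before any live bucket
// is evicted in FIFO order. Parameters and the clock are assumptions.

interface Bucket {
  count: number;
  windowStart: number;
}

export class BoundedRateLimiter {
  private readonly buckets = new Map<string, Bucket>(); // Map keeps insertion order
  private readonly limit: number;
  private readonly windowMs: number;
  private readonly maxBuckets: number;
  private readonly now: () => number;

  constructor(limit: number, windowMs: number, maxBuckets: number, now: () => number = () => Date.now()) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.maxBuckets = maxBuckets;
    this.now = now;
  }

  /** True if `key` may proceed in the current window, false if over the limit. */
  allow(key: string): boolean {
    const t = this.now();
    let b = this.buckets.get(key);
    if (b && t - b.windowStart >= this.windowMs) {
      b.count = 0;            // the window rolled over: start counting again
      b.windowStart = t;
    }
    if (!b) {
      if (this.buckets.size >= this.maxBuckets) this.makeRoom(t);
      b = { count: 0, windowStart: t };
      this.buckets.set(key, b);
    }
    b.count += 1;
    return b.count <= this.limit;
  }

  has(key: string): boolean { return this.buckets.has(key); }
  size(): number { return this.buckets.size; }

  /** Reclaim every expired bucket; only if none expired, evict the oldest live one. */
  private makeRoom(t: number): void {
    let reclaimed = 0;
    for (const [key, b] of this.buckets) {
      if (t - b.windowStart >= this.windowMs) {
        this.buckets.delete(key);   // deleting during Map iteration is safe
        reclaimed++;
      }
    }
    if (reclaimed === 0) {
      const oldest = this.buckets.keys().next().value;
      if (oldest !== undefined) this.buckets.delete(oldest);
    }
  }
}

/** Constructed scenario: 2 requests per 1000 ms, table capped at 2 buckets. */
export function scenario(): { attackerKept: boolean; visitorReclaimed: boolean; attackerBlocked: boolean } {
  let clock = 0;
  const rl = new BoundedRateLimiter(2, 1000, 2, () => clock);
  rl.allow("attacker"); rl.allow("attacker");   // t=0: attacker at its limit
  clock = 100; rl.allow("visitor");             // t=100: second (newer) bucket
  clock = 1000; rl.allow("attacker");           // attacker's window rolls, count=1
  clock = 1100; rl.allow("attacker");           // count=2; visitor's window is now expired
  rl.allow("newcomer");                          // table full: FIFO would evict "attacker"
  const attackerKept = rl.has("attacker");
  const visitorReclaimed = !rl.has("visitor");
  const attackerBlocked = rl.allow("attacker") === false;   // count=3 > limit
  return { attackerKept, visitorReclaimed, attackerBlocked };
}
```

Under FIFO the `newcomer` insert would have dropped `attacker` (the oldest key), and the next `attacker` request would have been allowed with a fresh counter.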
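Startup validation of the environment entries touched by #147, #174, #142 and #172, as an added example that is not the project's code: BLOCKED_MARKET_ADDRESSES entries must be base58 strings that decode to 32 bytes, IP blocklist entries must be exact (no CIDR) and normalized, and API_AUTH_KEY must be present in production. All problems are collected and reported in one pass, and the caller exits with a non-zero code instead of throwing. The variable name `IP_BLOCKLIST`, the sample environment and the base58 decoder are assumptions made for this illustration.

```typescript
// Added example (not the project's code): collect-all-errors config validation
// with base58 and exact-IP checks. IP_BLOCKLIST and the sample env are assumptions.
import { isIP } from "node:net";

const BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";

/** Decode base58 (Bitcoin/Solana alphabet); null if any character is invalid. */
export function base58Decode(s: string): Uint8Array | null {
  const digits: number[] = [];               // little-endian base-256 digits
  for (const ch of s) {
    let carry = BASE58.indexOf(ch);
    if (carry < 0) return null;              // '0', 'O', 'I', 'l' and symbols rejected here
    for (let i = 0; i < digits.length; i++) {
      carry += (digits[i] ?? 0) * 58;
      digits[i] = carry & 0xff;
      carry >>= 8;
    }
    while (carry > 0) { digits.push(carry & 0xff); carry >>= 8; }
  }
  let leadingZeros = 0;                      // each leading '1' is a 0x00 byte
  for (const ch of s) { if (ch === "1") leadingZeros++; else break; }
  const out = new Uint8Array(leadingZeros + digits.length);
  for (let i = 0; i < digits.length; i++) out[leadingZeros + i] = digits[digits.length - 1 - i] ?? 0;
  return out;
}

/** A Solana public key is base58 text that decodes to exactly 32 bytes. */
export function isSolanaPubkey(s: string): boolean {
  const bytes = base58Decode(s);
  return bytes !== null && bytes.length === 32;
}

/** Exact IP only: trimmed, IPv6 lower-cased; CIDR ranges and garbage rejected. */
export function normalizeIp(entry: string): string | null {
  const v = entry.trim();
  const family = isIP(v);                    // 0 = not an IP, 4 or 6 otherwise
  if (family === 0) return null;
  return family === 6 ? v.toLowerCase() : v;
}

function splitList(raw: string | undefined): string[] {
  return (raw ?? "").split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

export interface ValidatedConfig { blockedMarkets: string[]; blockedIps: string[]; errors: string[]; }

export function validateConfig(env: Record<string, string | undefined>): ValidatedConfig {
  const errors: string[] = [];
  const blockedMarkets: string[] = [];
  for (const m of splitList(env["BLOCKED_MARKET_ADDRESSES"])) {
    if (isSolanaPubkey(m)) blockedMarkets.push(m);
    else errors.push(`BLOCKED_MARKET_ADDRESSES: "${m}" is not a 32-byte base58 key`);
  }
  const blockedIps: string[] = [];
  for (const ip of splitList(env["IP_BLOCKLIST"])) {
    const n = normalizeIp(ip);
    if (n !== null) blockedIps.push(n);
    else errors.push(`IP_BLOCKLIST: "${ip}" is not an exact IPv4/IPv6 address`);
  }
  if (env["NODE_ENV"] === "production" && !env["API_AUTH_KEY"]) {
    errors.push("API_AUTH_KEY must be set when NODE_ENV=production");
  }
  return { blockedMarkets, blockedIps, errors };
}

/** Print every problem, then exit(1): an uncaught throw at startup gives operators a stack trace instead of a list. */
export function loadConfigOrExit(
  env: Record<string, string | undefined>,
  exit: (code: number) => never = (c) => process.exit(c),
): ValidatedConfig {
  const cfg = validateConfig(env);
  if (cfg.errors.length > 0) {
    for (const e of cfg.errors) console.error(`config error: ${e}`);
    exit(1);
  }
  return cfg;
}

// Constructed sample environment: one valid market (the all-zero key), two bad
// ones, two good IPs, a CIDR range, a bogus address, and no auth key in production.
export const SAMPLE_ENV: Record<string, string | undefined> = {
  NODE_ENV: "production",
  API_AUTH_KEY: undefined,
  BLOCKED_MARKET_ADDRESSES: "11111111111111111111111111111111, 0OIl-not-base58, abc",
  IP_BLOCKLIST: "10.0.0.1, 2001:DB8::1 , 10.0.0.0/8, 999.1.1.1",
};
```

Validating at boot rather than on first request (the point of #147) means a bad deploy fails the health check immediately instead of after the first authenticated call, and the base58 check rejects look-alike characters that a naive length check would accept.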