Fix critical security issues and implement core functionality improvements

Co-authored-by: 0xrinegade <[email protected]>

Author: Copilot

src/cli/utils/solana.ts

@@ -3,6 +3,7 @@
  */
 
 import { Connection, Keypair, LAMPORTS_PER_SOL, PublicKey, SystemProgram, Transaction } from '@solana/web3.js';
+import { createMemoInstruction } from '@solana/spl-memo';
 import bs58 from 'bs58';
 import { isTestMode } from './config';
 
@@ -98,9 +99,15 @@ export async function sendPayment(
 
     // Add memo if provided
     if (memo) {
-      // Note: This would require importing @solana/spl-memo
-      // For now, we'll skip the memo functionality
-      console.log(`Note: Memo "${memo}" would be added to transaction`);
+      // Truncate memo to 566 character limit for Solana
+      const truncatedMemo = memo.length > 566 ? memo.substring(0, 563) + '...' : memo;
+      const memoInstruction = createMemoInstruction(truncatedMemo, [fromKeypair.publicKey]);
+      transaction.add(memoInstruction);
+      console.log(`✓ Added memo to transaction: "${truncatedMemo}"`);
+      
+      if (memo.length > 566) {
+        console.warn(`⚠ Memo was truncated from ${memo.length} to 566 characters due to Solana limit`);
+      }
     }
 
     // Get recent blockhash

src/core/metadata.ts

@@ -189,7 +189,7 @@ export function createNetworkMemoInstruction(
 }
 
 /**
- * Optimize memo content for size and readability
+ * Optimize memo content for size and readability with improved heuristics
  * 
  * @param metadata The metadata to optimize
  * @returns Optimized metadata that fits within limits
@@ -200,6 +200,7 @@ export function optimizeMemoContent(metadata: {
   memo?: string;
 }): { label?: string; message?: string; memo?: string } {
   const maxLength = 566; // Solana memo limit
+  let wasOptimized = false;
 
   // Calculate current length
   const memoParts: string[] = [];
@@ -213,24 +214,83 @@ export function optimizeMemoContent(metadata: {
     return metadata; // No optimization needed
   }
 
-  // Optimize by truncating in order of priority: memo > message > label
+  console.warn(`⚠ Memo content exceeds ${maxLength} character limit (current: ${currentLength} chars)`);
+  console.warn('   Applying intelligent truncation to fit within Solana memo constraints...');
+  
+  // Prioritize message over label, and preserve custom memo content when possible
   const optimized = { ...metadata };
-  const overhead = ' | '.length * (memoParts.length - 1);
-  let availableLength = maxLength - overhead;
+  const separator = ' | ';
+  const separatorOverhead = separator.length * (memoParts.length - 1);
+  let availableLength = maxLength - separatorOverhead;
+  
+  // Strategy: Allocate space dynamically based on content priority and length
+  // Priority: 1) Custom memo (most important), 2) Message (context), 3) Label (identification)
+  
+  // Reserve space for custom memo first (it's usually the most important)
+  let memoSpace = 0;
+  if (optimized.memo) {
+    memoSpace = Math.min(optimized.memo.length, Math.floor(availableLength * 0.6)); // 60% for memo
+    availableLength -= memoSpace;
+  }
+  
+  // Allocate remaining space between label and message (favor message for context)
+  const remainingSpace = availableLength;
+  const messageSpace = Math.min(
+    optimized.message ? optimized.message.length : 0,
+    Math.floor(remainingSpace * 0.7) // 70% of remaining for message
+  );
+  const labelSpace = remainingSpace - messageSpace;
+  
+  // Apply truncation with ellipsis
+  if (optimized.label && `Label: ${optimized.label}`.length > labelSpace) {
+    const availableForLabel = Math.max(0, labelSpace - 10); // Reserve space for "Label: ..."
+    if (availableForLabel > 3) { // Only truncate if we have meaningful space
+      optimized.label = optimized.label.substring(0, availableForLabel - 3) + '...';
+      wasOptimized = true;
+    } else {
+      // If no meaningful space, remove label entirely
+      optimized.label = undefined;
+      wasOptimized = true;
+      console.warn('   ⚠ Label removed due to space constraints');
+    }
+  }
 
-  // Allocate space: label (50), message (150), memo (rest)
-  if (optimized.label && optimized.label.length > 50) {
-    optimized.label = optimized.label.substring(0, 47) + '...';
+  if (optimized.message && `Message: ${optimized.message}`.length > messageSpace) {
+    const availableForMessage = Math.max(0, messageSpace - 12); // Reserve space for "Message: ..."
+    if (availableForMessage > 3) {
+      optimized.message = optimized.message.substring(0, availableForMessage - 3) + '...';
+      wasOptimized = true;
+    } else {
+      optimized.message = undefined;
+      wasOptimized = true;
+      console.warn('   ⚠ Message removed due to space constraints');
+    }
   }
-  availableLength -= optimized.label ? `Label: ${optimized.label}`.length : 0;
 
-  if (optimized.message && optimized.message.length > 150) {
-    optimized.message = optimized.message.substring(0, 147) + '...';
+  if (optimized.memo && optimized.memo.length > memoSpace) {
+    if (memoSpace > 3) {
+      optimized.memo = optimized.memo.substring(0, memoSpace - 3) + '...';
+      wasOptimized = true;
+    } else {
+      optimized.memo = undefined;
+      wasOptimized = true;
+      console.warn('   ⚠ Custom memo removed due to space constraints');
+    }
   }
-  availableLength -= optimized.message ? `Message: ${optimized.message}`.length : 0;
 
-  if (optimized.memo && optimized.memo.length > availableLength) {
-    optimized.memo = optimized.memo.substring(0, availableLength - 3) + '...';
+  // Final verification
+  const finalParts: string[] = [];
+  if (optimized.label) finalParts.push(`Label: ${optimized.label}`);
+  if (optimized.message) finalParts.push(`Message: ${optimized.message}`);
+  if (optimized.memo) finalParts.push(optimized.memo);
+  
+  const finalLength = finalParts.join(' | ').length;
+  
+  if (wasOptimized) {
+    console.warn(`   ✓ Memo optimized: ${currentLength} → ${finalLength} characters`);
+    if (finalLength > maxLength) {
+      console.error(`   ❌ ERROR: Optimization failed, still exceeds limit (${finalLength}/${maxLength})`);
+    }
   }
 
   return optimized;

src/core/transaction-handler.ts

@@ -18,13 +18,51 @@ interface PaymentStore {
   delete(id: string): Promise<boolean>;
 }
 
+/**
+ * Simple async mutex implementation for concurrency safety
+ */
+class AsyncMutex {
+  private locked = false;
+  private waitQueue: Array<() => void> = [];
+  
+  async acquire(): Promise<void> {
+    return new Promise<void>((resolve) => {
+      if (!this.locked) {
+        this.locked = true;
+        resolve();
+      } else {
+        this.waitQueue.push(resolve);
+      }
+    });
+  }
+  
+  release(): void {
+    if (this.waitQueue.length > 0) {
+      const next = this.waitQueue.shift();
+      if (next) next();
+    } else {
+      this.locked = false;
+    }
+  }
+  
+  async withLock<T>(fn: () => Promise<T>): Promise<T> {
+    await this.acquire();
+    try {
+      return await fn();
+    } finally {
+      this.release();
+    }
+  }
+}
+
 /**
  * In-memory payment store implementation
  * 
  * ⚠️  CONCURRENCY & SCALING LIMITATIONS:
- * This in-memory store is NOT suitable for production use beyond demos due to:
+ * This in-memory store includes basic concurrency safety via async mutex but is still
+ * NOT suitable for production use beyond demos due to:
  * 
- * 1. NO CONCURRENCY SAFETY: Multiple concurrent operations can cause data corruption
+ * 1. LIMITED CONCURRENCY: Basic mutex prevents corruption but reduces throughput
  * 2. NO PERSISTENCE: Data is lost when the process restarts
  * 3. NO SCALING: Limited by single-process memory constraints
  * 4. NO DISTRIBUTION: Cannot share data across multiple instances
@@ -37,43 +75,31 @@ interface PaymentStore {
  */
 class MemoryPaymentStore implements PaymentStore {
   private payments = new Map<string, PaymentRecord>();
-  
-  // Track concurrent operations to warn about potential issues
-  private activeOperations = 0;
+  private mutex = new AsyncMutex();
 
   async save(record: PaymentRecord): Promise<void> {
-    this.activeOperations++;
-    if (this.activeOperations > 1) {
-      console.warn('⚠️  CONCURRENCY WARNING: Multiple concurrent operations detected in MemoryPaymentStore');
-      console.warn('   This can lead to data corruption. Consider upgrading to a database-backed store.');
-    }
-    
-    try {
+    await this.mutex.withLock(async () => {
       this.payments.set(record.id, { ...record });
-    } finally {
-      this.activeOperations--;
-    }
+    });
   }
 
   async load(id: string): Promise<PaymentRecord | null> {
-    const record = this.payments.get(id);
-    return record ? { ...record } : null;
+    return this.mutex.withLock(async () => {
+      const record = this.payments.get(id);
+      return record ? { ...record } : null;
+    });
   }
 
   async loadByType(type: RequestType): Promise<PaymentRecord[]> {
-    return Array.from(this.payments.values())
-      .filter(record => record.request.type === type)
-      .map(record => ({ ...record }));
+    return this.mutex.withLock(async () => {
+      return Array.from(this.payments.values())
+        .filter(record => record.request.type === type)
+        .map(record => ({ ...record }));
+    });
   }
 
   async update(id: string, updates: Partial<PaymentRecord>): Promise<PaymentRecord> {
-    this.activeOperations++;
-    if (this.activeOperations > 1) {
-      console.warn('⚠️  CONCURRENCY WARNING: Multiple concurrent operations detected in MemoryPaymentStore');
-      console.warn('   This can lead to race conditions. Consider upgrading to a database with transactions.');
-    }
-    
-    try {
+    return this.mutex.withLock(async () => {
       const existing = this.payments.get(id);
       if (!existing) {
         throw new Error(`Payment record not found: ${id}`);
@@ -87,55 +113,106 @@ class MemoryPaymentStore implements PaymentStore {
 
       this.payments.set(id, updated);
       return { ...updated };
-    } finally {
-      this.activeOperations--;
-    }
+    });
   }
 
   async delete(id: string): Promise<boolean> {
-    return this.payments.delete(id);
+    return this.mutex.withLock(async () => {
+      return this.payments.delete(id);
+    });
   }
 }
 
 /**
  * Payment ID parser for extracting type and network information
  */
 class PaymentIdParser {
+  // Regex pattern for valid payment ID format
+  private static readonly ID_PATTERN = /^([a-zA-Z]+)_([a-zA-Z0-9]+)_(\d+)_([a-zA-Z0-9]+)$/;
+  
   /**
-   * Parse payment ID to extract metadata
+   * Parse payment ID to extract metadata with robust validation
    */
   static parse(paymentId: string): {
     id: string;
     type?: RequestType;
     network?: SVMNetwork;
     timestamp?: number;
   } {
-    // Expected format: {type}_{network}_{timestamp}_{random}
-    const parts = paymentId.split('_');
+    if (!paymentId || typeof paymentId !== 'string') {
+      throw new Error('Invalid payment ID: must be a non-empty string');
+    }
 
-    if (parts.length >= 4) {
-      const [typeStr, networkStr, timestampStr] = parts;
+    // Test against expected format: {type}_{network}_{timestamp}_{random}
+    const match = this.ID_PATTERN.exec(paymentId);
+    
+    if (match) {
+      const [, typeStr, networkStr, timestampStr] = match;
+      
+      // Validate type
+      const type = typeStr.toUpperCase() as RequestType;
+      if (!Object.values(RequestType).includes(type)) {
+        console.warn(`Warning: Unknown request type '${typeStr}' in payment ID ${paymentId}`);
+      }
+      
+      // Validate network
+      const network = networkStr.toUpperCase() as SVMNetwork;
+      if (!Object.values(SVMNetwork).includes(network)) {
+        console.warn(`Warning: Unknown network '${networkStr}' in payment ID ${paymentId}`);
+      }
+      
+      // Validate timestamp
+      const timestamp = parseInt(timestampStr, 10);
+      if (isNaN(timestamp) || timestamp <= 0) {
+        throw new Error(`Invalid timestamp in payment ID: ${paymentId}`);
+      }
 
       return {
         id: paymentId,
-        type: typeStr.toUpperCase() as RequestType,
-        network: networkStr.toUpperCase() as SVMNetwork,
-        timestamp: parseInt(timestampStr, 10)
+        type,
+        network,
+        timestamp
       };
     }
 
+    // Log warning for malformed IDs but don't throw to maintain backward compatibility
+    console.warn(`Warning: Payment ID '${paymentId}' does not match expected format. Using as simple ID.`);
+    console.warn('Expected format: {type}_{network}_{timestamp}_{random}');
+    
     // Fallback for simple IDs
     return { id: paymentId };
   }
 
   /**
-   * Generate a structured payment ID
+   * Generate a structured payment ID with validation
    */
   static generate(type: RequestType, network: SVMNetwork): string {
+    if (!type || !network) {
+      throw new Error('Type and network are required to generate payment ID');
+    }
+    
+    if (!Object.values(RequestType).includes(type)) {
+      throw new Error(`Invalid request type: ${type}`);
+    }
+    
+    if (!Object.values(SVMNetwork).includes(network)) {
+      throw new Error(`Invalid network: ${network}`);
+    }
+    
     const timestamp = Date.now();
     const random = Math.random().toString(36).substring(2, 8);
     return `${type.toLowerCase()}_${network.toLowerCase()}_${timestamp}_${random}`;
   }
+  
+  /**
+   * Validate payment ID format without parsing
+   */
+  static isValid(paymentId: string): boolean {
+    if (!paymentId || typeof paymentId !== 'string') {
+      return false;
+    }
+    return this.ID_PATTERN.test(paymentId);
+  }
 }
 
 /**