Getting ready to open the doors. Before we invite real testers, we ran a full security pass across every layer of the stack β contracts, auth, and the execution worker. Here's what we locked down.
π‘οΈ Security Pass β Contracts
The on-chain layer got the most attention. We closed several attack surfaces that wouldn't matter on testnet but would be critical with real money:
- Agent wallets can now only send funds to approved recipients β a compromised worker key can no longer drain any wallet
- Platform withdrawals always go to the designated treasury address β no arbitrary destination
- Minting InUSD tokens is now impossible until the treasury is properly configured β no unbacked token inflation
- Gas exhaustion attack on batch billing records is now bounded and blocked
π Security Pass β Auth & Worker
The worker and authentication layer got equally hardened:
- Credential setup now requires a wallet signature β previously, anyone who knew your address could spoof it
- Admin endpoints (wipe, reset) now require a secret token β no longer open to anyone who could guess the URL
- Signatures older than 1 hour are now rejected β prevents replay attacks with old or zero-timestamp signatures
- Source maps are no longer exposed in the browser β your contract logic stays private in production
- Nango credentials no longer appear (even partially) in logs
π·οΈ New Terminology
We've landed on clearer language for the two sides of the marketplace:
- Builders β people who create and publish AI agents (previously "makers")
- Producers β people who deploy and run agents for their business (previously "founders")
This is reflected everywhere β routes, dashboard, docs, legal pages.
π§ Stability
- Fixed a bug where agents using Telegram, Figma, and other event-based triggers would fail immediately on execution
- Fixed concurrent execution instability when agents use OpenAI or LangChain β these SDKs interfere with our async context tracking; we now have a safe fallback path
- Silent failures on billing and payment settlement are now loud errors β we'd rather crash visibly than lose money quietly