security: round 3 hardening (CSRF double-submit, TRX MITM, container hardening)

apps/api/src/index.ts

@@ -1,13 +1,31 @@
 import app from './app';
 import { env, initEnv } from './config/env';
 import { refreshAllKeys, startKeyRotation, stopKeyRotation } from './services/key-rotation.service';
+import { isCryptoReady } from './services/crypto.service';
 import { logger } from './lib/logger';
 
+// Global error handlers — иначе unhandled errors идут в stderr без sanitization (leak secrets)
+process.on('unhandledRejection', (reason: any) => {
+  logger.error(`Unhandled rejection: ${reason?.stack || reason?.message || reason}`);
+});
+process.on('uncaughtException', (err: Error) => {
+  logger.error(`Uncaught exception: ${err.stack || err.message}`);
+  // Process state could be corrupt — exit cleanly
+  process.exit(1);
+});
+
 async function main() {
   logger.info(`Wallet service instance started with id ${logger.instanceId}`);
 
   await initEnv();
   await refreshAllKeys();
+
+  // Custodial: без master-key сервис не может расшифровать ни одну мнемонику — fail fast.
+  if (!isCryptoReady()) {
+    logger.error('Crypto master key not loaded — refusing to start (custodial wallets require it)');
+    process.exit(1);
+  }
+
   startKeyRotation();
 
   const server = app.listen(env.port, () => {