
Dev to main - Security, best practices, and fixes #11

Merged
buzzkillb merged 20 commits into main from dev, Mar 17, 2026

Conversation

@buzzkillb (Owner) commented Mar 17, 2026

Summary

  • Fix tracing import order and remove duplicate doc comment
  • Replace static Mutex with tokio::Semaphore for async-friendly rate limiting
  • Fix User-Agent spoofing, bind health server to localhost, use absolute db path
  • Add fallback price alerts when API fails
  • Restrict /status command to server administrators only
  • Improve HTML parsing with regex

Security fixes

  • User-Agent now identifies as "RustyMcPriceface/1.0" instead of spoofing Chrome
  • Health server binds to 127.0.0.1 instead of 0.0.0.0
  • Database path uses absolute path /app/shared/prices.db

Best practices

  • Added warning logs when fallback prices are used
  • /status command now requires admin permissions
  • Improved HTML parsing reliability with regex
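As an added example (not code from this PR or the RustyMcPriceface project), the following Rust, using only std, turns the three security settings listed above into startup checks and shows the permission test a /status handler would apply before answering. The `BotConfig` struct, the function names, the port 8080 and the sample values are assumptions; the `ADMINISTRATOR` bit value (1 << 3) is Discord's documented permission flag.

```rust
// Added example, not the project's code. Only std is used so it compiles stand-alone.
use std::net::SocketAddr;
use std::path::Path;

/// Discord's ADMINISTRATOR permission flag (bit 3 of the guild permissions bitfield).
pub const ADMINISTRATOR: u64 = 1 << 3;

/// Hypothetical settings struct; the real bot may read these from env vars or a file.
#[derive(Debug)]
pub struct BotConfig {
    pub health_bind: String,
    pub db_path: String,
    pub user_agent: String,
}

#[derive(Debug, PartialEq)]
pub enum ConfigError {
    HealthBindNotLoopback(String),
    DbPathNotAbsolute(String),
    UserAgentSpoofsBrowser(String),
}

/// The health endpoint must not listen on all interfaces. `IpAddr::is_loopback`
/// accepts 127.0.0.0/8 and ::1, so an IPv6-only deployment still passes.
pub fn check_health_bind(addr: &str) -> Result<SocketAddr, ConfigError> {
    let sock: SocketAddr = addr
        .parse()
        .map_err(|_| ConfigError::HealthBindNotLoopback(addr.to_string()))?;
    if sock.ip().is_loopback() {
        Ok(sock)
    } else {
        Err(ConfigError::HealthBindNotLoopback(addr.to_string()))
    }
}

/// A relative SQLite path resolves against the process's working directory, which
/// differs between `cargo run`, a systemd unit and a container; insist on absolute.
pub fn check_db_path(path: &str) -> Result<&Path, ConfigError> {
    let p = Path::new(path);
    if p.is_absolute() {
        Ok(p)
    } else {
        Err(ConfigError::DbPathNotAbsolute(path.to_string()))
    }
}

/// Refuse a User-Agent that carries browser product tokens. An honest
/// "name/version" string lets the upstream price API rate-limit or contact the
/// bot instead of treating it as scraping abuse.
pub fn check_user_agent(ua: &str) -> Result<(), ConfigError> {
    let lower = ua.to_ascii_lowercase();
    let browser_tokens = ["mozilla/", "chrome/", "safari/", "applewebkit", "gecko/"];
    if browser_tokens.iter().any(|t| lower.contains(*t)) {
        return Err(ConfigError::UserAgentSpoofsBrowser(ua.to_string()));
    }
    Ok(())
}

/// Run all three checks; a failing config should abort startup, not log and continue.
pub fn validate(cfg: &BotConfig) -> Result<(), ConfigError> {
    check_health_bind(&cfg.health_bind)?;
    check_db_path(&cfg.db_path)?;
    check_user_agent(&cfg.user_agent)
}

/// Authorisation for /status: the caller passes the member's resolved guild
/// permissions bitfield. Guild owners hold every permission implicitly, so the
/// caller must treat the owner as having ADMINISTRATOR set before calling this.
pub fn can_run_status(member_permissions: u64) -> bool {
    member_permissions & ADMINISTRATOR != 0
}

fn main() {
    // Constructed sample config mirroring the values the PR description gives.
    let cfg = BotConfig {
        health_bind: "127.0.0.1:8080".to_string(),
        db_path: "/app/shared/prices.db".to_string(),
        user_agent: "RustyMcPriceface/1.0".to_string(),
    };
    match validate(&cfg) {
        Ok(()) => println!("config ok: {:?}", cfg),
        Err(e) => {
            eprintln!("refusing to start: {:?}", e);
            std::process::exit(1);
        }
    }
    // The pre-fix values each trip a check.
    assert!(check_health_bind("0.0.0.0:8080").is_err());
    assert!(check_db_path("shared/prices.db").is_err());
    assert!(check_user_agent("Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0").is_err());
    println!("/status allowed for admin: {}", can_run_status(ADMINISTRATOR | 0x400));
}
```

Calling `validate` once at startup and exiting on `Err` keeps a misconfigured deployment (a health port on 0.0.0.0, a database created wherever the process happened to start) from silently regressing the fixes this PR makes.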

Note

Low Risk

Overview
This pull request refactors several components for correctness, security, and maintainability. It adjusts the tracing import order, removes a duplicate documentation comment, and replaces a static Mutex with a tokio::Semaphore to provide async‑friendly rate limiting. The User‑Agent string is changed from a Chrome spoof to an identifiable “RustyMcPriceface/1.0”, the health server is bound to 127.0.0.1, and the database path is made absolute. Additional changes include adding fallback price alerts when the primary API fails, restricting the /status Discord command to server administrators, and improving HTML parsing with a regex, along with the corresponding lock‑file update in Cargo.lock.

Written by Gitzilla for commit 26cf4fe.

@buzzkillb buzzkillb merged commit f8bb5f6 into main Mar 17, 2026
7 checks passed