fix(tonco-dex): critical security fixes and swap execution repair#103

Closed
labtgbot wants to merge 1 commit into xlabtg:main from labtgbot:fix/tonco-dex-critical
Conversation

Collaborator

@labtgbot labtgbot commented Apr 5, 2026

🔒 Critical Bug Fixes for TONCO DEX Plugin

This PR addresses several critical issues that made the plugin non-functional or insecure:

🛠 Fixes

1. tonco_execute_swap: Security checks added

  • Added chatType !== 'private' check — swaps only allowed in DMs
  • Added senderId === _sdk.config.owner_id verification — only owner can execute swaps
  • Prevents unauthorized swap execution in groups

2. tonco_execute_swap: Correct transaction sending

  • Replaced _sdk.ton.sendTON with _sdk.ton.sendMessage for proper jetton swap execution
  • sendTON was sending raw TON instead of the swap message body
  • Now correctly sends the TONCO swap message with proper payload

3. tonco_swap_quote: Handle missing ToncoSDK gracefully

  • Wrapped SDK-dependent code in if (ToncoSDK) check
  • Falls back to price-based approximation when SDK is not installed
  • No more crashes when @toncodex/sdk is missing

4. tonco_get_position_fees: Validate NFT address

  • Added Address.parse validation before creating contract instance
  • Returns clear error message for invalid addresses

5. Debug logging across all tools

  • Added _sdk?.log?.debug?.() calls at the start of each tool's execute function
  • Logs input parameters for easier debugging

6. General improvements

  • Consistent error handling with slice(0, 500) across all tools
  • Better error messages for missing dependencies

🎯 Impact

  • tonco_swap_quote now works without @toncodex/sdk (fallback mode)
  • tonco_execute_swap is now secure (DM + owner only) and functional (correct message sending)
  • All tools have debug logging for troubleshooting

🧪 Testing

  • Test swap quote with and without SDK installed
  • Test swap execution in DM (should work) vs group (should be rejected)
  • Test position fee queries with valid/invalid NFT addresses

🔗 Related

  • Based on latest main branch
  • No breaking changes to tool signatures

…rification, proper message sending, NFT validation
@labtgbot labtgbot closed this Apr 5, 2026
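The access-control and fallback pattern the PR describes for `tonco_execute_swap` and `tonco_swap_quote`, as an added example that is not code from the PR or from the tonco-dex plugin. The object shapes (`ctx.chatType`, `ctx.senderId`, `sdk.config.owner_id`, `sdk.ton.sendMessage`, `sdk.log.debug`) follow the names in the PR description; the fake SDK, the module loader stub, the quote function and all sample values are constructed stand-ins. Two choices go slightly beyond the description and are assumptions: ids are compared as strings so a numeric `senderId` cannot silently fail a strict comparison against a string `owner_id`, and an unset `owner_id` fails closed instead of matching an undefined sender.

```javascript
// Added example, not code from the PR or the tonco-dex plugin.
// Assumed shapes: ctx = { chatType, senderId }, sdk.config.owner_id,
// sdk.log.debug, sdk.ton.sendMessage. Everything else is constructed.

// Fail-closed authorization: a swap runs only in a private chat and only
// for the configured owner. Ids are compared as strings (assumption: chat
// ids may arrive as number or string depending on the transport).
function authorizeSwap(ctx, sdk) {
  if (ctx.chatType !== 'private') {
    return { ok: false, error: 'swaps are only allowed in a private chat' };
  }
  const ownerId = sdk?.config?.owner_id;
  if (ownerId === undefined || ownerId === null || ownerId === '') {
    return { ok: false, error: 'owner_id is not configured; refusing to swap' };
  }
  if (String(ctx.senderId) !== String(ownerId)) {
    return { ok: false, error: 'only the configured owner can execute swaps' };
  }
  return { ok: true };
}

// Bounded error text, matching the PR's slice(0, 500) convention, so a
// failing SDK cannot flood the chat or the log with a huge message.
function shortError(err) {
  return String(err && err.message ? err.message : err).slice(0, 500);
}

// Optional dependency loader: a missing module degrades to null, while any
// other load error (syntax error, incompatible version) still surfaces.
// `loader` is injected so the example runs without a real module.
function loadOptional(loader, name) {
  try {
    return loader(name);
  } catch (err) {
    if (err && err.code === 'MODULE_NOT_FOUND') return null;
    throw err;
  }
}

// Quote path: use the SDK when present, otherwise a price-based estimate,
// and report which mode was used so callers treat the estimate as approximate.
function swapQuote(toncoSdk, amountIn, price) {
  if (toncoSdk && typeof toncoSdk.quote === 'function') {
    return { mode: 'sdk', amountOut: toncoSdk.quote(amountIn) };
  }
  return { mode: 'fallback', amountOut: amountIn * price, approximate: true };
}

// Execution path: log the input, authorize, then send the swap message body
// (a raw TON transfer would not carry the swap payload).
function executeSwap(ctx, sdk, params) {
  sdk?.log?.debug?.('tonco_execute_swap', params);
  const auth = authorizeSwap(ctx, sdk);
  if (!auth.ok) return { sent: false, error: auth.error };
  try {
    const result = sdk.ton.sendMessage({
      to: params.router,
      value: params.value,
      body: params.body,
    });
    return { sent: true, result };
  } catch (err) {
    return { sent: false, error: shortError(err) };
  }
}

// Constructed fake SDK so the block runs stand-alone and records what was sent.
function makeFakeSdk(ownerId) {
  const sent = [];
  return {
    config: { owner_id: ownerId },
    log: { debug: () => {} },
    ton: {
      sendMessage: (msg) => {
        sent.push(msg);
        return { hash: 'constructed-tx-hash' };
      },
    },
    sent,
  };
}

// Stand-alone demo with constructed values: a group chat is rejected, the
// owner's DM goes through.
const demoSdk = makeFakeSdk(42);
const demoParams = { router: 'constructed-router-address', value: 1, body: 'constructed-swap-body' };
console.log(executeSwap({ chatType: 'supergroup', senderId: 42 }, demoSdk, demoParams));
console.log(executeSwap({ chatType: 'private', senderId: 42 }, demoSdk, demoParams));
```

The order inside `executeSwap` matters: the debug log runs first so rejected attempts are visible in the log, the authorization check runs before anything touches the wallet, and the send is wrapped so SDK failures come back as a bounded error rather than an uncaught exception.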