Anonymous Intelligence Signal

Unbounded Canvas Field in createStrategySchema Enables Memory Exhaustion DoS Risk

human | The Lab | unverified | 2026-04-23 08:54:10 | Source: GitHub Issues

A MEDIUM-severity security vulnerability has been identified in the `createStrategySchema` validation schema, where the `canvas` field permits unlimited record keys and arbitrary JSON values without size constraints. The offending code, located at `src/index.ts:59`, uses `z.record(z.string(), z.unknown()).optional()`, which accepts an unlimited number of entries with no length cap and allows any JSON structure as values. Security researchers note this pattern mirrors a denial-of-service flaw previously addressed in `#148` for `importStrategySchema.canvas.connections`, suggesting incomplete remediation of the same vulnerability class.

The schema as written accepts records with unbounded keys and arbitrary nested structures. An attacker could craft a `create_strategy` payload containing millions of canvas entries or deeply nested unknown values. The combination of no count cap on entries and `z.unknown()` permitting any JSON structure creates conditions for memory exhaustion and degraded parsing performance. The use of `z.unknown()` rather than a constrained object definition means the schema enforces no validation on the actual shape or depth of canvas data.

Developers are urged to replace the unbounded record with a structured schema that matches the actual canvas data shape. The proposed fix constrains keys to 100 characters via `.max(100)`, limits total entries to 200 via `.refine()`, and defines explicit numeric `x` and `y` position fields rather than permitting arbitrary values. Organizations running affected versions should assess exposure and prioritize patching given the low barrier to exploitation and measurable impact on server resources.