docs: config/dependency inventory + replay & recovery verification runbook#407
Merged
Merged
Conversation
…nbook CONFIG_AND_DEPENDENCIES.md: full inventory of YAA's secrets/private keys, endpoints/services, and chain config, each tagged for the zero-backend target — eliminate (server secret → relay/API-key), user-configurable (AAStar default OR your own = decentralization choice), dev-only (must not ship), or runtime flag. Feeds beta security hygiene + the config-center design. REPLAY_AND_RECOVERY_VERIFICATION.md: beta-pre #3 (replay) + #1 (recovery) are live/integration flows (funded account, KMS, 2-day timelock) — records the protection mechanism (single-use challenge + 10min TTL + EntryPoint nonce; guardian flow + timelock) and an owner runbook with verified-by-design vs needs-live-run status.
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
clestons
approved these changes
Jul 2, 2026
clestons
left a comment
There was a problem hiding this comment.
Review: #407 — docs: config inventory + replay & recovery runbook
纯文档 PR,2 个新 Markdown 文件,无代码变更。
CONFIG_AND_DEPENDENCIES.md
- 🔴/🟢/🟡/⚙️ 分类与代码现状吻合:
DEPLOYER_PRIVATE_KEY映射自ETH_PRIVATE_KEY(account.service.ts 中的 config alias),ETH_PRIVATE_KEY独立作为 recovery 的executeRecovery()relay key — 均正确标 🔴 eliminate ✓ - 🟡 dev-only EOA 私钥(PRIVATE_KEY_JASON/ANNI/BOB…)明确标注"must not ship to beta/prod" + 与 DoD #8 secret scan 挂钩 ✓
- 🟢 endpoints 中指出
lib/api-key-store.ts已在 migration 分支支持 KMS/bundler URL override,config page 扩展至 RPC+RELAY — 与 #400/#405 代码一致 ✓
REPLAY_AND_RECOVERY_VERIFICATION.md
- Replay 机制分析准确:KMS single-use challenge(ChallengeId consumed)+ EntryPoint nonce 单调递增两层,app 层无独立单元可测 ✓
- Recovery 分拆合理:fast-path(add/remove guardian、initiate、support、cancel、replay-rejection)不需 timelock 可立即跑;full execute 需 2-day on-chain timelock → 推到 mainnet 前 ✓
- 现有 runbook 引用正确(
docs/social-recovery-e2e-test.md)
无问题项。
APPROVE
| 轮次 | 执行者 | 裁决 |
|---|---|---|
| R1 | Sonnet 4.6 | APPROVE(纯文档,内容扎实) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Two docs:
CONFIG_AND_DEPENDENCIES.md(your 'help me inventory what YAA depends on'): every secret/private key, endpoint/service, and chain-config var, tagged 🔴 eliminate (server secret → relay/API-key) / 🟢 user-configurable (AAStar default or your own = decentralization choice) / 🟡 dev-only (must not ship) / ⚙️ runtime flag. Feeds beta security hygiene + the config-center design.REPLAY_AND_RECOVERY_VERIFICATION.md(beta-pre Validator enhancement #3 replay + Feature/validator #1 recovery): these are live/integration flows (funded account, KMS, 2-day timelock) not headless-testable — records the protection mechanism (single-use challenge + 10-min TTL + EntryPoint nonce; guardian flow + timelock) + an owner runbook with verified-by-design vs needs-live-run status.No code changes.