fix: update tests for admin-auth-required GET endpoints (PR #6197 reviewer feedback)#11
Open
BossChaos wants to merge 1769 commits into
Conversation
Co-authored-by: WaefreBeorn <waefrebeorn@users.noreply.github.com>
Vulnerability: compute_box_id() and compute_tx_id() in utxo_db.py call bytes.fromhex() without try/except, causing ValueError crash. See rustchain-bounties#2819 Co-authored-by: CHY9213 <chy9213@users.noreply.github.com>
* Add opt-in state pruning utility * fix: harden state pruning archive maintenance --------- Co-authored-by: SR <ssr@SRdeMacBook-Pro.local>
* feat: add eip1559 fee market helpers * test: document legacy fee rounding semantics --------- Co-authored-by: SR <ssr@SRdeMacBook-Pro.local>
* feat: add block randomness beacon
* fix: harden randomness proof parsing
* docs: update randomness beacon proof result
* style: tidy randomness beacon imports
* style: satisfy randomness beacon lint
* fix: handle legacy randomness table reads
* docs: refresh randomness beacon validation evidence
---------
Co-authored-by: SR <ssr@SRdeMacBook-Pro.local>
Co-authored-by: SR <ssr@SRdeMacBook-Pro.local>
Co-authored-by: SR <ssr@SRdeMacBook-Pro.local>
* feat: add state diff API * test: cover partial state diff gaps
* feat: add lightweight SPV client helpers * fix: require SPV headers to extend known chain
* feat: add attestation pool monitoring * fix: index attestation history by timestamp
…cjn#5994)
* Guard attestation metrics against malformed shapes
* Refresh macOS miner checksum pins
* Tighten attestation metric path coverage
---------
Co-authored-by: Joe <hubeiqiao@users.noreply.github.com>
Co-authored-by: sirakinb <aki.b@pentridgemedia.com>
Co-authored-by: sirakinb <aki.b@pentridgemedia.com>
Co-authored-by: sirakinb <aki.b@pentridgemedia.com>
Co-authored-by: sirakinb <aki.b@pentridgemedia.com>
…cottcjn#6464)
- Added cultural-context preamble explaining RustChain's relevance to China's e-waste recycling ecosystem, 闲鱼 second-hand market, and 华强北 refurbishing culture
- Enhanced existing translation with CN-native framing throughout
- Added special notes for Chinese miners about anti-VM enforcement
- Added gaming/nostalgia callouts that resonate with CN tech community
- Bounties: #12445 (5-8 RTC)
…(S3) (Scottcjn#6459) Co-authored-by: WaefreBeorn <waefrebeorn@users.noreply.github.com>
… at 256 (A20, A24) (Scottcjn#6455) Co-authored-by: WaefreBeorn <waefrebeorn@users.noreply.github.com>
Co-authored-by: WaefreBeorn <waefrebeorn@users.noreply.github.com>
…ttcjn#6453) Co-authored-by: WaefreBeorn <waefrebeorn@users.noreply.github.com>
) Two hardening fixes to the OTC bridge worker payout (live RTC money path).

1) IDEMPOTENT PAYOUT (prevents double-spend on retry)

rtc_transfer_from_worker retries /wallet/transfer on timeout/5xx. Without an idempotency key, a retry after the server already debited (response lost to a timeout, or a double-confirm) pays the recipient twice. The node's wallet_transfer_v2 already dedups on `idempotency_key` (deterministic tx_hash + 409-on-conflict); the client just never sent one, so each retry got a fresh random tx_hash.

Fix: send a stable, order-derived key `otc_payout:{order_id}` — unique per payout (one worker payout per order), stable across retries, kept equal to `reason` so the server's reason-consistency check passes.

2) FAIL-CLOSED ADMIN TRANSPORT (prevents RC_ADMIN_KEY leak)

The admin key was sent to the env-controlled RUSTCHAIN_NODE with no scheme/TLS enforcement — http:// or RUSTCHAIN_TLS_VERIFY=false would exfiltrate the credential in plaintext / to an unverified host.

Added _admin_transport_block_reason(): refuses to send the key over a non-https scheme or with TLS verification disabled to a non-local host. Loopback + an explicit OTC_ALLOW_INSECURE_ADMIN opt-out remain for dev. Refusing strands funds in the worker wallet (alerted + recoverable) — strictly safer than leaking the key.

Tests: tests/test_otc_bridge_payout_idempotency.py — stable key sent, retries reuse the identical key, and the transport guard blocks http/TLS-off while allowing loopback + opt-out. 36 otc-bridge tests pass.

Co-authored-by: Scott Boudreaux <noreply@anthropic.com>
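The two mechanisms in the commit message above, written out as an added example rather than the OTC bridge's own code: a payout client that reuses one order-derived idempotency key across retries, exercised against a constructed in-memory stand-in for the node's transfer endpoint that dedups on that key, and a fail-closed transport guard that refuses to put an admin key on the wire over http or with TLS verification off unless the target is loopback or an explicit opt-out is set. All names here (FakeNode, admin_transport_block_reason, pay_worker, the URLs) are assumptions for the example.

```python
"""Added example (not the OTC bridge's code): idempotent payout + fail-closed admin transport."""
import hashlib
from typing import Optional
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def admin_transport_block_reason(node_url: str, tls_verify: bool,
                                 allow_insecure_admin: bool = False) -> Optional[str]:
    """Return None if the admin key may be sent to node_url, else the reason it may not."""
    parts = urlsplit(node_url)
    host = (parts.hostname or "").lower()
    if allow_insecure_admin or host in LOOPBACK_HOSTS:
        return None  # dev escape hatches: loopback target, or an explicit opt-out
    if parts.scheme != "https":
        return f"refusing to send admin key over {parts.scheme or 'unknown'}://"
    if not tls_verify:
        return "refusing to send admin key with TLS verification disabled"
    return None


class FakeNode:
    """Constructed stand-in for a /wallet/transfer endpoint that dedups on idempotency_key."""

    def __init__(self):
        self.seen = {}        # idempotency_key -> (tx_hash, reason)
        self.balance_paid = 0  # total actually debited; must equal amount once per order

    def transfer(self, *, to: str, amount: int, reason: str, idempotency_key: str):
        tx_hash = hashlib.sha256(idempotency_key.encode()).hexdigest()  # deterministic per key
        prior = self.seen.get(idempotency_key)
        if prior is not None:
            if prior[1] != reason:  # reason-consistency check: same key must carry same reason
                return 409, {"error": "idempotency key reused with a different reason"}
            return 200, {"tx_hash": tx_hash, "deduped": True}
        self.seen[idempotency_key] = (tx_hash, reason)
        self.balance_paid += amount
        return 200, {"tx_hash": tx_hash, "deduped": False}


def payout_key(order_id: str) -> str:
    """One worker payout per order, so the key is unique per payout and stable across retries."""
    return f"otc_payout:{order_id}"


def pay_worker(node: FakeNode, node_url: str, tls_verify: bool, *, order_id: str,
               worker: str, amount: int, attempts: int = 3, drop_first_response: bool = False):
    """Pay a worker with retries; every attempt sends the identical idempotency key.

    Returns the (status, body) of the last attempt, or ("blocked", reason) when the
    transport guard refuses: funds then stay in the worker wallet instead of the key leaking.
    """
    reason = admin_transport_block_reason(node_url, tls_verify)
    if reason is not None:
        return "blocked", reason
    key = payout_key(order_id)
    last = None
    for attempt in range(attempts):
        status, body = node.transfer(to=worker, amount=amount, reason=key, idempotency_key=key)
        last = (status, body)
        if attempt == 0 and drop_first_response:
            continue  # simulate a timeout: the server debited, but the client never saw the reply
        if status == 200:
            break
    return last
```

With `drop_first_response=True` the first call debits the worker wallet and the retry is recognised by the key, so the recipient is paid exactly once; without the stable key the retry would be a second, independent payment.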
Illustrative agent.json / BindingCert / ProvenanceRecord / Ergo anchor sample values + mermaid who/what/when verification sequence + threat-coverage table. Format-level only; implementation remains gated.
…potent ALTER (Scottcjn#6800)

Two defects in migrate_precision_columns / table_columns (flagged in the otc review, lower severity than the payout fixes but worth closing):

1) SQL INJECTION (latent). table_name was interpolated directly into PRAGMA/ALTER/UPDATE DDL. All current callers pass literals ('orders'/ 'trades'), so there is no live vector — but SQLite cannot parameterize identifiers, so any future dynamic caller would be injectable. Added _KNOWN_TABLES allowlist + _require_known_table() guard before any interpolation; both functions now reject unknown names with ValueError.

2) MIGRATION ATOMICITY. Concurrent workers racing the PRAGMA->ALTER window hit 'duplicate column name' and crash init. ALTER is now idempotent (swallows only that specific OperationalError; everything else still raises). The COALESCE backfill was already idempotent, so no write lock is needed.

Tests: tests/test_otc_bridge_migration.py — backfill correctness, run-twice idempotency, concurrent duplicate-column tolerance, unknown-table rejection on both functions, and that non-duplicate OperationalErrors still surface. 42 otc tests pass.

Co-authored-by: Scott Boudreaux <noreply@anthropic.com>
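An added example of the two guards the commit above describes, not the bridge's own migrate_precision_columns: an allowlist check on the table identifier before any DDL string formatting (SQLite cannot bind identifiers as parameters, so the only safe interpolation is of a known literal), and an ALTER that tolerates exactly the duplicate-column OperationalError so two workers racing the PRAGMA->ALTER window both finish init, while every other OperationalError still surfaces. The schema, column name and backfill expression are constructed for the example.

```python
"""Added example (not the OTC bridge's code): allowlisted identifiers + idempotent ALTER."""
import re
import sqlite3

_KNOWN_TABLES = frozenset({"orders", "trades"})
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def _require_known_table(table_name: str) -> str:
    """Only an allowlisted literal may reach f-string DDL; anything else is a ValueError."""
    if table_name not in _KNOWN_TABLES:
        raise ValueError(f"unknown table: {table_name!r}")
    return table_name


def table_columns(conn: sqlite3.Connection, table_name: str) -> list[str]:
    """Column names of an allowlisted table (PRAGMA cannot take a bound parameter)."""
    table = _require_known_table(table_name)
    return [row[1] for row in conn.execute(f"PRAGMA table_info({table})")]


def add_column_idempotent(conn: sqlite3.Connection, table_name: str,
                          column: str, decl: str) -> bool:
    """ALTER TABLE ... ADD COLUMN; True if added, False if it already existed.

    Swallows only SQLite's 'duplicate column name' error (the race a second worker
    loses); any other OperationalError is re-raised. `decl` must be a literal from
    migration code, never caller input.
    """
    table = _require_known_table(table_name)
    if not _IDENT.fullmatch(column):
        raise ValueError(f"bad column identifier: {column!r}")
    try:
        conn.execute(f"ALTER TABLE {table} ADD COLUMN {column} {decl}")
        return True
    except sqlite3.OperationalError as exc:
        if "duplicate column name" in str(exc).lower():
            return False
        raise


def migrate_precision_columns(conn: sqlite3.Connection, table_name: str) -> None:
    """Add a text precision column and backfill it; safe to run any number of times."""
    table = _require_known_table(table_name)
    add_column_idempotent(conn, table, "amount_precise", "TEXT")
    # COALESCE leaves already-backfilled rows untouched, so a second run is a no-op
    # and no write lock around the PRAGMA->ALTER->UPDATE sequence is needed.
    conn.execute(
        f"UPDATE {table} SET amount_precise = COALESCE(amount_precise, CAST(amount AS TEXT))"
    )
    conn.commit()


def fresh_db() -> sqlite3.Connection:
    """Constructed schema with one order row, for the run-twice check below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, amount REAL)")
    conn.execute("INSERT INTO orders (amount) VALUES (1.5)")
    conn.commit()
    return conn
```

Running `migrate_precision_columns(fresh_db(), "orders")` twice on the same connection models the two-worker race: the second ALTER hits the duplicate-column error and is absorbed, while the backfill leaves the already-populated value alone.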
…e_escrow (Scottcjn#6801)

Three self-contained fixes from the otc-bridge tri-brain review (no money-path logic changed — the settlement-atomicity races are a separate follow-up):

1) init_db at import. The Dockerfile runs `gunicorn otc_bridge:app`, where __name__ != '__main__', so init_db() never ran → fresh container had no tables → 500 on first request. Now called at import (idempotent: CREATE TABLE IF NOT EXISTS + idempotent migration), so WSGI deploys work. NOTE: gunicorn -w 2 imports concurrently → two migrations race; that race is made safe by Scottcjn#6800 (idempotent ALTER) — merge Scottcjn#6800 first or together.

2) list_trades fail-open. `?pair=<unsupported>` fell through to the unfiltered full-history feed. Now a non-empty pair not in SUPPORTED_PAIRS returns 400, mirroring /api/orderbook; empty pair still returns the full feed.

3) Removed rtc_release_escrow — dead code (never called; confirm_order inlines claim/deliver/accept) whose body also didn't match its own docstring.

Tests: tests/test_otc_bridge_clean_fixes.py — unsupported-pair 400, valid/empty pair 200, schema present after a bare import (WSGI path), dead fn gone.

Co-authored-by: Scott Boudreaux <noreply@anthropic.com>
Zenodo v2 published (record 20516555) with Part III. Switch badge/citation to the concept DOI so it always resolves to the newest archived version.
* Add consensus invariant attractor harness * Reframe UTXO attractor examples for accepted harness
…ineage)

Adds the Provenance Framework: one question ('can I prove where this came from?'), VERIFY vs AUDIT rigor tiers, and the 5-layer taxonomy (Hardware/Agent/Content/Knowledge/Economic) mapping each Elyan Labs system + RIP under it. Existing content-binding spec retained as the canonical Content Provenance instance (Parts I-III). PoA reframed as evidence under Hardware Provenance, not the destination.
Co-authored-by: SR <ssr@SRdeMacBook-Pro.local>
Co-authored-by: SR <ssr@SRdeMacBook-Pro.local>
…, retro-terminal UX (Scottcjn#6771) Co-authored-by: darlina-bounty-codex <darlina.bounty.codex@gmail.com>
…view) Separate cryptographic CHECK (binary) from bound REFERENT (attested, stated strength). Replace VERIFY/AUDIT with CRYPTOGRAPHIC/ATTESTED/EVIDENTIARY. Add 'does not prove' column per layer. Recast Hardware as attestation prerequisite; narrow Economic to settlement (not work); Knowledge = evidence auditability (not reasoning lineage); accords/reputation = governance on top. Soften 'chain of custody' -> signed/anchored binding (not lifecycle custody). Kill 'binary, non-probabilistic, adversary-proof'.
Per-layer Status column (Hardware/Economic deployed; Content spec-not-built; Agent partial; Knowledge research). Reframe 'unifies into one trust architecture' -> 'proposes a path toward'. Mark the composite chain-of-custody as the TARGET demonstration, not a running system. PoP = framework + roadmap.
…ardware precondition) Codex re-review: 5/7 resolved, 2 partial. Add normative tier rule (CRYPTOGRAPHIC dispositive / ATTESTED spoof-resistant / EVIDENTIARY non-dispositive); recast Hardware explicitly as a precondition layer that underpins the others, not a peer. Both brains: now an honest spec, not deception.
…6197 reviewer feedback)
- test_list_passports_empty: unauthenticated GET now returns 401
- test_list_passports_rejects_non_integer_limit: return 401 before parsing
- test_list_passports_rejects_negative_offset: return 401 before parsing
- test_list_passports_clamps_large_limit: add valid admin auth header
- test_get_nonexistent_passport: unauthenticated returns 401 not 404
- test_update_passport_rejects_owner_claim: add auth header to GET call
- test_mutating_subresources_fail_closed: add auth header to GET call
Welcome to RustChain! Thanks for your first pull request. Before we review, please make sure:
Bounty tiers: Micro (1-10 RTC) | Standard (20-50) | Major (75-100) | Critical (100-150)
A maintainer will review your PR soon. Thanks for contributing!
Summary

Addresses reviewer feedback on PRs Scottcjn#6191 and Scottcjn#6197.

PR Scottcjn#6197 — test_machine_passport.py fixes

All Machine Passport GET endpoints now require admin auth (X-Admin-Key header). Tests updated accordingly:
- test_list_passports_empty
- test_list_passports_rejects_non_integer_limit
- test_list_passports_rejects_negative_offset
- test_list_passports_clamps_large_limit: X-Admin-Key: expected-admin-key
- test_get_nonexistent_passport
- test_update_passport_rejects_owner_claim: GET call, X-Admin-Key: expected-admin-key
- test_mutating_subresources_fail_closed: GET call, X-Admin-Key: expected-admin-key

PR Scottcjn#6191 — get_contracts() already fixed

The get_contracts() in node/beacon_api.py already uses admin-only auth in HEAD. The broken agent-signature fallback (_authenticate_contract_agent(get_db(), [], ...) with empty allowed_agents=[]) was removed by the original PR merge. No additional code change needed.
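The ordering the updated tests pin down, as an added example that is not the RustChain Machine Passport code: the admin-key check runs before any query parameter is parsed, so a bad `limit` or `offset` from an unauthenticated caller yields 401 rather than 400, and an unauthenticated GET of a missing passport yields 401 rather than 404, so existence cannot be probed without the key. It is framework-free so it runs stand-alone; the handler names, the in-memory passport store, the 20-default/100-max paging values and the "expected-admin-key" value are assumptions for the example.

```python
"""Added example (not RustChain's code): admin auth is decided before parameters are parsed."""
import hmac

# Constructed admin key; a real service loads it from configuration or secret storage.
EXPECTED_ADMIN_KEY = "expected-admin-key"
DEFAULT_LIMIT = 20
MAX_LIMIT = 100

# Constructed in-memory store standing in for the passport table.
PASSPORTS = {"mp-1": {"id": "mp-1", "owner": "alice"}}


def _admin_authorized(headers: dict) -> bool:
    """True only if X-Admin-Key is present and equals the expected key (constant-time compare)."""
    presented = headers.get("X-Admin-Key")
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), EXPECTED_ADMIN_KEY.encode())


def _parse_paging(args: dict) -> tuple[int, int]:
    """Parse limit/offset; ValueError on non-integers, limit < 1 or offset < 0."""
    limit = int(args.get("limit", str(DEFAULT_LIMIT)))
    offset = int(args.get("offset", "0"))
    if limit < 1 or offset < 0:
        raise ValueError("limit must be >= 1 and offset must be >= 0")
    return min(limit, MAX_LIMIT), offset  # clamp: the caller never sets the page size


def list_passports(headers: dict, args: dict) -> tuple[int, dict]:
    """GET /passports. Auth first; only an authenticated caller can reach the parser."""
    if not _admin_authorized(headers):
        return 401, {"error": "admin auth required"}
    try:
        limit, offset = _parse_paging(args)
    except ValueError as exc:
        return 400, {"error": str(exc)}
    items = list(PASSPORTS.values())[offset:offset + limit]
    return 200, {"passports": items, "limit": limit, "offset": offset}


def get_passport(headers: dict, passport_id: str) -> tuple[int, dict]:
    """GET /passports/<id>. Unauthenticated callers get 401 whether or not the id exists."""
    if not _admin_authorized(headers):
        return 401, {"error": "admin auth required"}
    record = PASSPORTS.get(passport_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record
```

The assertions that matter are the negative ones: with no header, `limit=abc` and `offset=-1` both return 401 (never 400), and a lookup of an unknown id returns 401 (never 404); the same requests with the header return 400 and 404 respectively, and an oversized `limit` is clamped to MAX_LIMIT rather than honoured.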