explorer-monorepo

d-bis/explorer-monorepo

Fork 0

Commit Graph

Author SHA1 Message Date

Author	SHA1	Message	Date
Devin	fdb14dc420	security: tighten gitleaks regex for escaped form, document history-purge audit trail Some checks failed CI / Backend (go 1.23.x) (pull_request) Successful in 56s Details CI / Backend security scanners (pull_request) Failing after 40s Details CI / Frontend (node 20) (pull_request) Successful in 2m19s Details CI / gitleaks (secret scan) (pull_request) Failing after 7s Details e2e-full / e2e-full (pull_request) Has been skipped Details Two small follow-ups to the out-of-band git-history rewrite that purged L@ker$2010 / L@kers2010 / L@ker\$2010 from every branch and tag: .gitleaks.toml: - Regex was L@kers?\$?2010 which catches the expanded form but NOT the shell-escaped form (L@ker\$2010) that slipped past PR #3 in scripts/setup-database.sh. PR #13 fixed the live leak but did not tighten the detector. New regex L@kers?\\?\$?2010 catches both forms so future pastes of either form fail CI. - Description rewritten without the literal password (the previous description was redacted by the history rewrite itself and read 'Legacy hardcoded ... (*REDACTED-LEGACY-PW* / *REDACTED-LEGACY-PW)' which was cryptic). docs/SECURITY.md: - New 'History-purge audit trail' section recording what was done, how it was verified (0 literal password matches in any blob or commit message; 0 legacy-password findings from a post-rewrite gitleaks scan), and what operator cleanup is still required on the Gitea host to drop the 13 refs/pull//head refs that still pin the pre-rewrite commits (the update hook declined those refs over HTTPS, so only an admin on the Gitea VM can purge them via 'git update-ref -d' + 'git gc --prune=now' in the bare repo). - New 'Re-introduction guard' subsection pointing at the tightened regex and commit `78e1ff5`. Verification: gitleaks detect --no-git --source . --config .gitleaks.toml # 0 legacy hits git log --all -p \| grep -cE 'L@ker\$2010\|L@kers2010' # 0	2026-04-18 20:08:13 +00:00
Devin	f4e235edc6	chore(ci): align Go to 1.23.x, add staticcheck/govulncheck/gitleaks gates .github/workflows/ci.yml: - Go version: 1.22 -> 1.23.4 (matches go.mod's 'go 1.23.0' declaration). - Split into four jobs with explicit names: * test-backend: go vet + go build + go test * scan-backend: staticcheck + govulncheck (installed from pinned tags) * test-frontend: npm ci + eslint + tsc --noEmit + next build * gitleaks: full-history secret scan on every PR - Branches triggered: master + main + develop (master is the repo default; the previous workflow only triggered on main/develop and would never have run on the repo's actual PRs). - actions/checkout@v4, actions/setup-go@v5, actions/setup-node@v4. - Concurrency group cancels stale runs on the same ref. - Node and Go caches enabled for faster CI. .gitleaks.toml (new): - Extends gitleaks defaults. - Custom rule 'explorer-legacy-db-password-L@ker' keeps the historical password pattern L@kers?\$?2010 wedged in the detection set even after rotation, so any re-introduction (via copy-paste from old branches, stale docs, etc.) fails CI. - Allowlists docs/SECURITY.md and CHANGELOG.md where the string is cited in rotation context. backend/staticcheck.conf (new): - Enables the full SA* correctness set. - Temporarily disables ST1000/1003/1005/1020/1021/1022, U1000, S1016, S1031. These are stylistic/cosmetic checks; the project has a long tail of pre-existing hits there that would bloat every PR. Each is commented so the disable can be reverted in a dedicated cleanup. Legit correctness issues surfaced by staticcheck and fixed in this PR: - backend/analytics/token_distribution.go: 'best-effort MV refresh' block no longer dereferences a shadowed 'err'; scope-tight 'if err :=' used for the subsequent QueryRow. - backend/api/rest/middleware.go: compressionMiddleware() was parsing Accept-Encoding and doing nothing with it. Now it's a literal pass-through with a TODO comment pointing at gorilla/handlers. - backend/api/rest/mission_control.go: shadowed 'err' from json.Unmarshal was assigned to an ignored outer binding via fmt.Errorf; replaced with a scoped 'if uerr :=' that lets the RPC fallback run as intended. - backend/indexer/traces/tracer.go: best-effort CREATE TABLE no longer discards the error implicitly. - backend/indexer/track2/block_indexer.go: 'latestBlock - uint64(i) >= 0' was a tautology on uint64. Replaced with an explicit 'if uint64(i) > latestBlock { break }' guard so operators running count=1000 against a shallow chain don't underflow. - backend/tracing/tracer.go: introduces a local ctxKey type and two constants so WithValue calls stop tripping SA1029. Verification: - go build ./... clean. - go vet ./... clean. - go test ./... all existing tests PASS. - staticcheck ./... clean except for the SA1029 hits in api/middleware/auth.go and api/track4/operator_scripts_test.go, which are resolved by PR #4 once it merges to master. Advances completion criterion 4 (CI in good health).	2026-04-18 19:10:20 +00:00

Devin

fdb14dc420

security: tighten gitleaks regex for escaped form, document history-purge audit trail

CI / Backend (go 1.23.x) (pull_request) Successful in 56s

Details

CI / Backend security scanners (pull_request) Failing after 40s

Details

CI / Frontend (node 20) (pull_request) Successful in 2m19s

Details

CI / gitleaks (secret scan) (pull_request) Failing after 7s

Details

e2e-full / e2e-full (pull_request) Has been skipped

Details

Two small follow-ups to the out-of-band git-history rewrite that
purged L@ker$2010 / L@kers2010 / L@ker\$2010 from every branch and
tag:

.gitleaks.toml:
  - Regex was L@kers?\$?2010 which catches the expanded form but
    NOT the shell-escaped form (L@ker\$2010) that slipped past PR #3
    in scripts/setup-database.sh. PR #13 fixed the live leak but did
    not tighten the detector. New regex L@kers?\\?\$?2010 catches
    both forms so future pastes of either form fail CI.
  - Description rewritten without the literal password (the previous
    description was redacted by the history rewrite itself and read
    'Legacy hardcoded ... (***REDACTED-LEGACY-PW*** / ***REDACTED-LEGACY-PW***)'
    which was cryptic).

docs/SECURITY.md:
  - New 'History-purge audit trail' section recording what was done,
    how it was verified (0 literal password matches in any blob or
    commit message; 0 legacy-password findings from a post-rewrite
    gitleaks scan), and what operator cleanup is still required on
    the Gitea host to drop the 13 refs/pull/*/head refs that still
    pin the pre-rewrite commits (the update hook declined those refs
    over HTTPS, so only an admin on the Gitea VM can purge them via
    'git update-ref -d' + 'git gc --prune=now' in the bare repo).
  - New 'Re-introduction guard' subsection pointing at the tightened
    regex and commit 78e1ff5.

Verification:
  gitleaks detect --no-git --source . --config .gitleaks.toml   # 0 legacy hits
  git log --all -p | grep -cE 'L@ker\$2010|L@kers2010'         # 0

2026-04-18 20:08:13 +00:00

Devin

f4e235edc6

chore(ci): align Go to 1.23.x, add staticcheck/govulncheck/gitleaks gates

.github/workflows/ci.yml:
- Go version: 1.22 -> 1.23.4 (matches go.mod's 'go 1.23.0' declaration).
- Split into four jobs with explicit names:
    * test-backend: go vet + go build + go test
    * scan-backend: staticcheck + govulncheck (installed from pinned tags)
    * test-frontend: npm ci + eslint + tsc --noEmit + next build
    * gitleaks: full-history secret scan on every PR
- Branches triggered: master + main + develop (master is the repo
  default; the previous workflow only triggered on main/develop and
  would never have run on the repo's actual PRs).
- actions/checkout@v4, actions/setup-go@v5, actions/setup-node@v4.
- Concurrency group cancels stale runs on the same ref.
- Node and Go caches enabled for faster CI.

.gitleaks.toml (new):
- Extends gitleaks defaults.
- Custom rule 'explorer-legacy-db-password-L@ker' keeps the historical
  password pattern L@kers?\$?2010 wedged in the detection set even
  after rotation, so any re-introduction (via copy-paste from old
  branches, stale docs, etc.) fails CI.
- Allowlists docs/SECURITY.md and CHANGELOG.md where the string is
  cited in rotation context.

backend/staticcheck.conf (new):
- Enables the full SA* correctness set.
- Temporarily disables ST1000/1003/1005/1020/1021/1022, U1000, S1016,
  S1031. These are stylistic/cosmetic checks; the project has a long
  tail of pre-existing hits there that would bloat every PR. Each is
  commented so the disable can be reverted in a dedicated cleanup.

Legit correctness issues surfaced by staticcheck and fixed in this PR:
- backend/analytics/token_distribution.go: 'best-effort MV refresh'
  block no longer dereferences a shadowed 'err'; scope-tight 'if err :='
  used for the subsequent QueryRow.
- backend/api/rest/middleware.go: compressionMiddleware() was parsing
  Accept-Encoding and doing nothing with it. Now it's a literal
  pass-through with a TODO comment pointing at gorilla/handlers.
- backend/api/rest/mission_control.go: shadowed 'err' from
  json.Unmarshal was assigned to an ignored outer binding via
  fmt.Errorf; replaced with a scoped 'if uerr :=' that lets the RPC
  fallback run as intended.
- backend/indexer/traces/tracer.go: best-effort CREATE TABLE no longer
  discards the error implicitly.
- backend/indexer/track2/block_indexer.go: 'latestBlock - uint64(i) >= 0'
  was a tautology on uint64. Replaced with an explicit
  'if uint64(i) > latestBlock { break }' guard so operators running
  count=1000 against a shallow chain don't underflow.
- backend/tracing/tracer.go: introduces a local ctxKey type and two
  constants so WithValue calls stop tripping SA1029.

Verification:
- go build ./... clean.
- go vet ./... clean.
- go test ./... all existing tests PASS.
- staticcheck ./... clean except for the SA1029 hits in
  api/middleware/auth.go and api/track4/operator_scripts_test.go,
  which are resolved by PR #4 once it merges to master.

Advances completion criterion 4 (CI in good health).

2026-04-18 19:10:20 +00:00

2 Commits