Quick wins: auth error msg, pay_to validation, scorer rate-limit, dev CORS port, setup.sh warn#13
Open
madjin wants to merge 2 commits into
Open
Quick wins: auth error msg, pay_to validation, scorer rate-limit, dev CORS port, setup.sh warn#13madjin wants to merge 2 commits into
madjin wants to merge 2 commits into
Conversation
… CORS port, setup.sh warn Cleanup of small audit-derived fixes scoped to app.py and setup.sh. Five behavior-preserving changes; no protocol or breaking-change work. Refs: #11 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 7, 2026
Self-review pass surfaced micro-cleanups across the five sub-changes: - validate_solana_address: drop the what-docstring (the function name and signature already say it). - verify_wallet_auth auto-populate: drop the 4-line rationale comment block. The why belongs in the commit message and PR body. - update_pay_to_address: drop the now-redundant length check (Pubkey decode handles it) and the stale "(basic Solana address validation)" comment. - Privacy cache: drop the 2-line "what this is" comment block and the "Cache hit?" comment. Move the OrderedDict import to the top-of-file imports and drop the _ScoreOrderedDict alias. Replace the while-loop in _privacy_cache_set with an if (each call adds at most one entry, so the loop iterated at most once anyway). - CORS dev allowlist: drop the "(app default port is 8765 per CLAUDE.md)" parenthetical — citing the project's own instructions inside source is awkward; the change itself stands on its own. - setup.sh: drop the "Detect ENVIRONMENT setting" what-comment. No behavior change. Smoke verified: /health 200. Refs: #11 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Refs #11
Five small audit-derived cleanups scoped strictly to
app.pyandsetup.sh. All behavior-preserving; no protocol changes.What this PR does
verify_wallet_auth) — no longer leaksstr(e)from signature/key decode failures back to the caller; logsauth.wallet_verify: failed exc=%sserver-side without pubkey/signature payload. (parent: Production-default hardening + minimal CI #5)pay_to_addressSolana Pubkey validation — newvalidate_solana_address()helper usingsolders.pubkey.Pubkey.from_string; applied at (a) the dashboardPOST /api/config/pay-to-addresssettings update and (b) the auto-populate-on-first-sign-in path insideverify_wallet_auth. Both reject with400 Invalid Solana address. (parent: Production-default hardening + minimal CI #5)@limiter.limit("5/minute")tightened to2/minuteonPOST /api/wallet-privacy-score; added in-memoryOrderedDict-based per-wallet cache with 1-hour TTL and a 1000-entry bound. Cache hits skip the Helius call. (parent: P2: Privacy logging audit + input validation hygiene #9)localhost:8080/localhost:3000/127.0.0.1:8080entries with the actual app port (localhost:8765,127.0.0.1:8765). (parent: Production-default hardening + minimal CI #5)setup.shENVIRONMENT warning banner — at the end of setup, readsENVIRONMENTfrom the generated.env(or falls back to the live env var) and, if notproduction, prints a multi-line banner explaining which dev-mode security checks are still permissive, how to flip to production, and a pointer toCLAUDE.md. (parent: P2: Privacy logging audit + input validation hygiene #9)What this PR explicitly does NOT do
These remain scoped to their parent issues:
PRODUCTION_ORIGINset" is a behavior change requiring its own review.verify_wallet_authexception log was sanitized here; a sweep across alllogger.*call-sites is out of scope for this PR.Acceptance criteria (Worktree-1)
verify_wallet_authno longer interpolatesstr(e)into the HTTP 401 detail; server-side warning logs the exception without wallet/signature material.validate_solana_addresshelper added and used at everypay_to_addressmutation site (dashboard settings + first-sign-in auto-populate)./api/wallet-privacy-scorerate-limit lowered to2/minuteand now serves from a 1-hour TTL in-memory cache before hitting Helius.:8765(the actual app port) instead of stale:8080/:3000.setup.shprints a clearly-formatted warning banner whenENVIRONMENTis notproduction, with remediation steps and a doc pointer.Test plan
git diff --statshows changes inapp.pyandsetup.shonly.uv run python -c "import ast; ast.parse(open('app.py').read())"passes.bash -n setup.shpasses.uv run python app.py initcompletes cleanly.uv run python app.py serverboots;GET /healthreturns 200.validate_solana_addressreturnsTruefor"11111111111111111111111111111111"andFalsefor"hello-not-a-pubkey-but-44-chars-long-padding-x", empty string, and"abc".pay_to_addressagainst the live/api/config/pay-to-addressendpoint — skipped, requires a signed-in session (wallet flow). Endpoint returned 401 without auth as expected; reaching the validation branch needs a SIWS sign-in not easily scripted from this worktree.Generated with Claude Code