fix(audit): S-001 webhook leak, S-003 payment gate, Dockerfile CMD malformation #195
Merged
…+ fix Dockerfile CMD
S-001: DISCORD_WEBHOOK_PAYMENTS was committed as a plaintext value in a public repo. Rotated to sync:false — set the new webhook URL in Render dashboard only, never in source.
Dockerfile: --max-requests-jitter and core.app:create_app() were merged into a single array element, which would cause gunicorn to reject the jitter value as non-integer and never receive the WSGI app argument. Split into separate elements.
When _issue_invoice() raises (402Proof unreachable, timeout, 5xx), the decorator returns HTTP 503 instead of granting free access. Revenue-protecting behavior: no invoice = no access, not a free pass.
Previous llms.txt listed tools that don't exist (squeeze_scan, ftd_cycle, full_regime) with wrong prices. Full rewrite with all 35 actual MCP tools, correct RLUSD prices, payment flow, headers, futures/settlement/marketplace descriptions, and operator-only tool section.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013D1bVEB4VVWiT6v6JMWeh6
…idation
Security fixes applied during institutional-grade audit:
1. **HTTP Security Headers** (core/app.py): Added missing
X-XSS-Protection, Referrer-Policy, and Content-Security-Policy
headers. Changed X-Frame-Options from SAMEORIGIN to DENY.
2. **CORS** (core/app.py): Replaced open wildcard CORS(*) with an
allowlist of known frontend origins (CORS_ORIGINS env var,
defaulting to canonical dashboard domains).
3. **Dockerfile**: Added non-root appuser to eliminate running gunicorn
as root inside the container.
4. **Symbol Input Validation** (core/api/premium_bp.py): Added
_validate_symbol() helper using regex ^[A-Z0-9.]{1,10}$ applied to
/api/council and /api/options symbol inputs before passing to engines.
5. **Rate Limiting** (core/rate_limiter.py, core/api/premium_bp.py):
Added RateLimiter class (fixed-window, in-memory, thread-safe).
Premium blueprint enforces 30 req/min per IP via before_request hook.
6. **Error Handling** (core/api/keys_bp.py): Replaced bare str(e) HTTP
responses with jsonify({"error": "internal error..."}) + exc_info
logging so tracebacks never reach the client.
7. **Wallet Address Masking** (proof402_integration.py): Masked full
wallet addresses in warning logs to first-6...last-4 chars only.
8. **MCP Tool Sync** (.well-known/mcp.json): Synced free_tools and
paid_tools arrays to match the _TOOLS list in mcp_bp.py (source of
truth). Added autopilot_start, autopilot_stop, circuit_breaker_reset,
iam_resolve, iam_truth. Removed stale ftd_*/notary_*/triple_lock_*
entries that were removed from mcp_bp.py. Updated tool count to 35.
9. **CI Workflow** (.github/workflows/ci.yml): Fixed invalid action
versions (checkout@v6 → v4, setup-python@v6 → v5). Added
permissions: contents: read. Added bandit security scan and
safety dependency vulnerability check steps.
10. **.env.example**: Documented CORS_ORIGINS environment variable.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013D1bVEB4VVWiT6v6JMWeh6
Adds service-monitor.yml — scheduled every 10 min — that checks all SML services and sends a Discord alert the moment any service degrades. Hard failures (5xx, timeout) fail the job; 403 Vercel auth-gate is reported as a warning with actionable remediation text in the alert embed.
Services monitored: scriptmasterlabs.com, SqueezeOS API, Ghost Layer, 402Proof, SML Rails, SML Copy-Trader, SML Launchpad, TipMaster.
Also updates keepalive.yml to accept 403 as a valid keep-alive response for scriptmasterlabs.com (Vercel returns 403 when auth gate is active — the service is alive, just gated; monitoring is handled separately).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013D1bVEB4VVWiT6v6JMWeh6
…flow + pin all actions to SHA
CRITICAL: NK (Neynar API key) and RK (Render API key) were plaintext in tipmaster-autosetup.yml job env block — visible in public git history. Moved to GitHub Actions secrets: NEYNAR_API_KEY, RENDER_API_KEY.
ACTION REQUIRED: Rotate both keys immediately in their dashboards.
Also pins all workflow actions to 40-char commit SHAs to prevent supply-chain tag hijacking attacks.
…h-npm, publish-pypi, sml-agent)
…sync, uptime, xdeo-*, service-monitor)
…ied 49933ea
cdca7d6dd16c72fb5d9c5b2d47aaddfca8fd94e2 is not a valid commit SHA for actions/setup-node. Replaced with verified commit SHA 49933ea5288caeca8642d1e84afbd3f7d6820020 (v4) across all affected workflow files.
ScriptMaster Labs Institutional Audit — SqueezeOS Remediations
Findings Fixed
`render.yaml`: `sync: false` — set the real value in Render dashboard only
`proof402_integration.py`
`Dockerfile`: `--max-requests-jitter` and `core.app:create_app()` were merged into one string element, causing gunicorn startup failure
`llms.txt`
S-001 — Discord Webhook Rotation Required
The previously committed webhook URL must be revoked immediately.
`render.yaml`
`DISCORD_WEBHOOK_PAYMENTS` in the Render dashboard under Environment
S-003 — Payment Gate Behavior Change
Before: If `four02proof.onrender.com` was unreachable, `_issue_invoice()` raised, the decorator caught it, logged a warning, and called the protected route handler — granting free premium access during 402Proof downtime.
After: Unreachable 402Proof returns HTTP 503 with `ERR_PAYMENT_GATE_UNAVAILABLE`. Premium endpoints are gated even when the invoice server is down. Revenue protected.
llms.txt Accuracy Fix
Previous `llms.txt` described tools that do not exist (`squeeze_scan`, `ftd_cycle`, `full_regime`) with incorrect pricing. Rewritten with all 35 actual MCP tools including free/paid/operator-only tiers, correct RLUSD prices, payment flow, and key headers.
Operator Action Required
`render.yaml` (details above)
`DISCORD_WEBHOOK_PAYMENTS` is set correctly in Render dashboard
`PROOF402_TOKEN_SECRET` matches the value on `four02proof.onrender.com`
Generated by Claude Code
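The S-003 before/after behaviour as a framework-free sketch, added here as an example and not the project's decorator. `require_payment`, its `fail_open` switch and the three stand-in invoice functions are hypothetical; only the 503 status and `ERR_PAYMENT_GATE_UNAVAILABLE` come from the description above.

```python
import functools
import logging

log = logging.getLogger("payment_gate")

def require_payment(issue_invoice, fail_open=False):
    """Gate a handler behind an invoice check.

    issue_invoice(request) stands in for the page's _issue_invoice(). Assumed
    contract: returns None when payment is already proven, returns an invoice
    dict when payment is owed, raises when the invoice server cannot be reached.
    """
    def decorator(handler):
        @functools.wraps(handler)
        def wrapper(request):
            try:
                invoice = issue_invoice(request)
            except Exception:
                log.warning("invoice service unavailable", exc_info=True)
                if fail_open:
                    # "Before": an outage falls through to the paid handler.
                    return handler(request)
                # "After": no invoice means no access.
                return {"error": "ERR_PAYMENT_GATE_UNAVAILABLE"}, 503
            if invoice is not None:
                return {"error": "payment required", "invoice": invoice}, 402
            return handler(request)
        return wrapper
    return decorator

def premium_handler(request):
    return {"data": "premium payload"}, 200

# Constructed stand-ins for the three invoice-server outcomes.
def server_down(request):
    raise TimeoutError("invoice server timed out")

def already_paid(request):
    return None

def payment_owed(request):
    return {"amount": "0.10", "currency": "RLUSD"}

if __name__ == "__main__":
    cases = [(server_down, True), (server_down, False),
             (already_paid, False), (payment_owed, False)]
    for check, flag in cases:
        route = require_payment(check, fail_open=flag)(premium_handler)
        print(check.__name__, "fail_open=%s" % flag, "->", route({})[1])
```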