C3 (SDK): trust-boundary hardening (signed config + allowlists)#10
Open
marceloceccon wants to merge 2 commits intomainfrom
Open
C3 (SDK): trust-boundary hardening (signed config + allowlists)#10marceloceccon wants to merge 2 commits intomainfrom
marceloceccon wants to merge 2 commits intomainfrom
Conversation
- Ed25519 PaymentConfig verifier (@noble/curves) - rejects tampered config, replay >5min, bad signatures - WEB3SETTLE_PAYMENT_CONFIG_PUBKEY_PRIMARY/SECONDARY constants for rotation overlap (placeholder zero pubkey - replace before publish) - KNOWN_CONTRACT_ADDRESSES per-chain allowlist; signed config can elevate per-storefront - Salted walletDigest: hashWalletAddress(address, storefrontId, dayUtc) - no longer reversible cross-storefront - KNOWN_PERMIT_TOKENS: refuse permit:'auto' for unknown (name,version,chainId,verifyingContract); falls back to approve() - SUPPORTED_ABI_VERSIONS handshake (fail-closed on mismatch) - Exact-pinned runtime deps (i18next, react-i18next, zod) - removes ^ ranges - TRON estimateGas dynamically fetches sun-per-energy from TronGrid (5min cache, hardcoded fallback) - sdk-supplychain workflow + dependabot config (no auto-merge for runtime deps) - 14 files / 171 tests pass (new: 7 verifier, 5 permit-allowlist, 3 telemetry-salt, 3 TRON dynamic-fee)
…into develop # Conflicts: # src/core/telemetry.ts # src/evm/permit.ts # src/index.ts
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes the most-dangerous workspace-level failure: poisoned DNS / CDN-edge MITM substitutes the contract address with a clone; users sign against attacker contract. The SDK now refuses to call
payIn*without cryptographic provenance.verifyPaymentConfigrejects tampereddata, replay >5min, bad signatures.WEB3SETTLE_PAYMENT_CONFIG_PUBKEY_PRIMARY/SECONDARYconstants for rotation overlap.KNOWN_CONTRACT_ADDRESSESper-chain allowlist; signed config can elevate per-storefront.hashWalletAddress(address, storefrontId, dayUtc)— no longer reversible cross-storefront (closes GDPR finding).KNOWN_PERMIT_TOKENSquadruple registry — refusepermit:'auto'for unknown tokens; falls back toapprove().SUPPORTED_ABI_VERSIONShandshake (fail-closed on mismatch).estimateGasdynamically fetches sun-per-energy from TronGrid (5min cache, hardcoded fallback).sdk-supplychain.ymlworkflow + Dependabot (no auto-merge for runtime deps).Test plan
npm test— 14 files / 171 tests pass (new: 7 verifier, 5 permit-allowlist, 3 telemetry-salt, 3 TRON dynamic-fee)npm run lint+ typecheck cleanWEB3SETTLE_PAYMENT_CONFIG_PUBKEY_PRIMARYships as all-zero placeholder. Replace with the real public key whose private half lives in Vault before publishing 0.6.0.