Skip to content

feat: Web3 analysis tooling, CI/security pipeline, docs + review hardening#1

Open
NetVar1337 wants to merge 3 commits into
mainfrom
feat/audit-tooling-and-review-hardening
Open

feat: Web3 analysis tooling, CI/security pipeline, docs + review hardening#1
NetVar1337 wants to merge 3 commits into
mainfrom
feat/audit-tooling-and-review-hardening

Conversation

@NetVar1337

Copy link
Copy Markdown
Owner

Summary

Submits the reviewed Web3 audit-toolkit changeset:

  • New analysis tooling (opencode plugin): first-class slither/mythril/halmos/echidna wrappers, fetch_contract_source, a queryable .vigilo/kg knowledge-graph store, and a typed audit-plan pipeline — all routed through a single sandboxed command runner (mandatory cwd pin, wall-clock timeout, output cap, scrubbed env, no shell).
  • CI/CD + security: ci.yml + security.yml workflows, a composite vigilo-audit action, a Solidity Semgrep ruleset with regression fixtures, and pre-commit/markdownlint/yamllint/typos configs.
  • Docs: rewritten architecture/benchmark/getting-started/agents/knowledge-graph/models/security docs; MIT relicense.
  • Cleanup: removes the legacy simulated Python benchmark tree, docker-compose, root package scaffolding, and the dead providers module.

Review hardening (applied in this branch)

A multi-agent review of the changeset surfaced and fixed real issues — most importantly a CI-breaking regression:

  • CI: the prior pins oven-sh/setup-bun@735343b… and actions/setup-node@a309ff8… exist in no upstream ref and would hard-fail every workflow. Repinned to verified upstream SHAs (setup-bun v2.2.0, setup-node v6.2.0/v4.1.0); corrected checkout/codeql version comments.
  • Runner: output cap now bounds peak memory (incremental capped reads); timeout kills the whole process group (reaps solc/forge/solver grandchildren).
  • Tools: mythril -o json (was a non-existent flag); foundry surfaces timeout/missing-binary; echidna reports concrete call-sequence args; ast-grep fails closed on unverified downloads + pins 0.40.5; contract-source validates api_url (https + host allowlist → no SSRF/key-leak).
  • Other: plan reports out-of-order phase completion; concurrency global-slot leak fixed; dead max_tokens config removed; bench cost/stability reporting corrected; semgrep validation path + coverage gaps closed (with fixtures); doctor probes analyzer binaries.

Verification

  • opencode: typecheck clean, 392 pass / 0 fail
  • bench: typecheck clean, 49 pass / 0 fail
  • semgrep regression: 3 pass / 0 fail (vulnerable fixtures trip, safe fixtures clean)

🤖 Generated with Claude Code

…ening

Adds first-class external-analysis tool wrappers (slither/mythril/halmos/echidna), contract-source fetch, a queryable .vigilo/kg knowledge-graph store, and a typed audit-plan pipeline, all routed through a single sandboxed command runner (cwd pin, timeout, output cap, env scrub). Introduces CI + security workflows, a composite vigilo-audit action, a Solidity Semgrep ruleset with regression fixtures, pre-commit/lint configs, and a rewritten docs set. Removes the legacy simulated Python benchmark tree, docker-compose, root package scaffolding, and dead providers module; relicenses to MIT.

Review hardening included in this changeset:

- CI: repin setup-bun (v2.2.0) and setup-node (v6.2.0/v4.1.0) to real upstream SHAs (the prior pins existed in no upstream ref and broke every workflow); correct checkout/codeql version comments.

- runner: bound peak memory via incremental capped stream reads; kill the whole process group on timeout so solc/forge/solver grandchildren are reaped.

- mythril: use the real -o json flag; foundry tools surface timeout/missing-binary; echidna reports concrete call-sequence arguments.

- ast-grep: fail closed on unverified downloads (opt-out env) + pin 0.40.5 checksums; contract-source: https+host allowlist for api_url (SSRF/key-leak); plan: report out-of-order phase completion; concurrency: fix global-slot leak; drop dead max_tokens config.

- bench: total scoring cost across --runs, render stability, accurate timeout/dedupe messages. Docs: MIT license consistency, marketplace name, phase numbering, hardcoded paths. Semgrep: real validation path + coverage (compound reentrancy, modifier-gated selfdestruct, compound tx.origin, modifier zero-address) with fixtures. doctor: probe analyzer binaries.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

Comment on lines +244 to +252
body: JSON.stringify({
model: modelName,
messages: [
{ role: "system", content: SCORER_SYSTEM_PROMPT },
{ role: "user", content: prompt },
],
temperature: 0,
max_tokens: 1024,
}),
if (titleLine) {
title = titleLine.replace(/^#\s+/, "").trim();
let data: Record<string, unknown> = {};
let body = rawContent;

const { writeFileSync } = await import("node:fs")
writeFileSync(archivePath, Buffer.from(arrayBuffer))
writeFileSync(archivePath, buf)
NetVar1337 and others added 2 commits June 16, 2026 09:16
…am SHAs

Two more pins resolved to non-existent commits (dependency-review-action v4.7.1, scorecard-action v2.4.3), failing/short-circuiting the security workflow. Repinned to the verified upstream SHAs. All 11 action pins now resolve.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
The dependency-review action requires GitHub's Dependency Graph (plus GHAS on private repos), which isn't available on this fork, so it hard-failed every PR with 'Dependency review is not supported on this repository'. Mark the step continue-on-error so it no longer blocks PRs while still reporting high-severity dependency issues on repos where the graph is enabled.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants