feat: Web3 analysis tooling, CI/security pipeline, docs + review hardening#1
Open
NetVar1337 wants to merge 3 commits into
Open
feat: Web3 analysis tooling, CI/security pipeline, docs + review hardening#1NetVar1337 wants to merge 3 commits into
NetVar1337 wants to merge 3 commits into
Conversation
…ening Adds first-class external-analysis tool wrappers (slither/mythril/halmos/echidna), contract-source fetch, a queryable .vigilo/kg knowledge-graph store, and a typed audit-plan pipeline, all routed through a single sandboxed command runner (cwd pin, timeout, output cap, env scrub). Introduces CI + security workflows, a composite vigilo-audit action, a Solidity Semgrep ruleset with regression fixtures, pre-commit/lint configs, and a rewritten docs set. Removes the legacy simulated Python benchmark tree, docker-compose, root package scaffolding, and dead providers module; relicenses to MIT. Review hardening included in this changeset: - CI: repin setup-bun (v2.2.0) and setup-node (v6.2.0/v4.1.0) to real upstream SHAs (the prior pins existed in no upstream ref and broke every workflow); correct checkout/codeql version comments. - runner: bound peak memory via incremental capped stream reads; kill the whole process group on timeout so solc/forge/solver grandchildren are reaped. - mythril: use the real -o json flag; foundry tools surface timeout/missing-binary; echidna reports concrete call-sequence arguments. - ast-grep: fail closed on unverified downloads (opt-out env) + pin 0.40.5 checksums; contract-source: https+host allowlist for api_url (SSRF/key-leak); plan: report out-of-order phase completion; concurrency: fix global-slot leak; drop dead max_tokens config. - bench: total scoring cost across --runs, render stability, accurate timeout/dedupe messages. Docs: MIT license consistency, marketplace name, phase numbering, hardcoded paths. Semgrep: real validation path + coverage (compound reentrancy, modifier-gated selfdestruct, compound tx.origin, modifier zero-address) with fixtures. doctor: probe analyzer binaries. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
Comment on lines
+244
to
+252
| body: JSON.stringify({ | ||
| model: modelName, | ||
| messages: [ | ||
| { role: "system", content: SCORER_SYSTEM_PROMPT }, | ||
| { role: "user", content: prompt }, | ||
| ], | ||
| temperature: 0, | ||
| max_tokens: 1024, | ||
| }), |
| if (titleLine) { | ||
| title = titleLine.replace(/^#\s+/, "").trim(); | ||
| let data: Record<string, unknown> = {}; | ||
| let body = rawContent; |
|
|
||
| const { writeFileSync } = await import("node:fs") | ||
| writeFileSync(archivePath, Buffer.from(arrayBuffer)) | ||
| writeFileSync(archivePath, buf) |
…am SHAs Two more pins resolved to non-existent commits (dependency-review-action v4.7.1, scorecard-action v2.4.3), failing/short-circuiting the security workflow. Repinned to the verified upstream SHAs. All 11 action pins now resolve. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
The dependency-review action requires GitHub's Dependency Graph (plus GHAS on private repos), which isn't available on this fork, so it hard-failed every PR with 'Dependency review is not supported on this repository'. Mark the step continue-on-error so it no longer blocks PRs while still reporting high-severity dependency issues on repos where the graph is enabled. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Submits the reviewed Web3 audit-toolkit changeset:
slither/mythril/halmos/echidnawrappers,fetch_contract_source, a queryable.vigilo/kgknowledge-graph store, and a typed audit-plan pipeline — all routed through a single sandboxed command runner (mandatory cwd pin, wall-clock timeout, output cap, scrubbed env, no shell).ci.yml+security.ymlworkflows, a compositevigilo-auditaction, a Solidity Semgrep ruleset with regression fixtures, and pre-commit/markdownlint/yamllint/typos configs.docker-compose, root package scaffolding, and the deadprovidersmodule.Review hardening (applied in this branch)
A multi-agent review of the changeset surfaced and fixed real issues — most importantly a CI-breaking regression:
oven-sh/setup-bun@735343b…andactions/setup-node@a309ff8…exist in no upstream ref and would hard-fail every workflow. Repinned to verified upstream SHAs (setup-bun v2.2.0, setup-node v6.2.0/v4.1.0); correctedcheckout/codeqlversion comments.solc/forge/solver grandchildren).-o json(was a non-existent flag); foundry surfaces timeout/missing-binary; echidna reports concrete call-sequence args; ast-grep fails closed on unverified downloads + pins 0.40.5; contract-source validatesapi_url(https + host allowlist → no SSRF/key-leak).max_tokensconfig removed; bench cost/stability reporting corrected; semgrep validation path + coverage gaps closed (with fixtures);doctorprobes analyzer binaries.Verification
🤖 Generated with Claude Code