feat(security): Production security hardening (Issue #197) - Rebased#4
Open
* feat: implement $FNDRY wallet staking flow for bounty creation
  - Add useFndryBalance hook: queries SPL token balance via getParsedTokenAccountsByOwner
  - Add useBountyEscrow hook: builds raw SPL transfer tx, sends via wallet adapter, confirms
  - Add FundBountyFlow: approval modal, 4-step transaction status tracker, fund button
  - Add EscrowStatus: sidebar widget for bounty detail page showing escrow state + Solscan links
  - Update BountyCreationWizard step 7: replace mock auth with real wallet, two-phase fund→publish
  - Update BountyDetailPage: display escrowed amount in sidebar
  - Zero new dependencies — all SPL operations use raw @solana/web3.js instructions
  Made-with: Cursor
* chores: implemented agents page
…undry#211)
- Add useFndryBalance hook: queries SPL token balance via getParsedTokenAccountsByOwner
- Add useBountyEscrow hook: builds raw SPL transfer tx, sends via wallet adapter, confirms
- Add FundBountyFlow: approval modal, 4-step transaction status tracker, fund button
- Add EscrowStatus: sidebar widget for bounty detail page showing escrow state + Solscan links
- Update BountyCreationWizard step 7: replace mock auth with real wallet, two-phase fund→publish
- Update BountyDetailPage: display escrowed amount in sidebar
- Zero new dependencies — all SPL operations use raw @solana/web3.js instructions
Made-with: Cursor
…are (SolFoundry#180)
* feat: add backend/src/middleware/rate_limit.py
* feat: add backend/tests/test_rate_limit.py
* fix: Complete implementation of backend/src/middleware/rate_limit.py
* fix: Complete implementation of backend/tests/test_rate_limit.py
* fix: Complete implementation of backend/src/middleware/rate_limit.py
* fix: Complete implementation of backend/tests/test_rate_limit.py
* feat: Agent Registration API (Closes SolFoundry#203)
  - Add POST /api/agents/register endpoint for agent registration
  - Add GET /api/agents/{agent_id} endpoint to get agent by ID
  - Add GET /api/agents endpoint with pagination and filtering
  - Add PATCH /api/agents/{agent_id} for authenticated updates
  - Add DELETE /api/agents/{agent_id} for soft delete (deactivation)
  - Add Agent SQLAlchemy model with all required fields
  - Add Pydantic models for validation and serialization
  - Add comprehensive unit tests (51 tests, all passing)
  - Support all 9 agent roles as specified
  Wallet address: Amu1YJjcKWKL6xuMTo2dx511kfzXAxgpetJrZp7N71o7
* fix: Remove unused imports and fix lint errors
* feat: Register Agent model in database init for table creation
  This ensures the agents table is created when the database is initialized. The Agent SQLAlchemy model is now properly registered with the Base metadata. Also removes unused 'text' import to fix lint error.
* feat: replace in-memory storage with SQLAlchemy database persistence
  - Replace _agent_store dict with AsyncSession database operations
  - Add db: AsyncSession parameter to all service functions
  - Use SQLAlchemy queries (select, filter) instead of dict operations
  - Inject db session dependency in API endpoints via Depends(get_db)
  - Update tests to use async client with SQLite in-memory database
  - Change JSONB to JSON for SQLite compatibility
  - All 49 tests passing
  Addresses AI Review feedback: in-memory storage caused 6.2/10 score (threshold 6.5). This change implements proper database persistence.
* fix: use SQLAlchemy is_() for boolean comparisons
  Fixes Ruff E712 lint errors:
  - Agent.is_active == True -> Agent.is_active.is_(True)
  - Agent.is_active == False -> Agent.is_active.is_(False)
* fix: resolve remaining Ruff lint errors
  - Remove unused import LeaderboardResponse from leaderboard.py
  - Remove unused import text from database.py
  - Remove unused variable result in bounty_search_service.py
* style: apply ruff formatting
…rmat
Fixes detection for:
- Closes #N in PR title (AlexChen31337 PRs SolFoundry#214-218)
- Closes #SolFoundry/solfoundry#N cross-repo format (LaphoqueRC PRs SolFoundry#226, SolFoundry#228)
Updated in 3 locations: ISSUE_NUM extraction, submission order count, duplicate check.
* feat: implement creator dashboard
* chore: update dependencies
* feat: implement tests and reviews
* feat: add backend/src/services/email.py
* feat: add backend/tests/test_email.py
* fix: complete implementation of backend/src/services/email.py
* fix: complete implementation of backend/tests/test_email.py
* fix: complete implementation of backend/src/services/email.py
* fix: complete implementation of backend/src/services/email.py
* fix: complete implementation of backend/tests/test_email.py
* fix: full implementation of Email Notification Service API and queue
* fix: full implementation of Email Notification Service API and queue
* fix: full implementation of Email Notification Service API and queue
* fix: full implementation of Email Notification Service API and queue
* fix: full implementation of Email Notification Service API and queue
- Implement vertical step-based timeline component
- Show bounty lifecycle from creation to payout
- Support 6 timeline stages: Created, Open, PR Submitted, AI Review, Merged, Paid
- Current stage highlighted with pulse/glow animation
- Completed stages show green checkmarks, pending stages grayed out
- Expandable detail on each stage with click-to-expand
- Handle edge cases: no submissions, multiple PRs, rejected bounties
- Responsive design for mobile
- Include 5 sample timelines at different lifecycle stages
- Full unit test coverage with 19 passing tests
Wallet: Amu1YJjcKWKL6xuMTo2dx511kfzXAxgpetJrZp7N71o7
* feat: contributor reputation system with tier progression and anti-farming
  Implements the full contributor reputation system (Closes SolFoundry#165):
  - Reputation score calculation from AI review scores weighted by bounty tier
  - Tier progression: T1 (anyone) -> T2 (4 merged T1s) -> T3 (3 merged T2s)
  - Anti-farming: veterans scored harder on T1 bounties (+0.5 threshold bump)
  - Score history with per-bounty breakdown
  - Leaderboard integration (rank by reputation)
  - REST API: GET/POST /contributors/{id}/reputation, GET history, leaderboard
  - Reputation badges: Bronze (10+), Silver (30+), Gold (60+), Diamond (90+)
  42 test cases covering calculation, anti-farming, badges, tiers, service integration, and API endpoints.
  Wallet: 97VihHW2Br7BKUU16c7RxjiEMHsD4dWisGDT2Y3LyJxF
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: apply 6 CodeRabbit findings — auth, idempotency, tier enforcement, precision
  1. Auth guard on record_contributor_reputation (requires Depends(get_current_user_id))
  2. earned_reputation rejects negative values (ge=0)
  3. threading.Lock around in-memory _reputation_store mutations
  4. Idempotency check: duplicate contributor_id + bounty_id returns existing entry
  5. Tier progression enforcement: bounty_tier must not exceed contributor's unlocked tier
  6. Score precision: use round(total, 2) consistently instead of int(round(total))
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: apply 9 CodeRabbit + LLM fixes — auth, types, precision, perf, tests
  CodeRabbit fixes:
  1. Extract INTERNAL_SYSTEM_USER_ID to app.constants, share between auth.py and contributors.py
  2. Distinct exceptions (ContributorNotFoundError -> 404, TierNotUnlockedError -> 400) replace blanket ValueError catch
  3. min_length=1 on ReputationHistoryEntry string identity fields
  4. Truncate history to 10 entries in ReputationSummary via truncate_history helper; full history via dedicated endpoint
  5. determine_badge uses sorted(BADGE_THRESHOLDS) for explicit ordering
  6. TOCTOU fix: contributor existence check moved inside _reputation_lock
  7. Leaderboard builds lightweight summaries (include_history=False)
  8. test_history_order: time.sleep(0.001) between calls for distinct ts
  9. test_negative_earned_reputation_rejected: pydantic.ValidationError
  LLM fixes:
  - Service uses public contributor_service.update_reputation_score() instead of directly mutating _store
  - Remove AUTH_ENABLED=false from conftest; tests pass with auth enabled via X-User-ID headers
  - Google-style docstrings on all functions/classes in diff files
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Create reusable Skeleton component with variants (text, card, avatar, table row)
- Add shimmer/pulse animation for skeleton loading states
- Create EmptyState component with icon + message + optional CTA
- Add skeleton loading states to:
  - BountyBoard (bounty list)
  - LeaderboardPage (contributor list)
  - ActivityFeed (activity feed)
- Add preset empty states: NoBountiesFound, NoContributionsYet, NoActivityYet
- Consistent styling with existing design system (Tailwind + Solana colors)
Closes SolFoundry#262
* feat: add CI/CD pipeline with Docker containerization and staging deploy
  Closes SolFoundry#184
  - Multi-stage Dockerfiles for backend (Python/FastAPI) and frontend (Vite/nginx)
  - Docker Compose with backend, frontend, PostgreSQL 16, and Redis 7
  - CI pipeline extended with Docker build validation and compose config check
  - Deploy pipeline: staging auto-deploy on merge, production with manual approval
  - Rollback via workflow_dispatch with rollback_tag input
  - Health checks wired into container orchestration (HEALTHCHECK + /health verify)
  - .env.example documenting all required environment variables
  **Wallet:** 97VihHW2Br7BKUU16c7RxjiEMHsD4dWisGDT2Y3LyJxF
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add Docker build CI, smoke tests, staging migrations, rollback normalization
  - Replace file-existence-only Docker validation with full docker build + compose smoke test that starts all 4 services and curls /health
  - Split single migrate-database into migrate-staging and migrate-production jobs, each running after its respective deploy
  - Normalize image tags with format=short to match ${GITHUB_SHA::7} in deploy
  - Add workflow_dispatch environment input conditions so staging/production jobs only run when the selected environment matches
  - Replace hardcoded health check URLs with ${{ vars.STAGING_HEALTH_URL }} and ${{ vars.PRODUCTION_HEALTH_URL }} repository variables
  - Document required secrets, variables, environments, and rollback procedure
  - Add production environment protection rule comment
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: blocking migrations, health deps, nginx security headers, devnet default
  Address all LLM + CodeRabbit review findings from PR SolFoundry#256:
  - Remove continue-on-error from migration jobs (failed migration = failed deploy)
  - Add condition: service_healthy to frontend->backend dependency in docker-compose
  - Add backend healthcheck in docker-compose for service_healthy to work
  - Add Content-Security-Policy header to nginx config
  - Add X-Forwarded-Proto header to /auth/ proxy location
  - Duplicate security headers in static asset location (nginx inheritance caveat)
  - Default SOLANA_RPC_URL to devnet in .env.example and docker-compose.yml
  - Expand production environment comment with explicit reviewer instructions
  - Document nginx privilege model in Dockerfile.frontend
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…Foundry#294)
- Create reusable WalletAddress component
- Truncate long addresses (e.g., AqqW...3xKf)
- Click to copy full address to clipboard
- Visual feedback (checkmark icon, 'Copied!' tooltip)
- Reset back to copy icon after 2 seconds
- Hover state showing full address in tooltip
- Works with any string (wallet addresses, tx hashes, etc.)
- Add comprehensive unit tests
Closes SolFoundry#261
Wallet address for bounty: Amu1YJjcKWKL6xuMTo2dx511kfzXAxgpetJrZp7N71o7
…#299)
* feat: Add Dark/Light Theme Toggle (Closes SolFoundry#259)
  - ThemeContext: Theme context provider with localStorage persistence
  - ThemeToggle: Theme toggle button supporting dark/light/system modes
  - Updated App.tsx and SiteLayout.tsx with theme integration
  - Unit tests for ThemeToggle component
  Wallet: Amu1YJjcKWKL6xuMTo2dx511kfzXAxgpetJrZp7N71o7
* feat: Add Toast notification component
  - Toast.tsx: Toast display component with auto-dismiss
  - ToastContext.tsx: Toast context provider
  - Toast.test.tsx: Unit tests for Toast component
  - toast.ts: Type definitions
  Wallet: Amu1YJjcKWKL6xuMTo2dx511kfzXAxgpetJrZp7N71o7
* fix: lint errors
* fix: email.py undefined variable ts
* fix: resolve TypeScript and import errors for CI
  - Add named export for Modal component to fix TS2614
  - Fix import paths in test_email.py (backend.src -> src)
  - Fix import path in test_rate_limit.py (backend.src -> src)
* revert: Remove unrelated Toast system from theme PR
  The Toast notification system is out of scope for this bounty (SolFoundry#259). Will be submitted as a separate PR if needed.
* fix: Theme toggle improvements for CI review
  - Remove hardcoded dark colors from dropdown menu
  - Use theme-aware Tailwind classes (dark: prefix)
  - Add inline script to prevent theme flash on load
  - Fix body class to support both light and dark modes
  - Only add click-outside listener when dropdown is open
* docs: Update App docstring and add light surface colors
  - Update App.tsx docstring to mention ThemeProvider
  - Add light mode surface color variables for future use
* fix: Fix TypeScript errors in Header.tsx and add mockAgents.ts
  - Remove theme/onToggleTheme props from Header (now uses ThemeContext)
  - ThemeToggle now uses useTheme hook internally
  - Add mockAgents.ts to fix missing module error
Add anthropic SDK dependency and pass ANTHROPIC_API_KEY + DEEPSEEK_API_KEY to the review engine. Review engine v3.0 now runs 5 LLMs in parallel.
* chores: implemented faq page
* chores: feat/reputation_gated_fcfs
* chores: feat/reputation_gated_fcfs
README:
- Updated review pipeline: 3 models → 5 (added Sonnet 4.6, DeepSeek V3.2)
- Added tier threshold table with veteran discounts
- Updated architecture diagram model names (GPT-5.3→5.4, Grok 3→4)
- T3 access now shows both paths (3+ T2s OR 5+ T1s + 1 T2)
- Tech stack updated with all 5 review models
- Trimmed mean aggregation explained
CONTRIBUTING:
- 5-model review pipeline with all models listed
- Tier-specific score thresholds (T1: 6.0, T2: 7.0, T3: 7.5)
- Veteran discount system explained (rep ≥ 80)
- T3 dual unlock paths documented
- PR rules: 5 attempts per bounty (was incorrectly "one PR per bounty")
- Scoring dimensions updated (6 categories, not 5)
- Anti-spam policy aligned with actual rate limits
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ry#383)
- New file: frontend/src/components/common/TierProgressBar.tsx
- Props: completedT1, completedT2, completedT3 (numbers)
- 3-tier milestone markers with glow effect on current tier
- Gradient-filled progress track (T1→T2→T3)
- T2 unlock: 4 T1 merges; T3 via 3 T2s OR (5+ T1 + 1+ T2)
- Tooltips on hover/focus showing exact requirements
- Accessible: role=progressbar, aria-label, aria-valuenow
- Responsive (works at various widths via flex)
- Unit tests: new user, T2 eligible, T3 via both paths, maxed out
- No new dependencies
- New file: frontend/src/components/layout/Breadcrumbs.tsx
- Auto-generates breadcrumbs from useLocation() (React Router)
- Route segment labels mapped to human-readable names
- Dynamic segments (IDs, usernames) decoded from URL
- Separator: › character
- All segments except current are clickable <Link> elements
- Integrated into SiteLayout below top nav, above page content
- Mobile: collapses to first + last 2 segments with … for middle
- Dark theme, no new dependencies
- Add .theme-transitioning class for smooth light/dark mode transitions
- Add shimmer animation for loading skeleton components
- Support both light and dark mode shimmer effects
- Prevent transition flash on initial page load
Enhances user experience when toggling between themes.
- Create TokenPrice.tsx component
- Fetch price data from DexScreener API
- Display price, 24h change, market cap, and volume
- Support compact mode for navbar
- Auto-refresh every 60 seconds
- Loading skeleton and error states
- Unit tests for all functionality
Closes SolFoundry#347
**Wallet:** 9U1vGkmL5MELJ8B6KSKURQ51NN6hKmxFxVyXmd7xZxWY
…tion (Closes SolFoundry#167)
Implements the automated $FNDRY payout pipeline:
- SPL token transfer via Solana RPC with configurable endpoint
- Transaction confirmation with retry logic (3 attempts, exponential backoff)
- Per-bounty payout lock mechanism preventing double-pay
- Solscan link generation for every transaction
- Payout queue with status tracking (pending -> approved -> processing -> confirmed/failed)
- Admin approval gate (API endpoint for approve/reject decisions)
- Transaction history API with filtering (recipient, status, bounty_id, token)
- Wallet validation rejecting program addresses (System, Token, AToken, etc.)
- Typed exceptions (DoublePayError, PayoutLockError, TransferError, etc.)
- State machine with frozenset-based allowed transitions
- asyncio.to_thread for lock-protected store mutations
- 51 passing tests covering full lifecycle, edge cases, and regressions
- Route prefix fix: /payouts endpoints no longer double-prefixed
Wallet: 97VihHW2Br7BKUU16c7RxjiEMHsD4dWisGDT2Y3LyJxF
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…gate (Closes SolFoundry#167)
Implements the full automated $FNDRY payout pipeline:
- SPL token transfer via solders (transfer_checked instruction) with configurable RPC endpoint and treasury keypair
- Transaction confirmation with 3-attempt exponential backoff (1s, 2s, 4s)
- Payout queue with status tracking: pending -> approved -> processing -> confirmed | failed
- Per-bounty lock mechanism preventing double-pay (DB constraint in PostgreSQL migration path)
- Solscan link generation (https://solscan.io/tx/{hash})
- Admin approval gate (approve/reject endpoints with audit logging)
- Transaction history API with filtering by recipient, status, bounty_id, token, and date range (start_date/end_date)
- Base58 wallet validation rejecting 6 known program addresses
- Retry count tracking and failure reason on payout records
- 64 comprehensive tests covering lifecycle, security, and edge cases
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
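The two payout commits above describe three controls worth seeing in code: base58 wallet validation that refuses program addresses, a frozenset-driven transition table for the pending -> approved -> processing -> confirmed | failed lifecycle, and a per-bounty lock that stops a second payout while one is live. The block below is an added example written for this page, not SolFoundry's payout service. It assumes a `rejected` status for the admin reject path, the class names `PayoutQueue`, `InvalidWalletError`, `ProgramAddressError` and `InvalidTransitionError` (only `DoublePayError` is named on the page), and a sample wallet encoded from constructed bytes. The three program IDs are the well-known mainnet System, SPL Token and Associated Token program addresses the first commit names; the commit says the real set has six.

```python
"""Added example (illustrative; not SolFoundry's payout service): base58 wallet
validation that refuses program addresses, a frozenset-driven payout state
machine, and a per-bounty lock that prevents double-pay. The "rejected" status
and every class name except DoublePayError are assumptions for this page."""
from __future__ import annotations

import threading
from decimal import Decimal
from enum import Enum

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Bitcoin-alphabet base58; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = _B58[rem] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        idx = _B58.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body


# Well-known mainnet program IDs (System, SPL Token, Associated Token). Nobody
# holds a signing key for a program ID, so tokens sent there are unrecoverable.
# A real deployment extends this set.
PROGRAM_ADDRESSES = frozenset({
    "11111111111111111111111111111111",
    "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA",
    "ATokenGPvbdGVxr1b2hvZbsiqW5xWH25efTNsLJA8knL",
})


class InvalidWalletError(ValueError): ...
class ProgramAddressError(ValueError): ...
class InvalidTransitionError(RuntimeError): ...
class DoublePayError(RuntimeError): ...


def validate_wallet(address: str) -> str:
    """Accept only a 32-byte base58 pubkey that is not a known program."""
    try:
        raw = b58decode(address)
    except ValueError as exc:
        raise InvalidWalletError(str(exc)) from exc
    if len(raw) != 32:
        raise InvalidWalletError(f"expected 32-byte pubkey, got {len(raw)} bytes")
    if address in PROGRAM_ADDRESSES:
        raise ProgramAddressError("refusing to pay out to a program address")
    return address


class PayoutStatus(str, Enum):
    PENDING = "pending"
    APPROVED = "approved"
    PROCESSING = "processing"
    CONFIRMED = "confirmed"
    FAILED = "failed"
    REJECTED = "rejected"  # assumed name for the admin "reject" outcome


# Any status missing here is terminal: no transition out of it is allowed.
ALLOWED_TRANSITIONS = {
    PayoutStatus.PENDING: frozenset({PayoutStatus.APPROVED, PayoutStatus.REJECTED}),
    PayoutStatus.APPROVED: frozenset({PayoutStatus.PROCESSING}),
    PayoutStatus.PROCESSING: frozenset({PayoutStatus.CONFIRMED, PayoutStatus.FAILED}),
}


class PayoutQueue:
    """In-memory queue allowing at most one live or confirmed payout per bounty."""

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._payouts: dict[str, dict] = {}
        self._locked_bounties: set[str] = set()

    def create(self, payout_id: str, bounty_id: str, recipient: str, amount) -> dict:
        validate_wallet(recipient)
        amount = Decimal(str(amount))  # str() avoids binary-float artifacts
        if amount <= 0:
            raise ValueError("amount must be positive")
        with self._lock:  # check and reserve under one lock: no TOCTOU window
            if bounty_id in self._locked_bounties:
                raise DoublePayError(f"bounty {bounty_id} already has a payout")
            self._locked_bounties.add(bounty_id)
            payout = {"id": payout_id, "bounty_id": bounty_id, "recipient": recipient,
                      "amount": amount, "status": PayoutStatus.PENDING}
            self._payouts[payout_id] = payout
            return payout

    def transition(self, payout_id: str, new: PayoutStatus) -> dict:
        with self._lock:
            payout = self._payouts[payout_id]
            current = payout["status"]
            if new not in ALLOWED_TRANSITIONS.get(current, frozenset()):
                raise InvalidTransitionError(f"{current.value} -> {new.value}")
            payout["status"] = new
            # Only a dead payout frees the bounty for a retry; a confirmed one
            # keeps the lock forever so the bounty can never be paid twice.
            if new in (PayoutStatus.FAILED, PayoutStatus.REJECTED):
                self._locked_bounties.discard(payout["bounty_id"])
            return payout


# Constructed 32-byte key for demonstration, not a real account.
SAMPLE_WALLET = b58encode(bytes(range(1, 33)))
```

The lock release on `FAILED` is what lets the retry path in the commit work without reopening the double-pay hole: a failed transfer frees the bounty, a confirmed one never does. In the PostgreSQL path the commit mentions, the same invariant belongs in a unique constraint on `bounty_id` for non-failed rows so that two backend instances cannot both pass the in-process check.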
- New file: frontend/src/components/bounties/CountdownTimer.tsx
- Props: deadline (ISO 8601), compact (boolean)
- Displays days/hours/minutes remaining
- Color states: green (>24h), amber (<24h), red (<6h), grey (expired)
- Updates every 60s via setInterval with cleanup on unmount
- Compact mode for bounty cards; full mode with TimeUnit blocks
- Accessible: role=timer, aria-label, aria-live
- Unit tests: future date, <24h, <6h, expired, edge cases, interval cleanup
- No new dependencies
…) (SolFoundry#394)
* feat: PostgreSQL full migration with blocking write-through persistence (Closes SolFoundry#162)
  Migrate ALL in-memory stores to PostgreSQL with SQLAlchemy ORM:
  - Bounties, contributors, payouts, buybacks, reputation all persisted
  - All writes blocking (awaited), not fire-and-forget — no silent data loss
  - Proper Alembic revision script with indexed columns and upgrade/downgrade
  - ORM-only queries (no raw SQL, no ::uuid casts)
  - Paginated hydration on startup (LIMIT-based, not full table scan)
  - alembic.ini reads DATABASE_URL from env var (no hardcoded credentials)
  - ContributorDB moved to shared Base (fixes dual-metadata bug)
  - Tests verify DB roundtrip for bounties, payouts, buybacks, contributors
  Wallet: 97VihHW2Br7BKUU16c7RxjiEMHsD4dWisGDT2Y3LyJxF
* fix: add docstrings to all backend files for 80%+ coverage
* fix: make PostgreSQL primary source of truth for all services (Issue SolFoundry#162)
  Address all 21 review feedback items to bring score from 5.9 to 7.0+:
  DB as primary source of truth:
  - All service write ops (create/update/delete) now await DB commit before returning 2xx — no more fire-and-forget background tasks
  - pg_store.py rewritten with proper _upsert/_insert_if_absent helpers
  - bounty_service, contributor_service, payout_service, reputation_service all converted to async with awaited DB writes
  Full Alembic migrations for ALL tables:
  - Migration 002 now covers: users, bounties, contributors, submissions, payouts, buybacks, reputation_history (was missing 4 tables)
  - Foreign key constraints on submissions.bounty_id and payouts.bounty_id
  - Proper transaction context in migration env.py
  Technical fixes:
  - Numeric(precision=20, scale=6) for all monetary columns (was Float)
  - sa.false() for boolean server_default (cross-DB compatible)
  - INSERT-or-skip via session.get() check (fixes TOCTOU race)
  - ORDER BY + offset/limit pagination (no hardcoded LIMIT)
  - Delete operation removes from DB too (prevents resurrection on restart)
  - Error callback no longer logs when exception is None
  Seed script:
  - scripts/seed_database.py for initial data population
  Docstrings:
  - Replaced all placeholder "The X function" docstrings with meaningful descriptions including Args/Returns across 40+ files
  Syntax fixes:
  - audit.py: moved misplaced decorator docstring
  - websocket_manager.py: fixed Protocol class docstring placement
  - test_bounty_search.py: moved decorator above class docstring
  Tests:
  - test_pg_migration.py: full round-trip tests for all entity types
  - test_bounties.py: updated for async service layer
  - test_bounty_search.py: fixed syntax error
  Closes SolFoundry#162
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: resolve syntax errors in test_websocket and test_websocket_events
  Move misplaced @pytest.mark.asyncio decorators that ended up before class docstrings after the bulk docstring replacement, and fix inline method docstrings in FakeWebSocket that broke indentation.
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: make PostgreSQL the primary source of truth for all reads (Issue SolFoundry#162)
  Address all review feedback from PR SolFoundry#324 (5.9/10 score):
  - All service read operations (get_bounty, list_bounties, get_contributor, list_contributors, list_payouts, get_reputation, etc.) now query PostgreSQL first and fall back to in-memory cache only on DB failure
  - Submissions persisted as first-class rows in bounty_submissions table with foreign key to bounties (CASCADE delete), not just embedded in BountyDB
  - All DB writes are awaited before returning 2xx (no fire-and-forget)
  - Alembic migration covers ALL tables: users, bounties, contributors, submissions, bounty_submissions, payouts, buybacks, reputation_history
  - Numeric(20,6) for all monetary columns (no Float)
  - sa.false() for boolean server_default (cross-DB compatible)
  - Foreign keys: payouts->bounties, bounty_submissions->bounties
  - INSERT ON CONFLICT upsert pattern prevents TOCTOU races
  - Meaningful docstrings replacing all placeholder "The X function" text
  - Seed script persists directly to PostgreSQL
  - StaticPool for SQLite in tests (shared in-memory DB across sessions)
  - Comprehensive tests: DB round-trip, submission persistence, cache-clear survival, numeric precision, FK verification, upsert idempotency
  Closes SolFoundry#162
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: add N+1 query note to _load_all_bounties_from_db
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ry#390)
- GET /api/stats endpoint at backend/app/api/stats.py
- Returns: total bounties, completed, open, contributors, $ paid, PRs reviewed
- Tier breakdown (tier-1, tier-2, tier-3)
- Top contributor by bounties completed
- Cached for 5 minutes (in-memory)
- No authentication required (public endpoint)
- Unit tests: empty state, normal response, cache behavior, tier breakdown
- No new dependencies
Closes SolFoundry#344
Sonnet 4.6 and DeepSeek V3.2 were failing on every review:
- anthropic package not installed (No module named 'anthropic')
- ANTHROPIC_API_KEY and DEEPSEEK_API_KEY not passed as env vars
Both models defaulted to 5.0 scores, dragging down the tribunal.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
… uptime calculation
…, shared redis context, 100% test coverage
When contributors push fixes, GitHub cancels the in-progress review/CI run. Cancelled runs show as "failed" status checks, blocking merge. Setting cancel-in-progress: false ensures each run completes and contributors can merge once checks pass. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…oundry#182) Removing low-quality bot-generated code (12 commits for 2 files, repeated "fix: complete implementation" pattern). Issues SolFoundry#169 and SolFoundry#173 reopened for legitimate contributors. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* chores: Custodial Staking Escrow
* chores: bounty_marketplaces
- count_user_bounty_prs now paginates through all closed PRs (up to 1000) instead of only checking the first 100. This prevents eligible contributors from being wrongly denied T3 access as PR count grows.
- T3 eligibility now correctly checks both paths:
  Path A: 3+ merged T2 bounties
  Path B: 5+ merged T1 + 1+ merged T2
  Previously only checked Path A, which would deny contributors like KodeSage (6 T1 + 2 T2) and HuiNeng6 (14 T1 + 2 T2) who qualify via Path B.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
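The tier rules are spread over three commits above: the reputation-system commit (T2 after 4 merged T1s, badge thresholds, the +0.5 veteran bump on T1, `round(total, 2)` scoring, and the server-side rule that a bounty's tier must not exceed the contributor's unlocked tier), the README/CONTRIBUTING update (per-tier score thresholds T1 6.0, T2 7.0, T3 7.5), and the fix directly above (T3 via Path A or Path B). The block below is an added example written for this page, not SolFoundry's reputation service; the function names are assumptions, the thresholds are the ones the commits state, and the later README "veteran discount" table is not modeled. The two contributors named in the fix above are used as test inputs.

```python
"""Added example (illustrative, not SolFoundry's reputation service): the tier
gate and badge rules stated in the commits above as pure functions. Function
names are assumptions; thresholds are the ones the commits give."""
from __future__ import annotations

# Minimum trimmed-mean review score per bounty tier (CONTRIBUTING update above).
TIER_SCORE_THRESHOLD = {1: 6.0, 2: 7.0, 3: 7.5}
# Anti-farming: a veteran must clear a higher bar on a T1 bounty.
VETERAN_T1_BUMP = 0.5
# Reputation badges; checked from the highest threshold down.
BADGE_THRESHOLDS = {10: "Bronze", 30: "Silver", 60: "Gold", 90: "Diamond"}


class TierNotUnlockedError(PermissionError):
    """Raised when a contributor tries to take a bounty above their tier."""


def highest_unlocked_tier(merged_t1: int, merged_t2: int) -> int:
    """T1 is open to anyone; T2 needs 4 merged T1s; T3 has two paths."""
    if merged_t1 < 0 or merged_t2 < 0:
        raise ValueError("merge counts cannot be negative")
    path_a = merged_t2 >= 3                       # 3+ merged T2 bounties
    path_b = merged_t1 >= 5 and merged_t2 >= 1    # 5+ merged T1 plus 1+ merged T2
    if path_a or path_b:
        return 3
    if merged_t1 >= 4:
        return 2
    return 1


def enforce_tier(bounty_tier: int, merged_t1: int, merged_t2: int) -> int:
    """Server-side gate: reject a claim on a tier the contributor has not unlocked.

    Returns the unlocked tier for logging. The tier a client sends must never
    be trusted without this check, or the tier weighting is farmable."""
    if bounty_tier not in TIER_SCORE_THRESHOLD:
        raise ValueError(f"unknown bounty tier {bounty_tier}")
    unlocked = highest_unlocked_tier(merged_t1, merged_t2)
    if bounty_tier > unlocked:
        raise TierNotUnlockedError(
            f"T{bounty_tier} bounty requested but only T{unlocked} is unlocked")
    return unlocked


def review_threshold(bounty_tier: int, is_veteran: bool) -> float:
    threshold = TIER_SCORE_THRESHOLD[bounty_tier]
    if bounty_tier == 1 and is_veteran:
        threshold += VETERAN_T1_BUMP
    return threshold


def passes_review(score: float, bounty_tier: int, is_veteran: bool = False) -> bool:
    """Scores are rounded to two places before comparison, as the precision fix above does."""
    return round(score, 2) >= review_threshold(bounty_tier, is_veteran)


def determine_badge(reputation: float) -> str | None:
    for threshold in sorted(BADGE_THRESHOLDS, reverse=True):
        if reputation >= threshold:
            return BADGE_THRESHOLDS[threshold]
    return None
```

`enforce_tier` is the check the CodeRabbit item "bounty_tier must not exceed contributor's unlocked tier" asks for; it belongs in the service layer behind the authenticated endpoint, computed from the contributor's stored merge counts rather than from anything in the request body.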
wallet-check now checks if a review comment already exists on the PR before dispatching pr-review.yml. This prevents double reviews that burn API credits when a PR is submitted with a wallet and then the wallet label gets removed. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add BANNED_USERS set to exclude reverted bot contributors from sync
- Fix bounty counting: compute actual bounty completions from merged PRs → closed issues instead of using stale hardcoded counts
- Fix reputation formula: use bounties * 10 (was * 5, inconsistent with _compute_reputation helper)
- Remove hardcoded bounties_completed from KNOWN_PAYOUTS — Phase 2 counts are now computed dynamically from GitHub data
- Add KodeSage and codebestia to KNOWN_PAYOUTS for skill metadata
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add sweep handler: when a bounty issue is closed, find and close all open PRs targeting that issue
- Check PR titles (not just body) for "Closes #N" patterns
- Also match "bounty #N" and bare "#N" references in titles
- Send Telegram notification with count of auto-closed PRs
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Contributors using 'Issue #N' or 'bounty #N' instead of 'Closes #N' were failing the spam filter. Updated regex in both rate-limit and bounty-context extraction steps. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
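Three workflow commits above (the "Closes #N" title-format fix, the sweep handler, and the spam-filter regex fix directly above) all turn on the same question: which issue numbers does a PR title or body reference? The block below is an added example written for this page, not the shell/regex the SolFoundry workflows use. It accepts the forms those commits list: `Closes #N`, the `Closes #owner/repo#N` cross-repo form, `Issue #N`, `bounty #N` and a bare `#N`, and requires the bare form to start at a word boundary so that a suffix like `Rebased#4` in this PR's own title is not read as a reference. The sample titles are constructed.

```python
"""Added example (illustrative, not the SolFoundry workflow code): extract the
issue numbers a PR title or body references, for rate-limit and sweep checks."""
from __future__ import annotations

import re

# Accepted forms: "Closes #N", "Closes #owner/repo#N", "Issue #N", "bounty #N",
# and a bare "#N". The bare form must not be glued to a preceding word, so
# "Rebased#4" is not a reference while " #4" is.
_ISSUE_REF = re.compile(
    r"(?i)"
    r"(?:\b(?:closes|fixes|resolves|issue|bounty)\s*|(?<!\w))"
    r"#?"                       # stray '#' before a cross-repo reference
    r"(?:[\w.-]+/[\w.-]+)?"     # optional owner/repo
    r"#(\d+)\b"
)


def extract_issue_numbers(text: str) -> list[int]:
    """Issue numbers in order of first appearance, de-duplicated."""
    found: list[int] = []
    for match in _ISSUE_REF.finditer(text):
        number = int(match.group(1))
        if number not in found:
            found.append(number)
    return found


def references_issue(text: str, issue_number: int) -> bool:
    """True if the title/body points at the given bounty issue."""
    return issue_number in extract_issue_numbers(text)


# Constructed sample titles, one per accepted form plus two that must not match.
SAMPLE_TITLES = {
    "closes": "feat: agent registration (Closes #203)",
    "cross_repo": "fix: rate limit (Closes #SolFoundry/solfoundry#226)",
    "issue": "feat(security): Production security hardening (Issue #197) - Rebased#4",
    "bounty": "fix: handle bounty #5 and #7 too",
    "bare_repo": "docs: see owner/repo#12",
    "none": "docs: update README",
    "pr_style": "feat: creator dashboard (SolFoundry#214)",
}
```

The `pr_style` sample shows why the bare form needs the boundary: `SolFoundry#214` is how GitHub renders a pull-request reference, not an issue under the repository, and the sweep handler should not close PRs on the strength of it.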
* feat: Add ScrollToTop button component
  - Creates ScrollToTop.tsx component with smooth scroll behavior
  - Appears when user scrolls past 300px threshold
  - Dark theme styling with Solana gradient colors
  - Fully responsive design (w-12/w-14 on sm breakpoint)
  - Accessible with ARIA labels and keyboard navigation
  - Integrated into SiteLayout.tsx
  - Includes comprehensive unit tests
  Closes SolFoundry#340
  Wallet: Amu1YJjcKWKL6xuMTo2dx511kfzXAxgpetJrZp7N71o7
* fix: add React namespace import for TypeScript compatibility
…sion detection
- Replace gh pr diff with merge-base diff (excludes merge commit artifacts)
- Add domain-aware diff filtering step (bounty-relevant files prioritized)
- Add resubmission detection step (fetches prior review score + issues)
- Increase git fetch depth to 300 for long-running branches
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…SolFoundry#186) (SolFoundry#416)
Replaces in-memory contributor storage with async PostgreSQL persistence using SQLAlchemy async sessions and the existing connection pool. All contributor data now survives restarts.
Changes:
- ContributorTable model uses shared Base from database.py with Numeric for earnings precision and composite index for leaderboard queries
- Alembic migration (001_create_contributors_table) with proper schema
- contributor_service.py fully async with upsert, count, cache refresh
- leaderboard_service.py queries DB with TTL in-memory cache (<100ms)
- reputation_service.py uses asyncio.Lock and awaits DB operations
- github_sync.py upserts to PostgreSQL instead of dict swap
- seed_leaderboard.py uses async upsert for idempotent seeding
- Seed script (scripts/seed_contributors_from_github.py) imports from GitHub PR history via API
- API response schemas unchanged (backward compatible)
- StaticPool for SQLite test compatibility
- 92 tests passing (contributors, leaderboard, reputation)
Wallet: 97VihHW2Br7BKUU16c7RxjiEMHsD4dWisGDT2Y3LyJxF
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Implements comprehensive security measures for production deployment:
SSL/TLS:
- HTTPS redirect middleware with HSTS headers
- Certificate automation ready
Secrets Management:
- Secrets validation on startup
- Updated .env.example with security checklist
- No hardcoded secrets in code
Input Sanitization:
- Input sanitizer module for XSS prevention
- Wallet address validation (Solana)
- Input length limits
SQL Injection Prevention:
- All queries use SQLAlchemy ORM (parameterized)
- Audited raw SQL usage
XSS Prevention:
- Content-Security-Policy headers
- HTML escaping utilities
- Permissions-Policy header
Escrow Security:
- Wallet address validation
- Amount range validation
- Transaction confirmation verification
- Double-spend protection
Auth Hardening:
- Brute force protection middleware
- Progressive delays for failed logins
- Account lockout mechanism
DDoS Protection:
- Rate limiting (existing)
- Request size limits
- Connection limits
Security Headers:
- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- Strict-Transport-Security
- Content-Security-Policy
- Permissions-Policy
- Referrer-Policy
Backup Strategy:
- PostgreSQL backup script
- S3 upload support
- Retention policy
Documentation:
- Complete SECURITY.md documentation
- Security audit script
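The SSL/TLS and Security Headers items in the commit above are the kind of middleware that is easy to get subtly wrong behind nginx: the app sees a plain-HTTP socket, so an HTTPS redirect that ignores X-Forwarded-Proto loops forever, while honoring that header from an untrusted client lets anyone skip the redirect. The block below is an added example written for this page, not the middleware this PR ships. It is a framework-free ASGI middleware (so it runs without FastAPI installed) that redirects to HTTPS, sets the six headers the commit lists, and sends HSTS only on HTTPS responses; the header values, the `trust_proxy` flag, the `simulate` harness and the host name are assumptions.

```python
"""Added example (illustrative, not the middleware this PR ships): HTTPS
redirect, HSTS and the listed security headers as a framework-free ASGI
middleware, plus an offline harness that drives it with a constructed scope."""
from __future__ import annotations

import asyncio

SECURITY_HEADERS = {
    b"x-frame-options": b"DENY",
    b"x-content-type-options": b"nosniff",
    b"referrer-policy": b"strict-origin-when-cross-origin",
    b"permissions-policy": b"camera=(), microphone=(), geolocation=()",
    b"content-security-policy": b"default-src 'self'; frame-ancestors 'none'",
}
HSTS = b"max-age=31536000; includeSubDomains"


class SecurityMiddleware:
    def __init__(self, app, trust_proxy: bool = False):
        self.app = app
        # Set trust_proxy only when nginx (or another proxy) terminates TLS in
        # front of the app and overwrites X-Forwarded-Proto itself; otherwise
        # any client can forge the header and skip the redirect.
        self.trust_proxy = trust_proxy

    def _scheme(self, scope) -> str:
        headers = dict(scope.get("headers", []))
        if self.trust_proxy and b"x-forwarded-proto" in headers:
            raw = headers[b"x-forwarded-proto"].decode("latin-1")
            return raw.split(",")[0].strip().lower()
        return scope.get("scheme", "http")

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return
        if self._scheme(scope) != "https":
            host = dict(scope["headers"]).get(b"host", b"").decode("latin-1")
            target = "https://" + host + scope["path"]
            if scope.get("query_string"):
                target += "?" + scope["query_string"].decode("latin-1")
            # 308 keeps method and body. No HSTS here: browsers ignore
            # Strict-Transport-Security on a plain-HTTP response.
            await send({"type": "http.response.start", "status": 308,
                        "headers": [(b"location", target.encode("latin-1")),
                                    *SECURITY_HEADERS.items()]})
            await send({"type": "http.response.body", "body": b""})
            return

        async def send_with_headers(message):
            if message["type"] == "http.response.start":
                headers = list(message.get("headers", []))
                present = {name.lower() for name, _ in headers}
                for name, value in SECURITY_HEADERS.items():
                    if name not in present:  # a route may set a stricter CSP itself
                        headers.append((name, value))
                if b"strict-transport-security" not in present:
                    headers.append((b"strict-transport-security", HSTS))
                message = {**message, "headers": headers}
            await send(message)

        await self.app(scope, receive, send_with_headers)


async def _health(scope, receive, send):
    """Stand-in for the real application."""
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"text/plain")]})
    await send({"type": "http.response.body", "body": b"ok"})


def simulate(scheme: str, forwarded_proto: str | None = None,
             trust_proxy: bool = False, path: str = "/health") -> tuple[int, dict]:
    """Run one constructed request through the middleware; return (status, headers)."""
    headers = [(b"host", b"solfoundry.example")]
    if forwarded_proto is not None:
        headers.append((b"x-forwarded-proto", forwarded_proto.encode("latin-1")))
    scope = {"type": "http", "scheme": scheme, "path": path,
             "query_string": b"", "headers": headers}
    sent: list[dict] = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(SecurityMiddleware(_health, trust_proxy=trust_proxy)(scope, receive, send))
    start = sent[0]
    return start["status"], {k.decode(): v.decode() for k, v in start["headers"]}
```

Setting the headers in the application, as here, also sidesteps the nginx caveat noted in the CI/CD commit above: nginx `add_header` directives are not inherited into a `location` block that declares its own, which is why that commit had to duplicate them for static assets.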
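The Auth Hardening items in the commit above (progressive delays for failed logins, account lockout) are where two mistakes are common: keying only by account, which lets an attacker lock a victim out at will, and keying only by IP, which a credential-stuffing run across many addresses walks straight past. The block below is an added example written for this page, not the brute-force middleware this PR ships. It keeps a counter per account and a counter per client IP, applies a capped doubling delay to both, and escalates only the IP counter to a hard lockout; the delay values, the `LoginThrottle` name and the injectable clock are assumptions.

```python
"""Added example (illustrative, not the brute-force middleware this PR ships):
progressive login delays with a per-IP lockout, keyed so that neither a
single source nor a spray across many sources gets a free run."""
from __future__ import annotations

import time
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class _Counter:
    failures: int = 0
    first_failure: float = 0.0
    blocked_until: float = 0.0


@dataclass
class LoginThrottle:
    """Two counters per attempt: one keyed by account, one by client IP.

    The account counter only ever applies a capped progressive delay, so an
    attacker cannot permanently lock a victim out by spraying their username.
    The IP counter escalates to a hard lockout, which stops a single source.
    """
    base_delay: float = 1.0          # after the first failure, then doubles
    max_delay: float = 60.0          # cap for the progressive delay
    lockout_after: int = 10          # IP failures before the hard lockout
    lockout_seconds: float = 900.0   # 15 minutes
    window: float = 3600.0           # forget failures older than this
    clock: Callable[[], float] = time.monotonic  # injectable for tests
    _counters: dict = field(default_factory=dict)

    def _counter(self, key: tuple, now: float) -> _Counter:
        ctr = self._counters.setdefault(key, _Counter())
        if ctr.failures and now - ctr.first_failure > self.window:
            ctr = self._counters[key] = _Counter()
        return ctr

    def _fail(self, key: tuple, now: float, hard_lockout: bool) -> float:
        ctr = self._counter(key, now)
        if ctr.failures == 0:
            ctr.first_failure = now
        ctr.failures += 1
        if hard_lockout and ctr.failures >= self.lockout_after:
            delay = self.lockout_seconds
        else:
            delay = min(self.base_delay * 2 ** (ctr.failures - 1), self.max_delay)
        ctr.blocked_until = now + delay
        return delay

    def retry_after(self, account: str, ip: str) -> float:
        """Seconds the caller must still wait; 0.0 means an attempt is allowed."""
        now = self.clock()
        waits = (self._counter(key, now).blocked_until - now
                 for key in (("acct", account), ("ip", ip)))
        return max(0.0, *waits)

    def record_failure(self, account: str, ip: str) -> float:
        now = self.clock()
        return max(self._fail(("acct", account), now, hard_lockout=False),
                   self._fail(("ip", ip), now, hard_lockout=True))

    def record_success(self, account: str, ip: str) -> None:
        # Clear the account counter only: a successful login from an attacker's
        # IP (say, into their own account) must not erase that IP's history.
        self._counters.pop(("acct", account), None)

    def attempt(self, account: str, ip: str, password_ok: bool) -> tuple[bool, float]:
        """Gate one login: returns (accepted, retry_after_seconds).

        While throttled the password is not checked at all, so response time
        and the error message do not reveal whether the credentials were right.
        """
        wait = self.retry_after(account, ip)
        if wait > 0:
            return False, wait
        if password_ok:
            self.record_success(account, ip)
            return True, 0.0
        return False, self.record_failure(account, ip)
```

The returned wait is what the endpoint should surface as a `Retry-After` header with a 429, using the same wording whether the account exists or not. In a multi-instance deployment the counters belong in the shared Redis the rate-limit commit above mentions rather than in process memory, or each replica throttles independently.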
This PR resolves merge conflicts from the original security hardening work.
Changes:
Conflict Resolution:
Ready for review and merge.