chore: remove .bak files, add requirements.txt, Dockerfile, and .env.example#1
Merged
MoltyCel merged 2 commits intoApr 2, 2026
Merged
Conversation
…example Remove 11 backup files that contained outdated code including the old hardcoded API key. Add .bak* to .gitignore to prevent future commits. Add requirements.txt documenting all Python dependencies, Dockerfile for containerized deployment, .dockerignore for clean builds, and .env.example documenting all required and optional environment variables. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…b.sql Found during local testing with docker-compose: - apscheduler is imported at startup but was missing from requirements.txt - DB host was hardcoded to localhost, now reads DB_HOST env var - init_db.sql schema was outdated — updated to match current codebase columns (agent_type, base_tx_hash, erc8004_agent_id, wallet fields, from_did/to_did in ratings, credentials table, api_keys, etc.) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor
Author
This was referenced Apr 1, 2026
Owner
|
Good cleanup — all 11 .bak files confirmed safe to remove, no active code affected. One note on init_db.sql: the updated schema doesn't yet include columns added this week (public_key_hex, key_anchor_tx, key_anchor_block, swarm_seeds, trust_score_cache, swarm_graph). This is fine since init_db.sql is for fresh dev/test environments only — production DB was migrated separately. Worth aligning in a follow-up PR so new dev setups match production schema. requirements.txt: consider pinning exact versions (== instead of >=) for better reproducibility in CI. Merging now. Thanks Harald. |
MoltyCel
pushed a commit
that referenced
this pull request
May 18, 2026
Follow-up to commit d25e70c (SSRF). After running CodeQL default-setup on the fork, 17 additional findings surfaced. Triage outcome: Already closed by earlier commits this PR: 1 (SSRF) False positives (dismissed via CodeQL UI): 4 Real findings fixed in this commit: 5 Stack-trace-exposure (deferred to design): 7 FIXES IN THIS COMMIT #1 [LOG SANITISATION] credit_middleware exception swallows DB password - app/main.py (logger.error in credit_middleware) `logger.error("…: %s", caller_did, e)` — the raw exception `e` can be an asyncpg ConnectionError whose repr() includes the Postgres connection string (with the password). Log only `type(e).__name__` instead. #2 [DEFENSIVE URL ENCODING] /join?ref= referrer parameter - app/main.py /join handler The redirect target is HARDCODED to https://moltrust.ch — the host is not user-controlled. But `f"https://moltrust.ch?ref={ref}"` interpolates `ref` raw, and a payload like `ref="x&malparam=…"` could corrupt the query string. Use `urllib.parse.quote(ref)` to percent-encode the value before interpolation. #3 [STDOUT TOKEN LEAK] telegram_hn_remind print(r.text) - scripts/telegram_hn_remind.py `print(f'Status: {r.status_code}, Response: {r.text}')` — if Telegram error responses ever echo the request URL (which contains the bot token in the path), the body lands in stdout / CI scrollback. Print only the status code. #4 [ReDoS] mpp authorization header regex - packages/mpp/index.js `auth.match(/^(?:Payment|MPP)\s+(.+)$/i)` on an unbounded header is polynomial-quadratic. This package is published to npm, so consumer servers carry the risk. Cap header at 8 KiB and use bounded `\s{1,8}` with a non-greedy first char. #5 [ReDoS] moltrust-openclaw-v2 base URL trim - moltrust-openclaw-v2/src/client.ts `.replace(/\/+$/, "")` is polynomial on pathological inputs. Replace with a `while (str.endsWith("/")) str = str.slice(0, -1)` loop, which is linear. DISMISSED AS FALSE POSITIVES (no code change) #14 py/clear-text-logging-sensitive-data at SPIFFE bind log Logs spiffe_uri, did, caller_did — none are passwords. CodeQL misfires on the "did" → "id" → "password" name-similarity heuristic. #13, #12 py/clear-text-logging-sensitive-data in scripts/threadwatch.py Telegram bot token flows into the request URL but never into a logger or print() call — only to requests.post (which doesn't log URLs by default). #16 py/weak-sensitive-data-hashing in _reg_tracker This is in-memory rate-limit bucket-key derivation, not password storage. bcrypt/argon2 would be wrong here (slow + salted breaks the lookup). SHA-256 of the full API key is the correct primitive for an O(1) tracker. EXPLICITLY DEFERRED (7 stack-trace-exposure findings) Multiple endpoints currently return `{"error": str(e)[:100]}` to callers. CodeQL flags these as info disclosure. Fixing them means changing the API contract — clients that parse the `error` field would break. This is a design call for the maintainer; deferring to a separate PR + discussion rather than including in this hardening pass. VERIFICATION Python 3.12 AST parse — app/main.py + scripts/telegram_hn_remind.py compile cleanly. `node -c packages/mpp/index.js` clean. The TS file change is a syntactically-trivial loop, not type-impacting. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 20, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
.bakfiles containing outdated code (including the old hardcoded API keymt_test_key_2026)*.bak*to.gitignoreto prevent future backup file commitsrequirements.txtdocumenting all Python dependenciesDockerfilefor containerized deployment (Python 3.12-slim, uvicorn).dockerignorefor clean Docker builds.env.exampledocumenting all required and optional environment variablesMotivation
The
.bakfiles contained 6,900+ lines of dead code, including security-sensitive defaults from before the API key hardcoding was fixed. The project had no dependency documentation or container support, making it difficult for new contributors to set up a dev environment.Test plan
docker build -t moltrust-api .succeedspip install -r requirements.txtinstalls all needed dependencies🤖 Generated with Claude Code