#1 requirements.lock was incomplete (missing python-multipart, mcp, chain deps)
- Switch Dockerfile to use requirements.txt (loose pins)
- Add python-multipart>=0.0.9 and mcp>=1.25.0 to requirements.txt
#2 main.py wrong import: AuditTrail does not exist
- core/audit.py defines AuditLog, not AuditTrail
- Updated import + usage
#3 main.py wrong import path: _PersistentStore doesn't exist
- Actual class is PersistentStore (no underscore prefix)
- Lives in routers/_persistent_store.py (not routers/chain_vault.py)
- Updated import path + name
#4 DB volume permissions broken
- Added entrypoint.sh that chowns /data to walletpress:walletpress as root
- Reordered Dockerfile: COPY entrypoint + chmod before USER directive
- Added /data mkdir + chown in Dockerfile for build-time setup
After fixes:
- walletpress-backend container Up (healthy)
- 112 API endpoints accessible at /backend/*
- Tailscale access works, direct IP requires basic auth
P3-1 — ruff cleanup (93 → 28 errors, fixed 65)
Auto-fixed with 'ruff check . --fix'. Remaining 28 are intentional
E402 (module-level imports for circular-dep avoidance in mcp_server,
main.py, routers/airdrop.py, tests/) and F401 on plugin re-exports
(documented via __all__ in plugins/__init__.py). Will silence the
intentional E402s via per-file ruff overrides in a follow-up.
P3-4 — Fixed cli/verify_receipt.py missing 'timestamp' name
The script used 'timestamp' without importing 'time'.
P3-6 — Removed dead qrcode import in core/pdf.py
Was imported but never used.
P3-7 — Removed unused coincurve.ecdsa.recover in core/smart_wallet.py
Kept cdata import (used elsewhere).
P3-3 — Fixed missing 'os' import in core/hosting.py and core/smart_wallet.py
Both used os.getenv() without importing os.
P3-12 — Fixed generators that ran in nested f-string with same quotes
tests/test_address_vectors.py: xrp_path, xtz_priv, ton_priv, algo_priv,
nano_priv, fil_path were extracted to local variables so the test
passes on Python 3.10+ (the original test used 3.12 nested-quote
f-strings). All paths now use hardened derivation correctly for
SLIP-10 Ed25519.
P2-16 — chain_vault.py: Fixed _webhooks undefined names
Two endpoints (test_webhook, retry_webhook) iterated over a global
'_webhooks' list that never existed. Now uses _PersistentStore.all('webhooks')
consistent with the list_webhooks endpoint.
P3-11 — Removed stub imports from plugins/__init__.py
Added __all__ to document the re-exports as public plugin API.
P2-1 — generator.py: removed unused ecdsa.SigningKey + nacl imports
Generator doesn't use them anywhere; only nacl.bindings.crypto_sign_seed_keypair.
Refs: AUDIT.md P2-1, P2-16, P3-1..P3-7, P3-11, P3-12
Five P0 security/correctness bugs fixed in this commit:
WP-002 (P0-1) — Free x402 credits
x402_service.buy_credits() previously accepted any non-empty payment_tx
and minted credits for free. Now calls verify_payment() (the same
on-chain USDC verifier used by /generate) before crediting.
Direct theft vector closed.
WP-003 (P0-2) — Unsalted SHA-256 hosted passwords
hosting.py used hashlib.sha256(password.encode()).hexdigest() with
no salt — rainbow-table crackable. Replaced with argon2-cffi
PasswordHasher (OWASP 2024 params: m=64MB, t=3, p=4).
Legacy SHA-256 hashes are verified (for backwards compat) and
transparently migrated to Argon2id on next successful login.
login() now also strips password_hash from the response (P2-11).
WP-004 (P0-3) — In-memory _team_keys + no role enforcement
main.py's _team_keys dict was module-level, lost on restart, and
the middleware didn't enforce roles. Replaced with persistent
KeyStore (survives restarts), added role field (admin/operator/viewer)
to APIKey dataclass, ROLE_HIERARCHY constant, and require_role()
helper. Middleware now:
- attaches verified APIKey to request.state.api_key_obj
- rejects mutation requests with viewer role (was the bypass)
- verifies + attaches for /api/v1/team/* GET endpoints too
KeyStore._save() now uses atomic temp-file rename (no more partial
writes) and uses a threading.Lock for safety. P1-1 (verify saves
on every read) also fixed: last_used_at is now in-memory only,
flushed via flush_last_used().
WP-005 (P0-5) — Env-only vault KEK
config.py now resolves the vault KEK in priority order:
1. WP_VAULT_PASSWORD env var (legacy, dev only)
2. ~/.walletpress/vault.key file (mode 0600)
3. {data_dir}/vault.key file (mode 0600)
4. Auto-generate on first run, persisted to vault.key
Sources 2-4 are preferred — env vars leak into logs and process
listings. Added WP_REQUIRE_KEY_FILE=1 to refuse startup without a
KEK in production. _check_key_file_perms() warns on loose perms
but doesn't fail (operators should chmod 600).
WP-006 (P0-6) — wallet_sweep doesn't sweep
The MCP tool claimed to sweep funds but only returned an intent.
Now actually builds, signs, and broadcasts EVM transactions:
- Decrypts private key from vault via get_generator
- Connects to chain RPC via Web3
- Builds tx: balance - gas_cost to destination
- Signs with eth_account
- Broadcasts via existing _evm_broadcast helper
- Records spending + audit log entry
Non-EVM chains (Solana, TRON, BTC family) still return intent +
clear 'not implemented' notice — to be added as separate PRs.
Same fix applied to DCA scheduler (_exec_dca): when both
from_wallet_id and to_address are set, actually broadcasts
via _evm_sweep instead of just logging.
Test results:
pytest tests/ tests/test_address_vectors.py
# 80 + 22 = 102 passed, 5 skipped, no regressions
Refs: AUDIT.md, SECURITY.md, BUILDER.md
Closes: WP-002, WP-003, WP-004, WP-005, WP-006