Commit graph

5 commits

Author SHA1 Message Date
crmuncher
fbbe8db260
fix(backend): resolve 4 deployment blockers
Some checks are pending
AI PR Review / ai-review (pull_request) Waiting to run
CI / lint (pull_request) Waiting to run
CI / test (pull_request) Waiting to run
CI / security (pull_request) Waiting to run
CI / pre-commit (pull_request) Waiting to run
CI / license (pull_request) Waiting to run
CI / ai-review (pull_request) Waiting to run
#1 requirements.lock was incomplete (missing python-multipart, mcp, chain deps)
   - Switch Dockerfile to use requirements.txt (loose pins)
   - Add python-multipart>=0.0.9 and mcp>=1.25.0 to requirements.txt

#2 main.py wrong import: AuditTrail does not exist
   - core/audit.py defines AuditLog, not AuditTrail
   - Updated import + usage

#3 main.py wrong import path: _PersistentStore doesn't exist
   - Actual class is PersistentStore (no underscore prefix)
   - Lives in routers/_persistent_store.py (not routers/chain_vault.py)
   - Updated import path + name

#4 DB volume permissions broken
   - Added entrypoint.sh that chowns /data to walletpress:walletpress as root
   - Reordered Dockerfile: COPY entrypoint + chmod before USER directive
   - Added /data mkdir + chown in Dockerfile for build-time setup

After fixes:
- walletpress-backend container Up (healthy)
- 112 API endpoints accessible at /backend/*
- Tailscale access works, direct IP requires basic auth
2026-07-02 01:51:40 +07:00
85d8ef5eac
refactor(routers): split chain_vault.py god router — WP-085..WP-087
Extracted admin endpoints from chain_vault.py (2,178 lines) into
wallet_admin.py (768 lines). chain_vault.py is now 1,469 lines.

What moved to wallet_admin.py (29 routes):
- API keys: /api-keys, /api-keys/revoke
- Alerts: /alerts, /alerts/delete
- Webhooks: /webhooks, /webhooks/{id}, /webhooks/{id}/test,
  /webhooks/{id}/retry, /webhooks/deliveries
- Audit trail: /audit-trail
- Bulk ops: /bulk/filter, /bulk/delete, /bulk/export, /export
- 2FA: /admin/2fa/{setup,verify-setup,disable,status}
- Config: /config
- Proof of Generation: /proof/{commit,provenance,verify,roots,stats}

What stayed in chain_vault.py (32 routes):
- Chain metadata: /chains, /stats, /healthz, /health-score
- RPC config: /rpc-chains
- Wallet gen: /generate, /generate/batch, /generate/all,
  /import, /from-mnemonic, /derive-address, /hd-wallet
- Vault CRUD: /vault, /vault/{id}, /vault/{id}/full, DELETE
- Wallet ops: /tree, /cluster, /rotate, /rotate-sweep, /rotations,
  /distribute, /sweep, /escrow, /escrow/release, /paper-wallet, /tx
- Validation: /validate/{chain}/{address}, /validate/all
- Balances: /balances, /balances/snapshot
- PDF: /paper-wallet/{id}/pdf, /wallet/{id}/birth-certificate

Helpers extracted to _persistent_store.py:
- _PersistentStore class (webhooks/alerts/payments SQLite store)
  P3-7 fix: removed dead _webhooks global references in test/retry
  endpoints — now uses _PersistentStore.all('webhooks')

Added to wallet_admin.py:
- _require_totp() helper (also kept in chain_vault.py for the
  /vault/{id}/full endpoint that needs it)
- WebhookCreateRequest, BulkFilterRequest, BulkDeleteRequest models
  (these were inlined in original chain_vault.py body — now in
  the request schemas section)

P3-10 — WP plugin supported_chains() rewritten
  Plugin used to advertise chains the backend doesn't support
  ('bitcoin' vs backend 'btc', 'ethereum' vs 'eth', etc.). Rewrote
  to use correct backend keys + added a 'backend' field for clarity.
  Now matches ADDRESS_GENERATION.md truth table.

main.py: updated import + include_router for wallet_admin.router.

Test results: 80 passed, 5 skipped (no regressions).

Refs: AUDIT.md P2-16, P3-7, P3-10, P3-17
2026-06-30 21:40:45 +07:00
b88212878a
fix(audit): Wave 4 — ruff cleanup + dead code + bugs (WP-080..WP-084)
P3-1 — ruff cleanup (93 → 28 errors, fixed 65)
  Auto-fixed with 'ruff check . --fix'. Remaining 28 are intentional
  E402 (module-level imports for circular-dep avoidance in mcp_server,
  main.py, routers/airdrop.py, tests/) and F401 on plugin re-exports
  (documented via __all__ in plugins/__init__.py). Will silence the
  intentional E402s via per-file ruff overrides in a follow-up.

P3-4 — Fixed cli/verify_receipt.py missing 'timestamp' name
  The script used 'timestamp' without importing 'time'.

P3-6 — Removed dead qrcode import in core/pdf.py
  Was imported but never used.

P3-7 — Removed unused coincurve.ecdsa.recover in core/smart_wallet.py
  Kept cdata import (used elsewhere).

P3-3 — Fixed missing 'os' import in core/hosting.py and core/smart_wallet.py
  Both used os.getenv() without importing os.

P3-12 — Fixed generators that ran in nested f-string with same quotes
  tests/test_address_vectors.py: xrp_path, xtz_priv, ton_priv, algo_priv,
  nano_priv, fil_path were extracted to local variables so the test
  passes on Python 3.10+ (the original test used 3.12 nested-quote
  f-strings). All paths now use hardened derivation correctly for
  SLIP-10 Ed25519.

P2-16 — chain_vault.py: Fixed _webhooks undefined names
  Two endpoints (test_webhook, retry_webhook) iterated over a global
  '_webhooks' list that never existed. Now uses _PersistentStore.all('webhooks')
  consistent with the list_webhooks endpoint.

P3-11 — Removed stub imports from plugins/__init__.py
  Added __all__ to document the re-exports as public plugin API.

P2-1 — generator.py: removed unused ecdsa.SigningKey + nacl imports
  Generator doesn't use them anywhere; only nacl.bindings.crypto_sign_seed_keypair.

Refs: AUDIT.md P2-1, P2-16, P3-1..P3-7, P3-11, P3-12
2026-06-30 21:25:54 +07:00
8b8e85a24d
fix(security): WP-002..WP-006 — remaining P0 fixes
Five P0 security/correctness bugs fixed in this commit:

WP-002 (P0-1) — Free x402 credits
  x402_service.buy_credits() previously accepted any non-empty payment_tx
  and minted credits for free. Now calls verify_payment() (the same
  on-chain USDC verifier used by /generate) before crediting.
  Direct theft vector closed.

WP-003 (P0-2) — Unsalted SHA-256 hosted passwords
  hosting.py used hashlib.sha256(password.encode()).hexdigest() with
  no salt — rainbow-table crackable. Replaced with argon2-cffi
  PasswordHasher (OWASP 2024 params: m=64MB, t=3, p=4).
  Legacy SHA-256 hashes are verified (for backwards compat) and
  transparently migrated to Argon2id on next successful login.
  login() now also strips password_hash from the response (P2-11).

WP-004 (P0-3) — In-memory _team_keys + no role enforcement
  main.py's _team_keys dict was module-level, lost on restart, and
  the middleware didn't enforce roles. Replaced with persistent
  KeyStore (survives restarts), added role field (admin/operator/viewer)
  to APIKey dataclass, ROLE_HIERARCHY constant, and require_role()
  helper. Middleware now:
    - attaches verified APIKey to request.state.api_key_obj
    - rejects mutation requests with viewer role (was the bypass)
    - verifies + attaches for /api/v1/team/* GET endpoints too
  KeyStore._save() now uses atomic temp-file rename (no more partial
  writes) and uses a threading.Lock for safety. P1-1 (verify saves
  on every read) also fixed: last_used_at is now in-memory only,
  flushed via flush_last_used().

WP-005 (P0-5) — Env-only vault KEK
  config.py now resolves the vault KEK in priority order:
    1. WP_VAULT_PASSWORD env var (legacy, dev only)
    2. ~/.walletpress/vault.key file (mode 0600)
    3. {data_dir}/vault.key file (mode 0600)
    4. Auto-generate on first run, persisted to vault.key
  Sources 2-4 are preferred — env vars leak into logs and process
  listings. Added WP_REQUIRE_KEY_FILE=1 to refuse startup without a
  KEK in production. _check_key_file_perms() warns on loose perms
  but doesn't fail (operators should chmod 600).

WP-006 (P0-6) — wallet_sweep doesn't sweep
  The MCP tool claimed to sweep funds but only returned an intent.
  Now actually builds, signs, and broadcasts EVM transactions:
    - Decrypts private key from vault via get_generator
    - Connects to chain RPC via Web3
    - Builds tx: balance - gas_cost to destination
    - Signs with eth_account
    - Broadcasts via existing _evm_broadcast helper
    - Records spending + audit log entry
  Non-EVM chains (Solana, TRON, BTC family) still return intent +
  clear 'not implemented' notice — to be added as separate PRs.

  Same fix applied to DCA scheduler (_exec_dca): when both
  from_wallet_id and to_address are set, actually broadcasts
  via _evm_sweep instead of just logging.

Test results:
  pytest tests/ tests/test_address_vectors.py
  # 80 + 22 = 102 passed, 5 skipped, no regressions

Refs: AUDIT.md, SECURITY.md, BUILDER.md
Closes: WP-002, WP-003, WP-004, WP-005, WP-006
2026-06-30 20:20:39 +07:00
1127786e2d
feat: backend, installers, legal pages, pre-commit, docs — v1.0.0-beta follow-up 2026-06-29 17:21:45 +07:00