Security and tooling: Rust pin, timeout guard, secret scan, SorobanQueryTool#156
Merged
Dami24-hub merged 5 commits intoJun 25, 2026
Conversation
Add contracts/escrow/rust-toolchain.toml with channel 1.79.0 (the minimum version supporting soroban-sdk = "20.0.0"). Update all Rust CI jobs (test-rust, lint-rust, coverage-rust, audit-rust) in .github/workflows/ci.yml to use 1.79.0 via actions-rs/toolchain@v1.
Introduce SOROBAN_TX_TIMEOUT_SECONDS = 30 as a named exported constant in SorobanInvokeTool.ts. The constructor now throws if the value is ≤ 0 or > 300 (≤ 0 would produce indefinitely-valid transactions, creating replay risk). Reuse the same constant in StellarPaymentTool.ts. Add a test asserting the constant is within the valid range.
Add a secret-scan job to .github/workflows/ci.yml using
trufflesecurity/trufflehog with a custom Stellar S-key detector
pattern (S[A-Z2-7]{55}) defined in .trufflehog.yml. The config's
allowlist excludes the known test key
SBPTNBEQQVQD5NIPZTCXHKM5ZVONK2ENLP5DTZJBGSUPOPWQSIFWZKX.
Add a pre-commit hook in .husky/pre-commit that greps staged files for
S-key patterns and aborts on match (excluding the allowlisted test
key).
Add backend/tools/SorobanQueryTool.ts wrapping SorobanInvokeTool with
simulateOnly forced to true. Define SorobanQueryInputSchema identical
to SorobanInvokeInputSchema but omitting simulateOnly. The execute
method calls simulateSorobanTx and returns the ScVal return value as
{ result: xdr.ScVal }. Register 'soroban_query' in agent.ts TaskType
union, create the tool instance in the PayFiAgent constructor, and add
a dispatch case. Add tests for successful query and simulation failure
propagation.
|
Hey @micmusjnr20! 👋 It looks like this PR isn't linked to any issue. If this PR is for one of the issues assigned to you as part of a Wave, please link it to ensure your contribution is tracked properly. You can do this by adding a keyword to the PR description (e.g.,
|
Contributor
|
close you issue and link it to the issue you worked on |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Four related improvements