Skip to content

Security and tooling: Rust pin, timeout guard, secret scan, SorobanQueryTool#156

Merged
Dami24-hub merged 5 commits into
Nodal-stellar:mainfrom
micmusjnr20:security-and-tooling-improvements
Jun 25, 2026
Merged

Security and tooling: Rust pin, timeout guard, secret scan, SorobanQueryTool#156
Dami24-hub merged 5 commits into
Nodal-stellar:mainfrom
micmusjnr20:security-and-tooling-improvements

Conversation

@micmusjnr20

Copy link
Copy Markdown
Contributor

Summary

Four related improvements

Add contracts/escrow/rust-toolchain.toml with channel 1.79.0 (the
minimum version supporting soroban-sdk = "20.0.0"). Update all Rust
CI jobs (test-rust, lint-rust, coverage-rust, audit-rust) in
.github/workflows/ci.yml to use 1.79.0 via actions-rs/toolchain@v1.
Introduce SOROBAN_TX_TIMEOUT_SECONDS = 30 as a named exported constant
in SorobanInvokeTool.ts. The constructor now throws if the value is ≤ 0
or > 300 (≤ 0 would produce indefinitely-valid transactions, creating
replay risk). Reuse the same constant in StellarPaymentTool.ts. Add a
test asserting the constant is within the valid range.
Add a secret-scan job to .github/workflows/ci.yml using
trufflesecurity/trufflehog with a custom Stellar S-key detector
pattern (S[A-Z2-7]{55}) defined in .trufflehog.yml. The config's
allowlist excludes the known test key
SBPTNBEQQVQD5NIPZTCXHKM5ZVONK2ENLP5DTZJBGSUPOPWQSIFWZKX.

Add a pre-commit hook in .husky/pre-commit that greps staged files for
S-key patterns and aborts on match (excluding the allowlisted test
key).
Add backend/tools/SorobanQueryTool.ts wrapping SorobanInvokeTool with
simulateOnly forced to true. Define SorobanQueryInputSchema identical
to SorobanInvokeInputSchema but omitting simulateOnly. The execute
method calls simulateSorobanTx and returns the ScVal return value as
{ result: xdr.ScVal }. Register 'soroban_query' in agent.ts TaskType
union, create the tool instance in the PayFiAgent constructor, and add
a dispatch case. Add tests for successful query and simulation failure
propagation.
@drips-wave

drips-wave Bot commented Jun 25, 2026

Copy link
Copy Markdown

Hey @micmusjnr20! 👋 It looks like this PR isn't linked to any issue.

If this PR is for one of the issues assigned to you as part of a Wave, please link it to ensure your contribution is tracked properly. You can do this by adding a keyword to the PR description (e.g., Closes #123), or by clicking a button below:

Issue Title
#111 [Feature] Add SorobanQueryTool — read-only contract state query using simulateOnly without broadcasting Link to this issue
#83 [Security] Pin Rust toolchain version in contracts/escrow — add rust-toolchain.toml to prevent supply chain drift Link to this issue
#84 [Security] Add Stellar transaction timeout validation — reject SorobanInvokeTool transactions with excessive setTimeout Link to this issue
#85 [Security] Add GitHub Actions secret scanning — block PRs that introduce hardcoded Stellar keys Link to this issue

ℹ️ Learn more about linking PRs to issues

@Dami24-hub

Copy link
Copy Markdown
Contributor

close you issue and link it to the issue you worked on
also give a me a detailed PR

@Dami24-hub Dami24-hub merged commit b6f90a6 into Nodal-stellar:main Jun 25, 2026
1 of 9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants