Skip to content

BCOS: fair scoring, ledger anchor endpoint, attest epoch, rustchain.org routing#7890

Merged
Scottcjn merged 4 commits into
mainfrom
bcos/ledger-anchor-and-routing
Jul 5, 2026
Merged

BCOS: fair scoring, ledger anchor endpoint, attest epoch, rustchain.org routing#7890
Scottcjn merged 4 commits into
mainfrom
bcos/ledger-anchor-and-routing

Conversation

@Scottcjn

@Scottcjn Scottcjn commented Jul 5, 2026

Copy link
Copy Markdown
Owner

Lands the BCOS work that is already running on the production node, plus the nginx routing it depends on.

What is in here

  • fair scoring (tools/bcos_engine.py): the vulnerability and dependency-freshness checks audited whatever Python packages were installed on the machine running the scan, not the repo being certified. A pure C/retro project scored 57 or 85 depending on the host. Now both checks scan the project's own declared dependencies (osv-scanner on the tree, pip-audit only against the project's requirements files); a project with no manifest is scored clean, not on the scanner's environment. Verified: a repo pinning a vulnerable jinja2 is still flagged.
  • ledger anchor endpoint (node/bcos_routes.py): POST /api/v1/bcos/anchor {cert_id} records an attested cert's commitment as a permanent zero-value memo entry in the RustChain ledger, stamps anchored_epoch + anchor_tx, and is idempotent. Adds the anchor_tx column (CREATE + idempotent ALTER). This endpoint previously 404'd.
  • attest epoch fix (node/bcos_routes.py): attest tried to read the epoch via a module that has no current_slot, so every attestation stored a null epoch into anchored_epoch (conflating attested with anchored). Now attest stamps a separate attested_epoch and leaves anchored_epoch for the anchor step; both read the epoch from a shared helper that asks the node's own /epoch.
  • nginx routing (site/nginx-rustchain-org.conf): capture the two location blocks added to production so rustchain.org actually serves the BCOS routes (/bcos/ as ^~ so the badge SVG is proxied, and /api/v1/bcos/).

Deployed + verified

All of this is live on node 50.28.86.131 and the whole cert fleet (46/46) is now anchored and publicly verifiable, e.g. https://rustchain.org/bcos/verify/BCOS-5664a2af returns verified: true, anchored_epoch, anchor_tx.

🤖 Generated with Claude Code

The vulnerability and dependency-freshness checks audited whatever Python
packages happened to be installed on the machine running the scan, not the
repository being certified. Bare pip-audit reports the ambient environment,
and osv-scanner (which does scan the repo tree) only ran when pip-audit was
absent. A pure C or retro project with no Python dependencies of its own was
scored on the scanning host's unrelated packages, which is both unfair and
wrong: the same repo could score 57 or 85 depending on which machine ran it.

Make both checks project-scoped and language-aware. Prefer osv-scanner
against the repo tree (it reads lockfiles and committed CycloneDX/SPDX SBOMs,
so it covers C, Rust, Go and npm, not just Python), and run pip-audit only
against the project's own requirements files. A project that declares no
dependency manifest genuinely has nothing that can be vulnerable or outdated
and is scored clean, with a note saying so. A project that does declare deps
is still fully scanned and penalized for real CVEs (verified: a repo pinning
jinja2 2.10 is still flagged). The result no longer depends on the scanner's
host environment.

Signed-off-by: Scott <scottbphone12@gmail.com>
Implement the on-chain anchor step that was previously missing (the endpoint
returned 404). POST /api/v1/bcos/anchor {cert_id} records an already-attested
certificate's commitment as a permanent zero-value memo entry in the RustChain
ledger, stamps the attestation with the resulting tx hash and the current
epoch, and is idempotent (an already-anchored cert returns its existing tx hash
rather than writing a second row). Admin-key gated, like attest.

Details:
- adds the anchor_tx column to bcos_attestations (in the CREATE for fresh
  installs, and via an idempotent ALTER migration in register_bcos_routes for
  existing ones)
- reads the authoritative epoch/slot from the node's own /epoch endpoint over
  localhost, since the main module is not importable (its filename has dots)
  and rip_200_round_robin_1cpu1vote has no current_slot
- the verify endpoint now returns anchor_tx so the ledger anchor is visible to
  anyone verifying a cert

Deploy dependency: the public vhost must proxy /bcos/ and /api/v1/bcos/ to the
node. On rustchain.org this meant adding two nginx location blocks (the /bcos/
one as ^~ so the badge .svg is proxied and not caught by the static-file regex
location). Without those, the routes are only reachable on the node address.

Signed-off-by: Scott <scottbphone12@gmail.com>
…choring

The attest route tried to record the epoch via `from
rip_200_round_robin_1cpu1vote import current_slot`, but that module has no
current_slot, so the import always failed and every attestation stored a null
epoch. It also wrote the result into anchored_epoch, which conflates "recorded
in the registry" with "written to the ledger."

Separate the two honestly. Attest now stamps a new attested_epoch column and
leaves anchored_epoch NULL; anchored_epoch is set only by /api/v1/bcos/anchor.
Both attest and anchor read the epoch from a shared _node_epoch_slot() helper
that asks the node's own /epoch endpoint (verified: a fresh attest now returns
attested_epoch 213, anchored_epoch null). The new column is added in the CREATE
for fresh installs and via an idempotent ALTER for existing ones, and the
verify endpoint now returns attested_epoch alongside anchored_epoch and
anchor_tx.

Signed-off-by: Scott <scottbphone12@gmail.com>
The public rustchain.org vhost was missing proxy blocks for the BCOS routes,
so the node served them but they 404'd through the domain (the catch-all
location fell through to try_files). Capture the two location blocks that were
added to production: /bcos/ as ^~ so the badge SVG is proxied and not caught by
the static .svg regex location, and /api/v1/bcos/ for the anchor API. Same
upstream (127.0.0.1:8099) as the other node routes.

Signed-off-by: Scott <scottbphone12@gmail.com>
@github-actions github-actions Bot added BCOS-L1 Beacon Certified Open Source tier BCOS-L1 (required for non-doc PRs) BCOS-L2 Beacon Certified Open Source tier BCOS-L2 (required for non-doc PRs) node Node server related size/L PR: 201-500 lines labels Jul 5, 2026
@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

⚠️ BCOS v2 Scan Results

Metric Value
Trust Score 48/100
Certificate ID BCOS-9018b53f
Tier L1 (not met)

BCOS Badge

What does this mean?

The BCOS (Beacon Certified Open Source) engine scans for:

  • SPDX license header compliance
  • Known CVE vulnerabilities (OSV database)
  • Static analysis findings (Semgrep)
  • SBOM completeness
  • Dependency freshness
  • Test infrastructure evidence
  • Review attestation tier

Full report | What is BCOS?


BCOS v2 Engine - Free & Open Source (MIT) - Elyan Labs

@Scottcjn Scottcjn merged commit 8c5c99a into main Jul 5, 2026
11 of 12 checks passed
@Scottcjn Scottcjn deleted the bcos/ledger-anchor-and-routing branch July 5, 2026 20:02
@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

RTC Reward

This merged PR earned 5 RTC — sent to Scottcjn.

RustChain Bounty Program

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

BCOS-L1 Beacon Certified Open Source tier BCOS-L1 (required for non-doc PRs) BCOS-L2 Beacon Certified Open Source tier BCOS-L2 (required for non-doc PRs) node Node server related size/L PR: 201-500 lines

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants