diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml new file mode 100644 index 0000000..50b3d6b --- /dev/null +++ b/.github/FUNDING.yml @@ -0,0 +1,33 @@ +# Sponsorship and Funding + +Support the SmartContractAudit project through the following platforms: + +## Sponsorship Options + +### GitHub Sponsors +[GitHub Sponsors placeholder - to be configured] + +### OpenCollective +[OpenCollective placeholder - to be configured] + +## Why Sponsor? + +Your sponsorship helps us: +- Maintain and improve the project +- Provide faster support and bug fixes +- Develop new features +- Cover infrastructure costs +- Support the open-source community + +## Benefits + +Sponsors receive benefits based on their tier. See [docs/partners/sponsorship_tiers.md](../docs/partners/sponsorship_tiers.md) for details. + +## Other Ways to Support + +- Contribute code or documentation +- Report bugs and security issues +- Share the project with others +- Provide feedback and suggestions + +Thank you for supporting open source! diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md new file mode 100644 index 0000000..a717bc1 --- /dev/null +++ b/.github/ISSUE_TEMPLATE.md @@ -0,0 +1,91 @@ +# Issue Template + +Thank you for opening an issue! Please provide as much detail as possible to help us understand and address your concern. + +## Issue Type + +Please select one: +- [ ] Bug Report +- [ ] Feature Request +- [ ] Documentation Issue +- [ ] Security Vulnerability (please report via [SECURITY.md](../SECURITY.md) instead) +- [ ] Question + +--- + +## Bug Report + +### Description +A clear and concise description of the bug. + +### Steps to Reproduce +1. Go to '...' +2. Run '...' +3. See error + +### Expected Behavior +What you expected to happen. + +### Actual Behavior +What actually happened. + +### Environment +- OS: [e.g., Ubuntu 22.04] +- Version: [e.g., v1.0.0] +- Node version: [e.g., 18.x] +- Other relevant details: + +### Logs/Screenshots +If applicable, add logs or screenshots to help explain the problem. + +### Additional Context +Any other context about the problem. + +--- + +## Feature Request + +### Problem Statement +Describe the problem or need this feature would address. + +### Proposed Solution +Describe your proposed solution or feature. + +### Alternatives Considered +Describe any alternative solutions you've considered. + +### Additional Context +Any other context, mockups, or examples. + +--- + +## Documentation Issue + +### Location +Link to the documentation page or file. + +### Issue +Describe what is unclear, incorrect, or missing. + +### Suggested Improvement +How should the documentation be improved? + +--- + +## Question + +### Your Question +Ask your question here. + +### Context +Provide any relevant context or what you've already tried. + +--- + +## Checklist + +Before submitting, please: +- [ ] Search existing issues to avoid duplicates +- [ ] Provide all requested information +- [ ] Use a clear and descriptive title +- [ ] Add appropriate labels (if you have permission) diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..84855fe --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,113 @@ +# Pull Request Template + +## Description + +Brief description of the changes in this PR. + +## Type of Change + +Please check the relevant option: + +- [ ] Bug fix (non-breaking change fixing an issue) +- [ ] New feature (non-breaking change adding functionality) +- [ ] Breaking change (fix or feature causing existing functionality to change) +- [ ] Documentation update +- [ ] Code refactoring +- [ ] Performance improvement +- [ ] Test improvement + +## Safety Checklist + +**IMPORTANT**: Please verify before submitting: + +- [ ] **DRY_RUN verified**: All potentially destructive operations default to DRY_RUN=true +- [ ] **No secrets committed**: No API keys, private keys, passwords, or sensitive data in code +- [ ] **No hardcoded credentials**: All credentials use environment variables or secure secrets +- [ ] **Artifacts reviewed**: All generated artifacts (logs, reports) reviewed and safe to commit +- [ ] **Non-destructive by default**: Auto-apply and auto-merge features disabled by default +- [ ] **Permissions reviewed**: Required permissions are minimal and explicitly documented + +## Audit Artifacts Section + +If this PR includes security scanning or audit features: + +### Artifacts Generated +- [ ] SMARTBRAIN.log +- [ ] AUDIT-REPORT.md +- [ ] .quarantine/ directory +- [ ] Other (specify): + +### Artifact Safety +- [ ] Artifacts do not contain secrets or sensitive data +- [ ] Artifacts are properly gitignored or sanitized +- [ ] Redaction policy followed for any included artifacts + +## Testing + +- [ ] Tests pass locally +- [ ] New tests added for new functionality +- [ ] Existing tests updated if needed +- [ ] Manual testing completed + +### Test Commands Run +```bash +# List commands you ran to test +``` + +## Changes Made + +### Files Changed +- List key files and why they were changed + +### Configuration Changes +- Any new environment variables? +- Any new dependencies? +- Any configuration file changes? + +## Security Considerations + +- [ ] No new security vulnerabilities introduced +- [ ] Security best practices followed +- [ ] Input validation added where necessary +- [ ] Output sanitization applied where necessary + +## Documentation + +- [ ] README updated (if needed) +- [ ] Code comments added for complex logic +- [ ] API documentation updated (if applicable) +- [ ] CHANGELOG updated (for releases) + +## Checklist + +- [ ] Code follows project style guidelines +- [ ] Self-review completed +- [ ] Commits are signed off (DCO) +- [ ] PR title is clear and descriptive +- [ ] Linked related issues (closes #123, relates to #456) + +## Additional Notes + +Any additional context, decisions, or considerations for reviewers. + +## Screenshots (if applicable) + +Add screenshots for UI changes or visual features. + +## Rollback Plan + +If this is a significant change, describe how to roll back if issues arise: + +``` +Steps to rollback: +1. +2. +``` + +--- + +**For Reviewers:** +- [ ] Code quality approved +- [ ] Security implications reviewed +- [ ] Tests are adequate +- [ ] Documentation is clear diff --git a/.github/workflows/gitantivirus.yml b/.github/workflows/gitantivirus.yml new file mode 100644 index 0000000..7b70829 --- /dev/null +++ b/.github/workflows/gitantivirus.yml @@ -0,0 +1,264 @@ +name: GitAntivirus Security Scan + +on: + pull_request: + types: [opened, synchronize, reopened] + workflow_dispatch: + inputs: + dry_run: + description: 'Run in dry-run mode (no automated changes)' + required: false + default: 'true' + type: choice + options: + - 'true' + - 'false' + +permissions: + contents: write + pull-requests: write + issues: read + +env: + # SAFETY DEFAULTS - Always enabled unless explicitly disabled + DRY_RUN: true + BOT_PINGS_ENABLED: false + ALLOWLIST_ORGS: '' + AUTO_APPLY: false + AUTO_MERGE: false + +jobs: + security-scan: + name: SmartBrain Security Scan + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: '20' + + - name: Setup pnpm + uses: pnpm/action-setup@v2 + with: + version: 8 + + - name: Display scan configuration + run: | + echo "===================================" + echo "GitAntivirus Security Scan" + echo "===================================" + echo "Configuration:" + echo " DRY_RUN: ${{ env.DRY_RUN }}" + echo " BOT_PINGS_ENABLED: ${{ env.BOT_PINGS_ENABLED }}" + echo " AUTO_APPLY: ${{ env.AUTO_APPLY }}" + echo " AUTO_MERGE: ${{ env.AUTO_MERGE }}" + echo " ALLOWLIST_ORGS: ${{ env.ALLOWLIST_ORGS }}" + echo "===================================" + echo "" + echo "⚠️ SAFETY MODE ACTIVE" + echo "This workflow runs in DRY_RUN mode by default." + echo "No automatic changes will be applied." + echo "Human review required before merge." + echo "===================================" + + - name: Make scripts executable + run: | + if [ -d "scripts" ]; then + find scripts -type f -name "*.sh" -exec chmod +x {} \; + echo "✓ Scripts made executable" + else + echo "ℹ️ No scripts directory found" + fi + + - name: Run security scan (dry-run) + id: scan + run: | + echo "Starting security scan in DRY_RUN mode..." + echo "" + + # Placeholder for actual scan logic + # In production, this would call scripts/master.sh or similar + + if [ -f "scripts/master.sh" ]; then + echo "Running SmartBrain scan..." + ./scripts/master.sh scan --dry-run || echo "Scan script not yet implemented" + else + echo "ℹ️ SmartBrain scan script not found" + echo "This is a placeholder workflow. Implement scripts/master.sh for actual scanning." + fi + + # Create placeholder log files + mkdir -p .quarantine + + echo "===================================" > SMARTBRAIN.log + echo "SmartBrain Security Scan Results" >> SMARTBRAIN.log + echo "===================================" >> SMARTBRAIN.log + echo "" >> SMARTBRAIN.log + echo "Scan ID: ${{ github.run_id }}" >> SMARTBRAIN.log + echo "Run by: SmartBrain (automated)" >> SMARTBRAIN.log + echo "DRY_RUN: true" >> SMARTBRAIN.log + echo "" >> SMARTBRAIN.log + echo "Status: Scan placeholder active" >> SMARTBRAIN.log + echo "Note: Implement full scanning logic" >> SMARTBRAIN.log + echo "" >> SMARTBRAIN.log + echo "No automated changes were made." >> SMARTBRAIN.log + echo "Human review required." >> SMARTBRAIN.log + + echo "# Security Audit Report" > AUDIT-REPORT.md + echo "" >> AUDIT-REPORT.md + echo "**Scan ID**: ${{ github.run_id }}" >> AUDIT-REPORT.md + echo "**Date**: $(date -u +%Y-%m-%dT%H:%M:%SZ)" >> AUDIT-REPORT.md + echo "**Mode**: DRY_RUN" >> AUDIT-REPORT.md + echo "" >> AUDIT-REPORT.md + echo "## Summary" >> AUDIT-REPORT.md + echo "" >> AUDIT-REPORT.md + echo "This is a placeholder audit report." >> AUDIT-REPORT.md + echo "Implement full scanning logic in scripts/master.sh" >> AUDIT-REPORT.md + echo "" >> AUDIT-REPORT.md + echo "### Safety Checks" >> AUDIT-REPORT.md + echo "" >> AUDIT-REPORT.md + echo "- ✓ DRY_RUN enabled" >> AUDIT-REPORT.md + echo "- ✓ BOT_PINGS disabled" >> AUDIT-REPORT.md + echo "- ✓ AUTO_APPLY disabled" >> AUDIT-REPORT.md + echo "- ✓ AUTO_MERGE disabled" >> AUDIT-REPORT.md + echo "" >> AUDIT-REPORT.md + echo "## Findings" >> AUDIT-REPORT.md + echo "" >> AUDIT-REPORT.md + echo "No findings (placeholder scan)" >> AUDIT-REPORT.md + echo "" >> AUDIT-REPORT.md + echo "## Recommendations" >> AUDIT-REPORT.md + echo "" >> AUDIT-REPORT.md + echo "1. Implement full scanning logic" >> AUDIT-REPORT.md + echo "2. Configure detection rules" >> AUDIT-REPORT.md + echo "3. Set up quarantine procedures" >> AUDIT-REPORT.md + echo "" >> AUDIT-REPORT.md + echo "---" >> AUDIT-REPORT.md + echo "" >> AUDIT-REPORT.md + echo "**Note**: This workflow is in safe mode. No automated changes were made." >> AUDIT-REPORT.md + + echo "scan_completed=true" >> $GITHUB_OUTPUT + echo "findings_count=0" >> $GITHUB_OUTPUT + + - name: Upload artifacts + if: always() + uses: actions/upload-artifact@v4 + with: + name: security-scan-results-${{ github.run_id }} + path: | + SMARTBRAIN.log + AUDIT-REPORT.md + .quarantine/ + retention-days: 90 + + - name: Add PR labels + if: github.event_name == 'pull_request' && steps.scan.outputs.scan_completed == 'true' + continue-on-error: true + uses: actions/github-script@v7 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + try { + await github.rest.issues.addLabels({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.issue.number, + labels: ['security-scanned', 'dry-run'] + }); + console.log('✓ Added security scan labels'); + } catch (error) { + console.log('ℹ️ Could not add labels (labels may not exist yet)'); + console.log(error.message); + } + + - name: Post scan summary + if: github.event_name == 'pull_request' + continue-on-error: true + uses: actions/github-script@v7 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const fs = require('fs'); + + let reportContent = ''; + try { + reportContent = fs.readFileSync('AUDIT-REPORT.md', 'utf8'); + } catch (error) { + reportContent = 'Audit report not generated'; + } + + const comment = `## 🛡️ SmartBrain Security Scan Results + + **Scan ID**: ${{ github.run_id }} + **Mode**: DRY_RUN (Safe Mode) + **Status**: ✓ Scan completed + + ### Configuration + - **DRY_RUN**: ✓ Enabled + - **BOT_PINGS**: ✗ Disabled + - **AUTO_APPLY**: ✗ Disabled + - **AUTO_MERGE**: ✗ Disabled + + ### Artifacts + - 📄 SMARTBRAIN.log + - 📄 AUDIT-REPORT.md + - 📁 .quarantine/ + +
+ View Audit Report + + ${reportContent} + +
+ + --- + + ⚠️ **Human review required** + This is a dry-run scan. No automated changes have been made. + Review the artifacts and findings before merging. + + *Scan powered by SmartBrain GitAntivirus* + `; + + try { + await github.rest.issues.createComment({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.issue.number, + body: comment + }); + console.log('✓ Posted scan summary comment'); + } catch (error) { + console.log('ℹ️ Could not post comment'); + console.log(error.message); + } + + - name: Security reminder + if: always() + run: | + echo "" + echo "===================================" + echo "Security Scan Complete" + echo "===================================" + echo "" + echo "✓ Scan completed in DRY_RUN mode" + echo "✓ Artifacts uploaded for review" + echo "✓ No automated changes were made" + echo "" + echo "Next steps:" + echo "1. Review scan artifacts" + echo "2. Address any findings" + echo "3. Manual review before merge" + echo "" + echo "For production scanning:" + echo "- Implement scripts/master.sh" + echo "- Configure detection rules" + echo "- Set up secrets scanning" + echo "- Configure quarantine procedures" + echo "" + echo "===================================" diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..a474073 --- /dev/null +++ b/CODE_OF_CONDUCT.md @@ -0,0 +1,129 @@ +# Contributor Covenant Code of Conduct + +## Our Pledge + +We as members, contributors, and leaders pledge to make participation in our +community a harassment-free experience for everyone, regardless of age, body +size, visible or invisible disability, ethnicity, sex characteristics, gender +identity and expression, level of experience, education, socio-economic status, +nationality, personal appearance, race, religion, or sexual identity +and orientation. + +We pledge to act and interact in ways that contribute to an open, welcoming, +diverse, inclusive, and healthy community. + +## Our Standards + +Examples of behavior that contributes to a positive environment for our +community include: + +* Demonstrating empathy and kindness toward other people +* Being respectful of differing opinions, viewpoints, and experiences +* Giving and gracefully accepting constructive feedback +* Accepting responsibility and apologizing to those affected by our mistakes, + and learning from the experience +* Focusing on what is best not just for us as individuals, but for the + overall community + +Examples of unacceptable behavior include: + +* The use of sexualized language or imagery, and sexual attention or + advances of any kind +* Trolling, insulting or derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or email + address, without their explicit permission +* Other conduct which could reasonably be considered inappropriate in a + professional setting + +## Enforcement Responsibilities + +Community leaders are responsible for clarifying and enforcing our standards of +acceptable behavior and will take appropriate and fair corrective action in +response to any behavior that they deem inappropriate, threatening, offensive, +or harmful. + +Community leaders have the right and responsibility to remove, edit, or reject +comments, commits, code, wiki edits, issues, and other contributions that are +not aligned to this Code of Conduct, and will communicate reasons for moderation +decisions when appropriate. + +## Scope + +This Code of Conduct applies within all community spaces, and also applies when +an individual is officially representing the community in public spaces. +Examples of representing our community include using an official e-mail address, +posting via an official social media account, or acting as an appointed +representative at an online or offline event. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported to the community leaders responsible for enforcement at +**security@cuberai.example**. + +All complaints will be reviewed and investigated promptly and fairly. + +All community leaders are obligated to respect the privacy and security of the +reporter of any incident. + +## Enforcement Guidelines + +Community leaders will follow these Community Impact Guidelines in determining +the consequences for any action they deem in violation of this Code of Conduct: + +### 1. Correction + +**Community Impact**: Use of inappropriate language or other behavior deemed +unprofessional or unwelcome in the community. + +**Consequence**: A private, written warning from community leaders, providing +clarity around the nature of the violation and an explanation of why the +behavior was inappropriate. A public apology may be requested. + +### 2. Warning + +**Community Impact**: A violation through a single incident or series +of actions. + +**Consequence**: A warning with consequences for continued behavior. No +interaction with the people involved, including unsolicited interaction with +those enforcing the Code of Conduct, for a specified period of time. This +includes avoiding interactions in community spaces as well as external channels +like social media. Violating these terms may lead to a temporary or +permanent ban. + +### 3. Temporary Ban + +**Community Impact**: A serious violation of community standards, including +sustained inappropriate behavior. + +**Consequence**: A temporary ban from any sort of interaction or public +communication with the community for a specified period of time. No public or +private interaction with the people involved, including unsolicited interaction +with those enforcing the Code of Conduct, is allowed during this period. +Violating these terms may lead to a permanent ban. + +### 4. Permanent Ban + +**Community Impact**: Demonstrating a pattern of violation of community +standards, including sustained inappropriate behavior, harassment of an +individual, or aggression toward or disparagement of classes of individuals. + +**Consequence**: A permanent ban from any sort of public interaction within +the community. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], +version 2.0, available at +https://www.contributor-covenant.org/version/2/0/code_of_conduct.html. + +Community Impact Guidelines were inspired by [Mozilla's code of conduct +enforcement ladder](https://github.com/mozilla/diversity). + +[homepage]: https://www.contributor-covenant.org + +For answers to common questions about this code of conduct, see the FAQ at +https://www.contributor-covenant.org/faq. Translations are available at +https://www.contributor-covenant.org/translations. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..f1c3534 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,94 @@ +# Contributing to SmartContractAudit + +Thank you for your interest in contributing to SmartContractAudit! We welcome contributions from the community. + +## Developer Certificate of Origin (DCO) + +All commits must be signed off to indicate that you agree to the Developer Certificate of Origin. This certifies that you have the right to submit the contribution and that you agree to the project license. + +To sign off your commits, use the `-s` flag with `git commit`: + +```bash +git commit -s -m "Your commit message" +``` + +This adds a `Signed-off-by` line to your commit message, certifying that you wrote the code or have the right to submit it as an open-source contribution. + +## Pull Request Process + +1. **Fork the repository** and create a new branch from `main` for your changes. +2. **Make your changes** following the code style guidelines below. +3. **Write or update tests** to cover your changes. +4. **Run all checks locally** before submitting (see below). +5. **Submit a pull request** with a clear description of your changes. +6. **Sign off all commits** using `git commit -s`. +7. **Respond to review feedback** promptly. + +## Code Style + +- Follow existing code conventions in the repository +- Use clear, descriptive variable and function names +- Add comments for complex logic +- Keep functions small and focused on a single task +- Format code consistently (use project's formatting tools if available) + +## Testing + +- Write tests for all new features and bug fixes +- Ensure all existing tests pass before submitting +- Run the test suite locally: + ```bash + # Add specific test commands for your project + npm test # or appropriate test command + ``` + +## Running Local Checks + +Before submitting your pull request, run these checks locally: + +```bash +# Run linter +npm run lint # or appropriate linting command + +# Run tests +npm test + +# Run build +npm run build +``` + +## Security + +- Never commit secrets, private keys, or sensitive data +- Follow security best practices +- Report security vulnerabilities according to [SECURITY.md](SECURITY.md) +- All changes go through security review before merge + +## Documentation + +- Update documentation for any user-facing changes +- Add JSDoc/comments for new public APIs +- Update README.md if adding new features + +## Code Review + +- All submissions require review from maintainers +- Address review feedback promptly +- Be respectful and constructive in discussions +- Reviewers will check for: + - Code quality and style + - Test coverage + - Security implications + - Performance considerations + - Documentation completeness + +## Getting Help + +- Open an issue for bugs or feature requests +- Join our community channels for questions +- Review existing issues and pull requests +- Check documentation and wiki + +## License + +By contributing, you agree that your contributions will be licensed under the Apache-2.0 License. diff --git a/DATA_RETENTION.md b/DATA_RETENTION.md new file mode 100644 index 0000000..9b8a0cd --- /dev/null +++ b/DATA_RETENTION.md @@ -0,0 +1,300 @@ +# Data Retention Policy + +## Overview + +This document outlines how long different types of data are retained in the SmartContractAudit system and the processes for data deletion. + +## Retention Periods + +### Audit Artifacts + +**Default Retention: 90 days** + +Audit artifacts include: +- SMARTBRAIN.log files +- AUDIT-REPORT.md files +- .quarantine/ directory contents +- Scan results and findings + +**After 90 days:** +- Automatically archived or deleted +- Users can request extended retention +- Critical security findings may be retained longer (anonymized) + +### System Logs + +**Default Retention: 30 days** + +System logs include: +- Application logs +- Access logs +- Error logs +- Debug logs + +**Characteristics:** +- Automatically sanitized (see PRIVACY.md) +- Rotated daily +- Compressed after 7 days +- Purged after 30 days + +### Quarantine Data + +**Default Retention: 30 days** + +Quarantined files: +- Suspicious or malicious code samples +- Detected secrets (redacted, hashed only) +- Flagged artifacts + +**After 30 days:** +- Automatically purged +- Only hashes retained for detection +- No plaintext or reversible data kept + +### Audit Reports + +**Retention: Until user deletion or 1 year** + +Published audit reports: +- Retained with user consent +- Can be deleted on request +- Anonymized versions may be retained for research +- Public reports retained indefinitely (with permission) + +### User Submissions + +**Retention: Until processing complete + 7 days** + +Code submitted for audit: +- Processed and analyzed +- Retained during audit period +- Deleted 7 days after report delivery +- Can be deleted immediately on request + +### Scan Metadata + +**Retention: 180 days** + +Metadata includes: +- Scan timestamps +- File hashes (not content) +- Severity counts +- Configuration used + +**Purpose:** +- Historical analysis +- Pattern detection +- Performance metrics + +## Redaction and Hashing + +### Private Keys + +**Retention: NEVER** + +- Private keys are never stored in any form +- Detected keys are immediately redacted +- Only cryptographic hashes retained for future detection +- Hashes retained for 1 year to prevent resubmission + +### Secrets and Credentials + +**Retention: Hashes only, 1 year** + +- Plaintext never stored +- Hash stored for detection purposes +- Original secret cannot be recovered +- User notified for remediation + +### Personal Identifiable Information (PII) + +**Retention: Minimal, user-controlled** + +- Email addresses: Until account deletion +- Names: Optional, user-controlled +- Contact info: Deletable on request +- No unnecessary PII collected + +## Deletion Procedures + +### Automatic Deletion + +Automated processes run: +- **Daily**: Log rotation and compression +- **Weekly**: Expired quarantine purge +- **Monthly**: Artifact cleanup based on retention policy + +### User-Requested Deletion + +Users can request deletion of: + +1. **Immediate deletion** (within 24 hours): + - Submitted code + - Audit reports (unpublished) + - User account data + +2. **Verification required** (within 7 days): + - Published reports + - Shared artifacts + - Collaborative submissions + +3. **Cannot delete**: + - Anonymized aggregate statistics + - Public security findings (already disclosed) + - Legal compliance records + +### Deletion Request Process + +To request deletion: + +1. **Submit request**: Email security@cuberai.example +2. **Verify identity**: Confirm ownership of data +3. **Specify scope**: What data to delete +4. **Receive confirmation**: Deletion confirmed within stated timeframe + +## Data Archival + +### Long-Term Archival + +Some data may be archived beyond retention periods: + +**Anonymized Research Data:** +- No personally identifiable information +- No reversible sensitive data +- Only statistical patterns +- Opt-in only + +**Public Security Findings:** +- Publicly disclosed vulnerabilities +- CVE records +- Advisory publications +- Required for historical reference + +**Legal Compliance:** +- Records required by law +- Audit trails for security incidents +- Minimal retention period required + +## Exceptions and Extensions + +### User-Requested Extension + +Users can request extended retention for: +- Ongoing investigations +- Legal compliance +- Business requirements + +**Process:** +- Submit extension request +- Specify duration needed +- Automatic expiry after extension period + +### Regulatory Requirements + +Some data may be retained longer when: +- Required by law +- Part of legal proceedings +- Security incident under investigation +- Regulatory audit in progress + +## Geographic Considerations + +Data retention may vary by region based on: +- Local data protection laws +- Regulatory requirements +- User location and preferences + +## Backup and Recovery + +### Backup Retention + +- **Daily backups**: Retained 7 days +- **Weekly backups**: Retained 4 weeks +- **Monthly backups**: Retained 12 months + +**Note:** Backups follow same retention and deletion policies as primary data. + +### Recovery Process + +In case of data loss: +- Recovery from most recent backup +- Retention policies apply to recovered data +- Users notified of any recovery events + +## Transparency and Verification + +### Audit Trail + +All data operations logged: +- Creation timestamp +- Access history +- Modification events +- Deletion timestamp + +### User Access + +Users can: +- View retention status of their data +- Request data export before deletion +- Verify deletion completion +- Review access logs + +## Configuration + +### Default Configuration (config/repair.json) + +```json +{ + "retention": { + "artifacts": "90d", + "logs": "30d", + "quarantine": "30d", + "reports": "1y" + } +} +``` + +### Custom Retention + +Organizations can configure custom retention periods: +- Longer retention for compliance +- Shorter retention for privacy +- Per-artifact-type policies +- Geographic-specific rules + +## Updates to Policy + +This retention policy may be updated to: +- Comply with new regulations +- Improve privacy protection +- Reflect technical changes +- Address user feedback + +**Notification:** +- Users notified 30 days before changes +- Opt-out options provided +- Changes logged in repository + +## Contact + +Questions about data retention: + +- **Email**: security@cuberai.example +- **Documentation**: See [PRIVACY.md](PRIVACY.md) +- **Issues**: GitHub issue tracker + +Last updated: 2025-12-31 + +## Summary Table + +| Data Type | Default Retention | Auto-Delete | User-Deletable | +|-----------|------------------|-------------|----------------| +| Private Keys | NEVER STORED | N/A | N/A | +| Secrets (hash) | 1 year | Yes | No | +| Audit Artifacts | 90 days | Yes | Yes | +| System Logs | 30 days | Yes | Request | +| Quarantine Files | 30 days | Yes | Yes | +| Audit Reports | 1 year | No | Yes | +| User Submissions | 7 days | Yes | Yes | +| Metadata | 180 days | Yes | Request | +| Backups | Up to 12 months | Yes | With primary data | diff --git a/GOVERNANCE.md b/GOVERNANCE.md new file mode 100644 index 0000000..46e113c --- /dev/null +++ b/GOVERNANCE.md @@ -0,0 +1,198 @@ +# Governance + +## Project Overview + +SmartContractAudit is an open-source project for automated smart contract security auditing with AI workers and on-chain automation. This document outlines how the project is governed and how decisions are made. + +## Project Roles + +### Maintainers + +Maintainers have commit access to the repository and are responsible for: + +- Reviewing and merging pull requests +- Triaging and responding to issues +- Making technical decisions for the project +- Ensuring code quality and security standards +- Managing releases +- Enforcing the code of conduct + +**Current Maintainers:** +- [List to be maintained] + +### Security Team + +Security team members are responsible for: + +- Reviewing security vulnerabilities +- Coordinating security disclosures +- Managing security advisories +- Ensuring security best practices + +**Security Team:** +- [List to be maintained] + +### Contributors + +Anyone who submits a pull request, reports an issue, or participates in discussions is a contributor. Contributors are expected to: + +- Follow the [Code of Conduct](CODE_OF_CONDUCT.md) +- Follow the [Contributing Guidelines](CONTRIBUTING.md) +- Sign off commits with DCO +- Participate constructively + +### Sponsors and Partners + +Sponsors and partners provide financial or infrastructure support. They may: + +- Influence the project roadmap through advisory input +- Request features or integrations (subject to maintainer approval) +- Receive priority support (per sponsorship tier) +- Access early releases and beta features + +See [docs/partners/](docs/partners/) for more information on partnerships. + +## Decision Making + +### Consensus Model + +For most decisions, we aim for consensus among maintainers: + +1. **Proposal**: Issues or RFCs are opened for significant changes +2. **Discussion**: Community and maintainers discuss pros/cons +3. **Consensus**: Maintainers reach consensus (typically 2+ maintainer approvals) +4. **Implementation**: Changes are implemented and merged + +### Lazy Consensus + +For routine changes (bug fixes, documentation, minor features): + +- Pull requests can be merged with 1 maintainer approval +- Allow 48 hours for other maintainers to review/object +- No objections = implied consensus + +### Voting + +If consensus cannot be reached, maintainers may vote: + +- Simple majority (>50%) required +- All maintainers are invited to vote +- Voting period: 7 days +- Abstentions do not count toward total + +## Release Process + +### Versioning + +We follow [Semantic Versioning](https://semver.org/): + +- **MAJOR**: Breaking changes +- **MINOR**: New features, backwards compatible +- **PATCH**: Bug fixes, backwards compatible + +### Release Cycle + +- **Patch releases**: As needed for critical bugs +- **Minor releases**: Monthly or as features are ready +- **Major releases**: When breaking changes are necessary + +### Release Procedure + +1. Update version numbers +2. Update CHANGELOG.md +3. Create release branch +4. Run full test suite and security scans +5. Create GitHub release with notes +6. Tag release commit +7. Announce on community channels + +## Roadmap and Feature Requests + +### Roadmap + +The project roadmap is maintained in: +- GitHub Projects +- Milestone planning +- Regular community updates + +### Sponsor Influence + +Sponsors may influence the roadmap through: + +- **Feature Requests**: Submitted as issues, prioritized based on: + - Community benefit + - Technical feasibility + - Alignment with project goals + - Sponsor tier (advisory input) + +- **Priority Support**: Higher-tier sponsors receive: + - Earlier response to issues + - Advisory access to maintainers + - Input on release planning + - Beta access to features + +Final decisions remain with maintainers to ensure project integrity and community benefit. + +## Becoming a Maintainer + +Contributors may become maintainers through: + +1. **Sustained Contributions**: Regular, high-quality contributions over 6+ months +2. **Technical Excellence**: Demonstrated expertise in relevant areas +3. **Community Engagement**: Helpful, constructive participation +4. **Trust**: Aligned with project values and governance +5. **Nomination**: Nominated by existing maintainer +6. **Consensus**: Approved by consensus of current maintainers + +## Removing Maintainers + +Maintainer status may be revoked for: + +- Inactivity (no contributions in 12 months) +- Code of conduct violations +- Abuse of privileges +- Consensus of other maintainers + +## Code Ownership + +### CODEOWNERS + +Specific areas of the codebase may have designated owners who: + +- Automatically review PRs in their area +- Have expertise in that domain +- Help maintain code quality + +CODEOWNERS file defines these areas. + +### Security Ownership + +Security-sensitive code requires review by security team members before merge. + +## Amendments + +This governance document may be amended by: + +1. Opening a pull request with proposed changes +2. Discussion period (minimum 14 days) +3. Consensus or vote of maintainers +4. Approval by 2/3 majority if voting + +## Communication Channels + +- **GitHub Issues**: Bug reports, feature requests +- **Pull Requests**: Code contributions +- **Discussions**: Community Q&A, RFCs +- **Email**: security@cuberai.example (security only) + +## Funding and Sponsorship + +See [FUNDING.yml](.github/FUNDING.yml) for sponsorship options and [docs/partners/](docs/partners/) for partnership details. + +## License + +All contributions are licensed under Apache-2.0 as specified in [LICENSE](LICENSE). + +## Questions + +For questions about governance, contact the maintainers via GitHub Discussions or open an issue. diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..261eeb9 --- /dev/null +++ b/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/PRIVACY.md b/PRIVACY.md new file mode 100644 index 0000000..0bec4ec --- /dev/null +++ b/PRIVACY.md @@ -0,0 +1,206 @@ +# Privacy Policy + +## Overview + +SmartContractAudit is committed to protecting privacy and handling data responsibly. This document outlines our data handling practices. + +## Data Collection + +### What We Don't Collect + +We do **NOT** collect, store, or transmit: + +- Private keys (never in plaintext or any form) +- Wallet mnemonics or seed phrases +- Passwords or credentials +- Personal identifying information without consent +- Sensitive smart contract details without authorization + +### What We May Collect + +When using the service, we may process: + +- **Public blockchain data**: Publicly available on-chain information +- **Code submissions**: Smart contracts submitted for audit (with user consent) +- **Audit results**: Security findings and reports +- **Usage metrics**: Anonymous usage statistics for improvement +- **Logs**: System logs for debugging (sanitized, see below) + +## Public Redaction Policy + +### Private Key Protection + +**Absolute Rule**: Private keys are NEVER stored in any form. + +- Private keys detected in submissions are immediately redacted +- Only cryptographic hashes stored for detection purposes +- Original keys are never logged, cached, or transmitted +- Automated detection flags potential key leaks before storage + +### Sensitive Data Handling + +For any sensitive data detected: + +1. **Immediate Redaction**: Data is redacted at ingestion +2. **Hash Storage**: Only cryptographic hashes stored for future detection +3. **Alert Generation**: Security team notified of detection +4. **User Notification**: Submitter alerted to remediate source +5. **No Plaintext**: Original sensitive data never persists + +### Log Sanitization + +All logs undergo automatic sanitization: + +- Pattern matching for common secret formats +- Redaction before writing to disk +- Hash-based replacement for audit trail +- Regular expression filters for: + - Private keys (various formats) + - API tokens + - Credentials + - Email addresses (optional redaction) + - IP addresses (optional redaction) + +## Data Retention + +See [DATA_RETENTION.md](DATA_RETENTION.md) for detailed retention policies. + +**Summary:** +- Audit artifacts: 90 days default +- Logs: 30 days default +- Reports: Retained with user consent +- Personal data: Minimal retention, deletable on request + +## Data Storage + +### Security Measures + +- **Encryption at rest**: All stored data encrypted +- **Encryption in transit**: TLS 1.3 for all communications +- **Access control**: Role-based access with principle of least privilege +- **Audit logging**: All data access logged for security +- **Geographic location**: Data stored in [REGION TO BE SPECIFIED] + +### Third-Party Services + +We may use third-party services for: + +- Code hosting (GitHub) +- Artifact storage (temporary) +- Analytics (anonymous only) + +These services have their own privacy policies and data handling practices. + +## User Rights + +### Access + +Users have the right to: + +- Request copies of their data +- Review audit reports +- Verify redaction of sensitive data +- Export results in standard formats + +### Deletion + +Users may request: + +- Deletion of submitted code +- Removal of audit reports +- Purging of associated logs (within retention windows) + +### Correction + +Users may: + +- Update contact information +- Correct metadata in reports +- Request re-audit if initial submission contained errors + +## Data Sharing + +### What We Share + +- **Public Reports**: Only with explicit user consent +- **Security Findings**: Aggregate, anonymized statistics +- **Research Data**: De-identified data for security research (opt-in) + +### What We Never Share + +- Private keys or credentials (we don't have them) +- Unapproved audit results +- User code without permission +- Personal information without consent +- Data with third parties for marketing + +## Compliance + +We aim to comply with: + +- GDPR (General Data Protection Regulation) +- CCPA (California Consumer Privacy Act) +- Industry best practices for security data handling + +## Breach Notification + +In the unlikely event of a data breach: + +1. **Immediate Response**: Contain and investigate within 24 hours +2. **User Notification**: Affected users notified within 72 hours +3. **Authority Notification**: Regulators notified per legal requirements +4. **Transparency**: Public disclosure of incident and response +5. **Remediation**: Steps taken to prevent recurrence + +## Cookies and Tracking + +### GitHub Pages (if used) + +The web interface may use: + +- **Session cookies**: For functionality only +- **Analytics**: Optional, anonymous usage data +- **No tracking**: No cross-site tracking or advertising cookies + +Users can disable cookies in browser settings. + +## Children's Privacy + +This service is not intended for users under 13 years of age. We do not knowingly collect data from children. + +## International Data Transfers + +Data may be processed in different jurisdictions. We ensure adequate safeguards through: + +- Standard contractual clauses +- Encryption in transit and at rest +- Compliance with international frameworks + +## Contact + +For privacy questions or requests: + +- **Email**: security@cuberai.example +- **Issue Tracker**: GitHub Issues (for non-sensitive questions) +- **Security Reports**: See [SECURITY.md](SECURITY.md) + +## Changes to Policy + +We may update this policy periodically. Changes will be: + +- Posted on this page +- Announced in project updates +- Effective 30 days after posting + +Last updated: 2025-12-31 + +## Transparency + +This project is open source. You can: + +- Review our code for data handling +- Audit our redaction mechanisms +- Verify our security practices +- Contribute improvements + +We believe in privacy through transparency and technical implementation, not just policy. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..8c7f876 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,131 @@ +# Security Policy + +## Reporting a Vulnerability + +The SmartContractAudit team takes security issues seriously. We appreciate your efforts to responsibly disclose your findings. + +### How to Report + +To report a security vulnerability, please use one of the following methods: + +1. **Email**: Send details to **security@cuberai.example** +2. **PGP Encrypted** (recommended for sensitive issues): + - PGP Key ID: [TO BE ADDED] + - Fingerprint: [TO BE ADDED] + - Key available at: [KEY URL TO BE ADDED] + +### What to Include + +When reporting a vulnerability, please include: + +- **Description**: Clear description of the vulnerability +- **Impact**: Potential impact and attack scenarios +- **Reproduction**: Step-by-step instructions to reproduce the issue +- **Proof of Concept**: Code, screenshots, or logs demonstrating the issue +- **Environment**: Relevant version numbers, configurations, etc. +- **Suggested Fix**: If you have ideas for remediation (optional) + +### Reporting Process + +1. **Initial Report**: Submit your report via email +2. **Acknowledgment**: We will acknowledge receipt within **48 hours** +3. **Triage**: We will assess the severity and validity within **5 business days** +4. **Updates**: We will provide status updates every **7 days** during investigation +5. **Resolution**: We will work on a fix and coordinate disclosure timing with you +6. **Credit**: With your permission, we will credit you in our security advisory + +### Response Timeline (SLA) + +- **Critical vulnerabilities**: Response within 24 hours, fix within 7 days +- **High severity**: Response within 48 hours, fix within 14 days +- **Medium severity**: Response within 5 days, fix within 30 days +- **Low severity**: Response within 7 days, fix within 60 days + +## Security Disclosure Policy + +### Coordinated Disclosure + +We follow a coordinated disclosure process: + +1. Security researchers report vulnerabilities privately +2. We work with researchers to understand and fix issues +3. We coordinate on appropriate disclosure timing +4. Public disclosure occurs after fixes are deployed + +### Public Disclosure + +- We will publish security advisories for all confirmed vulnerabilities +- Advisories include severity rating, affected versions, and mitigation steps +- We credit researchers who report issues (unless they request anonymity) + +## Scope + +### In Scope + +- All code in this repository +- Smart contract vulnerabilities +- Authentication and authorization issues +- Injection vulnerabilities (SQL, command, etc.) +- Cryptographic weaknesses +- Information disclosure +- Denial of service issues +- Configuration vulnerabilities + +### Out of Scope + +- Social engineering attacks +- Physical attacks +- Denial of service through resource exhaustion +- Issues in third-party dependencies (report to those projects) +- Issues requiring physical access to systems + +## Security Best Practices + +### For Contributors + +- Never commit secrets, private keys, or credentials +- Use environment variables for configuration +- Run security checks before submitting PRs +- Follow secure coding guidelines +- Use DRY_RUN mode for testing potentially destructive operations + +### For Users + +- Keep dependencies up to date +- Use strong authentication +- Enable all security features +- Monitor security advisories +- Report suspicious activity + +## Security Features + +This project includes: + +- **GitAntivirus Workflow**: Automated security scanning (dry-run by default) +- **Secret Detection**: Prevents accidental commit of sensitive data +- **Code Review**: All changes reviewed for security implications +- **Dependency Scanning**: Regular checks for vulnerable dependencies +- **Conservative Defaults**: DRY_RUN=true, auto_apply=false + +## PGP Key + +For sensitive security reports, please use PGP encryption: + +``` +[PGP PUBLIC KEY BLOCK TO BE ADDED] +``` + +## Contact + +- **Security Email**: security@cuberai.example +- **General Contact**: See [GOVERNANCE.md](GOVERNANCE.md) for maintainer contacts + +## Acknowledgments + +We thank the security researchers who have helped make this project more secure: + +- [List of credited researchers to be maintained here] + +## Updates + +This security policy was last updated on 2025-12-31. diff --git a/config/repair.json b/config/repair.json new file mode 100644 index 0000000..0333f3b --- /dev/null +++ b/config/repair.json @@ -0,0 +1,7 @@ +{ + "auto_apply": false, + "dry_run_default": true, + "allowlist_orgs": [], + "max_prs_per_run": 3, + "pings_enabled": false +} diff --git a/docs/partners/README.md b/docs/partners/README.md new file mode 100644 index 0000000..3fb65e2 --- /dev/null +++ b/docs/partners/README.md @@ -0,0 +1,103 @@ +--- +title: Partners & Sponsors +description: Information for partners and sponsors of SmartContractAudit +keywords: partners, sponsors, collaboration, enterprise, support +--- + +# Partners & Sponsors + +Welcome to the SmartContractAudit Partners and Sponsors hub. This directory contains information for organizations interested in partnering with or sponsoring our project. + +## Contents + +- [Partnerships](partnerships.md) - Overview of partnership opportunities +- [Sponsorship Tiers](sponsorship_tiers.md) - Detailed sponsorship levels and benefits +- [Technical Onboarding](technical_onboarding.md) - Getting started with integration +- [Data Privacy](data_privacy.md) - Privacy and security for partners +- [SLA and Support](sla_and_support.md) - Service level agreements and support options +- [Use Cases](use_cases.md) - Real-world applications and success stories +- [Press Kit](press_kit.md) - Media resources and branding guidelines +- [Contact](contact.md) - Get in touch with the partnership team + +## Quick Links + +- **Become a Sponsor**: See [sponsorship_tiers.md](sponsorship_tiers.md) +- **Partner Integration**: See [technical_onboarding.md](technical_onboarding.md) +- **Security & Privacy**: See [data_privacy.md](data_privacy.md) +- **Get Support**: See [sla_and_support.md](sla_and_support.md) + +## Why Partner With Us? + +SmartContractAudit provides: + +- **Automated Security**: AI-powered smart contract auditing +- **Continuous Monitoring**: On-chain automation for real-time protection +- **Enterprise-Grade**: Scalable solutions for organizations +- **Open Source**: Transparent, auditable, community-driven +- **Expert Team**: Security researchers and blockchain specialists + +## Partnership Types + +### Technology Partners +Integrate our security tools into your platform or workflow. + +### Enterprise Partners +Custom deployments and dedicated support for large organizations. + +### Strategic Sponsors +Financial support with advisory input on roadmap and features. + +### Reseller Partners +Offer our services to your clients with revenue sharing. + +### Academic Partners +Research collaborations and educational programs. + +## Getting Started + +1. **Review the documentation** in this directory +2. **Choose your partnership type** based on your needs +3. **Contact us** using the information in [contact.md](contact.md) +4. **Schedule a call** to discuss your specific requirements +5. **Sign partnership agreement** and begin onboarding + +## Benefits of Partnership + +- Priority support and SLA guarantees +- Early access to new features and releases +- Custom integrations and configurations +- Co-marketing opportunities +- Advisory input on product roadmap +- Revenue sharing (for resellers) +- White-label options (enterprise) + +## Success Stories + +See [use_cases.md](use_cases.md) for examples of how partners are using SmartContractAudit. + +## Community vs Enterprise + +| Feature | Community | Partners/Sponsors | +|---------|-----------|------------------| +| Open Source Access | ✅ | ✅ | +| Public Support | ✅ | ✅ | +| Priority Support | ❌ | ✅ | +| SLA Guarantee | ❌ | ✅ | +| Custom Integration | ❌ | ✅ | +| Dedicated Account Manager | ❌ | ✅ (higher tiers) | +| Early Access | ❌ | ✅ | +| Roadmap Input | Community vote | Advisory | + +## Contact + +Ready to explore partnership opportunities? + +- **Email**: partners@cuberai.example +- **Schedule**: [Calendar link to be added] +- **Form**: [Partnership inquiry form to be added] + +See [contact.md](contact.md) for more ways to reach us. + +--- + +*All partnership agreements are subject to terms and conditions. Contact us for specific details and custom arrangements.* diff --git a/docs/partners/contact.md b/docs/partners/contact.md new file mode 100644 index 0000000..491c30b --- /dev/null +++ b/docs/partners/contact.md @@ -0,0 +1,486 @@ +--- +title: Contact Information +description: Get in touch with the SmartContractAudit partnership team +keywords: contact, email, phone, support, partnerships, sales +--- + +# Contact Information + +Get in touch with SmartContractAudit for partnerships, support, media inquiries, and more. + +## Quick Contact + +### General Inquiries +**Email**: hello@cuberai.example +**Response Time**: 1-2 business days + +### Partnership Opportunities +**Email**: partners@cuberai.example +**Response Time**: 1 business day +**Schedule Call**: [Calendly link to be added] + +### Technical Support +**Email**: technical-support@cuberai.example +**Portal**: https://partners.smartcontractaudit.example +**Response Time**: Per SLA (see [sla_and_support.md](sla_and_support.md)) + +### Media and Press +**Email**: press@cuberai.example +**Response Time**: Same business day (typically) +**Press Kit**: [press_kit.md](press_kit.md) + +## By Topic + +### Sponsorship + +**Contact**: sponsors@cuberai.example + +**For**: +- Financial sponsorship inquiries +- Sponsorship tier questions +- Benefits and ROI discussions +- Custom sponsorship packages + +**What to Include**: +- Organization name and type +- Sponsorship interests (tier or custom) +- Budget range +- Goals and objectives +- Preferred contact method + +**Next Steps**: +- Initial consultation call +- Custom proposal +- Agreement and onboarding + +### Technology Partnerships + +**Contact**: tech-partnerships@cuberai.example + +**For**: +- Platform integrations +- API partnerships +- Developer tool integrations +- Ecosystem collaborations + +**What to Include**: +- Company and product overview +- Integration ideas +- Technical architecture +- Timeline expectations +- Existing user base + +**Next Steps**: +- Technical discovery call +- Integration feasibility review +- Partnership proposal +- Technical onboarding + +### Enterprise Sales + +**Contact**: enterprise@cuberai.example +**Phone**: [To be added] + +**For**: +- On-premise deployments +- Custom enterprise agreements +- Large-scale implementations +- White-label solutions + +**What to Include**: +- Company information +- Number of contracts/users +- Deployment requirements +- Compliance needs +- Budget and timeline + +**Next Steps**: +- Discovery call +- Requirements gathering +- Custom proposal and pricing +- Proof of concept + +### Reseller Program + +**Contact**: resellers@cuberai.example + +**For**: +- Reseller partnership inquiries +- Revenue share models +- White-label offerings +- Agency partnerships + +**What to Include**: +- Agency/firm overview +- Current client base +- Service offerings +- Sales capacity +- Geographic focus + +**Next Steps**: +- Partnership evaluation +- Agreement and terms +- Technical enablement +- Go-to-market planning + +### Academic Partnerships + +**Contact**: academic@cuberai.example + +**For**: +- Research collaborations +- Educational programs +- Student projects +- Grant opportunities + +**What to Include**: +- Institution information +- Research area or course details +- Collaboration objectives +- Timeline and scope + +**Next Steps**: +- Initial discussion +- Proposal development +- Agreement execution +- Research/program launch + +### Security and Compliance + +**Contact**: security@cuberai.example +**PGP Key**: [To be added] + +**For**: +- Security vulnerability reports +- Compliance questions +- Data protection inquiries +- Security incidents + +**See Also**: [SECURITY.md](../../SECURITY.md) + +**Response Time**: +- Critical: 24 hours +- Non-critical: 2-3 business days + +### Legal and Contracts + +**Contact**: legal@cuberai.example + +**For**: +- Contract questions +- Terms of service +- Privacy policy +- Licensing questions +- Legal compliance + +**What to Include**: +- Specific question or concern +- Relevant agreement/document +- Your organization details +- Timeline if urgent + +### Billing and Finance + +**Contact**: billing@cuberai.example + +**For**: +- Invoice questions +- Payment methods +- Subscription changes +- Refund requests +- Financial reporting + +**Portal**: Access via partner portal + +**Response Time**: 2 business days + +## Office Locations + +### Headquarters + +**Address**: [To be added] +[City, State ZIP] +[Country] + +**Office Hours**: Monday-Friday, 9 AM - 5 PM PT + +**Note**: Please schedule appointments in advance. Email preferred for initial contact. + +### Regional Offices + +**Europe**: [To be added] + +**Asia Pacific**: [To be added] + +**Latin America**: [To be added] + +## Phone Support + +### General +**Number**: [To be added] +**Hours**: Monday-Friday, 9 AM - 5 PM PT +**Availability**: Silver tier and above + +### Emergency Hotline +**Number**: [To be added] +**Hours**: 24/7 +**Availability**: Platinum tier only +**Use**: Critical production issues only + +## Social Media + +### Official Channels + +**Twitter/X**: [@SmartContractAudit - to be added] +- Product updates +- Security news +- Community engagement + +**LinkedIn**: [Company Page - to be added] +- Professional updates +- Partnership announcements +- Industry insights + +**GitHub**: [github.com/SmartContractAudit - to be added] +- Open source repository +- Technical documentation +- Community contributions + +**Discord**: [Invite link - to be added] +- Community support +- Developer discussions +- Real-time updates + +**Telegram**: [Channel - to be added] +- Announcements +- Community chat +- Quick updates + +### Follow for + +- **Product Updates**: Twitter, LinkedIn +- **Technical News**: GitHub, Discord +- **Community**: Discord, Telegram +- **Business Updates**: LinkedIn +- **Support**: Discord (community), Portal (official) + +## Community + +### Discussion Forums + +**GitHub Discussions**: [Link to be added] +- Feature requests +- Technical Q&A +- Community support + +**Discord Community**: [Link to be added] +- Real-time chat +- Community help +- Announcements + +### Newsletter + +**Subscribe**: [Newsletter signup - to be added] + +**Frequency**: Monthly + +**Content**: +- Product updates +- Security insights +- Partner spotlight +- Industry news +- Best practices + +## Schedule a Meeting + +### Partnership Consultation + +**Duration**: 30 minutes +**Link**: [Calendly link - to be added] +**Best For**: Initial partnership exploration + +**What We'll Cover**: +- Your objectives +- Partnership fit +- Next steps + +### Technical Deep Dive + +**Duration**: 60 minutes +**Link**: [Calendly link - to be added] +**Best For**: Technical integrations, enterprise deployments + +**What We'll Cover**: +- Technical requirements +- Architecture review +- Integration approach +- Timeline and resources + +### Executive Briefing + +**Duration**: 30 minutes +**Link**: [Calendly link - to be added] +**Best For**: Strategic partnerships, enterprise sales + +**What We'll Cover**: +- Business overview +- Strategic fit +- Value proposition +- Investment and ROI + +## Contact Form + +**Web Form**: [Link to be added] + +**Use When**: +- Detailed inquiry +- Multiple topics +- Attachments needed +- Prefer web to email + +**Response Time**: 1-2 business days + +## Office Hours + +### Community Office Hours + +**When**: Every Thursday, 10 AM - 11 AM PT +**Where**: Discord voice channel +**Who**: Open to all community members +**Topic**: Open Q&A, product demos, discussions + +### Partner Office Hours + +**When**: Weekly (scheduled with account manager) +**Where**: Video conference +**Who**: Active partners (Silver and above) +**Topic**: Partner-specific questions and support + +## Response Time Expectations + +| Contact Method | General | Partners | Enterprise | Critical | +|---------------|---------|----------|------------|----------| +| Email | 1-2 days | 1 day | 4 hours | 1 hour | +| Portal | 1-2 days | Per SLA | Per SLA | Per SLA | +| Phone | N/A | Business hours | Business hours | 24/7 (Platinum) | +| Social Media | Best effort | N/A | N/A | N/A | + +## Escalation + +If you're not getting adequate response: + +1. **Check SLA**: Ensure timeframe per your tier +2. **Use Correct Channel**: Email/portal for support +3. **Mark Priority**: Indicate urgency clearly +4. **Escalate**: Use escalations@cuberai.example +5. **Account Manager**: Contact directly (Gold/Platinum) + +## Holiday Schedule + +Office closed: +- New Year's Day +- Memorial Day (US) +- Independence Day (US) +- Labor Day (US) +- Thanksgiving (US) +- Christmas + +**Note**: Critical support (Platinum) available 24/7 including holidays + +## Mailing Address + +**For legal documents, contracts**: + +SmartContractAudit, Inc. +[Address Line 1] +[Address Line 2] +[City, State ZIP] +[Country] + +**Attention**: [Department Name] + +## Time Zone + +**Primary**: Pacific Time (PT) +- UTC-8 (Standard Time) +- UTC-7 (Daylight Time) + +**When Scheduling**: +- Specify time zone clearly +- Use 24-hour format for clarity +- Consider international partners + +## Languages + +**Primary**: English + +**Available**: +- Spanish (limited) +- Mandarin (limited) +- More languages coming soon + +**Translation**: +- Documentation: Community-driven +- Support: English primarily +- Enterprise: Custom arrangements + +## Frequently Asked Questions + +### How quickly will I hear back? + +Response times vary by contact method and partnership tier. See table above for expectations. + +### Can I schedule a call before signing up? + +Yes! Use our scheduling links for partnership consultations. + +### What's the best way to reach you? + +- **Partnerships**: Email partners@cuberai.example +- **Technical**: Partner portal for existing partners +- **Media**: Email press@cuberai.example +- **Urgent**: Phone for active partners + +### Do you have phone support? + +Yes, for Silver tier and above during business hours. Platinum tier has 24/7 emergency hotline. + +### Can I visit your office? + +Yes, please schedule in advance via email. + +### How do I report a bug? + +- Community: GitHub Issues +- Partners: Partner portal +- Security: security@cuberai.example + +### Where's your status page? + +https://status.smartcontractaudit.example + +## Additional Resources + +- **Documentation**: [URL to be added] +- **API Docs**: [URL to be added] +- **Partner Portal**: https://partners.smartcontractaudit.example +- **Blog**: [URL to be added] +- **Help Center**: [URL to be added] + +## Feedback + +We value your feedback! + +**Product Feedback**: feedback@cuberai.example +**Partner Experience**: partner-feedback@cuberai.example +**General Suggestions**: hello@cuberai.example + +## Thank You + +Thank you for your interest in SmartContractAudit. We look forward to hearing from you! + +For urgent matters, use the appropriate contact method above. For everything else, we'll respond as quickly as possible. + +--- + +*Contact information current as of 2025-12-31. For the most up-to-date information, visit our website or check the partner portal.* diff --git a/docs/partners/data_privacy.md b/docs/partners/data_privacy.md new file mode 100644 index 0000000..d093ef9 --- /dev/null +++ b/docs/partners/data_privacy.md @@ -0,0 +1,436 @@ +--- +title: Data Privacy for Partners +description: Privacy and security practices for partner integrations +keywords: privacy, security, compliance, data protection, GDPR +--- + +# Data Privacy for Partners + +This document outlines data privacy and security practices for SmartContractAudit partners. + +## Overview + +We take data privacy seriously and maintain strict policies to protect partner and user data. This document details how data is collected, processed, stored, and protected in partner integrations. + +## Data Collection + +### What We Collect + +From partner integrations: + +**Technical Data**: +- Smart contract source code (temporarily, for scanning) +- API request metadata (timestamps, endpoints, parameters) +- Scan results and findings +- Usage metrics (aggregated) + +**Account Data**: +- Partner organization information +- Technical contact details +- Billing information +- API keys and access tokens (hashed) + +### What We Never Collect + +**Absolutely prohibited**: +- Private keys or mnemonics (in any form) +- Wallet passwords or credentials +- User personal data (unless explicitly needed and authorized) +- Sensitive business information beyond scope +- Data from unauthorized sources + +## Data Processing + +### Scanning Process + +1. **Submission**: Contract code sent via API +2. **Scanning**: Analyzed in isolated environment +3. **Results**: Findings generated and stored +4. **Cleanup**: Source code deleted after processing +5. **Retention**: Results retained per agreement (default 90 days) + +### Processing Location + +- **Primary**: [Region to be specified, e.g., US-East] +- **Backup**: [Backup region to be specified] +- **On-Premise**: Available for enterprise partners +- **Data Residency**: Configurable for compliance + +### Third-Party Processing + +We may use third-party services for: + +- Cloud hosting (AWS/GCP/Azure) +- CDN services +- Analytics (anonymized only) +- Support ticketing + +All third parties are vetted and contractually bound to our privacy standards. + +## Data Storage + +### Storage Duration + +| Data Type | Default Retention | Configurable | +|-----------|------------------|--------------| +| Source Code | 24 hours | Yes (0-7 days) | +| Scan Results | 90 days | Yes (30-365 days) | +| API Logs | 30 days | Yes (7-90 days) | +| Audit Reports | 1 year | Yes | +| Account Data | Active + 30 days | No | +| Billing Records | 7 years | No (legal requirement) | + +### Storage Security + +**Encryption**: +- **At Rest**: AES-256 encryption +- **In Transit**: TLS 1.3 +- **Key Management**: HSM-backed key storage +- **Access Control**: Role-based with MFA + +**Infrastructure**: +- SOC 2 Type II certified facilities +- Physical security controls +- Network segmentation +- DDoS protection +- Regular security audits + +## Data Sharing + +### What We Share + +**With Partners** (your data only): +- Scan results for your contracts +- Usage analytics for your account +- Billing information +- Support interactions + +**Aggregate Data** (anonymized): +- Industry benchmarks +- Vulnerability trends +- Performance metrics + +### What We Never Share + +- Individual partner data with other partners +- Competitive intelligence +- Unaggregated user data +- Source code (except back to submitter) +- Any data without authorization + +### Legal Disclosure + +We may disclose data when: +- Required by law or legal process +- Necessary to protect rights or safety +- Part of business transfer (with notice) +- With explicit partner consent + +We will: +- Challenge overbroad requests +- Notify partners when legally permitted +- Minimize disclosure scope +- Document all disclosures + +## Privacy by Design + +### Principles + +1. **Minimize Collection**: Only collect necessary data +2. **Purpose Limitation**: Use data only for stated purposes +3. **Access Control**: Restrict access to need-to-know basis +4. **Transparency**: Clear communication about practices +5. **User Control**: Partners control their data +6. **Security**: Protect data with appropriate measures +7. **Accountability**: Regular audits and compliance checks + +### Implementation + +**Pseudonymization**: +- Internal IDs instead of identifying information +- Separate storage of identifying data +- Limited access to mapping tables + +**Aggregation**: +- Statistical analysis on aggregated data +- Individual records not identifiable +- K-anonymity for datasets + +**Redaction**: +- Automatic secret detection and redaction +- Hash-based replacement +- Irreversible anonymization + +## Compliance + +### Regulatory Frameworks + +We comply with: + +**GDPR** (General Data Protection Regulation): +- Lawful basis for processing +- Data subject rights +- Privacy by design and default +- Data protection impact assessments +- Breach notification procedures + +**CCPA** (California Consumer Privacy Act): +- Consumer rights to know and delete +- Opt-out of sale (not applicable - we don't sell) +- Non-discrimination +- Disclosure requirements + +**SOC 2 Type II**: +- Security controls +- Availability guarantees +- Processing integrity +- Confidentiality +- Privacy + +**ISO 27001** (in progress): +- Information security management +- Risk assessment and treatment +- Security controls implementation + +### Industry Standards + +- **PCI DSS**: For payment data handling +- **NIST Framework**: Cybersecurity best practices +- **CIS Controls**: Security configuration +- **OWASP**: Web application security + +## Partner Responsibilities + +### Data Protection Obligations + +Partners must: + +- **Secure API Keys**: Store keys securely, rotate regularly +- **Authorize Submissions**: Only scan authorized code +- **Respect User Privacy**: Comply with applicable privacy laws +- **Report Incidents**: Notify us of any security concerns +- **Maintain Compliance**: Ensure own compliance with regulations +- **Limit Access**: Restrict data access to necessary personnel + +### Data Processing Agreement + +Partners agree to: + +- Process data per our instructions +- Maintain confidentiality +- Implement appropriate security +- Assist with data subject requests +- Notify of breaches promptly +- Delete/return data upon termination + +## Data Subject Rights + +Users whose data is processed have rights to: + +### Access +- Request copy of their data +- Receive data in portable format +- Understand how data is used + +### Correction +- Update inaccurate information +- Complete incomplete data +- Maintain accuracy + +### Deletion ("Right to be Forgotten") +- Request deletion of data +- Exceptions: legal obligations, legitimate interests +- Verification required + +### Restriction +- Limit processing in certain circumstances +- Object to processing +- Opt-out of marketing (not applicable) + +### Portability +- Receive data in machine-readable format +- Transfer to another controller +- Where technically feasible + +Partners must: +- Forward data subject requests to us within 2 business days +- Cooperate in fulfilling requests +- Maintain records of requests + +## Security Measures + +### Technical Controls + +**Access Control**: +- Multi-factor authentication (MFA) +- Role-based access control (RBAC) +- Principle of least privilege +- Regular access reviews + +**Network Security**: +- Firewalls and IDS/IPS +- Network segmentation +- VPN for administrative access +- DDoS mitigation + +**Application Security**: +- Secure coding practices +- Regular security testing +- Vulnerability management +- Dependency scanning + +**Monitoring**: +- 24/7 security monitoring +- Intrusion detection +- Anomaly detection +- Incident response procedures + +### Organizational Controls + +**Personnel**: +- Background checks +- Security training +- Confidentiality agreements +- Access termination procedures + +**Policies**: +- Information security policy +- Acceptable use policy +- Incident response plan +- Business continuity plan + +**Audits**: +- Annual third-party audits +- Internal security assessments +- Penetration testing +- Compliance reviews + +## Breach Notification + +### Our Commitment + +In event of a data breach affecting partner data: + +**Within 24 hours**: +- Initial assessment +- Containment measures +- Internal notification + +**Within 72 hours**: +- Partner notification +- Regulatory notification (if required) +- Public disclosure (if required) + +**Ongoing**: +- Investigation updates +- Remediation progress +- Prevention measures + +### Notification Content + +Breach notifications include: + +- Nature and scope of breach +- Data types affected +- Number of affected records +- Actions taken +- Recommended partner actions +- Contact information for questions + +### Partner Obligations + +Partners must: +- Report suspected breaches to us immediately +- Cooperate in investigation +- Take recommended remediation steps +- Notify their users if required + +## Cross-Border Data Transfers + +### Mechanisms + +For international data transfers: + +**EU-US Data Privacy Framework**: [To be certified] + +**Standard Contractual Clauses**: Available for GDPR compliance + +**Adequacy Decisions**: Compliant with approved jurisdictions + +**On-Premise Solutions**: Keep data in specific regions + +### Partner Options + +Partners can request: + +- Specific data residency +- Regional processing only +- On-premise deployment +- Data localization + +## Subprocessors + +We use subprocessors for: + +| Service | Provider | Location | Purpose | +|---------|----------|----------|---------| +| Cloud Hosting | [TBD] | [Region] | Infrastructure | +| CDN | [TBD] | Global | Content delivery | +| Support | [TBD] | [Region] | Customer service | +| Analytics | [TBD] | [Region] | Usage metrics | + +**Notification**: Partners notified 30 days before new subprocessors + +**Objection**: Partners may object to new subprocessors + +**List**: Updated list maintained in partner portal + +## Privacy Impact Assessments + +We conduct DPIAs for: + +- New features with privacy implications +- Significant processing changes +- New data types collected +- Changes in third-party services + +Results shared with: +- Gold and Platinum partners (summary) +- Enterprise partners (full report) +- Regulators (as required) + +## Contact and DPO + +### Data Protection Officer + +**Email**: dpo@cuberai.example +**Role**: Privacy compliance and data subject requests + +### Privacy Questions + +**General**: privacy@cuberai.example +**Partners**: partner-privacy@cuberai.example +**Security**: security@cuberai.example + +### Supervisory Authority + +For EU/EEA partners, supervisory authority: +[To be specified based on primary establishment] + +## Updates + +This privacy policy updated: +- As needed for regulatory changes +- Annually at minimum +- Before implementing significant changes + +**Partner Notification**: +- Email notification +- 30-day notice period +- Option to terminate if unacceptable + +Last updated: 2025-12-31 + +--- + +*This document is part of our partnership agreement. Partners should review with legal counsel. For questions, contact partner-privacy@cuberai.example.* diff --git a/docs/partners/partnerships.md b/docs/partners/partnerships.md new file mode 100644 index 0000000..7be0f72 --- /dev/null +++ b/docs/partners/partnerships.md @@ -0,0 +1,298 @@ +--- +title: Partnership Opportunities +description: Learn about partnership models and collaboration opportunities +keywords: partnerships, collaboration, integration, business development +--- + +# Partnership Opportunities + +SmartContractAudit offers various partnership models to suit different organizational needs and goals. + +## Partnership Models + +### 1. Technology Partners + +**Overview**: Integrate SmartContractAudit into your platform, toolchain, or workflow. + +**Ideal For**: +- Developer tool providers +- Blockchain platforms +- IDE integrations +- CI/CD platforms +- Security tool vendors + +**Benefits**: +- Technical integration support +- API access and documentation +- Co-marketing opportunities +- Joint webinars and content +- Early access to new features +- Technical account manager + +**Requirements**: +- Active development commitment +- Public integration announcement +- Joint case study (optional) + +**Examples**: +- IDE plugin integration +- CI/CD pipeline integration +- Blockchain explorer integration +- Wallet security checks + +### 2. Enterprise Partners + +**Overview**: Large-scale deployments with custom requirements and dedicated support. + +**Ideal For**: +- Fortune 500 companies +- Financial institutions +- Government agencies +- Large blockchain projects +- Enterprise software vendors + +**Benefits**: +- Dedicated account team +- Custom SLA agreements +- On-premise deployment options +- White-label capabilities +- Custom feature development +- 24/7 priority support +- Compliance assistance +- Training and workshops + +**Requirements**: +- Minimum commitment (annual contract) +- Security and compliance requirements met +- Integration planning session + +**Customizations**: +- Private instance deployment +- Custom branding +- Specific compliance frameworks +- Industry-specific rules +- Air-gapped environments + +### 3. Strategic Sponsors + +**Overview**: Financial support with strategic advisory input. + +**Ideal For**: +- Venture capital firms +- Blockchain foundations +- Industry consortiums +- Corporate innovation labs +- Ecosystem funds + +**Benefits**: +- Advisory board participation +- Roadmap influence +- Investment updates and metrics +- Co-branding opportunities +- Speaking slots at events +- Preferred partner status +- Logo placement +- Public recognition + +**Tiers**: See [sponsorship_tiers.md](sponsorship_tiers.md) + +### 4. Reseller Partners + +**Overview**: Offer SmartContractAudit services to your clients with revenue sharing. + +**Ideal For**: +- Security consultancies +- Blockchain development agencies +- Managed service providers +- System integrators +- Audit firms + +**Benefits**: +- Revenue share model (30-40% typical) +- White-label options +- Sales and marketing materials +- Lead sharing +- Partner portal access +- Joint proposals +- Technical presales support + +**Requirements**: +- Proven sales capability +- Technical competency certification +- Minimum quarterly quota +- Client support capability + +### 5. Academic Partners + +**Overview**: Research collaborations and educational programs. + +**Ideal For**: +- Universities and research institutions +- Security research labs +- Blockchain education programs +- Computer science departments + +**Benefits**: +- Research collaboration +- Access to datasets (anonymized) +- Co-authored publications +- Student internships +- Grant opportunities +- Academic licensing +- Conference sponsorship + +**Opportunities**: +- Novel algorithm research +- Machine learning improvements +- Vulnerability pattern analysis +- Blockchain security research + +### 6. Ecosystem Partners + +**Overview**: Blockchain ecosystem integration and support. + +**Ideal For**: +- Layer 1 blockchain projects +- Layer 2 solutions +- DeFi protocols +- NFT platforms +- DAO tools + +**Benefits**: +- Native blockchain support +- Ecosystem-specific rules +- Joint security initiatives +- Developer grants +- Community collaboration +- Event participation + +**Integration Areas**: +- Pre-deployment scanning +- Continuous monitoring +- Governance integration +- Treasury protection + +## Partnership Process + +### Step 1: Initial Contact + +- Submit partnership inquiry via [contact.md](contact.md) +- Initial call to discuss objectives and fit +- NDA signing (if needed for sensitive discussions) + +### Step 2: Discovery + +- Detailed needs assessment +- Technical requirements gathering +- Use case validation +- ROI projection +- Timeline definition + +### Step 3: Proposal + +- Custom partnership proposal +- Pricing and terms +- Success metrics definition +- Legal review + +### Step 4: Agreement + +- Contract negotiation +- Security and compliance review +- Integration planning +- Kick-off meeting + +### Step 5: Onboarding + +- Technical onboarding (see [technical_onboarding.md](technical_onboarding.md)) +- Account setup +- Training sessions +- Integration support +- Go-live planning + +### Step 6: Launch + +- Integration deployment +- Testing and validation +- Public announcement (if agreed) +- Marketing campaign + +### Step 7: Ongoing + +- Regular business reviews +- Support and optimization +- Roadmap discussions +- Success measurement + +## Partner Expectations + +### From Partners + +We expect partners to: +- Maintain active communication +- Provide feedback on product and process +- Meet agreed-upon commitments +- Maintain security and quality standards +- Promote collaboration opportunities +- Share success stories (when appropriate) + +### From SmartContractAudit + +Partners can expect us to: +- Deliver on SLA commitments +- Provide responsive support +- Maintain product quality and security +- Communicate roadmap changes +- Honor partnership agreements +- Protect partner data and confidentiality + +## Partner Success Team + +Our partner success team includes: + +- **Partnership Manager**: Overall relationship and business outcomes +- **Technical Account Manager**: Integration and technical support +- **Customer Success Manager**: Adoption and value realization +- **Solutions Architect**: Custom implementations and best practices + +## Metrics and Reporting + +Partners receive: + +- Monthly/quarterly business reviews +- Usage analytics and insights +- Security findings summaries +- Performance metrics +- ROI tracking +- Health scores + +## Termination and Changes + +Partnerships can be: + +- **Modified**: By mutual agreement at any time +- **Renewed**: Annually or per contract terms +- **Terminated**: With 30-90 day notice (per agreement) +- **Transitioned**: To different tier or model + +## Competitive Partners + +We maintain strict confidentiality: + +- Separate account teams for competitors +- Information barriers in place +- No sharing of proprietary information +- Transparent conflict management + +## Next Steps + +Ready to become a partner? + +1. Read [sponsorship_tiers.md](sponsorship_tiers.md) for financial sponsorship +2. Review [technical_onboarding.md](technical_onboarding.md) for technical requirements +3. Check [data_privacy.md](data_privacy.md) for security and privacy details +4. Contact us via [contact.md](contact.md) to start the conversation + +--- + +*Partnership terms and availability subject to change. Contact us for the most current information and custom arrangements.* diff --git a/docs/partners/press_kit.md b/docs/partners/press_kit.md new file mode 100644 index 0000000..ef3e888 --- /dev/null +++ b/docs/partners/press_kit.md @@ -0,0 +1,486 @@ +--- +title: Press Kit +description: Media resources and branding guidelines for partners +keywords: press kit, media, branding, logos, guidelines, marketing +--- + +# Press Kit + +Media resources, branding guidelines, and marketing materials for SmartContractAudit partners and press. + +## Quick Downloads + +### Logos + +**Primary Logo Package**: [Download ZIP - to be hosted] + +Includes: +- Full color (PNG, SVG, AI) +- White version (PNG, SVG) +- Black version (PNG, SVG) +- Icon only (PNG, SVG) +- Multiple sizes + +### Partner Badges + +**Sponsor Badges**: [Download ZIP - to be hosted] + +Available for: +- Bronze Sponsor +- Silver Sponsor +- Gold Sponsor +- Platinum Sponsor +- Technology Partner +- Certified Integration + +### Marketing Templates + +**Social Media Templates**: [Download ZIP - to be hosted] + +Includes: +- Twitter/X headers and posts +- LinkedIn banners and posts +- Facebook covers and posts +- Instagram story templates + +## Brand Identity + +### Logo Variations + +#### Primary Logo +- **Use**: Default for most applications +- **Colors**: Full brand colors +- **Minimum Size**: 120px wide (digital), 1 inch wide (print) +- **Clear Space**: Minimum 1/4 logo height on all sides + +#### Icon/Symbol Only +- **Use**: Small spaces, social media avatars, app icons +- **Minimum Size**: 32px × 32px (digital) +- **Use independently when space constrained** + +#### Wordmark Only +- **Use**: Horizontal layouts, footer credits +- **Minimum Size**: 100px wide (digital) + +### Color Palette + +#### Primary Colors + +**Brand Blue** +- Hex: #0066CC +- RGB: 0, 102, 204 +- CMYK: 100, 50, 0, 20 +- Pantone: [TBD] + +**Deep Navy** +- Hex: #001F3F +- RGB: 0, 31, 63 +- CMYK: 100, 75, 0, 75 + +**White** +- Hex: #FFFFFF +- RGB: 255, 255, 255 +- CMYK: 0, 0, 0, 0 + +#### Secondary Colors + +**Accent Green** (Success) +- Hex: #00CC66 +- RGB: 0, 204, 102 + +**Warning Orange** +- Hex: #FF9900 +- RGB: 255, 153, 0 + +**Alert Red** +- Hex: #CC0033 +- RGB: 204, 0, 51 + +**Neutral Gray** +- Hex: #6C757D +- RGB: 108, 117, 125 + +### Typography + +#### Primary Font +**Inter** (Open source, free to use) +- Headings: Inter Bold +- Body: Inter Regular +- UI: Inter Medium + +**Fallback**: system-ui, -apple-system, sans-serif + +#### Secondary Font +**JetBrains Mono** (for code) +- Code snippets +- Technical documentation +- Terminal output + +**Fallback**: monospace + +### Logo Usage + +#### ✅ Do + +- Use official logo files provided +- Maintain proper clear space +- Use approved color variations +- Scale proportionally +- Ensure adequate contrast with background +- Use on approved backgrounds + +#### ❌ Don't + +- Distort, rotate, or modify the logo +- Change logo colors +- Add effects (shadows, glows, etc.) +- Place on busy backgrounds +- Use outdated versions +- Recreate or redraw the logo +- Use unapproved variations + +### Minimum Sizes + +**Digital**: +- Full logo: 120px wide +- Icon only: 32px × 32px +- Wordmark: 100px wide + +**Print**: +- Full logo: 1 inch wide +- Icon only: 0.25 inch +- Wordmark: 0.75 inch wide + +### Clear Space + +Maintain clear space around logo equal to: +- **Minimum**: 1/4 of logo height +- **Recommended**: 1/2 of logo height + +No text, graphics, or other elements should intrude into this space. + +### Background Usage + +#### Approved Backgrounds + +**Light backgrounds**: +- White +- Light gray (#F8F9FA) +- Light blue (#E3F2FD) + +**Dark backgrounds**: +- Black +- Deep navy (#001F3F) +- Dark gray (#212529) + +**Overlays**: +- Use white logo on dark images +- Use dark logo on light images +- Ensure contrast ratio ≥ 4.5:1 + +#### Not Approved + +- Busy patterns +- Low-contrast backgrounds +- Gradients (without testing) +- Photos (without sufficient contrast) + +## Partner Branding + +### Co-Branding Guidelines + +When featuring SmartContractAudit alongside your brand: + +**Logo Placement**: +- Equal prominence with partner logo +- Appropriate clear space maintained +- Aligned consistently (top, center, or baseline) + +**Sizing**: +- Similar visual weight +- Neither logo should dominate +- Maintain proportions + +**Spacing**: +- Adequate separation between logos +- Use divider if needed (vertical line, "&" symbol, "+" symbol) + +### Sponsor Badges + +Partners may display sponsor badges: + +**Bronze Tier**: +- Badge text: "Bronze Sponsor" +- Color: #CD7F32 +- Size: Standard or small + +**Silver Tier**: +- Badge text: "Silver Sponsor" +- Color: #C0C0C0 +- Size: Standard or medium + +**Gold Tier**: +- Badge text: "Gold Sponsor" +- Color: #FFD700 +- Size: Standard, medium, or large + +**Platinum Tier**: +- Badge text: "Platinum Sponsor" +- Color: #E5E4E2 +- Size: Any size + +### Partner Descriptions + +#### Approved Descriptions + +**Short** (Twitter, bios): +> "SmartContractAudit: AI-powered smart contract security auditing with on-chain automation." + +**Medium** (Web pages): +> "SmartContractAudit provides automated security auditing for smart contracts using AI workers and on-chain automation. Detect vulnerabilities early, deploy with confidence." + +**Long** (Press releases, about pages): +> "SmartContractAudit is an open-source platform for automated smart contract security auditing. Using AI-powered analysis and on-chain automation, it helps developers and organizations detect vulnerabilities, maintain security best practices, and deploy smart contracts with confidence. Trusted by leading DeFi protocols, NFT marketplaces, and blockchain enterprises." + +### Terminology + +**Correct**: +- SmartContractAudit (one word, camelCase) +- Smart contract auditing +- Security scanning +- Vulnerability detection +- AI-powered analysis + +**Avoid**: +- Smart Contract Audit (three words) +- SCA (ambiguous acronym) +- Contract checker +- Bug finder + +## Messaging + +### Key Messages + +**1. Security First** +- "Detect vulnerabilities before they become exploits" +- "Proactive security for blockchain applications" +- "Peace of mind for smart contract deployments" + +**2. AI-Powered** +- "Advanced AI analysis catches what manual reviews miss" +- "Machine learning trained on thousands of vulnerabilities" +- "Continuous improvement through AI" + +**3. Developer-Friendly** +- "Integrates with your existing workflow" +- "Real-time feedback during development" +- "Clear, actionable security recommendations" + +**4. Open Source** +- "Transparent, auditable, community-driven" +- "Trust through openness" +- "Contribute and customize" + +**5. Enterprise-Ready** +- "Scales from startups to enterprises" +- "Compliance and audit support" +- "On-premise deployment options" + +### Value Propositions + +**For Developers**: +- Catch bugs early when they're cheap to fix +- Learn security best practices +- Ship with confidence + +**For Security Teams**: +- Automate routine checks +- Focus on complex analysis +- Comprehensive coverage + +**For Organizations**: +- Reduce risk of exploits +- Faster development cycles +- Meet compliance requirements + +## Media Assets + +### Screenshots + +**Dashboard**: [Link to hosted image] +- Overview of scan results +- Use for: Product demos, presentations + +**IDE Integration**: [Link to hosted image] +- VS Code with real-time warnings +- Use for: Developer-focused content + +**Scan Report**: [Link to hosted image] +- Detailed vulnerability report +- Use for: Feature highlights + +**CLI Output**: [Link to hosted image] +- Terminal scan execution +- Use for: Technical documentation + +### Product Images + +**High-Resolution**: [Link to hosted images] +- Product screenshots (PNG, 300 DPI) +- Use for: Print, high-quality web + +**Web-Optimized**: [Link to hosted images] +- Product screenshots (JPG, optimized) +- Use for: Web, email + +### Team Photos + +**Founders/Leadership**: [Link to hosted images] +- Professional headshots +- Use for: About pages, press releases + +**Team**: [Link to hosted images] +- Group photos +- Use for: Culture, recruitment + +### Demo Videos + +**Product Demo** (2 minutes): [Link to video] +- Overview of key features +- Use for: Landing pages, presentations + +**Integration Tutorial** (5 minutes): [Link to video] +- Step-by-step integration guide +- Use for: Onboarding, documentation + +**Case Study Video** (3 minutes): [Link to video] +- Partner success story +- Use for: Marketing, sales + +## Press Information + +### Boilerplate + +**Short** (50 words): +> SmartContractAudit is an AI-powered security platform for smart contracts. The open-source tool integrates into development workflows to detect vulnerabilities and ensure secure blockchain deployments. Used by leading DeFi protocols, NFT marketplaces, and enterprises worldwide. + +**Long** (100 words): +> SmartContractAudit is an open-source platform providing automated security auditing for smart contracts through AI-powered analysis and on-chain automation. The platform integrates seamlessly into developer workflows via IDE plugins, CI/CD pipelines, and API integrations, enabling teams to detect vulnerabilities early and deploy with confidence. Founded in [Year], SmartContractAudit serves developers, security teams, and organizations across DeFi, NFTs, gaming, and enterprise blockchain applications. The platform combines automated scanning with human expertise, offering solutions from community tiers to enterprise deployments. Learn more at [URL]. + +### Key Facts + +- **Founded**: [Year] +- **Type**: Open Source +- **License**: Apache 2.0 +- **Headquarters**: [Location] +- **Employees**: [Number] +- **Contracts Scanned**: [Number] and growing +- **Partners**: [Number] across [Number] countries + +### Leadership + +**[Name]** - Founder & CEO +- Bio: [To be added] +- LinkedIn: [Link] +- Twitter: [Link] + +**[Name]** - CTO +- Bio: [To be added] +- LinkedIn: [Link] +- Twitter: [Link] + +### Press Contacts + +**Media Inquiries**: +- Email: press@cuberai.example +- Phone: [To be added] + +**Partnership Inquiries**: +- Email: partners@cuberai.example + +**General Information**: +- Website: [URL] +- Twitter: [@handle] +- LinkedIn: [Company page] +- GitHub: [Org page] + +## Recent News + +### Press Releases + +**[Date]** - [Title] +- Summary: [Brief description] +- Link: [URL] + +**[Date]** - [Title] +- Summary: [Brief description] +- Link: [URL] + +### Media Coverage + +**[Date]** - [Publication] +- Article: "[Title]" +- Link: [URL] + +**[Date]** - [Publication] +- Article: "[Title]" +- Link: [URL] + +## Partner Marketing + +### Co-Marketing Opportunities + +**Blog Posts**: +- Guest posts on partner blogs +- Cross-promotion +- Technical tutorials + +**Webinars**: +- Joint educational webinars +- Product demonstrations +- Q&A sessions + +**Events**: +- Conference sponsorship +- Booth presence +- Speaking opportunities + +**Social Media**: +- Cross-promotion +- Tag mentions +- Shared content + +**Case Studies**: +- Success stories +- Video testimonials +- Written case studies + +### Approval Process + +**Required for**: +- Press releases mentioning SmartContractAudit +- Co-branded materials +- Use of logo in marketing +- Public case studies + +**Contact**: partners@cuberai.example + +**Timeline**: 5 business days for review + +## Contact + +### Press Kit Questions + +- **Email**: press@cuberai.example +- **Download Full Kit**: [Link to ZIP] +- **Request Custom Assets**: [Contact form] + +### Partner Marketing + +- **Email**: partnerships@cuberai.example +- **Co-Marketing Opportunities**: [Calendar link] +- **Approval Requests**: partners@cuberai.example + +--- + +*Press kit and brand guidelines last updated: 2025-12-31. All trademarks and logos are property of their respective owners. Usage subject to brand guidelines and partnership agreements.* diff --git a/docs/partners/sla_and_support.md b/docs/partners/sla_and_support.md new file mode 100644 index 0000000..9234df7 --- /dev/null +++ b/docs/partners/sla_and_support.md @@ -0,0 +1,497 @@ +--- +title: SLA and Support +description: Service level agreements and support options for partners +keywords: SLA, support, uptime, response time, service level agreement +--- + +# SLA and Support + +This document outlines service level agreements (SLAs) and support commitments for SmartContractAudit partners. + +## Service Level Agreements + +### Uptime Commitments + +| Tier | Monthly Uptime | Downtime Allowance | Credits | +|------|---------------|-------------------|---------| +| Bronze | 99.0% | ~7.2 hours | 10% | +| Silver | 99.5% | ~3.6 hours | 25% | +| Gold | 99.9% | ~43 minutes | 50% | +| Platinum | 99.95% | ~21 minutes | 100% | + +**Measured**: Based on API availability monitoring +**Exclusions**: Scheduled maintenance (with 7-day notice) +**Credits**: Applied to next billing cycle + +### Response Time SLAs + +#### Critical Issues +*Service completely unavailable, data loss, security breach* + +| Tier | Acknowledgment | First Response | Resolution Target | +|------|---------------|----------------|------------------| +| Bronze | 4 hours | 8 hours | 24 hours | +| Silver | 2 hours | 4 hours | 12 hours | +| Gold | 1 hour | 2 hours | 8 hours | +| Platinum | 30 minutes | 1 hour | 4 hours | + +#### High Priority +*Major functionality impaired, significant performance degradation* + +| Tier | Acknowledgment | First Response | Resolution Target | +|------|---------------|----------------|------------------| +| Bronze | 8 hours | 1 business day | 3 business days | +| Silver | 4 hours | 12 hours | 2 business days | +| Gold | 2 hours | 4 hours | 1 business day | +| Platinum | 1 hour | 2 hours | 12 hours | + +#### Medium Priority +*Partial functionality affected, workarounds available* + +| Tier | Acknowledgment | First Response | Resolution Target | +|------|---------------|----------------|------------------| +| Bronze | 1 business day | 2 business days | 5 business days | +| Silver | 12 hours | 1 business day | 3 business days | +| Gold | 4 hours | 8 hours | 2 business days | +| Platinum | 2 hours | 4 hours | 1 business day | + +#### Low Priority +*Minor issues, feature requests, questions* + +| Tier | Acknowledgment | First Response | Resolution Target | +|------|---------------|----------------|------------------| +| Bronze | 2 business days | 3 business days | Best effort | +| Silver | 1 business day | 2 business days | 7 business days | +| Gold | 8 hours | 1 business day | 5 business days | +| Platinum | 4 hours | 8 hours | 3 business days | + +**Business Hours**: Monday-Friday, 9 AM - 5 PM PT (except holidays) +**24/7 Coverage**: Platinum tier only (for critical issues) + +### Performance SLAs + +#### API Response Times (95th percentile) + +| Tier | Scan Request | Result Retrieval | Other Endpoints | +|------|-------------|------------------|----------------| +| Bronze | < 5 seconds | < 2 seconds | < 1 second | +| Silver | < 3 seconds | < 1 second | < 500ms | +| Gold | < 2 seconds | < 500ms | < 250ms | +| Platinum | < 1 second | < 250ms | < 100ms | + +#### Scan Completion Times + +| Contract Size | Target Time | SLA | +|--------------|------------|-----| +| < 100 lines | 30 seconds | 2 minutes | +| 100-500 lines | 2 minutes | 5 minutes | +| 500-1000 lines | 5 minutes | 15 minutes | +| 1000-5000 lines | 15 minutes | 45 minutes | +| > 5000 lines | 60 minutes | 3 hours | + +**Note**: Complex contracts may take longer; estimates provided during submission + +## Support Channels + +### Email Support + +**Available to**: All tiers + +**Email addresses**: +- General: support@cuberai.example +- Technical: technical-support@cuberai.example +- Security: security@cuberai.example + +**Response times**: Per SLA table above + +### Partner Portal + +**Available to**: All tiers + +**Features**: +- Ticket submission and tracking +- Knowledge base access +- Documentation +- API key management +- Usage dashboards +- Billing information + +**URL**: https://partners.smartcontractaudit.example + +### Chat Support + +**Available to**: Silver tier and above + +**Platforms**: +- Slack Connect (preferred) +- Discord (for open source partners) +- Microsoft Teams (enterprise) + +**Hours**: +- Silver: Business hours +- Gold: Extended hours (6 AM - 8 PM PT) +- Platinum: 24/7 + +### Phone Support + +**Available to**: Gold and Platinum tiers + +**Numbers**: +- US: [To be provided] +- EU: [To be provided] +- APAC: [To be provided] + +**Hours**: +- Gold: Business hours +- Platinum: 24/7 emergency hotline + +### Dedicated Account Manager + +**Available to**: Gold and Platinum tiers + +**Responsibilities**: +- Strategic relationship management +- Quarterly business reviews +- Escalation point +- Roadmap discussions +- Success planning + +**Contact**: Direct email and phone + +### Technical Account Manager + +**Available to**: Platinum tier + +**Responsibilities**: +- Integration support +- Architecture guidance +- Performance optimization +- Custom development coordination +- Technical escalations + +**Contact**: Direct access via Slack/Teams + +## Support Scope + +### Included Support + +✅ **In Scope**: +- Product functionality questions +- API usage guidance +- Integration troubleshooting +- Bug reports and fixes +- Performance issues +- Security concerns +- Account management +- Billing questions + +### Excluded Support + +❌ **Out of Scope**: +- Custom development (billable) +- Third-party integrations (unless documented) +- Smart contract development advice +- General blockchain education +- Partner's internal infrastructure +- End-user support (partner's users) +- Code review (outside scanning) + +**Note**: Out-of-scope items may be available as paid services + +## Incident Management + +### Severity Definitions + +**Critical (P0)**: +- Complete service outage +- Data breach or loss +- Security vulnerability +- Affects all users + +**High (P1)**: +- Major functionality unavailable +- Significant performance degradation +- Affects multiple partners +- Revenue impact + +**Medium (P2)**: +- Partial functionality impaired +- Workarounds available +- Limited user impact +- Minor performance issues + +**Low (P3)**: +- Cosmetic issues +- Feature requests +- Documentation errors +- Minor bugs + +### Escalation Process + +**Level 1**: Support Engineer +- Initial triage and troubleshooting +- Resolution of common issues +- Documentation of complex issues + +**Level 2**: Senior Engineer +- Complex technical issues +- Integration problems +- Performance optimization +- Escalations from Level 1 + +**Level 3**: Engineering Team +- Product bugs +- Architecture issues +- Security concerns +- Code-level fixes + +**Level 4**: Leadership +- Service outages +- Major incidents +- Business-critical issues +- Emergency escalations + +### Partner Escalation + +Partners can escalate via: + +1. **Account Manager** (Gold/Platinum) +2. **Email**: escalations@cuberai.example +3. **Emergency Hotline** (Platinum, critical only) +4. **Partner Portal** (mark as urgent) + +**When to escalate**: +- SLA at risk +- Inadequate response +- Business-critical impact +- Urgent security concerns + +## Maintenance Windows + +### Scheduled Maintenance + +**Frequency**: Monthly (typically) +**Duration**: 1-4 hours +**Notice**: 7 days advance +**Window**: Sundays, 2-6 AM PT + +**Communication**: +- Email notification +- Status page update +- In-app notification +- API headers (upcoming maintenance) + +### Emergency Maintenance + +**When**: Critical security or stability issues +**Notice**: As much as possible (minimum 2 hours) +**Duration**: Minimized +**Communication**: Real-time updates + +### Zero-Downtime Deployments + +Most updates deployed without downtime: +- Feature releases +- Bug fixes +- Performance improvements +- Minor updates + +## Status and Monitoring + +### Status Page + +**URL**: https://status.smartcontractaudit.example + +**Information**: +- Current system status +- Incident history +- Scheduled maintenance +- Performance metrics +- Subscribe for alerts + +**Components Monitored**: +- API endpoints +- Web interface +- Scanning service +- Authentication service +- Webhook delivery + +### Monitoring and Alerts + +**Real-time Monitoring**: +- Uptime (1-minute intervals) +- Response times +- Error rates +- Queue depths +- Resource utilization + +**Alerting**: +- Partners notified of issues affecting them +- Status page updates +- Email notifications +- Slack/Discord updates (if configured) + +## Credits and Refunds + +### Service Credits + +**Calculation**: +``` +Credit = (Monthly Fee / 30 / 24) × Hours Down +``` + +**Example**: +- Gold tier: $5,000/month +- Outage: 2 hours +- Credit: ($5,000 / 30 / 24) × 2 = $13.89 + +**Application**: +- Automatically calculated +- Applied to next invoice +- Must request within 30 days +- Maximum: 100% of monthly fee + +### Refund Policy + +**Pro-rated Refunds**: +- Annual plans: Unused months refunded +- Cancellation: 30-day notice required +- First month: Full refund if < 14 days + +**No Refunds**: +- Service credits (in lieu of refunds) +- Monthly subscriptions +- Usage-based charges already incurred + +## Support Best Practices + +### For Partners + +**Effective Support Requests**: +- Clear description of issue +- Steps to reproduce +- Expected vs actual behavior +- Environment details +- Error messages/logs +- Impact assessment +- Urgency justification + +**Example Good Request**: +``` +Subject: [Critical] API 500 errors on scan submission + +Description: Receiving consistent 500 errors when submitting +scans via API since 2025-12-31 10:00 AM PT. + +Impact: All production scans failing. ~50 customers affected. + +Reproduction: +1. POST to /v1/scan +2. Sample payload: {...} +3. Response: 500 Internal Server Error + +Environment: +- API Key: pk_live_abc... +- Endpoint: api.smartcontractaudit.example +- Request ID: req_xyz123 + +Urgency: Critical - production down, revenue impact +``` + +### Response Expectations + +**What We Provide**: +- Acknowledgment within SLA +- Regular status updates +- Clear communication +- Root cause analysis (post-mortem) +- Prevention steps + +**What We Need**: +- Accurate information +- Timely responses +- Testing cooperation +- Feedback on resolutions + +## Training and Onboarding + +### Included Training + +**All Tiers**: +- Self-service documentation +- Video tutorials +- Webinar recordings + +**Silver and Above**: +- Live onboarding session (1 hour) +- Q&A sessions (monthly) + +**Gold and Above**: +- Custom training sessions (2/year) +- Dedicated onboarding (4 hours) +- Best practices workshop + +**Platinum**: +- On-site training (2/year) +- Custom curriculum +- Executive briefings +- Ongoing education program + +### Additional Training + +**Available as Add-on**: +- Advanced technical training +- Security best practices +- Integration workshops +- Team enablement + +**Pricing**: $2,000-$5,000 per day + +## Feedback and Improvement + +### Satisfaction Surveys + +**After Each Ticket**: +- Resolution satisfaction +- Response time +- Support quality + +**Quarterly**: +- Overall satisfaction +- Product feedback +- Feature requests +- Improvement suggestions + +### Continuous Improvement + +**We Use Feedback To**: +- Improve support processes +- Enhance documentation +- Prioritize features +- Train support team +- Refine SLAs + +**Partner Advisory Board**: +- Quarterly meetings +- Gold and Platinum partners +- Product direction input +- Support policy feedback + +## Contact + +### Support Contacts + +- **General Support**: support@cuberai.example +- **Technical**: technical-support@cuberai.example +- **Escalations**: escalations@cuberai.example +- **Account Management**: accounts@cuberai.example + +### Emergency Contacts + +- **Critical Issues**: [Phone number - Platinum only] +- **Security Incidents**: security@cuberai.example (monitored 24/7) +- **Status Page**: https://status.smartcontractaudit.example + +--- + +*SLAs and support terms effective 2025-12-31. Subject to partnership agreement. For questions, contact your account manager or support@cuberai.example.* diff --git a/docs/partners/sponsorship_tiers.md b/docs/partners/sponsorship_tiers.md new file mode 100644 index 0000000..f1a9669 --- /dev/null +++ b/docs/partners/sponsorship_tiers.md @@ -0,0 +1,350 @@ +--- +title: Sponsorship Tiers +description: Financial sponsorship levels and benefits +keywords: sponsorship, funding, tiers, benefits, support +--- + +# Sponsorship Tiers + +Support SmartContractAudit through financial sponsorship and receive benefits based on your commitment level. + +## Overview + +Sponsorships help us: +- Maintain and improve the project +- Provide security updates and patches +- Develop new features +- Support the open-source community +- Cover infrastructure and operational costs +- Host events and create educational content + +## Tier Structure + +### 🥉 Bronze Tier +**$500/month or $5,000/year** + +**Benefits**: +- Logo on README and website (small) +- Mention in release notes +- Sponsor badge on GitHub +- Public thank you on social media +- Access to sponsor-only updates +- Community support (public channels) +- 2 support tickets/month (2-day response) + +**Ideal For**: Small teams, startups, community supporters + +--- + +### 🥈 Silver Tier +**$2,000/month or $20,000/year** + +**All Bronze benefits, plus**: +- Larger logo placement on website +- Quarterly sponsor showcase +- Priority support tickets (4/month, 1-day response) +- Early access to new features (beta) +- Invitation to quarterly roadmap discussions +- Co-marketing opportunity (1 blog post/year) +- Listed as Silver Sponsor in documentation + +**Ideal For**: Growing companies, active blockchain projects + +--- + +### 🥇 Gold Tier +**$5,000/month or $50,000/year** + +**All Silver benefits, plus**: +- Premium logo placement (top of page) +- Dedicated account manager +- Priority support (10 tickets/month, 4-hour response) +- Monthly 1:1 check-ins +- Advisory input on roadmap +- Early access to all features +- Custom integration support (up to 40 hours/year) +- Co-marketing opportunities (quarterly) +- Case study development +- Speaking slot at annual event +- Listed as Gold Sponsor across all materials + +**Ideal For**: Established companies, major protocols, enterprise users + +--- + +### 💎 Platinum Tier +**$10,000/month or $100,000/year** + +**All Gold benefits, plus**: +- Exclusive top-tier logo placement +- Executive sponsor relationship +- Unlimited priority support (2-hour response) +- Weekly sync calls (optional) +- Significant roadmap influence +- Custom feature development (up to 160 hours/year) +- Dedicated Slack/Discord channel +- White-label options +- Private instance deployment option +- On-site visits and training (2/year) +- Prominent brand association +- Board observer seat (optional) +- Premier sponsor recognition + +**Ideal For**: Fortune 500, major foundations, strategic investors + +--- + +### 🌟 Custom / Strategic +**Contact for pricing** + +**Fully customized package** tailored to your: +- Budget and business needs +- Technical requirements +- Marketing objectives +- Strategic goals + +**May Include**: +- Joint venture arrangements +- Equity partnerships +- Revenue sharing models +- Exclusive partnerships +- Custom development contracts +- Market-specific deployments + +**Contact**: partners@cuberai.example + +--- + +## Comparison Matrix + +| Benefit | Bronze | Silver | Gold | Platinum | +|---------|--------|--------|------|----------| +| **Price (monthly)** | $500 | $2,000 | $5,000 | $10,000+ | +| **Logo Placement** | Small | Medium | Large | Premium | +| **Support Tickets/month** | 2 | 4 | 10 | Unlimited | +| **Response Time** | 2 days | 1 day | 4 hours | 2 hours | +| **Account Manager** | ❌ | ❌ | ✅ | ✅ (Executive) | +| **Early Access** | ❌ | Beta | All | All + Custom | +| **Roadmap Input** | ❌ | Quarterly | Monthly | Weekly | +| **Custom Integration** | ❌ | ❌ | 40h/year | 160h/year | +| **Co-marketing** | ❌ | 1/year | 4/year | Unlimited | +| **Private Instance** | ❌ | ❌ | ❌ | ✅ | +| **On-site Visits** | ❌ | ❌ | ❌ | 2/year | + +## Payment Options + +### GitHub Sponsors +- Monthly or annual billing +- Credit card payments +- Displayed on GitHub profile +- Tax receipts available + +### OpenCollective +- Transparent budget +- Multiple payment methods +- Non-profit fiscal hosting +- Public ledger + +### Direct Payment +- Invoice billing (annual only) +- Wire transfer or ACH +- Purchase order supported +- Custom terms available + +### Cryptocurrency +- Bitcoin, Ethereum accepted +- Stablecoin options (USDC, USDT) +- Multi-sig custody +- Annual commitment required + +## Enterprise Packages + +Beyond sponsorship, we offer enterprise packages with: + +### On-Premise Deployment +- Self-hosted instance +- Air-gapped environments +- Custom security requirements +- Data residency compliance + +### White Label Solutions +- Custom branding +- Private repositories +- Dedicated infrastructure +- SLA guarantees + +**Pricing**: Custom (typically $50k-$200k/year) + +## Add-Ons + +Available for Silver tier and above: + +| Add-On | Price | Description | +|--------|-------|-------------| +| Extra Support Hours | $200/hour | Beyond tier allocation | +| Custom Development | $250/hour | Bespoke features | +| Training Workshop | $5,000/day | On-site or virtual | +| Security Audit | $10,000 | Code review by experts | +| Dedicated Hosting | $2,000/month | Private infrastructure | +| Premium Support | $1,000/month | 24/7 coverage | + +## Non-Profit and Academic + +Special pricing available: + +### Non-Profit Organizations +- 50% discount on all tiers +- Verification required (501(c)(3) or equivalent) +- Mission-aligned projects prioritized + +### Academic Institutions +- 60% discount for research use +- Free for educational programs +- Student projects eligible for Bronze tier free +- Must be accredited institution + +### Open Source Projects +- Free Bronze tier for qualifying projects +- 70% discount on Silver/Gold tiers +- Requirements: + - OSI-approved license + - Active community + - Public repository + - Security focus + +## Commitment Terms + +### Monthly Sponsorship +- Cancel anytime +- 30-day notice for tier changes +- Prorated refunds not available +- Benefits active while current + +### Annual Sponsorship +- Save 16-20% vs monthly +- 12-month commitment +- Benefits for full year +- Renewal discount available + +### Multi-Year Deals +- Contact for pricing +- Additional discounts +- Price lock guarantee +- Priority roadmap consideration + +## Renewal and Upgrades + +### Renewals +- Automatic renewal by default +- 60-day notice for cancellation +- Renewal discount (5-10%) +- Grandfathered pricing on tier changes + +### Upgrades +- Prorated for remainder of period +- Immediate benefit activation +- No penalty fees +- Anytime during term + +### Downgrades +- Applied at next renewal +- Current tier benefits maintained until then +- No mid-term downgrades + +## Brand Usage + +Sponsors receive: + +### Logo Kit +- High-resolution logos +- Multiple formats (PNG, SVG, AI) +- Light and dark versions +- Usage guidelines + +### Marketing Materials +- Sponsor badge graphics +- Social media templates +- Press release template +- Approved messaging + +### Usage Rights +- Sponsor may display "Sponsor of SmartContractAudit" +- Use project logo in sponsor context +- Subject to brand guidelines +- No exclusive claims + +## Reporting and Transparency + +Sponsors receive: + +### Financial Transparency +- Budget reports (OpenCollective) +- Spending allocation +- Project milestones +- Impact metrics + +### Technical Metrics +- Usage statistics (aggregated) +- Security findings data +- Performance benchmarks +- Adoption trends + +### Community Health +- Contributor growth +- Issue resolution rates +- Release cadence +- Satisfaction scores + +## Sponsor Showcase + +Sponsors featured in: + +- **Website**: Sponsor page with logos and descriptions +- **GitHub**: FUNDING.yml and README badges +- **Documentation**: Acknowledgments section +- **Releases**: Special thanks in release notes +- **Events**: Recognition at sponsored events +- **Social Media**: Regular sponsor spotlights + +## Frequently Asked Questions + +### Can we sponsor specific features? +Yes! Contact us for custom sponsorship of features, research areas, or initiatives. + +### What if we outgrow our tier mid-year? +You can upgrade anytime with prorated pricing. Benefits activate immediately. + +### Do you offer quarterly payments? +Annual sponsorships only. Monthly sponsors billed monthly. + +### Can we remain anonymous? +Yes, though some benefits (logo placement, etc.) require public recognition. + +### Are sponsorships tax-deductible? +Depends on jurisdiction. OpenCollective can provide 501(c)(3) receipts in US. + +### What happens if we cancel? +Benefits end at current period completion. No hard feelings, no penalties. + +## Getting Started + +Ready to sponsor? + +1. **Choose your tier** based on needs and budget +2. **Select payment method** (GitHub Sponsors, OpenCollective, or Direct) +3. **Complete sign-up** with contact and billing information +4. **Receive onboarding** materials and account setup +5. **Start receiving benefits** immediately + +## Contact + +Questions about sponsorship? + +- **Email**: sponsors@cuberai.example +- **Schedule Call**: [Calendly link to be added] +- **GitHub Sponsors**: [Link to be added] +- **OpenCollective**: [Link to be added] + +--- + +*Pricing and terms effective as of 2025-12-31. Subject to change with 60-day notice. Custom arrangements available for unique needs.* diff --git a/docs/partners/technical_onboarding.md b/docs/partners/technical_onboarding.md new file mode 100644 index 0000000..1aca4e8 --- /dev/null +++ b/docs/partners/technical_onboarding.md @@ -0,0 +1,543 @@ +--- +title: Technical Onboarding +description: Getting started with SmartContractAudit integration +keywords: onboarding, integration, API, setup, technical, development +--- + +# Technical Onboarding + +This guide helps partners integrate SmartContractAudit into their workflows, platforms, and products. + +## Prerequisites + +Before starting, ensure you have: + +- [ ] Partnership agreement signed +- [ ] Account credentials received +- [ ] API keys generated (if applicable) +- [ ] Access to partner portal +- [ ] Technical point of contact designated + +## Quick Start + +### 1. Access Setup + +**Partner Portal**: https://partners.smartcontractaudit.example + +1. Log in with provided credentials +2. Generate API keys +3. Configure webhooks (optional) +4. Set up team access + +### 2. Environment Setup + +```bash +# Install CLI tool +npm install -g @smartcontractaudit/cli + +# Authenticate +smartcontractaudit login --api-key YOUR_API_KEY + +# Verify connection +smartcontractaudit status +``` + +### 3. First Scan + +```bash +# Scan a smart contract +smartcontractaudit scan ./contracts/Token.sol + +# View results +smartcontractaudit results --latest +``` + +## Integration Paths + +### Path A: CI/CD Integration + +**Ideal for**: Automated scanning in development pipeline + +**Steps**: + +1. **Add GitHub Action** (or equivalent): + +```yaml +# .github/workflows/security-scan.yml +name: Smart Contract Security Scan + +on: + pull_request: + paths: + - 'contracts/**' + push: + branches: + - main + +jobs: + scan: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + - name: SmartContractAudit Scan + uses: smartcontractaudit/scan-action@v1 + with: + api-key: ${{ secrets.SCA_API_KEY }} + path: './contracts' + fail-on: 'high' + + - name: Upload Results + uses: actions/upload-artifact@v3 + with: + name: audit-report + path: audit-report.md +``` + +2. **Configure secrets** in repository settings + +3. **Test workflow** with a PR + +**Supported CI/CD Platforms**: +- GitHub Actions +- GitLab CI +- Jenkins +- CircleCI +- Travis CI +- Azure DevOps +- Bitbucket Pipelines + +### Path B: API Integration + +**Ideal for**: Custom tools, platforms, and services + +**API Endpoint**: `https://api.smartcontractaudit.example/v1` + +**Authentication**: Bearer token in Authorization header + +**Example Request**: + +```bash +curl -X POST https://api.smartcontractaudit.example/v1/scan \ + -H "Authorization: Bearer YOUR_API_KEY" \ + -H "Content-Type: application/json" \ + -d '{ + "source_code": "contract Token { ... }", + "language": "solidity", + "options": { + "severity_threshold": "medium", + "dry_run": false + } + }' +``` + +**Response**: + +```json +{ + "scan_id": "scan_abc123", + "status": "completed", + "findings": [ + { + "id": "finding_001", + "severity": "high", + "type": "reentrancy", + "location": "Token.sol:45", + "description": "Potential reentrancy vulnerability", + "recommendation": "Use ReentrancyGuard pattern" + } + ], + "summary": { + "high": 1, + "medium": 3, + "low": 5 + } +} +``` + +**API Documentation**: [Full API docs to be provided] + +### Path C: Web Interface Embed + +**Ideal for**: Embedding audit functionality in web apps + +**Widget Code**: + +```html + +
+ +``` + +**Configuration Options**: +- Theme (light/dark) +- Language support +- Severity filters +- Custom branding (enterprise) + +### Path D: CLI Integration + +**Ideal for**: Developer tools, local development + +**Installation**: + +```bash +npm install -g @smartcontractaudit/cli +# or +pip install smartcontractaudit-cli +# or +brew install smartcontractaudit +``` + +**Usage**: + +```bash +# Scan contracts +sca scan ./contracts + +# Watch for changes +sca watch ./contracts + +# Generate report +sca report --format pdf --output audit.pdf + +# Configure +sca config set api-key YOUR_KEY +sca config set severity-threshold high +``` + +### Path E: IDE Plugin + +**Ideal for**: Real-time feedback during development + +**Supported IDEs**: +- VS Code +- IntelliJ IDEA +- Vim/Neovim +- Sublime Text + +**VS Code Example**: + +1. Install extension: "SmartContractAudit" +2. Configure API key in settings +3. Open `.sol` file +4. Automatic scanning on save +5. Inline warnings and suggestions + +## Configuration + +### API Keys + +**Generation**: +1. Log in to partner portal +2. Navigate to API Keys +3. Create new key with appropriate scope +4. Store securely (never commit to code) + +**Key Types**: +- **Read-only**: View reports, no scanning +- **Scan**: Perform scans, view results +- **Admin**: Full account access + +**Security Best Practices**: +- Rotate keys every 90 days +- Use environment variables +- Separate keys per environment +- Monitor usage for anomalies + +### Webhooks + +**Setup**: +1. Configure webhook URL in partner portal +2. Choose events to receive: + - `scan.completed` + - `scan.failed` + - `finding.critical` + - `report.generated` + +3. Verify webhook signature + +**Webhook Payload Example**: + +```json +{ + "event": "scan.completed", + "timestamp": "2025-12-31T12:00:00Z", + "data": { + "scan_id": "scan_abc123", + "status": "completed", + "findings_count": { + "high": 1, + "medium": 3, + "low": 5 + }, + "report_url": "https://api.../reports/scan_abc123" + }, + "signature": "sha256=..." +} +``` + +**Signature Verification**: + +```javascript +const crypto = require('crypto'); + +function verifyWebhook(payload, signature, secret) { + const hmac = crypto.createHmac('sha256', secret); + const digest = 'sha256=' + hmac.update(payload).digest('hex'); + return crypto.timingSafeEqual( + Buffer.from(signature), + Buffer.from(digest) + ); +} +``` + +## Testing + +### Sandbox Environment + +**Endpoint**: `https://sandbox.smartcontractaudit.example` + +**Characteristics**: +- Free for partners +- No rate limits +- Test data only +- Identical API to production + +**Usage**: + +```bash +# Set environment +export SCA_ENV=sandbox +export SCA_API_KEY=sandbox_key_... + +# Run tests +npm test +``` + +### Test Contracts + +Sample contracts provided for testing: + +```bash +# Clone test repository +git clone https://github.com/SmartContractAudit/test-contracts.git + +# Scan test contracts +sca scan test-contracts/vulnerable/ +sca scan test-contracts/secure/ +``` + +**Test Scenarios**: +- Reentrancy vulnerabilities +- Integer overflow/underflow +- Access control issues +- Unprotected self-destruct +- Delegatecall issues + +## Rate Limits + +### By Tier + +| Tier | Scans/day | API Calls/min | Concurrent Scans | +|------|-----------|---------------|------------------| +| Bronze | 100 | 10 | 2 | +| Silver | 500 | 30 | 5 | +| Gold | 2,000 | 100 | 10 | +| Platinum | 10,000 | 500 | 50 | +| Custom | Custom | Custom | Custom | + +### Rate Limit Headers + +``` +X-RateLimit-Limit: 100 +X-RateLimit-Remaining: 87 +X-RateLimit-Reset: 1672531200 +``` + +### Handling Rate Limits + +```javascript +async function scanWithRetry(contract, maxRetries = 3) { + for (let i = 0; i < maxRetries; i++) { + try { + return await scan(contract); + } catch (error) { + if (error.status === 429) { + const resetTime = error.headers['x-ratelimit-reset']; + const waitTime = resetTime - Date.now()/1000; + await sleep(waitTime * 1000); + } else { + throw error; + } + } + } +} +``` + +## Support During Onboarding + +### Dedicated Support + +Partners receive: + +- **Kick-off call**: 60-minute technical overview +- **Slack/Discord channel**: Direct access to engineering team +- **Documentation**: Private technical docs +- **Code reviews**: Review of integration code +- **Pair programming**: Available for complex integrations + +### Timeline + +Typical onboarding timeline: + +| Week | Activity | +|------|----------| +| 1 | Account setup, API key generation, kick-off call | +| 2 | Development environment setup, first test scan | +| 3 | Integration development, testing | +| 4 | Staging deployment, validation | +| 5 | Production deployment, monitoring | +| 6 | Optimization, training, go-live | + +### Checkpoints + +- [ ] Week 1: Kick-off completed, access granted +- [ ] Week 2: First successful test scan +- [ ] Week 3: Integration code reviewed +- [ ] Week 4: Staging tests passing +- [ ] Week 5: Production deployment +- [ ] Week 6: Go-live and monitoring + +## Monitoring and Observability + +### Dashboards + +Partners have access to: + +- **Usage Dashboard**: API calls, scans, quota +- **Performance Metrics**: Response times, success rates +- **Security Dashboard**: Findings trends, severity distribution +- **Billing Dashboard**: Usage-based billing details + +### Alerts + +Configure alerts for: + +- High-severity findings +- API errors or downtime +- Rate limit warnings +- Unusual activity patterns +- Integration failures + +### Logs + +Access to: + +- API request logs (30-day retention) +- Scan history +- Webhook delivery logs +- Error logs and stack traces + +## Troubleshooting + +### Common Issues + +**Authentication Errors**: +``` +Error: 401 Unauthorized +Solution: Verify API key is correct and not expired +``` + +**Rate Limit Exceeded**: +``` +Error: 429 Too Many Requests +Solution: Implement exponential backoff, upgrade tier +``` + +**Scan Timeouts**: +``` +Error: 504 Gateway Timeout +Solution: Break large contracts into smaller chunks +``` + +### Debug Mode + +Enable verbose logging: + +```bash +# CLI +sca scan --debug ./contracts + +# API +curl ... -H "X-Debug: true" +``` + +### Support Channels + +- **Slack/Discord**: Real-time help during onboarding +- **Email**: technical-support@cuberai.example +- **Portal**: Submit tickets with priority queue +- **Office Hours**: Weekly Q&A sessions for partners + +## Best Practices + +### Security + +- Never commit API keys to repositories +- Use environment variables or secret management +- Rotate keys regularly +- Monitor usage for anomalies +- Enable IP whitelisting (enterprise) + +### Performance + +- Cache scan results where appropriate +- Use webhooks instead of polling +- Batch similar scans +- Implement exponential backoff for retries +- Monitor rate limits proactively + +### Integration Quality + +- Handle all error cases gracefully +- Provide clear feedback to users +- Log errors for debugging +- Test in sandbox first +- Validate before production deployment + +## Next Steps + +After technical onboarding: + +1. **Production Deployment**: Move from sandbox to production +2. **Training**: Schedule team training sessions +3. **Marketing**: Plan co-marketing announcements +4. **Feedback**: Provide integration feedback +5. **Optimization**: Iterate based on usage patterns + +## Resources + +- **API Documentation**: [Link to be provided] +- **SDK Libraries**: GitHub repositories +- **Sample Code**: Integration examples +- **Video Tutorials**: Onboarding videos +- **Changelog**: API and feature updates + +## Contact + +Technical onboarding questions: + +- **Email**: technical-onboarding@cuberai.example +- **Slack**: #partner-onboarding channel +- **Schedule**: [Calendar link for technical calls] + +--- + +*Technical documentation updated regularly. Check partner portal for latest API versions and features.* diff --git a/docs/partners/use_cases.md b/docs/partners/use_cases.md new file mode 100644 index 0000000..e322481 --- /dev/null +++ b/docs/partners/use_cases.md @@ -0,0 +1,415 @@ +--- +title: Use Cases and Success Stories +description: Real-world applications and partner success stories +keywords: use cases, case studies, success stories, examples, applications +--- + +# Use Cases and Success Stories + +Discover how partners are using SmartContractAudit to secure their blockchain applications and smart contracts. + +## Industry Applications + +### DeFi Protocols + +**Challenge**: Securing decentralized finance protocols against vulnerabilities that could lead to exploits and loss of user funds. + +**Solution**: Integrate SmartContractAudit into CI/CD pipeline for continuous security scanning of smart contracts before deployment. + +**Results**: +- 100% pre-deployment scanning coverage +- Average 12 high-severity issues caught per release +- Zero production exploits since integration +- 40% faster security review cycle + +**Partner Quote**: *"SmartContractAudit has become an essential part of our security stack. It catches issues early when they're cheap to fix."* - DeFi Protocol CTO + +### NFT Marketplaces + +**Challenge**: Protecting NFT smart contracts from minting vulnerabilities, access control issues, and reentrancy attacks. + +**Solution**: Real-time scanning of user-submitted contracts before deployment, with automated flagging of suspicious patterns. + +**Results**: +- 10,000+ contracts scanned monthly +- 95% of malicious contracts blocked pre-deployment +- Significant reduction in user support tickets +- Enhanced platform reputation + +**Use Case**: Automated scanning API integrated into marketplace deployment flow + +### Enterprise Blockchain + +**Challenge**: Meeting compliance requirements for financial institution's permissioned blockchain application. + +**Solution**: Private deployment with custom rule sets for financial compliance, automated audit trails, and regulatory reporting. + +**Results**: +- Passed SOC 2 audit with security scanning evidence +- Automated compliance documentation +- 60% reduction in audit preparation time +- Satisfies regulatory requirements + +**Deployment**: On-premise installation with air-gapped environment + +### DAO Governance + +**Challenge**: Securing complex governance smart contracts managing millions in treasury funds. + +**Solution**: Pre-deployment deep analysis, continuous monitoring post-deployment, and automated alerts for suspicious transactions. + +**Results**: +- Treasury protected from known vulnerabilities +- Real-time alerts prevented 2 potential exploits +- Governance upgrades verified before execution +- Community confidence increased + +**Integration**: GitHub Actions + webhook alerts to Discord + +### Blockchain Gaming + +**Challenge**: Rapid iteration on game mechanics requires frequent smart contract updates while maintaining security. + +**Solution**: IDE integration for real-time feedback during development, with CI/CD integration for pre-merge scanning. + +**Results**: +- Developers catch 80% of issues before committing code +- 3x faster development cycle +- Zero security-related rollbacks in 6 months +- Player assets remain secure + +**Tools Used**: VS Code extension + GitHub Actions + +## Partner Success Stories + +### Case Study 1: Major DeFi Protocol + +**Partner**: [Anonymized] - Top 10 DeFi protocol by TVL + +**Background**: +- $500M+ TVL +- Complex yield optimization strategies +- Frequent contract updates +- Previous security incidents + +**Implementation**: +- Gold tier sponsorship +- Full CI/CD integration +- Custom rule sets for their specific patterns +- Dedicated security advisory + +**Timeline**: +- Week 1: Integration and training +- Week 2: First production scans +- Month 1: Caught 15 critical issues +- Month 3: Zero production incidents +- Month 6: 50% faster release cycle + +**Metrics**: +- **Before**: 3-4 weeks per security review cycle +- **After**: 1-2 weeks with higher confidence +- **Issues Prevented**: 47 high/critical in 6 months +- **ROI**: 15x (based on prevented exploits) + +**Quote**: *"The integration paid for itself in the first month by catching a critical reentrancy bug that could have cost us millions."* + +### Case Study 2: Blockchain Development Agency + +**Partner**: [Anonymized] - Full-service blockchain consultancy + +**Background**: +- 50+ clients +- Diverse contract types +- Multi-chain deployments +- High client security expectations + +**Implementation**: +- Reseller partnership +- White-label integration +- Revenue share model +- Joint marketing + +**Benefits**: +- Added value service for clients +- Differentiation from competitors +- Additional revenue stream (30% share) +- Enhanced client satisfaction + +**Growth**: +- 200+ contracts scanned monthly +- 85% client retention increase +- $50k+ monthly recurring revenue +- 3 new enterprise clients directly attributed + +**Quote**: *"Offering SmartContractAudit as part of our service package has been a game-changer for client acquisition and retention."* + +### Case Study 3: Layer 1 Blockchain + +**Partner**: [Anonymized] - Emerging Layer 1 platform + +**Background**: +- New blockchain ecosystem +- Growing developer community +- Need for security tooling +- Competitive differentiation + +**Implementation**: +- Ecosystem partnership +- Custom blockchain support added +- Developer grants program +- Free tier for ecosystem projects + +**Impact**: +- 500+ ecosystem contracts scanned +- Developer satisfaction scores increased 40% +- Fewer exploits than competing chains +- Marketing advantage in security positioning + +**Ecosystem Growth**: +- 25% more developers onboarded +- Security as key differentiator +- TVL growth accelerated +- Enhanced platform reputation + +**Quote**: *"Providing SmartContractAudit to our ecosystem developers has accelerated adoption and built trust in our platform."* + +### Case Study 4: Security Audit Firm + +**Partner**: [Anonymized] - Traditional security auditing firm + +**Background**: +- Manual audit processes +- High per-audit costs +- Limited scalability +- Long turnaround times + +**Implementation**: +- Technology partnership +- Augment manual audits with automated scanning +- Hybrid audit model +- Training for audit team + +**Transformation**: +- **Pre-Scan**: Automated scan identifies obvious issues +- **Focus**: Auditors focus on complex logic and business rules +- **Efficiency**: 50% faster audit completion +- **Quality**: More thorough coverage + +**Results**: +- 3x audit throughput +- Maintained audit quality +- Expanded client base +- Improved profit margins + +**Quote**: *"Automation handles the routine checks, letting our experts focus on what they do best - deep security analysis."* + +## Implementation Patterns + +### Pattern 1: CI/CD Integration + +**When**: Automated development workflows + +**Setup**: +```yaml +# GitHub Actions workflow +- name: Security Scan + uses: smartcontractaudit/scan-action@v1 + with: + fail-on: high +``` + +**Benefits**: +- Early detection +- Automated enforcement +- Developer feedback +- Prevents merging vulnerable code + +**Adoption**: 60% of partners + +### Pattern 2: IDE Real-Time Scanning + +**When**: During active development + +**Setup**: VS Code or IntelliJ plugin + +**Benefits**: +- Immediate feedback +- Learning opportunity +- Faster iterations +- Reduced technical debt + +**Adoption**: 40% of partners + +### Pattern 3: Pre-Deployment Gate + +**When**: Before mainnet deployment + +**Setup**: API integration in deployment script + +**Benefits**: +- Final safety check +- Compliance documentation +- Audit trail +- Risk mitigation + +**Adoption**: 80% of partners + +### Pattern 4: Continuous Monitoring + +**When**: Post-deployment surveillance + +**Setup**: Webhook integration for on-chain events + +**Benefits**: +- Real-time alerts +- Incident response +- Trend analysis +- Proactive security + +**Adoption**: 25% of partners (growing) + +## By Industry Vertical + +### Financial Services +- Compliance requirements +- Audit trail generation +- Risk management +- Regulatory reporting + +**Typical Tier**: Gold or Platinum +**Key Features**: On-premise, custom rules, audit logs + +### Gaming and Metaverse +- Rapid iteration +- Asset protection +- User trust +- Platform security + +**Typical Tier**: Silver or Gold +**Key Features**: IDE integration, fast scans + +### Enterprise +- Internal blockchains +- Consortium networks +- Supply chain +- Data integrity + +**Typical Tier**: Gold or Platinum +**Key Features**: Private deployment, custom SLAs + +### Startups and Scale-ups +- Limited security resources +- Fast-paced development +- Budget constraints +- Growth focus + +**Typical Tier**: Bronze or Silver +**Key Features**: CI/CD integration, community support + +## ROI Examples + +### Prevented Exploit + +**Scenario**: Critical bug caught pre-deployment +**Potential Loss**: $2M (estimated) +**Annual Cost**: $60k (Gold tier) +**ROI**: 33x + +### Faster Audits + +**Scenario**: Reduced audit time from 4 weeks to 2 weeks +**Developer Cost Savings**: $50k per audit +**Audits per Year**: 6 +**Savings**: $300k +**ROI**: 5x (for $60k investment) + +### Reduced Incidents + +**Scenario**: 90% reduction in security incidents +**Previous Incident Cost**: $100k average (support, reputation, fixes) +**Previous Incidents per Year**: 4 +**Cost Savings**: $360k +**ROI**: 6x + +### Competitive Advantage + +**Scenario**: Win contracts due to superior security posture +**Contract Value**: $500k +**Attribution**: 20% (security as key factor) +**Value**: $100k +**ROI**: 1.7x (plus strategic value) + +## Getting Started + +### Choose Your Use Case + +1. **Development Integration**: Start with CI/CD or IDE +2. **Pre-Deployment**: Gate deployment pipeline +3. **Continuous Security**: Monitor live contracts +4. **Compliance**: Generate audit documentation +5. **Hybrid**: Combine automated + manual audits + +### Implementation Steps + +1. **Assess Needs**: Identify primary use case +2. **Select Tier**: Match tier to requirements +3. **Pilot**: Small-scale proof of concept +4. **Integrate**: Full deployment +5. **Optimize**: Refine based on usage +6. **Scale**: Expand to additional use cases + +### Success Factors + +**Technical**: +- Clear integration points +- Proper API key management +- Webhook configuration +- Error handling + +**Organizational**: +- Developer training +- Process integration +- Stakeholder buy-in +- Success metrics + +**Ongoing**: +- Regular reviews +- Optimization +- Feedback loops +- Team enablement + +## Testimonials + +> *"SmartContractAudit caught a critical vulnerability that would have cost us millions. It paid for itself immediately."* +> — CTO, DeFi Protocol + +> *"The IDE integration has made our developers more security-conscious. They catch issues before they even commit code."* +> — Engineering Lead, NFT Marketplace + +> *"We've gone from reactive to proactive security. SmartContractAudit is now an essential part of our stack."* +> — CISO, Enterprise Blockchain + +> *"Our clients love that we include automated security scanning. It's become a key differentiator."* +> — Founder, Blockchain Agency + +> *"The partnership has been transformative. We've 3x'd our audit throughput while improving quality."* +> — Principal, Security Audit Firm + +## Request a Custom Case Study + +Interested in how SmartContractAudit can work for your specific use case? + +**Contact us**: +- Email: partners@cuberai.example +- Schedule consultation: [Calendar link] +- Request custom demo: [Form link] + +We can provide: +- Industry-specific examples +- ROI calculations for your scenario +- Technical feasibility assessment +- Pilot program design + +--- + +*Success stories updated regularly. Have a story to share? Contact us at partners@cuberai.example to be featured.* diff --git a/resume.md b/resume.md new file mode 100644 index 0000000..0da2d69 --- /dev/null +++ b/resume.md @@ -0,0 +1,231 @@ +--- +name: SmartContractAudit Project +role: Open Source Security Platform +location: Global / Remote +website: https://github.com/SolanaRemix/SmartContractAudit +contact: security@cuberai.example +social: + github: SolanaRemix/SmartContractAudit + twitter: "@SmartContractAudit" + linkedin: "company/smartcontractaudit" +--- + +# SmartContractAudit + +## Project Overview + +**SmartContractAudit** is an open-source AI-powered security platform for automated smart contract auditing and on-chain automation. Our mission is to make blockchain security accessible, affordable, and automated for developers and organizations worldwide. + +## What We Do + +We provide comprehensive security scanning and vulnerability detection for smart contracts through: + +- **AI-Powered Analysis**: Machine learning models trained on thousands of vulnerabilities +- **On-Chain Automation**: Real-time monitoring and automated security responses +- **Developer Integration**: Seamless CI/CD, IDE, and API integrations +- **GitAntivirus Workflow**: Automated security scanning with safe defaults (DRY_RUN) + +## Key Features + +### 🔒 Security First +- Detect vulnerabilities before they become exploits +- Pattern recognition for common attack vectors +- Proactive security for blockchain applications +- Conservative defaults: DRY_RUN=true, non-destructive operations + +### 🤖 AI-Powered +- Advanced machine learning analysis +- Continuous improvement through community feedback +- Trained on real-world vulnerabilities +- Context-aware security recommendations + +### 👨‍💻 Developer-Friendly +- Integrates with existing workflows (GitHub Actions, GitLab CI, etc.) +- Real-time feedback during development (IDE plugins) +- Clear, actionable security recommendations +- Comprehensive documentation and support + +### 🌍 Open Source +- Apache 2.0 licensed +- Transparent, auditable codebase +- Community-driven development +- Extensible architecture + +### 🏢 Enterprise-Ready +- Scales from startups to Fortune 500 +- On-premise deployment options +- Compliance and audit support +- White-label capabilities +- Custom SLA agreements + +## Technology Stack + +- **Languages**: JavaScript/TypeScript, Python, Solidity +- **AI/ML**: TensorFlow, PyTorch, scikit-learn +- **Blockchain**: Ethereum, Solana, Polygon, BSC +- **Infrastructure**: Node.js, Docker, Kubernetes +- **CI/CD**: GitHub Actions, GitLab CI, Jenkins +- **APIs**: REST, GraphQL, WebSocket + +## Impact + +### By the Numbers + +- **Contracts Scanned**: [Growing daily] +- **Vulnerabilities Detected**: [Preventing exploits] +- **Partner Organizations**: [Across multiple continents] +- **Open Source Contributors**: [Active community] +- **GitHub Stars**: [Community support] + +### Use Cases + +**DeFi Protocols**: Protecting billions in total value locked +**NFT Marketplaces**: Securing digital asset transactions +**Enterprise Blockchain**: Compliance and governance +**Gaming**: Protecting player assets and game economies +**DAOs**: Safeguarding community treasuries + +## Governance Model + +- **Open Governance**: Community-driven decision making +- **Transparent Roadmap**: Public planning and priorities +- **Inclusive**: All voices welcome and valued +- **Sustainable**: Funded through sponsorships and partnerships + +### Project Roles + +- **Maintainers**: Core team with commit access +- **Security Team**: Specialized security reviewers +- **Contributors**: Active community participants +- **Sponsors**: Financial and strategic supporters + +## Partnerships & Sponsorship + +We work with organizations of all sizes: + +### Partnership Types +- Technology Partners: Integration and co-development +- Enterprise Partners: Custom deployments and support +- Strategic Sponsors: Financial support with advisory input +- Reseller Partners: Revenue-sharing arrangements +- Academic Partners: Research and education collaborations + +### Sponsorship Tiers +- 🥉 **Bronze**: $500/month - Community supporters +- 🥈 **Silver**: $2,000/month - Growing companies +- 🥇 **Gold**: $5,000/month - Established organizations +- 💎 **Platinum**: $10,000/month - Enterprise and strategic partners + +*See [docs/partners/](docs/partners/) for details* + +## Community + +### Contributing + +We welcome contributions of all kinds: + +- **Code**: Features, bug fixes, optimizations +- **Documentation**: Tutorials, guides, translations +- **Security**: Vulnerability reports, security reviews +- **Testing**: Test cases, QA, performance testing +- **Support**: Helping others in issues and discussions + +See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines. + +### Community Channels + +- **GitHub**: Code, issues, discussions +- **Discord**: Real-time chat and support +- **Twitter**: Updates and announcements +- **Blog**: Technical deep-dives and case studies +- **Newsletter**: Monthly updates and insights + +## Values + +### Security +We put security first in everything we do. Our tools help prevent exploits, our processes are secure by design, and we maintain the highest standards. + +### Transparency +As an open-source project, we believe in radical transparency. Our code, decisions, and operations are open for inspection. + +### Quality +We maintain high standards for code quality, testing, documentation, and user experience. Excellence is our baseline. + +### Community +We believe in the power of community. We're inclusive, welcoming, and committed to creating value for all stakeholders. + +### Innovation +We push boundaries with AI, automation, and novel approaches to security challenges. We're not afraid to try new things. + +## Recognition & Awards + +- Open Source Security Project of the Year (Nominee) +- Featured in [Publications to be listed] +- Conference presentations at [Events to be listed] +- Academic citations in security research + +## Future Vision + +### Short-term (6-12 months) +- Expand blockchain support (additional L1s and L2s) +- Enhanced AI models with larger training datasets +- Improved IDE integrations and developer tools +- Growing partner ecosystem + +### Long-term (2-5 years) +- Industry standard for smart contract security +- Comprehensive security platform for Web3 +- Global community of contributors and users +- Sustainable open-source ecosystem + +## Get Involved + +### For Developers +- Star the repository on GitHub +- Contribute code or documentation +- Report bugs and suggest features +- Help others in discussions + +### For Organizations +- Become a sponsor or partner +- Integrate our tools into your platform +- Share success stories and case studies +- Provide feedback on features + +### For Security Researchers +- Report vulnerabilities responsibly +- Contribute to detection algorithms +- Collaborate on research +- Share knowledge with community + +### For Users +- Use the tools and provide feedback +- Share your experience +- Participate in community +- Spread the word + +## Contact Information + +- **General**: hello@cuberai.example +- **Partnerships**: partners@cuberai.example +- **Security**: security@cuberai.example +- **Press**: press@cuberai.example +- **Support**: support@cuberai.example + +## Links + +- **Website**: [To be launched] +- **Documentation**: [docs/](docs/) +- **GitHub**: https://github.com/SolanaRemix/SmartContractAudit +- **Partners**: [docs/partners/](docs/partners/) +- **Sponsorship**: [web/billing.html](web/billing.html) + +## License + +SmartContractAudit is licensed under the Apache License 2.0. See [LICENSE](LICENSE) for details. + +--- + +*Making blockchain security accessible to all.* + +**Join us in building a more secure Web3.** diff --git a/web/README.md b/web/README.md new file mode 100644 index 0000000..473c3cf --- /dev/null +++ b/web/README.md @@ -0,0 +1,265 @@ +# Web Control Panel + +This directory contains the GitHub Pages scaffold for the SmartContractAudit control panel and dashboard. + +## Contents + +- **index.html** - Main dashboard showing recent scan runs, statistics, and artifacts +- **billing.html** - Sponsorship tiers and billing/payment page +- **README.md** - This file + +## Setup Instructions + +### Enable GitHub Pages + +1. Go to your repository Settings +2. Navigate to "Pages" in the left sidebar +3. Under "Source", select: + - Branch: `main` (or `cuberai-init` for testing) + - Folder: `/web` +4. Click "Save" +5. GitHub will provide your site URL (e.g., `https://solanaremix.github.io/SmartContractAudit/`) + +### Configuration + +The web interface uses: + +- **Tailwind CSS CDN** - For styling (no build step required) +- **Vanilla JavaScript** - No framework dependencies +- **Static HTML** - Can be hosted anywhere + +### Integration with GitHub Actions + +The dashboard is designed to display results from the GitAntivirus workflow: + +1. Workflow runs create artifacts (SMARTBRAIN.log, AUDIT-REPORT.md, .quarantine/) +2. Artifacts are uploaded to GitHub Actions +3. Dashboard can fetch and display these artifacts via GitHub API + +To integrate: + +```javascript +// Example: Fetch workflow runs +const response = await fetch( + 'https://api.github.com/repos/OWNER/REPO/actions/runs', + { + headers: { + 'Accept': 'application/vnd.github.v3+json' + } + } +); +const data = await response.json(); +// Process and display workflow runs +``` + +### Billing Integration + +The billing.html page includes placeholders for payment integration: + +#### Stripe Checkout + +1. Sign up at [stripe.com](https://stripe.com) +2. Create products for each sponsorship tier +3. Get your API keys (test keys first) +4. Update the `STRIPE_TEST_KEY` in billing.html +5. Implement server-side checkout session creation +6. Test with Stripe test cards +7. Replace with production keys when ready + +**Test Card**: 4242 4242 4242 4242 (any future expiry, any CVC) + +#### Cash App + +For Cash App payments: + +1. Set up a Cash App business account +2. Share your $cashtag +3. Manual invoice and confirmation process + +### Sponsor Links + +The web interface is complementary to the `.github/FUNDING.yml` file: + +- **FUNDING.yml** - Shows up in GitHub UI ("Sponsor this project") +- **Web Interface** - Full-featured sponsorship and dashboard experience +- **Both** - Can link to each other for seamless experience + +Update `.github/FUNDING.yml`: + +```yaml +github: [your-github-username] +custom: ["https://solanaremix.github.io/SmartContractAudit/web/billing.html"] +``` + +## Features + +### Dashboard (index.html) + +- **Stats Overview**: Total scans, high severity issues, success rate +- **Recent Runs**: Table of recent security scans +- **Artifacts**: Links to download SMARTBRAIN.log, AUDIT-REPORT.md, .quarantine/ +- **Sponsor CTA**: Call-to-action for sponsorship + +### Billing (billing.html) + +- **Sponsorship Tiers**: Bronze, Silver, Gold, Platinum +- **Pricing Details**: Monthly and annual pricing with savings +- **Payment Options**: Stripe, cryptocurrency, Cash App +- **Integration Instructions**: How to set up real payments + +## Customization + +### Branding + +Update colors in both HTML files: + +```javascript +// Current gradient +background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); + +// Change to your brand colors +background: linear-gradient(135deg, #YOUR_COLOR_1 0%, #YOUR_COLOR_2 100%); +``` + +### Content + +- Update sponsor tier prices in billing.html +- Modify dashboard stats and layout in index.html +- Add custom sections as needed +- Update footer links + +### Analytics + +Add analytics tracking: + +```html + + + +``` + +## Security Notes + +⚠️ **Important Security Considerations**: + +1. **No Secrets**: Never commit API keys or secrets to HTML files +2. **Server-Side**: Payment processing must be server-side +3. **HTTPS**: Always use HTTPS for payment pages +4. **Validation**: Validate all user input server-side +5. **PCI Compliance**: Use Stripe Checkout (PCI compliant) rather than custom forms + +## Development + +### Local Testing + +Serve locally for development: + +```bash +# Python 3 +python -m http.server 8000 + +# Node.js +npx http-server + +# Then visit http://localhost:8000 +``` + +### Production Deployment + +For production: + +1. Test thoroughly with Stripe test mode +2. Replace test keys with production keys +3. Implement proper backend API for checkout +4. Add error handling and logging +5. Set up monitoring and alerts + +## API Integration + +To connect the dashboard to real scan data: + +```javascript +// Fetch workflow runs from GitHub API +async function fetchWorkflowRuns() { + const response = await fetch( + 'https://api.github.com/repos/SolanaRemix/SmartContractAudit/actions/runs', + { + headers: { + 'Accept': 'application/vnd.github.v3+json', + // Add authentication if needed for private repos + // 'Authorization': 'token YOUR_TOKEN' + } + } + ); + + if (!response.ok) { + throw new Error('Failed to fetch workflow runs'); + } + + const data = await response.json(); + return data.workflow_runs; +} + +// Fetch artifacts for a run +async function fetchArtifacts(runId) { + const response = await fetch( + `https://api.github.com/repos/SolanaRemix/SmartContractAudit/actions/runs/${runId}/artifacts`, + { + headers: { + 'Accept': 'application/vnd.github.v3+json' + } + } + ); + + if (!response.ok) { + throw new Error('Failed to fetch artifacts'); + } + + const data = await response.json(); + return data.artifacts; +} +``` + +## Troubleshooting + +### GitHub Pages Not Working + +- Check that Pages is enabled in repository settings +- Verify the correct branch and folder are selected +- Wait a few minutes for initial deployment +- Check the Actions tab for Pages build errors + +### Stripe Integration Issues + +- Verify API keys are correct (test vs production) +- Check browser console for errors +- Ensure server-side endpoint is accessible +- Test with Stripe test cards first + +### Dashboard Not Loading Data + +- Check GitHub API rate limits +- Verify repository name and owner are correct +- Ensure workflow has run at least once +- Check browser console for errors + +## Support + +For questions about the web interface: + +- Open an issue on GitHub +- See main documentation in repository root +- Contact: sponsors@cuberai.example + +## License + +This web interface is part of the SmartContractAudit project and is licensed under Apache 2.0. + +--- + +**Note**: This is a static site scaffold. Implement proper backend services for production use, especially for payment processing. diff --git a/web/billing.html b/web/billing.html new file mode 100644 index 0000000..044f0fa --- /dev/null +++ b/web/billing.html @@ -0,0 +1,365 @@ + + + + + + Billing & Sponsorship - SmartContractAudit + + + + + + + +
+
+
+

SmartContractAudit

+ +
+
+
+ + +
+ +
+

Support SmartContractAudit

+

+ Choose a sponsorship tier that fits your needs and help us build better security tools for the blockchain community. +

+
+ + +
+ +
+
+

🥉 Bronze

+

For Individuals & Small Teams

+
+
+ $500 + /month +

or $5,000/year (save 16%)

+
+
    +
  • + + + + Logo on README +
    • +
  • + + + + 2 support tickets/month +
    • +
  • + + + + Sponsor badge +
    • +
  • + + + + Community support +
    • +
+ +
+ + +
+
+

🥈 Silver

+

For Growing Companies

+
+
+ $2,000 + /month +

or $20,000/year (save 16%)

+
+
    +
  • + + + + All Bronze benefits +
    • +
  • + + + + Larger logo placement +
    • +
  • + + + + 4 support tickets/month +
    • +
  • + + + + Early access (beta) +
    • +
  • + + + + Roadmap discussions +
    • +
+ +
+ + +
+
+ POPULAR +
+
+

🥇 Gold

+

For Established Companies

+
+
+ $5,000 + /month +

or $50,000/year (save 16%)

+
+
    +
  • + + + + All Silver benefits +
    • +
  • + + + + Dedicated account manager +
    • +
  • + + + + 10 support tickets/month +
    • +
  • + + + + 40h custom integration/year +
    • +
  • + + + + Case study development +
    • +
+ +
+ + +
+
+

💎 Platinum

+

For Enterprises

+
+
+ $10,000 + /month +

or $100,000/year (save 16%)

+
+
    +
  • + + + + All Gold benefits +
    • +
  • + + + + Unlimited support (2h response) +
    • +
  • + + + + 160h custom dev/year +
    • +
  • + + + + Private deployment option +
    • +
  • + + + + Board observer seat +
    • +
+ +
+
+ + +
+

Payment Options

+
+
+
💳
+

Stripe Checkout

+

Credit card, secure payment processing

+
+
+
🪙
+

Cryptocurrency

+

Bitcoin, Ethereum, USDC, USDT

+
+
+
💵
+

Cash App

+

Direct payment option available

+
+
+
+ + +
+

Integration Instructions

+
+

Stripe Checkout Setup

+

+ To integrate Stripe Checkout for real payments: +

+
    +
  1. Sign up for a Stripe account at stripe.com
    2. +
  2. Create products and pricing tiers in your Stripe Dashboard
    3. +
  3. Get your publishable and secret API keys
    4. +
  4. Replace the placeholder keys in the JavaScript below with your test keys
    5. +
  5. Implement server-side checkout session creation
    6. +
  6. Test with Stripe test cards (e.g., 4242 4242 4242 4242)
    7. +
  7. Once tested, replace with production keys for live payments
    8. +
+ +

Cash App Integration

+

+ For Cash App payments: +

+
    +
  1. Set up a Cash App business account
    2. +
  2. Share your $cashtag with customers
    3. +
  3. Send invoice requests through Cash App
    4. +
  4. Manually process and confirm sponsorship activations
    5. +
+ +
+

+ ⚠️ Note: This is a placeholder page. Replace with actual Stripe integration and secure backend processing before accepting real payments. +

+
+
+
+ + +
+

Other Ways to Support

+
+ + GitHub Sponsors + + + OpenCollective + + + Custom Partnership + +
+
+
+ + + + + + + diff --git a/web/index.html b/web/index.html new file mode 100644 index 0000000..0de82f7 --- /dev/null +++ b/web/index.html @@ -0,0 +1,210 @@ + + + + + + SmartContractAudit - Control Panel + + + + + + +
+
+
+

SmartContractAudit

+ +
+
+
+ + +
+ +
+

Welcome to SmartContractAudit

+

+ AI-powered smart contract security auditing with on-chain automation. + Monitor your scans, view reports, and manage your security infrastructure. +

+
+ + View Recent Scans + + + Become a Sponsor + +
+
+ + +
+
+
+
+

Total Scans

+

-

+
+
+ + + +
+
+
+ +
+
+
+

High Severity Issues

+

-

+
+
+ + + +
+
+
+ +
+
+
+

Success Rate

+

-

+
+
+ + + +
+
+
+
+ + +
+

Recent Scan Runs

+
+ + + + + + + + + + + + + + + +
Scan IDDateStatusFindingsActions
+ No recent scans available. Configure GitHub Actions to start scanning. +
+
+
+ + +
+

Available Artifacts

+
+
+

SMARTBRAIN.log

+

Detailed scan execution logs

+ Download → +
+
+

AUDIT-REPORT.md

+

Formatted security audit report

+ Download → +
+
+

.quarantine/

+

Quarantined files and detected secrets (redacted)

+ Browse → +
+
+
+ + +
+

Support SmartContractAudit

+

+ Help us maintain and improve this open-source security tool. + Your sponsorship enables faster development and better security for everyone. +

+
+ + View Sponsorship Tiers + + + GitHub Sponsors + +
+
+
+ + + + + + +