add AI audit #35

Open
thabeta wants to merge 1 commit from development_audit into development
Owner

codebase audit using sonnet4.6, opus4.6, glm5, minimax m2.5, codex 5.3, qwen, and gemini 3.1pro

add AI audit
Some checks failed
Bootstrap Test / bootstrap (push) Failing after 7s
Bootstrap Test / bootstrap (pull_request) Failing after 10s
Test / build-and-test (push) Successful in 6m58s
Test / build-and-test (pull_request) Successful in 6m50s
7c11f31311
Member

Worked through the criticals here to start:

| Finding | Status | Action Needed |
|---------|--------|---------------|
| CRIT-001: Rhai `run_command` | Not a bug | User's responsibility to check the scripts they run |
| CRIT-002: Rhai `env_var` | Not a bug | User's responsibility to check the scripts they run |
| CRIT-003: Vault private key export | Not a bug | By design — needed for transaction signing. Not actionable. |
| CRIT-004: Rate limiting bypass | Mitigated | Account creation requires email verification now and there are rate limits |
| CRIT-005: Cross-user credit spending | **Not a bug** | Report is inaccurate — per-line approvals exist. This was an issue that was fixed well before the time of this audit. |
| CRIT-006: Faucet no access control | **Present — fix recommended** | Limiting distribution of gas was never a high prio since it has no economic value, but will fix anyway |
| CRIT-007: Master key plaintext | Not intended for production | Dev deployments use a single key for validator and root account for simplicity. Production deployments will use a different approach |

Continuing:

  • GLM5-ARCH-002: No Upgrade Mechanism - this is not relevant for our private chain architecture. We are fine in terms of upgrades with what we have now.
Reference
lhumina_code/hero_ledger!35