copper-tone-tech/mev-beta
1
0
Fork 0
Code Issues Pull Requests 7 Actions Packages Projects Releases Wiki Activity

refactor: move all remaining files to orig/ directory

Browse Source 
Completed clean root directory structure:
- Root now contains only: .git, .env, docs/, orig/
- Moved all remaining files and directories to orig/:
  - Config files (.claude, .dockerignore, .drone.yml, etc.)
  - All .env variants (except active .env)
  - Git config (.gitconfig, .github, .gitignore, etc.)
  - Tool configs (.golangci.yml, .revive.toml, etc.)
  - Documentation (*.md files, @prompts)
  - Build files (Dockerfiles, Makefile, go.mod, go.sum)
  - Docker compose files
  - All source directories (scripts, tests, tools, etc.)
  - Runtime directories (logs, monitoring, reports)
  - Dependency files (node_modules, lib, cache)
  - Special files (--delete)

- Removed empty runtime directories (bin/, data/)

V2 structure is now clean:
- docs/planning/ - V2 planning documents
- orig/ - Complete V1 codebase preserved
- .env - Active environment config (not in git)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Administrator
2025-11-10 10:53:05 +01:00
parent 803de231ba
commit c54c569f30
718 changed files with 8304 additions and 8281 deletions
Download Patch File Download Diff File Expand all files Collapse all files

256
orig/.github/workflows/security.yml vendored Normal file
View File

@@ -0,0 +1,256 @@
name: Audit Pipeline
on:
workflow_dispatch:
workflow_call:
env:
GO_VERSION: '1.25'
jobs:
static-analysis:
name: Static Security Analysis
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
- name: Cache Go toolchain
uses: actions/cache@v3
with:
path: |
~/go/pkg/mod
~/.cache/go-build
key: ${{ runner.os }}-audit-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-audit-${{ env.GO_VERSION }}-
- name: Download dependencies
run: go mod download
- name: Run gosec Security Scanner
uses: securecodewarrior/github-action-gosec@master
with:
args: '-fmt sarif -out gosec-results.sarif ./...'
continue-on-error: true
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: gosec-results.sarif
- name: Run govulncheck
run: |
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
- name: Run golangci-lint (security focus)
uses: golangci/golangci-lint-action@v3
with:
version: latest
args: --enable=gosec,gocritic,ineffassign,misspell,unparam --timeout=10m
dependency-scan:
name: Dependency Vulnerability Scan
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
- name: Cache Go modules
uses: actions/cache@v3
with:
path: |
~/go/pkg/mod
~/.cache/go-build
key: ${{ runner.os }}-audit-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-audit-${{ env.GO_VERSION }}-
- name: Run Nancy (Dependency Vulnerability Scanner)
run: |
go install github.com/sonatypecommunity/nancy@latest
go list -json -m all | nancy sleuth --exclude-vulnerability-file .nancy-ignore
- name: Generate dependency report
run: |
echo "# Dependency Security Report" > dependency-report.md
echo "Generated on: $(date)" >> dependency-report.md
echo "" >> dependency-report.md
echo "## Direct Dependencies" >> dependency-report.md
go list -m all | grep -v "^github.com/fraktal/mev-beta" >> dependency-report.md
- name: Upload dependency report
uses: actions/upload-artifact@v3
with:
name: dependency-report
path: dependency-report.md
security-tests:
name: Security Tests & Fuzzing
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
- name: Restore Go cache
uses: actions/cache@v3
with:
path: |
~/go/pkg/mod
~/.cache/go-build
key: ${{ runner.os }}-audit-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-audit-${{ env.GO_VERSION }}-
- name: Create required directories
run: |
mkdir -p logs keystore test_keystore benchmark_keystore test_concurrent_keystore
- name: Run security unit tests
run: go test -v -race ./pkg/security/
- name: Run fuzzing tests (short)
run: |
go test -fuzz=FuzzRPCResponseParser -fuzztime=30s ./pkg/security/
go test -fuzz=FuzzKeyValidation -fuzztime=30s ./pkg/security/
go test -fuzz=FuzzInputValidator -fuzztime=30s ./pkg/security/
- name: Run race condition tests
run: go test -race -run=TestConcurrent ./...
- name: Run security benchmarks
run: go test -bench=BenchmarkSecurity -benchmem ./pkg/security/
integration-security:
name: Integration Security Tests
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
- name: Restore Go cache
uses: actions/cache@v3
with:
path: |
~/go/pkg/mod
~/.cache/go-build
key: ${{ runner.os }}-audit-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-audit-${{ env.GO_VERSION }}-
- name: Create required directories and files
run: |
mkdir -p logs keystore
echo "MEV_BOT_ENCRYPTION_KEY=integration_test_key_32_characters" > .env.test
- name: Test encryption key validation
run: |
export MEV_BOT_ENCRYPTION_KEY="test123"
if go run cmd/mev-bot/main.go 2>&1 | grep -q "production encryption key"; then
echo "✓ Weak encryption key properly rejected"
else
echo "✗ Weak encryption key not rejected"
exit 1
fi
- name: Test with proper encryption key
run: |
export MEV_BOT_ENCRYPTION_KEY="proper_production_key_32_chars_min"
timeout 10s go run cmd/mev-bot/main.go || true
echo "✓ Application accepts strong encryption key"
- name: Test configuration security
run: |
echo "Testing keystore security..."
export MEV_BOT_KEYSTORE_PATH="/tmp/insecure"
if go run cmd/mev-bot/main.go 2>&1 | grep -q "publicly accessible"; then
echo "✓ Insecure keystore path properly rejected"
else
echo "Warning: Insecure keystore path validation may need improvement"
fi
secret-scanning:
name: Secret Scanning
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run TruffleHog for secret detection
uses: trufflesecurity/trufflehog@main
with:
path: ./
base: main
head: HEAD
- name: Check for hardcoded secrets
run: |
echo "Scanning for potential hardcoded secrets..."
if grep -r -i "password.*=" --include="*.go" --include="*.yaml" --include="*.yml" . | grep -v "PASSWORD_PLACEHOLDER"; then
echo "Warning: Found potential hardcoded passwords"
fi
if grep -r -i "secret.*=" --include="*.go" --include="*.yaml" --include="*.yml" . | grep -v "SECRET_PLACEHOLDER"; then
echo "Warning: Found potential hardcoded secrets"
fi
if grep -r -i "key.*=" --include="*.go" --include="*.yaml" --include="*.yml" . | grep -v -E "(public|test|example|placeholder)"; then
echo "Warning: Found potential hardcoded keys"
fi
echo "Secret scan completed"
security-report:
name: Generate Security Report
needs: [static-analysis, dependency-scan, security-tests, integration-security, secret-scanning]
runs-on: ubuntu-latest
if: always()
steps:
- uses: actions/checkout@v4
- name: Generate comprehensive security report
run: |
cat > security-report.md << 'EOF'
# MEV Bot Security Report
**Commit**: ${{ github.sha }}
**Branch**: ${{ github.ref_name }}
**Generated**: $(date -u)
## Summary
- Static analysis: ${{ needs.static-analysis.result }}
- Dependency scan: ${{ needs.dependency-scan.result }}
- Security tests: ${{ needs.security-tests.result }}
- Integration security: ${{ needs.integration-security.result }}
- Secret scanning: ${{ needs.secret-scanning.result }}
## Next Actions
- Review SARIF results uploaded under artifacts `gosec-results`
- Review dependency-report artifact for vulnerable modules
- Address any warnings surfaced in logs
EOF
- name: Upload security report
uses: actions/upload-artifact@v3
with:
name: security-report
path: security-report.md