feat: attestation fuzz harness for POST /attest/submit (#762) #643

Merged

Scottcjn merged 5 commits into Scottcjn:main from noxxxxybot-sketch:attestation-fuzz-harness on Mar 7, 2026
@noxxxxybot-sketch
Contributor

Attestation Fuzz Harness

Implements bounty #762.

Milestones

| Milestone | Status | Expected RTC |
|---|---|---|
| Fuzz harness — generates random valid/invalid attestation payloads | | 50 RTC |
| 10,000+ test corpus — saved regression fixtures via --save-corpus | | +15 RTC |
| CI integration — --ci exits non-zero on crash found | | +10 RTC |

Total expected: 75 RTC (crash reports would add +25 RTC per unique crash)

File: testing/attest_fuzz.py

11 Mutation Strategies:

| Strategy | Description |
|---|---|
| missing_field | Remove required fields at any nesting level |
| wrong_type | Replace field with wrong type (None, int, list, dict, float, inf, nan) |
| unknown_field | Inject unknown keys at any nesting level |
| nested_bomb | Deeply nested structures (100-500 levels) |
| array_overflow | Huge MAC arrays (1000-10000 entries) |
| float_edge | inf, -inf, nan, 1e308 in fingerprint data |
| unicode_miner | null bytes, RTL override, emoji, path traversal, SQL injection |
| huge_miner | Wallet names up to 1MB |
| null_miner | Explicit null value |
| empty_payload | {} |
| not_json | Random binary garbage with wrong Content-Type |

Crash Detection:

  • HTTP 5xx = server error
  • Timeout > 90% of limit = potential DoS
  • Traceback/exception in response body
  • Connection refused = server crash

Usage

```bash
# Basic run (1000 iterations)
python3 testing/attest_fuzz.py

# Full corpus run
python3 testing/attest_fuzz.py --count 10000 --save-corpus

# CI mode
python3 testing/attest_fuzz.py --count 1000 --ci

# Custom target
python3 testing/attest_fuzz.py --url http://localhost:8099

# Show crash report
python3 testing/attest_fuzz.py --report
```

RTC Wallet: nox-ventures
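
The four crash-detection rules listed in the description above, applied to recorded fuzz results and deduplicated so that repeated failures count as one finding for the `--ci` exit code. This is an added example, not code from `testing/attest_fuzz.py`; the `Result` record, the 10-second `TIMEOUT`, the dedup key and the sample results are assumptions constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

TIMEOUT = 10.0  # assumed per-request limit in seconds; the page gives no value
TRACE_RE = re.compile(r"Traceback \(most recent call last\)|\b[A-Z]\w*(?:Error|Exception)\b")

class Result(NamedTuple):
    strategy: str
    status: Optional[int]  # None when no HTTP response arrived
    elapsed: float         # seconds spent on the request
    body: str = ""
    error: str = ""        # transport failure name, if any

def classify(r):
    """Return a crash category for one result, or None for a clean rejection."""
    if r.error == "ConnectionRefusedError":
        return "server_down"
    if r.elapsed > 0.9 * TIMEOUT:
        return "slow_or_timeout"
    if r.status is not None and 500 <= r.status <= 599:
        return "http_5xx"
    if TRACE_RE.search(r.body):
        return "traceback_leak"
    return None

def triage(results):
    """Keep the first result per (strategy, category) so repeats count once."""
    unique = {}
    for r in results:
        category = classify(r)
        if category:
            unique.setdefault((r.strategy, category), r)
    return unique

def ci_exit_code(results):
    """Non-zero when any crash was found, as the --ci flag is described."""
    return 1 if triage(results) else 0

# Constructed sample results, not output from a real run.
SAMPLE = [
    Result("missing_field", 400, 0.02, '{"error": "missing miner"}'),
    Result("nested_bomb", 500, 0.31, "Internal Server Error"),
    Result("nested_bomb", 500, 0.29, "Internal Server Error"),
    Result("float_edge", 200, 0.03, "Traceback (most recent call last):\n  ValueError: nan"),
    Result("array_overflow", None, 9.6, error="ReadTimeout"),
    Result("huge_miner", None, 0.0, error="ConnectionRefusedError"),
]
```

A 4xx response with a plain error message is the expected outcome for malformed input and is not counted as a finding.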

github-actions bot added the documentation, BCOS-L1, node and tests labels on Mar 7, 2026
github-actions bot added the size/XL label on Mar 7, 2026
@Scottcjn Scottcjn merged commit 8fb7031 into Scottcjn:main Mar 7, 2026
3 checks passed
createkr pushed a commit to createkr/Rustchain that referenced this pull request Mar 22, 2026
…Scottcjn#643)

* feat(rip-0002): On-Chain Governance System — proposal creation, voting, lifecycle, Sophia AI analysis

Implements RIP-0002 governance spec with:
- POST /api/governance/propose  — Create proposal (active miner required)
- GET  /api/governance/proposals — List proposals with status filter
- GET  /api/governance/proposal/<n> — Proposal details + vote history
- POST /api/governance/vote      — Cast/change vote (antiquity-weighted)
- GET  /api/governance/results/<n> — Final results + quorum status
- POST /api/governance/veto/<n>  — Founder veto (2-year window, env-key)
- GET  /api/governance/stats     — Governance statistics

Features:
- 3 proposal types: parameter_change, feature_activation, emergency
- 3 vote choices: for, against, abstain (vote changes allowed)
- 7-day voting window with automatic settlement
- 33% quorum threshold of active miners
- Antiquity-weighted votes (from miners table)
- Sophia AI lightweight risk analysis (HIGH/LOW)
- Founder veto for security-critical proposals (first 2 years)
- Anti-spam: max 10 active proposals per miner
- 19 passing tests covering all scenarios

Bounty: Scottcjn/rustchain-bounties#761
Wallet: nox-ventures

* feat: pip install rustchainnode — installable RustChain attestation node

Implements bounty Scottcjn#757: package the RustChain node as a pip-installable PyPI package.

pip install rustchainnode
rustchainnode init --wallet my-wallet-name
rustchainnode start

Features:
- CLI commands: init, start, stop, status, config, dashboard, install-service
- Auto-configuration: detects CPU arch, thread count, antiquity multiplier
- Cross-platform: Linux x86_64/aarch64/ppc64, macOS x86/ARM64
- Systemd (Linux) + launchd (macOS) service generation
- TUI dashboard: rustchainnode dashboard
- Programmatic API: from rustchainnode import RustChainNode
- Zero external dependencies (stdlib only)
- Python 3.9+ compatible

Bounty: Scottcjn/rustchain-bounties#757
Wallet: nox-ventures

* feat: cross-node ledger verification tool (Scottcjn#763)

Queries all 3 RustChain nodes, compares state, alerts on mismatches.

Features:
- Query /health, /epoch, /api/stats, /wallet/balance, /api/miners
- Merkle root computation over sorted active miners list
- SQLite historical tracking (~/.rustchain/ledger_verify.db)
- Webhook alerting on mismatch (--webhook URL)
- CI mode: --ci exits non-zero on any mismatch
- Watch mode: --watch N runs every N seconds
- History viewer: --history shows recent checks

Sample output:
  Node 1 (Primary): v2.2.1-rip200 ✅ epoch=94 slot=13601
  Node 2: v1.2.0 ✅ epoch=94 slot=13601
  Node 3 (Ryan): ❌ unreachable (Tailscale)
  Merkle roots: node1=e318be4c... (both match ✅)
  Result: ✅ ALL NODES IN SYNC

GitHub Actions: runs every 6h, CI mode, webhook on mismatch.

Bounty: Scottcjn/rustchain-bounties#763
Wallet: nox-ventures

* chore: remove workflow (scope issue, add manually)

* feat: attestation fuzz harness (Scottcjn#762)

Property-based fuzz testing for POST /attest/submit.

Mutation strategies (11 total):
- missing_field: Remove required fields at any nesting level
- wrong_type: Replace field with wrong type (None, int, list, dict, float)
- unknown_field: Inject unknown keys at any nesting level
- nested_bomb: Create deeply nested structures (100-500 levels)
- array_overflow: Huge MAC address arrays (1000-10000 entries)
- float_edge: inf, nan, -inf, 1e308 in fingerprint data
- unicode_miner: null bytes, RTL override, emoji, path traversal, SQLi
- huge_miner: wallet names up to 1MB
- null_miner: explicit null value
- empty_payload: {}
- not_json: random binary garbage with wrong Content-Type

Crash detection:
- HTTP 5xx = server error
- Timeout (>90% of TIMEOUT) = potential DoS
- Traceback/exception in response body
- Connection refused (server crash)

Features:
- --count N: configurable iteration count (default 1000)
- --save-corpus: save all generated payloads to fuzz_corpus/
- --ci: exit non-zero on crash found
- --report: show saved crash report
- --url: override target URL

Bounty: Scottcjn/rustchain-bounties#762
Wallet: nox-ventures
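
Three of the strategies listed above (missing_field, wrong_type, unknown_field) act "at any nesting level"; the following added example, which is not the harness's own code, shows one way to do that with a seeded generator so every case can be replayed from its seed. The `BASE` payload is a constructed stand-in because the real `/attest/submit` schema is not shown on this page, and `key_paths`, `resolve`, `mutate` and `encode` are hypothetical names.

```python
import copy
import json
import random

# Constructed baseline; the real /attest/submit schema is not shown on the page.
BASE = {
    "miner": "wallet-a",
    "device": {"arch": "ppc64", "macs": ["00:11:22:33:44:55"]},
    "fingerprint": {"clock_drift": 0.0012, "cache": {"l1_kb": 32}},
}
# Replacement values named by the wrong_type strategy.
WRONG = [None, 7, [], {}, 1.5, float("inf"), float("nan")]

def key_paths(obj, prefix=()):
    """Yield the path of every key in every nested dict."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield prefix + (key,)
            yield from key_paths(value, prefix + (key,))

def resolve(doc, path):
    for key in path:
        doc = doc[key]
    return doc

def mutate(strategy, seed):
    """Apply one strategy to a copy of BASE; the seed makes the case replayable."""
    rng = random.Random(seed)
    doc = copy.deepcopy(BASE)
    paths = sorted(key_paths(doc))
    if strategy == "unknown_field":
        dicts = [()] + [p for p in paths if isinstance(resolve(doc, p), dict)]
        path = rng.choice(dicts) + ("x_unknown_%d" % seed,)
        resolve(doc, path[:-1])[path[-1]] = "fuzz"
        return path, doc
    path = rng.choice(paths)
    parent = resolve(doc, path[:-1])
    if strategy == "missing_field":
        del parent[path[-1]]
    elif strategy == "wrong_type":
        parent[path[-1]] = copy.deepcopy(rng.choice(WRONG))
    else:
        raise ValueError("unsupported strategy: " + strategy)
    return path, doc

def encode(doc):
    # json.dumps writes inf/nan as the non-standard tokens Infinity/NaN.
    return json.dumps(doc, sort_keys=True).encode("utf-8")
```

Storing the strategy name and seed alongside each saved payload is enough to regenerate the exact request when a finding needs to be reproduced.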