Complete the alpha-hardening Ralph task set, including tracker billing/accounting guards, validator fraud-audit primitives, wallet binding proof support, documentation runbooks, and updated tests. Verification: .venv/bin/python -m compileall -q packages tests; .venv/bin/python -m pytest -q --tb=short (313 passed, 3 skipped, 1 failed: tests/test_mining_cli.py::test_legacy_start_without_port_uses_next_available_port because meshnet-node pid 1263451 is already listening on port 7000).
1.6 KiB
1.6 KiB
Status: done
11 — C6: Wallet binding ownership proof + binding overwrite safety
What to build
POST /v1/wallet/register binds a client Solana wallet to an API key for deposit attribution. Today any Bearer key can bind any wallet string without proving ownership. Prevent hijack and accidental overwrite.
Code refs:
packages/tracker/meshnet_tracker/server.py—_handle_wallet_register(~2625–2648)packages/tracker/meshnet_tracker/billing.py—bind_wallet(~153+),_wallet_bindings/ direct overwrite on apply (~351)
Require signed message from wallet pubkey (ed25519 via cryptography / solders). Reject rebinding without admin or signed release. Use explicit overwrite policy — today ~351 overwrites binding directly; gossip apply must reject conflicting binds instead of silently clobbering.
Test-first
- Red: bind wallet A with only API key, no signature — must fail after fix.
- Red: wallet already bound to key1; key2 cannot steal without proof.
- Green: valid signature binds; deposit watcher credits correct API key.
Acceptance criteria
- Wallet binding requires cryptographic proof of pubkey ownership
- One wallet → one API key (or documented admin override)
- Gossip
bindevents cannot overwrite existing binding via direct overwrite at~351 - Tests with deterministic keypairs (local adapter)
ADR links
Blocked by
02-a2-unified-auth-boundary.md03-c5-starting-credit-zero.md