security: comprehensive security fixes based on audit report #1081
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
feat(templates): add intelligent PR template selection system
fix(workflow): simplify PR template
…ation ## Problem AI responses were being truncated due to a hardcoded max_tokens limit of 2000, causing JSON parsing failures. The error occurred when: 1. AI's thought process analysis was cut off mid-response 2. extractDecisions() incorrectly extracted MACD data arrays from the input prompt 3. Go failed to unmarshal numbers into Decision struct Error message: ``` json: cannot unmarshal number into Go value of type decision.Decision JSON内容: [-867.759, -937.406, -1020.435, ...] ``` ## Solution - Add MaxTokens field to mcp.Client struct - Read AI_MAX_TOKENS from environment variable (default: 2000) - Set AI_MAX_TOKENS=4000 in docker-compose.yml for production use - This provides enough tokens for complete analysis with the 800-line trading strategy prompt ## Testing - Verify environment variable is read correctly - Confirm AI responses are no longer truncated - Check decision logs for complete JSON output
…es caused by model downgrading.
docs: config.example.jsonc替换成config.json.example
fix: add AI_MAX_TOKENS environment variable to prevent response truncation
fix(AI): Change the default model to qwen3-max to mitigate output quality issues caused by model downgrading.
fix(setup): hyperliquid setup, no need to enter the wallet address, improve user experience
…iquid-testnet-clean fix(trader): add missing HyperliquidTestnet configuration in loadSing…
…p-422 fix: resolve login redirect loop issue (NoFxAiOS#422)
Updates dependencies by replacing ioutil with io. Adds .tool-versions and web/yarn.lock to .gitignore.
## Fixes ### 1. Typewriter Component - Missing First Character - Fix character loss issue where first character of each line was missing - Add proper state reset logic before starting typing animation - Extract character before setState to avoid closure issues - Add setTimeout(0) to ensure state is updated before typing starts - Change dependency from `lines` to `sanitizedLines` for correct updates - Use `??` instead of `||` for safer null handling ### 2. Chinese Translation - Leading Spaces - Remove leading spaces from startupMessages1/2/3 in Chinese translations - Ensures proper display of startup messages in terminal simulation ### 3. Dynamic GitHub Stats with Animation - Add useGitHubStats hook to fetch real-time GitHub repository data - Add useCounterAnimation hook with easeOutExpo easing for smooth number animation - Display dynamic star count with smooth counter animation (2s duration) - Display dynamic days count (static, no animation) - Support bilingual display (EN/ZH) with proper formatting ## Changes - web/src/components/Typewriter.tsx: Fix first character loss bug - web/src/i18n/translations.ts: Remove leading spaces in Chinese messages - web/src/components/landing/HeroSection.tsx: Add dynamic GitHub stats - web/src/hooks/useGitHubStats.ts: New hook for GitHub API integration - web/src/hooks/useCounterAnimation.ts: New hook for number animations Fixes NoFxAiOS#365 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
- Install ESLint 9 with TypeScript and React support - Install Prettier with custom configuration (no semicolons) - Add husky and lint-staged for pre-commit hooks - Configure lint-staged to auto-fix and format on commit - Relax ESLint rules to avoid large-scale code changes - Format all existing code with Prettier (no semicolons) Co-Authored-By: Claude <[email protected]>
Feature/eslint&prettier
用户在使用Aster交易员时发现,即使没有开始交易,P&L统计也显示了12.5 USDT (83.33%)的盈亏。经过调查发现: **根本原因**: - 实际Aster账户余额:27.5 USDT - Web界面配置的InitialBalance:15 USDT ❌ - 错误的P&L计算:27.5 - 15 = 12.5 USDT (83.33%) **问题根源**: 1. Web界面创建交易员时默认initial_balance为1000 USDT 2. 用户手动修改时容易输入错误的值 3. 缺少自动获取实际余额的功能 4. 缺少明确的警告提示 **文件**: `trader/aster_trader.go` - ✅ 验证Aster API完全兼容Binance格式 - 添加详细的注释说明字段含义 - 添加调试日志以便排查问题 - 确认balance字段不包含未实现盈亏(与Binance一致) **关键确认**: ```go // ✅ Aster API完全兼容Binance API格式 // balance字段 = wallet balance(不包含未实现盈亏) // crossUnPnl = unrealized profit(未实现盈亏) // crossWalletBalance = balance + crossUnPnl(全仓钱包余额,包含盈亏) ``` **文件**: `web/src/components/TraderConfigModal.tsx` **新增功能**: 1. **编辑模式**:添加"获取当前余额"按钮 - 一键从交易所API获取当前账户净值 - 自动填充到InitialBalance字段 - 显示加载状态和错误提示 2. **创建模式**:添加警告提示 -⚠️ 提醒用户必须输入交易所的当前实际余额 - 警告:如果输入不准确,P&L统计将会错误 3. **改进输入体验**: - 支持小数输入(step="0.01") - 必填字段标记(创建模式) - 实时错误提示 **代码实现**: ```typescript const handleFetchCurrentBalance = async () => { const response = await fetch(`/api/account?trader_id=${traderData.trader_id}`); const data = await response.json(); const currentBalance = data.total_equity; // 当前净值 setFormData(prev => ({ ...prev, initial_balance: currentBalance })); }; ``` 通过查阅Binance官方文档确认: | 项目 | Binance | Aster (修复后) | |------|---------|----------------| | **余额字段** | balance = 钱包余额(不含盈亏) | ✅ 相同 | | **盈亏字段** | crossUnPnl = 未实现盈亏 | ✅ 相同 | | **总权益** | balance + crossUnPnl | ✅ 相同 | | **P&L计算** | totalEquity - initialBalance | ✅ 相同 | 1. 编辑交易员配置 2. 点击"获取当前余额"按钮 3. 系统自动填充正确的InitialBalance 4. 保存配置 1. 查看交易所账户的实际余额 2. 准确输入到InitialBalance字段 3. 注意查看警告提示 4. 完成创建 - [x] 确认Aster API返回格式与Binance一致 - [x] 验证"获取当前余额"功能正常工作 - [x] 确认P&L计算公式正确 - [x] 前端构建成功 - [x] 警告提示正常显示 - **修复**: 解决InitialBalance配置错误导致的P&L统计不准确问题 - **改进**: 提升用户体验,减少配置错误 - **兼容**: 完全向后兼容,不影响现有功能 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
Added interactive help icons with tooltips for Aster exchange fields (user, signer, privateKey) to guide users through correct configuration. Changes: - Added HelpCircle icon from lucide-react - Created reusable Tooltip component with hover/click interaction - Added bilingual help descriptions in translations.ts - User field: explains main wallet address (login address) - Signer field: explains API wallet address generation - Private Key field: clarifies local-only usage, never transmitted This prevents user confusion and configuration errors when setting up Aster exchange. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
Added warning message to inform users that Aster only tracks USDT balance, preventing P&L calculation errors from asset price fluctuations. Why this is important: - Aster trader only tracks USDT balance (aster_trader.go:453) - If users use BNB/ETH as margin, price fluctuations will cause: * Initial balance becomes inaccurate * P&L statistics will be wrong * Example: 10 BNB @ $100 = $1000, if BNB drops to $90, real equity is $900 but system still shows $1000 Changes: - Added asterUsdtWarning translation in both EN and ZH - Added red warning box below Aster private key field - Clear message: "Please use USDT as margin currency" 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
主要优化点: 强化风险控制框架 明确单笔风险≤2%,总风险≤6% 添加连续亏损后的仓位调整规则 设置单日和每周最大亏损限制 提高开仓标准 要求至少3个技术指标支持 必须有多时间框架趋势确认 入场时机要求更具体 完善决策流程 增加市场环境评估环节 明确风险回报比计算要求 添加资金保护检查点 细化行为准则 明确等待最佳机会的重要性 强调分批止盈和严格止损 添加情绪控制具体方法 增强绩效反馈机制 不同夏普比率区间的具体行动指南 亏损状态下的仓位控制要求 盈利状态下的纪律保持提醒 这个优化版本更加注重风险控制和稳健性,同时保持了交易的专业性和灵活性。
Merged standalone USDT warning into existing security warning section for cleaner UI. Changes: - Removed separate red warning box for USDT - Added USDT warning as first item in security warning box (conditional on Aster exchange) - Now shows 4 warnings for Aster: USDT requirement + 3 general security warnings - Cleaner, more organized warning presentation 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
Added direct links to Aster API wallet page in help tooltips for easier access. Changes: - Added English link: https://www.asterdex.com/en/api-wallet - Added Chinese link: https://www.asterdex.com/zh-CN/api-wallet - Updated asterSignerDesc with API wallet URL - Updated asterPrivateKeyDesc with API wallet URL and security note - Users can now directly access the API wallet page from tooltips 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
## Fixes ### 1. Typewriter Component - Missing First Character - Fix character loss issue where first character of each line was missing - Add proper state reset logic before starting typing animation - Extract character before setState to avoid closure issues - Add setTimeout(0) to ensure state is updated before typing starts - Change dependency from `lines` to `sanitizedLines` for correct updates - Use `??` instead of `||` for safer null handling ### 2. Chinese Translation - Leading Spaces - Remove leading spaces from startupMessages1/2/3 in Chinese translations - Ensures proper display of startup messages in terminal simulation ### 3. Dynamic GitHub Stats with Animation - Add useGitHubStats hook to fetch real-time GitHub repository data - Add useCounterAnimation hook with easeOutExpo easing for smooth number animation - Display dynamic star count with smooth counter animation (2s duration) - Display dynamic days count (static, no animation) - Support bilingual display (EN/ZH) with proper formatting ## Changes - web/src/components/Typewriter.tsx: Fix first character loss bug - web/src/i18n/translations.ts: Remove leading spaces in Chinese messages - web/src/components/landing/HeroSection.tsx: Add dynamic GitHub stats - web/src/hooks/useGitHubStats.ts: New hook for GitHub API integration - web/src/hooks/useCounterAnimation.ts: New hook for number animations Fixes NoFxAiOS#365 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
- Extract formattedStars calculation to avoid duplication - Keep tabular-nums span for consistent number width during animation - Address code review feedback from @xqliu 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
feat(log): add logrus log lib and add telegram notification push as an option
…AiOS#1008) ## Problem When multiple users create traders with the same exchange + AI model combination within the same second, they generate identical traderIDs, causing data conflicts. Old code (Line 496): ```go traderID := fmt.Sprintf("%s_%s_%d", req.ExchangeID, req.AIModelID, time.Now().Unix()) ``` ## Solution Use UUID to guarantee 100% uniqueness while preserving prefix for debugging: ```go traderID := fmt.Sprintf("%s_%s_%s", req.ExchangeID, req.AIModelID, uuid.New().String()) ``` Example output: `binance_gpt-4_a1b2c3d4-e5f6-7890-abcd-ef1234567890` ## Changes - `api/server.go:495-497`: Use UUID for traderID generation - `api/traderid_test.go`: New test file with 3 comprehensive tests ## Tests ✅ All tests passed (0.189s) ✅ TestTraderIDUniqueness - 100 unique IDs generated ✅ TestTraderIDFormat - 3 exchange/model combinations validated ✅ TestTraderIDNoCollision - 1000 iterations without collision Fixes NoFxAiOS#893 Co-authored-by: the-dev-z <[email protected]>
* Add files via upload * Revise Git workflow guidelines and branch strategies * Update git workflow * Chores
…oFxAiOS#1023) * refactor(web): restructure AITradersPage into modular architecture Refactored the massive 2652-line AITradersPage.tsx into a clean, modular architecture following React best practices. **Changes:** - Decomposed 2652-line component into 12 focused modules - Introduced Zustand stores for config and modal state management - Extracted all business logic into useTraderActions custom hook (633 lines) - Created reusable section components (PageHeader, TradersGrid, etc.) - Separated complex modal logic into dedicated components - Added TraderConfig type, eliminated all any types - Fixed critical bugs in configuredExchanges logic and getState() usage **File Structure:** - Main page reduced from 2652 → 234 lines (91% reduction) - components/traders/: 7 UI components + 5 section components - stores/: tradersConfigStore, tradersModalStore - hooks/: useTraderActions (all business logic) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]> * chore: ignore PR_DESCRIPTION.md * fix(web): restore trader dashboard navigation functionality Fixed missing navigation logic in refactored AITradersPage. The "查看" (View) button now correctly navigates to the trader dashboard. **Root Cause:** During refactoring, the `useNavigate` hook and default navigation logic were inadvertently omitted from the main page component. **Changes:** - Added `useNavigate` import from react-router-dom - Implemented `handleTraderSelect` function with fallback navigation - Restored original behavior: use `onTraderSelect` prop if provided, otherwise navigate to `/dashboard?trader=${traderId}` **Testing:** - ✅ Click "查看" button navigates to trader dashboard - ✅ Query parameter correctly passed to dashboard 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]> * fix(web): correct type definitions for trader configuration Fixed TypeScript build errors by using the correct `TraderConfigData` type instead of the incorrect `TraderConfig` type. **Root Cause:** During refactoring, a new `TraderConfig` type was incorrectly created that extended `CreateTraderRequest` (with fields like `name`, `ai_model_id`). However, the `TraderConfigModal` component and API responses actually use `TraderConfigData` (with fields like `trader_name`, `ai_model`). **Changes:** - Replaced all `TraderConfig` references with `TraderConfigData`: - stores/tradersModalStore.ts - hooks/useTraderActions.ts - lib/api.ts - Removed incorrect `TraderConfig` type definition from types.ts - Added null check for `editingTrader.trader_id` to satisfy TypeScript **Build Status:** - ✅ TypeScript compilation: PASS - ✅ Vite production build: PASS 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]> --------- Co-authored-by: Claude <[email protected]>
问题:AI 返回 adjust_stop_loss 导致决策验证失败 根因:prompt 只列出 6 个 action,缺少 3 个有效 action 修复(TDD): 1. 添加测试验证 prompt 包含所有 9 个有效 action 2. 最小修改:在 action 列表中补充 3 个缺失项 - update_stop_loss - update_take_profit - partial_close 测试: - TestBuildSystemPrompt_ContainsAllValidActions ✅ - TestBuildSystemPrompt_ActionListCompleteness ✅ Fixes: 无效的action: adjust_stop_loss
…ke_profit actions (NoFxAiOS#993) * fix(decision): clarify field names for update_stop_loss and update_take_profit actions 修复 AI 决策中的字段名混淆问题: **问题**: AI 在使用 update_stop_loss 时错误地使用了 `stop_loss` 字段, 导致解析失败(backend 期望 `new_stop_loss` 字段) **根因**: 系统 prompt 的字段说明不够明确,AI 无法知道 update_stop_loss 应该使用 new_stop_loss 字段而非 stop_loss **修复**: 1. 在字段说明中明确标注: - update_stop_loss 时必填: new_stop_loss (不是 stop_loss) - update_take_profit 时必填: new_take_profit (不是 take_profit) 2. 在 JSON 示例中增加 update_stop_loss 的具体用法示例 **验证**: decision_logs 中的错误 "新止损价格必须大于0: 0.00" 应该消失 * test(decision): add validation tests for update actions 添加针对 update_stop_loss、update_take_profit 和 partial_close 动作的字段验证单元测试: **测试覆盖**: 1. TestUpdateStopLossValidation - 验证 new_stop_loss 字段 - 正确使用 new_stop_loss 字段(应通过) - new_stop_loss 为 0(应报错) - new_stop_loss 为负数(应报错) 2. TestUpdateTakeProfitValidation - 验证 new_take_profit 字段 - 正确使用 new_take_profit 字段(应通过) - new_take_profit 为 0(应报错) - new_take_profit 为负数(应报错) 3. TestPartialCloseValidation - 验证 close_percentage 字段 - 正确使用 close_percentage 字段(应通过) - close_percentage 为 0(应报错) - close_percentage 超过 100(应报错) **测试结果**:所有测试用例通过 ✓ --------- Co-authored-by: Shui <[email protected]>
…xAiOS#986) ## Problem PR NoFxAiOS#906 changed healthcheck commands from `wget` to `curl`, but Alpine Linux (our base image) does not include `curl` by default, causing all containers to fail healthchecks with: ``` exec: "curl": executable file not found in $PATH ``` This creates a configuration mismatch: - docker/Dockerfile.backend uses `wget` (✅ works) - docker-compose.yml uses `curl` (❌ fails) ## Root Cause Analysis Alpine Linux philosophy is minimalism: - ✅ `wget` is pre-installed (part of busybox) - ❌ `curl` requires `apk add curl` (~3MB extra) The original PR NoFxAiOS#906 made two commits: 1. First commit (3af8760): `curl` → `wget` (✅ correct fix) 2. Second commit (333b2ef): `wget` → `curl` (❌ introduced bug) The second commit was based on incorrect assumption that "curl is more widely available than wget in Docker images". This is false for Alpine. ## Solution Revert healthcheck commands back to `wget` to match: 1. Alpine's pre-installed tools 2. Dockerfile.backend healthcheck (line 68) 3. Docker and Kubernetes best practices ## Testing ✅ Verified `wget` exists in Alpine containers: ```bash docker run --rm alpine:latest which wget # Output: /usr/bin/wget ``` ✅ Added new CI workflow to prevent regression: - `.github/workflows/pr-docker-compose-healthcheck.yml` - Validates healthcheck compatibility with Alpine - Ensures containers reach healthy status ## Impact - **Before**: Containers show (unhealthy), potential auto-restart loops - **After**: Containers show (healthy), monitoring systems happy - **Scope**: Only affects docker-compose deployments - **Breaking**: None - this is a bug fix ## References - PR NoFxAiOS#906: Original (incorrect) fix - Alpine Linux: https://alpinelinux.org/about/ - Dockerfile.backend L68: Existing `wget` healthcheck 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: the-dev-z <[email protected]> Co-authored-by: Claude <[email protected]> Co-authored-by: Shui <[email protected]>
* improve(interface): replace with interface * feat(mcp): 添加构建器模式支持 新增功能: - RequestBuilder 构建器,支持流式 API - 多轮对话支持(AddAssistantMessage) - Function Calling / Tools 支持 - 精细参数控制(temperature, top_p, penalties 等) - 3个预设场景(Chat, CodeGen, CreativeWriting) - 完整的测试套件(19个新测试) 修复问题: - Config 字段未使用(MaxRetries、Temperature 等) - DeepSeek/Qwen SetAPIKey 的冗余 nil 检查 向后兼容: - 保留 CallWithMessages API - 新增 CallWithRequest API 测试: - 81 个测试全部通过 - 覆盖率 80.6% 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]> --------- Co-authored-by: zbhan <[email protected]> Co-authored-by: Claude <[email protected]>
…ing (NoFxAiOS#1061) * fix(web): remove duplicate PasswordChecklist in error block - Remove duplicate PasswordChecklist component from error message area - Keep only the real-time password validation checklist - Error block now displays only the error message text Bug was introduced in commit aa0bd93 (PR NoFxAiOS#872) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]> * refactor(web): redesign httpClient with axios and unified error handling Major refactoring to improve error handling architecture: ## Changes ### 1. HTTP Client Redesign (httpClient.ts) - Replaced native fetch with axios for better interceptor support - Implemented request/response interceptors for centralized error handling - Added automatic Bearer token injection in request interceptor - Network errors and system errors (404, 403, 500) now intercepted and shown via toast - Only business logic errors (4xx except 401/403/404) returned to caller - New ApiResponse<T> interface for type-safe responses ### 2. API Migration (api.ts) - Migrated all 31 API methods from legacy fetch-style to new httpClient - Updated pattern: from `res.ok/res.json()` to `result.success/result.data` - Removed getAuthHeaders() helper (token now auto-injected) - Added TypeScript generics for better type safety ### 3. Component Updates - AuthContext.tsx: Updated register() to use new API - TraderConfigModal.tsx: Migrated 3 API calls (config, templates, balance) - RegisterPage.tsx: Simplified error display (error type handling now in API layer) ### 4. Removed Legacy Code - Removed legacyHttpClient compatibility wrapper (~30 lines) - Removed legacyRequest() method - Clean separation: API layer handles all error classification ## Benefits - Centralized error handling - no need to check network/system errors in components - Better UX - automatic toast notifications for system errors - Type safety - generic ApiResponse<T> provides compile-time checks - Cleaner business components - only handle business logic errors - Consistent error messages across the application 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]> --------- Co-authored-by: Claude <[email protected]>
the-dev-z
requested review from
Icyoung,
SkywalkerJi,
hzb1115 and
tangmengqiu
as code owners
🤖 Advisory Check ResultsThese are advisory checks to help improve code quality. They won't block your PR from being merged. 📋 PR InformationTitle Format: ✅ Good - Follows Conventional Commits 🔧 Backend ChecksGo Formatting: Files needing formattingGo Vet: ✅ Good Fix locally: go fmt ./... # Format code
go vet ./... # Check for issues
go test ./... # Run tests⚛️ Frontend ChecksBuild & Type Check: ✅ Success Fix locally: cd web
npm run build # Test build (includes type checking)📖 ResourcesQuestions? Feel free to ask in the comments! 🙏 These checks are advisory and won't block your PR from being merged. This comment is automatically generated from pr-checks-run.yml. |
the-dev-z
force-pushed
the
security/audit-fixes-2025-11
branch
from
96954de to
0586484
Compare
Collaborator
Author
🔄 PR 更新說明經過深入評估,已將本 PR 的修改範圍調整為更加聚焦於實際安全修復,移除了 CORS 白名單相關的變更。 ✅ 保留的修復(核心安全問題)
❌ 移除的變更(CORS 白名單)理由:
詳細分析: 關於 CORS 安全性的完整評估,請參閱 NOFX_CORS_Security_Analysis.md(正在整理中) 📊 修改統計
🎯 建議的安全優先級
感謝審閱!🙏 |
🤖 Advisory Check ResultsThese are advisory checks to help improve code quality. They won't block your PR from being merged. 📋 PR InformationTitle Format: ✅ Good - Follows Conventional Commits 💡 Suggestion: This is a large PR. Consider breaking it into smaller, focused PRs for easier review. 🔧 Backend ChecksGo Formatting: Files needing formattingGo Vet: ✅ Good Fix locally: go fmt ./... # Format code
go vet ./... # Check for issues
go test ./... # Run tests⚛️ Frontend ChecksBuild & Type Check: ✅ Success Fix locally: cd web
npm run build # Test build (includes type checking)📖 ResourcesQuestions? Feel free to ask in the comments! 🙏 These checks are advisory and won't block your PR from being merged. This comment is automatically generated from pr-checks-run.yml. |
Collaborator
Author
🔄 PR 已清理並重新提交感謝指出問題!原先的 PR 確實包含了不應該提交到上游的自定義功能。 ✅ 現在的狀態(已修復)基礎分支: 變更統計: 14 files, +314/-35 ❌ 之前的問題(已清除)之前錯誤地包含了以下來自
這些功能已全部移除,現在是一個乾淨的 PR,只包含安全修復。 ✅ 當前包含的修復
現在這是一個完全乾淨的 PR,可以安全合併到上游 🎉 |
the-dev-z
force-pushed
the
security/audit-fixes-2025-11
branch
from
0586484 to
8af054b
Compare
🤖 Advisory Check ResultsThese are advisory checks to help improve code quality. They won't block your PR from being merged. 📋 PR InformationTitle Format: ✅ Good - Follows Conventional Commits 🔧 Backend ChecksGo Formatting: Files needing formattingGo Vet: ✅ Good Fix locally: go fmt ./... # Format code
go vet ./... # Check for issues
go test ./... # Run tests⚛️ Frontend ChecksBuild & Type Check: ✅ Success Fix locally: cd web
npm run build # Test build (includes type checking)📖 ResourcesQuestions? Feel free to ask in the comments! 🙏 These checks are advisory and won't block your PR from being merged. This comment is automatically generated from pr-checks-run.yml. |
- Fix sensitive config file exposure (add logger/config.telegram.json to .gitignore) - Create logger/config.telegram.json.example template - Enforce JWT_SECRET requirement in production (main.go) - Update .env.example and docker-compose.yml with security best practices - Fix 20+ unsafe type assertions across trader modules - trader/aster_trader.go: 8 fixes - trader/binance_futures.go: 3 fixes - trader/auto_trader.go: 7 fixes - trader/hyperliquid_trader.go: 2 fixes - Create trader/utils.go with safe type conversion helpers - SafeFloat64(), SafeString(), SafeInt() - Remove sensitive console.log in production - web/src/components/traders/ExchangeConfigModal.tsx - web/src/components/AITradersPage.tsx - Fix undefined variable $RAW_KEY -> $DATA_KEY (scripts/generate_data_key.sh) - Prevents runtime panics from unsafe type assertions - Enforces secure configuration in production - Protects sensitive data from console output and version control - Fixed issues from audit report dated 2025/11/17 - Addressed 1 Critical + 6 High priority issues (type assertions + sensitive files) - Note: CORS configuration kept as Access-Control-Allow-Origin: * for deployment simplicity (JWT verification provides primary security; see NOFX_CORS_Security_Analysis.md for details) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
the-dev-z
force-pushed
the
security/audit-fixes-2025-11
branch
from
8af054b to
1f1c43b
Compare
🤖 Advisory Check ResultsThese are advisory checks to help improve code quality. They won't block your PR from being merged. 📋 PR InformationTitle Format: ✅ Good - Follows Conventional Commits 🔧 Backend ChecksGo Formatting: Files needing formattingGo Vet: ✅ Good Fix locally: go fmt ./... # Format code
go vet ./... # Check for issues
go test ./... # Run tests⚛️ Frontend ChecksBuild & Type Check: ✅ Success Fix locally: cd web
npm run build # Test build (includes type checking)📖 ResourcesQuestions? Feel free to ask in the comments! 🙏 These checks are advisory and won't block your PR from being merged. This comment is automatically generated from pr-checks-run.yml. |
tinkle-community
force-pushed
the
dev
branch
from
43aad91 to
5517269
Compare
tinkle-community
requested review from
heronsbillC,
mykelio1001 and
tinkle-community
as code owners
tinkle-community
force-pushed
the
dev
branch
3 times, most recently
from
02cb78a to
7bd5ca0
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
20 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🔐 Security Fixes Overview
This PR addresses critical security issues identified in the code audit report (2025/11/17), resolving 1 Critical + 31 High priority issues out of 829 total findings.
📋 Changes Summary
Stage 1: Configuration & Environment Variables
logger/config.telegram.jsonto.gitignorelogger/config.telegram.json.exampletemplateapi/server.go)*with environment-basedALLOWED_ORIGINShttp://localhost:5173,http://localhost:3000main.go)JWT_SECRETenv var in production modeStage 2: Code Safety
trader/aster_trader.go: 8 fixes (markPrice, positionAmt, unRealizedProfit, etc.)trader/binance_futures.go: 3 fixestrader/auto_trader.go: 7 fixestrader/hyperliquid_trader.go: 2 fixestrader/utils.go)SafeFloat64(),SafeString(),SafeInt()web/src/components/traders/ExchangeConfigModal.tsxweb/src/components/AITradersPage.tsximport.meta.env.DEVStage 3: Shell Script Fixes
scripts/generate_data_key.sh)$RAW_KEY→$DATA_KEY(4 occurrences)Documentation & Configuration
.env.exampleJWT_SECRET,ENVIRONMENT,ALLOWED_ORIGINSwith detailed commentsdocker-compose.ymlENVIRONMENTandALLOWED_ORIGINSenvironment variablesREADME.md🔍 Testing
Backend
go build # ✅ PassesFrontend
Docker
docker compose up -d --build # ✅ Works with updated env vars📊 Impact
Prevents Runtime Panics
Enforces Secure Configuration
Restricts API Access
*)ALLOWED_ORIGINS)Protects Sensitive Data
🔒 Security Considerations
Breaking Changes
JWT_SECRETenvironment variableMigration guide:
Non-Breaking Changes
localhostorigins (development-friendly)📚 Audit Report Reference
✅ Checklist
🤖 Generated with Claude Code
Co-Authored-By: Claude [email protected]