Chore: Release v3.1.0#16
Merged
Merged
Conversation
docs: add a note in the README
Feat: Encrypt pool passphrase with operator password, add adm-pool CLI and /api/health
Full security review of server/ and web/ per issue #10. Adds input validation and fail-closed config checks on the untrusted-node and payout-destination paths, and hardens the HTTP API. No reward math, accounting invariants, retry behavior, or signing flow changed. - validate node-supplied voter addresses and block ids before any MongoDB query, DB write, or transaction signing, preventing NoSQL operator injection and malformed payout destinations from a malicious/malformed node response (new ADM_ADDRESS_REGEX and utils.isAdmAddress) - validate maintenancewallet/donatewallet ADM address format and reward/donate percentage ranges at startup, failing closed on a typo - default CORS credentials to false (the API is public, read-only, and cookieless; a wildcard origin with credentials is an invalid combination) - add a generic Express error handler so internal errors and stack traces are not disclosed to clients, and disable the X-Powered-By banner - add focused tests for address validation across distribution, payout, and block parsing Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Fix: Address security review findings in server and web
… props, add filtering functionality
Closed
6 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Release ADAMANT Forging Pool v3.1.0 by merging
devintomaster.Closes #15.
Diff Summary
Compared with
master,devis ahead by 93 commits and changes 89 files:Main merged work included in this release:
Chore: Upgrade and refactor pool for v3.1.0Docs: Add AI agent instructionsRefactor: Harden server accounting, logging, and testsFeat: Encrypt pool passphrase with operator password, add adm-pool CLI and /api/healthFix: Address security review findings in server and webRuntime, Dependencies, and Tooling
.eslintignore/.eslintrc.cjsfilesStorage and Migration
server/src/repository/lowdb/for older data and migration testsscripts/migrate-lowdb-mongodb/with migration logic, tests, and package metadataReward, Payout, and Accounting Safety
Secret Safety and Operator Controls
adm-pool encrypt,unlock,lock, andstatusCLI commandsPublic API and Monitoring
/api/healthfor secret-free external monitoringDashboard and Web UI
<picture>markupDocumentation and Governance
CONTRIBUTING.mdAGENTS.mdwith repository-specific AI agent operating rulesRisk Areas
adm-poolCLI flows,/api/health, MongoDB config, and deployment startupVerification
Release PR verification should include:
git diff --check master...devnpm run build:webnpm --prefix server run lintnpm --prefix server testnpm --prefix web run lintnpm --prefix web run buildnpm auditnpm --prefix server auditnpm --prefix web auditnpm --prefix scripts/migrate-lowdb-mongodb auditadm-pool status, dashboard load,/api/health, voter table sorting/filtering, and payout-safe startup logsRelease Notes
After merge, publish
v3.1.0with release notes covering:adm-pooloperator workflow/api/healthmonitoring