docs: standardize node URL to rustchain.org#2844
Merged
Merged
Conversation
- Replace CURRENT_YEAR = 2025 with datetime.now().year - Fixes stale antiquity multiplier calculations - Resolves issue Scottcjn#2802
- Update 'Minimum 23 characters' to '43 characters total' - Clarify format: RTC prefix + 40 hex characters - Resolves Scottcjn#2780
- Add strict_slashes=False to /explorer route - Prevents 301 redirect when URL lacks trailing slash - Resolves Scottcjn#2651
…PI spec
- Document /balance/{miner_pk} endpoint for miner balance queries
- Document /wallet/balance endpoint for wallet balance queries
- Resolves Scottcjn#2610
- Replace hardcoded IP 50.28.86.131 with https://rustchain.org - Affects telegram_bot, chart-widget, and ghost machine bounty docs - Resolves Scottcjn#2622
github-actions
Bot
added
documentation
Emanon4
added a commit
to Emanon4/rustchain-test-fork
that referenced
this pull request
May 14, 2026
Scottcjn
pushed a commit
that referenced
this pull request
May 14, 2026
Scottcjn
added a commit
that referenced
this pull request
May 18, 2026
…on outputs (#5113) * docs: fix broken whitepaper link in README (#2693) The whitepaper filename is v0.97.pdf, not v0.97-1.pdf. This fixes the broken link to the whitepaper document. First PR - looking forward to contributing to RustChain! Co-authored-by: Hermes Agent <hermes-agent@nous.dev> * deps(deps): update python-telegram-bot requirement from >=20.0 to >=22.7 (#2789) Updates the requirements on [python-telegram-bot](https://github.com/python-telegram-bot/python-telegram-bot) to permit the latest version. - [Release notes](https://github.com/python-telegram-bot/python-telegram-bot/releases) - [Commits](https://github.com/python-telegram-bot/python-telegram-bot/compare/v20.0...v22.7) --- updated-dependencies: - dependency-name: python-telegram-bot dependency-version: '22.7' dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * deps(deps): update pyyaml requirement from >=6.0 to >=6.0.3 (#2788) Updates the requirements on [pyyaml](https://github.com/yaml/pyyaml) to permit the latest version. - [Release notes](https://github.com/yaml/pyyaml/releases) - [Changelog](https://github.com/yaml/pyyaml/blob/6.0.3/CHANGES) - [Commits](https://github.com/yaml/pyyaml/compare/6.0...6.0.3) --- updated-dependencies: - dependency-name: pyyaml dependency-version: 6.0.3 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * deps(deps): update pynacl requirement from >=1.5.0 to >=1.6.2 (#2787) Updates the requirements on [pynacl](https://github.com/pyca/pynacl) to permit the latest version. - [Changelog](https://github.com/pyca/pynacl/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/pynacl/compare/1.5.0...1.6.2) --- updated-dependencies: - dependency-name: pynacl dependency-version: 1.6.2 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * deps(deps): update ruff requirement from >=0.1.0 to >=0.15.12 (#2786) Updates the requirements on [ruff](https://github.com/astral-sh/ruff) to permit the latest version. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.1.0...0.15.12) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.15.12 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * deps(deps): update prometheus-client requirement (#2785) Updates the requirements on [prometheus-client](https://github.com/prometheus/client_python) to permit the latest version. - [Release notes](https://github.com/prometheus/client_python/releases) - [Commits](https://github.com/prometheus/client_python/compare/v0.19.0...v0.25.0) --- updated-dependencies: - dependency-name: prometheus-client dependency-version: 0.25.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix(security): auth for bounty claim, SSL verification, remove hardcoded admin key (#2800) 1. beacon_api.py: Add X-Admin-Key authentication to /api/bounties/<id>/claim - Previously anyone could claim bounties without authentication - Now requires RC_ADMIN_KEY via X-Admin-Key header (same as complete_bounty) 2. beacon_api.py: Enable SSL verification in sync_bounties - Previously disabled SSL verification unconditionally - Now verifies by default; opt-out via RC_DISABLE_SSL_VERIFY=1 env var 3. fleet_immune_system.py: Remove hardcoded admin key fallback - Previously fell back to 'rustchain_admin_key_2025_secure64' when RC_ADMIN_KEY env var was not set - Now requires RC_ADMIN_KEY to be set; endpoints return 503 if missing - Also uses hmac.compare_digest for timing-safe comparison RTC: RTC4642c5ee8467f61ed91b5775b0eeba984dd776ba Co-authored-by: haoyousun60-create <cdsun88@users.noreply.github.com> * docs: add Good First Issues link to CONTRIBUTING.md (#2303) * Security Audit — Bounty #2867: 29 vulnerabilities across 5 subsystems (2 Critical PoC confirmed) (#2744) * Security Audit — Bounty #2867: 29 vulnerabilities across 5 subsystems Full report: tests/security_audit/SECURITY_AUDIT_2867.md PoC tests: tests/security_audit/test_security_findings_2867.py CRITICAL (6): C1: manage_tx undefined in mempool_add() — masked crash C2: PNCounter CRDT max() merge — permanent balance inflation C3: Shared HMAC key — arbitrary message forgery C4: Unregistered peer Ed25519 bypass C5: Miner identity spoofing via --miner-id C6: Header SHA-512 signature — complete forgery HIGH (6): H1: Withdrawal TOCTOU race — balance overdraw H2: Auth CRDT no sender namespace restriction H3: EpochConsensus forged voter identity H4: Hardcoded plaintext HTTP peer URLs H5: /p2p/state and /p2p/peers unauthenticated H6: Miner wallet deterministic weak hash MEDIUM (7): M1: Timing attacks on admin key (7 endpoints) M2: Float precision loss in amounts M3: Legacy signature fee manipulation M4: GossipMessage no input validation M5: /p2p/gossip no rate limit M6: tx_type not whitelisted M7: RUSTCHAIN_TLS_VERIFY global bypass LOW (9): L1: to_address unvalidated L2: nonce type/length unvalidated L3: spending_proof not verified in UtxoDB L4-L9: Hardware fingerprint checks bypassable Wallet: RTC6d1f27d28961279f1034d9561c2403697eb55602 * fix: add SPDX header to SECURITY_AUDIT_2867.md --------- Co-authored-by: BossChaos <bosschaos@proton.me> * security: comprehensive audit of wallet, bridge, agent economy, and webhooks (#2764) 19 findings: 5 critical, 6 high, 6 medium, 1 low, 1 informational BCOS-L2 Critical: unsigned transfers, escrow double-spend, broken bridge import High: SSL disabled, TOCTOU race, token in /proc, SQL injection, XSS, overflow * ci(deps): bump actions/upload-artifact from 4 to 7 (#2379) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 7. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v4...v7) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci(deps): bump actions/checkout from 4 to 6 (#2378) Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v4...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci(deps): bump actions/setup-python from 5 to 6 (#2377) Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5 to 6. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/setup-python dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * docs: fix two broken documentation links (#2263) Co-authored-by: Hermes Agent <hermes@example.com> * [P2P-BUG] Thread Safety Race Condition in Message Deduplication - Bounty #2819 (#2205) Co-authored-by: koreysmith123 <70450023+koreysmith123@users.noreply.github.com> * fix: C1 manage_tx undefined in mempool_add (closes #2867 finding C1) (#2812) The 7 ROLLBACK paths in mempool_add() referenced manage_tx, which was never defined in scope. Every error path raised NameError, caught by the bare-except at the bottom, causing ALL mempool admissions on error paths to silently fail. mempool_add() always opens its own connection and starts its own BEGIN IMMEDIATE transaction, so manage_tx = True unconditionally. Set it explicitly at the top of the method. Verified: mempool_add() with invalid input now returns False cleanly instead of raising NameError. Audit credit: BossChaos #2744 (audit) + Scottcjn (fix) Bounty: #2867 fix-bounty Critical-tier Co-authored-by: Scottcjn <scottbphone12@gmail.com> * fix: M1 use hmac.compare_digest for all admin key comparisons (closes #2867 finding M1) (#2813) 15+ endpoints in node/rustchain_v2_integrated_v2.2.1_rip200.py used direct string comparison (`!=`) for admin key validation: - 9× `admin_key != os.environ.get("RC_ADMIN_KEY", "")` - 5× `admin_key != ADMIN_KEY` - 1× `provided_key != admin_key` - 1× `key != ADMIN_KEY` (decorator) Direct string compare leaks key length and prefix via timing side channel — an attacker can recover the admin key byte-by-byte by measuring response time differences. Replaced all with `hmac.compare_digest()` which is constant-time. Added `or ""` null-guards where ADMIN_KEY is from os.getenv() with no default (returns None on unset). Audit credit: BossChaos #2744 (M1, paid 10 RTC for the find) Bounty: #2867 fix-bounty Low-tier Co-authored-by: Scottcjn <scottbphone12@gmail.com> * fix: M2 use Decimal for RTC amount parsing — float() lost precision and overflowed (closes #2867 M2) (#2814) The /utxo/transfer endpoint parsed amounts via float(), which has two bugs: 1. Precision loss: float(0.29) * 100_000_000 = 28999999.999... → int() = 28999999. User sent 0.29 RTC, system credited 0.28999999 RTC (1 nrtc lost per tx). 2. OverflowError on large input: float('1e308') = inf → int(inf * UNIT) raises. Crashes the request handler instead of returning a clean 400. Replaced with _parse_rtc_amount() helper using Decimal: - Decimal(str(0.29)) is exact: 29000000 nrtc as expected - Bounds check (<= 2^53 RTC) catches overflow before int() conversion - Rejects Infinity, NaN, negative - Returns clean 400 with error message instead of 500 Verified all 8 edge cases pass including the headline 0.29 precision bug. Audit credit: BossChaos #2744 M2 (paid 25 RTC for the find) Bounty: #2867 fix-bounty Medium-tier Co-authored-by: Scottcjn <scottbphone12@gmail.com> * fix: M5 add per-IP rate limit on /p2p/gossip endpoint (closes #2867 M5) (#2815) The /p2p/gossip POST endpoint did signature verification + CRDT merge + SQLite I/O on every request with no throttling. A single attacker could saturate the node by hammering it with junk messages — DoS amplifier. Added per-IP token-bucket rate limit: 10 requests per second per IP. That's well above legitimate gossip traffic (peers normally < 1 msg/sec each) but caps a misbehaving IP at ~10x background rate. Implementation: - collections.deque per IP storing request timestamps - threading.Lock for thread safety (Gunicorn worker concurrency) - Window-based eviction (timestamps outside 1s dropped on each check) - Periodic dict pruning when size > 10k IPs - Reads X-Forwarded-For for nginx proxy correctness Verified with 3 unit tests: 1. 15 rapid requests from same IP → 10 allowed, 5 denied (429) 2. Different IP not affected by another's rate limit 3. After 1.1s window passes, same IP allowed again Audit credit: BossChaos #2744 M5 (paid 25 RTC for the find) Bounty: #2867 fix-bounty Medium-tier Co-authored-by: Scottcjn <scottbphone12@gmail.com> * fix: F2 atomic UPDATE WHERE status for escrow state transitions (closes #2764 F2) (#2816) The /agent/jobs/<id>/accept and /agent/jobs/<id>/cancel endpoints did: 1. SELECT job 2. Check status in Python 3. UPDATE status without WHERE-clause guard 4. _adjust_balance for escrow Concurrent calls between steps 2 and 3 cause double-spend: Thread A (cancel): status=OPEN → passes check → reads escrow=100 Thread B (accept): status=OPEN → passes check → reads escrow=100 Thread A: UPDATE status='cancelled', refunds 100 to poster Thread B: UPDATE status='completed', releases 100 to worker Net: 200 RTC paid out from a 100 RTC escrow Fix: move the UPDATE before the balance adjustment, and add a WHERE clause guarding the status. If c.rowcount == 0, the row was already claimed by another request — return 409 with STATE_RACE code instead of touching balances. Audit credit: 15183848750 #2764 F2 (paid 50 RTC for the find) Bounty: #2867 fix-bounty High-tier Co-authored-by: Scottcjn <scottbphone12@gmail.com> * fix: remove C-style // comment from line 1 of contributor_registry.py (Python SyntaxError) (#2817) contributor_registry.py had `// SPDX-License-Identifier: MIT` (C-style) on line 1, immediately followed by `# SPDX-License-Identifier: MIT` (correct Python form) on line 2. The C-style comment is invalid Python syntax — any `import contributor_registry` raises SyntaxError on line 1. Practical impact: the Flask app could not be imported in production. Also blocks FlintLeng's PR #2695 (test_contributor_registry.py) from passing CI — pytest can't collect tests for a module that won't import. Found during M1 hmac.compare_digest fix verification. Verified: `python3 -c 'import ast; ast.parse(...)'` now passes. Co-authored-by: Scottcjn <scottbphone12@gmail.com> * test: Add unit tests for contributor_registry.py (#1589) (#2695) * fix: load contributor_registry secret_key from environment (#2773) CVE-2026-XXXX: Remove hardcoded Flask secret_key which was exposed in the public GitHub repository and must be treated as compromised. Before: app.secret_key = 'rustchain_contributor_secret_2024' After: - Load from CONTRIBTOR_SECRET_KEY env var - Random fallback with warning when unset (session non-persistence) - Refuse placeholder value to prevent accidental deployment Fixes: Scottcjn/Rustchain#2772 Co-authored-by: universe7creator <universe7creator@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add haoyousun60-create to CONTRIBUTORS.md (#2711) * fix: correct misleading architecture error message in install-miner.sh Error message incorrectly says 'ARM64 only for Pi' when the script actually supports x86_64 and ppc64le architectures. Changed to list actual supported architectures: aarch64, x86_64, ppc64le. Fixes issue #2624 * docs: add haoyousun60-create to CONTRIBUTORS.md --------- Co-authored-by: AI-Agent <agent@rustchain.ai> Co-authored-by: haoyousun60-create <cdsun88@users.noreply.github.com> * fix(docs): repair broken markdown row + add @jaxint to CONTRIBUTORS.md (#2818) Two CONTRIBUTORS.md PRs landed today with a row-on-the-same-line bug: - @haoyousun60-create added via #2711, but landed on the same row as @lam1688 because the source file was missing a trailing newline. - Result: `| @lam1688 | ... Python development || @haoyousun60-create | ...` which renders as one corrupt row. @jaxint had #2689 still open with the same bug; it conflicts with main since #2711 landed. This commit: 1. Splits the broken row into two clean rows 2. Adds @jaxint's entry properly (closes #2689 effort) 3. Adds the missing trailing newline so future appends don't recreate this bug @haoyousun60-create payment from #2711 stands. @jaxint payment for contributing — 1 RTC + already-paid via cumulative jaxint queue. Affected PRs: - #2711 (haoyousun60-create): already merged with the bug; this fixes the artifact - #2689 (jaxint): can be closed as covered by this commit Co-authored-by: Scottcjn <scottbphone12@gmail.com> * [Bounty #2389] Fork Choice Graph Visualizer — Interactive Dashboard for Real-Time Fork Analysis (#2675) * Add fork choice graph HTML dashboard * Add fork choice graph Python API backend * Add fork choice visualizer README * docs: fix incorrect license reference in INSTALL.md (#2819) INSTALL.md stated 'MIT License' but the repository is actually licensed under Apache License 2.0 (see LICENSE file and README badge). This corrects the discrepancy. Co-authored-by: FlintLeng <lengxinyu@example.com> * fix(C4): delete .tmp files leaking internal IPs (#2821) Closes: Scottcjn/Rustchain#2867 (Finding 4 - CRITICAL) Co-authored-by: Wuying Created Local Users <admin@wkkqgq1txed4xzl.CN-HANGZHOU-198-12-1.WUYING.LOCAL> * fix(C5): replace hardcoded infrastructure IP with localhost + env var (#2822) Closes: Scottcjn/Rustchain#2867 (Finding 5 - CRITICAL) Co-authored-by: Wuying Created Local Users <admin@wkkqgq1txed4xzl.CN-HANGZHOU-198-12-1.WUYING.LOCAL> * fix(H4): add field whitelist to prevent SQL injection in _update_reputation (#2823) Closes: Scottcjn/Rustchain#2867 (Finding 9 - HIGH) Co-authored-by: Wuying Created Local Users <admin@wkkqgq1txed4xzl.CN-HANGZHOU-198-12-1.WUYING.LOCAL> * fix(M1): atomic keystore writes with temp file + fsync + rename (#2824) Closes: Scottcjn/Rustchain#2867 (Finding 12 - MEDIUM) Co-authored-by: Wuying Created Local Users <admin@wkkqgq1txed4xzl.CN-HANGZHOU-198-12-1.WUYING.LOCAL> * fix(M3): add API key authentication to webhook admin endpoints (#2825) Closes: Scottcjn/Rustchain#2867 (Finding 14 - MEDIUM) Co-authored-by: Wuying Created Local Users <admin@wkkqgq1txed4xzl.CN-HANGZHOU-198-12-1.WUYING.LOCAL> * fix(test): use mkstemp instead of insecure mktemp in security audit PoC (#2826) bandit B306: tempfile.mktemp() is deprecated/insecure (race condition between filename creation and file open). Replace with mkstemp() which atomically creates and opens the file, then close the fd we don't need (sqlite3.connect opens its own). Was failing CI on main since #2744 merged yesterday — blocking all subsequent PRs from green CI. Affected: tests/security_audit/test_security_findings_2867.py:127 Co-authored-by: Scottcjn <scottbphone12@gmail.com> * fix(test): remove os.chdir at module scope from #2867 PoC (broke collection of other tests) (#2827) The audit PoC test (#2744) had os.chdir(_node_dir) at module scope, which ran during pytest collection and mutated cwd for ALL subsequent test modules in the same session. This broke tests/test_vintage_hardware_attestation.py which does sys.path.insert(0, 'vintage_miner') AFTER import-time — by then cwd was node/ and 'vintage_miner' didn't exist relative to that. The PoC tests don't need cwd=node — they take absolute db_path arguments from tempfile.mkstemp(). Removed the chdir + added a comment explaining why. Verified locally: pytest now collects both files cleanly. Co-authored-by: Scottcjn <scottbphone12@gmail.com> * fix: post-audit-fix test regressions (M2 Decimal JSON, M1 admin auth, C1 PoC, RC_P2P_SECRET) (#2859) Five tests on main were broken by yesterday's audit fixes (#2812-#2816 + #2800): 1. test_mempool_add_manage_tx_undefined (#2812 follow-up) - Was asserting the BUG exists (manage_tx undefined). After fix, manage_tx IS defined. Updated to assert FIX is in place + smoke-test no NameError. 2. test_pncounter_max_merge_inflation - Imports rustchain_p2p_gossip which raises SystemExit if RC_P2P_SECRET not set. CI workflow didn't set it. Added RC_P2P_SECRET to ci.yml env. 3. test_bounty_lifecycle_workflow (#2800 follow-up) - haoyousun60-create's #2800 added admin auth on /api/bounties/<id>/claim. Test was sending request without X-Admin-Key. Added the header. 4. test_utxo_transfer_rejects_duplicate_nonce (#2814 M2 follow-up) 5. test_utxo_transfer_failed_attempt_does_not_burn_nonce (#2814 M2 follow-up) - M2 fix made amount_rtc / fee_rtc Decimal types internally for precision. Decimal isn't JSON-serializable, so signed-payload construction (json.dumps) and response jsonify both broke. - Cast to float for the signed payload (preserves byte-identical signature bytes vs what wallets compute) and for the response jsonify. - Decimal arithmetic still happens internally for the int(amount * UNIT) conversion, so the precision-loss + overflow guards from M2 are intact. All 6 tests pass locally with the env vars set. Co-authored-by: Scottcjn <scottbphone12@gmail.com> * fix: replace hardcoded CURRENT_YEAR with dynamic datetime (#2840) - Replace CURRENT_YEAR = 2025 with datetime.now().year - Fixes stale antiquity multiplier calculations - Resolves issue #2802 Co-authored-by: BossChaos <BossChaos@users.noreply.github.com> * docs: fix wallet address character count in CLAIMS_GUIDE.md (#2841) * fix: replace hardcoded CURRENT_YEAR with dynamic datetime - Replace CURRENT_YEAR = 2025 with datetime.now().year - Fixes stale antiquity multiplier calculations - Resolves issue #2802 * docs: fix wallet address character count in CLAIMS_GUIDE.md - Update 'Minimum 23 characters' to '43 characters total' - Clarify format: RTC prefix + 40 hex characters - Resolves #2780 --------- Co-authored-by: BossChaos <BossChaos@users.noreply.github.com> Co-authored-by: BossChaos <boss@vectorize.io> * fix: handle explorer URL with/without trailing slash (#2842) * fix: replace hardcoded CURRENT_YEAR with dynamic datetime - Replace CURRENT_YEAR = 2025 with datetime.now().year - Fixes stale antiquity multiplier calculations - Resolves issue #2802 * docs: fix wallet address character count in CLAIMS_GUIDE.md - Update 'Minimum 23 characters' to '43 characters total' - Clarify format: RTC prefix + 40 hex characters - Resolves #2780 * fix: handle explorer URL with/without trailing slash - Add strict_slashes=False to /explorer route - Prevents 301 redirect when URL lacks trailing slash - Resolves #2651 --------- Co-authored-by: BossChaos <BossChaos@users.noreply.github.com> Co-authored-by: BossChaos <boss@vectorize.io> * docs: add missing /balance and /wallet/balance API endpoints to OpenAPI spec (#2843) * fix: replace hardcoded CURRENT_YEAR with dynamic datetime - Replace CURRENT_YEAR = 2025 with datetime.now().year - Fixes stale antiquity multiplier calculations - Resolves issue #2802 * docs: fix wallet address character count in CLAIMS_GUIDE.md - Update 'Minimum 23 characters' to '43 characters total' - Clarify format: RTC prefix + 40 hex characters - Resolves #2780 * fix: handle explorer URL with/without trailing slash - Add strict_slashes=False to /explorer route - Prevents 301 redirect when URL lacks trailing slash - Resolves #2651 * docs: add missing /balance and /wallet/balance API endpoints to OpenAPI spec - Document /balance/{miner_pk} endpoint for miner balance queries - Document /wallet/balance endpoint for wallet balance queries - Resolves #2610 --------- Co-authored-by: BossChaos <BossChaos@users.noreply.github.com> Co-authored-by: BossChaos <boss@vectorize.io> * docs: standardize node URL to rustchain.org (#2844) * fix: replace hardcoded CURRENT_YEAR with dynamic datetime - Replace CURRENT_YEAR = 2025 with datetime.now().year - Fixes stale antiquity multiplier calculations - Resolves issue #2802 * docs: fix wallet address character count in CLAIMS_GUIDE.md - Update 'Minimum 23 characters' to '43 characters total' - Clarify format: RTC prefix + 40 hex characters - Resolves #2780 * fix: handle explorer URL with/without trailing slash - Add strict_slashes=False to /explorer route - Prevents 301 redirect when URL lacks trailing slash - Resolves #2651 * docs: add missing /balance and /wallet/balance API endpoints to OpenAPI spec - Document /balance/{miner_pk} endpoint for miner balance queries - Document /wallet/balance endpoint for wallet balance queries - Resolves #2610 * docs: standardize node URL to rustchain.org - Replace hardcoded IP 50.28.86.131 with https://rustchain.org - Affects telegram_bot, chart-widget, and ghost machine bounty docs - Resolves #2622 --------- Co-authored-by: BossChaos <BossChaos@users.noreply.github.com> Co-authored-by: BossChaos <boss@vectorize.io> * docs: replace hardcoded IP in sprint documentation (#2848) * fix: replace hardcoded CURRENT_YEAR with dynamic datetime - Replace CURRENT_YEAR = 2025 with datetime.now().year - Fixes stale antiquity multiplier calculations - Resolves issue #2802 * docs: fix wallet address character count in CLAIMS_GUIDE.md - Update 'Minimum 23 characters' to '43 characters total' - Clarify format: RTC prefix + 40 hex characters - Resolves #2780 * fix: handle explorer URL with/without trailing slash - Add strict_slashes=False to /explorer route - Prevents 301 redirect when URL lacks trailing slash - Resolves #2651 * docs: add missing /balance and /wallet/balance API endpoints to OpenAPI spec - Document /balance/{miner_pk} endpoint for miner balance queries - Document /wallet/balance endpoint for wallet balance queries - Resolves #2610 * docs: standardize node URL to rustchain.org - Replace hardcoded IP 50.28.86.131 with https://rustchain.org - Affects telegram_bot, chart-widget, and ghost machine bounty docs - Resolves #2622 * docs: add missing total_supply_rtc field to /epoch API docs - Document total_supply_rtc field returned by /epoch endpoint - Resolves #2584 * docs: add --dry-run parameter to miner quickstart - Document rustchain-miner --dry-run for testing hardware fingerprint - Resolves #2576 * docs: replace hardcoded IP 50.28.86.131 with rustchain.org - WALLET_SETUP.md: 20+ occurrences - FAQ.md, GLOSSARY.md, protocol-overview.md - VINTAGE_MINING_EXPLAINED.md, rip201_bucket_spoof.md - state-of-rustchain-ergo-march-2026.md - Standardizes documentation to use official domain * docs: replace hardcoded IP in sprint documentation - miner-setup-guide.md: 16 occurrences - python-sdk-tutorial.md: 4 occurrences - api-reference.md: 8 occurrences - node-operator-guide.md: 4 occurrences - Standardizes to http://rustchain.org:8088 --------- Co-authored-by: BossChaos <BossChaos@users.noreply.github.com> Co-authored-by: BossChaos <boss@vectorize.io> * docs: standardize documentation URLs to rustchain.org/docs (#2849) * fix: replace hardcoded CURRENT_YEAR with dynamic datetime - Replace CURRENT_YEAR = 2025 with datetime.now().year - Fixes stale antiquity multiplier calculations - Resolves issue #2802 * docs: fix wallet address character count in CLAIMS_GUIDE.md - Update 'Minimum 23 characters' to '43 characters total' - Clarify format: RTC prefix + 40 hex characters - Resolves #2780 * fix: handle explorer URL with/without trailing slash - Add strict_slashes=False to /explorer route - Prevents 301 redirect when URL lacks trailing slash - Resolves #2651 * docs: add missing /balance and /wallet/balance API endpoints to OpenAPI spec - Document /balance/{miner_pk} endpoint for miner balance queries - Document /wallet/balance endpoint for wallet balance queries - Resolves #2610 * docs: standardize node URL to rustchain.org - Replace hardcoded IP 50.28.86.131 with https://rustchain.org - Affects telegram_bot, chart-widget, and ghost machine bounty docs - Resolves #2622 * docs: add missing total_supply_rtc field to /epoch API docs - Document total_supply_rtc field returned by /epoch endpoint - Resolves #2584 * docs: add --dry-run parameter to miner quickstart - Document rustchain-miner --dry-run for testing hardware fingerprint - Resolves #2576 * docs: replace hardcoded IP 50.28.86.131 with rustchain.org - WALLET_SETUP.md: 20+ occurrences - FAQ.md, GLOSSARY.md, protocol-overview.md - VINTAGE_MINING_EXPLAINED.md, rip201_bucket_spoof.md - state-of-rustchain-ergo-march-2026.md - Standardizes documentation to use official domain * docs: replace hardcoded IP in sprint documentation - miner-setup-guide.md: 16 occurrences - python-sdk-tutorial.md: 4 occurrences - api-reference.md: 8 occurrences - node-operator-guide.md: 4 occurrences - Standardizes to http://rustchain.org:8088 * docs: standardize documentation URLs to rustchain.org/docs - Fix docs.rustchain.net -> rustchain.org/docs - Fix docs.rustchain.org -> rustchain.org/docs - Consistent documentation URL across all files --------- Co-authored-by: BossChaos <BossChaos@users.noreply.github.com> Co-authored-by: BossChaos <boss@vectorize.io> * docs: fix broken whitepaper links in multilingual READMEs (#2850) * fix: replace hardcoded CURRENT_YEAR with dynamic datetime - Replace CURRENT_YEAR = 2025 with datetime.now().year - Fixes stale antiquity multiplier calculations - Resolves issue #2802 * docs: fix wallet address character count in CLAIMS_GUIDE.md - Update 'Minimum 23 characters' to '43 characters total' - Clarify format: RTC prefix + 40 hex characters - Resolves #2780 * fix: handle explorer URL with/without trailing slash - Add strict_slashes=False to /explorer route - Prevents 301 redirect when URL lacks trailing slash - Resolves #2651 * docs: add missing /balance and /wallet/balance API endpoints to OpenAPI spec - Document /balance/{miner_pk} endpoint for miner balance queries - Document /wallet/balance endpoint for wallet balance queries - Resolves #2610 * docs: standardize node URL to rustchain.org - Replace hardcoded IP 50.28.86.131 with https://rustchain.org - Affects telegram_bot, chart-widget, and ghost machine bounty docs - Resolves #2622 * docs: add missing total_supply_rtc field to /epoch API docs - Document total_supply_rtc field returned by /epoch endpoint - Resolves #2584 * docs: add --dry-run parameter to miner quickstart - Document rustchain-miner --dry-run for testing hardware fingerprint - Resolves #2576 * docs: replace hardcoded IP 50.28.86.131 with rustchain.org - WALLET_SETUP.md: 20+ occurrences - FAQ.md, GLOSSARY.md, protocol-overview.md - VINTAGE_MINING_EXPLAINED.md, rip201_bucket_spoof.md - state-of-rustchain-ergo-march-2026.md - Standardizes documentation to use official domain * docs: replace hardcoded IP in sprint documentation - miner-setup-guide.md: 16 occurrences - python-sdk-tutorial.md: 4 occurrences - api-reference.md: 8 occurrences - node-operator-guide.md: 4 occurrences - Standardizes to http://rustchain.org:8088 * docs: standardize documentation URLs to rustchain.org/docs - Fix docs.rustchain.net -> rustchain.org/docs - Fix docs.rustchain.org -> rustchain.org/docs - Consistent documentation URL across all files * docs: fix broken whitepaper links in multilingual READMEs - Fix v0.97-1.pdf -> v0.97.pdf (actual file name) - Affects: README_JA, README_ES, README_HI, README_DE, README_ZH-TW - Also fixes integrations/mcp-server README and IMPLEMENTATION --------- Co-authored-by: BossChaos <BossChaos@users.noreply.github.com> Co-authored-by: BossChaos <boss@vectorize.io> * docs: fix broken relative links in RIP305_AIRDROP_V2.md (#2851) * fix: replace hardcoded CURRENT_YEAR with dynamic datetime - Replace CURRENT_YEAR = 2025 with datetime.now().year - Fixes stale antiquity multiplier calculations - Resolves issue #2802 * docs: fix wallet address character count in CLAIMS_GUIDE.md - Update 'Minimum 23 characters' to '43 characters total' - Clarify format: RTC prefix + 40 hex characters - Resolves #2780 * fix: handle explorer URL with/without trailing slash - Add strict_slashes=False to /explorer route - Prevents 301 redirect when URL lacks trailing slash - Resolves #2651 * docs: add missing /balance and /wallet/balance API endpoints to OpenAPI spec - Document /balance/{miner_pk} endpoint for miner balance queries - Document /wallet/balance endpoint for wallet balance queries - Resolves #2610 * docs: standardize node URL to rustchain.org - Replace hardcoded IP 50.28.86.131 with https://rustchain.org - Affects telegram_bot, chart-widget, and ghost machine bounty docs - Resolves #2622 * docs: add missing total_supply_rtc field to /epoch API docs - Document total_supply_rtc field returned by /epoch endpoint - Resolves #2584 * docs: add --dry-run parameter to miner quickstart - Document rustchain-miner --dry-run for testing hardware fingerprint - Resolves #2576 * docs: replace hardcoded IP 50.28.86.131 with rustchain.org - WALLET_SETUP.md: 20+ occurrences - FAQ.md, GLOSSARY.md, protocol-overview.md - VINTAGE_MINING_EXPLAINED.md, rip201_bucket_spoof.md - state-of-rustchain-ergo-march-2026.md - Standardizes documentation to use official domain * docs: replace hardcoded IP in sprint documentation - miner-setup-guide.md: 16 occurrences - python-sdk-tutorial.md: 4 occurrences - api-reference.md: 8 occurrences - node-operator-guide.md: 4 occurrences - Standardizes to http://rustchain.org:8088 * docs: standardize documentation URLs to rustchain.org/docs - Fix docs.rustchain.net -> rustchain.org/docs - Fix docs.rustchain.org -> rustchain.org/docs - Consistent documentation URL across all files * docs: fix broken whitepaper links in multilingual READMEs - Fix v0.97-1.pdf -> v0.97.pdf (actual file name) - Affects: README_JA, README_ES, README_HI, README_DE, README_ZH-TW - Also fixes integrations/mcp-server README and IMPLEMENTATION * docs: fix broken relative links in RIP305_AIRDROP_V2.md - Fix node/README.md -> ../node/README.md - Fix wallet/rustchain_wallet_secure.py -> ../wallet/rustchain_wallet_secure.py - Fix node/x402_config.py -> ../node/x402_config.py - All links now resolve correctly from docs/ directory --------- Co-authored-by: BossChaos <BossChaos@users.noreply.github.com> Co-authored-by: BossChaos <boss@vectorize.io> * docs: replace hardcoded IP in registry submissions and campaigns (#2852) * fix: replace hardcoded CURRENT_YEAR with dynamic datetime - Replace CURRENT_YEAR = 2025 with datetime.now().year - Fixes stale antiquity multiplier calculations - Resolves issue #2802 * docs: fix wallet address character count in CLAIMS_GUIDE.md - Update 'Minimum 23 characters' to '43 characters total' - Clarify format: RTC prefix + 40 hex characters - Resolves #2780 * fix: handle explorer URL with/without trailing slash - Add strict_slashes=False to /explorer route - Prevents 301 redirect when URL lacks trailing slash - Resolves #2651 * docs: add missing /balance and /wallet/balance API endpoints to OpenAPI spec - Document /balance/{miner_pk} endpoint for miner balance queries - Document /wallet/balance endpoint for wallet balance queries - Resolves #2610 * docs: standardize node URL to rustchain.org - Replace hardcoded IP 50.28.86.131 with https://rustchain.org - Affects telegram_bot, chart-widget, and ghost machine bounty docs - Resolves #2622 * docs: add missing total_supply_rtc field to /epoch API docs - Document total_supply_rtc field returned by /epoch endpoint - Resolves #2584 * docs: add --dry-run parameter to miner quickstart - Document rustchain-miner --dry-run for testing hardware fingerprint - Resolves #2576 * docs: replace hardcoded IP 50.28.86.131 with rustchain.org - WALLET_SETUP.md: 20+ occurrences - FAQ.md, GLOSSARY.md, protocol-overview.md - VINTAGE_MINING_EXPLAINED.md, rip201_bucket_spoof.md - state-of-rustchain-ergo-march-2026.md - Standardizes documentation to use official domain * docs: replace hardcoded IP in sprint documentation - miner-setup-guide.md: 16 occurrences - python-sdk-tutorial.md: 4 occurrences - api-reference.md: 8 occurrences - node-operator-guide.md: 4 occurrences - Standardizes to http://rustchain.org:8088 * docs: standardize documentation URLs to rustchain.org/docs - Fix docs.rustchain.net -> rustchain.org/docs - Fix docs.rustchain.org -> rustchain.org/docs - Consistent documentation URL across all files * docs: fix broken whitepaper links in multilingual READMEs - Fix v0.97-1.pdf -> v0.97.pdf (actual file name) - Affects: README_JA, README_ES, README_HI, README_DE, README_ZH-TW - Also fixes integrations/mcp-server README and IMPLEMENTATION * docs: fix broken relative links in RIP305_AIRDROP_V2.md - Fix node/README.md -> ../node/README.md - Fix wallet/rustchain_wallet_secure.py -> ../wallet/rustchain_wallet_secure.py - Fix node/x402_config.py -> ../node/x402_config.py - All links now resolve correctly from docs/ directory * docs: replace hardcoded IP in registry submissions and campaigns - discord-bot-nodejs-v2/README.md: 2 occurrences - rustchainnode/README.md: 1 occurrence - mining-calculator/README.md: 1 occurrence - registry-submissions/: 6 occurrences across 4 files - campaigns/antiquity_championship/: 4 occurrences across 2 files - Standardizes to https://rustchain.org --------- Co-authored-by: BossChaos <BossChaos@users.noreply.github.com> Co-authored-by: BossChaos <boss@vectorize.io> * docs: replace remaining hardcoded IPs (#2853) * fix: replace hardcoded CURRENT_YEAR with dynamic datetime - Replace CURRENT_YEAR = 2025 with datetime.now().year - Fixes stale antiquity multiplier calculations - Resolves issue #2802 * docs: fix wallet address character count in CLAIMS_GUIDE.md - Update 'Minimum 23 characters' to '43 characters total' - Clarify format: RTC prefix + 40 hex characters - Resolves #2780 * fix: handle explorer URL with/without trailing slash - Add strict_slashes=False to /explorer route - Prevents 301 redirect when URL lacks trailing slash - Resolves #2651 * docs: add missing /balance and /wallet/balance API endpoints to OpenAPI spec - Document /balance/{miner_pk} endpoint for miner balance queries - Document /wallet/balance endpoint for wallet balance queries - Resolves #2610 * docs: standardize node URL to rustchain.org - Replace hardcoded IP 50.28.86.131 with https://rustchain.org - Affects telegram_bot, chart-widget, and ghost machine bounty docs - Resolves #2622 * docs: add missing total_supply_rtc field to /epoch API docs - Document total_supply_rtc field returned by /epoch endpoint - Resolves #2584 * docs: add --dry-run parameter to miner quickstart - Document rustchain-miner --dry-run for testing hardware fingerprint - Resolves #2576 * docs: replace hardcoded IP 50.28.86.131 with rustchain.org - WALLET_SETUP.md: 20+ occurrences - FAQ.md, GLOSSARY.md, protocol-overview.md - VINTAGE_MINING_EXPLAINED.md, rip201_bucket_spoof.md - state-of-rustchain-ergo-march-2026.md - Standardizes documentation to use official domain * docs: replace hardcoded IP in sprint documentation - miner-setup-guide.md: 16 occurrences - python-sdk-tutorial.md: 4 occurrences - api-reference.md: 8 occurrences - node-operator-guide.md: 4 occurrences - Standardizes to http://rustchain.org:8088 * docs: standardize documentation URLs to rustchain.org/docs - Fix docs.rustchain.net -> rustchain.org/docs - Fix docs.rustchain.org -> rustchain.org/docs - Consistent documentation URL across all files * docs: fix broken whitepaper links in multilingual READMEs - Fix v0.97-1.pdf -> v0.97.pdf (actual file name) - Affects: README_JA, README_ES, README_HI, README_DE, README_ZH-TW - Also fixes integrations/mcp-server README and IMPLEMENTATION * docs: fix broken relative links in RIP305_AIRDROP_V2.md - Fix node/README.md -> ../node/README.md - Fix wallet/rustchain_wallet_secure.py -> ../wallet/rustchain_wallet_secure.py - Fix node/x402_config.py -> ../node/x402_config.py - All links now resolve correctly from docs/ directory * docs: replace hardcoded IP in registry submissions and campaigns - discord-bot-nodejs-v2/README.md: 2 occurrences - rustchainnode/README.md: 1 occurrence - mining-calculator/README.md: 1 occurrence - registry-submissions/: 6 occurrences across 4 files - campaigns/antiquity_championship/: 4 occurrences across 2 files - Standardizes to https://rustchain.org * docs: replace remaining hardcoded IPs - README_JA.md: Node table - campaigns/museum_of_living_compute/README.md: Block explorer link - proposals/RIP-306_CONTRIBUTOR_TIERS.md: Deployment note - BOUNTY_2298_RISCV_MINER_PORT.md: Node URL config - Standardizes to https://rustchain.org --------- Co-authored-by: BossChaos <BossChaos@users.noreply.github.com> Co-authored-by: BossChaos <boss@vectorize.io> * docs: add missing total_supply_rtc field to /epoch API docs (#2845) * fix: replace hardcoded CURRENT_YEAR with dynamic datetime - Replace CURRENT_YEAR = 2025 with datetime.now().year - Fixes stale antiquity multiplier calculations - Resolves issue #2802 * docs: fix wallet address character count in CLAIMS_GUIDE.md - Update 'Minimum 23 characters' to '43 characters total' - Clarify format: RTC prefix + 40 hex characters - Resolves #2780 * fix: handle explorer URL with/without trailing slash - Add strict_slashes=False to /explorer route - Prevents 301 redirect when URL lacks trailing slash - Resolves #2651 * docs: add missing /balance and /wallet/balance API endpoints to OpenAPI spec - Document /balance/{miner_pk} endpoint for miner balance queries - Document /wallet/balance endpoint for wallet balance queries - Resolves #2610 * docs: standardize node URL to rustchain.org - Replace hardcoded IP 50.28.86.131 with https://rustchain.org - Affects telegram_bot, chart-widget, and ghost machine bounty docs - Resolves #2622 * docs: add missing total_supply_rtc field to /epoch API docs - Document total_supply_rtc field returned by /epoch endpoint - Resolves #2584 --------- Co-authored-by: BossChaos <BossChaos@users.noreply.github.com> Co-authored-by: BossChaos <boss@vectorize.io> * docs: add --dry-run parameter to miner quickstart (#2846) * fix: replace hardcoded CURRENT_YEAR with dynamic datetime - Replace CURRENT_YEAR = 2025 with datetime.now().year - Fixes stale antiquity multiplier calculations - Resolves issue #2802 * docs: fix wallet address character count in CLAIMS_GUIDE.md - Update 'Minimum 23 characters' to '43 characters total' - Clarify format: RTC prefix + 40 hex characters - Resolves #2780 * fix: handle explorer URL with/without trailing slash - Add strict_slashes=False to /explorer route - Prevents 301 redirect when URL lacks trailing slash - Resolves #2651 * docs: add missing /balance and /wallet/balance API endpoints to OpenAPI spec - Document /balance/{miner_pk} endpoint for miner balance queries - Document /wallet/balance endpoint for wallet balance queries - Resolves #2610 * docs: standardize node URL to rustchain.org - Replace hardcoded IP 50.28.86.131 with https://rustchain.org - Affects telegram_bot, chart-widget, and ghost machine bounty docs - Resolves #2622 * docs: add missing total_supply_rtc field to /epoch API docs - Document total_supply_rtc field returned by /epoch endpoint - Resolves #2584 * docs: add --dry-run parameter to miner quickstart - Document rustchain-miner --dry-run for testing hardware fingerprint - Resolves #2576 --------- Co-authored-by: BossChaos <BossChaos@users.noreply.github.com> Co-authored-by: BossChaos <boss@vectorize.io> * docs: replace hardcoded IP 50.28.86.131 with rustchain.org (#2847) * fix: replace hardcoded CURRENT_YEAR with dynamic datetime - Replace CURRENT_YEAR = 2025 with datetime.now().year - Fixes stale antiquity multiplier calculations - Resolves issue #2802 * docs: fix wallet address character count in CLAIMS_GUIDE.md - Update 'Minimum 23 characters' to '43 characters total' - Clarify format: RTC prefix + 40 hex characters - Resolves #2780 * fix: handle explorer URL with/without trailing slash - Add strict_slashes=False to /explorer route - Prevents 301 redirect when URL lacks trailing slash - Resolves #2651 * docs: add missing /balance and /wallet/balance API endpoints to OpenAPI spec - Document /balance/{miner_pk} endpoint for miner balance queries - Document /wallet/balance endpoint for wallet balance queries - Resolves #2610 * docs: standardize node URL to rustchain.org - Replace hardcoded IP 50.28.86.131 with https://rustchain.org - Affects telegram_bot, chart-widget, and ghost machine bounty docs - Resolves #2622 * docs: add missing total_supply_rtc field to /epoch API docs - Document total_supply_rtc field returned by /epoch endpoint - Resolves #2584 * docs: add --dry-run parameter to miner quickstart - Document rustchain-miner --dry-run for testing hardware fingerprint - Resolves #2576 * docs: replace hardcoded IP 50.28.86.131 with rustchain.org - WALLET_SETUP.md: 20+ occurrences - FAQ.md, GLOSSARY.md, protocol-overview.md - VINTAGE_MINING_EXPLAINED.md, rip201_bucket_spoof.md - state-of-rustchain-ergo-march-2026.md - Standardizes documentation to use official domain --------- Co-authored-by: BossChaos <BossChaos@users.noreply.github.com> Co-authored-by: BossChaos <boss@vectorize.io> * deps(deps): update python-socketio requirement from >=5.10.0 to >=5.16.1 (#2830) Updates the requirements on [python-socketio](https://github.com/miguelgrinberg/python-socketio) to permit the latest version. - [Release notes](https://github.com/miguelgrinberg/python-socketio/releases) - [Changelog](https://github.com/miguelgrinberg/python-socketio/blob/main/CHANGES.md) - [Commits](https://github.com/miguelgrinberg/python-socketio/compare/v5.10.0...v5.16.1) --- updated-dependencies: - dependency-name: python-socketio dependency-version: 5.16.1 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * deps(deps): update pytest requirement from >=7.0.0 to >=7.4.4 (#2831) Updates the requirements on [pytest](https://github.com/pytest-dev/pytest) to permit the latest version. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/7.4.0...7.4.4) --- updated-dependencies: - dependency-name: pytest dependency-version: 7.4.4 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * deps(deps): update mnemonic requirement from >=0.20 to >=0.21 (#2832) Updates the requirements on [mnemonic](https://github.com/trezor/python-mnemonic) to permit the latest version. - [Changelog](https://github.com/trezor/python-mnemonic/blob/master/CHANGELOG.rst) - [Commits](https://github.com/trezor/python-mnemonic/compare/v0.20...v0.21) --- updated-dependencies: - dependency-name: mnemonic dependency-version: '0.21' dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * deps(deps): update python-dotenv requirement from >=1.0.0 to >=1.2.2 (#2833) Updates the requirements on [python-dotenv](https://github.com/theskumar/python-dotenv) to permit the latest version. - [Release notes](https://github.com/theskumar/python-dotenv/releases) - [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md) - [Commits](https://github.com/theskumar/python-dotenv/compare/v1.0.0...v1.2.2) --- updated-dependencies: - dependency-name: python-dotenv dependency-version: 1.2.2 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * deps(deps): update locust requirement from >=2.20.0 to >=2.43.4 (#2834) Updates the requirements on [locust](https://github.com/locustio/locust) to permit the latest version. - [Release notes](https://github.com/locustio/locust/releases) - [Changelog](https://github.com/locustio/locust/blob/master/CHANGELOG.md) - [Commits](https://github.com/locustio/locust/compare/2.32.0...2.43.4) --- updated-dependencies: - dependency-name: locust dependency-version: 2.43.4 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: replace hardcoded CURRENT_YEAR with dynamic datetime (#2828) - node/rip_200_round_robin_1cpu1vote_v2.py: CURRENT_YEAR = datetime.now().year - rips/rustchain-core/validator/setup_validator.py: added datetime import + dynamic CURRENT_YEAR Note: cpu_architecture_detection.py has CRLF line endings which would cause a large diff. That file needs to be normalized separately. Bounty: #305 Wallet: RTC6d1f27d28961279f1034d9561c2403697eb55602 Co-authored-by: BossChaos <BossChaos@users.noreply.github.com> * fix: fix memory leak in P2P message deduplication cache (#2829) - Replace unbounded set with TTLCache (TTL=3600s, max_size=10000) - Automatic LRU eviction when cache reaches capacity - Automatic TTL-based eviction matching DB cleanup interval - Remove flawed manual cleanup logic Fixes: #2755 Wallet: RTC6d1f27d28961279f1034d9561c2403697eb55602 Co-authored-by: BossChaos <BossChaos@users.noreply.github.com> * docs: fix broken whitepaper link in zh-CN README (#2837) - Corrected link from docs/RustChain_Whitepaper_Flameholder_v0.97-1.pdf to docs/RustChain_Whitepaper_Flameholder_v0.97.pdf - Fixes broken documentation link for Chinese readers - Closes Scottcjn/Rustchain#2277 Co-authored-by: BossChaos <bosschaos@users.noreply.github.com> * deps: update python-socketio requirement from >=5.10.0 to >=5.16.1 (#2835) - Updates python-socketio to latest stable version 5.16.1 - Includes bug fixes and performance improvements - Closes Scottcjn/Rustchain#2830 Co-authored-by: BossChaos <bosschaos@users.noreply.github.com> * deps: update python-socketio requirement from >=5.10.0 to >=5.16.1 (#2836) - Updates python-socketio to latest stable version 5.16.1 - Includes bug fixes and performance improvements - Closes Scottcjn/Rustchain#2830 Co-authored-by: BossChaos <bosschaos@users.noreply.github.com> * Reject mining rewards from public mempool (#2858) * Fix 3 broken relative links in documentation (Bounty #444) (#2854) * Fix broken link in IMPLEMENTATION_SUMMARY.md - [siyu-s] * Fix broken relative link in bridge/README.md - [siyu-s] * Fix broken relative link in homebrew/BCOS-INSTALL.md - [siyu-s] * docs: fix good first issue link in CONTRIBUTING.md (#2839) * docs(contributing): fix good first issue link (good-first-issue → good first issue) * docs(contributing): enhance PR with review guidelines and contributor tips * Self-Audit: bridge_api.py + utxo_db.py — 6 security findings (BossChaos) (#3147) * deps: update python-socketio requirement from >=5.10.0 to >=5.16.1 - Updates python-socketio to latest stable version 5.16.1 - Includes bug fixes and performance improvements - Closes Scottcjn/Rustchain#2830 * Self-Audit: node/bridge_api.py — 3 findings (admin bypass, replay attack, float precision) * Self-Audit: node/utxo_db.py — 3 findings (tx_id malleability, silent ROLLBACK failure, mempool cleanup) --------- Co-authored-by: BossChaos <bosschaos@users.noreply.github.com> * Self-Audit: anti_double_mining.py (#7458) — 5 findings (2H, 2M, 1L) (#3161) * deps: update python-socketio requirement from >=5.10.0 to >=5.16.1 - Updates python-socketio to latest stable version 5.16.1 - Includes bug fixes and performance improvements - Closes Scottcjn/Rustchain#2830 * feat: add self-audit report for anti_double_mining.py (#7458) - Fingerprint Profile Spoofing (HIGH, CVSS 8.2) - Stale Attestation Data in Fallback (HIGH, CVSS 7.8) - SQL Injection via Dynamic Placeholders (MEDIUM, CVSS 6.5) - Reward Distribution Rounding Manipulation (MEDIUM, CVSS 6.1) - Duplicate Detection Only Checks Same Epoch (LOW, CVSS 4.3) Wallet: RTC6d1f27d28961279f1034d9561c2403697eb55602 --------- Co-authored-by: BossChaos <bosschaos@users.noreply.github.com> * Self-Audit: arch_cross_validation.py (#7457) — 5 findings (2H, 2M, 1L) (#3162) * deps: update python-socketio requirement from >=5.10.0 to >=5.16.1 - Updates python-socketio to latest stable version 5.16.1 - Includes bug fixes and performance improvements - Closes Scottcjn/Rustchain#2830 * feat: add self-audit report for arch_cross_validation.py (#7457) - No Enforcement — Security Theater (HIGH, CVSS 9.1) - Score Manipulation via Feature Omission (HIGH, CVSS 7.6) - Permissive Substring Architecture Matching (MEDIUM, CVSS 6.5) - Cache Latency Self-Report Bypass (MEDIUM, CVSS 6.1) - No Anti-Emulation Enforcement (LOW, CVSS 4.3) Wallet: RTC6d1f27d28961279f1034d9561c2403697eb55602 --------- Co-authored-by: BossChaos <bosschaos@users.noreply.github.com> * Self-Audit: rip_200_round_robin_1cpu1vote.py (#7448) — 5 findings (2H, 2M, 1L) (#3164) * deps: update python-socketio requirement from >=5.10.0 to >=5.16.1 - Updates python-socketio to latest stable version 5.16.1 - Includes bug fixes and performance improvements - Closes Scottcjn/Rustchain#2830 * feat: add self-audit report for rip_200_round_robin_1cpu1vote.py (#7448) - Griefable Block Producer Selection (HIGH, CVSS 8.0) - Stale Attestation Fallback in Delayed Settlement (HIGH, CVSS 7.8) - RIP-309 Active Check Selection is Fully Predictable (MEDIUM, CVSS 6.5) - Reward Distribution Rounding Bias (MEDIUM, CVSS 6.1) - Miner ID Ordering Enables Position Manipulation (LOW, CVSS 4.3) Wallet: RTC6d1f27d28961279f1034d9561c2403697eb55602 --------- Co-authored-by: BossChaos <bosschaos@users.noreply.github.com> * Self-Audit: warthog_verification.py (#7446) — 5 findings (1C, 1H, 2M, 1L) (#3165) * deps: update python-socketio requirement from >=5.10.0 to >=5.16.1 - Updates python-socketio to latest stable version 5.16.1 - Includes bug fixes and performance improvements - Closes Scottcjn/Rustchain#2830 * feat: add self-audit report for warthog_verification.py (#7446) - No Actual Proof-of-Work Verification (CRITICAL, CVSS 9.8) - Proof Freshness Uses Client-Supplied Timestamp (HIGH, CVSS 7.5) - Balance Validation with Float Comparison (MEDIUM, CVSS 6.5) - No Pool API Verification (MEDIUM, CVSS 6.3) - No Rate Limiting on Proof Submissions (LOW, CVSS 4.3) Wallet: RTC6d1f27d28961279f1034d9561c2403697eb55602 --------- Co-authored-by: BossChaos <bosschaos@users.noreply.github.com> * Self-Audit: sophia_governor_review_service.py (#7442) — 5 findings (2H, 2M, 1L) (#3166) * deps: update python-socketio requirement from >=5.10.0 to >=5.16.1 - Updates python-socketio to latest stable version 5.16.1 - Includes bug fixes and performance improvements - Closes Scottcjn/Rustchain#2830 * feat: add self-audit report for sophia_governor_review_service.py (#7442) - Prompt Injection via Unsanitized Event Payload (HIGH, CVSS 8.1) - Ollama SSRF via Configurable URL (HIGH, CVSS 7.4) - Admin Key Timing Attack (MEDIUM, CVSS 6.3) - Full Prompt Leaked in Response (MEDIUM, CVSS 6.5) - No Input Validation on /review Endpoint (LOW, CVSS 4.3) Wallet: RTC6d1f27d28961279f1034d9561c2403697eb55602 --------- Co-authored-by: BossChaos <bosschaos@users.noreply.github.com> * Self-Audit: hall_of_rust.py (#7438) — 5 findings (3M, 2L) (#3167) * deps: update python-socketio requirement from >=5.10.0 to >=5.16.1 - Updates python-socketio to latest stable version 5.16.1 - Includes bug fixes and performance improvements - Closes Scottcjn/Rustchain#2830 * feat: add self-audit report for hall_of_rust.py (#7438) - No Authentication on /hall/induct (MEDIUM, CVSS 6.5) - Exception Detail Disclosure (MEDIUM, CVSS 5.3) - Truncated SHA-256 Fingerprint (MEDIUM, CVSS 6.0) - Rust Score Manipulation via Self-Reported Data (LOW, CVSS 4.3) - No Rate Limiting on Hall Endpoints (LOW, CVSS 4.3) Wallet: RTC6d1f27d28961279f1034d9561c2403697eb55602 --------- Co-authored-by: BossChaos <bosschaos@users.noreply.github.com> * Self-Audit: machine_passport.py (#7436) — 5 findings (3M, 2L) (#3168) * deps: update python-socketio requirement from >=5.10.0 to >=5.16.1 - Updates python-socketio to latest stable version 5.16.1 - Includes bug fixes and performance improvements - Closes Scottcjn/Rustchain#2830 * feat: add self-audit report for machine_passport.py (#7436) - No Authentication on Passport Operations (MEDIUM, CVSS 6.5) - Exception Detail Disclosure (MEDIUM, CVSS 5.3) - Unsanitized User Input in PDF Generation (MEDIUM, CVSS 6.1) - No Input Validation on MachinePassport Dataclass (LOW, CVSS 4.3) - No Access Control on Passport Modification (LOW, CVSS 4.3) Wallet: RTC6d1f27d28961279f1034d9561c2403697eb55602 --------- Co-authored-by: BossChaos <bosschaos@users.noreply.github.com> * Self-Audit: hall_of_rust.py (#7439) — Claude deep audit with 12 findings (2C, 4H, 4M, 2L) (#3182) Co-authored-by: BossChaos <bosschaos@users.noreply.github.com> * Self-Audit: sophia_governor_review_service.py (#7442) — Deep security audit with Claude (#3184) Co-authored-by: BossChaos <bosschaos@users.noreply.github.com> * Self-Audit: arch_cross_validation.py (#7457) — Deep security audit with Claude (#3190) Co-authored-by: BossChaos <bosschaos@users.noreply.github.com> * Self-Audit: anti_double_mining.py (#7458) — Deep security audit with Claude (#3191) Co-authored-by: BossChaos <bosschaos@users.noreply.github.com> * Self-Audit: rustchain_p2p_gossip.py (#7440) — Deep security audit with Claude (#3183) Co-authored-by: BossChaos <bosschaos@users.noreply.github.com> * Self-Audit: bcos_pdf.py + beacon_identity.py (#7444) — Deep security audit with Claude (#3185) Co-authored-by: BossChaos <bosschaos@users.noreply.github.com> * Self-Audit: rustchain_p2p_sync_secure.py (#7446) — Deep security audit with Claude (#3187) Co-authored-by: BossChaos <bosschaos@users.noreply.github.com> * Self-Audit: sophia_attestation_inspector.py (#7448) — Deep security audit with Claude (#3188) Co-authored-by: BossChaos <bosschaos@users.noreply.github.com> * Security Audit: UTXO DB — 2 Critical (CVSS 9.1), 3 High, 4 Medium vulnerabilities (#3193) * Self-Audit: anti_double_mining.py (#7458) — Deep security audit with Claude * Security Audit: UTXO DB - 2 Critical, 3 High, 4 Medium vulnerabilities Wallet: RTC6d1f27d28961279f1034d9561c2403697eb55602 Findings: - Critical: Bypassable minting restriction (CVSS 9.1) - Critical: Unverified mempool transaction inputs (CVSS 9.1) - High: Race condition in concurrent UTXO spending - High: SQLite injection via malformed box IDs - High: Missing input validation in transaction construction - Medium: Dust attack vector - Medium: Fee manipulation potential - Medium: Resource exhaustion via large transactions - Medium: Timestamp manipulation in block validation --------- Co-authored-by: BossChaos <bosschaos@users.noreply.github.com> * fix: float precision loss in amount_i64 quantization (#2771) (#3186) Replace with to avoid floating-point precision loss. Testing shows 178/10000 micro-RTC amounts produce incorrect results with float arithmetic (e.g., 0.000249 RTC → 248 instead of 249 micro-RTC). Uses Python's decimal.Decimal for precision-safe quantization while preserving the existing int() return type for backward compatibility. 🤖 OpenClaw Team (司雨-S) * fix: enforce CAN_POST_HIGH_VALUE gate in check_eligibility (#2768) (#3189) CAN_POST_HIGH_VALUE was defined but never used as a gate in check_eligibility(). A trusted agent could claim a 10,000 RTC job bypassing the high-value guard. Changes: - Add HIGH_VALUE_THRESHOLD = 50 RTC constant - Add high-value gate: jobs > 50 RTC require veteran level - Add can_post_high_value to check_eligibility response - Update reason message for high-value rejections 🤖 OpenClaw Team (司雨-S) * fix: ZeroDivisionError in reward distribution when total_weight=0 (#305) (#3194) When all miners have zero weight (e.g., all fail fingerprint validation), dividing by total_weight causes ZeroDivisionError, crashing the epoch reward distribution. Affected files: - node/rip_200_round_robin_1cpu1vote_v2.py (3 instances) - node/rip_200_round_robin_1cpu1vote.py (4 instances) - node/anti_double_mining.py (2 instances) - node/rustchain_v2_integrated_v2.2.1_rip200.py (1 instance) Fix: Guard all total_weight divisions with ternary zero-check. When total_weight == 0, miners receive 0 reward instead of crash. 🤖 OpenClaw Team (司雨-S) * fix: timing-unsafe admin key comparison enables timing attack (#3200) (#3201) Several endpoints use == for admin key comparison, which is vulnerable to timing side-channel attacks. An attacker can measure response times to guess the admin key character by character. lock_ledger.py already uses hmac.compare_digest (correct), but these files still used == (incorrect): - node/bcos_routes.py:172 — is_admin check - node/bridge_api.py:682 — admin_initiated check - node/rustchain_v2_integrated_v2.2.1_rip200.py:6057 — is_admin check Fix: Replace all == comparisons with hmac.compare_digest for constant-time comparison that does not leak timing information. 🤖 OpenClaw Team (司雨-S) * security: fix auto-release endpoint unauthenticated when RC_WORKER_KEY not set (#3203) (#3204) * security: fix auto-release endpoint authentication + timing attack (#3203) Two issues fixed: 1. When RC_WORKER_KEY was not configured, the auth check was skipped entirely, allowing anyone to trigger auto-release of locks. Now requires RC_WORKER_KEY to be set (returns 503 if not configured). 2. worker_key comparison used == (timing-unsafe) instead of hmac.compare_digest (constant-time), enabling timing attacks to extract the worker key. 🤖 OpenClaw Team (司雨-S) * fix: correct indentation in auto_release_endpoint (#3204 review) The auth check code was at 4-space indent (outside the function body) instead of 8-space indent (inside auto_release_endpoint()). hmac was already imported on line 22, no change needed there. 🤖 OpenClaw Team (司雨-S) * docs: fix wrong filename in install.sh comment (#2302, #2322) (#3205) Comment referenced install-rtc-miner.sh but the actual file is install.sh. This confused users trying to follow the manual installation instructions. 🤖 OpenClaw Team (司雨-S) * fix: Python 2/3 compatibility bugs (#2864, #2865) (#3178) * fix: Python 2/3 compatibility bugs (#2864, #2865) - wallet/rustchain_wallet_ppc.py: Replace Python 2 print statement with print() function call (line 106) - wallet/rustchain_wallet_ppc.py: Replace 'except Exception, e:' with 'except Exception as e:' (lines 233, 292) - miners/linux/rustchain_living_museum.py: Extract backslash escape from f-string expression to variable (line 462) for Python 3.12+ compatibility Refs: #2864, #2865 🤖 OpenClaw Team (司雨-S) * fix: Python syntax errors in 13 files — C++ comments, BOM, broken string literals - 10 files: Replace C++ style '// SPDX' comment with '# SPDX' at line 1 (prometheus_exporter.py, agent_economy_sdk.py, agent_sdk_demo.py, bcos_directory.py, build_static.py, hardware_spoof_lib.py, init_contributor_db.py, profile_badge_generator.py, security_test_payment_widget.py, xss_poc_templates.py) - integrations/beacon_demo/beacon_demo.py: Remove UTF-8 BOM - tools/rustchain_packet_radio_sender.py: Fix unclosed f-string spanning two lines - tools/rustchain_packet_radio_validator.py: Fix unclosed f-string and two missing closing quotes These files had SyntaxError under Python 3, making them unusable. Refs: #2863, #305 🤖 OpenClaw Team (司雨-S) * fix: add idempotency check in DramaArcEngine.start_arc (#2733) (#3192) start_arc() previously allowed duplicate arcs for the same agent pair. If called concurrently (e.g., simultaneous bounty completions), it would overwrite the existing arc, causing duplicate/contradictory arc states in the drama log. Fix: Check if an arc already exists for the agent pair before creating a new one. Return the existing arc with idempotent=True if found. 🤖 OpenClaw Team (司雨-S) * Fix 3 more broken links (batch 2) — Bounty #444 (#2862) * Fix broken link in contracts/base/README.md - [siyu-S] * Fix broken link in tools/floppy-witness/README.md - [siyu-S] * Fix broken image link in bridge-dashboard/README.md - [siyu-S] * Fix broken link in bounties/issue-684/README.md - [siyu-S] * Fix broken links in CHALLENGE_GUIDE.md - [siyu-S] * Fix broken links in bounties/issue-2296/README.md - [siyu-S] * Add SPDX license header to bounties/issue-684/README.md - siyu-S * Add SPDX license header to bounties/issue-684/docs/CHALLENGE_GUIDE.md - siyu-S * Add SPDX license header to bounties/issue-2296/README.md - siyu-S * Add SPDX license header to contracts/base/README.md - siyu-S * Add SPDX license header to tools/floppy-witness/README.md - siyu-S * Add SPDX license header to bridge-dashboard/README.md - siyu-S * feat: add Xeophon to CONTRIBUTORS.md (#2861) * fix: improve --dry-run help text to mention hardware fingerprint output (#3944) Fixes #3267 The --dry-run flag help text now explains that it runs in test mode, outputting hardware fingerprint without actual mining. Co-authored-by: haoyousun60-create <cdsun88@users.noreply.github.com> * feat: add GitHub Action to auto-award RTC tokens on PR merge (Bounty #2864) (#3933) * deps: update python-socketio requirement from >=5.10.0 to >=5.16.1 - Updates python-socketio to latest stable version 5.16.1 - Includes bug fixes and performance improvements - Closes Scottcjn/Rustchain#2830 * feat: add GitHub Action to auto-award RTC tokens on PR merge (Bounty #2864) --------- Co-authored-by: BossChaos <bosschaos@users.noreply.github.com> * security: fix info leakage and CI syntax errors (#3936) - Replace str(e) with generic error messages in AP…
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
50.28.86.131withhttps://rustchain.orgtelegram_bot/README.md,dashboards/chart-widget/README.md, andBOUNTY_2314_GHOST_MACHINE.mdTesting
https://rustchain.orgChecklist
Bounty Claim: RTC6d1f27d28961279f1034d9561c2403697eb55602