fix: documentation improvements (#3973, #3970, #3980) and Windows macOS arch validation#3999
BossChaos wants to merge 8 commits into
Conversation
Closes Scottcjn#2239
Phase 1: Tip Bot + Social Mining Pool - tipping with 8% treasury fee
Phase 2: Automated Rewards + RIP-309 Anti-Gaming - rotating epoch nonces
Phase 3: Cross-Platform + Video Rewards - multi-platform bonus system
Phase 4: Quality Scoring + Leaderboards + Treasury - sigmoid quality scores
Flask API routes, 27 unit tests passing, SQLite persistence.
…tcjn#3960)
Fix critical vulnerability where is_epoch_settled() ignored the db_path parameter and used only a time-based heuristic, allowing reward claims for epochs that were never actually settled (e.g., settlement failed, rolled back, or had no eligible miners).
Fix: Check epoch_state.settled in the database first (authoritative), fall back to the legacy finalized column, then use the time heuristic only when no record exists.
Attack scenario prevented:
1. Epoch N settlement fails (no eligible miners)
2. Old code: time heuristic marks N as settled after 2 epochs
3. Attacker claims rewards for epoch N despite no distribution
4. Fixed code: database settled=0 blocks the claim
Tests: 9 unit tests covering settled/unsettled states, legacy schemas, fallback behavior, and the original attack vector.
Wallet: RTC6d1f27d28961279f1034d9561c2403697eb55602
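The lookup order described in that commit (database record first, legacy column second, time heuristic only when no record exists), as an added example written for this page; it is not RustChain's code. The schema (an `epoch_state` table with a `settled` column, a legacy `epochs.finalized` column), the 600-second epoch length and the "two epochs old" rule are assumptions made for the demo. The vulnerable variant ignores `db_path` exactly as the commit describes the old behavior.

```python
# Added example, not RustChain's own code. Schema, epoch length and settle lag
# are assumptions; the point is the authoritative-DB-first lookup order.
import os
import sqlite3
import tempfile
import time

EPOCH_SECONDS = 600          # assumed epoch length
SETTLE_LAG_EPOCHS = 2        # assumed: legacy heuristic calls epochs this old "settled"


def _settled_by_time(epoch, now, epoch_start=0.0):
    """Legacy heuristic: an epoch counts as settled once it is SETTLE_LAG_EPOCHS behind now."""
    current_epoch = int((now - epoch_start) // EPOCH_SECONDS)
    return epoch <= current_epoch - SETTLE_LAG_EPOCHS


def is_epoch_settled_vulnerable(epoch, db_path, now=None):
    """'Before' behaviour from the commit: db_path is accepted but never consulted."""
    return _settled_by_time(epoch, time.time() if now is None else now)


def is_epoch_settled(epoch, db_path, now=None):
    """Fixed lookup: epoch_state.settled -> legacy epochs.finalized -> time heuristic."""
    now = time.time() if now is None else now
    conn = sqlite3.connect(db_path)
    try:
        tables = {r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")}
        if "epoch_state" in tables:
            row = conn.execute(
                "SELECT settled FROM epoch_state WHERE epoch = ?", (epoch,)).fetchone()
            if row is not None:
                return bool(row[0])          # authoritative, including settled = 0
        if "epochs" in tables:
            cols = {r[1] for r in conn.execute("PRAGMA table_info(epochs)")}
            if "finalized" in cols:
                row = conn.execute(
                    "SELECT finalized FROM epochs WHERE epoch = ?", (epoch,)).fetchone()
                if row is not None:
                    return bool(row[0])      # legacy schema, still a real record
    finally:
        conn.close()
    return _settled_by_time(epoch, now)      # no record at all: only now fall back to time


def demo_attack_scenario():
    """Constructed state: epoch 4 settled, epoch 5 failed settlement (settled = 0),
    epoch 3 has no row. 'now' sits in epoch 8, so 3..6 all look old enough by time."""
    fd, db_path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    try:
        conn = sqlite3.connect(db_path)
        conn.execute("CREATE TABLE epoch_state (epoch INTEGER PRIMARY KEY, settled INTEGER)")
        conn.executemany("INSERT INTO epoch_state VALUES (?, ?)", [(4, 1), (5, 0)])
        conn.commit()
        conn.close()
        now = 8 * EPOCH_SECONDS + 1
        return {
            "vulnerable_claims_failed_epoch": is_epoch_settled_vulnerable(5, db_path, now),
            "fixed_blocks_failed_epoch": is_epoch_settled(5, db_path, now),
            "fixed_allows_settled_epoch": is_epoch_settled(4, db_path, now),
            "fixed_falls_back_when_no_record": is_epoch_settled(3, db_path, now),
        }
    finally:
        os.unlink(db_path)
```

The key property is that a present-but-zero `settled` row blocks the claim; the time heuristic is consulted only when no table holds any record for the epoch.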
- Add sliding window rate limiter (100 req/min per IP)
- Return 429 with Retry-After header when limit exceeded
- Add X-RateLimit-Limit/Remaining/Reset headers to responses
- New api_rate_limits table with indexed lookups
- Independent rate limits per IP and per endpoint
- 8 unit tests covering boundary conditions
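A SQLite-backed sliding-window limiter that produces the 429/Retry-After and X-RateLimit-* behaviour listed in that commit, as an added example for this page rather than RustChain's code. The column layout of `api_rate_limits`, the `ip:`/`endpoint:` bucket naming and the looser 1000/min per-endpoint limit are assumptions; only the 100 req/min per-IP limit comes from the commit.

```python
# Added example, not RustChain's own code. Table layout, bucket naming and the
# per-endpoint limit are assumptions; the per-IP limit (100/min) is from the commit.
import math
import sqlite3
import time

IP_LIMIT = 100            # requests per window per client IP
ENDPOINT_LIMIT = 1000     # assumption: separate, looser per-endpoint limit
WINDOW_SECONDS = 60


class SlidingWindowLimiter:
    def __init__(self, conn, window=WINDOW_SECONDS):
        self.conn, self.window = conn, window
        conn.execute("CREATE TABLE IF NOT EXISTS api_rate_limits "
                     "(bucket TEXT NOT NULL, ts REAL NOT NULL)")
        conn.execute("CREATE INDEX IF NOT EXISTS idx_rate_limits_bucket_ts "
                     "ON api_rate_limits (bucket, ts)")

    def hit(self, bucket, limit, now):
        """Count hits in the trailing window; record this one only if it is allowed."""
        window_start = now - self.window
        # Expire timestamps that slid out of the window so the indexed count stays cheap.
        self.conn.execute("DELETE FROM api_rate_limits WHERE bucket = ? AND ts <= ?",
                          (bucket, window_start))
        count, oldest = self.conn.execute(
            "SELECT COUNT(*), MIN(ts) FROM api_rate_limits WHERE bucket = ?",
            (bucket,)).fetchone()
        if count >= limit:
            # A slot frees up when the oldest recorded hit leaves the window.
            reset = max(1, math.ceil(oldest + self.window - now))
            return {"allowed": False, "limit": limit, "remaining": 0, "reset": reset}
        self.conn.execute("INSERT INTO api_rate_limits (bucket, ts) VALUES (?, ?)",
                          (bucket, now))
        self.conn.commit()
        oldest = now if oldest is None else oldest
        reset = max(1, math.ceil(oldest + self.window - now))
        return {"allowed": True, "limit": limit, "remaining": limit - count - 1, "reset": reset}


def handle_request(limiter, ip, endpoint, now=None):
    """Apply the per-IP and per-endpoint limits independently; both buckets are charged,
    and the headers describe whichever bucket is closest to exhaustion."""
    now = time.time() if now is None else now
    per_ip = limiter.hit(f"ip:{ip}", IP_LIMIT, now)
    per_endpoint = limiter.hit(f"endpoint:{endpoint}", ENDPOINT_LIMIT, now)
    tightest = min(per_ip, per_endpoint, key=lambda r: (r["allowed"], r["remaining"]))
    headers = {
        "X-RateLimit-Limit": str(tightest["limit"]),
        "X-RateLimit-Remaining": str(tightest["remaining"]),
        "X-RateLimit-Reset": str(tightest["reset"]),
    }
    if not tightest["allowed"]:
        headers["Retry-After"] = str(tightest["reset"])
        return 429, headers
    return 200, headers


def demo():
    """Constructed traffic: 100 hits from one IP spread over 50 s, a 101st at t+50,
    a different IP at t+50, then the first IP again after the window has passed."""
    limiter = SlidingWindowLimiter(sqlite3.connect(":memory:"))
    t0 = 1_700_000_000.0
    statuses = [handle_request(limiter, "10.0.0.1", "/attest", t0 + i * 0.5)[0]
                for i in range(IP_LIMIT)]
    blocked_status, blocked_headers = handle_request(limiter, "10.0.0.1", "/attest", t0 + 50.0)
    other_ip_status, _ = handle_request(limiter, "10.0.0.2", "/attest", t0 + 50.0)
    later_status, later_headers = handle_request(limiter, "10.0.0.1", "/attest", t0 + 110.0)
    return {
        "first_hundred_all_200": all(s == 200 for s in statuses),
        "blocked_status": blocked_status,
        "retry_after": int(blocked_headers["Retry-After"]),
        "other_ip_status": other_ip_status,
        "after_window_status": later_status,
        "after_window_remaining": int(later_headers["X-RateLimit-Remaining"]),
    }
```

Because the window slides, Retry-After is derived from the oldest surviving timestamp rather than a fixed minute boundary, which is the boundary condition a fixed-window limiter gets wrong.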
…n#2268)
- Replace predictable time.time()-based nonce with secrets.token_hex(16)
- Fix msg_id generation in create_message() (line 504)
- Fix state_msg_id generation in handle_get_state() (line 942)
- Fix Message.nonce in rips/rustchain-core/networking/p2p.py __post_init__
- Add 9 unit tests verifying nonce uniqueness, entropy, and unpredictability
- Vulnerability: attacker could brute-force nonce by guessing time window
- Mitigation: 128-bit cryptographically secure random nonce (2^128 search space)
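The brute-force that commit describes, worked through as an added example for this page (not RustChain's code): a clock-derived nonce falls to a scan of the plausible time window, while `secrets.token_hex(16)` gives 16 CSPRNG bytes and a 2^128 search space. The page does not show how the original code turned `time.time()` into a nonce, so hashing a millisecond timestamp with SHA-256 is an assumption made for the demo.

```python
# Added example, not RustChain's own code. The weak_nonce() construction is an
# assumption about how a time.time()-derived nonce might have looked.
import hashlib
import secrets


def weak_nonce(now_ms):
    """'Before': the nonce is a function of the wall clock, so its entropy is the
    clock resolution times the attacker's uncertainty about when it was minted."""
    return hashlib.sha256(str(now_ms).encode()).hexdigest()[:32]


def secure_nonce():
    """'After': 16 bytes from the OS CSPRNG as 32 hex chars; 2**128 possibilities."""
    return secrets.token_hex(16)


def brute_force_weak_nonce(observed, approx_ms, window_ms=5_000):
    """Attacker saw the nonce and knows roughly when it was minted (+/- window_ms).
    Returns (recovered_timestamp_ms, guesses_made) or (None, guesses_made)."""
    guesses = 0
    for candidate in range(approx_ms - window_ms, approx_ms + window_ms + 1):
        guesses += 1
        if weak_nonce(candidate) == observed:
            return candidate, guesses
    return None, guesses


def demo():
    true_ms = 1_700_000_000_123                 # constructed: when the victim minted its nonce
    victim_weak = weak_nonce(true_ms)
    # Attacker's clock estimate is off by 1.234 s; the scan still lands in a few thousand tries.
    recovered, guesses = brute_force_weak_nonce(victim_weak, true_ms + 1_234)
    strong = [secure_nonce() for _ in range(10_000)]
    return {
        "weak_recovered": recovered == true_ms,
        "weak_guesses": guesses,
        "strong_all_unique": len(set(strong)) == len(strong),
        "strong_all_32_hex_chars": {len(n) for n in strong} == {32},
    }
```

Hashing the timestamp does nothing for unpredictability here: the attacker hashes the same candidates. Unpredictability has to come from the input, which is what `secrets` supplies.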
- Replace == operator with hmac.compare_digest for RC_ADMIN_KEY comparison
- Fix timing attack vulnerability in sophia_governor_review_service.py:145
- Add hmac import to module
- Add 7 unit tests verifying auth behavior and timing attack resistance
- Vulnerability: attacker could statistically determine admin key by measuring response times
- Impact: unauthorized access to Sophia governor review endpoints
…cottcjn#3981 + Scottcjn#3975)
- Add --verbose flag for detailed output in dry-run mode
- Add --show-payload flag to preview API request payloads
- Update LocalMiner.__init__ to accept verbose/show_payload params
- Enhance dry_run() to print attest/enroll API payloads when enabled
- Backward compatible: flags are optional, default behavior unchanged
…cottcjn#3988)
- Add x86_64/arm64 validation for Darwin platform
- Consistent with existing Linux architecture checks
- Rejects unsupported architectures (e.g., i386 on older Macs)
Scottcjn#3980)
- Scottcjn#3973: Fix README quickstart dry-run command to use correct Python path
- Scottcjn#3970: Fix broken RIP-0308 relative link in GPU_FINGERPRINTING.md
- Scottcjn#3980: Add Wallets section to README (Chrome extension + CLI)
- Also fix macOS arch validation in miners/windows/install-miner.sh
fengqiankun6-sudo
left a comment
PR Review: #3999 — documentation improvements
Summary: Fixes GPU_FINGERPRINTING.md relative link, adds wallet section to README.
Assessment: ✅ LGTM — Broken link fix + useful wallet reference addition. No breaking changes. Risk: Low
Closing per Codex audit (2026-05-06). Mostly docs plus duplicated arch-validation follow-on. Not a distinct payout-worthy fix on top of #3998 / #4001. No penalty — this is calibration feedback. Resubmit as a clean, scoped PR if you want to address the underlying fix. Severity must match the actual change (see Bounty Severity Tiers). For BossChaos's awareness: the open-PR cluster (29 PRs) showed a pattern of severity inflation + stacked-branch contamination. Going forward, please submit single-target branches with one fix per PR — that lets us pay you faster at honest severity. — auto-triage 2026-05-06
haoyousun60-create
left a comment
LGTM! Clean fix with proper validation. 🚀
Code Review — LGTM ✅
Automated code review by Hermes Agent (security + quality check).
Summary: Looks good. Ready for merge.
Auto-review | Bounty #73 | RTC:
Summary
Batch documentation fixes:
- README quickstart dry-run command (`python3 ~/.rustchain/rustchain_miner.py --dry-run`)
- docs/GPU_FINGERPRINTING.md relative link (`../rips/docs/...`)
- miners/windows/install-miner.sh macOS arch validation
Testing