docs(audit): full-repo audit FULL_AUDIT_REPORT.md for v3.0

[konard]

Summary

Adds FULL_AUDIT_REPORT.md — a comprehensive follow-up to the first audit (#250/#251) covering the modules that were not in the original scope. All 23 prior findings are already fixed; this audit finds 24 new reproducible issues across plugins, MCP, Management API, TON/Telegram/deals, services, CLI, installer, and dependencies.

Also adds improvements/work2/ — a ready-to-file issue template per finding (per reviewer request), mirroring the format used for the first audit in improvements/work/.

Closes #304.

Scope audited

Full repository (src/**, bin/, install.sh, package.json, Dockerfile, .github/**, docs/**) except node_modules/ and the web/ React frontend. Version: package.json 0.8.11, schema 1.20.0.

Baseline: AUDIT_REPORT.md (issue #250) — 23 findings, all remediated per improvements/work/AUDIT_WORK_REPORT.md. New findings here are distinct from the baseline.

Headline findings

Severity	Count	Top items
🔴 Critical	3	External plugins load with no isolation (FULL-C1); exec allowlist is a prefix match (FULL-C2); TON-proxy binary downloaded without integrity check (FULL-C3).
🟠 High	8	createSafeDb block-list misses loadExtension/backup/pragma/function (FULL-H1); MCP tools without schema register anyway (FULL-H2); sendTon returns a fabricated hash (FULL-H3); dependent tasks re-enter as unsanitized prompts (FULL-H4); admin_ids leaked to plugins (FULL-H5); /v1/agent/restart has no lock (FULL-H6); secrets via argv / shell history (FULL-H7); installer pulls from existing remote without verification (FULL-H8).
🟡 Medium	9	HookRunner reentrancy is a process-global counter (FULL-M1); webhook SSRF (FULL-M2); workspace validator TOCTOU/symlink (FULL-M3); ATTACH DATABASE unescaped path (FULL-M4); transcripts unbounded (FULL-M5); SSE listener leak (FULL-M6); WorkflowScheduler no dedupe (FULL-M7); Telegram HTML link-text not escaped (FULL-M8); 14 npm audit vulns (FULL-M9).
🟢 Low	4	Config port envs silently dropped (FULL-L1); doctor skips wallet decryption (FULL-L2); secretKey retained for process lifetime (FULL-L3); provider error bodies forwarded raw (FULL-L4).

Ready-to-file issue templates — improvements/work2/

Each finding above has a stand-alone Markdown template in
improvements/work2/ with YAML front-matter
(title, labels, milestone, severity, category, effort, priority) and a
body (source, description, location, impact, remediation, acceptance
criteria). Filing them as issues is a one-liner:

cd improvements/work2
for f in full-*.md; do
  title=$(awk -F'"' '/^title:/{print $2; exit}' "$f")
  body=$(awk '/^---$/{c++; next} c==2' "$f")
  gh issue create \
    --repo xlabtg/teleton-agent \
    --title "$title" --body "$body" \
    --label "bug,audit-finding-full" \
    --milestone "v3.0 - Production Ready"
done

See improvements/work2/README.md
for the full index grouped by priority (P0/P1/P2/P3).

Go/No-Go recommendation

🟠 Conditional Go. Safe in no-plugin, no-MCP, non-allowlist exec, TON ≤ 0.1/day configuration. Before enabling plugins/MCP or autonomous transfers, land the 6 P0 items (FULL-C1, FULL-C2, FULL-C3, FULL-H1, FULL-H2, FULL-H5).

Methodology

• Read the full prior audit + its 23 remediation notes.
• Four parallel deep-scans (CLI+config+installer; API+services+SDK; TON+Telegram+bot+deals; agent+plugins+MCP+memory+providers+workspace+session+utils).
• Cross-verified by direct file read for every finding referenced in this report.
• npm audit --audit-level=low + npm outdated for dependency hygiene.
• One pre-write finding was corrected during review (the /v1/ton-proxy Management API endpoint manages the external proxy binary lifecycle, not TON signing — recast as FULL-C3).

Test plan

• Review FULL_AUDIT_REPORT.md — confirm each finding's location + evidence + remediation is accurate and distinct from the 23 already-fixed items.
• Review improvements/work2/ — confirm each template mirrors the corresponding finding in the report.
• Land the 6 P0 items as separate PRs, one per template in improvements/work2/full-c*.md + full-h1/h2/h5, each with its own regression test.
• Run npm audit fix in a separate branch; verify no regressions; bump audit-ci.jsonc to fail on high.
• Wire renovate/dependabot for the next wave.

What this audit did NOT cover

• Runtime tracing / load testing.
• web/ React frontend and node_modules/ source.
• @ton/* cryptographic correctness.

---

This PR was created in response to #304. No source code changes — documentation only.

[konard]

Solution summary

Audit delivered. PR #305 is now ready for review with FULL_AUDIT_REPORT.md at the repo root.

Summary:

• 24 new reproducible findings (3 critical / 8 high / 9 medium / 4 low), distinct from the 23 already-fixed findings in the prior audit.
• Headline risks are the plugin/MCP trust boundary (FULL-C1, H1, H2, H5), exec allowlist prefix bypass (FULL-C2), unverified TON-proxy binary download (FULL-C3), and money-path integrity (sendTon pseudo-hash, FULL-H3).
• npm audit surfaced 14 transitive-dep CVEs including hono, @hono/node-server, and axios; all auto-fixable.
• Go/No-Go: 🟠 Conditional Go. Safe with no plugins, no MCP, non-allowlist exec, TON ≤ 0.1/day. Report includes a P0→P3 action plan and per-finding validation tests.

---

This summary was automatically extracted from the AI working session output.

[konard]

🤖 Solution Draft Log

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost: $12.814733

📊 Context and tokens usage:

• 121.9K / 1M (12%) input tokens, 77.6K / 128K (61%) output tokens

Total: (734.3K + 12.6M cached) input tokens, 77.6K output tokens, $12.814733 cost

🤖 Models used:

• Tool: Anthropic Claude Code
• Requested: opus
• Model: Claude Opus 4.7 (claude-opus-4-7)

📎 Log file uploaded as Gist (4748KB)

• View complete solution draft log

---

Now working session is ended, feel free to review and add any feedback on the solution draft.

[konard]

🔄 Auto-restart triggered (iteration 1)

Reason: CI failures detected

Starting new session to address the issues.

---

Auto-restart-until-mergeable mode is active. Will continue until PR becomes mergeable.

[xlabtg]

Okay, create a ready-made document for each problem to create an issue based on it and put it in the improvements folder. Create a work2 folder in it and put all these ready-made templates there.

[konard]

🔄 Auto-restart-until-mergeable Log (iteration 1)

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost: $7.046304

📊 Context and tokens usage:

• 162.3K / 1M (16%) input tokens, 26.2K / 128K (20%) output tokens

Total: (160.0K + 10.8M cached) input tokens, 26.2K output tokens, $7.046304 cost

🤖 Models used:

• Tool: Anthropic Claude Code
• Requested: opus
• Model: Claude Opus 4.7 (claude-opus-4-7)

📎 Log file uploaded as Gist (7301KB)

• View complete solution draft log

---

Now working session is ended, feel free to review and add any feedback on the solution draft.

[konard]

🔄 Auto-restart triggered (iteration 2)

Reason: New comment(s) from non-bot user(s): xlabtg

Starting new session to address the issues.

---

Auto-restart-until-mergeable mode is active. Will continue until PR becomes mergeable.

[xlabtg]

Okay, create a ready-made document for each problem to create an issue based on it and put it in the improvements folder. Create a work2 folder in it and put all these ready-made templates there.

[xlabtg]

Everything is fine, but you didn't create the WORK2 folder in the improvements folder and create a ready-made document for each problem.

[konard]

🔄 Auto-restart-until-mergeable Log (iteration 2)

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost: $3.310089

📊 Context and tokens usage:

• 121.4K / 1M (12%) input tokens, 37.1K / 128K (29%) output tokens

Total: (116.7K + 3.3M cached) input tokens, 37.1K output tokens, $3.310089 cost

🤖 Models used:

• Tool: Anthropic Claude Code
• Requested: opus
• Model: Claude Opus 4.7 (claude-opus-4-7)

📎 Log file uploaded as Gist (8523KB)

• View complete solution draft log

---

Now working session is ended, feel free to review and add any feedback on the solution draft.

[konard]

🔄 Auto-restart triggered (iteration 3)

Reason: New comment(s) from non-bot user(s): xlabtg, xlabtg

Starting new session to address the issues.

---

Auto-restart-until-mergeable mode is active. Will continue until PR becomes mergeable.

[konard]

Quick correction in response to your latest review.

The 24 ready-to-file templates already exist in improvements/work2/ (committed in 3229ade):

• improvements/work2/README.md — index by priority (P0/P1/P2/P3) with one-liner gh issue create snippet
• improvements/work2/full-c1…c3.md, full-h1…h8.md, full-m1…m9.md, full-l1…l4.md — one self-contained issue template per finding (YAML front-matter + body: source / description / location / impact / remediation / acceptance criteria), mirroring the format of improvements/work/audit-*.md from the prior audit

The previous restart accidentally moved FULL_AUDIT_REPORT.md into improvements/work2/, which broke the ../../FULL_AUDIT_REPORT.md cross-references in all 25 files (README + 24 templates) and the PR-description link to ./FULL_AUDIT_REPORT.md. Fix in d0e918e: moved FULL_AUDIT_REPORT.md back to the repo root, matching the precedent of AUDIT_REPORT.md from the first audit (#250/#251).

Final layout now matches the prior audit:

Prior audit (#250/#251)	Full-repo audit (#304/this PR)
AUDIT_REPORT.md (root)	FULL_AUDIT_REPORT.md (root)
improvements/work/AUDIT_WORK_REPORT.md	improvements/work2/README.md (priority index)
improvements/work/audit-*.md (23 files)	improvements/work2/full-*.md (24 files)

[konard]

🔄 Auto-restart-until-mergeable Log (iteration 3)

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost: $1.918325

📊 Context and tokens usage:

• 81.9K / 1M (8%) input tokens, 9.9K / 128K (8%) output tokens

Total: (75.8K + 2.4M cached) input tokens, 9.9K output tokens, $1.918325 cost

🤖 Models used:

• Tool: Anthropic Claude Code
• Requested: opus
• Model: Claude Opus 4.7 (claude-opus-4-7)

📎 Log file uploaded as Gist (9508KB)

• View complete solution draft log

---

Now working session is ended, feel free to review and add any feedback on the solution draft.