
[AUDIT-FULL-C3] Verify SHA-256 checksum of TON-proxy binary before execution#332

Merged
xlabtg merged 4 commits into xlabtg:main from konard:issue-308-0bcb57432436 on Apr 23, 2026

Conversation


@konard konard commented Apr 23, 2026

Summary

Fixes #308

The install() method in src/ton-proxy/manager.ts previously downloaded the Tonutils-Proxy binary from GitHub Releases with no integrity verification — no checksum, no size limit, no redirect-domain check. A compromised upstream account or MITM on an anonymous download would silently install malicious code with wallet-owner privileges.

Changes

src/ton-proxy/checksums.json (new)

Pins the release tag (v1.8.3) and stores SHA-256 digests for every supported platform binary:

| Binary | SHA-256 |
| --- | --- |
| tonutils-proxy-cli-linux-amd64 | 8df4974e... |
| tonutils-proxy-cli-darwin-amd64 | ae9e85bc... |
| tonutils-proxy-cli-darwin-arm64 | d8d47207... |
| tonutils-proxy-cli-windows-amd64.exe | 4a3ef279... |

src/ton-proxy/manager.ts

  • Pinned tag — URL built from checksums.json, not the floating /releases/latest API.
  • Redirect-domain check — final URL after redirects must resolve to github.com or objects.githubusercontent.com; anything else aborts immediately.
  • Content-Length guard — rejects responses declaring > 50 MB before streaming starts.
  • Streaming size cap — bytes are counted during streaming; exceeding 50 MB aborts mid-stream.
  • SHA-256 checksum — digest computed over all received bytes and compared to checksums.json before chmod +x is ever called.
  • Cleanup on failure — partial/full file deleted on any error; no auto-retry on checksum mismatch.

src/ton-proxy/__tests__/manager.test.ts (new)

5 unit tests covering all new security checks:

  • ✅ Correct bytes + matching checksum → chmodSync called
  • ✅ Tampered bytes → throws checksum mismatch, chmodSync never called
  • ✅ Oversized Content-Length → throws before streaming
  • ✅ Cross-domain redirect → throws before checksum
  • ✅ HTTP error → throws before streaming

docs/ton-wallet.md

New TON Proxy Binary Verification section documents the pinned tag, what is verified, failure behaviour, and how to upgrade the binary.

Acceptance criteria

  • Release tag pinned in code / config (not latest)
  • checksums.json for all supported platforms lives next to the manager
  • SHA-256 verified after pipeline, before chmod +x
  • Content-Length and redirect-domain validated
  • Test: tampered binary mock-server → install() aborts before chmod +x
  • docs/ton-wallet.md describes the verification process

Test plan

All 5 new tests pass; full suite (151 files, 3073 tests) is green with no regressions.

Adding .gitkeep for PR creation (default mode).
This file will be removed when the task is complete.

Issue: xlabtg#308
…cutable

Pin the Tonutils-Proxy release tag in checksums.json and verify the
downloaded binary's SHA-256 digest before chmod +x is called.  Also
validate Content-Length (≤ 50 MB), reject cross-domain redirects, and
delete the partial file on any verification failure without auto-retry.

Closes xlabtg#308
@konard konard changed the title from "[WIP] [AUDIT-FULL-C3] TON-proxy binary downloaded from GitHub Releases with no integrity verification" to "[AUDIT-FULL-C3] Verify SHA-256 checksum of TON-proxy binary before execution" on Apr 23, 2026
@konard konard marked this pull request as ready for review April 23, 2026 05:03

konard commented Apr 23, 2026

Solution summary

All done. Here's a summary of what was implemented:


PR #332 — [AUDIT-FULL-C3] Verify SHA-256 checksum of TON-proxy binary before execution

What changed

src/ton-proxy/checksums.json (new) — pins release tag v1.8.3 with SHA-256 digests for all 4 supported platform binaries (linux-amd64, darwin-amd64, darwin-arm64, windows-amd64). Checksums were computed by downloading the real binaries.

src/ton-proxy/manager.ts: install() now:

  1. Loads the pinned tag and expected digest from checksums.json (fast-fails if the file is missing or the current platform isn't listed)
  2. Validates the final redirect URL stays on github.com or objects.githubusercontent.com
  3. Checks Content-Length ≤ 50 MB before streaming
  4. Counts streaming bytes and aborts if they exceed 50 MB
  5. Verifies SHA-256 digest after streaming — only calls chmodSync if it matches
  6. Deletes the partial/full file on any failure, no auto-retry

src/ton-proxy/__tests__/manager.test.ts (new) — 5 unit tests, all passing:

  • Correct checksum → chmod +x called ✅
  • Tampered binary → throws before chmod +x
  • Oversized Content-Length → throws ✅
  • Cross-domain redirect → throws ✅
  • HTTP 404 → throws ✅

docs/ton-wallet.md — new "TON Proxy Binary Verification" section explaining all checks and the upgrade procedure.

Full test suite: 3073 tests across 151 files — all green.


This summary was automatically extracted from the AI working session output.
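The PR description and the solution summary above both describe the same install() pipeline: pinned tag in the URL, HTTP status check, redirect-domain check, Content-Length guard, streamed byte count, SHA-256 comparison before chmod +x, and deletion of the file on any failure. The block below is an added example that is not the xlabtg project's manager.ts and not konard's code: it implements those checks in TypeScript against an in-memory fake fetch so it runs offline, and drives them through every failure mode the PR's tests list plus one the list does not mention, a Content-Length header that under-reports the body. The allowed hosts, the 50 MB cap and the order of checks are taken from the PR text; the RELEASE_BASE URL (the page never names the upstream owner/repo), the stub binary bytes, and every function and type name are assumptions.

```typescript
// Added example, not the xlabtg project's src/ton-proxy/manager.ts: the
// download-and-verify checks the PR lists, wired to an in-memory fake fetch so
// it runs offline. Allowed hosts, the 50 MB cap and the check order come from
// the PR text; RELEASE_BASE, the stub asset bytes and all names are assumptions.
import { createHash, timingSafeEqual } from "node:crypto";

const ALLOWED_HOSTS = ["github.com", "objects.githubusercontent.com"];
export const MAX_BYTES = 50 * 1024 * 1024;
const RELEASE_BASE = "https://github.com/example-org/tonutils-proxy/releases/download"; // assumed

export interface PinnedBinary { tag: string; asset: string; sha256: string } // a checksums.json entry

export interface ReleaseResponse {
  status: number;
  finalUrl: string;        // URL reached after redirects were followed
  contentLength?: number;  // parsed Content-Length header, if any
  body: Buffer[];          // chunks as they arrive on the wire
}

export class InstallError extends Error {
  constructor(public reason: "http" | "redirect" | "size" | "checksum", msg: string) { super(msg); }
}

export interface FileSink { chunks: Buffer[]; executable: boolean } // the file on disk + mode bits

export function assertTrustedHost(finalUrl: string): void {
  const host = new URL(finalUrl).hostname.toLowerCase();
  if (ALLOWED_HOSTS.indexOf(host) === -1) throw new InstallError("redirect", `left GitHub: ${host}`);
}

export function installBinary(pin: PinnedBinary, fetchImpl: (url: string) => ReleaseResponse,
                              file: FileSink, maxBytes: number = MAX_BYTES): string {
  const res = fetchImpl(`${RELEASE_BASE}/${pin.tag}/${pin.asset}`); // pinned tag, never /releases/latest
  try {
    if (res.status !== 200) throw new InstallError("http", `HTTP ${res.status}`);
    assertTrustedHost(res.finalUrl);
    if (res.contentLength !== undefined && res.contentLength > maxBytes) {
      throw new InstallError("size", `Content-Length ${res.contentLength} > ${maxBytes}`);
    }
    const hash = createHash("sha256");
    let received = 0;
    for (const chunk of res.body) {
      received += chunk.length; // count real bytes; the header may lie or be absent
      if (received > maxBytes) throw new InstallError("size", `stream exceeded ${maxBytes} bytes`);
      hash.update(chunk);
      file.chunks.push(chunk);
    }
    const actual = hash.digest();
    const expected = Buffer.from(pin.sha256, "hex");
    if (expected.length !== 32 || !timingSafeEqual(actual, expected)) {
      throw new InstallError("checksum", `SHA-256 mismatch, got ${actual.toString("hex")}`);
    }
    file.executable = true; // the only path that reaches chmod +x
    return actual.toString("hex");
  } catch (err) {
    file.chunks.length = 0; // unlink partial/full file; no auto-retry
    file.executable = false;
    throw err;
  }
}

// Constructed fixtures: a stub "binary" and its pinned entry.
export const SAMPLE_BINARY = Buffer.from("#!/bin/sh\necho tonutils-proxy stub\n");
export const PIN: PinnedBinary = { tag: "v1.8.3", asset: "tonutils-proxy-cli-linux-amd64",
  sha256: createHash("sha256").update(SAMPLE_BINARY).digest("hex") };

type FakeOpts = { status?: number; finalUrl?: string; contentLength?: number; bytes?: Buffer };
export function fakeFetch(o: FakeOpts = {}): (url: string) => ReleaseResponse {
  const bytes = o.bytes ?? SAMPLE_BINARY;
  const chunks: Buffer[] = [];
  for (let i = 0; i < bytes.length; i += 8) chunks.push(bytes.subarray(i, i + 8));
  return () => ({
    status: o.status ?? 200,
    finalUrl: o.finalUrl ?? "https://objects.githubusercontent.com/release-asset/x",
    contentLength: "contentLength" in o ? o.contentLength : bytes.length,
    body: chunks,
  });
}

// Every failure mode the PR's tests cover, plus a Content-Length that lies.
export function runScenarios(): Record<string, string> {
  const tampered = Buffer.from(SAMPLE_BINARY);
  tampered[0] ^= 0xff;
  const cases: Array<[string, (url: string) => ReleaseResponse, number?]> = [
    ["valid", fakeFetch()],
    ["tampered", fakeFetch({ bytes: tampered })],
    ["oversized-header", fakeFetch({ contentLength: MAX_BYTES + 1 })],
    ["cross-domain", fakeFetch({ finalUrl: "https://downloads.example.net/asset" })],
    ["http-404", fakeFetch({ status: 404 })],
    ["lying-header", fakeFetch({ contentLength: 10 }), 16],
  ];
  const out: Record<string, string> = {};
  for (const [name, fetchImpl, cap] of cases) {
    const file: FileSink = { chunks: [], executable: false };
    try { installBinary(PIN, fetchImpl, file, cap); out[name] = "ok"; }
    catch (e) { out[name] = String((e as { reason?: string }).reason ?? "unknown"); }
    out[`${name}.exec`] = String(file.executable);
    out[`${name}.bytes`] = String(Buffer.concat(file.chunks).length);
  }
  return out;
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

Two details worth keeping when porting this to real I/O: the byte counter inside the loop is what actually enforces the cap, since a server controls its own Content-Length header and may omit it entirely (the lying-header scenario is rejected mid-stream even though its header passed the first guard), and the digest comparison goes through timingSafeEqual with an explicit 32-byte length check rather than string equality. Everything that can fail runs inside the try, so the catch path (delete the file, clear the executable bit, rethrow without retrying) is the only exit other than a verified digest.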


konard commented Apr 23, 2026

🤖 Solution Draft Log

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost: $2.562948

📊 Context and tokens usage:

  • 82.3K / 1M (8%) input tokens, 26.3K / 64K (41%) output tokens

Total: (71.7K + 6.3M cached) input tokens, 26.3K output tokens, $2.562948 cost

🤖 Models used:

  • Tool: Anthropic Claude Code
  • Requested: sonnet
  • Model: Claude Sonnet 4.6 (claude-sonnet-4-6)

📎 Log file uploaded as Gist (2747KB)


Now working session is ended, feel free to review and add any feedback on the solution draft.


konard commented Apr 23, 2026

🔄 Auto-restart triggered (iteration 1)

Reason: CI failures detected

Starting new session to address the issues.


Auto-restart-until-mergeable mode is active. Will continue until PR becomes mergeable.


konard commented Apr 23, 2026

🔄 Auto-restart-until-mergeable Log (iteration 1)

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost: $0.514923

📊 Context and tokens usage:

  • 58.6K / 1M (6%) input tokens, 3.1K / 64K (5%) output tokens

Total: (48.0K + 963.8K cached) input tokens, 3.1K output tokens, $0.514923 cost

🤖 Models used:

  • Tool: Anthropic Claude Code
  • Requested: sonnet
  • Model: Claude Sonnet 4.6 (claude-sonnet-4-6)

📎 Log file uploaded as Gist (3434KB)


Now working session is ended, feel free to review and add any feedback on the solution draft.


konard commented Apr 23, 2026

✅ Ready to merge

This pull request is now ready to be merged:

  • All CI checks have passed
  • No merge conflicts
  • No pending changes

Monitored by hive-mind with --auto-restart-until-mergeable flag

@xlabtg xlabtg merged commit cb7aa7e into xlabtg:main Apr 23, 2026
18 checks passed


Development

Successfully merging this pull request may close these issues.

[AUDIT-FULL-C3] TON-proxy binary downloaded from GitHub Releases with no integrity verification

2 participants