feat(audit-guard): add RelayerTxScanner for unauthorized TX detection (closes #25)#69
Open
gbengaeben wants to merge 2 commits into
Open
feat(audit-guard): add RelayerTxScanner for unauthorized TX detection (closes #25)#69gbengaeben wants to merge 2 commits into
gbengaeben wants to merge 2 commits into
Conversation
… (issue Vero-protocol#25) Resolves Vero-protocol#25: relayer unauthorized tx scan. Implements a RelayerTxScanner class that screens relayed transactions against an allowlist of authorized signers, with optional hard denylist, multi-sig threshold support, and a trusted source-account list. Every scanned TX produces a structured TxScanResult with violations, warnings, and an AUTHORIZED / REQUIRES_REVIEW / UNAUTHORIZED status flag that the incident-response pipeline can consume. Highlights: - Configurable via JSON file or env vars (RELAYER_CONFIG, RELAYER_AUTHORIZED_SIGNERS, RELAYER_DENYLIST, RELAYER_MULTISIG_THRESHOLD). - Fail-closed default: an empty allowlist rejects every TX until a config is supplied. - Defense in depth: denylisted signers produce CRITICAL violations regardless of allowlist membership; threshold misses combined with a foreign signer escalate to HIGH. - OPA/Rego mirror in policies/relayer_authz.rego for orgs that centralize policy in OPA. - New CLI command: 'scan-tx <tx-data.json>'. Drive-by fix: src/policy-engine.ts had a pre-existing TS2339 error referencing result.maintenance_alert on EvaluationResult. Added the optional field and populated it from prData.maintenance_mode / maintenance_message so the package typechecks cleanly under strict mode. Tests: 27/27 in src/relayer-scanner.test.ts (allowlist, denylist, multi-sig escalation + warning, source-account warnings, env-var overrides, discover(), boundary letter-spacing). 48/48 of the audit-guard test suite as a whole passes.
Contributor
|
Please resolve conflicts |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes #25 (
feat: relayer unauthorized tx scan).Adds a
RelayerTxScannerthat screens every relayed transaction against an allowlist of authorized signers, with optional hard denylist, optional multi-sig threshold, and an optional trusted source-account list. Every scanned TX produces a structuredTxScanResultwith violations, warnings, and anAUTHORIZED/REQUIRES_REVIEW/UNAUTHORIZEDstatus flag that the incident-response pipeline can consume.What is new
src/audit-guard/src/relayer-scanner.tsRelayerTxScannerclass + types (TxData,WhitelistConfig,TxScanResult,RELAYER_RULES)src/audit-guard/src/relayer-scanner.test.tssrc/audit-guard/policies/relayer_authz.regosrc/audit-guard/src/cli.tsscan-txcommand (TX_DATA_FILE,RELAYER_CONFIG,RELAYER_AUTHORIZED_SIGNERS,RELAYER_DENYLIST,RELAYER_MULTISIG_THRESHOLD,REPORT_FILE)src/audit-guard/src/index.tsRelayerTxScanner,RELAYER_RULES, typessrc/audit-guard/README.mdStatus semantics
AUTHORIZEDREQUIRES_REVIEWUNAUTHORIZEDRules emitted
EMPTY_SIGNERSDENYLISTED_SIGNERUNAUTHORIZED_SIGNERMULTISIG_THRESHOLD_NOT_METUNVERIFIED_SOURCE_ACCOUNTConfiguration
Configurable via JSON file or env vars. Fail-closed default — an empty allowlist rejects every TX until a config is supplied.
{ "authorizedSigners": ["G...alice", "G...bob"], "denylist": ["G...banned"], "multisigThreshold": 2, "sourceAccounts": ["G...trusted-relayer"] }RELAYER_CONFIGRELAYER_AUTHORIZED_SIGNERSRELAYER_DENYLISTRELAYER_MULTISIG_THRESHOLDCLI
Exit code is
1onUNAUTHORIZED,0otherwise (suitable for CI gates).Drive-by fix
src/audit-guard/src/policy-engine.tshad a pre-existingTS2339referencing the undeclaredresult.maintenance_alertonEvaluationResult. That error blockedtsc --noEmitfor the whole package (so any PR here would have failed CI). Added the optional field on the interface and populated it fromprData.maintenance_mode/prData.maintenance_messagein theevaluate()method. Without this, the upstream CI would reject this PR on a red check before reviewers even saw the content.Tests
npx tsc --noEmit— clean.npx jest— 48/48 insrc/audit-guard(27 new scanner tests + the existing policy-engine / backup suites).discover()env-path are all asserted.Out of scope (left for follow-ups)
multisigThresholdis a plain authorized-count threshold).verifiable-audit-trailpackage to persist findings as part of the audit trail automatically.scan-txinto CI.