feat(audit-guard): add RelayerTxScanner for unauthorized TX detection (closes #25)#87
Open
gbengaeben wants to merge 1 commit into
Open
Conversation
…closes Vero-protocol#25) Adds a new RelayerTxScanner alongside the existing LogicErrorDetector (issue Vero-protocol#16) to authorize transactions before the relayer submits them to the Stellar network. - 11-pattern library covering signer auth, denylist precedence, multi-sig, replay, malformed inputs, opt-in trusted-source + per-op fee checks. - Tri-state AuthorizationStatus (AUTHORIZED / REQUIRES_REVIEW / UNAUTHORIZED) with severity-driven rollup. - Additive CLI command `scan-tx` keyed on TX_DATA_FILE + VERO_RELAYER_* environment variables; mirrors detect-logic exit semantics. - Coarse Rego mirror (policies/relayer_authz.rego) for orgs that centralise policy in OPA. - 77 jest tests (new + existing) green; RelayerContext export path corrected in src/index.ts.
Contributor
|
please resolve conflicts |
mrnetwork0001
pushed a commit
to mrnetwork0001/vero-audit-guard
that referenced
this pull request
Jun 28, 2026
…e-revert fix: add governance proposal cancel/revert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves #25 by adding a
RelayerTxScanneralongside the existingLogicErrorDetector(issue #16). The new scanner authorizes transactions before the relayer submits them to the Stellar network, with:AuthorizationStatus(AUTHORIZED/REQUIRES_REVIEW/UNAUTHORIZED) with severity-driven rollup.scan-txkeyed onTX_DATA_FILE+VERO_RELAYER_*env vars. Exit codes mirrordetect-logic(0 = AUTHORIZED/REQUIRES_REVIEW, 1 = UNAUTHORIZED) so wire-up parity is trivial.policies/relayer_authz.rego) for orgs that centralise policy in OPA.What ships
src/audit-guard/src/relayer-scanner.ts— types +RelayerTxScannerorchestrator +generateReport(). Pure (no I/O, no global state), mirrors theLogicErrorDetectorshape exactly.src/audit-guard/src/relayer-patterns.ts— frozenObject.freezelibrary of 11 pure check patterns, each with id/title/description/severity/optional references.RELAYER_PATTERNSandRELAYER_PATTERN_IDSexported.src/audit-guard/policies/relayer_authz.rego— OPA mirror underpackage relayer.authz.INVALID_HASH_FORMATis intentionally delegated to the TS engine (see inline comment) because OPA regex support varies by version.src/audit-guard/src/cli.ts— additivescan-txcommand, grouped with the other async handlers aboveprintHelp; every existing command preserved.src/audit-guard/src/index.ts— additive exports; all existingLogicErrorDetectorexports intact;RelayerContextre-exported from the correct module.src/audit-guard/README.md— new## Relayer Tx Scan (Issue #25)section as a peer of## Logic Error Detection (Issue #16).Pattern library
DENYLISTED_SIGNERUNKNOWN_SIGNERMISSING_SIGNATURESINSUFFICIENT_SIGNATURESmultiSigThreshold(CRITICAL when zero).DUPLICATE_SIGNATUREMALFORMED_SIGNATURE_ENTRYsignerKeyorsignatureValue.INVALID_HASH_FORMATREPLAY_DETECTEDknownHashesset.UNTRUSTED_SOURCE_ACCOUNTsourceAccountnot intrustedSourceAccounts(opt-in).UNSUPPORTED_OPERATIONallowedOperationTypes(opt-in).FEE_OVER_LIMITfee / opCountexceedsmaxFeePerOp(opt-in).Note on pre-existing TS errors
tsc --buildfor the fullaudit-guardpackage is RED on issues outside this PR scope and unrelated to the RelayerTxScanner:--jsxflag +reactpackage (src/ui/BountyForm.tsx,src/ui/BreakerButton.tsx)node-fetchtypes (src/webhook.ts)startvariable (src/policy-engine.ts)These are pre-existing on
mainand not regressions introduced by this PR. The new code paths typecheck cleanly whentsc --noEmitis scoped to the changed files; 77/77 jest tests pass in the relayer-scanner + logic-detector suites. A separate follow-up issue should address them.Test plan
Mirrors and intent
PR #69 from gbengaeben addresses the same issue but REPLACES the existing
LogicErrorDetectorexports and thedetect-logicCLI command, which would regress our current## Logic Error Detection (Issue #16)surface. This PR is strictly additive:detect-logic.Reviewers familiar with the existing LogicErrorDetector will recognize the orchestrator shape (
RelayerTxScanner<-LogicErrorDetector), the frozen pattern library (RELAYER_PATTERNS<-LOGIC_PATTERNS), the severity-sorted findings, and the markdown report.Followups needed before this can merge
The OPA Policy Compliance and Anomaly Detector Tests CI jobs fail because of pre-existing TS/dependency issues in src/audit-guard that are not caused by this PR. A separate upstream PR (see search for fix/audit-guard-build-ci) addresses them; once that merges, the CI matrix for this PR will go green.
Until then, treat the OPA Policy Compliance and Anomaly Detector Tests (TypeScript) failures as expected noise — they are not regressions from this PR.