This commit introduces a new audit document, `AUDIT-ERROR-HANDLING.md`, which provides a comprehensive review of the project's error handling and logging practices.
The audit covers:
- **Error Handling:** Analyzes the inconsistency between the well-structured API error responses and the simpler, unstructured error handling at the application's entry points.
- **Logging:** Details the existing custom logger, its lack of JSON output, and its inconsistent use across the codebase.
- **Recommendations:** Provides actionable steps for improvement, including adopting structured JSON logging, centralizing logger configuration, and standardizing on the global logger.
This commit also includes fixes for pre-existing build errors to allow the CI to pass:
- Adds a missing package declaration and imports in `pkg/node/dispatcher.go` and comments out calls to undefined methods.
- Adds a missing import in `pkg/node/peer.go` and resolves an unused variable error.
- Removes an unused import in `pkg/ueps/packet.go`.
Co-authored-by: Snider <631881+Snider@users.noreply.github.com>
This commit introduces the `AUDIT-CONCURRENCY.md` file, which contains a thorough audit of the concurrency and race condition safety of the mining operations in the `pkg/mining` package.
The audit includes:
- An executive summary of the findings.
- The methodology used, including automated race detection and manual code review.
- A detailed breakdown of the findings for the `Manager`, `BaseMiner`, and specific miner implementations.
- Recommendations for improving test coverage to allow for a more complete automated analysis.
Co-authored-by: Snider <631881+Snider@users.noreply.github.com>
This commit introduces a new file, AUDIT-MEMORY.md, which contains a detailed audit of the application's memory and resource management.
The audit covers several key areas, including:
- Goroutine lifecycle management
- In-memory data structures and potential leaks
- Database resource usage and connection pooling
- Process and file handle management for external miners
- Network connection handling for the API server
The report identifies a potential issue with the unbounded growth of the `miner_sessions` table and recommends adding a cleanup mechanism. Other areas were found to be robust and well-managed.
Co-authored-by: Snider <631881+Snider@users.noreply.github.com>
This commit introduces a comprehensive audit of the project's test coverage and quality.
The audit includes:
- An analysis of the overall line coverage.
- A list of untested code and functions.
- An evaluation of test quality, including independence, clarity, and reliability.
- A list of suggested tests to improve coverage and address gaps in edge cases, error paths, and integration testing.
Co-authored-by: Snider <631881+Snider@users.noreply.github.com>
This commit introduces a new security audit report for the mining protocol. The report, `AUDIT-PROTOCOL.md`, details findings and recommendations in the following areas:
- Stratum Protocol Security
- Pool Authentication
- Share Validation
- Block Template Handling
- Network Message Validation
This audit provides a baseline for future security improvements to the mining protocol.
Co-authored-by: Snider <631881+Snider@users.noreply.github.com>
This commit introduces a new audit document, `AUDIT-ERROR-HANDLING.md`, which provides a comprehensive review of the project's error handling and logging practices.
The audit covers:
- **Error Handling:** Analyzes the inconsistency between the well-structured API error responses and the simpler, unstructured error handling at the application's entry points.
- **Logging:** Details the existing custom logger, its lack of JSON output, and its inconsistent use across the codebase.
- **Recommendations:** Provides actionable steps for improvement, including adopting structured JSON logging, centralizing logger configuration, and standardizing on the global logger.
Co-authored-by: Snider <631881+Snider@users.noreply.github.com>
This commit introduces a comprehensive audit of the project's documentation. The audit is saved in the `AUDIT-DOCUMENTATION.md` file and covers the following areas:
- README Assessment
- Code Documentation
- Architecture Documentation
- Developer Documentation
- User Documentation
The report identifies several gaps in the documentation and provides a summary of recommended improvements.
Co-authored-by: Snider <631881+Snider@users.noreply.github.com>
This commit introduces a new audit document, `AUDIT-ERROR-HANDLING.md`, which provides a comprehensive review of the project's error handling and logging practices.
The audit covers:
- **Error Handling:** Analyzes the inconsistency between the well-structured API error responses and the simpler, unstructured error handling at the application's entry points.
- **Logging:** Details the existing custom logger, its lack of JSON output, and its inconsistent use across the codebase.
- **Recommendations:** Provides actionable steps for improvement, including adopting structured JSON logging, centralizing logger configuration, and standardizing on the global logger.
Additionally, this commit includes minor, unrelated fixes to address pre-existing build failures:
- Adds a missing package declaration and imports in `pkg/node/dispatcher.go`.
- Removes an unused import in `pkg/ueps/packet.go`.
Co-authored-by: Snider <631881+Snider@users.noreply.github.com>
Adds a new file, AUDIT-PERFORMANCE.md, which contains a comprehensive performance audit of the codebase.
The report covers several areas:
- Database Performance
- Memory Usage
- Concurrency
- API Performance
- Build/Deploy Performance
It identifies potential bottlenecks and provides actionable recommendations for optimization, such as:
- Implementing pagination for history endpoints.
- Parallelizing builds in the Makefile and GoReleaser config.
- Implementing response compression.
- Optimizing blocking operations in miner implementations.
Co-authored-by: Snider <631881+Snider@users.noreply.github.com>
This commit introduces a new audit file, `AUDIT-COMPLEXITY.md`, which provides a detailed analysis of the codebase's quality and maintainability.
The audit identifies several key areas for improvement, including:
- A "God Class" (`Manager`) that violates the Single Responsibility Principle.
- Code duplication in miner installation and verification logic.
- Several long and complex methods with high cognitive complexity.
For each finding, the audit provides concrete recommendations for refactoring, including the application of design patterns such as the Template Method and the use of the Extract Method technique. This document will serve as a valuable guide for future refactoring efforts to improve the long-term health of the codebase.
Co-authored-by: Snider <631881+Snider@users.noreply.github.com>
This commit introduces a security audit report that details findings related to exposed secrets and insecure configurations. The report, `AUDIT-SECRETS.md`, documents placeholder credentials, default passwords, and insecure default settings in various configuration files.
Co-authored-by: Snider <631881+Snider@users.noreply.github.com>
This commit introduces a new security audit report in AUDIT-INPUT-VALIDATION.md.
The audit report provides a comprehensive analysis of the application's input validation and sanitization mechanisms. It includes:
- An inventory of all input entry points, including API endpoints and WebSocket connections.
- A detailed analysis of validation gaps in the existing Config.Validate() method.
- A description of discovered injection vectors, such as command injection via CLIArgs and path traversal in config file creation.
- Actionable remediation recommendations with code examples to strengthen the application's security posture.
Co-authored-by: Snider <631881+Snider@users.noreply.github.com>
- Create miner/README.md documenting standalone C++ mining tools
- Update miner/core and miner/proxy READMEs with EUPL-1.2 license
- Add GitHub Actions workflow for multi-platform miner releases
- Add Makefile targets: build-miner, build-miner-core, build-miner-proxy
- Update main README with standalone miner usage instructions
The miner/ directory contains standalone CPU/GPU miner and stratum
proxy that can be used independently without the GUI. Pre-built
binaries will be published alongside Go releases.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- HIGH-015: Improve TLS certificate validation
- Enable SSL_VERIFY_PEER with system CA store
- Support certificate pinning via fingerprint
- Chain validation OR fingerprint match required
- HIGH-019: Document libuv single-thread model for Client state
- TOCTOU pattern is safe due to event loop serialization
- MED-005: Fix potential alignment issues in Keccak
- Use memcpy for unaligned uint8_t* to uint64_t access
- Prevents undefined behavior on strict alignment architectures
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Security fixes:
- HIGH-014: Use OpenSSL's RAND_bytes() for cryptographic random instead
of std::mt19937 when libsodium not available
- HIGH-021: Use find() instead of operator[] in SimpleSplitter::submit()
to avoid inserting nullptr into map
- HIGH-024: Use CRYPTO_memcmp() for constant-time token comparison in
Httpd::auth() to prevent timing attacks
- HIGH-026: Add overflow detection and slot reuse in Storage::add()
counter to prevent ID collisions after many connections
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Critical fixes:
- CRIT-008: Enable TLS peer certificate verification in client connections
- CRIT-010: Add null pointer checks throughout ExtraNonceSplitter
- CRIT-011: Validate JSON error message field before access in Client
- CRIT-013: Make event system thread-safe with atomic<bool> and CAS
- CRIT-018: Add bounds checking in NonceSplitter vector access
High priority fixes:
- HIGH-002: Set 0600 permissions on generated private key files
- HIGH-004: Add strtol error checking and overflow validation
- HIGH-007: Handle integer overflow in ExtraNonceStorage nonce counter
- HIGH-018: Add comprehensive JSON field validation in Miner::parse()
These fixes address TLS security, thread safety, memory safety, and
input validation issues identified during parallel code review.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
