
Commit e5e06e8

Merge pull request #200 from paritytech/chore/opensourcing-fixes
2 parents 59544fb + c3b3573 commit e5e06e8

9 files changed

Lines changed: 169 additions & 4 deletions


.claude/skills/playground-local-stack/SKILL.md

Lines changed: 7 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -45,23 +45,26 @@ configuration, `tmux split-window -c <dir>` only sets a new pane's cwd, and a
4545
freshly-created pane may swallow the first keys before its shell is ready.
4646

4747
```bash
48+
# 0. Resolve the repo root so the commands work on any machine.
49+
REPO_ROOT=$(git rev-parse --show-toplevel)
50+
4851
# 1. Create the servers window and capture the initial pane id.
4952
DOTLI_PANE=$(
5053
tmux new-window -t truapi: -n servers -d -P -F '#{pane_id}' \
51-
-c /home/pg/github/truapi
54+
-c "$REPO_ROOT"
5255
)
5356

5457
# 2. Split horizontally for the playground pane and capture its pane id.
5558
PLAYGROUND_PANE=$(
5659
tmux split-window -t "$DOTLI_PANE" -h -d -P -F '#{pane_id}' \
57-
-c /home/pg/github/truapi/playground
60+
-c "$REPO_ROOT/playground"
5861
)
5962

6063
# 3. Launch each process WITH an explicit cd in the same send-keys.
6164
tmux send-keys -t "$DOTLI_PANE" \
62-
'cd /home/pg/github/truapi/hosts/dotli && bun run preview' Enter
65+
"cd $REPO_ROOT/hosts/dotli && bun run preview" Enter
6366
tmux send-keys -t "$PLAYGROUND_PANE" \
64-
'cd /home/pg/github/truapi/playground && yarn dev' Enter
67+
"cd $REPO_ROOT/playground && yarn dev" Enter
6568
```
6669

6770
Use `bun run preview:debugger` (i.e. `VITE_APP_DEBUG=true`) instead of
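Review bot: the new `REPO_ROOT=$(git rev-parse --show-toplevel)` line has no failure handling, so when the snippet is run outside the checkout (or before a `cd` into it) `REPO_ROOT` is empty and the later `cd $REPO_ROOT/hosts/dotli` silently targets `/hosts/dotli`; consider `REPO_ROOT=$(git rev-parse --show-toplevel) || exit 1`. Separately, the `send-keys` strings were switched from single to double quotes so `$REPO_ROOT` expands locally, but the path is then unquoted in the receiving shell (`"cd $REPO_ROOT/playground && yarn dev"`), so a checkout path containing spaces breaks; escaping the inner quotes, e.g. `"cd \"$REPO_ROOT/playground\" && yarn dev"`, keeps it robust. The `-c "$REPO_ROOT"` arguments are already quoted correctly.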

.gitignore

Lines changed: 5 additions & 0 deletions
@@ -11,6 +11,11 @@ lerna-debug.log*
1111
node_modules
1212
target
1313

14+
# Environment / secrets (never commit real env files; keep example templates)
15+
.env
16+
.env.*
17+
!.env.example
18+
1419
# Editor / OS
1520
.vscode/*
1621
!.vscode/extensions.json
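Review bot: adding `.env` and `.env.*` to `.gitignore` only stops future additions; any env file that was already tracked before this change stays in the index and in history. Before relying on this rule, run `git ls-files | grep -E '(^|/)\.env'` and, if anything shows up, remove it with `git rm --cached` and rotate the secrets it held, since the repository is being opened up. The `!.env.example` re-include is correct as written and matches the comment's intent.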

Cargo.toml

Lines changed: 1 addition & 0 deletions
@@ -4,3 +4,4 @@ members = ["rust/crates/*"]
44

55
[workspace.package]
66
edition = "2024"
7+
license = "MIT"
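Review bot: `license = "MIT"` under `[workspace.package]` is the right place for the crates to inherit from, but none of the nine files in this commit adds a `LICENSE` file at the repository root; if one is not already present, the declared outbound licence (also asserted in the new `THIRD_PARTY_NOTICES.md`) has no licence text backing it, and `cargo publish` will package the crates without it. Please confirm the file exists or add it in this PR.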

SECURITY.md

Lines changed: 82 additions & 0 deletions
@@ -0,0 +1,82 @@
1+
# Security policy
2+
3+
## Security status
4+
5+
This repository contains reference and proof-of-concept code: the TrUAPI protocol
6+
definitions (Rust traits and types), the codegen toolchain, the generated TypeScript
7+
client, and an interactive playground. It is intended for reference and
8+
experimentation, not as a production-ready artefact.
9+
10+
Unless a specific release states otherwise, this repository has **not** received a full
11+
security audit. Use in production or production-like deployments should only follow an
12+
independent security review of the relevant code, configuration, generated output, and
13+
deployment environment.
14+
15+
Even where no Parity-operated production deployment exists today, this code may be used
16+
by third parties on live networks, or reused in future production contexts once
17+
published.
18+
19+
## Supported versions
20+
21+
Security fixes are provided only for versions, packages, or branches actively maintained
22+
by Parity. Experimental, archived, deprecated, or explicitly-unsupported packages,
23+
examples, or branches may not be triaged unless the issue affects maintained packages,
24+
Parity-operated infrastructure, user funds, private keys, signing flows, or transaction
25+
integrity.
26+
27+
## Bug bounty scope
28+
29+
This repository is **not** in scope for Parity's paid bug bounty programme unless
30+
explicitly listed in the official bounty scope at the time of submission. Reports may
31+
still be reviewed through responsible disclosure, but bounty eligibility applies only
32+
where the affected asset or vulnerability class is explicitly in scope.
33+
34+
## What to report
35+
36+
Report an issue only if it demonstrates realistic impact against one or more of:
37+
38+
- Parity-operated production infrastructure or deployed services;
39+
- maintained SDK packages downstream users are expected to consume;
40+
- user funds or assets;
41+
- private keys, seed phrases, signer flows, or key-management boundaries;
42+
- transaction construction, integrity, or signing intent;
43+
- remote code execution or credential compromise in a realistic deployment.
44+
45+
## Out of scope (unless shown to cause realistic high-impact harm)
46+
47+
Local-development-only issues; demo/example/testnet-only issues; missing security headers
48+
on non-production demos; missing rate limiting in local examples; dependency reports
49+
without a working exploit path or that don't affect shipped packages; hypothetical attack
50+
paths; "this code is unaudited"; documented known limitations; unsafe SDK use contrary to
51+
documented warnings; issues requiring access to internal Parity systems not in scope.
52+
53+
## Reporting a qualifying issue
54+
55+
Do **not** open a public issue for a qualifying vulnerability. Email
56+
**security@parity.io** with:
57+
58+
- the affected repository, package, commit, branch, or release;
59+
- clear reproduction steps and realistic impact;
60+
- whether it affects production infrastructure, maintained packages, user funds, keys,
61+
signing, or only local/demo/testnet usage;
62+
- any proof of concept, logs, or generated code involved;
63+
- assumptions required for exploitation.
64+
65+
## Researcher expectations
66+
67+
Don't access, modify, or delete data that isn't yours; don't disrupt services; don't
68+
extract keys or secrets beyond what's needed to demonstrate impact safely; don't test
69+
against production systems not in scope; no social engineering or physical attacks; don't
70+
disclose publicly until Parity has had a reasonable opportunity to remediate.
71+
72+
## Safe-use guidance
73+
74+
Before any production or production-like deployment, review at minimum: how
75+
keys/seeds/signers are generated, stored, and destroyed; whether signing prompts display
76+
transaction intent before approval; whether transactions are built against the intended
77+
chain/account/network; whether generated apps default to testnet/devnet; whether storage
78+
assumptions are appropriate; whether any cloud or statement-store data is
79+
public/private/encrypted; whether examples rely on internal/test/unstable endpoints;
80+
whether dependencies are pinned and reviewed; whether generated code has been manually
81+
reviewed before execution; and whether deployment configuration, CORS, auth, admin
82+
routes, logging, and telemetry suit the intended environment.
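Review bot: the "Reporting a qualifying issue" section gives only a plain email address (`security@parity.io`) and no encrypted channel or PGP key fingerprint, so reporters sending proof-of-concept details have no way to protect them in transit; add a key or a link to where one is published. The policy also states no acknowledgement or triage timeframe, which the "don't disclose publicly until Parity has had a reasonable opportunity to remediate" expectation implicitly relies on, and the "Bug bounty scope" section refers to "the official bounty scope" without linking it. A short "Response expectations" paragraph with a link to the scope page would close those gaps.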

THIRD_PARTY_NOTICES.md

Lines changed: 59 additions & 0 deletions
@@ -0,0 +1,59 @@
1+
# Third-party notices
2+
3+
This project (outbound licence: MIT) depends on third-party software listed below.
4+
All bundled dependencies are under permissive licences compatible with MIT. The
5+
summaries are generated with `cargo deny check licenses` (Rust) and
6+
`license-checker-rseidelsohn` (npm); regenerate after dependency changes.
7+
8+
## Rust crates (`truapi`, `truapi-codegen`, `truapi-macros`)
9+
10+
73 transitive dependencies, all permissive:
11+
12+
| Licence | Notes |
13+
|---------|-------|
14+
| `MIT OR Apache-2.0`, `MIT`, `Apache-2.0` | Permissive, MIT-compatible |
15+
| `Zlib` | Permissive |
16+
| `Unicode-3.0` | Permissive (Unicode data tables) |
17+
| `Unlicense OR MIT` | Permissive (MIT selected) |
18+
19+
`cargo deny check licenses` passes against the allowlist in `deny.toml`. No copyleft
20+
(GPL/LGPL/AGPL/MPL) dependencies are present.
21+
22+
Regenerate:
23+
24+
```bash
25+
cargo deny check licenses
26+
```
27+
28+
## Published npm package (`@parity/truapi`)
29+
30+
The published client has no third-party runtime dependencies bundled into its
31+
distribution beyond peer/dev tooling. Its own licence is MIT.
32+
33+
Regenerate:
34+
35+
```bash
36+
( cd js/packages/truapi && npx license-checker-rseidelsohn --production --summary )
37+
```
38+
39+
## Applications (`playground`, `explorer`)
40+
41+
These are not published as libraries; they are built and deployed as static sites.
42+
Their dependency trees are overwhelmingly permissive (MIT, Apache-2.0, ISC, BSD,
43+
0BSD, CC0-1.0, MPL-2.0). One weak-copyleft dependency is present:
44+
45+
- `@img/sharp-libvips-*`**LGPL-3.0-or-later**. Pulled in transitively by Next.js
46+
image optimization. It is dynamically loaded and not modified or statically linked;
47+
the LGPL notice is preserved here. It is not part of the published `@parity/truapi`
48+
library.
49+
50+
The `UNLICENSED` entries reported by the licence checker are the repository's own
51+
private, unpublished workspace packages (`truapi-playground`, `truapi-explorer`), not
52+
third-party code.
53+
54+
Regenerate:
55+
56+
```bash
57+
( cd playground && npx license-checker-rseidelsohn --summary )
58+
( cd explorer && npx license-checker-rseidelsohn --summary )
59+
```
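Review bot: the "Regenerate" command for the Rust crates, `cargo deny check licenses`, only passes or fails against the allowlist; it does not emit the per-licence summary that the table above is described as being generated from, so `cargo deny list` is the command to document for regeneration. The bullet `- `@img/sharp-libvips-*`**LGPL-3.0-or-later**.` is missing a separator between the package name and the licence (it reads as one token); and for an LGPL component the notice should also say where the corresponding library source and licence text can be obtained, not only that it is dynamically loaded. Finally, "73 transitive dependencies" is a snapshot that will drift; recording the date or commit the count was taken at would keep the file honest.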

deny.toml

Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
# cargo-deny configuration. Run `cargo deny check licenses`.
2+
# Outbound licence is MIT; only permissive inbound licences are allowed.
3+
4+
[licenses]
5+
allow = [
6+
"MIT",
7+
"Apache-2.0",
8+
"Unicode-3.0",
9+
"Unlicense",
10+
"Zlib",
11+
]
12+
confidence-threshold = 0.8
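Review bot: the allowlist includes `"Unlicense"` globally, whereas `THIRD_PARTY_NOTICES.md` states that for the `Unlicense OR MIT` crates MIT was selected; since cargo-deny accepts an SPDX `OR` expression when any alternative is allowed, `MIT` alone already covers those crates and dropping `"Unlicense"` keeps the policy consistent with the notice. The file also configures only `[licenses]`, so the advised `cargo deny check licenses` leaves RustSec advisories, duplicate-version bans and crate sources unchecked; adding `[advisories]`, `[bans]` and `[sources]` sections and running plain `cargo deny check` in CI would make the tool earn its place for supply-chain review, not just licence hygiene.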

rust/crates/truapi-codegen/Cargo.toml

Lines changed: 1 addition & 0 deletions
@@ -2,6 +2,7 @@
22
name = "truapi-codegen"
33
version = "0.1.0"
44
edition.workspace = true
5+
license.workspace = true
56
description = "TrUAPI code generator: rustdoc JSON to TS client + Rust glue"
67

78
[[bin]]

rust/crates/truapi-macros/Cargo.toml

Lines changed: 1 addition & 0 deletions
@@ -2,6 +2,7 @@
22
name = "truapi-macros"
33
version = "0.1.0"
44
edition.workspace = true
5+
license.workspace = true
56
description = "Proc-macros for TrUAPI trait annotations (wire ids)"
67

78
[lib]

rust/crates/truapi/Cargo.toml

Lines changed: 1 addition & 0 deletions
@@ -2,6 +2,7 @@
22
name = "truapi"
33
version = "0.3.0"
44
edition.workspace = true
5+
license.workspace = true
56
description = "TrUAPI trait and type definitions"
67

78
[dependencies]
