
fluid-server: dependency scans (#674) and inner tx signer-weight preflight (#686) #798

Merged: 0xVida merged 2 commits into Stellar-Fluid:main from josephchimebuka:feat/issues-674-686-dependency-scan-signer-weight on Jun 1, 2026

@josephchimebuka
Contributor

Summary

This PR implements two fluid-server hardening items:

Changes

CI / supply chain (#674)

  • .github/workflows/dependency-audit.yml – PR/push matrix (cargo-audit, npm-audit)
  • fluid-server/audit.toml – cargo-audit config stub for reviewed advisories
  • fluid-server/verification/dependency-scans-integration.txt – verification notes

Resilience (#686)

  • fluid-server/src/signer_weight.rs – weight calculation + validation
  • fluid-server/src/horizon.rs – fetch_account_auth
  • fluid-server/src/main.rs – preflight hook in process_fee_bump_request
  • fluid-server/src/mock_horizon.rs – per-account auth overrides for tests
  • fluid-server/tests/signer_weight_integration.rs – end-to-end /fee-bump checks
  • fluid-server/docs/inner-transaction-signer-weight-validation.md

Test plan

From fluid-server/:

# Signer-weight unit tests
cargo test signer_weight::tests -- --nocapture

# Signer-weight integration (mock Horizon + live server)
cargo test --test signer_weight_integration -- --nocapture

# Dependency scans (local)
cargo install cargo-audit --locked && cargo audit
cd wasm-demo && npm ci && npm audit --audit-level=high

Verified locally:

  • cargo test signer_weight::tests – 4 passed
  • cargo test --test signer_weight_integration – 1 passed (reject insufficient weight + accept sufficient weight)

Screenshots / terminal output

Reviewer verification files:

  • fluid-server/verification/dependency-scans-integration.txt
  • fluid-server/verification/inner-transaction-signer-weight.txt

Closes #674
Closes #686

Made with Cursor

josephchimebuka and others added 2 commits June 1, 2026 10:54
Add CI matrix workflow for cargo-audit and npm audit on fluid-server,
with JSON report artifacts and failure on high/critical advisories.

Closes Stellar-Fluid#674

Co-authored-by: Cursor <cursoragent@cursor.com>

Validate inner transaction signature weight against the source account
med_threshold via Horizon before fee-bumping, with unit and integration tests.

Closes Stellar-Fluid#686

Co-authored-by: Cursor <cursoragent@cursor.com>
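
The preflight named in the second commit message (inner transaction signature weight compared with the source account's med_threshold) is illustrated below. This is an added example, not the code in fluid-server/src/signer_weight.rs; the `AccountAuth` type, the function names, the sample keys and the two policies marked in comments are assumptions, and signatures are assumed to be cryptographically verified already.

```rust
use std::collections::{HashMap, HashSet};

// Hypothetical shape for the auth data an account lookup returns.
pub struct AccountAuth {
    pub signers: HashMap<String, u8>, // signer key -> weight
    pub med_threshold: u8,
}

#[derive(Debug, PartialEq)]
pub enum WeightError {
    UnknownSigner(String),
    Insufficient { have: u32, need: u32 },
}

// `verified` holds the signer keys whose signatures already verified
// cryptographically against the inner transaction hash.
pub fn check_med_threshold(auth: &AccountAuth, verified: &[&str]) -> Result<u32, WeightError> {
    let mut seen = HashSet::new();
    let mut have = 0u32;
    for key in verified {
        if !seen.insert(*key) {
            continue; // a key that signed twice still counts once
        }
        match auth.signers.get(*key) {
            Some(w) => have += u32::from(*w),
            // Example policy: reject a signature from a key the account does not list.
            None => return Err(WeightError::UnknownSigner((*key).to_string())),
        }
    }
    // Example policy: a threshold of 0 still needs one signer with non-zero weight.
    let need = u32::from(auth.med_threshold).max(1);
    if have >= need { Ok(have) } else { Err(WeightError::Insufficient { have, need }) }
}

// Constructed sample account: master weight 1, co-signer weight 2, med_threshold 3.
pub fn sample_account() -> AccountAuth {
    let signers = HashMap::from([
        ("G_MASTER_SAMPLE".to_string(), 1u8),
        ("G_COSIGNER_SAMPLE".to_string(), 2u8),
    ]);
    AccountAuth { signers, med_threshold: 3 }
}

fn main() {
    let acct = sample_account();
    println!("{:?}", check_med_threshold(&acct, &["G_MASTER_SAMPLE"]));
    println!("{:?}", check_med_threshold(&acct, &["G_MASTER_SAMPLE", "G_COSIGNER_SAMPLE"]));
}
```

Rejecting before the fee bump means the server does not pay fees for an inner transaction that would fail authorization on submission.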
@drips-wave

drips-wave Bot commented Jun 1, 2026

@josephchimebuka Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀


@0xVida 0xVida merged commit f52de92 into Stellar-Fluid:main Jun 1, 2026
8 of 14 checks passed