Skip to content

chore(infra): harden verifier runtime#9

Open
Canvinus wants to merge 4 commits into
mainfrom
chore/harden-runtime-build
Open

chore(infra): harden verifier runtime#9
Canvinus wants to merge 4 commits into
mainfrom
chore/harden-runtime-build

Conversation

@Canvinus

@Canvinus Canvinus commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

  • make the backend image deterministic and smaller with exact Node 24.17.0, Rust 1.96.1, Docker 29.6.1, and near-cli-rs 0.27.0 pins
  • build near-cli-rs in a separate stage and keep Rust, Cargo, npm, Buildx, Compose, and compiler tooling out of production
  • add Docker/API health checks, dependency-gated Compose startup, and configurable host-side IPFS ports
  • upgrade Kubo to 0.40.1 and nginx to 1.30.3 Alpine slim; replace APR1-MD5 htpasswd generation with SHA-512 crypt and restrictive file permissions
  • pin GitHub Actions by commit and add a production critical-advisory gate while keeping legacy CI limited to build and test

No API routes, payloads, frontend behavior, or contract verification selection logic changed.

Why

The previous image installed an unpinned latest near-cli-rs and a full Rust toolchain at runtime, and used older nginx/Kubo images. The old Compose health/startup checks could also mask IPFS failures and coupled host IPFS ports to container-network ports.

Validation

All builds and tests ran in a disposable amd64 Ubuntu VM, not on the host or production:

  • Docker Buildx check: no warnings
  • lint: passed
  • Jest: 9 suites and 44 tests passed
  • production dependency critical-advisory gate: passed
  • final image DIND/API/cleanup smoke: passed
  • full three-service Compose stack: all services healthy
  • public verifier API: HTTP 200
  • IPFS RPC: HTTP 401 without auth and HTTP 200 with auth
  • alternate host IPFS ports: passed
  • nginx htpasswd: SHA-512 crypt, root:nginx, mode 640
  • real read-only verification of sputnik-dao.near: reproduced BXd5idTXSnC7WRfxHmi7z4crw2F5WXQJ6MZUEv8DfnnY using the contract-pinned Rust 1.86 image

The runtime and Compose checks above were one-time pre-merge validation; ongoing CI intentionally remains limited to build and test for this legacy maintenance repository.

A checksum-verified Grype 0.112.0 scan drove the Node, Docker, nginx, and libcurl upgrades. The nginx candidate has no critical/high findings.

Known follow-ups

  • near-cli-rs 0.28.0 was published after this work began and adds broad nearcore 2.13 gas-key and post-quantum support. Keep the already verified 0.27.0 pin here; test 0.28.0 as a separate focused upgrade.
  • The unchanged npm lockfile still has 10 high production advisories, with no critical advisories. Patch/minor dependency updates should be a separate focused PR so lockfile churn and near-api-js's major migration remain reviewable.
  • Kubo 0.40.1 is the latest stable release and keeps repo format 18, but reachability-aware govulncheck still reports upstream Go/Kubo findings. Its API and gateway remain loopback-bound and the RPC is authenticated; update to the next stable Kubo release as a priority rather than using the 0.41 release candidate or an unreviewed custom build.
  • Grype flags gRPC metadata in containerd 2.2.5, but the advisory requires path-based gRPC authorization interceptors and containerd does not link the affected grpc/authz package.

Rollout

Ready for review. Keep this unmerged and undeployed until the diff and residual-risk notes are approved.

@Canvinus
Canvinus marked this pull request as ready for review July 11, 2026 19:54

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0db4ec19b6

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread nest/Dockerfile
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant