feat: Contract Security Audit, Deployment Rollback, Call Graph, SQLite DB (#329 #330 #331 #339) #429

Merged: Nanle-code merged 1 commit into Nanle-code:master from leojay-net:feature/issues-329-330-331-339 on Jun 29, 2026
Conversation

@leojay-net

Contributor

Summary

This PR implements four feature issues and fixes pre-existing compilation errors that prevented the project from building.

#329 D-13 — Contract Security Audit Integration

  • New command: starforge security audit [path] [--slither] [--mythril] [--format json|text] [--out file] [--min-score N]
  • Slither and Mythril subprocess integration (runs tools if installed)
  • Built-in static analysis via existing security checklist module
  • Security scoring 0–100 with severity-weighted penalties (critical ×30, high ×15, medium ×7.5, low ×2.5)
  • Remediation suggestions for each finding
  • CI-friendly --min-score exit-code gate

#330 D-14 — Deployment Rollback System

  • New subcommand group: starforge deployments history|rollback|verify|dashboard|approve
  • Deployment history persisted at ~/.starforge/deploy_history.json
  • rollback generates a ready-to-run stellar contract invoke … upgrade command with the exact wasm hash
  • verify checks on-chain wallet liveness and marks the record verified
  • dashboard shows per-network statistics with success rates
  • approve marks pending deployments as approved/successful

#331 D-15 — Cross-Contract Call Visualization

  • New command: starforge contract call-graph [path] [--format ascii|dot|json] [--out file] [--patterns]
  • Extracts invoke_contract!, Client::new, and ::Client patterns from Rust source
  • ASCII tree, Graphviz DOT, and JSON output modes
  • Pattern analysis: re-entrancy risk, deep call chains, missing auth checks, circular dependencies

#339 D-2 — SQLite Database Backend

  • New subcommand group: starforge config db init|migrate|query|backup|export|status|check
  • Uses rusqlite with the bundled feature — no system SQLite installation required
  • Schema: meta, wallets, networks, config_kv, plugins, templates tables with indices
  • migrate imports existing TOML config into SQLite; export writes SQLite back to TOML
  • query accepts SELECT-only SQL statements for safe ad-hoc inspection
  • backup copies the database file, check runs SQLite integrity check

Pre-existing compilation fixes

The project had a broken dependency (async-graphql = "0.12" does not exist on crates.io) that prevented any build. The following pre-existing bugs were also fixed as part of making the build succeed:

  • Removed non-existent async-graphql 0.12, async-graphql-actix-web, actix-web, actix-rt, and direct tokio deps from Cargo.toml
  • Fixed wasm-bindgen-test version (1.3 → 0.3)
  • Fixed ureq 2.x: removed invalid .ok() calls in registry.rs (ureq returns Err for HTTP errors)
  • Fixed self usage in static methods in test_automation.rs
  • Fixed use-of-moved TestStatus value in test_automation.rs
  • Fixed duplicate struct fields in test.rs
  • Fixed multisig_builder.rs import alias (multisig_builder as multisig) and p::step arity
  • Fixed colored::Colorize on &String (changed to .as_str()) in multisig_builder.rs and registry.rs
  • Made load_team, load_review, load_discussion pub in utils/social.rs
  • Added base64::Engine as _ import in registry.rs
  • Removed unused root parameter from collect_files in registry.rs
  • Added pub mod social to utils/mod.rs

Test plan

  • cargo fmt --all -- --check — passes
  • cargo build --locked — passes
  • cargo test --locked — 28 tests pass, 0 failures
  • cargo clippy --all-features --locked -- -D warnings — passes with 0 errors
  • starforge security audit --help — shows audit subcommand
  • starforge deployments --help — shows history/rollback/verify/dashboard/approve
  • starforge contract call-graph --help — shows call-graph subcommand
  • starforge config db --help — shows db subcommands

Closes #329
Closes #330
Closes #331
Closes #339
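The severity-weighted scoring and the `--min-score` exit-code gate described above, as an added Rust example. This is not starforge's code: the weights are the ones the PR summary quotes (critical ×30, high ×15, medium ×7.5, low ×2.5), while the type and function names (`Severity`, `Finding`, `security_score`, `gate_exit_code`) and the sample findings are constructed for the example.

```rust
// Added example (not starforge's code): severity-weighted security score and a
// --min-score CI gate using the weights quoted in the PR description
// (critical ×30, high ×15, medium ×7.5, low ×2.5). Names are hypothetical.
use std::process::ExitCode;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Severity {
    Critical,
    High,
    Medium,
    Low,
}

impl Severity {
    /// Points subtracted from the starting score of 100 for each finding.
    pub fn penalty(self) -> f64 {
        match self {
            Severity::Critical => 30.0,
            Severity::High => 15.0,
            Severity::Medium => 7.5,
            Severity::Low => 2.5,
        }
    }
}

#[derive(Debug, Clone)]
pub struct Finding {
    pub check: &'static str,
    pub severity: Severity,
    pub remediation: &'static str,
}

/// Start at 100, subtract every finding's penalty, and clamp to 0..=100 so a
/// contract with many criticals bottoms out at 0 instead of going negative.
pub fn security_score(findings: &[Finding]) -> f64 {
    let penalty: f64 = findings.iter().map(|f| f.severity.penalty()).sum();
    (100.0 - penalty).clamp(0.0, 100.0)
}

/// Exit status for a `--min-score N` gate: 0 when the score meets N, 1 otherwise.
pub fn gate_exit_code(findings: &[Finding], min_score: f64) -> u8 {
    if security_score(findings) >= min_score { 0 } else { 1 }
}

/// Constructed findings standing in for what a checklist pass would report.
pub fn sample_findings() -> Vec<Finding> {
    vec![
        Finding {
            check: "admin function does not require auth",
            severity: Severity::Critical,
            remediation: "call require_auth on the admin address before mutating state",
        },
        Finding {
            check: "unchecked arithmetic",
            severity: Severity::Low,
            remediation: "use checked_add / checked_sub",
        },
        Finding {
            check: "state change emits no event",
            severity: Severity::Low,
            remediation: "publish an event so off-chain monitors can follow the change",
        },
    ]
}

fn main() -> ExitCode {
    let findings = sample_findings();
    for f in &findings {
        println!("[{:?}] {} -> {}", f.severity, f.check, f.remediation);
    }
    let score = security_score(&findings);
    println!("security score: {score:.1}/100");
    // With --min-score 70 this run fails the gate (65.0 < 70), which is what
    // lets a CI job stop a pipeline on a low score.
    ExitCode::from(gate_exit_code(&findings, 70.0))
}
```

Clamping matters for the gate: without it, a score can go negative and a `--min-score 0` check that was meant to mean "anything passes" would start failing.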

…Nanle-code#339 with pre-existing bug fixes

Add four major features and fix pre-existing compilation errors that
prevented the project from building (broken async-graphql dependency).

## New features

### Nanle-code#329 D-13: Contract Security Audit Integration
- `starforge security audit` command with Slither/Mythril integration
- Built-in static analysis via existing checklist module
- Security scoring (0-100) with penalty weights per severity level
- Remediation suggestions and JSON/text output formats
- CI-friendly `--min-score` threshold flag

### Nanle-code#330 D-14: Deployment Rollback System
- `starforge deployments history/rollback/verify/dashboard/approve`
- JSON deployment history at ~/.starforge/deploy_history.json
- Generates stellar CLI rollback commands with wasm hash
- On-chain wallet verification and per-network dashboard stats
- Approval workflow for pending deployments

### Nanle-code#331 D-15: Cross-Contract Call Visualization
- `starforge contract call-graph` command
- Extracts invoke_contract!, Client::new, and ::Client patterns
- ASCII tree, Graphviz DOT, and JSON output formats
- Pattern detection: re-entrancy risk, deep chains, missing auth

### Nanle-code#339 D-2: SQLite Database Backend
- `starforge config db init/migrate/query/backup/export/status/check`
- rusqlite with bundled feature (no system sqlite required)
- Schema: meta, wallets, networks, config_kv, plugins, templates
- TOML import/export for backwards compatibility
- SELECT-only query interface for safe CLI access

## Bug fixes (pre-existing)
- Remove non-existent async-graphql 0.12 / actix-web / tokio deps
- Fix wasm-bindgen-test version (1.3 -> 0.3)
- Fix ureq 2.x resp.ok() usage in registry.rs
- Fix self usage in static methods in test_automation.rs
- Fix use-of-moved-value for TestStatus in test_automation.rs
- Fix duplicate struct fields in test.rs
- Fix multisig_builder.rs import alias and p::step arity
- Fix colored::Colorize on &String (need .as_str())
- Fix social module visibility (load_team, load_review, load_discussion)
- Fix base64::Engine trait not in scope in registry.rs
- Fix collect_files unused root parameter in registry.rs

Closes Nanle-code#329, Nanle-code#330, Nanle-code#331, Nanle-code#339
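The call-graph extraction and pattern analysis from #331 (collecting `<callee>::Client` and `<callee>::Client::new` references from contract source, then flagging circular dependencies and deep call chains), as an added Rust example. This is not starforge's implementation: the contract names and source fragments are constructed, the extraction is a heuristic string scan rather than a Rust parser, and `invoke_contract!` is not handled.

```rust
// Added example (not starforge's code): extract `<callee>::Client` references
// from contract source, build a call graph, then flag circular dependencies
// and deep call chains. Contract names and sources below are constructed.
use std::collections::{BTreeMap, BTreeSet};

/// caller contract name -> callee module names referenced in its source
pub type CallGraph = BTreeMap<String, BTreeSet<String>>;

/// Find every `<ident>::Client` (which also covers `<ident>::Client::new`)
/// by scanning for the marker and reading the path segment before it.
/// Heuristic string scan, not a Rust parser; `invoke_contract!` is not handled.
pub fn extract_callees(source: &str) -> BTreeSet<String> {
    const MARKER: &str = "::Client";
    let mut callees = BTreeSet::new();
    let mut rest = source;
    while let Some(pos) = rest.find(MARKER) {
        // Walk backwards over identifier characters to recover the module name.
        let reversed: String = rest[..pos]
            .chars()
            .rev()
            .take_while(|c| c.is_ascii_alphanumeric() || *c == '_')
            .collect();
        let ident: String = reversed.chars().rev().collect();
        if !ident.is_empty() && !matches!(ident.as_str(), "Self" | "self" | "crate" | "super") {
            callees.insert(ident);
        }
        rest = &rest[pos + MARKER.len()..];
    }
    callees
}

pub fn build_graph(sources: &[(&str, &str)]) -> CallGraph {
    sources
        .iter()
        .map(|(name, src)| (name.to_string(), extract_callees(src)))
        .collect()
}

/// First circular dependency found, as a path that starts and ends on the same
/// contract, or None. Depth-first search that tracks the current call stack.
pub fn find_cycle(graph: &CallGraph) -> Option<Vec<String>> {
    fn visit(node: &str, graph: &CallGraph, stack: &mut Vec<String>, done: &mut BTreeSet<String>) -> Option<Vec<String>> {
        if let Some(i) = stack.iter().position(|n| n == node) {
            let mut cycle = stack[i..].to_vec();
            cycle.push(node.to_string());
            return Some(cycle);
        }
        if done.contains(node) {
            return None;
        }
        stack.push(node.to_string());
        for callee in graph.get(node).into_iter().flatten() {
            if let Some(cycle) = visit(callee, graph, stack, done) {
                return Some(cycle);
            }
        }
        stack.pop();
        done.insert(node.to_string());
        None
    }
    let mut done = BTreeSet::new();
    graph.keys().find_map(|n| visit(n, graph, &mut Vec::new(), &mut done))
}

/// Longest chain of calls (in edges) reachable from `root`, never re-entering a
/// contract already on the current path, so a cycle cannot loop forever.
pub fn max_depth(graph: &CallGraph, root: &str) -> usize {
    fn walk(node: &str, graph: &CallGraph, path: &mut Vec<String>) -> usize {
        path.push(node.to_string());
        let mut best = 0;
        for callee in graph.get(node).into_iter().flatten() {
            if !path.iter().any(|p| p == callee) {
                best = best.max(1 + walk(callee, graph, path));
            }
        }
        path.pop();
        best
    }
    walk(root, graph, &mut Vec::new())
}

/// Constructed contract sources: fragments of what a contract body might hold.
pub fn sample_sources() -> Vec<(&'static str, &'static str)> {
    vec![
        ("vault", "let t = token::Client::new(&env, &token_id); t.transfer(&from, &to, &amt);\nlet o = oracle::Client::new(&env, &oracle_id); o.price(&asset);"),
        ("oracle", "let r = registry::Client::new(&env, &registry_id); r.lookup(&asset);"),
        ("registry", "let v = vault::Client::new(&env, &vault_id); v.total_supply();"),
        ("token", "env.storage().instance().set(&DataKey::Balance(to), &amt);"),
    ]
}

fn main() {
    let graph = build_graph(&sample_sources());
    match find_cycle(&graph) {
        Some(cycle) => println!("circular dependency: {}", cycle.join(" -> ")),
        None => println!("no circular dependencies"),
    }
    println!("deepest chain from vault: {} calls", max_depth(&graph, "vault"));
}
```

The cycle vault → oracle → registry → vault is the shape a re-entrancy or deep-chain finding is looking for: a contract whose callee can, transitively, call back into it before the first call has finished.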
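The "SELECT-only" restriction that #339 describes for `starforge config db query` says what is accepted but not how the check is done. As an added Rust example, not starforge's code, here is a naive first-keyword check beside a stricter single-statement gate; the function names are hypothetical and the sample statements are constructed.

```rust
// Added example (not starforge's code): a "SELECT-only" gate for an ad-hoc
// `db query` command, showing a naive prefix check beside a stricter one.
// Function names are hypothetical.

/// Naive gate: looks only at the first keyword, so "SELECT 1; DELETE ..."
/// would pass if the driver were ever allowed to execute a batch.
pub fn naive_select_only(sql: &str) -> bool {
    sql.trim_start().to_ascii_uppercase().starts_with("SELECT")
}

/// Stricter gate: exactly one statement, starting with SELECT, no comments.
/// Returns the statement to run, or the reason it was refused.
pub fn select_only(sql: &str) -> Result<&str, &'static str> {
    let trimmed = sql.trim();
    if trimmed.is_empty() {
        return Err("empty statement");
    }
    // A comment can hide text from a keyword check; refuse rather than parse it.
    if trimmed.contains("--") || trimmed.contains("/*") {
        return Err("comments are not allowed");
    }
    // One optional trailing semicolon is fine; anything after it is not.
    let body = trimmed.strip_suffix(';').unwrap_or(trimmed).trim_end();
    // A ';' outside a single-quoted literal means a second statement.
    // ('' inside a literal toggles twice, so escaped quotes are handled.
    // A ';' inside a double-quoted identifier is refused too: safe direction.)
    let mut in_literal = false;
    for c in body.chars() {
        match c {
            '\'' => in_literal = !in_literal,
            ';' if !in_literal => return Err("multiple statements are not allowed"),
            _ => {}
        }
    }
    if in_literal {
        return Err("unterminated string literal");
    }
    // SQLite lets a WITH clause prefix DELETE/INSERT/UPDATE, so CTEs are
    // refused here as well; only a bare SELECT is accepted.
    let first = body.split_whitespace().next().unwrap_or("").to_ascii_uppercase();
    if first == "SELECT" {
        Ok(body)
    } else {
        Err("only SELECT statements are accepted")
    }
}

fn main() {
    for sql in [
        "SELECT name, network FROM wallets;",
        "select * from wallets where name = 'a;b'",
        "SELECT 1; DELETE FROM wallets",
        "WITH t AS (SELECT 1) DELETE FROM wallets",
        "SELECT 1 -- trailing comment",
    ] {
        println!("naive={:<5} strict={:?}  {sql}", naive_select_only(sql), select_only(sql));
    }
}
```

A text gate like this is a front-door filter, not the final authority. The backstop belongs at the driver: prepare the statement and ask SQLite whether it is read-only (`sqlite3_stmt_readonly`, exposed by rusqlite as `Statement::readonly()`), and rely on `prepare` refusing input that contains more than one statement. Opening the database read-only for the `query` subcommand removes the remaining risk that a SELECT with side effects could write anything.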

drips-wave Bot commented Jun 29, 2026


@leojay-net Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀


@Nanle-code Nanle-code merged commit 0fea2ca into Nanle-code:master Jun 29, 2026
3 of 5 checks passed