Harden scan/repair pipelines with chain-aware validation, traversal defenses, and security-focused test coverage

[Copilot]

PR #16 removed major backdoors but still had gaps in chain/address validation, path-handling hardening, and explicit security regression coverage. This update closes those gaps and aligns scan/repair behavior with production-grade security expectations for automated auditing workflows.

• Address validation and chain support

  • Introduced chain-agnostic validation driven by config/chains.json.
  • Added explicit support for Avalanche C-Chain, Arbitrum One, and Optimism (including chain IDs and EVM checksum-aware validation).
  • Enforced strict failure paths for malformed addresses and unsupported chain inputs.

• Path traversal hardening in scan/repair flows

  • Reworked file-path validation to canonical checks (normalize + resolve + realpath) with strict base-path allowlisting.
  • Blocked ../ escapes, normalized traversal tricks, and symlink-based escape attempts in CLI file inputs.

• CLI security hardening and operational robustness

  • Hardened argument parsing and error handling in script/scan.js and script/repair.js.
  • Added structured JSON logging with severity levels for auditability.
  • Added graceful shutdown handling (SIGTERM/SIGINT) and a --verify self-check mode for scanner integrity checks.

• Security utilities and deterministic behavior

  • Added reusable utilities for:
    • fixed-window rate limiting,
    • conversation history capping,
    • exponential backoff with jitter and timeout bounds,
    • chain/address validation,
    • secure path handling,
    • structured logging.

• Documentation and threat-model alignment

  • Updated README with supported chains, chain extension guidance, rate-limit/environment configuration, and core security assumptions.

// chain-aware address validation (EVM + Solana)
const {
  getSupportedChains,
  validateAddressForChain
} = require('./script/utils/chainValidation');

const chains = getSupportedChains();
const addr = validateAddressForChain(
  '0x742d35Cc6634C0532925a3b844Bc454e4438f44e',
  'arbitrum',
  chains
);

[github-actions]

🔍 PR Security Audit

Scan Time: 2026-06-06T16:36:10.468Z
Files Changed: 13

✅ No security issues detected

📁 Changed Files

• script/repair.js
• script/scan.js
• script/utils/chainValidation.js
• script/utils/conversationHistoryCap.js
• script/utils/logger.js
• script/utils/pathSecurity.js
• script/utils/rateLimit.js
• script/utils/retry.js
• test/chainValidation.test.js
• test/integration.test.js
• test/pathSecurity.test.js
• test/rateLimit.test.js
• test/retryAndHistory.test.js

---

View Run | SmartContractAudit PR Audit

[SolanaRemix]

@copilot Thanks for your hard work on this PR! 🙏 I really like the focus on eliminating gaps in chain/address validation, path-handling, and security coverage. This aligns well with moving our scanning/repair pipelines toward production-grade security expectations.

✅ Address Validation and Chain Support

· Great to see chain-agnostic validation led by config/chains.json, including explicit support for Avalanche C-Chain, Arbitrum One, and Optimism.
· Enforcing strict failure paths for malformed addresses and unsupported chain inputs is a welcome improvement.

✅ Path Traversal Hardening

· The rework of file‑path validation to canonical checks (normalize + resolve + realpath) with strict base‑path allowlisting is a strong defense against ../ and symlink‑based escapes.
· Blocking traversal tricks in CLI file inputs effectively closes a common vector.

✅ CLI and Operational Robustness

· Hardened argument parsing and error handling in script/scan.js and script/repair.js will reduce surprising CLI failures.
· Adding structured JSON logging with severity levels and graceful shutdown (SIGTERM/SIGINT) makes the pipeline more observable and reliable.
· The --verify self‑check mode for scanner integrity is a nice feature for automated health checks.

✅ Security Utilities

· The reusable set of utilities (fixed‑window rate limiting, conversation history capping, exponential backoff with jitter, chain/address validation, secure path handling, structured logging) promotes consistency and reuse across the codebase.

✅ Documentation and Threat Modeling

· The updated README that explains supported chains, chain extension guidance, rate‑limit/environment configuration, and core security assumptions is clear and useful for both users and future maintainers.
· The PR’s own description of closing gaps after the removal of backdoors is transparent and builds trust.

---

Overall, this is a solid, well‑structured security upgrade. 👍

Before merging, please double‑check:

· Are there any remaining hard‑coded paths or un‑validated file inputs outside of the CLI that might still be vulnerable to path traversal?
· Did you test the new chain validation logic with both valid and invalid addresses for each newly added chain? (EVM checksum support looks correct, but a quick manual test on each chain is always good.)
· Are the new security utilities fully covered by unit tests, especially edge cases for rate limiting, backoff, and conversation capping?
· The PR is still in Draft mode – when you are ready, please convert it to “Ready for review” and notify the team for final approval and merge.

Looking forward to seeing this merged. 🚀

---

Feel free to adjust the tone or add any specific technical points you'd like to highlight.

[Copilot]

Pull request overview

This PR strengthens the CLI scan/repair surface by adding chain-aware address validation, safer path handling utilities, structured JSON logging, and a new Node.js test suite to regression-test key security behaviors.

Changes:

• Added reusable security utilities (chain/address validation, canonical path allowlisting, JSON logger, retry/backoff, fixed-window rate limiting, history capping).
• Hardened script/scan.js and script/repair.js to use the new validation/path defenses and emit structured logs.
• Introduced a security-focused Node test suite and updated package.json/CI install behavior accordingly.

Reviewed changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
test/retryAndHistory.test.js	Tests for conversation history capping and retry/backoff behavior.
test/rateLimit.test.js	Tests fixed-window rate limiting and proxy keying behavior.
test/pathSecurity.test.js	Tests canonical path allowlisting and traversal/symlink escape defenses.
test/integration.test.js	High-level scan→repair flow and key security regression checks.
test/chainValidation.test.js	Tests new chain metadata support and address validation failures.
script/utils/retry.js	Adds exponential backoff with jitter utility.
script/utils/rateLimit.js	Adds fixed-window in-memory rate limiter + request key helper.
script/utils/pathSecurity.js	Adds canonical path allowlisting (normalize/resolve/realpath).
script/utils/logger.js	Adds structured JSON logger with severity routing.
script/utils/conversationHistoryCap.js	Adds utility to cap conversation history length.
script/utils/chainValidation.js	Adds chain-driven address validation using config/chains.json.
script/scan.js	Updates scanner CLI to use chain/path validation, JSON logging, shutdown handling, and --verify.
script/repair.js	Updates repair CLI to use path validation and structured logging.
README.md	Documents --verify, supported chains, and threat-model assumptions.
package.json	Adds Node test runner, pins deps, and updates audit script/dependency versions.
.github/workflows/pr-audit.yml	Makes dependency install resilient when no npm lockfile exists.
.eslintrc.cjs	Adds minimal ESLint configuration for Node/ES2022.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.