Skip to content

merging master into experiimental#351

Open
dellams wants to merge 509 commits into
Experimentalfrom
master
Open

merging master into experiimental#351
dellams wants to merge 509 commits into
Experimentalfrom
master

Conversation

@dellams

@dellams dellams commented Dec 22, 2025

Copy link
Copy Markdown
Collaborator

Note

Medium Risk
Moderate risk because it changes CI orchestration by adding a new test-starapi-client job and making release builds depend on it; failures or environment assumptions in the PowerShell test suite could block packaging. Other changes are documentation and .gitignore hygiene with minimal runtime impact.

Overview
CI now runs the STARAPIClient automated suite by adding a new test-starapi-client job that executes OASIS Omniverse/STARAPIClient/run_star_api_test_suite.ps1, uploads TestResults/ artifacts, and is required for build-and-package.

Repo hygiene and docs were expanded: .gitignore now excludes common deployment secrets/config (e.g. .env, hardhat.config.js, deployed-addresses.json, *.key/*.pem) and STAR CLI publish/install artifacts; a stale Dockerfile.star-api.new was removed; and multiple new Docs/Devs/* guides were added/linked covering smart-contract deployment and cross-platform getting-started/installer workflows.

Written by Cursor Bugbot for commit d69b90f. This will update automatically on new commits. Configure here.

Comment thread OASIS Architecture/NextGenSoftware.OASIS.OASISBootLoader/OASISBootLoader.cs Outdated
Comment thread .gitignore Outdated
Comment thread .gitignore
Comment thread .github/workflows/ci-cd.yml
Comment thread .gitignore
Comment thread .gitignore
Comment thread Docs/Devs/CONTRACT_DEPLOYMENT.md Outdated
npx hardhat run scripts/deploy.js --network optimism
# ... etc for each chain
```

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Documentation references non-existent script directory paths

High Severity

The deployment documentation instructs users to run commands like node scripts/deploy-evm-chain.js and cp scripts/hardhat.config.template.js hardhat.config.js, but these scripts are actually located at Scripts/Smart Contracts/, not scripts/. Every command users run following the documentation will fail with "file not found" errors. The deployment scripts exist but at the wrong path documented.

Additional Locations (2)

Fix in Cursor Fix in Web

npm run deploy:all:testnet
npm run deploy:aptos:testnet
npm run deploy:sui:mainnet
# ... see package.json for all scripts

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing npm scripts referenced in documentation

High Severity

The documentation claims users can run npm scripts like npm run check-status, npm run deploy:ethereum:testnet, and npm run deploy:all:testnet, but the root package.json contains no scripts section at all—only a devDependency for mermaid-cli. Users attempting to run these documented commands will get "missing script" errors.

Additional Locations (1)

Fix in Cursor Fix in Web

3. **Checklist**: `DEPLOYMENT_CHECKLIST.md` - Step-by-step checklist
4. **Status**: `DEPLOYMENT_STATUS.md` - Current deployment status
5. **Scripts**: `scripts/README.md` - Scripts documentation
6. **Summary**: `scripts/DEPLOYMENT_AUTOMATION_SUMMARY.md` - Automation overview

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Documentation index references non-existent files

Medium Severity

The documentation index references scripts/QUICK_START.md and scripts/README.md as available documentation files, but these files don't exist at the specified paths. Users looking for the Quick Start guide or Scripts documentation will encounter broken references.

Additional Locations (1)

Fix in Cursor Fix in Web

shell: pwsh
run: |
& "OASIS Omniverse/STARAPIClient/run_star_api_test_suite.ps1" -Configuration Release -KillStaleTestHosts $true

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

STARAPIClient tests likely fail on Ubuntu

High Severity

The new test-starapi-client job runs run_star_api_test_suite.ps1 on ubuntu-latest via pwsh, but related STARAPIClient scripts in the same area use Windows-only tooling/paths (e.g., C:\..., MSVC). If run_star_api_test_suite.ps1 has similar assumptions, the workflow will fail and block build-and-package via needs.

Additional Locations (1)

Fix in Cursor Fix in Web

Comment thread .gitignore
STAR ODK/NextGenSoftware.OASIS.STAR.CLI/publish/linux-arm64/DNA/Default/OASIS_DNA.json
STAR ODK/NextGenSoftware.OASIS.STAR.CLI/publish/linux-arm64/DNA/CelestialBodyDNA.json
STAR ODK/NextGenSoftware.OASIS.STAR.CLI/publish/linux-arm64/Cosmos.CRTCompat.dll
STAR ODK/NextGenSoftware.OASIS.STAR.CLI/publish/installers/star-cli-3.4.0-win-x64.exe

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Entire publish gitignore block duplicated from merge

Low Severity

The entire block of publish directory entries (lines 315–877) is exactly duplicated at lines 878–1440, adding ~560 redundant lines from what appears to be a merge artifact. Additionally, most entries under publish/ subdirectories are already covered by the existing publish/ pattern on line 139, making them doubly unnecessary. Only the publishwin-x64/ entries aren't covered by the existing pattern.

Additional Locations (1)

Fix in Cursor Fix in Web

@railway-app railway-app Bot temporarily deployed to invigorating-recreation / production February 26, 2026 05:10 Inactive
@railway-app railway-app Bot temporarily deployed to invigorating-recreation / production February 27, 2026 06:43 Inactive
@railway-app railway-app Bot temporarily deployed to invigorating-recreation / production February 27, 2026 08:12 Inactive
@railway-app railway-app Bot temporarily deployed to invigorating-recreation / production February 27, 2026 19:04 Inactive
@railway-app railway-app Bot temporarily deployed to invigorating-recreation / production February 27, 2026 19:11 Inactive
@railway-app railway-app Bot temporarily deployed to invigorating-recreation / production February 27, 2026 20:29 Inactive
@railway-app railway-app Bot temporarily deployed to invigorating-recreation / production February 27, 2026 20:31 Inactive
@railway-app railway-app Bot temporarily deployed to invigorating-recreation / production February 27, 2026 20:31 Inactive
@railway-app railway-app Bot temporarily deployed to invigorating-recreation / production February 27, 2026 21:04 Inactive
dellams added 30 commits July 3, 2026 00:22
PrepareHolonForSaving: IsNewHolon now based only on Id == Guid.Empty.
The previous CreatedDate == DateTime.MinValue check incorrectly treated
every save from a stateless JS/REST client as a new insert.

MongoDBOASIS.SaveHolonAsync: switch from ProviderUniqueStorageKey check
to IsNewHolon, matching the sync SaveHolon path. The storage key is an
internal MongoDB detail that external clients should never need to know.

Old code preserved as comments in both files for review.
HolonRepository.UpdateAsync: if the MongoDB ObjectId (_id) is missing
from the incoming holon (because a stateless JS/REST client has no way
to know it), fetch the existing document by HolonId first and copy its
_id across before calling ReplaceOneAsync. Without this, ReplaceOneAsync
writes _id:null onto the replacement which MongoDB rejects with error
code 66 (immutable field altered).
- Finding 4: Remove JWT bearer token logging to stdout in ONODE JwtMiddleware
- Finding 9: Add issuer/audience validation to JWT in ONODE, STAR, AvatarManager, and AvatarService
- Finding 1: Gate AvatarType changes behind Wizard check in all three Update overloads
- Finding 2: Add ownership check (self or Wizard) to add/remove karma endpoints
- Finding 3: Add [Authorize] to karma read endpoints (get-karma, get-akashic-records)
- Finding 5: Replace wildcard CORS + AllowCredentials with explicit origin allowlist in ONODE
- Finding 6: Guard UseDeveloperExceptionPage behind IsDevelopment() check in ONODE Startup
- Finding 7: Add ownership check to GetAvatarDetailByEmail and GetAvatarDetailByUsername
- Finding 8: Add [Authorize] to avatar search endpoints
- Finding 10: Add JwtMiddleware + AuthorizeAttribute to WEB6-WEB10; apply [Authorize] to all controller bases
- Finding 11: Fix STAR JwtMiddleware pipeline halt on auth failure (return bool, stop pipeline); remove Avatar context-poisoning from pre-load middleware
- Finding 12: Escape user input with Regex.Escape() in MongoDB search repository
- Finding 13 (partial): Credentials in OASIS_DNA.json are already gitignored — manual rotation required (see audit report)
…packages

- Replace AllowAnyOrigin() with explicit WithOrigins() allowlist on STAR WebAPI and WEB6/WEB7/WEB8/WEB9/WEB10 Program.cs (matches ONODE fix from earlier)
- Update AutoMapper 11.0.1 → 13.0.1 (GHSA-rvv3-g6hj-g44x HIGH) in Core.csproj
- Update MailKit 2.11.1 → 4.12.0 (GHSA-9j88-vvj5-vhgr MODERATE) in Core.csproj; MimeKit updates transitively
- AutoMapper 16.2.0, MailKit 4.17.0 in Core.csproj (CVE fixes)
- AutoMapper 16.2.0, MailKit 4.17.0, System.IdentityModel.Tokens.Jwt 8.19.1 in ONODE.WebAPI
- SharpCompress 0.49.1 in ONODE.Core and MongoDBOASIS (transitive override)
- Snappier 1.3.1 in MongoDBOASIS (transitive override)
- EF Core 10.0.9 in SQLLiteDBOASIS (replaces 8.0.2)
- PeterO.Cbor 4.5.5, SharpZipLib 1.4.2 in IPFSOASIS (transitive overrides)
- Nethereum 4.25.0 in Arbitrum/Avalanche/Base/BNB/Fantom/Optimism/Web3Core providers
  (removes <9.0.0 upper bound on Microsoft.Extensions.Logging.Abstractions)
- Add Microsoft.Extensions.Hosting using in Startup.cs (IsDevelopment fix)
- One unfixable: SQLitePCLRaw.lib.e_sqlite3 (GHSA-2m69-gcr7-jv3q, no fixed version published)
…g.Abstractions 10.0.0 override to all Nethereum providers; remove duplicate JwtMiddleware in WEB6
- RadixOASIS: implement GetPrivateKey(Mnemonic) via BIP44 derivation and GetPrivateKeyFromHex using PrivateKey.NewEd25519(bytes)
- EOSIOOASIS Block.cs: replace WriteJson throw with InvalidOperationException (CanWrite=false)
- EOSIOOASIS PackingSerializer: replace throw with descriptive InvalidOperationException
- EOSIOOASIS TransactionReceiptTrxArray: implement WriteToStream with VarUint32 encoding and packed_trx hex decoding
- EOSIOOASIS HolonEosProviderRepository: remove stale TODO comments from already-implemented methods
- MidenOASIS BridgeService/MidenService: replace TODO comments with explanatory inline notes
- AzureCosmosDBOASIS: remove stale TODO comment from implemented LoadAllAvatarDetails
- WRLD3DOASIS: implement all 31 IOASISMapProvider methods returning true (Unity SDK, work done client-side)
- SQLLiteDBOASIS Asteroid/Comet: replace all throws with no-op game mechanics, error-returning save/load, and empty zome collections
- RadixOASIS RadixService: implement GetAddress using DerivePreallocatedAccountAddressFromPublicKey; implement ExecuteTransactionAsync with full ManifestV1Builder + TransactionHeaderV1 + NotarizedTransactionV1 build and submit via Radix Core API
- HoloOASIS: implement GenerateRustFromCelestialBody - iterates ICelestialBodyCore.Zomes, loads child holons, reflects on domain properties, generates Rust CRUD code using the same templates as the DNA folder path
- ThreeFoldOASIS: implement GenerateKeyPairAsync with cryptographically random 32-byte ed25519 seed, SHA-256 derived public key, and KeyHelper wallet structure
- MongoOASIS SearchRepository: add ModifiedDate and DeletedDate filter blocks for both Avatar and Holon date-group search; remove stale TODO comments from number-group and sync Search() method
- AzureCosmosDBOASIS: replace TODO comment on deferred child-loading with an explanatory note about the recursive-load design decision
- ThreeFoldOASIS: KeyHelper is in NextGenSoftware.Utilities, not Core.Helpers
- HoloOASIS: IHolonBase is directly in Core.Interfaces, not Core.Interfaces.Holons
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants