feat: transient storage, PII encryption, k6 load testing, webhook signatures #486
Open
shaaibu7 wants to merge 4 commits into
Conversation
…e & proration

Move short-lived contract state out of persistent/instance storage into auto-expiring transient (temporary) storage for gas optimization:

- charge_subscription: add a transient TmpChargeNonce guard (1-ledger TTL) that prevents a duplicate charge within the same ledger close
- request_transfer/accept_transfer: pending transfer offers now use TmpPendingTransfer transient storage with a 7-day TTL instead of instance storage, so unaccepted offers auto-expire and stop accruing rent
- preview_proration: cache the previewed prorated amount in TmpProrationScratch (TTL = one billing interval) as intermediate state
- types: append TmpPendingTransfer storage key (version 7)
- document storage-type selection criteria, access-pattern analysis, data-consistency rules and gas benchmarking in contracts/subscription/STORAGE.md
Add a new subtrackr-security Soroban contract plus a matching client service that encrypt subscriber PII, with interoperable ciphertext formats.

Contract (contracts/security):
- hash-CTR stream cipher (SHA-256 keystream) with encrypt-and-MAC integrity, since Soroban exposes no native symmetric cipher
- encrypt_data / decrypt_data with self-describing EncryptedData envelope (key version + per-record nonce + MAC)
- versioned keys with rotate_key: old versions retained for decrypting historical records, deactivated for new encryptions
- access-control list (grant_access/revoke_access/is_authorized) gating both encryption and decryption; admin implicitly authorized
- export_encrypted re-encrypts records under the current key for data export
- registered in the contracts workspace

Client (app/services/encryptionService.ts):
- mirrors the contract algorithm (pure-JS SHA-256) so formats interoperate
- PII_FIELDS registry, record-level encrypt/decrypt helpers
- versioned key store (AsyncStorage) with rotation, pluggable AccessController
- exportEncrypted for GDPR data export

Docs: contracts/security/README.md covering algorithm, key management, rotation, access control and edge cases (key loss, performance).
… CI matrix
Build out automated load testing on top of the existing k6 scenarios:
- Per-endpoint custom metrics (endpoint_latency/errors/requests, tagged) so
reports attribute latency and errors to a specific operation
- Report generation (utils/summary.js handleSummary): writes
reports/summary.{json,md,html} plus a stdout summary with a slowest-first
per-endpoint breakdown for bottleneck identification
- Performance baseline (baseline.json) + comparison (utils/baseline.js) that
flags metrics exceeding baseline beyond a tolerance, embedded in the report
- Per-endpoint latency + error thresholds in config/options.js (CI gate)
- contract load scenario wired into run.js (execute_payment + charge_subscription)
- CI load-test job runs a scenario matrix (subscription/billing/contract),
fails on threshold breach, and uploads the report as an artifact
- npm scripts per scenario; SCALABILITY.md bottleneck guide; load-tests/README.md
- gitignore generated reports but keep the directory
The webhook contract module, RN management UI (src/screens/WebhookSettingsScreen, wired into AppNavigator) and store (src/store/webhookStore) already exist; the one unmet acceptance criterion was signature verification for security, which was stubbed as a hardcoded 'sample-signature'.

- add src/utils/webhookSignature.ts: pure-JS HMAC-SHA256 signing/verification (sha256=<hex> convention, à la Stripe/GitHub), constant-time verify, payload serialization, and secret generation
- sign each delivery payload with the webhook secret in sendTestEvent instead of the placeholder signature
- auto-generate a signing secret at registration when none is supplied, so every webhook's deliveries are verifiable

Note: the issue listed app/stores/webhookStore.ts and app/screens/WebhookSettingsScreen.tsx, but the feature is already implemented under src/; enhanced the existing wired implementation rather than adding unwired duplicates.
@shaaibu7 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀
Summary
Implements four issues across the Soroban contracts, the React Native app, and CI tooling.
Closes #174
Closes #436
Closes #192
Closes #177
1. Transient storage refactor (gas optimization)
Moves short-lived contract state out of persistent/instance storage into auto-expiring transient (temporary) storage:
- `charge_subscription`: transient `TmpChargeNonce` guard (1-ledger TTL) preventing a duplicate charge within the same ledger close (charge state machine state).
- `request_transfer`/`accept_transfer`: pending transfer offers now use `TmpPendingTransfer` (7-day TTL) instead of instance storage, so unaccepted offers auto-expire and stop accruing rent (pending operations + temporary authorization).
- `preview_proration`: previewed amount cached in `TmpProrationScratch` (intermediate calculation).
- `contracts/subscription/STORAGE.md` documenting storage-type selection criteria, access-pattern analysis, data-consistency rules and gas benchmarking.

2. PII encryption at rest (GDPR)

- `contracts/security` Soroban contract: hash-CTR stream cipher (SHA-256 keystream) with encrypt-and-MAC integrity, `encrypt_data`/`decrypt_data`, versioned keys with `rotate_key` (old versions retained for decryption), access-control list, and `export_encrypted` for data export.
- `app/services/encryptionService.ts` mirroring the contract algorithm (pure-JS SHA-256), with a PII field registry, record-level encrypt/decrypt, versioned key store, rotation, and a pluggable access controller.
- `contracts/security/README.md` covering algorithm, key management, rotation, access control and edge cases (key loss, performance).

3. k6 load testing

- `reports/summary.{json,md,html}` + stdout) with a slowest-first per-endpoint breakdown.
- `baseline.json`) + regression comparison embedded in the report.
- `config/options.js` (CI gate).
- `load-test` job now runs a scenario matrix (subscription/billing/contract), fails on threshold breach, and uploads the report as an artifact.
- `SCALABILITY.md` bottleneck guide and `load-tests/README.md`.

4. Webhook delivery signatures

The webhook contract module, store (`src/store/webhookStore.ts`) and management UI (`src/screens/WebhookSettingsScreen.tsx`, wired into `AppNavigator`) already existed; the unmet criterion was signature verification, which was a hardcoded `'sample-signature'`.

- `src/utils/webhookSignature.ts`: pure-JS HMAC-SHA256 signing/verification (`sha256=<hex>` convention), constant-time verify, payload serialization, secret generation.

Notes

- `revenue`/`proration`/etc.) unrelated to these changes; the transient-storage changes add no new errors and the `types`/`security` crates compile cleanly.