aitbc
|
13ada12b49
|
Security fixes: wildcard CORS, JWT auth, zero-address fallback
Phase 1 security remediation from codebase analysis:
CORS fixes:
- Replace wildcard CORS with safe localhost defaults in agent-coordinator
- Replace wildcard CORS with safe localhost defaults in marketplace
- Fix 8 additional wildcard CORS instances in coordinator-api apps:
  - hermes_enhanced_app.py
  - api_gateway.py
  - modality_optimization_app.py
  - multimodal_app.py
  - gpu_multimodal_app.py
  - marketplace_enhanced_app.py
  - advanced_ai_service.py
  - adaptive_learning_app.py
- Add CORS configuration security tests
Blockchain-node auth fixes:
- JWT authentication now fails closed with clear error message
- X-Wallet-Address already gated behind TRUST_X_WALLET_ADDRESS env var
- Remove zero-address fallback from arbitration vote submission
- Add regression test for zero-address rejection in arbitration
Tests:
- Update dispute auth tests to reflect new JWT error message
- Add test_arbitration_vote_zero_address_rejected
- Add test_cors_configuration.py with 5 CORS validation tests
|
2026-05-24 19:31:26 +02:00 |
|
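The commit describes two fail-closed changes: replacing a wildcard CORS origin with safe localhost defaults, and rejecting the zero address in arbitration vote submission instead of silently falling back to it. The block below is an added illustration of both patterns; it is not code from the aitbc repository or from this commit. The default origin list, the environment variable name `CORS_ALLOWED_ORIGINS`, the Ethereum-style 20-byte zero address and the function names are assumptions made for the example.

```python
import os
from urllib.parse import urlsplit

# Assumed defaults for the example; the commit's real localhost defaults are not shown on the page.
SAFE_DEFAULT_ORIGINS = ("http://localhost:3000", "http://127.0.0.1:3000")

# Assumed: Ethereum-style hex addresses, so the zero address is 0x followed by 40 zeros.
ZERO_ADDRESS = "0x" + "00" * 20


def parse_allowed_origins(raw):
    """Parse a comma-separated origin list (e.g. from an env var) into normalised origins.

    A wildcard is refused outright, so the insecure setting cannot be re-introduced
    through configuration. An empty or missing value yields the localhost defaults.
    """
    if raw is None or not raw.strip():
        return list(SAFE_DEFAULT_ORIGINS)
    origins = []
    for item in raw.split(","):
        item = item.strip()
        if not item:
            continue
        if "*" in item:
            raise ValueError("wildcard CORS origin is not permitted")
        parts = urlsplit(item)
        if parts.scheme not in ("http", "https") or not parts.netloc or parts.path not in ("", "/"):
            raise ValueError(f"malformed origin: {item!r}")
        # An origin is scheme + host + port only; case-fold so matching is exact.
        origins.append(f"{parts.scheme}://{parts.netloc}".lower())
    return origins


def load_allowed_origins_from_env(var_name="CORS_ALLOWED_ORIGINS"):
    """Read the allow-list from the environment; hypothetical variable name."""
    return parse_allowed_origins(os.environ.get(var_name))


def cors_headers_for(request_origin, allowed_origins):
    """Return the CORS response headers for a request's Origin header.

    Only an exact allow-list match is reflected; anything else gets no CORS headers,
    which is the browser-side equivalent of failing closed. "*" is never emitted.
    """
    if request_origin is None:
        return {}
    if request_origin.lower() in allowed_origins:
        return {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    return {}


def validate_vote_wallet(wallet):
    """Validate the wallet that submits an arbitration vote, failing closed.

    The pre-fix behaviour described in the commit was to fall back to the zero address
    when no wallet was supplied; here a missing, zero or malformed address is rejected.
    """
    if not wallet:
        raise PermissionError("wallet address required for arbitration vote")
    normalised = wallet.strip().lower()
    if normalised == ZERO_ADDRESS:
        raise PermissionError("zero address cannot submit arbitration votes")
    body = normalised[2:]
    if not (normalised.startswith("0x") and len(body) == 40 and all(c in "0123456789abcdef" for c in body)):
        raise PermissionError("malformed wallet address")
    return normalised


if __name__ == "__main__":
    allowed = parse_allowed_origins(None)
    print("defaults:", allowed)
    print("allowed request:", cors_headers_for("http://localhost:3000", allowed))
    print("foreign request:", cors_headers_for("https://other.example", allowed))
    print("vote wallet:", validate_vote_wallet("0x" + "ab" * 20))
```

The allow-list parser is the piece worth a regression test of the kind the commit adds (test_cors_configuration.py): it should fail loudly on `*` rather than accept it, and a missing value should produce the localhost defaults rather than an open origin.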