feat: add Shiora, ZeroID, NoblePay dApps and protocol-wide updates #7
ramtamilselvan wants to merge 17 commits into
Conversation
…ompliance
NoblePay is a UAE-focused cross-border payment platform built on Aethelred with privacy-preserving compliance via Trusted Execution Environments.
Smart Contracts (4 Solidity):
- NoblePay.sol: Core payments with multi-currency, batching, tiered limits
- ComplianceOracle.sol: TEE node registry, attestation, sanctions versioning
- BusinessRegistry.sol: UAE business KYC, 3-tier licensing, re-verification
- TravelRule.sol: FATF travel rule, VASP-to-VASP encrypted sharing
Rust TEE Compliance Engine (9 modules):
- Sanctions screening with fuzzy Levenshtein matching (OFAC/UAE/UN/EU)
- AML risk scoring with weighted factors (velocity, patterns, geography)
- FATF travel rule verification with IVMS101 compliance
- TEE attestation generation and Axum HTTP API
Next.js Frontend (7 pages + shared components):
- Dashboard, Payments, Compliance Center, Business Registry
- Analytics & Reporting, Audit Trail, Settings
- Glass-morphism dark theme, wagmi wallet integration, recharts
Express Backend API (23 endpoints):
- Prisma ORM with 7 models, hash-chained audit trail
- Prometheus metrics, JWT + API key auth, tiered rate limiting

…readiness
- Fix all 12 security audit findings (NP-01 through NP-12)
- Add RBAC with permission-based access control on all 39 route endpoints
- Implement persist-first-mutate-second treasury pattern with Prisma durability
- Harden JWT auth (fail-closed, unique signerId, 401 on forgery)
- Remove wildcard CORS default, require explicit CORS_ORIGIN in production
- Add production env validation (JWT_SECRET, DATABASE_URL, CORS_ORIGIN)
- Add health/readiness probes (/healthz, /readyz)
- Harden WebSocket: tenant-aware channel auth, unauthenticated restricted to system
- Fix TEE attestation: remove default-to-mock, add REQUIRE_TEE runtime guard
- Add file-backed durable gateway store with atomic writes
- Add API key auth on all compliance POST routes, configurable CORS
- Create GitHub Actions CI (6 jobs, 90% security-critical coverage thresholds)
- Add root validate:all release gate (frontend+backend+contracts+gateway+compliance)
- Create .eslintrc.json and .prettierignore for non-interactive validation
- Add Prisma migration (20260316_init) with production deploy scripts
- Add 45 named security regression tests, 64 contract invariant tests
- Add 43 tenant isolation integration tests, 22 treasury E2E tests
- Add 12 treasury chaos tests, 16 WebSocket security tests
- Add 8 production readiness tests, 10 gateway durable store tests
Test results: ~4,000+ tests passing across 5 codebases

- validate:backend now runs prisma migrate status + prisma migrate diff to prove the committed migration applies cleanly and has no schema drift
- CI workflow adds migration status check and schema drift detection steps
- Closes auditor finding: migration committed but not exercised by gate

- Replace invalid --from-migrations-directory with --from-migrations
- Add --shadow-database-url for prisma migrate diff (required by Prisma)
- Add Postgres 16 service container to backend CI job
- CI now runs prisma migrate deploy + status + drift check against real DB
- Local validate:backend uses file-existence checks (no DB required)
- backend/package.json db:migrate:drift uses correct Prisma 5.x flags

- Turn off testing-library/jest-dom style rules in test files (no-node-access, no-container, no-unnecessary-act, prefer-empty, etc.). These are style preferences, not bugs or security issues.
- Align validate and validate:frontend to use npm run lint (strict --max-warnings=0) matching CI policy
- Result: next lint --max-warnings=0 now passes with 0 warnings/errors
- Local validate, validate:frontend, and CI all enforce identical policy

- Create next-sitemap.config.js so the postbuild hook generates sitemap.xml and robots.txt correctly
- Add webpack alias to resolve @react-native-async-storage/async-storage as false, eliminating the MetaMask SDK build warning
- Add .gitignore to exclude generated sitemap artifacts and build dirs

- Add Shiora dApp (women's health AI platform with ZK-enabled features)
- Add ZeroID dApp (self-sovereign identity with ZK proofs and TEE verification)
- Update Cruzible dApp with stablecoin pages, SEO sitemap, and security hardening
- Add InstitutionalStablecoinBridge contract and MockTimelockController
- Update typechain-types for new contract bindings
- Add aethelred.io and aethelred.org website pages (use-cases, enterprise corridors, TEE, ZK proofs)
- Update SDKs (Go, Python, Rust, TypeScript) with latest versions and docs
- Add CODEOWNERS, CODE_OF_CONDUCT, SUPPORT, and governance standards
- Add dApps CI workflow, branch protection config, and dependabot improvements
- Add pitch deck, banner assets, and GitHub org profile defaults
- Add tokenomics and whitepaper PDFs (v2.0)
- Update security policies, audit reports, and dependency remediation tracking
- Clean up AI model references and dev tooling gitignore entries
| @@ -0,0 +1,7 @@ | |||
| module github.com/aethelred/zeroid-sdk-go | |||
Check failure
Code scanning / Trivy
golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh High
| @@ -0,0 +1,7 @@ | |||
| module github.com/aethelred/zeroid-sdk-go | |||
Check warning
Code scanning / Trivy
golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication Medium
| @@ -0,0 +1,7 @@ | |||
| module github.com/aethelred/zeroid-sdk-go | |||
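Review bot: the golang.org/x/crypto requirement resolved by this go.mod is the one Trivy flags for three denial-of-service advisories in golang.org/x/crypto/ssh and ssh/agent (key exchange, GSSAPI authentication, malformed agent messages). Bump the module to a release that clears these advisories and regenerate go.sum; if the SDK never imports the ssh packages itself, `go mod why -m golang.org/x/crypto` shows which dependency pulls them in, and the bump is still worth taking so the scanner result reflects the shipped SDK.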
Check warning
Code scanning / Trivy
golang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages Medium
| @@ -0,0 +1,10 @@ | |||
| module github.com/aethelred/noblepay-gateway | |||
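Review bot: Trivy flags the go-chi/chi version resolved by this module for host-header injection in RedirectSlashes that leads to an open redirect. Bump chi to a patched release, and check whether the gateway mounts `middleware.RedirectSlashes` at all, since that decides whether the finding is reachable in the deployed gateway or only a lockfile hygiene item.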
Check warning
Code scanning / Trivy
chi Allows Host Header Injection which Leads to Open Redirect in RedirectSlashes Medium
| [[package]] | ||
| name = "keccak" | ||
| version = "0.1.5" | ||
| source = "registry+https://github.com/rust-lang/crates.io-index" | ||
| checksum = "ecc2af9a1119c51f12a14607e783cb977bde58bc069ff0c3da1095e635d70654" | ||
| dependencies = [ | ||
| "cpufeatures", | ||
| ] |
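Review bot: keccak 0.1.5 is pinned here and Trivy's notice concerns unsoundness in the opt-in ARMv8 assembly backend. Confirm whether any crate in this lockfile enables that feature (`cargo tree -i keccak -e features`); if none does, the notice is informational for this build, but record that conclusion in the dependency remediation tracking mentioned in the commit list rather than leaving the finding unacknowledged, and bump when a fixed release is available.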
Check notice
Code scanning / Trivy
Unsoundness in opt-in ARMv8 assembly backend for `keccak` Low
| name: ZeroID Backend | ||
| runs-on: ubuntu-latest | ||
| defaults: | ||
| run: | ||
| working-directory: dApps/zeroid/backend | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: "20" | ||
| cache: "npm" | ||
| cache-dependency-path: dApps/zeroid/backend/package-lock.json | ||
| - name: Install dependencies | ||
| run: npm ci --no-fund | ||
| - name: Security audit | ||
| run: npm audit --audit-level=high | ||
| - name: Lint | ||
| run: npm run lint | ||
| - name: Type-check | ||
| run: npx tsc --noEmit | ||
| - name: Run tests | ||
| run: npm test -- --forceExit --ci | ||
| - name: Build | ||
| run: npm run build | ||
|
|
||
| # --------------------------------------------------------------------------- | ||
| # ZeroID Frontend | ||
| # --------------------------------------------------------------------------- | ||
| zeroid-frontend: |
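Review bot: this job, like the rest of the workflow, declares no permissions block, which is the CodeQL finding attached below; a root-level `permissions: contents: read` is enough because every job only checks out, installs and builds. While touching the job, actions/checkout@v4 and actions/setup-node@v4 are referenced by mutable tag; pinning them to a full commit SHA (with the tag in a trailing comment) is the standard supply-chain hardening for a repository that already runs Dependabot, and Dependabot will keep the pins current.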
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 2 months ago
In general, fix this by explicitly declaring permissions: for the workflow (or each job) so that the GITHUB_TOKEN has only the scopes actually required. For this CI workflow, all jobs just check out code and run Node commands; they do not create releases, modify issues, or push code, so contents: read is sufficient.
The simplest, non-behavior-changing fix is to add a single root-level permissions: block that applies to all jobs. This should be placed near the top of .github/workflows/dapps-ci.yml, after the name: and on: definitions, and before jobs:. Set it to:
permissions:
  contents: read
No additional methods, imports, or definitions are needed, and no job steps need to change. This explicitly documents and enforces read-only repository access for all jobs using GITHUB_TOKEN.
| @@ -13,6 +13,9 @@ | ||
| - '.github/workflows/dapps-ci.yml' | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| # --------------------------------------------------------------------------- | ||
| # ZeroID Backend |
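An added check, not part of this PR or its CI, for the condition CodeQL reports above ("Workflow does not contain permissions"): it reads keys from indentation instead of a YAML library, which is sufficient for workflows laid out like dapps-ci.yml, and the embedded workflow text is constructed from the job names on this page rather than copied from the repository.

```python
"""Flag GitHub Actions workflows that leave GITHUB_TOKEN at its default scopes.
Added example, not from this PR: mirrors CodeQL's "Workflow does not contain
permissions" rule without a YAML library, reading keys from indentation."""
import re

KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):")  # `key:` at any indent

def _keys(text):
    """Yield (indent, key) per mapping line; comments and `- ` items are skipped."""
    for line in text.splitlines():
        stripped = line.lstrip()
        match = KEY_RE.match(line) if stripped and stripped[0] not in "#-" else None
        if match:
            yield len(match.group(1)), match.group(2)

def check_workflow(text):
    """Return ids of jobs with implicit token scope; [] means compliant.
    A root-level `permissions:` covers every job, else each job needs its own."""
    root_scoped, in_jobs = False, False
    job_indent = child_indent = current = None
    jobs = {}  # job id -> declares its own permissions block
    for indent, key in _keys(text):
        if indent == 0:
            in_jobs = key == "jobs"
            root_scoped = root_scoped or key == "permissions"
        elif in_jobs:
            job_indent = indent if job_indent is None else job_indent  # job-id column
            if indent == job_indent:
                current, jobs[key] = key, False
            else:
                child_indent = indent if child_indent is None else child_indent
                if indent == child_indent and key == "permissions":
                    jobs[current] = True
    return [] if root_scoped else [job for job, ok in jobs.items() if not ok]

# Constructed from the job names in this PR, not the repository's real file.
UNSCOPED_WORKFLOW = """\
name: dApps CI
on:
  push:
    branches: [main, develop, release/**]
jobs:
  zeroid-backend:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm audit --audit-level=high
  dapps-required-gate:
    runs-on: ubuntu-latest
    steps:
      - run: |
          if [[ "${{ needs.zeroid-backend.result }}" != "success" ]]; then exit 1; fi
"""
# The autofix suggested in review: one root-level block covering every job.
ROOT_SCOPED_WORKFLOW = UNSCOPED_WORKFLOW.replace(
    "\non:\n", "\npermissions:\n  contents: read\non:\n", 1)
# Only the gate job opts out of the token; zeroid-backend stays implicit.
GATE_SCOPED_WORKFLOW = UNSCOPED_WORKFLOW.replace(
    "  dapps-required-gate:\n", "  dapps-required-gate:\n    permissions: {}\n", 1)
```

Running `check_workflow` over the three constructed variants shows the unscoped file naming both jobs, the root-level fix clearing everything, and a per-job `permissions: {}` clearing only the job that carries it.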
| name: ZeroID Frontend | ||
| runs-on: ubuntu-latest | ||
| defaults: | ||
| run: | ||
| working-directory: dApps/zeroid | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: "20" | ||
| cache: "npm" | ||
| cache-dependency-path: dApps/zeroid/package-lock.json | ||
| - name: Install dependencies | ||
| run: npm ci --no-fund | ||
| - name: Lint | ||
| run: npm run lint | ||
| - name: Type-check | ||
| run: npm run type-check | ||
| - name: Format check | ||
| run: npm run format:check | ||
| - name: Run tests with coverage | ||
| run: npm run test:ci | ||
| - name: Build | ||
| run: npm run build | ||
|
|
||
| # --------------------------------------------------------------------------- | ||
| # Cruzible | ||
| # --------------------------------------------------------------------------- | ||
| cruzible: |
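Review bot: unlike zeroid-backend, this job has no `npm audit --audit-level=high` step, so high-severity advisories in the frontend lockfile never block the required gate even though the backend's do. Add the same audit step before the lint step, or fold the audit into `npm run test:ci`, so both ZeroID jobs enforce one dependency policy.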
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 2 months ago
In general, the fix is to add an explicit permissions block that grants only the minimal scopes required by the jobs, preferably at the workflow root so it applies to all jobs. For typical CI that just checks out code and runs tests/builds, contents: read is sufficient; no write permissions are needed.
The best fix here is to add a top-level permissions block after the on: section, setting contents: read. This will apply to all jobs (zeroid-backend, zeroid-frontend, cruzible, noblepay, and dapps-required-gate) because none of them currently define their own permissions. This change does not alter existing functionality since the jobs only read the repository. Concretely, in .github/workflows/dapps-ci.yml, insert:
permissions:
  contents: read
between the on: block (ending at line 15) and the jobs: key (line 16). No additional methods, imports, or definitions are needed.
| @@ -13,6 +13,9 @@ | ||
| - '.github/workflows/dapps-ci.yml' | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| # --------------------------------------------------------------------------- | ||
| # ZeroID Backend |
| name: Cruzible | ||
| runs-on: ubuntu-latest | ||
| defaults: | ||
| run: | ||
| working-directory: dApps/cruzible | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: "20" | ||
| cache: "npm" | ||
| cache-dependency-path: dApps/cruzible/package-lock.json | ||
| - name: Install dependencies | ||
| run: npm ci --no-fund | ||
| - name: Validate (type-check + lint + format + test) | ||
| run: npm run validate | ||
| - name: Build | ||
| run: npm run build | ||
|
|
||
| # --------------------------------------------------------------------------- | ||
| # NoblePay | ||
| # --------------------------------------------------------------------------- | ||
| noblepay: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 2 months ago
In general, the fix is to add an explicit permissions: block that grants only the minimal required scopes to the GITHUB_TOKEN. Since all jobs in this workflow only need to read the repository contents (checkout, install, lint, test, build) and do not push, create releases, or modify issues/PRs, the least-privilege practical setting is contents: read.
The best way to fix this without changing functionality is to add a single permissions: block at the root of the workflow (top level, alongside name: and on:). This block will apply to all jobs (zeroid-backend, zeroid-frontend, cruzible, noblepay, and any others in the omitted section) that don't declare their own permissions. We don't need any imports or extra methods; this is a pure YAML configuration change.
Concretely:
- Edit .github/workflows/dapps-ci.yml.
- After the name: dApps CI line (line 1) and before the on: block (line 3), insert:
  permissions:
    contents: read
This explicitly restricts the GITHUB_TOKEN to read-only access to repository contents for all jobs, satisfying CodeQL's recommendation and GitHub's least-privilege guidance.
| @@ -1,5 +1,8 @@ | ||
| name: dApps CI | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: [main, develop, release/**] |
| name: NoblePay | ||
| runs-on: ubuntu-latest | ||
| defaults: | ||
| run: | ||
| working-directory: dApps/noblepay | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: "20" | ||
| cache: "npm" | ||
| cache-dependency-path: dApps/noblepay/package-lock.json | ||
| - name: Install dependencies | ||
| run: npm ci --no-fund | ||
| - name: Validate all components | ||
| run: npm run validate | ||
| - name: Build | ||
| run: npm run build | ||
|
|
||
| # --------------------------------------------------------------------------- | ||
| # Required gate — all dApps must pass before merge | ||
| # --------------------------------------------------------------------------- | ||
| dapps-required-gate: |
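Review bot: the NoblePay commit messages above describe Solidity contracts, a Rust TEE compliance engine and a Go gateway (the github.com/aethelred/noblepay-gateway module in this PR), plus a root validate:all gate whose migration checks need a Postgres 16 service, yet this job installs only Node and runs `npm run validate` with no Go or Rust toolchain setup and no services: block. Either `npm run validate` does not exercise those components, in which case the required gate is weaker than the commit messages claim, or it shells out to toolchains that are absent on this runner; confirm which, and add the missing setup steps here or point at the workflow that does cover them.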
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 2 months ago
In general, fix this by adding an explicit permissions: block that requests only the minimal scopes required. Since this workflow just checks out code and runs Node commands, it only needs read access to repository contents (and possibly packages, which are covered by contents: read for the code itself). The cleanest way, without changing existing behavior, is to define a top-level permissions: block on the workflow so all jobs inherit restricted permissions by default.
Specifically, edit .github/workflows/dapps-ci.yml near the top of the file, after the name: dApps CI line and before the on: block, and add:
permissions:
  contents: read
This sets the default GITHUB_TOKEN permissions for all jobs (including noblepay) to read-only repository contents, which is sufficient for actions/checkout and any standard read-only operations. No additional imports, methods, or definitions are needed, and no per-job permissions are required given the current steps.
| @@ -1,5 +1,8 @@ | ||
| name: dApps CI | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: [main, develop, release/**] |
| name: dApps Required Gate | ||
| runs-on: ubuntu-latest | ||
| needs: | ||
| - zeroid-backend | ||
| - zeroid-frontend | ||
| - cruzible | ||
| - noblepay | ||
| if: always() | ||
| steps: | ||
| - name: Check all jobs passed | ||
| run: | | ||
| if [[ "${{ needs.zeroid-backend.result }}" != "success" ]] || | ||
| [[ "${{ needs.zeroid-frontend.result }}" != "success" ]] || | ||
| [[ "${{ needs.cruzible.result }}" != "success" ]] || | ||
| [[ "${{ needs.noblepay.result }}" != "success" ]]; then | ||
| echo "One or more dApps CI jobs failed:" | ||
| echo " zeroid-backend: ${{ needs.zeroid-backend.result }}" | ||
| echo " zeroid-frontend: ${{ needs.zeroid-frontend.result }}" | ||
| echo " cruzible: ${{ needs.cruzible.result }}" | ||
| echo " noblepay: ${{ needs.noblepay.result }}" | ||
| exit 1 | ||
| fi | ||
| echo "All dApps CI gates passed." |
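Review bot: checking each upstream result against "success" under `if: always()` is the right construction, since it fails the gate when a dependency is skipped or cancelled and not only when it fails. Two small follow-ups: this job performs no checkout, so it can declare `permissions: {}` of its own even once the root-level `contents: read` is added, and the `${{ needs.*.result }}` expressions are interpolated straight into the shell script; they are controller-supplied enumerations here, so this is safe today, but passing them through `env:` keeps the script free of expression injection if the list is ever extended with user-influenced context.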
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 2 months ago
In general, the fix is to add an explicit permissions: block to the workflow (at the root level or per-job) that grants only the minimal required permissions. For this CI workflow, all jobs only check out code, install dependencies, run audits/lint/tests/builds, and perform a logical gate; they do not need to write to the repo or to pull requests. The standard minimal setting for such workflows is permissions: contents: read, which is equivalent to the read-only default.
The single best fix with no functional change is to add a root-level permissions: block (applies to all jobs) right after the name: dApps CI line. This will ensure every job's GITHUB_TOKEN is limited to read-only repository contents (sufficient for actions/checkout@v4 if needed) while not enabling any write scopes. No other lines or behavior need to change, and no imports or extra methods are required since this is a YAML configuration change only.
Concretely: edit .github/workflows/dapps-ci.yml to insert:
permissions:
  contents: read
between line 1 (name: dApps CI) and line 3 (on:). This documents the intended permissions and prevents the workflow from accidentally gaining broader permissions if repository/organization defaults change in the future.
| @@ -1,5 +1,8 @@ | ||
| name: dApps CI | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: [main, develop, release/**] |
CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.
Revert over-aggressive removal of AI provider references that were used in general context (AI model lists, protocol enum values, env config).
- NoblePay: MIT → Apache 2.0, app URL → thenoble.one
- ZeroID: MIT → Apache 2.0, app URL → aethelred.io
- Cruzible: MIT badge → Apache 2.0, added App link to aethelred.io

- NoblePay: app.thenoble.one
- Shiora: app.shiora.health
- ZeroID: zeroid.aethelred.io
- Cruzible: cruzible.aethelred.io
Reverted temporary static export configs. All 4 dApps will be deployed on Vercel with full SSR support.
Build the full VitePress documentation site with all 44 pages:
- Guide: 17 pages covering getting started, architecture, core concepts (digital seals, TEE attestation, zkML, sovereign data), compute (runtime, tensors, neural networks, distributed, quantization), and blockchain (network, jobs, model registry, validators)
- API Reference: Go SDK (6 pages), Rust SDK (6 pages), TypeScript SDK (4 pages), Python SDK (1 page)
- Cryptography: overview, security parameters, HSM deployment, key mgmt
- CLI: installation, configuration, commands, shell completions
- Changelog with v1.0.0 through v2.0.0
Infrastructure:
- Add ESM support to package.json for VitePress 1.6 compatibility
- Create API doc generator stubs (scripts/)
- Add favicon.svg and logo.svg brand assets
- Generate package-lock.json
- Fix dead link in Go API index
- Fix elvish syntax highlighting fallback
Build verified: 45 HTML pages generated, zero dead links, zero errors. GitHub Pages enabled with custom domain docs.aethelred.io.
Allow the docs-deploy workflow to run from the current feature branch so the documentation site goes live before merging to main. Also trigger on workflow file changes.
Set VitePress base to /aethelred/ and remove CNAME from deploy so the site is accessible at aethelred-foundation.github.io/aethelred/ without requiring custom domain DNS setup.
The docs.aethelred.io custom domain DNS is not yet configured, so update the badge link to aethelred-foundation.github.io/aethelred/ where the VitePress site is now deployed and accessible.
4b2b197 to d615c08
687c2da to 6a6421c
Closing as superseded by the current protocol-first and ecosystem de-duplication strategy plus later merged protocol and docs work. This branch no longer reflects the intended repository structure.
Summary
Major release adding three new dApps to the Aethelred ecosystem alongside comprehensive protocol, SDK, and infrastructure updates.
New dApps
Cruzible Updates
Protocol & Contracts
SDKs
Infrastructure & CI/CD
Documentation & Governance
Websites
Test plan