fix: wire oracleRegistry into regtest-cashu test service

motxx · claude · motxx · commit 25d58ce0b528 · 2026-04-17T21:20:17.000+09:00
The regtest bounty lifecycle test constructed a QueryService without
an oracle registry. verifyWithQuorum returns "No oracle available"
when resolveOracle returns null, so POST /queries/:id/result responds
400 and the "submit → release" flow fails.

Mirror the production composition (reference-app.ts): inject
createOracleRegistry() + createPreimageStore() + normalizeQueryResult
into the test service, and pass the same registry + preimage store
to buildWorkerApiApp so /oracles and HTLC routes behave as in prod.

Also pin SHA refs on claude-code GitHub actions (supply-chain
hardening from CEO review) and add the pentest suite README that
documents scope/limits honestly.

Co-Authored-By: Claude Opus 4 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
@@ -27,13 +27,13 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 1
 
       - name: Run Claude Code Review
         id: claude-review
-        uses: anthropics/claude-code-action@v1
+        uses: anthropics/claude-code-action@c3d45e8e941e1b2ad7b278c57482d9c5bf1f35b3 # v1
         with:
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
           plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
@@ -26,13 +26,13 @@ jobs:
       actions: read # Required for Claude to read CI results on PRs
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 1
 
       - name: Run Claude Code
         id: claude
-        uses: anthropics/claude-code-action@v1
+        uses: anthropics/claude-code-action@c3d45e8e941e1b2ad7b278c57482d9c5bf1f35b3 # v1
         with:
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
 
diff --git a/e2e/pentest/README.md b/e2e/pentest/README.md
@@ -0,0 +1,76 @@
+# Pentest suite
+
+Deterministic penetration tests for the Anchr worker API. All tests run
+against `localhost` only. Never connects to external services.
+
+## What this suite IS
+
+A **smoke-grade defense baseline.** Catches:
+
+- Crashes (5xx) on malformed, oversized, or adversarial input
+- Unauthenticated access to write endpoints
+- Trivial rate-limit bypass via client-supplied headers
+- Preimage leakage on the unverified-result path
+- Prototype pollution reaching the test-process global
+- JSON-response content-type on routes that should never return HTML
+
+## What this suite is NOT
+
+A proof that defenses work. Most assertions use the shape `<500` — that
+only proves the server didn't crash. A malicious response that returns
+200 with leaked data would pass a `<500` assertion.
+
+Specifically, the following attacks are **detected only if they crash
+the server**, not if they succeed silently:
+
+| Attack class | Current assertion | What a real proof would need |
+|---|---|---|
+| SSRF | response body does not echo `"meta-data"` | listener bound to `169.254.169.254`, assert zero inbound connections during the test run |
+| Prototype pollution | test-process `{}.isAdmin` is undefined | server-process introspection endpoint that reveals prototype state (test-process check doesn't see server pollution) |
+| Store pollution / TTL cleanup | `expire-*` entries missing from `GET /queries` | admin endpoint exposing raw store size, to distinguish "cleaned up" from "filtered at read" |
+| Fuzz payloads (18 variants) | `<500` | per-payload assertion on expected rejection code (400 vs 413 vs 422) |
+| ReDoS in regex conditions | `<500` on creation | end-to-end verification path exercised with a time budget |
+
+## Why ship a smoke-grade suite at all
+
+Crash-free handling of adversarial input is a real property. Catching a
+regression that makes `POST /queries` panic on a 10 MB body is
+cheaper as a test than as a prod incident. The tests also guard against
+silent removal of the rate limiter, the write-auth middleware, or the
+preimage-release guard — all things an innocent refactor could break.
+
+Treat green checks as "no crash, no obvious regression." Not as
+"hardened."
+
+## Running locally
+
+```bash
+# Starts a pentest server on port 8091 with HTTP_API_KEYS=pentest-key-001
+deno task test:all       # includes pentest phase
+
+# Or run only the pentest suite against an already-running server:
+PENTEST_APP_URL=http://localhost:8091 HTTP_API_KEYS=pentest-key-001 \
+  deno task test:pentest
+```
+
+## Adding new tests
+
+Follow the existing file conventions:
+
+- One file per attack class (`auth-bypass.test.ts`, `ssrf.test.ts`, ...)
+- Use `helpers.ts` for `APP_BASE`, `API_KEY`, `authedHeaders`
+- Always `await res.body?.cancel()` after `fetch()` to avoid leaks
+- Prefer specific assertions over `<500`. `<500` is the floor, not the goal.
+
+## Known coverage gaps
+
+Not currently exercised:
+
+- `POST /queries/:id/upload` (file size, content-type smuggling, traversal on filename)
+- `POST /queries/:id/quotes` (Cashu quote fuzz)
+- `POST /marketplace/data/:id` (payment middleware: malformed token, replay, zero/negative amount)
+- `POST /marketplace/listings/:id/announce` (relay-publish input fuzz)
+- FROST authz: can signer_index N submit commitments for signer_index M?
+
+These are higher marginal value than deepening assertions on
+already-covered endpoints.
diff --git a/e2e/regtest-cashu.test.ts b/e2e/regtest-cashu.test.ts
@@ -26,6 +26,9 @@ import { spawn } from "../src/runtime/mod.ts";
 import { type Proof, getEncodedToken } from "@cashu/cashu-ts";
 import { buildWorkerApiApp } from "../src/infrastructure/worker-api";
 import { createQueryService } from "../src/application/query-service";
+import { createOracleRegistry } from "../src/infrastructure/oracle/registry";
+import { createPreimageStore } from "../src/infrastructure/cashu/preimage-store";
+import { normalizeQueryResult } from "../src/infrastructure/attachments";
 import {
   checkInfraReady,
   payInvoiceViaLndUser,
@@ -52,10 +55,23 @@ async function mintCashuToken(amountSats: number): Promise<{ token: string; proo
 const suite = INFRA_READY ? describe : describe.ignore;
 
 // Use a QueryService without relay hooks to avoid fire-and-forget WebSocket leaks.
-const testService = createQueryService({ hooks: {} });
+// Wire oracleRegistry + preimageStore so verification can actually succeed
+// (mirrors production composition in src/infrastructure/reference-app.ts).
+const testOracleRegistry = createOracleRegistry();
+const testPreimageStore = createPreimageStore();
+const testService = createQueryService({
+  oracleRegistry: testOracleRegistry,
+  preimageStore: testPreimageStore,
+  normalizeResult: normalizeQueryResult,
+  hooks: {},
+});
 
 suite("e2e: regtest Cashu bounty lifecycle", () => {
-  const app = buildWorkerApiApp({ queryService: testService });
+  const app = buildWorkerApiApp({
+    queryService: testService,
+    oracleRegistry: testOracleRegistry,
+    preimageStore: testPreimageStore,
+  });
 
   beforeAll(() => {
     testService.clearQueryStore();
