Harden .gitignore: ignore .env files#2
Merged
Conversation
Extend the secrets ignore list to cover .env / .env.* (allowing a committed .env.example), plus the coverage/ test-output directory. Wallet .json/.crypt and lib/ were already ignored. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_019wRXFoSyPB5awSkHXSW4rn
Wallet key files were encrypted with an AES-256-CBC key derived from an unsalted MD5 of the password — fast to brute-force and identical for identical passwords. Switch to memory-hard scrypt (N=16384, r=8, p=1) with a per-file random salt. New payloads carry a "GMBTv1" magic prefix and store the salt inline: [magic][salt][iv][ciphertext]. decrypt() detects the prefix and falls back to the legacy MD5 path for wallets created before this change, so existing .crypt files keep working with no re-encryption step. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_019wRXFoSyPB5awSkHXSW4rn
- Remove unused deps: express, lowdb, node-notifier, log-update (and their @types). None were imported anywhere. - Delete the unregistered encrypt/decrypt command handlers. They were never wired into gambit.ts and their per-chunk stream transform was incompatible with the salted crypt format. Wallet encryption lives in setup-wallet; decryption in the sniper's wallet loader. - Remove the commented-out node-notifier blocks in snipe.ts and replace the console.dir(receipt) dumps with a concise logMinedTransaction() helper that logs the tx hash + explorer link through pino. - Drop the debug console.log allowance dumps and a stray target-token approve() from Primary.buyNative's estimate path (a native ETH->token swap needs no token approval). - Remove the commented pair-cache block in dex.ts and a stale "TODO: Loop spend" (the loop is implemented). - Add package-lock.json for reproducible installs. - Fill in the package.json description. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_019wRXFoSyPB5awSkHXSW4rn
Passwords and private keys passed as CLI arguments leak into shell history and the process listing (ps auxww). Add a prompt service that resolves secrets from, in order: an explicit flag (discouraged), an environment variable, or a hidden interactive prompt. - snipe: --password is now optional and discouraged. When the wallet is encrypted the password is prompted for (hidden) or read from GAMBIT_PASSWORD. - setup-wallet: drop the positional <password> and <secretKey> args. Both are now prompted for (hidden, password confirmed) or read from GAMBIT_PASSWORD / GAMBIT_WALLET_KEY. Signature is now `setup-wallet <walletName> <address>`. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_019wRXFoSyPB5awSkHXSW4rn
By default the router is granted an unlimited (max-uint) allowance so a single approval covers every future trade — the right latency/gas tradeoff for sniping, but it leaves the full token balance exposed to a compromised or malicious router indefinitely. Collapse approveSourceToken/approveTargetToken onto one approveToken() helper and add a chain-level exactApproval flag, surfaced as the snipe `-e, --exactApproval` option. When set, only the current trade's spend amount is approved. The default behaviour is unchanged. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_019wRXFoSyPB5awSkHXSW4rn
Extract the numeric trade-construction logic (slippage tolerance and the gas-limit policy) out of Pair into a pure src/libs/execution.ts module, and export the pair/factory adapter selectors, so they can be tested without an RPC, wallet, or live chain. Fix a latent bug uncovered while extracting the gas policy: the block gas ceiling was computed as blockGasLimit * (GAS_LIMIT_THRESHOLD * BP_DIVISOR) / BP_DIVISOR = blockGasLimit * 60, i.e. 60x the block limit, so the ceiling never bound. GAS_LIMIT_THRESHOLD is documented "As percent", so blockGasCeiling now takes 60% of the (normalized) block gas limit using integer basis points. Tests (24) cover: - slippage math incl. 0% / 25% / 100% edges and 18-decimal precision - block-gas normalization, the percentage ceiling, and the 1.4x multiplier — including basis-point integer safety - clampGas pass-through vs. clamp-at-ceiling behaviour - crypt round-trip, GMBTv1 prefix, per-file salt, wrong-password rejection, and legacy MD5 decryption - adapter selection: camelot -> Camelot, unknown -> Primary; glacier -> GlacierFactory, else PrimaryFactory Wire up `npm test` (vitest run) and scope tsc to src via include/exclude. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_019wRXFoSyPB5awSkHXSW4rn
GitHub Actions job on push to main and on pull requests: npm ci, tsc build, then the vitest suite. Gives the repo a green-checkmark signal and guards the build/tests on every change. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_019wRXFoSyPB5awSkHXSW4rn
- configs/chains/base.toml: Uniswap V2's official Base deployment (router 0x4752ba5D..., factory 0x8909Dc15...), which uses the standard V2 router interface and works with the Primary adapter unchanged. Sources: WETH (native) and native USDC (stable). - CHANGELOG.md documenting the 2026 modernization pass. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_019wRXFoSyPB5awSkHXSW4rn
Rewrite the README to lead with the engineering rather than the sniping use case: - New one-liner: a low-latency EVM execution engine with a pluggable multi-DEX adapter layer. - Feature the pair/factory adapter pattern (Camelot referrer-arg, Glacier stable-flag) as the centerpiece — the production-quirk abstraction that's the strongest "shipped real bots" signal. - Add a rendered Mermaid architecture diagram plus a layer table (CLI -> Sniper -> Chain -> Dex -> Pair -> adapters -> TypeChain). - Candid "Design observations, gaps & risks" section split into what this pass fixed (MD5->scrypt, secrets off argv, gas-ceiling bug) and remaining tradeoffs (unlimited approvals, public mempool, ethers v5). - "What I'd build differently in 2026": private orderflow, ERC-4337, L2 calldata fee modeling, ethers v6/viem, pre-submission simulation. - Portfolio note up top (sanitized; no keys/edge). Update install/usage for npm and the new prompt-based secret handling. Drop the rot-prone hotlinked banner image. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_019wRXFoSyPB5awSkHXSW4rn
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Extend the secrets ignore list to cover .env / .env.* (allowing a
committed .env.example), plus the coverage/ test-output directory.
Wallet .json/.crypt and lib/ were already ignored.
Co-Authored-By: Claude Opus 4.8 noreply@anthropic.com
Claude-Session: https://claude.ai/code/session_019wRXFoSyPB5awSkHXSW4rn