feat(fuzz): add governance lifecycle fuzz target#1
Open
devnWisdom wants to merge 1 commit into
Open
Conversation
Adds fuzz_governance fuzz target covering the full proposal lifecycle: propose → vote → finalize → execute. Verifies: - proposal IDs are always positive - vote counts match the approval pattern - finalize() always produces a terminal status - execute() succeeds after Passed + timelock Closes AnnabelJoe#558
🔍 Vercel Preview DeploymentURL: Learn More: https://err.sh/vercel/missing-token-value
|
AnnabelJoe
pushed a commit
that referenced
this pull request
Jun 25, 2026
## [1.16.0](AnnabelJoe/solarproof@v1.15.0...v1.16.0) (2026-06-08) ### Features * add bulk certificate retirement API and UI ([AnnabelJoe#347](AnnabelJoe#347)) ([196ab0c](AnnabelJoe@196ab0c)) * add GET/DELETE /api/meters/:id with admin auth ([AnnabelJoe#269](AnnabelJoe#269)) ([444a447](AnnabelJoe@444a447)) * add input validation and sanitization to all API endpoints ([AnnabelJoe#338](AnnabelJoe#338)) ([964d4b8](AnnabelJoe@964d4b8)) * add loading skeletons for async data fetches ([AnnabelJoe#255](AnnabelJoe#255)) ([3fc2fcd](AnnabelJoe@3fc2fcd)) * add pentest scope and report placeholder ([AnnabelJoe#342](AnnabelJoe#342)) ([d27703e](AnnabelJoe@d27703e)) * add public v1 verify API and OpenAPI spec ([AnnabelJoe#352](AnnabelJoe#352)) ([71dc4a9](AnnabelJoe@71dc4a9)) * admin interface and fractional kWh support ([49bd5fe](AnnabelJoe@49bd5fe)) * **api:** versioning — 301 redirects from /api/* to /api/v1/*, API-Version header ([fa8bf84](AnnabelJoe@fa8bf84)) * **auth:** configure token expiry, rotation, and revocation list ([d4117a7](AnnabelJoe@d4117a7)) * build analytics dashboard for energy generation statistics ([AnnabelJoe#350](AnnabelJoe#350)) ([971c19c](AnnabelJoe@971c19c)) * certificate transfer endpoint and UI ([#1](AnnabelJoe#1)) ([477a577](AnnabelJoe@477a577)) * **ci:** Docker image scanning with Trivy — block on CRITICAL CVEs ([164dbc7](AnnabelJoe@164dbc7)) * **contracts:** add upgrade timelock tests for community_governance ([AnnabelJoe#284](AnnabelJoe#284)) ([79f5662](AnnabelJoe@79f5662)) * **crypto:** add verifyReadingSignature and 100% unit test coverage ([2b79205](AnnabelJoe@2b79205)) * **db:** add perf indexes on readings, certificates, audit_anchors ([7e37584](AnnabelJoe@7e37584)) * **e2e:** add Playwright tests for dashboard, certificate detail, and public verifier ([1ecf24e](AnnabelJoe@1ecf24e)) * enable Turborepo remote caching for all CI steps ([AnnabelJoe#297](AnnabelJoe#297)) ([9385ff4](AnnabelJoe@9385ff4)) * **governance:** add proposed_action field to create proposal form ([515ed8d](AnnabelJoe@515ed8d)) * **governance:** configurable quorum/threshold with admin guard and edge-case tests ([ecda905](AnnabelJoe@ecda905)) * I-REC XML export for certificates ([#4](AnnabelJoe#4)) ([232bf4a](AnnabelJoe@232bf4a)) * implement BullMQ+Redis async job queue for Stellar tx ([AnnabelJoe#272](AnnabelJoe#272)) ([a4b425c](AnnabelJoe@a4b425c)) * implement certificate retirement API endpoint ([AnnabelJoe#270](AnnabelJoe#270)) ([861bcce](AnnabelJoe@861bcce)) * implement cooperative multi-meter management ([AnnabelJoe#351](AnnabelJoe#351)) ([640d0b9](AnnabelJoe@640d0b9)) * implement meter key revocation mechanism ([AnnabelJoe#339](AnnabelJoe#339)) ([ce90af9](AnnabelJoe@ce90af9)) * implement webhook notifications for certificate lifecycle events ([AnnabelJoe#353](AnnabelJoe#353)) ([4205191](AnnabelJoe@4205191)) * **load-test:** add k6 baseline + breakpoint scenarios, p95<500ms threshold ([f019ccc](AnnabelJoe@f019ccc)) * mock Freighter wallet for CI testing ([#2](AnnabelJoe#2)) ([325b565](AnnabelJoe@325b565)) * **notifications:** email alerts for mint, retire, and mint failure ([AnnabelJoe#140](AnnabelJoe#140)) ([7ce4a12](AnnabelJoe@7ce4a12)) * **security:** add HTTP security headers ([AnnabelJoe#129](AnnabelJoe#129)) ([944c5b9](AnnabelJoe@944c5b9)) * **security:** add RLS policies for multi-tenant isolation ([AnnabelJoe#274](AnnabelJoe#274)) ([9b2ce49](AnnabelJoe@9b2ce49)) * **security:** API key auth for meter submissions ([AnnabelJoe#131](AnnabelJoe#131)) ([a437a9b](AnnabelJoe@a437a9b)) * **security:** HTTPS redirect and HSTS headers ([45c9c81](AnnabelJoe@45c9c81)) * **security:** restrict Supabase service role key usage ([AnnabelJoe#134](AnnabelJoe#134)) ([037e825](AnnabelJoe@037e825)) * staging environment deployment pipeline ([AnnabelJoe#295](AnnabelJoe#295)) ([8169df0](AnnabelJoe@8169df0)) * support fractional kWh tokens with 3 decimal places ([84ee9a6](AnnabelJoe@84ee9a6)), closes [AnnabelJoe#354](AnnabelJoe#354) * **testing:** add mutation testing for Rust contracts and TS utilities ([AnnabelJoe#331](AnnabelJoe#331)) ([29135d5](AnnabelJoe@29135d5)) * **web:** real-time energy chart with WebSocket + polling fallback ([AnnabelJoe#260](AnnabelJoe#260)) ([7881a7e](AnnabelJoe@7881a7e)) ### Bug Fixes * **ci:** add dependency license compliance check ([AnnabelJoe#344](AnnabelJoe#344)) ([ab4b39e](AnnabelJoe@ab4b39e)) * resolve conflicts, reconcile retirement model, and fix tests ([a0d4332](AnnabelJoe@a0d4332)) * resolve JSX parse errors in dashboard and verify pages ([a1ec4b7](AnnabelJoe@a1ec4b7)) * resolve residual merge conflict markers ([1c8b371](AnnabelJoe@1c8b371)) * resolve workspace compilation and type errors ([042221a](AnnabelJoe@042221a)) * **security:** add security headers to all HTTP responses ([AnnabelJoe#340](AnnabelJoe#340)) ([1d6db6b](AnnabelJoe@1d6db6b)) * **security:** implement audit logging for sensitive operations ([AnnabelJoe#341](AnnabelJoe#341)) ([34d0971](AnnabelJoe@34d0971)) * **security:** implement CSP headers for Next.js web app ([AnnabelJoe#333](AnnabelJoe#333)) ([2834203](AnnabelJoe@2834203)) ### Documentation * add hardware meter integration guide ([AnnabelJoe#320](AnnabelJoe#320)) ([f5c4b3e](AnnabelJoe@f5c4b3e)) * add inline comments and required/optional markers to .env.example ([AnnabelJoe#318](AnnabelJoe#318)) ([92ea4da](AnnabelJoe@92ea4da)) * add mainnet deployment process and checklist to deployments.md ([AnnabelJoe#285](AnnabelJoe#285)) ([c08ad58](AnnabelJoe@c08ad58)) * add operational runbooks ([AnnabelJoe#315](AnnabelJoe#315)) ([2638a9f](AnnabelJoe@2638a9f)) * add OWASP Top 10 security review and remediate misconfiguration ([AnnabelJoe#334](AnnabelJoe#334)) ([092e901](AnnabelJoe@092e901)) * add SECRETS.md — centralized secrets management guide ([AnnabelJoe#289](AnnabelJoe#289)) ([90eed76](AnnabelJoe@90eed76)) * add Stellar mainnet deployment checklist and go-live plan ([120d730](AnnabelJoe@120d730)), closes [AnnabelJoe#142](AnnabelJoe#142) * add user guide for web dashboard (closes [AnnabelJoe#317](AnnabelJoe#317)) ([eb1a425](AnnabelJoe@eb1a425)) * **audit:** add security audit engagement tracking and remediation policy ([bca11a2](AnnabelJoe@bca11a2)) * **contracts:** add/enhance Rust doc comments on all public functions ([AnnabelJoe#319](AnnabelJoe#319)) ([18c472a](AnnabelJoe@18c472a)) * create SECURITY.md with vulnerability disclosure policy ([AnnabelJoe#314](AnnabelJoe#314)) ([7698660](AnnabelJoe@7698660)) * **performance:** ensure load test baseline + breaking point documentation ([9a0056a](AnnabelJoe@9a0056a)) * standardize CHANGELOG.md and update PR template [AnnabelJoe#312](AnnabelJoe#312) ([8281f08](AnnabelJoe@8281f08))
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds
fuzz_governancefuzz target covering the fullcommunity_governanceproposal lifecycle: propose → vote → finalize → execute.What's included
fuzz/fuzz_targets/fuzz_governance.rs— fuzz target with arbitrary voter count, voting period, and approve/reject bit pattern[[bin]]infuzz/Cargo.tomlInvariants verified
propose()always returns a positive proposal IDfinalize()always produces a terminal status (Passed / Rejected / Expired)execute()only runs after Passed + timelock, and results in Executed statusTesting
Run with:
cargo +nightly fuzz run fuzz_governancefromapps/contracts/fuzz/Closes AnnabelJoe#558