build(deps): bump actions/setup-node from 4 to 6#2
Open
dependabot[bot] wants to merge 1 commit into
Open
Conversation
Author
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
miningtheblocks
added a commit
that referenced
this pull request
Jun 17, 2026
… distribuido
Tres CRIT del audit Round 2 que comparten el área del mint processor + feed
realtime multiplayer. Eran independientes pero juntos cierran el bloque
"robustez onchain + realtime":
1. Schema canónico `minedAt` en mineCube.
Antes se escribía `ts: Date.now()` en mined/{cubeId}, pero
firestore.indexes.json declara mined[K, minedAt DESC] y DynamicCube201.js
subscribe con orderBy('minedAt', 'desc'). El index quedaba unused y el
feed multiplayer recibía snapshot vacío — solo aparentaba funcionar
por el optimistic local update del usuario que minó.
(Agentes #2 CRIT + #5 CRIT-1 + #12 cross-ref)
2. tx.wait(SAFE_CONFIRMATIONS=30) en runMintProcessing.
Polygon PoS confirma checkpoints cada ~30min y reorgs de hasta 100
bloques se observaron históricamente. tx.wait() sin parámetro vuelve al
primer block include — un reorg posterior puede revertir el mint
mientras Firestore ya tiene status:completed. User queda sin NFT
on-chain y sin trail para reclamo.
30 bloques @ ~2.2s ≈ 66s extra de espera por mint. Aceptable para un
cron 5min con queue chica; reduce a ~0% el riesgo de "NFT fantasma".
(Agentes #3 CRIT-6 + #8 CRIT-1)
3. Lock distribuido en `runtime/mintProcessor` con TTL 10min.
Antes, `processPendingMints` (onCall admin manual) y
`mintProcessorScheduled` (onSchedule cron 5min) podían correr
concurrentes y enviaban mintGem() con el MISMO nonce de la company
wallet → una falla con "nonce too low", MATIC quemado en gas, race
en doc.status=processing, backlog stuck.
Lock pattern: TX read snapshot, check expiresAt, write si libre.
Auto-release en finally + TTL backup si el worker crashea. Las rules
son default-deny para /runtime/* — cliente no puede tocarlo.
(Agentes #3 CRIT-4 + #8 CRIT-3)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
c727ee9 to
c32cbc9
Compare
miningtheblocks
added a commit
that referenced
this pull request
Jun 18, 2026
…n plural
Cubre 5 hallazgos de los reportes de los 12 agentes que quedaron sin
attended en commits A-Z.
1. HIGH-09-04: App Links autoVerify para deep links HTTPS
- docs/.well-known/assetlinks.json declara SHA-256 BF:8F:25... del
keystore mtb-release-v2 → Android verifica al install que el APK
viene del owner del dominio miningtheblocks.com.
- AndroidManifest.xml: intent-filter android:autoVerify="true" para
scheme=https + host=miningtheblocks.com + pathPrefix=/app/. Sin esto,
otra app maliciosa podría declarar el mismo scheme y secuestrar el
callback.
- App.js DeepLinkHandler reconoce https://miningtheblocks.com/app/<page>
además del scheme mtb:// existente.
- docs/app/index.html: fallback page para users que clickean el link
sin tener la app instalada (los redirige al GitHub releases).
2. HIGH #2/#12 (Firestore rules): query.limit caps explícitos
- activityFeed: limit <= 100 (sin cap, cliente authed traía la
colección entera en bucle).
- mined: limit <= 500 (servidor con 6 capas = ~50k cubos).
Cost amplification prevention. Deployed via firebase deploy.
3. P3 defense-in-depth (firebase.json hosting headers):
- Cross-Origin-Opener-Policy: same-origin (isola browsing context al
window.open).
- Cross-Origin-Resource-Policy: same-origin (mis assets no embebibles
cross-origin como <img>/<script>/etc.).
- Permissions-Policy extendida: autoplay, display-capture,
encrypted-media, fullscreen=(self), picture-in-picture, screen-wake-lock,
sync-xhr, web-share, xr-spatial-tracking, etc. — cierra ~10 features
no usadas que el browser exponía por default.
- STS preload directive agregado (`includeSubDomains; preload`).
- COEP `require-corp` evaluado y descartado: rompería verify.html
(Firebase SDK desde gstatic.com sin CORP headers).
4. CRIT-10-04 follow-up: pluralization helper tn(key, count, vars)
- CLDR plural rules para en/es (binary: one / other).
- Uso: tn('gem.found', 5, { tier: 3 }) → busca 'gem.found_one' o
'gem.found_other' con `{count}` autoinyectado como var.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
c32cbc9 to
d6d441e
Compare
miningtheblocks
added a commit
that referenced
this pull request
Jun 23, 2026
Smart contract V2 (cierra CRIT-S1/S2/S3 + MED-S1 + HIGH-S1): - Deploy: 0x2933Ff14AdeC0a4D74aD8380E5c491321bBd3195 (Polygon mainnet, verified) - AccessControl 2-of-3 Safe (0x83a3F5...86aCD) ADMIN+PAUSER, EOA nftv2 MINTER - Supply caps inmutables por tier [1,1,5,50,100,500,1000,4000,10000] - tokenURI canónico por tier (caller no controla URI) - renounceRole(ADMIN) bloqueado (anti-bricking) - functions/index.js: ABI actualizado (mintGem 3 args sin tokenURI_) Backend fixes (batch 3): - #2 HIGH-1 cross-attribution USDC: senderWalletAddress opt-in + match con event.args.from - #4 HIGH-M1 gem-loss window: gem + pendingMint dentro del TX con docIds determinísticos - #4 HIGH-R1 cap referrer bonus: 50 invitados rewarded max (campo referralsRewarded) - #2 HIGH-2 rateLimits TTL: expiresAt usa Timestamp.fromMillis - #3 MED-4 Sentry PII scrubber: beforeSend + beforeBreadcrumb sobre email/wallet/phone Build / Deploy (batch 1): - #9 HIGH-1 credentialsSource:local en eas.json production - #9 HIGH-3 versionCode:5 en app.json - #9 HIGH-4 runtimeVersion appVersion en app.json - #9 HIGH-7 MTB-v1.1.0.apk.sha256 copiado a docs/ - #9 HIGH-8 download URL -> releases/latest Supply chain (batch 1+2): - #5 HIGH-2 nodemailer ^8.0.10 -> ^9.0.1 - #5 HIGH-3 npm overrides ws@^8.21.0 + undici@^6.27.0 - #5 HIGH-4 npm audit en root agregado al CI - #5 HIGH-5 @cyclonedx/cdxgen pinned a 11.5.0 (no @latest) Privacy / Legal (batch 1+2): - #8 HIGH-1 retention 5y AML/KYC explícito (EN + ES) - #8 HIGH-2 governing law: Argentina/Buenos Aires (EN + ES) - #8 HIGH-8 clarificado solo email+password sin OAuth Apple/Google (EN + ES) Frontend security (batch 2): - #3 HIGH-1 verify.html inline script -> public/verify.js + removido unsafe-inline - #3 HIGH-2 el() helper sin innerHTML Web / SEO / a11y (batch 1+2): - #10 HIGH-5 frame-buster JS anti-clickjacking - #10 HIGH-6 docs/robots.txt + docs/sitemap.xml - #10 HIGH-7 OG + Twitter Card + canonical en docs/index.html - #10 HIGH-8 label for=... en form inputs + .sr-only utility Smart contract tooling: - contracts/MTBGemsV2.sol (source) + contracts_build/ (hardhat 0.8.27 cancun, 17/17 tests) Pre-commit hook: refinado patrón anti-secret para no flagear tx hashes públicos en docs y constantes role de OpenZeppelin. Pendiente acción manual (documentado en PENDING_FIXES.md): - cd functions && npm install - firebase deploy --only functions / --only hosting - GitHub Settings -> Pages -> Enforce HTTPS - DNS records SPF/DMARC/CAA en Cloudflare Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
miningtheblocks
added a commit
that referenced
this pull request
Jun 23, 2026
Doc en RUNBOOK de las copias offline del keystore release v2 hechas el 2026-06-23: - Copia #1: Hitachi sda /run/media/code/datos/keystore-backup-2026-06-23/ - Copia #2: USB Kingston DT 101 G2 (DataTraveler, extraído físicamente) - Copia #3: off-site (pendiente) Test recovery EXITOSO 2026-06-23: descifrado con password de Bitwarden, SHA-256 raw matches 36785fb2...af9f6f64. Próximo test recovery 2027-Q1. Pre-fix: 1 keystore + 1 .gpg, ambos en el MISMO disco sdb (PNY SSD). Disk failure = bricked release line forever (mismo modo del v1 perdido). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
miningtheblocks
added a commit
that referenced
this pull request
Jun 23, 2026
Pre-fix: el monto SIEMPRE era $15.XX random (15.01-15.99) para
identificar de qué user es cada pago USDC (USDC no tiene memo field
como otras cryptos). UX confusa ("¿por qué me cobran $15.55?") + costo
extra de 1-99¢ por crédito sobre el user.
Sistema híbrido:
- Si el caller pasa senderWalletAddress (la wallet del user):
* Monto: $15.00 redondo
* docId: walletpay_${senderWalletAddress}
* Processor matchea por `from` address del Transfer event (lógica
ya implementada commit a5cb3aa audit #2 HIGH-1)
- Si NO pasa senderWalletAddress (legacy/sin wallet linked):
* Monto: $15.XX con cents random (1..99)
* docId: amt_${amountUnits}
* Processor matchea por amount (comportamiento original)
Frontend (BuyCredits.js): lee userData.walletAddress del onSnapshot del
user doc. Si está populated → pasa la wallet a callCreateCryptoPayment.
Si user no tiene wallet linked (registro reciente) → omite el param.
src/firebase/functions.js: signature actualizado para aceptar el
senderWalletAddress como argumento opcional.
Backend tx atómica: si ya hay un pending para esa walletpay_${addr}, lo
re-usa en vez de fallar (soporta retries del cliente). Si está expired
o de otro status, lo sobreescribe.
Impact: 90%+ de users (que tienen wallet linked al usar la app a fondo)
ahora pagan $15.00 limpio. Usuarios nuevos sin wallet → siguen con $15.XX.
38/38 tests passing.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4 to 6. - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@v4...v6) --- updated-dependencies: - dependency-name: actions/setup-node dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
d6d441e to
060ed68
Compare
miningtheblocks
added a commit
that referenced
this pull request
Jun 25, 2026
PROBLEMA — Apretar botón de cara terminaba en cara incorrecta: Reproducción: estando en grid mode mirando "left", apretar "back" iba a "front". El render loop salía/entraba a grid mode durante la animación de goToFaceCenter (3 fases: zoom out a 650 → rotar → zoom in a 118.85). La fase 1 (distance=650 > EXIT_GRID_DIST=275) disparaba la transición auto grid→cube que limpiaba requestedFaceRef. Al volver a grid en fase 3, la cara solicitada se había perdido → fallback a lastDetectedFaceIndexRef que durante el zoom out apuntaba a 'front'. Fix (DynamicCube201.js render loop ~L3491): Agregar `suppressedAutoGrid = nowTs < suppressAutoGridRef.current` y sumarlo a las condiciones de shouldUseCameraMode / stickyGrid. Durante los ~1860ms de animación que goToFaceCenter cubre vía suppressAutoGridRef, el modo grid y requestedFaceRef se mantienen → la cámara aterriza en la cara correcta. BACKEND — firestore.rules cap subido de 500 a 2500: El listener de mined pedía limit(2500) pero las rules cap eaban a 500 (Round 2 #2/#12 HIGH). Quedó desincronizado en algún commit anterior → query del listener fallaba con permission-denied → minedCubes nunca se poblaba en cold start → parches no persistían. Confirmado via logcat. LIMPIEZA: - Quitar toasts de diagnóstico (Mineds DB / ERR Firestore) — eran solo para identificar el bug de rules, ya cumplió su función. - Mantener console.warn en error handler del onSnapshot. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps actions/setup-node from 4 to 6.
Release notes
Sourced from actions/setup-node's releases.
... (truncated)
Commits
48b55a0Update Node.js versions in versions.yml and bump package to v6.4.0 (#1533)ab72c7eUpgrade@actionsdependencies (#1525)53b8394Bump minimatch from 3.1.2 to 3.1.5 (#1498)54045abScope test lockfiles by package manager and update cache tests (#1495)c882bffReplace uuid with crypto.randomUUID() (#1378)774c1d6feat(node-version-file): support parsingdevEnginesfield (#1283)efcb663fix: remove hardcoded bearer (#1467)d02c89dFix npm audit issues (#1491)6044e13Docs: bump actions/checkout from v5 to v6 (#1468)8e49463Fix README typo (#1226)