Merge pull request #20 from theredguild/develop

(refactor): Added security considerations. Renamed `isolated` to `hardened` to more explicit description. Added Codespaces variant.

Author: mattaereal

.devcontainer/airgapped/devcontainer.json

@@ -55,19 +55,19 @@
   "postStartCommand": "echo '🚀 Dev container is ready for Web3 development!'",
 
 
-    // Mount isolation configuration for security and development workflow
+    // Mount hardening configuration for security and development workflow
     // If you need to extract something from within the container, you can use docker cp, but use it at your own risk. 
     // If you want to develop your devcontainer, you should comment this things, otherwise your changes inside the live container won't persist.
-    // Disables mounting the host workspace into the container for isolation.
+    // Disables mounting the host workspace into the container for hardening.
     "workspaceMount": "type=tmpfs,destination=/workspace,tmpfs-mode=1777",
-    // Sets a workspace path entirely isolated within the container
+    // Sets a hardened workspace
     "workspaceFolder": "/workspace",
 
     // Docker run arguments for security hardening and resource management
     "runArgs": [
 
       // Temporary filesystem mounts with security restrictions
-      // These provide isolated, size-limited temporary storage
+      // These provide size-limited temporary storage
       "--tmpfs=/tmp:rw,noexec,nosuid,size=512m",      // Main temporary directory
       "--tmpfs=/var/tmp:rw,noexec,nosuid,size=512m",  // System temporary directory
       "--tmpfs=/dev/shm:rw,noexec,nosuid,size=64m",   // Shared memory directory
@@ -76,7 +76,7 @@
       // This reduces the attack surface by removing unnecessary privileges
       "--cap-drop=ALL",
 
-      // Security options for container isolation
+      // Security options for container hardening
       // A few security additions (AppArmor & no new privileges)
       "--security-opt", "no-new-privileges",           // Prevent privilege escalation
       "--security-opt", "apparmor:docker-default",     // Use Docker's default AppArmor profile

.devcontainer/auditor/devcontainer.json

@@ -58,9 +58,9 @@
         }
     },
 
-    // Mount copying host folder into container, no isolation.
+    // Mount copying host folder into container, no hardening.
     "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=cached",
-    // Sets a workspace path entirely isolated within the container
+    // Sets a hardened workspace path 
     "workspaceFolder": "/workspace",
 
     // Docker run arguments for security hardening and resource management

.devcontainer/codespaces/devcontainer.json

@@ -0,0 +1,38 @@
+{
+    // For format details, see https://aka.ms/devcontainer.json.
+    // This is a Dev Container for Github Codespaces based on eth-security-toolbox image created by Trail of Bits
+    // check https://github.com/trailofbits/eth-security-toolbox for more information.
+    "name": "Codespaces TRG's DevContainer",
+    
+    // Build configuration - uses the eth-security-toolbox image
+    "image": "ghcr.io/trailofbits/eth-security-toolbox:nightly",
+    // Configure tool-specific properties for VS Code
+    "customizations": {
+        "vscode": {
+            // Specialized extensions for smart contract auditing and development
+            "extensions": [ 
+                // check out https://marketplace.visualstudio.com/items?itemName=tintinweb.ethereum-security-bundle for more information
+                "tintinweb.ethereum-security-bundle", // includes what is listed above ^
+                "tintinweb.vscode-ethover",
+                "trailofbits.weaudit",
+                "trailofbits.contract-explorer",
+                "trailofbits.sarif-explorer"
+            ],
+            // VS Code settings optimized for auditing workflows
+            "settings": {
+                    // Security settings - killswitch for automated tasks
+                    "task.autoDetect": "off",                    // Disable automatic task detection
+                    "task.problemMatchers.autoDetect": "off",    // Disable automatic problem matchers
+                    
+                    // Trust and security configuration
+                    "security.workspace.trust.enabled": false,   // Trust no one by default
+                    
+                    // Privacy settings - killswitch for telemetry
+                    "telemetry.telemetryLevel": "off",           // Disable all telemetry collection
+                    
+                    // Terminal configuration
+                    "terminal.integrated.defaultProfile.linux": "bash"
+            }
+        }
+    },
+}

.devcontainer/codespaces/motd

@@ -0,0 +1,29 @@
+
+┌──        ┌──┐      ──┬──
+├─         └──┐        │
+└──THEREUM─┴──┴ECURITY─┴OOLBOX
+
+https://github.com/trailofbits/eth-security-toolbox
+
+by   ################
+    ##########TRAIL#
+         ####       
+        ####    ###########
+       ####    ###########
+      \###    ####     ####
+     /\\# of ####     ####
+    /  \    ############ 
+    \__/   ####      ####
+          \###      ####
+         /\\#########
+        /__\\##BITS#
+
+Security Tools and Resources Installed:
+
+https://github.com/crytic/echidna
+https://github.com/crytic/medusa
+https://github.com/crytic/slither
+https://github.com/crytic/building-secure-contracts
+
+Use `solc-select` to switch between different versions of `solc`
+

.devcontainer/eth-security-toolbox/devcontainer.json

@@ -36,9 +36,9 @@
         }
     },
 
-    // Mount copying host folder into container, no isolation.
+    // Mount copying host folder into container, no hardening.
     "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=cached",
-    // Sets a workspace path entirely isolated within the container
+    // Sets a workspace path entirely hardened within the container
     "workspaceFolder": "/workspace",
 
     // Docker run arguments for security hardening and resource management
@@ -48,7 +48,7 @@
       // "--read-only",
 
       // Temporary filesystem mounts with security restrictions
-      // These provide isolated, size-limited temporary storage
+      // These provide hardened, size-limited temporary storage
       "--tmpfs=/tmp:rw,noexec,nosuid,size=512m",      // Main temporary directory
       "--tmpfs=/var/tmp:rw,noexec,nosuid,size=512m",  // System temporary directory
       "--tmpfs=/dev/shm:rw,noexec,nosuid,size=64m",   // Shared memory directory
@@ -57,7 +57,7 @@
       // This reduces the attack surface by removing unnecessary privileges
       "--cap-drop=ALL",
 
-      // Security options for container isolation
+      // Security options for container hardening
       // A few security additions (AppArmor & no new privileges)
       "--security-opt", "no-new-privileges",           // Prevent privilege escalation
       "--security-opt", "apparmor:docker-default",     // Use Docker's default AppArmor profile

.devcontainer/isolated/Dockerfile .devcontainer/hardened/Dockerfile.devcontainer/isolated/Dockerfile renamed to .devcontainer/hardened/Dockerfile

@@ -3,7 +3,7 @@
   // This is the HARDENED version of TRG's DevContainer - provides enhanced security
   // with capability dropping, security options, and resource limits while maintaining
   // network connectivity for development.
-  "name": "Isolated TRG's DevContainer",
+  "name": "Hardened TRG's DevContainer",
 
   // Build configuration - uses the local Dockerfile in this directory
   "build": {
@@ -23,7 +23,7 @@
   // Container environment variables
   "containerEnv": {
     "SHELL": "/bin/zsh",  // Use zsh as the default shell
-    "DEVCONTAINER_ID_LABEL": "isolated-web3-devcontainer"  // Label for container identification
+    "DEVCONTAINER_ID_LABEL": "hardened-web3-devcontainer"  // Label for container identification
   },
 
   // Configure tool-specific properties for VS Code
@@ -65,19 +65,18 @@
   "postStartCommand": "echo '🚀 Dev container is ready for Web3 development!'",
 
 
-    // Mount isolation configuration for security and development workflow
+    // Mount hardening configuration for security and development workflow
     // If you need to extract something from within the container, you can use docker cp, but use it at your own risk. 
     // If you want to develop your devcontainer, you should comment this things, otherwise your changes inside the live container won't persist.
-    // Disables mounting the host workspace into the container for isolation.
+    // Disables mounting the host workspace into the container for hardening.
     "workspaceMount": "type=tmpfs,destination=/workspace,tmpfs-mode=1777",
-    // Sets a workspace path entirely isolated within the container
     "workspaceFolder": "/workspace",
 
     // Docker run arguments for security hardening and resource management
     "runArgs": [
 
       // Temporary filesystem mounts with security restrictions
-      // These provide isolated, size-limited temporary storage
+      // These provide hardened, size-limited temporary storage
       "--tmpfs=/tmp:rw,noexec,nosuid,size=512m",      // Main temporary directory
       "--tmpfs=/var/tmp:rw,noexec,nosuid,size=512m",  // System temporary directory
       "--tmpfs=/dev/shm:rw,noexec,nosuid,size=64m",   // Shared memory directory
@@ -86,7 +85,7 @@
       // This reduces the attack surface by removing unnecessary privileges
       "--cap-drop=ALL",
 
-      // Security options for container isolation
+      // Security options for container hardening
       // A few security additions (AppArmor & no new privileges)
       "--security-opt", "no-new-privileges",           // Prevent privilege escalation
       "--security-opt", "apparmor:docker-default",     // Use Docker's default AppArmor profile

.devcontainer/isolated/devcontainer.json .devcontainer/hardened/devcontainer.json.devcontainer/isolated/devcontainer.json renamed to .devcontainer/hardened/devcontainer.json

@@ -21,10 +21,10 @@
     // }
   },
 
-  // Mount isolation. If you need to extract something from within the container, you can use docker cp, but use it at your own risk. If you want to develop your devcontainer, you should comment this things, otherwise your changes inside the live container won't persist.
+  // Mount hardening. If you need to extract something from within the container, you can use docker cp, but use it at your own risk. If you want to develop your devcontainer, you should comment this things, otherwise your changes inside the live container won't persist.
   // Disables mounting the host workspace into the container.
   "workspaceMount": "type=tmpfs,destination=/workspace",
-  // Sets a workspace path entirely isolated within the container
+  // Sets a workspace path entirely hardened within the container
   "workspaceFolder": "/home/vscode/quests",
   "runArgs": [
     // Read only filesystem except for explicitly writable volumes (check mounts)

.devcontainer/legacy/devcontainer.json

@@ -1,6 +1,6 @@
 {
     // For format details, see https://aka.ms/devcontainer.json.
-    // This is the MINIMAL version of TRG's DevContainer - provides essential security isolation
+    // This is the MINIMAL version of TRG's DevContainer - provides essential security hardening
     // with a balanced approach between security and usability for Web3 development.
     "name": "Minimal TRG's DevContainer",
 
@@ -25,7 +25,7 @@
       // }
     },
 
-    // Mount copying host folder into container, no isolation.
+    // Mount copying host folder into container, no hardening.
     "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=cached",
     "workspaceFolder": "/workspace",
 
@@ -36,7 +36,7 @@
       // "--read-only",
 
       // Temporary filesystem mounts with security restrictions
-      // These provide isolated, size-limited temporary storage
+      // These provide hardened, size-limited temporary storage
       "--tmpfs=/tmp:rw,noexec,nosuid,size=512m",      // Main temporary directory
       "--tmpfs=/var/tmp:rw,noexec,nosuid,size=512m",  // System temporary directory
       "--tmpfs=/dev/shm:rw,noexec,nosuid,size=64m",   // Shared memory directory
@@ -45,7 +45,7 @@
       // This reduces the attack surface by removing unnecessary privileges
       "--cap-drop=ALL",
 
-      // Security options for container isolation
+      // Security options for container hardening
       // A few security additions (AppArmor & no new privileges)
       "--security-opt", "no-new-privileges",           // Prevent privilege escalation
       "--security-opt", "apparmor:docker-default",     // Use Docker's default AppArmor profile

.devcontainer/minimal/devcontainer.json

@@ -1,9 +1,9 @@
 # syntax=docker/dockerfile:1.8
 # check=error=true
 # 
-# ISOLATED TRG DevContainer Dockerfile
-# This Dockerfile creates a highly isolated development environment for Web3 security research
-# with maximum security isolation, read-only filesystem, and network isolation.
+# PARANOID TRG DevContainer Dockerfile
+# This Dockerfile creates a highly paranoid development environment for Web3 security research
+# with maximum security hardening, read-only filesystem, and network hardening.
 # 
 # Key security features:
 # - Non-root user execution