Merge pull request #18 from theredguild/develop

feat: Overhaul devcontainer configurations and add experimental paranoid mode

Author: mattaereal

.devcontainer/hardened/Dockerfile .devcontainer/airgapped/Dockerfile.devcontainer/hardened/Dockerfile renamed to .devcontainer/airgapped/Dockerfile

@@ -3,7 +3,7 @@
   // This is the HARDENED version of TRG's DevContainer - provides enhanced security
   // with capability dropping, security options, and resource limits while maintaining
   // network connectivity for development.
-  "name": "Hardened TRG's DevContainer",
+  "name": "Air-gapped TRG's DevContainer",
 
   // Build configuration - uses the local Dockerfile in this directory
   "build": {
@@ -23,23 +23,13 @@
   // Container environment variables
   "containerEnv": {
     "SHELL": "/bin/zsh",  // Use zsh as the default shell
-    "DEVCONTAINER_ID_LABEL": "hardened-web3-devcontainer"  // Label for container identification
+    "DEVCONTAINER_ID_LABEL": "airgapped-web3-devcontainer"  // Label for container identification
   },
 
   // Configure tool-specific properties for VS Code
   "customizations": {
     "vscode": {
       // Web3 security and development extensions
-      "extensions": [
-        "tintinweb.ethereum-security-bundle",  // Comprehensive Ethereum security tools
-        "tintinweb.vscode-ethover",           // Ethereum hover information
-        "trailofbits.weaudit",                // Trail of Bits audit tools
-        "tintinweb.vscode-inline-bookmarks",  // Inline code bookmarks
-        "tintinweb.vscode-solidity-language", // Solidity language support
-        "tintinweb.graphviz-interactive-preview", // Graph visualization
-        "trailofbits.contract-explorer",      // Smart contract exploration
-        "tintinweb.vscode-decompiler"        // Contract decompilation
-      ],
       // VS Code settings for security and functionality
       "settings": {
           // Security settings - killswitch for automated tasks
@@ -69,7 +59,7 @@
     // If you need to extract something from within the container, you can use docker cp, but use it at your own risk. 
     // If you want to develop your devcontainer, you should comment this things, otherwise your changes inside the live container won't persist.
     // Disables mounting the host workspace into the container for isolation.
-    "workspaceMount": "type=tmpfs,destination=/workspace",
+    "workspaceMount": "type=tmpfs,destination=/workspace,tmpfs-mode=1777",
     // Sets a workspace path entirely isolated within the container
     "workspaceFolder": "/workspace",
 
@@ -98,15 +88,7 @@
       // Network security configuration
       // If you really want to isolate it, just disconnect it from the internet. 
       // You should COPY your working files inside before, otherwise you'll have to mount them manually.
-      // "--network=none",
-      
-      // IPv6 security - disable IPv6 to reduce attack surface
-      "--sysctl=net.ipv6.conf.all.disable_ipv6=1",    // Disable IPv6 globally
-      "--sysctl=net.ipv6.conf.default.disable_ipv6=1", // Disable IPv6 by default
-      
-      // Network capability restrictions
-      "--cap-drop=NET_RAW",                            // Disable raw packet access
-      "--network=bridge",                              // Use bridge networking
+      "--network=none",
 
       // DNS configuration for security and reliability
       "--dns=1.1.1.1",                                // Primary DNS (Cloudflare)

.devcontainer/hardened/devcontainer.json .devcontainer/airgapped/devcontainer.json.devcontainer/hardened/devcontainer.json renamed to .devcontainer/airgapped/devcontainer.json

@@ -58,11 +58,8 @@
         }
     },
 
-    // Mount isolation configuration for security and development workflow
-    // If you need to extract something from within the container, you can use docker cp, but use it at your own risk. 
-    // If you want to develop your devcontainer, you should comment this things, otherwise your changes inside the live container won't persist.
-    // Disables mounting the host workspace into the container for isolation.
-    "workspaceMount": "type=tmpfs,destination=/workspace",
+    // Mount copying host folder into container, no isolation.
+    "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=cached",
     // Sets a workspace path entirely isolated within the container
     "workspaceFolder": "/workspace",
 

.devcontainer/auditor/devcontainer.json

@@ -0,0 +1 @@
+Subproject commit 78f2b0c2440709a9067ae7ca64f55d2199b03b8a

.devcontainer/eth-security-toolbox

@@ -1,14 +1,16 @@
 # syntax=docker/dockerfile:1.8
 # check=error=true
 # 
-# ISOLATED TRG DevContainer Dockerfile
-# This Dockerfile creates a highly isolated development environment for Web3 security research
-# with maximum security isolation, read-only filesystem, and network isolation.
+# HARDENED TRG DevContainer Dockerfile
+# This Dockerfile creates a security-hardened development environment for Web3 security research
+# with enhanced security features, capability dropping, and minimal attack surface.
 # 
 # Key security features:
+# - Multi-stage build for Echidna binary
 # - Non-root user execution
 # - Minimal package installation
 # - Security-hardened toolchain
+# - Reduced tool set for security focus
 
 ## Multi-stage build for Echidna
 # Pull latest prebuilt Echidna binary from Crytic's official image
@@ -17,7 +19,7 @@ FROM --platform=linux/amd64 ghcr.io/crytic/echidna/echidna:latest AS echidna
 
 # Base image: Latest Debian with VS Code DevContainer support
 # This provides a stable, security-focused base for development
-FROM mcr.microsoft.com/vscode/devcontainers/base:debian
+FROM mcr.microsoft.com/devcontainers/base:bookworm
 
 # Install essential system packages for development
 # These are the minimal packages needed for Web3 development tools
@@ -35,6 +37,8 @@ RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-ins
     zsh                   # Advanced shell \
     && rm -rf /var/lib/apt/lists/*
 
+
+    
 # Install Python development dependencies
 # Required for Python-based security tools and package management
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
@@ -100,17 +104,6 @@ USER vscode
 ENV PNPM_HOME=${HOME}/.local/share/pnpm
 ENV PATH=${PATH}:${PNPM_HOME}
 
-# Install Python-based security analysis tools (reduced set for security focus)
-# These tools provide essential smart contract security analysis
-# Focused on core tools: slither, mythril, crytic-compile, halmos, solc-select
-RUN uv tool install slither-analyzer && \ 
-    uv tool install crytic-compile && \ 
-    uv tool install slither-lsp && \ 
-    uv tool install mythril && \ 
-    uv tool install halmos && \ 
-    uv tool install solc-select && \
-    solc-select install 0.4.26 0.5.17 0.6.12 0.7.6 0.8.10 latest && solc-select use latest
-
 # Install Foundry framework for Ethereum development
 # Foundry provides Forge (testing), Cast (interaction), and Anvil (local blockchain)
 RUN curl -fsSL https://foundry.paradigm.xyz | zsh && \
@@ -135,6 +128,17 @@ RUN git clone https://github.com/crytic/medusa $HOME/medusa && \
 WORKDIR $HOME
 RUN rm -rf medusa/
 
+# Install Python-based security analysis tools (reduced set for security focus)
+# These tools provide essential smart contract security analysis
+# Focused on core tools: slither, mythril, crytic-compile, halmos, solc-select
+RUN uv tool install slither-analyzer && \ 
+    uv tool install crytic-compile && \ 
+    uv tool install slither-lsp && \ 
+    uv tool install mythril && \ 
+    uv tool install halmos && \ 
+    uv tool install solc-select && \
+    solc-select install 0.4.26 0.5.17 0.6.12 0.7.6 0.8.10 latest && solc-select use latest
+
 # Copy Echidna binary from echidna stage to final image
 # This provides the prebuilt Echidna tool without rebuilding
 USER root

.devcontainer/isolated/Dockerfile

@@ -1,7 +1,8 @@
 {
   // For format details, see https://aka.ms/devcontainer.json.
-  // This is the ISOLATED version of TRG's DevContainer - provides maximum security isolation
-  // with a read-only filesystem and network isolation for high-security Web3 development.
+  // This is the HARDENED version of TRG's DevContainer - provides enhanced security
+  // with capability dropping, security options, and resource limits while maintaining
+  // network connectivity for development.
   "name": "Isolated TRG's DevContainer",
 
   // Build configuration - uses the local Dockerfile in this directory
@@ -29,7 +30,6 @@
   "customizations": {
     "vscode": {
       // Web3 security and development extensions
-      // check out https://marketplace.visualstudio.com/items?itemName=tintinweb.ethereum-security-bundle for more information
       "extensions": [
         "tintinweb.ethereum-security-bundle",  // Comprehensive Ethereum security tools
         "tintinweb.vscode-ethover",           // Ethereum hover information
@@ -56,54 +56,70 @@
           "terminal.integrated.defaultProfile.linux": "zsh",  // Use zsh by default
           "terminal.integrated.profiles.linux": { "zsh": { "path": "/usr/bin/zsh" } }
           // Using bash might be more safe and stable, but zsh provides better features
-        }
+        },
     }
   },
 
   // Commands to run during container lifecycle
-  "initializeCommand": "echo 'Initializing isolated dev container...'",
+  "initializeCommand": "echo 'Initializing hardened dev container...'",
   "postStartCommand": "echo '🚀 Dev container is ready for Web3 development!'",
 
-  // Workspace configuration - isolated within container
-  "workspaceFolder": "/workspace",
-  // Mount workspace as tmpfs for complete isolation - no host file access.
-  // This ensures that the workspace is ephemeral and does not persist data.
-  "workspaceMount": "type=tmpfs,destination=/workspace,tmpfs-mode=1777",
-  
-  // Docker run arguments for security and isolation
-  "runArgs": [
-    // Security hardening - drop all Linux capabilities to reduce attack surface
-    "--cap-drop=ALL",
-    
-    // Read-only filesystem for maximum security, preventing any persistent changes
-    "--read-only",
-    
-    // Security options for container isolation
-    "--security-opt",
-    "no-new-privileges:true",      // Prevent privilege escalation from within the container
-    "--security-opt",
-    "apparmor=docker-default",     // Apply Docker's default AppArmor profile for enhanced security
-    
-    // Network isolation - completely disconnect from the internet for a secure environment
-    "--network=none",
-    
-      // --- Writable, EXECUTABLE Mounts for VS Code Server ---
-      "--tmpfs", "/home/vscode/.vscode-server:rw,exec,nosuid,size=512m,uid=1000,gid=1000",
-      "--tmpfs", "/home/vscode/.vscode-server-insiders:rw,exec,nosuid,size=256m,uid=1000,gid=1000",
 
-      // --- Writable, NON-EXECUTABLE Mounts for Caches, Configs, and Logs ---
-      "--tmpfs", "/home/vscode/.cache:rw,noexec,nosuid,size=256m,uid=1000,gid=1000",
-      "--tmpfs", "/home/vscode/.config:rw,noexec,nosuid,size=128m,uid=1000,gid=1000",
-      "--tmpfs", "/home/vscode/.local:rw,noexec,nosuid,size=256m,uid=1000,gid=1000",
-      "--tmpfs", "/home/vscode/.gnupg:rw,noexec,nosuid,size=32m,uid=1000,gid=1000",
-      "--tmpfs", "/tmp:rw,noexec,nosuid,size=512m",
-      "--tmpfs", "/var/tmp:rw,noexec,nosuid,size=512m",
-      "--tmpfs", "/var/log:rw,noexec,nosuid,size=128m",
-      "--tmpfs", "/run:rw,noexec,nosuid,size=128m",
-      "--tmpfs", "/home/vscode/.devcontainer:rw,noexec,nosuid,size=32m,uid=1000,gid=1000"
+    // Mount isolation configuration for security and development workflow
+    // If you need to extract something from within the container, you can use docker cp, but use it at your own risk. 
+    // If you want to develop your devcontainer, you should comment this things, otherwise your changes inside the live container won't persist.
+    // Disables mounting the host workspace into the container for isolation.
+    "workspaceMount": "type=tmpfs,destination=/workspace,tmpfs-mode=1777",
+    // Sets a workspace path entirely isolated within the container
+    "workspaceFolder": "/workspace",
 
-    // Resource limits for container performance and stability
-    // "--memory=1g",    // Limit container memory to 1GB to prevent resource exhaustion
-    // "--cpus=2"        // Limit container to 2 CPU cores for predictable performance
-  ]
+    // Docker run arguments for security hardening and resource management
+    "runArgs": [
+
+      // Temporary filesystem mounts with security restrictions
+      // These provide isolated, size-limited temporary storage
+      "--tmpfs=/tmp:rw,noexec,nosuid,size=512m",      // Main temporary directory
+      "--tmpfs=/var/tmp:rw,noexec,nosuid,size=512m",  // System temporary directory
+      "--tmpfs=/dev/shm:rw,noexec,nosuid,size=64m",   // Shared memory directory
+      
+      // Security hardening - drop all Linux capabilities
+      // This reduces the attack surface by removing unnecessary privileges
+      "--cap-drop=ALL",
+  
+      // Security options for container isolation
+      // A few security additions (AppArmor & no new privileges)
+      "--security-opt", "no-new-privileges",           // Prevent privilege escalation
+      "--security-opt", "apparmor:docker-default",     // Use Docker's default AppArmor profile
+  
+      // Use seccomp's default security profile
+      // seccomp provides system call filtering for additional security
+      // "--security-opt", "seccomp=default",
+  
+      // Network security configuration
+      // If you really want to isolate it, just disconnect it from the internet. 
+      // You should COPY your working files inside before, otherwise you'll have to mount them manually.
+      // "--network=none",
+      
+      // IPv6 security - disable IPv6 to reduce attack surface
+      "--sysctl=net.ipv6.conf.all.disable_ipv6=1",    // Disable IPv6 globally
+      "--sysctl=net.ipv6.conf.default.disable_ipv6=1", // Disable IPv6 by default
+      
+      // Network capability restrictions
+      "--cap-drop=NET_RAW",                            // Disable raw packet access
+      "--network=bridge",                              // Use bridge networking
+      
+      // DNS configuration for security and reliability
+      "--dns=1.1.1.1",                                // Primary DNS (Cloudflare)
+      "--dns=1.0.0.1",                                // Secondary DNS (Cloudflare)
+  
+      // Resource limits for container performance and security
+      // Play a little bit with resources to prevent resource exhaustion
+      // "--memory=512m",                              // Memory limit (commented out)
+      // "--cpus=2"                                    // CPU limit (commented out)
+    ],
+  
+    // Writable mounts in case you want to set --read-only above.
+    // Currently no additional mounts are configured
+    "mounts": [
+      ]
 }

.devcontainer/isolated/devcontainer.json

@@ -25,12 +25,8 @@
       // }
     },
 
-    // Mount isolation configuration for security and development workflow
-    // If you need to extract something from within the container, you can use docker cp, but use it at your own risk. 
-    // If you want to develop your devcontainer, you should comment this things, otherwise your changes inside the live container won't persist.
-    // Disables mounting the host workspace into the container for isolation.
-    "workspaceMount": "type=tmpfs,destination=/workspace",
-    // Sets a workspace path entirely isolated within the container
+    // Mount copying host folder into container, no isolation.
+    "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=cached",
     "workspaceFolder": "/workspace",
 
     // Docker run arguments for security hardening and resource management