merging master into experiimental#351
Conversation
| npx hardhat run scripts/deploy.js --network optimism | ||
| # ... etc for each chain | ||
| ``` | ||
|
|
There was a problem hiding this comment.
Documentation references non-existent script directory paths
High Severity
The deployment documentation instructs users to run commands like node scripts/deploy-evm-chain.js and cp scripts/hardhat.config.template.js hardhat.config.js, but these scripts are actually located at Scripts/Smart Contracts/, not scripts/. Every command users run following the documentation will fail with "file not found" errors. The deployment scripts exist but at the wrong path documented.
Additional Locations (2)
| npm run deploy:all:testnet | ||
| npm run deploy:aptos:testnet | ||
| npm run deploy:sui:mainnet | ||
| # ... see package.json for all scripts |
There was a problem hiding this comment.
Missing npm scripts referenced in documentation
High Severity
The documentation claims users can run npm scripts like npm run check-status, npm run deploy:ethereum:testnet, and npm run deploy:all:testnet, but the root package.json contains no scripts section at all—only a devDependency for mermaid-cli. Users attempting to run these documented commands will get "missing script" errors.
Additional Locations (1)
| 3. **Checklist**: `DEPLOYMENT_CHECKLIST.md` - Step-by-step checklist | ||
| 4. **Status**: `DEPLOYMENT_STATUS.md` - Current deployment status | ||
| 5. **Scripts**: `scripts/README.md` - Scripts documentation | ||
| 6. **Summary**: `scripts/DEPLOYMENT_AUTOMATION_SUMMARY.md` - Automation overview |
There was a problem hiding this comment.
Documentation index references non-existent files
Medium Severity
The documentation index references scripts/QUICK_START.md and scripts/README.md as available documentation files, but these files don't exist at the specified paths. Users looking for the Quick Start guide or Scripts documentation will encounter broken references.
Additional Locations (1)
| shell: pwsh | ||
| run: | | ||
| & "OASIS Omniverse/STARAPIClient/run_star_api_test_suite.ps1" -Configuration Release -KillStaleTestHosts $true | ||
|
|
There was a problem hiding this comment.
STARAPIClient tests likely fail on Ubuntu
High Severity
The new test-starapi-client job runs run_star_api_test_suite.ps1 on ubuntu-latest via pwsh, but related STARAPIClient scripts in the same area use Windows-only tooling/paths (e.g., C:\..., MSVC). If run_star_api_test_suite.ps1 has similar assumptions, the workflow will fail and block build-and-package via needs.
Additional Locations (1)
| STAR ODK/NextGenSoftware.OASIS.STAR.CLI/publish/linux-arm64/DNA/Default/OASIS_DNA.json | ||
| STAR ODK/NextGenSoftware.OASIS.STAR.CLI/publish/linux-arm64/DNA/CelestialBodyDNA.json | ||
| STAR ODK/NextGenSoftware.OASIS.STAR.CLI/publish/linux-arm64/Cosmos.CRTCompat.dll | ||
| STAR ODK/NextGenSoftware.OASIS.STAR.CLI/publish/installers/star-cli-3.4.0-win-x64.exe |
There was a problem hiding this comment.
Entire publish gitignore block duplicated from merge
Low Severity
The entire block of publish directory entries (lines 315–877) is exactly duplicated at lines 878–1440, adding ~560 redundant lines from what appears to be a merge artifact. Additionally, most entries under publish/ subdirectories are already covered by the existing publish/ pattern on line 139, making them doubly unnecessary. Only the publishwin-x64/ entries aren't covered by the existing pattern.
Additional Locations (1)
- 9 tests in ONETControllerLifecycleTests: singleton caching, GetNetworkStatus, StartNetwork, StopNetwork, GetNetworkStats, GetNetworkTopology, null-body 400s, GetConnectedNodes without signature headers - 12 tests in ONODEControllerLifecycleTests: singleton caching, GetNodeStatus, GetNodeInfo, StartNode, StopNode (not running → 400), RestartNode, GetNodeMetrics, GetNodeLogs, GetConnectedPeers, GetNodeStats, GetNodeConfig, null-body 400s - Updated ONET-ONODE-SESSION-NOTES.md with Phase 5-7 entries and revised TODO list
… success is not masked by Solana send retries
…comments in Avalanche/Base/Cosmos/EOSIO ParkManager second constructor: base class handles all init, comment was vestigial. OAPPManager.PublishToDotNet: remove dead draft comments above working Process.Start call. Avalanche/Base/Cosmos/EOSIO GenerateKeyPair: replace misleading TODO with explanatory comment — provider-specific secp256k1 key generation already done via Nethereum above the KeyHelper call (which is used only as an IKeyPairAndWallet container).
- Add LeelaAI to AIProviderType enum - Add LeelaAISettings class and Web6Settings.LeelaAI property to OASISDNA - Add LeelaAI API key field to Web6ApiKeysSettings (env: LEELA_API_KEY) - Wire up key loading and Lambda endpoint in AIProviderManager - Suppress tool definitions for LeelaAI (API returns 400 if tools present) - Model fixed to "leela" per OpenAPI spec; endpoint appends /v1/chat/completions Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…NFT mint When the NFT founders flow auto-creates an avatar, RegisterAsync now accepts suppressVerificationEmail=true so the OASIS verification email is skipped — the mint confirmation email with the activation link is the only email sent. Co-Authored-By: David Ellams <davidellams@hotmail.com>
… SetProviderConfig, OASISResultHelper HolonManager.SendHolon<T>: load from sourceProviderType, save to destinationProviderType with error handling. AvatarManager-Private MergeAvatarDetail: add missing Strength/Speed/Dexterity/Toughness/Vitality/Endurance attribute copies. ProviderController.SetProviderConfig: add cases for all providers with ConnectionString (was MongoDB only). OASISResultHelper CopyResult: copy StackTraces alongside InnerMessages in all overloads (was missing).
The async RegisterAsync overload already had this parameter but the sync Register method was missing it, causing a build error at line 302.
AptosOASIS: - SaveHolonsAsync: was returning holons unchanged with fake success; now loops SaveHolonAsync for each holon with proper error handling and continueOnError support - DeleteHolonAsync(Guid): was fabricating a Holon from the id without any chain call; now delegates to the string-based overload that calls the Aptos Move delete_holon SC - ImportAsync: was unconditionally returning true without writing anything; now calls SaveHolonsAsync to actually persist holons to Aptos ElrondOASIS: - MintTokenAsync: implements MultiversX ESDTLocalMint via /transaction/send endpoint - BurnTokenAsync: implements MultiversX ESDTNFTBurn via /transaction/send endpoint - LockTokenAsync: sends ESDTNFTTransfer to MultiversX bridge contract with lock argument - UnlockTokenAsync: calls bridge SC unlock function with token identifier OASISBootLoader: - Uncomment NEAROASIS project reference in .csproj (Ed25519 uses System.Security.Cryptography built-ins, no external package required) - Add using NextGenSoftware.OASIS.API.Providers.NEAROASIS - Uncomment NEAROASIS init block so provider can be activated via OASISDNA config
…ry, Avalonia tray app, CLI extensions, Web4 Holon bridge endpoints
…e/node-state and /api/v1/onode/commands
…-id/email/username endpoints
…tarManager Revert BCrypt.HashPassword from three update endpoints in AvatarController and instead hash in SaveAvatarAsync (AvatarManager-Save.cs) so all code paths — register, update-by-id, update-by-email, update-by-username — go through the same hashing logic. Plaintext passwords are detected by the absence of the $2 bcrypt prefix.
…iting, audit log, active-nodes endpoint
Password encryption (PasswordEncryptionHelper): - Layer 1: BCrypt (existing, adaptive cost hash) - Layer 2: Rijndael-256 / AES-256-CBC (now wired in, key from OASISDNA) - Layer 3: Quantum-resistant AES-256-GCM AEAD (new, key from OASISDNA) - All 3 layers are individually toggleable in OASISDNA.Security.AvatarPassword - Added QuantumEncryptionKey field to EncryptionSettings - SaveAvatarAsync, SaveAvatar, ProcessAvatarLogin and ResetPassword now route through PasswordEncryptionHelper instead of bare BCrypt calls - IsAlreadyHashed() detects qpq:/r256:/$2 prefixes to avoid double-hashing - Default DNA sets Rijndael/Quantum disabled until keys are configured DID (Decentralized Identifier) support: - IAvatar + Avatar gain DID (auto-derives as did:oasis:<Id>) and DIDPublicKey - SecuritySettings gains DIDEnabled flag in OASISDNA - JWT tokens include a did claim when DIDEnabled = true - New AuthenticateWithDIDAsync in AvatarManager verifies ECDsa P-256 challenge-response signatures against the stored DIDPublicKey - POST /api/avatar/authenticate-did endpoint wired in AvatarController - AuthenticateWithDIDRequest model (DID, Challenge, Signature)
- DIDChallengeStore: thread-safe in-memory nonce store with 5-minute TTL and
single-use consumption to prevent replay attacks
- AvatarManager.GenerateDIDChallenge: issues a cryptographically random nonce
tied to the DID; replaces any previous pending nonce for that DID
- AuthenticateWithDIDAsync: now validates the challenge was server-issued and
not expired/replayed before checking the signature
- GET /api/avatar/did-challenge/{did} endpoint wired in AvatarController
- Docs updated: GET /did-challenge/{did} section, two-step flow description,
and C#/JS client examples updated to show the server-nonce pattern
…uto-update, SkiaSharp icon generation, rate limiting, audit log, active-nodes endpoint, provider management, and GitHub Actions release workflow
- IDIDChallengeStore interface in Core.Helpers (no new deps on Core) - InMemoryDIDChallengeStore: ConcurrentDictionary with expiry sweep, default - DIDChallengeStore: static facade with SetProvider() for startup injection - RedisDIDChallengeStore (WebAPI only): atomic Lua GET+DEL for replay protection, native Redis TTL, StackExchange.Redis 3.0.17 - DIDChallengeStoreSettings added to OASISDNA: Provider/RedisConnectionString/ RedisKeyPrefix/NonceTtlSeconds - Startup.cs reads DNA config and calls SetProvider() before first request - Docs: nonce store section, provider comparison table, extension point guide
…lient to sln - ONODEWebSocketHub.cs: add explicit using directives (System, Generic, Linq, Threading) and WS alias for System.Net.WebSockets.WebSocket to resolve 'WebSocket is a namespace' ambiguity, missing List<>/ArraySegment<>/ CancellationToken errors, and ConcurrentBag Except/Count(pred) issues - STAR.WebUI.csproj: bump AutoMapper 12.0.0 → 16.2.0 to match API.Core's requirement and eliminate WarningAsError NU1107 downgrade error - The OASIS.sln: add ONODE.Client project (referenced by STAR.CLI and ONODE.Manager but missing from solution)
- Startup.cs: add using System.Threading for CancellationToken - ONODEController.cs: add using System.IO for Path; initialise providersEl to default to satisfy definite-assignment analysis
…, adding ONODE client, manager and service (part of the new ONODE/ONET upgrades)
… OASIS-HyperDrive-Client Update root folder references in both the Design Spec and Implementation doc to match the actual repo location at C:\Source\OASIS-HyperDrive-Client. Project/solution file names (OasisHyperDriveClient.*) and AppData paths are unchanged as they reflect the assembly name, not the folder name.


Note
Medium Risk
Moderate risk because it changes CI orchestration by adding a new
test-starapi-clientjob and making release builds depend on it; failures or environment assumptions in the PowerShell test suite could block packaging. Other changes are documentation and.gitignorehygiene with minimal runtime impact.Overview
CI now runs the STARAPIClient automated suite by adding a new
test-starapi-clientjob that executesOASIS Omniverse/STARAPIClient/run_star_api_test_suite.ps1, uploadsTestResults/artifacts, and is required forbuild-and-package.Repo hygiene and docs were expanded:
.gitignorenow excludes common deployment secrets/config (e.g..env,hardhat.config.js,deployed-addresses.json,*.key/*.pem) and STAR CLI publish/install artifacts; a staleDockerfile.star-api.newwas removed; and multiple newDocs/Devs/*guides were added/linked covering smart-contract deployment and cross-platform getting-started/installer workflows.Written by Cursor Bugbot for commit d69b90f. This will update automatically on new commits. Configure here.