Merged
24 changes: 24 additions & 0 deletions .github/release.yml
@@ -0,0 +1,24 @@
changelog:
exclude:
labels:
- ignore-for-release
authors:
- dependabot
categories:
- title: Security
labels:
- security
- title: Features
labels:
- enhancement
- feature
- title: Fixes
labels:
- bug
- fix
- title: Dependencies
labels:
- dependencies
- title: Other Changes
labels:
- "*"
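Review bot: the `authors: - dependabot` exclusion drops every Dependabot PR from the generated notes, including the bumps that exist only to pull in a fix for a published vulnerability, so neither the Security nor the Dependencies category will ever list them. If that is deliberate, say so in a comment next to the exclusion; otherwise remove it and let the `dependencies` label route those PRs into the Dependencies category, with the `security` label promoting the ones that matter. Categories are matched in order, so a PR labelled both `security` and `bug` lands under Security, which is the right precedence here.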
21 changes: 21 additions & 0 deletions CHANGELOG.md
@@ -0,0 +1,21 @@
# Changelog

## [0.1.1-alpha] - 2026-05-14

### Security
- Stop reading exchange and Gemini API keys from `config.json`; secrets are loaded from environment variables only.
- Enforce bounded IPC header/body reads with oversized request rejection.
- Add whitelist and range validation for runtime config updates.

### Fixed
- Consolidate `TradingSignal` on one canonical dataclass.
- Keep AI signal sizing data in metadata so pipeline contracts stay compatible.

### Changed
- Refresh Money Machine desktop logo/icons and Shadow Mode dashboard UI.
- Add Vercel and Cloudflare Pages security headers for the dashboard build.

## [0.1.0-alpha] - 2026-05-14

### Added
- Initial alpha release tag for AlphaAxiom Money Machine.
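Review bot: the first Security entry ("Stop reading exchange and Gemini API keys from `config.json`") needs a migration step for existing installs. A key that was ever written to `config.json` sat in plaintext on disk and should be treated as exposed: the entry should tell users to rotate it at the exchange and at Gemini, delete it from the file, and set the environment variables that replace it, naming those variables. Without that, upgrading silently leaves a secret-bearing file behind. The IPC bounds and config-whitelist entries would also read better with the concrete limit and the allowed keys stated in one line, so an operator can verify the behaviour.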
10 changes: 5 additions & 5 deletions README.md
@@ -55,7 +55,7 @@

<p align="center">
<a href="https://t.me/AlphaAxiomBot">🤖 Telegram Bot</a> •
<a href="https://aqt.axiomid.app">🌐 Dashboard</a> •
<a href="https://aitrading.axiomid.app">🌐 Dashboard</a> •
<a href="https://oracle.axiomid.app">⚡ Oracle API</a> •
<a href="https://github.com/Moeabdelaziz007/AlphaAxiom/releases">📦 Downloads</a>
</p>
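Review bot: the dashboard host changes from aqt.axiomid.app to aitrading.axiomid.app here and in the four tables and diagrams below, but this PR touches only README.md. Before merging, grep the rest of the tree for the old host (frontend configuration, CSP connect-src, CORS allowlists, the desktop app's permitted origins): a stale `aqt.` entry in an origin allowlist either keeps an unused origin trusted or breaks the client once the old host is retired.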
@@ -77,7 +77,7 @@
| المنتج | الوصف | الرابط |
|--------|-------|--------|
| 🤖 **Telegram Bot** | تنبيهات فورية + أوامر التداول | [@AlphaAxiomBot](https://t.me/AlphaAxiomBot) |
| 🌐 **Dashboard** | لوحة تحكم الويب | [aqt.axiomid.app](https://aqt.axiomid.app) |
| 🌐 **Dashboard** | لوحة تحكم الويب | [aitrading.axiomid.app](https://aitrading.axiomid.app) |
| 💻 **Money Machine** | تطبيق سطح المكتب (Ghost/Overlay) | [تحميل](https://github.com/Moeabdelaziz007/AlphaAxiom/releases) |
| 📊 **AlphaReceiver.mq5** | EA لتنفيذ الصفقات على MT5 | [تحميل](https://github.com/Moeabdelaziz007/AlphaAxiom/tree/main/frontend/public) |

@@ -134,7 +134,7 @@
| Product | Description | Link |
|---------|-------------|------|
| 🤖 **Telegram Bot** | Instant alerts + Trading commands | [@AlphaAxiomBot](https://t.me/AlphaAxiomBot) |
| 🌐 **Dashboard** | Web-based control panel | [aqt.axiomid.app](https://aqt.axiomid.app) |
| 🌐 **Dashboard** | Web-based control panel | [aitrading.axiomid.app](https://aitrading.axiomid.app) |
| 💻 **Money Machine** | Desktop overlay app (Ghost Mode) | [Download](https://github.com/Moeabdelaziz007/AlphaAxiom/releases) |
| 📊 **AlphaReceiver.mq5** | MT5 Expert Advisor for trade execution | [Download](https://github.com/Moeabdelaziz007/AlphaAxiom/tree/main/frontend/public) |

@@ -208,7 +208,7 @@ npm run tauri dev
├─────────────────────────────────────────────────────────────────┤
│ 📡 DELIVERY CHANNELS │
│ ├── Telegram Bot (@AlphaAxiomBot) │
│ ├── Web Dashboard (aqt.axiomid.app)
│ ├── Web Dashboard (aitrading.axiomid.app) │
│ ├── Desktop App (Money Machine) │
│ └── Oracle API (oracle.axiomid.app) │
├─────────────────────────────────────────────────────────────────┤
@@ -226,7 +226,7 @@ npm run tauri dev
| Resource | URL |
|----------|-----|
| 🤖 Telegram Bot | [t.me/AlphaAxiomBot](https://t.me/AlphaAxiomBot) |
| 🌐 Dashboard | [aqt.axiomid.app](https://aqt.axiomid.app) |
| 🌐 Dashboard | [aitrading.axiomid.app](https://aitrading.axiomid.app) |
| ⚡ Oracle API | [oracle.axiomid.app](https://oracle.axiomid.app) |
| 📦 Releases | [GitHub Releases](https://github.com/Moeabdelaziz007/AlphaAxiom/releases) |
| 📊 EA Download | [AlphaReceiver.mq5](https://github.com/Moeabdelaziz007/AlphaAxiom/tree/main/frontend/public) |
36 changes: 19 additions & 17 deletions money-machine/.github/workflows/build.yml
@@ -51,24 +51,25 @@ jobs:
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: 20
node-version: 22
cache: "npm"
cache-dependency-path: money-machine/package-lock.json

- name: Install frontend dependencies
run: npm ci
run: npm --prefix money-machine ci

- name: Build frontend
run: npm run build
run: npm --prefix money-machine run build

- name: Setup Python (for sidecar)
uses: actions/setup-python@v5
with:
python-version: "3.11"
python-version: "3.12"

- name: Install Python dependencies
run: |
cd src-python
pip install -r requirements.txt
python -m pip install --upgrade pip
python -m pip install -r money-machine/src-python/requirements.txt

- name: Build Tauri app
uses: tauri-apps/tauri-action@v0
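Review bot: `python -m pip install --upgrade pip` followed by `python -m pip install -r money-machine/src-python/requirements.txt` installs whatever the index serves at build time with no integrity check, inside the same job that goes on to sign the release with `TAURI_SIGNING_PRIVATE_KEY`. Pin pip to a version and install the sidecar requirements with `--require-hashes` from a lockfile produced by `pip-compile --generate-hashes` (or an equivalent tool), so a substituted wheel fails the build instead of being bundled into a signed artifact. `npm --prefix money-machine ci` is fine as written because package-lock.json carries integrity hashes; the Python side has no equivalent yet. The Node 20 to 22 and Python 3.11 to 3.12 bumps should be mirrored in the local development docs so developers build the sidecar against the same interpreter CI ships.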
@@ -77,24 +78,25 @@ jobs:
TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
with:
projectPath: money-machine
args: ${{ matrix.args }}
tagName: ${{ github.ref_name }}
releaseName: "Money Machine v__VERSION__"
releaseBody: "See the assets below for your platform."
releaseDraft: false
releaseName: "Money Machine ${{ github.ref_name }}"
releaseBody: "See CHANGELOG.md and the assets below for your platform."
releaseDraft: true
prerelease: ${{ contains(github.ref, 'alpha') || contains(github.ref, 'beta') }}

- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: money-machine-${{ matrix.platform }}-${{ matrix.target || 'default' }}
path: |
src-tauri/target/release/bundle/**/*.dmg
src-tauri/target/release/bundle/**/*.app
src-tauri/target/release/bundle/**/*.deb
src-tauri/target/release/bundle/**/*.AppImage
src-tauri/target/release/bundle/**/*.msi
src-tauri/target/release/bundle/**/*.exe
money-machine/src-tauri/target/release/bundle/**/*.dmg
money-machine/src-tauri/target/release/bundle/**/*.app
money-machine/src-tauri/target/release/bundle/**/*.deb
money-machine/src-tauri/target/release/bundle/**/*.AppImage
money-machine/src-tauri/target/release/bundle/**/*.msi
money-machine/src-tauri/target/release/bundle/**/*.exe

release:
needs: build
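Review bot: `TAURI_SIGNING_PRIVATE_KEY` and `TAURI_SIGNING_PRIVATE_KEY_PASSWORD` are placed in the environment of the step that compiles the whole Rust dependency graph, where any crate's build script or proc macro executes with access to that environment. The step cannot avoid holding the key, so the compensating controls are to commit and review Cargo.lock, keep Dependabot on the Rust manifests, and rotate the key if a compromised crate is ever found in the tree. Switching `releaseDraft` to `true` is the right call for a tag-triggered build: a human looks at the draft before the updater endpoint sees a new version. The `prerelease` expression matches any ref containing `alpha` or `beta`, including a branch name, so keep the `on:` trigger restricted to tags.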
@@ -110,9 +112,9 @@ jobs:
path: artifacts

- name: Create Release
uses: softprops/action-gh-release@v1
uses: softprops/action-gh-release@v2
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify workflow actions that are not pinned to a full commit SHA.
# Expected: any remaining lines are candidates to pin.
rg -nP '^\s*(-\s*)?uses:\s*[^@\s]+@[^\s]+' -g '*.yml' -g '*.yaml' \
  | rg -Pv '@[0-9a-fA-F]{40}(\s|$)'

Repository: Moeabdelaziz007/AlphaAxiom

Length of output: 169


🏁 Script executed:

#!/bin/bash
# Find the workflow file
find . -type f -path "*money-machine/.github/workflows/build.yml" 2>/dev/null

Repository: Moeabdelaziz007/AlphaAxiom

Length of output: 114


🏁 Script executed:

#!/bin/bash
# If file exists, show content around line 115
if [ -f "./money-machine/.github/workflows/build.yml" ]; then
  echo "=== File found. Lines 110-120 ===";
  sed -n '110,120p' "./money-machine/.github/workflows/build.yml" | cat -n;
else
  echo "File not found at expected path. Searching for build.yml files:";
  find . -type f -name "build.yml" 2>/dev/null;
fi

Repository: Moeabdelaziz007/AlphaAxiom

Length of output: 537


🏁 Script executed:

#!/bin/bash
# Search for any uses of softprops/action-gh-release in the repo
rg 'softprops/action-gh-release' -n

Repository: Moeabdelaziz007/AlphaAxiom

Length of output: 52


🏁 Script executed:

#!/bin/bash
# Show all 'uses:' lines in the build.yml file
cat -n "./money-machine/.github/workflows/build.yml" | grep 'uses:'

Repository: Moeabdelaziz007/AlphaAxiom

Length of output: 445


🌐 Web query:

GitHub Actions security best practices version pinning commit SHA

💡 Result:

GitHub Actions security best practices strongly recommend pinning actions to full-length commit SHAs to prevent supply chain attacks where malicious code could be injected via mutable tags or compromised repositories [1][2][3]. This is the only way to use actions as immutable releases, as tags can be rewritten or deleted even by trusted maintainers [1][4]. Official GitHub documentation states: "Pinning an action to a full-length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload" [1]. Example workflow change: uses: actions/checkout@v4 becomes: uses: actions/checkout@692973e # v4.1.0 [5][6] To find the SHA for a tag: - git ls-remote --tags https://github.com/owner/repo.git refs/tags/v4 [7] - Visit the repo, switch to the tag, copy the full SHA [6] - Check workflow run logs under "Setup Job" [6] Add a comment with the version for readability, e.g., # v4.1.0 [3][7]. Use Dependabot to automate updates: it creates PRs updating the SHA and version comment when new releases occur [3][8][9]. Tools like pin-github-action or ensure-sha-pinned-actions can help enforce/automate pinning [10][11][12]. Organizations can enforce SHA pinning via policies at repo/org/enterprise levels; workflows using tags will fail [2][3]. The policy checks the full dependency tree, including sub-actions [3]. Upcoming 2026 features include workflow dependencies lockfiles for transitive pinning and execution policies [13]. Additional practices: - Verify SHA is from the official repo, not a fork [1] - Prefer verified creators on Marketplace [1] - Use read-only GITHUB_TOKEN by default, escalate per-job [14] - Avoid pull_request_target for untrusted code [15] - Implement cooldowns (7-14 days) before updating [16]

Citations:


Pin all GitHub Actions to immutable commit SHAs.

All eight actions in this workflow use floating version tags (v4, v5, v0, v2, stable), which can change upstream and weaken CI/CD supply-chain guarantees. GitHub's official security guidance recommends pinning to full 40-character commit SHAs as the only way to ensure immutability. Apply this across the entire file:

  • Line 38: actions/checkout@v4
  • Line 41: dtolnay/rust-action@stable
  • Line 52: actions/setup-node@v4
  • Line 65: actions/setup-python@v5
  • Line 75: tauri-apps/tauri-action@v0
  • Line 90: actions/upload-artifact@v4
  • Line 110: actions/download-artifact@v4
  • Line 115: softprops/action-gh-release@v2

Include a comment with the version for readability (e.g., # v2.0.0). Use Dependabot to automate updates.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@money-machine/.github/workflows/build.yml` at line 115, Replace every
floating GitHub Action version tag in the workflow with the corresponding full
commit SHA and add a comment with the human-readable version next to each use:
update uses for actions/checkout@v4, dtolnay/rust-action@stable,
actions/setup-node@v4, actions/setup-python@v5, tauri-apps/tauri-action@v0,
actions/upload-artifact@v4, actions/download-artifact@v4, and
softprops/action-gh-release@v2 to their immutable 40-character commit SHAs (and
append a comment like "# v2.0.0" for readability); ensure you change the uses
strings in the workflow to the SHAs and leave comments showing the original tag
versions so Dependabot/maintainers can track updates.

with:
files: artifacts/**/*
generate_release_notes: true
draft: false
draft: true
prerelease: ${{ contains(github.ref, 'alpha') || contains(github.ref, 'beta') }}
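Review bot: this job duplicates what the `Build Tauri app` step already does. tauri-action with `tagName: ${{ github.ref_name }}` and `releaseDraft: true` creates the draft release for the tag and uploads the bundles, and `softprops/action-gh-release` then targets the same tag with `files: artifacts/**/*`, so the release is created or updated twice and assets are uploaded twice. Keep one release creator. If this job is the one that stays, note that `artifacts/**/*` matches files, not directories, so a downloaded `.app` bundle is uploaded as its individual inner files (Info.plist, the binary, resources) rather than as one asset; restrict the glob to `*.dmg`, `*.msi`, `*.exe`, `*.deb` and `*.AppImage`, or zip the bundle before upload. `generate_release_notes: true` is what consumes the new `.github/release.yml`, so the two are consistent.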
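The SHA-pinning recommendation in the review comment above, turned into a runnable check. This is an added example, not code from this PR or from the AlphaAxiom project: a regex-based audit that lists every remote `uses:` reference not pinned to a full commit SHA and rewrites the ones for which a tag-to-SHA mapping is supplied, keeping the human-readable tag as a trailing comment. The sample workflow and every SHA value in it are constructed placeholders; real SHAs must be resolved with `git ls-remote --tags` against the action's own repository, not a fork.

```python
import re

# A "uses:" line: optional list dash, the action path, "@", the ref, then anything else.
USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@(?P<ref>[^\s#]+)(?P<rest>.*)$"
)
# Only a full 40-hex-digit commit SHA counts as immutable; short SHAs, tags and branches do not.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_uses(workflow_text):
    """Return (line_no, action, ref) for every remote action whose ref is not a full SHA.

    Local actions (./path) carry no "@ref" and docker:// images contain ":" and so never
    match USES_RE; both are GitHub-irrelevant for SHA pinning and are left alone.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group("ref")):
            findings.append((line_no, m.group("action"), m.group("ref")))
    return findings


def pin_uses(workflow_text, sha_map):
    """Rewrite floating refs to SHAs, keeping the original tag as a trailing comment.

    sha_map maps "owner/repo@tag" to the full commit SHA that tag resolved to, obtained
    out of band (e.g. `git ls-remote --tags https://github.com/owner/repo.git`).
    Lines whose action@ref is absent from sha_map are left untouched so a partial map
    never silently "pins" anything; an existing trailing comment on a rewritten line is
    replaced by the tag comment.
    """
    for key, sha in sha_map.items():
        if not FULL_SHA_RE.match(sha):
            raise ValueError(f"{key}: {sha!r} is not a full lowercase 40-hex SHA")
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group("ref")):
            sha = sha_map.get(f"{m.group('action')}@{m.group('ref')}")
            if sha:
                line = f"{m.group('prefix')}{m.group('action')}@{sha} # {m.group('ref')}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample modelled on the workflow in this PR; the 40 x "a" SHA is a placeholder.
SAMPLE_WORKFLOW = f"""\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-action@stable
      - name: Setup Node.js
        uses: actions/setup-node@v4
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - uses: actions/upload-artifact@{'a' * 40} # v4 (placeholder SHA)
"""

# Placeholder resolutions (assumed, not real); real values come from `git ls-remote --tags`.
PLACEHOLDER_SHAS = {
    "actions/checkout@v4": "b" * 40,
    "dtolnay/rust-action@stable": "c" * 40,
    "actions/setup-node@v4": "d" * 40,
}

if __name__ == "__main__":
    for line_no, action, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is not pinned to a commit SHA")
    print(pin_uses(SAMPLE_WORKFLOW, PLACEHOLDER_SHAS))
```

Note that `dtolnay/rust-action@stable` is a moving branch, not a tag, so pinning it freezes the toolchain installer at one commit; that is the intended effect, and Dependabot keeps the SHA and its `# stable` comment current once the mapping is committed.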
1 change: 1 addition & 0 deletions money-machine/.gitignore
@@ -10,6 +10,7 @@ dist/

# Tauri
src-tauri/target/
src-tauri/gen/

# System Files
.DS_Store
2 changes: 2 additions & 0 deletions money-machine/eslint.config.mjs
@@ -11,6 +11,8 @@ const eslintConfig = defineConfig([
".next/**",
"out/**",
"build/**",
"src-tauri/target/**",
"src-tauri/gen/**",
"next-env.d.ts",
]),
]);
6 changes: 6 additions & 0 deletions money-machine/next-env.d.ts
@@ -0,0 +1,6 @@
/// <reference types="next" />
/// <reference types="next/image-types/global" />
import "./.next/types/routes.d.ts";
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether next-env.d.ts imports generated artifacts directly.
rg -n '^\s*import\s+["'\'']\./\.next/types/routes\.d\.ts["'\''];?\s*$' money-machine/next-env.d.ts

# Check if generated file exists in repo checkout (clean CI often won't have it).
test -f money-machine/.next/types/routes.d.ts; echo "routes.d.ts exists? exit=$?"

# Inspect tsconfig include entries that already cover generated types.
rg -n '"\.next/types/\*\*/\*\.ts"|"\.next/dev/types/\*\*/\*\.ts"' money-machine/tsconfig.json

Repository: Moeabdelaziz007/AlphaAxiom

Length of output: 198


Remove direct import of generated .next route types from next-env.d.ts.

The import of ./.next/types/routes.d.ts is brittle and breaks type-checking in clean environments before the .next directory is generated. This is already covered by tsconfig.json include globs (.next/types/**/*.ts), making the explicit import redundant. Remove the import and keep next-env.d.ts framework-managed.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@money-machine/next-env.d.ts` at line 3, Remove the brittle explicit import of
"./.next/types/routes.d.ts" from next-env.d.ts: delete the import line so the
file remains framework-managed and relies on the tsconfig.json include globs
(e.g., .next/types/**/*.ts) to pick up generated route types instead of
importing them directly.


// NOTE: This file should not be edited
// see https://nextjs.org/docs/app/api-reference/config/typescript for more information.
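Review bot: the file's own trailer says it should not be edited, and that applies to the `import "./.next/types/routes.d.ts";` line as much as to the reference directives. Settle which it is: if the line was hand-added, drop it and let `next dev` or `next build` regenerate the file; if the installed Next.js version emits it, commit the generated output unchanged and regenerate rather than edit on upgrades. Either way, run the type check on a clean checkout with no `.next/` directory in CI, so a missing generated file fails there rather than only on a developer machine.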