fix: audit follow-up — keystore 0600 + key_bytes zeroize + prom-exporter doc/warn

[satyakwok]

Summary

Follow-up to the workspace-wide audit pass. Each finding here was re-verified against current code (per operator's "yakin kan?") before fixing. Four real defects, no theoretical ones.

Findings + fixes

sentrix-wallet (security — defense in depth)

1. Keystore::save wrote keystore with default umask (0644 on most hosts) → world-readable file.

Even with AES-GCM ciphertext over an Argon2id-derived key, leaking the file's ciphertext + salt + MAC to a co-tenant user enables offline brute-force against the password. Fix: explicit `set_permissions(0o600)` after the write on Unix. Windows keeps the default — ACL hardening is the operator's responsibility.

Added `test_save_file_mode_is_0600` so a future edit that drops the chmod fails CI.

2. Derived KDF key + plaintext private key bytes were never zeroized.

encrypt / decrypt / the wrong-password early-return path all allocated `[u8; 32]` for the Argon2id-derived AES-GCM key on stack and left it there until the frame unwound. A core dump or post-free memory inspection could still recover the AES key (and the second-half MAC key sliced from it). Fix: `zeroize::Zeroize::zeroize()` on:

• `key_bytes` — the derived AES-GCM key
• `private_key_bytes` — the raw secret-key bytes between hex-decode and AES encrypt (encrypt path) / between AES decrypt and re-encode (decrypt path)
• `mac_input` — contains a copy of the MAC half of `key_bytes`
• `private_key_hex` (decrypt path) — the hex-encoded private key

The `zeroize` crate was already in workspace deps (used by other crates).

sentrix-prom-exporter (correctness + observability)

3. Module doc said "first 4 hex of latest_block_hash as u32" — actual code consumes 8 hex chars.

Code at line 222 (`if h.len() < 8`) + test asserting `0xdeadbeef` (8 chars → u32) + the metric-registration doc string at line 89 all agree on 8. Module doc line 15 was stale. Fix: update to "first 8 hex".

4. `parse_targets` silently dropped malformed `SENTRIX_TARGETS` entries.

Operator that misconfigured the env var would see the exporter run with fewer (or zero) targets and no log indication why the Grafana dashboard went dark. Fix: `warn!` on the dropped entry with the bad input + observed part count.

Self-review (per feedback_smoke_test_and_code_review_every_change)

• ✅ Each finding re-verified by reading the exact source lines before fixing — no speculative changes.
• ✅ `cargo clippy --workspace --tests -- -D warnings` clean (matches CI Test workflow).
• ✅ 22/22 `sentrix-wallet` tests pass — includes the new `test_save_file_mode_is_0600` regression test.
• ✅ Existing roundtrip + wrong-password tests still pass — zeroize calls don't perturb the cryptographic contract.
• ✅ `sentrix-prom-exporter` builds clean.

Downgraded / not in this PR

These were initially flagged in the audit but downgraded after re-verification:

• `prom-exporter::metrics_handler` `.unwrap()` on response builder — practically infallible (hardcoded headers, in-memory body), not a bug.
• `grpc::marshal_block` silent bincode-error fallback — owned-struct bincode serialize practically infallible, theoretical only.
• Argon2id parameters (m=64 MiB) — within RFC 9106 acceptable range, not a defect.

These are notes for a future hardening pass, not real defects today.

Found via

Operator-requested audit pass against workspace crates one at a time. Faucet cooldown TOCTOU (separate PR #760) was the first real bug; these are the next four after re-verifying the rest.

[coderabbitai]

Warning

Review limit reached

@satyakwok, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 50 minutes and 36 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 295d1ed2-e081-4e96-b51e-432265db8fd0

📥 Commits

Reviewing files that changed from the base of the PR and between f1cca47 and 07cfb60.

📒 Files selected for processing (2)

• crates/sentrix-prom-exporter/src/main.rs
• crates/sentrix-wallet/src/keystore.rs

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/audit-followup-wallet-prom-exporter

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!