protocol-security
diff --git a/‎.env.example‎
Lines changed: 100 additions & 0 deletions b/‎.env.example‎
Lines changed: 100 additions & 0 deletions
diff --git a/‎.env.webapp.example‎
Lines changed: 38 additions & 0 deletions b/‎.env.webapp.example‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 57 additions & 0 deletions b/‎.gitignore‎
Lines changed: 57 additions & 0 deletions
diff --git a/‎Dockerfile‎
Lines changed: 10 additions & 0 deletions b/‎Dockerfile‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎Dockerfile.github‎
Lines changed: 10 additions & 0 deletions b/‎Dockerfile.github‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎Dockerfile.queue‎
Lines changed: 10 additions & 0 deletions b/‎Dockerfile.queue‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎Dockerfile.telegram‎
Lines changed: 10 additions & 0 deletions b/‎Dockerfile.telegram‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎LICENSE‎
Lines changed: 21 additions & 0 deletions b/‎LICENSE‎
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,100 @@
+# Google OAuth Configuration
+GOOGLE_CLIENT_ID=your_google_client_id_here.apps.googleusercontent.com
+
+# Flask Configuration
+FLASK_SECRET_KEY=your_super_secret_key_here
+FLASK_ENV=development
+
+# Web App Configuration
+WEB_APP_PORT=5000
+FINDINGS_SERVER_PORT=8000
+FINDINGS_SERVER_URL=http://localhost:8000
+
+# Database Configuration
+DATABASE_URL=postgresql://username:password@localhost:5432/security_findings
+
+# Authorized Email Addresses (comma-separated)
+AUTHORIZED_EMAILS=[email protected]
+
+# Optional: Telegram Configuration (if using Telegram notifications)
+TELEGRAM_BOT_TOKEN=your_telegram_bot_token_here
+TELEGRAM_CHAT_ID=your_telegram_chat_id_here
+
+# Optional: LLM Provider API Keys
+OPENAI_API_KEY=your_openai_api_key_here
+ANTHROPIC_API_KEY=your_anthropic_api_key_here
+GOOGLE_AI_API_KEY=your_google_ai_api_key_here
+
+# GitHub PAT token for accessing repositories
+GITHUB_TOKEN=your_github_token_here
+
+# Email Notifications (Amazon SES)
+AWS_SES_REGION=us-east-1
+SES_FROM_EMAIL=[email protected]
+BASE_URL=https://your-domain.com
+AWS_ACCESS_KEY_ID=your_aws_access_key_here
+AWS_SECRET_ACCESS_KEY=your_aws_secret_access_key_here
+
+# Notification Settings
+NOTIFY_CLEAN_COMMITS=false
+
+# Embeddings API key (required for Claude with docs)
+VOYAGE_API_KEY=your_voyage_api_key_here
+
+# GitHub App Settings
+GITHUB_APP_ID=12345
+GITHUB_PRIVATE_KEY_PATH=./privatekey.pem
+GITHUB_WEBHOOK_SECRET=your_webhook_secret_here
+GITHUB_CLIENT_SECRET=your_github_client_secret_here
+
+# AMQP Message Queue (optional)
+AMQP_URL=amqp://guest:guest@localhost:5672/
+QUEUE_NAME=security_review_requests
+RESPONSE_QUEUE_NAME=security_review_responses
+
+# Weights for LLM Providers (used when multiple providers are enabled)
+ANTHROPIC_WEIGHT=1
+OPENAI_WEIGHT=1
+GEMINI_WEIGHT=1
+DEEPSEEK_WEIGHT=1
+LLAMA_WEIGHT=1
+
+# Optional: Enable SQL query debugging (set to true to see SQL queries in logs)
+SQL_DEBUG=false
+
+# LLM Prompts Configuration
+LLM_SECURITY_PROMPT_INTRO="You are a security expert specializing in Ethereum client implementations and blockchain security."
+
+LLM_SECURITY_PROMPT_FOCUS_AREAS="Pay special attention to Blockchain specific vulnerabilities."
+
+LLM_SECURITY_PROMPT_IMPORTANT_NOTES="IMPORTANT:\n- Focus on concrete exploitable vulnerabilities."
+
+LLM_SECURITY_PROMPT_EXAMPLES="Examples of concrete vulnerabilities:\n- Gas costs that deviate from EIP specifications."
+
+LLM_SECURITY_PROMPT_RESPONSE_FORMAT="CRITICAL: Your response must be ONLY the following JSON object, with no additional text, explanation, or markdown formatting:\n{\n    \"confidence_score\": <use highest confidence from findings, or 100 if no vulnerabilities>,\n    \"has_vulnerabilities\": <true/false>,\n    \"findings\": [\n        {\n            \"severity\": \"<HIGH|MEDIUM|LOW>\",\n            \"description\": \"<specific vulnerability with exact code location>\",\n            \"recommendation\": \"<precise fix required>\",\n            \"confidence\": <0-100, how certain you are about this specific vulnerability>,\n            \"detailed_explanation\": \"<comprehensive explanation of what the issue is>\",\n            \"impact_explanation\": \"<what can happen if this vulnerability is exploited>\",\n            \"detailed_recommendation\": \"<detailed explanation of how to fix the issue>\",\n            \"code_example\": \"<the existing problematic code block, with proposed changes highlighted using html-style comments>\",\n            \"additional_resources\": \"<links to documentation or other resources>\"\n        }\n    ],\n    \"summary\": \"<only mention concrete vulnerabilities found>\"\n}\n\nIMPORTANT: The overall confidence_score should match the highest confidence score from the findings.\nFor example, if you find one vulnerability with 90% confidence, the overall confidence_score should also be 90."
+
+LLM_SECURITY_PROMPT_NO_VULNS_RESPONSE="If no clear vulnerabilities are found in the code changes, return:\n{\n    \"confidence_score\": 100,\n    \"has_vulnerabilities\": false,\n    \"findings\": [],\n    \"summary\": \"No concrete vulnerabilities identified in the changed code.\"\n}"
+
+LLM_SKEPTICAL_VERIFICATION_INTRO="You are a skeptical security auditor tasked with CRITICALLY reviewing and VERIFYING potential vulnerabilities."
+
+LLM_SKEPTICAL_VERIFICATION_CRITICAL_QUESTIONS="Ask yourself is this is really a vulnerability."
+
+LLM_SKEPTICAL_VERIFICATION_BE_CRITICAL="Keep a critical mindset."
+
+LLM_SKEPTICAL_VERIFICATION_ONLY_CONFIRM="Only confirm vulnerabilities you are very sure about."
+
+LLM_SKEPTICAL_VERIFICATION_RESPONSE_FORMAT="Return ONLY a JSON object with your verification results:\n{\n    \"verified_findings\": [\n        {\n            \"original_index\": <index of the original finding, starting from 0>,\n            \"is_real_vulnerability\": <true/false>,\n            \"verification_confidence\": <0-100>,\n            \"reason\": \"<why you believe this is or isnt a real vulnerability>\"\n        }\n    ],\n    \"summary\": \"<brief summary of your verification>\"\n}"
+
+LLM_SYNTHESIS_PROMPT_INTRO="You are a security expert tasked with synthesizing multiple security analyses into a single coherent report."
+
+LLM_SYNTHESIS_PROMPT_INSTRUCTION="Please synthesize these analyses into a single, coherent security report. Combine similar findings, use the highest confidence scores where appropriate, and create a unified summary."
+
+LLM_SYNTHESIS_SYSTEM_PROMPT="You are a security expert specializing in code review. Return ONLY JSON output with no additional text or explanation."
+
+LLM_SYNTHESIS_SYSTEM_PROMPT_ANTHROPIC="You are a skeptical security auditor. Return ONLY JSON output with no additional text or explanation."
+
+LLM_SYNTHESIS_SYSTEM_PROMPT_SYNTHESIZE="You are a security expert specializing in synthesizing multiple analyses. Return ONLY JSON output with no additional text or explanation."
+
+
+# End of .env.example
+# Note: Rename this file to .env and fill in the actual values before running the application.
@@ -0,0 +1,38 @@
+DEEPSEEK_API_KEY=""
+LLAMA_API_KEY=""
+GITHUB_TOKEN=""
+ANTHROPIC_API_KEY=""
+OPENAI_API_KEY=""
+VOYAGE_API_KEY=""
+TELEGRAM_BOT_TOKEN=""
+TELEGRAM_CHAT_ID=""
+TELEGRAM_CHAT_ID_GOOD=""
+GEMINI_API_KEY=""
+MULTI_JUDGE=""
+NOTIFY_CLEAN_COMMITS=""
+DATABASE_URL=""
+GOOGLE_CLIENT_ID=""
+FLASK_SECRET_KEY=""
+AUTHORIZED_EMAILS=""
+WEB_APP_PORT=""
+AWS_SES_REGION=""
+SES_FROM_EMAIL=""
+BASE_URL=""
+AWS_ACCESS_KEY_ID=""
+AWS_SECRET_ACCESS_KEY=""
+LLM_SECURITY_PROMPT_INTRO="You are a security expert specializing in Ethereum client implementations and blockchain security."
+LLM_SECURITY_PROMPT_FOCUS_AREAS="Pay special attention to Blockchain specific vulnerabilities."
+LLM_SECURITY_PROMPT_IMPORTANT_NOTES="IMPORTANT:\n- Focus on concrete exploitable vulnerabilities."
+LLM_SECURITY_PROMPT_EXAMPLES="Examples of concrete vulnerabilities:\n- Gas costs that deviate from EIP specifications."
+LLM_SECURITY_PROMPT_RESPONSE_FORMAT="CRITICAL: Your response must be ONLY the following JSON object, with no additional text, explanation, or markdown formatting:\n{\n    \"confidence_score\": <use highest confidence from findings, or 100 if no vulnerabilities>,\n    \"has_vulnerabilities\": <true/false>,\n    \"findings\": [\n        {\n            \"severity\": \"<HIGH|MEDIUM|LOW>\",\n            \"description\": \"<specific vulnerability with exact code location>\",\n            \"recommendation\": \"<precise fix required>\",\n            \"confidence\": <0-100, how certain you are about this specific vulnerability>,\n            \"detailed_explanation\": \"<comprehensive explanation of what the issue is>\",\n            \"impact_explanation\": \"<what can happen if this vulnerability is exploited>\",\n            \"detailed_recommendation\": \"<detailed explanation of how to fix the issue>\",\n            \"code_example\": \"<the existing problematic code block, with proposed changes highlighted using html-style comments>\",\n            \"additional_resources\": \"<links to documentation or other resources>\"\n        }\n    ],\n    \"summary\": \"<only mention concrete vulnerabilities found>\"\n}\n\nIMPORTANT: The overall confidence_score should match the highest confidence score from the findings.\nFor example, if you find one vulnerability with 90% confidence, the overall confidence_score should also be 90."
+LLM_SECURITY_PROMPT_NO_VULNS_RESPONSE="If no clear vulnerabilities are found in the code changes, return:\n{\n    \"confidence_score\": 100,\n    \"has_vulnerabilities\": false,\n    \"findings\": [],\n    \"summary\": \"No concrete vulnerabilities identified in the changed code.\"\n}"
+LLM_SKEPTICAL_VERIFICATION_INTRO="You are a skeptical security auditor tasked with CRITICALLY reviewing and VERIFYING potential vulnerabilities."
+LLM_SKEPTICAL_VERIFICATION_CRITICAL_QUESTIONS="Ask yourself is this is really a vulnerability."
+LLM_SKEPTICAL_VERIFICATION_BE_CRITICAL="Keep a critical mindset."
+LLM_SKEPTICAL_VERIFICATION_ONLY_CONFIRM="Only confirm vulnerabilities you are very sure about."
+LLM_SKEPTICAL_VERIFICATION_RESPONSE_FORMAT="Return ONLY a JSON object with your verification results:\n{\n    \"verified_findings\": [\n        {\n            \"original_index\": <index of the original finding, starting from 0>,\n            \"is_real_vulnerability\": <true/false>,\n            \"verification_confidence\": <0-100>,\n            \"reason\": \"<why you believe this is or isnt a real vulnerability>\"\n        }\n    ],\n    \"summary\": \"<brief summary of your verification>\"\n}"
+LLM_SYNTHESIS_PROMPT_INTRO="You are a security expert tasked with synthesizing multiple security analyses into a single coherent report."
+LLM_SYNTHESIS_PROMPT_INSTRUCTION="Please synthesize these analyses into a single, coherent security report. Combine similar findings, use the highest confidence scores where appropriate, and create a unified summary."
+LLM_SYNTHESIS_SYSTEM_PROMPT="You are a security expert specializing in code review. Return ONLY JSON output with no additional text or explanation."
+LLM_SYNTHESIS_SYSTEM_PROMPT_ANTHROPIC="You are a skeptical security auditor. Return ONLY JSON output with no additional text or explanation."
+LLM_SYNTHESIS_SYSTEM_PROMPT_SYNTHESIZE="You are a security expert specializing in synthesizing multiple analyses. Return ONLY JSON output with no additional text or explanation."
@@ -0,0 +1,57 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# Testing
+.pytest_cache/
+.coverage
+htmlcov/
+.tox/
+.nox/
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+
+# Environment
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+*~
+
+# Flask Session
+flask_session/
+
+# Project specific
+docs/embeddings.npy
+docs/docs.json
+privatekey.pem
+vector-database-docs/
@@ -0,0 +1,10 @@
+FROM python:3.11-slim
+
+ENV PYTHONUNBUFFERED=1
+
+WORKDIR /app
+
+COPY . .
+RUN pip install --no-cache-dir -e .
+
+ENTRYPOINT ["python", "-u", "-m", "pr_security_review"]
@@ -0,0 +1,10 @@
+FROM python:3.11-slim
+
+ENV PYTHONUNBUFFERED=1
+
+WORKDIR /app
+
+COPY . .
+RUN pip install --no-cache-dir -e .
+
+ENTRYPOINT ["python", "-u", "-m", "pr_security_review", "--github-app"]
@@ -0,0 +1,10 @@
+FROM python:3.11-slim
+
+ENV PYTHONUNBUFFERED=1
+
+WORKDIR /app
+
+COPY . .
+RUN pip install --no-cache-dir -e .
+
+ENTRYPOINT ["python", "-u", "-m", "pr_security_review", "--listen-queue"]
@@ -0,0 +1,10 @@
+FROM python:3.11-slim
+
+ENV PYTHONUNBUFFERED=1
+
+WORKDIR /app
+
+COPY . .
+RUN pip install --no-cache-dir -e .
+
+ENTRYPOINT ["python", "-u", "-m", "pr_security_review", "--monitor-continuous", "--config-file", "config.json", "--docs-dir", "vector-database-docs"]
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.