diff --git a/.env.example b/.env.example index ad85bbf723..f16f77609f 100644 --- a/.env.example +++ b/.env.example @@ -91,6 +91,5 @@ STARKNET_ADDRESS= STARKNET_PRIVATE_KEY= STARKNET_RPC_URL= - # Coinbase Commerce COINBASE_COMMERCE_KEY= diff --git a/SECURITY.md b/SECURITY.md index a08255046e..95045cf7a3 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -17,74 +17,79 @@ We take the security of Eliza seriously. If you believe you have found a securit 1. **DO NOT** create a public GitHub issue for the vulnerability 2. Send an email to security@eliza.builders with: - - A detailed description of the vulnerability - - Steps to reproduce the issue - - Potential impact of the vulnerability - - Any possible mitigations you've identified + - A detailed description of the vulnerability + - Steps to reproduce the issue + - Potential impact of the vulnerability + - Any possible mitigations you've identified ### What to Expect -- **Initial Response**: Within 48 hours, you will receive an acknowledgment of your report -- **Updates**: We will provide updates every 5 business days about the progress -- **Resolution Timeline**: We aim to resolve critical issues within 15 days -- **Disclosure**: We will coordinate with you on the public disclosure timing +- **Initial Response**: Within 48 hours, you will receive an acknowledgment of your report +- **Updates**: We will provide updates every 5 business days about the progress +- **Resolution Timeline**: We aim to resolve critical issues within 15 days +- **Disclosure**: We will coordinate with you on the public disclosure timing ## Security Best Practices ### For Contributors 1. **API Keys and Secrets** - - Never commit API keys, passwords, or other secrets to the repository - - Use environment variables as described in our secrets management guide - - Rotate any accidentally exposed credentials immediately + + - Never commit API keys, passwords, or other secrets to the repository + - Use environment variables as described in our secrets management guide + - Rotate any accidentally exposed credentials immediately 2. **Dependencies** - - Keep all dependencies up to date - - Review security advisories for dependencies regularly - - Use `pnpm audit` to check for known vulnerabilities + + - Keep all dependencies up to date + - Review security advisories for dependencies regularly + - Use `pnpm audit` to check for known vulnerabilities 3. **Code Review** - - All code changes must go through pull request review - - Security-sensitive changes require additional review - - Enable branch protection on main branches + - All code changes must go through pull request review + - Security-sensitive changes require additional review + - Enable branch protection on main branches ### For Users 1. **Environment Setup** - - Follow our [secrets management guide](docs/guides/secrets-management.md) for secure configuration - - Use separate API keys for development and production - - Regularly rotate credentials + + - Follow our [secrets management guide](docs/guides/secrets-management.md) for secure configuration + - Use separate API keys for development and production + - Regularly rotate credentials 2. **Model Provider Security** - - Use appropriate rate limiting for API calls - - Monitor usage patterns for unusual activity - - Implement proper authentication for exposed endpoints + + - Use appropriate rate limiting for API calls + - Monitor usage patterns for unusual activity + - Implement proper authentication for exposed endpoints 3. **Platform Integration** - - Use separate bot tokens for different environments - - Implement proper permission scoping for platform APIs - - Regular audit of platform access and permissions + - Use separate bot tokens for different environments + - Implement proper permission scoping for platform APIs + - Regular audit of platform access and permissions ## Security Features ### Current Implementation -- Environment variable based secrets management -- Type-safe API implementations -- Automated dependency updates via Renovate -- Continuous Integration security checks +- Environment variable based secrets management +- Type-safe API implementations +- Automated dependency updates via Renovate +- Continuous Integration security checks ### Planned Improvements 1. **Q4 2024** - - Automated security scanning in CI pipeline - - Enhanced rate limiting implementation - - Improved audit logging + + - Automated security scanning in CI pipeline + - Enhanced rate limiting implementation + - Improved audit logging 2. **Q1 2025** - - Security-focused documentation improvements - - Enhanced platform permission management - - Automated vulnerability scanning + - Security-focused documentation improvements + - Enhanced platform permission management + - Automated vulnerability scanning ## Vulnerability Disclosure Policy @@ -100,21 +105,21 @@ We follow a coordinated disclosure process: We believe in recognizing security researchers who help improve our security. Contributors who report valid security issues will be: -- Credited in our security acknowledgments (unless they wish to remain anonymous) -- Added to our security hall of fame -- Considered for our bug bounty program (coming soon) +- Credited in our security acknowledgments (unless they wish to remain anonymous) +- Added to our security hall of fame +- Considered for our bug bounty program (coming soon) ## License Considerations As an MIT licensed project, users should understand: -- The software is provided "as is" -- No warranty is provided -- Users are responsible for their own security implementations -- Contributors grant perpetual license to their contributions +- The software is provided "as is" +- No warranty is provided +- Users are responsible for their own security implementations +- Contributors grant perpetual license to their contributions ## Contact -- Security Issues: security@eliza.builders -- General Questions: Join our [Discord](https://discord.gg/ai16z) -- Updates: Follow our [security advisory page](https://github.com/ai16z/eliza/security/advisories) +- Security Issues: security@eliza.builders +- General Questions: Join our [Discord](https://discord.gg/ai16z) +- Updates: Follow our [security advisory page](https://github.com/ai16z/eliza/security/advisories) diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 2dbbe1b118..e7cddacf7d 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -607,8 +607,8 @@ importers: specifier: workspace:* version: link:../core agent-twitter-client: - specifier: 0.0.14 - version: 0.0.14 + specifier: 0.0.13 + version: 0.0.13 glob: specifier: 11.0.0 version: 11.0.0 @@ -670,11 +670,9 @@ importers: ai: specifier: ^3.4.23 version: 3.4.33(openai@4.69.0(encoding@0.1.13)(zod@3.23.8))(react@18.3.1)(sswr@2.1.0(svelte@5.2.7))(svelte@5.2.7)(vue@3.5.13(typescript@5.6.3))(zod@3.23.8) - version: 3.4.33(openai@4.69.0(encoding@0.1.13)(zod@3.23.8))(react@18.3.1)(sswr@2.1.0(svelte@5.2.7))(svelte@5.2.7)(vue@3.5.13(typescript@5.6.3))(zod@3.23.8) anthropic-vertex-ai: specifier: ^1.0.0 version: 1.0.2(encoding@0.1.13)(zod@3.23.8) - version: 1.0.2(encoding@0.1.13)(zod@3.23.8) fastembed: specifier: ^1.14.1 version: 1.14.1 @@ -6114,9 +6112,6 @@ packages: agent-twitter-client@0.0.13: resolution: {integrity: sha512-xIVvrMKWe9VfZDlmGwO9hEd0Kav74FUT4euPZV8XiTqPv6D5gOd5PE0KkkBHPKSupOZuHf8BvQuhEwa/5Ac6hg==} - agent-twitter-client@0.0.14: - resolution: {integrity: sha512-GYTyLRqiN3yaJTSSiPB1J5kL0RXh10UvsN/Xn2HhegBnpQlgtLkMEQnDKfR+ZNBiLBhG2QBpm/6GrhAxdF4a5g==} - agentkeepalive@4.5.0: resolution: {integrity: sha512-5GG/5IbQQpC9FpkRGsSvZI5QYeSCzlJHdpBQntCsuTOxhKD8lqKhrleg2Yi7yvMIf82Ycmmqln9U8V9qwEiJew==} engines: {node: '>= 8.0.0'} @@ -13818,14 +13813,16 @@ packages: resolution: {integrity: sha512-n1cw8k1k0x4pgA2+9XrOkFydTerNcJ1zWCO5Nn9scWHTD+5tp8dghT2x1uduQePZTZgd3Tupf+x9BxJjeJi77Q==} engines: {node: '>=14.0.0'} - tldts-core@6.1.63: - resolution: {integrity: sha512-H1XCt54xY+QPbwhTgmxLkepX0MVHu3USfMmejiCOdkMbRcP22Pn2FVF127r/GWXVDmXTRezyF3Ckvhn4Fs6j7Q==} tldts-core@6.1.63: resolution: {integrity: sha512-H1XCt54xY+QPbwhTgmxLkepX0MVHu3USfMmejiCOdkMbRcP22Pn2FVF127r/GWXVDmXTRezyF3Ckvhn4Fs6j7Q==} tldts-experimental@6.1.63: resolution: {integrity: sha512-Xqxv4UvuTwC/sslspSbkw/52vvYCeZdEJwnv7VFlQEfYvK8fNuIpz5hoOvO7XuzfjqexMRRnVDYUyjqesTYESg==} + tldts@6.1.63: + resolution: {integrity: sha512-YWwhsjyn9sB/1rOkSRYxvkN/wl5LFM1QDv6F2pVR+pb/jFne4EOBxHfkKVWvDIBEAw9iGOwwubHtQTm0WRT5sQ==} + hasBin: true + tmp@0.0.33: resolution: {integrity: sha512-jRCJlojKnZ3addtTOjdIqoRuPEKBvNXcGYqzO6zWZX8KfKEpnGY5jfggJQ3EjKuu8D4bJRr0y+cYJFmYbImXGw==} engines: {node: '>=0.6.0'} @@ -14016,9 +14013,6 @@ packages: tweetnacl@0.14.5: resolution: {integrity: sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==} - twitter-api-v2@1.18.2: - resolution: {integrity: sha512-ggImmoAeVgETYqrWeZy+nWnDpwgTP+IvFEc03Pitt1HcgMX+Yw17rP38Fb5FFTinuyNvS07EPtAfZ184uIyB0A==} - tx2@1.0.5: resolution: {integrity: sha512-sJ24w0y03Md/bxzK4FU8J8JveYYUbSs2FViLJ2D/8bytSiyPRbuE3DyL/9UKYXTZlV3yXq0L8GLlhobTnekCVg==} @@ -21618,18 +21612,6 @@ snapshots: tough-cookie: 4.1.4 tslib: 2.8.0 - agent-twitter-client@0.0.14: - dependencies: - '@sinclair/typebox': 0.32.35 - agent-twitter-client: 0.0.13 - headers-polyfill: 3.3.0 - json-stable-stringify: 1.1.1 - otpauth: 9.3.5 - set-cookie-parser: 2.7.1 - tough-cookie: 4.1.4 - tslib: 2.8.0 - twitter-api-v2: 1.18.2 - agentkeepalive@4.5.0: dependencies: humanize-ms: 1.2.1 @@ -31064,6 +31046,10 @@ snapshots: dependencies: tldts-core: 6.1.63 + tldts@6.1.63: + dependencies: + tldts-core: 6.1.63 + tmp@0.0.33: dependencies: os-tmpdir: 1.0.2 @@ -31250,8 +31236,6 @@ snapshots: tweetnacl@0.14.5: {} - twitter-api-v2@1.18.2: {} - tx2@1.0.5: dependencies: json-stringify-safe: 5.0.1