fix: register missing flags and add fee validation in xmtpd-cli #2007

Open
alelpoan wants to merge 3 commits into xmtp:main from alelpoan:fix/cli-flag-validation
@alelpoan alelpoan commented May 25, 2026

Fix three bugs in xmtpd-cli command flag handling.

Changes:

  • key_management.go: missing --private-key flag registered in getPubKeyCommand and bound to viper so the value can be passed via CLI
  • rate_registry.go: added validation in addRatesHandler to reject negative fee values before passing to currency.PicoDollar
  • version.go: "settlement-chain-gateway|payer-registry|distribution-manager" → "settlement-chain-gateway|payer-registry|distribution-manager|settlement-parameter-registry|payer-report-manager|rate-registry|group|identity|app-chain-gateway|app-parameter-registry|node-registry"

Test plan:

  • xmtpd-cli keys get-public-key --private-key <key> now works via CLI
  • xmtpd-cli rates add with negative fee returns error
  • xmtpd-cli version get --help shows all supported targets

Note

Fix missing --private-key flag registration and add negative fee validation in xmtpd-cli

  • Registers a --private-key (hex) flag on the key management command and binds it to viper, making it usable via CLI.
  • Adds validation in addRatesHandler to reject negative values for MessageFee, StorageFee, and CongestionFee, returning an error immediately.
  • Expands the --target flag help text in the version command to list additional supported targets.

Macroscope summarized 2809d0b.

@alelpoan alelpoan requested a review from a team as a code owner May 25, 2026 20:17
@octane-security-app

Summary by Octane

New Contracts

No new contracts were added.

Updated Contracts

  • key_management.go: Added a flag for specifying a private key to derive the public key in the command-line interface.
  • rate_registry.go: Added validation to prevent negative fees for message, storage, and congestion.
  • version.go: The modified smart contract now supports additional targets including settlement-parameter-registry, payer-report-manager, rate-registry, group, identity, app-chain-gateway, app-parameter-registry, and node-registry.

🔗 Commit Hash: 2809d0b

@octane-security-app

Overview

Vulnerabilities found: 3
Severity breakdown: 1 Medium, 1 Low, 1 Informational

Detailed findings

cmd/xmtpd-cli/commands/key_management.go

  • Rebinding Viper key 'private-key' in keys get-public-key subcommand causes wrong signer selection and command failures.

cmd/xmtpd-cli/commands/version.go

  • Unconditional dual admin initialization and duplicate remote config loading in xmtpd-cli version get causes avoidable failures of read-only single-target queries.

pkg/registry/node_registry_contract.go

  • Missing invalidation in SmartContractRegistry refresh causes continued peer authentication after registry revocation.

🔗 Commit Hash: 2809d0b
🛡️ Octane Dashboard: All vulnerabilities
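
The first finding above turns on what happens when two subcommands bind their own flag under the same configuration key. The following is an added example, not code from xmtpd, viper, or this pull request: a simplified stand-in for a process-wide key-to-flag table, showing the shadowing effect and a namespaced key as one way to avoid it. The `Binder` type, the two subcommands, the namespaced key and the key values are all constructed for illustration; the model assumes the table keeps one flag per key (the latest bind wins) and returns a bound flag's value only when that flag was set on the command line.

```go
package main

import "fmt"

// Flag is a stand-in for one command-line flag: its value and whether the user set it.
type Flag struct {
	Value   string
	Changed bool
}

// Binder models a process-wide key-to-flag table (an assumption of this example):
// one flag per key, and a later Bind for the same key replaces the earlier one.
type Binder struct {
	flags    map[string]*Flag
	fallback map[string]string // stands in for config-file or environment values
}

func NewBinder(fallback map[string]string) *Binder {
	return &Binder{flags: map[string]*Flag{}, fallback: fallback}
}

func (b *Binder) Bind(key string, f *Flag) { b.flags[key] = f }

// Get returns the bound flag's value only if that flag was set; otherwise the fallback.
func (b *Binder) Get(key string) string {
	if f, ok := b.flags[key]; ok && f.Changed {
		return f.Value
	}
	return b.fallback[key]
}

// signerSeenBy wires two hypothetical subcommands that each own a --private-key flag,
// binds them under the given keys in construction order, then simulates the user
// running the first subcommand with --private-key=cliKey. It returns the key that
// subcommand reads back through the table.
func signerSeenBy(firstKey, secondKey, cliKey string) string {
	b := NewBinder(map[string]string{"private-key": "key-from-config"})
	first, second := &Flag{}, &Flag{}
	b.Bind(firstKey, first)   // e.g. a signing subcommand, constructed first
	b.Bind(secondKey, second) // e.g. keys get-public-key, constructed later
	first.Value, first.Changed = cliKey, true // user sets the flag on the first command
	return b.Get(firstKey)
}

func main() {
	// Shared key: the later bind shadows the first command's flag.
	fmt.Println(signerSeenBy("private-key", "private-key", "key-from-cli"))
	// Namespaced key for the later command: the first command reads its own flag.
	fmt.Println(signerSeenBy("private-key", "keys.get-public-key.private-key", "key-from-cli"))
}
```

With the shared key, the first subcommand silently falls back to the configured key even though the user passed one explicitly. A regression test asserting which key each subcommand resolves would catch this before merge.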
