Skip to content

WIP did-plc controller#47

Open
MichaelMure wants to merge 1 commit into
crypto-selectionfrom
plc-controller
Open

WIP did-plc controller#47
MichaelMure wants to merge 1 commit into
crypto-selectionfrom
plc-controller

Conversation

@MichaelMure

@MichaelMure MichaelMure commented Jun 26, 2026

Copy link
Copy Markdown
Collaborator

Note

Medium Risk
Touches identity signing, rotation keys, and cryptographic chain validation; mistakes could allow invalid ops or break registry compatibility, though scope is a new package with tests.

Overview
Adds a new controller/did-plc package that talks to the PLC registry (https://plc.directory by default) to create DIDs, update documents, tombstone, recover from a fork CID, and audit the operation log with local chain checks.

Operations are signed as DAG-CBOR via an internal dagcbor encoder, with CIDv1 / MSI derivation, low-S ECDSA signatures, and JSON submission over HTTP. Registry options cover custom URL, HTTP client, and allowed rotation key algorithms (default secp256k1 + P-256). Audit parsing supports plc_operation, plc_tombstone, and legacy create entries, skipping nullified ops while verifying CID, prev continuity, and signatures.

go.mod gains IPLD/multiformats deps (go-cid, multihash, multicodec, etc.). Tests use an in-memory fake registry plus DAG-CBOR unit tests; an Example documents the end-to-end flow.

Reviewed by Cursor Bugbot for commit e9ae33f. Bugbot is set up for automated code reviews on this repo. Configure here.

@socket-security

socket-security Bot commented Jun 26, 2026

Copy link
Copy Markdown

@socket-security

socket-security Bot commented Jun 26, 2026

Copy link
Copy Markdown

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action Severity Alert  (click "▶" to expand/collapse)
Block Medium
Network access: golang github.com/klauspost/cpuid/v2

Location: Package overview

From: ?golang/github.com/multiformats/go-multihash@v0.2.3golang/github.com/klauspost/cpuid/v2@v2.0.9

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/klauspost/cpuid/v2@v2.0.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Comment thread controller/did-plc/audit.go Outdated
Comment thread controller/did-plc/controller.go

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit e9ae33f. Configure here.

}
}
return Op{}, fmt.Errorf("operation with CID %s not found for %s", cid, c.didStr)
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mutating paths skip chain validation

Medium Severity

Update, Tombstone, and Recover load the audit log via fetchHead and fetchOpAtCID without calling validateChain, while Audit does. A tampered or internally inconsistent log can still supply a head CID and document state, so signed submissions may be built on unverified history until the registry rejects them or the caller runs Audit separately.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit e9ae33f. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants