dchain

vsecoder/dchain

Fork 0

Commit Graph

Author	SHA1	Message	Date
vsecoder	1e7f4d8da4	fix(docker): bump build-stage Go to 1.25 (matches go.mod) When v2.0.0 added the golang.org/x/image/webp dependency (used by the media scrubber for WebP decoding), go mod tidy bumped the module's minimum Go version in go.mod: module go-blockchain go 1.25.0 The three Dockerfiles in the repo were still pinned to older images: /Dockerfile FROM golang:1.24-alpine /deploy/prod/Dockerfile.slim FROM golang:1.24-alpine /docker/media-sidecar/Dockerfile FROM golang:1.22-alpine Result: `docker build` on any of them fails at `go mod download` with go: go.mod requires go >= 1.25.0 (running go 1.24.13; GOTOOLCHAIN=local) because Alpine's golang image pins GOTOOLCHAIN=local to keep the toolchain reproducible. Fix: bump all three to golang:1.25-alpine. The media-sidecar module doesn't actually need 1.25 (it's self-contained and only uses stdlib), but keeping all three in sync avoids surprise the next time somebody adds a dep. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-18 22:32:22 +03:00
vsecoder	f885264d23	feat(media): mandatory metadata scrubbing on /feed/publish + FFmpeg sidecar Every photo from a phone camera ships with an EXIF block that leaks: GPS coordinates, camera model + serial, original timestamp, software name, author/copyright fields, sometimes an embedded thumbnail that survives cropping. For a social feed positioned as privacy-friendly we can't trust the client alone to scrub — a compromised build, a future plugin, or a hostile fork would simply skip the step and leak authorship data. So: server-side scrub is mandatory for every /feed/publish upload. New package: media media/scrub.go - Scrubber type with Scrub(ctx, bytes, claimedMIME) → (clean, actualMIME) - ScrubImage handles JPEG/PNG/GIF/WebP in-process: decodes, optionally downscales to 1080px max-dim, re-encodes as JPEG Q=75. Stdlib jpeg.Encode emits ZERO metadata → scrub is complete by construction. - Sidecar client (HTTP): posts video/audio bytes to an external FFmpeg worker at DCHAIN_MEDIA_SIDECAR_URL - Magic-byte MIME detection: rejects uploads where declared MIME doesn't match actual bytes (prevents a PDF dressed as image/jpeg from bypassing the scrubber) - ErrSidecarUnavailable: explicit error when video arrives but no sidecar is wired; operator opts in to fallback via --allow-unscrubbed-video (default: reject) media/scrub_test.go - Crafted EXIF segment with "SECRETGPS-…Canon-EOS-R5" canary — verifies the string is gone after ScrubImage - Downscale test (2000×1000 → 1080×540, aspect preserved) - MIME-mismatch rejection - Magic-byte detector sanity table FFmpeg sidecar — new docker/media-sidecar/ Tiny Go HTTP service (~180 LOC, no non-stdlib deps) that shells out to ffmpeg with -map_metadata -1 + -map 0:v -map 0:a? to guarantee only video + audio streams survive (no subtitles, attached pictures, or data channels that could carry hidden info). Re-encode profile: video → H.264 CRF 28 preset=fast, Opus 64k, MP4 faststart audio → Opus 64k, Ogg container Dockerfile: two-stage build (Go → alpine+ffmpeg), ~90 MB image, non- root user, /healthz endpoint for compose probes. Node reaches it via DCHAIN_MEDIA_SIDECAR_URL. Without it, video uploads are rejected with 503 unless operator sets DCHAIN_ALLOW_UNSCRUBBED_VIDEO. /feed/publish wiring - cfg.Scrubber is a required dependency - Before storing post body we call scrubber.Scrub(); attachment bytes + MIME are replaced with the cleaned version - content_hash is computed over the SCRUBBED bytes — so the on-chain CREATE_POST tx references exactly what readers will fetch - EstimatedFeeUT uses the scrubbed size, so author's fee reflects actual on-disk cost - Content-type mismatches → 400; sidecar unavailable for video → 503 Flags / env vars --feed-db / DCHAIN_FEED_DB (existing) --feed-ttl-days / DCHAIN_FEED_TTL_DAYS (existing) --media-sidecar-url / DCHAIN_MEDIA_SIDECAR_URL (NEW) --allow-unscrubbed-video / DCHAIN_ALLOW_UNSCRUBBED_VIDEO (NEW; default false) Client responsibilities (for reference — client work lands in Phase C) Even with server-side scrub, the client should still compress aggressively BEFORE upload, because: - upload time is ~N× larger for unscrubbed media (mobile networks) - the server's 256 KiB MaxPostSize is a HARD cap — oversized uploads are rejected, not silently truncated - the on-chain fee is size-based, so users pay for every byte the client didn't bother to shrink Recommended client pipeline: images → expo-image-manipulator: resize max-dim 1080px, WebP or JPEG quality 50-60 videos → react-native-compressor: H.264 CRF 28, 720p max, 64k audio audio → expo-audio's default Opus 32k (already compressed) Documented in docs/media-sidecar.md (added later with Phase C PR). Tests - go test ./... green across 6 packages (blockchain consensus identity media relay vm) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-18 19:15:14 +03:00

Author

SHA1

Message

Date

vsecoder

1e7f4d8da4

fix(docker): bump build-stage Go to 1.25 (matches go.mod)

When v2.0.0 added the golang.org/x/image/webp dependency (used by the
media scrubber for WebP decoding), go mod tidy bumped the module's
minimum Go version in go.mod:

  module go-blockchain
  go 1.25.0

The three Dockerfiles in the repo were still pinned to older images:

  /Dockerfile              FROM golang:1.24-alpine
  /deploy/prod/Dockerfile.slim  FROM golang:1.24-alpine
  /docker/media-sidecar/Dockerfile  FROM golang:1.22-alpine

Result: `docker build` on any of them fails at `go mod download` with
  go: go.mod requires go >= 1.25.0 (running go 1.24.13; GOTOOLCHAIN=local)
because Alpine's golang image pins GOTOOLCHAIN=local to keep the
toolchain reproducible.

Fix: bump all three to golang:1.25-alpine. The media-sidecar module
doesn't actually need 1.25 (it's self-contained and only uses stdlib),
but keeping all three in sync avoids surprise the next time somebody
adds a dep.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-18 22:32:22 +03:00

vsecoder

f885264d23

feat(media): mandatory metadata scrubbing on /feed/publish + FFmpeg sidecar

Every photo from a phone camera ships with an EXIF block that leaks:
GPS coordinates, camera model + serial, original timestamp, software
name, author/copyright fields, sometimes an embedded thumbnail that
survives cropping. For a social feed positioned as privacy-friendly
we can't trust the client alone to scrub — a compromised build,
a future plugin, or a hostile fork would simply skip the step and
leak authorship data.

So: server-side scrub is mandatory for every /feed/publish upload.

New package: media

  media/scrub.go
    - Scrubber type with Scrub(ctx, bytes, claimedMIME) → (clean, actualMIME)
    - ScrubImage handles JPEG/PNG/GIF/WebP in-process: decodes, optionally
      downscales to 1080px max-dim, re-encodes as JPEG Q=75. Stdlib
      jpeg.Encode emits ZERO metadata → scrub is complete by construction.
    - Sidecar client (HTTP): posts video/audio bytes to an external
      FFmpeg worker at DCHAIN_MEDIA_SIDECAR_URL
    - Magic-byte MIME detection: rejects uploads where declared MIME
      doesn't match actual bytes (prevents a PDF dressed as image/jpeg
      from bypassing the scrubber)
    - ErrSidecarUnavailable: explicit error when video arrives but no
      sidecar is wired; operator opts in to fallback via
      --allow-unscrubbed-video (default: reject)

  media/scrub_test.go
    - Crafted EXIF segment with "SECRETGPS-…Canon-EOS-R5" canary —
      verifies the string is gone after ScrubImage
    - Downscale test (2000×1000 → 1080×540, aspect preserved)
    - MIME-mismatch rejection
    - Magic-byte detector sanity table

FFmpeg sidecar — new docker/media-sidecar/

  Tiny Go HTTP service (~180 LOC, no non-stdlib deps) that shells out
  to ffmpeg with -map_metadata -1 + -map 0:v -map 0:a? to guarantee
  only video + audio streams survive (no subtitles, attached pictures,
  or data channels that could carry hidden info).

  Re-encode profile:
    video → H.264 CRF 28 preset=fast, Opus 64k, MP4 faststart
    audio → Opus 64k, Ogg container

  Dockerfile: two-stage build (Go → alpine+ffmpeg), ~90 MB image, non-
  root user, /healthz endpoint for compose probes.

  Node reaches it via DCHAIN_MEDIA_SIDECAR_URL. Without it, video uploads
  are rejected with 503 unless operator sets DCHAIN_ALLOW_UNSCRUBBED_VIDEO.

/feed/publish wiring

  - cfg.Scrubber is a required dependency
  - Before storing post body we call scrubber.Scrub(); attachment bytes
    + MIME are replaced with the cleaned version
  - content_hash is computed over the SCRUBBED bytes — so the on-chain
    CREATE_POST tx references exactly what readers will fetch
  - EstimatedFeeUT uses the scrubbed size, so author's fee reflects
    actual on-disk cost
  - Content-type mismatches → 400; sidecar unavailable for video → 503

Flags / env vars

  --feed-db / DCHAIN_FEED_DB            (existing)
  --feed-ttl-days / DCHAIN_FEED_TTL_DAYS (existing)
  --media-sidecar-url / DCHAIN_MEDIA_SIDECAR_URL   (NEW)
  --allow-unscrubbed-video / DCHAIN_ALLOW_UNSCRUBBED_VIDEO (NEW; default false)

Client responsibilities (for reference — client work lands in Phase C)

  Even with server-side scrub, the client should still compress aggressively
  BEFORE upload, because:
    - upload time is ~N× larger for unscrubbed media (mobile networks)
    - the server's 256 KiB MaxPostSize is a HARD cap — oversized uploads
      are rejected, not silently truncated
    - the on-chain fee is size-based, so users pay for every byte the
      client didn't bother to shrink

  Recommended client pipeline:
    images → expo-image-manipulator: resize max-dim 1080px, WebP or
             JPEG quality 50-60
    videos → react-native-compressor: H.264 CRF 28, 720p max, 64k audio
    audio  → expo-audio's default Opus 32k (already compressed)

  Documented in docs/media-sidecar.md (added later with Phase C PR).

Tests
  - go test ./... green across 6 packages (blockchain consensus identity
    media relay vm)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-18 19:15:14 +03:00

2 Commits