Gateway Master Dashboard

Loading…
Accounts
Total stored
Sia
Storj
Objects
Storj Agents

Wallet (fleet_financials)

Storage by Backend

Sia
objects
Avg file:
Storj
objects
agents
Avg file:

Regional (Sia hosts)

Hosts

Latency Contracts Price/TB $SC Score Region Host Key
No probe data

Gateway Capacity

Total capacity
Used
Utilization
Writable

Wallet

Balance
USD value

Contracted Hosts

Host Key Storage Usability
No contracts
Total Deposits
Total Billed
Agent Balances
Active Agents

Billing

Last run
Total storage + egress
Standard agents
Express agents

Deposit Pipeline

Deposits processed
Total credited
Status

Top Agents by Balance

AgentTierBalance

Recent Transactions

AgentTypeAmountWhen

renterd

Status
Contracts
Storage (Sia)
Client data
Redundancy (3x)
Total stored
Objects
By network
Wallet
Autopilot

System

Disk
RAM
CPU load
Uptime

Credits (OpenRouter)

Today
This week
This month
Total spent

Cumulative security posture across all audits. Most recent on top. Click any card to expand details.

2026-07-06 — Pre-Launch Billing Audit Hermes · code review
1 CRITICAL 2 MEDIUM 2 LOW 1 INFO
Billing pipeline audit: deposit → credit → storage → charge. Found 30x overcharge due to missing daily pro-ration.
#SeverityFindingImpact
1CRITICALBilling 30x overcharge — no daily pro-rationAgents charged $60/TB instead of $2/TB
2MEDIUMCredit endpoint not idempotent (tx_hash ignored)Double-credit risk on watcher state loss
3LOWNo transaction wrapping in adjust_balanceBalance drift on concurrent writes
4MEDIUMAgent registration unauthenticated (public)Registration spam / abuse vector
5LOWShare endpoint leaks renterd internalsInfo disclosure if share token leaks
6INFONo deposit minimum enforcedDust deposits create unbillable balances
Full report: /root/sia-project/gateway/.hermes/plans/2026-07-06_015500-billing-audit.md
2026-07-05 — Gateway Attack Surface Baseline Hermes · perimeter scan
2 CRITICAL 4 HIGH 5 MEDIUM 2 LOW
External attack surface: nmap, nikto, slowhttptest, nuclei, semgrep. Top priority: nginx reverse proxy for DoS protection.
#SeverityFindingFix
C1CRITICALSlow Read DoS — 200 concurrent connections make gateway unresponsive in ~2snginx reverse proxy with timeouts
C2CRITICALS3 bucket enumeration — :8080 lists all buckets without authFirewall :8080 to localhost only
H1HIGH10 missing security headers (HSTS, CSP, X-Frame-Options, etc.)nginx add_header directives
H2HIGHServer version disclosure (uvicorn, SimpleHTTP/0.6)Override Server header in nginx
H3HIGH40 urllib dynamic URL injection (file:// scheme risk)Switch to requests library
H4HIGH15 insecure transport (HTTP instead of HTTPS)Enforce HTTPS, validate certs
M1MEDIUMCORS wildcard on S3 gatewayRestrict origins
M2MEDIUMAPI docs exposed (/docs, /openapi.json, /redoc) without authGate behind admin token
M3MEDIUMUnauthenticated /health & /metricsRate-limit or auth
M4MEDIUM7 SQL injection risks (raw execute + formatted SQL)Parameterized queries
M5MEDIUMDashboard on SimpleHTTP — not production-grade, trivial DoSnginx static file serving
Full report: /root/sia-project/dashboard/audits/2026-07-05-baseline.md
2026-07-05 — Code & Dependency Security Audit Ken · SAST + deps + secrets + infra
PASS 3 NOTES
Bandit SAST (0 HIGH, 29 MEDIUM reviewed — all false positives). pip-audit clean. gitleaks: 0 real secrets. Verdict: PASS WITH NOTES.
ScopeToolResult
SASTBandit 1.9.40 HIGH, 29 MEDIUM (all false positives — hardcoded localhost URLs), 17 LOW
Dependenciespip-audit 2.10.1✓ No known vulnerabilities
Secretsgitleaks 8.16.00 real secrets (193 hits in .venv/ fake tokens)
InfraManual port scanGateway :8000 + Dashboard :8001 on 0.0.0.0 — behind Caddy ✓. renterd :9980 localhost ✓
Notes: (1) No per-agent rate limiting — MEDIUM DoS concern. (2) Audit subprocess calls for shell injection. (3) Bind admin dashboard to 127.0.0.1.
Full report: /root/sia-project/gateway/shared/security-audit-latest.md

In-Flight Development

Items actively under development:

billing Two-tier billing pipeline — Standard ($8/TB) + Express ($25/TB)
trial 5-min free trial (10 MB, full API, 1-hour cooldown). No phantom money.
watcher Block watcher credit path fix (needs /admin/ prefix)
live-test Live-fire money flow test pending 0.003 SOL gas
nginx nginx reverse proxy for production hardening
a2a Agent-to-agent sharing — grant another agent read access to keys/namespaces. Billing model TBD (sharer pays egress?)
Issues: None at present