Commit graph

2 commits

82e8273969 build(docker): mount git credentials as buildkit secret for pallas SSH→HTTP fetch
The pallas patch in [patch.crates-io] is now ssh://git@gitea after the
2026-05-06 token-scrub. Inside a docker build the rust container has no
SSH key and no known_hosts for gitea, so cargo's libgit2 / system-git
both reject the fetch.

Mount /root/.git-credentials as a BuildKit secret (mode=0400, required)
and set a build-time `url.HTTP.insteadOf SSH` rewrite. Cargo.toml and
Cargo.lock keep their SSH URLs — the rewrite is git-CLI-level so no
credential ever lands in the lock file or in any image layer.

Build invocation:
  docker build --secret id=git_credentials,src=<creds-file> ...

where <creds-file> is one line `http://USER:PAT@192.168.0.5:3001`.

This mirrors the pattern crafting-table already uses on its runner
(.git-credentials + url.insteadOf rewrite). nightly-builds.sh on Lucy
will need an analogous --secret arg before it can rebuild this branch.
2026-05-06 13:45:55 -07:00
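The build-stage pattern the commit message describes, written out as an added example (this is not the repository's own Dockerfile). It assumes the crate is copied to /src, that the gitea HTTP base is `http://192.168.0.5:3001/` and the SSH base `ssh://git@gitea/` with the same path layout under both, and that cargo is switched to the system git CLI so the rewrite applies.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the project's own Dockerfile. Assumptions: source at /src,
# HTTP base http://192.168.0.5:3001/ mirrors the ssh://git@gitea/ path layout,
# and cargo fetches git deps via the git CLI (CARGO_NET_GIT_FETCH_WITH_CLI).
FROM rust:1.95-bookworm AS build
WORKDIR /src
COPY . .

# Cargo's built-in libgit2 fetcher does not consult the git-CLI insteadOf
# rewrite below, so route git dependency fetches through system git.
ENV CARGO_NET_GIT_FETCH_WITH_CLI=true

# The secret exists only for the duration of this single RUN, as a tmpfs file,
# so it never becomes part of a layer and cannot show up in `docker history`.
#   mode=0400     root-read-only inside the build container
#   required=true fail the build loudly instead of silently fetching unauthenticated
# Cargo.toml / Cargo.lock keep their ssh:// URLs; only git sees the HTTP URL.
RUN --mount=type=secret,id=git_credentials,target=/root/.git-credentials,mode=0400,required=true \
    git config --global credential.helper store \
 && git config --global url."http://192.168.0.5:3001/".insteadOf "ssh://git@gitea/" \
 && cargo build --release --locked
# --locked refuses to modify Cargo.lock, so the ssh:// URLs it records are
# exactly what ships. The ~/.gitconfig written above holds only the rewrite
# rule (no credential) and stays in this throwaway build stage.
```

Build with the invocation from the commit message, `docker build --secret id=git_credentials,src=<creds-file> .`; a later runtime stage that copies only the built binary out of `build` carries neither the credential nor the rewrite rule.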
bc39148b63 phase 1: full read path — bip39 + cip-3 + cip-1852 + koios + age-mnemonic + rmcp
end-to-end working wallet: paste 24-word mnemonic, age-encrypt at rest,
on unlock derive root + payment + stake keys, build cip-19 base address,
serve four tools over mcp stdio (wallet.address, wallet.network,
wallet.balance, wallet.utxos).

deps added: ed25519-bip32 0.4 (pallas only ships raw ed25519, not the
cardano variant of bip32 hd derivation), cryptoxide 0.4 for pbkdf2-hmac-sha512,
age 0.10 for at-rest mnemonic encryption, rpassword 7 for tty-only passphrase
prompts, toml 0.9 for config.toml.

new modules:
- crates/aldabra-core/src/derive.rs — payment + stake key derivation, hash
- crates/aldabra-chain/src/koios.rs — real reqwest impl, asset aggregation
- crates/aldabra-mcp/src/{bootstrap,config,tools}.rs

caught one bug pre-flight: get_balance was clobbering same-asset
quantities across utxos instead of summing. fixed + regression test.

headless support via ALDABRA_PASSPHRASE env (mcp clients own stdin so
the rpassword prompt path can't run). docker secret / systemd
EnvironmentFile sources it in production.

dockerfile: multi-stage rust:1.95-bookworm → debian:bookworm-slim, tini
as pid1, non-root aldabra user, /var/lib/aldabra owned 700.

29 unit tests + 1 ignored live-koios test. preprod smoke test exercised
initialize → tools/list → tools/call wallet.address end-to-end via
piped json-rpc; correct preprod address came back from canonical
abandon-art mnemonic.

phase 2 (send) is next.
2026-05-04 11:09:00 -07:00