Harden network CLI, blob integrity, and RPC operations (#21)

Author: JROChub

.github/workflows/ci.yml

@@ -33,6 +33,12 @@ jobs:
       - name: Test network targets
         run: cargo test --all-targets --features net --locked
 
+      - name: CLI contract tests
+        run: bash scripts/test_cli.sh
+
+      - name: RPC publication-gate tests
+        run: python3 scripts/test_rpc_check.py
+
       - name: Reproduce sparse conformance vectors
         run: |
           cargo run --example conformance_vectors

.gitignore

@@ -5,15 +5,12 @@
 *.identity
 /boot*.anchor
 /funding_service/target/
-/infra/systemd/*.service
 /infra/ops_hosts.toml
 /infra/.tmp_*
 /sample.bin
 /.soldeps/
 /artifacts/
 powerhouse/
-powerhouse-boot1.service
-powerhouse-boot2.service
 boot1.anchor
 boot2.anchor
 *.ed25519

docker-compose.yml

@@ -1,4 +1,3 @@
-version: "3.8"
 services:
   node:
     build: .

docs/ops.md

@@ -44,6 +44,10 @@ Copy the examples from `infra/systemd/` and fill in real values.
 The node wrappers read these files and start `/usr/local/bin/julian` using
 `/usr/local/bin/powerhouse-boot.sh`.
 
+The deployment script installs refreshed `.env.example` files but refuses to
+start a node until the two live environment files already exist. This prevents
+an upgrade from silently replacing identities, peer addresses, or secrets.
+
 Recommended production flags:
 
 - `--blob-dir /var/lib/powerhouse/<node>/blobs`
@@ -138,7 +142,7 @@ Use versioned releases under `/opt/powerhouse/releases`:
 ## 10. Blob/DA endpoints
 
 - Health: `curl http://<host>:8181/healthz`
-- Submit: `curl -X POST http://<host>:8181/submit_blob -H 'X-Namespace: default' -H 'X-Fee: 10' --data-binary @file.bin`
+- Submit: `curl -X POST http://<host>:8181/submit_blob -H 'X-Namespace: default' -H 'X-Fee: 0' --data-binary @file.bin`
 - Commitment: `curl http://<host>:8181/commitment/default/<hash>`
 - Sample: `curl "http://<host>:8181/sample/default/<hash>?count=2"`
 - Prove storage: `curl http://<host>:8181/prove_storage/default/<hash>/0`
@@ -147,7 +151,23 @@ Use versioned releases under `/opt/powerhouse/releases`:
 If `--blob-auth-token` is set, add:
 - `Authorization: Bearer <token>` or `x-api-key: <token>`
 
-## 10.1 External DA publisher (optional)
+Nonzero fees require a funded `X-Publisher` account and its matching
+`X-Publisher-Sig`; use the stake CLI to provision balances before testing fees.
+
+## 10.1 JSON-RPC publication gate
+
+Before publishing an EVM-compatible endpoint in ChainList, run:
+
+```bash
+python3 scripts/check_rpc.py https://rpc.example.org --expected-chain-id 177155 --require-cors
+```
+
+The probe requires working DNS/TLS, consistent `eth_chainId` and
+`net_version`, a valid latest block response, and browser CORS when requested.
+It is an endpoint integrity check, not a substitute for consensus-state audits.
+See `docs/rpc_operations.md`.
+
+## 10.2 External DA publisher (optional)
 
 Power-House can push DA commitments to an external API (Celestia/Ethereum-compatible
 gateway, or a custom relay). Configure via environment:

docs/rpc_operations.md

@@ -0,0 +1,44 @@
+# Power-House RPC Operations
+
+An RPC URL is ready for public wallets only when it serves canonical state from
+the same finalized network observed by every public node. A process that invents
+block numbers, stores balances only on one host, or acknowledges transfers
+before network finality must not be advertised as the chain RPC.
+
+## Publication gate
+
+Run the repository probe from an independent machine:
+
+```bash
+python3 scripts/check_rpc.py \
+  https://rpc.example.org \
+  --expected-chain-id 177155 \
+  --require-cors
+```
+
+The command fails on:
+
+- DNS, TCP, TLS, HTTP, or JSON decoding errors
+- JSON-RPC error responses or mismatched request IDs
+- chain ID disagreement between `eth_chainId` and `net_version`
+- malformed or inconsistent latest-block metadata
+- missing browser CORS headers when `--require-cors` is set
+
+Run the probe after every RPC deployment and continuously from external
+monitoring. Do not update ChainList until it passes.
+
+## Consensus requirements
+
+A production RPC adapter must read finalized blocks, account state, and
+transaction results from Power-House consensus. Every write must enter the
+network transaction path, survive validation and quorum finality, and return
+the same receipt from multiple RPC replicas. Contract methods must either have
+a real execution engine or return a standards-compliant unsupported-method
+error; fabricated success responses are not acceptable.
+
+## Incident response
+
+If the probe fails, remove the endpoint from public discovery or return a clear
+maintenance response. Preserve node and reverse-proxy logs, compare finalized
+anchor IDs across replicas, and restore service only after DNS, TLS, chain ID,
+latest block, and replica state agree.

infra/systemd/powerhouse-boot1.env.example

@@ -3,6 +3,6 @@ PH_LOG_DIR=/var/lib/powerhouse/boot1/logs
 PH_LISTEN=/ip4/0.0.0.0/tcp/7001
 PH_KEY=ed25519://boot1-seed
 PH_BLOB_DIR=/var/lib/powerhouse/boot1/blobs
-PH_BOOTSTRAPS="/ip4/146.190.126.101/tcp/7002/p2p/12D3KooWRLM7PJrtjRM6NZPX8vmdu4YGJa9D6aPoEnLcE1o6aKCd /ip4/146.190.126.101/tcp/7002/p2p/12D3KooWRLM7PJrtjRM6NZPX8vmdu4YGJa9D6aPoEnLcE1o6aKCd"
+PH_BOOTSTRAPS="/ip4/146.190.126.101/tcp/7002/p2p/12D3KooWRLM7PJrtjRM6NZPX8vmdu4YGJa9D6aPoEnLcE1o6aKCd"
 PH_SERVICE_NAME=powerhouse-boot1
 PH_BACKUP_SOURCES="/var/lib/powerhouse/boot1 /etc/powerhouse/blob_policy.json /etc/powerhouse/governance.json /etc/powerhouse/stake_state.json"

infra/systemd/powerhouse-boot1.service

@@ -0,0 +1,34 @@
+[Unit]
+Description=Power-House JULIAN bootstrap node (boot1)
+After=network-online.target
+Wants=network-online.target
+StartLimitIntervalSec=120
+StartLimitBurst=5
+
+[Service]
+Type=simple
+User=root
+Group=root
+WorkingDirectory=/var/lib/powerhouse/boot1
+StateDirectory=powerhouse/boot1
+StateDirectoryMode=0750
+LogsDirectory=powerhouse
+LogsDirectoryMode=0750
+Environment=RUST_LOG=info
+EnvironmentFile=/etc/powerhouse/powerhouse-common.env
+EnvironmentFile=/etc/powerhouse/powerhouse-boot1.env
+ExecStartPre=/usr/bin/install -d -m 0750 /var/lib/powerhouse/boot1/logs /var/lib/powerhouse/boot1/blobs
+ExecStart=/usr/local/bin/powerhouse-boot.sh
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+KillSignal=SIGINT
+LimitNOFILE=65536
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectHome=true
+ProtectSystem=strict
+ReadWritePaths=/var/lib/powerhouse/boot1 /var/log/powerhouse
+
+[Install]
+WantedBy=multi-user.target

infra/systemd/powerhouse-boot2.env.example

@@ -3,7 +3,7 @@ PH_LOG_DIR=/var/lib/powerhouse/boot2/logs
 PH_LISTEN=/ip4/0.0.0.0/tcp/7002
 PH_KEY=ed25519://boot2-seed
 PH_BLOB_DIR=/var/lib/powerhouse/boot2/blobs
-PH_BOOTSTRAPS="/ip4/137.184.33.2/tcp/7001/p2p/12D3KooWLASw1JVBdDFNATYDJMbAn69CeWieTBLxAKaN9eLEkh3q /ip4/137.184.33.2/tcp/7001/p2p/12D3KooWLASw1JVBdDFNATYDJMbAn69CeWieTBLxAKaN9eLEkh3q"
+PH_BOOTSTRAPS="/ip4/137.184.33.2/tcp/7001/p2p/12D3KooWLASw1JVBdDFNATYDJMbAn69CeWieTBLxAKaN9eLEkh3q"
 PH_SERVICE_NAME=powerhouse-boot2
 PH_BACKUP_SOURCES="/var/lib/powerhouse/boot2 /etc/powerhouse/blob_policy.json /etc/powerhouse/governance.json /etc/powerhouse/stake_state.json"
 PH_LOG_SHIP_HOST=137.184.33.2

infra/systemd/powerhouse-boot2.service

@@ -0,0 +1,34 @@
+[Unit]
+Description=Power-House JULIAN bootstrap node (boot2)
+After=network-online.target
+Wants=network-online.target
+StartLimitIntervalSec=120
+StartLimitBurst=5
+
+[Service]
+Type=simple
+User=root
+Group=root
+WorkingDirectory=/var/lib/powerhouse/boot2
+StateDirectory=powerhouse/boot2
+StateDirectoryMode=0750
+LogsDirectory=powerhouse
+LogsDirectoryMode=0750
+Environment=RUST_LOG=info
+EnvironmentFile=/etc/powerhouse/powerhouse-common.env
+EnvironmentFile=/etc/powerhouse/powerhouse-boot2.env
+ExecStartPre=/usr/bin/install -d -m 0750 /var/lib/powerhouse/boot2/logs /var/lib/powerhouse/boot2/blobs
+ExecStart=/usr/local/bin/powerhouse-boot.sh
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+KillSignal=SIGINT
+LimitNOFILE=65536
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectHome=true
+ProtectSystem=strict
+ReadWritePaths=/var/lib/powerhouse/boot2 /var/log/powerhouse
+
+[Install]
+WantedBy=multi-user.target