docs: add runbook for updating session key (#147)

* docs: add runbook for updating session key

* chore: fix lint

Author: SgtPooki

docs/update-session-key.md

@@ -0,0 +1,90 @@
+# Runbook: Update session key for pin.filecoin.cloud
+
+This runbook describes how to create or refresh the session key used by [pin.filecoin.cloud](https://pin.filecoin.cloud), and how to avoid expiry-related outages. See also [Refresh session key (issue #146)](https://github.com/filecoin-project/filecoin-pin-website/issues/146).
+
+## Context
+
+- The site uses **session key** auth (not the main wallet private key) so the app can create datasets and add pieces without exposing the owner key.
+- The session key is valid for a fixed period (e.g. 180 days). When it expires, users see: *"Session key expired or expiring soon"*.
+- **Owner wallet:** `0x44f08D1beFe61255b3C3A349C392C560FA333759`
+- The **private key** for this wallet is stored in the team’s secure secret store. Use it only to run the script below; never commit it or paste it into docs.
+
+## Prerequisites
+
+- [Foundry](https://book.getfoundry.sh/getting-started/installation) installed (`cast` is used by the script).
+- Access to the **private key** for `0x44f08D1beFe61255b3C3A349C392C560FA333759` (from the team secret store).
+- Access to update environment variables for the project on Vercel (see [Vercel env vars](#update-environment-variables-on-vercel)).
+- Optional: access to the **Filoz team calendar** to create reminder events (or someone who can create them).
+
+## 1. Create a new session key
+
+From the **repository root**:
+
+```bash
+# Recommended: 180 days validity to reduce how often you need to rotate
+PRIVATE_KEY=<private_key_for_0x44f08D1beFe61255b3C3A349C392C560FA333759> ./scripts/create-session-key.sh 180
+```
+
+- Replace `<private_key_for_0x44f08D1beFe61255b3C3A349C392C560FA333759>` with the actual key (from your secret store). It must be the key for the owner wallet above.
+- The script will:
+  - Generate a new session key.
+  - Resolve the current session key registry from Warm Storage (same as the app).
+  - Authorize the session key on-chain with CreateDataSet and AddPieces permissions.
+  - Print **VITE_WALLET_ADDRESS** and **VITE_SESSION_KEY** to add to your env.
+
+**Note the expiry date** printed by the script (e.g. *"Validity: 180 days (expires: YYYY-MM-DD HH:MM:SS)"*). You will use this for calendar reminders and the next rotation.
+
+## 2. Create calendar reminder (before expiry)
+
+To avoid the session key expiring unnoticed, create **one recurring event** on the **Filoz team calendar**:
+
+### Option A: Google Calendar link (quick)
+
+Use a pre-filled Google Calendar link, then adjust dates and set repeat:
+
+1. **Open a pre-filled event** using one of these:
+   - **Example (copy and edit):** [Open in Google Calendar (expires 2026-08-15)](https://calendar.google.com/calendar/render?action=TEMPLATE&text=Filecoin-pin-website+session+key+expiring+soon%3A+expires%3A+2026-08-15+09%3A24%3A22&dates=20260715T092400Z/20260715T095400Z&details=Rotate+using+runbook%3A+https%3A%2F%2Fgithub.com%2Ffilecoin-project%2Ffilecoin-pin-website%2Fblob%2Fmain%2Fdocs%2Fupdate-session-key.md&add=infra%40filoz.org%2Cbiglep%40filoz.org%2Corjan%40filoz.org%2Csgtpooki%40filoz.org) — then change the title (expires date) and the event start/end to **your** expiry and **1 month before** that (same time).  
+   - **Or build your own:** use `https://calendar.google.com/calendar/render?action=TEMPLATE&text=...&dates=START/END&details=...&add=...` with title `Filecoin-pin-website session key expiring soon: expires: YYYY-MM-DD HH:MM:SS`, `dates` in UTC as `YYYYMMDDTHHMMSSZ/YYYYMMDDTHHMMSSZ` (first occurrence = 1 month before expiry), and `add=infra@filoz.org,biglep@filoz.org,orjan@filoz.org,sgtpooki@filoz.org` (URL-encode the whole query).
+
+2. After the event form opens, set **Repeat** → **Weekly** → **End after 4 occurrences**, then save. Guests (infra@filoz.org, biglep@filoz.org, orjan@filoz.org, sgtpooki@filoz.org) are pre-filled.
+
+**Date format for `dates=`:** use UTC in the form `YYYYMMDDTHHMMSSZ` for start and end (e.g. `20260715T092400Z` = 2026-07-15 09:24:00 UTC). End can be 30–60 minutes after start.
+
+### Option B: Create the event manually
+
+1. **Title:** `Filecoin-pin-website session key expiring soon: expires: YYYY-MM-DD HH:MM:SS` (use the **expires** value from the script).
+2. **When:** First occurrence **1 month before** the expiry date.
+3. **Repeat:** Custom repeat **ending after 4 occurrences** (e.g. weekly → 1 month, 3 weeks, 2 weeks, 1 week before expiry).
+4. **Invite:** infra@filoz.org, biglep@filoz.org, orjan@filoz.org, sgtpooki@filoz.org.
+
+## 3. Update environment variables on Vercel
+
+After running the script, update the production environment so the site uses the new session key:
+
+1. Open **[Vercel → filecoin-pin-website → Settings → Environment Variables](https://vercel.com/filoz/filecoin-pin-website/settings/environment-variables)**.
+2. Update (or add) for **Production** (and Preview if you use session auth there):
+   - **VITE_WALLET_ADDRESS** = `0x44f08D1beFe61255b3C3A349C392C560FA333759` (owner address; only changes if the owner wallet changes).
+   - **VITE_SESSION_KEY** = the **new** session key private key printed by the script (starts with `0x...`).
+3. Save. Trigger a new deployment if Vercel doesn’t auto-redeploy so the new values are used.
+
+Do **not** commit `VITE_SESSION_KEY` or the owner private key to the repo.
+
+## 4. Verify
+
+- Visit [pin.filecoin.cloud](https://pin.filecoin.cloud) and try an action that uses the session key (e.g. create a dataset or add content). If it works without “Session key expired or expiring soon”, the update was successful.
+- Optionally run the app locally with the same `VITE_WALLET_ADDRESS` and `VITE_SESSION_KEY` in `.env` to double-check.
+
+## Summary checklist
+
+- [ ] Retrieved private key for `0x44f08D1beFe61255b3C3A349C392C560FA333759` from the team secret store.
+- [ ] Ran `./scripts/create-session-key.sh 180` and noted the expiry date.
+- [ ] Created one recurring calendar event (title: "Filecoin-pin-website session key expiring soon: expires: &lt;date from script&gt;", first occurrence 1 month before expiry, custom repeat ending after 4 occurrences), tagging infra@filoz.org, biglep@filoz.org, orjan@filoz.org, sgtpooki@filoz.org.
+- [ ] Updated **VITE_SESSION_KEY** on [Vercel environment variables](https://vercel.com/filoz/filecoin-pin-website/settings/environment-variables).
+- [ ] Redeployed or confirmed deployment uses the new env vars.
+- [ ] Verified the site works without session key expiry errors.
+
+## References
+
+- [Refresh session key (issue #146)](https://github.com/filecoin-project/filecoin-pin-website/issues/146)
+- Script: [scripts/create-session-key.sh](../scripts/create-session-key.sh)
+- Vercel env vars: [filoz/filecoin-pin-website → Settings → Environment Variables](https://vercel.com/filoz/filecoin-pin-website/settings/environment-variables)

scripts/create-session-key.sh

@@ -0,0 +1,121 @@
+#!/bin/bash
+#
+# CREATE SESSION KEY
+#
+# Creates and authorizes a new session key for use with Synapse SDK.
+# Session keys allow delegated access without exposing your main private key.
+#
+# USAGE:
+#   PRIVATE_KEY=0x... ./create-session.sh [VALIDITY_DAYS]
+#
+# ARGUMENTS:
+#   VALIDITY_DAYS  Number of days the session key should be valid (default: 10)
+#
+# ENVIRONMENT VARIABLES:
+#   PRIVATE_KEY    Your main wallet's private key (required)
+#
+# EXAMPLES:
+#   # Create a session key valid for 10 days (default)
+#   PRIVATE_KEY=0xabc123... ./create-session.sh
+#
+#   # Create a session key valid for 30 days
+#   PRIVATE_KEY=0xabc123... ./create-session.sh 30
+#
+# OUTPUT:
+#   The script outputs environment variables to add to your .env file:
+#   - VITE_WALLET_ADDRESS: Your main wallet address
+#   - VITE_SESSION_KEY: The generated session key private key
+#
+# PERMISSIONS GRANTED:
+#   - CREATE_DATA_SET: Create new datasets
+#   - ADD_PIECES: Add data pieces to datasets
+#
+# SECURITY NOTE:
+#   Keep the session key secure. If compromised, revoke it immediately
+#   using ./revoke-session.sh
+#
+# NOTE (registry address):
+#   The session key registry address is resolved from the Warm Storage contract
+#   (same as the website/SDK). If contracts are upgraded, re-run this script to
+#   create a new session key; the script will use the current registry.
+#
+set -e
+
+# Configuration
+# These must match the addresses/typehashes used by @filoz/synapse-sdk (Warm Storage → sessionKeyRegistry, EIP712_TYPE_HASHES)
+VALIDITY_DAYS="${1:-10}"  # Default to 10 days, override with first argument
+RPC_URL="${VITE_FILECOIN_RPC_URL:-https://api.calibration.node.glif.io/rpc/v1}"
+# Warm Storage on calibration - SDK uses this to resolve sessionKeyRegistry()
+WARM_STORAGE_CALIBRATION="0x02925630df557F957f70E112bA06e50965417CA0"
+# sessionKeyRegistry() selector (keccak256 "sessionKeyRegistry()" truncated to 4 bytes)
+SESSION_KEY_REGISTRY_SELECTOR="0x9f6aa572"
+# EIP-712 type hashes from @filoz/synapse-sdk (CreateDataSet, AddPieces) - used as permission identifiers
+CREATE_DATA_SET_TYPEHASH="0x25ebf20299107c91b4624d5bac3a16d32cabf0db23b450ee09ab7732983b1dc9"
+ADD_PIECES_TYPEHASH="0x954bdc254591a7eab1b73f03842464d9283a08352772737094d710a4428fd183"
+
+# Check required env var
+if [ -z "$PRIVATE_KEY" ]; then
+    echo "Error: PRIVATE_KEY environment variable is required" >&2
+    exit 1
+fi
+
+echo "Step 1: Generating new session key..."
+# Generate new session key
+SESSION_KEY_OUTPUT=$(cast wallet new)
+SESSION_KEY_ADDRESS=$(echo "$SESSION_KEY_OUTPUT" | grep "Address:" | awk '{print $2}')
+SESSION_KEY_PRIVATE=$(echo "$SESSION_KEY_OUTPUT" | grep "Private key:" | awk '{print $3}')
+echo "  Session key address: $SESSION_KEY_ADDRESS"
+echo "  Session key private: ${SESSION_KEY_PRIVATE:0:20}..."
+
+echo "Step 2: Calculating expiry timestamp..."
+# Calculate expiry timestamp
+CURRENT_TIME=$(date +%s)
+EXPIRY=$((CURRENT_TIME + VALIDITY_DAYS * 24 * 60 * 60))
+echo "  Expiry: $(date -r $EXPIRY '+%Y-%m-%d %H:%M:%S')"
+
+echo "Step 3: Getting owner address from private key..."
+# Get owner address
+OWNER_ADDRESS=$(cast wallet address --private-key "$PRIVATE_KEY")
+echo "  Owner address: $OWNER_ADDRESS"
+
+echo "Step 4: Resolving session key registry from Warm Storage (must match SDK)..."
+# Fetch current registry address from Warm Storage so we always authorize on the same contract the app uses
+REGISTRY_RESPONSE=$(curl -s -X POST "$RPC_URL" -H "Content-Type: application/json" --data "{\"jsonrpc\":\"2.0\",\"method\":\"eth_call\",\"params\":[{\"to\":\"$WARM_STORAGE_CALIBRATION\",\"data\":\"$SESSION_KEY_REGISTRY_SELECTOR\"},\"latest\"],\"id\":1}")
+REGISTRY_HEX=$(echo "$REGISTRY_RESPONSE" | grep -o '"result":"[^"]*"' | cut -d'"' -f4)
+if [ -z "$REGISTRY_HEX" ] || [ "$REGISTRY_HEX" = "0x" ]; then
+    echo "Error: Failed to get session key registry from Warm Storage. Check RPC_URL and network." >&2
+    exit 1
+fi
+# Decode 32-byte left-padded address (last 40 hex chars = 20 bytes)
+REGISTRY="0x${REGISTRY_HEX: -40}"
+echo "  Registry: $REGISTRY"
+
+echo "Step 5: Authorizing session key on-chain (this may take a minute)..."
+echo "  RPC URL: $RPC_URL"
+# login(signer, expiry, permissions, origin) - origin is required by the SessionKeyRegistry contract
+ORIGIN="${SESSION_LOGIN_ORIGIN:-filecoin-pin-website}"
+cast send $REGISTRY \
+    "login(address,uint256,bytes32[],string)" \
+    "$SESSION_KEY_ADDRESS" \
+    "$EXPIRY" \
+    "[$CREATE_DATA_SET_TYPEHASH,$ADD_PIECES_TYPEHASH]" \
+    "$ORIGIN" \
+    --private-key "$PRIVATE_KEY" \
+    --rpc-url "$RPC_URL"
+
+# Output results
+echo ""
+echo "=========================================="
+echo "Session key created successfully!"
+echo "=========================================="
+echo "Validity: $VALIDITY_DAYS days (expires: $(date -r $EXPIRY '+%Y-%m-%d %H:%M:%S'))"
+echo ""
+echo "Add these to your .env file:"
+echo "------------------------------------------"
+echo "VITE_WALLET_ADDRESS=$OWNER_ADDRESS"
+echo "VITE_SESSION_KEY=$SESSION_KEY_PRIVATE"
+echo ""
+echo "Session key info (for debugging):"
+echo "------------------------------------------"
+echo "SESSION_KEY_ADDRESS=$SESSION_KEY_ADDRESS"
+echo "OWNER_ADDRESS=$OWNER_ADDRESS"

src/hooks/use-dataset-pieces.ts

@@ -1,7 +1,7 @@
 import { METADATA_KEYS } from '@filoz/synapse-sdk'
+import { getDetailedDataSet } from 'filecoin-pin/core/data-set'
 import { useCallback, useEffect, useState } from 'react'
 import { useFilecoinPinContext } from './use-filecoin-pin-context.ts'
-import { getDetailedDataSet } from 'filecoin-pin/core/data-set'
 
 export interface DatasetPiece {
   id: string