feat: add bundler

Author: JackHamer09

.github/workflows/push-bundler-container.yml

@@ -0,0 +1,78 @@
+name: Build and push Bundler Docker image
+permissions:
+  contents: read
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - "*"
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build-push-image:
+    name: Build and push Bundler Docker image
+    runs-on: [matterlabs-ci-runner]
+    # Only run docker build/push for the main repository, not forks
+    # Allow manual dispatch from any repository
+    if: github.repository == 'matter-labs/zksync-sso'
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          submodules: recursive
+
+      - name: Set git SHA
+        id: git_sha
+        run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+
+      - name: Set Docker tag
+        id: docker_tag
+        run: |
+          ts=$(date +%s%N | cut -b1-13)
+          if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
+            echo "tag=${{ steps.git_sha.outputs.sha_short }}-${ts}" >> $GITHUB_OUTPUT
+          elif [[ "${{ github.ref }}" == refs/tags/* ]]; then
+            echo "tag=$(echo ${GITHUB_REF#refs/tags/})" >> $GITHUB_OUTPUT
+          elif [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            echo "tag=none" >> $GITHUB_OUTPUT
+          else
+            echo "Unsupported event ${GITHUB_EVENT_NAME} or ref ${GITHUB_REF}, only refs/heads/, refs/tags/, pull_request, and workflow_dispatch are supported."
+            exit 1
+          fi
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.0
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to GAR
+        run: |
+          gcloud auth configure-docker us-docker.pkg.dev -q
+
+      - name: Build and push bundler image
+        id: docker_build_bundler
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: packages/bundler
+          file: packages/bundler/Dockerfile
+          push: ${{ github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) || github.event_name == 'workflow_dispatch' }}
+          tags: |
+            matterlabs/sso-bundler:${{ steps.docker_tag.outputs.tag }}
+            matterlabs/sso-bundler:latest
+            us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/sso-bundler:${{ steps.docker_tag.outputs.tag }}
+            us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/sso-bundler:latest
+
+      - name: Print image digest to summary
+        run: |
+          echo "Bundler Image tag: ${{ steps.docker_tag.outputs.tag }}" >> $GITHUB_STEP_SUMMARY

cspell-config/cspell-misc.txt

@@ -45,4 +45,7 @@ wght
 // packages/auther-server-api
 rustup
 distroless
-debian
+debian
+
+// packages/bundler
+pimlico

packages/bundler/.env.example

@@ -0,0 +1,18 @@
+# ERC-4337 Bundler Configuration
+
+# Private key for executing user operations (required for production)
+# Default: Anvil rich account #0
+EXECUTOR_PRIVATE_KEY=0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80
+
+# Private key for utility operations (required for production)
+# Default: Anvil rich account #1
+UTILITY_PRIVATE_KEY=0x59c6995e998f97a5a0044966f0945389dc9e86dae88c7a8412f4603b6b78690d
+
+# RPC URL for the blockchain network (required for production)
+# Default: Local anvil instance
+RPC_URL=http://localhost:8545
+
+# For production (testnet/mainnet), replace with actual values:
+# EXECUTOR_PRIVATE_KEY=0x...
+# UTILITY_PRIVATE_KEY=0x...
+# RPC_URL=https://sepolia.drpc.org

packages/bundler/Dockerfile

@@ -0,0 +1,49 @@
+# Stage 1: Build TypeScript
+FROM node:22-slim AS builder
+
+WORKDIR /app
+
+# Copy package files
+COPY package.json ./
+COPY tsconfig.json ./
+
+# Install dependencies
+RUN npm install
+
+# Copy source files
+COPY src/ ./src/
+
+# Build TypeScript
+RUN npm run build
+
+# Stage 2: Production runtime
+FROM node:22-slim AS production
+
+# Install @pimlico/alto globally
+RUN npm install -g @pimlico/alto@0.0.19
+
+WORKDIR /app
+
+# Copy package.json for production dependencies
+COPY package.json ./
+
+# Install production dependencies only
+RUN npm install --omit=dev && npm cache clean --force
+
+# Copy built files from builder
+COPY --from=builder /app/dist ./dist
+
+# Environment defaults (can be overridden at runtime)
+ENV EXECUTOR_PRIVATE_KEY="0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80"
+ENV UTILITY_PRIVATE_KEY="0x59c6995e998f97a5a0044966f0945389dc9e86dae88c7a8412f4603b6b78690d"
+ENV RPC_URL="http://localhost:8545"
+
+# Healthcheck on Alto bundler port (internal)
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+  CMD ["node", "-e", "require('http').get('http://localhost:4338/health', (r) => process.exit(r.statusCode === 200 ? 0 : 1))"]
+
+# Expose only the CORS proxy port (4338 is internal)
+EXPOSE 4337
+
+# Start the bundler
+CMD ["node", "dist/index.js"]

packages/bundler/README.md

@@ -0,0 +1,125 @@
+# Bundler
+
+ERC-4337 bundler service with CORS proxy for ZKsync SSO. Built on
+[@pimlico/alto](https://github.com/pimlicolabs/alto).
+
+## Features
+
+- **Alto Bundler**: ERC-4337 compliant bundler on port 4338
+- **CORS Proxy**: Browser-friendly proxy on port 4337
+- **Environment Validation**: Zod-based config with sensible defaults
+- **Docker Ready**: Multi-stage build with production-optimized image
+
+## Ports
+
+- **4337**: CORS proxy (accessible from browsers)
+- **4338**: Alto bundler API (internal)
+
+## Quick Start
+
+### Local Development
+
+Works out of the box with local Anvil:
+
+```bash
+# Install dependencies
+pnpm install
+
+# Start bundler (uses default anvil keys)
+pnpm dev
+```
+
+The bundler will start with default configuration for local development:
+
+- Anvil rich account keys
+- RPC: `http://localhost:8545`
+- EntryPoint: `0x4337084D9E255Ff0702461CF8895CE9E3b5Ff108`
+
+### Production
+
+Create a `.env` file:
+
+```bash
+EXECUTOR_PRIVATE_KEY=0x...
+UTILITY_PRIVATE_KEY=0x...
+RPC_URL=https://sepolia.drpc.org
+```
+
+Then start:
+
+```bash
+pnpm start
+```
+
+## Docker Usage
+
+### Build
+
+```bash
+docker build -t sso-bundler packages/bundler
+```
+
+### Run
+
+```bash
+docker run -p 4337:4337 -p 4338:4338 \
+  -e EXECUTOR_PRIVATE_KEY=0x... \
+  -e UTILITY_PRIVATE_KEY=0x... \
+  -e RPC_URL=https://sepolia.drpc.org \
+  sso-bundler
+```
+
+### Pre-built Image
+
+```bash
+docker pull matterlabs/sso-bundler:latest
+
+docker run -p 4337:4337 -p 4338:4338 \
+  -e EXECUTOR_PRIVATE_KEY=0x... \
+  -e UTILITY_PRIVATE_KEY=0x... \
+  -e RPC_URL=https://sepolia.drpc.org \
+  matterlabs/sso-bundler:latest
+```
+
+## Environment Variables
+
+| Variable               | Description                               | Default (Local Dev)     |
+| ---------------------- | ----------------------------------------- | ----------------------- |
+| `EXECUTOR_PRIVATE_KEY` | Private key for executing user operations | Anvil account #0        |
+| `UTILITY_PRIVATE_KEY`  | Private key for utility operations        | Anvil account #1        |
+| `RPC_URL`              | RPC endpoint for blockchain network       | `http://localhost:8545` |
+
+## Configuration
+
+The bundler generates an Alto config file at runtime with these fixed values:
+
+- **EntryPoint**: `0x4337084D9E255Ff0702461CF8895CE9E3b5Ff108`
+- **Port**: 4338
+- **Safe Mode**: false
+
+## API Usage
+
+Send ERC-4337 user operations to: `http://localhost:4337`
+
+The CORS proxy automatically forwards requests to Alto bundler and adds
+appropriate CORS headers for browser compatibility.
+
+## Development
+
+```bash
+# Install dependencies
+pnpm install
+
+# Build TypeScript
+pnpm build
+
+# Run in development mode with hot reload
+pnpm dev
+
+# Run compiled version
+pnpm start
+```
+
+## License
+
+MIT

packages/bundler/alto-config.json

@@ -0,0 +1,8 @@
+{
+  "entrypoints": "0x4337084D9E255Ff0702461CF8895CE9E3b5Ff108",
+  "executor-private-keys": "0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80",
+  "utility-private-key": "0x59c6995e998f97a5a0044966f0945389dc9e86dae88c7a8412f4603b6b78690d",
+  "rpc-url": "http://localhost:8545",
+  "port": 4338,
+  "safe-mode": false
+}

packages/bundler/package.json

@@ -0,0 +1,32 @@
+{
+  "name": "bundler",
+  "version": "0.0.1",
+  "description": "ERC-4337 bundler with CORS proxy for zkSync SSO",
+  "type": "module",
+  "main": "dist/index.js",
+  "scripts": {
+    "build": "tsc",
+    "typecheck": "tsc --noEmit",
+    "dev": "node --import tsx src/index.ts",
+    "start": "node dist/index.js"
+  },
+  "keywords": [
+    "zksync",
+    "account-abstraction",
+    "ERC4337",
+    "bundler",
+    "alto"
+  ],
+  "author": "Matter Labs <zksync.io>",
+  "license": "MIT",
+  "dependencies": {
+    "@pimlico/alto": "^0.0.19",
+    "dotenv": "^16.4.7",
+    "zod": "^3.24.1"
+  },
+  "devDependencies": {
+    "@types/node": "^22.10.1",
+    "tsx": "^4.19.2",
+    "typescript": "^5.6.2"
+  }
+}

packages/bundler/project.json

@@ -0,0 +1,20 @@
+{
+  "name": "bundler",
+  "tags": ["type:package"],
+  "targets": {
+    "build": {
+      "executor": "nx:run-script",
+      "options": {
+        "cwd": "packages/bundler",
+        "script": "build"
+      }
+    },
+    "dev": {
+      "executor": "nx:run-script",
+      "options": {
+        "cwd": "packages/bundler",
+        "script": "dev"
+      }
+    }
+  }
+}