feat: make Rocket reloadable via on-chain restart trigger #267
Open
Add ServerTriggered event and serverTrigger() function to APIConfigFacet so the diamond owner can signal restarts on-chain. Introduce restart.rs event listener that polls for ServerTriggered events and sends a restart signal via mpsc channel. Refactor main() into a restart loop that rebuilds Rocket on signal while preserving long-lived state (signer pool, IPFS cache, CPU monitor). Includes restart-loop protection (max 3 restarts per 60s).
…rocket-reloadable # Conflicts: # lit-api-server/blockchain/lit_node_express/contracts/AccountConfigFacets/APIConfigFacet.sol # lit-api-server/src/accounts/contracts/AccountConfig.json # lit-api-server/src/accounts/contracts/account_config_contract.rs
The Add Funds modal showed "$0.01 per Lit Action" which is inaccurate after the per-second billing model shipped in CPL-174. Updated to "$0.01 per second for Lit Action execution with a 1-second minimum". Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
- Fix off-by-one in restart loop protection (> to >=, now correctly limits to MAX_RESTARTS within the window)
- Use try_send instead of send().await so the event listener is never blocked waiting for the main loop to consume a previous restart signal
- Propagate error instead of unwrap_or(0) when fetching initial block number to avoid scanning from genesis on RPC failure
- Add retry with exponential backoff for listener startup failures
- Use saturating_add for block number arithmetic
- Simplify restart_count from Arc<AtomicU64> to plain u64 (single-threaded use)
Pull request overview
Adds an on-chain “restart trigger” mechanism to the AccountConfig diamond and wires a new Rust background listener into lit-api-server so the Rocket server can be cleanly restarted in-process when the contract owner emits a ServerTriggered event.
Changes:
- Added `serverTrigger(uint256)` (owner-only) + `ServerTriggered` event to the diamond, plus storage for the trigger value.
- Introduced `lit-api-server` restart listener (`restart.rs`) that polls for `ServerTriggered` and signals `main` via an mpsc channel.
- Refactored `main` into a restart-aware loop and preserved long-lived state across restarts (signer pool, chain config, CPU monitor, IPFS cache).
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| `lit-api-server/src/restart.rs` | New polling listener for on-chain restart events; sends restart signals to main loop. |
| `lit-api-server/src/main.rs` | Restart-aware launch loop; extracts build_rocket() and adds loop protection. |
| `lit-api-server/src/lib.rs` | Exposes the new restart module. |
| `lit-api-server/src/core/v1/guards/cpu_overload.rs` | Makes CpuOverloadMonitor clonable so it can be shared across restarts. |
| `lit-api-server/src/accounts/contracts/AccountConfig.json` | Regenerated ABI including ServerTriggered + serverTrigger. |
| `lit-api-server/src/accounts/contracts/account_config_contract.rs` | Regenerated Rust bindings to match updated ABI (event/function/error). |
| `lit-api-server/blockchain/lit_node_express/contracts/AccountConfigFacets/AppStorage.sol` | Adds serverTriggerValue to diamond storage. |
| `lit-api-server/blockchain/lit_node_express/contracts/AccountConfigFacets/APIConfigFacet.sol` | Adds owner-only serverTrigger() and emits ServerTriggered. |
* feat: add usage API key override to dashboard (CPL-190) Add a text input in the Overview section that allows users to paste a usage API key and use it instead of their account API key for all dashboard operations. This lets users test the permissions of a given key. - New "Usage API Key Override" card with Apply/Clear controls - Amber "Using Usage Key" badge in topbar when override is active - All API-calling functions use getEffectiveApiKey() which returns the override if set, falling back to the account key - Billing balance and Add Funds hidden when override is active (they belong to the account, not the usage key) - Override stored in sessionStorage, cleared on sign-out - Action runner respects the override (inline field > global override > account key) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Update lit-static/dapps/dashboard/index.html Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * fix: address Copilot review — accessibility, key masking, billing logic - Add aria-label to usage key override input for screen readers - Change input to type="password" to avoid exposing the key on screen - Compute showBilling from auth state AND override state to avoid stale billing visibility if init order changes Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: show first 6 chars of override key in topbar badge The badge now reads "Using Key: abc123…" so operators can tell which usage key is active at a glance. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * feat: log API key prefix and endpoint for each SDK call Wraps the SDK client with a Proxy that console.logs the method name, base URL, and first 6 chars of the API key on every call. Helps debug which key is being used for each operation. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * feat: gate usage key override behind account dropdown toggle The override card is now hidden by default. 
Users enable it via "Usage Key Override" in the Account dropdown menu. A checkmark shows when the feature is active. Disabling it clears any active override. Sign-out also resets the flag. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * chore: remove fly.toml, add local test harness script - Remove fly.toml (deployment config no longer needed in repo) - Add test.sh: spins up Anvil, deploys contracts, starts dstack simulator, lit-api-server, lit-actions, and static-web-server for local end-to-end testing Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
- Fix trigger() doc to reflect "sent or already queued" semantics (Copilot)
- Keep Middleware import (needed as trait for get_block_number) (Copilot)
- Propagate server errors from restart loop instead of always Ok(()) (Copilot)
- Fix MAX_RESTARTS comment to match >= behavior (Copilot)
- Revert >= back to > so exactly MAX_RESTARTS restarts are allowed (Graphite)
* fix: add setup-node step to static site deploy workflows (#260) The self-hosted runner doesn't have npm in PATH, causing cloudflare/wrangler-action@v3 to fail when trying to install wrangler. Add actions/setup-node@v4 with Node 20 before the deploy step, matching the pattern used by other workflows in this repo. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * docs: migrate URLs from dev.litprotocol.com to chipotle/developer domains (#261) - api.dev.litprotocol.com → api.chipotle.litprotocol.com - dashboard.dev.litprotocol.com → dashboard.chipotle.litprotocol.com - docs.dev.litprotocol.com → developer.litprotocol.com - Fix broken swagger-ui path (/swagger-ui/ → /core/v1/swagger-ui) - Remove broken Support navbar link - Fix broken SDK link in encryption migration doc Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * docs: migrate README URLs from dev.litprotocol.com to new domains (#262) * docs: migrate README URLs from dev.litprotocol.com to new domains Same migration as the docs/ directory (PR #261): - api.dev.litprotocol.com → api.chipotle.litprotocol.com - dashboard.dev.litprotocol.com → dashboard.chipotle.litprotocol.com - docs.dev.litprotocol.com → developer.litprotocol.com Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * docs: update "dev API" to "API" in README quickstart Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * docs: add usage API key step to README quickstart Adds step 2 showing how to create a scoped usage API key before using the API, reinforcing the best practice of not embedding the account key in apps. Renumbers subsequent steps. 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * docs: reorder quickstart — add funds before usage API key Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: update curl examples to use production API URL (CPL-203) (#263) Replace localhost:8000 and api.dev.litprotocol.com references in curl examples across MDX docs with https://api.chipotle.litprotocol.com. Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> * feat: add tracing instrumentation across lit-action request path (CPL-204) Add debug-level tracing spans and events across the full lit_action request lifecycle to measure actual latency before optimizing. Covers billing guard, Stripe API calls, on-chain authorization, gRPC connection pool, per-op handling with op type visibility, and wallet permission cache hit/miss tracking. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * style: fix rustfmt formatting for CI Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: remove clippy unused_unit warnings in billing guard Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: reduce grpc pool log noise per review feedback Move per-loop-iteration log to trace, only log permit wait on first occurrence, and log connection creation at debug instead of every lookup. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Adam Reif <adam@litprotocol.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
#268) * fix: add setup-node step to static site deploy workflows (#260) The self-hosted runner doesn't have npm in PATH, causing cloudflare/wrangler-action@v3 to fail when trying to install wrangler. Add actions/setup-node@v4 with Node 20 before the deploy step, matching the pattern used by other workflows in this repo. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * docs: migrate URLs from dev.litprotocol.com to chipotle/developer domains (#261) - api.dev.litprotocol.com → api.chipotle.litprotocol.com - dashboard.dev.litprotocol.com → dashboard.chipotle.litprotocol.com - docs.dev.litprotocol.com → developer.litprotocol.com - Fix broken swagger-ui path (/swagger-ui/ → /core/v1/swagger-ui) - Remove broken Support navbar link - Fix broken SDK link in encryption migration doc Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * docs: migrate README URLs from dev.litprotocol.com to new domains (#262) * docs: migrate README URLs from dev.litprotocol.com to new domains Same migration as the docs/ directory (PR #261): - api.dev.litprotocol.com → api.chipotle.litprotocol.com - dashboard.dev.litprotocol.com → dashboard.chipotle.litprotocol.com - docs.dev.litprotocol.com → developer.litprotocol.com Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * docs: update "dev API" to "API" in README quickstart Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * docs: add usage API key step to README quickstart Adds step 2 showing how to create a scoped usage API key before using the API, reinforcing the best practice of not embedding the account key in apps. Renumbers subsequent steps. 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * docs: reorder quickstart — add funds before usage API key Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: update curl examples to use production API URL (CPL-203) (#263) Replace localhost:8000 and api.dev.litprotocol.com references in curl examples across MDX docs with https://api.chipotle.litprotocol.com. Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> * feat: CDN module imports with SHA-384 integrity verification (CPL-206) Replace NoopModuleLoader with CdnModuleLoader that allows ES module imports only from cdn.jsdelivr.net. Modules are verified against an integrity.lock manifest using SHA-384 hashes with constant-time comparison. New modules use trust-on-first-use (TOFU): double-fetch from CDN, compare hashes, and auto-pin to the lockfile on match. All events are logged with structured fields for auditability. Includes: shared reqwest client with timeouts, redirect blocking, 10MB response size limit, in-memory module cache, and CLI args for lockfile path and strict mode. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * docs: add CDN imports documentation and press release (CPL-206) - Add docs/lit-actions/imports.mdx with full CDN module import guide - Update docs/lit-actions/index.mdx to link imports page - Update docs/docs.json to register new imports page in nav - Add press release for 2026-04-03 CDN imports launch - Extend cdn_module_loader.rs with three-way SRI verification via CDN header * feat: npm specifier resolution, inline integrity hashes, TOFU auto-pinning (CPL-206) Developers can now write short npm specifiers (zod@3.22.4/+esm) instead of full URLs. The resolver constructs the jsDelivr URL automatically. Adds inline integrity verification via #sha384-<hash> fragment on import specifiers. The hash is stripped before fetching and verified locally. 
TOFU flow: new modules are double-fetched with three-way verification (first fetch, second fetch, CDN SRI header) and auto-pinned to the integrity lockfile. * docs: update imports guide and press release with npm specifiers, inline hashes (CPL-206) * docs: update TOFU verification to reflect up to four-way checks (CPL-206) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * style: cargo fmt (CPL-206) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address Copilot review comments (CPL-206) - Resolve relative imports (./dep.js) against jsDelivr referrer URLs - Stream response body with hard size cap to prevent OOM (both fetches) - TOFU second fetch now has identical redirect/status/size protections - Replace unwrap() with proper error propagation in ModuleSpecifier::parse - Share reqwest::Client across all worker instances (connection pooling) - Bound module cache at 100MB total - Fix CLI help text to clarify strict+lockfile TOFU behavior - Replace expect() with anyhow error on lockfile read - Fix docs: module fetches don't count toward JS fetch() limit Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address clippy lints — collapsible_if, manual_strip, needless_borrows, too_many_arguments (CPL-206) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Adam Reif <adam@litprotocol.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…271) * feat: rewrite static ES imports to dynamic import() calls (CPL-209) Static `import` statements are not valid in Deno's script mode. This adds an import rewriter that scans user code for static imports before `async function main`, strips them, and generates equivalent dynamic `import()` calls inside the async IIFE wrapper. Imported bindings are available to main() via lexical scope. Supports: named, default, namespace, renamed (as), side-effect, multi-line, default+named combos, inline integrity hashes, and full CDN URLs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * test: add integration tests for import rewriting (CPL-209) - import_rewrite_cdn: end-to-end test with real jsDelivr fetch (ignored, needs network) - import_rewrite_no_imports: regression test ensuring no-import code path is unchanged Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * style: fix rustfmt formatting in import_rewriter.rs Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: harden import rewriter per eng review - Add comment/string/template literal awareness to the scanner so that import-like text inside // comments, /* */ blocks, strings, and backtick templates is never mistakenly rewritten - Harden js_escape with full JS line terminator escaping (\n, \r, \0, U+2028, U+2029) - Fix parse_namespace "as" boundary check (consistency with parse_named_imports) - Add 5 new tests covering comment/string/template edge cases Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: address PR review comments (Copilot + Graphite) - Add word-boundary check for `async function main` detection so that identifiers like `main2` or `mainHelper` don't cause a false match (Copilot comment on line 46) - Fix `parse_string` to handle escape sequences so `\"` inside a string literal doesn't terminate the parse early (Copilot + Graphite comments) - Optimize default+namespace combo imports to use a single `await import()` call instead of two redundant fetches (Copilot 
comment on line 220) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: make find_main_declaration comment/string-aware The search for `async function main` now skips occurrences inside comments, strings, and template literals, preventing false matches that would cause imports after the false match to not be rewritten. Adds tests for `// async function main` and `"async function main"` appearing before real imports. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: resolve clippy warnings (dead code + collapsible if) - Remove unused `count_ws` function (orphaned by state-machine rewrite) - Collapse nested `if` + `if let` into single conditions using `let` chains at lines 100 and 238 (clippy::collapsible_if) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
…0) (#272) * fix: allow TOFU verification for CDN imports without lockfile (CPL-210) Previously, strict mode rejected ALL CDN module imports when no --integrity-lock file was configured (the default). This made CDN imports impossible without explicit lockfile setup. Now, unknown modules fall through to TOFU verification (double-fetch + CDN SRI header check) regardless of whether a lockfile exists. With a lockfile, verified hashes are persisted to disk. Without one, pins live in memory for the process lifetime. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * style: fix cargo fmt formatting in test Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: make strict flag control TOFU verification behavior The `strict` field was unused after removing the rejection gate. Now `strict` controls whether unknown modules get full TOFU verification (double-fetch + SRI check) or are accepted after a single fetch: - strict=true (production): full TOFU verification - strict=false (test/dev): single-fetch, no TOFU overhead Addresses Copilot review feedback on PR #272. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* docs: add gating guidance for Action-Identity Signing (CPL-207) Adds "What if Someone Else Runs My Action?" section to the patterns doc. Covers two answers: (1) for pure actions, it doesn't matter, and (2) for restricted access, use Dashboard API key scoping as the primary control with in-action signature verification as defense-in-depth. Includes a warning against gating on plain js_params values. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * docs: add PKP address check as method #2 for action gating The PKP address check is reliable when the group is configured so only a specific PKP can be used with the action — the ownership model enforces that callers can only use PKPs belonging to their account. Signature verification moves to method #3 as defense-in-depth. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * docs: add note about copied actions producing different identities Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * docs: address Copilot review — replay protection note and comment fix Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
…ing (CPL-211) (#273) * feat: module import cleanup, showImportDetails(), and security hardening (CPL-211) - Auto-append /+esm when no file path specified in npm specifiers - Add showImportDetails() opCode that logs imported module URLs and SHA-384 hashes via the print opCode (no protobuf changes needed) - Tighten CDN allowlist to /npm/ prefix only (blocks /gh/ escape) - Verify inline hash on cache hits to prevent stale hash bypass - Add MAX_MODULE_COUNT (100) cap to prevent import graph DoS - Copy integrity.lock into Docker image and enable --integrity-lock flag - Update imports.mdx and chipotle.mdx documentation Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * style: fix cargo fmt formatting in cdn_module_loader.rs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address Copilot review comments on PR #273 - Use explicit refs in serde_json::json! for LoadedModuleInfo fields - Cache-hit path now hashes cached bytes and verifies against expected_hash (inline or manifest), not just manifest-to-manifest comparison - Record expected_hash (inline or manifest) in LoadedModules tracker so inline-hash-only imports don't lose the declared hash - Dedup LoadedModules by URL so duplicate loads of the same module don't inflate the module count cap or showImportDetails() output Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * style: collapse nested if blocks to satisfy clippy collapsible_if Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: update Lit Action limits to match current API defaults (CPL-198) (#266) - Code size: 10 MB → 16 MB - Memory: 128 MB → 64 MB - Outbound HTTP requests: 100 → 50 - Response payload: 1 MB → 100 KB - Added: Console log output (100 KB) - Added: Key/signature requests per action (10) * feat: add local testing environment script (CPL-192) Adds local_test.sh that spins up the full Seville stack locally: Anvil, dstack simulator, contract deployment, lit-api-server, lit-actions, and static-web-server. Includes README documentation for prerequisites and configuration. * fix: address PR review comments on local_test.sh - Fix wait_for timeout math: compute iterations from timeout/interval so actual wait time matches the documented TIMEOUT_SECS parameter - Replace wait -n -p (Bash 5.1+) with polling loop compatible with Bash 3.2+ (macOS default /bin/bash) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Add $100.00 and $200.00 options to the Stripe payment amount dropdown in the billing modal. Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Balance field is dead data on the contract side (ViewsFacet.sol) and billing enforcement is wallet-scoped. Removes the column header, row rendering, data normalization, data loading, and new key defaults. Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
…and trust verification (#32) Three new architecture docs in architectureDocs/deployment/: - derot-key-issuance.md — sequence diagram of how a CVM obtains its keys from Onchain KMS (DstackApp + DstackKms contracts on Base) - vm-code-upgrade.md — flowchart of the full upgrade lifecycle: build, governance whitelist approval, deploy, and key issuance for the new code - trust-stack-verification.md — four-layer trust model (Application, Platform, Network, Governance) with both a layer overview diagram and a detailed verifier sequence diagram; includes the full VR-1–VR-4 checklist Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* docs: add crypto payment instructions (CPL-212) New Crypto.mdx doc covering how to pay with cryptocurrency via Stripe's crypto integration — dashboard flow, full API walkthrough, supported tokens/networks, and FAQ. Updated pricing.mdx to link to the new guide instead of the "upcoming feature" placeholder. Added to docs navigation. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: address review comments on crypto payment docs - Destructure both client_secret and payment_intent_id from create_payment_intent response, reuse in Step 4 - Add setup snippet defining BASE and accountApiKey variables - Fix balance endpoint response fields (balance_cents, balance_display) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* feat: warn about no funds in dashboard instructions (CPL-248) Add a warning banner in the Instructions section when the credit balance is zero. The banner includes a link to the Add Funds modal. Hidden when billing is unavailable or the account has credits. * fix: pre-landing review fixes - Hide no-funds warning when billing becomes unavailable (prevents contradictory UI with 'Payment Not Required' banner) - Guard balance_cents with type check to prevent null coercion producing a false 'no funds' warning
* fix: smart contract security hardening from audit (CPL-199) - Restrict setApiPayers and setPricingOperator to owner-only (was api-payer-or-owner) - Add array-size bounds to addGroup (10) and setUsageApiKey (50) - Add duplicate PKP registration check in registerWalletDerivation - Add events to all state-changing functions for off-chain monitoring - Add receive() to reject direct ETH transfers - Simplify debitApiKey/creditApiKey by removing dead code branch - Remove unused LibERC2771.sol meta-transaction library - Pin pragma to =0.8.28 across all 21 contracts Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Update lit-api-server/blockchain/lit_node_express/contracts/AccountConfigFacets/WritesFacet.sol Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * fix: regenerate Rust contract bindings after audit changes Run `make generate` to update the ABI and Rust ethers bindings to include new events, the NotContractOwner error, and updated function signatures from the security hardening commit. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address PR review comments (CPL-199) - Use custom error DirectETHTransferNotAllowed() in receive() for better diagnostics - Fix inconsistent error messages: "less than 10" -> "10 items or fewer" - Add derivationPath != 0 validation to prevent duplicate detection bypass - Regenerate Rust contract bindings Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: allow admin API payer to call setApiPayers (CPL-199) The previous commit restricted setApiPayers to owner-only, but the signer pool reconciliation (signer_pool.rs) calls this function via get_admin_api_payer_contract(), which signs with the admin API payer key, not the diamond owner. This would break signer pool updates in production. 
New access control: owner OR admin API payer (but NOT regular API payers), which still prevents the hostile payer takeover from H-2 while keeping the signer pool operational. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Summary
- On-chain restart trigger: Adds a `serverTrigger(uint256)` function to `APIConfigFacet` (owner-only via `LibDiamond.enforceIsContractOwner()`) that emits a `ServerTriggered` event. A new Rust listener (`restart.rs`) polls for these events and signals the main loop to restart Rocket.
- Restart loop: Refactors `main()` into a restart-aware loop that rebuilds Rocket on signal while preserving long-lived state (signer pool, chain config, CPU monitor, IPFS cache). Includes restart-loop protection (max 3 restarts per 60s window).
- Reliability hardening (from pre-landing review):
  - `try_send` so the listener is never blocked by the main loop

Files changed
- `APIConfigFacet.sol` — new `serverTrigger()` function + `ServerTriggered` event
- `AppStorage.sol` — new `serverTriggerValue` storage slot
- `AccountConfig.json` / `account_config_contract.rs` — regenerated bindings
- `restart.rs` — new event listener module
- `main.rs` — restart loop, extracted `build_rocket()` function
- `cpu_overload.rs` — derive `Clone` for sharing across restart iterations
- `lib.rs` — expose `restart` module

Pre-Landing Review
No critical issues. Adversarial review findings addressed in second commit.

Test plan
- `cargo check` passes (rustc 1.91)
- `serverTrigger(1)` from owner, verify server restarts

Co-Authored-By: Claude Opus 4.6 (1M context) noreply@anthropic.com
🤖 Generated with Claude Code
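An added example, not code from this pull request: a std-only Rust model of the two behaviours the commit notes discuss, the restart budget boundary (`>` versus `>=` after incrementing the counter) and the non-blocking `try_send` signal with "sent or already queued" semantics. It assumes a fixed 60-second window and uses `std::sync::mpsc::sync_channel(1)` in place of the PR's mpsc channel; `RestartGuard`, `TriggerOutcome`, `trigger` and `simulate` are hypothetical names.

```rust
use std::sync::mpsc::{sync_channel, SyncSender, TrySendError};
use std::time::{Duration, Instant};

// Values taken from the PR description: max 3 restarts per 60s.
const MAX_RESTARTS: u64 = 3;
const RESTART_WINDOW: Duration = Duration::from_secs(60);

/// Fixed-window restart-loop protection using a plain u64 counter
/// (assumed design; the PR's own implementation is not shown on the page).
pub struct RestartGuard {
    window_start: Instant,
    count: u64,
}

impl RestartGuard {
    pub fn new(now: Instant) -> Self {
        Self { window_start: now, count: 0 }
    }

    /// Records a restart attempt at `now` and reports whether it is allowed.
    pub fn allow(&mut self, now: Instant) -> bool {
        // Start a fresh window once the current one has fully elapsed.
        if now.saturating_duration_since(self.window_start) >= RESTART_WINDOW {
            self.window_start = now;
            self.count = 0;
        }
        self.count = self.count.saturating_add(1);
        // The counter is incremented before the check, so refusing only when
        // `count > MAX_RESTARTS` permits exactly MAX_RESTARTS restarts.
        // Refusing on `count >= MAX_RESTARTS` would block the third one.
        self.count <= MAX_RESTARTS
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum TriggerOutcome {
    Sent,
    AlreadyQueued,
    ReceiverGone,
}

/// Non-blocking restart signal from the event listener to the main loop.
/// A full channel means a restart is already pending, so the listener
/// treats that as success instead of waiting for the main loop.
pub fn trigger(tx: &SyncSender<u64>, value: u64) -> TriggerOutcome {
    match tx.try_send(value) {
        Ok(()) => TriggerOutcome::Sent,
        Err(TrySendError::Full(_)) => TriggerOutcome::AlreadyQueued,
        Err(TrySendError::Disconnected(_)) => TriggerOutcome::ReceiverGone,
    }
}

/// Feeds `signals` restart signals, spaced `gap` apart on a simulated clock,
/// through the channel and the guard. Returns the guard's decision per signal.
pub fn simulate(signals: u32, gap: Duration) -> Vec<bool> {
    let (tx, rx) = sync_channel::<u64>(1);
    let start = Instant::now();
    let mut guard = RestartGuard::new(start);
    let mut decisions = Vec::new();
    for i in 0..signals {
        trigger(&tx, u64::from(i));
        if rx.try_recv().is_ok() {
            decisions.push(guard.allow(start + gap * i));
        }
    }
    decisions
}

fn main() {
    // Burst of five signals one second apart: the budget runs out after three.
    println!("burst:  {:?}", simulate(5, Duration::from_secs(1)));
    // Signals 30 seconds apart never exceed three per window.
    println!("spaced: {:?}", simulate(5, Duration::from_secs(30)));

    let (tx, rx) = sync_channel::<u64>(1);
    println!("{:?}", trigger(&tx, 1)); // channel empty
    println!("{:?}", trigger(&tx, 2)); // restart already pending
    drop(rx);
    println!("{:?}", trigger(&tx, 3)); // main loop has exited
}
```
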