feat(tbtc): covenant signer final project branch #3882
Draft
mswilkison wants to merge 52 commits into main from
## Summary
- add a new `pkg/covenantsigner` substrate package with durable submit/poll semantics for covenant signer jobs
- wire an optional `covenantSigner.port` HTTP server into `keep start` backed by work persistence
- add route-aware request validation, job dedup by `routeRequestId`, health endpoint, and targeted tests

## Scope
This is the first keep-core covenant signer extension slice only:
- common covenant job domain
- persistent store
- HTTP+JSON signer-provider surface
- request validation and idempotency

It does **not** yet implement the real signer cryptography / artifact generation path. The default engine accepts jobs and leaves them pending until the signing internals are plugged in by follow-up work.

## Verification
- `go test ./pkg/covenantsigner`
- `go test ./config ./cmd`
## Summary
- extend the covenant signer request contract with a concrete migration destination reservation artifact
- validate reservation script hash, migration extraData encoding, and canonical destination commitment hash inside keep-core
- add fixed-vector and mismatch coverage so later real signing can rely on a verified destination artifact instead of only an opaque hash

## Why now
The new tBTC covenant migration destination reservation service is merged on the covenant project branch. The keep-core signer substrate now needs to consume that concrete artifact so later self_v1/qc_v1 signing slices can fail closed on destination mismatch before implementing real tx construction.

## Verification
- `go test ./pkg/covenantsigner`
- `go test ./config`
- `go test ./cmd`
## Summary
- require a concrete migration transaction plan alongside the reservation artifact
- validate canonical Leaf-1 pre-signed policy fields in keep-core before real signing work
- add focused negative coverage for bad plan inputs and HTTP submit payloads

## Testing
- go test ./pkg/covenantsigner ./config ./cmd
## Summary
- wire the covenant signer server to a real engine from tbtc instead of the passive stub
- add the first real self_v1 signer path that fetches the active outpoint, verifies the reserved migration destination and transaction plan, signs the canonical maturity spend, and returns READY with transactionHex + deterministic artifact hash
- extend the bitcoin transaction builder with explicit locktime/sequence/witness controls and add end-to-end signer coverage

## Testing
- go test ./pkg/bitcoin ./pkg/covenantsigner
- go test ./pkg/tbtc -run TestCovenantSignerEngine_SubmitSelfV1Ready -v
- go test ./config ./cmd
## Summary
- add a real qc_v1 signer path in keep-core that produces signer handoff bundles
- build and sign the canonical unsigned migration spend, then return a typed handoff instead of a final artifact
- cover the new handoff path with direct pkg/tbtc tests

## Testing
- go test ./pkg/tbtc -run focused covenant signer tests
- go test ./pkg/bitcoin ./pkg/covenantsigner ./config ./cmd
## Summary
- default the covenant signer HTTP listener to loopback and require a bearer auth token for non-loopback exposure
- stop holding the submit mutex across engine.OnSubmit so deduped callers are not serialized behind long signer work
- add focused tests for auth enforcement, config flags, and in-flight submit dedupe semantics

## Testing
- go test ./pkg/covenantsigner -count=1
- go test ./pkg/tbtc -run 'TestCovenantSignerEngine_' -count=1
- go test ./cmd -count=1
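The three mechanisms named in the commit messages above (the `routeRequestId` job dedup from the first substrate commit, and the loopback-default listener, bearer token requirement and "don't hold the submit mutex across long signer work" rule from this hardening commit) fit together in one small program. The following is an added example written for this page, not keep-core's code: the names `isLoopbackAddr`, `validateListener`, `requireBearer`, `inflight` and `submit` are hypothetical, the listen addresses and token are constructed sample values, and the "signer work" is a stand-in closure rather than any real signing path.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
	"sync"
)

// isLoopbackAddr reports whether a "host:port" listen address binds only a
// loopback interface. ":port" binds every interface and is therefore not loopback.
// Hypothetical helper, not keep-core code.
func isLoopbackAddr(addr string) bool {
	host, _, err := net.SplitHostPort(addr)
	if err != nil || host == "" {
		return false
	}
	if strings.EqualFold(host, "localhost") {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// validateListener is the startup gate: a non-loopback bind with no bearer
// token fails closed instead of exposing an unauthenticated signer endpoint.
func validateListener(addr, token string) error {
	if !isLoopbackAddr(addr) && token == "" {
		return errors.New("covenant signer: non-loopback listen address requires an auth token")
	}
	return nil
}

// requireBearer enforces "Authorization: Bearer <token>" with a constant-time
// comparison. An empty token means a loopback-only deployment and passes through.
func requireBearer(token string, next http.Handler) http.Handler {
	const prefix = "Bearer "
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if token != "" {
			auth := r.Header.Get("Authorization")
			if !strings.HasPrefix(auth, prefix) ||
				subtle.ConstantTimeCompare([]byte(auth[len(prefix):]), []byte(token)) != 1 {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// inflight dedups submits by routeRequestId. The mutex guards only the map
// lookup/insert; the long signer work runs with the lock released, so a
// duplicate submit waits on the job's channel, not on the mutex.
type inflight struct {
	mu   sync.Mutex
	jobs map[string]*job
}

type job struct {
	done   chan struct{}
	result string
}

func newInflight() *inflight { return &inflight{jobs: map[string]*job{}} }

// submit runs work once per routeRequestId; repeated or concurrent submits with
// the same id receive the first result. The bool reports whether this call was deduped.
// Entries are kept so a later retry is also idempotent (a persistent store would back this).
func (f *inflight) submit(routeRequestID string, work func() string) (string, bool) {
	f.mu.Lock()
	if j, ok := f.jobs[routeRequestID]; ok {
		f.mu.Unlock()
		<-j.done // wait for the in-flight job instead of starting a second one
		return j.result, true
	}
	j := &job{done: make(chan struct{})}
	f.jobs[routeRequestID] = j
	f.mu.Unlock() // released before the potentially long signer work

	defer close(j.done) // closes even if work panics, so waiters are not stranded
	j.result = work()
	return j.result, false
}

func main() {
	// Constructed sample: a wildcard bind without a token is refused at startup.
	if err := validateListener("0.0.0.0:8443", ""); err != nil {
		fmt.Println("startup refused:", err)
	}
	f := newInflight()
	res, deduped := f.submit("route-req-1", func() string { return "artifact-hash-placeholder" })
	fmt.Println(res, deduped) // artifact-hash-placeholder false
}
```

The dedup structure is the point worth copying: if the map mutex were held while `work()` runs, every caller with a different `routeRequestId` would queue behind one slow signing job, which is exactly the serialization the commit removes.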
## Summary
- add optional role-tagged artifact approval envelopes to covenant signer requests
- validate approval payload bindings and required roles by route while keeping legacy artifact signature arrays as the active compatibility contract
- add focused tests for acceptance, rejection paths, and legacy-array mismatch handling

## Testing
- go test ./pkg/covenantsigner
- go test ./pkg/tbtc -run CovenantSigner -count=1

## Notes
- stacked on top of codex/psbt-covenant-signer-hardening
- this is the structural validation slice only; it does not add cryptographic verification of the approvals yet
## Summary
- add config-backed depositor and custodian trust roots keyed by route/reserve/network
- enforce self_v1 depositor key pinning and qc_v1 custodian key pinning before artifact approval signature verification
- add focused covenantsigner coverage for matching, mismatched, and missing trust-root entries

## Testing
- go test ./pkg/covenantsigner -count=1
- go test ./pkg/tbtc -run 'SignerApprovalCertificate|CovenantSigner' -count=1 -timeout=5m
…val-cutover' into codex/repair-keep-core-umbrella
## Summary
- add requestType to covenant signer requests and make it part of normalization and request digests
- reject invalid qc_v1 + presign_self_v1 combinations while preserving explicit self_v1 presign semantics
- refresh mirrored approval-contract vectors and add requestType regressions in covenantsigner and tbtc engine tests

## Testing
- go test ./pkg/covenantsigner ./pkg/tbtc -run 'SignerApprovalCertificate|CovenantSigner|ApprovalContractVectors|RequestDigestDistinguishesSelfV1PresignFromReconstruct|RejectsQcV1PresignRequestType' -count=1
…com/threshold-network/keep-core into feat/psbt-covenant-final-project-pr
## Summary
- add a production startup gate for missing covenant approval trust roots
- expose the gate through keep-core config and CLI flags
- cover startup enforcement plus config/flag parsing in tests

## Testing
- go test ./pkg/covenantsigner ./cmd ./config -count=1
This is the draft final project PR for the keep-core side of the PSBT covenant extension.
It accumulates the keep-core covenant signer work for the current threshold ECDSA signer set before a final merge to main.
Current contents:
This PR is intentionally draft and will be updated as the remaining keep-core covenant work lands.