[Sync] migrate octobot_sync to Starfish 3.0.0a18 cap-cert auth #3480
Open
Herklos wants to merge 1 commit into
Replace the custom EIP-191 wallet auth with Starfish v3 capability
certificates. The EVM wallet derives a stable Ed25519/X25519 Starfish
identity via the new derive_root_identity_from_evm_signature (a18,
challenge "octobot:sync-bootstrap"); the client signs every request with a
self-minted device cap and the server authenticates with
create_cap_cert_role_resolver + identities_server_plugin.
- client: WalletCapProvider (cap_provider=); create_sync_client returns
(client, user_id); drop sign_data; share encryption via crypto.SecretEncryptor.
- server: cap-cert resolver (max_body_bytes raised to 10MB so per-collection
limits govern); storage identity is now the Starfish user_id; the bridge
resolves the local wallet by re-deriving each wallet's user_id; userId-keyed
allowlist; server-held encryption secret removed. EIP-191 modules removed
(canonical/nonce/storage/role_resolver); SignedPathMiddleware normalizes the
mounted /sync path so cap-signed paths match regardless of mount.
- deps: pin starfish-sdk/server/identities/protocol/keyring ==3.0.0a18
(pre-releases must be pinned explicitly or pip resolves the latest stable).
- temporary: product-scoped append-only by_timestamp "product-signals"
collection (products/{product_id}/{version}/signals, authorized via the root
device cap; to be removed).
Verified: packages/sync tests green (165 passed, 1 S3-gated skip) incl. a real
cap-signed round-trip through create_app with a >64KB body and the product-scoped
append-only collection. NOT exercised in this minimal env (compile-checked,
mechanical edits): octobot/community/{authentication,errors_upload/error_sharing}.py,
the flow trading_signals_repository, and the node_api_interface allowlist lambda.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
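
The path mismatch that the SignedPathMiddleware item above addresses, as an added example that is not code from this PR or from Starfish. It assumes the client signs the app-relative path, uses HMAC as a stand-in for the cap signature, and the canonical layout, key and route are constructed for illustration.

```python
import hashlib
import hmac

MOUNT = "/sync"                 # mount prefix named in the PR description
KEY = b"constructed-demo-key"   # constructed; stands in for the device cap key


def canonical(method: str, path: str, body: bytes) -> bytes:
    """Bytes covered by the request signature (hypothetical layout)."""
    digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, digest]).encode()


def sign(method: str, path: str, body: bytes) -> str:
    # HMAC-SHA256 is a stand-in for the real signature, to stay stdlib-only.
    return hmac.new(KEY, canonical(method, path, body), hashlib.sha256).hexdigest()


def normalize_path(path: str, mount: str = MOUNT) -> str:
    """Return the app-relative path whether or not the mount prefix is present."""
    # Strip only on a segment boundary so "/syncx/..." is never treated as mounted.
    if path == mount or path.startswith(mount + "/"):
        return path[len(mount):] or "/"
    return path


def verify(method: str, seen_path: str, body: bytes, signature: str,
           normalize: bool = True) -> bool:
    """Recompute the signature over the path the server sees and compare."""
    path = normalize_path(seen_path) if normalize else seen_path
    return hmac.compare_digest(sign(method, path, body), signature)


if __name__ == "__main__":
    body = b'{"k": "v"}'
    sig = sign("POST", "/pull/users/u1", body)  # hypothetical route
    for seen in ("/sync/pull/users/u1", "/pull/users/u1", "/syncx/pull/users/u1"):
        print(seen,
              "raw:", verify("POST", seen, body, sig, normalize=False),
              "normalized:", verify("POST", seen, body, sig))
```

Without normalization the same signed request verifies or fails depending on whether the framework strips the mount prefix before the verifier sees the path; a different path still fails in both modes.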
c6a6436 to 7f817e7