@layr-labs/ecloud-sdk 1.0.0-devep3 → 1.0.0-devep5

package/VERSION

@@ -1,2 +1,2 @@
-version=1.0.0-devep3
-commit=ae7213bb77bd5448778a2774d92c43d3d9a7cb67
+version=1.0.0-devep5
+commit=8c8210ee1e833160b553cf2c9549908f55a0a88c

package/dist/browser.cjs

@@ -749,7 +749,7 @@ var CanViewAppLogsPermission = "0x2fd3f2fe";
 var CanViewSensitiveAppInfoPermission = "0x0e67b22f";
 var CanUpdateAppProfilePermission = "0x036fef61";
 function getDefaultClientId() {
-  const version = true ? "1.0.0-devep3" : "0.0.0";
+  const version = true ? "1.0.0-devep5" : "0.0.0";
   return `ecloud-sdk/v${version}`;
 }
 var UserApiClient = class {

package/dist/browser.js

@@ -638,7 +638,7 @@ var CanViewAppLogsPermission = "0x2fd3f2fe";
 var CanViewSensitiveAppInfoPermission = "0x0e67b22f";
 var CanUpdateAppProfilePermission = "0x036fef61";
 function getDefaultClientId() {
-  const version = true ? "1.0.0-devep3" : "0.0.0";
+  const version = true ? "1.0.0-devep5" : "0.0.0";
   return `ecloud-sdk/v${version}`;
 }
 var UserApiClient = class {

package/dist/compute.cjs

@@ -457,7 +457,102 @@ var PushPermissionError = class extends Error {
 var import_handlebars = __toESM(require("handlebars"), 1);
 
 // src/client/common/templates/Dockerfile.layered.tmpl
-var Dockerfile_layered_default = '{{#if includeTLS}}\n# Get Caddy from official image\nFROM caddy:2.10.2-alpine AS caddy\n{{/if}}\n\nFROM {{baseImage}}\n\n{{#if originalUser}}\n# Switch to root to perform setup (base image has non-root USER: {{originalUser}})\nUSER root\n{{/if}}\n\n# Copy core TEE components\nCOPY compute-source-env.sh /usr/local/bin/\nCOPY kms-client /usr/local/bin/\nCOPY kms-signing-public-key.pem /usr/local/bin/\n{{#if includeDrainWatcher}}\nCOPY ecloud-drain-watcher /usr/local/bin/\n{{/if}}\n\n{{#if includeTLS}}\n# Copy Caddy from official image\nCOPY --from=caddy /usr/bin/caddy /usr/local/bin/caddy\n\n# Copy TLS components\nCOPY tls-keygen /usr/local/bin/\nCOPY Caddyfile /etc/caddy/\n{{/if}}\n\n{{#if originalUser}}\n# Make binaries executable (755 for executables, 644 for keys)\nRUN chmod 755 /usr/local/bin/compute-source-env.sh \\\n    && chmod 755 /usr/local/bin/kms-client{{#if includeDrainWatcher}} \\\n    && chmod 755 /usr/local/bin/ecloud-drain-watcher{{/if}}{{#if includeTLS}} \\\n    && chmod 755 /usr/local/bin/tls-keygen \\\n    && chmod 755 /usr/local/bin/caddy{{/if}} \\\n    && chmod 644 /usr/local/bin/kms-signing-public-key.pem\n\n# Store original user - entrypoint will drop privileges to this user after TEE setup\nENV __ECLOUD_ORIGINAL_USER={{originalUser}}\n{{else}}\n# Make binaries executable (preserve existing permissions, just add execute)\nRUN chmod +x /usr/local/bin/compute-source-env.sh \\\n    && chmod +x /usr/local/bin/kms-client{{#if includeDrainWatcher}} \\\n    && chmod +x /usr/local/bin/ecloud-drain-watcher{{/if}}{{#if includeTLS}} \\\n    && chmod +x /usr/local/bin/tls-keygen{{/if}}\n{{/if}}\n\n{{#if logRedirect}}\n\nLABEL tee.launch_policy.log_redirect={{logRedirect}}\n{{/if}}\n{{#if resourceUsageAllow}}\n\nLABEL tee.launch_policy.monitoring_memory_allow={{resourceUsageAllow}}\n{{/if}}\n\n# Allow-list the envvars the ecloud-platform sets via GCE `tee-env-*`\n# metadata. Without this label, Confidential Space\'s launcher rejects\n# any `tee-env-*` override at container-start with\n# "env var {...} is not allowed to be overridden on this image" and\n# exits with code 1 \u2014 which terminates the VM before the entrypoint\n# ever runs. ECLOUD_PD_EXPECTED is set on PD-backed apps so the\n# entrypoint (compute-source-env.sh) knows to wait for the persistent\n# disk before exec\'ing the user workload. User-supplied env vars\n# flow through KMS (not tee-env-*) and don\'t need to be listed here.\nLABEL tee.launch_policy.allow_env_override=ECLOUD_PD_EXPECTED\n\nLABEL eigenx_cli_version={{ecloudCLIVersion}}\nLABEL eigenx_vm_image=eigen\nLABEL eigenx_container_contract=v1\n\n{{#if includeTLS}}\n# Expose both HTTP and HTTPS ports for Caddy\nEXPOSE 80 443\n{{/if}}\n\nENTRYPOINT ["/usr/local/bin/compute-source-env.sh"]\nCMD {{{originalCmd}}}\n';
+var Dockerfile_layered_default = `{{#if includeTLS}}
+# Get Caddy from official image
+FROM caddy:2.10.2-alpine AS caddy
+{{/if}}
+
+FROM {{baseImage}}
+
+{{#if originalUser}}
+# Switch to root to perform setup (base image has non-root USER: {{originalUser}})
+USER root
+{{/if}}
+
+# Copy core TEE components
+COPY compute-source-env.sh /usr/local/bin/
+COPY kms-client /usr/local/bin/
+COPY kms-signing-public-key.pem /usr/local/bin/
+{{#if includeDrainWatcher}}
+COPY ecloud-drain-watcher /usr/local/bin/
+{{/if}}
+
+{{#if includeTLS}}
+# Copy Caddy from official image
+COPY --from=caddy /usr/bin/caddy /usr/local/bin/caddy
+
+# Copy TLS components
+COPY tls-keygen /usr/local/bin/
+COPY Caddyfile /etc/caddy/
+{{/if}}
+
+{{#if originalUser}}
+# Make binaries executable (755 for executables, 644 for keys)
+RUN chmod 755 /usr/local/bin/compute-source-env.sh \\
+    && chmod 755 /usr/local/bin/kms-client{{#if includeDrainWatcher}} \\
+    && chmod 755 /usr/local/bin/ecloud-drain-watcher{{/if}}{{#if includeTLS}} \\
+    && chmod 755 /usr/local/bin/tls-keygen \\
+    && chmod 755 /usr/local/bin/caddy{{/if}} \\
+    && chmod 644 /usr/local/bin/kms-signing-public-key.pem
+
+# Store original user - entrypoint will drop privileges to this user after TEE setup
+ENV __ECLOUD_ORIGINAL_USER={{originalUser}}
+{{else}}
+# Make binaries executable (preserve existing permissions, just add execute)
+RUN chmod +x /usr/local/bin/compute-source-env.sh \\
+    && chmod +x /usr/local/bin/kms-client{{#if includeDrainWatcher}} \\
+    && chmod +x /usr/local/bin/ecloud-drain-watcher{{/if}}{{#if includeTLS}} \\
+    && chmod +x /usr/local/bin/tls-keygen{{/if}}
+{{/if}}
+
+{{#if logRedirect}}
+
+LABEL tee.launch_policy.log_redirect={{logRedirect}}
+{{/if}}
+{{#if resourceUsageAllow}}
+
+LABEL tee.launch_policy.monitoring_memory_allow={{resourceUsageAllow}}
+{{/if}}
+
+# Allow-list the envvars the ecloud-platform sets via GCE \`tee-env-*\`
+# metadata. Without this label, Confidential Space's launcher rejects
+# any \`tee-env-*\` override at container-start with
+# "env var {...} is not allowed to be overridden on this image" and
+# exits with code 1 \u2014 which terminates the VM before the entrypoint
+# ever runs. User-supplied env vars flow through KMS (not tee-env-*)
+# and don't need to be listed here.
+#
+# Entries:
+#   - ECLOUD_PD_EXPECTED   set on PD-backed apps so the entrypoint
+#                          (compute-source-env.sh) knows to wait for
+#                          the persistent disk before exec'ing the
+#                          user workload.
+#   - ECLOUD_PLATFORM_HOST the platform-routed hostname
+#                          (<addr>.<env>.eigencloud.xyz) so the
+#                          entrypoint's setup_tls can issue an ACME
+#                          cert for it. Injected by the CLI into
+#                          publicEnv at deploy/upgrade time and
+#                          propagated by ecloud-platform's
+#                          compute.go as a tee-env-* metadata key.
+#
+# The CS launcher parses this label as a comma-separated list
+# (go-tpm-tools/launcher/spec/launch_policy.go:185 \u2014 strings.Split
+# on ","). Quotes are not required; keep the value bare for
+# consistency with compute-tee's and eigenx-kms's existing labels.
+LABEL tee.launch_policy.allow_env_override=ECLOUD_PD_EXPECTED,ECLOUD_PLATFORM_HOST
+
+LABEL eigenx_cli_version={{ecloudCLIVersion}}
+LABEL eigenx_vm_image=eigen
+LABEL eigenx_container_contract=v1
+
+{{#if includeTLS}}
+# Expose both HTTP and HTTPS ports for Caddy
+EXPOSE 80 443
+{{/if}}
+
+ENTRYPOINT ["/usr/local/bin/compute-source-env.sh"]
+CMD {{{originalCmd}}}
+`;
 
 // src/client/common/templates/dockerfileTemplate.ts
 function processDockerfileTemplate(data) {
@@ -1420,132 +1515,6 @@ async function encryptRSAOAEPAndAES256GCM(encryptionKeyPEM, plaintext, protected
   return jwe;
 }
 
-// src/client/common/config/environment.ts
-var SEPOLIA_CHAIN_ID = 11155111;
-var MAINNET_CHAIN_ID = 1;
-var CommonAddresses = {
-  ERC7702Delegator: "0x63c0c19a282a1b52b07dd5a65b58948a07dae32b"
-};
-var ChainAddresses = {
-  [MAINNET_CHAIN_ID]: {
-    PermissionController: "0x25E5F8B1E7aDf44518d35D5B2271f114e081f0E5"
-  },
-  [SEPOLIA_CHAIN_ID]: {
-    PermissionController: "0x44632dfBdCb6D3E21EF613B0ca8A6A0c618F5a37"
-  }
-};
-var PLATFORM_ENV_TESTNET_SEPOLIA = "testnet-sepolia";
-var PLATFORM_ENV_MAINNET_ETHEREUM = "mainnet-ethereum";
-var DEFAULT_APP_BASE_DOMAIN = "eigencloud.xyz";
-var ENVIRONMENTS = {
-  "sepolia-dev": {
-    name: "sepolia",
-    build: "dev",
-    appControllerAddress: "0xa86DC1C47cb2518327fB4f9A1627F51966c83B92",
-    permissionControllerAddress: ChainAddresses[SEPOLIA_CHAIN_ID].PermissionController,
-    erc7702DelegatorAddress: CommonAddresses.ERC7702Delegator,
-    kmsServerURL: "http://10.128.0.57:8080",
-    userApiServerURL: "https://userapi-compute-sepolia-dev.eigencloud.xyz",
-    defaultRPCURL: "https://ethereum-sepolia-rpc.publicnode.com",
-    usdcCreditsAddress: "0xbdA3897c3A428763B59015C64AB766c288C97376",
-    platformEnv: PLATFORM_ENV_TESTNET_SEPOLIA,
-    appBaseDomain: DEFAULT_APP_BASE_DOMAIN
-  },
-  sepolia: {
-    name: "sepolia",
-    build: "prod",
-    appControllerAddress: "0x0dd810a6ffba6a9820a10d97b659f07d8d23d4E2",
-    permissionControllerAddress: ChainAddresses[SEPOLIA_CHAIN_ID].PermissionController,
-    erc7702DelegatorAddress: CommonAddresses.ERC7702Delegator,
-    kmsServerURL: "http://10.128.15.203:8080",
-    userApiServerURL: "https://userapi-compute-sepolia-prod.eigencloud.xyz",
-    defaultRPCURL: "https://ethereum-sepolia-rpc.publicnode.com",
-    billingRPCURL: "https://ethereum-rpc.publicnode.com",
-    usdcCreditsAddress: "0xed9c88640ca9149Bd9f7ee6620074af10F2E145d",
-    platformEnv: PLATFORM_ENV_TESTNET_SEPOLIA,
-    appBaseDomain: DEFAULT_APP_BASE_DOMAIN
-  },
-  "mainnet-alpha": {
-    name: "mainnet-alpha",
-    build: "prod",
-    appControllerAddress: "0xc38d35Fc995e75342A21CBd6D770305b142Fbe67",
-    permissionControllerAddress: ChainAddresses[MAINNET_CHAIN_ID].PermissionController,
-    erc7702DelegatorAddress: CommonAddresses.ERC7702Delegator,
-    kmsServerURL: "http://10.128.0.2:8080",
-    userApiServerURL: "https://userapi-compute.eigencloud.xyz",
-    defaultRPCURL: "https://ethereum-rpc.publicnode.com",
-    usdcCreditsAddress: "0xed9c88640ca9149Bd9f7ee6620074af10F2E145d",
-    platformEnv: PLATFORM_ENV_MAINNET_ETHEREUM,
-    appBaseDomain: DEFAULT_APP_BASE_DOMAIN
-  }
-};
-function derivePlatformHost(environmentConfig, appAddress) {
-  if (!environmentConfig.platformEnv || !environmentConfig.appBaseDomain) {
-    return "";
-  }
-  const addr = appAddress.toLowerCase().replace(/^0x/, "");
-  return `${addr}.${environmentConfig.platformEnv}.${environmentConfig.appBaseDomain}`;
-}
-var CHAIN_ID_TO_ENVIRONMENT = {
-  [SEPOLIA_CHAIN_ID.toString()]: "sepolia",
-  [MAINNET_CHAIN_ID.toString()]: "mainnet-alpha"
-};
-function getApiUrlOverride() {
-  const raw = process.env.ECLOUD_API_URL;
-  if (!raw) return void 0;
-  const trimmed = raw.trim().replace(/\/+$/, "");
-  return trimmed.length > 0 ? trimmed : void 0;
-}
-function getEnvironmentConfig(environment, chainID) {
-  const env = ENVIRONMENTS[environment];
-  if (!env) {
-    throw new Error(`Unknown environment: ${environment}`);
-  }
-  if (!isEnvironmentAvailable(environment)) {
-    throw new Error(
-      `Environment ${environment} is not available in this build type. Available environments: ${getAvailableEnvironments().join(", ")}`
-    );
-  }
-  if (chainID) {
-    const expectedEnv = CHAIN_ID_TO_ENVIRONMENT[chainID.toString()];
-    if (expectedEnv && expectedEnv !== environment) {
-      throw new Error(`Environment ${environment} does not match chain ID ${chainID}`);
-    }
-  }
-  const resolvedChainID = chainID || (environment === "sepolia" || environment === "sepolia-dev" ? SEPOLIA_CHAIN_ID : MAINNET_CHAIN_ID);
-  const apiUrlOverride = getApiUrlOverride();
-  return {
-    ...env,
-    chainID: BigInt(resolvedChainID),
-    ...apiUrlOverride ? { userApiServerURL: apiUrlOverride } : {},
-    ...process.env.ECLOUD_USER_API_URL && {
-      userApiServerURL: process.env.ECLOUD_USER_API_URL
-    },
-    ...process.env.ECLOUD_RPC_URL && {
-      defaultRPCURL: process.env.ECLOUD_RPC_URL
-    }
-  };
-}
-function getBuildType() {
-  const buildTimeType = true ? "dev"?.toLowerCase() : void 0;
-  const runtimeType = process.env.BUILD_TYPE?.toLowerCase();
-  const buildType = buildTimeType || runtimeType;
-  if (buildType === "dev") {
-    return "dev";
-  }
-  return "prod";
-}
-function getAvailableEnvironments() {
-  const buildType = getBuildType();
-  if (buildType === "dev") {
-    return ["sepolia-dev"];
-  }
-  return ["sepolia", "mainnet-alpha"];
-}
-function isEnvironmentAvailable(environment) {
-  return getAvailableEnvironments().includes(environment);
-}
-
 // src/client/common/env/parser.ts
 var fs2 = __toESM(require("fs"), 1);
 var MNEMONIC_ENV_VAR = "MNEMONIC";
@@ -1683,11 +1652,6 @@ Please verify the image exists: docker manifest inspect ${finalImageRef}`
   }
   publicEnv["EIGEN_MACHINE_TYPE_PUBLIC"] = instanceType;
   logger.info(`Instance type: ${instanceType}`);
-  const platformHost = derivePlatformHost(environmentConfig, options.appId);
-  if (platformHost !== "") {
-    publicEnv["ECLOUD_PLATFORM_HOST"] = platformHost;
-    logger.info(`Platform hostname: ${platformHost}`);
-  }
   logger.info("Encrypting environment variables...");
   const { encryptionKey } = getKMSKeysForEnvironment(
     environmentConfig.name,
@@ -5270,7 +5234,7 @@ var CanViewAppLogsPermission = "0x2fd3f2fe";
 var CanViewSensitiveAppInfoPermission = "0x0e67b22f";
 var CanUpdateAppProfilePermission = "0x036fef61";
 function getDefaultClientId() {
-  const version = true ? "1.0.0-devep3" : "0.0.0";
+  const version = true ? "1.0.0-devep5" : "0.0.0";
   return `ecloud-sdk/v${version}`;
 }
 var UserApiClient = class {
@@ -5932,6 +5896,125 @@ function validateResourceUsageMonitoring(resourceUsageMonitoring) {
   }
 }
 
+// src/client/common/config/environment.ts
+var SEPOLIA_CHAIN_ID = 11155111;
+var MAINNET_CHAIN_ID = 1;
+var CommonAddresses = {
+  ERC7702Delegator: "0x63c0c19a282a1b52b07dd5a65b58948a07dae32b"
+};
+var ChainAddresses = {
+  [MAINNET_CHAIN_ID]: {
+    PermissionController: "0x25E5F8B1E7aDf44518d35D5B2271f114e081f0E5"
+  },
+  [SEPOLIA_CHAIN_ID]: {
+    PermissionController: "0x44632dfBdCb6D3E21EF613B0ca8A6A0c618F5a37"
+  }
+};
+var PLATFORM_ENV_TESTNET_SEPOLIA = "testnet-sepolia";
+var PLATFORM_ENV_MAINNET_ETHEREUM = "mainnet-ethereum";
+var DEFAULT_APP_BASE_DOMAIN = "eigencloud.xyz";
+var ENVIRONMENTS = {
+  "sepolia-dev": {
+    name: "sepolia",
+    build: "dev",
+    appControllerAddress: "0xa86DC1C47cb2518327fB4f9A1627F51966c83B92",
+    permissionControllerAddress: ChainAddresses[SEPOLIA_CHAIN_ID].PermissionController,
+    erc7702DelegatorAddress: CommonAddresses.ERC7702Delegator,
+    kmsServerURL: "http://10.128.0.57:8080",
+    userApiServerURL: "https://userapi-compute-sepolia-dev.eigencloud.xyz",
+    defaultRPCURL: "https://ethereum-sepolia-rpc.publicnode.com",
+    usdcCreditsAddress: "0xbdA3897c3A428763B59015C64AB766c288C97376",
+    platformEnv: PLATFORM_ENV_TESTNET_SEPOLIA,
+    appBaseDomain: DEFAULT_APP_BASE_DOMAIN
+  },
+  sepolia: {
+    name: "sepolia",
+    build: "prod",
+    appControllerAddress: "0x0dd810a6ffba6a9820a10d97b659f07d8d23d4E2",
+    permissionControllerAddress: ChainAddresses[SEPOLIA_CHAIN_ID].PermissionController,
+    erc7702DelegatorAddress: CommonAddresses.ERC7702Delegator,
+    kmsServerURL: "http://10.128.15.203:8080",
+    userApiServerURL: "https://userapi-compute-sepolia-prod.eigencloud.xyz",
+    defaultRPCURL: "https://ethereum-sepolia-rpc.publicnode.com",
+    billingRPCURL: "https://ethereum-rpc.publicnode.com",
+    usdcCreditsAddress: "0xed9c88640ca9149Bd9f7ee6620074af10F2E145d",
+    platformEnv: PLATFORM_ENV_TESTNET_SEPOLIA,
+    appBaseDomain: DEFAULT_APP_BASE_DOMAIN
+  },
+  "mainnet-alpha": {
+    name: "mainnet-alpha",
+    build: "prod",
+    appControllerAddress: "0xc38d35Fc995e75342A21CBd6D770305b142Fbe67",
+    permissionControllerAddress: ChainAddresses[MAINNET_CHAIN_ID].PermissionController,
+    erc7702DelegatorAddress: CommonAddresses.ERC7702Delegator,
+    kmsServerURL: "http://10.128.0.2:8080",
+    userApiServerURL: "https://userapi-compute.eigencloud.xyz",
+    defaultRPCURL: "https://ethereum-rpc.publicnode.com",
+    usdcCreditsAddress: "0xed9c88640ca9149Bd9f7ee6620074af10F2E145d",
+    platformEnv: PLATFORM_ENV_MAINNET_ETHEREUM,
+    appBaseDomain: DEFAULT_APP_BASE_DOMAIN
+  }
+};
+var CHAIN_ID_TO_ENVIRONMENT = {
+  [SEPOLIA_CHAIN_ID.toString()]: "sepolia",
+  [MAINNET_CHAIN_ID.toString()]: "mainnet-alpha"
+};
+function getApiUrlOverride() {
+  const raw = process.env.ECLOUD_API_URL;
+  if (!raw) return void 0;
+  const trimmed = raw.trim().replace(/\/+$/, "");
+  return trimmed.length > 0 ? trimmed : void 0;
+}
+function getEnvironmentConfig(environment, chainID) {
+  const env = ENVIRONMENTS[environment];
+  if (!env) {
+    throw new Error(`Unknown environment: ${environment}`);
+  }
+  if (!isEnvironmentAvailable(environment)) {
+    throw new Error(
+      `Environment ${environment} is not available in this build type. Available environments: ${getAvailableEnvironments().join(", ")}`
+    );
+  }
+  if (chainID) {
+    const expectedEnv = CHAIN_ID_TO_ENVIRONMENT[chainID.toString()];
+    if (expectedEnv && expectedEnv !== environment) {
+      throw new Error(`Environment ${environment} does not match chain ID ${chainID}`);
+    }
+  }
+  const resolvedChainID = chainID || (environment === "sepolia" || environment === "sepolia-dev" ? SEPOLIA_CHAIN_ID : MAINNET_CHAIN_ID);
+  const apiUrlOverride = getApiUrlOverride();
+  return {
+    ...env,
+    chainID: BigInt(resolvedChainID),
+    ...apiUrlOverride ? { userApiServerURL: apiUrlOverride } : {},
+    ...process.env.ECLOUD_USER_API_URL && {
+      userApiServerURL: process.env.ECLOUD_USER_API_URL
+    },
+    ...process.env.ECLOUD_RPC_URL && {
+      defaultRPCURL: process.env.ECLOUD_RPC_URL
+    }
+  };
+}
+function getBuildType() {
+  const buildTimeType = true ? "dev"?.toLowerCase() : void 0;
+  const runtimeType = process.env.BUILD_TYPE?.toLowerCase();
+  const buildType = buildTimeType || runtimeType;
+  if (buildType === "dev") {
+    return "dev";
+  }
+  return "prod";
+}
+function getAvailableEnvironments() {
+  const buildType = getBuildType();
+  if (buildType === "dev") {
+    return ["sepolia-dev"];
+  }
+  return ["sepolia", "mainnet-alpha"];
+}
+function isEnvironmentAvailable(environment) {
+  return getAvailableEnvironments().includes(environment);
+}
+
 // src/client/common/utils/preflight.ts
 async function doPreflightChecks(options, logger) {
   const { walletClient, publicClient } = options;