@lightninglabs/lightning-mcp-server 0.2.0

package/skills/lightning-security-module/scripts/setup-signer.sh

@@ -0,0 +1,307 @@
+#!/usr/bin/env bash
+# Set up a remote signer: create wallet, export credentials bundle.
+#
+# Container mode (default — auto-detects litd-signer container):
+#   setup-signer.sh                              # Auto-detect container
+#   setup-signer.sh --container litd-signer      # Explicit container
+#
+# Native mode:
+#   setup-signer.sh --native                     # Local lnd signer
+#   setup-signer.sh --native --network mainnet   # Mainnet
+#   setup-signer.sh --native --password "mypass" # Custom passphrase
+#
+# Stores credentials at:
+#   ~/.lnget/signer/wallet-password.txt           (mode 0600)
+#   ~/.lnget/signer/seed.txt                      (mode 0600)
+#   ~/.lnget/signer/credentials-bundle/           (exported credentials)
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+LNGET_SIGNER_DIR="${LNGET_SIGNER_DIR:-$HOME/.lnget/signer}"
+LND_SIGNER_DIR="${LND_SIGNER_DIR:-$HOME/.lnd-signer}"
+NETWORK="testnet"
+PASSWORD=""
+RPC_PORT=10012
+REST_PORT=10013
+CONTAINER=""
+NATIVE=false
+
+# Parse arguments.
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --network)
+            NETWORK="$2"
+            shift 2
+            ;;
+        --lnddir)
+            LND_SIGNER_DIR="$2"
+            shift 2
+            ;;
+        --password)
+            PASSWORD="$2"
+            shift 2
+            ;;
+        --rpc-port)
+            RPC_PORT="$2"
+            shift 2
+            ;;
+        --rest-port)
+            REST_PORT="$2"
+            shift 2
+            ;;
+        --container)
+            CONTAINER="$2"
+            shift 2
+            ;;
+        --native)
+            NATIVE=true
+            shift
+            ;;
+        -h|--help)
+            echo "Usage: setup-signer.sh [options]"
+            echo ""
+            echo "Set up an lnd remote signer node."
+            echo ""
+            echo "Connection options:"
+            echo "  --container NAME    Set up signer in a Docker container"
+            echo "  --native            Set up signer on local lnd process"
+            echo ""
+            echo "Options:"
+            echo "  --network NETWORK   Bitcoin network (default: testnet)"
+            echo "  --lnddir DIR        Signer lnd data directory (default: ~/.lnd-signer)"
+            echo "  --password PASS     Wallet passphrase (auto-generated if omitted)"
+            echo "  --rpc-port PORT     Signer RPC port (default: 10012)"
+            echo "  --rest-port PORT    Signer REST port (default: 10013)"
+            echo ""
+            echo "Container auto-detection: looks for litd-signer container."
+            exit 0
+            ;;
+        *)
+            echo "Unknown option: $1" >&2
+            exit 1
+            ;;
+    esac
+done
+
+# Auto-detect container if not native and no container specified.
+if [ "$NATIVE" = false ] && [ -z "$CONTAINER" ]; then
+    if command -v docker &>/dev/null; then
+        if docker ps --format '{{.Names}}' 2>/dev/null | grep -qx 'litd-signer'; then
+            CONTAINER="litd-signer"
+        fi
+    fi
+
+    # If no container found, fall back to native.
+    if [ -z "$CONTAINER" ]; then
+        NATIVE=true
+    fi
+fi
+
+# Container mode: verify container is running.
+if [ -n "$CONTAINER" ]; then
+    if ! docker ps --format '{{.Names}}' 2>/dev/null | grep -qx "$CONTAINER"; then
+        echo "Error: Container '$CONTAINER' is not running." >&2
+        echo "Start it with: skills/lightning-security-module/scripts/docker-start.sh" >&2
+        exit 1
+    fi
+fi
+
+echo "=== Remote Signer Setup ==="
+echo ""
+if [ -n "$CONTAINER" ]; then
+    echo "Container:   $CONTAINER"
+else
+    echo "Mode:        native"
+    echo "Signer dir:  $LND_SIGNER_DIR"
+fi
+echo "Network:     $NETWORK"
+echo "Creds dir:   $LNGET_SIGNER_DIR"
+echo "RPC port:    $RPC_PORT"
+echo "REST port:   $REST_PORT"
+echo ""
+
+# Native mode: verify lnd is installed.
+if [ "$NATIVE" = true ]; then
+    if ! command -v lnd &>/dev/null; then
+        echo "Error: lnd not found. Run install.sh first." >&2
+        exit 1
+    fi
+fi
+
+# Create directories with restricted permissions.
+mkdir -p "$LNGET_SIGNER_DIR"
+chmod 700 "$LNGET_SIGNER_DIR"
+
+if [ "$NATIVE" = true ]; then
+    mkdir -p "$LND_SIGNER_DIR"
+fi
+
+PASSWORD_FILE="$LNGET_SIGNER_DIR/wallet-password.txt"
+SEED_OUTPUT="$LNGET_SIGNER_DIR/seed.txt"
+CONF_FILE="$LNGET_SIGNER_DIR/signer-lnd.conf"
+
+# Generate or use provided passphrase.
+if [ -n "$PASSWORD" ]; then
+    echo "Using provided passphrase."
+else
+    echo "Generating secure passphrase..."
+    PASSWORD=$(openssl rand -base64 32 | tr -d '/+=' | head -c 32)
+fi
+
+# Store passphrase with restricted permissions on the host.
+echo -n "$PASSWORD" > "$PASSWORD_FILE"
+chmod 600 "$PASSWORD_FILE"
+echo "Passphrase saved to $PASSWORD_FILE (mode 0600)"
+echo ""
+
+# Copy password file into container if applicable.
+if [ -n "$CONTAINER" ]; then
+    docker cp "$PASSWORD_FILE" "$CONTAINER:/root/.lnd/wallet-password.txt"
+    echo "Password file copied into container."
+fi
+
+# Source shared REST helpers. REST_HOST defaults to localhost for
+# the signer; CONTAINER_PORT defaults to REST_PORT.
+REST_HOST="localhost"
+source "$SCRIPT_DIR/../../lib/rest.sh"
+
+# For native mode, create config and start lnd temporarily if needed.
+if [ "$NATIVE" = true ]; then
+    # Create signer config from template.
+    TEMPLATE="$SCRIPT_DIR/../templates/signer-lnd.conf.template"
+    if [ -f "$TEMPLATE" ]; then
+        echo "Creating signer config from template..."
+        # Replace network flag — match any existing network variant.
+        sed -E "s/bitcoin\.(testnet|mainnet|signet|regtest)=true/bitcoin.$NETWORK=true/g" "$TEMPLATE" > "$CONF_FILE"
+
+        # Replace password file path.
+        sed -i.bak "s|wallet-unlock-password-file=.*|wallet-unlock-password-file=$PASSWORD_FILE|g" "$CONF_FILE"
+
+        # Replace port numbers. Native mode binds to localhost, not 0.0.0.0.
+        sed -i.bak "s|rpclisten=0.0.0.0:10012|rpclisten=localhost:$RPC_PORT|g" "$CONF_FILE"
+        sed -i.bak "s|restlisten=0.0.0.0:10013|restlisten=localhost:$REST_PORT|g" "$CONF_FILE"
+        rm -f "$CONF_FILE.bak"
+        echo "Config saved to $CONF_FILE"
+    else
+        echo "Error: Config template not found at $TEMPLATE" >&2
+        exit 1
+    fi
+    echo ""
+
+    # Start signer lnd temporarily for wallet creation if not running.
+    if rest_call GET "/v1/state" &>/dev/null; then
+        echo "Signer lnd is already running."
+    else
+        echo "Starting signer lnd temporarily for wallet creation..."
+        nohup lnd \
+            --lnddir="$LND_SIGNER_DIR" \
+            --configfile="$CONF_FILE" \
+            > "$LNGET_SIGNER_DIR/signer-setup.log" 2>&1 &
+        SIGNER_PID=$!
+
+        echo "Waiting for signer lnd to start (PID: $SIGNER_PID)..."
+        for i in {1..30}; do
+            if rest_call GET "/v1/state" &>/dev/null; then
+                break
+            fi
+            if ! kill -0 "$SIGNER_PID" 2>/dev/null; then
+                echo "Error: signer lnd exited. Check $LNGET_SIGNER_DIR/signer-setup.log" >&2
+                exit 1
+            fi
+            sleep 2
+            echo "  Waiting... ($i/30)"
+        done
+        echo ""
+    fi
+else
+    # Container mode: wait for REST API to be available inside container.
+    wait_for_rest "signer REST API"
+fi
+
+# Create wallet via REST API.
+echo "=== Creating Signer Wallet ==="
+
+# Generate seed.
+echo "Generating wallet seed..."
+SEED_RESPONSE=$(rest_call GET "/v1/genseed")
+
+MNEMONIC=$(echo "$SEED_RESPONSE" | jq -r '.cipher_seed_mnemonic[]' 2>/dev/null)
+if [ -z "$MNEMONIC" ] || [ "$MNEMONIC" = "null" ]; then
+    echo "Error: Failed to generate seed." >&2
+    echo "Response: $SEED_RESPONSE" >&2
+    exit 1
+fi
+
+# Store seed with restricted permissions on host.
+echo "$MNEMONIC" > "$SEED_OUTPUT"
+chmod 600 "$SEED_OUTPUT"
+echo "Seed mnemonic saved to $SEED_OUTPUT (mode 0600)"
+echo ""
+
+# Initialize wallet with password and seed.
+SEED_JSON=$(echo "$MNEMONIC" | jq -R . | jq -s .)
+PAYLOAD=$(jq -n \
+    --arg pass "$(echo -n "$PASSWORD" | base64)" \
+    --argjson seed "$SEED_JSON" \
+    '{wallet_password: $pass, cipher_seed_mnemonic: $seed}')
+
+RESPONSE=$(rest_call POST "/v1/initwallet" "$PAYLOAD")
+
+ERROR=$(echo "$RESPONSE" | jq -r '.message // empty' 2>/dev/null)
+if [ -n "$ERROR" ]; then
+    echo "Error creating wallet: $ERROR" >&2
+    exit 1
+fi
+
+echo "Signer wallet created successfully!"
+echo ""
+
+# Wait for signer to be fully ready (wallet unlocked, RPC available).
+echo "Waiting for signer to be fully ready..."
+for i in {1..30}; do
+    STATE=$(rest_call GET "/v1/state" 2>/dev/null | jq -r '.state // empty' 2>/dev/null)
+    if [ "$STATE" = "SERVER_ACTIVE" ]; then
+        break
+    fi
+    sleep 2
+    echo "  Waiting for RPC... ($i/30)"
+done
+echo ""
+
+# Export credentials bundle.
+echo "=== Exporting Credentials Bundle ==="
+if [ -n "$CONTAINER" ]; then
+    "$SCRIPT_DIR/export-credentials.sh" \
+        --container "$CONTAINER" \
+        --network "$NETWORK" \
+        --rpc-port "$RPC_PORT"
+else
+    "$SCRIPT_DIR/export-credentials.sh" \
+        --network "$NETWORK" \
+        --lnddir "$LND_SIGNER_DIR" \
+        --rpc-port "$RPC_PORT"
+fi
+
+echo ""
+echo "=== Signer Setup Complete ==="
+echo ""
+echo "Credential locations:"
+echo "  Passphrase: $PASSWORD_FILE"
+echo "  Seed:       $SEED_OUTPUT"
+if [ "$NATIVE" = true ]; then
+    echo "  Config:     $CONF_FILE"
+fi
+echo ""
+echo "IMPORTANT: The seed mnemonic at $SEED_OUTPUT is the master secret."
+echo "Back it up securely and restrict access to this machine."
+echo ""
+echo "Next steps:"
+echo "  1. Copy the credentials bundle to your agent machine"
+echo "  2. On the agent: skills/lnd/scripts/import-credentials.sh --bundle <path>"
+echo "  3. On the agent: skills/lnd/scripts/create-wallet.sh"
+if [ -n "$CONTAINER" ]; then
+    echo "  4. On the agent: skills/lnd/scripts/docker-start.sh --watchonly"
+else
+    echo "  4. On the agent: skills/lnd/scripts/start-lnd.sh --native --signer-host <this-ip>:$RPC_PORT"
+fi

package/skills/lightning-security-module/scripts/start-signer.sh

@@ -0,0 +1,152 @@
+#!/usr/bin/env bash
+# Start the remote signer lnd node — delegates to Docker by default.
+#
+# Usage:
+#   start-signer.sh                          # Docker (default)
+#   start-signer.sh --network mainnet        # Mainnet
+#   start-signer.sh --native                 # Native lnd signer
+#   start-signer.sh --native --foreground    # Native, foreground
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+NATIVE=false
+
+# Check for --native flag before parsing other args.
+PASS_ARGS=()
+for arg in "$@"; do
+    if [ "$arg" = "--native" ]; then
+        NATIVE=true
+    else
+        PASS_ARGS+=("$arg")
+    fi
+done
+
+# If not native mode, delegate to docker-start.sh.
+if [ "$NATIVE" = false ]; then
+    if command -v docker &>/dev/null; then
+        exec "$SCRIPT_DIR/docker-start.sh" "${PASS_ARGS[@]}"
+    else
+        echo "Docker not available. Falling back to native mode." >&2
+        echo "Install Docker or use --native explicitly." >&2
+        echo ""
+        NATIVE=true
+    fi
+fi
+
+# --- Native mode: original signer startup logic ---
+
+LNGET_SIGNER_DIR="${LNGET_SIGNER_DIR:-$HOME/.lnget/signer}"
+LND_SIGNER_DIR="${LND_SIGNER_DIR:-$HOME/.lnd-signer}"
+NETWORK="testnet"
+FOREGROUND=false
+EXTRA_ARGS=""
+RPC_PORT=10012
+CONF_FILE="$LNGET_SIGNER_DIR/signer-lnd.conf"
+
+# Parse arguments.
+set -- "${PASS_ARGS[@]}"
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --network)
+            NETWORK="$2"
+            shift 2
+            ;;
+        --lnddir)
+            LND_SIGNER_DIR="$2"
+            shift 2
+            ;;
+        --foreground)
+            FOREGROUND=true
+            shift
+            ;;
+        --rpc-port)
+            RPC_PORT="$2"
+            shift 2
+            ;;
+        --extra-args)
+            EXTRA_ARGS="$2"
+            shift 2
+            ;;
+        -h|--help)
+            echo "Usage: start-signer.sh [options]"
+            echo ""
+            echo "Start the remote signer lnd node."
+            echo ""
+            echo "Docker options (default):"
+            echo "  --network NET     Override network (testnet, mainnet, signet)"
+            echo "  --foreground      Run in foreground (show logs)"
+            echo ""
+            echo "Native options (--native):"
+            echo "  --native             Run lnd as a local process"
+            echo "  --lnddir DIR         Signer lnd data directory (default: ~/.lnd-signer)"
+            echo "  --rpc-port PORT      Signer RPC port (default: 10012)"
+            echo "  --extra-args ARGS    Additional lnd arguments"
+            exit 0
+            ;;
+        *)
+            echo "Unknown option: $1" >&2
+            exit 1
+            ;;
+    esac
+done
+
+# Verify lnd is installed.
+if ! command -v lnd &>/dev/null; then
+    echo "Error: lnd not found. Run install.sh first." >&2
+    exit 1
+fi
+
+# Check if signer is already running by checking the RPC port.
+if curl -sk "https://localhost:$RPC_PORT/v1/state" &>/dev/null 2>&1; then
+    echo "Signer lnd is already running on port $RPC_PORT."
+    echo "Use stop-signer.sh to stop it first."
+    exit 1
+fi
+
+# Verify config exists.
+if [ ! -f "$CONF_FILE" ]; then
+    echo "Error: Signer config not found at $CONF_FILE" >&2
+    echo "Run setup-signer.sh --native first." >&2
+    exit 1
+fi
+
+echo "=== Starting Signer LND ==="
+echo "Network:  $NETWORK"
+echo "Data dir: $LND_SIGNER_DIR"
+echo "Config:   $CONF_FILE"
+echo "RPC port: $RPC_PORT"
+echo ""
+
+LOG_FILE="$LNGET_SIGNER_DIR/signer-lnd.log"
+
+if [ "$FOREGROUND" = true ]; then
+    exec lnd \
+        --lnddir="$LND_SIGNER_DIR" \
+        --configfile="$CONF_FILE" \
+        $EXTRA_ARGS
+else
+    nohup lnd \
+        --lnddir="$LND_SIGNER_DIR" \
+        --configfile="$CONF_FILE" \
+        $EXTRA_ARGS \
+        > "$LOG_FILE" 2>&1 &
+    SIGNER_PID=$!
+    echo "Signer lnd started in background (PID: $SIGNER_PID)"
+    echo "Log file: $LOG_FILE"
+    echo ""
+
+    # Wait briefly and verify it's running.
+    sleep 2
+    if kill -0 "$SIGNER_PID" 2>/dev/null; then
+        echo "Signer lnd is running."
+    else
+        echo "Error: signer lnd exited immediately. Check $LOG_FILE" >&2
+        tail -20 "$LOG_FILE" 2>/dev/null
+        exit 1
+    fi
+
+    echo ""
+    echo "The signer is ready to accept connections from watch-only nodes."
+    echo "Watch-only nodes connect to this machine on port $RPC_PORT."
+fi

package/skills/lightning-security-module/scripts/stop-signer.sh

@@ -0,0 +1,240 @@
+#!/usr/bin/env bash
+# Stop the remote signer — delegates to Docker by default.
+#
+# Usage:
+#   stop-signer.sh                          # Docker stop (auto-detect)
+#   stop-signer.sh --clean                  # Docker stop + remove volumes
+#   stop-signer.sh --native                 # Stop native signer process
+#   stop-signer.sh --native --force         # SIGTERM native process
+#   stop-signer.sh --container litd-signer  # Explicit container
+#   stop-signer.sh --rpcserver remote:10012 --tlscertpath ~/tls.cert --macaroonpath ~/admin.macaroon
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+NATIVE=false
+
+# Check for --native flag before parsing other args.
+PASS_ARGS=()
+for arg in "$@"; do
+    if [ "$arg" = "--native" ]; then
+        NATIVE=true
+    else
+        PASS_ARGS+=("$arg")
+    fi
+done
+
+# If not native mode, delegate to docker-stop.sh.
+if [ "$NATIVE" = false ]; then
+    # Check if we have a --container arg or docker-specific flags.
+    HAS_CONTAINER_ARG=false
+    HAS_RPCSERVER=false
+    for arg in "${PASS_ARGS[@]}"; do
+        if [ "$arg" = "--container" ]; then
+            HAS_CONTAINER_ARG=true
+        fi
+        if [ "$arg" = "--rpcserver" ]; then
+            HAS_RPCSERVER=true
+        fi
+    done
+
+    # If --rpcserver is specified, fall through to native stop logic (remote
+    # mode needs lncli).
+    if [ "$HAS_RPCSERVER" = true ]; then
+        NATIVE=true
+    elif [ "$HAS_CONTAINER_ARG" = true ]; then
+        # Explicit container — use native stop logic (handles docker exec).
+        NATIVE=true
+    elif command -v docker &>/dev/null; then
+        if docker ps --format '{{.Names}}' 2>/dev/null | grep -qx 'litd-signer'; then
+            exec "$SCRIPT_DIR/docker-stop.sh" "${PASS_ARGS[@]}"
+        fi
+        # No signer container found, fall through to native.
+        NATIVE=true
+    else
+        NATIVE=true
+    fi
+fi
+
+# --- Native / container-specific stop logic ---
+
+LND_SIGNER_DIR="${LND_SIGNER_DIR:-}"
+NETWORK="${NETWORK:-testnet}"
+RPC_PORT=10012
+FORCE=false
+CONTAINER=""
+RPCSERVER=""
+TLSCERTPATH=""
+MACAROONPATH=""
+
+# Parse arguments.
+set -- "${PASS_ARGS[@]}"
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --force)
+            FORCE=true
+            shift
+            ;;
+        --network)
+            NETWORK="$2"
+            shift 2
+            ;;
+        --rpc-port)
+            RPC_PORT="$2"
+            shift 2
+            ;;
+        --container)
+            CONTAINER="$2"
+            shift 2
+            ;;
+        --rpcserver)
+            RPCSERVER="$2"
+            shift 2
+            ;;
+        --tlscertpath)
+            TLSCERTPATH="$2"
+            shift 2
+            ;;
+        --macaroonpath)
+            MACAROONPATH="$2"
+            shift 2
+            ;;
+        --clean|-v)
+            # Docker-specific flags; delegate to docker-stop.sh.
+            exec "$SCRIPT_DIR/docker-stop.sh" "${PASS_ARGS[@]}"
+            ;;
+        -h|--help)
+            echo "Usage: stop-signer.sh [options]"
+            echo ""
+            echo "Stop the remote signer."
+            echo ""
+            echo "Docker options (default):"
+            echo "  --clean, -v            Remove volumes (clean state)"
+            echo ""
+            echo "Native options (--native):"
+            echo "  --native               Stop native signer process"
+            echo "  --force                Send SIGTERM immediately"
+            echo "  --container NAME       Stop signer in a specific container"
+            echo "  --rpcserver HOST:PORT  Connect to a remote signer node"
+            echo "  --tlscertpath PATH     TLS certificate for remote connection"
+            echo "  --macaroonpath PATH    Macaroon for remote authentication"
+            echo "  --rpc-port PORT        Signer RPC port (default: 10012)"
+            exit 0
+            ;;
+        *)
+            echo "Unknown option: $1" >&2
+            exit 1
+            ;;
+    esac
+done
+
+# Apply default lnddir if not set.
+if [ -z "$LND_SIGNER_DIR" ]; then
+    if [ -n "$CONTAINER" ]; then
+        LND_SIGNER_DIR="/root/.lnd"
+    else
+        LND_SIGNER_DIR="$HOME/.lnd-signer"
+    fi
+fi
+
+if [ -n "$CONTAINER" ]; then
+    # Docker container mode.
+    if ! docker ps --format '{{.Names}}' | grep -qx "$CONTAINER"; then
+        echo "Container '$CONTAINER' is not running."
+        exit 0
+    fi
+
+    echo "Stopping signer lnd in container '$CONTAINER'..."
+
+    if [ "$FORCE" = true ]; then
+        docker stop "$CONTAINER"
+        echo "Container stopped."
+    else
+        if docker exec "$CONTAINER" lncli --rpcserver="localhost:$RPC_PORT" \
+            --lnddir="$LND_SIGNER_DIR" \
+            --network="$NETWORK" \
+            stop 2>/dev/null; then
+            echo "Graceful shutdown initiated."
+        else
+            echo "lncli stop failed, stopping container..."
+            docker stop "$CONTAINER"
+            echo "Container stopped."
+        fi
+    fi
+    exit 0
+fi
+
+# Build connection flags for lncli.
+CONN_FLAGS=(--network="$NETWORK" --lnddir="$LND_SIGNER_DIR")
+if [ -n "$RPCSERVER" ]; then
+    CONN_FLAGS+=("--rpcserver=$RPCSERVER")
+else
+    CONN_FLAGS+=("--rpcserver=localhost:$RPC_PORT")
+fi
+if [ -n "$TLSCERTPATH" ]; then
+    CONN_FLAGS+=("--tlscertpath=$TLSCERTPATH")
+fi
+if [ -n "$MACAROONPATH" ]; then
+    CONN_FLAGS+=("--macaroonpath=$MACAROONPATH")
+fi
+
+# Remote mode — stop via lncli only (no PID or port access).
+if [ -n "$RPCSERVER" ]; then
+    echo "Stopping remote signer at $RPCSERVER..."
+    if lncli "${CONN_FLAGS[@]}" stop; then
+        echo "Graceful shutdown initiated."
+    else
+        echo "Error: lncli stop failed for remote signer." >&2
+        exit 1
+    fi
+    exit 0
+fi
+
+# Local mode — check if signer is running by probing the RPC port.
+if ! curl -sk "https://localhost:$RPC_PORT/v1/state" &>/dev/null 2>&1; then
+    echo "Signer lnd is not running (port $RPC_PORT not responding)."
+    exit 0
+fi
+
+echo "Stopping signer lnd..."
+
+if [ "$FORCE" = true ]; then
+    # Find the process listening on the signer RPC port and kill it.
+    SIGNER_PID=$(lsof -ti ":$RPC_PORT" 2>/dev/null | head -1 || true)
+    if [ -n "$SIGNER_PID" ]; then
+        kill "$SIGNER_PID"
+        echo "Sent SIGTERM to PID $SIGNER_PID."
+    else
+        echo "Warning: Could not find process on port $RPC_PORT." >&2
+        exit 1
+    fi
+else
+    # Try graceful shutdown via lncli.
+    if lncli "${CONN_FLAGS[@]}" stop 2>/dev/null; then
+        echo "Graceful shutdown initiated."
+    else
+        echo "lncli stop failed, finding process on port $RPC_PORT..."
+        SIGNER_PID=$(lsof -ti ":$RPC_PORT" 2>/dev/null | head -1 || true)
+        if [ -n "$SIGNER_PID" ]; then
+            kill "$SIGNER_PID"
+            echo "Sent SIGTERM to PID $SIGNER_PID."
+        else
+            echo "Warning: Could not find process to stop." >&2
+            exit 1
+        fi
+    fi
+fi
+
+# Wait for process to exit.
+echo "Waiting for signer lnd to exit..."
+for i in {1..15}; do
+    if ! curl -sk "https://localhost:$RPC_PORT/v1/state" &>/dev/null 2>&1; then
+        echo "Signer lnd stopped."
+        exit 0
+    fi
+    sleep 1
+done
+
+echo "Warning: signer lnd did not exit within 15 seconds." >&2
+echo "Use --force or manually kill the process." >&2
+exit 1