@lightninglabs/lightning-mcp-server 0.2.0

package/skills/lightning-security-module/scripts/docker-stop.sh

@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+# Stop the remote signer container.
+#
+# Usage:
+#   docker-stop.sh                  # Stop (preserve data)
+#   docker-stop.sh --clean          # Stop and remove volumes
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+TEMPLATE_DIR="$SCRIPT_DIR/../templates"
+CLEAN=false
+
+# Parse arguments.
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --clean|-v)
+            CLEAN=true
+            shift
+            ;;
+        -h|--help)
+            echo "Usage: docker-stop.sh [options]"
+            echo ""
+            echo "Stop the remote signer container."
+            echo ""
+            echo "Options:"
+            echo "  --clean, -v  Remove volumes (clean state)"
+            exit 0
+            ;;
+        *)
+            echo "Unknown option: $1" >&2
+            exit 1
+            ;;
+    esac
+done
+
+# Check if the signer container is running.
+if ! docker ps --format '{{.Names}}' 2>/dev/null | grep -qx 'litd-signer'; then
+    echo "Signer container is not running."
+    exit 0
+fi
+
+cd "$TEMPLATE_DIR"
+
+echo "Stopping signer container..."
+
+if [ "$CLEAN" = true ]; then
+    docker compose -f docker-compose-signer.yml down -v
+    echo "Stopped and removed volumes."
+else
+    docker compose -f docker-compose-signer.yml down
+    echo "Stopped (volumes preserved)."
+fi

package/skills/lightning-security-module/scripts/export-credentials.sh

@@ -0,0 +1,268 @@
+#!/usr/bin/env bash
+# Export credentials bundle from a running signer for watch-only node import.
+#
+# Container mode (default — auto-detects litd-signer container):
+#   export-credentials.sh                             # Auto-detect container
+#   export-credentials.sh --container litd-signer     # Explicit container
+#
+# Native mode:
+#   export-credentials.sh --native                    # Local signer
+#   export-credentials.sh --native --network testnet  # Testnet
+#   export-credentials.sh --native --output /path     # Custom output dir
+#
+# Remote mode:
+#   export-credentials.sh --rpcserver remote:10012 \
+#                         --tlscertpath ~/tls.cert \
+#                         --macaroonpath ~/admin.macaroon
+#
+# Produces:
+#   ~/.lnget/signer/credentials-bundle/accounts.json
+#   ~/.lnget/signer/credentials-bundle/tls.cert
+#   ~/.lnget/signer/credentials-bundle/admin.macaroon
+#   ~/.lnget/signer/credentials-bundle.tar.gz.b64       (portable base64)
+
+set -e
+
+LNGET_SIGNER_DIR="${LNGET_SIGNER_DIR:-$HOME/.lnget/signer}"
+LND_SIGNER_DIR="${LND_SIGNER_DIR:-}"
+NETWORK="testnet"
+RPC_PORT=10012
+OUTPUT_DIR=""
+CONTAINER=""
+NATIVE=false
+RPCSERVER=""
+TLSCERTPATH=""
+MACAROONPATH=""
+
+# Parse arguments.
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --network)
+            NETWORK="$2"
+            shift 2
+            ;;
+        --lnddir)
+            LND_SIGNER_DIR="$2"
+            shift 2
+            ;;
+        --rpc-port)
+            RPC_PORT="$2"
+            shift 2
+            ;;
+        --output)
+            OUTPUT_DIR="$2"
+            shift 2
+            ;;
+        --container)
+            CONTAINER="$2"
+            shift 2
+            ;;
+        --native)
+            NATIVE=true
+            shift
+            ;;
+        --rpcserver)
+            RPCSERVER="$2"
+            shift 2
+            ;;
+        --tlscertpath)
+            TLSCERTPATH="$2"
+            shift 2
+            ;;
+        --macaroonpath)
+            MACAROONPATH="$2"
+            shift 2
+            ;;
+        -h|--help)
+            echo "Usage: export-credentials.sh [options]"
+            echo ""
+            echo "Export credentials bundle from a running signer."
+            echo ""
+            echo "Connection options:"
+            echo "  --container NAME       Export from signer in a Docker container"
+            echo "  --native               Export from local signer process"
+            echo "  --rpcserver HOST:PORT  Connect to a remote signer node"
+            echo "  --tlscertpath PATH     TLS certificate for remote connection (also bundled)"
+            echo "  --macaroonpath PATH    Macaroon for remote authentication (also bundled)"
+            echo ""
+            echo "Options:"
+            echo "  --network NETWORK      Bitcoin network (default: testnet)"
+            echo "  --lnddir DIR           Signer lnd data directory (default: ~/.lnd-signer)"
+            echo "  --rpc-port PORT        Signer RPC port (default: 10012)"
+            echo "  --output DIR           Output directory (default: ~/.lnget/signer/credentials-bundle)"
+            echo ""
+            echo "Container auto-detection: looks for litd-signer container."
+            exit 0
+            ;;
+        *)
+            echo "Unknown option: $1" >&2
+            exit 1
+            ;;
+    esac
+done
+
+# Auto-detect container if not native, no container, and no remote.
+if [ "$NATIVE" = false ] && [ -z "$CONTAINER" ] && [ -z "$RPCSERVER" ]; then
+    if command -v docker &>/dev/null; then
+        if docker ps --format '{{.Names}}' 2>/dev/null | grep -qx 'litd-signer'; then
+            CONTAINER="litd-signer"
+        fi
+    fi
+
+    # If no container found, fall back to native.
+    if [ -z "$CONTAINER" ]; then
+        NATIVE=true
+    fi
+fi
+
+# Apply default lnddir if not set.
+if [ -z "$LND_SIGNER_DIR" ]; then
+    if [ -n "$CONTAINER" ]; then
+        LND_SIGNER_DIR="/root/.lnd"
+    else
+        LND_SIGNER_DIR="$HOME/.lnd-signer"
+    fi
+fi
+
+BUNDLE_DIR="${OUTPUT_DIR:-$LNGET_SIGNER_DIR/credentials-bundle}"
+
+echo "=== Exporting Credentials Bundle ==="
+echo ""
+echo "Network:    $NETWORK"
+if [ -n "$CONTAINER" ]; then
+    echo "Container:  $CONTAINER"
+elif [ -n "$RPCSERVER" ]; then
+    echo "Remote:     $RPCSERVER"
+else
+    echo "Signer dir: $LND_SIGNER_DIR"
+fi
+echo "Output:     $BUNDLE_DIR"
+echo ""
+
+# Verify lncli is available.
+if [ -n "$CONTAINER" ]; then
+    if ! docker exec "$CONTAINER" which lncli &>/dev/null; then
+        echo "Error: lncli not found in container '$CONTAINER'." >&2
+        exit 1
+    fi
+elif [ -z "$RPCSERVER" ]; then
+    if ! command -v lncli &>/dev/null; then
+        echo "Error: lncli not found. Run install.sh first." >&2
+        exit 1
+    fi
+else
+    if ! command -v lncli &>/dev/null; then
+        echo "Error: lncli not found. Install lncli to connect to the remote signer." >&2
+        exit 1
+    fi
+fi
+
+# Create bundle directory.
+mkdir -p "$BUNDLE_DIR"
+chmod 700 "$BUNDLE_DIR"
+
+# Build lncli connection flags.
+LNCLI_CONN=()
+if [ -n "$RPCSERVER" ]; then
+    LNCLI_CONN+=("--rpcserver=$RPCSERVER")
+else
+    LNCLI_CONN+=("--rpcserver=localhost:$RPC_PORT")
+fi
+LNCLI_CONN+=("--lnddir=$LND_SIGNER_DIR" "--network=$NETWORK")
+if [ -n "$TLSCERTPATH" ]; then
+    LNCLI_CONN+=("--tlscertpath=$TLSCERTPATH")
+fi
+if [ -n "$MACAROONPATH" ]; then
+    LNCLI_CONN+=("--macaroonpath=$MACAROONPATH")
+fi
+
+# Export accounts list.
+echo "Exporting accounts..."
+if [ -n "$CONTAINER" ]; then
+    docker exec "$CONTAINER" lncli "${LNCLI_CONN[@]}" \
+        wallet accounts list > "$BUNDLE_DIR/accounts.json"
+else
+    lncli "${LNCLI_CONN[@]}" \
+        wallet accounts list > "$BUNDLE_DIR/accounts.json"
+fi
+
+if [ ! -s "$BUNDLE_DIR/accounts.json" ]; then
+    echo "Error: Failed to export accounts. Is the signer running and unlocked?" >&2
+    exit 1
+fi
+echo "  accounts.json exported."
+
+# Copy TLS certificate.
+if [ -n "$RPCSERVER" ]; then
+    # Remote mode: use the provided --tlscertpath as the bundle cert.
+    if [ -z "$TLSCERTPATH" ]; then
+        echo "Error: --tlscertpath required for remote export (needed for bundle)." >&2
+        exit 1
+    fi
+    cp "$TLSCERTPATH" "$BUNDLE_DIR/tls.cert"
+elif [ -n "$CONTAINER" ]; then
+    TLS_CERT="$LND_SIGNER_DIR/tls.cert"
+    docker cp "$CONTAINER:$TLS_CERT" "$BUNDLE_DIR/tls.cert" 2>/dev/null
+    if [ ! -f "$BUNDLE_DIR/tls.cert" ]; then
+        echo "Error: TLS certificate not found at $TLS_CERT in container '$CONTAINER'" >&2
+        exit 1
+    fi
+else
+    TLS_CERT="$LND_SIGNER_DIR/tls.cert"
+    if [ ! -f "$TLS_CERT" ]; then
+        echo "Error: TLS certificate not found at $TLS_CERT" >&2
+        exit 1
+    fi
+    cp "$TLS_CERT" "$BUNDLE_DIR/tls.cert"
+fi
+echo "  tls.cert copied."
+
+# Copy admin macaroon.
+if [ -n "$RPCSERVER" ]; then
+    # Remote mode: use the provided --macaroonpath as the bundle macaroon.
+    if [ -z "$MACAROONPATH" ]; then
+        echo "Error: --macaroonpath required for remote export (needed for bundle)." >&2
+        exit 1
+    fi
+    cp "$MACAROONPATH" "$BUNDLE_DIR/admin.macaroon"
+elif [ -n "$CONTAINER" ]; then
+    MACAROON="$LND_SIGNER_DIR/data/chain/bitcoin/$NETWORK/admin.macaroon"
+    docker cp "$CONTAINER:$MACAROON" "$BUNDLE_DIR/admin.macaroon" 2>/dev/null
+    if [ ! -f "$BUNDLE_DIR/admin.macaroon" ]; then
+        echo "Error: Admin macaroon not found at $MACAROON in container '$CONTAINER'" >&2
+        exit 1
+    fi
+else
+    MACAROON="$LND_SIGNER_DIR/data/chain/bitcoin/$NETWORK/admin.macaroon"
+    if [ ! -f "$MACAROON" ]; then
+        echo "Error: Admin macaroon not found at $MACAROON" >&2
+        exit 1
+    fi
+    cp "$MACAROON" "$BUNDLE_DIR/admin.macaroon"
+fi
+echo "  admin.macaroon copied."
+echo ""
+
+# Create portable base64-encoded tar.gz bundle.
+BUNDLE_ARCHIVE="$LNGET_SIGNER_DIR/credentials-bundle.tar.gz.b64"
+echo "Creating portable bundle..."
+tar -czf - -C "$BUNDLE_DIR" accounts.json tls.cert admin.macaroon | base64 > "$BUNDLE_ARCHIVE"
+echo "  Bundle saved to $BUNDLE_ARCHIVE"
+echo ""
+
+echo "=== Credentials Bundle Ready ==="
+echo ""
+echo "Bundle contents:"
+echo "  $BUNDLE_DIR/accounts.json    — account xpubs for watch-only import"
+echo "  $BUNDLE_DIR/tls.cert         — signer TLS certificate"
+echo "  $BUNDLE_DIR/admin.macaroon   — signer admin macaroon"
+echo ""
+echo "Portable bundle (base64):"
+echo "  $BUNDLE_ARCHIVE"
+echo ""
+echo "To transfer, either:"
+echo "  1. Copy the credentials-bundle/ directory to the agent machine"
+echo "  2. Copy-paste the base64 string from $BUNDLE_ARCHIVE"
+echo ""
+echo "On the agent machine:"
+echo "  skills/lnd/scripts/import-credentials.sh --bundle <path-or-base64>"

package/skills/lightning-security-module/scripts/install.sh

@@ -0,0 +1,178 @@
+#!/usr/bin/env bash
+# Install lnd for the remote signer machine.
+#
+# Default: pulls the pre-built Docker image (fast, no Go required).
+# Fallback: --source builds lnd from source (requires Go 1.21+).
+#
+# The signer only needs lnd (not litd) since it only performs signing
+# operations via gRPC — no loop, pool, tapd, or UI needed.
+#
+# Usage:
+#   install.sh                              # Docker pull (default)
+#   install.sh --version v0.20.0-beta       # Specific version
+#   install.sh --source                     # Build from source
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+VERSIONS_FILE="$SCRIPT_DIR/../../../versions.env"
+
+# Source pinned versions.
+if [ -f "$VERSIONS_FILE" ]; then
+    source "$VERSIONS_FILE"
+fi
+
+VERSION=""
+SOURCE=false
+BUILD_TAGS="signrpc walletrpc chainrpc invoicesrpc routerrpc peersrpc kvdb_sqlite neutrinorpc"
+
+# Parse arguments.
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --version)
+            VERSION="$2"
+            shift 2
+            ;;
+        --source)
+            SOURCE=true
+            shift
+            ;;
+        --tags)
+            BUILD_TAGS="$2"
+            shift 2
+            ;;
+        -h|--help)
+            echo "Usage: install.sh [options]"
+            echo ""
+            echo "Install lnd for the remote signer."
+            echo ""
+            echo "Default: pulls the pre-built Docker image."
+            echo ""
+            echo "Options:"
+            echo "  --version VERSION  Image tag or git tag (default: from versions.env)"
+            echo "  --source           Build lnd from source instead of pulling Docker image"
+            echo "  --tags TAGS        Build tags for --source mode"
+            exit 0
+            ;;
+        *)
+            echo "Unknown option: $1" >&2
+            exit 1
+            ;;
+    esac
+done
+
+if [ "$SOURCE" = true ]; then
+    # --- Source build mode: clone and build lnd from source ---
+    echo "=== Installing lnd (signer) from source ==="
+    echo ""
+
+    # Verify Go is installed.
+    if ! command -v go &>/dev/null; then
+        echo "Error: Go is not installed." >&2
+        echo "Install Go from https://go.dev/dl/" >&2
+        exit 1
+    fi
+
+    GO_VERSION=$(go version | grep -oE 'go[0-9]+\.[0-9]+' | head -1)
+    echo "Go version: $GO_VERSION"
+    echo "Build tags: $BUILD_TAGS"
+    echo ""
+
+    # Use LND_VERSION from versions.env if no --version given.
+    SOURCE_VERSION="${VERSION:-${LND_VERSION:-}}"
+
+    # Clone lnd into a temp directory and build from source.
+    TMPDIR=$(mktemp -d)
+    trap "rm -rf $TMPDIR" EXIT
+
+    echo "Cloning lnd..."
+    git clone --quiet https://github.com/lightningnetwork/lnd.git "$TMPDIR/lnd"
+
+    cd "$TMPDIR/lnd"
+
+    # Checkout specific version if requested, otherwise use latest tag.
+    if [ -n "$SOURCE_VERSION" ]; then
+        echo "Checking out $SOURCE_VERSION..."
+        git checkout --quiet "$SOURCE_VERSION"
+    else
+        LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
+        if [ -n "$LATEST_TAG" ]; then
+            echo "Using latest tag: $LATEST_TAG"
+            git checkout --quiet "$LATEST_TAG"
+        else
+            echo "Using HEAD (no tags found)."
+        fi
+    fi
+    echo ""
+
+    GOBIN=$(go env GOPATH)/bin
+
+    # Build lnd.
+    echo "Building lnd..."
+    go build -tags "$BUILD_TAGS" -o "$GOBIN/lnd" ./cmd/lnd
+    echo "Done."
+
+    # Build lncli.
+    echo "Building lncli..."
+    go build -tags "$BUILD_TAGS" -o "$GOBIN/lncli" ./cmd/lncli
+    echo "Done."
+    echo ""
+
+    # Verify installation.
+    if command -v lnd &>/dev/null; then
+        echo "lnd installed: $(which lnd)"
+        lnd --version 2>/dev/null || true
+    else
+        echo "Warning: lnd not found on PATH." >&2
+        echo "Ensure \$GOPATH/bin is in your PATH." >&2
+        echo "  export PATH=\$PATH:\$(go env GOPATH)/bin" >&2
+    fi
+
+    if command -v lncli &>/dev/null; then
+        echo "lncli installed: $(which lncli)"
+    else
+        echo "Warning: lncli not found on PATH." >&2
+    fi
+
+    echo ""
+    echo "Source installation complete."
+    echo ""
+    echo "Next steps:"
+    echo "  1. Set up signer: skills/lightning-security-module/scripts/setup-signer.sh"
+
+else
+    # --- Docker mode (default): pull pre-built lnd image ---
+    echo "=== Installing lnd (signer) via Docker ==="
+    echo ""
+
+    # Verify Docker is available.
+    if ! command -v docker &>/dev/null; then
+        echo "Error: Docker is not installed." >&2
+        echo "Install Docker from https://docs.docker.com/get-docker/" >&2
+        echo "" >&2
+        echo "Or use --source to build from source (requires Go 1.21+)." >&2
+        exit 1
+    fi
+
+    IMAGE="${LND_IMAGE:-lightninglabs/lnd}"
+    TAG="${VERSION:-${LND_VERSION:-v0.20.0-beta}}"
+
+    echo "Image: $IMAGE:$TAG"
+    echo ""
+
+    # Pull the image.
+    echo "Pulling image..."
+    docker pull "$IMAGE:$TAG"
+    echo ""
+
+    # Verify the image works.
+    echo "Verifying installation..."
+    docker run --rm "$IMAGE:$TAG" lnd --version 2>/dev/null || true
+    echo ""
+
+    echo "Installation complete."
+    echo ""
+    echo "Next steps:"
+    echo "  1. Start signer:  skills/lightning-security-module/scripts/docker-start.sh"
+    echo "  2. Set up signer: skills/lightning-security-module/scripts/setup-signer.sh"
+fi