@toon-protocol/hub 0.34.3

package/dist/compose/townhouse-direct.yml

@@ -0,0 +1,391 @@
+# Townhouse — Direct BTP mode operator compose template
+#
+# THIS IS A BUILD-TIME TEMPLATE. Do not use it directly.
+# The digest placeholders (${TOON_*_DIGEST}) are substituted by
+# scripts/render-compose-template.mjs during `pnpm build` (when
+# dist/image-manifest.json is present) to produce the fully-resolved
+# dist/compose/townhouse-direct.yml that ships inside the npm tarball.
+#
+# Resolved copy location at runtime: ~/.townhouse/compose/townhouse-direct.yml
+#   - Written by materializeComposeTemplate('direct') in packages/townhouse/src/compose-loader.ts
+#   - File mode: 0o600 (operator-secret — may embed private keys at deploy time)
+#
+# Architecture (Direct-mode, Phase 2):
+#   - Apex connector: standalone, NO hidden service. Its transport block is
+#     {type:'direct'} (no anon stanza in connector.yaml). The connector's BTP
+#     server port :3000 is EXPOSED to the host so an external client can connect
+#     over plain ws://host:3000/btp (Phase 1's DIRECT_BTP client transport).
+#   - townhouse-api: containerized host API — owns /var/run/docker.sock, calls
+#     connector admin API, manages lifecycle for lazy-provisioned peers.
+#   - town/mill/dvm: lazy-provisioned via Docker Compose profiles, identical
+#     wiring to the HS template. Child↔apex is direct Docker-internal
+#     (ws://connector:3000) regardless of the CLIENT-facing transport.
+#
+# Difference from townhouse-hs.yml (the structural mirror):
+#   - NO connector-init service (no .anyone key volume to chown).
+#   - NO townhouse-direct-anon volume / /var/lib/anon/hs mount.
+#   - NO anon block in the connector config (transport: {type:'direct'}).
+#   - The connector EXPOSES BTP :3000 to the host (the KEY difference). The
+#     bind interface is operator-configurable via ${TOWNHOUSE_BTP_BIND:-127.0.0.1}
+#     so binding to 0.0.0.0 (LAN/public exposure) is an explicit opt-in.
+#   - Namespaced (network/volumes/container names use the `townhouse-direct-*`
+#     prefix) so a direct stack can coexist with an HS stack on the same host.
+#     The service KEYS (connector, townhouse-api, town, mill, dvm) and profiles
+#     are IDENTICAL to the HS template so the loader/orchestrator/`node add`
+#     logic is unchanged.
+#
+# Digest placeholders (substituted at build time from dist/image-manifest.json):
+#   ${TOON_TOWNHOUSE_API_DIGEST} → @sha256:<hex>
+#   ${TOON_TOWN_DIGEST}         → @sha256:<hex>
+#   ${TOON_MILL_DIGEST}         → @sha256:<hex>
+#   ${TOON_DVM_DIGEST}          → @sha256:<hex>
+#   ${TOON_CONNECTOR_DIGEST}    → @sha256:<hex>
+#
+# Port allocation (direct-mode binds canonical ports — single-tenant operator box):
+#   ${TOWNHOUSE_BTP_BIND:-127.0.0.1}:3000   connector BTP (external client dial)
+#   127.0.0.1:9401   connector admin
+#   127.0.0.1:28090  townhouse-api Fastify
+#   ${TOWNHOUSE_RELAY_BIND:-127.0.0.1}:7100  town Nostr relay WS (external direct
+#                    READ/SUBSCRIBE — reads are free), 127.0.0.1:3100 BLS health
+#                    — both profile gated
+#   127.0.0.1:3200   mill BLS health — profile gated
+#   127.0.0.1:3400   dvm BLS health — profile gated
+#
+#   These collide with the contributor dev stack's 28xxx-namespaced bindings.
+#   Direct-mode and the contributor dev stack (scripts/townhouse-dev-infra.sh)
+#   MUST NOT run concurrently on the same machine.
+
+networks:
+  townhouse-direct-net:
+    name: townhouse-direct-net
+    driver: bridge
+
+volumes:
+  townhouse-direct-town-data:
+    name: townhouse-direct-town-data
+  townhouse-direct-mill-data:
+    name: townhouse-direct-mill-data
+  townhouse-direct-dvm-data:
+    name: townhouse-direct-dvm-data
+
+services:
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # Apex connector — terminates inbound BTP over a host-exposed :3000.
+  #
+  # NO hidden service: the connector config (written by `handleDirectUp`) sets
+  # transport: {type:'direct'} and omits the anon stanza. Instead of publishing
+  # a .anyone address, the connector's BTP server is mapped to the host so an
+  # external client dials ws://<host>:3000/btp directly.
+  #
+  # NFR7: connector MUST NOT mount /var/run/docker.sock.
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  connector:
+    image: ghcr.io/toon-protocol/connector${TOON_CONNECTOR_DIGEST}
+    # v3.5.1 has the multi-arch manifest but the default resolves to arm64 on
+    # some Docker versions. Pin to amd64 explicitly until the manifest is fixed.
+    platform: linux/amd64
+    container_name: townhouse-direct-connector
+    hostname: connector
+    networks:
+      - townhouse-direct-net
+    ports:
+      # BTP server — EXPOSED to the host for external direct clients. The bind
+      # interface defaults to 127.0.0.1 (loopback-only); set TOWNHOUSE_BTP_BIND=
+      # 0.0.0.0 to deliberately expose it on all interfaces (LAN / public).
+      # This host-exposed :3000 is the KEY difference from the HS template.
+      - '${TOWNHOUSE_BTP_BIND:-127.0.0.1}:3000:3000'
+      # Admin API on host loopback only (NFR9). Operator uses for status.
+      - '127.0.0.1:9401:9401'
+    volumes:
+      # Rendered connector config (handleDirectUp writes this on first-run).
+      # TOWNHOUSE_HOME is exported by `townhouse up --transport direct` as the
+      # operator's config dir (default ~/.townhouse). Docker does NOT expand
+      # `~` in bind-mount sources, so the path must come through Compose
+      # interpolation.
+      - ${TOWNHOUSE_HOME}/connector.yaml:/config/connector.yaml:ro
+    environment:
+      CONFIG_FILE: /config/connector.yaml
+    healthcheck:
+      # nosemgrep: trailofbits.generic.wget-unencrypted-url.wget-unencrypted-url -- container-internal probe
+      test: ['CMD', 'wget', '-q', '--spider', 'http://localhost:9401/health']
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      # No anon bootstrap to wait for (direct mode), so a short start_period is
+      # sufficient — the connector binds its admin API within a few seconds.
+      start_period: 15s
+    restart: unless-stopped
+
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # Townhouse API — containerized host API.
+  #
+  # Owns /var/run/docker.sock (the only service that may). Provides:
+  #   - Fastify REST API for operator dashboard / CLI
+  #   - Calls connector admin API (/admin/peers, etc.)
+  #   - Manages lifecycle for lazy-provisioned peer containers
+  #
+  # Verbatim from the HS template: the ${TOWNHOUSE_HOME}/${TOWNHOUSE_UID}/
+  # ${TOWNHOUSE_DOCKER_GID} passthrough + docker.sock mount are required because
+  # the API re-parses THIS compose file for `node add`.
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  townhouse-api:
+    image: ghcr.io/toon-protocol/townhouse-api${TOON_TOWNHOUSE_API_DIGEST}
+    container_name: townhouse-direct-api
+    # Run as the operator's host UID so bind-mounted ~/.townhouse files
+    # (rw------- 600) are readable. TOWNHOUSE_UID is injected by the CLI.
+    # Defaults to 1000 (the standard first-user UID on Linux).
+    user: '${TOWNHOUSE_UID:-1000}'
+    # Add the host's docker socket group as a supplementary group so the
+    # non-root container user can read/write /var/run/docker.sock (typically
+    # owned root:docker mode 660 on Linux). TOWNHOUSE_DOCKER_GID is injected
+    # by the CLI via `statSync('/var/run/docker.sock').gid`.
+    group_add:
+      - '${TOWNHOUSE_DOCKER_GID:-0}'
+    networks:
+      - townhouse-direct-net
+    depends_on:
+      connector:
+        condition: service_healthy
+    ports:
+      # Fastify host API — loopback only (NFR9).
+      - '127.0.0.1:28090:28090'
+    volumes:
+      # Docker socket — townhouse-api is the sole orchestration surface.
+      - /var/run/docker.sock:/var/run/docker.sock
+      # Operator home — wallet, config, compose files, snapshots (RW).
+      - ${TOWNHOUSE_HOME}:/.townhouse:rw
+      # Wallet dir mirrored at the host-absolute path so config.yaml's
+      # `wallet.encrypted_path` (an absolute host path set by `townhouse init`)
+      # resolves correctly inside the container.
+      - ${TOWNHOUSE_WALLET_DIR:-~/.townhouse}:${TOWNHOUSE_WALLET_DIR:-~/.townhouse}:ro
+    environment:
+      # Override entrypoint default '/config/config.yaml' so the API reads from
+      # the mounted operator-home dir (where the CLI writes config.yaml).
+      TOWNHOUSE_CONFIG: /.townhouse/config.yaml
+      # Bind on all interfaces inside the container so Docker's port mapping
+      # (127.0.0.1:28090:28090) can reach it from the host. Docker's host-only
+      # binding on the outer port is the actual access control gate.
+      TOWNHOUSE_API_HOST: 0.0.0.0
+      TOWNHOUSE_API_ALLOW_REMOTE: '1'
+      # Wallet decryption password — operator must export TOWNHOUSE_WALLET_PASSWORD
+      # in the shell that runs `docker compose up`. The container-side entrypoint
+      # enforces the requirement at startup; the YAML uses `:-` (lenient default)
+      # so `docker compose down` does not error when the var is unset.
+      TOWNHOUSE_WALLET_PASSWORD: '${TOWNHOUSE_WALLET_PASSWORD:-}'
+      # P1b — operator/agent wallet mode. When set, the entrypoint loads the
+      # operator wallet DIRECTLY from this mnemonic (no encrypted file, no
+      # password). Lenient `:-` default keeps `down` working when unset.
+      TOWNHOUSE_MNEMONIC: '${TOWNHOUSE_MNEMONIC:-}'
+      # Pass the host-side compose-interpolation values through so that when the
+      # townhouse-api shells out to `docker compose -f
+      # /.townhouse/compose/townhouse-direct.yml up -d <type>` for lazy peer
+      # provisioning, the nested compose re-parses the SAME YAML with the same
+      # env vars set (otherwise the volume specs interpolate to empty sources).
+      TOWNHOUSE_HOME: '${TOWNHOUSE_HOME}'
+      TOWNHOUSE_WALLET_DIR: '${TOWNHOUSE_WALLET_DIR}'
+      TOWNHOUSE_UID: '${TOWNHOUSE_UID:-1000}'
+      TOWNHOUSE_DOCKER_GID: '${TOWNHOUSE_DOCKER_GID:-0}'
+      # Operator may set TOWNHOUSE_BTP_BIND to expose the connector BTP port on
+      # a non-loopback interface; pass it through so nested compose `up` of the
+      # apex (if ever re-run by the API) resolves the same bind.
+      TOWNHOUSE_BTP_BIND: '${TOWNHOUSE_BTP_BIND:-127.0.0.1}'
+      # Same passthrough for TOWNHOUSE_RELAY_BIND so the nested compose `up town`
+      # (lazy `node add town`) resolves the same relay-WS host bind. Defaults to
+      # loopback; set 0.0.0.0 to expose the relay read port on all interfaces.
+      TOWNHOUSE_RELAY_BIND: '${TOWNHOUSE_RELAY_BIND:-127.0.0.1}'
+      # MILL_RELAYS is read by POST /api/nodes {type:'mill'} preflight check
+      # inside the townhouse-api process. It must be in the API container's env
+      # (not only the mill container's env) so the check works correctly.
+      MILL_RELAYS: '${MILL_RELAYS:-}'
+      # Chain RPC + token config for the wallet balances/withdraw routes. The
+      # network profile + compose .env supply these under the production names;
+      # the API must read them (it previously read only TOWNHOUSE_DEV_* dev vars,
+      # so EVM balances showed `fetch failed` / `usdc_address_not_configured`
+      # and withdraw was blocked on a real testnet/mainnet apex — #232).
+      EVM_RPC_URL: '${EVM_RPC_URL:-}'
+      EVM_USDC_ADDRESS: '${EVM_USDC_ADDRESS:-}'
+      SOLANA_RPC_URL: '${SOLANA_RPC_URL:-}'
+      SOLANA_USDC_MINT: '${SOLANA_USDC_MINT:-}'
+    healthcheck:
+      # nosemgrep: trailofbits.generic.wget-unencrypted-url.wget-unencrypted-url -- container-internal probe
+      # Use 127.0.0.1 (not localhost) to avoid IPv6 resolution surprises. The
+      # townhouse-api exposes /api/transport (not /api/health).
+      test:
+        [
+          'CMD',
+          'wget',
+          '-q',
+          '--spider',
+          'http://127.0.0.1:28090/api/transport',
+        ]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 15s
+    restart: unless-stopped
+
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # Town — Nostr relay node (profile: town)
+  # Lazy-provisioned via `townhouse node add town`.
+  # Identical wiring to the HS template (child↔apex is Docker-internal).
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  town:
+    image: ghcr.io/toon-protocol/town${TOON_TOWN_DIGEST}
+    container_name: townhouse-direct-town
+    profiles: [town]
+    networks:
+      - townhouse-direct-net
+    depends_on:
+      connector:
+        condition: service_healthy
+    expose: ['3000']
+    ports:
+      # Nostr relay WS — EXPOSED to the host so a host-run client can READ /
+      # SUBSCRIBE directly over plain ws://<host>:7100 (reads are free, no ILP).
+      # The bind interface defaults to 127.0.0.1 (loopback-only); set
+      # TOWNHOUSE_RELAY_BIND=0.0.0.0 to deliberately expose it on all interfaces
+      # (LAN / public). Mirrors the TOWNHOUSE_BTP_BIND knob on the connector.
+      - '${TOWNHOUSE_RELAY_BIND:-127.0.0.1}:7100:7100'
+      - '127.0.0.1:3100:3100'
+    environment:
+      # nosemgrep: detect-insecure-websocket -- Docker-internal
+      CONNECTOR_URL: ws://connector:3000
+      ILP_ADDRESS: g.townhouse.town
+      NODE_ID: town
+      # MUST equal the apex connector's nodeId (g.townhouse). entrypoint-town
+      # maps PARENT_PEER_ID → TOON_PARENT_PEER_ID.
+      PARENT_PEER_ID: g.townhouse
+      # Publish price (ILP base units per event). Default 0; the node-env overlay
+      # (assembleNodeEnv) sets it from config.nodes.town.feePerEvent. The town
+      # enforces it AND advertises it in kind:10032 (feePerByte).
+      FEE_PER_EVENT: ${FEE_PER_EVENT:-0}
+      # NIP-40 TTL (seconds) for the town's kind:10032 announcement (issue #261).
+      # The town re-publishes at half this interval so a live apex stays fresh
+      # while an offline one's announcement expires — clients then skip its
+      # unreachable BTP endpoint instead of failing against it. Default 1h; set
+      # 0 to disable the expiration tag + heartbeat (non-expiring announcement).
+      TOON_ANNOUNCEMENT_TTL_SECONDS: ${TOON_ANNOUNCEMENT_TTL_SECONDS:-3600}
+      # Apex public BTP URL advertised in kind:10032 (entrypoint-town maps it to
+      # TOON_BTP_ENDPOINT). Direct default resolves to ws://127.0.0.1:3000/btp;
+      # operators set transport.externalUrl for a real public address.
+      PUBLIC_BTP_URL: ${PUBLIC_BTP_URL:-}
+      # Public Nostr relay read URL advertised in kind:10032/10166. In direct
+      # mode set transport.relayExternalUrl (e.g. ws://<host>:7100) + expose the
+      # port with TOWNHOUSE_RELAY_BIND=0.0.0.0. entrypoint maps it to
+      # TOON_EXTERNAL_RELAY_URL.
+      PUBLIC_RELAY_URL: ${PUBLIC_RELAY_URL:-}
+      ASSET_CODE: ${ASSET_CODE:-}
+      ASSET_SCALE: ${ASSET_SCALE:-}
+      # Chain selection — driven by the `network` flag (resolveNetworkProfile).
+      # Comes from the node-env overlay + ~/.townhouse/compose/.env (env-writer).
+      TOON_CHAIN: ${EVM_CHAIN:-}
+      TOON_RPC_URL: ${EVM_RPC_URL:-}
+      NODE_NOSTR_PUBKEY: '${TOWN_NOSTR_PUBKEY:-}'
+      NODE_EVM_ADDRESS: ''
+      NODE_NOSTR_SECRET_KEY: '${TOWN_SECRET_KEY:-}'
+      TOON_SETTLEMENT_PRIVATE_KEY: '${TOWN_SETTLEMENT_PRIVATE_KEY:-}'
+      PARENT_EVM_ADDRESS: '${APEX_EVM_ADDRESS:-}'
+      TOON_CONNECTOR_LOG_LEVEL: '${TOON_CONNECTOR_LOG_LEVEL:-warn}'
+    volumes:
+      - townhouse-direct-town-data:/data
+    healthcheck:
+      test: ['CMD', 'wget', '-q', '--spider', 'http://localhost:3100/health']
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 10s
+    restart: unless-stopped
+
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # Mill — multi-chain swap node (profile: mill)
+  # Lazy-provisioned via `townhouse node add mill`.
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  mill:
+    image: ghcr.io/toon-protocol/mill${TOON_MILL_DIGEST}
+    container_name: townhouse-direct-mill
+    profiles: [mill]
+    networks:
+      - townhouse-direct-net
+    depends_on:
+      connector:
+        condition: service_healthy
+    expose: ['3000']
+    ports:
+      - '127.0.0.1:3200:3200'
+    environment:
+      # nosemgrep: detect-insecure-websocket -- Docker-internal
+      CONNECTOR_URL: ws://connector:3000
+      # MUST match the route the apex registers for the mill peer
+      # (`g.townhouse.<type>` — see nodes-lifecycle.ts). entrypoint-mill maps
+      # ILP_ADDRESS → TOON_ILP_ADDRESS → the embedded connector's self-route.
+      # WITHOUT this the mill defaults its self-route to `g.toon.mill.<pubkey>`,
+      # the apex-forwarded swap PREPARE (`g.townhouse.mill`) misses it, falls
+      # through to the up-to-parent route, and the per-packet-claim-service
+      # T00-rejects trying to open an outbound channel back to g.townhouse
+      # (issue #157). town sets the equivalent ILP_ADDRESS=g.townhouse.town.
+      ILP_ADDRESS: g.townhouse.mill
+      NODE_ID: mill
+      # MUST equal the apex connector's nodeId (g.townhouse). entrypoint-mill
+      # reads TOON_PARENT_PEER_ID directly.
+      TOON_PARENT_PEER_ID: g.townhouse
+      FEE_BASIS_POINTS: '0'
+      SETTLEMENT_RPC_URL: ${EVM_RPC_URL:-}
+      SETTLEMENT_CHAIN_ID: ${EVM_CHAIN_ID:-}
+      SETTLEMENT_TOKEN_ADDRESS: ${EVM_USDC_ADDRESS:-}
+      SOLANA_RPC_URL: ${SOLANA_RPC_URL:-}
+      SOLANA_USDC_MINT: ${SOLANA_USDC_MINT:-}
+      NODE_NOSTR_PUBKEY: '${MILL_NOSTR_PUBKEY:-}'
+      NODE_EVM_ADDRESS: ''
+      MILL_MNEMONIC: '${MILL_MNEMONIC:-}'
+      NODE_NOSTR_SECRET_KEY: '${MILL_SECRET_KEY:-}'
+      MILL_CONFIG_PATH: /config/mill.config.json
+      MILL_RELAYS: ${MILL_RELAYS:-}
+      SETTLEMENT_PRIVATE_KEY: '${MILL_SETTLEMENT_PRIVATE_KEY:-}'
+      PARENT_EVM_ADDRESS: '${APEX_EVM_ADDRESS:-}'
+      TOON_CONNECTOR_LOG_LEVEL: '${TOON_CONNECTOR_LOG_LEVEL:-warn}'
+    volumes:
+      # Operator-managed mill config (provisioned on `townhouse node add mill`).
+      - ${TOWNHOUSE_HOME}/mill.config.json:/config/mill.config.json:ro
+      - townhouse-direct-mill-data:/data
+    healthcheck:
+      test: ['CMD', 'wget', '-q', '--spider', 'http://localhost:3200/health']
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 15s
+    restart: unless-stopped
+
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # DVM — Arweave upload DVM (profile: dvm)
+  # Lazy-provisioned via `townhouse node add dvm`.
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  dvm:
+    image: ghcr.io/toon-protocol/dvm${TOON_DVM_DIGEST}
+    container_name: townhouse-direct-dvm
+    profiles: [dvm]
+    networks:
+      - townhouse-direct-net
+    depends_on:
+      connector:
+        condition: service_healthy
+    expose: ['3300']
+    ports:
+      - '127.0.0.1:3400:3400'
+    environment:
+      # nosemgrep: detect-insecure-websocket -- Docker-internal
+      CONNECTOR_URL: ws://connector:3000
+      FEE_PER_JOB: '0'
+      DVM_KIND: '5094'
+      NODE_NOSTR_PUBKEY: '${DVM_NOSTR_PUBKEY:-}'
+      NODE_EVM_ADDRESS: ''
+      NODE_NOSTR_SECRET_KEY: '${DVM_SECRET_KEY:-}'
+      TURBO_TOKEN: ${TURBO_TOKEN:-}
+    volumes:
+      - townhouse-direct-dvm-data:/data
+    healthcheck:
+      test: ['CMD', 'wget', '-q', '--spider', 'http://localhost:3400/health']
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 10s
+    restart: unless-stopped