@toon-protocol/hub 0.34.3

package/dist/compose/townhouse-hs.yml

@@ -0,0 +1,468 @@
+# Townhouse — Hidden Service mode (HS) operator compose template
+#
+# THIS IS A BUILD-TIME TEMPLATE. Do not use it directly.
+# The digest placeholders (${TOON_*_DIGEST}) are substituted by
+# scripts/render-compose-template.mjs during `pnpm build` (when
+# dist/image-manifest.json is present) to produce the fully-resolved
+# dist/compose/townhouse-hs.yml that ships inside the npm tarball.
+#
+# Resolved copy location at runtime: ~/.townhouse/compose/townhouse-hs.yml
+#   - Written by materializeComposeTemplate('hs') in packages/townhouse/src/compose-loader.ts
+#   - File mode: 0o600 (operator-secret — may embed private keys at deploy time)
+#
+# Story ownership:
+#   - Placeholder substitution: Story 45.2 (this file)
+#   - Boot sequence (townhouse hs up): Story 45.4
+#
+# Architecture (HS-mode v1, Epic 45):
+#   - Apex connector: standalone, anon HS publishing in-process (connector v3.5.x)
+#   - townhouse-api: containerized host API — owns /var/run/docker.sock, calls
+#     connector admin API, manages lifecycle for lazy-provisioned peers
+#   - town/mill/dvm: lazy-provisioned via Docker Compose profiles (Epic 46)
+#     Story 45.4 boots only connector + townhouse-api at apex install
+#
+# Digest placeholders (substituted at build time from dist/image-manifest.json):
+#   ${TOON_TOWNHOUSE_API_DIGEST} → @sha256:<hex>
+#   ${TOON_TOWN_DIGEST}         → @sha256:<hex>
+#   ${TOON_MILL_DIGEST}         → @sha256:<hex>
+#   ${TOON_DVM_DIGEST}          → @sha256:<hex>
+#   ${TOON_CONNECTOR_DIGEST}    → @sha256:<hex>
+#
+# Scope guard (Story 45.2 does NOT include):
+#   - ator-sidecar / ator-sidecar-relay (connector v3.5.x does HS publishing in-process)
+#   - anvil / solana / faucet (dev-stack concerns, not operator-facing)
+#   - build: directives (all images are digest-pinned GHCR pulls)
+#
+# Port allocation (HS-mode binds canonical ports — single-tenant operator box):
+#   127.0.0.1:9401   connector admin
+#   127.0.0.1:28090  townhouse-api Fastify
+#   127.0.0.1:7100,3100  town (relay WS, BLS health) — profile gated
+#   127.0.0.1:3200   mill BLS health — profile gated
+#   127.0.0.1:3400   dvm BLS health — profile gated
+#
+#   These collide with the contributor dev stack's 28xxx-namespaced bindings
+#   (28080:9401, 28100:3100, 28110:3100, 28200:3200, 28210:3200, 28400:3400,
+#   28700:7100, 28710:7100). HS-mode and the contributor dev stack
+#   (scripts/townhouse-dev-infra.sh) MUST NOT run concurrently on the same
+#   machine. If you need to run multiple townhouse instances on a multi-tenant
+#   box, open an enhancement issue — the canonical ports here are intentional
+#   for the apex operator path (Story 45.4 `townhouse hs up`).
+
+networks:
+  townhouse-hs-net:
+    name: townhouse-hs-net
+    driver: bridge
+
+volumes:
+  # Named volume for the connector's .anyone keypair + HS state.
+  # Survives `docker compose down`; delete to rotate the .anyone address.
+  #
+  # The explicit `name:` fields bypass Compose's project-prefix mechanism.
+  # Without them, Compose derives the project name from the compose file's
+  # parent directory (e.g. `compose` when the file lives at
+  # ~/.townhouse/compose/townhouse-hs.yml or <tmpDir>/compose/townhouse-hs.yml),
+  # producing on-disk volumes named `compose_townhouse-hs-anon` etc. — which
+  # would break the test 5 `volumeExists('townhouse-hs-anon')` assertion AND
+  # operator-facing rotate-keys docs that reference the bare name. Discovered
+  # by Story 46.4 live gate run (Finding H, 2026-05-11).
+  townhouse-hs-anon:
+    name: townhouse-hs-anon
+  townhouse-hs-town-data:
+    name: townhouse-hs-town-data
+  townhouse-hs-mill-data:
+    name: townhouse-hs-mill-data
+  townhouse-hs-dvm-data:
+    name: townhouse-hs-dvm-data
+
+services:
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # Apex connector — terminates inbound BTP, publishes .anyone HS
+  #
+  # The connector image embeds @anyone-protocol/anyone-client v1.1.x+
+  # which handles HS publishing in-process (no sidecar required for v3.5.x+).
+  # Config file written by `townhouse hs up` (Story 45.4) on first-run.
+  #
+  # NFR7: connector MUST NOT mount /var/run/docker.sock.
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # One-shot init: ensure the .anyone key volume is owned by uid 1000 (node)
+  # before the connector starts. Docker creates named volumes as root on first
+  # boot; the connector (running as node) cannot write the HS keypair/hostname
+  # without this chown step.
+  connector-init:
+    image: busybox:1.37@sha256:9532d8c39891ca2ecde4d30d7710e01fb739c87a8b9299685c63704296b16028
+    user: root
+    # anon (Tor-based) requires the HS dir to be mode 0700 — too-permissive
+    # directories cause an immediate abort. Docker creates volumes as root 755.
+    command:
+      [
+        'sh',
+        '-c',
+        'mkdir -p /data && chown -R 1000:1000 /data && chmod 700 /data',
+      ]
+    volumes:
+      - townhouse-hs-anon:/data
+    restart: 'no'
+    networks:
+      - townhouse-hs-net
+
+  connector:
+    image: ghcr.io/toon-protocol/connector${TOON_CONNECTOR_DIGEST}
+    # v3.5.1 has the multi-arch manifest but the default resolves to arm64 on
+    # some Docker versions. Pin to amd64 explicitly until the manifest is fixed.
+    platform: linux/amd64
+    container_name: townhouse-hs-connector
+    hostname: connector
+    depends_on:
+      connector-init:
+        condition: service_completed_successfully
+    networks:
+      - townhouse-hs-net
+    ports:
+      # Admin API on host loopback only (NFR9). Operator uses for status.
+      - '127.0.0.1:9401:9401'
+    volumes:
+      # Rendered connector config (Story 45.4 writes this on first-run).
+      # TOWNHOUSE_HOME is exported by `townhouse hs up` as the operator's
+      # config dir (default ~/.townhouse; --config-dir overrides). Docker does
+      # NOT expand `~` in bind-mount sources, so the path must come through
+      # Compose interpolation.
+      - ${TOWNHOUSE_HOME}/connector.yaml:/config/connector.yaml:ro
+      # .anyone keypair + HS state (persists across down/up cycles).
+      - townhouse-hs-anon:/var/lib/anon/hs
+    environment:
+      CONFIG_FILE: /config/connector.yaml
+    healthcheck:
+      # nosemgrep: trailofbits.generic.wget-unencrypted-url.wget-unencrypted-url -- container-internal probe
+      test: ['CMD', 'wget', '-q', '--spider', 'http://localhost:9401/health']
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      # The managed anon daemon needs ~60-120s to bootstrap circuits and publish
+      # the HS hostname before the connector starts its admin API. Keep
+      # start_period generous so health-check failures during bootstrap don't
+      # prematurely mark the container unhealthy.
+      start_period: 150s
+    restart: unless-stopped
+
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # Townhouse API — containerized host API (NEW in HS-mode v1)
+  #
+  # Owns /var/run/docker.sock (the only service that may). Provides:
+  #   - Fastify REST API for operator dashboard / CLI
+  #   - Calls connector admin API (/admin/hs-hostname, /admin/peers, etc.)
+  #   - Manages lifecycle for lazy-provisioned peer containers (Epic 46)
+  #
+  # Planning doc §4 anchor: "host-side townhouse-api owns dockerode and
+  # runs on the townhouse-hs-net so it can reach connector via Docker DNS".
+  # Port D21-008: Fastify host API on 127.0.0.1:28090.
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  townhouse-api:
+    image: ghcr.io/toon-protocol/townhouse-api${TOON_TOWNHOUSE_API_DIGEST}
+    container_name: townhouse-hs-api
+    # Run as the operator's host UID so bind-mounted ~/.townhouse files
+    # (rw------- 600) are readable. TOWNHOUSE_UID is injected by `townhouse hs up`.
+    # Defaults to 1000 (the standard first-user UID on Linux).
+    user: '${TOWNHOUSE_UID:-1000}'
+    # Add the host's docker socket group as a supplementary group so the
+    # non-root container user can read/write /var/run/docker.sock (typically
+    # owned root:docker mode 660 on Linux). Without this, every dockerode call
+    # — including the `pull-image` step of POST /api/nodes — fails with
+    # `connect EACCES /var/run/docker.sock`. TOWNHOUSE_DOCKER_GID is injected
+    # by `townhouse hs up` via `statSync('/var/run/docker.sock').gid`.
+    group_add:
+      - '${TOWNHOUSE_DOCKER_GID:-0}'
+    networks:
+      - townhouse-hs-net
+    depends_on:
+      connector:
+        condition: service_healthy
+    ports:
+      # Fastify host API — loopback only (NFR9).
+      - '127.0.0.1:28090:28090'
+    volumes:
+      # Docker socket — townhouse-api is the sole orchestration surface.
+      - /var/run/docker.sock:/var/run/docker.sock
+      # Operator home — wallet, config, compose files, snapshots (RW).
+      # TOWNHOUSE_HOME is exported by `townhouse hs up` (see connector volume
+      # above). The container-side path stays `/.townhouse` so config.yaml
+      # `TOWNHOUSE_CONFIG: /.townhouse/config.yaml` resolves identically
+      # regardless of the operator's host-side config dir.
+      - ${TOWNHOUSE_HOME}:/.townhouse:rw
+      # Wallet dir mirrored at the host-absolute path so config.yaml's
+      # `wallet.encrypted_path` (an absolute host path set by `townhouse init`)
+      # resolves correctly inside the container. TOWNHOUSE_WALLET_DIR is
+      # injected by `townhouse hs up` as path.dirname(config.wallet.encrypted_path).
+      - ${TOWNHOUSE_WALLET_DIR:-~/.townhouse}:${TOWNHOUSE_WALLET_DIR:-~/.townhouse}:ro
+    environment:
+      # Override entrypoint default '/config/config.yaml' so the API reads from
+      # the mounted operator-home dir (where Story 45.4 writes config.yaml).
+      TOWNHOUSE_CONFIG: /.townhouse/config.yaml
+      # Bind on all interfaces inside the container so Docker's port mapping
+      # (127.0.0.1:28090:28090) can reach it from the host. ALLOW_REMOTE=1
+      # is required when HOST is non-loopback; Docker's host-only binding on
+      # the outer port (127.0.0.1) is the actual access control gate.
+      TOWNHOUSE_API_HOST: 0.0.0.0
+      TOWNHOUSE_API_ALLOW_REMOTE: '1'
+      # Wallet decryption password — operator must export TOWNHOUSE_WALLET_PASSWORD
+      # in the shell that runs `docker compose up`. The container-side
+      # entrypoint (entrypoint-townhouse-api.ts) enforces the password
+      # requirement at startup and exits 1 if it is missing — so the YAML
+      # uses `:-` (lenient default) here instead of `:?` (Compose-time
+      # mandatory error). The `:?` variant would also force `docker compose
+      # down` to error out unless the operator pre-exports the password,
+      # which broke the teardown flow. Discovered by Story 46.4 live gate
+      # run (Finding J, 2026-05-11).
+      TOWNHOUSE_WALLET_PASSWORD: '${TOWNHOUSE_WALLET_PASSWORD:-}'
+      # P1b — operator/agent wallet mode. When set, the entrypoint loads the
+      # operator wallet DIRECTLY from this mnemonic (no encrypted file, no
+      # password). Lenient `:-` default keeps `down` working when unset.
+      TOWNHOUSE_MNEMONIC: '${TOWNHOUSE_MNEMONIC:-}'
+      # Pass the host-side compose-interpolation values through to the
+      # townhouse-api container, because the API itself shells out to
+      # `docker compose -f /.townhouse/compose/townhouse-hs.yml up -d <type>`
+      # for each lazy peer-node provisioning request (Story 46.2). That
+      # nested compose re-parses the SAME YAML and needs the same env vars
+      # set — otherwise the townhouse-api volume specs interpolate to
+      # `:/.townhouse:rw` (empty source) and the inner `up` aborts with
+      # `invalid spec: :/.townhouse:rw: empty section between colons`.
+      # All four values are HOST paths/IDs (because Docker bind-mount
+      # sources are resolved by the daemon, which sees host paths).
+      # Discovered by Story 46.4 live gate run (Finding L, 2026-05-12).
+      TOWNHOUSE_HOME: '${TOWNHOUSE_HOME}'
+      TOWNHOUSE_WALLET_DIR: '${TOWNHOUSE_WALLET_DIR}'
+      TOWNHOUSE_UID: '${TOWNHOUSE_UID:-1000}'
+      TOWNHOUSE_DOCKER_GID: '${TOWNHOUSE_DOCKER_GID:-0}'
+      # MILL_RELAYS is read by POST /api/nodes {type:'mill'} preflight check
+      # inside the townhouse-api process. It must be in the API container's env
+      # (not only the mill container's env) so the check works correctly.
+      MILL_RELAYS: '${MILL_RELAYS:-}'
+      # Chain RPC + token config for the wallet balances/withdraw routes. The
+      # network profile + compose .env supply these under the production names;
+      # the API must read them (it previously read only TOWNHOUSE_DEV_* dev vars,
+      # so EVM balances showed `fetch failed` / `usdc_address_not_configured`
+      # and withdraw was blocked on a real testnet/mainnet apex — #232).
+      EVM_RPC_URL: '${EVM_RPC_URL:-}'
+      EVM_USDC_ADDRESS: '${EVM_USDC_ADDRESS:-}'
+      SOLANA_RPC_URL: '${SOLANA_RPC_URL:-}'
+      SOLANA_USDC_MINT: '${SOLANA_USDC_MINT:-}'
+    healthcheck:
+      # nosemgrep: trailofbits.generic.wget-unencrypted-url.wget-unencrypted-url -- container-internal probe
+      # Use 127.0.0.1 (not localhost) to avoid IPv6 resolution surprises. The
+      # townhouse-api exposes /api/transport (not /api/health).
+      test:
+        [
+          'CMD',
+          'wget',
+          '-q',
+          '--spider',
+          'http://127.0.0.1:28090/api/transport',
+        ]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 15s
+    restart: unless-stopped
+
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # Town — Nostr relay node (profile: town)
+  # Lazy-provisioned via Epic 46: `townhouse node add town`
+  #
+  # SECURITY TODO (Epic 46): the per-node secrets below use `${VAR:-}` empty
+  # defaults, which silently start the container with a zero/empty key when
+  # the operator forgets to export the env var. Story 45.2 review (R2-MINOR)
+  # recommends switching to `${VAR:?msg}` (fail-fast) once Epic 46 boots
+  # these profiles — keeping the empty default for now lets `docker compose
+  # config` validation pass without injecting per-node secrets, matching
+  # Story 45.4's apex-only boot semantic (only connector + townhouse-api
+  # start at first run).
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  town:
+    image: ghcr.io/toon-protocol/town${TOON_TOWN_DIGEST}
+    container_name: townhouse-hs-town
+    profiles: [town]
+    networks:
+      - townhouse-hs-net
+    depends_on:
+      connector:
+        condition: service_healthy
+    expose: ['3000']
+    ports:
+      - '127.0.0.1:7100:7100'
+      - '127.0.0.1:3100:3100'
+    environment:
+      # nosemgrep: detect-insecure-websocket -- Docker-internal
+      CONNECTOR_URL: ws://connector:3000
+      ILP_ADDRESS: g.townhouse.town
+      NODE_ID: town
+      # MUST equal the apex connector's nodeId (g.townhouse). The child connector
+      # keys peerRelations by the auth-declared peerId of the inbound session, so
+      # a mismatched value (e.g. the old literal 'apex') means the child never
+      # applies the 'parent' relation → it F06-rejects every paid PREPARE the
+      # apex forwards ("No payment channel claim attached"). entrypoint-town maps
+      # PARENT_PEER_ID → TOON_PARENT_PEER_ID.
+      PARENT_PEER_ID: g.townhouse
+      # Publish price (ILP base units per event). Default 0; the node-env overlay
+      # (assembleNodeEnv) sets it from config.nodes.town.feePerEvent. The town
+      # enforces it AND advertises it in kind:10032 (feePerByte).
+      FEE_PER_EVENT: ${FEE_PER_EVENT:-0}
+      # NIP-40 TTL (seconds) for the town's kind:10032 announcement (issue #261).
+      # The town re-publishes at half this interval so a live apex stays fresh
+      # while an offline one's announcement expires — clients then skip its
+      # unreachable BTP endpoint instead of failing against it. Especially
+      # relevant for an HS apex (relay can outlive the BTP hidden service).
+      # Default 1h; set 0 to disable the expiration tag + heartbeat.
+      TOON_ANNOUNCEMENT_TTL_SECONDS: ${TOON_ANNOUNCEMENT_TTL_SECONDS:-3600}
+      # Apex public BTP URL the town advertises in kind:10032 so clients learn
+      # where to route packets for g.townhouse.town (.anyone URL or direct).
+      # Set by the node-env overlay / boot rebinder; entrypoint-town maps it to
+      # TOON_BTP_ENDPOINT.
+      PUBLIC_BTP_URL: ${PUBLIC_BTP_URL:-}
+      # Public Nostr relay read URL advertised in kind:10032/10166 (HS .anyone
+      # relay URL, derived by `hs up` from the relay hidden service). entrypoint
+      # maps it to TOON_EXTERNAL_RELAY_URL.
+      PUBLIC_RELAY_URL: ${PUBLIC_RELAY_URL:-}
+      # Settlement asset advertised in kind:10032 (operator-configurable token).
+      ASSET_CODE: ${ASSET_CODE:-}
+      ASSET_SCALE: ${ASSET_SCALE:-}
+      # Chain selection — driven by the `network` flag (resolveNetworkProfile).
+      # EVM_CHAIN is the primary EVM preset name (e.g. base-mainnet) → town
+      # TOON_CHAIN; EVM_RPC_URL is the matching RPC. Both come from the node-env
+      # overlay (nodes-lifecycle buildNetworkNodeEnv) and ~/.townhouse/compose/.env
+      # (env-writer). 'none' makes the town node run relay-only (no settlement).
+      TOON_CHAIN: ${EVM_CHAIN:-}
+      TOON_RPC_URL: ${EVM_RPC_URL:-}
+      # x-only pubkey derived from the node secret at provisioning time and
+      # injected by the API (nodes-lifecycle buildNodeEnv → TOWN_NOSTR_PUBKEY).
+      # Informational — lets operators / SDK clients read it via `docker inspect`
+      # or `node list --json` without re-deriving from the secret (issue #81).
+      NODE_NOSTR_PUBKEY: '${TOWN_NOSTR_PUBKEY:-}'
+      NODE_EVM_ADDRESS: ''
+      # Derived from HD wallet at runtime (Story 45.4 / Epic 46).
+      NODE_NOSTR_SECRET_KEY: '${TOWN_SECRET_KEY:-}'
+      # Town reads TOON_SETTLEMENT_PRIVATE_KEY (packages/town/src/cli.ts:305),
+      # 0x-prefixed 32-byte hex. The API passes the already-0x-prefixed value
+      # via TOWN_SETTLEMENT_PRIVATE_KEY. Previously this was wired to the wrong
+      # env var name (`SETTLEMENT_PRIVATE_KEY`), so town crash-looped at boot
+      # with `TOON_SETTLEMENT_PRIVATE_KEY must be a 0x-prefixed 32-byte hex
+      # string` and never reached its /health endpoint — failing the gate
+      # at step 5 (healthcheck). Story 46.4 live gate run (Finding N+O,
+      # 2026-05-12).
+      TOON_SETTLEMENT_PRIVATE_KEY: '${TOWN_SETTLEMENT_PRIVATE_KEY:-}'
+      PARENT_EVM_ADDRESS: '${APEX_EVM_ADDRESS:-}'
+      TOON_CONNECTOR_LOG_LEVEL: '${TOON_CONNECTOR_LOG_LEVEL:-warn}'
+    volumes:
+      - townhouse-hs-town-data:/data
+    healthcheck:
+      test: ['CMD', 'wget', '-q', '--spider', 'http://localhost:3100/health']
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 10s
+    restart: unless-stopped
+
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # Mill — multi-chain swap node (profile: mill)
+  # Lazy-provisioned via Epic 46: `townhouse node add mill`
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  mill:
+    image: ghcr.io/toon-protocol/mill${TOON_MILL_DIGEST}
+    container_name: townhouse-hs-mill
+    profiles: [mill]
+    networks:
+      - townhouse-hs-net
+    depends_on:
+      connector:
+        condition: service_healthy
+    expose: ['3000']
+    ports:
+      - '127.0.0.1:3200:3200'
+    environment:
+      # nosemgrep: detect-insecure-websocket -- Docker-internal
+      CONNECTOR_URL: ws://connector:3000
+      # MUST match the route the apex registers for the mill peer
+      # (`g.townhouse.<type>` — see nodes-lifecycle.ts). entrypoint-mill maps
+      # ILP_ADDRESS → TOON_ILP_ADDRESS → the embedded connector's self-route.
+      # WITHOUT this the mill defaults its self-route to `g.toon.mill.<pubkey>`,
+      # the apex-forwarded swap PREPARE (`g.townhouse.mill`) misses it, falls
+      # through to the up-to-parent route, and the per-packet-claim-service
+      # T00-rejects trying to open an outbound channel back to g.townhouse
+      # (issue #157). town sets the equivalent ILP_ADDRESS=g.townhouse.town.
+      ILP_ADDRESS: g.townhouse.mill
+      NODE_ID: mill
+      # MUST equal the apex connector's nodeId (g.townhouse) so the mill's
+      # embedded connector applies the 'parent' relation to the apex session and
+      # treats forwarded swap PREPAREs as free parent traffic. entrypoint-mill
+      # reads TOON_PARENT_PEER_ID directly (it does NOT map PARENT_PEER_ID like
+      # town does); without it the mill defaults to 'apex' and rejects swaps with
+      # T00 "Per-packet claim service not configured".
+      TOON_PARENT_PEER_ID: g.townhouse
+      FEE_BASIS_POINTS: '0'
+      SETTLEMENT_RPC_URL: ${EVM_RPC_URL:-}
+      SETTLEMENT_CHAIN_ID: ${EVM_CHAIN_ID:-}
+      SETTLEMENT_TOKEN_ADDRESS: ${EVM_USDC_ADDRESS:-}
+      SOLANA_RPC_URL: ${SOLANA_RPC_URL:-}
+      SOLANA_USDC_MINT: ${SOLANA_USDC_MINT:-}
+      # x-only pubkey injected by the API (buildNodeEnv → MILL_NOSTR_PUBKEY).
+      # SDK clients need the mill pubkey for streamSwap seal verification —
+      # surfacing it here avoids re-deriving from the secret (issue #81).
+      NODE_NOSTR_PUBKEY: '${MILL_NOSTR_PUBKEY:-}'
+      NODE_EVM_ADDRESS: ''
+      # Derived from HD wallet at runtime (Story 45.4 / Epic 46).
+      MILL_MNEMONIC: '${MILL_MNEMONIC:-}'
+      NODE_NOSTR_SECRET_KEY: '${MILL_SECRET_KEY:-}'
+      MILL_CONFIG_PATH: /config/mill.config.json
+      MILL_RELAYS: ${MILL_RELAYS:-}
+      SETTLEMENT_PRIVATE_KEY: '${MILL_SETTLEMENT_PRIVATE_KEY:-}'
+      PARENT_EVM_ADDRESS: '${APEX_EVM_ADDRESS:-}'
+      TOON_CONNECTOR_LOG_LEVEL: '${TOON_CONNECTOR_LOG_LEVEL:-warn}'
+    volumes:
+      # Operator-managed mill config (Epic 46 provisions this on `townhouse node add mill`).
+      # TOWNHOUSE_HOME is exported by `townhouse hs up` (see connector volume above).
+      - ${TOWNHOUSE_HOME}/mill.config.json:/config/mill.config.json:ro
+      - townhouse-hs-mill-data:/data
+    healthcheck:
+      test: ['CMD', 'wget', '-q', '--spider', 'http://localhost:3200/health']
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 15s
+    restart: unless-stopped
+
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # DVM — Arweave upload DVM (profile: dvm)
+  # Lazy-provisioned via Epic 46: `townhouse node add dvm`
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  dvm:
+    image: ghcr.io/toon-protocol/dvm${TOON_DVM_DIGEST}
+    container_name: townhouse-hs-dvm
+    profiles: [dvm]
+    networks:
+      - townhouse-hs-net
+    depends_on:
+      connector:
+        condition: service_healthy
+    expose: ['3300']
+    ports:
+      - '127.0.0.1:3400:3400'
+    environment:
+      # nosemgrep: detect-insecure-websocket -- Docker-internal
+      CONNECTOR_URL: ws://connector:3000
+      FEE_PER_JOB: '0'
+      DVM_KIND: '5094'
+      # x-only pubkey injected by the API (buildNodeEnv → DVM_NOSTR_PUBKEY).
+      # Informational — readable via `docker inspect` / `node list --json`
+      # without re-deriving from the secret (issue #81).
+      NODE_NOSTR_PUBKEY: '${DVM_NOSTR_PUBKEY:-}'
+      NODE_EVM_ADDRESS: ''
+      # Derived from HD wallet at runtime (Story 45.4 / Epic 46).
+      NODE_NOSTR_SECRET_KEY: '${DVM_SECRET_KEY:-}'
+      TURBO_TOKEN: ${TURBO_TOKEN:-}
+    volumes:
+      - townhouse-hs-dvm-data:/data
+    healthcheck:
+      test: ['CMD', 'wget', '-q', '--spider', 'http://localhost:3400/health']
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 10s
+    restart: unless-stopped

package/dist/demo-UJ37MLCG.js

@@ -0,0 +1,118 @@
+import { createRequire } from 'module'; const require = createRequire(import.meta.url);
+import {
+  DEFAULT_CONNECTOR_IMAGE
+} from "./chunk-MNVIN5XK.js";
+import "./chunk-I2R4CRUX.js";
+
+// src/presets/demo.ts
+import { join } from "path";
+import { homedir } from "os";
+import { readFileSync, existsSync } from "fs";
+import { resolve } from "path";
+var LOCAL_DEVNET_FALLBACK = {
+  anvilUrl: "http://localhost:28545",
+  solanaUrl: "http://localhost:28899"
+};
+var DEMO_DETERMINISTIC_PASSWORD = "townhouse-demo-INSECURE-do-not-use-in-prod";
+function resolveChainEndpoints(leasesPath) {
+  const localEvm = { rpcUrl: LOCAL_DEVNET_FALLBACK.anvilUrl };
+  const localSol = { rpcUrl: LOCAL_DEVNET_FALLBACK.solanaUrl };
+  if (!leasesPath || !existsSync(leasesPath)) {
+    return { source: "local-fallback", evm: localEvm, solana: localSol };
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(readFileSync(leasesPath, "utf-8"));
+  } catch {
+    return { source: "local-fallback", evm: localEvm, solana: localSol };
+  }
+  const evmUrl = typeof parsed.anvil?.url === "string" ? parsed.anvil.url : void 0;
+  const evmWs = typeof parsed.anvil?.ws_url === "string" ? parsed.anvil.ws_url : void 0;
+  const solUrl = typeof parsed.solana?.url === "string" ? parsed.solana.url : void 0;
+  const solWs = typeof parsed.solana?.ws_url === "string" ? parsed.solana.ws_url : void 0;
+  return {
+    source: leasesPath,
+    evm: evmUrl ? { rpcUrl: evmUrl, ...evmWs ? { wsUrl: evmWs } : {} } : localEvm,
+    solana: solUrl ? { rpcUrl: solUrl, ...solWs ? { wsUrl: solWs } : {} } : localSol
+  };
+}
+function defaultLeasesPath() {
+  return resolve(process.cwd(), "deploy", "akash", "leases.json");
+}
+function buildDemoConfig(options) {
+  const leasesPath = options.leasesPath === null ? void 0 : options.leasesPath ?? defaultLeasesPath();
+  const endpoints = resolveChainEndpoints(leasesPath);
+  return {
+    nodes: {
+      town: {
+        enabled: true,
+        feePerEvent: 0
+      },
+      mill: {
+        enabled: true,
+        feeBasisPoints: 0,
+        // Demo pair: EVM (Anvil) <-> Solana. The orchestrator does not
+        // currently consume mill.chains directly — it round-trips through
+        // YAML so the dashboard / future stories can read it.
+        chains: {
+          evm: {
+            rpcUrl: endpoints.evm.rpcUrl,
+            ...endpoints.evm.wsUrl ? { wsUrl: endpoints.evm.wsUrl } : {}
+          },
+          solana: {
+            rpcUrl: endpoints.solana.rpcUrl,
+            ...endpoints.solana.wsUrl ? { wsUrl: endpoints.solana.wsUrl } : {}
+          }
+        },
+        pairs: ["EVM<->SOL"]
+      },
+      dvm: {
+        enabled: true,
+        feePerJob: 0,
+        // Arweave DVM (kind:5094) — frictionless demo pricing. Operators
+        // running for real should raise this; entrypoint-dvm.ts treats the
+        // value as msats per byte uploaded to Arweave.
+        kindPricing: { "5094": 0 }
+      }
+    },
+    wallet: {
+      encrypted_path: options.walletPath
+    },
+    connector: {
+      image: DEFAULT_CONNECTOR_IMAGE,
+      adminPort: 9401
+    },
+    transport: {
+      // 'direct' for the demo because `townhouse up` doesn't bring up a
+      // SOCKS5 sidecar — hs mode would require one at `socks5://127.0.0.1:28050`
+      // (provided by the dev-infra stack but not the operator CLI). Switch
+      // to 'hs' once the sidecar story lands in townhouse `up`.
+      mode: "direct"
+    },
+    api: {
+      port: 9400,
+      host: "127.0.0.1"
+    },
+    logging: {
+      level: "info"
+    },
+    preset: {
+      name: "demo",
+      // Source recorded so operators can see at-a-glance whether their demo
+      // is hitting Akash or local devnets.
+      chainEndpointSource: endpoints.source
+    }
+  };
+}
+function defaultDemoConfigDir() {
+  return join(homedir(), ".townhouse");
+}
+export {
+  DEMO_DETERMINISTIC_PASSWORD,
+  LOCAL_DEVNET_FALLBACK,
+  buildDemoConfig,
+  defaultDemoConfigDir,
+  defaultLeasesPath,
+  resolveChainEndpoints
+};
+//# sourceMappingURL=demo-UJ37MLCG.js.map

package/dist/demo-UJ37MLCG.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/presets/demo.ts"],"sourcesContent":["/**\n * `--preset=demo` configuration (Story D2).\n *\n * Non-interactive preset for the TOON demo: 1 town, 1 mill (EVM<->SOL pair),\n * 1 dvm, ATOR transport ON, all fees zeroed (demo = free). Chain RPC URLs are\n * sourced from `deploy/akash/leases.json` if present, otherwise from local\n * devnet defaults documented in CLAUDE.md (Anvil 28545, Solana 28899).\n *\n * Future presets (test, prod) follow the same shape — see {@link PresetBuilder}.\n *\n * NOTE on schema reach: this preset writes mill chain endpoints into a\n * `chains` field on the mill node config. The orchestrator wiring that\n * forwards these into MILL_CONFIG_JSON is out of scope for D2 — for now the\n * field round-trips through the YAML so future stories (and the dashboard)\n * can read it without re-deriving it from leases.json.\n */\n\nimport { join } from 'node:path';\nimport { homedir } from 'node:os';\nimport { readFileSync, existsSync } from 'node:fs';\nimport { resolve } from 'node:path';\n\nimport type { TownhouseConfig } from '../config/schema.js';\nimport { DEFAULT_CONNECTOR_IMAGE } from '../constants.js';\n\n/**\n * Preset identifier — keep the union closed so we surface unknown presets at\n * the CLI boundary instead of silently falling through to defaults.\n */\nexport type PresetName = 'demo';\n\n/**\n * Local-devnet fallback URLs (CLAUDE.md \"Townhouse Dev Stack\" 28xxx range).\n * Used when `deploy/akash/leases.json` is absent or unreadable.\n */\nexport const LOCAL_DEVNET_FALLBACK = {\n  anvilUrl: 'http://localhost:28545',\n  solanaUrl: 'http://localhost:28899',\n} as const;\n\n/**\n * Deterministic-but-clearly-unsafe password used for the demo wallet when the\n * caller passes `--preset=demo --yes` without `--password`. The string\n * embeds the warning so it shows up in any log scrape; production callers\n * MUST supply their own `--password` (AC-D2-6).\n */\nexport const DEMO_DETERMINISTIC_PASSWORD =\n  'townhouse-demo-INSECURE-do-not-use-in-prod';\n\n/**\n * Shape of `deploy/akash/leases.json` that this preset cares about. The full\n * file emitted by `scripts/akash-deploy.sh` has more fields; we only need\n * RPC + WS URLs here, so the type is intentionally narrow + tolerant.\n */\nexport interface AkashLeases {\n  anvil?: {\n    url?: string;\n    host?: string;\n    port?: number | string;\n    ws_url?: string;\n  };\n  solana?: {\n    url?: string;\n    host?: string;\n    port?: number | string;\n    ws_host?: string;\n    ws_port?: number | string;\n    ws_url?: string;\n  };\n}\n\nexport interface ResolvedChainEndpoints {\n  /** Source of truth for traceability — either an absolute leases.json path or 'local-fallback'. */\n  source: string;\n  evm: { rpcUrl: string; wsUrl?: string };\n  solana: { rpcUrl: string; wsUrl?: string };\n}\n\n/**\n * Read `deploy/akash/leases.json` and extract chain endpoints, falling back\n * to local devnet URLs if the file is missing or any field is unusable.\n *\n * The fallback is per-chain: a leases.json that defines anvil but not solana\n * still gets the local Solana URL (and vice-versa). This keeps half-deployed\n * states usable.\n */\nexport function resolveChainEndpoints(\n  leasesPath?: string\n): ResolvedChainEndpoints {\n  const localEvm = { rpcUrl: LOCAL_DEVNET_FALLBACK.anvilUrl };\n  const localSol = { rpcUrl: LOCAL_DEVNET_FALLBACK.solanaUrl };\n\n  if (!leasesPath || !existsSync(leasesPath)) {\n    return { source: 'local-fallback', evm: localEvm, solana: localSol };\n  }\n\n  let parsed: AkashLeases;\n  try {\n    parsed = JSON.parse(readFileSync(leasesPath, 'utf-8')) as AkashLeases;\n  } catch {\n    // Malformed JSON — better to demo on local devnets than to error out at\n    // wizard-bypass time. Caller never blocks on bad leases data.\n    return { source: 'local-fallback', evm: localEvm, solana: localSol };\n  }\n\n  const evmUrl =\n    typeof parsed.anvil?.url === 'string' ? parsed.anvil.url : undefined;\n  const evmWs =\n    typeof parsed.anvil?.ws_url === 'string' ? parsed.anvil.ws_url : undefined;\n  const solUrl =\n    typeof parsed.solana?.url === 'string' ? parsed.solana.url : undefined;\n  const solWs =\n    typeof parsed.solana?.ws_url === 'string'\n      ? parsed.solana.ws_url\n      : undefined;\n\n  return {\n    source: leasesPath,\n    evm: evmUrl\n      ? { rpcUrl: evmUrl, ...(evmWs ? { wsUrl: evmWs } : {}) }\n      : localEvm,\n    solana: solUrl\n      ? { rpcUrl: solUrl, ...(solWs ? { wsUrl: solWs } : {}) }\n      : localSol,\n  };\n}\n\nexport interface BuildDemoConfigOptions {\n  /** Absolute path to the wallet file (typically `<configDir>/wallet.enc`). */\n  walletPath: string;\n  /**\n   * Absolute path to `deploy/akash/leases.json`. Defaults to\n   * `<repoRoot>/deploy/akash/leases.json` if not provided. Pass `null` to\n   * force local-devnet fallback (used in tests and when the file is known\n   * to not exist on the operator's machine).\n   */\n  leasesPath?: string | null;\n}\n\n/**\n * Default location of the Akash leases file. Resolved relative to CWD —\n * the demo CLI is run from anywhere, but the leases.json that matters lives\n * at `<repo>/deploy/akash/leases.json`.\n */\nexport function defaultLeasesPath(): string {\n  return resolve(process.cwd(), 'deploy', 'akash', 'leases.json');\n}\n\n/**\n * Build the full TownhouseConfig for `--preset=demo`.\n *\n * AC-D2-5 invariants enforced here:\n * - 1 town, 1 mill, 1 dvm (all enabled)\n * - feePerEvent = 0, feeBasisPoints = 0, feePerJob = 0\n * - transport.mode = 'direct'\n * - mill.chains contains exactly one EVM<->SOL pair\n */\nexport function buildDemoConfig(\n  options: BuildDemoConfigOptions\n): TownhouseConfig {\n  const leasesPath =\n    options.leasesPath === null\n      ? undefined\n      : (options.leasesPath ?? defaultLeasesPath());\n\n  const endpoints = resolveChainEndpoints(leasesPath);\n\n  return {\n    nodes: {\n      town: {\n        enabled: true,\n        feePerEvent: 0,\n      },\n      mill: {\n        enabled: true,\n        feeBasisPoints: 0,\n        // Demo pair: EVM (Anvil) <-> Solana. The orchestrator does not\n        // currently consume mill.chains directly — it round-trips through\n        // YAML so the dashboard / future stories can read it.\n        chains: {\n          evm: {\n            rpcUrl: endpoints.evm.rpcUrl,\n            ...(endpoints.evm.wsUrl ? { wsUrl: endpoints.evm.wsUrl } : {}),\n          },\n          solana: {\n            rpcUrl: endpoints.solana.rpcUrl,\n            ...(endpoints.solana.wsUrl\n              ? { wsUrl: endpoints.solana.wsUrl }\n              : {}),\n          },\n        },\n        pairs: ['EVM<->SOL'],\n      },\n      dvm: {\n        enabled: true,\n        feePerJob: 0,\n        // Arweave DVM (kind:5094) — frictionless demo pricing. Operators\n        // running for real should raise this; entrypoint-dvm.ts treats the\n        // value as msats per byte uploaded to Arweave.\n        kindPricing: { '5094': 0 },\n      },\n    },\n    wallet: {\n      encrypted_path: options.walletPath,\n    },\n    connector: {\n      image: DEFAULT_CONNECTOR_IMAGE,\n      adminPort: 9401,\n    },\n    transport: {\n      // 'direct' for the demo because `townhouse up` doesn't bring up a\n      // SOCKS5 sidecar — hs mode would require one at `socks5://127.0.0.1:28050`\n      // (provided by the dev-infra stack but not the operator CLI). Switch\n      // to 'hs' once the sidecar story lands in townhouse `up`.\n      mode: 'direct',\n    },\n    api: {\n      port: 9400,\n      host: '127.0.0.1',\n    },\n    logging: {\n      level: 'info',\n    },\n    preset: {\n      name: 'demo',\n      // Source recorded so operators can see at-a-glance whether their demo\n      // is hitting Akash or local devnets.\n      chainEndpointSource: endpoints.source,\n    },\n  };\n}\n\n/**\n * Default config dir used by the demo preset when `--config-dir` is omitted.\n * Mirrors the value in cli.ts; duplicated here so tests can construct the\n * same path without importing from the CLI surface.\n */\nexport function defaultDemoConfigDir(): string {\n  return join(homedir(), '.townhouse');\n}\n"],"mappings":";;;;;;;AAiBA,SAAS,YAAY;AACrB,SAAS,eAAe;AACxB,SAAS,cAAc,kBAAkB;AACzC,SAAS,eAAe;AAejB,IAAM,wBAAwB;AAAA,EACnC,UAAU;AAAA,EACV,WAAW;AACb;AAQO,IAAM,8BACX;AAuCK,SAAS,sBACd,YACwB;AACxB,QAAM,WAAW,EAAE,QAAQ,sBAAsB,SAAS;AAC1D,QAAM,WAAW,EAAE,QAAQ,sBAAsB,UAAU;AAE3D,MAAI,CAAC,cAAc,CAAC,WAAW,UAAU,GAAG;AAC1C,WAAO,EAAE,QAAQ,kBAAkB,KAAK,UAAU,QAAQ,SAAS;AAAA,EACrE;AAEA,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,aAAa,YAAY,OAAO,CAAC;AAAA,EACvD,QAAQ;AAGN,WAAO,EAAE,QAAQ,kBAAkB,KAAK,UAAU,QAAQ,SAAS;AAAA,EACrE;AAEA,QAAM,SACJ,OAAO,OAAO,OAAO,QAAQ,WAAW,OAAO,MAAM,MAAM;AAC7D,QAAM,QACJ,OAAO,OAAO,OAAO,WAAW,WAAW,OAAO,MAAM,SAAS;AACnE,QAAM,SACJ,OAAO,OAAO,QAAQ,QAAQ,WAAW,OAAO,OAAO,MAAM;AAC/D,QAAM,QACJ,OAAO,OAAO,QAAQ,WAAW,WAC7B,OAAO,OAAO,SACd;AAEN,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,KAAK,SACD,EAAE,QAAQ,QAAQ,GAAI,QAAQ,EAAE,OAAO,MAAM,IAAI,CAAC,EAAG,IACrD;AAAA,IACJ,QAAQ,SACJ,EAAE,QAAQ,QAAQ,GAAI,QAAQ,EAAE,OAAO,MAAM,IAAI,CAAC,EAAG,IACrD;AAAA,EACN;AACF;AAmBO,SAAS,oBAA4B;AAC1C,SAAO,QAAQ,QAAQ,IAAI,GAAG,UAAU,SAAS,aAAa;AAChE;AAWO,SAAS,gBACd,SACiB;AACjB,QAAM,aACJ,QAAQ,eAAe,OACnB,SACC,QAAQ,cAAc,kBAAkB;AAE/C,QAAM,YAAY,sBAAsB,UAAU;AAElD,SAAO;AAAA,IACL,OAAO;AAAA,MACL,MAAM;AAAA,QACJ,SAAS;AAAA,QACT,aAAa;AAAA,MACf;AAAA,MACA,MAAM;AAAA,QACJ,SAAS;AAAA,QACT,gBAAgB;AAAA;AAAA;AAAA;AAAA,QAIhB,QAAQ;AAAA,UACN,KAAK;AAAA,YACH,QAAQ,UAAU,IAAI;AAAA,YACtB,GAAI,UAAU,IAAI,QAAQ,EAAE,OAAO,UAAU,IAAI,MAAM,IAAI,CAAC;AAAA,UAC9D;AAAA,UACA,QAAQ;AAAA,YACN,QAAQ,UAAU,OAAO;AAAA,YACzB,GAAI,UAAU,OAAO,QACjB,EAAE,OAAO,UAAU,OAAO,MAAM,IAChC,CAAC;AAAA,UACP;AAAA,QACF;AAAA,QACA,OAAO,CAAC,WAAW;AAAA,MACrB;AAAA,MACA,KAAK;AAAA,QACH,SAAS;AAAA,QACT,WAAW;AAAA;AAAA;AAAA;AAAA,QAIX,aAAa,EAAE,QAAQ,EAAE;AAAA,MAC3B;AAAA,IACF;AAAA,IACA,QAAQ;AAAA,MACN,gBAAgB,QAAQ;AAAA,IAC1B;AAAA,IACA,WAAW;AAAA,MACT,OAAO;AAAA,MACP,WAAW;AAAA,IACb;AAAA,IACA,WAAW;AAAA;AAAA;AAAA;AAAA;AAAA,MAKT,MAAM;AAAA,IACR;AAAA,IACA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,MAAM;AAAA,IACR;AAAA,IACA,SAAS;AAAA,MACP,OAAO;AAAA,IACT;AAAA,IACA,QAAQ;AAAA,MACN,MAAM;AAAA;AAAA;AAAA,MAGN,qBAAqB,UAAU;AAAA,IACjC;AAAA,EACF;AACF;AAOO,SAAS,uBAA+B;AAC7C,SAAO,KAAK,QAAQ,GAAG,YAAY;AACrC;","names":[]}