Merge pull request #47 from CorruptedAesthetic/update-local-changes-20250710-172406

Update local changes 20250710 172406

Author: CorruptedAesthetic

.envrc

@@ -0,0 +1,101 @@
+# Fennel Production Chainspecs
+
+This directory contains the production chainspecs for the Fennel blockchain network.
+
+## 📋 Files
+
+- `production-chainspec.json` - Human-readable production chain specification
+- `production-raw.json` - SCALE-encoded raw production chainspec for node deployment
+
+## 🏭 Production Configuration
+
+### Chain Details
+- **Chain ID**: `fennel_production`
+- **Chain Type**: `Live` (Production)
+- **Network Name**: Fennel Production Network
+
+### Consensus
+- **Block Production**: AURA (Authority Round)
+- **Finality**: GRANDPA (GHOST-based Recursive Ancestor Deriving Prefix Agreement)
+
+### Authority Configuration
+The production chainspec contains **placeholder validator keys** that must be replaced during deployment:
+
+⚠️ **Important Security Notes:**
+- Placeholder keys are used for chainspec generation
+- Real validator and bootnode keys are managed via HashiCorp Vault
+- Production keys should be generated offline using air-gapped systems
+- See `DOCUMENTATION/UPGRADETOPRODUCTION/ndoesessionkeygenerations/` for secure key generation procedures
+
+## 🌐 Bootnode Architecture
+
+Uses **external-only bootnode architecture** following Parity's best practices:
+- Both internal and external validators connect to the same public bootnode endpoints
+- Bootnode peer IDs are dynamically derived from GitHub secrets during CI
+- DNS-based addressing: `bootnode1.fennel.network` and `bootnode2.fennel.network`
+
+## 🔐 Production Deployment Requirements
+
+### Prerequisites
+1. **HashiCorp Vault Setup**: Secure key management system deployed
+2. **Real Validator Keys**: Generated offline and stored in Vault
+3. **Production Infrastructure**: Azure AKS cluster with proper security policies
+4. **DNS Configuration**: Bootnode domains pointing to production load balancers
+
+### Key Management
+- **Validator Session Keys**: AURA (Sr25519) + GRANDPA (Ed25519) keys per validator
+- **Bootnode Node Keys**: Ed25519 keys for libp2p networking
+- **Storage**: All keys stored in Vault with KV v2 engine
+- **Access Control**: Kubernetes service account-based authentication
+
+## 🚀 Usage
+
+### For Production Deployment
+```bash
+# The production chainspec is automatically referenced by fennel-prod Helm charts
+# Example production values.yaml:
+node:
+  customChainspecUrl: "https://raw.githubusercontent.com/CorruptedAesthetic/fennel-solonet/main/chainspecs/production/production-raw.json"
+  chain: "production"
+```
+
+### For External Validators
+```bash
+# Download and use the production chainspec
+curl -O https://raw.githubusercontent.com/CorruptedAesthetic/fennel-solonet/main/chainspecs/production/production-raw.json
+
+# Start validator with production chainspec
+./fennel-node \
+  --chain production-raw.json \
+  --validator \
+  --name "my-production-validator"
+```
+
+## 🔄 Generation Process
+
+Production chainspecs are automatically generated during CI/CD:
+
+1. **Trigger**: Only generated for release tags (`fennel-node-*`)
+2. **Runtime**: Built deterministically with srtool
+3. **Preset**: Uses `production` genesis preset from runtime
+4. **Bootnodes**: Dynamically injected from GitHub secrets
+5. **Validation**: SHA-256 computed for integrity verification
+
+## 📦 Distribution
+
+- **GitHub Releases**: Attached to release assets
+- **GitHub Pages**: Available via raw URL
+- **CI Artifacts**: Available in GitHub Actions artifacts
+
+## 🔗 Related Documentation
+
+- **Production Setup**: `/DOCUMENTATION/UPGRADETOPRODUCTION/`
+- **Vault Integration**: `/DOCUMENTATION/UPGRADETOPRODUCTION/upgradenotes/creationofvaultkubernetes.md`
+- **Key Generation**: `/DOCUMENTATION/UPGRADETOPRODUCTION/ndoesessionkeygenerations/`
+- **Staging Environment**: `../staging/README.md`
+
+---
+
+**Generated**: Automatically during release builds  
+**Last Updated**: See git commit history  
+**Security Review**: Required before production deployment

.github/workflows/publish.yml

@@ -0,0 +1,56 @@
+#!/bin/bash
+
+# Script to derive public keys from private keys to verify our offline keys are corrupted
+
+echo "=== Deriving public keys from Vault private keys ==="
+
+# Validator 1 keys from Vault
+echo "Validator 1:"
+echo "Aura seed: 0x721aaee6982d5272bc85a3e8e50e47b5f108fc3a0326a3cc9550d682a28e579d"
+echo "Grandpa seed: 0x78608f3e2a3c545960b472de3b9fb82630864d13d7a8e26ab9e897931defe99c"
+
+# Derive Aura public key (sr25519)
+aura1_public=$(./target/release/fennel-node key inspect --scheme sr25519 "0x721aaee6982d5272bc85a3e8e50e47b5f108fc3a0326a3cc9550d682a28e579d" | grep "Public key" | cut -d':' -f2 | tr -d ' ')
+echo "Derived Aura public: $aura1_public"
+
+# Derive Grandpa public key (ed25519)  
+grandpa1_public=$(./target/release/fennel-node key inspect --scheme ed25519 "0x78608f3e2a3c545960b472de3b9fb82630864d13d7a8e26ab9e897931defe99c" | grep "Public key" | cut -d':' -f2 | tr -d ' ')
+echo "Derived Grandpa public: $grandpa1_public"
+
+echo ""
+echo "Validator 2:"
+echo "Aura seed: 0xea9bcfd9d6d7eb3711b38d293490f8f846480a192e247c0619c822e70a523ab0"
+echo "Grandpa seed: 0x101cbaf82b3b4f1dde746b26999b29c4044ce15e57de317efc69f7963827d141"
+
+# Derive Aura public key (sr25519)
+aura2_public=$(./target/release/fennel-node key inspect --scheme sr25519 "0xea9bcfd9d6d7eb3711b38d293490f8f846480a192e247c0619c822e70a523ab0" | grep "Public key" | cut -d':' -f2 | tr -d ' ')
+echo "Derived Aura public: $aura2_public"
+
+# Derive Grandpa public key (ed25519)
+grandpa2_public=$(./target/release/fennel-node key inspect --scheme ed25519 "0x101cbaf82b3b4f1dde746b26999b29c4044ce15e57de317efc69f7963827d141" | grep "Public key" | cut -d':' -f2 | tr -d ' ')
+echo "Derived Grandpa public: $grandpa2_public"
+
+echo ""
+echo "=== Comparison with stored offline keys ==="
+echo "Offline Aura public (both validators): 0x46ebddef8cd9bb167dc30878d7113b7e168e6f0646beffd77d69d39bad76b47a"
+echo "Offline Grandpa public (both validators): 0x345071da55e5dccefaaa440339415ef9f2663338a38f7da0df21be5ab4e055ef"
+
+echo ""
+echo "=== Verification ==="
+if [ "$aura1_public" != "0x46ebddef8cd9bb167dc30878d7113b7e168e6f0646beffd77d69d39bad76b47a" ]; then
+    echo "❌ Validator 1 Aura public key mismatch - offline keys are corrupted!"
+else
+    echo "✅ Validator 1 Aura public key matches"
+fi
+
+if [ "$aura2_public" != "0x46ebddef8cd9bb167dc30878d7113b7e168e6f0646beffd77d69d39bad76b47a" ]; then
+    echo "❌ Validator 2 Aura public key mismatch - offline keys are corrupted!"
+else
+    echo "✅ Validator 2 Aura public key matches"
+fi
+
+if [ "$aura1_public" = "$aura2_public" ]; then
+    echo "❌ Both validators have the same Aura public key - this is a critical error!"
+else
+    echo "✅ Validators have different Aura public keys (correct)"
+fi

Cargo.lock

@@ -0,0 +1,95 @@
+```mermaid
+graph TB
+    %% Input triggers and verification
+    T[Signed Git Tag<br/>fennel-node-X.Y.Z] --> GV{GPG Signature<br/>Verification}
+    GV -->|✅ Valid| CI[CI/CD Pipeline]
+    GV -->|❌ Invalid| FAIL[Build Fails]
+    
+    %% Version extraction and propagation
+    CI --> VE[Version Extraction<br/>X.Y.Z from tag]
+    VE --> RT[Runtime Build<br/>srtool]
+    VE --> CS[Chainspec Generation]
+    VE --> DI[Docker Image Build]
+    VE --> HC[Helm Chart Update]
+    
+    %% Runtime and chainspec processing
+    RT --> WH[Wasm Hash<br/>sha256]
+    CS --> CSH[Chainspec SHA-256<br/>dev_sha + staging_sha]
+    
+    %% Docker image processing
+    DI --> IT[Image Tag<br/>fennel-node-X.Y.Z]
+    DI --> ID[Image Digest<br/>sha256:abc123...]
+    
+    %% Helm chart version unity
+    HC --> CV[Chart Version<br/>X.Y.Z]
+    HC --> CAV[Chart AppVersion<br/>X.Y.Z]
+    
+    %% Cryptographic linking in Helm values
+    IT --> HV[Helm Values Update]
+    ID --> HV
+    CSH --> HV
+    VE --> HV
+    
+    HV --> BV[Base values.yaml<br/>image.tag: X.Y.Z<br/>image.digest: sha256:...]
+    HV --> SV[Staging values.yaml<br/>image.tag: X.Y.Z<br/>image.digest: sha256:...<br/>customChainspecSha256: abc123<br/>releaseTag: fennel-node-X.Y.Z]
+    
+    %% Template rendering with digest-aware image helper
+    BV --> TH[{{fennel-node.image}} Helper]
+    SV --> TH
+    TH --> IR[Image Reference<br/>repo@sha256:digest OR repo:tag]
+    
+    %% Release artifact creation
+    IT --> RA[Release Artifacts]
+    ID --> RA
+    WH --> RA
+    CSH --> RA
+    CV --> RA
+    
+    RA --> GR[GitHub Release<br/>• fennel-node-X.Y.Z.tgz<br/>• development.json + raw<br/>• staging-chainspec.json + raw<br/>• image-info.txt]
+    RA --> HR[Helm Repository<br/>Chart Releaser]
+    
+    %% Deployment verification
+    GR --> DV[Deployment Verification]
+    HR --> DV
+    DV --> VER[Runtime Verification<br/>• Image digest match<br/>• Chainspec SHA-256 match<br/>• Release tag consistency]
+    
+    %% Security guarantees
+    VER --> SG[Security Guarantees<br/>✅ Cryptographic version unity<br/>✅ Immutable artifact references<br/>✅ Tamper detection<br/>✅ Reproducible deployments]
+    
+    %% Styling
+    classDef input fill:#e1f5fe,stroke:#01579b,stroke-width:2px
+    classDef process fill:#f3e5f5,stroke:#4a148c,stroke-width:2px
+    classDef hash fill:#fff3e0,stroke:#e65100,stroke-width:2px
+    classDef artifact fill:#e8f5e8,stroke:#1b5e20,stroke-width:2px
+    classDef security fill:#ffebee,stroke:#b71c1c,stroke-width:2px
+    classDef fail fill:#ffcdd2,stroke:#d32f2f,stroke-width:3px
+    
+    class T,GV input
+    class CI,VE,RT,CS,DI,HC,HV,TH,DV process
+    class WH,CSH,IT,ID,CV,CAV hash
+    class BV,SV,IR,RA,GR,HR artifact
+    class VER,SG security
+    class FAIL fail
+```
+
+## Cryptographic Version Unity Architecture
+
+This diagram illustrates how the fennel-solonet CI/CD pipeline enforces cryptographic version unity across all release artifacts. The system ensures that every component in a deployment can be traced back to a single, verified Git tag through an unbroken chain of cryptographic hashes and version references.
+
+### Key Security Features
+
+1. **Single Source of Truth**: The signed Git tag `fennel-node-X.Y.Z` is the authoritative version source
+2. **Cryptographic Verification**: GPG signature verification ensures tag authenticity
+3. **Hash Propagation**: SHA-256 hashes link runtime, chainspecs, and Docker images
+4. **Digest-Based References**: Helm charts use immutable Docker image digests
+5. **Comprehensive Verification**: Deployment verifies all hashes match expected values
+
+### Version Unity Enforcement
+
+- **Chart Version** = **App Version** = **Release Tag Version** = `X.Y.Z`
+- **Docker Image Tag** = `fennel-node-X.Y.Z`
+- **Docker Image Digest** = immutable `sha256:...` reference
+- **Chainspec SHA-256** = runtime verification hash
+- **Release Tag** = Git tag embedded in Helm values
+
+This architecture prevents version drift, ensures reproducible deployments, and provides cryptographic proof that all artifacts belong to the same verified release.

chainspecs/production/README.md

@@ -45,3 +45,21 @@ pub fn staging_chain_spec() -> Result<ChainSpec, String> {
 	])
 	.build())
 }
+
+pub fn production_chain_spec() -> Result<ChainSpec, String> {
+	Ok(ChainSpec::builder(
+		WASM_BINARY.ok_or_else(|| "Production wasm not available".to_string())?,
+		None,
+	)
+	.with_name("Fennel Production")
+	.with_id("fennel_production")
+	.with_chain_type(ChainType::Live)
+	.with_genesis_config_preset_name("production")
+	.with_boot_nodes(vec![
+		// Production bootnodes - will be populated dynamically in CI
+		// These placeholder addresses will be replaced with derived peer IDs
+		"/dns4/bootnode1.fennel.network/tcp/30333/p2p/12D3KooWS84f71ufMQRsm9YWynfK5Zxa6iSooStJECnAT3RBVVxz".parse().unwrap(),
+		"/dns4/bootnode2.fennel.network/tcp/30333/p2p/12D3KooWLWzcGVuLycfL1W83yc9S4UmVJ8qBd4Rk5mS6RJ4Bh7Su".parse().unwrap(),
+	])
+	.build())
+}

derive-public-keys.sh

@@ -40,6 +40,7 @@ impl SubstrateCli for Cli {
 			"dev" => Box::new(chain_spec::development_chain_spec()?),
 			"" | "local" => Box::new(chain_spec::local_chain_spec()?),
 			"staging" => Box::new(chain_spec::staging_chain_spec()?),
+			"production" => Box::new(chain_spec::production_chain_spec()?),
 			path =>
 				Box::new(chain_spec::ChainSpec::from_json_file(std::path::PathBuf::from(path))?),
 		})

docs/CRYPTOGRAPHIC-VERSION-UNITY.md

@@ -48,6 +48,7 @@ sp-consensus-aura = { features = ["serde"], workspace = true }
 sp-consensus-grandpa = { features = ["serde"], workspace = true }
 sp-core = { features = ["serde"], workspace = true }
 sp-genesis-builder.workspace = true
+hex = { version = "0.4", default-features = false, features = ["alloc"] }
 sp-inherents.workspace = true
 sp-io = { version = "40.0.0", default-features = false }
 sp-keyring.workspace = true

node/src/chain_spec.rs

@@ -1,16 +1,89 @@
 #[cfg(all(feature = "std", feature = "metadata-hash"))]
 fn main() {
+	// Pass production genesis environment variables as compile-time constants
+	pass_genesis_env_vars();
+	
 	substrate_wasm_builder::WasmBuilder::init_with_defaults()
 		.enable_metadata_hash("UNIT", 12)
-			.build();
-	}
+		.build();
+}
 
 #[cfg(all(feature = "std", not(feature = "metadata-hash")))]
 fn main() {
+	// Pass production genesis environment variables as compile-time constants
+	pass_genesis_env_vars();
+	
 	substrate_wasm_builder::WasmBuilder::build_using_defaults();
 }
 
 /// The wasm builder is deactivated when compiling
 /// this crate for wasm to speed up the compilation.
 #[cfg(not(feature = "std"))]
 fn main() {}
+
+/// Pass production genesis environment variables as rustc-env for compile-time access
+/// Variables are MANDATORY for production builds but optional for development builds
+fn pass_genesis_env_vars() {
+	// All required environment variables for production builds
+	// These MUST be set for production builds to prevent accidental use of test keys
+	const REQUIRED_VARS: &[&str] = &[
+		"SUDO_SS58",           // Production sudo account
+		"VAL1_AURA_PUB",       // Validator 1 AURA public key
+		"VAL1_GRANDPA_PUB",    // Validator 1 GRANDPA public key  
+		"VAL1_STASH_SS58",     // Validator 1 stash account
+		"VAL2_AURA_PUB",       // Validator 2 AURA public key
+		"VAL2_GRANDPA_PUB",    // Validator 2 GRANDPA public key
+		"VAL2_STASH_SS58",     // Validator 2 stash account
+	];
+
+	let mut missing_vars = Vec::new();
+	let mut found_vars = Vec::new();
+	
+	// Check all required variables first
+	for &var_name in REQUIRED_VARS {
+		match std::env::var(var_name) {
+			Ok(value) => {
+				// Forward to the compiler so `env!(var_name)` works in the runtime
+				println!("cargo:rustc-env={}={}", var_name, value);
+				println!("cargo:rerun-if-env-changed={}", var_name);
+				found_vars.push(var_name);
+			}
+			Err(_) => {
+				missing_vars.push(var_name);
+			}
+		}
+	}
+	
+	// Determine build mode based on environment variables presence
+	if found_vars.is_empty() {
+		// Development/staging build - no production variables set
+		println!("🧪 Development/staging build detected (no production env vars)");
+		println!("📋 Development and staging presets will use Alice/Bob hardcoded keys");
+		println!("⚠️  Production preset will NOT be available for this build");
+	} else if missing_vars.is_empty() {
+		// Production build - all variables set
+		println!("✅ Production build: All {} required environment variables are set", REQUIRED_VARS.len());
+		println!("🏭 Production preset will use Vault-sourced public keys");
+	} else {
+		// Partial production build - some variables set, some missing (ERROR)
+		eprintln!("🚨 PRODUCTION BUILD ERROR: Partial environment variable configuration detected!");
+		eprintln!("   Found {} variables, missing {} variables", found_vars.len(), missing_vars.len());
+		eprintln!();
+		eprintln!("   ✅ Found:");
+		for var in &found_vars {
+			eprintln!("      • {}", var);
+		}
+		eprintln!();
+		eprintln!("   ❌ Missing:");
+		for var in &missing_vars {
+			eprintln!("      • {}", var);
+		}
+		eprintln!();
+		eprintln!("💡 To fix this:");
+		eprintln!("   • For production: Set ALL 7 variables");
+		eprintln!("   • For development: Set NONE of them (use Alice/Bob presets)");
+		eprintln!("   • This prevents accidental mixing of production and test keys");
+		eprintln!();
+		panic!("Build halted due to partial production environment variable configuration");
+	}
+}