mineracks-ckbunker-hsm-sign/.env.example
mineracks 9d380f5013 Initial import: CKBunker HSM validation harness
WebSocket client + CLI harness + pytest suite that exercises each axis of
a CKBunker + Coldcard Mk4 policy and asserts the expected outcomes, including
the critical negative test that a large PSBT without TOTP is rejected with
a specific 'rule #1: need user(s) confirmation' reason.

Configuration via .env / YAML / CLI flags, two pre-crafted test PSBTs as
fixtures (generation guide in fixtures/README.md), dashboard counter
scraper as sanity check, design rationale in docs/.
2026-04-14 10:50:04 +10:00

# CKBunker base URL.
# - For Tailscale/private ingress use http://<tailnet-ip>:9823
# - For public Cloudflare-fronted deployment use https://your.hostname
# Tailscale is strongly preferred for this harness because Cloudflare Access
# with service tokens does not pass the WebSocket upgrade cleanly.
CKBUNKER_URL=http://100.80.63.14:9823
# Cloudflare Access service token (only needed if hitting a CF-Access-protected URL).
# Leave blank when talking to the Tailscale IP directly.
CF_ACCESS_CLIENT_ID=
CF_ACCESS_CLIENT_SECRET=
# TOTP shared secret for the HSM user.
# Issued by `ckcc user -t -q <username>` during enrolment (base32 string).
# The harness uses this to auto-generate codes for Rule #1 tests.
TOTP_SECRET=
# HSM user that matches the user named in the Coldcard's policy (typically the
# one TOTP is bound to).
HSM_USER=mineracks
# Path to a pre-crafted "small" PSBT whose value is <= your auto-approve cap
# (Rule #2 equivalent). See fixtures/README.md for how to generate this.
SMALL_PSBT_PATH=fixtures/small.psbt
# Path to a pre-crafted "large" PSBT whose value exceeds the auto-approve cap
# but fits inside the 2FA-authorised cap (Rule #1 equivalent).
LARGE_PSBT_PATH=fixtures/large.psbt
# Optional: Sparrow/Bitcoin Core address to verify a signed test message against.
# Must match the derivation path below and belong to the Coldcard seed.
MESSAGE_SIGN_ADDRESS=
MESSAGE_SIGN_PATH=m/84'/0'/0'/1
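
A pre-flight check for the values above, added here as an illustration and not part of the harness itself: it applies the rules stated in the comments (Cloudflare Access token pair only for the public URL, base32 TOTP secret) and derives the TOTP code per RFC 6238. The names `parse_env`, `totp` and `check_env`, the sample values, and the assumption that the tailnet uses Tailscale's default 100.64.0.0/10 range are all hypothetical.

```python
import base64, hashlib, hmac, ipaddress, struct
from urllib.parse import urlparse

TAILNET = ipaddress.ip_network("100.64.0.0/10")  # assumption: default Tailscale range
# Constructed sample: tailnet URL combined with a half-filled CF token pair.
SAMPLE = """CKBUNKER_URL=http://100.80.63.14:9823
CF_ACCESS_CLIENT_ID=constructed-id.access
CF_ACCESS_CLIENT_SECRET=
TOTP_SECRET=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blank lines and # comments."""
    env = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env

def totp(secret_b32, now, digits=6, step=30):
    """RFC 6238 TOTP (HMAC-SHA1) from a base32 shared secret."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # restore stripped padding
    mac = hmac.new(key, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def check_env(env):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    url = urlparse(env.get("CKBUNKER_URL", ""))
    cf = [env.get("CF_ACCESS_CLIENT_ID", ""), env.get("CF_ACCESS_CLIENT_SECRET", "")]
    try:
        on_tailnet = ipaddress.ip_address(url.hostname or "") in TAILNET
    except ValueError:  # a hostname rather than an IP literal
        on_tailnet = False
    if url.scheme != "https" and not on_tailnet:
        problems.append("CKBUNKER_URL: non-https URL outside the tailnet range")
    if bool(cf[0]) != bool(cf[1]):
        problems.append("CF_ACCESS_*: set both values or neither")
    if on_tailnet and any(cf):
        problems.append("CF_ACCESS_*: leave blank for the Tailscale IP")
    try:
        totp(env.get("TOTP_SECRET") or "!", 0)  # "!" is never valid base32
    except ValueError:
        problems.append("TOTP_SECRET: missing or not valid base32")
    return problems
```

Because `TOTP_SECRET` lets anything that can read this file mint valid second-factor codes, a filled-in `.env` should be kept out of version control and readable only by the account that runs the harness.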