mineracks/mineracks-ckbunker-hsm-sign
mineracks/mineracks-ckbunker-hsm-sign
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
9d380f5013
mineracks-ckbunker-hsm-sign/config.example.yaml
mineracks 9d380f5013 Initial import: CKBunker HSM validation harness 
WebSocket client + CLI harness + pytest suite that exercises each axis of
a CKBunker + Coldcard Mk4 policy and asserts the expected outcomes, including
the critical negative test that a large PSBT without TOTP is rejected with
a specific 'rule #1: need user(s) confirmation' reason.

Configuration via .env / YAML / CLI flags, two pre-crafted test PSBTs as
fixtures (generation guide in fixtures/README.md), dashboard counter
scraper as sanity check, design rationale in docs/.
2026-04-14 10:50:04 +10:00

56 lines
2.0 KiB
YAML
Raw Blame History

# Example harness configuration.
# Copy to config.yaml and edit for your deployment, or use environment
# variables (.env) — CLI flags take precedence over YAML, YAML over env.
#
# The harness reads this to know what outcomes to ASSERT against your
# policy. If your policy shape differs from what's described here, edit
# these expectations rather than forcing your policy to fit the defaults.
ckbunker:
url: http://100.80.63.14:9823
# Only needed if ckbunker.url is behind Cloudflare Access. Leave null for
# direct Tailscale access.
cf_access_client_id: null
cf_access_client_secret: null
hsm:
user: mineracks # user declared in your Coldcard policy
message_sign_path: "m/84'/0'/0'/1"
# What the harness should ASSERT about the installed policy. These must
# MATCH the policy actually loaded onto the Coldcard, or tests will fail.
policy:
# Rule #2 equivalent: auto-approve (no user auth).
auto_approve:
per_txn_sats: 10000 # 0.0001 BTC
per_period_sats: 50000 # 0.0005 BTC
# Rule #1 equivalent: requires TOTP from `hsm.user`.
user_authorised:
per_txn_sats: 100000 # 0.001 BTC
per_period_sats: 500000 # 0.005 BTC
velocity_minutes: 1440 # 24 hours
message_signing: true # set false if your policy blocks it
# Paths to pre-crafted test PSBTs (see fixtures/README.md).
fixtures:
small_psbt: fixtures/small.psbt # value <= auto_approve.per_txn_sats
large_psbt: fixtures/large.psbt # value > auto_approve.per_txn_sats
# and <= user_authorised.per_txn_sats
# Test selection. Set false to skip a test that doesn't apply.
tests:
connectivity: true
message_signing: true
rule2_auto_approve: true
rule1_without_totp_rejects: true
rule1_with_totp_signs: true
counters_tracked: true
# Output control.
output:
verbose: false # dump every WebSocket frame
save_signed_dir: null # set a path to keep the signed PSBTs
Reference in New Issue View Git Blame Copy Permalink