chore: rebase on rc15 candidate

Author: OisinKyne

cmd/obol/sell.go

@@ -22,6 +22,7 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/ObolNetwork/obol-stack/internal/agentcrd"
 	"github.com/ObolNetwork/obol-stack/internal/config"
 	"github.com/ObolNetwork/obol-stack/internal/enclave"
 	"github.com/ObolNetwork/obol-stack/internal/erc8004"
@@ -3827,11 +3828,11 @@ offers survive in etcd with UpstreamHealthy=False, so the public catalog
 directly so a reboot does not require a full stack-up to recover.
 
 Idempotent: offers whose gateway is still running are skipped, and the
-kubectl applies re-assert existing objects. A replayed agent offer needs
-its Agent CR: still present after a reboot, but after a full stack
-recreation the offer waits (controller reports the missing agent) until
-'obol agent new' recreates it. 'sell mcp' servers are foreground
-processes with no ServiceOffer and are not resumed.
+kubectl applies re-assert existing objects. Recorded Agent CRs
+($OBOL_CONFIG_DIR/agents/) are re-applied BEFORE offers so agent-backed
+offers resolve their agent.ref even after a full stack recreation.
+'sell mcp' servers are foreground processes with no ServiceOffer and are
+not resumed.
 
 Examples:
   obol sell resume                      Resume all persisted offers now
@@ -3852,6 +3853,9 @@ Examples:
 			if err := waitForClusterAPI(ctx, cfg, u, 3*time.Minute); err != nil {
 				u.Warnf("cluster API not ready: %v (continuing — per-offer applies may fail)", err)
 			}
+			// Recorded Agent CRs first: agent-backed offers resolve
+			// agent.ref and would dangle on a freshly-recreated cluster.
+			agentcrd.ResumeAll(cfg, u)
 			if err := resumeSellOffers(ctx, cfg, u); err != nil {
 				return err
 			}

cmd/obol/stackup_resume_guard_test.go

@@ -40,3 +40,30 @@ func TestStackUpAction_ReplaysRecordedState(t *testing.T) {
 		t.Error("agentcrd.ResumeAll must run BEFORE resumeSellOffers — agent-backed ServiceOffers need their Agent CR first")
 	}
 }
+
+// TestSellResumeAction_ReplaysAgentsBeforeOffers extends the same guard to
+// `obol sell resume` (the reboot-recovery path, incl. the systemd boot
+// unit): after a full stack recreation the ledger replays agent-backed
+// offers, which dangle unless recorded Agent CRs are re-applied first.
+func TestSellResumeAction_ReplaysAgentsBeforeOffers(t *testing.T) {
+	src, err := os.ReadFile("sell.go")
+	if err != nil {
+		t.Fatalf("read sell.go: %v", err)
+	}
+	body := string(src)
+
+	agentsIdx := strings.Index(body, "agentcrd.ResumeAll(")
+	if agentsIdx < 0 {
+		t.Fatal("cmd/obol/sell.go (sell resume action) must call agentcrd.ResumeAll before replaying offers")
+	}
+	// The resume action's offer replay is the only call site that returns
+	// the error (`if err := resumeSellOffers(...)`); main.go's stack-up
+	// call warns instead.
+	offersIdx := strings.Index(body, "if err := resumeSellOffers(ctx, cfg, u); err != nil")
+	if offersIdx < 0 {
+		t.Fatal("expected the sell resume action's resumeSellOffers call in sell.go")
+	}
+	if agentsIdx > offersIdx {
+		t.Error("agentcrd.ResumeAll must run BEFORE resumeSellOffers in the sell resume action")
+	}
+}

internal/agentcrd/manifest.go

@@ -89,6 +89,7 @@ func ResumeAll(cfg *config.Config, u *ui.UI) {
 			u.Warnf("Could not read recorded agent %s: %v", name, err)
 			continue
 		}
+		warnIfWalletWouldRegenerate(cfg, name, data, u)
 		nsErr := kubectl.PipeCommands(bin, kubeconfig,
 			[]string{"create", "namespace", Namespace(name), "--dry-run=client", "-o", "yaml"},
 			[]string{"apply", "-f", "-"})
@@ -102,3 +103,37 @@ func ResumeAll(cfg *config.Config, u *ui.UI) {
 		u.Successf("Re-applied agent %s", name)
 	}
 }
+
+// warnIfWalletWouldRegenerate flags the funds-stranding edge: replaying a
+// wallet-bearing agent against a cluster that lost its keystore Secret
+// (full recreation without a prior `obol stack import`) makes the
+// controller mint a FRESH wallet — anything held at the old address is
+// stranded unless the operator restores the keystore first. Best-effort:
+// an unreachable cluster or a wallet-less agent stays silent.
+func warnIfWalletWouldRegenerate(cfg *config.Config, name string, manifest []byte, u *ui.UI) {
+	var doc struct {
+		Spec struct {
+			Wallet struct {
+				Create bool `yaml:"create"`
+			} `yaml:"wallet"`
+		} `yaml:"spec"`
+	}
+	if err := yaml.Unmarshal(manifest, &doc); err != nil || !doc.Spec.Wallet.Create {
+		return
+	}
+	bin, kubeconfig := kubectl.Paths(cfg)
+	if err := kubectl.RunSilent(bin, kubeconfig,
+		"get", "namespace", Namespace(name)); err != nil {
+		// Namespace itself is gone — full recreation. The keystore Secret
+		// check below would also fail, but distinguish nothing: same warning.
+		u.Warnf("Agent %s declares a wallet but its namespace is gone — the controller will mint a NEW wallet on replay. "+
+			"If the old wallet held funds, restore the keystore first: 'obol stack import <backup> --cluster-only' or 'obol agent wallet restore'.", name)
+		return
+	}
+	if err := kubectl.RunSilent(bin, kubeconfig,
+		"get", "secret", "remote-signer-keystore", "-n", Namespace(name)); err != nil {
+		u.Warnf("Agent %s declares a wallet but namespace %s has no keystore Secret — the controller will mint a NEW wallet. "+
+			"If the old wallet held funds, restore it first: 'obol stack import <backup> --cluster-only' or 'obol agent wallet restore'.",
+			name, Namespace(name))
+	}
+}