d37a87e
fix: update upload-artifact-version to v4 and artifact name in scorec…
KambleSahil3 Jun 25, 2025
f5ce197
feat: otel and signoz implementation (#1297)
tipusinghaw Jun 27, 2025
fca8aba
feat: single sign on (#1305)
bhavanakarwade Jul 1, 2025
0ca57b2
feat/added org name for get all schema api's response
sujitaw Jul 11, 2025
8557feb
wip/fixed email not saving on verification request
sujitaw Jul 15, 2025
e5b3611
feat/added their label for connections to show in verification table
sujitaw Jul 15, 2025
2e4e6fd
Merge pull request #1314 from credebl/feat/include_org_name_in_all_sc…
sujitaw Jul 16, 2025
1cc84f0
Merge pull request #1367 from credebl/develop
shitrerohit Jul 22, 2025
9aa5c8f
fix/schema migration
sujitaw Jul 24, 2025
cb2a713
Merge pull request #1315 from credebl/fix/email_data_from_proofs_api
sujitaw Jul 24, 2025
97a2b7e
feat/updated connection for credentials with connection table
sujitaw Jul 24, 2025
38005c5
Merge pull request #1370 from credebl/feat/add_connection_label_to_cr…
sujitaw Jul 25, 2025
97af95a
Merge pull request #1373 from credebl/develop
sujitaw Jul 30, 2025
855603d
feat: refactor agent endpoint for token (#1375)
tipusinghaw Aug 5, 2025
255236a
refactor: changes agent endpoint (#1378)
tipusinghaw Aug 6, 2025
2593951
refactore: schema id in get schema (#1379)
tipusinghaw Aug 7, 2025
9deb93a
refactor: token API for tenant and create keypair (#1380)
tipusinghaw Aug 7, 2025
b45186f
feat: update workflow file to build and push multi-architecture Docke…
KambleSahil3 Aug 7, 2025
4481091
fix: DCO remediation ability (#1382)
GHkrishna Aug 7, 2025
732ac88
feat: added env key in sample and demo file (#1384)
tipusinghaw Aug 7, 2025
1fb387f
Merge pull request #1381 from credebl/develop
tipusinghaw Aug 7, 2025
ff3c273
fix: agent auth issue due to incorrect token (#1388)
GHkrishna Aug 12, 2025
4816fb6
fix/all schema api
sujitaw Aug 13, 2025
c023f07
Merge pull request #1389 from credebl/fix/all_schemas_selection
sujitaw Aug 13, 2025
addfec5
fix: taking variable value from env
bhavanakarwade Jul 16, 2025
804c0b9
wip: implemented fetch session details api
bhavanakarwade Jul 23, 2025
1a183c0
fix: added pnpm file
bhavanakarwade Jul 23, 2025
541f603
wip: fetch session details
bhavanakarwade Jul 24, 2025
ecfac3d
wip: fetch session details
bhavanakarwade Jul 24, 2025
ff8aef3
fix: encryption issues
bhavanakarwade Jul 25, 2025
b136932
fix:Added realtion between session and account table
shitrerohit Jul 29, 2025
c4d66f2
wip: update session
bhavanakarwade Jul 29, 2025
1b4b699
fix: Flow modification in generate token using clientId and secrat API
shitrerohit Jul 30, 2025
ddbfb57
feat: implemented destroy session functionality
bhavanakarwade Jul 31, 2025
97d8f79
fix:worked on generate client token API related workflow
shitrerohit Jul 31, 2025
b19ec58
account and session table related migration added
shitrerohit Jul 31, 2025
48ab913
fix:modification in session creation and account creation
shitrerohit Jul 31, 2025
9751adc
fix:modified the client login credential mathod response
shitrerohit Jul 31, 2025
c6b330b
fix:update fetch owner org details query
shitrerohit Jul 31, 2025
084a268
WIP:refresh token flow modification
shitrerohit Aug 4, 2025
d0a6267
fix: session id decoding issue
bhavanakarwade Aug 6, 2025
d616a85
fix:store correct account details issue
shitrerohit Aug 11, 2025
504e4c3
Merge pull request #1391 from credebl/develop
GHkrishna Aug 13, 2025
fe5fbad
Merge pull request #1320 from credebl/feat/database-strategy
shitrerohit Aug 18, 2025
79fa61f
fix/schema name save for connection and email
sujitaw Aug 19, 2025
b301496
Merge branch 'develop' of https://github.com/credebl/platform into fi…
sujitaw Aug 19, 2025
a2e2f4b
Merge pull request #1393 from credebl/develop
shitrerohit Aug 19, 2025
efd4276
fix/issues in the flow
sujitaw Aug 20, 2025
679cfcd
added missing constats file update
sujitaw Aug 21, 2025
3e00a4e
fix/resolved comments
sujitaw Aug 22, 2025
759dd3b
fix/change name in error for updateSchemaId
sujitaw Aug 22, 2025
fa7886f
Merge pull request #1395 from credebl/fix/schema_name_for_w3c_credent…
sujitaw Aug 22, 2025
89caf05
fix:changes in accept invitation url
shitrerohit Aug 24, 2025
92238cd
Merge pull request #1398 from credebl/fix/accept-invitation-issue
shitrerohit Aug 25, 2025
4189aa1
Merge pull request #1399 from credebl/develop
sujitaw Aug 25, 2025
ab9fb63
WIP:create account and session workflow modification
shitrerohit Aug 23, 2025
820863a
fix:add exp logic in jwt strategy
shitrerohit Aug 25, 2025
0012787
Merge pull request #1402 from credebl/fix/create-account-problem
shitrerohit Aug 25, 2025
d4c1523
fix: session logic for passkey flow (#1404)
pranalidhanavade Aug 26, 2025
79ada17
feat: Updated search parameter for Credentials and Verification api (…
sujitaw Aug 26, 2025
bdb89f2
fix: Issue for wallet creation with existing DID and Seed (#1394)
sujitaw Aug 26, 2025
b19590c
Third-Party DCO Remediation Commit for sujitaw <sujit.sutar@ayanworks…
sujitaw Aug 27, 2025
5e650c2
Third-Party DCO Remediation Commit for sujitaw <sujit.sutar@ayanworks…
sujitaw Aug 27, 2025
c4b4c7b
Merge pull request #1409 from credebl/fix/dco_fix_via_remediation
sujitaw Aug 27, 2025
f08f732
Merge pull request #1405 from credebl/develop
shitrerohit Aug 27, 2025
f93c933
fix:resolved user not found error on login
shitrerohit Aug 28, 2025
847e366
Merge pull request #1410 from credebl/fix/user-not-found-issue
shitrerohit Aug 28, 2025
90cf16a
fix/badge issuance error for non wallet issuance (#1411)
sujitaw Aug 29, 2025
2ca4baa
Third-Party DCO Remediation Commit for sujitaw <sujit.sutar@ayanworks…
sujitaw Aug 29, 2025
a6b69fd
Merge pull request #1414 from credebl/fix/dco_issue_through_remediation
sujitaw Aug 29, 2025
7600413
Merge pull request #1412 from credebl/develop
sujitaw Aug 29, 2025
19975c9
WIP:delete inactive sessions
shitrerohit Aug 28, 2025
bd4cc44
Added delete inactive session functionality during login
shitrerohit Aug 29, 2025
7f4071b
Added logs for delete inactive session
shitrerohit Aug 29, 2025
bf52105
Merge pull request #1415 from credebl/fix/inactive-session-deletion
shitrerohit Aug 29, 2025
c609bf1
Merge pull request #1416 from credebl/develop
shitrerohit Aug 30, 2025
055d9bb
feat/credo-spinup-script (#1417)
KambleSahil3 Sep 1, 2025
9a38856
Merge pull request #1419 from credebl/develop
KambleSahil3 Sep 1, 2025
3119cc7
fix/verify credentials api (#1420)
sujitaw Sep 1, 2025
2a446e6
Merge pull request #1421 from credebl/develop
sujitaw Sep 1, 2025
dc24f10
fix:sonar cloud related issues
shitrerohit Sep 2, 2025
803d7eb
Merge pull request #1422 from credebl/fix/resolve-sonar-cloud-issues
shitrerohit Sep 2, 2025
a91f3e6
fix:removed sonar cloud issue related changes
shitrerohit Sep 2, 2025
230dc9a
Merge pull request #1423 from credebl/fix/tracer-file-issue
shitrerohit Sep 2, 2025
18d1086
Merge pull request #1424 from credebl/develop
shitrerohit Sep 2, 2025
4703492
fix:sonar cloud issues
shitrerohit Sep 2, 2025
d748d20
Merge pull request #1425 from credebl/fix/sonar-cloud-issues
shitrerohit Sep 2, 2025
2571b42
Merge pull request #1426 from credebl/develop
shitrerohit Sep 2, 2025
c43f3c2
feat/credo-spinup-script (#1427)
KambleSahil3 Sep 8, 2025
00498a5
Merge pull request #1431 from credebl/develop
KambleSahil3 Sep 8, 2025
45 changes: 43 additions & 2 deletions .env.demo
Expand Up @@ -110,7 +110,7 @@ KEYCLOAK_MANAGEMENT_CLIENT_ID=adminClient
KEYCLOAK_MANAGEMENT_CLIENT_SECRET=
KEYCLOAK_REALM=credebl-platform

SCHEMA_FILE_SERVER_URL='https://schema.credebl.id/schemas/'
SCHEMA_FILE_SERVER_URL=
SCHEMA_FILE_SERVER_TOKEN=

GEO_LOCATION_MASTER_DATA_IMPORT_SCRIPT=/prisma/scripts/geo_location_data_import.sh
Expand Down Expand Up @@ -145,4 +145,45 @@ APP=api
#Schema-file-server
APP_PORT=4000
JWT_TOKEN_SECRET=
ISSUER=Credebl
ISSUER=Credebl

#Signoz and OTel
IS_ENABLE_OTEL=false
OTEL_SERVICE_NAME='CREDEBL-PLATFORM-SERVICE'
OTEL_SERVICE_VERSION='1.0.0'
OTEL_TRACES_OTLP_ENDPOINT='http://localhost:4318/v1/traces'
OTEL_LOGS_OTLP_ENDPOINT='http://localhost:4318/v1/logs'
OTEL_HEADERS_KEY=88ca6b1XXXXXXXXXXXXXXXXXXXXXXXXXXX
OTEL_LOGGER_NAME='credebl-platform-logger'
HOSTNAME='localhost'
SESSIONS_LIMIT=10
# SSO
APP_PROTOCOL=http
#To add more clients, simply copy the variable below and change the word 'CREDEBL' to your client's name.
CREDEBL_CLIENT_ALIAS=CREDEBL
CREDEBL_DOMAIN=http://localhost:3000
CREDEBL_KEYCLOAK_MANAGEMENT_CLIENT_ID= #Provide the value in its encrypted form using CRYPTO_PRIVATE_KEY.
CREDEBL_KEYCLOAK_MANAGEMENT_CLIENT_SECRET= #Provide the value in its encrypted form using CRYPTO_PRIVATE_KEY.
# To add more clients, simply add comma separated values of client names
SUPPORTED_SSO_CLIENTS=CREDEBL

# Key for agent base wallet
AGENT_API_KEY='supersecret-that-too-16chars'

# To add more client add the following variables for each additional client.
# Replace the `CLIENT-NAME` with the appropriate client name as added in `SUPPORTED_SSO_CLIENTS`
# Default client will not need the following details

# CLIENT-NAME_CLIENT_ALIAS=VERIFIER
# # Domain represents the redirection url once the client logs-in
# # TODO: Can be taken from keycloak instead
# CLIENT-NAME_DOMAIN=https://VERIFIER-domain.com
# # Encrypted client credentials using the `CRYPTO_PRIVATE_KEY`
# CLIENT-NAME_KEYCLOAK_MANAGEMENT_CLIENT_ID=
# CLIENT-NAME_KEYCLOAK_MANAGEMENT_CLIENT_SECRET=

# Sample values:
# VERIFIER_CLIENT_ALIAS=VERIFIER
# VERIFIER_DOMAIN=https://VERIFIER-domain.com
# VERIFIER_KEYCLOAK_MANAGEMENT_CLIENT_ID=encryptedKeyCloakClientId
# VERIFIER_KEYCLOAK_MANAGEMENT_CLIENT_SECRET=encryptedKeyCloakClientSecret
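Review bot: `AGENT_API_KEY='supersecret-that-too-16chars'` ships a literal, working-looking value in a demo env file, so an operator who copies .env.demo unchanged runs the agent with a key that is public in this repository; the same line is added to .env.sample in this PR. Leave the value empty and put the requirement in the comment, e.g. `AGENT_API_KEY= # Required. Generate a random secret of at least 16 characters; do not reuse a sample value.`, which matches how the other secrets in this file (`KEYCLOAK_MANAGEMENT_CLIENT_SECRET=`, `JWT_TOKEN_SECRET=`) are left blank. `OTEL_HEADERS_KEY=88ca6b1XXXX…` keeps a real-looking prefix with the rest masked, which invites the question of whether it was redacted from a live key; an obviously fake placeholder avoids that.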
44 changes: 42 additions & 2 deletions .env.sample
Expand Up @@ -153,7 +153,7 @@ SCHEMA_FILE_SERVER_URL= // Please provide schema URL
SCHEMA_FILE_SERVER_TOKEN=xxxxxxxx // Please provide schema file server token for polygon

FILEUPLOAD_CACHE_TTL= //Provide file upload cache ttl

SESSIONS_LIMIT= //Provide limits of sessions
FIELD_UPLOAD_SIZE= //Provide field upload size

IS_ECOSYSTEM_ENABLE= //Set this flag to `true` to enable the ecosystem, or `false` to disable it.
Expand All @@ -166,4 +166,44 @@ ELK_PASSWORD=xxxxxx // ELK user password

ORGANIZATION=credebl
CONTEXT=platform
APP=api
APP=api

IS_ENABLE_OTEL=false # Flag to enable/disable OpenTelemetry (true = enabled, false = disabled)
OTEL_SERVICE_NAME='CREDEBL-PLATFORM-SERVICE' # Logical name of the service shown in observability tools (e.g., SigNoz)
OTEL_SERVICE_VERSION='1.0.0' # Version of the service; helps in tracking changes over time
OTEL_TRACES_OTLP_ENDPOINT='http://localhost:4318/v1/traces' # Endpoint where traces are exported (OTLP over HTTP)
OTEL_LOGS_OTLP_ENDPOINT='http://localhost:4318/v1/logs' # Endpoint where logs are exported (OTLP over HTTP)
OTEL_HEADERS_KEY=88ca6b1XXXXXXXXXXXXXXXXXXXXXXXXXXX # API key or token used for authenticating with the OTel collector (e.g., SigNoz)
OTEL_LOGGER_NAME='credebl-platform-logger' # Name of the logger used for OpenTelemetry log records
HOSTNAME='localhost' # Hostname or unique identifier for the service instance

# SSO
#To add more clients, simply copy the variable below and change the word 'CREDEBL' to your client's name.
CREDEBL_CLIENT_ALIAS=CREDEBL
CREDEBL_DOMAIN=http://localhost:3000
CREDEBL_KEYCLOAK_MANAGEMENT_CLIENT_ID= #Provide the value in its encrypted form using CRYPTO_PRIVATE_KEY.
CREDEBL_KEYCLOAK_MANAGEMENT_CLIENT_SECRET= #Provide the value in its encrypted form using CRYPTO_PRIVATE_KEY.
# To add more clients, simply add comma separated values of client names
SUPPORTED_SSO_CLIENTS=CREDEBL
APP_PROTOCOL=

# Key for agent base wallet
AGENT_API_KEY='supersecret-that-too-16chars'

# To add more client add the following variables for each additional client.
# Replace the `CLIENT-NAME` with the appropriate client name as added in `SUPPORTED_SSO_CLIENTS`
# Default client will not need the following details

# CLIENT-NAME_CLIENT_ALIAS=MYAPP
# # Domain represents the redirection url once the client logs-in
# # TODO: Can be taken from keycloak instead
# CLIENT-NAME_DOMAIN=https://myapp.com
# # Encrypted client credentials using the `CRYPTO_PRIVATE_KEY`
# CLIENT-NAME_KEYCLOAK_MANAGEMENT_CLIENT_ID=
# CLIENT-NAME_KEYCLOAK_MANAGEMENT_CLIENT_SECRET

# Sample values:
# VERIFIER_CLIENT_ALIAS=VERIFIER
# VERIFIER_DOMAIN=https://VERIFIER-domain.com
# VERIFIER_KEYCLOAK_MANAGEMENT_CLIENT_ID=encryptedKeyCloakClientId
# VERIFIER_KEYCLOAK_MANAGEMENT_CLIENT_SECRET=encryptedKeyCloakClientSecret
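Review bot: The commented template line `# CLIENT-NAME_KEYCLOAK_MANAGEMENT_CLIENT_SECRET` is missing the trailing `=` that its sibling `# CLIENT-NAME_KEYCLOAK_MANAGEMENT_CLIENT_ID=` and the .env.demo copy of the same block carry, so an operator who uncomments and renames it gets a line that most dotenv loaders will not read as an assignment. Change it to `# CLIENT-NAME_KEYCLOAK_MANAGEMENT_CLIENT_SECRET=` so the two files' templates are identical.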
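--- a/.eslintrc.js
+++ b/.eslintrc.js
@@ -101,4 +101,4 @@ module.exports = {
 'prefer-template': 'error',
 quotes: ['warn', 'single', { allowTemplateLiterals: true }]
 }
-};
+};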
3 changes: 3 additions & 0 deletions .github/dco.yml
@@ -0,0 +1,3 @@
allowRemediationCommits:
individual: true
thirdParty: true
Comment on lines +1 to +3
💡 Verification agent

🧩 Analysis chain

Confirm DCO app supports these keys and that org repo has the app installed

The keys allowRemediationCommits.individual and .thirdParty look plausible but DCO config schemas vary by app. Please verify the GitHub App you use for DCO enforcement recognizes these options, otherwise the config will be ignored.

To validate quickly:

You can also confirm the exact config keys with a quick web check:


🏁 Script executed:

#!/bin/bash
# 1) Confirm the DCO app is installed on this repo (requires gh auth with repo scope)
OWNER_REPO="$(gh repo view --json nameWithOwner -q .nameWithOwner)"
echo "Repo: $OWNER_REPO"
echo "Installed GitHub Apps:"
gh api repos/$OWNER_REPO/installations | jq -r '.installations[].app_slug'

# 2) Open a throwaway PR from a fork without Signed-off-by to see if a remediation commit is offered/applied.
echo "Create a test PR from a fork lacking DCO sign-off and observe the bot behavior."

Length of output: 528


🌐 Web query:

What is the supported configuration schema for the GitHub DCO app (probot/dco)? Does it support allowRemediationCommits with individual and thirdParty flags in .github/dco.yml?

💡 Result:

Yes. The probot DCO app supports a .github/dco.yml schema that includes an allowRemediationCommits block with boolean flags individual and thirdParty. Example forms:

  • Enable individual remediation:
    allowRemediationCommits:
    individual: true

  • Enable third‑party remediation (requires individual: true):
    allowRemediationCommits:
    individual: true
    thirdParty: true

(Other options such as require: members: false are also supported.) [1][2]


Install or enable the GitHub DCO App
The keys allowRemediationCommits.individual and thirdParty are valid for the probot DCO schema, but the GH CLI call (gh api repos/credebl/platform/installations) returned 404, indicating the DCO app isn’t installed or authorized on this repo. Please install or enable the DCO GitHub App to enforce these settings.

🤖 Prompt for AI Agents
.github/dco.yml lines 1-3: The repository config references
allowRemediationCommits.individual and thirdParty for the DCO app but the DCO
GitHub App is not installed/authorized (GH API returned 404); install or enable
the GitHub DCO App for this repository/org via the GitHub Marketplace or org App
settings and authorize it for this repo so those settings take effect, or if you
don't intend to use the DCO app remove those keys from .github/dco.yml and
update the workflow/README to reflect the chosen enforcement method.
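Review bot: `thirdParty: true` is a policy decision rather than a config detail: it allows a sign-off to be supplied for a commit by someone other than its author, so the DCO attestation for that commit is made on the author's behalf, as the later "Third-Party DCO Remediation Commit for sujitaw" commits in this PR's history show. If that is the intended process, record in CONTRIBUTING who may post remediation commits and on what basis, so the weaker attestation is a documented choice; otherwise keep `individual: true` alone. A one-line comment in the file itself, `# thirdParty lets a maintainer remediate another author's sign-off; see CONTRIBUTING`, would make the intent visible next to the setting.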

9 changes: 8 additions & 1 deletion .github/workflows/continuous-delivery.yml
Expand Up @@ -44,6 +44,12 @@ jobs:
id: get_tag
run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

Comment on lines +47 to +52
💡 Verification agent

🧩 Analysis chain

Pin Docker actions to commit SHAs

Pin setup-qemu and setup-buildx to full-length SHAs instead of floating major tags.

I can fetch and pin the current SHAs and open a follow-up patch; confirm if you want this done now.


🏁 Script executed:

#!/bin/bash
echo "setup-qemu-action v3 SHA:"
curl -s https://api.github.com/repos/docker/setup-qemu-action/git/refs/tags/v3 \
  | grep -m1 '"sha"' \
  | sed -E 's/.*"sha": "([^"]+)".*/\1/'

echo "setup-buildx-action v3 SHA:"
curl -s https://api.github.com/repos/docker/setup-buildx-action/git/refs/tags/v3 \
  | grep -m1 '"sha"' \
  | sed -E 's/.*"sha": "([^"]+)".*/\1/'

Length of output: 485


Pin Docker actions to exact SHAs

.github/workflows/continuous-delivery.yml
@@ -47,6 +47,6 @@

  • uses: docker/setup-qemu-action@v3
  • uses: docker/setup-buildx-action@v3
🤖 Prompt for AI Agents
.github/workflows/continuous-delivery.yml around lines 47 to 52: the workflow
references docker/setup-qemu-action@v3 and docker/setup-buildx-action@v3
(floating tags); update both uses to pinned commit SHAs to ensure reproducible
builds and supply the exact SHAs shown in the comment (replace
docker/setup-qemu-action@v3 with
docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 and replace
docker/setup-buildx-action@v3 with
docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435).

- name: Log in to GitHub Container Registry
uses: docker/login-action@v3
with:
Expand All @@ -57,6 +63,7 @@ jobs:
context: .
file: Dockerfiles/Dockerfile.${{ matrix.service }}
push: true
platforms: linux/amd64,linux/arm64
tags: |
${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.service }}:${{ env.TAG }}
${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.service }}:latest
${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.service }}:latest
4 changes: 2 additions & 2 deletions .github/workflows/scorecard.yml
Expand Up @@ -59,9 +59,9 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
uses: actions/upload-artifact@v4
💡 Verification agent

🧩 Analysis chain

Pin upload-artifact to a commit SHA for Supply-Chain hardening

Use a full-length commit SHA instead of a floating tag to satisfy Scorecard’s Pinned-Dependencies check.

Would you like me to generate a PR-ready patch with the latest v4 commit SHA pinned? I can also add step-security/harden-runner for network egress locking.


🏁 Script executed:

#!/bin/bash
# Verify usage of floating tag for upload-artifact action
rg -nP "actions/upload-artifact@v4" -C3 .github/workflows/scorecard.yml || echo "No match found"

Length of output: 394


Pin upload-artifact action to a full commit SHA
In .github/workflows/scorecard.yml:62, replace

uses: actions/upload-artifact@v4

with a specific commit SHA (e.g. actions/upload-artifact@<full-commit-sha>) so OpenSSF Scorecard’s Pinned-Dependencies check passes.

🤖 Prompt for AI Agents
In .github/workflows/scorecard.yml around line 62, the workflow uses the
floating tag "actions/upload-artifact@v4"; replace this with the action pinned
to a full commit SHA (for example actions/upload-artifact@<full-commit-sha>) by
updating the uses line to reference the exact commit SHA for the upload-artifact
action to satisfy the OpenSSF Scorecard Pinned-Dependencies check.

with:
name: SARIF file
name: sarif-file
path: results.sarif
retention-days: 5

18 changes: 11 additions & 7 deletions apps/agent-provisioning/AFJ/scripts/docker_start_agent.sh
Expand Up @@ -17,6 +17,13 @@ PROTOCOL=${12}
TENANT=${13}
AFJ_VERSION=${14}
INDY_LEDGER=${15}
INBOUND_ENDPOINT=${16}
SCHEMA_FILE_SERVER_URL=${17}
AGENT_API_KEY=${18}
ADMIN_PORT_FILE="$PWD/agent-provisioning/AFJ/port-file/last-admin-port.txt"
INBOUND_PORT_FILE="$PWD/agent-provisioning/AFJ/port-file/last-inbound-port.txt"
ADMIN_PORT=8001
INBOUND_PORT=9001

Comment on lines +20 to 27
💡 Verification agent

🧩 Analysis chain

AGENT_API_KEY added: ensure it’s used consistently

You accept AGENT_API_KEY but do not mask it in logs and do not validate presence.

Run-time check:


🏁 Script executed:

#!/bin/sh
if [ -z "$AGENT_API_KEY" ]; then echo "AGENT_API_KEY is empty"; exit 1; fi

Length of output: 79


Validate and mask AGENT_API_KEY

  • In apps/agent-provisioning/AFJ/scripts/docker_start_agent.sh, immediately after
    AGENT_API_KEY=${18} add a guard:
    if [ -z "$AGENT_API_KEY" ]; then
      echo "error: AGENT_API_KEY is required" >&2
      exit 1
    fi
  • Ensure no logs print the raw API key—mask it (e.g. echo "AGENT_API_KEY=****").
🧰 Tools
🪛 Shellcheck (0.10.0)

[warning] 20-20: INBOUND_ENDPOINT appears unused. Verify use (or export if used externally).

(SC2034)

🤖 Prompt for AI Agents
In apps/agent-provisioning/AFJ/scripts/docker_start_agent.sh around lines 20 to
27, after the AGENT_API_KEY=${18} assignment add a guard that exits with a
non-zero status and writes an error to stderr if AGENT_API_KEY is empty, and
change any subsequent logging so the raw key is never printed (log a masked
value like "AGENT_API_KEY=****" instead); implement the guard and replace or
wrap any echo/printf that would output the key with a masked string.

echo "AGENCY: $AGENCY"
echo "EXTERNAL_IP: $EXTERNAL_IP"
Expand All @@ -34,11 +41,6 @@ echo "TENANT: $TENANT"
echo "AFJ_VERSION: $AFJ_VERSION"
echo "INDY_LEDGER: $INDY_LEDGER"

ADMIN_PORT_FILE="$PWD/agent-provisioning/AFJ/port-file/last-admin-port.txt"
INBOUND_PORT_FILE="$PWD/agent-provisioning/AFJ/port-file/last-inbound-port.txt"
ADMIN_PORT=8001
INBOUND_PORT=9001

increment_port() {
local port="$1"
local lower_limit="$2"
Expand Down Expand Up @@ -144,7 +146,9 @@ cat <<EOF >${CONFIG_FILE}
],
"webhookUrl": "$WEBHOOK_HOST/wh/$AGENCY",
"adminPort": $ADMIN_PORT,
"tenancy": $TENANT
"tenancy": $TENANT,
"schemaFileServerURL": "$SCHEMA_FILE_SERVER_URL",
"apiKey": "$AGENT_API_KEY"
}
EOF

Expand Down Expand Up @@ -225,7 +229,7 @@ if [ $? -eq 0 ]; then
container_logs=$(docker logs $(docker ps -q --filter "name=${AGENCY}_${CONTAINER_NAME}"))

# Extract the token from the logs using sed
token=$(echo "$container_logs" | sed -nE 's/.*API Token: ([^ ]+).*/\1/p')
token=$(echo "$container_logs" | sed -nE 's/.*** API Key: ([^ ]+).*/\1/p')

# Print the extracted token
echo "Token: $token"
Comment on lines 231 to 235
🛠️ Refactor suggestion

Fix fragile token extraction

The sed regex with unescaped asterisks is unreliable. Extract by key name.

-token=$(echo "$container_logs" | sed -nE 's/.*** API Key: ([^ ]+).*/\1/p')
+token=$(printf "%s" "$container_logs" | awk -F'API Key: ' '/API Key:/ {print $2}' | awk '{print $1; exit}')

Also avoid echoing the token.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In apps/agent-provisioning/AFJ/scripts/docker_start_agent.sh around lines 231 to
235, the sed expression using unescaped asterisks is fragile and the script
prints the token to stdout; change extraction to reliably parse by the literal
key name and capture the following non-whitespace chunk (for example use grep
-oP 'API Key:\s*\K\S+' or awk -F'API Key: ' '{print $2}' | awk '{print $1}'),
assign that to the token variable, and remove the echo that prints the token so
it is not written to stdout or logs.

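Review bot: The config heredoc (opened by `cat <<EOF >${CONFIG_FILE}` above the second hunk, so the block starts outside it) now writes `"apiKey": "$AGENT_API_KEY"` into a file created with the caller's default umask, which on a typical 022 umask leaves the agent key readable by every local user; add `chmod 600 "$CONFIG_FILE"` directly after the closing `EOF`, and the same applies to the matching hunk in apps/agent-provisioning/AFJ/scripts/start_agent.sh. The key and `SCHEMA_FILE_SERVER_URL` are also interpolated into JSON unescaped, so a value containing `"` or `\` yields a config file the agent cannot parse; if the platform generates the key, documenting the allowed character set is enough, otherwise escape the values before substitution. The redirection `>${CONFIG_FILE}` is left unquoted here while start_agent.sh quotes it in this same PR; `cat <<EOF >"$CONFIG_FILE"` keeps the two scripts consistent.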
9 changes: 5 additions & 4 deletions apps/agent-provisioning/AFJ/scripts/start_agent.sh
Expand Up @@ -19,7 +19,7 @@ AFJ_VERSION=${14}
INDY_LEDGER=${15}
INBOUND_ENDPOINT=${16}
SCHEMA_FILE_SERVER_URL=${17}

AGENT_API_KEY=${18}
ADMIN_PORT_FILE="$PWD/apps/agent-provisioning/AFJ/port-file/last-admin-port.txt"
INBOUND_PORT_FILE="$PWD/apps/agent-provisioning/AFJ/port-file/last-inbound-port.txt"
ADMIN_PORT=8001
Expand Down Expand Up @@ -122,7 +122,7 @@ if [ -f "$CONFIG_FILE" ]; then
rm "$CONFIG_FILE"
fi

cat <<EOF >${CONFIG_FILE}
cat <<EOF >"$CONFIG_FILE"
{
"label": "${AGENCY}_${CONTAINER_NAME}",
"walletId": "$WALLET_NAME",
Expand Down Expand Up @@ -154,7 +154,8 @@ cat <<EOF >${CONFIG_FILE}
"webhookUrl": "$WEBHOOK_HOST/wh/$AGENCY",
"adminPort": $ADMIN_PORT,
"tenancy": $TENANT,
"schemaFileServerURL": "$SCHEMA_FILE_SERVER_URL"
"schemaFileServerURL": "$SCHEMA_FILE_SERVER_URL",
"apiKey": "$AGENT_API_KEY"
}
EOF

Expand Down Expand Up @@ -238,7 +239,7 @@ if [ $? -eq 0 ]; then
container_logs=$(docker logs $(docker ps -q --filter "name=${AGENCY}_${CONTAINER_NAME}"))

# Extract the token from the logs using sed
token=$(echo "$container_logs" | sed -nE 's/.*API Token: ([^ ]+).*/\1/p')
token=$(echo "$container_logs" | sed -nE 's/.*** API Key: ([^ ]+).*/\1/p')
⚠️ Potential issue

Fix broken sed regex for API key extraction (pattern .*** is invalid).

The current regex won’t match and may error. Extract the first non-space token after “API Key:” robustly.

Apply:

-    token=$(echo "$container_logs" | sed -nE 's/.*** API Key: ([^ ]+).*/\1/p')
+    token=$(echo "$container_logs" | sed -nE 's/.*API Key:\s*([^[:space:]]+).*/\1/p' | head -n1)
+    if [ -z "$token" ]; then
+      echo "ERROR: Failed to parse API key from container logs"; exit 125
+    fi
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
token=$(echo "$container_logs" | sed -nE 's/.*** API Key: ([^ ]+).*/\1/p')
# Extract the first non-space token after "API Key:" and fail if not found
token=$(echo "$container_logs" \
| sed -nE 's/.*API Key:\s*([^[:space:]]+).*/\1/p' \
| head -n1)
if [ -z "$token" ]; then
echo "ERROR: Failed to parse API key from container logs" >&2
exit 125
fi
🤖 Prompt for AI Agents
In apps/agent-provisioning/AFJ/scripts/start_agent.sh around line 242, the sed
regex uses an invalid `.***` pattern so it fails to extract the API key; replace
the invalid sequence with a proper wildcard (use `.*`) and use a capture group
that matches the first non-space token after the literal "API Key:" (i.e.,
capture one or more non-space characters following "API Key:") while keeping sed
invoked with extended regex and -n so you print only the captured group.


# Print the extracted token
echo "Token: $token"
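Review bot: `AGENT_API_KEY=${18}` is taken from the positional argument with no presence check, so a caller that passes fewer than 18 arguments silently produces `"apiKey": ""` in the config heredoc of the third hunk and the agent starts with an empty key; add `: "${AGENT_API_KEY:?AGENT_API_KEY (argument 18) is required}"` right after the assignment. In the last hunk, `echo "Token: $token"` prints the parsed key to the provisioning output, where it lands in whatever captures this script's stdout; log only whether it was found, e.g. `if [ -n "$token" ]; then echo "Token: found"; else echo "Token: not found" >&2; fi`.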
84 changes: 75 additions & 9 deletions apps/agent-provisioning/AFJ/scripts/start_agent_ecs.sh
Expand Up @@ -19,11 +19,12 @@ AFJ_VERSION=${14}
INDY_LEDGER=${15}
INBOUND_ENDPOINT=${16}
SCHEMA_FILE_SERVER_URL=${17}
AGENT_HOST=${18}
AWS_ACCOUNT_ID=${19}
S3_BUCKET_ARN=${20}
CLUSTER_NAME=${21}
TESKDEFINITION_FAMILY=${22}
AGENT_API_KEY=${18}
AGENT_HOST=${19}
AWS_ACCOUNT_ID=${20}
S3_BUCKET_ARN=${21}
CLUSTER_NAME=${22}
TASKDEFINITION_FAMILY=${23}

DESIRED_COUNT=1

Expand All @@ -37,7 +38,7 @@ random_string=$(generate_random_string)
# Print the generated random string
echo "Random String: $random_string"

SERVICE_NAME="${AGENCY}-${CONTAINER_NAME}-service-${random_string}"
SERVICE_NAME="${CONTAINER_NAME}-service"
EXTERNAL_IP=$(echo "$2" | tr -d '[:space:]')
ADMIN_PORT_FILE="$PWD/agent-provisioning/AFJ/port-file/last-admin-port.txt"
INBOUND_PORT_FILE="$PWD/agent-provisioning/AFJ/port-file/last-inbound-port.txt"
Expand Down Expand Up @@ -153,7 +154,7 @@ CONTAINER_DEFINITIONS=$(
[
{
"name": "$CONTAINER_NAME",
"image": "${AFJ_IMAGE_URL}",
"image": "${AFJ_VERSION}",
"cpu": 154,
🛠️ Refactor suggestion

Fail fast when AFJ_VERSION is unset

Empty image fields cause ECS failures.

-    "image": "${AFJ_VERSION}",
+    "image": "${AFJ_VERSION}",

Add before building JSON:

: "${AFJ_VERSION:?AFJ_VERSION is required and must be a full image URI}"
🤖 Prompt for AI Agents
In apps/agent-provisioning/AFJ/scripts/start_agent_ecs.sh around lines 156-158,
the container image field uses ${AFJ_VERSION} which can be empty and causes ECS
failures; add a shell fail-fast check before building the JSON such as a
parameter expansion that exits with a clear message when AFJ_VERSION is unset or
empty (i.e. use : "${AFJ_VERSION:?AFJ_VERSION is required and must be a full
image URI}") so the script fails early with a helpful error instead of producing
an empty image field.

"memory": 307,
"portMappings": [
💡 Verification agent

🧩 Analysis chain

Image reference may be incomplete

"${AFJ_VERSION}" likely lacks registry/repo (needs ECR URI). Confirm value contains full image URL.


🏁 Script executed:

#!/bin/bash
echo "AFJ_VERSION=${AFJ_VERSION:-unset}"
# Expected format: <account>.dkr.ecr.<region>.amazonaws.com/<repo>:<tag>

Length of output: 42


AFJ_VERSION is unset, causing incomplete image reference
AFJ_VERSION is not set at runtime, so "image": "" in the task definition. Ensure AFJ_VERSION is populated with the full ECR image URI (<account>.dkr.ecr.<region>.amazonaws.com/<repo>:<tag>) before invoking apps/agent-provisioning/AFJ/scripts/start_agent_ecs.sh (lines 156–159).

🤖 Prompt for AI Agents
In apps/agent-provisioning/AFJ/scripts/start_agent_ecs.sh around lines 156 to
159, the AFJ_VERSION variable is unset so the task definition image field ends
up empty; ensure AFJ_VERSION is populated with the full ECR image URI before
building the JSON. Fix by exporting or assigning AFJ_VERSION earlier in the
script (or failing fast) to a value like
<account>.dkr.ecr.<region>.amazonaws.com/<repo>:<tag>, validate it’s non-empty
(exit with an error if empty), and use that validated variable when writing the
"image" property so the task definition contains a complete image reference.

Expand Down Expand Up @@ -194,6 +195,14 @@ CONTAINER_DEFINITIONS=$(
}
],
"volumesFrom": [],
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "/ecs/$TASKDEFINITION_FAMILY",
"awslogs-create-group": "true",
"awslogs-region": "$AWS_PUBLIC_REGION",
"awslogs-stream-prefix": "ecs"
},
"ulimits": []
}
]
Expand All @@ -204,7 +213,7 @@ EOF
TASK_DEFINITION=$(
cat <<EOF
{
"family": "$TESKDEFINITION_FAMILY",
"family": "$TASKDEFINITION_FAMILY",
"containerDefinitions": $CONTAINER_DEFINITIONS,
"executionRoleArn": "arn:aws:iam::${AWS_ACCOUNT_ID}:role/ecsTaskExecutionRole",
"volumes": [
Expand Down Expand Up @@ -262,6 +271,63 @@ if [ $? -eq 0 ]; then
sleep 10
fi
done
# Describe the ECS service and filter by service name
service_description=$(aws ecs describe-services --service $SERVICE_NAME --cluster $CLUSTER_NAME --region $AWS_PUBLIC_REGION)
⚠️ Potential issue

Use --services (plural) in aws ecs describe-services

CLI requires “--services”.

-service_description=$(aws ecs describe-services --service $SERVICE_NAME --cluster $CLUSTER_NAME --region $AWS_PUBLIC_REGION)
+service_description=$(aws ecs describe-services --services "$SERVICE_NAME" --cluster "$CLUSTER_NAME" --region "$AWS_PUBLIC_REGION")
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
service_description=$(aws ecs describe-services --service $SERVICE_NAME --cluster $CLUSTER_NAME --region $AWS_PUBLIC_REGION)
service_description=$(aws ecs describe-services --services "$SERVICE_NAME" --cluster "$CLUSTER_NAME" --region "$AWS_PUBLIC_REGION")
🤖 Prompt for AI Agents
In apps/agent-provisioning/AFJ/scripts/start_agent_ecs.sh around line 275, the
aws cli call uses the incorrect flag “--service”; change it to the required
plural “--services” and pass the SERVICE_NAME (and other variables) safely
(quoted) so the describe-services call succeeds; update the command to use
--services $SERVICE_NAME (preferably --services "$SERVICE_NAME") and ensure
consistency with other flags.

echo "service_description=$service_description"


# Extract Task ID from the service description events
task_id=$(echo "$service_description" | jq -r '.services[0].events[] | select(.message | test("has started 1 tasks")) | .message | capture("\\(task (?<id>[^)]+)\\)") | .id')
#echo "task_id=$task_id"

# to fetch log group of container
.............................................................
log_group=/ecs/$TASKDEFINITION_FAMILY
echo "log_group=$log_group"

# Get Log Stream Name
log_stream=ecs/$CONTAINER_NAME/$task_id

echo "logstrem=$log_stream"

# Check if the token folder exists, and create it if it doesn't
token_folder="$PWD/agent-provisioning/AFJ/token"
if [ ! -d "$token_folder" ]; then
mkdir -p "$token_folder"
fi

# Set maximum retry attempts
RETRIES=3

# Loop to attempt retrieving token from logs
# Loop to attempt retrieving token from logs
for attempt in $(seq 1 $RETRIES); do
echo "Attempt $attempt: Checking service logs for token..."

# Fetch logs and grep for API token
token=$(aws logs get-log-events \
--log-group-name "$log_group" \
--log-stream-name "$log_stream" \
--region $AWS_PUBLIC_REGION \
| grep -o '*** API Key: [^ ]*' \
| cut -d ' ' -f 3
)
# echo "token=$token"
if [ -n "$token" ]; then
echo "Token found: $token"
# Write token to a file
echo "{\"token\": \"$token\"}" > "$PWD/agent-provisioning/AFJ/token/${AGENCY}_${CONTAINER_NAME}.json"
break # Exit loop if token is found
else
echo "Token not found in logs. Retrying..."
if [ $attempt -eq $RETRIES ]; then
echo "Reached maximum retry attempts. Token not found."
fi
fi
# Add a delay of 10 seconds between retries
sleep 10
done


echo "Creating agent config"
cat <<EOF >${PWD}/agent-provisioning/AFJ/endpoints/${AGENCY}_${CONTAINER_NAME}.json
Expand All @@ -273,7 +339,7 @@ EOF

cat <<EOF >${PWD}/agent-provisioning/AFJ/token/${AGENCY}_${CONTAINER_NAME}.json
{
"token" : ""
"token" : "$token"
}
EOF

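Review bot: The line of dots (`.............................................................`) inside the new log-retrieval hunk is executed as a command name, so every run prints a "command not found" error; no `set -e` is visible in this section, so the script carries on, but the line should be deleted. A few lines later, `grep -o '*** API Key: [^ ]*' | cut -d ' ' -f 3` cannot return the key: whatever the leading `***` matches, the key is the fourth space-separated field of the match and field 3 is the literal `Key:`, so the token file ends up holding either `Key:` or nothing, and because `aws logs get-log-events` returns JSON, `[^ ]*` would also swallow the `\n"` that follows the key inside the message string. The rewrite below asks the CLI for the plain message text and takes the first value after `API Key:`; the retry loop around it is unchanged. `echo "Token found: $token"` additionally prints the key to the deployment log, and the token file is written twice (in the loop and again by the heredoc at the end of the section); one write followed by `chmod 600` on the result is enough.
```shell
  # Fetch the log messages as plain text and take the first value after "API Key:"
  token=$(aws logs get-log-events \
    --log-group-name "$log_group" \
    --log-stream-name "$log_stream" \
    --region "$AWS_PUBLIC_REGION" \
    --output text --query 'events[].message' \
    | sed -n 's/.*API Key: \([^[:space:]]*\).*/\1/p' \
    | head -n1
  )
  # … unchanged: retry handling and token file write …
```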