operator-workstation.test.env
# AgentKeys operator-workstation env file — TEST INSTANCE.
#
# Parallel of scripts/operator-workstation.env (which targets prod).
# Source on YOUR LAPTOP (or have the GH Actions runner write it from
# secrets) when running setup-cloud.sh / setup-heima.sh / the harness
# against the test broker + test buckets + test contracts.
#
# Isolation strategy: SAME AWS account as prod, with distinct IAM roles,
# distinct S3 buckets, a distinct OIDC issuer and distinct DNS subdomains,
# all suffixed `-test`. The test stack and the prod stack share neither
# trust policies nor bucket grants, so a leaked test role credential cannot
# reach prod data. The boundary is the IAM role trust policy and the bucket
# policy, not the account: the `agentkeys-admin` profile used below spans
# both stacks, so guard that credential accordingly.
#
# Usage:
# awsp agentkeys-admin
# set -a; source ./operator-workstation.test.env; set +a
# bash scripts/setup-cloud.sh --env-file scripts/operator-workstation.test.env --yes
#
# Committed as-is: this file contains no secrets. Real AWS creds live in
# the operator's secret manager / GitHub repo secrets store.
ACCOUNT_ID=429071895007
REGION=us-east-1
# Test broker hostname (DNS A record provisioned by setup-cloud.sh
# step 6 when --test is passed). Treat it as permanent: AWS matches the
# JWT `iss` claim against the OIDC provider URL exactly, and the provider
# ARN below embeds this host, so renaming it means a new provider and
# new trust policies on every test role.
BROKER_HOST=test-broker.litentry.org
# Parent DNS zone — same as prod (the `-test` lives in the subdomain).
ZONE=litentry.org
PARENT_ZONE_ID=Z09723983CFJOHAE3VC65
# Test mail bucket + subdomain.
BUCKET=agentkeys-mail-test-${ACCOUNT_ID}
MAIL_BUCKET=agentkeys-mail-test-${ACCOUNT_ID}
MAIL_DOMAIN=bots-test.litentry.org
# Test OIDC issuer. Its provider ARN differs from prod's by construction:
# `aws iam create-open-id-connect-provider` derives the ARN from --url.
OIDC_ISSUER=https://${BROKER_HOST}
OIDC_PROVIDER_ARN=arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${BROKER_HOST}
# Test data + per-data-class roles. Distinct trust policy (federated on
# the TEST OIDC provider only) so prod JWTs cannot assume these and
# test JWTs cannot assume prod roles.
DATA_ROLE_ARN=arn:aws:iam::${ACCOUNT_ID}:role/agentkeys-data-role-test
VAULT_ROLE_ARN=arn:aws:iam::${ACCOUNT_ID}:role/agentkeys-vault-role-test
MEMORY_ROLE_ARN=arn:aws:iam::${ACCOUNT_ID}:role/agentkeys-memory-role-test
# Test per-data-class buckets.
VAULT_BUCKET=agentkeys-vault-test-${ACCOUNT_ID}
MEMORY_BUCKET=agentkeys-memory-test-${ACCOUNT_ID}
# Test signer + worker subdomains. All A-record-pointed at the test
# broker EIP (single-tenant test host, same as prod's single-tenant
# pattern).
SIGNER_HOST=signer-test.${BROKER_HOST#*.}
AGENTKEYS_SIGNER_URL=https://${SIGNER_HOST}
BACKEND_URL=${AGENTKEYS_SIGNER_URL}
WORKER_AUDIT_HOST=audit-test.${BROKER_HOST#*.}
WORKER_EMAIL_HOST=email-test.${BROKER_HOST#*.}
WORKER_CRED_HOST=cred-test.${BROKER_HOST#*.}
WORKER_MEMORY_HOST=memory-test.${BROKER_HOST#*.}
AGENTKEYS_WORKER_AUDIT_URL=https://${WORKER_AUDIT_HOST}
AGENTKEYS_WORKER_EMAIL_URL=https://${WORKER_EMAIL_HOST}
AGENTKEYS_WORKER_CRED_URL=https://${WORKER_CRED_HOST}
AGENTKEYS_WORKER_MEMORY_URL=https://${WORKER_MEMORY_HOST}
AGENTKEYS_SESSION_STORE=file
# Test sender — verified separately from prod's sender. Both can coexist
# under the same SES domain identity if MAIL_DOMAIN is shared, but the
# default here uses a distinct `bots-test.` subdomain for blast-radius
# isolation at the SES level too.
BROKER_EMAIL_FROM_ADDRESS=noreply-test@${MAIL_DOMAIN}
# Test contract addresses on Heima mainnet (same chain as prod, but
# deployed by a DIFFERENT test deployer key → different addresses via
# (deployer, nonce) derivation). Pin these AFTER one-shot deploy via:
# AGENTKEYS_CHAIN=heima HEIMA_DEPLOYER_KEY_FILE=~/.agentkeys/heima-deployer-test.key \
# MAINNET_CONFIRM=1 bash scripts/setup-heima.sh --from-step 4 --to-step 8
#
# Placeholders below — replace with real test addresses post-deploy.
SCOPE_CONTRACT_ADDRESS_HEIMA=0x338d68D73Ab664c8Fc100b9B307Aded5F6BAc3b7
SIDECAR_REGISTRY_ADDRESS_HEIMA=0x7d58c1A7e7C2a91F5A5a5331CAb28174616af0F5
K3_EPOCH_COUNTER_ADDRESS_HEIMA=0x82a6D4E47D8C8Df2F00A18e022F1CDD0FC1A2044
CREDENTIAL_AUDIT_ADDRESS_HEIMA=0xEB9C31aFbE1BC3cfbB218F554148b456095deF9b
# P256 + K11 verifiers are SHARED pre-deployed contracts — same address on
# prod and test. Not deployed by setup-heima.sh; mirror the prod values.
P256_VERIFIER_ADDRESS_HEIMA=0xda5b772f9d6c09abe80414eea908612df9b54749
K11_VERIFIER_ADDRESS_HEIMA=0x5a441431f08e0f5f5ed10659620cb4e0e814e627
# Test deployer wallet address (operator-provided; key file lives at
# $HEIMA_DEPLOYER_KEY_FILE — never committed).
HEIMA_DEPLOYER_ADDR_HEIMA=0x9FE9e6c208e9e75D2A19a5c2683127c33896F259
# EC2 + EIP wiring lives in scripts/broker.test.env (the test broker-machine
# env file) — those values identify the test broker host, not operator-account
# identifiers. setup-cloud.sh sources broker.test.env after this file when
# --test (or env-file path matches *test*) is set.
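The isolation argument above rests on two things that are easy to get wrong silently: sourcing the prod env file instead of this one, and a test role whose trust policy federates on something other than the test OIDC provider. The following preflight is an added example, not code from the AgentKeys repo or its scripts. It reads a constructed excerpt of this file (same syntax, including the `${BROKER_HOST#*.}` form), checks that every role, bucket and OIDC identifier is the `-test` variant in `ACCOUNT_ID` and that `OIDC_ISSUER` and `OIDC_PROVIDER_ARN` agree with `BROKER_HOST`, and then checks a role trust policy for the properties the comments promise: federated on the test provider only, `sts:AssumeRoleWithWebIdentity` only, and `aud` pinned. The function names, the audience string `agentkeys-test`, the prod-like provider host `broker.example` and both sample policies are this example's assumptions.

```python
"""Preflight for an AgentKeys test env file (added example, not project code).

Checks (1) every account-scoped identifier is the -test variant in ACCOUNT_ID,
so sourcing the prod file by mistake is caught before setup-cloud.sh runs, and
(2) a role trust policy federates on the TEST OIDC provider only, allows only
sts:AssumeRoleWithWebIdentity, and pins aud. Names, the audience string and
the sample policies are assumptions made for this example.
"""
import json
import re

# Constructed excerpt in the env file's own syntax (values taken from the file).
SAMPLE_ENV = """\
ACCOUNT_ID=429071895007
BROKER_HOST=test-broker.litentry.org
BUCKET=agentkeys-mail-test-${ACCOUNT_ID}
OIDC_ISSUER=https://${BROKER_HOST}
OIDC_PROVIDER_ARN=arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${BROKER_HOST}
DATA_ROLE_ARN=arn:aws:iam::${ACCOUNT_ID}:role/agentkeys-data-role-test
VAULT_BUCKET=agentkeys-vault-test-${ACCOUNT_ID}
SIGNER_HOST=signer-test.${BROKER_HOST#*.}
"""

_REF = re.compile(r"\$\{(\w+)(#\*\.)?\}")


def load_env(text):
    """Read KEY=VALUE lines, expanding ${VAR} and the ${VAR#*.} form the file uses."""
    env = {}

    def expand(m):
        val = env.get(m.group(1), "")
        if m.group(2):  # ${VAR#*.}: drop everything through the first dot
            return val.split(".", 1)[1] if "." in val else val
        return val

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = _REF.sub(expand, value.strip())
    return env


def preflight(env):
    """Findings for the env itself; an empty list means it is a test-stack file."""
    out = []
    acct = env.get("ACCOUNT_ID", "")
    host = env.get("BROKER_HOST", "")
    if not re.fullmatch(r"\d{12}", acct):
        out.append("ACCOUNT_ID is not a 12-digit AWS account id")
    for key, val in env.items():
        if key.endswith("_ROLE_ARN"):
            if not val.startswith(f"arn:aws:iam::{acct}:role/"):
                out.append(f"{key}: role is not in ACCOUNT_ID")
            if not val.endswith("-test"):
                out.append(f"{key}: missing -test suffix ({val})")
        elif key.endswith("_BUCKET") and not val.endswith(f"-test-{acct}"):
            out.append(f"{key}: missing -test-<account> suffix ({val})")
    if "test" not in host:
        out.append("BROKER_HOST does not name the test broker")
    # AWS matches the token's iss claim against the provider URL, so these two
    # variables must agree exactly with BROKER_HOST.
    if env.get("OIDC_ISSUER") != f"https://{host}":
        out.append("OIDC_ISSUER must be exactly https://$BROKER_HOST")
    if env.get("OIDC_PROVIDER_ARN") != f"arn:aws:iam::{acct}:oidc-provider/{host}":
        out.append("OIDC_PROVIDER_ARN does not point at BROKER_HOST in ACCOUNT_ID")
    return out


def check_trust_policy(policy, env, audience):
    """Findings for a test role's trust policy (policy is the parsed JSON document)."""
    out = []
    provider, host = env["OIDC_PROVIDER_ARN"], env["BROKER_HOST"]
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        fed = st.get("Principal", {}).get("Federated")
        for f in (fed if isinstance(fed, list) else [fed]):
            if f != provider:
                out.append(f"statement {i}: federated principal {f!r} is not the test provider")
        act = st.get("Action")
        if (act if isinstance(act, list) else [act]) != ["sts:AssumeRoleWithWebIdentity"]:
            out.append(f"statement {i}: action must be exactly sts:AssumeRoleWithWebIdentity")
        aud = st.get("Condition", {}).get("StringEquals", {}).get(f"{host}:aud")
        if aud != audience:
            out.append(f"statement {i}: aud not pinned to {audience!r}")
    return out


# Constructed trust policies: GOOD is what a test data role should carry; BAD
# federates on a hypothetical prod provider and omits the aud condition.
GOOD_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Federated": "arn:aws:iam::429071895007:oidc-provider/test-broker.litentry.org"},
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {"StringEquals": {"test-broker.litentry.org:aud": "agentkeys-test"}}}]}""")
BAD_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Federated": "arn:aws:iam::429071895007:oidc-provider/broker.example"},
  "Action": "sts:AssumeRoleWithWebIdentity"}]}""")

if __name__ == "__main__":
    env = load_env(SAMPLE_ENV)
    print("env:", preflight(env) or "ok")
    print("good role:", check_trust_policy(GOOD_POLICY, env, "agentkeys-test") or "ok")
    print("bad role:", check_trust_policy(BAD_POLICY, env, "agentkeys-test"))
```

In practice the policy document would come from `aws iam get-role` for each `*_ROLE_ARN` in the file rather than from an inline constant; the point of the check is that a policy which trusts any provider other than `OIDC_PROVIDER_ARN`, or leaves `aud` unpinned, breaks the "test JWTs cannot assume prod roles" property this file relies on.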