release: staging → main (event trigger fixes, fee classification, JWT API key, sentry logging) (#509)

Co-authored-by: Will Zimmerman <will@avaprotocol.org>

Author: chrisli30

.github/scripts/generate-test-config.sh

@@ -8,9 +8,15 @@ echo "Generating test config files from example template..."
 
 mkdir -p config
 
-# Prepend protocols to CHAIN_ENDPOINT (which is just the domain)
-CHAIN_RPC="https://${CHAIN_ENDPOINT}"
-CHAIN_WS="wss://${CHAIN_ENDPOINT}"
+# Strip any leading scheme (https://, http://, wss://, ws://) so we can
+# safely prepend the right one. The Test-environment secret may store
+# either a hostname-only form or a full URL depending on how it was set.
+CHAIN_HOST="${CHAIN_ENDPOINT#https://}"
+CHAIN_HOST="${CHAIN_HOST#http://}"
+CHAIN_HOST="${CHAIN_HOST#wss://}"
+CHAIN_HOST="${CHAIN_HOST#ws://}"
+CHAIN_RPC="https://${CHAIN_HOST}"
+CHAIN_WS="wss://${CHAIN_HOST}"
 
 # Copy example file as base
 cp config/aggregator.example.yaml config/aggregator-sepolia.yaml

.github/workflows/run-test-on-pr.yml

@@ -88,8 +88,8 @@ jobs:
       - name: Setup test configuration
         uses: ./.github/actions/setup-test-config
         with:
-          chain-endpoint: ${{ vars.CHAIN_ENDPOINT }}
-          bundler-rpc: ${{ vars.BUNDLER_RPC }}
+          chain-endpoint: ${{ secrets.CHAIN_ENDPOINT }}
+          bundler-rpc: ${{ secrets.BUNDLER_RPC }}
           tenderly-account: ${{ vars.TENDERLY_ACCOUNT }}
           tenderly-project: ${{ vars.TENDERLY_PROJECT }}
           controller-private-key: ${{ secrets.CONTROLLER_PRIVATE_KEY }}
@@ -150,8 +150,8 @@ jobs:
       - name: Setup test configuration
         uses: ./.github/actions/setup-test-config
         with:
-          chain-endpoint: ${{ vars.CHAIN_ENDPOINT }}
-          bundler-rpc: ${{ vars.BUNDLER_RPC }}
+          chain-endpoint: ${{ secrets.CHAIN_ENDPOINT }}
+          bundler-rpc: ${{ secrets.BUNDLER_RPC }}
           tenderly-account: ${{ vars.TENDERLY_ACCOUNT }}
           tenderly-project: ${{ vars.TENDERLY_PROJECT }}
           controller-private-key: ${{ secrets.CONTROLLER_PRIVATE_KEY }}

CLAUDE.md

@@ -81,6 +81,19 @@ cd contracts && forge test    # Run contract tests
 - **BigCache**: In-memory caching layer
 - **Migrations**: Versioned database migrations for schema changes
 
+### Inspecting Aggregator Data (BadgerDB)
+
+To read the live aggregator's stored task/execution state (e.g. the actual EventTrigger topics array as persisted, not the high-level CreateTask log summary), use the `examples/example.ts` CLI in the `ava-sdk-js` repo. It speaks the gRPC API against whatever endpoint the loaded `.env` points at (`localhost:2206` for the local `dev` aggregator).
+
+```bash
+cd <path-to-ava-sdk-js>/examples
+yarn start getWorkflow <task_id>     # full task: trigger queries, nodes, edges, inputVariables
+yarn start getExecution <task_id> <execution_id>
+yarn start listWorkflows
+```
+
+The `getWorkflow` output is the ground truth — it shows the trigger's `topics`, `addresses`, and `inputVariables` exactly as stored. Prefer this over inferring state from log lines, since `engine.CreateTask` does not dump the full trigger payload to the aggregator log.
+
 ## Code Style
 
 ### Go Naming Conventions

aggregator/aggregator.go

@@ -253,7 +253,7 @@ func (agg *Aggregator) migrate() {
 	agg.backup = backup.NewService(agg.logger, agg.db, agg.config.BackupDir)
 	agg.migrator = migrator.NewMigrator(agg.db, agg.backup, migrations.Migrations)
 	if err := agg.migrator.Run(); err != nil {
-		agg.logger.Error("Failed to run database migrations", "error", err.Error())
+		agg.logger.Error("Failed to run database migrations", "error", err)
 		panic("database migration failed - cannot continue")
 	}
 }

aggregator/auth.go

@@ -249,8 +249,15 @@ func (r *RpcServer) verifyAuth(ctx context.Context) (*model.User, error) {
 			return nil, fmt.Errorf("%s: invalid chainId in audience", auth.InvalidAuthenticationKey)
 		}
 
+		subject, _ := claims["sub"].(string)
+		if !common.IsHexAddress(subject) {
+			r.config.Logger.Error("API key has invalid/non-address subject; refusing to derive smart wallet",
+				"subject", subject)
+			return nil, fmt.Errorf("%s: subject must be a valid EOA address", auth.InvalidAuthenticationKey)
+		}
+
 		user := model.User{
-			Address: common.HexToAddress(claims["sub"].(string)),
+			Address: common.HexToAddress(subject),
 		}
 
 		// caching to reduce hitting eth rpc node

aggregator/key.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/AvaProtocol/EigenLayer-AVS/core/auth"
 	"github.com/AvaProtocol/EigenLayer-AVS/core/config"
+	"github.com/ethereum/go-ethereum/common"
 	"github.com/golang-jwt/jwt/v5"
 )
 
@@ -30,6 +31,10 @@ func CreateAdminKey(configPath string, opt CreateApiKeyOption) error {
 		return fmt.Errorf("error: subject cannot be empty")
 	}
 
+	if !common.IsHexAddress(opt.Subject) {
+		return fmt.Errorf("error: subject must be a valid 0x-prefixed EOA address (got %q). The subject is used as the owner identity bound to this API key.", opt.Subject)
+	}
+
 	if len(opt.Roles) < 1 {
 		return fmt.Errorf("error: at least one role is required")
 	}

aggregator/rpc_server.go

@@ -962,7 +962,7 @@ func (r *RpcServer) SimulateTask(ctx context.Context, req *avsproto.SimulateTask
 		r.config.Logger.Error("simulate task failed",
 			"user", user.Address.String(),
 			"trigger_name", req.Trigger.Name,
-			"error", err.Error(),
+			"error", err,
 		)
 		return nil, status.Errorf(codes.Internal, "simulation failed: %v", err)
 	}
@@ -1080,7 +1080,7 @@ func (r *RpcServer) handlePaginationError(err error, methodName string, userAddr
 	// Prepare logging fields for non-pagination errors
 	logFields := []interface{}{
 		"user", userAddr,
-		"error", err.Error(),
+		"error", err,
 	}
 
 	// Add context-specific fields
@@ -1233,7 +1233,7 @@ func (r *RpcServer) EstimateFees(ctx context.Context, req *avsproto.EstimateFees
 	resp, err := feeEstimator.EstimateFees(ctx, req)
 	if err != nil {
 		r.config.Logger.Error("failed to estimate fees",
-			"error", err.Error(),
+			"error", err,
 			"user", user.Address.String(),
 			"trigger_type", req.Trigger.Type.String())
 		return nil, status.Errorf(codes.Internal, "failed to estimate fees: %v", err)
@@ -1326,7 +1326,7 @@ func (agg *Aggregator) startRpcServer(ctx context.Context) error {
 
 	goSafe(func() {
 		if err := s.Serve(lis); err != nil {
-			agg.logger.Error("gRPC server failed to serve", "error", err.Error())
+			agg.logger.Error("gRPC server failed to serve", "error", err)
 		}
 	})
 	return nil

aggregator/task_engine.go

@@ -117,15 +117,15 @@ func (agg *Aggregator) startTaskEngine(ctx context.Context) {
 		taskengine.JobTypeExecuteTask,
 		taskExecutor,
 	); err != nil {
-		agg.logger.Error("failed to register task processor", "error", err.Error())
+		agg.logger.Error("failed to register task processor", "error", err)
 	}
 	if err := agg.engine.MustStart(); err != nil {
-		agg.logger.Error("failed to start task engine", "error", err.Error())
+		agg.logger.Error("failed to start task engine", "error", err)
 	}
 
 	queueErr := agg.queue.MustStart()
 	if queueErr != nil {
-		agg.logger.Error("failed to start task queue", "error", queueErr.Error())
+		agg.logger.Error("failed to start task queue", "error", queueErr)
 	}
 
 	// Start periodic cleanup with environment-specific intervals

cmd/createAdminKey.go

@@ -1,6 +1,9 @@
 package cmd
 
 import (
+	"fmt"
+	"os"
+
 	"github.com/AvaProtocol/EigenLayer-AVS/aggregator"
 
 	"github.com/spf13/cobra"
@@ -10,16 +13,21 @@ var (
 	apiKeyOption = aggregator.CreateApiKeyOption{}
 	createApiKey = &cobra.Command{
 		Use:   "create-api-key",
-		Short: "Create a long live JWT key to interact with userdata of AVS",
-		Long:  `Create an JWT key that allow one to manage user tasks. This key cannot control operator aspect, only user storage such as tasks management`,
+		Short: "Create a long-lived JWT key to interact with user data of AVS",
+		Long: `Create a JWT key that allows one to manage user tasks. This key cannot control operator aspect, only user storage such as tasks management.
+
+The --subject flag must be a 0x-prefixed EOA address. The auth layer treats the JWT subject as the owner address and derives a smart wallet from it (see aggregator/auth.go), so any non-address subject will fail authentication.`,
 		Run: func(cmd *cobra.Command, args []string) {
-			aggregator.CreateAdminKey(config, apiKeyOption)
+			if err := aggregator.CreateAdminKey(config, apiKeyOption); err != nil {
+				fmt.Fprintln(os.Stderr, err)
+				os.Exit(1)
+			}
 		},
 	}
 )
 
 func init() {
 	createApiKey.Flags().StringArrayVar(&(apiKeyOption.Roles), "role", []string{}, "Role for API Key")
-	createApiKey.Flags().StringVarP(&(apiKeyOption.Subject), "subject", "s", "admin", "subject name to be use for jwt api key")
+	createApiKey.Flags().StringVarP(&(apiKeyOption.Subject), "subject", "s", "", "owner EOA address (0x...) bound to this API key; required")
 	rootCmd.AddCommand(createApiKey)
 }

core/apqueue/worker.go

@@ -101,7 +101,7 @@ func (w *Worker) ProcessSignal(jid uint64) {
 				"job_id", jid,
 				"task_id", job.Name,
 				"job_type", job.Type,
-				"error", err.Error())
+				"error", err)
 		}
 	}
 }