Skip to content

docs: update the usage of create-api-key aggregator command#206

Merged
chrisli30 merged 3 commits into
mainfrom
staging
Apr 8, 2026
Merged

docs: update the usage of create-api-key aggregator command#206
chrisli30 merged 3 commits into
mainfrom
staging

Conversation

@chrisli30

Copy link
Copy Markdown
Member
  • ci: read CHAIN_ENDPOINT and BUNDLER_URL from secrets
  • docs: update the usage of create-api-key aggregator command
  • docs(examples): document getExecutions/getExecution and AVS_API_KEY setup

prod-test-on-pr.yml: read CHAIN_ENDPOINT from per-environment secrets
instead of plaintext variables. Each matrix env (sepolia/ethereum/base/
base-sepolia) now carries its own chain-specific value as a secret.

dev-test-on-pr.yml: read BUNDLER_URL from secrets. The bundler URL
embeds an apikey query parameter and was previously a plaintext repo
variable, exposing it in workflow logs.
…etup

Add CLI usage examples for getExecutions and getExecution to the example.ts
header, and a dedicated section explaining how to mint an AVS_API_KEY
(create-api-key with an EOA subject) and how the loader picks it up from
.env.dev. Also enable .env.dev auto-loading so the dev environment behaves
like every other env file.
@chrisli30 chrisli30 changed the title staging docs: update the usage of create-api-key aggregator command Apr 8, 2026
@chrisli30 chrisli30 merged commit 47fa404 into main Apr 8, 2026
7 checks passed
@claude

claude Bot commented Apr 8, 2026

Copy link
Copy Markdown

PR Review — docs: update create-api-key usage + CI secrets

Overall this is a clean, well-scoped PR with good documentation improvements. The commit messages are clear and explain the why for each change. A few items worth discussing before merging:


Bug / Usability Issue

package.json — hardcoded address in apikey-gen script

-"apikey-gen": "... --subject=apikey ..."
+"apikey-gen": "... --subject=0x804e49e8C4eDb560AE7c48B554f6d2e27Bb81557 ..."

The old --subject=apikey was broken (not a valid EOA), but the fix introduces a different problem: 0x804e49e8C4eDb560AE7c48B554f6d2e27Bb81557 is hardcoded — presumably the address derived from the CI's TEST_PRIVATE_KEY. Local developers with a different TEST_PRIVATE_KEY will silently generate an API key bound to someone else's address. Requests authenticated with that key will either fail or return data for the wrong owner.

Suggestion — derive the address from TEST_PRIVATE_KEY dynamically in the script, or replace the address with a placeholder and print a hint:

# Option A: use a placeholder and fail loudly
"apikey-gen": "sh -c '[ -n \"$SUBJECT_ADDRESS\" ] || (echo \"ERROR: set SUBJECT_ADDRESS to your wallet address\" && exit 1); API_KEY=$(docker compose exec aggregator /ava create-api-key --role=admin --subject=$SUBJECT_ADDRESS) && ...'",

# Option B: derive from TEST_PRIVATE_KEY via cast/ethers if available

The CI use (dev-test-on-pr.yml) is fine as long as the hardcoded address matches what the CI's TEST_PRIVATE_KEY yields — but there's no assertion of that in the workflow, so a future key rotation could silently break tests.


Minor Issues

CHAIN_ENDPOINT secrets migration — silent failure risk

Moving from vars to secrets is correct (per commit message, endpoints embed API keys). One thing to verify: each of the four matrix environments (sepolia, ethereum, base, base-sepolia) must now have CHAIN_ENDPOINT configured as a GitHub environment secret, not a variable. If any environment is missing it, the workflow will receive an empty string and likely fail with a confusing error rather than a missing-secret message. GitHub doesn't warn on missing secrets the way it does for missing required inputs.

.env.dev loading fix — dotenv precedence

-if (currentEnv && currentEnv !== "dev") {
+if (currentEnv) {

This is the right fix (.env.dev was being silently skipped for the default dev environment). One edge case: dotenv loads the first occurrence of a key and ignores subsequent ones by default. Since .env is loaded before .env.dev, any key set in both files will use the .env value — .env.dev overrides won't work. This is probably fine for now but worth documenting in the comment block above if users are expected to put AVS_API_KEY in .env.dev.


What's Good

  • The README.md change correctly documents that --subject must be a 0x-prefixed EOA address — this was a real footgun with the old --subject=apikey placeholder.
  • The examples/example.ts header additions for getExecutions/getExecution CLI commands are clear and follow the existing pattern.
  • The AVS_API_KEY setup documentation in the example file is thorough and should unblock new contributors who were confused about how to mint the JWT.
  • Moving BUNDLER_URL to secrets is correct — the commit message confirms it embeds an API key query parameter.

Verdict: The documentation improvements are solid. The main concern is the hardcoded address in apikey-gen — it will silently break local dev for anyone whose wallet differs from that address. Recommend addressing that before merge (or at minimum adding a comment warning users to replace it).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants