fix(evm-wallet-experiment): unblock docker e2e stack#945
Merged
Conversation
Foundry nightly 1.6.0-nightly (9439c7bdb9 2026-04-22) requires a CA bundle on disk even for plain-http localhost RPC calls. Without it, `cast bn` in the container entrypoint's wait loop fails with "No CA certificates were loaded from the system", so the entrypoint never deploys the delegation framework contracts, `contracts.json` is never written, and the evm container never goes healthy — blocking the whole Docker e2e stack. Pre-existing issue surfaced while running docker:e2e for PR #943. Not related to the SES-lockdown cleanup theme, but blocks verification. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…s only After PR #942 (Snaps network endowment factory) introduced the `network-caveat.ts` matcher with strict "hostname-only, no port" semantics (see packages/ocap-kernel/src/vats/network-caveat.ts:17-20), the e2e allowlist entries `['evm:8545', 'bundler:4337']` never match `URL.hostname` (which is just `'evm'` / `'bundler'`). Every fetch out of the provider vat was rejected with "Invalid host: evm", causing every docker e2e test to fail at `createSmartAccount`. Drop the ports to match the caveat's contract. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…win wrapper The `away-coordinator.transferNative` / `transferFungible` wrappers (introduced in PR #939 when the coordinator was split) wrap per-twin rejections as `throw new Error('All delegation twins failed', { cause: errors })`. The kernel's RPC error serialization only propagates `Error.message`, not `Error.cause`, so callers (including `run-delegation-twin-e2e.mjs`) only see the generic "All delegation twins failed" — which loses the actual reason (e.g. "Insufficient budget: requested 3, remaining 2"). Concatenate the cause messages into the wrapper's message text so the specific per-twin rejection reason survives to the caller. Keep the structured `cause` array intact for programmatic consumers. Unblocks the "enforces cumulativeSpend locally" assertion in the delegation-twin docker e2e test. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
Coverage Report
File Coverage
|
||||||||||||||||||||||||||||||||||||||
rekmarks
approved these changes
Apr 24, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Three independent pre-existing fixes that unblock the docker e2e stack. Found while verifying #943 locally; scoped separately.
ca-certificatesin the evm image — Foundry nightly 2026-04-22 needs a CA bundle even forhttp://localhost;node:22-slimships without one, socast bnhangs forever and theevmcontainer never goes healthy.ALLOWED_HOSTShostnames only —network-caveat.ts(added in feat(ocap-kernel): integrate Snaps network endowment factory #942) matchesURL.hostname, which never has a port.'evm:8545'never matched'evm', so every provider-vat fetch was rejected.away-coordinatorwraps per-twin failures asError('All delegation twins failed', { cause }); kernel RPC only serializes.message, so the'Insufficient budget'reason was invisible to callers. Concat the cause messages into the outer message.Verification
bundler-7702,bundler-hybrid,peer-relay).🤖 Generated with Claude Code