Add chain_code setup instructions and integrate chain_code into configuration

Author: vietddude

INSTALLATION.md

@@ -56,6 +56,29 @@ Detailed steps can be found in [SETUP.md](SETUP.md).
 
 ---
 
+## chain_code setup (required)
+
+Generate one 32-byte hex chain code and set it in all configs:
+
+```bash
+cd /home/carmy/Documents/works/mpcium
+CC=$(openssl rand -hex 32) && echo "$CC" > .chain_code
+sed -i -E "s|^([[:space:]]*chain_code:).*|\1 \"$CC\"|" config.yaml
+for n in node0 node1 node2; do
+  sed -i -E "s|^([[:space:]]*chain_code:).*|\1 \"$CC\"|" "$n/config.yaml"
+done
+```
+
+Start nodes normally (no env export needed):
+
+```bash
+cd node0 && mpcium start -n node0
+```
+
+Repeat for `node1` and `node2`. The value must be exactly 64 hex chars (32 bytes).
+
+---
+
 ## Production Deployment (High Security)
 
 1. Use production-grade **NATS** and **Consul** clusters.

README.md

@@ -133,6 +133,18 @@ The application uses a YAML configuration file (`config.yaml`) with the followin
 - `event_initiator_pubkey`: Public key of the event initiator
 - `max_concurrent_keygen`: Maximum concurrent key generation operations
 
+#### chain_code (required)
+- Mpcium derives child keys using a master chain code.
+- Provide a single 32-byte hex value in `config.yaml` under `chain_code`, and use the same value for all nodes.
+- Example to generate once and set:
+```bash
+CC=$(openssl rand -hex 32)
+sed -i -E "s|^([[:space:]]*chain_code:).*|\1 \"$CC\"|" config.yaml
+for n in node0 node1 node2; do
+  sed -i -E "s|^([[:space:]]*chain_code:).*|\1 \"$CC\"|" "$n/config.yaml"
+done
+```
+
 ## Installation
 
 - **Local Development**: For quick setup and testing, see [INSTALLATION.md](./INSTALLATION.md)

cmd/mpcium/main.go

@@ -203,7 +203,8 @@ func runNode(ctx context.Context, c *cli.Command) error {
 	peerNodeIDs := GetPeerIDs(peers)
 	peerRegistry := mpc.NewRegistry(nodeID, peerNodeIDs, consulClient.KV(), directMessaging, pubsub, identityStore)
 
-	ckd, err := mpc.NewCKD()
+	chainCodeHex := viper.GetString("chain_code")
+	ckd, err := mpc.NewCKDFromHex(chainCodeHex)
 	if err != nil {
 		logger.Fatal("Failed to create ckd store", err)
 	}
@@ -449,6 +450,14 @@ func checkRequiredConfigValues(appConfig *config.AppConfig) {
 	if viper.GetString("event_initiator_pubkey") == "" {
 		logger.Fatal("Event initiator public key is required", nil)
 	}
+
+	chainCode := strings.TrimSpace(viper.GetString("chain_code"))
+	if chainCode == "" {
+		logger.Fatal("chain_code is required in config.yaml", nil)
+	}
+	if len(chainCode) != 64 { // 32 bytes hex
+		logger.Fatal("chain_code must be 32-byte hex (64 chars)", nil)
+	}
 }
 
 func NewConsulClient(addr string) *api.Client {

pkg/config/init.go

@@ -17,6 +17,7 @@ type AppConfig struct {
 
 	Environment    string `mapstructure:"environment"`
 	BadgerPassword string `mapstructure:"badger_password"`
+	ChainCodeHex   string `mapstructure:"chain_code"`
 }
 
 // Implement masking serializer AppConfig

pkg/mpc/ckd.go

@@ -33,26 +33,35 @@ type CKD struct {
 	mu              sync.RWMutex
 }
 
-// NewCKD loads chain code from environment variable CHAIN_CODE (hex-encoded).
-func NewCKD() (*CKD, error) {
-	envVal := os.Getenv("CHAIN_CODE")
-	if envVal == "" {
-		return nil, fmt.Errorf("CHAIN_CODE not set in environment")
+// NewCKDFromHex creates CKD from a hex-encoded chain code string (32 bytes).
+func NewCKDFromHex(hexStr string) (*CKD, error) {
+	if hexStr == "" {
+		return nil, fmt.Errorf("chain code is empty")
 	}
 
-	code, err := hex.DecodeString(envVal)
+	code, err := hex.DecodeString(hexStr)
 	if err != nil {
-		return nil, fmt.Errorf("invalid CHAIN_CODE hex: %w", err)
+		return nil, fmt.Errorf("invalid chain code hex: %w", err)
 	}
 	if len(code) != chainCodeLength {
 		return nil, fmt.Errorf("%w: got %d, want %d", ErrInvalidChainCode, len(code), chainCodeLength)
 	}
 
-	logger.Info("Loaded static chain code from environment")
+	logger.Info("Loaded static chain code from config")
 
 	return &CKD{masterChainCode: code}, nil
 }
 
+// NewCKD loads chain code from environment variable CHAIN_CODE (hex-encoded).
+// Deprecated: prefer NewCKDFromHex with config-provided value.
+func NewCKD() (*CKD, error) {
+	envVal := os.Getenv("CHAIN_CODE")
+	if envVal == "" {
+		return nil, fmt.Errorf("CHAIN_CODE not set in environment")
+	}
+	return NewCKDFromHex(envVal)
+}
+
 // GetMasterChainCode returns a copy of the chain code.
 func (c *CKD) GetMasterChainCode() []byte {
 	c.mu.RLock()

setup_identities.sh

@@ -30,6 +30,36 @@ for i in $(seq 0 $((NUM_NODES-1))); do
     ( cd "node$i" && mpcium-cli generate-identity --node "node$i" )
 done
 
+# Generate a single chain_code if not present and set it in configs
+if [ ! -f .chain_code ]; then
+    echo "🔐 Generating chain_code (32-byte hex) ..."
+    CC=$(openssl rand -hex 32)
+    echo "$CC" > .chain_code
+else
+    CC=$(cat .chain_code)
+fi
+
+if [ -z "$CC" ]; then
+    echo "❌ Failed to determine chain_code"
+    exit 1
+fi
+
+echo "📝 Setting chain_code in root config.yaml ..."
+if grep -q '^\s*chain_code:' config.yaml; then
+    sed -i -E "s|^([[:space:]]*chain_code:).*|\1 \"$CC\"|" config.yaml
+else
+    printf '\nchain_code: "%s"\n' "$CC" >> config.yaml
+fi
+
+echo "📦 Distributing chain_code to node configs ..."
+for i in $(seq 0 $((NUM_NODES-1))); do
+    if grep -q '^\s*chain_code:' "node$i/config.yaml"; then
+        sed -i -E "s|^([[:space:]]*chain_code:).*|\1 \"$CC\"|" "node$i/config.yaml"
+    else
+        printf '\nchain_code: "%s"\n' "$CC" >> "node$i/config.yaml"
+    fi
+done
+
 # Distribute identity files to all nodes
 echo "🔄 Distributing identity files across nodes..."
 for i in $(seq 0 $((NUM_NODES-1))); do