Audit RPC/ENS env usage and add production RPC env guidance #327

Merged
GsCommand merged 1 commit into main from codex/audit-and-document-rpc/ens-environment-variables
May 24, 2026

Conversation

@GsCommand
Contributor

Motivation

  • Prevent unintended use of Alchemy shared/default credentials (and related rate-limit warnings) by making ENS reverse-lookup use an explicit, configurable mainnet RPC URL in production.
  • Provide a clear, production-oriented environment-variable policy so deployments (e.g., Vercel) can set an explicit RPC endpoint and avoid shared-provider throttling.
  • Keep verifier semantics and local fallback gating unchanged so test/demo behavior is preserved while not weakening production security.

Description

  • Added getMainnetRpcUrl() to api/ens/owned.js and updated hasProviderConfig() to accept a prioritized RPC env resolution order including ETHEREUM_RPC_URL, MAINNET_RPC_URL, ALCHEMY_ETHEREUM_RPC_URL, ALCHEMY_ETH_RPC_URL, ETH_RPC_URL, and ALCHEMY_API_KEY (mapped to https://eth-mainnet.g.alchemy.com/v2/<key> if present).
  • Replaced the implicit ethers.AlchemyProvider(...) fallback with a JsonRpcProvider that is only initialized when a concrete RPC URL is resolved so the code no longer triggers Alchemy default-key behavior.
  • Exported _private.getMainnetRpcUrl for unit testing and added tests in tests/api-ens-owned.test.js covering env precedence, Alchemy key-to-URL derivation, and last-resort empty behavior; kept SimpleHash ownership lookup logic separate.
  • Added docs/ops/environment.md documenting preferred production RPC variables and a table of required/optional env vars (including COMMANDLAYER_ALLOW_LOCAL_KEY_FALLBACK warning and SIMPLEHASH_API_KEY usage), and added a short README pointer to that doc.

Testing

  • Ran the full test suite with npm test and all tests passed (113 tests, 0 failures).
  • Ran npm run check:links and it passed with "All local links/assets resolved across 25 HTML files."
  • Added/ran new unit tests in tests/api-ens-owned.test.js which passed and validate the RPC precedence and Alchemy URL derivation behavior.
  • Performed a repo search for erc8211.merkle.v1 (no matches) and noted an unrelated npm warn Unknown env config "http-proxy" which is not a code regression.

Codex Task
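
The resolution order and key-to-URL mapping described in this PR, as an added sketch that is not the project's `api/ens/owned.js`. It assumes the listed variable order is the precedence; the names `resolveMainnetRpcUrl` and `redactRpcUrl`, the URL-scheme check and the log redaction are illustrative additions.

```javascript
// Added sketch, not the project's api/ens/owned.js. Assumption: the order in
// which the PR description lists the variables is their precedence.
const RPC_URL_VARS = [
  'ETHEREUM_RPC_URL',
  'MAINNET_RPC_URL',
  'ALCHEMY_ETHEREUM_RPC_URL',
  'ALCHEMY_ETH_RPC_URL',
  'ETH_RPC_URL',
];

// Returns { url, source }; url is '' when nothing usable is configured, so the
// caller can skip provider construction instead of falling back to a shared key.
function resolveMainnetRpcUrl(env) {
  for (const name of RPC_URL_VARS) {
    const value = (env[name] || '').trim();
    if (!value) continue; // unset or whitespace-only: try the next variable
    let parsed;
    try {
      parsed = new URL(value);
    } catch {
      continue; // not a URL (assumed policy: skip rather than throw)
    }
    if (parsed.protocol === 'https:' || parsed.protocol === 'http:') {
      return { url: value, source: name };
    }
  }
  // Last resort before "empty": derive the Alchemy mainnet URL from the key.
  const key = (env.ALCHEMY_API_KEY || '').trim();
  if (key) {
    return {
      url: `https://eth-mainnet.g.alchemy.com/v2/${encodeURIComponent(key)}`,
      source: 'ALCHEMY_API_KEY',
    };
  }
  return { url: '', source: null };
}

// Log-safe form: provider keys usually sit in the path or query string,
// so only scheme and host are kept.
function redactRpcUrl(url) {
  if (!url) return '(none)';
  const u = new URL(url);
  return `${u.protocol}//${u.host}/<redacted>`;
}
```

Logging `source` together with `redactRpcUrl(url)` at startup shows which variable won without writing the key to deployment logs.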

@vercel

vercel Bot commented May 24, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| commandlayer-commandlayer-org | Ready | Preview, Comment | May 24, 2026 2:47am |
| commandlayer-org | Ready | Preview, Comment | May 24, 2026 2:47am |
| commandlayer-org111 | Ready | Preview, Comment | May 24, 2026 2:47am |
