feat(evm): mine + claim test ETH via evm.faucet#277
Open
qu0b wants to merge 3 commits into
Open
Conversation
evm.faucet(network, address) previously returned a browser URL, which an agent cannot use (no browser, captcha, or WebSocket). It now runs the full PoWFaucet agent-REST flow server-side and returns the claim transaction hash. - pkg/faucet: Go mining core using golang.org/x/crypto/argon2 (Argon2id). Zero external/runtime deps, so it works on any OS panda ships to. - evm.faucet server operation: auth-gated (requires 'panda auth'), resolves the network's faucet URL from Cartographoor, delegates to pkg/faucet. - sandbox evm.faucet() delegates to the operation and returns the tx hash. Requires the network's faucet to run a PoWFaucet build with the agent REST API (Argon2id/v19). Tests: mining core against a faithful mock + auth gate; faucet_live_test.go is an env-guarded live e2e.
The client-side auth check is meaningless if the faucet endpoint is open, so
the faucet is now reachable only through the panda proxy:
- pkg/proxy: add a /faucet/{network}/ passthrough that mirrors the ethnode
handler — the proxy's auth middleware authenticates the caller, then it
forwards to the network's credential-gated faucet host with basic auth the
proxy alone holds.
- pkg/faucet: introduce a Transport so the mining flow runs either directly
(tests/CLI) or through the proxy.
- evm.faucet op: route via proxyRequest(/faucet/<network>/...); the local
auth check is now only a fast pre-check, the proxy is the real boundary.
Contributor
🐼 Smoke eval —
|
| question | result | tokens | tools |
|---|---|---|---|
forky_node_coverage |
❌ | 14,477 | 4 |
tracoor_node_coverage |
❌ | 14,566 | 4 |
mainnet_block_arrival_p50 |
❌ | 15,763 | 7 |
list_datasources |
❌ | 13,465 | 3 |
block_count_24h |
❌ | 15,381 | 7 |
missed_slots_24h |
❌ | 14,767 | 5 |
chartkit_default_arrival_distribution |
❌ | 23,260 | 18 |
storage_upload_session_scoped |
❌ | 24,865 | 13 |
🔭 Langfuse traces (8 runs; ⚠️ = failed)
The report walks this branch's commits against the master baseline and the most recent release. A self-contained copy is in the run's eval-smoke-* artifact.
Behind the proxy every faucet request carries the proxy's IP, so the faucet's own per-IP protections collapse to one global bucket. Restore per-user fairness where the authenticated identity is known: cap startSession to 30/user/hour, keyed on the auth subject. Only startSession is counted; the many powChallenge/powSubmit calls a single claim makes pass through untouched.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
evm.faucet(network, address)mines the network's PoW faucet and claims test ETH, returning the claim tx hash (it used to return a browser URL — useless to an agent). Crucially, the faucet is reachable only through the panda proxy, which authenticates the caller — a client-side login check is meaningless if the endpoint is open.How
pkg/proxy/faucet/{network}/passthrough (handlers/faucet.go) — mirrors theethnodehandler: the proxy's auth middleware authenticates the caller, then it forwards to the network's credential-gated faucet host with basic auth that only the proxy holds. No public faucet surface for panda users.pkg/faucetTransport— the Argon2id mining flow (x/crypto/argon2, zero external deps) runs either directly (tests/CLI) or through the proxy.evm.faucetop — routes viaproxyRequest("/faucet/<network>/…"); the localpanda authcheck is only a fast pre-check now, the proxy is the real boundary.Auth model
The proxy is the single authenticated gateway (same as every datasource). The faucet endpoint is credential-gated and only the proxy holds the credential, so there is no way to reach it except an authenticated request through the proxy.
Tests
FaucetHandler(host derivation, bearer→basic-auth rewrite, path validation); op auth gate (401) + resolution errors.glamsterdam-devnet-6:pkg/faucet→ proxy/faucet/…→ faucet → mine → claim → funded 1 ETH in ~30 s (tx confirmed).Deploy order — the faucet lockdown is LAST
Faucet-side notes (ACG #554 / glamsterdam)
Requires a PoWFaucet build with the agent REST API at Argon2id/v19 (live:
ghcr.io/qu0b/powfaucet:v2.5.0-agent.4).