fix(hermes): make wallet backup portable on k3d #558
Open
bussyjd wants to merge 1 commit into
957eade to
ccbbbdc
OisinKyne
approved these changes
May 27, 2026
Summary
Fixes the rc6 wallet portability failure on Linux k3d stacks:
- `obol agent wallet backup` now falls back to reading the remote-signer keystore through the k3d server node when the host-side PVC path is not readable by the CLI user.
- `obol agent wallet restore` now accepts a raw Ethereum V3 keystore as an input format and converts it into the existing Obol v1 backup envelope before writing runtime metadata.

Why
The rc6 reset path tells testers to preserve wallets before purging. On Linux k3d, the wallet file lives in a container-owned local-path volume, so direct host reads can fail with `permission denied`. The restore side also rejected the raw Ethereum V3 keystore users could manually extract from the container because `restore` only accepted the Obol v1 backup envelope.

Backup path
```mermaid
flowchart TD
    A[obol agent wallet backup] --> B[Read wallet metadata]
    B --> C[Read host-side keystore path]
    C -->|ok| D[Build Obol v1 backup]
    C -->|permission denied on k3d| E[docker exec k3d server]
    E --> F[cat mapped /data keystore]
    F --> D
    D --> G[Optional AES-GCM encryption]
    G --> H[Write backup file]
```

The fallback is intentionally narrow: it only runs for permission errors on k3d. Other read failures still surface directly.
Restore path
```mermaid
sequenceDiagram
    participant User
    participant CLI as obol CLI
    participant Backup as Backup decoder
    participant Geth as Ethereum keystore decoder
    participant Disk as Hermes deploy files
    User->>CLI: restore --input wallet.json
    CLI->>Backup: Decode Obol v1 envelope
    alt Obol v1 backup
        Backup-->>CLI: wallet metadata + keystore
    else Raw Ethereum V3 keystore
        Backup-->>CLI: unsupported version 3
        CLI->>Geth: decrypt raw V3 keystore
        Geth-->>CLI: address + public key + uuid
        CLI->>CLI: synthesize Obol v1 wallet payload
    end
    CLI->>Disk: write keystore, wallet metadata, remote-signer values
```

Raw V3 support does not change the persisted backup format. It is accepted only as an import-compatible restore input.
Validation
- `go test ./internal/hermes -run 'TestBackupWalletCmd_K3dPermissionFallbackReadsFromNode|TestRestoreWalletCmd_HermesAcceptsRawEthereumV3Keystore|TestBackupRestoreWalletCmd_HermesRoundTrip|TestRestoreWalletCmd_HermesRequiresForceForExistingWallet' -count=1`
- `go test ./cmd/obol ./internal/hermes ./internal/walletbackup -count=1`
- `git diff --check`
- `obol agent wallet backup obol-agent --passphrase <redacted> --output /tmp/obol-agent-wallet-backup-test.enc`
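
The narrow fallback described under "Backup path", sketched as an added example that is not the code from this pull request. The names `reader`, `dockerCat` and `readKeystore`, the `isK3d` flag and the sample paths are hypothetical; the stand-in readers in `main` are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os/exec"
)

// reader reads a keystore file from one location (hypothetical type).
type reader func(path string) ([]byte, error)

// dockerCat reads a file inside a container. Arguments are passed as argv,
// never through a shell, so the path cannot inject extra commands.
func dockerCat(container string) reader {
	return func(path string) ([]byte, error) {
		return exec.Command("docker", "exec", container, "cat", path).Output()
	}
}

// readKeystore tries the host path first. It falls back to the node reader
// only for a permission error on a k3d stack; any other failure is returned
// unchanged so a missing or corrupt keystore is never masked.
func readKeystore(hostPath, nodePath string, isK3d bool, host, node reader) ([]byte, string, error) {
	data, err := host(hostPath)
	if err == nil {
		return data, "host", nil
	}
	if !isK3d || !errors.Is(err, fs.ErrPermission) {
		return nil, "", err
	}
	data, nodeErr := node(nodePath)
	if nodeErr != nil {
		return nil, "", fmt.Errorf("host read: %v; k3d node read: %w", err, nodeErr)
	}
	return data, "k3d-node", nil
}

func main() {
	// Constructed stand-ins for the host read and the node read.
	denied := func(p string) ([]byte, error) {
		return nil, &fs.PathError{Op: "open", Path: p, Err: fs.ErrPermission}
	}
	node := func(string) ([]byte, error) { return []byte(`{"version":3}`), nil }
	_, src, err := readKeystore("/host/keystore.json", "/data/keystore.json", true, denied, node)
	fmt.Println(src, err)
}
```

Returning the source label alongside the bytes lets the caller log which path produced the keystore, which is useful when auditing how key material left the volume.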