Skip to content

B02 SQLite append-only audit log + hash chain in verifier #37

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pulkitpareek18 merged 1 commit into from
May 15, 2026
Merged

B02 SQLite append-only audit log + hash chain in verifier #37

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 22 additions & 1 deletion Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,8 +87,22 @@ RUN addgroup -g 1001 -S zeroauth && \
# npm workspaces, which complicates a single-package install). Trade-off
# is acceptable for v0; full reproducible-build provenance is on the
# roadmap per ADR-0005 / the verifier design doc.
#
# NOTES:
# 1. `better-sqlite3` is a native Node addon. The npm-published prebuilds
# don't cover alpine-linux-musl-arm64 (the VPS architecture), so
# prebuild-install falls back to a node-gyp source build. That needs
# python3 + make + g++. We install them, build, then DELETE them to
# keep the runtime image small (cleanup at the end of this RUN saves
# ~150MB).
# 2. We allow lifecycle scripts here (no `--ignore-scripts`) because
# better-sqlite3's postinstall is what triggers the build. All 4
# other deps (express, snarkjs, uuid, winston) are JS-only.
COPY verifier/package.json ./package.json
RUN npm install --omit=dev --ignore-scripts && npm cache clean --force
RUN apk add --no-cache --virtual .build-deps python3 make g++ \
&& npm install --omit=dev \
&& npm cache clean --force \
&& apk del .build-deps

# Compiled JS from the verifier-build stage
COPY --from=verifier-build /app/verifier/dist ./dist
Expand All @@ -98,10 +112,17 @@ COPY --from=verifier-build /app/verifier/dist ./dist
# unfindable.
COPY circuits/build/verification_key.json /app/circuits/build/verification_key.json

# Writable data directory for the SQLite audit log (B02 design doc §4.3).
# Owned by the non-root user; mounted as a Docker volume in compose so
# the DB survives container restarts. Without this `mkdir` here, the
# non-root user can't create the dir at startup → service crashes.
RUN mkdir -p /app/data && chown -R zeroauth:zeroauth /app/data

USER zeroauth

ENV NODE_ENV=production
ENV VERIFIER_VKEY_PATH=/app/circuits/build/verification_key.json
ENV VERIFIER_AUDIT_DB_PATH=/app/data/audit.db
ENV VERIFIER_BIND=0.0.0.0
ENV VERIFIER_PORT=3001

Expand Down
7 changes: 7 additions & 0 deletions docker-compose.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,12 @@ services:
- NODE_ENV=production
- VERIFIER_CIRCUIT_VERSION=v1
- LOG_LEVEL=info
# Persistent volume for the SQLite audit log (B02 design doc §4.3).
# Mounted at /app/data inside the container. Survives container
# restarts + image rebuilds. Backup story: snapshot the volume on
# deploy + nightly cron (TODO).
volumes:
- verifier-audit-data:/app/data
restart: unless-stopped
# 127.0.0.1 (not localhost) because alpine busybox wget hits IPv6 first
# and the verifier binds 0.0.0.0 (IPv4 only). The Dockerfile carries
Expand Down Expand Up @@ -176,3 +182,4 @@ volumes:
postgres-data:
caddy-data:
caddy-config:
verifier-audit-data:
Loading
Loading