Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 6 additions & 6 deletions client-cmds/nlean-cmd.sh
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,8 @@
# NLEAN_REPO should point to this repository when lean-quickstart is outside this workspace.
# Default assumes sibling checkouts: <workspace>/nlean and <workspace>/lean-quickstart.
nlean_repo="${NLEAN_REPO:-$scriptDir/../nlean}"
nlean_docker_image="${NLEAN_DOCKER_IMAGE:-ghcr.io/nleaneth/nlean:devnet3}"
nlean_network_name="${NLEAN_NETWORK_NAME:-devnet0}"
nlean_docker_image="${NLEAN_DOCKER_IMAGE:-ghcr.io/nleaneth/nlean:devnet4}"
Copy link

Copilot AI Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bumping the default image to ghcr.io/nleaneth/nlean:devnet4 while also switching this script to use --fork-digest creates an inconsistency with the repo’s Ansible nlean role, which extracts this default image from client-cmds/nlean-cmd.sh but still starts the container with --network (see ansible/roles/nlean/tasks/main.yml). If devnet4 no longer supports --network, Ansible deployments will fail. Consider either updating the Ansible role in the same PR to pass --fork-digest, or keeping the default image pinned to a version that still accepts --network until the Ansible change lands.

Suggested change
nlean_docker_image="${NLEAN_DOCKER_IMAGE:-ghcr.io/nleaneth/nlean:devnet4}"
nlean_docker_image="${NLEAN_DOCKER_IMAGE:-ghcr.io/nleaneth/nlean:devnet3}"

Copilot uses AI. Check for mistakes.
nlean_fork_digest="${NLEAN_FORK_DIGEST:-12345678}"
log_level="${NLEAN_LOG_LEVEL:-}"
enable_metrics="${enableMetrics:-false}"

Expand All @@ -16,8 +16,8 @@ if [[ "$enable_metrics" != "true" && "$enable_metrics" != "false" ]]; then
enable_metrics="false"
fi

if [[ -z "${nlean_network_name// }" ]]; then
nlean_network_name="devnet0"
if [[ -z "${nlean_fork_digest// }" ]]; then
nlean_fork_digest="12345678"
Comment on lines +19 to +20
Copy link

Copilot AI Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nlean_fork_digest is taken from NLEAN_FORK_DIGEST and later interpolated into a command string that is executed via eval (see spin-node.sh). As-is, leading/trailing whitespace is preserved and non-hex characters (or shell metacharacters like ;) could break the CLI invocation or enable shell injection. Suggest trimming the value and validating it matches exactly 8 hex chars (e.g., ^[0-9a-fA-F]{8}$), failing fast with a clear error if invalid.

Suggested change
if [[ -z "${nlean_fork_digest// }" ]]; then
nlean_fork_digest="12345678"
nlean_fork_digest="${nlean_fork_digest#${nlean_fork_digest%%[![:space:]]*}}"
nlean_fork_digest="${nlean_fork_digest%${nlean_fork_digest##*[![:space:]]}}"
if [[ -z "$nlean_fork_digest" ]]; then
nlean_fork_digest="12345678"
elif [[ ! "$nlean_fork_digest" =~ ^[0-9a-fA-F]{8}$ ]]; then
echo "Error: NLEAN_FORK_DIGEST must be exactly 8 hexadecimal characters" >&2
exit 1

Copilot uses AI. Check for mistakes.
fi

log_level="${log_level#${log_level%%[![:space:]]*}}"
Expand Down Expand Up @@ -63,7 +63,7 @@ node_binary="$binary_path \
--validator-config $configDir/validator-config.yaml \
--node $item \
--data-dir $dataDir/$item \
--network $nlean_network_name \
--fork-digest $nlean_fork_digest \
--node-key $configDir/$node_private_key_path \
--socket-port $quicPort \
--metrics $enable_metrics \
Expand Down Expand Up @@ -106,7 +106,7 @@ node_docker="${nlean_docker_extra_env} ${nlean_docker_image} \
--validator-config /config/validator-config.yaml \
--node $item \
--data-dir /data \
--network $nlean_network_name \
--fork-digest $nlean_fork_digest \
--node-key /config/$node_private_key_path \
--socket-port $quicPort \
--metrics $enable_metrics \
Expand Down
Loading