scripts/enable-besu-debug-api.sh

#!/usr/bin/env bash
# Enable DEBUG API in Besu Configuration
# Must be run on the RPC node

set -euo pipefail

RPC_IP="${1:-192.168.11.250}"
SSH_PASSWORD="${SSH_PASSWORD:-${2:-}}"
if [ -z "${SSH_PASSWORD}" ]; then
    echo "ERROR: SSH_PASSWORD is required. Pass it as an argument or export SSH_PASSWORD in the environment." >&2
    echo "       Hardcoded default removed for security; see docs/SECURITY.md." >&2
    exit 2
fi

CONFIG_FILE="${3:-/etc/besu/config-rpc-core.toml}"

echo "╔══════════════════════════════════════════════════════════════╗"
echo "║     ENABLING DEBUG API IN BESU CONFIGURATION                ║"
echo "╚══════════════════════════════════════════════════════════════╝"
echo ""
echo "RPC IP: $RPC_IP"
echo "Config File: $CONFIG_FILE"
echo ""

# Check if sshpass is available
if ! command -v sshpass >/dev/null 2>&1; then
    echo "⚠️  sshpass not installed. Installing..."
    sudo apt-get update -qq && sudo apt-get install -y sshpass 2>/dev/null || {
        echo "❌ Cannot install sshpass automatically"
        exit 1
    }
fi

echo "Step 1: Checking current configuration..."
CURRENT_CONFIG=$(sshpass -p "$SSH_PASSWORD" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 \
    root@"$RPC_IP" \
    "cat $CONFIG_FILE 2>/dev/null || echo 'FILE_NOT_FOUND'" 2>&1)

if echo "$CURRENT_CONFIG" | grep -q "FILE_NOT_FOUND"; then
    echo "❌ Config file not found: $CONFIG_FILE"
    echo ""
    echo "Available config files:"
    sshpass -p "$SSH_PASSWORD" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 \
        root@"$RPC_IP" \
        "ls -la /etc/besu/*.toml 2>/dev/null || echo 'No config files found'"
    exit 1
fi

echo "✅ Config file found"
echo ""

# Check if DEBUG is already enabled
if echo "$CURRENT_CONFIG" | grep -q "DEBUG"; then
    echo "✅ DEBUG API is already enabled in configuration"
    echo ""
    echo "Current rpc-http-api setting:"
    echo "$CURRENT_CONFIG" | grep "rpc-http-api" | head -1
    echo ""
    echo "Checking if Besu service needs restart..."
    RESTART_NEEDED=$(sshpass -p "$SSH_PASSWORD" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 \
        root@"$RPC_IP" \
        "systemctl is-active besu-rpc >/dev/null 2>&1 && echo 'active' || echo 'inactive'" 2>&1)
    
    if [ "$RESTART_NEEDED" = "active" ]; then
        echo "⚠️  DEBUG API is enabled but service may need restart"
        echo "   Restarting Besu service..."
        sshpass -p "$SSH_PASSWORD" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 \
            root@"$RPC_IP" \
            "systemctl restart besu-rpc && sleep 5 && systemctl status besu-rpc --no-pager | head -10" 2>&1
        echo ""
        echo "✅ Besu service restarted"
    fi
else
    echo "Step 2: Adding DEBUG to rpc-http-api..."
    
    # Create backup
    sshpass -p "$SSH_PASSWORD" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 \
        root@"$RPC_IP" \
        "cp $CONFIG_FILE ${CONFIG_FILE}.backup.$(date +%Y%m%d-%H%M%S)" 2>&1
    
    # Update configuration
    sshpass -p "$SSH_PASSWORD" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 \
        root@"$RPC_IP" \
        "sed -i 's/rpc-http-api=\[\"ETH\",\"NET\",\"WEB3\",\"TXPOOL\",\"QBFT\",\"ADMIN\",\"DEBUG\",\"TRACE\"\]/rpc-http-api=[\"ETH\",\"NET\",\"WEB3\",\"TXPOOL\",\"QBFT\",\"ADMIN\",\"DEBUG\",\"TRACE\"]/g' $CONFIG_FILE || \
         sed -i 's/rpc-http-api=\[\"ETH\",\"NET\",\"WEB3\",\"TXPOOL\",\"QBFT\",\"ADMIN\"\]/rpc-http-api=[\"ETH\",\"NET\",\"WEB3\",\"TXPOOL\",\"QBFT\",\"ADMIN\",\"DEBUG\",\"TRACE\"]/g' $CONFIG_FILE || \
         sed -i 's/rpc-http-api=\[\"ETH\",\"NET\",\"WEB3\"\]/rpc-http-api=[\"ETH\",\"NET\",\"WEB3\",\"DEBUG\",\"TRACE\"]/g' $CONFIG_FILE" 2>&1
    
    echo "✅ Configuration updated"
    echo ""
    
    echo "Step 3: Verifying configuration..."
    UPDATED_CONFIG=$(sshpass -p "$SSH_PASSWORD" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 \
        root@"$RPC_IP" \
        "grep 'rpc-http-api' $CONFIG_FILE | head -1" 2>&1)
    
    echo "Updated rpc-http-api: $UPDATED_CONFIG"
    echo ""
    
    if echo "$UPDATED_CONFIG" | grep -q "DEBUG"; then
        echo "✅ DEBUG API added to configuration"
        echo ""
        echo "Step 4: Restarting Besu service..."
        sshpass -p "$SSH_PASSWORD" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 \
            root@"$RPC_IP" \
            "systemctl restart besu-rpc && sleep 5 && systemctl status besu-rpc --no-pager | head -10" 2>&1
        
        echo ""
        echo "✅ Besu service restarted"
        echo ""
        echo "Step 5: Verifying DEBUG API is enabled..."
        sleep 3
        DEBUG_TEST=$(sshpass -p "$SSH_PASSWORD" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 \
            root@"$RPC_IP" \
            "curl -s -X POST -H 'Content-Type: application/json' \
             --data '{\"jsonrpc\":\"2.0\",\"method\":\"debug_traceTransaction\",\"params\":[\"0x0000000000000000000000000000000000000000000000000000000000000000\",{\"tracer\":\"callTracer\"}],\"id\":1}' \
             http://localhost:8545 2>&1" 2>&1)
        
        if echo "$DEBUG_TEST" | grep -q "Method not enabled"; then
            echo "⚠️  DEBUG API still not enabled (may need more time to restart)"
        elif echo "$DEBUG_TEST" | grep -q "error"; then
            echo "✅ DEBUG API is enabled (returned error for invalid transaction, which is expected)"
        else
            echo "✅ DEBUG API appears to be enabled"
        fi
    else
        echo "❌ Failed to add DEBUG API to configuration"
        echo "   Please edit manually: $CONFIG_FILE"
        echo "   Add \"DEBUG\" and \"TRACE\" to rpc-http-api array"
    fi
fi

echo ""
echo "═══════════════════════════════════════════════════════════════"
echo "SUMMARY"
echo "═══════════════════════════════════════════════════════════════"
echo ""
echo "To enable DEBUG API manually:"
echo "  1. Edit: $CONFIG_FILE"
echo "  2. Find: rpc-http-api=[...]"
echo "  3. Add: \"DEBUG\", \"TRACE\" to the array"
echo "  4. Restart: systemctl restart besu-rpc"
echo ""
echo "Then test with:"
echo "  curl -X POST -H 'Content-Type: application/json' \\"
echo "    --data '{\"jsonrpc\":\"2.0\",\"method\":\"debug_traceTransaction\",\"params\":[\"0x4dc9f5eedf580c2b37457916b04048481aba19cf3c1a106ea1ee9eefa0dc03c8\",{\"tracer\":\"callTracer\"}],\"id\":1}' \\"
echo "    http://localhost:8545 | jq"
echo ""
Add full monorepo: virtual-banker, backend, frontend, docs, scripts, deployment Co-authored-by: Cursor <cursoragent@cursor.com> 2026-02-10 11:32:49 -08:00			`#!/usr/bin/env bash`
			`# Enable DEBUG API in Besu Configuration`
			`# Must be run on the RPC node`

			`set -euo pipefail`

			`RPC_IP="${1:-192.168.11.250}"`
fix(security): fail-fast on missing JWT_SECRET, harden CSP, strip hardcoded passwords backend/api/rest/server.go: - NewServer() now delegates to loadJWTSecret(), which: - Rejects JWT_SECRET < 32 bytes (log.Fatal). - Requires JWT_SECRET when APP_ENV=production or GO_ENV=production. - Generates a 32-byte crypto/rand ephemeral secret in dev only. - Treats rand.Read failure as fatal (removes the prior time-based fallback that was deterministic and forgeable). - Default Content-Security-Policy rewritten: - Drops 'unsafe-inline' and 'unsafe-eval'. - Drops private CIDRs (192.168.11.221:854[5\|6]). - Adds frame-ancestors 'none', base-uri 'self', form-action 'self'. - CSP_HEADER is required in production; fatal if unset there. backend/api/rest/server_security_test.go (new): - Covers the three loadJWTSecret() paths (valid, whitespace-trimmed, ephemeral in dev). - Covers isProductionEnv() across APP_ENV / GO_ENV combinations. - Asserts defaultDevCSP contains no unsafe directives or private CIDRs and includes the frame-ancestors / base-uri / form-action directives. scripts/.sh: - Removed 'REDACTED-LEGACY-PW' default value from SSH_PASSWORD / NEW_PASSWORD in 7 helper scripts. Each script now fails with exit 2 and points to docs/SECURITY.md if the password isn't supplied via env or argv. EXECUTE_DEPLOYMENT.sh, EXECUTE_NOW.sh: - Replaced hardcoded DB_PASSWORD='REDACTED-LEGACY-PW' with a ':?' guard that aborts with a clear error if DB_PASSWORD (and, for EXECUTE_DEPLOYMENT, RPC_URL) is not exported. Other env vars keep sensible non-secret defaults via ${VAR:-default}. README.md: - Removed the hardcoded Database Password / RPC URL lines. Replaced with an env-variable reference table pointing at docs/SECURITY.md and docs/DATABASE_CONNECTION_GUIDE.md. docs/DEPLOYMENT.md: - Replaced 'PASSWORD: SSH password (default: REDACTED-LEGACY-PW)' with a required-no-default contract and a link to docs/SECURITY.md. docs/SECURITY.md (new): - Full secret inventory keyed to the env variable name and the file that consumes it. - Five-step rotation checklist covering the Postgres role, the Proxmox VM SSH password, JWT_SECRET, vendor API keys, and a gitleaks-based history audit. - Explicit note that merging secret-scrub PRs does NOT invalidate already-leaked credentials; rotation is the operator's responsibility. Verification: - go build ./... + go vet ./... pass clean. - Targeted tests (LoadJWTSecret, IsProduction, DefaultDevCSP) pass. Advances completion criterion 2 (Secrets & config hardened). Residual leakage from START_HERE.md / LETSENCRYPT_CONFIGURATION_GUIDE.md is handled by PR #2 (doc consolidation), which deletes those files. 2026-04-18 19:02:27 +00:00			`SSH_PASSWORD="${SSH_PASSWORD:-${2:-}}"`
			`if [ -z "${SSH_PASSWORD}" ]; then`
			`echo "ERROR: SSH_PASSWORD is required. Pass it as an argument or export SSH_PASSWORD in the environment." >&2`
			`echo " Hardcoded default removed for security; see docs/SECURITY.md." >&2`
			`exit 2`
			`fi`

Add full monorepo: virtual-banker, backend, frontend, docs, scripts, deployment Co-authored-by: Cursor <cursoragent@cursor.com> 2026-02-10 11:32:49 -08:00			`CONFIG_FILE="${3:-/etc/besu/config-rpc-core.toml}"`

			`echo "╔══════════════════════════════════════════════════════════════╗"`
			`echo "║ ENABLING DEBUG API IN BESU CONFIGURATION ║"`
			`echo "╚══════════════════════════════════════════════════════════════╝"`
			`echo ""`
			`echo "RPC IP: $RPC_IP"`
			`echo "Config File: $CONFIG_FILE"`
			`echo ""`

			`# Check if sshpass is available`
			`if ! command -v sshpass >/dev/null 2>&1; then`
			`echo "⚠️ sshpass not installed. Installing..."`
			`sudo apt-get update -qq && sudo apt-get install -y sshpass 2>/dev/null \|\| {`
			`echo "❌ Cannot install sshpass automatically"`
			`exit 1`
			`}`
			`fi`

			`echo "Step 1: Checking current configuration..."`
			`CURRENT_CONFIG=$(sshpass -p "$SSH_PASSWORD" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 \`
			`root@"$RPC_IP" \`
			`"cat $CONFIG_FILE 2>/dev/null \|\| echo 'FILE_NOT_FOUND'" 2>&1)`

			`if echo "$CURRENT_CONFIG" \| grep -q "FILE_NOT_FOUND"; then`
			`echo "❌ Config file not found: $CONFIG_FILE"`
			`echo ""`
			`echo "Available config files:"`
			`sshpass -p "$SSH_PASSWORD" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 \`
			`root@"$RPC_IP" \`
			`"ls -la /etc/besu/*.toml 2>/dev/null \|\| echo 'No config files found'"`
			`exit 1`
			`fi`

			`echo "✅ Config file found"`
			`echo ""`

			`# Check if DEBUG is already enabled`
			`if echo "$CURRENT_CONFIG" \| grep -q "DEBUG"; then`
			`echo "✅ DEBUG API is already enabled in configuration"`
			`echo ""`
			`echo "Current rpc-http-api setting:"`
			`echo "$CURRENT_CONFIG" \| grep "rpc-http-api" \| head -1`
			`echo ""`
			`echo "Checking if Besu service needs restart..."`
			`RESTART_NEEDED=$(sshpass -p "$SSH_PASSWORD" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 \`
			`root@"$RPC_IP" \`
			`"systemctl is-active besu-rpc >/dev/null 2>&1 && echo 'active' \|\| echo 'inactive'" 2>&1)`

			`if [ "$RESTART_NEEDED" = "active" ]; then`
			`echo "⚠️ DEBUG API is enabled but service may need restart"`
			`echo " Restarting Besu service..."`
			`sshpass -p "$SSH_PASSWORD" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 \`
			`root@"$RPC_IP" \`
			`"systemctl restart besu-rpc && sleep 5 && systemctl status besu-rpc --no-pager \| head -10" 2>&1`
			`echo ""`
			`echo "✅ Besu service restarted"`
			`fi`
			`else`
			`echo "Step 2: Adding DEBUG to rpc-http-api..."`

			`# Create backup`
			`sshpass -p "$SSH_PASSWORD" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 \`
			`root@"$RPC_IP" \`
			`"cp $CONFIG_FILE ${CONFIG_FILE}.backup.$(date +%Y%m%d-%H%M%S)" 2>&1`

			`# Update configuration`
			`sshpass -p "$SSH_PASSWORD" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 \`
			`root@"$RPC_IP" \`
			`"sed -i 's/rpc-http-api=\[\"ETH\",\"NET\",\"WEB3\",\"TXPOOL\",\"QBFT\",\"ADMIN\",\"DEBUG\",\"TRACE\"\]/rpc-http-api=[\"ETH\",\"NET\",\"WEB3\",\"TXPOOL\",\"QBFT\",\"ADMIN\",\"DEBUG\",\"TRACE\"]/g' $CONFIG_FILE \|\| \`
			`sed -i 's/rpc-http-api=\[\"ETH\",\"NET\",\"WEB3\",\"TXPOOL\",\"QBFT\",\"ADMIN\"\]/rpc-http-api=[\"ETH\",\"NET\",\"WEB3\",\"TXPOOL\",\"QBFT\",\"ADMIN\",\"DEBUG\",\"TRACE\"]/g' $CONFIG_FILE \|\| \`
			`sed -i 's/rpc-http-api=\[\"ETH\",\"NET\",\"WEB3\"\]/rpc-http-api=[\"ETH\",\"NET\",\"WEB3\",\"DEBUG\",\"TRACE\"]/g' $CONFIG_FILE" 2>&1`

			`echo "✅ Configuration updated"`
			`echo ""`

			`echo "Step 3: Verifying configuration..."`
			`UPDATED_CONFIG=$(sshpass -p "$SSH_PASSWORD" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 \`
			`root@"$RPC_IP" \`
			`"grep 'rpc-http-api' $CONFIG_FILE \| head -1" 2>&1)`

			`echo "Updated rpc-http-api: $UPDATED_CONFIG"`
			`echo ""`

			`if echo "$UPDATED_CONFIG" \| grep -q "DEBUG"; then`
			`echo "✅ DEBUG API added to configuration"`
			`echo ""`
			`echo "Step 4: Restarting Besu service..."`
			`sshpass -p "$SSH_PASSWORD" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 \`
			`root@"$RPC_IP" \`
			`"systemctl restart besu-rpc && sleep 5 && systemctl status besu-rpc --no-pager \| head -10" 2>&1`

			`echo ""`
			`echo "✅ Besu service restarted"`
			`echo ""`
			`echo "Step 5: Verifying DEBUG API is enabled..."`
			`sleep 3`
			`DEBUG_TEST=$(sshpass -p "$SSH_PASSWORD" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 \`
			`root@"$RPC_IP" \`
			`"curl -s -X POST -H 'Content-Type: application/json' \`
			`--data '{\"jsonrpc\":\"2.0\",\"method\":\"debug_traceTransaction\",\"params\":[\"0x0000000000000000000000000000000000000000000000000000000000000000\",{\"tracer\":\"callTracer\"}],\"id\":1}' \`
			`http://localhost:8545 2>&1" 2>&1)`

			`if echo "$DEBUG_TEST" \| grep -q "Method not enabled"; then`
			`echo "⚠️ DEBUG API still not enabled (may need more time to restart)"`
			`elif echo "$DEBUG_TEST" \| grep -q "error"; then`
			`echo "✅ DEBUG API is enabled (returned error for invalid transaction, which is expected)"`
			`else`
			`echo "✅ DEBUG API appears to be enabled"`
			`fi`
			`else`
			`echo "❌ Failed to add DEBUG API to configuration"`
			`echo " Please edit manually: $CONFIG_FILE"`
			`echo " Add \"DEBUG\" and \"TRACE\" to rpc-http-api array"`
			`fi`
			`fi`

			`echo ""`
			`echo "═══════════════════════════════════════════════════════════════"`
			`echo "SUMMARY"`
			`echo "═══════════════════════════════════════════════════════════════"`
			`echo ""`
			`echo "To enable DEBUG API manually:"`
			`echo " 1. Edit: $CONFIG_FILE"`
			`echo " 2. Find: rpc-http-api=[...]"`
			`echo " 3. Add: \"DEBUG\", \"TRACE\" to the array"`
			`echo " 4. Restart: systemctl restart besu-rpc"`
			`echo ""`
			`echo "Then test with:"`
			`echo " curl -X POST -H 'Content-Type: application/json' \\"`
			`echo " --data '{\"jsonrpc\":\"2.0\",\"method\":\"debug_traceTransaction\",\"params\":[\"0x4dc9f5eedf580c2b37457916b04048481aba19cf3c1a106ea1ee9eefa0dc03c8\",{\"tracer\":\"callTracer\"}],\"id\":1}' \\"`
			`echo " http://localhost:8545 \| jq"`
			`echo ""`