refactor: Add default config files to DF #94

Merged
Lodek merged 4 commits into dev from refactor/df-defra on Jan 28, 2026
@Lodek Lodek commented Jan 28, 2026

No description provided.

coderabbitai bot commented Jan 28, 2026

📝 Walkthrough

The changes introduce Docker-based configuration infrastructure by adding default TOML configuration files for the application, client, and CometBFT node. These files are copied into the Docker image during build and subsequently deployed to the container's working directory via an updated entrypoint script.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Docker Build Setup: `Dockerfile` | Added copying of TOML configuration files from `docker/configs/` to `/etc/sourcehub/` and updated directory permissions with `chmod -R 555` for read/execute access |
| Container Initialization: `docker/entrypoint.sh` | Added logic to copy TOML configuration files from `/etc/sourcehub/` to `/sourcehub/config/` during first-time initialization, allowing configurations to override defaults |
| Default Configuration Files: `docker/configs/app.toml`, `docker/configs/client.toml`, `docker/configs/config.toml` | Introduced three new TOML configuration files: `app.toml` with base/telemetry/API/gRPC/mempool settings (245 lines), `client.toml` with client connection parameters (17 lines), and `config.toml` with CometBFT node runtime settings including RPC, P2P, consensus, and instrumentation (498 lines) |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 989f677 and 95e0f6f.

📒 Files selected for processing (5)
  • Dockerfile
  • docker/configs/app.toml
  • docker/configs/client.toml
  • docker/configs/config.toml
  • docker/entrypoint.sh
🔇 Additional comments (2)
docker/configs/client.toml (1)

8-17: LGTM for client defaults.
Defaults are clear and aligned with expected CLI behavior.

Dockerfile (1)

19-22: LGTM for default config provisioning.
Copying defaults into /etc/sourcehub and making them read-only is appropriate for immutable defaults.

Comment on lines +129 to +151
# Enable defines if the API server should be enabled.
enable = true

# Swagger defines if swagger documentation should automatically be registered.
swagger = true

# Address defines the API server to listen on.
address = "tcp://0.0.0.0:1317"

# MaxOpenConnections defines the number of maximum open connections.
max-open-connections = 1000

# RPCReadTimeout defines the CometBFT RPC read timeout (in seconds).
rpc-read-timeout = 10

# RPCWriteTimeout defines the CometBFT RPC write timeout (in seconds).
rpc-write-timeout = 0

# RPCMaxBodyBytes defines the CometBFT maximum request body (in bytes).
rpc-max-body-bytes = 1000000

# EnableUnsafeCORS defines if CORS should be enabled (unsafe - use it at your own risk).
enabled-unsafe-cors = true
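
Review bot: `rpc-write-timeout = 0` has no comment saying what zero means, while `rpc-read-timeout = 10` just above it is bounded. On a listener bound to `tcp://0.0.0.0:1317` with `max-open-connections = 1000`, state in the comment whether 0 disables the write timeout and, if it does, why the container default leaves it unbounded.
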

⚠️ Potential issue | 🟠 Major

Avoid unsafe-by-default API/CORS and faucet exposure.
These defaults enable unsafe CORS and a faucet by default; if this image is used outside dev, this is a security risk. Consider safe defaults with opt-in via env or custom config.

🔒 Suggested safer defaults
-# Swagger defines if swagger documentation should automatically be registered.
-swagger = true
+# Swagger defines if swagger documentation should automatically be registered.
+swagger = false
@@
-# EnableUnsafeCORS defines if CORS should be enabled (unsafe - use it at your own risk).
-enabled-unsafe-cors = true
+# EnableUnsafeCORS defines if CORS should be enabled (unsafe - use it at your own risk).
+enabled-unsafe-cors = false
@@
-# Defines if the faucet service should be enabled.
-enable_faucet = true
+# Defines if the faucet service should be enabled.
+enable_faucet = false

Also applies to: 242-245

🤖 Prompt for AI Agents
In `@docker/configs/app.toml` around lines 129 - 151, Update the TOML to
safe-by-default values: set enabled-unsafe-cors = false and disable any
faucet-related default (the faucet block referenced around lines 242-245) and
consider setting swagger = false and API server enable = false for non-dev
images; then make these features opt-in via environment-aware configuration
(e.g., read API_ENABLE_UNSAFE_CORS or API_ENABLE_FAUCET) so the code that loads
app.toml respects env overrides for enabled-unsafe-cors, faucet, swagger, and
enable (API server) instead of exposing them by default.

Comment on lines +89 to +101
# TCP or UNIX socket address for the RPC server to listen on
laddr = "tcp://0.0.0.0:26657"

# A list of origins a cross-domain request can be executed from
# Default value '[]' disables cors support
# Use '["*"]' to allow any origin
cors_allowed_origins = ["*"]

# A list of methods the client is allowed to use with cross-domain requests
cors_allowed_methods = ["HEAD", "GET", "POST", ]

# A list of non simple headers the client is allowed to use with cross-domain requests
cors_allowed_headers = ["Origin", "Accept", "Content-Type", "X-Requested-With", "X-Server-Time", ]
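
Review bot: the comment above `cors_allowed_origins` documents `[]` as the default that disables CORS, yet the value shipped on the next line is `["*"]`, and `cors_allowed_methods` includes `POST` on an RPC server bound to `0.0.0.0:26657`. If the wildcard is deliberate for this image, add a comment line saying so and for which deployment it is meant; otherwise ship `[]`.
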

⚠️ Potential issue | 🟠 Major

Tighten RPC CORS defaults.
Allowing ["*"] on RPC is risky for browser-based abuse; safer default is empty or explicit origins.

🔒 Suggested default
-# Use '["*"]' to allow any origin
-cors_allowed_origins = ["*"]
+# Use explicit origins to allow browser access
+cors_allowed_origins = []
🤖 Prompt for AI Agents
In `@docker/configs/config.toml` around lines 89 - 101, The RPC CORS default is
too permissive—update the cors_allowed_origins setting (cors_allowed_origins) in
the config.toml to a safer default (empty list or an explicit list of trusted
origins) instead of ["*"]; ensure you also document the change and, if
appropriate for environments that need browser access, provide an example or
env-specific override so operators can explicitly opt-in trusted origins rather
than allowing all.

Comment on lines +24 to +26
# copy the container specific default config files,
# which overrides some settings such as listening address
cp /etc/sourcehub/*.toml /sourcehub/config/
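
Review bot: the `cp` on the last line creates new files with the source file's mode, and the walkthrough states the Dockerfile applies `chmod -R 555` to /etc/sourcehub, so any file that does not already exist in /sourcehub/config/ ends up without a write bit. If the node or an operator is expected to edit these files, set the mode explicitly after the copy, for example `chmod 644 /sourcehub/config/*.toml`. The glob is also unguarded: when no .toml file matches, `cp` receives the literal pattern and fails.
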

⚠️ Potential issue | 🟠 Major

Don’t overwrite user-provided configs on first init.
cp /etc/sourcehub/*.toml /sourcehub/config/ will clobber any pre-mounted config files. Prefer a non-destructive copy to preserve user intent.

✅ Non-destructive copy
-    cp /etc/sourcehub/*.toml /sourcehub/config/
+    for f in /etc/sourcehub/*.toml; do
+        [ -e "$f" ] || continue
+        dest="/sourcehub/config/$(basename "$f")"
+        if [ ! -f "$dest" ]; then
+            cp "$f" "$dest"
+        fi
+    done
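
Review bot: the `if [ ! -f "$dest" ]` guard skips every file that already exists, which conflicts with the comment on the original lines saying these container defaults override settings such as the listening address. If the first-time init step has already written app.toml or config.toml into /sourcehub/config/ before this point, the loop copies nothing and the container defaults never take effect. Distinguish user-mounted files from init-generated ones, for instance by recording which files exist before init runs.
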
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# copy the container specific default config files,
# which overrides some settings such as listening address
cp /etc/sourcehub/*.toml /sourcehub/config/
# copy the container specific default config files,
# which overrides some settings such as listening address
for f in /etc/sourcehub/*.toml; do
[ -e "$f" ] || continue
dest="/sourcehub/config/$(basename "$f")"
if [ ! -f "$dest" ]; then
cp "$f" "$dest"
fi
done
🤖 Prompt for AI Agents
In `@docker/entrypoint.sh` around lines 24 - 26, The current cp invocation (cp
/etc/sourcehub/*.toml /sourcehub/config/) will overwrite user-mounted configs;
change it to a non-destructive copy so default container configs are only
installed when absent (for example use cp -n /etc/sourcehub/*.toml
/sourcehub/config/ or loop over /etc/sourcehub/*.toml and copy each file only if
[ ! -e "/sourcehub/config/$(basename "$f")" ]), ensuring the entrypoint.sh step
that copies config files preserves any pre-mounted user config files.
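
A build-time check for the settings this review flags, as an added example (not part of the pull request or the project's code). The function names `audit_defaults` and `write_samples` are hypothetical, and the sample files are constructed excerpts using the keys and values quoted above.

```shell
#!/bin/sh
# Added example, not project code. audit_defaults and write_samples are
# hypothetical names; the keys and values are the ones quoted in this review.

# Print "file:line: setting" for each permissive default; return 1 if any found.
audit_defaults() {
    dir=$1
    findings=$(
        for f in "$dir"/*.toml; do
            [ -e "$f" ] || continue
            awk -v file="$(basename "$f")" '
                /^[ \t]*#/ { next }   # commented-out settings are not live
                /^[ \t]*(enabled-unsafe-cors|swagger|enable_faucet)[ \t]*=[ \t]*true/ {
                    print file ":" NR ": " $0; next
                }
                /^[ \t]*cors_allowed_origins[ \t]*=.*"\*"/ {
                    print file ":" NR ": " $0
                }
            ' "$f"
        done
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample input: short excerpts, not the full files from the PR.
write_samples() {
    cat > "$1/app.toml" <<'EOF'
# Swagger defines if swagger documentation should automatically be registered.
swagger = true
enabled-unsafe-cors = true
enable_faucet = true
EOF
    cat > "$1/config.toml" <<'EOF'
# Use '["*"]' to allow any origin
cors_allowed_origins = ["*"]
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit_defaults "$tmp" || echo "permissive defaults found: fail the build"
rm -rf "$tmp"
```

Pointing `audit_defaults` at `docker/configs` in CI makes a permissive default a deliberate, reviewed change rather than something inherited from a template.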

@codecov-commenter
Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 47.84%. Comparing base (6f52d93) to head (95e0f6f).
⚠️ Report is 1 commits behind head on dev.

Additional details and impacted files
@@            Coverage Diff             @@
##              dev      #94      +/-   ##
==========================================
+ Coverage   47.75%   47.84%   +0.09%     
==========================================
  Files         276      276              
  Lines       16194    16195       +1     
==========================================
+ Hits         7733     7749      +16     
+ Misses       7657     7642      -15     
  Partials      804      804              

@Lodek Lodek merged commit 1bce440 into dev Jan 28, 2026
2 checks passed
@Lodek Lodek deleted the refactor/df-defra branch January 28, 2026 16:49