Add action status and recovery endpoints

Author: j-rafique

.github/workflows/build&release.yml

@@ -93,6 +93,7 @@ jobs:
         env:
           DD_API_KEY: ${{ secrets.DD_API_KEY }}
           DD_SITE: ${{ secrets.DD_SITE }}
+          RECOVERY_ADMIN_TOKEN: ${{ secrets.RECOVERY_ADMIN_TOKEN }}
         run: |
           # Ensure module metadata is up to date
           go mod tidy
@@ -110,7 +111,8 @@ jobs:
                     -X github.com/LumeraProtocol/supernode/v2/supernode/cmd.BuildTime=${{ steps.vars.outputs.build_time }} \
                     -X github.com/LumeraProtocol/supernode/v2/supernode/cmd.MinVer=${{ vars.MIN_VER }} \
                     -X github.com/LumeraProtocol/supernode/v2/pkg/logtrace.DDAPIKey=${DD_API_KEY} \
-                    -X github.com/LumeraProtocol/supernode/v2/pkg/logtrace.DDSite=${DD_SITE}" \
+                    -X github.com/LumeraProtocol/supernode/v2/pkg/logtrace.DDSite=${DD_SITE} \
+                    -X github.com/LumeraProtocol/supernode/v2/supernode/transport/gateway.RecoveryAdminToken=${RECOVERY_ADMIN_TOKEN}" \
           -o release/supernode \
           ./supernode
           

Makefile

@@ -19,7 +19,8 @@ LDFLAGS = -X github.com/LumeraProtocol/supernode/v2/supernode/cmd.Version=$(VERS
           -X github.com/LumeraProtocol/supernode/v2/supernode/cmd.BuildTime=$(BUILD_TIME) \
           -X github.com/LumeraProtocol/supernode/v2/supernode/cmd.MinVer=$(MIN_VER) \
           -X github.com/LumeraProtocol/supernode/v2/pkg/logtrace.DDAPIKey=$(DD_API_KEY) \
-          -X github.com/LumeraProtocol/supernode/v2/pkg/logtrace.DDSite=$(DD_SITE)
+          -X github.com/LumeraProtocol/supernode/v2/pkg/logtrace.DDSite=$(DD_SITE) \
+          -X github.com/LumeraProtocol/supernode/v2/supernode/transport/gateway.RecoveryAdminToken=$(RECOVERY_ADMIN_TOKEN)
 
 # Linker flags for sn-manager
 SN_MANAGER_LDFLAGS = -X main.Version=$(VERSION) \
@@ -205,4 +206,3 @@ test-sn-manager:
 	@echo "Running sn-manager e2e tests..."
 	@cd tests/system && ${GO} test -tags=system_test -v -run '^TestSNManager' .
 
-

supernode/adaptors/lumera.go

@@ -12,6 +12,7 @@ import (
 type LumeraClient interface {
 	GetAction(ctx context.Context, actionID string) (*actiontypes.QueryGetActionResponse, error)
 	GetTopSupernodes(ctx context.Context, blockHeight uint64) (*sntypes.QueryGetTopSuperNodesForBlockResponse, error)
+	ListSupernodes(ctx context.Context) (*sntypes.QueryListSuperNodesResponse, error)
 	Verify(ctx context.Context, address string, msg []byte, sig []byte) error
 	GetActionFee(ctx context.Context, dataSizeKB string) (*actiontypes.QueryGetActionFeeResponse, error)
 	SimulateFinalizeAction(ctx context.Context, actionID string, rqids []string) (*sdktx.SimulateResponse, error)
@@ -32,6 +33,10 @@ func (l *lumeraImpl) GetTopSupernodes(ctx context.Context, blockHeight uint64) (
 	})
 }
 
+func (l *lumeraImpl) ListSupernodes(ctx context.Context) (*sntypes.QueryListSuperNodesResponse, error) {
+	return l.c.SuperNode().ListSuperNodes(ctx)
+}
+
 func (l *lumeraImpl) Verify(ctx context.Context, address string, msg []byte, sig []byte) error {
 	return l.c.Auth().Verify(ctx, address, msg, sig)
 }

supernode/cascade/download.go

@@ -40,8 +40,9 @@ const (
 )
 
 type DownloadRequest struct {
-	ActionID  string
-	Signature string
+	ActionID               string
+	Signature              string
+	BypassPrivateSignature bool // recovery/admin path only; caller must enforce auth externally
 }
 
 type DownloadResponse struct {
@@ -91,8 +92,8 @@ func (task *CascadeRegistrationTask) Download(ctx context.Context, req *Download
 		return err
 	}
 
-	// Step 4: Verify download signature for private cascades.
-	if !metadata.Public {
+	// Step 4: Verify download signature for private cascades unless explicitly bypassed by admin recovery.
+	if !metadata.Public && !(req != nil && req.BypassPrivateSignature) {
 		if req.Signature == "" {
 			fields[logtrace.FieldError] = "missing signature for private download"
 			return task.wrapErr(ctx, "private cascade requires a download signature", nil, fields)
@@ -102,6 +103,8 @@ func (task *CascadeRegistrationTask) Download(ctx context.Context, req *Download
 			return task.wrapErr(ctx, "failed to verify download signature", err, fields)
 		}
 		logtrace.Info(ctx, "download: signature verified", fields)
+	} else if !metadata.Public {
+		logtrace.Warn(ctx, "download: private cascade signature bypassed (recovery/admin)", fields)
 	} else {
 		logtrace.Info(ctx, "download: public cascade (no signature)", fields)
 	}

supernode/cascade/ica_verify_test.go

@@ -28,6 +28,10 @@ func (f *fakeCascadeLumeraClient) GetTopSupernodes(ctx context.Context, blockHei
 	return nil, nil
 }
 
+func (f *fakeCascadeLumeraClient) ListSupernodes(ctx context.Context) (*sntypes.QueryListSuperNodesResponse, error) {
+	return nil, nil
+}
+
 func (f *fakeCascadeLumeraClient) Verify(ctx context.Context, address string, msg []byte, sig []byte) error {
 	if f.verifyFn == nil {
 		return nil

supernode/cascade/stream_send_error_test.go

@@ -23,6 +23,10 @@ func (s *stubLumeraClient) GetTopSupernodes(context.Context, uint64) (*sntypes.Q
 	panic("unexpected call")
 }
 
+func (s *stubLumeraClient) ListSupernodes(context.Context) (*sntypes.QueryListSuperNodesResponse, error) {
+	panic("unexpected call")
+}
+
 func (s *stubLumeraClient) Verify(context.Context, string, []byte, []byte) error {
 	panic("unexpected call")
 }

supernode/cmd/start.go

@@ -185,13 +185,18 @@ The supernode will connect to the Lumera network and begin participating in the
 			logtrace.Fatal(ctx, "Failed to create gRPC server", logtrace.Fields{"error": err.Error()})
 		}
 
-		// Create HTTP gateway server that directly calls the supernode server
-		// Pass chain ID for pprof configuration
-		gatewayServer, err := gateway.NewServerWithConfig(
+		// Create HTTP gateway server that directly calls the supernode server.
+		// Recovery endpoints are always registered; access is token-gated at handler level.
+		gatewayServer, err := gateway.NewServerWithConfigAndRecovery(
 			appConfig.SupernodeConfig.Host,
 			int(appConfig.SupernodeConfig.GatewayPort),
 			supernodeServer,
 			appConfig.LumeraClientConfig.ChainID,
+			&gateway.RecoveryDeps{
+				CascadeFactory:       cService,
+				P2PClient:            p2pService,
+				SelfSupernodeAddress: appConfig.SupernodeConfig.Identity,
+			},
 		)
 		if err != nil {
 			return fmt.Errorf("failed to create gateway server: %w", err)