Secret API Backend (secretapi)
Deterministic backend for wallet-first designation, EDUT ID activation metadata, and governance install authorization.
Run
cd <home>/Documents/VSG\ Codex/web/backend/secretapi
go run .
Default listen address is :8080.
Test
cd <home>/Documents/VSG\ Codex/web/backend/secretapi
go test ./...
Environment Template
Copy .env.example in this folder and set contract/runtime values before deploy.
secretapi validates config at startup and fails closed if strict chain verification is enabled without RPC.
Endpoint Surface
Membership
- POST /secret/wallet/intent
- POST /secret/wallet/verify
- POST /secret/wallet/session/refresh
- POST /secret/wallet/session/revoke
- POST /secret/membership/quote
- POST /secret/membership/confirm
- GET /secret/membership/status
- POST /secret/id/quote (alias to membership quote)
- POST /secret/id/confirm (alias to membership confirm)
- GET /secret/id/status (alias to membership status)
- GET /secret/setup/health (deterministic setup readiness checks for wallet/session/membership/assurance/principal state)
- POST /secret/id/mint-payload (direct wallet mint payload, no quote dependency)
Marketplace
- GET /marketplace/offers
- GET /marketplace/offers/{offer_id}
- POST /marketplace/checkout/quote
- POST /marketplace/checkout/confirm
- GET /marketplace/entitlements
Governance install + availability
- POST /governance/install/token
- POST /governance/install/confirm
- GET /governance/install/status
- POST /governance/lease/heartbeat
- POST /governance/lease/offline-renew
Member app channel
- POST /member/channel/device/register
- POST /member/channel/device/unregister
- GET /member/channel/events
- POST /member/channel/events/{event_id}/ack
- POST /member/channel/support/ticket
Member channel feed includes deterministic anti-noise throttling:
- when event volume exceeds configured burst limits in a window, direct events are suppressed
- a single channel_digest card is inserted per window with grouped context and aggregated suppressed_count
- throttling is fail-closed deterministic and does not require external services
GET /member/channel/events now also returns digest summary fields:
- digest_active
- digest_suppressed_count
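The throttling rule above as an added sketch, not the secretapi implementation. It assumes events arrive sorted by time, fixed windows aligned to the Unix epoch, and a digest placed where the first suppressed event would have appeared; the Event and Card shapes are hypothetical apart from channel_digest and suppressed_count.

```go
package main

import (
	"errors"
	"fmt"
)

// Event and Card are hypothetical shapes; only channel_digest and
// suppressed_count are names taken from the README.
type Event struct{ ID, Kind string; Unix int64 }

type Card struct {
	Kind            string         // original event kind, or "channel_digest"
	ID              string         // empty on digest cards
	SuppressedCount int            // digest only
	ByKind          map[string]int // digest only: grouped context
}

// Throttle passes the first `limit` events of each window and folds the rest into one digest.
func Throttle(events []Event, limit int, windowSeconds int64) ([]Card, error) {
	if limit < 0 || (limit > 0 && windowSeconds <= 0) {
		return nil, errors.New("burst window must be positive when burst limit is enabled")
	}
	var out []Card
	cur, seen, digest := int64(-1), 0, -1
	for _, e := range events {
		if limit > 0 && e.Unix/windowSeconds != cur {
			cur, seen, digest = e.Unix/windowSeconds, 0, -1 // new window resets state
		}
		seen++
		if limit == 0 || seen <= limit { // limit 0 disables throttling
			out = append(out, Card{Kind: e.Kind, ID: e.ID})
			continue
		}
		if digest < 0 { // first suppressed event opens this window's single digest
			out = append(out, Card{Kind: "channel_digest", ByKind: map[string]int{}})
			digest = len(out) - 1
		}
		out[digest].SuppressedCount++
		out[digest].ByKind[e.Kind]++
	}
	return out, nil
}

func main() {
	evs := []Event{{"e1", "lease", 10}, {"e2", "lease", 20}, {"e3", "support", 30}} // constructed
	fmt.Println(Throttle(evs, 2, 3600))
}
```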
Wallet Session Hardening
POST /secret/wallet/verify now issues a wallet session token:
- Response fields: session_token, session_expires_at
- Response headers: X-Edut-Session, X-Edut-Session-Expires-At
When SECRET_API_REQUIRE_WALLET_SESSION=true, wallet-scoped control-plane endpoints fail closed unless a valid session token is provided via:
- Authorization: Bearer <session_token>
- X-Edut-Session: <session_token>
- Optional stronger replay binding: X-Edut-Device-Binding: <stable-device-secret>
If a session was issued with a device binding (or user-agent fallback binding), requests from a different binding context are rejected with wallet_session_context_mismatch.
Covered endpoints include marketplace checkout/entitlements, governance install/lease actions, and member-channel calls.
Session lifecycle endpoints:
- POST /secret/wallet/session/refresh: rotates the current session token and revokes the prior token.
- POST /secret/wallet/session/revoke: revokes the current token immediately.
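The binding check and refresh rotation described in this section, as an added sketch that is not secretapi's own code. Store, Issue, Check, Refresh and the session_missing_or_expired code are hypothetical names; only wallet_session_context_mismatch comes from this README.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

var ErrContextMismatch = errors.New("wallet_session_context_mismatch") // code named in the README
var ErrNoSession = errors.New("session_missing_or_expired")            // hypothetical code
type session struct{ wallet string; binding [32]byte; expires time.Time } // binding = SHA-256 of the device secret
type Store map[string]session // hypothetical in-memory store, single goroutine

func (s Store) Issue(wallet, binding string, ttl time.Duration, now time.Time) string {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		panic(err) // fail closed rather than issue a predictable token
	}
	tok := fmt.Sprintf("%x", raw)
	s[tok] = session{wallet, sha256.Sum256([]byte(binding)), now.Add(ttl)}
	return tok
}

func (s Store) Check(tok, binding string, now time.Time) (string, error) {
	sess, ok := s[tok]
	if !ok || !now.Before(sess.expires) {
		return "", ErrNoSession
	}
	if got := sha256.Sum256([]byte(binding)); subtle.ConstantTimeCompare(got[:], sess.binding[:]) != 1 {
		return "", ErrContextMismatch
	}
	return sess.wallet, nil
}

func (s Store) Refresh(tok, binding string, ttl time.Duration, now time.Time) (string, error) {
	wallet, err := s.Check(tok, binding, now)
	if err != nil {
		return "", err
	}
	delete(s, tok) // the prior token is revoked before the new one is returned
	return s.Issue(wallet, binding, ttl, now), nil
}

func main() {
	s, now := Store{}, time.Now() // wallet and binding values below are constructed
	fmt.Println(s.Check(s.Issue("0xOWNER", "device-A", time.Hour, now), "device-B", now))
}
```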
Sponsorship Behavior
Membership quote supports ownership wallet and distinct payer wallet:
- address: ownership wallet (required)
- payer_wallet: optional payer wallet
- payer_proof: required when payer differs from owner
Distinct payer proof uses owner-signed personal message:
EDUT-PAYER-AUTH:{designation_code}:{owner_wallet}:{payer_wallet}:{chain_id}
This enables company-sponsored mint flows while preserving deterministic owner authorization.
Company-first sponsor path is also supported:
- If sponsor_org_root_id is provided and the payer_wallet is a stored org_root_owner principal for that org root with active entitlement status, quote issuance is allowed without payer_proof.
Identity Assurance Model
Membership activation and identity assurance are stored as separate facts:
- membership_status
- identity_assurance_level
Assurance levels:
- none
- crypto_direct_unattested
- sponsored_unattested
- onramp_attested
onramp_attested can be set during membership confirm only on self-paid quotes and requires identity_attested_by.
Policy gates:
- Store checkout requires active membership.
- Workspace admin install/support actions require active membership and org-root-owner role.
- Governance admin controls (install token issuance, lease heartbeat/offline renew, owner support tickets) require org_root_owner role and additionally require onramp_attested identity assurance (identity_assurance_insufficient when unmet).
Quote Cost Envelope
POST /secret/membership/quote and POST /marketplace/checkout/quote return a deterministic cost_envelope object.
The envelope is pre-execution pricing metadata and is authoritative for checkout presentation:
- checkout_total_atomic and checkout_total are the user checkout totals.
- provider_fee_policy=edut_absorbed means on-ramp processing fees are absorbed by EDUT.
- network_fee_policy=payer_wallet_pays_chain_gas means chain gas remains wallet-dependent and separate from checkout total.
Quote endpoints accept optional payment_path:
- crypto_direct (default)
- fiat_onramp
When the on-ramp dependency edge is degraded, fiat_onramp fails closed with dependency.onramp_unavailable while crypto_direct remains available.
Financial approval thresholds:
- when SECRET_API_FINANCIAL_APPROVAL_THRESHOLD_ATOMIC > 0, quote responses include approval_required=true and deterministic approval_reason when total_amount_atomic exceeds the threshold.
- threshold-gated confirms fail closed with approval_required unless both approval_token and approval_actor are supplied.
- confirm responses persist only approval_token_ref (hash reference), never raw approval token material.
Chain-settlement confirmations (/secret/membership/confirm, /marketplace/checkout/confirm) also fail closed when chain-adjacent dependency edges are degraded:
- dependency.dns_unavailable
- dependency.tls_unavailable
- dependency.chain_unavailable
Error envelope contract:
- all non-2xx responses return deterministic code + error + correlation_id.
- responses now also include deterministic next_step guidance for remediation/retry.
- /marketplace/checkout/confirm now enforces setup readiness before high-impact entitlement activation:
  - if membership is not active and the quote is not a bundled membership activation quote, confirm fails closed with setup_incomplete.
  - recovery path is deterministic via GET /secret/setup/health?wallet=....
Key Environment Variables
Core
- SECRET_API_LISTEN_ADDR (default :8080)
- SECRET_API_DB_PATH (default ./secret.db)
- SECRET_API_ALLOWED_ORIGIN (default https://edut.ai)
- SECRET_API_DEPLOYMENT_CLASS (development|staging|production; default development)
- SECRET_API_DEPENDENCY_RECOVERY_STABILITY_SECONDS (default 60; hold window before degraded-edge recovery)
- SECRET_API_DEPENDENCY_CHAIN_STATE (auto|healthy|degraded; default auto)
- SECRET_API_DEPENDENCY_TLS_STATE (auto|healthy|degraded; default auto)
- SECRET_API_DEPENDENCY_DNS_STATE (auto|healthy|degraded; default auto)
- SECRET_API_DEPENDENCY_ONRAMP_STATE (auto|healthy|degraded; default auto)
- SECRET_API_DEPENDENCY_CLOUD_STATE (auto|healthy|degraded; default auto)
- SECRET_API_DEPENDENCY_MODEL_STATE (auto|healthy|degraded; default auto)
- SECRET_API_MEMBER_POLL_INTERVAL_SECONDS (default 30)
- SECRET_API_MEMBER_CHANNEL_EVENT_BURST_LIMIT (default 25; set 0 to disable channel event throttling)
- SECRET_API_MEMBER_CHANNEL_EVENT_BURST_WINDOW_SECONDS (default 3600; required positive when burst limit is enabled)
- SECRET_API_CHAIN_ID (default 84532)
- SECRET_API_CHAIN_RPC_URL (optional, enables on-chain tx receipt verification)
- SECRET_API_REQUIRE_ONCHAIN_TX_VERIFICATION:
  - if explicitly set, value is honored.
  - if unset, defaults to true when SECRET_API_DEPLOYMENT_CLASS=production, else false.
  - when enabled, membership confirm and marketplace checkout confirm fail closed without chain receipt verification.
- SECRET_API_ENTITLEMENT_CONTRACT (optional; when set, marketplace quote emits purchase calldata for entitlement settlement contract)
Membership
- SECRET_API_INTENT_TTL_SECONDS (default 900)
- SECRET_API_QUOTE_TTL_SECONDS (default 900)
- SECRET_API_WALLET_SESSION_TTL_SECONDS (default 2592000)
- SECRET_API_REQUIRE_WALLET_SESSION (default true; set false only for controlled local harness/debug usage)
- SECRET_API_REGULATORY_PROFILE_ID (us_general_2026 default, eu_ai_act_2026_baseline supported)
- SECRET_API_DOMAIN_NAME
- SECRET_API_VERIFYING_CONTRACT
- SECRET_API_MEMBERSHIP_CONTRACT
- SECRET_API_MINT_CURRENCY (ETH default for gas-only EDUT ID; USDC optional)
- SECRET_API_MINT_AMOUNT_ATOMIC (default 0 for gas-only EDUT ID mint)
- SECRET_API_MINT_DECIMALS (must be 6 for USDC, 18 for ETH)
- SECRET_API_FINANCIAL_APPROVAL_THRESHOLD_ATOMIC (default 0; when greater than 0, marketplace checkout confirmations above threshold require explicit approval_token and approval_actor)
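A pre-deploy check of the startup rules stated in this README (on-chain verification default and RPC requirement, burst window, mint decimals), added here as an example and not taken from secretapi. Validate and intOr are hypothetical names, and parsing booleans with strconv.ParseBool and treating an unparseable flag as strict are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
)

func intOr(env map[string]string, key string, def int) (int, error) {
	if v, ok := env[key]; ok {
		return strconv.Atoi(v)
	}
	return def, nil
}

// Validate resolves the on-chain verification flag and collects violations of
// the rules stated in the README. Boolean parsing is an assumption.
func Validate(env map[string]string) (strict bool, problems []string) {
	strict = env["SECRET_API_DEPLOYMENT_CLASS"] == "production" // default when the flag is unset
	if v, ok := env["SECRET_API_REQUIRE_ONCHAIN_TX_VERIFICATION"]; ok {
		b, err := strconv.ParseBool(v)
		if err != nil {
			problems = append(problems, "SECRET_API_REQUIRE_ONCHAIN_TX_VERIFICATION is not a boolean")
		}
		strict = b || err != nil // an unparseable value is treated as strict
	}
	if strict && env["SECRET_API_CHAIN_RPC_URL"] == "" {
		problems = append(problems, "strict chain verification without SECRET_API_CHAIN_RPC_URL")
	}
	limit, lerr := intOr(env, "SECRET_API_MEMBER_CHANNEL_EVENT_BURST_LIMIT", 25)
	window, werr := intOr(env, "SECRET_API_MEMBER_CHANNEL_EVENT_BURST_WINDOW_SECONDS", 3600)
	if lerr != nil || werr != nil || limit < 0 || (limit > 0 && window <= 0) {
		problems = append(problems, "burst window must be positive when burst limit is enabled")
	}
	cur := env["SECRET_API_MINT_CURRENCY"]
	if cur == "" {
		cur = "ETH"
	}
	want := map[string]string{"ETH": "18", "USDC": "6"}[cur]
	if dec, ok := env["SECRET_API_MINT_DECIMALS"]; want == "" || (ok && dec != want) {
		problems = append(problems, "SECRET_API_MINT_DECIMALS must be 6 for USDC, 18 for ETH")
	}
	return strict, problems
}

func main() {
	env := map[string]string{"SECRET_API_DEPLOYMENT_CLASS": "production"} // constructed sample
	fmt.Println(Validate(env))
}
```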
Marketplace
- SECRET_API_ENTITLEMENT_CONTRACT must be configured to issue checkout quotes.
- Marketplace quote fails closed with entitlement_contract_unconfigured when unset/zero.
Governance install
- SECRET_API_INSTALL_TOKEN_TTL_SECONDS (default 900)
- SECRET_API_LEASE_TTL_SECONDS (default 3600)
- SECRET_API_OFFLINE_RENEW_TTL_SECONDS (default 2592000)
- SECRET_API_GOV_RUNTIME_VERSION
- SECRET_API_GOV_PACKAGE_URL
- SECRET_API_GOV_PACKAGE_HASH
- SECRET_API_GOV_PACKAGE_SIGNATURE
- SECRET_API_GOV_SIGNER_KEY_ID
- SECRET_API_GOV_POLICY_HASH
- SECRET_API_GOV_ROLLOUT_CHANNEL (default stable)