refactor(entrypoint): use standard .env pattern instead of in-container bw

.env.example

@@ -59,3 +59,24 @@ GECKOTERMINAL_BASE_URL=http://pricing-proxy:8080/geckoterminal
 # observes when the same chat receives alerts from several chains. Leave
 # unset on single-chain stacks. Free-form value, rendered upper-cased.
 # CHAIN=Mainnet
+
+# Minter-guard auto-deny watcher.
+#
+# When enabled, the watcher iterates PROPOSED minters at the end of every
+# monitoring cycle and submits denyMinter() for any address not on the
+# committed whitelist (src/monitoringV2/config/whitelist.{testnet,mainnet}.json).
+# Bridge proposals are not exempted: the bridge type is inferred from a trivial
+# usd() view call and is therefore unsafe to exclude.
+#
+# GUARD_ENABLED          true/false. Disables the watcher entirely if false.
+# GUARD_PRIVATE_KEY      Hex private key (0x...) of the signer. Must hold or be
+#                        delegated enough voting power to pass checkQualified()
+#                        on the JUSD reserve.
+# GUARD_HELPER_ADDRESS   Address passed as the single helper to denyMinter().
+#                        Use the equity holder that delegated to the signer.
+# GUARD_WHITELIST_FILE   Absolute path to the whitelist JSON inside the
+#                        container (e.g. /app/src/monitoringV2/config/whitelist.mainnet.json).
+# GUARD_ENABLED=false
+# GUARD_PRIVATE_KEY=0x0000000000000000000000000000000000000000000000000000000000000000
+# GUARD_HELPER_ADDRESS=0x0000000000000000000000000000000000000000
+# GUARD_WHITELIST_FILE=/app/src/monitoringV2/config/whitelist.mainnet.json

Dockerfile

@@ -1,9 +1,5 @@
 FROM node:lts-alpine
 
-# bw CLI is used by entrypoint.sh to fetch GUARD_PRIVATE_KEY from Vaultwarden at container start.
-# Installed as root before switching user so the global npm prefix is writable.
-RUN apk add --no-cache bash && npm install -g @bitwarden/cli@2024.9.0
-
 RUN mkdir /app && chown -R node:node /app
 WORKDIR /app
 USER node
@@ -17,11 +13,7 @@ COPY --chown=node . .
 RUN npm run prisma:generate
 RUN npm run build
 
-# Entrypoint optionally fetches GUARD_PRIVATE_KEY from Vaultwarden, then execs npm.
-COPY --chown=node --chmod=0755 entrypoint.sh /app/entrypoint.sh
-
 # Expose port
 EXPOSE 3001
 
-ENTRYPOINT ["/app/entrypoint.sh"]
 CMD ["npm", "run", "start:migrate"]

README.md

@@ -17,6 +17,7 @@ The monitoring service continuously syncs blockchain data to provide real-time i
    - Collateral aggregation by token type
 4. **Token Prices**: Fetches real-time prices from GeckoTerminal API with caching
 5. **API Endpoints**: Serves data via REST API for frontend consumption
+6. **Minter Guard**: Optional auto-deny watcher (opt-in via `GUARD_ENABLED=true`). At the end of every monitoring cycle it submits `denyMinter()` for any `PROPOSED` minter not on a committed whitelist (`src/monitoringV2/config/whitelist.{testnet,mainnet}.json`). Requires `GUARD_PRIVATE_KEY` and `GUARD_HELPER_ADDRESS`. See `.env.example`.
 
 ## Tech Stack
 

src/monitoringV2/config/whitelist.mainnet.json

@@ -1,4 +1,4 @@
 {
-	"_comment": "Whitelist of approved generic minters (lowercase addresses). Empty = deny any new minter proposal. Bridges are never auto-denied (different type). Update via PR and redeploy.",
+	"_comment": "Whitelist of approved minter addresses (lowercase). Empty = deny any new minter proposal, including bridges (bridge type is inferred from a trivial usd() view call and is therefore unsafe to exempt). Add legitimate proposals here via PR + redeploy before they pass the application period.",
 	"minters": []
 }

src/monitoringV2/config/whitelist.testnet.json

@@ -1,4 +1,4 @@
 {
-	"_comment": "Whitelist of approved generic minters (lowercase addresses). Empty = deny any new minter proposal. Bridges are never auto-denied (different type). Update via PR and redeploy.",
+	"_comment": "Whitelist of approved minter addresses (lowercase). Empty = deny any new minter proposal, including bridges (bridge type is inferred from a trivial usd() view call and is therefore unsafe to exempt). Add legitimate proposals here via PR + redeploy before they pass the application period.",
 	"minters": []
 }