fix: sandbox scripts (#803)

Author: sosweetham

docker-compose.databases.yml

@@ -10,7 +10,7 @@ services:
     environment:
       - POSTGRES_USER=${POSTGRES_USER:-postgres}
       - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-postgres}
-      - POSTGRES_MULTIPLE_DATABASES=registry
+      - POSTGRES_MULTIPLE_DATABASES=registry,provisioner
     volumes:
       - postgres_data:/var/lib/postgresql/data
       - ./db/init-multiple-databases.sh:/docker-entrypoint-initdb.d/init-multiple-databases.sh

infrastructure/dev-sandbox/src/lib/PersistingWebCryptoAdapter.ts

@@ -114,7 +114,40 @@ export class PersistingWebCryptoAdapter implements CryptoAdapter {
     return { keyId, publicKey: bufferToMultibaseHex(spki) };
   }
 
-  private async ensureKey(keyId: string): Promise<CryptoKeyPair> {
+  async getPublicKey(keyId: string, _context?: string): Promise<string> {
+    const pair = await this.ensureKeyInMemory(keyId);
+    const spki = await crypto.subtle.exportKey("spki", pair.publicKey);
+    return bufferToMultibaseHex(spki);
+  }
+
+  async sign(keyId: string, payload: string): Promise<string> {
+    const pair = await this.ensureKeyInMemory(keyId);
+    const data = new TextEncoder().encode(payload);
+    const sig = await crypto.subtle.sign(SIGN_ALG, pair.privateKey, data);
+    return bufferToBase64(sig);
+  }
+
+  /** CryptoAdapter: sign with keyId and context (context ignored). */
+  async signPayload(
+    keyId: string,
+    _context: string,
+    payload: string,
+  ): Promise<string> {
+    return this.sign(keyId, payload);
+  }
+
+  /** CryptoAdapter: ensure key exists (load from storage); return created: false (we don't create on demand by keyId). */
+  async ensureKey(keyId: string, _context: string): Promise<{ created: boolean }> {
+    if (keyStore.has(keyId)) return { created: false };
+    const stored = readStoredKeys()[keyId];
+    if (!stored?.privateKeyPkcs8Base64) {
+      throw new Error(`Key not found: ${keyId}. Provision an eVault first to create a key.`);
+    }
+    await this.ensureKeyInMemory(keyId);
+    return { created: false };
+  }
+
+  private async ensureKeyInMemory(keyId: string): Promise<CryptoKeyPair> {
     let pair = keyStore.get(keyId);
     if (pair) return pair;
     const stored = readStoredKeys()[keyId];
@@ -137,17 +170,4 @@ export class PersistingWebCryptoAdapter implements CryptoAdapter {
     keyStore.set(keyId, pair);
     return pair;
   }
-
-  async getPublicKey(keyId: string): Promise<string> {
-    const pair = await this.ensureKey(keyId);
-    const spki = await crypto.subtle.exportKey("spki", pair.publicKey);
-    return bufferToMultibaseHex(spki);
-  }
-
-  async sign(keyId: string, payload: string): Promise<string> {
-    const pair = await this.ensureKey(keyId);
-    const data = new TextEncoder().encode(payload);
-    const sig = await crypto.subtle.sign(SIGN_ALG, pair.privateKey, data);
-    return bufferToBase64(sig);
-  }
 }

infrastructure/dev-sandbox/src/routes/+page.svelte

@@ -17,6 +17,9 @@
         platformName: env.PUBLIC_DEV_SANDBOX_PLATFORM_NAME ?? "dev-sandbox",
     };
 
+    /** Demo verification code accepted by evault-core when DEMO_CODE_W3DS is set. */
+    const DEMO_VERIFICATION_ID = "d66b7138-538a-465f-a6ce-f6985854c3f4";
+
     const IDENTITIES_STORAGE_KEY = "dev-sandbox-identities";
     const TOKEN_REFRESH_THRESHOLD_MS = 5 * 60 * 1000;
 
@@ -158,15 +161,19 @@
         provisionSuccess = null;
         addLog("info", "Provisioning new eVault…");
         try {
-            const result = await provision({
-                cryptoAdapter: adapter,
+            const { keyId } = await adapter.generateKeyPair();
+            const result = await provision(adapter, {
                 registryUrl: config.registryUrl,
                 provisionerUrl: config.provisionerUrl,
+                namespace: crypto.randomUUID(),
+                verificationId: DEMO_VERIFICATION_ID,
+                keyId,
+                context: "onboarding",
             });
             const identity: Identity = {
                 w3id: result.w3id,
                 uri: result.uri,
-                keyId: result.keyId,
+                keyId,
             };
             identities = [...identities, identity];
             selectedIndex = identities.length - 1;

platforms/pictique-api/~/metastate-mappings/pic/mappings.db

@@ -51,6 +51,28 @@ for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15; do
 done
 echo "Postgres and Neo4j are up."
 
+# Create registry and provisioner databases if they don't exist
+echo "Ensuring registry and provisioner databases exist..."
+for db in registry provisioner; do
+  EXISTS=$(docker compose -f docker-compose.databases.yml exec -T postgres psql -U "${POSTGRES_USER:-postgres}" -d postgres -tAc "SELECT 1 FROM pg_database WHERE datname='$db'" 2>/dev/null | tr -d '[:space:]' || echo "")
+  if [ "$EXISTS" != "1" ]; then
+    echo "Creating database: $db"
+    docker compose -f docker-compose.databases.yml exec -T postgres psql -U "${POSTGRES_USER:-postgres}" -d postgres -c "CREATE DATABASE \"$db\""
+  else
+    echo "Database $db already exists."
+  fi
+done
+
+# Run registry migrations
+echo "Running registry migrations..."
+pnpm --filter registry migration:run
+
+# Build and run evault-core (provisioner) migrations
+# Unset REGISTRY_DATABASE_URL so evault-core uses PROVISIONER_DATABASE_URL for its migrations
+echo "Building evault-core and running provisioner migrations..."
+pnpm --filter evault-core build
+REGISTRY_DATABASE_URL= pnpm --filter evault-core migration:run
+
 echo "Starting registry, evault-core, dev-sandbox (logs prefixed by service)..."
 pnpm exec concurrently -n registry,evault,sandbox \
   "pnpm --filter registry dev" \