🛠️ feat(wallet): add v2 migration backfill tooling

attid · attid · commit 4807eaa71dd1 · 2026-03-01T14:31:31.000-03:00
Add an idempotent wallet_crypto_v2 migration script with dry-run/batch/user targeting, expose it via just recipe, and document operational rollout/verification in runbooks.
diff --git a/bot/scripts/migrate_wallet_crypto_v2.py b/bot/scripts/migrate_wallet_crypto_v2.py
@@ -0,0 +1,191 @@
+"""Backfill wallet_crypto_v2 from legacy wallet fields.
+
+Version A migration strategy:
+- keep legacy fields untouched (rollback-safe)
+- fill wallet_crypto_v2 where migration is possible
+- skip wallets that require user PIN/password (use_pin in 1,2)
+
+Usage examples:
+  python scripts/migrate_wallet_crypto_v2.py --dry-run
+  python scripts/migrate_wallet_crypto_v2.py --batch-size 200
+  python scripts/migrate_wallet_crypto_v2.py --user-id 123456
+"""
+
+from __future__ import annotations
+
+import argparse
+import asyncio
+import os
+import sys
+from dataclasses import dataclass
+
+from loguru import logger
+from sqlalchemy import select
+
+# Add bot package root for direct script execution.
+sys.path.append(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
+
+from db.db_pool import db_pool
+from db.models import MyMtlWalletBot
+from infrastructure.services.encryption_service import EncryptionService
+
+
+@dataclass
+class Counters:
+    scanned: int = 0
+    migrated: int = 0
+    skipped_has_v2: int = 0
+    skipped_missing_secret: int = 0
+    skipped_requires_user_pin: int = 0
+    skipped_decrypt_failed: int = 0
+    failed: int = 0
+
+
+def _wallet_kind(is_free: bool, is_ton: bool) -> str:
+    if is_ton:
+        return "ton_free"
+    return "stellar_free" if is_free else "stellar_user"
+
+
+def _mode(use_pin: int) -> str:
+    # In current product model, no-password flow is treated as free/server mode.
+    return "free" if use_pin == 0 else "user"
+
+
+async def migrate_wallets(
+    *,
+    dry_run: bool,
+    batch_size: int,
+    user_id: int | None,
+) -> Counters:
+    counters = Counters()
+    encryption = EncryptionService()
+
+    async with db_pool.get_session() as session:
+        stmt = select(MyMtlWalletBot).where(MyMtlWalletBot.need_delete == 0)
+        if user_id is not None:
+            stmt = stmt.where(MyMtlWalletBot.user_id == user_id)
+
+        result = await session.execute(stmt)
+        wallets = result.scalars().all()
+
+        for wallet in wallets:
+            counters.scanned += 1
+
+            if wallet.wallet_crypto_v2:
+                counters.skipped_has_v2 += 1
+                continue
+
+            if not wallet.secret_key:
+                counters.skipped_missing_secret += 1
+                continue
+
+            try:
+                is_ton = wallet.secret_key == "TON"
+                kind = _wallet_kind(is_free=bool(wallet.free_wallet), is_ton=is_ton)
+                mode = _mode(int(wallet.use_pin or 0))
+
+                secret_plain: str | None = None
+                seed_plain: str | None = None
+
+                if is_ton:
+                    secret_plain = "TON"
+                    seed_plain = wallet.seed_key
+                elif mode == "free":
+                    secret_plain = encryption.decrypt(
+                        wallet.secret_key,
+                        str(wallet.user_id),
+                    )
+                    if secret_plain and wallet.seed_key:
+                        seed_plain = encryption.decrypt(wallet.seed_key, secret_plain)
+                else:
+                    counters.skipped_requires_user_pin += 1
+                    continue
+
+                if not secret_plain:
+                    counters.skipped_decrypt_failed += 1
+                    continue
+
+                wallet.wallet_crypto_v2 = encryption.encrypt_wallet_container(
+                    secret_key=secret_plain,
+                    seed_key=seed_plain,
+                    mode=mode,
+                    wallet_kind=kind,
+                    pin=None,
+                )
+                counters.migrated += 1
+
+                if not dry_run and counters.migrated % batch_size == 0:
+                    await session.commit()
+                    logger.info(
+                        "Committed batch: migrated={} scanned={}",
+                        counters.migrated,
+                        counters.scanned,
+                    )
+
+            except Exception as exc:  # pragma: no cover - defensive reporting path
+                counters.failed += 1
+                logger.exception(
+                    "Failed to migrate wallet id={} user_id={} error={}",
+                    wallet.id,
+                    wallet.user_id,
+                    exc,
+                )
+
+        if dry_run:
+            await session.rollback()
+        else:
+            await session.commit()
+
+    return counters
+
+
+def parse_args() -> argparse.Namespace:
+    parser = argparse.ArgumentParser(description="Migrate legacy wallet secrets to v2")
+    parser.add_argument(
+        "--dry-run",
+        action="store_true",
+        help="Do not persist updates; only print migration counters",
+    )
+    parser.add_argument(
+        "--batch-size",
+        type=int,
+        default=100,
+        help="Commit frequency for non-dry-run mode",
+    )
+    parser.add_argument(
+        "--user-id",
+        type=int,
+        default=None,
+        help="Migrate only a specific user_id",
+    )
+    return parser.parse_args()
+
+
+async def main() -> int:
+    args = parse_args()
+    counters = await migrate_wallets(
+        dry_run=args.dry_run,
+        batch_size=max(args.batch_size, 1),
+        user_id=args.user_id,
+    )
+    logger.info(
+        (
+            "Migration result: scanned={} migrated={} skipped_has_v2={} "
+            "skipped_missing_secret={} skipped_requires_user_pin={} "
+            "skipped_decrypt_failed={} failed={} dry_run={}"
+        ),
+        counters.scanned,
+        counters.migrated,
+        counters.skipped_has_v2,
+        counters.skipped_missing_secret,
+        counters.skipped_requires_user_pin,
+        counters.skipped_decrypt_failed,
+        counters.failed,
+        args.dry_run,
+    )
+    return 0 if counters.failed == 0 else 1
+
+
+if __name__ == "__main__":
+    raise SystemExit(asyncio.run(main()))
diff --git a/docs/exec-plans/active/2026-03-01-wallet-crypto-v2-migration.md b/docs/exec-plans/active/2026-03-01-wallet-crypto-v2-migration.md
@@ -102,7 +102,7 @@ Operational rollout without feature flags:
      - legacy fallback.
    - Verify `routers/ton.py` user flows are unchanged.
 
-7. [ ] Add migration script (safe and idempotent).
+7. [x] Add migration script (safe and idempotent).
    - Create script in `bot/scripts/` to backfill `wallet_crypto_v2`.
    - Script behavior:
      - scan wallets with empty v2,
diff --git a/docs/runbooks/README.md b/docs/runbooks/README.md
@@ -5,3 +5,4 @@ Operational checklists for common incidents and CI/test failures.
 - `ci-failure-triage.md`: default first-response flow.
 - `e2e-pipeline.md`: PR smoke + external + nightly canary strategy.
 - `task-intake-and-execution.md`: start every non-trivial task in AI-first mode.
+- `wallet-crypto-v2-migration.md`: operational steps for v2 backfill.
diff --git a/docs/runbooks/wallet-crypto-v2-migration.md b/docs/runbooks/wallet-crypto-v2-migration.md
@@ -0,0 +1,60 @@
+# Wallet Crypto V2 Migration
+
+## Goal
+
+Backfill `wallet_crypto_v2` while keeping legacy `secret_key`/`seed_key` intact
+for rollback-safe Version A rollout.
+
+## Preconditions
+
+- Version A image is deployed (dual-read + dual-write enabled in code).
+- `WALLET_KEK` is configured in runtime secrets.
+- Optional: `WALLET_KEK_OLD` if key rotation fallback is needed.
+
+## Commands
+
+Dry-run:
+
+```bash
+just migrate-wallet-crypto-v2
+```
+
+Real migration:
+
+```bash
+just migrate-wallet-crypto-v2 args="--batch-size 200"
+```
+
+Single user verification:
+
+```bash
+just migrate-wallet-crypto-v2 args="--dry-run --user-id 123456"
+```
+
+## Expected Counters
+
+Script prints:
+
+- `scanned`
+- `migrated`
+- `skipped_has_v2`
+- `skipped_missing_secret`
+- `skipped_requires_user_pin`
+- `skipped_decrypt_failed`
+- `failed`
+
+Notes:
+
+- `skipped_requires_user_pin` is expected for non-free wallets with PIN/password.
+- Those records migrate lazily when user successfully authenticates.
+
+## Rollback Safety
+
+Version A keeps writing legacy fields and does not delete them.
+Old image can continue to read legacy fields during rollback window.
+
+## Exit Criteria Before Version B
+
+- No migration failures (`failed=0`).
+- `wallet_crypto_v2` coverage is acceptable for active wallets.
+- CI gates green (`just check-fast`, smoke/external suites).
diff --git a/justfile b/justfile
@@ -72,6 +72,9 @@ metrics:
 bench-kdf:
     uv run --with argon2-cffi python bot/scripts/argon2_benchmark.py
 
+migrate-wallet-crypto-v2 args="--dry-run":
+    cd bot && uv run --package mmwb-bot python scripts/migrate_wallet_crypto_v2.py {{args}}
+
 start-task task_id title="":
     uv run python .linters/create_exec_plan.py {{task_id}} --title "{{title}}"
 
