feat(prover-api): production-ready claim migration prover with security hardening (#68)

* refactor(prover-api): modularize codebase with job queue and worker pool

Split monolithic main.rs into separate modules for better maintainability:
- config.rs: Configuration loading and validation
- types.rs: Shared types (AppState, JobEntry, CachedProof, etc.)
- handlers.rs: HTTP request handlers (submit_job, job_status, health)
- prover.rs: ZK proof generation logic
- queue.rs: JobQueue and WorkerPool for concurrent proof generation
- cache.rs: Proof caching with TTL cleanup
- rate_limit.rs: Per-pubkey rate limiting
- jobs.rs: Job entry cleanup
- validation.rs: Request validation utilities

Added production features:
- Configurable worker pool size and queue capacity
- Background cleanup tasks for cache, rate limits, and stale jobs
- Max body size limiting
- Proof timeout configuration

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* feat(prover-api): add eligibility verification, signature validation, and IP rate limiting

Adds production hardening features:
- Load eligibility data from merkle-tree.json at startup with pubkey-based O(1) lookup
- Verify sr25519 signatures before proof generation using schnorrkel
- IP-based rate limiting (separate from pubkey rate limiting) to catch bots/scanners
- Add proof metrics tracking (completions, timeouts, background tasks)
- Update Dockerfile to bundle eligibility data with configurable path

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* chore(prover-api): tune default config values for production use

- Increase cache TTL from 10 minutes to 1 hour since proofs are
  deterministic and expensive to compute
- Reduce queue capacity from 100 to 50 for better wait time estimation
  (~1 hour max with 4 workers)
- Increase jobs TTL from 10 minutes to 1 hour to let users return
  for their proof

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* fix(prover-api): use explicit Mainnet mode for SP1 network prover

ProverClient::from_env() defaults to Reserved mode which has an invalid
domain for the mainnet network. Explicitly use NetworkMode::Mainnet via
ProverClient::builder().network_for(NetworkMode::Mainnet) to ensure
correct mainnet RPC URL is used.

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* feat(prover-api): improve security and fix concurrency control

- Add trust_proxy_headers config for secure IP extraction behind reverse proxies
  - When false (default), only socket address is used for rate limiting
  - When true, respects X-Forwarded-For and X-Real-IP headers
  - Strip port from socket addresses for consistent rate limiting

- Add configurable RPC timeout for on-chain verification
  - timeout_seconds field in VerifyOnchainConfig
  - Uses RPC_TIMEOUT_SECONDS env var (default: 10s)

- Fix unbounded concurrency when proof generation times out
  - Acquire semaphore permit before spawning task, not inside
  - Hold permit until blocking task actually completes (not just timeout)
  - Use tokio::select! instead of tokio::time::timeout to keep handle valid
  - Add decrement_timed_out_still_running metric tracking

- Fix JobQueue::from_sender to use shared queue_size counter
  - Prevents queue size tracking inconsistencies
  - Add error handling for misconfigured state

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* test(prover-api): add httpmock tests for on-chain verification

- Add httpmock dev dependency for mocking RPC responses
- Add tests for verify_onchain_proof success and revert cases
- Add test for check_already_claimed with claimed/unclaimed scenarios
- Minor code cleanup and formatting fixes

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* fix(prover-api): use consistent timestamp in rate limiter

Capture timestamp once at the start of check_and_update() to avoid
potential race condition where multiple calls to now_ts() could return
different values.

Co-Authored-By: Claude Opus 4.5 <[email protected]>

---------

Co-authored-by: Claude Opus 4.5 <[email protected]>

Author: vutuanlinh2k2

packages/migration-claim/sp1/Cargo.lock

@@ -0,0 +1 @@
+../merkle-tree.json

packages/migration-claim/sp1/merkle-tree.json

@@ -10,8 +10,10 @@ alloy-sol-types = { workspace = true }
 anyhow = { workspace = true }
 axum = "0.7"
 hex = { workspace = true }
+merlin = { workspace = true }
 primitive-types = "0.12"
 reqwest = { version = "0.12", default-features = false, features = ["blocking", "json", "rustls-tls"] }
+schnorrkel = { workspace = true }
 serde = { workspace = true }
 serde_json = "1.0"
 sp1-sdk = { workspace = true }
@@ -22,3 +24,6 @@ tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["fmt"] }
 uuid = { version = "1", features = ["v4"] }
 rustls = { version = "0.23", features = ["ring"] }
+
+[dev-dependencies]
+httpmock = "0.7"

packages/migration-claim/sp1/prover-api/Cargo.toml

@@ -16,8 +16,17 @@ RUN apt-get update \
     && apt-get install -y --no-install-recommends ca-certificates libssl3 \
     && rm -rf /var/lib/apt/lists/*
 
+# Create app directory structure
+WORKDIR /app
+
+# Copy eligibility data (can be overridden via volume mount at runtime)
+COPY packages/migration-claim/sp1/merkle-tree.json /app/data/merkle-tree.json
+
+# Copy binary
 COPY --from=builder /repo/packages/migration-claim/sp1/target/release/tnt-claim-prover-api /usr/local/bin/tnt-claim-prover-api
 
+# Set default eligibility path (overridable via ELIGIBILITY_FILE env var)
+ENV ELIGIBILITY_FILE=/app/data/merkle-tree.json
 ENV PORT=8080
 EXPOSE 8080
 

packages/migration-claim/sp1/prover-api/Dockerfile

@@ -0,0 +1,223 @@
+#!/bin/bash
+# Integration test script for SP1 Prover API
+# Run this script after starting the API server
+
+set -e
+
+API_URL="${API_URL:-http://localhost:8080}"
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+pass() {
+    echo -e "${GREEN}PASS${NC}: $1"
+}
+
+fail() {
+    echo -e "${RED}FAIL${NC}: $1"
+    exit 1
+}
+
+warn() {
+    echo -e "${YELLOW}WARN${NC}: $1"
+}
+
+# Test data
+VALID_SS58="5GrwvaEF5zXb26Fz9rcQpDWS57CtERHpNehXCPcNoHGKutQY"
+VALID_SIGNATURE="0x$(printf 'ab%.0s' {1..64})"
+VALID_EVM_ADDRESS="0x742d35Cc6634C0532925a3b844Bc9e7595f4a3b2"
+VALID_CHALLENGE="0x$(printf '12%.0s' {1..32})"
+VALID_AMOUNT="1000000000000000000"
+
+echo "======================================"
+echo "SP1 Prover API Integration Tests"
+echo "API URL: $API_URL"
+echo "======================================"
+echo
+
+# Test 1: Health endpoint
+echo "Test 1: Health endpoint"
+HEALTH=$(curl -s "$API_URL/health")
+if echo "$HEALTH" | grep -q '"status":"ok"'; then
+    pass "Health endpoint returns ok"
+    echo "  Response: $HEALTH"
+else
+    fail "Health endpoint failed: $HEALTH"
+fi
+echo
+
+# Test 2: Missing required fields
+echo "Test 2: Missing required fields -> 400"
+RESPONSE=$(curl -s -w "\n%{http_code}" -X POST "$API_URL" \
+    -H "Content-Type: application/json" \
+    -d '{"ss58Address": ""}')
+HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
+BODY=$(echo "$RESPONSE" | head -n-1)
+
+if [ "$HTTP_CODE" = "400" ]; then
+    pass "Missing fields returns 400"
+    echo "  Response: $BODY"
+else
+    fail "Expected 400, got $HTTP_CODE: $BODY"
+fi
+echo
+
+# Test 3: Invalid signature length
+echo "Test 3: Invalid signature length -> 400"
+RESPONSE=$(curl -s -w "\n%{http_code}" -X POST "$API_URL" \
+    -H "Content-Type: application/json" \
+    -d "{
+        \"ss58Address\": \"$VALID_SS58\",
+        \"signature\": \"0x1234\",
+        \"evmAddress\": \"$VALID_EVM_ADDRESS\",
+        \"challenge\": \"$VALID_CHALLENGE\",
+        \"amount\": \"$VALID_AMOUNT\"
+    }")
+HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
+BODY=$(echo "$RESPONSE" | head -n-1)
+
+if [ "$HTTP_CODE" = "400" ]; then
+    pass "Invalid signature length returns 400"
+    echo "  Response: $BODY"
+else
+    fail "Expected 400, got $HTTP_CODE: $BODY"
+fi
+echo
+
+# Test 4: Invalid amount (hex instead of decimal)
+echo "Test 4: Invalid amount format -> 400"
+RESPONSE=$(curl -s -w "\n%{http_code}" -X POST "$API_URL" \
+    -H "Content-Type: application/json" \
+    -d "{
+        \"ss58Address\": \"$VALID_SS58\",
+        \"signature\": \"$VALID_SIGNATURE\",
+        \"evmAddress\": \"$VALID_EVM_ADDRESS\",
+        \"challenge\": \"$VALID_CHALLENGE\",
+        \"amount\": \"0x1234\"
+    }")
+HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
+BODY=$(echo "$RESPONSE" | head -n-1)
+
+if [ "$HTTP_CODE" = "400" ]; then
+    pass "Hex amount returns 400"
+    echo "  Response: $BODY"
+else
+    fail "Expected 400, got $HTTP_CODE: $BODY"
+fi
+echo
+
+# Test 5: Invalid SS58 address
+echo "Test 5: Invalid SS58 address -> 400"
+RESPONSE=$(curl -s -w "\n%{http_code}" -X POST "$API_URL" \
+    -H "Content-Type: application/json" \
+    -d "{
+        \"ss58Address\": \"invalid_address_here\",
+        \"signature\": \"$VALID_SIGNATURE\",
+        \"evmAddress\": \"$VALID_EVM_ADDRESS\",
+        \"challenge\": \"$VALID_CHALLENGE\",
+        \"amount\": \"$VALID_AMOUNT\"
+    }")
+HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
+BODY=$(echo "$RESPONSE" | head -n-1)
+
+if [ "$HTTP_CODE" = "400" ]; then
+    pass "Invalid SS58 address returns 400"
+    echo "  Response: $BODY"
+else
+    fail "Expected 400, got $HTTP_CODE: $BODY"
+fi
+echo
+
+# Test 6: Unknown job ID -> 404
+echo "Test 6: Unknown job ID -> 404"
+RESPONSE=$(curl -s -w "\n%{http_code}" "$API_URL/status/non-existent-job-id")
+HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
+BODY=$(echo "$RESPONSE" | head -n-1)
+
+if [ "$HTTP_CODE" = "404" ]; then
+    pass "Unknown job ID returns 404"
+    echo "  Response: $BODY"
+else
+    fail "Expected 404, got $HTTP_CODE: $BODY"
+fi
+echo
+
+# Test 7: Valid request (only if in mock mode)
+echo "Test 7: Valid request submission"
+if echo "$HEALTH" | grep -q '"prover_mode":"mock"'; then
+    RESPONSE=$(curl -s -w "\n%{http_code}" -X POST "$API_URL" \
+        -H "Content-Type: application/json" \
+        -d "{
+            \"ss58Address\": \"$VALID_SS58\",
+            \"signature\": \"$VALID_SIGNATURE\",
+            \"evmAddress\": \"$VALID_EVM_ADDRESS\",
+            \"challenge\": \"$VALID_CHALLENGE\",
+            \"amount\": \"$VALID_AMOUNT\"
+        }")
+    HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
+    BODY=$(echo "$RESPONSE" | head -n-1)
+
+    if [ "$HTTP_CODE" = "200" ]; then
+        pass "Valid request accepted"
+        echo "  Response: $BODY"
+
+        # Extract job ID and poll status
+        JOB_ID=$(echo "$BODY" | grep -o '"jobId":"[^"]*"' | cut -d'"' -f4)
+        if [ -n "$JOB_ID" ]; then
+            echo "  Polling status for job: $JOB_ID"
+            for i in {1..10}; do
+                STATUS=$(curl -s "$API_URL/status/$JOB_ID")
+                echo "  Status: $STATUS"
+                if echo "$STATUS" | grep -q '"status":"completed"'; then
+                    pass "Job completed successfully"
+                    break
+                elif echo "$STATUS" | grep -q '"status":"failed"'; then
+                    warn "Job failed (expected in mock mode without proper setup)"
+                    break
+                fi
+                sleep 1
+            done
+        fi
+    else
+        fail "Expected 200, got $HTTP_CODE: $BODY"
+    fi
+else
+    warn "Skipping - API is not in mock mode (prover_mode != mock)"
+fi
+echo
+
+# Test 8: Rate limiting test
+echo "Test 8: Rate limiting"
+if echo "$HEALTH" | grep -q '"prover_mode":"mock"'; then
+    echo "  Sending multiple rapid requests..."
+    for i in {1..5}; do
+        RESPONSE=$(curl -s -w "\n%{http_code}" -X POST "$API_URL" \
+            -H "Content-Type: application/json" \
+            -d "{
+                \"ss58Address\": \"$VALID_SS58\",
+                \"signature\": \"$VALID_SIGNATURE\",
+                \"evmAddress\": \"$VALID_EVM_ADDRESS\",
+                \"challenge\": \"$VALID_CHALLENGE\",
+                \"amount\": \"$VALID_AMOUNT\"
+            }")
+        HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
+        BODY=$(echo "$RESPONSE" | head -n-1)
+        echo "  Request $i: HTTP $HTTP_CODE"
+
+        if [ "$HTTP_CODE" = "429" ]; then
+            pass "Rate limiting kicked in on request $i"
+            echo "  Response: $BODY"
+            break
+        fi
+    done
+else
+    warn "Skipping - API is not in mock mode"
+fi
+echo
+
+echo "======================================"
+echo "Integration tests completed"
+echo "======================================"