Chia-Network
diff --git a/‎src/datalayer/fullNodeRpc.js‎
Lines changed: 126 additions & 0 deletions b/‎src/datalayer/fullNodeRpc.js‎
Lines changed: 126 additions & 0 deletions
diff --git a/‎src/datalayer/wallet.js‎
Lines changed: 44 additions & 0 deletions b/‎src/datalayer/wallet.js‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎src/middleware.js‎
Lines changed: 55 additions & 0 deletions b/‎src/middleware.js‎
Lines changed: 55 additions & 0 deletions
@@ -0,0 +1,126 @@
+/**
+ * Minimal RPC client for the locally-running chia full-node, used only by
+ * the /diagnostics endpoint. CADT does not depend on the full node for any
+ * other functionality; this client exists so we can answer "is the full
+ * node running locally, and if so is it synced?".
+ *
+ * Like the wallet client, we use mTLS with the standard chia SSL files
+ * under `${chiaRoot}/config/ssl/full_node/`. If those files are missing
+ * (e.g. on a CADT-only host), the helpers return `{ reachable: false }`
+ * instead of throwing.
+ */
+
+import fs from 'fs';
+import path from 'path';
+import superagent from 'superagent';
+
+import _ from 'lodash';
+
+import { getChiaConfig } from './fullNode.js';
+import { getChiaRoot } from '../utils/chia-root.js';
+import { getActiveConfig } from '../utils/config-loader.js';
+import { logger } from '../config/logger.js';
+
+const DEFAULT_FULL_NODE_RPC_PORT = 8555;
+// 10s matches the outer settle() default in routes/diagnostics.js. A full node
+// catching up under heavy load can take several seconds to answer
+// get_blockchain_state, and falsely tagging it unreachable is worse than
+// waiting a bit longer.
+const DEFAULT_TIMEOUT_MS = 10000;
+
+const getCertificateFolderPath = () => {
+  const chiaRoot = getChiaRoot();
+  const overridden = getActiveConfig()?.APP?.CERTIFICATE_FOLDER_PATH;
+  return overridden || `${chiaRoot}/config/ssl`;
+};
+
+const getRpcPort = () => {
+  try {
+    const chiaConfig = getChiaConfig();
+    return _.get(chiaConfig, 'full_node.rpc_port', DEFAULT_FULL_NODE_RPC_PORT);
+  } catch (error) {
+    logger.debug(`[diagnostics]: could not read chia config for full-node rpc_port: ${error.message}`);
+    return DEFAULT_FULL_NODE_RPC_PORT;
+  }
+};
+
+const buildRpcUrl = () => `https://localhost:${getRpcPort()}`;
+
+const loadFullNodeCerts = () => {
+  const certificateFolderPath = getCertificateFolderPath();
+  const certFile = path.resolve(`${certificateFolderPath}/full_node/private_full_node.crt`);
+  const keyFile = path.resolve(`${certificateFolderPath}/full_node/private_full_node.key`);
+  return {
+    cert: fs.readFileSync(certFile),
+    key: fs.readFileSync(keyFile),
+  };
+};
+
+const callRpc = async (endpoint, payload = {}, { timeout = DEFAULT_TIMEOUT_MS } = {}) => {
+  const url = `${buildRpcUrl()}${endpoint}`;
+  const { cert, key } = loadFullNodeCerts();
+  const response = await superagent
+    .post(url)
+    .key(key)
+    .cert(cert)
+    .timeout(timeout)
+    .send(payload);
+  return response.body || JSON.parse(response.text);
+};
+
+/**
+ * Fetch full-node blockchain state.
+ * @returns {Promise<Object>} `{ reachable, synced, syncing, peakHeight, syncMode, error? }`
+ */
+export const getBlockchainState = async (options = {}) => {
+  const rpcUrl = buildRpcUrl();
+  try {
+    const data = await callRpc('/get_blockchain_state', {}, options);
+    if (!data?.success) {
+      return { rpcUrl, reachable: true, error: data?.error || 'unknown error' };
+    }
+    const state = data.blockchain_state || {};
+    return {
+      rpcUrl,
+      reachable: true,
+      synced: state.sync?.synced === true,
+      syncing: state.sync?.sync_mode === true,
+      peakHeight: state.peak?.height ?? null,
+      syncMode: state.sync?.sync_mode === true ? 'syncing' : state.sync?.synced ? 'synced' : 'not_synced',
+      genesisChallengeInitialized: state.genesis_challenge_initialized ?? null,
+    };
+  } catch (error) {
+    logger.debug(`[diagnostics]: full-node get_blockchain_state failed: ${error.message}`);
+    return { rpcUrl, reachable: false, error: error.message };
+  }
+};
+
+/**
+ * Fetch full-node peer connections. We only return the host strings; CADT
+ * never needs to act on peer details. Used to count outbound peers for the
+ * diagnostics view.
+ * @returns {Promise<{rpcUrl: string, reachable: boolean, connections?: Array, error?: string}>}
+ */
+export const getFullNodeConnections = async (options = {}) => {
+  const rpcUrl = buildRpcUrl();
+  try {
+    const data = await callRpc('/get_connections', {}, options);
+    if (!data?.success) {
+      return { rpcUrl, reachable: true, error: data?.error || 'unknown error' };
+    }
+    const connections = (data.connections || []).map((c) => ({
+      peerHost: c.peer_host,
+      peerPort: c.peer_port,
+      type: c.type,
+    }));
+    return { rpcUrl, reachable: true, connections };
+  } catch (error) {
+    logger.debug(`[diagnostics]: full-node get_connections failed: ${error.message}`);
+    return { rpcUrl, reachable: false, error: error.message };
+  }
+};
+
+export default {
+  getBlockchainState,
+  getFullNodeConnections,
+};
@@ -329,6 +329,49 @@ const getActiveNetwork = async () => {
   }
 };
 
+/**
+ * Return the wallet's peer connections (used by /diagnostics to cross-reference
+ * connected full-node peers against the trusted_peers map in the chia config).
+ *
+ * Returns an object with `success: false` on connection errors instead of
+ * throwing, so the diagnostics endpoint can degrade gracefully without
+ * bringing down the rest of the response.
+ *
+ * @returns {Promise<{success: boolean, connections?: Array, error?: string}>}
+ */
+const getWalletConnections = async () => {
+  if (USE_SIMULATOR) {
+    return { success: true, connections: [] };
+  }
+
+  const url = `${rpcUrl}/get_connections`;
+  try {
+    const { cert, key, timeout } = getBaseOptions();
+    const response = await superagent
+      .post(url)
+      .key(key)
+      .cert(cert)
+      .timeout(timeout)
+      .send({});
+
+    const data = response.body || JSON.parse(response.text);
+    if (!data?.success) {
+      return { success: false, error: data?.error || 'unknown error' };
+    }
+
+    const connections = (data.connections || []).map((c) => ({
+      peerHost: c.peer_host,
+      peerPort: c.peer_port,
+      type: c.type,
+      nodeId: c.node_id,
+    }));
+    return { success: true, connections };
+  } catch (error) {
+    logger.debug(`[diagnostics]: wallet get_connections failed: ${error.message}`);
+    return { success: false, error: error.message };
+  }
+};
+
 /**
  * Get coin records from the wallet (includes coin IDs)
  * @returns {Promise<{success: boolean, coin_records: Array}>} Object with coin_records array and success flag
@@ -884,6 +927,7 @@ export default {
   waitForAllTransactionsToConfirm,
   waitForSpendableCoins,
   getActiveNetwork,
+  getWalletConnections,
   getLastWalletSyncError,
   getWalletBlockchainSyncStatus,
   getCoinRecords,
 
@@ -41,6 +41,7 @@ const HEALTH_ENDPOINTS = new Set([
   '/v2/health',
   '/v1/health/wallet',
   '/v2/health/wallet',
+  '/diagnostics',
 ]);
 
 const isHealthEndpoint = (path) => HEALTH_ENDPOINTS.has(path);
@@ -314,6 +315,13 @@ app.use(function (req, res, next) {
 });
 
 app.use(async function (req, res, next) {
+  // Skip the home-organization-synced header probe on health endpoints so
+  // /diagnostics (and /health*) can respond even when migrations or the
+  // organizations table are slow to come up.
+  if (isHealthEndpoint(req.path)) {
+    return next();
+  }
+
   if (process.env.NODE_ENV !== 'test') {
     // Wait for migrations to complete before accessing organizations table
     const { waitForMigrations } = await import('./routes/index.js');
@@ -396,6 +404,13 @@ app.use(async function (req, res, next) {
 });
 
 app.use(async function (req, res, next) {
+  // Skip the all-data-synced header probe on health endpoints so /diagnostics
+  // (and /health*) can respond even when migrations or the organizations
+  // table are slow to come up.
+  if (isHealthEndpoint(req.path)) {
+    return next();
+  }
+
   // Wait for migrations to complete before accessing organizations table
   const { waitForMigrations } = await import('./routes/index.js');
   await waitForMigrations();
@@ -474,6 +489,14 @@ app.use(async function (req, res, next) {
 });
 
 app.use(async function (req, res, next) {
+  // Skip the wallet-synced header probe for health endpoints. walletIsSynced
+  // can hang for up to 300s when the wallet RPC is unreachable, which would
+  // defeat the purpose of /diagnostics (and slow down /health) precisely in
+  // the scenarios where those endpoints are most useful.
+  if (isHealthEndpoint(req.path)) {
+    return next();
+  }
+
   if (USE_SIMULATOR) {
     res.setHeader(headerKeys.WALLET_SYNCED, true);
   } else {
@@ -490,6 +513,38 @@ app.get('/health', (req, res) => {
   });
 });
 
+// System-wide diagnostics. Mounted on the root app (not under /v1 or /v2) so
+// it can report CADT, Chia, and machine status independent of the data-model
+// version. Lives in HEALTH_ENDPOINTS above so it bypasses the rate limiter,
+// startup gates, and the Chia/datalayer assertions -- this endpoint is meant
+// to be useful precisely when those subsystems are broken.
+//
+// Auth: handled by the global API-key middleware further up, which runs for
+// EVERY route including HEALTH_ENDPOINTS. When CADT_API_KEY is configured the
+// caller must present x-api-key before reaching this handler. We rely on
+// that single enforcement point rather than duplicating the constant-time
+// check here.
+//
+// Read-only: when V1 or V2 READ_ONLY is set we strip sensitive fields
+// (balances, transaction details, peer details, subscription IDs, home org
+// IDs) the same way wallet-health.js does for /v{1,2}/health/wallet.
+app.get('/diagnostics', async (req, res) => {
+  try {
+    const configV1 = getConfig();
+    const configV2 = getConfigV2();
+    const readOnly = configV2.READ_ONLY === true || configV1.READ_ONLY === true;
+    const { getDiagnosticsResponse } = await import('./routes/diagnostics.js');
+    const result = await getDiagnosticsResponse({ readOnly });
+    return res.status(200).json(result);
+  } catch (error) {
+    logger.error(`[diagnostics]: unexpected error building response: ${error.message}`);
+    return res.status(200).json({
+      timestamp: new Date().toISOString(),
+      error: `Failed to build diagnostics response: ${error.message}`,
+    });
+  }
+});
+
 // Conditionally mount V1 and V2 routes based on config
 // Each version's enable flag is in its own config file
 const configV1 = getConfig();