Deployment

[sjustintaylor]

• Adds docker, and docker compose files
• Adds docker related commands to taskfile
• updated sqlx dependency

Summary by CodeRabbit

• New Features

  • Multi-stage Docker builds, new Helios service and standalone compose for an Ethereum light client, gateway service with exposed ports (8080/9090) and healthchecks, and Taskfile Docker commands for build/run workflows.

• Documentation

  • New Helios setup guide and expanded environment/configuration examples.

• Chores

  • Added .dockerignore, reworked .env example, removed an unused dependency and upgraded SQL library, and changed default server bind to 0.0.0.0 for container deployments.

[coderabbitai]

Caution

Review failed

The pull request is closed.

Walkthrough

Adds Docker packaging and orchestration for the gateway and an optional Helios light client, including Dockerfiles, docker-compose variants, Taskfile automation, .dockerignore, Helios docs, env/config reflow, a default server bind change to 0.0.0.0, and a dependency update (sqlx bump, moka removed).

Changes

Cohort / File(s)	Summary
Docker ignore \.dockerignore	Adds ignore patterns to exclude build artifacts, VCS/IDE files, env/secrets, tests/docs, caches, CI/Docker helpers from Docker build context.
Gateway Docker & runtime Dockerfile , Taskfile.yml, docker-compose.yml	Adds two-stage Dockerfile (builder → slim runtime), Taskfile Docker tasks (build/run/compose helpers), and updates docker-compose.yml to add gateway service, env loading, healthchecks, ports 8080/9090, config volume mappings; removes top-level compose version.
Helios Docker & compose + docs Dockerfile.helios, docker-compose.helios.yml, HELIOS_SETUP.md	Adds multi-stage Helios Dockerfile, standalone compose for helios service (env-driven command, data volume, healthcheck), and comprehensive Helios setup documentation.
App config & source config.toml, src/config.rs	Changes server default bind from 127.0.0.1 to 0.0.0.0, adds [database] url setting in config.toml, and updates tests/comments to match new default.
Env example .env.example	Reflows and expands environment documentation, reorders sections (DATABASE CONFIGURATION) without changing variable names or defaults.
Dependencies Cargo.toml	Removes moka dependency; bumps sqlx 0.7 → 0.8 and adjusts features (runtime-tokio-rustls → runtime-tokio).
Compose & volumes docker-compose.yml (services/volumes)	Replaces pgadmin with helios and gateway services, updates service definitions, adds helios_data volume, removes pgadmin_data.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Dev as Developer
    participant Task as Taskfile
    participant Docker as Docker Build
    participant Compose as docker-compose
    participant Helios as Helios
    participant Gateway as Gateway
    participant Postgres as Postgres

    Dev->>Task: run docker:build / docker:build:helios
    Task->>Docker: build multi-stage images
    Docker-->>Dev: images built

    Dev->>Compose: docker-compose up
    Compose->>Postgres: start & healthcheck
    Compose->>Helios: start & healthcheck
    Compose->>Gateway: start (depends_on healthy)

    Gateway->>Postgres: connect via DATABASE_URL
    Gateway->>Gateway: serve on 0.0.0.0:8080/9090 (metrics)
    Helios->>Helios: expose JSON‑RPC :8545 (healthcheck)
    Note over Helios,Gateway: Gateway waits for healthy dependencies before serving

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• Add preconfirmation gateway: config, crypto, APIs/DB, RPC #8 — Overlaps on configuration and packaging surfaces (Cargo.toml, .env.example, config.toml, Dockerfiles/compose) and src/config.rs changes; likely related.

Poem

🐰
I tunneled through Docker, built a tiny hop,
Helios humming, gateway ready to pop.
Ports open wide, configs set to roam,
0.0.0.0 welcomes every home.
I hide old crumbs in .dockerignore — nibble, hop, and stop. 🍀

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title Check	❓ Inconclusive	The pull request title "Deployment" is generic and does not clearly convey the specific nature of the changes. While the title is related to the changeset (the PR does add deployment infrastructure), it fails to specify that the primary focus is adding Docker and Docker Compose containerization support. The title is so broad that it could refer to various types of deployment-related changes (CI/CD, release processes, cloud configuration, etc.), and someone unfamiliar with the PR would not understand from the title alone that the main contribution is containerization infrastructure for the application. The title references a real aspect of the changes but lacks the specificity needed to adequately summarize the main point.	Consider revising the title to be more specific and descriptive of the primary changes, such as "Add Docker containerization and Docker Compose orchestration" or "Add Docker support with Helios integration." This would immediately clarify that the PR introduces containerization infrastructure, making it easier for team members reviewing the project history to understand the scope and purpose of the changes without needing to examine the full changeset.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between b8e2cde and 7145f07.

📒 Files selected for processing (5)

• Dockerfile.helios (1 hunks)
• Taskfile.yml (1 hunks)
• config.toml (2 hunks)
• docker-compose.helios.yml (1 hunks)
• docker-compose.yml (1 hunks)

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)

• JIRA integration encountered authorization issues. Please disconnect and reconnect the integration in the CodeRabbit UI.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

📊 Test Coverage Report

Overall Coverage: 56.74%

📁 Coverage by File

File	Coverage	Lines	Uncovered Lines
🔴 types/database.rs	0.0%	0/11	12, 22, 23, 27, 28, 32, 33, 34, 35, 40 ... (+1 more)
🔴 main.rs	0.0%	0/90	17, 19, 22, 25, 26, 27, 31, 32, 33, 35 ... (+80 more)
🔴 rpc/handlers.rs	6.8%	10/147	46, 52, 53, 54, 57, 58, 59, 62, 63, 65 ... (+127 more)
🔴 types/delegation.rs	11.8%	6/51	37, 41, 42, 43, 45, 46, 49, 50, 51, 79 ... (+35 more)
🔴 services/constraint_submission.rs	35.9%	51/142	73, 74, 75, 76, 78, 79, 80, 114, 121, 122 ... (+81 more)
🔴 db/delegation_ops.rs	40.3%	56/139	35, 36, 43, 44, 46, 61, 62, 63, 64, 65 ... (+73 more)
🔴 services/delegation_polling.rs	41.1%	76/185	63, 64, 65, 66, 67, 69, 70, 71, 72, 74 ... (+99 more)
🔴 services/validator_status_cache.rs	47.1%	8/17	55, 62, 64, 90, 94, 97, 98, 99, 102
🟡 api/constraints.rs	56.1%	46/82	107, 109, 112, 114, 118, 119, 121, 122, 123, 140 ... (+26 more)
🟡 server.rs	57.9%	11/19	9, 10, 11, 13, 14, 15, 18, 20
🟡 db/mod.rs	59.4%	38/64	41, 42, 90, 91, 92, 94, 164, 165, 180, 181 ... (+16 more)
🟡 types/context.rs	60.0%	3/5	51, 52
🟡 services/fee_pricing.rs	63.9%	53/83	66, 72, 75, 78, 81, 82, 83, 85, 86, 89 ... (+20 more)
🟡 api/beacon.rs	66.7%	72/108	64, 65, 68, 142, 143, 144, 145, 156, 157, 158 ... (+26 more)
🟡 api/reth.rs	73.8%	48/65	156, 159, 163, 164, 165, 166, 167, 171, 174, 176 ... (+7 more)
🟡 types/payload.rs	74.5%	41/55	66, 95, 97, 98, 102, 126, 127, 128, 201, 202 ... (+4 more)
🟢 types/beacon.rs	84.8%	28/33	159, 180, 181, 182, 184
🟢 metrics.rs	84.9%	73/86	137, 138, 145, 146, 147, 148, 149, 156, 157, 158 ... (+3 more)
🟢 config.rs	86.5%	96/111	139, 150, 209, 230, 252, 277, 307, 310, 360, 361 ... (+5 more)
🟢 crypto/bls.rs	89.9%	71/79	211, 249, 264, 265, 266, 268, 269, 272
🟢 db/slot_congestion_ops.rs	91.3%	116/127	85, 86, 87, 103, 115, 345, 378, 379, 380, 383 ... (+1 more)
🟢 db/operations.rs	96.9%	63/65	38, 45
🟢 crypto/mod.rs	98.5%	65/66	168
🟢 types/hex_serde.rs	100.0%	7/7	All covered ✅
🟢 rpc/methods.rs	100.0%	7/7	All covered ✅
🟢 utils/address.rs	100.0%	3/3	All covered ✅

📈 Summary

• 🟢 High coverage (≥80%): 10 files
• 🟡 Medium coverage (50-79%): 8 files
• 🔴 Low coverage (<50%): 8 files
• 📦 Total files: 26

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

src/config.rs (1)

1172-1173: Clarify test comment.

The comment states "create_test_config uses '127.0.0.1' for test isolation" but this appears misleading since the actual default is now 0.0.0.0. The test helper create_test_config() does use 127.0.0.1 at line 626, but this comment might confuse readers about what the actual default is.

Apply this diff to clarify:

-		// Note: create_test_config uses "127.0.0.1" for test isolation
-		assert!(debug_str.contains("127.0.0.1"));
+		// Note: This test uses create_test_config which explicitly sets "127.0.0.1"
+		// The actual default is "0.0.0.0" (see test_server_config_default)
+		assert!(debug_str.contains("127.0.0.1"));

.env.example (1)

1-71: LGTM! Much clearer organization.

The restructure significantly improves the documentation and organization of environment variables. The new sections (REQUIRED VARIABLES, DATABASE CONFIGURATION, OPTIONAL VARIABLES, ADDITIONAL ENDPOINTS) make it much easier for developers to understand what they need to configure.

Add a blank line at the end of the file to satisfy the linter:

 # Constraints API relay endpoint (optional override)
 # CONSTRAINTS_API_ENDPOINT=http://localhost:3501
+

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 6fbb8a0 and 3bae40d.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (8)

• .dockerignore (1 hunks)
• .env.example (1 hunks)
• Cargo.toml (1 hunks)
• Dockerfile (1 hunks)
• Taskfile.yml (1 hunks)
• config.toml (1 hunks)
• docker-compose.yml (1 hunks)
• src/config.rs (4 hunks)

🧰 Additional context used

📓 Path-based instructions (3)

**/*.rs

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.rs: Format Rust code with rustfmt using hard tabs and 120-character width
Place unit tests within each module using #[cfg(test)] and #[test]

Files:

• src/config.rs

src/config.rs

📄 CodeRabbit inference engine (CLAUDE.md)

src/config.rs: Environment variables take precedence over TOML configuration values
Load private keys exclusively from environment variables; never from files

Files:

• src/config.rs

config.toml

📄 CodeRabbit inference engine (CLAUDE.md)

Do not store private keys in configuration files

Files:

• config.toml

🪛 Checkov (3.2.334)

Dockerfile

[medium] 88-89: Basic Auth Credentials

(CKV_SECRET_4)

docker-compose.yml

[medium] 52-53: Basic Auth Credentials

(CKV_SECRET_4)

🪛 dotenv-linter (3.3.0)

.env.example

[warning] 71-71: [EndingBlankLine] No blank line at the end of the file

(EndingBlankLine)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Code Coverage

🔇 Additional comments (8)

src/config.rs (1)

140-146: LGTM! Appropriate default for container deployments.

The change from 127.0.0.1 to 0.0.0.0 is correct for Docker/container deployments where the service needs to be accessible from outside the container. The updated documentation clearly explains the rationale.

config.toml (1)

6-9: LGTM! Clear documentation for container deployments.

The change to 0.0.0.0 with helpful comments explaining the difference between container and local-only deployments is excellent. This aligns with the changes in src/config.rs and the Docker deployment infrastructure.

.dockerignore (1)

1-63: LGTM! Comprehensive exclusions with good security practices.

The .dockerignore file properly excludes sensitive files (.env, *.key, *.pem, test-keys.sh) and unnecessary build artifacts. The intentional inclusion of .sqlx/ (commented at line 38) is correct since it's needed during compilation for offline query checking.

Dockerfile (2)

61-61: Verify config.toml handling with docker-compose volume mount.

Line 61 copies config.toml into the image, but docker-compose.yml at line 61 mounts ./config.toml:/app/config.toml:ro as a volume. This creates two potential issues:

1. Redundancy: The baked-in config.toml will be overridden by the volume mount when using docker-compose
2. Inconsistency: Running the container directly with docker run will use the baked-in config, while docker-compose uses the host config

Clarify the intended usage pattern. If docker-compose is the primary deployment method, consider removing the COPY of config.toml and documenting that config.toml must be provided as a volume mount. Alternatively, if the Dockerfile should be self-contained, document that docker-compose overrides the default config.

---

1-102: Well-structured Dockerfile with security best practices.

The two-stage build effectively minimizes the final image size, and the use of a non-root user (gateway) follows security best practices. The comprehensive comments and build instructions are helpful.

Taskfile.yml (1)

61-116: LGTM! Well-organized Docker task automation.

The new Docker tasks provide a comprehensive set of operations for building, running, and managing the containerized application. The task naming is consistent and descriptive, and the use of docker-compose for service orchestration is appropriate.

docker-compose.yml (1)

36-62: LGTM! Well-configured gateway service with health dependencies.

The gateway service configuration is comprehensive:

• Proper build context and dockerfile reference
• Correct port mappings (8080 for API, 9090 for metrics)
• Health check dependency on postgres ensures proper startup order
• Environment variable management with .env.docker and explicit overrides
• Read-only config volume mount prevents accidental modifications

The change of pgadmin port from 8080 to 8081 (line 29) avoids conflict with the gateway service.

Cargo.toml (1)

29-29: Review sqlx 0.8 migration and TLS feature change

sqlx 0.8 introduces breaking changes (SQLite macro revisions, offline/prepare workflow update, MSSQL removal, renamed APIs) and drops rustls so default TLS switches to native-tls (OpenSSL). Rerun cargo sqlx prepare if you use offline mode, update any CI/workflows, ensure OpenSSL is available in your environments, and run the full test suite to verify all database operations compile and execute correctly.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

docker-compose.yml (1)

88-89: Provide the .env.docker file to prevent deployment failures.

Lines 88-89 reference .env.docker via env_file, but this file is not included in the PR. Without it, the gateway service will fail to start with missing environment variables (particularly BEACON_API_ENDPOINT, COMMITTER_PRIVATE_KEY, BLS_PRIVATE_KEY, and the corrected DATABASE_URL per the previous comment).

Action needed:

1. Create a .env.docker file with all required and optional environment variables
2. Add .env.docker to .gitignore (if not already present)
3. Provide a .env.docker.example template for developers

As noted in the past review, do you want me to generate a .env.docker template suitable for Docker deployments?

🧹 Nitpick comments (4)

config.toml (1)

6-8: Server binding change enables containerization but verify deployment strategy.

Binding to 0.0.0.0 is required for Docker deployments to expose the service externally. However, ensure your deployment documentation clarifies this is a breaking change for local development if not using containers. Consider whether this should be configurable per environment (e.g., via GATEWAY_HOST environment variable) to support both container and non-container deployments seamlessly.

Dockerfile.helios (1)

16-19: Use caution with curl | bash installation pattern; consider pre-built binaries.

Lines 18-19 use the curl | bash pattern from a16z's heliosup installer, which executes remote scripts directly. While sourced from a trusted official repository, this pattern:

• Bypasses package manager security checks
• Is vulnerable to MITM attacks unless HTTPS is enforced (which it is, but still a known risk)
• May introduce hidden dependencies or modifications

Alternatives to consider:

1. Pre-build Helios binaries in a cached layer or publish a Helios Docker image maintained by a16z
2. Use a package manager (if available) or version-pinned release artifacts instead of the installer script
3. Document the security implications and hash verification if possible

For now, this approach is acceptable given a16z's official status, but document it as a known limitation and plan a migration path if a16z publishes official Docker images.

HELIOS_SETUP.md (2)

106-106: Add language identifier to fenced code block for proper syntax highlighting.

Line 106 defines an ASCII diagram in a fenced code block without a language specifier. This prevents syntax highlighting and IDE support.

Recommendation: Update the block to use a language identifier (e.g., ```text or ```plaintext) for consistency with other code blocks in the file.

-```
+```text
 ┌─────────────────────────────────────────────────┐

---

222-222: Wrap bare URL in markdown link syntax for better documentation rendering.

Line 222 contains a bare URL (https://beaconcha.in/) that should be wrapped in markdown link format for consistency and proper rendering in documentation viewers.

-Get a fresh checkpoint from https://beaconcha.in/
+Get a fresh checkpoint from [beaconcha.in](https://beaconcha.in/)

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 3bae40d and b8c1f35.

📒 Files selected for processing (6)

• Dockerfile.helios (1 hunks)
• HELIOS_SETUP.md (1 hunks)
• Taskfile.yml (1 hunks)
• config.toml (2 hunks)
• docker-compose.helios.yml (1 hunks)
• docker-compose.yml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• Taskfile.yml

🧰 Additional context used

📓 Path-based instructions (1)

config.toml

📄 CodeRabbit inference engine (CLAUDE.md)

Do not store private keys in configuration files

Files:

• config.toml

🪛 Checkov (3.2.334)

docker-compose.yml

[medium] 93-94: Basic Auth Credentials

(CKV_SECRET_4)

🪛 LanguageTool

HELIOS_SETUP.md

[grammar] ~25-~25: There might be a mistake here.
Context: ...eth_getProof**. Recommended providers: - Alchemy - Sup...

(QB_NEW_EN)

---

[grammar] ~26-~26: There might be a mistake here.
Context: ...y](https://www.alchemy.com/) - Supports eth_getProof - Infura - Suppor...

(QB_NEW_EN)

---

[grammar] ~42-~42: There might be a mistake here.
Context: ...compose logs -f helios ``` Helios will: 1. Build the Docker image (first time only,...

(QB_NEW_EN)

---

[grammar] ~43-~43: There might be a mistake here.
Context: ...e (first time only, takes ~5-10 minutes) 2. Sync with the Ethereum network (takes ~3...

(QB_NEW_EN)

---

[grammar] ~44-~44: There might be a mistake here.
Context: ... Ethereum network (takes ~30-60 seconds) 3. Expose the JSON-RPC endpoint at `http://...

(QB_NEW_EN)

---

[grammar] ~81-~81: There might be a mistake here.
Context: ...on | Variable | Description | Example | |----------|-------------|---------| | `...

(QB_NEW_EN)

---

[grammar] ~82-~82: There might be a mistake here.
Context: ...e | |----------|-------------|---------| | HELIOS_EXECUTION_RPC | Execution RPC...

(QB_NEW_EN)

---

[grammar] ~87-~87: There might be a mistake here.
Context: ...able | Default | Options | Description | |----------|---------|---------|--------...

(QB_NEW_EN)

---

[grammar] ~88-~88: There might be a mistake here.
Context: ...-----|---------|---------|-------------| | HELIOS_CONSENSUS_RPC | `https://www....

(QB_NEW_EN)

---

[grammar] ~89-~89: There might be a mistake here.
Context: ...sensus node | Consensus layer endpoint | | HELIOS_NETWORK | mainnet | `mainne...

(QB_NEW_EN)

---

[grammar] ~90-~90: There might be a mistake here.
Context: ...esky| Ethereum network to connect to | |HELIOS_CHECKPOINT` | (cached) | Beaco...

(QB_NEW_EN)

---

[grammar] ~128-~128: There might be a mistake here.
Context: ...────────────────────┘ ``` Key features: - Health checks: Gateway waits for Helio...

(QB_NEW_EN)

---

[grammar] ~131-~131: There might be a mistake here.
Context: ...k isolation**: All services communicate via Docker internal network ## Checkpoint ...

(QB_NEW_EN)

---

[grammar] ~222-~222: There might be a mistake here.
Context: ...sh checkpoint from https://beaconcha.in/ 2. Set HELIOS_CHECKPOINT in [.env.docker]...

(QB_NEW_EN)

---

[grammar] ~237-~237: There might be a mistake here.
Context: ...Gateway can't connect to Helios Ensure: 1. Helios is running: `docker-compose ps he...

(QB_NEW_EN)

---

[grammar] ~246-~246: There might be a mistake here.
Context: ...# Resource Usage Helios is lightweight: - CPU: Minimal (mostly idle after sync) ...

(QB_NEW_EN)

---

[grammar] ~247-~247: There might be a mistake here.
Context: ...CPU*: Minimal (mostly idle after sync) - Memory: ~100-200 MB - Disk: ~10 MB...

(QB_NEW_EN)

---

[grammar] ~248-~248: There might be a mistake here.
Context: ...le after sync) - Memory: ~100-200 MB - Disk: ~10 MB for checkpoint cache - **...

(QB_NEW_EN)

---

[grammar] ~249-~249: There might be a mistake here.
Context: ... - Disk: ~10 MB for checkpoint cache - Network: Initial sync downloads ~50-10...

(QB_NEW_EN)

---

[grammar] ~254-~254: There might be a mistake here.
Context: ...nc Time - First sync: 30-60 seconds - Subsequent starts: 5-10 seconds (uses ...

(QB_NEW_EN)

---

[grammar] ~255-~255: There might be a mistake here.
Context: ...*: 5-10 seconds (uses cached checkpoint) - Stay synced: Continuous, automatic ##...

(QB_NEW_EN)

---

[grammar] ~260-~260: There might be a mistake here.
Context: ...lar performance to remote RPC providers: - Latency: ~50-200ms per request (includ...

(QB_NEW_EN)

---

[grammar] ~261-~261: There might be a mistake here.
Context: ...00ms per request (includes verification) - Throughput: Hundreds of requests per s...

(QB_NEW_EN)

---

[grammar] ~262-~262: There might be a mistake here.
Context: ...ghput**: Hundreds of requests per second - Reliability: No rate limits, local acc...

(QB_NEW_EN)

---

[grammar] ~269-~269: There might be a mistake here.
Context: ... Helios is a trustless light client: - ✅ Verifies all data cryptographically us...

(QB_NEW_EN)

---

[grammar] ~279-~279: There might be a mistake here.
Context: ...y 4. Network isolation: Keep Helios on internal network, not exposed to intern...

(QB_NEW_EN)

---

[grammar] ~279-~279: There might be a mistake here.
Context: ...Helios on internal network, not exposed to internet 5. Monitoring: Monitor syn...

(QB_NEW_EN)

---

[grammar] ~284-~284: There might be a mistake here.
Context: ...# Additional Resources - Helios GitHub - [Helios Documentation](https://github.com...

(QB_NEW_EN)

---

[grammar] ~285-~285: There might be a mistake here.
Context: ...com/a16z/helios) - Helios Documentation - [Ethereum Light Client Specification](htt...

(QB_NEW_EN)

---

[grammar] ~286-~286: There might be a mistake here.
Context: ...) - Ethereum Light Client Specification - beaconcha.in - B...

(QB_NEW_EN)

---

[grammar] ~287-~287: There might be a mistake here.
Context: ...ha.in/) - Block explorer for checkpoints - Alchemy - Rec...

(QB_NEW_EN)

---

[grammar] ~288-~288: There might be a mistake here.
Context: ...alchemy.com/) - Recommended RPC provider - Infura - Altern...

(QB_NEW_EN)

---

[grammar] ~293-~293: There might be a mistake here.
Context: ... ## Support For Helios-specific issues: - [Helios GitHub Issues](https://github.com...

(QB_NEW_EN)

---

[grammar] ~294-~294: There might be a mistake here.
Context: ...specific issues: - Helios GitHub Issues - Helios Discord...

(QB_NEW_EN)

---

[grammar] ~297-~297: There might be a mistake here.
Context: ...confirmation gateway integration issues: - Check CLAUDE.md for project...

(QB_NEW_EN)

🪛 markdownlint-cli2 (0.18.1)

HELIOS_SETUP.md

106-106: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

222-222: Bare URL used

(MD034, no-bare-urls)

🔇 Additional comments (7)

Dockerfile.helios (1)

40-43: Security posture is solid with non-root user and proper ownership.

The use of a dedicated non-root user (helios:1000) and correct directory ownership is a security best practice. The read-only config mount in docker-compose.yml (line 104) further hardens this.

HELIOS_SETUP.md (1)

1-300: Comprehensive and well-structured documentation that aligns with deployment architecture.

The Helios setup guide is thorough, covering configuration, deployment, troubleshooting, and security considerations. It correctly references the docker-compose.yml and Dockerfile.helios files and provides clear guidance on checkpoint management, provider requirements (eth_getProof support), and networking in containers. The cross-references to related configuration files and documentation are helpful.

Note: This documentation assumes the .env.docker file will be provided (referenced in Quick Start, line 18). Ensure this file is created or documented separately to prevent deployment failures. See past review comment for context.

docker-compose.helios.yml (1)

1-46: Standalone Helios compose configuration is well-structured and correct.

The docker-compose.helios.yml file is a clean, self-contained alternative to the helios service in the main docker-compose.yml. The health check is appropriately configured with a 60-second start period to accommodate Helios' initial sync time, and the checkpoint caching via the helios_data_standalone volume ensures faster subsequent restarts. The command correctly uses the conditional checkpoint flag (line 35) to support optional weak subjectivity checkpoints.

docker-compose.yml (3)

29-32: Port mapping and depends_on update correctly resolve conflicts.

The change from 8080:80 to 8081:80 for pgadmin (line 29) avoids a conflict with the gateway service's JSON-RPC port (8080, line 84). The health-based depends_on condition (lines 31-32) ensures pgadmin only starts after postgres is fully ready.

---

36-75: Helios service integration is well-structured with appropriate health checks.

The helios service is correctly configured with:

• Multi-stage build via Dockerfile.helios
• Environment variables for execution/consensus RPC, network, and optional checkpoint
• Health check with 60-second start period (adequate for initial sync)
• Volume persistence via helios_data for checkpoint caching
• Proper port exposure (8545) for JSON-RPC access

The command uses bash variable substitution with defaults (e.g., ${HELIOS_NETWORK:-mainnet}) and conditional checkpoint flag, which correctly handles optional configuration.

---

77-104: Gateway service is well-integrated but depends on .env.docker file.

The gateway service correctly:

• Declares depends_on with health conditions for both postgres and helios (lines 99-102), ensuring proper startup ordering
• Mounts config.toml as read-only (line 104) for immutable configuration
• Exposes metrics port 9090 alongside the JSON-RPC port 8080

However, the service's success depends on the .env.docker file providing BEACON_API_ENDPOINT, COMMITTER_PRIVATE_KEY, and BLS_PRIVATE_KEY (see previous critical comment about DATABASE_URL also needing to move to .env.docker).

config.toml (1)

11-14: The review comment is incorrect regarding the actual implementation behavior.

The concern assumes the hardcoded localhost URL will be used in production, but this is mitigated by proper environment variable precedence that is already implemented.

Why the review concern is not substantiated:

1. Environment variable precedence is correctly implemented (src/db/mod.rs:31):

   let database_url = env::var("DATABASE_URL").unwrap_or_else(|_| config.database_url().to_string());

   The DATABASE_URL env var is checked first and takes precedence. The config file value is used only as a fallback when the env var is not set.

2. Docker deployment already overrides it (docker-compose.yml:93):
   The gateway service explicitly sets DATABASE_URL: postgresql://postgres:postgres@postgres:5432/preconfirmation_gateway, which takes precedence over the config.toml value.

3. No private keys are stored (guideline compliance):
   The URL contains no credentials—just a hostname. This does not violate the guideline against storing private keys in configuration files.

4. Config value serves as documented fallback:
   The comment on config.toml:13 already states it "can be overridden by the DATABASE_URL environment variable." This aligns with the review's recommendation.

5. Test validates precedence (src/db/mod.rs:516-528):
   An explicit test confirms that DATABASE_URL env var takes precedence over the config file value.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between b8c1f35 and b8e2cde.

📒 Files selected for processing (3)

• Dockerfile (1 hunks)
• Taskfile.yml (1 hunks)
• docker-compose.yml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• Taskfile.yml

🧰 Additional context used

🪛 Checkov (3.2.334)

Dockerfile

[medium] 89-90: Basic Auth Credentials

(CKV_SECRET_4)

🔇 Additional comments (9)

Dockerfile (4)

43-47: ✅ curl installation issue resolved.

The previous critical issue flagging missing curl for the HEALTHCHECK is now addressed. The runtime image correctly installs curl alongside other necessary dependencies.

---

4-33: Well-structured builder stage with proper dependency caching.

The two-stage build is optimized: manifests are copied before source code to leverage Docker layer caching, build dependencies are appropriate for a Rust + PostgreSQL project, and --locked ensures reproducibility.

---

49-68: Security best practice: non-root user execution.

The image correctly creates a non-root gateway user, adjusts ownership, and runs the application under that user. This follows container security hardening principles.

---

84-103: Static analysis false positive: example credentials in documentation.

Lines 89-90 show example credentials in documentation comments for instructional purposes only. These are not embedded in the image and the static analysis flag (CKV_SECRET_4) is a false positive. No actual secrets are hard-coded during the build.

docker-compose.yml (5)

29-32: Port mapping and health-condition dependency are correct.

PgAdmin port is moved from 8080 to 8081 to avoid conflict with the gateway service, and the dependency now correctly waits for postgres to be healthy.

---

36-76: Helios service well-configured with appropriate environment and health checks.

The helios service properly uses environment variable substitution, includes sensible defaults (mainnet network, lightclientdata.org consensus RPC), and the health check correctly validates the JSON-RPC endpoint. The 60-second start period allows sufficient time for light client initialization.

---

93-97: ✅ Environment variable substitution properly replaces hardcoded credentials.

The previous security concern about hardcoded credentials is resolved. All sensitive variables (DATABASE_URL, keys, API endpoints) now use proper ${VAR_NAME} substitution syntax, which means secrets are externalized to .env.docker (which should be gitignored) rather than embedded in version control. The RUST_LOG default is also appropriate.

---

99-102: Proper service startup ordering with health conditions.

The gateway correctly depends on both postgres and helios being in a service_healthy state before starting. This ensures all dependencies are ready and prevents race conditions during startup.

---

106-109: Volume configuration supports data persistence and proper service isolation.

Named volumes for postgres, pgadmin, and helios ensure data persistence across container restarts. The read-only mount of config.toml (line 104) provides immutable configuration for the gateway.