MystenLabs · 0xsiddharthks · Apr 9, 2026 · Apr 13, 2026
@@ -43,7 +43,8 @@ tabled = "0.16"
 anyhow = "1.0.98"
 toml = "0.9.2"
 futures = "0.3.31"
-tracing-subscriber = { version = "0.3.19", features = ["env-filter"] }
+tracing-subscriber = { version = "0.3.19", features = ["env-filter", "json"] }
+crossterm = { version = "0.28", default-features = false }
 # TODO: Switch back to a crates.io release once age 0.12+ is published.
 # We pin to this specific commit because age 0.11.x depends on i18n-embed-fl 0.9.x,
 # which has a non-determinism bug (HashMap iteration in the fl!() proc macro) that

@@ -33,6 +33,7 @@ colored.workspace = true
 rand.workspace = true
 nix = { version = "0.26.4", features = ["signal"] }
 tracing-subscriber.workspace = true
+hashi-telemetry = { path = "../hashi-telemetry" }
 
 [[bin]]
 name = "hashi-localnet"

@@ -279,13 +279,10 @@ async fn cmd_start(
         tracing::level_filters::LevelFilter::OFF
     };
 
-    tracing_subscriber::fmt()
-        .with_env_filter(
-            tracing_subscriber::EnvFilter::builder()
-                .with_default_directive(default_level.into())
-                .from_env_lossy(),
-        )
+    let _guard = hashi_telemetry::TelemetryConfig::new()
+        .with_default_level(default_level)
         .with_target(false)
+        .with_env()
         .init();
 
     use std::io::Write;

@@ -11,7 +11,9 @@ serde.workspace = true
 serde_json.workspace = true
 tracing.workspace = true
 tracing-subscriber.workspace = true
+hashi-telemetry = { path = "../hashi-telemetry" }
 tonic.workspace = true
+tonic-health.workspace = true
 hashi-types = { path = "../hashi-types" }
 
 # Crypto dependencies

@@ -0,0 +1,114 @@
+// Copyright (c) Mysten Labs, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+//! Bootstrap a hashi-guardian instance by calling `OperatorInit` with AWS S3
+//! credentials and dummy share commitments. This is a *development-only* helper
+//! intended to make a running guardian fully initialized enough to emit
+//! heartbeats against a real AWS S3 bucket with Object Lock enabled.
+//!
+//! It does **not** run a real `SetupNewKey` + `ProvisionerInit` flow — the
+//! resulting guardian will accept `OperatorInit` and start heartbeating, but
+//! will not be able to sign withdrawals (because no real key shares are ever
+//! combined). For production bootstrap use the operator + KP flow, not this.
+//!
+//! Usage (from repo root):
+//!
+//!     GUARDIAN_ENDPOINT=http://localhost:3000 \
+//!     AWS_S3_BUCKET=mysten-hashi-guardian-dev \
+//!     AWS_S3_REGION=us-west-2 \
+//!     AWS_ACCESS_KEY_ID=... \
+//!     AWS_SECRET_ACCESS_KEY=... \
+//!     BITCOIN_NETWORK=signet \
+//!     cargo run -p hashi-guardian --example bootstrap_operator_init
+
+use anyhow::anyhow;
+use anyhow::Context;
+use anyhow::Result;
+use hashi_types::proto::guardian_service_client::GuardianServiceClient;
+use hashi_types::proto::GuardianShareCommitment;
+use hashi_types::proto::GuardianShareId;
+use hashi_types::proto::Network as ProtoNetwork;
+use hashi_types::proto::OperatorInitRequest;
+use hashi_types::proto::S3Config as ProtoS3Config;
+use std::env;
+
+/// Must match `hashi_types::guardian::crypto::NUM_OF_SHARES`. We provide that
+/// many dummy commitments because `OperatorInitRequest` stores them verbatim;
+/// actual share verification happens later in `ProvisionerInit`, which this
+/// helper does not drive.
+const NUM_OF_SHARES: u32 = 5;
+
+fn required_env(name: &str) -> Result<String> {
+    env::var(name).map_err(|_| anyhow!("required env var `{name}` is not set"))
+}
+
+fn parse_network(s: &str) -> Result<ProtoNetwork> {
+    match s.to_ascii_lowercase().as_str() {
+        "mainnet" => Ok(ProtoNetwork::Mainnet),
+        "testnet" => Ok(ProtoNetwork::Testnet),
+        "regtest" => Ok(ProtoNetwork::Regtest),
+        "signet" => Ok(ProtoNetwork::Signet),
+        other => Err(anyhow!(
+            "unknown BITCOIN_NETWORK `{other}`; expected mainnet/testnet/regtest/signet"
+        )),
+    }
+}
+
+#[tokio::main]
+async fn main() -> Result<()> {
+    tracing_subscriber::fmt()
+        .with_env_filter(
+            tracing_subscriber::EnvFilter::builder()
+                .with_default_directive(tracing::level_filters::LevelFilter::INFO.into())
+                .from_env_lossy(),
+        )
+        .init();
+
+    let endpoint =
+        env::var("GUARDIAN_ENDPOINT").unwrap_or_else(|_| "http://localhost:3000".to_string());
+    let bucket = required_env("AWS_S3_BUCKET")?;
+    let region = required_env("AWS_S3_REGION")?;
+    let access_key = required_env("AWS_ACCESS_KEY_ID")?;
+    let secret_key = required_env("AWS_SECRET_ACCESS_KEY")?;
+    let network_str = env::var("BITCOIN_NETWORK").unwrap_or_else(|_| "signet".to_string());
+    let network = parse_network(&network_str)?;
+
+    tracing::info!(
+        endpoint = %endpoint,
+        bucket = %bucket,
+        region = %region,
+        network = ?network,
+        "connecting to guardian"
+    );
+
+    let mut client = GuardianServiceClient::connect(endpoint.clone())
+        .await
+        .with_context(|| format!("failed to connect to guardian at {endpoint}"))?;
+
+    let share_commitments: Vec<GuardianShareCommitment> = (1..=NUM_OF_SHARES)
+        .map(|id| GuardianShareCommitment {
+            id: Some(GuardianShareId { id: Some(id) }),
+            digest_hex: Some(String::new()),
+        })
+        .collect();
+
+    let request = OperatorInitRequest {
+        s3_config: Some(ProtoS3Config {
+            access_key: Some(access_key),
+            secret_key: Some(secret_key),
+            bucket_name: Some(bucket),
+            region: Some(region),
+        }),
+        share_commitments,
+        network: Some(network as i32),
+    };
+
+    tracing::info!("calling OperatorInit");
+    let response = client
+        .operator_init(request)
+        .await
+        .context("operator_init RPC failed")?;
+    tracing::info!(?response, "OperatorInit returned successfully");
+    println!("OperatorInit complete.");
+    Ok(())
+}
@@ -20,6 +20,7 @@ use std::sync::OnceLock;
 use std::sync::RwLock;
 use std::time::Duration;
 use tonic::transport::Server;
+use tonic_health::server::health_reporter;
 use tracing::info;
 
 mod getters;
@@ -102,7 +103,11 @@ pub struct EphemeralKeyPairs {
 /// SETUP_MODE=false: all endpoints except setup_new_key are enabled.
 #[tokio::main]
 async fn main() -> Result<()> {
-    init_tracing_subscriber(true);
+    let _guard = hashi_telemetry::TelemetryConfig::new()
+        .with_file_line(true)
+        .with_service_name("hashi-guardian")
+        .with_env()
+        .init();
 
     // Check if SETUP_MODE is enabled (defaults to false)
     let setup_mode = std::env::var("SETUP_MODE")
@@ -128,7 +133,14 @@ async fn main() -> Result<()> {
     let addr = "0.0.0.0:3000".parse()?;
     info!("gRPC server listening on {}.", addr);
 
+    // gRPC health reporter — used by the K8s gRPC probe and GKE HealthCheckPolicy.
+    let (health_reporter, health_service) = health_reporter();
+    health_reporter
+        .set_serving::<GuardianServiceServer<GuardianGrpc>>()
+        .await;
+
     let server_future = Server::builder()
+        .add_service(health_service)
         .add_service(GuardianServiceServer::new(svc))
         .serve(addr);
 
@@ -537,27 +549,6 @@ impl Enclave {
     }
 }
 
-// ---------------------------------
-//    Tracing utilities
-// ---------------------------------
-
-/// Initialize tracing subscriber with optional file/line number logging
-pub fn init_tracing_subscriber(with_file_line: bool) {
-    let mut builder = tracing_subscriber::FmtSubscriber::builder().with_env_filter(
-        tracing_subscriber::EnvFilter::builder()
-            .with_default_directive(tracing::level_filters::LevelFilter::INFO.into())
-            .from_env_lossy(),
-    );
-
-    if with_file_line {
-        builder = builder.with_file(true).with_line_number(true);
-    }
-
-    let subscriber = builder.finish();
-    tracing::subscriber::set_global_default(subscriber)
-        .expect("unable to initialize tracing subscriber");
-}
-
 // ---------------------------------
 //    Tests and related utilities
 // ---------------------------------

@@ -22,6 +22,7 @@ tokio.workspace = true
 tonic.workspace = true
 tracing.workspace = true
 tracing-subscriber.workspace = true
+hashi-telemetry = { path = "../hashi-telemetry" }
 
 [dev-dependencies]
 e2e-tests = { path = "../e2e-tests" }

@@ -51,7 +51,11 @@ enum Command {
 
 #[tokio::main]
 async fn main() -> anyhow::Result<()> {
-    init_tracing_subscriber(false);
+    let _guard = hashi_telemetry::TelemetryConfig::new()
+        .with_service_name("hashi-monitor")
+        .with_target(false)
+        .with_env()
+        .init();
 
     let cli = Cli::parse();
 
@@ -78,22 +82,3 @@ async fn main() -> anyhow::Result<()> {
 
     Ok(())
 }
-
-pub fn init_tracing_subscriber(with_file_line: bool) {
-    let mut builder = tracing_subscriber::FmtSubscriber::builder().with_env_filter(
-        tracing_subscriber::EnvFilter::builder()
-            .with_default_directive(tracing::level_filters::LevelFilter::INFO.into())
-            .from_env_lossy(),
-    );
-
-    if with_file_line {
-        builder = builder
-            .with_file(true)
-            .with_line_number(true)
-            .with_target(false);
-    }
-
-    let subscriber = builder.finish();
-    tracing::subscriber::set_global_default(subscriber)
-        .expect("unable to initialize tracing subscriber");
-}
@@ -11,6 +11,7 @@ thiserror.workspace = true
 tokio.workspace = true
 tracing.workspace = true
 tracing-subscriber.workspace = true
+hashi-telemetry = { path = "../hashi-telemetry" }
 prometheus.workspace = true
 axum.workspace = true
 sui-http.workspace = true

@@ -226,20 +226,6 @@ impl ScreenerService for ScreenerServiceImpl {
     }
 }
 
-fn init_tracing_subscriber() {
-    let subscriber = tracing_subscriber::FmtSubscriber::builder()
-        .with_env_filter(
-            tracing_subscriber::EnvFilter::builder()
-                .with_default_directive(tracing::level_filters::LevelFilter::INFO.into())
-                .from_env_lossy(),
-        )
-        .with_file(true)
-        .with_line_number(true)
-        .finish();
-    tracing::subscriber::set_global_default(subscriber)
-        .expect("unable to initialize tracing subscriber");
-}
-
 fn start_metrics_server(registry: prometheus::Registry) -> sui_http::ServerHandle {
     let addr: SocketAddr = "0.0.0.0:9184".parse().unwrap();
     info!("Prometheus metrics server listening on {}", addr);
@@ -266,7 +252,11 @@ async fn metrics_handler(
 
 #[tokio::main]
 async fn main() -> Result<()> {
-    init_tracing_subscriber();
+    let _guard = hashi_telemetry::TelemetryConfig::new()
+        .with_file_line(true)
+        .with_service_name("hashi-screener")
+        .with_env()
+        .init();
 
     let api_key = env::var("MERKLE_SCIENCE_API_KEY")
         .map_err(|_| anyhow::anyhow!("MERKLE_SCIENCE_API_KEY environment variable is not set"))?;