fix: pass CHALLENGE_UUID env var for broker authentication

echobt · echobt · commit d88bfe5e15cc · 2026-01-04T23:07:17.000Z
The JWT token for broker auth is generated with the challenge UUID,
but CHALLENGE_ID was set to the human-readable name (e.g., 'term-challenge').
This caused a mismatch error when challenges tried to create containers.

Now we pass both:
- CHALLENGE_ID: Human-readable name (for logging, events)
- CHALLENGE_UUID: UUID that matches JWT token (for broker auth)

WsContainerClient.from_env() now prefers CHALLENGE_UUID over CHALLENGE_ID.
diff --git a/crates/challenge-orchestrator/src/docker.rs b/crates/challenge-orchestrator/src/docker.rs
@@ -520,6 +520,8 @@ impl DockerClient {
         let mut env: Vec<String> = Vec::new();
         // Use challenge NAME (not UUID) so validators can match events by name
         env.push(format!("CHALLENGE_ID={}", config.name));
+        // Also pass the UUID for broker authentication (JWT token uses UUID)
+        env.push(format!("CHALLENGE_UUID={}", config.challenge_id));
         env.push(format!("MECHANISM_ID={}", config.mechanism_id));
         // Pass through important environment variables from image defaults
         env.push("TASKS_DIR=/app/data/tasks".to_string());
diff --git a/crates/secure-container-runtime/src/ws_client.rs b/crates/secure-container-runtime/src/ws_client.rs
@@ -31,12 +31,14 @@ impl WsContainerClient {
 
     /// Create client from environment variables
     /// Requires: CONTAINER_BROKER_WS_URL, CONTAINER_BROKER_JWT
-    /// Optional: CHALLENGE_ID, VALIDATOR_HOTKEY (for owner_id)
+    /// Optional: CHALLENGE_UUID (preferred), CHALLENGE_ID, VALIDATOR_HOTKEY (for owner_id)
     pub fn from_env() -> Option<Self> {
         let ws_url = std::env::var("CONTAINER_BROKER_WS_URL").ok()?;
         let jwt_token = std::env::var("CONTAINER_BROKER_JWT").ok()?;
-        let challenge_id =
-            std::env::var("CHALLENGE_ID").unwrap_or_else(|_| "unknown-challenge".to_string());
+        // Prefer CHALLENGE_UUID (matches JWT token) over CHALLENGE_ID (human-readable name)
+        let challenge_id = std::env::var("CHALLENGE_UUID")
+            .or_else(|_| std::env::var("CHALLENGE_ID"))
+            .unwrap_or_else(|_| "unknown-challenge".to_string());
         let owner_id =
             std::env::var("VALIDATOR_HOTKEY").unwrap_or_else(|_| "unknown-owner".to_string());
         Some(Self::new(&ws_url, &jwt_token, &challenge_id, &owner_id))
