From 71345092f9107661f31226a6889f921eee988b60 Mon Sep 17 00:00:00 2001
From: Claude Agent <claude@stakesquid.eu>
Date: Mon, 15 Jun 2026 12:30:07 +0000
Subject: [PATCH] cosmos-hub (gaiad): add compose + init.sh +
 cometbft.Dockerfile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

First pure-cosmos chain (validates the §2 cometbft-common.sh lib via real gaiad init).
Single-binary CometBFT client serving :26657 (dshackle chain=cosmos-hub). Statesync
bootstrap (polkachu) since genesis-replay across gaia governance upgrades is impractical.
gzipped genesis. v25.3.2 (live chain version; registry's v27.4.0 not on ghcr). Params
(chain_id/genesis_url/statesync_rpc/seeds/min_gas) from context.yml.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 compose_registry.json                        |  14 ++
 cosmos/cometbft.Dockerfile                   |  11 ++
 cosmos/gaiad/cosmos-mainnet-gaiad-pruned.yml | 115 ++++++++++++
 cosmos/scripts/cometbft-common.sh            | 187 +++++++++++++++++++
 cosmos/scripts/init.sh                       |  44 +++++
 5 files changed, 371 insertions(+)
 create mode 100644 cosmos/cometbft.Dockerfile
 create mode 100644 cosmos/gaiad/cosmos-mainnet-gaiad-pruned.yml
 create mode 100644 cosmos/scripts/cometbft-common.sh
 create mode 100644 cosmos/scripts/init.sh

diff --git a/compose_registry.json b/compose_registry.json
index 2308dbb1..23149ab8 100644
--- a/compose_registry.json
+++ b/compose_registry.json
@@ -1690,6 +1690,20 @@
       "core-pigeon-core-pruned-pebble-path"
     ]
   },
+  {
+    "chain": "mainnet",
+    "client": "gaiad",
+    "compose_file": "cosmos/gaiad/cosmos-mainnet-gaiad-pruned",
+    "features": [],
+    "network": "cosmos",
+    "node": null,
+    "relay": null,
+    "stack": null,
+    "type": "pruned",
+    "volumes": [
+      "cosmos-mainnet-gaiad-pruned"
+    ]
+  },
   {
     "chain": "zkevm-mainnet",
     "client": "external-node",
diff --git a/cosmos/cometbft.Dockerfile b/cosmos/cometbft.Dockerfile
new file mode 100644
index 00000000..6c3c5c9d
--- /dev/null
+++ b/cosmos/cometbft.Dockerfile
@@ -0,0 +1,11 @@
+ARG CL_IMAGE
+ARG CL_VERSION
+FROM ${CL_IMAGE}:${CL_VERSION}
+# Layer the shared CometBFT bootstrap lib + the chain init.sh onto the upstream
+# cosmos binary image (alpine-based, has sh+apk; runs nonroot by default — the compose
+# sets user: root so init.sh can apk-add curl and write the /root home).
+USER root
+COPY ./scripts/cometbft-common.sh /usr/local/bin/cometbft-common.sh
+COPY ./scripts/init.sh            /usr/local/bin/init.sh
+RUN chmod +x /usr/local/bin/init.sh /usr/local/bin/cometbft-common.sh
+ENTRYPOINT ["init.sh"]
diff --git a/cosmos/gaiad/cosmos-mainnet-gaiad-pruned.yml b/cosmos/gaiad/cosmos-mainnet-gaiad-pruned.yml
new file mode 100644
index 00000000..ea96ac2c
--- /dev/null
+++ b/cosmos/gaiad/cosmos-mainnet-gaiad-pruned.yml
@@ -0,0 +1,115 @@
+---
+x-logging-defaults: &logging-defaults
+  driver: json-file
+  options:
+    max-size: "10m"
+    max-file: "3"
+
+# Usage:
+#
+# mkdir rpc && cd rpc
+#
+# git init
+# git remote add origin https://github.com/StakeSquid/ethereum-rpc-docker.git
+# git fetch origin vibe
+# git checkout origin/vibe
+#
+# docker run --rm alpine sh -c "printf '0x'; head -c32 /dev/urandom | xxd -p -c 64" > .jwtsecret
+#
+# env
+# ...
+# IP=$(curl ipinfo.io/ip)
+# DOMAIN=${IP}.traefik.me
+# COMPOSE_FILE=base.yml:rpc.yml:cosmos/gaiad/cosmos-mainnet-gaiad-pruned.yml
+#
+# docker compose up -d
+#
+# curl -X POST https://${IP}.traefik.me/cosmos-mainnet-pruned \
+#   -H "Content-Type: application/json" \
+#   --data '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
+
+services:
+  cosmos-mainnet-pruned:
+    build:
+      context: ./cosmos
+      dockerfile: cometbft.Dockerfile
+      args:
+        CL_IMAGE: ${COSMOS_GAIAD_IMAGE:-ghcr.io/cosmos/gaia}
+        CL_VERSION: ${COSMOS_MAINNET_GAIAD_VERSION:-v25.3.2}
+    sysctls:
+      # TCP Performance
+      net.ipv4.tcp_slow_start_after_idle: 0       # Disable slow start after idle
+      net.ipv4.tcp_no_metrics_save: 1             # Disable metrics cache
+      net.ipv4.tcp_rmem: 4096 87380 16777216      # Increase TCP read buffers
+      net.ipv4.tcp_wmem: 4096 87380 16777216      # Increase TCP write buffers
+      net.core.somaxconn: 32768                   # Higher connection queue
+      # Memory/Connection Management
+      # net.core.netdev_max_backlog: 50000          # Increase network buffer
+      net.ipv4.tcp_max_syn_backlog: 30000         # More SYN requests
+      net.ipv4.tcp_max_tw_buckets: 2000000        # Allow more TIME_WAIT sockets
+    ulimits:
+      nofile: 1048576    # Max open files (for RPC/WS connections)
+    user: root
+    ports:
+      - 26656:26656
+      - 26656:26656/udp
+    expose:
+      - 26657
+      - 26660
+      - 9090
+      - 1317
+    environment:
+      - CHAIN_ID=cosmoshub-4
+      - GENESIS_URL=https://github.com/cosmos/mainnet/raw/master/genesis/genesis.cosmoshub-4.json.gz
+      - IP=${IP}
+      - MIN_GAS=0.005uatom
+      - MONIKER=d${DOMAIN:-local}
+      - P2P_PORT=26656
+      - SEEDS=ade4d8bc8cbe014af6ebdf3cb7b1e9ad36f412c0@seeds.polkachu.com:14956
+      - STATESYNC_RPC=https://cosmos-rpc.polkachu.com:443
+    restart: unless-stopped
+    stop_grace_period: 5m
+    networks:
+      - chains
+    volumes:
+      - ${COSMOS_MAINNET_GAIAD_PRUNED_DATA:-cosmos-mainnet-gaiad-pruned}:/root/.gaia
+      - /slowdisk:/slowdisk
+    logging: *logging-defaults
+    labels:
+      - prometheus-scrape.enabled=true
+      - prometheus-scrape.port=26660
+      - prometheus-scrape.path=/metrics
+      - traefik.enable=true
+      - traefik.http.middlewares.cosmos-mainnet-gaiad-pruned-stripprefix.stripprefix.prefixes=/cosmos-mainnet-pruned
+      - traefik.http.services.cosmos-mainnet-gaiad-pruned.loadbalancer.server.port=26657
+      - ${NO_SSL:-traefik.http.routers.cosmos-mainnet-gaiad-pruned.entrypoints=websecure}
+      - ${NO_SSL:-traefik.http.routers.cosmos-mainnet-gaiad-pruned.tls.certresolver=myresolver}
+      - ${NO_SSL:-traefik.http.routers.cosmos-mainnet-gaiad-pruned.rule=Host(`$DOMAIN`) && (Path(`/cosmos-mainnet-pruned`) || Path(`/cosmos-mainnet-pruned/`))}
+      - ${NO_SSL:+traefik.http.routers.cosmos-mainnet-gaiad-pruned.rule=Path(`/cosmos-mainnet-pruned`) || Path(`/cosmos-mainnet-pruned/`)}
+      - traefik.http.routers.cosmos-mainnet-gaiad-pruned.middlewares=cosmos-mainnet-gaiad-pruned-stripprefix, ipallowlist
+
+volumes:
+  cosmos-mainnet-gaiad-pruned:
+
+x-upstreams:
+  - id: $${ID}
+    labels:
+      provider: $${PROVIDER}
+    connection:
+      generic:
+        rpc:
+          url: $${RPC_URL}
+        ws:
+          frameSize: 20Mb
+          msgSize: 50Mb
+          url: $${WS_URL}
+    chain: cosmos-hub
+    method-groups:
+      enabled:
+        - debug
+        - filter
+    methods:
+      disabled:
+      enabled:
+        - name: txpool_content # TODO: should be disabled for rollup nodes
+...
\ No newline at end of file
diff --git a/cosmos/scripts/cometbft-common.sh b/cosmos/scripts/cometbft-common.sh
new file mode 100644
index 00000000..0881582d
--- /dev/null
+++ b/cosmos/scripts/cometbft-common.sh
@@ -0,0 +1,187 @@
+#!/bin/sh
+# cometbft-common.sh — reusable CometBFT-node bootstrap helpers (family C).
+#
+# Source this from a chain-specific init.sh. It encapsulates the operations every
+# CometBFT-consensus node needs (init, fetch config artifacts, patch config.toml /
+# app.toml, seed priv_validator_state), extracted verbatim from the proven berachain
+# beacon-kit entrypoint so callers inherit known-good behavior.
+#
+# Each function takes explicit arguments (paths/values) — it is binary-agnostic. The
+# caller owns the binary name, the `<binary> init` invocation, the artifact URLs, and
+# the final `exec <binary> start ...`. EL-driven chains (beacon-kit, morph) also call
+# the JWT / engine-dial helpers; pure-consensus chains (gaiad) skip them.
+#
+# Conventions: POSIX sh (alpine). Config dir is conventionally $HOME_DIR/config.
+# Used by: morph-node, gaiad (cosmos batch), and any future family-C chain.
+# beacon-kit (berachain) keeps its own bespoke init.sh on purpose — do not retrofit it.
+
+set -e
+
+ct_log() { echo "[cometbft-init] $*"; }
+
+# Ensure curl exists (alpine base images often omit it). Idempotent.
+ct_require_curl() {
+  if ! command -v curl >/dev/null 2>&1; then
+    ct_log "installing curl"
+    apk add --no-cache curl
+  fi
+}
+
+# ct_fetch URL DEST [required]
+#   Download URL -> DEST. If the 3rd arg is "required", a failure is fatal;
+#   otherwise a missing/failed fetch is logged and skipped (returns 0).
+ct_fetch() {
+  _url="$1"; _dest="$2"; _req="${3:-optional}"
+  [ -n "$_url" ] || { [ "$_req" = required ] && { ct_log "FATAL: empty URL for $_dest"; exit 1; }; return 0; }
+  if curl -fsSL "$_url" -o "$_dest"; then
+    ct_log "fetched $_url -> $_dest"
+  else
+    if [ "$_req" = required ]; then
+      ct_log "FATAL: failed to fetch required $_url"; exit 1
+    fi
+    ct_log "skip: could not fetch optional $_url"
+  fi
+}
+
+# ct_patch_p2p CONFIG_TOML IP P2P_PORT
+#   Bind p2p to 0.0.0.0:PORT and advertise IP:PORT (only within the [p2p] section).
+ct_patch_p2p() {
+  _cfg="$1"; _ip="$2"; _port="$3"
+  [ -f "$_cfg" ] || { ct_log "patch_p2p: $_cfg missing, skipping"; return 0; }
+  _laddr="tcp:\\/\\/0\\.0\\.0\\.0\\:${_port}"
+  sed -i "/^\[p2p\]/,/^\[/{s|^laddr = .*|laddr = \"$_laddr\"|}" "$_cfg"
+  sed -i "/^\[p2p\]/,/^\[/{s|^external_address = .*|external_address = \"${_ip}:${_port}\"|}" "$_cfg"
+}
+
+# ct_merge_seeds CONFIG_TOML CONFIGURED_SEEDS [SEEDS_URL]
+#   Merge operator-configured seeds with an optional official seed list (1 entry per
+#   line, first line skipped like the berachain cl-seeds.txt header), dedupe, write.
+ct_merge_seeds() {
+  _cfg="$1"; _seeds="$2"; _url="$3"
+  [ -f "$_cfg" ] || return 0
+  if [ -n "$_url" ]; then
+    _official=$(curl -f -s "$_url" | tail -n +2 | tr '\n' ',' | sed 's/,$//' || true)
+    if [ -n "$_official" ]; then
+      ct_log "merging official seeds from $_url"
+      _seeds=$(echo "${_seeds},${_official}" | tr ',' '\n' | sed '/^$/d' | sort -u | paste -sd,)
+    else
+      ct_log "no official seeds fetched from $_url (continuing with configured)"
+    fi
+  fi
+  if [ -n "$_seeds" ]; then
+    sed -i "s/^seeds = \".*\"/seeds = \"${_seeds}\"/" "$_cfg"
+  fi
+}
+
+# ct_set_persistent_peers CONFIG_TOML PEERS
+#   Handles both cometbft-classic `persistent_peers` (underscore) and forks that use
+#   `persistent-peers` (hyphen, e.g. sei) — patches whichever key is present.
+ct_set_persistent_peers() {
+  _cfg="$1"; _peers="$2"
+  [ -f "$_cfg" ] || return 0
+  [ -n "$_peers" ] || return 0
+  sed -i "s/^persistent_peers = \".*\"/persistent_peers = \"${_peers}\"/" "$_cfg"
+  sed -i "s/^persistent-peers = \".*\"/persistent-peers = \"${_peers}\"/" "$_cfg"
+  return 0
+}
+
+# ct_set_moniker CONFIG_TOML MONIKER
+ct_set_moniker() {
+  _cfg="$1"; _mon="$2"
+  [ -f "$_cfg" ] || return 0
+  [ -n "$_mon" ] && sed -i "s/^moniker = \".*\"/moniker = \"$_mon\"/" "$_cfg"
+  return 0
+}
+
+# ct_set_addrbook CONFIG_DIR ADDRBOOK_URL
+#   Optional: cosmos chains often seed an addrbook.json for faster peer discovery.
+ct_set_addrbook() {
+  _dir="$1"; _url="$2"
+  [ -n "$_url" ] || return 0
+  ct_fetch "$_url" "$_dir/addrbook.json" optional
+}
+
+# ct_write_jwt CONFIG_DIR  [JWT_SRC]
+#   EL-driven chains: copy the shared engine JWT (default /jwtsecret) into the config
+#   dir as jwt.hex so the CL can authenticate to the EL engine API.
+ct_write_jwt() {
+  _dir="$1"; _src="${2:-/jwtsecret}"
+  [ -f "$_src" ] || { ct_log "write_jwt: $_src missing, skipping"; return 0; }
+  cat "$_src" > "$_dir/jwt.hex"
+}
+
+# ct_set_rpc_dial_url APP_TOML AUTH_RPC
+#   beacon-kit / app.toml-style EL engine endpoint (e.g. http://<el>:8551).
+ct_set_rpc_dial_url() {
+  _app="$1"; _rpc="$2"
+  [ -f "$_app" ] || return 0
+  [ -n "$_rpc" ] && sed -i "s|^rpc-dial-url = \".*\"|rpc-dial-url = \"$_rpc\"|" "$_app"
+  return 0
+}
+
+# ct_seed_priv_validator_state HOME_DIR
+#   Ensure data/priv_validator_state.json exists (cometbft refuses to start without it
+#   when one is present in config/). Mirrors the berachain init.sh behavior.
+ct_seed_priv_validator_state() {
+  _home="$1"
+  if [ -e "$_home/config/priv_validator_state.json" ] && [ ! -e "$_home/data/priv_validator_state.json" ]; then
+    mkdir -p "$_home/data"
+    cp "$_home/config/priv_validator_state.json" "$_home/data/priv_validator_state.json"
+  fi
+  return 0
+}
+
+# ct_apk PKG...
+#   Install alpine packages idempotently (most cosmos init scripts need curl, some jq).
+ct_apk() {
+  apk add --no-cache "$@"
+}
+
+# ct_localize_home CONFIG_DIR
+#   Rewrite `~/` to `/root/` in config.toml + app.toml. Cosmos `init` writes home-relative
+#   paths; the container runs as root with a static home, so make paths absolute.
+ct_localize_home() {
+  _dir="$1"
+  [ -f "$_dir/config.toml" ] && sed -i 's|~/|/root/|g' "$_dir/config.toml"
+  [ -f "$_dir/app.toml" ]    && sed -i 's|~/|/root/|g' "$_dir/app.toml"
+  return 0
+}
+
+# ct_set_min_gas_prices APP_TOML PRICE
+#   Cosmos chains reject txs (and sometimes refuse to start) with an empty
+#   minimum-gas-prices. PRICE e.g. "0.01usei", "0.0025uatom", "0.01hqq".
+ct_set_min_gas_prices() {
+  _app="$1"; _price="$2"
+  [ -f "$_app" ] || return 0
+  [ -n "$_price" ] || return 0
+  sed -i "s/minimum-gas-prices = \"\"/minimum-gas-prices = \"${_price}\"/g" "$_app"
+  return 0
+}
+
+# ct_configure_statesync CONFIG_TOML RPC_SERVERS [TRUST_OFFSET]
+#   Enable cometbft state-sync so a fresh node bootstraps near chainhead instead of
+#   replaying from genesis — the single biggest lever for "can't keep it at chainhead"
+#   chains. RPC_SERVERS = comma list of trusted RPC endpoints (>=2 recommended; a single
+#   endpoint is duplicated). TRUST_OFFSET = blocks below head to trust (default 2000).
+#   Requires jq + curl. No-op (logged) if head height can't be fetched.
+ct_configure_statesync() {
+  _cfg="$1"; _rpc="$2"; _offset="${3:-2000}"
+  [ -f "$_cfg" ] || return 0
+  [ -n "$_rpc" ] || { ct_log "statesync: no RPC servers given, skipping"; return 0; }
+  _primary=$(echo "$_rpc" | cut -d, -f1)
+  _latest=$(curl -s "$_primary/block" | jq -r .block.header.height 2>/dev/null || true)
+  if [ -z "$_latest" ] || [ "$_latest" = null ]; then
+    ct_log "statesync: could not read head height from $_primary, skipping"; return 0
+  fi
+  _trust_h=$((_latest - _offset))
+  _trust_hash=$(curl -s "$_primary/block?height=$_trust_h" | jq -r .block_id.hash 2>/dev/null || true)
+  [ -n "$_trust_hash" ] && [ "$_trust_hash" != null ] || { ct_log "statesync: no trust hash, skipping"; return 0; }
+  # second server defaults to the first (cometbft wants >=2 for light-client cross-check)
+  echo "$_rpc" | grep -q ',' || _rpc="$_rpc,$_rpc"
+  ct_log "statesync: enable trust_height=$_trust_h trust_hash=$_trust_hash"
+  sed -i.bak -E "s|^(enable[[:space:]]*=[[:space:]]*).*$|\1true| ; \
+    s|^(rpc-servers[[:space:]]*=[[:space:]]*).*$|\1\"$_rpc\"| ; \
+    s|^(trust-height[[:space:]]*=[[:space:]]*).*$|\1$_trust_h| ; \
+    s|^(trust-hash[[:space:]]*=[[:space:]]*).*$|\1\"$_trust_hash\"|" "$_cfg"
+  return 0
+}
diff --git a/cosmos/scripts/init.sh b/cosmos/scripts/init.sh
new file mode 100644
index 00000000..b39d412d
--- /dev/null
+++ b/cosmos/scripts/init.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+# cosmos-hub (gaiad) entrypoint — family C, pure CometBFT (no EL). Thin: sources the
+# shared cometbft-common.sh and orchestrates init + statesync bootstrap + start.
+# Genesis replay across ~25 gaia governance upgrades is impractical, so we statesync
+# near head with the current binary. Serves CometBFT RPC :26657 (the dshackle upstream).
+set -e
+. /usr/local/bin/cometbft-common.sh
+
+HOME_DIR="/root/.gaia"
+CONFIG_DIR="$HOME_DIR/config"
+CHAIN_ID="${CHAIN_ID:-cosmoshub-4}"
+GENESIS_URL="${GENESIS_URL:-https://github.com/cosmos/mainnet/raw/master/genesis/genesis.cosmoshub-4.json.gz}"
+STATESYNC_RPC="${STATESYNC_RPC:-https://cosmos-rpc.polkachu.com:443}"
+MIN_GAS="${MIN_GAS:-0.005uatom}"
+MONIKER="${MONIKER:-rpc-node}"
+
+ct_apk curl jq
+
+if gaiad init "$MONIKER" --chain-id "$CHAIN_ID" --home "$HOME_DIR" >/dev/null 2>&1; then
+  ct_log "fresh init; fetching genesis"
+  ct_fetch "$GENESIS_URL" "$CONFIG_DIR/genesis.json.gz" required
+  if gzip -t "$CONFIG_DIR/genesis.json.gz" 2>/dev/null; then
+    gunzip -f "$CONFIG_DIR/genesis.json.gz"
+  else
+    mv "$CONFIG_DIR/genesis.json.gz" "$CONFIG_DIR/genesis.json"   # served plain, not gzipped
+  fi
+  ct_localize_home "$CONFIG_DIR"
+  ct_set_min_gas_prices "$CONFIG_DIR/app.toml" "$MIN_GAS"
+else
+  ct_log "already initialized, continuing"
+fi
+
+# Serve RPC on all interfaces (dshackle/traefik upstream); default is 127.0.0.1.
+sed -i '/^\[rpc\]/,/^\[/{s|^laddr = .*|laddr = "tcp://0.0.0.0:26657"|}' "$CONFIG_DIR/config.toml"
+
+ct_patch_p2p             "$CONFIG_DIR/config.toml" "$IP" "${P2P_PORT:-26656}"
+ct_merge_seeds           "$CONFIG_DIR/config.toml" "$SEEDS"
+ct_set_persistent_peers  "$CONFIG_DIR/config.toml" "$PERSISTENT_PEERS"
+ct_set_moniker           "$CONFIG_DIR/config.toml" "$MONIKER"
+ct_configure_statesync   "$CONFIG_DIR/config.toml" "$STATESYNC_RPC"
+ct_seed_priv_validator_state "$HOME_DIR"
+
+exec gaiad start --home "$HOME_DIR" --minimum-gas-prices "$MIN_GAS" \
+  --api.enable --api.address tcp://0.0.0.0:1317 --grpc.enable --grpc.address 0.0.0.0:9090 "$@"