fix(infra)(#321): aggregator-proxy /health passes through to backend#323
Merged
Conversation
The proxy was returning a hardcoded {"status":"ok"} for /health,
which hid the backend's rich health response (role, sharding,
commitment_queue, database). unicity-infra-probe and similar
monitoring tools mark the aggregator DEGRADED because they can't
distinguish a healthy backend from a wedged one — both produce
the same canned reply.
Pass /health through to the backend like every other path. Proxy
liveness becomes implicit: if nginx forwards and reads the reply,
both halves are alive.
Live response now (verified):
{"status":"ok","role":"standalone","details":{
"commitment_queue":"0","database":"connected", ...}}
(Note: unicity-infra-probe still reports DEGRADED because it
expects `{status:"healthy", database:"ok"}` rather than the
aggregator binary's actual `{status:"ok", details.database:
"connected"}` schema — that's a probe-side schema drift, not
fixed by this change.)
vrogojin
added a commit
that referenced
this pull request
Jun 8, 2026
… surfaces nametag Two related changes that close the loop for self-hosted nametag minting: 1) aggregator-proxy serves the trust base. The compose file bind- mounts ./data/genesis:/etc/aggregator-config:ro into agg-proxy and the nginx config exposes https://<aggregator-domain>/.well-known/trust-base.json as a public alias. Wallets pointed at our aggregator can now download the matching trust base over HTTPS — required for the SDK's verification path to come up without skipVerification=true. The /health location also picks up the pass-through fix from PR #323 so the rich backend response (role, database, sharding) is visible externally — necessary to land both changes against integration/all-fixes together. 2) render-discovery.sh surfaces the nametag. The discovery doc at https://<faucet-domain>/.well-known/faucet.json was showing nametag: null even after a successful mint. The watcher now tails for the nametag_verified log line (emitted by js-faucet AFTER mint+resolve completes) and rewrites identity.json with the verified nametag. The registering_nametag line is NOT used as a signal because it fires BEFORE the mint commits and would surface unverified state. Verified live end-to-end on this host: - faucet logs: aggregator_override_active, nametag_verified - mongo: commitments=1, aggregator_records=1 - relay: NAMETAG_BINDING (kind 30078) event for xaleava landed - discovery: identity.nametag="xaleava" The companion js-faucet PR #3 (env override wiring) and sphere-sdk PR #324 (relay + run-faucet env passthrough) are both still required for the end-to-end flow.
vrogojin
added a commit
that referenced
this pull request
Jun 8, 2026
… surfaces nametag Two related changes that close the loop for self-hosted nametag minting: 1) aggregator-proxy serves the trust base. The compose file bind- mounts ./data/genesis:/etc/aggregator-config:ro into agg-proxy and the nginx config exposes https://<aggregator-domain>/.well-known/trust-base.json as a public alias. Wallets pointed at our aggregator can now download the matching trust base over HTTPS — required for the SDK's verification path to come up without skipVerification=true. The /health location also picks up the pass-through fix from PR #323 so the rich backend response (role, database, sharding) is visible externally — necessary to land both changes against integration/all-fixes together. 2) render-discovery.sh surfaces the nametag. The discovery doc at https://<faucet-domain>/.well-known/faucet.json was showing nametag: null even after a successful mint. The watcher now tails for the nametag_verified log line (emitted by js-faucet AFTER mint+resolve completes) and rewrites identity.json with the verified nametag. The registering_nametag line is NOT used as a signal because it fires BEFORE the mint commits and would surface unverified state. Verified live end-to-end on this host: - faucet logs: aggregator_override_active, nametag_verified - mongo: commitments=1, aggregator_records=1 - relay: NAMETAG_BINDING (kind 30078) event for xaleava landed - discovery: identity.nametag="xaleava" The companion js-faucet PR #3 (env override wiring) and sphere-sdk PR #324 (relay + run-faucet env passthrough) are both still required for the end-to-end flow.
5 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The proxy was returning a hardcoded
{"status":"ok"}for/health, hiding the backend's rich health response (role, sharding, commitment_queue, database). Tools likeunicity-infra-probemarked the aggregator DEGRADED because they couldn't distinguish a healthy backend from a wedged one.Pass
/healththrough to the backend. Proxy liveness becomes implicit.Verified live
Follow-ups
unicity-infra-probestill reports DEGRADED because it expects{status:"healthy", database:"ok"}rather than the actual aggregator schema{status:"ok", details.database:"connected"}. That's probe-side schema drift, separate fix in unicitynetwork/infra-probe.Test plan
curl https://aggregator-unicity-dev.dyndns.org/healthreturns the rich payload (verified)