unicity-sphere · vrogojin · May 28, 2026
diff --git a/tests/e2e/local-infra/aggregator-image/docker-compose.yml b/tests/e2e/local-infra/aggregator-image/docker-compose.yml
@@ -273,6 +273,11 @@ services:
       - haproxy-net
     volumes:
       - agg-letsencrypt:/etc/letsencrypt
+      # Read-only bind-mount of the genesis dir so the proxy nginx can
+      # serve trust-base.json at /.well-known/trust-base.json. Wallets
+      # talking to this aggregator need OUR trust base (not the testnet
+      # one) to verify inclusion proofs against this chain's genesis.
+      - ./data/genesis:/etc/aggregator-config:ro
     environment:
       # ${AGG_DOMAIN} and ${SSL_EMAIL} are validated at the wrapper-
       # script level (run-aggregator.sh) so `docker compose down`

diff --git a/tests/e2e/local-infra/aggregator-image/proxy/nginx.conf.template b/tests/e2e/local-infra/aggregator-image/proxy/nginx.conf.template
@@ -38,11 +38,32 @@ server {
         proxy_send_timeout 600s;
     }
 
-    # Lightweight liveness — short-circuits the backend so the proxy
-    # itself can fail-fast if nginx is wedged but the backend is fine.
+    # /health passes through to the backend so callers see the full
+    # response (status + role + sharding + database details). Proxy
+    # liveness is implicit — if nginx forwards and reads the reply,
+    # both halves are alive.
     location = /health {
         access_log off;
-        return 200 '{"status":"ok"}';
+        proxy_pass http://aggregator_backend;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_read_timeout 10s;
+    }
+
+    # Serve OUR aggregator's trust-base.json so wallets can verify
+    # inclusion proofs against this chain's genesis. The file is
+    # bind-mounted into /etc/aggregator-config/ from the same host
+    # path the aggregator binary reads its config from (./data/genesis/
+    # in the compose file's working directory). When fresh genesis is
+    # minted via `run-aggregator.sh --fresh`, this URL serves the new
+    # trust-base on the next nginx reload — no restart required as
+    # long as the file's inode is preserved (which Docker bind-mounts
+    # of single files do).
+    location = /.well-known/trust-base.json {
+        access_log off;
         default_type application/json;
+        add_header Access-Control-Allow-Origin "*" always;
+        add_header Cache-Control "no-cache, must-revalidate";
+        alias /etc/aggregator-config/trust-base.json;
     }
 }
diff --git a/tests/e2e/local-infra/faucet-image/render-discovery.sh b/tests/e2e/local-infra/faucet-image/render-discovery.sh
@@ -13,9 +13,28 @@ set -euo pipefail
 
 IDENTITY_FILE="${IDENTITY_FILE:-/var/lib/faucet/identity.json}"
 CURRENT_PUBKEY=
+CURRENT_NAMETAG=
 TMP_DIR=$(mktemp -d)
 trap 'rm -rf "$TMP_DIR"' EXIT
 
+render() {
+    local pubkey="$1" nametag="$2"
+    local direct="DIRECT://${pubkey}"
+    cat > "$TMP_DIR/identity.json" <<EOF
+{
+  "status": "running",
+  "domain": "${SSL_DOMAIN:-localhost}",
+  "network": "${UNICITY_NETWORK:-testnet}",
+  "chain_pubkey": "${pubkey}",
+  "direct_address": "${direct}",
+  "nametag": $([ -n "$nametag" ] && printf '"%s"' "$nametag" || echo "null"),
+  "supported_coins": []
+}
+EOF
+    mv "$TMP_DIR/identity.json" "$IDENTITY_FILE"
+    chmod 644 "$IDENTITY_FILE" 2>/dev/null || true
+}
+
 while IFS= read -r line; do
     # Pass the line through to stdout (so docker logs still see it).
     printf '%s\n' "$line"
@@ -27,21 +46,29 @@ while IFS= read -r line; do
         | grep -oE '0[23][0-9a-fA-F]{64}' \
         | head -1 || true)
 
+    # Also extract the nametag when it shows up. js-faucet logs:
+    # {"nametag":"xaleava","msg":"nametag_verified"} after a successful
+    # mint+resolve cycle. Earlier "registering_nametag" lines come BEFORE
+    # the mint completes — they don't prove the nametag exists yet, so
+    # we wait for nametag_verified.
+    if printf '%s' "$line" | grep -q 'nametag_verified'; then
+        nametag=$(printf '%s\n' "$line" \
+            | grep -oE '"nametag"\s*:\s*"[^"]*"' \
+            | head -1 \
+            | sed -E 's/.*:\s*"([^"]*)".*/\1/' \
+            || true)
+        if [ -n "$nametag" ] && [ "$nametag" != "$CURRENT_NAMETAG" ]; then
+            CURRENT_NAMETAG="$nametag"
+            if [ -n "$CURRENT_PUBKEY" ]; then
+                render "$CURRENT_PUBKEY" "$CURRENT_NAMETAG"
+                printf '[faucet-discovery] nametag verified: %s\n' "$nametag" >&2
+            fi
+        fi
+    fi
+
     if [ -n "$pubkey" ] && [ "$pubkey" != "$CURRENT_PUBKEY" ]; then
         CURRENT_PUBKEY="$pubkey"
-        direct="DIRECT://${pubkey}"
-        cat > "$TMP_DIR/identity.json" <<EOF
-{
-  "status": "running",
-  "domain": "${SSL_DOMAIN:-localhost}",
-  "network": "${UNICITY_NETWORK:-testnet}",
-  "chain_pubkey": "${pubkey}",
-  "direct_address": "${direct}",
-  "supported_coins": []
-}
-EOF
-        mv "$TMP_DIR/identity.json" "$IDENTITY_FILE"
-        chmod 644 "$IDENTITY_FILE" 2>/dev/null || true
+        render "$CURRENT_PUBKEY" "$CURRENT_NAMETAG"
         printf '[faucet-discovery] identity updated: %s\n' "$pubkey" >&2
     fi
 done