build: fix docker-compose for evm

[randygrok]

some flags have changed and the docker compose for the evm was failing. Now it works again.

[gemini-code-assist]

Summary of Changes

Hello @randygrok, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves an issue preventing the EVM Docker Compose setup from functioning correctly. The core changes involve adapting the entrypoint.sh script to reflect updated command-line flag conventions within the EVM binary, specifically the transition from rollkit to evnode prefixes. Additionally, it introduces a more secure method for handling sensitive data like the signer passphrase and JWT secret by storing them in temporary files, which are then referenced by the application. These modifications ensure the EVM environment initializes and operates as expected with the latest binary requirements.

Highlights

• Flag Renaming: All command-line flags prefixed with rollkit have been updated to use the evnode prefix, aligning with recent changes in the EVM binary.
• Enhanced Secret Handling: Sensitive information such as the signer passphrase and JWT secret are now written to temporary files (passphrase.txt, jwt.hex) with restricted permissions (chmod 600) before being passed to the EVM binary, improving security by avoiding direct exposure in process arguments.
• Configuration Directory Creation: The entrypoint.sh script now explicitly creates the configuration home directory if it does not already exist, ensuring a stable environment for secret file creation.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

The latest Buf updates on your PR. Results from workflow CI / buf-check (pull_request).

Build	Format	Lint	Breaking	Updated (UTC)
✅ passed	⏩ skipped	✅ passed	✅ passed	Jan 28, 2026, 9:59 AM

[claude]

Claude finished @randygrok's task in 1m 31s —— View job

---

Code Review Complete ✅

I've reviewed the changes in apps/evm/entrypoint.sh. This PR successfully addresses the flag migration from rollkit to evnode and introduces important security improvements. Here's my comprehensive assessment:

---

Summary of Changes

This PR makes three key improvements:

1. Flag Migration: Updates all rollkit.* flags to evnode.* prefix
2. Security Enhancement: Implements file-based secret handling instead of passing secrets as command-line arguments
3. Directory Management: Ensures config directory exists before writing secret files

---

Positive Observations ✨

Security Improvements

• Excellent change: Secrets are now written to files with chmod 600 instead of being passed directly as CLI arguments (lines 37-48)
• This prevents secrets from appearing in process listings (ps aux) and command history
• The passphrase file (passphrase.txt) and JWT secret file (jwt.hex) have properly restricted permissions

Code Quality

• The flag migration is comprehensive and consistent
• The script maintains backward compatibility by preserving the conditional logic structure
• Proper use of mkdir -p ensures idempotent directory creation

---

Issues and Recommendations

🔴 Critical: Command Injection Vulnerability

Location: apps/evm/entrypoint.sh:63 and apps/evm/entrypoint.sh:123

Issue: Unquoted variable expansion in command execution creates command injection risk:

$INIT_COMMAND      # Line 63 - UNSAFE
$START_COMMAND "$@"  # Line 123 - UNSAFE

Problem: If any environment variable contains special characters (spaces, semicolons, etc.), the shell will interpret them as command separators, potentially executing arbitrary code.

Fix: Quote the variable expansions:

"$INIT_COMMAND"      # Line 63
"$START_COMMAND" "$@"  # Line 123

Or better yet, use direct command execution instead of building command strings:

# Replace lines 60-63 with:
echo "Create default config with command: evm init $init_flags"
exec evm init $init_flags

# Replace lines 120-123 with:
echo "Starting with command: evm start $default_flags $*"
exec evm start $default_flags "$@"

Fix command injection vulnerability →

---

🟡 Medium: Security - Secret File Cleanup

Location: apps/evm/entrypoint.sh:37-48

Issue: Secret files are created but never cleaned up, persisting sensitive data on disk.

Recommendation: Add a trap to clean up secret files on script exit:

# After line 34
trap 'rm -f "$PASSPHRASE_FILE" "$JWT_SECRET_FILE"' EXIT INT TERM

# Or better: use /dev/shm for truly temporary secrets
PASSPHRASE_FILE="${TMPDIR:-/tmp}/passphrase-$$.txt"
JWT_SECRET_FILE="${TMPDIR:-/tmp}/jwt-$$hex"

Consideration: If these files need to persist between container restarts, document this requirement. Otherwise, ephemeral storage would be more secure.

---

🟡 Medium: Error Handling - Silent Failures

Location: Throughout the script

Issue: The script uses set -e (line 2) but has several operations that could fail silently:

• mkdir -p could fail due to permissions (line 34)
• File writes could fail due to disk space or permissions (lines 39, 46)
• chmod could fail if the file doesn't exist (lines 40, 47)

Recommendation: Add explicit error checking for critical operations:

# Replace line 34 with:
mkdir -p "$CONFIG_HOME" || {
  echo "ERROR: Failed to create config directory: $CONFIG_HOME" >&2
  exit 1
}

# Add checks after secret file creation:
if [ -n "$EVM_SIGNER_PASSPHRASE" ]; then
  echo "$EVM_SIGNER_PASSPHRASE" > "$PASSPHRASE_FILE" || {
    echo "ERROR: Failed to write passphrase file" >&2
    exit 1
  }
  chmod 600 "$PASSPHRASE_FILE" || {
    echo "ERROR: Failed to set permissions on passphrase file" >&2
    exit 1
  }
fi

---

🟡 Medium: Consistency - Flag Format

Location: apps/evm/entrypoint.sh:57, 92

Issue: Inconsistent flag format - some use =, others use space separation:

• Line 57: --evnode.node.aggregator=true (equals sign)
• Line 57: --evnode.signer.passphrase_file $PASSPHRASE_FILE (space)

Recommendation: Choose one format and use it consistently. Based on the other flags in the script, space separation appears to be the standard:

--evnode.node.aggregator true --evnode.signer.passphrase_file "$PASSPHRASE_FILE"

Or use equals consistently:

--evnode.node.aggregator=true --evnode.signer.passphrase_file="$PASSPHRASE_FILE"

---

🔵 Minor: Code Quality - Variable Quoting

Location: Multiple locations throughout

Issue: Inconsistent variable quoting. Some variables are quoted, others aren't:

• Line 40, 47: chmod 600 "$PASSPHRASE_FILE" (quoted - good)
• Line 57: --evnode.signer.passphrase_file $PASSPHRASE_FILE (unquoted - risky)

Recommendation: Always quote variable expansions to prevent word splitting:

--evnode.signer.passphrase_file "$PASSPHRASE_FILE"

---

🔵 Minor: Documentation

Issue: The script lacks comments explaining the security improvements.

Recommendation: Add comments to document the design decisions:

# Create secret files with restricted permissions instead of passing
# secrets as CLI arguments to prevent exposure in process listings
PASSPHRASE_FILE="$CONFIG_HOME/passphrase.txt"
if [ -n "$EVM_SIGNER_PASSPHRASE" ]; then
  echo "$EVM_SIGNER_PASSPHRASE" > "$PASSPHRASE_FILE"
  chmod 600 "$PASSPHRASE_FILE"  # Readable only by owner
fi

---

Testing Recommendations

Since this changes core initialization logic, please verify:

1. Initialization with secrets: Does evm init work correctly with the new passphrase file approach?
2. Startup with secrets: Does evm start correctly load secrets from files?
3. Permission handling: Test with restrictive umask to ensure file creation works
4. Edge cases: Test with empty environment variables, special characters in paths
5. Docker Compose: Verify the docker-compose setup works end-to-end

---

Decision: Approve with Recommendations

✅ The flag migration is correct and necessary - this unblocks the docker-compose setup.

⚠️ The command injection vulnerability should be fixed before merging - it's a security issue that could be exploited if environment variables are user-controlled.

The other issues (secret cleanup, error handling, consistency) are improvements that can be addressed in follow-up PRs if needed, but I'd recommend fixing the command injection issue in this PR.

---

Verification Checklist

• Command injection vulnerability fixed (lines 63, 123)
• Tested with docker-compose to confirm EVM starts successfully
• Verified secrets are not visible in docker exec <container> ps aux

---

[gemini-code-assist]

Code Review

This pull request updates the entrypoint.sh script to align with recent command-line flag changes, specifically replacing rollkit. with evnode., and enhances secret handling by reading them from environment variables and writing to files. While this improves security by preventing secrets from being exposed in the process list, a medium-severity argument injection vulnerability was identified in entrypoint.sh. This is due to unsafe command construction where variables are concatenated without proper quoting, leading to potential word splitting and unintended argument injection. This underlying issue should be addressed. Additionally, minor suggestions have been made to improve the robustness of writing secrets to files.

[gemini-code-assist]

Using echo can add an unwanted trailing newline to the passphrase file. While the Go application appears to handle this by trimming whitespace, it's safer and more precise to use printf '%s' to ensure the secret is written to the file exactly as it is in the environment variable, without any modifications.

Suggested change

	echo "$EVM_SIGNER_PASSPHRASE" > "$PASSPHRASE_FILE"
	printf '%s' "$EVM_SIGNER_PASSPHRASE" > "$PASSPHRASE_FILE"

[gemini-code-assist]

Using echo can add an unwanted trailing newline to the JWT secret file. It's safer and more precise to use printf '%s' to ensure the secret is written to the file exactly as it is in the environment variable, without any modifications.

Suggested change

	echo "$EVM_JWT_SECRET" > "$JWT_SECRET_FILE"
	printf '%s' "$EVM_JWT_SECRET" > "$JWT_SECRET_FILE"

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 55.61%. Comparing base (62c9339) to head (8c863da).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3022      +/-   ##
==========================================
- Coverage   58.04%   55.61%   -2.43%     
==========================================
  Files         110      116       +6     
  Lines       10522    11477     +955     
==========================================
+ Hits         6107     6383     +276     
- Misses       3764     4394     +630     
- Partials      651      700      +49     

Flag	Coverage Δ
combined	55.61% <ø> (-2.43%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[julienrbrt]

utACK