evstack · julienrbrt · Jan 28, 2026 · Jan 28, 2026 · gemini-code-assist · Jan 28, 2026
diff --git a/apps/evm/entrypoint.sh b/apps/evm/entrypoint.sh
@@ -30,14 +30,31 @@ get_home_dir() {
 # Get the home directory (either from --home flag or default)
 CONFIG_HOME=$(get_home_dir "$@")
 
+# Create config directory
+mkdir -p "$CONFIG_HOME"
+
+# Create passphrase file if environment variable is set
+PASSPHRASE_FILE="$CONFIG_HOME/passphrase.txt"
+if [ -n "$EVM_SIGNER_PASSPHRASE" ]; then
+  echo "$EVM_SIGNER_PASSPHRASE" > "$PASSPHRASE_FILE"
-  echo "$EVM_SIGNER_PASSPHRASE" > "$PASSPHRASE_FILE"
+  printf '%s' "$EVM_SIGNER_PASSPHRASE" > "$PASSPHRASE_FILE"
-  echo "$EVM_SIGNER_PASSPHRASE" > "$PASSPHRASE_FILE"
+  printf '%s' "$EVM_SIGNER_PASSPHRASE" > "$PASSPHRASE_FILE"
+  chmod 600 "$PASSPHRASE_FILE"
+fi
+
+# Create JWT secret file if environment variable is set
+JWT_SECRET_FILE="$CONFIG_HOME/jwt.hex"
+if [ -n "$EVM_JWT_SECRET" ]; then
+  echo "$EVM_JWT_SECRET" > "$JWT_SECRET_FILE"
-  echo "$EVM_JWT_SECRET" > "$JWT_SECRET_FILE"
+  printf '%s' "$EVM_JWT_SECRET" > "$JWT_SECRET_FILE"
-  echo "$EVM_JWT_SECRET" > "$JWT_SECRET_FILE"
+  printf '%s' "$EVM_JWT_SECRET" > "$JWT_SECRET_FILE"
+  chmod 600 "$JWT_SECRET_FILE"
+fi
+
 if [ ! -f "$CONFIG_HOME/config/node_key.json" ]; then
 
   # Build init flags array
   init_flags="--home=$CONFIG_HOME"
 
   # Add required flags if environment variables are set
   if [ -n "$EVM_SIGNER_PASSPHRASE" ]; then
-    init_flags="$init_flags --rollkit.node.aggregator=true --rollkit.signer.passphrase $EVM_SIGNER_PASSPHRASE"
+    init_flags="$init_flags --evnode.node.aggregator=true --evnode.signer.passphrase_file $PASSPHRASE_FILE"
   fi
 
   INIT_COMMAND="evm init $init_flags"
@@ -52,7 +69,7 @@ default_flags="--home=$CONFIG_HOME"
 
 # Add required flags if environment variables are set
 if [ -n "$EVM_JWT_SECRET" ]; then
-  default_flags="$default_flags --evm.jwt-secret $EVM_JWT_SECRET"
+  default_flags="$default_flags --evm.jwt-secret-file $JWT_SECRET_FILE"
 fi
 
 if [ -n "$EVM_GENESIS_HASH" ]; then
@@ -68,28 +85,28 @@ if [ -n "$EVM_ETH_URL" ]; then
 fi
 
 if [ -n "$EVM_BLOCK_TIME" ]; then
-  default_flags="$default_flags --rollkit.node.block_time $EVM_BLOCK_TIME"
+  default_flags="$default_flags --evnode.node.block_time $EVM_BLOCK_TIME"
 fi
 
 if [ -n "$EVM_SIGNER_PASSPHRASE" ]; then
-  default_flags="$default_flags --rollkit.node.aggregator=true --rollkit.signer.passphrase $EVM_SIGNER_PASSPHRASE"
+  default_flags="$default_flags --evnode.node.aggregator=true --evnode.signer.passphrase_file $PASSPHRASE_FILE"
 fi
 
 # Conditionally add DA-related flags
 if [ -n "$DA_ADDRESS" ]; then
-  default_flags="$default_flags --rollkit.da.address $DA_ADDRESS"
+  default_flags="$default_flags --evnode.da.address $DA_ADDRESS"
 fi
 
 if [ -n "$DA_AUTH_TOKEN" ]; then
-  default_flags="$default_flags --rollkit.da.auth_token $DA_AUTH_TOKEN"
+  default_flags="$default_flags --evnode.da.auth_token $DA_AUTH_TOKEN"
 fi
 
 if [ -n "$DA_NAMESPACE" ]; then
-  default_flags="$default_flags --rollkit.da.namespace $DA_NAMESPACE"
+  default_flags="$default_flags --evnode.da.namespace $DA_NAMESPACE"
 fi
 
 if [ -n "$DA_SIGNING_ADDRESSES" ]; then
-  default_flags="$default_flags --rollkit.da.signing_addresses $DA_SIGNING_ADDRESSES"
+  default_flags="$default_flags --evnode.da.signing_addresses $DA_SIGNING_ADDRESSES"
 fi
 
 # If no arguments passed, show help