$ agent --node sentry

last_verified: 2026-05-12

Sentry node — agent instructions

CONSTANTS

CHAIN_ID=roguelayer-1
BINARY=rogued
P2P_PORT=26656
VALIDATOR_NODE_ID=REQUIRED_PARAM
VALIDATOR_PRIVATE_IP=REQUIRED_PARAM
SENTRY_PEERS=REQUIRED_PARAM   # "id1@ip1:26656,id2@ip2:26656,..."
GENESIS_URL=TBD
SEED_PEERS=TBD

PREFLIGHT

  • At least one validator host already running with a known node-id.
  • Each sentry on a separate host with full-node prerequisites (see /run-a-node/full/agent CONSTANTS).
  • Private network reachability between sentries and validator on port 26656.

STEPS

STEP 1 — provision_full_node

Run /run-a-node/full/agent/raw STEPS 1–3 on each sentry host. Skip the optional RPC exposure step.

EXPECT_EXIT: 0 VERIFY: rogued status succeeds on each sentry.

STEP 2 — configure_sentry_p2p

COMMAND (run on each sentry; requires VALIDATOR_NODE_ID and VALIDATOR_PRIVATE_IP env vars):

python3 - <<'PY'
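import os, re, pathlib
p = pathlib.Path.home() / ".rogued/config/config.toml"
s = p.read_text()
def set_kv(s, k, v):
    # Rewrite an existing "k = ..." line; exit non-zero if the key is absent
    # so a silent no-op cannot pass EXPECT_EXIT.
    s, n = re.subn(rf'(?m)^{re.escape(k)}\s*=.*$', lambda m: f'{k} = {v}', s)
    if n == 0:
        raise SystemExit(f"key not found in config.toml: {k}")
    return s
nid = os.environ["VALIDATOR_NODE_ID"]
vip = os.environ["VALIDATOR_PRIVATE_IP"]
# The sentry takes part in peer exchange with the public network.
s = set_kv(s, "pex", "true")
s = set_kv(s, "addr_book_strict", "false")
s = set_kv(s, "max_num_inbound_peers", "100")
s = set_kv(s, "max_num_outbound_peers", "40")
# Keep a persistent connection to the validator over the private network.
s = set_kv(s, "persistent_peers", f'"{nid}@{vip}:26656"')
# Never gossip the validator's ID to other peers.
s = set_kv(s, "private_peer_ids", f'"{nid}"')
# Connect to the validator regardless of peer limits.
s = set_kv(s, "unconditional_peer_ids", f'"{nid}"')
p.write_text(s)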
PY

EXPECT_EXIT: 0 VERIFY: grep '^private_peer_ids' ~/.rogued/config/config.toml matches VALIDATOR_NODE_ID.

STEP 3 — lock_down_validator

Run on the validator host (NOT the sentry); requires SENTRY_PEERS env var.

COMMAND:

python3 - <<'PY'
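import os, re, pathlib
p = pathlib.Path.home() / ".rogued/config/config.toml"
s = p.read_text()
def set_kv(s, k, v):
    # Rewrite an existing "k = ..." line; exit non-zero if the key is absent
    # so a silent no-op cannot pass EXPECT_EXIT.
    s, n = re.subn(rf'(?m)^{re.escape(k)}\s*=.*$', lambda m: f'{k} = {v}', s)
    if n == 0:
        raise SystemExit(f"key not found in config.toml: {k}")
    return s
# Disable peer exchange so the validator only dials the peers listed below.
s = set_kv(s, "pex", "false")
s = set_kv(s, "persistent_peers", f'"{os.environ["SENTRY_PEERS"]}"')
s = set_kv(s, "addr_book_strict", "false")
p.write_text(s)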
PY

EXPECT_EXIT: 0 VERIFY: grep '^pex' ~/.rogued/config/config.toml shows pex = false.

STEP 4 — restart_and_verify

COMMAND on each host:

sudo systemctl restart rogued

EXPECT_EXIT: 0 VERIFY:

  • on sentry: curl -s localhost:26657/net_info | jq '.result.peers | length' returns > 1.
  • on validator: every entry in curl -s localhost:26657/net_info | jq -r '.result.peers[].node_info.id' is in SENTRY_PEERS' node IDs.

VERIFY_FINAL

The validator's peer list contains ONLY sentry node IDs. If any other peer appears, the lockdown failed.
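
One way to automate the STEP 4 / VERIFY_FINAL check on the validator, as an added example that is not part of the original instructions: it compares the node IDs in a `net_info` response against `SENTRY_PEERS` and returns any peer that is not a sentry, plus any sentry that is not connected. The function names and the sample data are assumptions constructed for illustration; `remote_ip` is reported only if the response carries it.

```python
import json

def sentry_ids(sentry_peers):
    """Extract node IDs from a SENTRY_PEERS string: "id1@ip1:26656,id2@ip2:26656"."""
    ids = set()
    for entry in sentry_peers.split(","):
        entry = entry.strip()
        if not entry:
            continue
        node_id, sep, _addr = entry.partition("@")
        if not sep or not node_id:
            raise ValueError(f"malformed SENTRY_PEERS entry: {entry!r}")
        ids.add(node_id.lower())
    if not ids:
        raise ValueError("SENTRY_PEERS is empty")
    return ids

def audit_validator_peers(net_info_json, sentry_peers):
    """Return (unexpected, missing): non-sentry peers, and sentries not connected."""
    allowed = sentry_ids(sentry_peers)
    peers = json.loads(net_info_json)["result"]["peers"]
    seen = {p["node_info"]["id"].lower(): p.get("remote_ip", "?") for p in peers}
    unexpected = sorted((nid, ip) for nid, ip in seen.items() if nid not in allowed)
    missing = sorted(allowed - set(seen))
    return unexpected, missing

# Constructed sample data (not captured from a real node).
S1, S2, ROGUE = "a" * 40, "b" * 40, "c" * 40
SAMPLE_SENTRY_PEERS = f"{S1}@10.0.0.11:26656,{S2}@10.0.0.12:26656"
SAMPLE_NET_INFO = json.dumps({"result": {"peers": [
    {"node_info": {"id": S1}, "remote_ip": "10.0.0.11"},
    {"node_info": {"id": ROGUE}, "remote_ip": "203.0.113.7"},
]}})

if __name__ == "__main__":
    unexpected, missing = audit_validator_peers(SAMPLE_NET_INFO, SAMPLE_SENTRY_PEERS)
    for nid, ip in unexpected:
        print(f"FAIL non-sentry peer {nid} from {ip}")
    for nid in missing:
        print(f"WARN sentry not connected: {nid}")
    # Non-zero exit when the lockdown failed, matching the EXPECT_EXIT convention.
    raise SystemExit(1 if unexpected else 0)
```

On a real validator, pass the output of `curl -s localhost:26657/net_info` and the `SENTRY_PEERS` value in place of the sample constants.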

FAILURE_MODES

  • Validator still peers with public nodes → pex = false not applied or 26656 still open on a public interface; block at firewall.
  • Sentry has 0 peers → check SEED_PEERS reachability; verify pex = true on sentry.

SAFETY

Any non-sentry peer ID in the validator's net_info means the validator is still publicly reachable. Treat as an incident: stop the validator process, fix the network config, restart.