Skip to main content

Production Checklist

Checklist for deploying L{CORE} to production.

Pre-Deployment

Infrastructure

  • EigenCloud account created and verified
  • Docker Hub access for pushing images
  • Arbitrum RPC endpoint configured (Alchemy, Infura, etc.)
  • Domain/IP addresses allocated for services
  • SSL certificates provisioned (if using custom domain)

Wallet Setup

  • Production wallet created
  • Wallet funded with ETH for gas (Arbitrum Sepolia or Mainnet)
  • Private key/mnemonic stored securely (never in code)
  • Test transaction successful

Keys Generated

  • NaCl keypair for L{CORE} encryption 
    node -e "
    const nacl = require('tweetnacl');
    const kp = nacl.box.keyPair();
    console.log('PUBLIC=' + Buffer.from(kp.publicKey).toString('base64'));
    console.log('PRIVATE=' + Buffer.from(kp.secretKey).toString('base64'));
    "
  • Proof signing key 
    node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
  • JWT secret for admin sessions
  • Keys stored in secure secret manager

Cartesi Node Deployment

Docker Image

  • Image built with EXPOSE directive 
    FROM modernsociety/lcore-cartesi-node:latest
    USER root
    EXPOSE 10000
  • Image pushed to registry
  • Image tag matches deployment config

Environment Variables

  • CARTESI_HTTP_ADDRESS=0.0.0.0 (CRITICAL)
  • CARTESI_CONTRACTS_APPLICATION_ADDRESS set
  • CARTESI_CONTRACTS_INPUT_BOX_ADDRESS set
  • CARTESI_CONTRACTS_AUTHORITY_ADDRESS set
  • CARTESI_CONTRACTS_HISTORY_ADDRESS set
  • CARTESI_BLOCKCHAIN_ID matches network
  • CARTESI_BLOCKCHAIN_HTTP_ENDPOINT set
  • CARTESI_BLOCKCHAIN_WS_ENDPOINT set
  • CARTESI_AUTH_MNEMONIC set
  • CARTESI_EXPERIMENTAL_DISABLE_CONFIG_LOG=true

Verification

  • Container starts without errors
  • Port 10000 accessible externally
  • Health query returns success 
    curl "http://${IP}:10000/inspect/$(python3 -c "import urllib.parse; print(urllib.parse.quote('{\"type\":\"health\",\"params\":{}}'))")"
  • Node syncing with blockchain

Attestor Deployment

Docker Image

  • Image built
  • Image pushed to registry
  • Image tag matches deployment config

Environment Variables

  • LCORE_ENABLED=1
  • LCORE_NODE_URL points to Cartesi node
  • LCORE_RPC_URL set
  • LCORE_DAPP_ADDRESS set
  • LCORE_INPUTBOX_ADDRESS set
  • LCORE_ADMIN_PUBLIC_KEY set
  • LCORE_ADMIN_PRIVATE_KEY set
  • NODE_ENV=production
  • PORT=8001
  • Database credentials (if using Supabase)

Verification

  • Container starts without errors
  • Health check passes 
    curl http://${IP}:8001/healthcheck
  • L{CORE} status shows connected 
    curl http://${IP}:8001/api/lcore/status
  • Test attestation succeeds

Security Checklist

Secrets

  • No secrets in code or Dockerfiles
  • Environment variables not logged
  • CARTESI_EXPERIMENTAL_DISABLE_CONFIG_LOG=true set
  • Private keys rotated from development
  • Different keys per environment

Network

  • Firewall rules configured
  • Only required ports exposed (8001, 10000)
  • RPC endpoint has IP allowlist (if possible)
  • Internal network isolated from public

Access Control

  • Admin endpoints require authentication
  • Rate limiting enabled
  • CORS configured appropriately
  • No debug endpoints exposed

Monitoring Setup

Health Checks

  • Uptime monitoring for Attestor /healthcheck
  • Uptime monitoring for Cartesi /inspect/...
  • Alert thresholds configured

Logging

  • Log aggregation configured
  • Log retention policy set
  • Sensitive data not logged

Metrics

  • Request latency tracked
  • Error rates monitored
  • Gas usage tracked
  • Attestation throughput measured

Backup & Recovery

Database

  • Supabase backups enabled (if using)
  • Backup retention configured
  • Restore procedure tested

Keys

  • Key backup procedure documented
  • Key recovery tested
  • Key rotation procedure documented

Configuration

  • Environment config version controlled
  • Deployment rollback procedure documented

Post-Deployment

Functional Tests

  • Create test attestation
  • Query attestation via Cartesi
  • Verify bucket assignment
  • Test access grant flow
  • Verify encryption/decryption

Load Tests

  • Concurrent attestation test
  • Query performance under load
  • Gas estimation accurate

Documentation

  • Endpoint URLs documented
  • API keys documented (securely)
  • Runbook created for common operations
  • Incident response plan documented

Contract Addresses Reference

Arbitrum Sepolia (Testnet)

ContractAddress
DApp0xAE0863401D5B953b89cad8a5E7c98f5136E9C26d
InputBox0x59b22D57D4f067708AB0c00552767405926dc768
Authority0x08cC70a34EA78F35a871822F685dCB99EE079A08
History0xF1A186AFC0C794dA242fcE50052592dDA30F0457

Arbitrum One (Mainnet)

ContractAddress
DApp(Your deployed address)
InputBoxSee Cartesi docs

Emergency Procedures

Service Down

  1. Check container logs
  2. Verify environment variables
  3. Check RPC endpoint availability
  4. Check wallet balance
  5. Restart containers

Suspected Compromise

  1. Rotate all keys immediately
  2. Disable public endpoints
  3. Audit recent transactions
  4. Review access logs
  5. Report to security team