feat: add a chart for the network mapper

.github/ct.yaml

@@ -0,0 +1,4 @@
+chart-dirs:
+  - charts
+remote: origin
+target-branch: main

.github/renovate.json

@@ -2,6 +2,7 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
     "config:recommended",
+    "helpers:pinGitHubActionDigests",
     ":automergeMinor",
     ":automergePr",
     ":automergeRequireAllStatusChecks",

.github/workflows/qa.yml

@@ -60,8 +60,6 @@ jobs:
           SLACK_CHANNEL_ID: op://platform/slack-bot/SLACK_CHANNEL_ID
           HARBOR_USER: op://platform/harbor/username
           HARBOR_PASS: op://platform/harbor/password
-          PAT_TOKEN: op://platform/github-commit-pat/credential
-          NPM_TOKEN: op://platform/npmjs/credential
 
       # Label QA as running and notify Slack (only for non-draft PRs)
       - name: Label QA as running
@@ -120,6 +118,15 @@ jobs:
         if: github.event_name == 'pull_request' || github.event_name == 'push'
         run: bun typecheck
 
+      - name: Set version
+        id: version
+        if: github.event_name == 'pull_request' || github.event_name == 'push'
+        run: bun run tools/version.ts
+
+      - name: Run docs
+        if: github.event_name == 'pull_request' || github.event_name == 'push'
+        run: bun run docs:helm
+
       - name: Docker meta
         if: github.event_name == 'pull_request' || github.event_name == 'push'
         id: meta
@@ -135,6 +142,7 @@ jobs:
             type=semver,pattern={{major}}.{{minor}}
             type=semver,pattern={{major}}
             type=sha
+            type=raw,value=${{ steps.version.outputs.version }}
 
       - name: Build and push
         if: github.event_name == 'pull_request' || github.event_name == 'push'
@@ -148,6 +156,52 @@ jobs:
           provenance: mode=max
           sbom: true
 
+      - name: Set up Python
+        if: github.event_name == 'pull_request' || github.event_name == 'push'
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.x"
+          check-latest: true
+
+      - name: Set up Helm
+        if: github.event_name == 'pull_request' || github.event_name == 'push'
+        uses: azure/setup-helm@v4
+
+      - name: Set up chart-testing
+        if: github.event_name == 'pull_request' || github.event_name == 'push'
+        uses: helm/chart-testing-action@v2.7.0
+
+      - name: Determine chart changes
+        if: github.event_name == 'pull_request' || github.event_name == 'push'
+        id: ct-changed
+        env:
+          CT_CONFIG: .github/ct.yaml
+        run: |
+          changed=$(ct list-changed --config "$CT_CONFIG")
+          if [[ -n "$changed" ]]; then
+            printf "changed=true\n" >> "$GITHUB_OUTPUT"
+            echo "$changed"
+          else
+            printf "changed=false\n" >> "$GITHUB_OUTPUT"
+            echo "No chart changes detected"
+          fi
+
+      - name: Run chart-testing (lint)
+        if: (github.event_name == 'pull_request' || github.event_name == 'push') && steps.ct-changed.outputs.changed == 'true'
+        env:
+          CT_CONFIG: .github/ct.yaml
+        run: ct lint --config "$CT_CONFIG" --validate-yaml=false
+
+      - name: Create kind cluster
+        if: (github.event_name == 'pull_request' || github.event_name == 'push') && steps.ct-changed.outputs.changed == 'true'
+        uses: helm/kind-action@v1.12.0
+
+      - name: Run chart-testing (install)
+        if: (github.event_name == 'pull_request' || github.event_name == 'push') && steps.ct-changed.outputs.changed == 'true'
+        env:
+          CT_CONFIG: .github/ct.yaml
+        run: ct install --config "$CT_CONFIG" --skip-clean-up
+
       # Label QA results (PR only)
       - name: Label QA build status
         if: |
@@ -195,7 +249,27 @@ jobs:
             ${{ steps.secret-scan.outcome == 'success' && 'success' || 'failure'
             }}
 
-      # Skip redundant notification - handled by consolidated step at the end
+      - name: Login to Harbor
+        if: |
+          github.event_name == 'push' ||
+          (github.event_name == 'pull_request' && github.event.pull_request.draft == false)
+        uses: docker/login-action@v3
+        with:
+          registry: harbor.settlemint.com
+          username: ${{ env.HARBOR_USER }}
+          password: ${{ env.HARBOR_PASS }}
+
+      - name: Package chart
+        if: |
+          github.event_name == 'push' ||
+          (github.event_name == 'pull_request' && github.event.pull_request.draft == false)
+        run: bun run package:pack
+
+      - name: Push chart to Harbor
+        if: |
+          github.event_name == 'push' ||
+          (github.event_name == 'pull_request' && github.event.pull_request.draft == false)
+        run: bun run package:push:harbor
 
       # Check PR review status (PR and PR review events only)
       - name: Check PR review status

AGENTS.md

@@ -6,7 +6,7 @@ The TypeScript sources live in `src/`. CLI flows under `src/cli/` orchestrate pr
 
 ## Build, Test, and Development Commands
 
-Install dependencies with `bun install`. Use `bun run src/index.ts` to execute the bootstrapper locally. Run the full test suite with `bun test`. Type safety is enforced by `bun run typecheck`, and formatting plus lint rules are auto-fixed with `bun run check` (Biome). Combine these commands before pushing to catch regressions early.
+Install dependencies with `bun install`. Use `bun run src/index.ts` to execute the bootstrapper locally. Run the full test suite with `bun test`. Type safety is enforced by `bun run typecheck`, and formatting plus lint rules are auto-fixed with `bun run check:fix` (Biome). Combine these commands before pushing to catch regressions early.
 
 ## Coding Style & Naming Conventions
 

README.md

@@ -1,15 +1,38 @@
 # network-bootstrapper
 
-To install dependencies:
+Generate node identities, configure consensus, and emit a Besu genesis.
 
-```bash
-bun install
-```
+## Helm chart
+
+The helm chart to run this on Kubernetes / OpenShift can be found [here](./charts/network-bootstrapper/README.md)
 
-To run:
+## CLI usage
 
-```bash
-bun run src/index.ts
 ```
+Usage: network-bootstrapper [options]
 
-This project was created using `bun init` in bun v1.2.22. [Bun](https://bun.com) is a fast all-in-one JavaScript runtime.
+Generate node identities, configure consensus, and emit a Besu genesis.
+
+Options:
+  -v, --validators <count>        Number of validator nodes to generate.
+                                  (default: 4)
+  -r, --rpc-nodes <count>         Number of RPC nodes to generate. (default: 2)
+  -a, --allocations <file>        Path to a genesis allocations JSON file.
+                                  (default: none)
+  -o, --outputType <type>         Output target (screen, file, kubernetes).
+                                  (default: "screen")
+  --consensus <algorithm>         Consensus algorithm (IBFTv2, QBFT). (default:
+                                  QBFT)
+  --chain-id <number>             Chain ID for the genesis config. (default:
+                                  random between 40000 and 50000)
+  --seconds-per-block <number>    Block time in seconds. (default: 2)
+  --gas-limit <decimal>           Block gas limit in decimal form. (default:
+                                  9007199254740991)
+  --gas-price <number>            Base gas price (wei). (default: 0)
+  --evm-stack-size <number>       EVM stack size limit. (default: 2048)
+  --contract-size-limit <number>  Contract size limit in bytes. (default:
+                                  2147483647)
+  --accept-defaults               Accept default values for all prompts when CLI
+                                  flags are omitted. (default: disabled)
+  -h, --help                      display help for command
+```

README.tpl

@@ -0,0 +1,9 @@
+# network-bootstrapper
+
+Generate node identities, configure consensus, and emit a Besu genesis.
+
+## Helm chart
+
+The helm chart to run this on Kubernetes / OpenShift can be found [here](./charts/network-bootstrapper/README.md)
+
+## CLI usage

biome.jsonc

@@ -5,6 +5,12 @@
     "rules": {
       "suspicious": {
         "noConsole": "off"
+      },
+      "complexity": {
+        "noExcessiveCognitiveComplexity": "off"
+      },
+      "nursery": {
+        "useMaxParams": "off"
       }
     }
   },

bun.lock

@@ -7,8 +7,10 @@
         "@inquirer/prompts": "7.8.6",
         "@kubernetes/client-node": "1.3.0",
         "commander": "14.0.1",
+        "lefthook": "^1.13.0",
         "ox": "0.9.6",
         "viem": "2.37.6",
+        "yaml": "^2.8.1",
         "zod": "4.1.9",
       },
       "devDependencies": {
@@ -366,6 +368,28 @@
 
     "jsonpath-plus": ["jsonpath-plus@10.3.0", "", { "dependencies": { "@jsep-plugin/assignment": "^1.3.0", "@jsep-plugin/regex": "^1.0.4", "jsep": "^1.4.0" }, "bin": { "jsonpath": "bin/jsonpath-cli.js", "jsonpath-plus": "bin/jsonpath-cli.js" } }, "sha512-8TNmfeTCk2Le33A3vRRwtuworG/L5RrgMvdjhKZxvyShO+mBu2fP50OWUjRLNtvw344DdDarFh9buFAZs5ujeA=="],
 
+    "lefthook": ["lefthook@1.13.0", "", { "optionalDependencies": { "lefthook-darwin-arm64": "1.13.0", "lefthook-darwin-x64": "1.13.0", "lefthook-freebsd-arm64": "1.13.0", "lefthook-freebsd-x64": "1.13.0", "lefthook-linux-arm64": "1.13.0", "lefthook-linux-x64": "1.13.0", "lefthook-openbsd-arm64": "1.13.0", "lefthook-openbsd-x64": "1.13.0", "lefthook-windows-arm64": "1.13.0", "lefthook-windows-x64": "1.13.0" }, "bin": { "lefthook": "bin/index.js" } }, "sha512-6pno+NjfBrKKt3XQmFUvwDdKXzBVh5JvzAIwcCOu9mqg81nAMCZd2FtTuU1fmDzXFNdsxjW8mwwKB+S8t5ucOQ=="],
+
+    "lefthook-darwin-arm64": ["lefthook-darwin-arm64@1.13.0", "", { "os": "darwin", "cpu": "arm64" }, "sha512-mhD4zOj2VRx34tptEc/lP643n5YAAVP95f/TiP6geQz4kpLwUrsTwQxzoXUIauU2DGSNbFtp9hVSE++0e4ESEA=="],
+
+    "lefthook-darwin-x64": ["lefthook-darwin-x64@1.13.0", "", { "os": "darwin", "cpu": "x64" }, "sha512-uspgWrhh9Xoyb+x0hVeMnYkSA1K/cEov4QHxcBBTIvTvjEuijSLIQEzULsHvg7a6xNM/8E3SBzOwBRK44jM2Mw=="],
+
+    "lefthook-freebsd-arm64": ["lefthook-freebsd-arm64@1.13.0", "", { "os": "freebsd", "cpu": "arm64" }, "sha512-UUY+UlGuwAkO8hEY4+SGYfM1OeXSI4i2/8ROwBpu6fz0LrTL1OUYRVhLIRNJvWrF2XabfgXVUrnjGY7YSq4zpg=="],
+
+    "lefthook-freebsd-x64": ["lefthook-freebsd-x64@1.13.0", "", { "os": "freebsd", "cpu": "x64" }, "sha512-wdF/Cwmbiblz+UaLb3a0trSKEmaY5z20latrmhim98M1H48iBHhUyUUJWaSEauyFMJWPwu7rSVZl5KktPxCxVA=="],
+
+    "lefthook-linux-arm64": ["lefthook-linux-arm64@1.13.0", "", { "os": "linux", "cpu": "arm64" }, "sha512-tpg4pA0JTeLxGAZDFJVOGyIMjQAE7F8HcM31tj+3KOogahspOffpmSoS1SlHzUSZ8Jm+Bvoqcis/sW68HkmWHw=="],
+
+    "lefthook-linux-x64": ["lefthook-linux-x64@1.13.0", "", { "os": "linux", "cpu": "x64" }, "sha512-5JUhlDaYqt9vBTSQ5gkA00+0ktUSRyL60AhZID6OR4ML39SidzMTu/GrgHscPT4sD3TfSODEdGZ28sNKdLg6jA=="],
+
+    "lefthook-openbsd-arm64": ["lefthook-openbsd-arm64@1.13.0", "", { "os": "openbsd", "cpu": "arm64" }, "sha512-UNCoKrbH0Yv61jCCUIPRr7ErS3yYt2VNCFdzLf752O9K0yrfn9FzYUsyxQFEn1Ah/kq+TNgZw90gVLg5fv1t4g=="],
+
+    "lefthook-openbsd-x64": ["lefthook-openbsd-x64@1.13.0", "", { "os": "openbsd", "cpu": "x64" }, "sha512-iyvE+jgHYnLvOoHsLykgf98lftewsQzEBciYxygna9sLZ9nLvfbwp9mWUk09yMRmPCFGDeeDecERaUa2SICWLA=="],
+
+    "lefthook-windows-arm64": ["lefthook-windows-arm64@1.13.0", "", { "os": "win32", "cpu": "arm64" }, "sha512-+u0GyvZouKGcecFsayIbzq1KIoDcrSqVhivLfJUq7vpMXbSHV5HbhrkdkfqkuGjGgGnWulQY29/bDubTQoqfOA=="],
+
+    "lefthook-windows-x64": ["lefthook-windows-x64@1.13.0", "", { "os": "win32", "cpu": "x64" }, "sha512-RG8dfOkszk6BaOA7k26NO0R1/vy1tno7/wgdg+Wjt0pYFiBo0DhmPMoAVB4kzjObqBKDd1KWidzsEv4/R0oFIg=="],
+
     "loupe": ["loupe@3.2.1", "", {}, "sha512-CdzqowRJCeLU72bHvWqwRBBlLcMEtIvGrlvef74kMnV2AolS9Y8xUv1I0U/MNAWMhBlKIoyuEgoJ0t/bbwHbLQ=="],
 
     "magic-string": ["magic-string@0.30.19", "", { "dependencies": { "@jridgewell/sourcemap-codec": "^1.5.5" } }, "sha512-2N21sPY9Ws53PZvsEpVtNuSW+ScYbQdp4b9qUaL+9QkHUrGFKo56Lg9Emg5s9V/qrtNBmiR01sYhUOwu3H+VOw=="],
@@ -490,6 +514,8 @@
 
     "ws": ["ws@8.18.3", "", { "peerDependencies": { "bufferutil": "^4.0.1", "utf-8-validate": ">=5.0.2" }, "optionalPeers": ["bufferutil", "utf-8-validate"] }, "sha512-PEIGCY5tSlUt50cqyMXfCzX+oOPqN0vuGqWzbcJ2xvnkzkq46oOpz7dQaTDBdfICb4N14+GARUDw2XV2N4tvzg=="],
 
+    "yaml": ["yaml@2.8.1", "", { "bin": { "yaml": "bin.mjs" } }, "sha512-lcYcMxX2PO9XMGvAJkJ3OsNMw+/7FKes7/hgerGUYWIoWu5j/+YQqcZr5JnPZWzOsEBgMbSbiSTn/dv/69Mkpw=="],
+
     "yoctocolors-cjs": ["yoctocolors-cjs@2.1.3", "", {}, "sha512-U/PBtDf35ff0D8X8D0jfdzHYEPFxAI7jJlxZXwCSez5M3190m+QobIfh+sWDWSHMCWWJN2AWamkegn6vr6YBTw=="],
 
     "zod": ["zod@4.1.9", "", {}, "sha512-HI32jTq0AUAC125z30E8bQNz0RQ+9Uc+4J7V97gLYjZVKRjeydPgGt6dvQzFrav7MYOUGFqqOGiHpA/fdbd0cQ=="],

charts/network-bootstrapper/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/network-bootstrapper/Chart.yaml

@@ -0,0 +1,10 @@
+apiVersion: v2
+name: network-bootstrapper
+description: A Helm chart for Kubernetes
+type: application
+version: 0.1.0
+appVersion: "0.1.0"
+maintainers:
+  - name: SettleMint
+    email: support@settlemint.com
+    url: https://settlemint.com

charts/network-bootstrapper/README.md

@@ -0,0 +1,52 @@
+# network-bootstrapper
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square)
+
+A Helm chart for Kubernetes
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| SettleMint | <support@settlemint.com> | <https://settlemint.com> |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` | Affinity and anti-affinity rules influencing pod placement. |
+| fullnameOverride | string | `""` | Fully qualified name override for resources created by this release. |
+| image | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/settlemint/network-bootstrapper","tag":""}` | Container image settings for the network bootstrapper workload. See https://kubernetes.io/docs/concepts/containers/images/ for background. |
+| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy controlling when Kubernetes re-fetches the image layer manifest. |
+| image.repository | string | `"ghcr.io/settlemint/network-bootstrapper"` | OCI repository hosting the network bootstrapper image. |
+| image.tag | string | `""` | Image tag override. Defaults to the chart's `.appVersion` when left empty. |
+| imagePullSecrets | list | `[]` | Image pull secrets enabling access to private registries. See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ for usage. |
+| nameOverride | string | `""` | Short name override applied to chart-scoped resource names. |
+| nodeSelector | object | `{}` | Node selector constraints for scheduling the bootstrapper pod. |
+| podAnnotations | object | `{}` | Pod-level annotations merged onto the generated pod template metadata. See https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/. |
+| podLabels | object | `{}` | Pod-level labels applied to the pod template metadata. See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/. |
+| podSecurityContext | object | `{}` | Pod-level security context applied to all containers in the pod. |
+| rbac | object | `{"create":true}` | RBAC resources granting ConfigMap access for Kubernetes output workflows. |
+| rbac.create | bool | `true` | Whether to create Role and RoleBinding objects targeting the service account. |
+| resources | object | `{}` | Resource requests and limits for the bootstrapper container. |
+| securityContext | object | `{}` | Container security context applied to the bootstrapper container. |
+| serviceAccount | object | `{"annotations":{},"automount":true,"create":true,"name":""}` | Service account configuration for the bootstrapper pod. See https://kubernetes.io/docs/concepts/security/service-accounts/ for details. |
+| serviceAccount.annotations | object | `{}` | Additional metadata annotations applied to the service account object. |
+| serviceAccount.automount | bool | `true` | Automatically mount the service account token into the pod. |
+| serviceAccount.create | bool | `true` | Whether to create a service account automatically. |
+| serviceAccount.name | string | `""` | Existing service account name to use instead of one generated by the chart. If unset and `serviceAccount.create` is true, a name is derived from the chart fullname. |
+| settings | object | `{"allocations":null,"chainId":null,"consensus":null,"contractSizeLimit":null,"evmStackSize":null,"gasLimit":null,"gasPrice":null,"outputType":"kubernetes","rpcNodes":null,"secondsPerBlock":null,"validators":null}` | Network bootstrapper CLI settings translated into command-line flags. |
+| settings.allocations | string | `nil` | Filesystem path, accessible to the job, pointing to a JSON file with initial account allocations. Omit to skip pre-funded accounts. |
+| settings.chainId | int | `nil` | Explicit chain ID applied to the genesis configuration. Defaults to a random value in the 40000-50000 range when omitted. |
+| settings.consensus | string | `nil` | Consensus engine to configure for the network (IBFTv2 or QBFT). Default: "QBFT". |
+| settings.contractSizeLimit | int | `nil` | Contract size limit in bytes enforced by the EVM. Default: 2147483647. |
+| settings.evmStackSize | int | `nil` | Maximum EVM stack size allowed for contract execution. Default: 2048. |
+| settings.gasLimit | int | `nil` | Genesis block gas limit value expressed in decimal. Default: 9007199254740991. |
+| settings.gasPrice | int | `nil` | Base gas price in wei applied to the chain. Default: 0. |
+| settings.outputType | string | `"kubernetes"` | Destination for generated artefacts: `screen` (stdout), `file` (write to volume), or `kubernetes` (persist as Kubernetes secrets/configmaps). Default: "screen". |
+| settings.rpcNodes | int | `nil` | Number of RPC node definitions included in the output topology. Default: 2. |
+| settings.secondsPerBlock | int | `nil` | Target block time in seconds encoded into genesis. Default: 2. |
+| settings.validators | int | `nil` | Number of validator node definitions the bootstrapper generates. Default: 4. |
+| tolerations | list | `[]` | Kubernetes tolerations assigned to the bootstrapper pod. |
+| volumeMounts | list | `[]` | Additional volume mounts added to the bootstrapper container. |
+| volumes | list | `[]` | Additional volumes injected into the deployment pod spec. |

charts/network-bootstrapper/templates/NOTES.txt

@@ -0,0 +1,18 @@
+Thanks for installing the network bootstrapper chart!
+
+{{- $jobName := include "network-bootstrapper.fullname" . -}}
+{{- $namespace := .Release.Namespace -}}
+To generate the network configuration, monitor the job status:
+
+  kubectl -n {{ $namespace }} wait --for=condition=complete job/{{ $jobName }}
+
+Once the job completes you can review the output:
+
+  kubectl -n {{ $namespace }} logs job/{{ $jobName }}
+
+If `settings.outputType` is set to `kubernetes`, inspect the generated ConfigMaps and Secrets:
+
+  kubectl -n {{ $namespace }} get configmaps
+  kubectl -n {{ $namespace }} get secrets
+
+Refer to the chart documentation for additional post-processing steps tailored to your deployment.