test: gate that LND wallet is unlocked after restart (catches fleet-wide lock)

A wrong/locked LND wallet password leaves the wallet LOCKED after every restart/OTA, breaking all Bitcoin-receive + Lightning ops fleet-wide — and the harness was blind to it: live-lnd-address-type treats 'wallet locked' as PASS, os-audit treated lnd-unreachable as WARN, and the archipelago lnd.getinfo RPC masks a locked wallet (returns all-zero success). - tests/release/run.sh: new 'live-lnd-unlocked' stage polls LND's unauth /v1/state and FAILs if still LOCKED after a 60s grace window. - tests/lifecycle/os-audit.sh: probe lnd.newaddress (the real receive path, which surfaces LND_WALLET_LOCKED) instead of lnd.getinfo; locked = hard FAIL, not-installed = WARN. Proven on .116 (genuinely locked): os-audit now reports '[FAIL] lnd wallet unlocked (lnd.newaddress) wallet LOCKED'. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 10:36:12 -04:00 · 2026-06-14 10:36:12 -04:00 · 8c8e4d7a29
commit 8c8e4d7a29
parent 9d3347463a
2 changed files with 42 additions and 2 deletions
--- a/tests/lifecycle/os-audit.sh
+++ b/tests/lifecycle/os-audit.sh
@ -133,10 +133,23 @@ section_a() {
  else
    record WARN "bitcoin RPC reachable" "bitcoin.getinfo/relay-status did not answer (not installed?)"
  fi
+  # LND wallet must be UNLOCKED. NB: lnd.getinfo masks a locked wallet (it
+  # returns an all-zero success, error:null), so it can't detect the lock. Probe
+  # the actual receive path (lnd.newaddress) instead: a LOCKED wallet returns the
+  # LND_WALLET_LOCKED reason code — the exact fleet-wide receive breakage. A
+  # locked wallet is a hard FAIL; "not installed" is a WARN. (newaddress derives
+  # a fresh address — harmless; LND tolerates address gaps.)
  if rpc_ok lnd.getinfo; then
-    record PASS "lnd RPC reachable" ""
+    local na; na=$(rpc lnd.newaddress)
+    if grep -qE "LND_WALLET_LOCKED|wallet is locked|WALLET_LOCKED" <<<"$na"; then
+      record FAIL "lnd wallet unlocked (lnd.newaddress)" "wallet LOCKED — auto-unlock failed (Bitcoin-receive broken)"
+    elif [[ "$(jq -r '(has("result") and (.result!=null))' <<<"$na" 2>/dev/null)" == "true" ]]; then
+      record PASS "lnd wallet unlocked (lnd.newaddress)" ""
+    else
+      record WARN "lnd wallet unlocked (lnd.newaddress)" "newaddress: $(jq -rc '.error.message // "no address"' <<<"$na" 2>/dev/null | head -c 60)"
+    fi
  else
-    record WARN "lnd RPC reachable" "lnd.getinfo did not answer (not installed / wallet locked?)"
+    record WARN "lnd RPC reachable" "lnd.getinfo did not answer (not installed?)"
  fi
  if rpc_ok system.stats || rpc_ok system.get-metrics; then
    record PASS "system metrics reachable" ""
--- a/tests/release/run.sh
+++ b/tests/release/run.sh
@ -128,6 +128,33 @@ if [[ $LIVE -eq 1 ]]; then
    done
    echo "SKIP: LND REST not reachable on 18080/8080 — cannot validate address type live"; exit 0
  '
+
+  # Wallet-unlock guard. After a restart/OTA, LND comes up LOCKED and the backend
+  # must auto-unlock it; if the unlock password is wrong (e.g. a fleet-wide
+  # constant vs a per-wallet password) the wallet stays LOCKED forever and ALL
+  # Bitcoin-receive / Lightning ops fail — fleet-wide, silently. Nothing else in
+  # this harness catches that: live-lnd-address-type explicitly treats "wallet
+  # locked" as a PASS, and os-audit treats lnd-unreachable as a WARN. This stage
+  # polls LND's unauthenticated /v1/state and FAILS if it is still LOCKED after a
+  # grace window. RPC_ACTIVE = unlocked (pass); NON_EXISTING/WAITING = no wallet
+  # yet (not a regression); unreachable = skip.
+  stage "live-lnd-unlocked" bash -c '
+    deadline=$(( $(date +%s) + 60 ))
+    while :; do
+      seen=""
+      for port in 18080 8080; do
+        st=$(curl -sk --max-time 6 "https://127.0.0.1:$port/v1/state" 2>/dev/null)
+        [ -z "$st" ] && continue
+        seen=1
+        echo "LND($port) state: $st"
+        echo "$st" | grep -q "RPC_ACTIVE" && { echo "OK: LND wallet is unlocked"; exit 0; }
+        echo "$st" | grep -qE "NON_EXISTING|WAITING_TO_START" && { echo "OK: LND wallet not initialized yet — not a lock regression"; exit 0; }
+      done
+      [ -z "$seen" ] && { echo "SKIP: LND /v1/state not reachable on 18080/8080"; exit 0; }
+      [ "$(date +%s)" -ge "$deadline" ] && { echo "FAIL: LND wallet still LOCKED after 60s — auto-unlock failed; Bitcoin-receive/Lightning are broken"; exit 1; }
+      sleep 5
+    done
+  '
 fi

 summary 0