Threat models, hardening, and production checklist for Stealth Agent Tools.
The agent runs a StealthCoind node with an encrypted wallet and authenticates via JSON-RPC credentials. This is the standard operating mode.
Components:
- StealthCoind with encrypted wallet
- RPC authentication (username + password)
- Role-based method filtering via agent profiles
Threat model:
- Wallet passphrase required to unlock for signing
- RPC credentials required for any interaction
- Agent profiles restrict available methods
The MCP server provides read-only access. No wallet operations, no sending, no state modification.
Components:
- stealth-mcp-server connected via JSON-RPC
- Only query tools exposed
- RPC credentials needed but only read methods called
| Credential | Storage | Permissions | Purpose |
|---|---|---|---|
| RPC password | ~/.stealth-agent/rpc-password.txt |
0600 | JSON-RPC authentication |
| Wallet passphrase | ~/.stealth-agent/wallet-password.txt |
0600 | Wallet decryption |
| Config file | ~/.StealthCoin/StealthCoin.conf |
0600 | RPC + node settings |
StealthCoind encrypts wallet.dat with AES-256-CBC using a key derived from
the passphrase. The wallet must be explicitly unlocked before:
- Sending transactions
- Managing stakers
- Signing messages
- Dumping private keys
Unlock with a time limit:
stealthcli.sh walletpassphrase "passphrase" 300 # 5 minutesThe wallet auto-locks after the timeout. This limits the exposure window.
StealthCoind uses HTTP Basic Authentication for all RPC calls. The credentials
are set in StealthCoin.conf and auto-generated by the install scripts.
By default, RPC binds to 127.0.0.1 only. The rpcallowip directive
controls which IPs can connect. In container mode, the Docker network
range (172.0.0.0/8) is also allowed for inter-container communication.
The JSON-RPC port (46502) should never be accessible from the public internet. Use SSH tunnels, VPNs, or Docker networking for remote access.
The create-agent-profile.sh script generates restricted CLI wrappers that
filter RPC methods by role:
- read-only: Only
get*,list*,validate*,helpmethods - pay-only: Read-only +
send*,getnewaddress,walletpassphrase - staker-admin: Read-only + staker management methods
- full-access: All methods (testing only)
Agents should always use the most restrictive profile possible.
- Wallet encrypted with a strong passphrase
- RPC password is randomly generated (not default)
-
rpcallowiprestricted to127.0.0.1(or specific trusted IPs) - RPC port (46502) not exposed to public internet
- Agent uses appropriate role profile (not full-access)
-
wallet-password.txthas file permissions 0600 -
rpc-password.txthas file permissions 0600 -
StealthCoin.confhas file permissions 0600 - Regular
wallet.datbackups to secure off-site location - Docker container running as non-root user
- Container volumes use Docker-managed storage (not bind mounts for data)
- MCP server
.envfile not committed to version control
| Aspect | Stealth | Lightning (LND) |
|---|---|---|
| Key isolation | Wallet encryption | Remote signer |
| Auth tokens | RPC username/password | Macaroons |
| Permission scoping | Method filtering | Macaroon permissions |
| Credential format | Plain text (0600) | Binary macaroon files |
| Complexity | Low | High |
| Key storage | wallet.dat (encrypted) | Separate signer machine |
Stealth's simpler security model is appropriate because:
- No payment channels to manage (simpler attack surface)
- Feeless transactions reduce griefing vectors
- Wallet encryption provides sufficient key isolation for most use cases
- RPC authentication is battle-tested (same model as Bitcoin Core)