@canton-network/wallet-gateway-remote 0.21.0 → 0.22.0

package/README.md

@@ -48,9 +48,7 @@ The JSON-RPC API specs from `api-specs/` are generated into strongly-typed metho
 
 1. Complete steps 1–3 from the instructions at https://github.com/hyperledger-labs/splice-wallet-kernel/tree/main/core/signing-fireblocks
 
-2. Place the `fireblocks_secret.key` file at the path `/splice-wallet-kernel/wallet-gateway/remote`
-
-3. Create a file named `fireblocks_api.key` at the path `/splice-wallet-kernel/wallet-gateway/remote` and insert your Fireblocks API key into it (get it from `API User (ID)` column in fireblocks api users table). Make sure file doesn't end with new line character.
+2. set the environment variable `FIREBLOCKS_API_KEY` (get it from `API User (ID)` column in fireblocks api users table).
 
 ## Postgres connection
 

package/dist/config/Config.d.ts

@@ -15,6 +15,150 @@ export declare const serverConfigSchema: z.ZodObject<{
     requestRateLimit: z.ZodDefault<z.ZodNumber>;
     admin: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
+export declare const rawConfigSchema: z.ZodObject<{
+    kernel: z.ZodObject<{
+        id: z.ZodString;
+        publicUrl: z.ZodOptional<z.ZodString>;
+        clientType: z.ZodUnion<readonly [z.ZodLiteral<"browser">, z.ZodLiteral<"desktop">, z.ZodLiteral<"mobile">, z.ZodLiteral<"remote">]>;
+    }, z.core.$strip>;
+    server: z.ZodPipe<z.ZodTransform<{}, unknown>, z.ZodObject<{
+        port: z.ZodDefault<z.ZodNumber>;
+        dappPath: z.ZodDefault<z.ZodString>;
+        userPath: z.ZodDefault<z.ZodString>;
+        allowedOrigins: z.ZodDefault<z.ZodUnion<readonly [z.ZodLiteral<"*">, z.ZodArray<z.ZodString>]>>;
+        host: z.ZodOptional<z.ZodString>;
+        tls: z.ZodOptional<z.ZodBoolean>;
+        requestSizeLimit: z.ZodDefault<z.ZodString>;
+        requestRateLimit: z.ZodDefault<z.ZodNumber>;
+        admin: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+    store: z.ZodObject<{
+        connection: z.ZodDiscriminatedUnion<[z.ZodObject<{
+            type: z.ZodLiteral<"memory">;
+        }, z.core.$strip>, z.ZodObject<{
+            type: z.ZodLiteral<"sqlite">;
+            database: z.ZodString;
+        }, z.core.$strip>, z.ZodObject<{
+            type: z.ZodLiteral<"postgres">;
+            host: z.ZodString;
+            port: z.ZodNumber;
+            user: z.ZodString;
+            password: z.ZodString;
+            database: z.ZodString;
+        }, z.core.$strip>], "type">;
+    }, z.core.$strip>;
+    signingStore: z.ZodObject<{
+        connection: z.ZodDiscriminatedUnion<[z.ZodObject<{
+            type: z.ZodLiteral<"memory">;
+        }, z.core.$strip>, z.ZodObject<{
+            type: z.ZodLiteral<"sqlite">;
+            database: z.ZodString;
+        }, z.core.$strip>, z.ZodObject<{
+            type: z.ZodLiteral<"postgres">;
+            host: z.ZodString;
+            port: z.ZodNumber;
+            user: z.ZodString;
+            password: z.ZodString;
+            database: z.ZodString;
+        }, z.core.$strip>], "type">;
+    }, z.core.$strip>;
+    bootstrap: z.ZodObject<{
+        idps: z.ZodArray<z.ZodDiscriminatedUnion<[z.ZodObject<{
+            id: z.ZodString;
+            type: z.ZodLiteral<"self_signed">;
+            issuer: z.ZodString;
+        }, z.core.$strip>, z.ZodObject<{
+            id: z.ZodString;
+            type: z.ZodLiteral<"oauth">;
+            issuer: z.ZodString;
+            configUrl: z.ZodString;
+        }, z.core.$strip>], "type">>;
+        networks: z.ZodArray<z.ZodObject<{
+            id: z.ZodString;
+            name: z.ZodString;
+            description: z.ZodString;
+            synchronizerId: z.ZodOptional<z.ZodString>;
+            identityProviderId: z.ZodString;
+            ledgerApi: z.ZodObject<{
+                baseUrl: z.ZodString;
+            }, z.core.$strip>;
+            auth: z.ZodUnion<readonly [z.ZodDiscriminatedUnion<[z.ZodObject<{
+                method: z.ZodLiteral<"authorization_code">;
+                audience: z.ZodString;
+                scope: z.ZodString;
+                clientId: z.ZodString;
+            }, z.core.$strip>, z.ZodObject<{
+                method: z.ZodLiteral<"client_credentials">;
+                audience: z.ZodString;
+                scope: z.ZodString;
+                clientId: z.ZodString;
+                clientSecret: z.ZodString;
+            }, z.core.$strip>, z.ZodObject<{
+                method: z.ZodLiteral<"self_signed">;
+                issuer: z.ZodString;
+                audience: z.ZodString;
+                scope: z.ZodString;
+                clientId: z.ZodString;
+                clientSecret: z.ZodString;
+            }, z.core.$strip>], "method">, z.ZodDiscriminatedUnion<[z.ZodObject<{
+                method: z.ZodLiteral<"authorization_code">;
+                audience: z.ZodString;
+                scope: z.ZodString;
+                clientId: z.ZodString;
+            }, z.core.$strip>, z.ZodObject<{
+                method: z.ZodLiteral<"client_credentials">;
+                audience: z.ZodString;
+                scope: z.ZodString;
+                clientId: z.ZodString;
+                clientSecretEnv: z.ZodString;
+            }, z.core.$strip>, z.ZodObject<{
+                method: z.ZodLiteral<"self_signed">;
+                issuer: z.ZodString;
+                audience: z.ZodString;
+                scope: z.ZodString;
+                clientId: z.ZodString;
+                clientSecretEnv: z.ZodString;
+            }, z.core.$strip>], "method">]>;
+            adminAuth: z.ZodOptional<z.ZodUnion<readonly [z.ZodDiscriminatedUnion<[z.ZodObject<{
+                method: z.ZodLiteral<"authorization_code">;
+                audience: z.ZodString;
+                scope: z.ZodString;
+                clientId: z.ZodString;
+            }, z.core.$strip>, z.ZodObject<{
+                method: z.ZodLiteral<"client_credentials">;
+                audience: z.ZodString;
+                scope: z.ZodString;
+                clientId: z.ZodString;
+                clientSecret: z.ZodString;
+            }, z.core.$strip>, z.ZodObject<{
+                method: z.ZodLiteral<"self_signed">;
+                issuer: z.ZodString;
+                audience: z.ZodString;
+                scope: z.ZodString;
+                clientId: z.ZodString;
+                clientSecret: z.ZodString;
+            }, z.core.$strip>], "method">, z.ZodDiscriminatedUnion<[z.ZodObject<{
+                method: z.ZodLiteral<"authorization_code">;
+                audience: z.ZodString;
+                scope: z.ZodString;
+                clientId: z.ZodString;
+            }, z.core.$strip>, z.ZodObject<{
+                method: z.ZodLiteral<"client_credentials">;
+                audience: z.ZodString;
+                scope: z.ZodString;
+                clientId: z.ZodString;
+                clientSecretEnv: z.ZodString;
+            }, z.core.$strip>, z.ZodObject<{
+                method: z.ZodLiteral<"self_signed">;
+                issuer: z.ZodString;
+                audience: z.ZodString;
+                scope: z.ZodString;
+                clientId: z.ZodString;
+                clientSecretEnv: z.ZodString;
+            }, z.core.$strip>], "method">]>>;
+        }, z.core.$strip>>;
+    }, z.core.$strip>;
+}, z.core.$strip>;
 export declare const configSchema: z.ZodObject<{
     kernel: z.ZodObject<{
         id: z.ZodString;
@@ -125,5 +269,6 @@ export declare const configSchema: z.ZodObject<{
 }, z.core.$strip>;
 export type KernelInfo = z.infer<typeof kernelInfoSchema>;
 export type ServerConfig = z.infer<typeof serverConfigSchema>;
+export type RawConfig = z.infer<typeof rawConfigSchema>;
 export type Config = z.infer<typeof configSchema>;
 //# sourceMappingURL=Config.d.ts.map

package/dist/config/Config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"Config.d.ts","sourceRoot":"","sources":["../../src/config/Config.ts"],"names":[],"mappings":"AAQA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,eAAO,MAAM,gBAAgB;;;;iBAY3B,CAAA;AAEF,eAAO,MAAM,kBAAkB;;;;;;;;;;iBA0C7B,CAAA;AAEF,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAMvB,CAAA;AAEF,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAA;AACzD,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAA;AAC7D,MAAM,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAA"}
+{"version":3,"file":"Config.d.ts","sourceRoot":"","sources":["../../src/config/Config.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AASvB,eAAO,MAAM,gBAAgB;;;;iBAY3B,CAAA;AAEF,eAAO,MAAM,kBAAkB;;;;;;;;;;iBA0C7B,CAAA;AAcF,eAAO,MAAM,eAAe;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAM1B,CAAA;AAEF,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAMvB,CAAA;AAEF,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAA;AACzD,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAA;AAC7D,MAAM,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAA;AACvD,MAAM,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAA"}

package/dist/config/Config.js

@@ -1,8 +1,9 @@
 // Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
-import { storeConfigSchema, bootstrapConfigSchema, } from '@canton-network/core-wallet-store';
-import { storeConfigSchema as signingStoreConfigSchema } from '@canton-network/core-signing-store-sql';
 import { z } from 'zod';
+import { storeConfigSchema, bootstrapConfigSchema, networkSchema, } from '@canton-network/core-wallet-store';
+import { storeConfigSchema as signingStoreConfigSchema } from '@canton-network/core-signing-store-sql';
+import { authFromEnvSchema, authSchema } from '@canton-network/core-wallet-auth';
 export const kernelInfoSchema = z.object({
     id: z.string(),
     publicUrl: z.string().optional().meta({
@@ -51,6 +52,21 @@ export const serverConfigSchema = z.object({
         description: 'The JWT claim (e.g. "sub") identifying the admin user. If set, requests with a matching claim will be granted admin privileges.',
     }),
 });
+const authFromEnvOrConfig = z.union([authSchema, authFromEnvSchema]);
+const bootstrapFromEnv = bootstrapConfigSchema.extend({
+    networks: z.array(networkSchema.extend({
+        auth: authFromEnvOrConfig,
+        adminAuth: authFromEnvOrConfig.optional(),
+    })),
+});
+// Includes secrets for networks as env vars, rather than defined explicitly
+export const rawConfigSchema = z.object({
+    kernel: kernelInfoSchema,
+    server: z.preprocess((val) => val ?? {}, serverConfigSchema),
+    store: storeConfigSchema,
+    signingStore: signingStoreConfigSchema,
+    bootstrap: bootstrapFromEnv,
+});
 export const configSchema = z.object({
     kernel: kernelInfoSchema,
     server: z.preprocess((val) => val ?? {}, serverConfigSchema),

package/dist/config/Config.test.js

@@ -13,4 +13,7 @@ test('config from json file', async () => {
     if (resp.bootstrap.networks[2].auth.method === 'client_credentials') {
         expect(resp.bootstrap.networks[2].auth.audience).toBe('https://daml.com/jwt/aud/participant/participant1::1220d44fc1c3ba0b5bdf7b956ee71bc94ebe2d23258dc268fdf0824fbaeff2c61424');
     }
+    if (resp.bootstrap.networks[4].adminAuth?.method === 'client_credentials') {
+        expect(resp.bootstrap.networks[4].adminAuth.clientSecret).toBe('devnet_secret_testval');
+    }
 });

package/dist/config/ConfigUtils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ConfigUtils.d.ts","sourceRoot":"","sources":["../../src/config/ConfigUtils.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,MAAM,EAAgB,MAAM,aAAa,CAAA;AAElD,qBAAa,WAAW;IACpB,MAAM,CAAC,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM;CAoDlD;AAgDD,UAAU,IAAI;IACV,UAAU,EAAE,MAAM,CAAA;IAClB,SAAS,EAAE,MAAM,CAAA;IACjB,UAAU,EAAE,MAAM,CAAA;IAClB,UAAU,EAAE,MAAM,CAAA;CACrB;AAOD,eAAO,MAAM,UAAU,GAAI,QAAQ,MAAM,EAAE,OAAO,MAAM,KAAG,IAa1D,CAAA"}
+{"version":3,"file":"ConfigUtils.d.ts","sourceRoot":"","sources":["../../src/config/ConfigUtils.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,MAAM,EAA8B,MAAM,aAAa,CAAA;AAGhE,qBAAa,WAAW;IACpB,MAAM,CAAC,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM;CAsDlD;AA+FD,UAAU,IAAI;IACV,UAAU,EAAE,MAAM,CAAA;IAClB,SAAS,EAAE,MAAM,CAAA;IACjB,UAAU,EAAE,MAAM,CAAA;IAClB,UAAU,EAAE,MAAM,CAAA;CACrB;AAOD,eAAO,MAAM,UAAU,GAAI,QAAQ,MAAM,EAAE,OAAO,MAAM,KAAG,IAa1D,CAAA"}

package/dist/config/ConfigUtils.js

@@ -1,11 +1,13 @@
 // Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 import { readFileSync, existsSync } from 'fs';
-import { configSchema } from './Config.js';
+import { rawConfigSchema } from './Config.js';
+import { Env } from '../env.js';
 export class ConfigUtils {
     static loadConfigFile(filePath) {
         if (existsSync(filePath)) {
-            const config = configSchema.parse(JSON.parse(readFileSync(filePath, 'utf-8')));
+            const rawConfig = rawConfigSchema.parse(JSON.parse(readFileSync(filePath, 'utf-8')));
+            const config = resolveRawConfig(rawConfig);
             /**
              * Perform extra config validation beyond schema validation.
              * We want to enforce the following constraints:
@@ -38,6 +40,43 @@ export class ConfigUtils {
         }
     }
 }
+// The Wallet Gateway can accept adminAuth secrets from environment variables.
+// However, the store expects strings. This function resolves the config from env vars
+function resolveRawNetworkAuth(n) {
+    if (n.method === 'authorization_code') {
+        return n;
+    }
+    if ('clientSecret' in n) {
+        return n;
+    }
+    else {
+        const { clientSecretEnv, ...rest } = n;
+        const clientSecret = Env.get(clientSecretEnv, { required: true });
+        return {
+            ...rest,
+            clientSecret,
+        };
+    }
+}
+function resolveRawConfig(rawConfig) {
+    const rawNetworks = rawConfig.bootstrap.networks;
+    const networks = rawNetworks.map((n) => {
+        return {
+            ...n,
+            auth: resolveRawNetworkAuth(n.auth),
+            adminAuth: n.adminAuth
+                ? resolveRawNetworkAuth(n.adminAuth)
+                : undefined,
+        };
+    });
+    return {
+        ...rawConfig,
+        bootstrap: {
+            ...rawConfig.bootstrap,
+            networks,
+        },
+    };
+}
 function hasDuplicateElement(list) {
     let duplicate;
     list.forEach((item, i) => {

package/dist/dapp-api/controller.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../src/dapp-api/controller.ts"],"names":[],"mappings":"AAGA,OAAO,EAEH,WAAW,EAEd,MAAM,kCAAkC,CAAA;AAWzC,OAAO,EAAE,KAAK,EAAe,MAAM,mCAAmC,CAAA;AAQtE,OAAO,EAAE,mBAAmB,EAAE,MAAM,wCAAwC,CAAA;AAC5E,OAAO,EAAE,UAAU,IAAI,gBAAgB,EAAE,MAAM,qBAAqB,CAAA;AACpE,OAAO,EAAE,MAAM,EAAE,MAAM,MAAM,CAAA;AAI7B,eAAO,MAAM,cAAc,GACvB,YAAY,gBAAgB,EAC5B,SAAS,MAAM,EACf,SAAS,MAAM,EACf,OAAO,KAAK,EACZ,qBAAqB,mBAAmB,EACxC,SAAS,MAAM,EACf,QAAQ,MAAM,GAAG,IAAI,EACrB,UAAU,WAAW;;;;;;;;;;;;;;CAuRxB,CAAA"}
+{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../src/dapp-api/controller.ts"],"names":[],"mappings":"AAGA,OAAO,EAEH,WAAW,EAEd,MAAM,kCAAkC,CAAA;AAWzC,OAAO,EAAE,KAAK,EAAe,MAAM,mCAAmC,CAAA;AAQtE,OAAO,EAAE,mBAAmB,EAAE,MAAM,wCAAwC,CAAA;AAC5E,OAAO,EAAE,UAAU,IAAI,gBAAgB,EAAE,MAAM,qBAAqB,CAAA;AACpE,OAAO,EAAE,MAAM,EAAE,MAAM,MAAM,CAAA;AAI7B,eAAO,MAAM,cAAc,GACvB,YAAY,gBAAgB,EAC5B,SAAS,MAAM,EACf,SAAS,MAAM,EACf,OAAO,KAAK,EACZ,qBAAqB,mBAAmB,EACxC,SAAS,MAAM,EACf,QAAQ,MAAM,GAAG,IAAI,EACrB,UAAU,WAAW;;;;;;;;;;;;;;CAkRxB,CAAA"}

package/dist/dapp-api/controller.js

@@ -126,10 +126,6 @@ export const dappController = (kernelInfo, dappUrl, userUrl, store, notification
             const synchronizerId = network.synchronizerId ??
                 (await ledgerClient.getSynchronizerId());
             const response = await prepareSubmission(context.userId, wallet.partyId, synchronizerId, params, ledgerClient);
-            //TODO: remove and handle normally when v3_3 is not supported anymore
-            const costEstimation = 'costEstimation' in response
-                ? response.costEstimation
-                : undefined;
             const transaction = {
                 commandId,
                 status: 'pending',
@@ -145,7 +141,8 @@ export const dappController = (kernelInfo, dappUrl, userUrl, store, notification
                 userId: context.userId,
                 commandId,
                 commands: params.commands?.[0],
-                confirmationRequestTrafficCostEstimation: costEstimation?.confirmationRequestTrafficCostEstimation,
+                confirmationRequestTrafficCostEstimation: response.costEstimation
+                    ?.confirmationRequestTrafficCostEstimation,
             }, 'prepared transaction traffic estimation');
             store.setTransaction(transaction);
             return {

package/dist/env.d.ts

@@ -0,0 +1,19 @@
+export declare class Env {
+    static FIREBLOCKS_API_KEY: () => string | undefined;
+    static FIREBLOCKS_SECRET: () => string | undefined;
+    static BLOCKDAEMON_API_URL: (fallback: string) => string;
+    static BLOCKDAEMON_API_KEY: (fallback: string) => string;
+    static get(key: string, options: {
+        required?: boolean;
+        fallback: string;
+    }): string;
+    static get(key: string, options: {
+        required: true;
+        fallback?: string;
+    }): string;
+    static get(key: string, options?: {
+        required?: boolean;
+        fallback?: string;
+    } | undefined): string | undefined;
+}
+//# sourceMappingURL=env.d.ts.map

package/dist/env.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../src/env.ts"],"names":[],"mappings":"AAGA,qBAAa,GAAG;IACZ,MAAM,CAAC,kBAAkB,2BAAsC;IAC/D,MAAM,CAAC,iBAAiB,2BAAqC;IAC7D,MAAM,CAAC,mBAAmB,GAAI,UAAU,MAAM,YACE;IAChD,MAAM,CAAC,mBAAmB,GAAI,UAAU,MAAM,YACE;IAEhD,MAAM,CAAC,GAAG,CACN,GAAG,EAAE,MAAM,EACX,OAAO,EAAE;QAAE,QAAQ,CAAC,EAAE,OAAO,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,GAClD,MAAM;IACT,MAAM,CAAC,GAAG,CACN,GAAG,EAAE,MAAM,EACX,OAAO,EAAE;QAAE,QAAQ,EAAE,IAAI,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,GAC/C,MAAM;IACT,MAAM,CAAC,GAAG,CACN,GAAG,EAAE,MAAM,EACX,OAAO,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,OAAO,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,SAAS,GAChE,MAAM,GAAG,SAAS;CAcxB"}

package/dist/env.js

@@ -0,0 +1,16 @@
+// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+export class Env {
+    static { this.FIREBLOCKS_API_KEY = () => Env.get('FIREBLOCKS_API_KEY'); }
+    static { this.FIREBLOCKS_SECRET = () => Env.get('FIREBLOCKS_SECRET'); }
+    static { this.BLOCKDAEMON_API_URL = (fallback) => Env.get('BLOCKDAEMON_API_URL', { fallback }); }
+    static { this.BLOCKDAEMON_API_KEY = (fallback) => Env.get('BLOCKDAEMON_API_KEY', { fallback }); }
+    static get(key, options) {
+        const { fallback, required } = options || {};
+        const value = process.env[key]?.trim() || fallback?.trim();
+        if (required && !value) {
+            throw new Error(`Required environment variable (${key}) missing.`);
+        }
+        return value;
+    }
+}

package/dist/example-config.d.ts

@@ -56,6 +56,7 @@ declare const _default: {
                 audience: string;
                 clientId: string;
                 clientSecret: string;
+                clientSecretEnv?: never;
             };
             ledgerApi: {
                 baseUrl: string;
@@ -78,8 +79,9 @@ declare const _default: {
                 scope: string;
                 audience: string;
                 clientId: string;
-                clientSecret: string;
+                clientSecretEnv: string;
                 issuer?: never;
+                clientSecret?: never;
             };
             ledgerApi: {
                 baseUrl: string;

package/dist/example-config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"example-config.d.ts","sourceRoot":"","sources":["../src/example-config.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAKA,wBA6FkB"}
+{"version":3,"file":"example-config.d.ts","sourceRoot":"","sources":["../src/example-config.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAKA,wBA6FqB"}

package/dist/example-config.js

@@ -82,7 +82,7 @@ export default {
                     scope: 'daml_ledger_api',
                     audience: '<REPLACE_PARTICIPANT_AUDIENCE>',
                     clientId: '<REPLACE_ADMIN_CLIENT_ID>',
-                    clientSecret: '<REPLACE_ADMIN_CLIENT_SECRET>',
+                    clientSecretEnv: 'MY_CLIENT_SECRET_ENV_VAR',
                 },
                 ledgerApi: {
                     baseUrl: 'http://127.0.0.1:2975',

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AA4DA,QAAA,MAAM,OAAO;;;;;;CAAiB,CAAA;AAE9B,MAAM,MAAM,UAAU,GAAG,OAAO,OAAO,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAiEA,QAAA,MAAM,OAAO;;;;;;CAAiB,CAAA;AAE9B,MAAM,MAAM,UAAU,GAAG,OAAO,OAAO,CAAA"}

package/dist/index.js

@@ -1,6 +1,8 @@
 #!/usr/bin/env node
 // Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
+import dotenv from 'dotenv';
+dotenv.config({ quiet: true, path: ['.env', '.env.local'] });
 import { Option, Command } from '@commander-js/extra-typings';
 import { initialize } from './init.js';
 import { createCLI } from '@canton-network/core-wallet-store-sql';
@@ -8,7 +10,7 @@ import { createCLI as createSigningCLI } from '@canton-network/core-signing-stor
 import { ConfigUtils } from './config/ConfigUtils.js';
 import pino from 'pino';
 import z from 'zod';
-import { configSchema } from './config/Config.js';
+import { rawConfigSchema } from './config/Config.js';
 import exampleConfig from './example-config.js';
 import { GATEWAY_VERSION } from './version.js';
 const program = new Command()
@@ -24,7 +26,7 @@ const program = new Command()
     .default('pretty'))
     .action((opts) => {
     if (opts.configSchema) {
-        console.log(JSON.stringify(z.toJSONSchema(configSchema), null, 2));
+        console.log(JSON.stringify(z.toJSONSchema(rawConfigSchema), null, 2));
         process.exit(0);
     }
     if (opts.configExample) {

package/dist/init.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../src/init.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,MAAM,EAAE,MAAM,MAAM,CAAA;AAqB7B,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAA;AAyIvC,wBAAsB,UAAU,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,iBA0IhE"}
+{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../src/init.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,MAAM,EAAE,MAAM,MAAM,CAAA;AAqB7B,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAA;AAyIvC,wBAAsB,UAAU,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,iBAiIhE"}

package/dist/init.js

@@ -16,12 +16,12 @@ import express from 'express';
 import { jwtAuth } from './middleware/jwtAuth.js';
 import { rateLimiter } from './middleware/rateLimit.js';
 import { deriveUrls } from './config/ConfigUtils.js';
-import { existsSync, readFileSync } from 'fs';
-import path from 'path';
+import { existsSync } from 'fs';
 import { GATEWAY_VERSION } from './version.js';
 import { sessionHandler } from './middleware/sessionHandler.js';
 import { NotificationService } from './notification/NotificationService.js';
 import { sql } from 'kysely';
+import { Env } from './env.js';
 let isReady = false;
 async function initializeDatabase(config, logger) {
     logger.info('Checking for database migrations...');
@@ -137,25 +137,15 @@ export async function initialize(opts, logger) {
     const store = await initializeDatabase(config, logger);
     const signingStore = await initializeSigningDatabase(config, logger);
     const authService = jwtAuthService(store, logger);
-    // Provide apiKey from User API in Fireblocks
-    const apiPath = path.resolve(process.cwd(), 'fireblocks_api.key');
-    const secretPath = path.resolve(process.cwd(), 'fireblocks_secret.key');
-    let apiKey;
-    let apiSecret;
-    if (existsSync(apiPath) && existsSync(secretPath)) {
-        apiKey = readFileSync(apiPath, 'utf8');
-        apiSecret = readFileSync(secretPath, 'utf8');
-    }
-    else {
+    let apiKey = Env.FIREBLOCKS_API_KEY();
+    let apiSecret = Env.FIREBLOCKS_SECRET();
+    if (!apiKey || !apiSecret) {
         apiKey = 'missing';
         apiSecret = 'missing';
-        logger.warn('Fireblocks keys files are missing');
+        logger.warn('Fireblocks key files are missing');
     }
     const keyInfo = { apiKey, apiSecret };
     const userApiKeys = new Map([['user', keyInfo]]);
-    const blockdaemonApiUrl = process.env.BLOCKDAEMON_API_URL ||
-        'http://localhost:5080/api/cwp/canton';
-    const blockdaemonApiKey = process.env.BLOCKDAEMON_API_KEY || '';
     const drivers = {
         [SigningProvider.PARTICIPANT]: new ParticipantSigningDriver(),
         [SigningProvider.WALLET_KERNEL]: new InternalSigningDriver(signingStore),
@@ -164,8 +154,8 @@ export async function initialize(opts, logger) {
             userApiKeys,
         }),
         [SigningProvider.BLOCKDAEMON]: new BlockdaemonSigningProvider({
-            baseUrl: blockdaemonApiUrl,
-            apiKey: blockdaemonApiKey,
+            baseUrl: Env.BLOCKDAEMON_API_URL('http://localhost:5080/api/cwp/canton'),
+            apiKey: Env.BLOCKDAEMON_API_KEY(''),
         }),
     };
     const allowedPaths = {

package/dist/ledger/party-allocation-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"party-allocation-service.d.ts","sourceRoot":"","sources":["../../src/ledger/party-allocation-service.ts"],"names":[],"mappings":"AAGA,OAAO,EACH,2BAA2B,EAE9B,MAAM,oCAAoC,CAAA;AAE3C,OAAO,EAAE,mBAAmB,EAAE,MAAM,kCAAkC,CAAA;AACtE,OAAO,EAAE,MAAM,EAAE,MAAM,MAAM,CAAA;AAE7B,MAAM,MAAM,cAAc,GAAG;IACzB,OAAO,EAAE,MAAM,CAAA;IACf,IAAI,EAAE,MAAM,CAAA;IACZ,SAAS,EAAE,MAAM,CAAA;CACpB,CAAA;AAED,KAAK,WAAW,GAAG,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAA;AAEpD;;GAEG;AACH,qBAAa,sBAAsB;IAC/B,OAAO,CAAC,MAAM,CAAQ;IACtB,OAAO,CAAC,YAAY,CAAc;IAClC,OAAO,CAAC,cAAc,CAAoB;gBAE9B,EACR,cAAc,EACd,mBAAmB,EACnB,aAAa,EACb,MAAM,GACT,EAAE;QACC,cAAc,CAAC,EAAE,MAAM,CAAA;QACvB,mBAAmB,EAAE,mBAAmB,CAAA;QACxC,aAAa,EAAE,MAAM,CAAA;QACrB,MAAM,EAAE,MAAM,CAAA;KACjB;IAUD;;;;OAIG;IACG,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAE1E;;;;;;OAMG;IACG,aAAa,CACf,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,EACjB,eAAe,EAAE,WAAW,GAC7B,OAAO,CAAC,cAAc,CAAC;IAoB1B;;;OAGG;IACH,wBAAwB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM;IAenD;;;;;OAKG;IACH,0BAA0B,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAsB5D;;;;OAIG;IACG,4BAA4B,CAC9B,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,GAClB,OAAO,CAAC,2BAA2B,CAAC;IAevC;;;;;;OAMG;IACG,+BAA+B,CACjC,SAAS,EAAE,MAAM,EACjB,YAAY,EAAE,MAAM,EAAE,EACtB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,GACf,OAAO,CAAC,MAAM,CAAC;YAgCJ,qBAAqB;YAgCrB,qBAAqB;CAsCtC"}
+{"version":3,"file":"party-allocation-service.d.ts","sourceRoot":"","sources":["../../src/ledger/party-allocation-service.ts"],"names":[],"mappings":"AAGA,OAAO,EACH,2BAA2B,EAE9B,MAAM,oCAAoC,CAAA;AAE3C,OAAO,EAAE,mBAAmB,EAAE,MAAM,kCAAkC,CAAA;AACtE,OAAO,EAAE,MAAM,EAAE,MAAM,MAAM,CAAA;AAE7B,MAAM,MAAM,cAAc,GAAG;IACzB,OAAO,EAAE,MAAM,CAAA;IACf,IAAI,EAAE,MAAM,CAAA;IACZ,SAAS,EAAE,MAAM,CAAA;CACpB,CAAA;AAED,KAAK,WAAW,GAAG,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAA;AAEpD;;GAEG;AACH,qBAAa,sBAAsB;IAC/B,OAAO,CAAC,MAAM,CAAQ;IACtB,OAAO,CAAC,YAAY,CAAc;IAClC,OAAO,CAAC,cAAc,CAAoB;gBAE9B,EACR,cAAc,EACd,mBAAmB,EACnB,aAAa,EACb,MAAM,GACT,EAAE;QACC,cAAc,CAAC,EAAE,MAAM,CAAA;QACvB,mBAAmB,EAAE,mBAAmB,CAAA;QACxC,aAAa,EAAE,MAAM,CAAA;QACrB,MAAM,EAAE,MAAM,CAAA;KACjB;IAUD;;;;OAIG;IACG,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAE1E;;;;;;OAMG;IACG,aAAa,CACf,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,EACjB,eAAe,EAAE,WAAW,GAC7B,OAAO,CAAC,cAAc,CAAC;IAoB1B;;;OAGG;IACH,wBAAwB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM;IAenD;;;;;OAKG;IACH,0BAA0B,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAsB5D;;;;OAIG;IACG,4BAA4B,CAC9B,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,GAClB,OAAO,CAAC,2BAA2B,CAAC;IAevC;;;;;;OAMG;IACG,+BAA+B,CACjC,SAAS,EAAE,MAAM,EACjB,YAAY,EAAE,MAAM,EAAE,EACtB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,GACf,OAAO,CAAC,MAAM,CAAC;YAgCJ,qBAAqB;YAoCrB,qBAAqB;CAsCtC"}

package/dist/ledger/party-allocation-service.js

@@ -95,6 +95,9 @@ export class PartyAllocationService {
         const res = await this.ledgerClient.postWithRetry('/v2/parties', {
             partyIdHint: hint,
             identityProviderId: '',
+            synchronizerId: this.synchronizerId ??
+                (await this.ledgerClient.getSynchronizerId()),
+            userId,
         });
         if (!res.partyDetails?.party) {
             throw new Error('Failed to allocate party');

package/dist/ledger/transaction-service.d.ts

@@ -0,0 +1,22 @@
+import { Logger } from 'pino';
+import { LedgerClient } from '@canton-network/core-ledger-client';
+import { Store, Transaction, Wallet, Network } from '@canton-network/core-wallet-store';
+import type { SignResult } from '../user-api/rpc-gen/typings.js';
+import { SigningDriverInterface, SigningProvider } from '@canton-network/core-signing-lib';
+import { ExecuteParams, ExecuteResult, SignParams, SignResultSigned } from '../user-api/rpc-gen/typings.js';
+import { UserId } from '../dapp-api/rpc-gen/typings.js';
+import { Notifier } from '../notification/NotificationService.js';
+export declare class TransactionService {
+    private store;
+    private logger;
+    private signingDrivers;
+    private notifier;
+    constructor(store: Store, logger: Logger, signingDrivers: Partial<Record<SigningProvider, SigningDriverInterface>> | undefined, notifier: Notifier);
+    signWithParticipant(wallet: Wallet): SignResultSigned;
+    signWithWalletKernel(userId: UserId, wallet: Wallet, signParams: SignParams): Promise<SignResultSigned>;
+    signWithBlockdaemon(userId: UserId, wallet: Wallet, signParams: SignParams): Promise<SignResult>;
+    signWithFireblocks(userId: UserId, wallet: Wallet, signParams: SignParams): Promise<SignResult>;
+    executeWithParticipant(userId: UserId, executeParams: ExecuteParams, transaction: Transaction, ledgerClient: LedgerClient, network: Network): Promise<ExecuteResult>;
+    executeWithExternal(userId: UserId, executeParams: ExecuteParams, transaction: Transaction, ledgerClient: LedgerClient): Promise<ExecuteResult>;
+}
+//# sourceMappingURL=transaction-service.d.ts.map

package/dist/ledger/transaction-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"transaction-service.d.ts","sourceRoot":"","sources":["../../src/ledger/transaction-service.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,MAAM,EAAE,MAAM,MAAM,CAAA;AAC7B,OAAO,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAA;AACjE,OAAO,EACH,KAAK,EACL,WAAW,EACX,MAAM,EACN,OAAO,EACV,MAAM,mCAAmC,CAAA;AAC1C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gCAAgC,CAAA;AAChE,OAAO,EAGH,sBAAsB,EACtB,eAAe,EAElB,MAAM,kCAAkC,CAAA;AACzC,OAAO,EACH,aAAa,EACb,aAAa,EACb,UAAU,EACV,gBAAgB,EACnB,MAAM,gCAAgC,CAAA;AACvC,OAAO,EAAE,MAAM,EAAE,MAAM,gCAAgC,CAAA;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,wCAAwC,CAAA;AAYjE,qBAAa,kBAAkB;IAEvB,OAAO,CAAC,KAAK;IACb,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,cAAc;IAGtB,OAAO,CAAC,QAAQ;gBALR,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,MAAM,EACd,cAAc,EAAE,OAAO,CAC3B,MAAM,CAAC,eAAe,EAAE,sBAAsB,CAAC,CAClD,YAAK,EACE,QAAQ,EAAE,QAAQ;IAGvB,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,gBAAgB;IAS/C,oBAAoB,CAC7B,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,GACvB,OAAO,CAAC,gBAAgB,CAAC;IAoDf,mBAAmB,CAC5B,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,GACvB,OAAO,CAAC,UAAU,CAAC;IAgGT,kBAAkB,CAC3B,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,GACvB,OAAO,CAAC,UAAU,CAAC;IAoGT,sBAAsB,CAC/B,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,aAAa,EAC5B,WAAW,EAAE,WAAW,EACxB,YAAY,EAAE,YAAY,EAC1B,OAAO,EAAE,OAAO,GACjB,OAAO,CAAC,aAAa,CAAC;IAqCZ,mBAAmB,CAC5B,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,aAAa,EAC5B,WAAW,EAAE,WAAW,EACxB,YAAY,EAAE,YAAY,GAC3B,OAAO,CAAC,aAAa,CAAC;CAmD5B"}