@canton-network/wallet-gateway-remote 0.24.0 → 0.26.0

package/dist/ledger/transaction-service.js

@@ -15,6 +15,13 @@ export class TransactionService {
         this.signingDrivers = signingDrivers;
         this.notifier = notifier;
     }
+    async loadPreparedTransactionForSigning(commandId) {
+        const existingTx = await this.store.getTransaction(commandId);
+        if (!existingTx) {
+            throw new Error(`Transaction not found with commandId: ${commandId}`);
+        }
+        return existingTx;
+    }
     signWithParticipant(wallet) {
         return {
             status: 'signed',
@@ -29,11 +36,11 @@ export class TransactionService {
             throw new Error('Wallet Kernel signing driver not available');
         }
         const driver = signingProvider.controller(userId);
-        const { preparedTransaction, preparedTransactionHash, commandId } = signParams;
+        const tx = await this.loadPreparedTransactionForSigning(signParams.commandId);
         const { signature } = await driver
             .signTransaction({
-            tx: preparedTransaction,
-            txHash: preparedTransactionHash,
+            tx: tx.preparedTransaction,
+            txHash: tx.preparedTransactionHash,
             keyIdentifier: {
                 publicKey: wallet.publicKey,
             },
@@ -42,20 +49,19 @@ export class TransactionService {
         if (!signature) {
             throw new Error('Failed to sign transaction: ' + JSON.stringify(signature));
         }
-        const existingTx = await this.store.getTransaction(commandId);
         const now = new Date();
         const signedTx = {
-            commandId,
+            commandId: tx.commandId,
             status: 'signed',
-            preparedTransaction,
-            preparedTransactionHash,
-            origin: existingTx?.origin ?? null,
-            ...(existingTx?.createdAt && {
-                createdAt: existingTx.createdAt,
+            preparedTransaction: tx.preparedTransaction,
+            preparedTransactionHash: tx.preparedTransactionHash,
+            origin: tx?.origin ?? null,
+            ...(tx?.createdAt && {
+                createdAt: tx.createdAt,
             }),
             signedAt: now,
         };
-        this.store.setTransaction(signedTx);
+        await this.store.setTransactionSigned(tx.commandId, now);
         this.notifier.emit('txChanged', signedTx);
         return {
             status: 'signed',
@@ -70,14 +76,13 @@ export class TransactionService {
             throw new Error('Blockdaemon signing driver not available');
         }
         const driver = signingProvider.controller(userId);
-        const { preparedTransaction, preparedTransactionHash, commandId } = signParams;
+        const tx = await this.loadPreparedTransactionForSigning(signParams.commandId);
         let signingResult;
-        const existingTx = await this.store.getTransaction(commandId);
-        if (existingTx && existingTx.externalTxId) {
+        if (tx && tx.externalTxId) {
             signingResult = await driver
                 .getTransaction({
                 userId,
-                txId: existingTx.externalTxId,
+                txId: tx.externalTxId,
             })
                 .then(handleSigningError);
         }
@@ -88,8 +93,8 @@ export class TransactionService {
                 .substring(0, 16);
             signingResult = await driver
                 .signTransaction({
-                tx: preparedTransaction,
-                txHash: preparedTransactionHash,
+                tx: tx.preparedTransaction,
+                txHash: tx.preparedTransactionHash,
                 keyIdentifier: {
                     publicKey: wallet.publicKey,
                 },
@@ -103,18 +108,18 @@ export class TransactionService {
                 throw new Error('No signature returned from signing driver');
             }
             const signedTx = {
-                commandId,
+                commandId: tx.commandId,
                 status: signingResult.status,
-                preparedTransaction,
-                preparedTransactionHash,
-                origin: existingTx?.origin ?? null,
-                ...(existingTx?.createdAt && {
-                    createdAt: existingTx.createdAt,
+                preparedTransaction: tx.preparedTransaction,
+                preparedTransactionHash: tx.preparedTransactionHash,
+                origin: tx?.origin ?? null,
+                ...(tx?.createdAt && {
+                    createdAt: tx.createdAt,
                 }),
                 signedAt: now,
                 externalTxId: signingResult.txId,
             };
-            this.store.setTransaction(signedTx);
+            await this.store.setTransactionSigned(tx.commandId, now, signingResult.txId);
             this.notifier.emit('txChanged', signedTx);
             return {
                 status: signingResult.status,
@@ -127,17 +132,19 @@ export class TransactionService {
         else {
             const status = signingResult.status === 'pending' ? 'pending' : 'failed';
             const pendingTx = {
-                commandId,
+                commandId: tx.commandId,
                 status,
-                preparedTransaction,
-                preparedTransactionHash,
+                preparedTransaction: tx.preparedTransaction,
+                preparedTransactionHash: tx.preparedTransactionHash,
                 externalTxId: signingResult.txId,
-                origin: existingTx?.origin ?? null,
-                ...(existingTx?.createdAt && {
-                    createdAt: existingTx.createdAt,
+                origin: tx?.origin ?? null,
+                ...(tx?.createdAt && {
+                    createdAt: tx.createdAt,
                 }),
             };
-            this.store.setTransaction(pendingTx);
+            await this.store.setTransactionStatus(tx.commandId, status, {
+                externalTxId: signingResult.txId,
+            });
             this.notifier.emit('txChanged', pendingTx);
             return {
                 status: signingResult.status,
@@ -152,14 +159,13 @@ export class TransactionService {
             throw new Error('Fireblocks signing driver not available');
         }
         const driver = signingProvider.controller(userId);
-        const { preparedTransaction, preparedTransactionHash, commandId } = signParams;
+        const tx = await this.loadPreparedTransactionForSigning(signParams.commandId);
         let signingResult;
-        const existingTx = await this.store.getTransaction(commandId);
-        if (existingTx && existingTx.externalTxId) {
+        if (tx && tx.externalTxId) {
             signingResult = await driver
                 .getTransaction({
                 userId,
-                txId: existingTx.externalTxId,
+                txId: tx.externalTxId,
             })
                 .then(handleSigningError);
         }
@@ -167,8 +173,8 @@ export class TransactionService {
             signingResult = await driver
                 .signTransaction({
                 userId,
-                tx: preparedTransaction,
-                txHash: Buffer.from(preparedTransactionHash, 'base64').toString('hex'),
+                tx: tx.preparedTransaction,
+                txHash: Buffer.from(tx.preparedTransactionHash, 'base64').toString('hex'),
                 keyIdentifier: {
                     publicKey: wallet.publicKey,
                 },
@@ -181,18 +187,18 @@ export class TransactionService {
                 throw new Error('No signature returned from signing driver');
             }
             const signedTx = {
-                commandId,
+                commandId: tx.commandId,
                 status: signingResult.status,
-                preparedTransaction,
-                preparedTransactionHash,
-                origin: existingTx?.origin ?? null,
-                ...(existingTx?.createdAt && {
-                    createdAt: existingTx.createdAt,
+                preparedTransaction: tx.preparedTransaction,
+                preparedTransactionHash: tx.preparedTransactionHash,
+                origin: tx?.origin ?? null,
+                ...(tx?.createdAt && {
+                    createdAt: tx.createdAt,
                 }),
                 signedAt: now,
                 externalTxId: signingResult.txId,
             };
-            this.store.setTransaction(signedTx);
+            await this.store.setTransactionSigned(tx.commandId, now, signingResult.txId);
             this.notifier.emit('txChanged', signedTx);
             // return signature in format that is already usable in execute
             const decodedSignature = Buffer.from(signingResult.signature, 'hex').toString('base64');
@@ -207,17 +213,19 @@ export class TransactionService {
         else {
             const status = signingResult.status === 'pending' ? 'pending' : 'failed';
             const pendingTx = {
-                commandId,
+                commandId: tx.commandId,
                 status,
-                preparedTransaction,
-                preparedTransactionHash,
+                preparedTransaction: tx.preparedTransaction,
+                preparedTransactionHash: tx.preparedTransactionHash,
                 externalTxId: signingResult.txId,
-                origin: existingTx?.origin ?? null,
-                ...(existingTx?.createdAt && {
-                    createdAt: existingTx.createdAt,
+                origin: tx?.origin ?? null,
+                ...(tx?.createdAt && {
+                    createdAt: tx.createdAt,
                 }),
             };
-            this.store.setTransaction(pendingTx);
+            await this.store.setTransactionStatus(tx.commandId, status, {
+                externalTxId: signingResult.txId,
+            });
             this.notifier.emit('txChanged', pendingTx);
             return {
                 status: signingResult.status,
@@ -245,7 +253,9 @@ export class TransactionService {
                 signedAt: transaction.signedAt,
             }),
         };
-        this.store.setTransaction(executedTx);
+        await this.store.setTransactionStatus(commandId, 'executed', {
+            payload: res,
+        });
         this.notifier.emit('txChanged', executedTx);
         return res;
     }
@@ -289,7 +299,9 @@ export class TransactionService {
                 signedAt: transaction.signedAt,
             }),
         };
-        this.store.setTransaction(executedTx);
+        await this.store.setTransactionStatus(commandId, 'executed', {
+            payload: result,
+        });
         this.notifier.emit('txChanged', executedTx);
         return result;
     }

package/dist/ledger/wallet-allocation/signing-providers/blockdaemon-wallet-allocator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"blockdaemon-wallet-allocator.d.ts","sourceRoot":"","sources":["../../../../src/ledger/wallet-allocation/signing-providers/blockdaemon-wallet-allocator.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,MAAM,EAAE,MAAM,kCAAkC,CAAA;AACzD,OAAO,EAAE,KAAK,EAAgB,MAAM,EAAE,MAAM,mCAAmC,CAAA;AAC/E,OAAO,EAEH,sBAAsB,EAEzB,MAAM,kCAAkC,CAAA;AACzC,OAAO,EAAE,MAAM,EAAE,MAAM,MAAM,CAAA;AAC7B,OAAO,EAAE,sBAAsB,EAAE,MAAM,mCAAmC,CAAA;AAC1E,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,sCAAsC,CAAA;AACzE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAA;AAYtE,qBAAa,0BAA2B,YAAW,eAAe;IAE1D,OAAO,CAAC,KAAK;IACb,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,cAAc;IACtB,OAAO,CAAC,aAAa;gBAHb,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,MAAM,EACd,cAAc,EAAE,sBAAsB,EACtC,aAAa,EAAE,sBAAsB;IAG3C,YAAY,CACd,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,GAAG,SAAS,EACzB,SAAS,EAAE,SAAS,EACpB,OAAO,GAAE,OAAe,GACzB,OAAO,CAAC,MAAM,CAAC;IAwGZ,aAAa,CACf,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,GAAG,SAAS,EACzB,cAAc,EAAE,MAAM,GACvB,OAAO,CAAC,IAAI,CAAC;CA6DnB"}
+{"version":3,"file":"blockdaemon-wallet-allocator.d.ts","sourceRoot":"","sources":["../../../../src/ledger/wallet-allocation/signing-providers/blockdaemon-wallet-allocator.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,MAAM,EAAE,MAAM,kCAAkC,CAAA;AACzD,OAAO,EAAE,KAAK,EAAgB,MAAM,EAAE,MAAM,mCAAmC,CAAA;AAC/E,OAAO,EAEH,sBAAsB,EAEzB,MAAM,kCAAkC,CAAA;AACzC,OAAO,EAAE,MAAM,EAAE,MAAM,MAAM,CAAA;AAC7B,OAAO,EAAE,sBAAsB,EAAE,MAAM,mCAAmC,CAAA;AAC1E,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,sCAAsC,CAAA;AACzE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAA;AAYtE,qBAAa,0BAA2B,YAAW,eAAe;IAE1D,OAAO,CAAC,KAAK;IACb,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,cAAc;IACtB,OAAO,CAAC,aAAa;gBAHb,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,MAAM,EACd,cAAc,EAAE,sBAAsB,EACtC,aAAa,EAAE,sBAAsB;IAG3C,YAAY,CACd,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,GAAG,SAAS,EACzB,SAAS,EAAE,SAAS,EACpB,OAAO,GAAE,OAAe,GACzB,OAAO,CAAC,MAAM,CAAC;IAwGZ,aAAa,CACf,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,GAAG,SAAS,EACzB,cAAc,EAAE,MAAM,GACvB,OAAO,CAAC,IAAI,CAAC;CAgEnB"}

package/dist/ledger/wallet-allocation/signing-providers/blockdaemon-wallet-allocator.js

@@ -102,7 +102,7 @@ export class BlockdaemonWalletAllocator {
             throw new Error('Existing wallet is missing field externalTxId or topologyTransactions');
         }
         const driver = this.signingDriver.controller(email);
-        const { signature, status } = await driver
+        const { signature, status, metadata } = await driver
             .getTransaction({
             txId: existingWallet.externalTxId,
         })
@@ -131,6 +131,7 @@ export class BlockdaemonWalletAllocator {
             };
         }
         else {
+            this.logger.warn(`Topology transaction for wallet ${existingWallet.partyId} was ${status} with ${JSON.stringify(metadata)}`);
             const reason = status === 'rejected'
                 ? WALLET_DISABLED_REASON.TOPOLOGY_TRANSACTION_REJECTED
                 : WALLET_DISABLED_REASON.TOPOLOGY_TRANSACTION_FAILED;

package/dist/ledger/wallet-allocation/wallet-allocation-service.test.js

@@ -1,6 +1,6 @@
 // Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
-import { jest, describe, it, expect, beforeEach, afterEach, } from '@jest/globals';
+import { vi, describe, it, expect, beforeEach, afterEach, } from 'vitest';
 import { pino } from 'pino';
 import { sink } from 'pino-test';
 import { WalletAllocationService } from './wallet-allocation-service.js';
@@ -34,14 +34,14 @@ function createFireblocksDriver(options) {
     };
     const getTransactionResult = options.getTransactionResult ?? signTransactionResult;
     return {
-        controller: jest.fn().mockReturnValue({
-            getKeys: jest
+        controller: vi.fn().mockReturnValue({
+            getKeys: vi
                 .fn()
                 .mockResolvedValue(getKeysResult),
-            signTransaction: jest
+            signTransaction: vi
                 .fn()
                 .mockResolvedValue(signTransactionResult),
-            getTransaction: jest
+            getTransaction: vi
                 .fn()
                 .mockResolvedValue(getTransactionResult),
         }),
@@ -54,16 +54,16 @@ function createBlockdaemonDriver(options) {
     };
     const getTransactionResult = options.getTransactionResult ?? signTransactionResult;
     return {
-        controller: jest.fn().mockReturnValue({
-            createKey: jest
+        controller: vi.fn().mockReturnValue({
+            createKey: vi
                 .fn()
                 .mockResolvedValue({
                 publicKey: 'bd-pk',
             }),
-            signTransaction: jest
+            signTransaction: vi
                 .fn()
                 .mockResolvedValue(signTransactionResult),
-            getTransaction: jest
+            getTransaction: vi
                 .fn()
                 .mockResolvedValue(getTransactionResult),
         }),
@@ -80,19 +80,19 @@ describe('WalletAllocationService', () => {
     beforeEach(async () => {
         mockLogger = pino(sink());
         mockStore = {
-            getWallets: jest.fn(),
-            removeWallet: jest.fn(),
-            addWallet: jest.fn(),
-            updateWallet: jest.fn(),
-            getCurrentNetwork: jest
+            getWallets: vi.fn(),
+            removeWallet: vi.fn(),
+            addWallet: vi.fn(),
+            updateWallet: vi.fn(),
+            getCurrentNetwork: vi
                 .fn()
                 .mockResolvedValue({ id: 'network1' }),
         };
         mockPartyAllocator = {
-            allocateParty: jest.fn(),
-            allocatePartyWithExistingWallet: jest.fn(),
-            createFingerprintFromKey: jest.fn().mockReturnValue('fingerprint'),
-            generateTopologyTransactions: jest
+            allocateParty: vi.fn(),
+            allocatePartyWithExistingWallet: vi.fn(),
+            createFingerprintFromKey: vi.fn().mockReturnValue('fingerprint'),
+            generateTopologyTransactions: vi
                 .fn()
                 .mockResolvedValue({
                 topologyTransactions: ['tx1'],
@@ -100,14 +100,14 @@ describe('WalletAllocationService', () => {
             }),
         };
         mockController = {
-            createKey: jest
+            createKey: vi
                 .fn()
                 .mockResolvedValue({
                 id: 'key-id',
                 name: 'test-key',
                 publicKey: 'new-public-key',
             }),
-            signTransaction: jest
+            signTransaction: vi
                 .fn()
                 .mockResolvedValue({
                 txId: 'tx-id',
@@ -116,14 +116,14 @@ describe('WalletAllocationService', () => {
             }),
         };
         mockWalletKernelDriver = {
-            controller: jest.fn(() => mockController),
+            controller: vi.fn(() => mockController),
         };
         service = createService({
             [SigningProvider.WALLET_KERNEL]: mockWalletKernelDriver,
         });
     });
     afterEach(() => {
-        jest.restoreAllMocks();
+        vi.restoreAllMocks();
     });
     describe('Participant', () => {
         it('createWallet allocates new party and adds wallet', async () => {

package/dist/ledger/wallet-sync-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"wallet-sync-service.d.ts","sourceRoot":"","sources":["../../src/ledger/wallet-sync-service.ts"],"names":[],"mappings":"AAGA,OAAO,EACH,YAAY,EAEf,MAAM,oCAAoC,CAAA;AAC3C,OAAO,EAAE,WAAW,EAAE,MAAM,kCAAkC,CAAA;AAC9D,OAAO,EACH,KAAK,EAIR,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EACH,sBAAsB,EACtB,eAAe,EAClB,MAAM,kCAAkC,CAAA;AACzC,OAAO,EAAE,MAAM,EAAE,MAAM,MAAM,CAAA;AAC7B,OAAO,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAA;AACtE,OAAO,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAA;AAGlE,qBAAa,iBAAiB;IAEtB,OAAO,CAAC,KAAK;IACb,OAAO,CAAC,YAAY;IACpB,OAAO,CAAC,WAAW;IACnB,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,cAAc;IAGtB,OAAO,CAAC,cAAc;gBAPd,KAAK,EAAE,KAAK,EACZ,YAAY,EAAE,YAAY,EAC1B,WAAW,EAAE,WAAW,EACxB,MAAM,EAAE,MAAM,EACd,cAAc,EAAE,OAAO,CAC3B,MAAM,CAAC,eAAe,EAAE,sBAAsB,CAAC,CAClD,YAAK,EACE,cAAc,EAAE,sBAAsB;IAGlD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAwB;IAE5D,OAAO,CAAC,UAAU;IAUZ,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;cAU3B,sBAAsB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAC5D;QACI,iBAAiB,EAAE,eAAe,CAAC,WAAW,CAAA;QAC9C,OAAO,EAAE,OAAO,CAAA;KACnB,GACD;QACI,iBAAiB,EAAE,OAAO,CACtB,eAAe,EACf,eAAe,CAAC,WAAW,CAC9B,CAAA;QACD,SAAS,EAAE,MAAM,CAAA;QACjB,OAAO,EAAE,OAAO,CAAA;KACnB,CACN;YA4Ha,iBAAiB;IA2DzB,kBAAkB,IAAI,OAAO,CAAC,OAAO,CAAC;YA8D9B,yBAAyB;YAkEzB,0BAA0B;YAgD1B,mBAAmB;IAsB3B,WAAW,IAAI,OAAO,CAAC,iBAAiB,CAAC;CAuGlD"}
+{"version":3,"file":"wallet-sync-service.d.ts","sourceRoot":"","sources":["../../src/ledger/wallet-sync-service.ts"],"names":[],"mappings":"AAGA,OAAO,EACH,YAAY,EAEf,MAAM,oCAAoC,CAAA;AAC3C,OAAO,EAAE,WAAW,EAAE,MAAM,kCAAkC,CAAA;AAC9D,OAAO,EACH,KAAK,EAIR,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EACH,sBAAsB,EACtB,eAAe,EAClB,MAAM,kCAAkC,CAAA;AACzC,OAAO,EAAE,MAAM,EAAE,MAAM,MAAM,CAAA;AAC7B,OAAO,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAA;AACtE,OAAO,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAA;AAGlE,qBAAa,iBAAiB;IAEtB,OAAO,CAAC,KAAK;IACb,OAAO,CAAC,YAAY;IACpB,OAAO,CAAC,WAAW;IACnB,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,cAAc;IAGtB,OAAO,CAAC,cAAc;gBAPd,KAAK,EAAE,KAAK,EACZ,YAAY,EAAE,YAAY,EAC1B,WAAW,EAAE,WAAW,EACxB,MAAM,EAAE,MAAM,EACd,cAAc,EAAE,OAAO,CAC3B,MAAM,CAAC,eAAe,EAAE,sBAAsB,CAAC,CAClD,YAAK,EACE,cAAc,EAAE,sBAAsB;IAGlD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAwB;IAE5D,OAAO,CAAC,UAAU;IAUZ,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;cAU3B,sBAAsB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAC5D;QACI,iBAAiB,EAAE,eAAe,CAAC,WAAW,CAAA;QAC9C,OAAO,EAAE,OAAO,CAAA;KACnB,GACD;QACI,iBAAiB,EAAE,OAAO,CACtB,eAAe,EACf,eAAe,CAAC,WAAW,CAC9B,CAAA;QACD,SAAS,EAAE,MAAM,CAAA;QACjB,OAAO,EAAE,OAAO,CAAA;KACnB,CACN;YA4Ha,iBAAiB;IA8DzB,kBAAkB,IAAI,OAAO,CAAC,OAAO,CAAC;YA8D9B,yBAAyB;YAkEzB,0BAA0B;YAgD1B,mBAAmB;IAsB3B,WAAW,IAAI,OAAO,CAAC,iBAAiB,CAAC;CAuGlD"}

package/dist/ledger/wallet-sync-service.js

@@ -138,24 +138,27 @@ export class WalletSyncService {
             return created;
         };
         rights.rights?.forEach((right) => {
-            if ('CanActAs' in right.kind) {
-                const party = right.kind.CanActAs.value.party;
+            const kind = right.kind;
+            if (!kind)
+                return;
+            if ('CanActAs' in kind) {
+                const party = kind.CanActAs.value.party;
                 getOrCreateRights(party).add(PartyLevelRight.CanActAs);
             }
-            else if ('CanExecuteAs' in right.kind) {
-                const party = right.kind.CanExecuteAs.value.party;
+            else if ('CanExecuteAs' in kind) {
+                const party = kind.CanExecuteAs.value.party;
                 getOrCreateRights(party).add(PartyLevelRight.CanExecuteAs);
             }
-            else if ('CanReadAs' in right.kind) {
-                const party = right.kind.CanReadAs.value.party;
+            else if ('CanReadAs' in kind) {
+                const party = kind.CanReadAs.value.party;
                 getOrCreateRights(party).add(PartyLevelRight.CanReadAs);
             }
-            else if ('CanReadAsAnyParty' in right.kind) {
+            else if ('CanReadAsAnyParty' in kind) {
                 rightsByUser
                     .get(this.authContext.userId)
                     ?.add(UserLevelRight.CanReadAsAnyParty);
             }
-            else if ('CanExecuteAsAnyParty' in right.kind) {
+            else if ('CanExecuteAsAnyParty' in kind) {
                 rightsByUser
                     .get(this.authContext.userId)
                     ?.add(UserLevelRight.CanExecuteAsAnyParty);

package/dist/ledger/wallet-sync-service.test.js

@@ -1,6 +1,6 @@
 // Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
-import { jest, describe, it, expect, beforeEach, afterEach, } from '@jest/globals';
+import { vi, describe, it, expect, beforeEach, afterEach } from 'vitest';
 import { pino } from 'pino';
 import { sink } from 'pino-test';
 import { SigningProvider, } from '@canton-network/core-signing-lib';
@@ -11,9 +11,11 @@ import { PartyLevelRight, } from '@canton-network/core-wallet-store';
 import { StoreInternal } from '@canton-network/core-wallet-store-inmemory';
 import { WalletSyncService } from './wallet-sync-service.js';
 import { PartyAllocationService } from './party-allocation-service.js';
-const mockLedgerGet = jest.fn();
-jest.unstable_mockModule('@canton-network/core-ledger-client', () => ({
-    LedgerClient: jest.fn().mockImplementation(() => {
+const { mockLedgerGet } = vi.hoisted(() => ({
+    mockLedgerGet: vi.fn(),
+}));
+vi.mock('@canton-network/core-ledger-client', () => ({
+    LedgerClient: vi.fn(function LedgerClientMock() {
         return {
             getWithRetry: mockLedgerGet,
         };
@@ -83,7 +85,7 @@ describe('WalletSyncService - resolveSigningProvider', () => {
         }, partyAllocator);
     });
     afterEach(() => {
-        jest.restoreAllMocks();
+        vi.restoreAllMocks();
         mockLedgerGet.mockClear();
     });
     it('resolves participant when namespace matches participant namespace', async () => {
@@ -128,8 +130,8 @@ describe('WalletSyncService - resolveSigningProvider', () => {
         const normalizedKey = partyAllocator.normalizePublicKeyToBase64(fireblocksPublicKeyHex);
         const namespace = partyAllocator.createFingerprintFromKey(normalizedKey);
         const mockFireblocksDriver = {
-            controller: jest.fn().mockReturnValue({
-                getKeys: jest
+            controller: vi.fn().mockReturnValue({
+                getKeys: vi
                     .fn()
                     .mockResolvedValue({
                     keys: [
@@ -253,7 +255,7 @@ describe('WalletSyncService - multi-network features', () => {
         service = new WalletSyncService(store, mockLedgerClient, authContext, mockLogger, {}, partyAllocator);
     });
     afterEach(() => {
-        jest.restoreAllMocks();
+        vi.restoreAllMocks();
         mockLedgerGet.mockClear();
     });
     it('isWalletSyncNeeded should filter by current network', async () => {
@@ -305,7 +307,7 @@ describe('WalletSyncService - multi-network features', () => {
         await store.addNetwork(network1);
         await setSession('network1');
         await store.addWallet(createWallet('party1::namespace', 'network1'));
-        const addWalletSpy = jest.spyOn(store, 'addWallet');
+        const addWalletSpy = vi.spyOn(store, 'addWallet');
         mockLedgerGet
             .mockResolvedValueOnce({
             rights: [
@@ -542,7 +544,7 @@ describe('WalletSyncService - multi-network features', () => {
                 .mockResolvedValueOnce({
                 participantId: 'participant1::namespace',
             });
-            const updateWalletSpy = jest.spyOn(store, 'updateWallet');
+            const updateWalletSpy = vi.spyOn(store, 'updateWallet');
             await service.syncWallets();
             expect(updateWalletSpy).toHaveBeenCalledWith(expect.objectContaining({
                 partyId: 'party1::namespace',
@@ -575,7 +577,7 @@ describe('WalletSyncService - multi-network features', () => {
                 .mockResolvedValueOnce({
                 participantId: 'participant1::namespace',
             });
-            const updateWalletSpy = jest.spyOn(store, 'updateWallet');
+            const updateWalletSpy = vi.spyOn(store, 'updateWallet');
             await service.syncWallets();
             expect(updateWalletSpy).not.toHaveBeenCalled();
             const wallets = await store.getWallets();
@@ -603,7 +605,7 @@ describe('WalletSyncService - multi-network features', () => {
                 .mockResolvedValueOnce({
                 participantId: 'participant1::namespace',
             });
-            const updateWalletSpy = jest.spyOn(store, 'updateWallet');
+            const updateWalletSpy = vi.spyOn(store, 'updateWallet');
             await service.syncWallets();
             expect(updateWalletSpy).toHaveBeenCalledTimes(2);
             expect(updateWalletSpy).toHaveBeenCalledWith(expect.objectContaining({
@@ -639,7 +641,7 @@ describe('WalletSyncService - multi-network features', () => {
                 .mockResolvedValueOnce({
                 participantId: 'participant1::namespace',
             });
-            const updateWalletSpy = jest.spyOn(store, 'updateWallet');
+            const updateWalletSpy = vi.spyOn(store, 'updateWallet');
             await service.syncWallets();
             expect(updateWalletSpy).toHaveBeenCalledWith(expect.objectContaining({
                 partyId: 'party1::namespace',

package/dist/middleware/rateLimit.d.ts

@@ -1,2 +1,7 @@
+import type { Request } from 'express';
+export declare function ipRateLimitKeyGenerator(req: Request): string;
+export declare function rateLimitKeyGenerator(req: Request): string;
 export declare function rateLimiter(requestRateLimit: number): import("express-rate-limit").RateLimitRequestHandler;
+export declare function preAuthIpRateLimiter(requestRateLimit: number): import("express-rate-limit").RateLimitRequestHandler;
+export declare function authenticatedRateLimiter(requestRateLimit: number): import("express-rate-limit").RateLimitRequestHandler;
 //# sourceMappingURL=rateLimit.d.ts.map

package/dist/middleware/rateLimit.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"rateLimit.d.ts","sourceRoot":"","sources":["../../src/middleware/rateLimit.ts"],"names":[],"mappings":"AAKA,wBAAgB,WAAW,CAAC,gBAAgB,EAAE,MAAM,wDAOnD"}
+{"version":3,"file":"rateLimit.d.ts","sourceRoot":"","sources":["../../src/middleware/rateLimit.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,SAAS,CAAA;AAWtC,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,CAE5D;AAED,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,CAO1D;AAED,wBAAgB,WAAW,CAAC,gBAAgB,EAAE,MAAM,wDAQnD;AAED,wBAAgB,oBAAoB,CAAC,gBAAgB,EAAE,MAAM,wDAU5D;AAED,wBAAgB,wBAAwB,CAAC,gBAAgB,EAAE,MAAM,wDAUhE"}

package/dist/middleware/rateLimit.js

@@ -1,10 +1,50 @@
 // Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 import rateLimit from 'express-rate-limit';
+function hasBearerToken(req) {
+    const authHeader = req.headers.authorization;
+    if (typeof authHeader === 'string' && authHeader.startsWith('Bearer ')) {
+        return true;
+    }
+    return typeof req.query.token === 'string' && req.query.token.length > 0;
+}
+export function ipRateLimitKeyGenerator(req) {
+    return `ip:${req.ip || req.socket.remoteAddress || 'unknown'}`;
+}
+export function rateLimitKeyGenerator(req) {
+    // Prefer authenticated identity to avoid shared proxy IP buckets.
+    if (req.authContext?.userId) {
+        return `user:${req.authContext.userId}`;
+    }
+    return ipRateLimitKeyGenerator(req);
+}
 export function rateLimiter(requestRateLimit) {
     return rateLimit({
         windowMs: 1 * 60 * 1000, // 1 minute
         max: requestRateLimit, // limit each IP to requestRateLimit requests per windowMs
+        keyGenerator: rateLimitKeyGenerator,
+        standardHeaders: true,
+        legacyHeaders: false,
+    });
+}
+export function preAuthIpRateLimiter(requestRateLimit) {
+    return rateLimit({
+        windowMs: 1 * 60 * 1000,
+        max: requestRateLimit,
+        keyGenerator: ipRateLimitKeyGenerator,
+        // Only protect unauthenticated traffic before JWT verification.
+        skip: hasBearerToken,
+        standardHeaders: true,
+        legacyHeaders: false,
+    });
+}
+export function authenticatedRateLimiter(requestRateLimit) {
+    return rateLimit({
+        windowMs: 1 * 60 * 1000,
+        max: requestRateLimit,
+        keyGenerator: rateLimitKeyGenerator,
+        // Apply only after JWT middleware has attached an authenticated context.
+        skip: (req) => !req.authContext?.userId,
         standardHeaders: true,
         legacyHeaders: false,
     });

package/dist/middleware/rateLimit.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=rateLimit.test.d.ts.map

package/dist/middleware/rateLimit.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rateLimit.test.d.ts","sourceRoot":"","sources":["../../src/middleware/rateLimit.test.ts"],"names":[],"mappings":""}

package/dist/middleware/rateLimit.test.js

@@ -0,0 +1,30 @@
+// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+import { describe, expect, test } from 'vitest';
+import { ipRateLimitKeyGenerator, rateLimitKeyGenerator } from './rateLimit.js';
+describe('ipRateLimitKeyGenerator', () => {
+    test('uses request ip address', () => {
+        const req = {
+            ip: '198.51.100.42',
+            socket: { remoteAddress: '10.0.0.1' },
+        };
+        expect(ipRateLimitKeyGenerator(req)).toBe('ip:198.51.100.42');
+    });
+});
+describe('rateLimitKeyGenerator', () => {
+    test('uses authenticated user id when available', () => {
+        const req = {
+            authContext: { userId: 'alice' },
+            ip: '203.0.113.10',
+            socket: { remoteAddress: '10.0.0.1' },
+        };
+        expect(rateLimitKeyGenerator(req)).toBe('user:alice');
+    });
+    test('falls back to request ip when user is not authenticated', () => {
+        const req = {
+            ip: '198.51.100.42',
+            socket: { remoteAddress: '10.0.0.1' },
+        };
+        expect(rateLimitKeyGenerator(req)).toBe('ip:198.51.100.42');
+    });
+});

package/dist/user-api/controller.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../src/user-api/controller.ts"],"names":[],"mappings":"AA6BA,OAAO,EAAE,KAAK,EAAW,MAAM,mCAAmC,CAAA;AAClE,OAAO,EAAE,MAAM,EAAE,MAAM,MAAM,CAAA;AAC7B,OAAO,EAAE,mBAAmB,EAAE,MAAM,wCAAwC,CAAA;AAC5E,OAAO,EAEH,WAAW,EAKd,MAAM,kCAAkC,CAAA;AACzC,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAA;AAChD,OAAO,EACH,sBAAsB,EACtB,eAAe,EAClB,MAAM,kCAAkC,CAAA;AAQzC,KAAK,uBAAuB,GAAG,OAAO,CAClC,MAAM,CAAC,eAAe,EAAE,sBAAsB,CAAC,CAClD,CAAA;AAED,eAAO,MAAM,cAAc,GACvB,YAAY,UAAU,EACtB,SAAS,MAAM,EACf,OAAO,KAAK,EACZ,qBAAqB,mBAAmB,EACxC,aAAa,WAAW,GAAG,SAAS,EACpC,SAAS,uBAAuB,EAChC,SAAS,MAAM,EACf,cAAc,MAAM;;;;;;;;;;;;;;;;;;;;;;;CA8vBvB,CAAA"}
+{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../src/user-api/controller.ts"],"names":[],"mappings":"AA6BA,OAAO,EAAE,KAAK,EAAW,MAAM,mCAAmC,CAAA;AAClE,OAAO,EAAE,MAAM,EAAE,MAAM,MAAM,CAAA;AAC7B,OAAO,EAAE,mBAAmB,EAAE,MAAM,wCAAwC,CAAA;AAC5E,OAAO,EAEH,WAAW,EAKd,MAAM,kCAAkC,CAAA;AACzC,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAA;AAChD,OAAO,EACH,sBAAsB,EACtB,eAAe,EAClB,MAAM,kCAAkC,CAAA;AASzC,KAAK,uBAAuB,GAAG,OAAO,CAClC,MAAM,CAAC,eAAe,EAAE,sBAAsB,CAAC,CAClD,CAAA;AAED,eAAO,MAAM,cAAc,GACvB,YAAY,UAAU,EACtB,SAAS,MAAM,EACf,OAAO,KAAK,EACZ,qBAAqB,mBAAmB,EACxC,aAAa,WAAW,GAAG,SAAS,EACpC,SAAS,uBAAuB,EAChC,SAAS,MAAM,EACf,cAAc,MAAM;;;;;;;;;;;;;;;;;;;;;;;CA+vBvB,CAAA"}