[infra] vault + chsettle + aurora for dev

2026-03-16 19:50:05 +01:00
parent 5b1aca86e7
commit 89edf33c2c
51 changed files with 1606 additions and 62 deletions
--- a/ci/prod/compose/aurora_gateway.dockerfile
+++ b/ci/prod/compose/aurora_gateway.dockerfile
@@ -0,0 +1,37 @@
+# syntax=docker/dockerfile:1.7
+
+ARG TARGETOS=linux
+ARG TARGETARCH=amd64
+
+FROM golang:alpine AS build
+ARG APP_VERSION=dev
+ARG GIT_REV=unknown
+ARG BUILD_BRANCH=unknown
+ARG BUILD_DATE=unknown
+ARG BUILD_USER=ci
+ENV GO111MODULE=on
+ENV PATH="/go/bin:${PATH}"
+WORKDIR /src
+COPY . .
+RUN apk add --no-cache git build-base
+WORKDIR /src/api/gateway/aurora
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
+    go build -trimpath -ldflags "\
+      -s -w \
+      -X github.com/tech/sendico/gateway/aurora/internal/appversion.Version=${APP_VERSION} \
+      -X github.com/tech/sendico/gateway/aurora/internal/appversion.Revision=${GIT_REV} \
+      -X github.com/tech/sendico/gateway/aurora/internal/appversion.Branch=${BUILD_BRANCH} \
+      -X github.com/tech/sendico/gateway/aurora/internal/appversion.BuildUser=${BUILD_USER} \
+      -X github.com/tech/sendico/gateway/aurora/internal/appversion.BuildDate=${BUILD_DATE}" \
+    -o /out/aurora-gateway .
+
+FROM alpine:latest AS runtime
+RUN apk add --no-cache ca-certificates tzdata wget
+WORKDIR /app
+COPY api/gateway/aurora/config.yml /app/config.yml
+COPY --from=build /out/aurora-gateway /app/aurora-gateway
+EXPOSE 50075 9404 8084
+ENTRYPOINT ["/app/aurora-gateway"]
+CMD ["--config.file", "/app/config.yml"]
--- a/ci/prod/compose/aurora_gateway.yml
+++ b/ci/prod/compose/aurora_gateway.yml
@@ -0,0 +1,46 @@
+# Compose v2 - Aurora Gateway
+
+x-common-env: &common-env
+  env_file:
+    - ../env/.env.runtime
+    - ../env/.env.version
+
+networks:
+  sendico-net:
+    external: true
+    name: sendico-net
+
+services:
+  sendico_aurora_gateway:
+    <<: *common-env
+    container_name: sendico-aurora-gateway
+    platform: linux/amd64
+    restart: unless-stopped
+    image: ${REGISTRY_URL}/gateway/aurora:${IMAGE_TAG:-${APP_V}}
+    pull_policy: always
+    environment:
+      AURORA_GATEWAY_MONGO_HOST: ${AURORA_GATEWAY_MONGO_HOST}
+      AURORA_GATEWAY_MONGO_PORT: ${AURORA_GATEWAY_MONGO_PORT}
+      AURORA_GATEWAY_MONGO_DATABASE: ${AURORA_GATEWAY_MONGO_DATABASE}
+      AURORA_GATEWAY_MONGO_USER: ${AURORA_GATEWAY_MONGO_USER}
+      AURORA_GATEWAY_MONGO_PASSWORD: ${AURORA_GATEWAY_MONGO_PASSWORD}
+      AURORA_GATEWAY_MONGO_AUTH_SOURCE: ${AURORA_GATEWAY_MONGO_AUTH_SOURCE}
+      AURORA_GATEWAY_MONGO_REPLICA_SET: ${AURORA_GATEWAY_MONGO_REPLICA_SET}
+      NATS_URL: ${NATS_URL}
+      NATS_HOST: ${NATS_HOST}
+      NATS_PORT: ${NATS_PORT}
+      NATS_USER: ${NATS_USER}
+      NATS_PASSWORD: ${NATS_PASSWORD}
+    command: ["--config.file", "/app/config.yml"]
+    ports:
+      - "0.0.0.0:${AURORA_GATEWAY_GRPC_PORT}:50075"
+      - "0.0.0.0:${AURORA_GATEWAY_METRICS_PORT}:9404"
+      - "0.0.0.0:${AURORA_GATEWAY_HTTP_PORT}:8084"
+    healthcheck:
+      test: ["CMD-SHELL","wget -qO- http://localhost:9404/health | grep -q '\"status\":\"ok\"'"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 60s
+    networks:
+      - sendico-net
--- a/ci/prod/compose/bff.dockerfile
+++ b/ci/prod/compose/bff.dockerfile
@@ -28,9 +28,10 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
    -o /out/bff .

 FROM alpine:latest AS runtime
+ARG APP_CONFIG_PATH=api/edge/bff/config.yml
 RUN apk add --no-cache ca-certificates tzdata wget
 WORKDIR /app
-COPY api/edge/bff/config.yml /app/config.yml
+COPY ${APP_CONFIG_PATH} /app/config.yml
 COPY api/edge/bff/assets /app/assets
 COPY api/edge/bff/env /app/env
 COPY api/pkg/auth/internal/casbin/models/auth.conf /app/env/permissions_model.conf
--- a/ci/prod/compose/bff.yml
+++ b/ci/prod/compose/bff.yml
@@ -60,7 +60,7 @@ services:
      PERMISSION_COLLECTION: ${PERMISSION_COLLECTION}
      PERMISSION_TIMEOUT: ${PERMISSION_TIMEOUT}
      PERMISSION_IS_FILTERED: ${PERMISSION_IS_FILTERED}
-      VAULT_ADDR: ${VAULT_ADDR}
+      VAULT_ADDR: ${APP_VAULT_ADDR:-${VAULT_ADDR}}
      VAULT_TOKEN_FILE: /run/vault/token
    ports:
      - "0.0.0.0:${BFF_HTTP_PORT}:8081"
@@ -86,7 +86,7 @@ services:
    pull_policy: always
    cap_add: ["IPC_LOCK"]
    environment:
-      VAULT_ADDR: ${VAULT_ADDR}
+      VAULT_ADDR: ${APP_VAULT_ADDR:-${VAULT_ADDR}}
      BFF_VAULT_ROLE_ID: ${BFF_VAULT_ROLE_ID}
      BFF_VAULT_SECRET_ID: ${BFF_VAULT_SECRET_ID}
    command: >
--- a/ci/prod/compose/callbacks.dockerfile
+++ b/ci/prod/compose/callbacks.dockerfile
@@ -28,9 +28,10 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
    -o /out/callbacks .

 FROM alpine:latest AS runtime
+ARG APP_CONFIG_PATH=api/edge/callbacks/config.yml
 RUN apk add --no-cache ca-certificates tzdata wget
 WORKDIR /app
-COPY api/edge/callbacks/config.yml /app/config.yml
+COPY ${APP_CONFIG_PATH} /app/config.yml
 COPY api/edge/callbacks/entrypoint.sh /app/entrypoint.sh
 COPY --from=build /out/callbacks /app/callbacks
 RUN chmod +x /app/entrypoint.sh
--- a/ci/prod/compose/callbacks.yml
+++ b/ci/prod/compose/callbacks.yml
@@ -40,7 +40,7 @@ services:
      NATS_USER: ${NATS_USER}
      NATS_PASSWORD: ${NATS_PASSWORD}
      CALLBACKS_METRICS_PORT: ${CALLBACKS_METRICS_PORT}
-      VAULT_ADDR: ${VAULT_ADDR}
+      VAULT_ADDR: ${APP_VAULT_ADDR:-${VAULT_ADDR}}
      VAULT_TOKEN_FILE: /run/vault/token
    command: ["--config.file", "/app/config.yml"]
    ports:
@@ -67,7 +67,7 @@ services:
    pull_policy: always
    cap_add: ["IPC_LOCK"]
    environment:
-      VAULT_ADDR: ${VAULT_ADDR}
+      VAULT_ADDR: ${APP_VAULT_ADDR:-${VAULT_ADDR}}
      CALLBACKS_VAULT_ROLE_ID: ${CALLBACKS_VAULT_ROLE_ID}
      CALLBACKS_VAULT_SECRET_ID: ${CALLBACKS_VAULT_SECRET_ID}
    command: >
--- a/ci/prod/compose/chain_gateway.dockerfile
+++ b/ci/prod/compose/chain_gateway.dockerfile
@@ -28,9 +28,10 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
    -o /out/chain-gateway .

 FROM alpine:latest AS runtime
+ARG APP_CONFIG_PATH=api/gateway/chain/config.yml
 RUN apk add --no-cache ca-certificates tzdata wget
 WORKDIR /app
-COPY api/gateway/chain/config.yml /app/config.yml
+COPY ${APP_CONFIG_PATH} /app/config.yml
 COPY api/gateway/chain/env /app/env
 COPY api/gateway/chain/entrypoint.sh /app/entrypoint.sh
 COPY --from=build /out/chain-gateway /app/chain-gateway
--- a/ci/prod/compose/chain_gateway.yml
+++ b/ci/prod/compose/chain_gateway.yml
@@ -75,7 +75,7 @@ services:
    pull_policy: always
    cap_add: ["IPC_LOCK"]
    environment:
-      VAULT_ADDR: ${VAULT_ADDR}
+      VAULT_ADDR: ${APP_VAULT_ADDR:-${VAULT_ADDR}}
      CHAIN_GATEWAY_VAULT_ROLE_ID: ${CHAIN_GATEWAY_VAULT_ROLE_ID}
      CHAIN_GATEWAY_VAULT_SECRET_ID: ${CHAIN_GATEWAY_VAULT_SECRET_ID}
    command: >
--- a/ci/prod/compose/chsettle_gateway.dockerfile
+++ b/ci/prod/compose/chsettle_gateway.dockerfile
@@ -0,0 +1,37 @@
+# syntax=docker/dockerfile:1.7
+
+ARG TARGETOS=linux
+ARG TARGETARCH=amd64
+
+FROM golang:alpine AS build
+ARG APP_VERSION=dev
+ARG GIT_REV=unknown
+ARG BUILD_BRANCH=unknown
+ARG BUILD_DATE=unknown
+ARG BUILD_USER=ci
+ENV GO111MODULE=on
+ENV PATH="/go/bin:${PATH}"
+WORKDIR /src
+COPY . .
+RUN apk add --no-cache git build-base
+WORKDIR /src/api/gateway/chsettle
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
+    go build -trimpath -ldflags "\
+      -s -w \
+      -X github.com/tech/sendico/gateway/chsettle/internal/appversion.Version=${APP_VERSION} \
+      -X github.com/tech/sendico/gateway/chsettle/internal/appversion.Revision=${GIT_REV} \
+      -X github.com/tech/sendico/gateway/chsettle/internal/appversion.Branch=${BUILD_BRANCH} \
+      -X github.com/tech/sendico/gateway/chsettle/internal/appversion.BuildUser=${BUILD_USER} \
+      -X github.com/tech/sendico/gateway/chsettle/internal/appversion.BuildDate=${BUILD_DATE}" \
+    -o /out/chsettle-gateway .
+
+FROM alpine:latest AS runtime
+RUN apk add --no-cache ca-certificates tzdata wget
+WORKDIR /app
+COPY api/gateway/chsettle/config.yml /app/config.yml
+COPY --from=build /out/chsettle-gateway /app/chsettle-gateway
+EXPOSE 50080 9406
+ENTRYPOINT ["/app/chsettle-gateway"]
+CMD ["--config.file", "/app/config.yml"]
--- a/ci/prod/compose/chsettle_gateway.yml
+++ b/ci/prod/compose/chsettle_gateway.yml
@@ -0,0 +1,46 @@
+# Compose v2 - ChimeraSettle Gateway
+
+x-common-env: &common-env
+  env_file:
+    - ../env/.env.runtime
+    - ../env/.env.version
+
+networks:
+  sendico-net:
+    external: true
+    name: sendico-net
+
+services:
+  sendico_chsettle_gateway:
+    <<: *common-env
+    container_name: sendico-chsettle-gateway
+    platform: linux/amd64
+    restart: unless-stopped
+    image: ${REGISTRY_URL}/gateway/chsettle:${IMAGE_TAG:-${APP_V}}
+    pull_policy: always
+    environment:
+      CHSETTLE_GATEWAY_MONGO_HOST: ${CHSETTLE_GATEWAY_MONGO_HOST}
+      CHSETTLE_GATEWAY_MONGO_PORT: ${CHSETTLE_GATEWAY_MONGO_PORT}
+      CHSETTLE_GATEWAY_MONGO_DATABASE: ${CHSETTLE_GATEWAY_MONGO_DATABASE}
+      CHSETTLE_GATEWAY_MONGO_USER: ${CHSETTLE_GATEWAY_MONGO_USER}
+      CHSETTLE_GATEWAY_MONGO_PASSWORD: ${CHSETTLE_GATEWAY_MONGO_PASSWORD}
+      CHSETTLE_GATEWAY_MONGO_AUTH_SOURCE: ${CHSETTLE_GATEWAY_MONGO_AUTH_SOURCE}
+      CHSETTLE_GATEWAY_MONGO_REPLICA_SET: ${CHSETTLE_GATEWAY_MONGO_REPLICA_SET}
+      NATS_URL: ${NATS_URL}
+      NATS_HOST: ${NATS_HOST}
+      NATS_PORT: ${NATS_PORT}
+      NATS_USER: ${NATS_USER}
+      NATS_PASSWORD: ${NATS_PASSWORD}
+      CHSETTLE_GATEWAY_CHAT_ID: ${CHSETTLE_GATEWAY_CHAT_ID}
+    command: ["--config.file", "/app/config.yml"]
+    ports:
+      - "0.0.0.0:${CHSETTLE_GATEWAY_GRPC_PORT}:50080"
+      - "0.0.0.0:${CHSETTLE_GATEWAY_METRICS_PORT}:9406"
+    healthcheck:
+      test: ["CMD-SHELL","wget -qO- http://localhost:9406/health | grep -q '\"status\":\"ok\"'"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 60s
+    networks:
+      - sendico-net
--- a/ci/prod/compose/db.dev.yml
+++ b/ci/prod/compose/db.dev.yml
@@ -0,0 +1,163 @@
+# Compose v2 - Dev DB stack without PBM
+
+x-common-env: &common-env
+  env_file:
+    - ../env/.env.runtime
+
+volumes:
+  mongo1_data: {}
+  mongo2_data: {}
+  mongo3_data: {}
+  # In-memory store for secrets/material rendered by Vault Agent (no host persistence)
+  vault_secrets:
+    driver: local
+    driver_opts:
+      type: tmpfs
+      device: tmpfs
+      o: size=32m,uid=999,gid=999,mode=0750
+
+networks:
+  sendico-net:
+    external: true
+    name: sendico-net
+
+services:
+  vault-agent-sendico:
+    <<: *common-env
+    image: hashicorp/vault:latest
+    container_name: vault-agent-sendico
+    restart: unless-stopped
+    cap_add: ["IPC_LOCK"]
+    environment:
+      VAULT_ADDR: ${VAULT_ADDR}
+      VAULT_ROLE_ID: ${VAULT_ROLE_ID}
+      VAULT_SECRET_ID: ${VAULT_SECRET_ID}
+    volumes:
+      - ./vault/agent.dev.hcl:/etc/vault/agent.hcl:ro
+      - ./vault/templates:/etc/vault/templates:ro
+      - vault_secrets:/vault/secrets:rw
+    command: >
+      sh -lc 'set -euo pipefail; umask 077;
+              : "$${VAULT_ADDR:?}"; : "$${VAULT_ROLE_ID:?}"; : "$${VAULT_SECRET_ID:?}";
+              printf "%s" "$${VAULT_ROLE_ID}"   > /vault/secrets/role_id;
+              printf "%s" "$${VAULT_SECRET_ID}" > /vault/secrets/secret_id;
+              unset VAULT_ROLE_ID VAULT_SECRET_ID;
+              exec vault agent -config=/etc/vault/agent.hcl'
+    healthcheck:
+      test: ["CMD-SHELL","test -s /vault/secrets/MONGO_INITDB_ROOT_USERNAME -a -s /vault/secrets/MONGO_INITDB_ROOT_PASSWORD -a -s /vault/secrets/mongo.kf"]
+      interval: 5s
+      timeout: 3s
+      retries: 30
+      start_period: 5s
+    networks:
+      - sendico-net
+
+  sendico_db1:
+    <<: *common-env
+    image: docker.io/library/mongo:latest
+    container_name: sendico_db1
+    restart: unless-stopped
+    depends_on:
+      vault-agent-sendico:
+        condition: service_healthy
+    entrypoint: ["/usr/local/bin/mongo-entrypoint-wrapper.sh"]
+    command: >
+      mongod --replSet ${MONGO_REPLICA_SET} --bind_ip_all --auth
+             --keyFile /vault/secrets/mongo.kf --port ${MONGO_PORT}
+    volumes:
+      - mongo1_data:/data/db
+      - vault_secrets:/vault/secrets:ro
+      - ./ops/mongo-entrypoint.sh:/usr/local/bin/mongo-entrypoint-wrapper.sh:ro
+    healthcheck:
+      test: ["CMD-SHELL","mongosh --quiet --host localhost --port ${MONGO_PORT} --eval 'db.runCommand({ ping: 1 }).ok' || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 10
+      start_period: 30s
+    ports: [ "0.0.0.0:${MONGO_PORT}:${MONGO_PORT}" ]
+    networks:
+      - sendico-net
+
+  sendico_db2:
+    <<: *common-env
+    image: docker.io/library/mongo:latest
+    container_name: sendico_db2
+    restart: unless-stopped
+    depends_on:
+      vault-agent-sendico:
+        condition: service_healthy
+    entrypoint: ["/usr/local/bin/mongo-entrypoint-wrapper.sh"]
+    command: >
+      mongod --replSet ${MONGO_REPLICA_SET} --bind_ip_all --auth
+             --keyFile /vault/secrets/mongo.kf --port ${MONGO_PORT}
+    volumes:
+      - mongo2_data:/data/db
+      - vault_secrets:/vault/secrets:ro
+      - ./ops/mongo-entrypoint.sh:/usr/local/bin/mongo-entrypoint-wrapper.sh:ro
+    healthcheck:
+      test: ["CMD-SHELL","mongosh --quiet --host localhost --port ${MONGO_PORT} --eval 'db.runCommand({ ping: 1 }).ok' || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 10
+      start_period: 30s
+    networks:
+      - sendico-net
+
+  sendico_db3:
+    <<: *common-env
+    image: docker.io/library/mongo:latest
+    container_name: sendico_db3
+    restart: unless-stopped
+    depends_on:
+      vault-agent-sendico:
+        condition: service_healthy
+    entrypoint: ["/usr/local/bin/mongo-entrypoint-wrapper.sh"]
+    command: >
+      mongod --replSet ${MONGO_REPLICA_SET} --bind_ip_all --auth
+             --keyFile /vault/secrets/mongo.kf --port ${MONGO_PORT}
+    volumes:
+      - mongo3_data:/data/db
+      - vault_secrets:/vault/secrets:ro
+      - ./ops/mongo-entrypoint.sh:/usr/local/bin/mongo-entrypoint-wrapper.sh:ro
+    healthcheck:
+      test: ["CMD-SHELL","mongosh --quiet --host localhost --port ${MONGO_PORT} --eval 'db.runCommand({ ping: 1 }).ok' || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 10
+      start_period: 30s
+    networks:
+      - sendico-net
+
+  mongo_setup:
+    <<: *common-env
+    image: docker.io/library/mongo:latest
+    depends_on:
+      sendico_db1: { condition: service_healthy }
+      sendico_db2: { condition: service_healthy }
+      sendico_db3: { condition: service_healthy }
+    volumes:
+      - vault_secrets:/vault/secrets:ro
+    entrypoint: |
+      bash -c '
+        set -euo pipefail
+        u=$(cat /vault/secrets/MONGO_INITDB_ROOT_USERNAME)
+        p=$(cat /vault/secrets/MONGO_INITDB_ROOT_PASSWORD)
+        until mongosh --quiet --host sendico_db1 --port ${MONGO_PORT} --eval "db.adminCommand({ ping: 1 })"; do
+          echo "waiting for MongoDB…"; sleep 2;
+        done
+        mongosh --host sendico_db1 --port ${MONGO_PORT} -u "$$u" -p "$$p" --authenticationDatabase admin <<'EOJS'
+          try { rs.status() } catch (e) {
+            rs.initiate({
+              _id: "${MONGO_REPLICA_SET}",
+              members: [
+                { _id: 0, host: "sendico_db1:${MONGO_PORT}", priority: 2 },
+                { _id: 1, host: "sendico_db2:${MONGO_PORT}", priority: 1 },
+                { _id: 2, host: "sendico_db3:${MONGO_PORT}", priority: 1 }
+              ]
+            })
+          }
+        EOJS
+      '
+    restart: "no"
+    networks:
+      - sendico-net
--- a/ci/prod/compose/tron_gateway.dockerfile
+++ b/ci/prod/compose/tron_gateway.dockerfile
@@ -28,9 +28,10 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
    -o /out/tron-gateway .

 FROM alpine:latest AS runtime
+ARG APP_CONFIG_PATH=api/gateway/tron/config.yml
 RUN apk add --no-cache ca-certificates tzdata wget
 WORKDIR /app
-COPY api/gateway/tron/config.yml /app/config.yml
+COPY ${APP_CONFIG_PATH} /app/config.yml
 COPY api/gateway/tron/env /app/env
 COPY api/gateway/tron/entrypoint.sh /app/entrypoint.sh
 COPY --from=build /out/tron-gateway /app/tron-gateway
--- a/ci/prod/compose/tron_gateway.yml
+++ b/ci/prod/compose/tron_gateway.yml
@@ -79,7 +79,7 @@ services:
    pull_policy: always
    cap_add: ["IPC_LOCK"]
    environment:
-      VAULT_ADDR: ${VAULT_ADDR}
+      VAULT_ADDR: ${APP_VAULT_ADDR:-${VAULT_ADDR}}
      TRON_GATEWAY_VAULT_ROLE_ID: ${TRON_GATEWAY_VAULT_ROLE_ID}
      TRON_GATEWAY_VAULT_SECRET_ID: ${TRON_GATEWAY_VAULT_SECRET_ID}
    command: >
--- a/ci/prod/compose/vault-agent/bff.hcl
+++ b/ci/prod/compose/vault-agent/bff.hcl
@@ -1,5 +1,5 @@
 vault {
-  address = "https://vault.sendico.io"
+  address = "{{ env `VAULT_ADDR` }}"
 }

 auto_auth {
@@ -18,4 +18,3 @@ auto_auth {
    }
  }
 }
-
--- a/ci/prod/compose/vault-agent/callbacks.hcl
+++ b/ci/prod/compose/vault-agent/callbacks.hcl
@@ -1,5 +1,5 @@
 vault {
-  address = "https://vault.sendico.io"
+  address = "{{ env `VAULT_ADDR` }}"
 }

 auto_auth {
--- a/ci/prod/compose/vault-agent/chain-gateway.hcl
+++ b/ci/prod/compose/vault-agent/chain-gateway.hcl
@@ -1,5 +1,5 @@
 vault {
-  address = "https://vault.sendico.io"
+  address = "{{ env `VAULT_ADDR` }}"
 }

 auto_auth {
--- a/ci/prod/compose/vault-agent/tron-gateway.hcl
+++ b/ci/prod/compose/vault-agent/tron-gateway.hcl
@@ -1,5 +1,5 @@
 vault {
-  address = "https://vault.sendico.io"
+  address = "{{ env `VAULT_ADDR` }}"
 }

 auto_auth {
--- a/ci/prod/compose/vault-server/config.hcl
+++ b/ci/prod/compose/vault-server/config.hcl
@@ -0,0 +1,12 @@
+storage "file" {
+  path = "/vault/file"
+}
+
+listener "tcp" {
+  address     = "0.0.0.0:8200"
+  tls_disable = true
+}
+
+api_addr = "http://dev-vault:8200"
+ui = true
+disable_mlock = true
--- a/ci/prod/compose/vault.yml
+++ b/ci/prod/compose/vault.yml
@@ -0,0 +1,37 @@
+# Compose v2 - Dev Vault
+
+x-common-env: &common-env
+  env_file:
+    - ../env/.env.runtime
+
+volumes:
+  dev_vault_data: {}
+
+networks:
+  sendico-net:
+    external: true
+    name: sendico-net
+
+services:
+  dev_vault:
+    <<: *common-env
+    image: hashicorp/vault:latest
+    container_name: dev-vault
+    restart: unless-stopped
+    cap_add: ["IPC_LOCK"]
+    environment:
+      VAULT_ADDR: http://127.0.0.1:8200
+    command: vault server -config=/vault/config/vault.hcl
+    volumes:
+      - dev_vault_data:/vault/file
+      - ./vault-server/config.hcl:/vault/config/vault.hcl:ro
+    ports:
+      - "0.0.0.0:${VAULT_HTTP_PORT}:8200"
+    healthcheck:
+      test: ["CMD-SHELL","export VAULT_ADDR=http://127.0.0.1:8200; vault status >/dev/null 2>&1; rc=$?; [ \"$rc\" -eq 0 ] || [ \"$rc\" -eq 2 ]"]
+      interval: 10s
+      timeout: 5s
+      retries: 12
+      start_period: 10s
+    networks:
+      - sendico-net
--- a/ci/prod/compose/vault/agent.dev.hcl
+++ b/ci/prod/compose/vault/agent.dev.hcl
@@ -0,0 +1,29 @@
+# Vault Agent for the dev DB stack. AppRole creds are files on the host.
+pid_file = "/tmp/vault-agent.pid"
+
+auto_auth {
+  method "approle" {
+    mount_path = "auth/approle"
+    config = {
+      role_id_file_path   = "/vault/secrets/role_id"
+      secret_id_file_path = "/vault/secrets/secret_id"
+    }
+  }
+  sink "file" { config = { path = "/vault/token" } }
+}
+
+vault { address = "{{ env `VAULT_ADDR` }}" }
+
+template {
+  source      = "/etc/vault/templates/mongo/user.ctmpl"
+  destination = "/vault/secrets/MONGO_INITDB_ROOT_USERNAME"
+}
+template {
+  source      = "/etc/vault/templates/mongo/pass.ctmpl"
+  destination = "/vault/secrets/MONGO_INITDB_ROOT_PASSWORD"
+}
+template {
+  source      = "/etc/vault/templates/mongo/keyfile.ctmpl"
+  destination = "/vault/secrets/mongo.kf"
+  command     = "sh -lc 'chown 999:999 /vault/secrets/mongo.kf && chmod 0400 /vault/secrets/mongo.kf'"
+}
--- a/ci/prod/scripts/deploy/aurora_gateway.sh
+++ b/ci/prod/scripts/deploy/aurora_gateway.sh
@@ -0,0 +1,156 @@
+#!/usr/bin/env bash
+set -euo pipefail
+[[ "${DEBUG_DEPLOY:-0}" = "1" ]] && set -x
+trap 'echo "[deploy-aurora-gateway] error at line $LINENO" >&2' ERR
+
+: "${REMOTE_BASE:?missing REMOTE_BASE}"
+: "${SSH_USER:?missing SSH_USER}"
+: "${SSH_HOST:?missing SSH_HOST}"
+: "${AURORA_GATEWAY_DIR:?missing AURORA_GATEWAY_DIR}"
+: "${AURORA_GATEWAY_COMPOSE_PROJECT:?missing AURORA_GATEWAY_COMPOSE_PROJECT}"
+: "${AURORA_GATEWAY_SERVICE_NAME:?missing AURORA_GATEWAY_SERVICE_NAME}"
+
+REMOTE_DIR="${REMOTE_BASE%/}/${AURORA_GATEWAY_DIR}"
+REMOTE_TARGET="${SSH_USER}@${SSH_HOST}"
+RUNTIME_ENV_FILE="${RUNTIME_ENV_FILE:-ci/prod/.env.runtime}"
+COMPOSE_FILE="aurora_gateway.yml"
+SERVICE_NAMES="${AURORA_GATEWAY_SERVICE_NAME}"
+
+REQUIRED_SECRETS=(
+  AURORA_GATEWAY_MONGO_USER
+  AURORA_GATEWAY_MONGO_PASSWORD
+  NATS_USER
+  NATS_PASSWORD
+  NATS_URL
+)
+
+for var in "${REQUIRED_SECRETS[@]}"; do
+  if [[ -z "${!var:-}" ]]; then
+    echo "missing required secret env: ${var}" >&2
+    exit 65
+  fi
+done
+
+if [[ ! -s .env.version ]]; then
+  echo ".env.version is missing; run version step first" >&2
+  exit 66
+fi
+
+b64enc() {
+  printf '%s' "$1" | base64 | tr -d '\n'
+}
+
+AURORA_GATEWAY_MONGO_USER_B64="$(b64enc "${AURORA_GATEWAY_MONGO_USER}")"
+AURORA_GATEWAY_MONGO_PASSWORD_B64="$(b64enc "${AURORA_GATEWAY_MONGO_PASSWORD}")"
+NATS_USER_B64="$(b64enc "${NATS_USER}")"
+NATS_PASSWORD_B64="$(b64enc "${NATS_PASSWORD}")"
+NATS_URL_B64="$(b64enc "${NATS_URL}")"
+
+SSH_OPTS=(
+  -i /root/.ssh/id_rsa
+  -o StrictHostKeyChecking=no
+  -o UserKnownHostsFile=/dev/null
+  -o LogLevel=ERROR
+  -o BatchMode=yes
+  -o PreferredAuthentications=publickey
+  -o ConnectTimeout=10
+  -q
+)
+if [[ "${DEBUG_DEPLOY:-0}" = "1" ]]; then
+  SSH_OPTS=("${SSH_OPTS[@]/-q/}" -vv)
+fi
+
+RSYNC_FLAGS=(-az --delete)
+[[ "${DEBUG_DEPLOY:-0}" = "1" ]] && RSYNC_FLAGS=(-avz --delete)
+
+ssh "${SSH_OPTS[@]}" "$REMOTE_TARGET" "mkdir -p ${REMOTE_DIR}/{compose,env}"
+
+rsync "${RSYNC_FLAGS[@]}" -e "ssh ${SSH_OPTS[*]}" ci/prod/compose/ "$REMOTE_TARGET:${REMOTE_DIR}/compose/"
+rsync "${RSYNC_FLAGS[@]}" -e "ssh ${SSH_OPTS[*]}" "${RUNTIME_ENV_FILE}" "$REMOTE_TARGET:${REMOTE_DIR}/env/.env.runtime"
+rsync "${RSYNC_FLAGS[@]}" -e "ssh ${SSH_OPTS[*]}" .env.version         "$REMOTE_TARGET:${REMOTE_DIR}/env/.env.version"
+
+SERVICES_LINE="${SERVICE_NAMES}"
+
+ssh "${SSH_OPTS[@]}" "$REMOTE_TARGET" \
+  REMOTE_DIR="$REMOTE_DIR" \
+  COMPOSE_FILE="$COMPOSE_FILE" \
+  COMPOSE_PROJECT="$AURORA_GATEWAY_COMPOSE_PROJECT" \
+  SERVICES_LINE="$SERVICES_LINE" \
+  AURORA_GATEWAY_MONGO_USER_B64="$AURORA_GATEWAY_MONGO_USER_B64" \
+  AURORA_GATEWAY_MONGO_PASSWORD_B64="$AURORA_GATEWAY_MONGO_PASSWORD_B64" \
+  NATS_USER_B64="$NATS_USER_B64" \
+  NATS_PASSWORD_B64="$NATS_PASSWORD_B64" \
+  NATS_URL_B64="$NATS_URL_B64" \
+  bash -s <<'EOSSH'
+set -euo pipefail
+cd "${REMOTE_DIR}/compose"
+set -a
+. ../env/.env.runtime
+load_kv_file() {
+  local file="$1"
+  while IFS= read -r line || [ -n "$line" ]; do
+    case "$line" in
+      ''|\#*) continue ;;
+    esac
+    if printf '%s' "$line" | grep -Eq '^[[:alpha:]_][[:alnum:]_]*='; then
+      local key="${line%%=*}"
+      local value="${line#*=}"
+      key="$(printf '%s' "$key" | tr -d '[:space:]')"
+      value="${value#"${value%%[![:space:]]*}"}"
+      value="${value%"${value##*[![:space:]]}"}"
+      if [[ -n "$key" ]]; then
+        export "$key=$value"
+      fi
+    fi
+  done <"$file"
+}
+load_kv_file ../env/.env.version
+set +a
+
+IMAGE_TAG="${IMAGE_TAG:-${APP_V}-${GIT_REV}}"
+export IMAGE_TAG
+
+if base64 -d >/dev/null 2>&1 <<<'AA=='; then
+  BASE64_DECODE_FLAG='-d'
+else
+  BASE64_DECODE_FLAG='--decode'
+fi
+
+decode_b64() {
+  val="$1"
+  if [[ -z "$val" ]]; then
+    printf ''
+    return
+  fi
+  printf '%s' "$val" | base64 "${BASE64_DECODE_FLAG}"
+}
+
+AURORA_GATEWAY_MONGO_USER="$(decode_b64 "$AURORA_GATEWAY_MONGO_USER_B64")"
+AURORA_GATEWAY_MONGO_PASSWORD="$(decode_b64 "$AURORA_GATEWAY_MONGO_PASSWORD_B64")"
+NATS_USER="$(decode_b64 "$NATS_USER_B64")"
+NATS_PASSWORD="$(decode_b64 "$NATS_PASSWORD_B64")"
+NATS_URL="$(decode_b64 "$NATS_URL_B64")"
+
+export AURORA_GATEWAY_MONGO_USER AURORA_GATEWAY_MONGO_PASSWORD
+export NATS_USER NATS_PASSWORD NATS_URL
+
+COMPOSE_PROJECT_NAME="$COMPOSE_PROJECT"
+export COMPOSE_PROJECT_NAME
+read -r -a SERVICES <<<"${SERVICES_LINE}"
+
+pull_cmd=(docker compose -f "$COMPOSE_FILE" pull)
+up_cmd=(docker compose -f "$COMPOSE_FILE" up -d --remove-orphans)
+ps_cmd=(docker compose -f "$COMPOSE_FILE" ps)
+if [[ "${#SERVICES[@]}" -gt 0 ]]; then
+  pull_cmd+=("${SERVICES[@]}")
+  up_cmd+=("${SERVICES[@]}")
+  ps_cmd+=("${SERVICES[@]}")
+fi
+
+"${pull_cmd[@]}"
+"${up_cmd[@]}"
+"${ps_cmd[@]}"
+
+date -Is > .last_deploy
+logger -t "deploy-${COMPOSE_PROJECT_NAME}" "${COMPOSE_PROJECT_NAME} deployed at $(date -Is) in ${REMOTE_DIR}"
+EOSSH
--- a/ci/prod/scripts/deploy/bff.sh
+++ b/ci/prod/scripts/deploy/bff.sh
@@ -20,8 +20,6 @@ REQUIRED_SECRETS=(
  MONGO_USER
  MONGO_PASSWORD
  API_ENDPOINT_SECRET
-  BFF_VAULT_ROLE_ID
-  BFF_VAULT_SECRET_ID
  NATS_USER
  NATS_PASSWORD
  NATS_URL
@@ -46,8 +44,8 @@ b64enc() {
 MONGO_USER_B64="$(b64enc "${MONGO_USER}")"
 MONGO_PASSWORD_B64="$(b64enc "${MONGO_PASSWORD}")"
 API_ENDPOINT_SECRET_B64="$(b64enc "${API_ENDPOINT_SECRET}")"
-BFF_VAULT_ROLE_ID_B64="$(b64enc "${BFF_VAULT_ROLE_ID}")"
-BFF_VAULT_SECRET_ID_B64="$(b64enc "${BFF_VAULT_SECRET_ID}")"
+BFF_VAULT_ROLE_ID_B64="$(b64enc "${BFF_VAULT_ROLE_ID:-}")"
+BFF_VAULT_SECRET_ID_B64="$(b64enc "${BFF_VAULT_SECRET_ID:-}")"
 NATS_USER_B64="$(b64enc "${NATS_USER}")"
 NATS_PASSWORD_B64="$(b64enc "${NATS_PASSWORD}")"
 NATS_URL_B64="$(b64enc "${NATS_URL}")"
@@ -114,6 +112,9 @@ load_kv_file() {
  done <"$file"
 }
 load_kv_file ../env/.env.version
+if [[ -f ../env/vault.env ]]; then
+  load_kv_file ../env/vault.env
+fi
 set +a

 IMAGE_TAG="${IMAGE_TAG:-${APP_V}-${GIT_REV}}"
@@ -146,6 +147,10 @@ NATS_URL="$(decode_b64 "$NATS_URL_B64")"
 export MONGO_USER MONGO_PASSWORD API_ENDPOINT_SECRET
 export BFF_VAULT_ROLE_ID BFF_VAULT_SECRET_ID
 export NATS_USER NATS_PASSWORD NATS_URL
+if [[ -z "${BFF_VAULT_ROLE_ID:-}" || -z "${BFF_VAULT_SECRET_ID:-}" ]]; then
+  echo "missing required secret env: BFF_VAULT_ROLE_ID/BFF_VAULT_SECRET_ID" >&2
+  exit 65
+fi
 COMPOSE_PROJECT_NAME="$COMPOSE_PROJECT"
 export COMPOSE_PROJECT_NAME
 read -r -a SERVICES <<<"${SERVICES_LINE}"
--- a/ci/prod/scripts/deploy/callbacks.sh
+++ b/ci/prod/scripts/deploy/callbacks.sh
@@ -19,8 +19,6 @@ SERVICE_NAMES="${CALLBACKS_SERVICE_NAME}"
 REQUIRED_SECRETS=(
  CALLBACKS_MONGO_USER
  CALLBACKS_MONGO_PASSWORD
-  CALLBACKS_VAULT_ROLE_ID
-  CALLBACKS_VAULT_SECRET_ID
  NATS_USER
  NATS_PASSWORD
  NATS_URL
@@ -44,8 +42,8 @@ b64enc() {

 CALLBACKS_MONGO_USER_B64="$(b64enc "${CALLBACKS_MONGO_USER}")"
 CALLBACKS_MONGO_PASSWORD_B64="$(b64enc "${CALLBACKS_MONGO_PASSWORD}")"
-CALLBACKS_VAULT_ROLE_ID_B64="$(b64enc "${CALLBACKS_VAULT_ROLE_ID}")"
-CALLBACKS_VAULT_SECRET_ID_B64="$(b64enc "${CALLBACKS_VAULT_SECRET_ID}")"
+CALLBACKS_VAULT_ROLE_ID_B64="$(b64enc "${CALLBACKS_VAULT_ROLE_ID:-}")"
+CALLBACKS_VAULT_SECRET_ID_B64="$(b64enc "${CALLBACKS_VAULT_SECRET_ID:-}")"
 NATS_USER_B64="$(b64enc "${NATS_USER}")"
 NATS_PASSWORD_B64="$(b64enc "${NATS_PASSWORD}")"
 NATS_URL_B64="$(b64enc "${NATS_URL}")"
@@ -111,6 +109,9 @@ load_kv_file() {
  done <"$file"
 }
 load_kv_file ../env/.env.version
+if [[ -f ../env/vault.env ]]; then
+  load_kv_file ../env/vault.env
+fi
 set +a

 IMAGE_TAG="${IMAGE_TAG:-${APP_V}-${GIT_REV}}"
@@ -142,6 +143,10 @@ NATS_URL="$(decode_b64 "$NATS_URL_B64")"
 export CALLBACKS_MONGO_USER CALLBACKS_MONGO_PASSWORD
 export CALLBACKS_VAULT_ROLE_ID CALLBACKS_VAULT_SECRET_ID
 export NATS_USER NATS_PASSWORD NATS_URL
+if [[ -z "${CALLBACKS_VAULT_ROLE_ID:-}" || -z "${CALLBACKS_VAULT_SECRET_ID:-}" ]]; then
+  echo "missing required secret env: CALLBACKS_VAULT_ROLE_ID/CALLBACKS_VAULT_SECRET_ID" >&2
+  exit 65
+fi
 COMPOSE_PROJECT_NAME="$COMPOSE_PROJECT"
 export COMPOSE_PROJECT_NAME
 read -r -a SERVICES <<<"${SERVICES_LINE}"
--- a/ci/prod/scripts/deploy/chain_gateway.sh
+++ b/ci/prod/scripts/deploy/chain_gateway.sh
@@ -22,8 +22,6 @@ REQUIRED_SECRETS=(
  CHAIN_GATEWAY_RPC_URL
  CHAIN_GATEWAY_SERVICE_WALLET_KEY
  CHAIN_GATEWAY_SERVICE_WALLET_ADDRESS
-  CHAIN_GATEWAY_VAULT_ROLE_ID
-  CHAIN_GATEWAY_VAULT_SECRET_ID
  NATS_USER
  NATS_PASSWORD
  NATS_URL
@@ -50,8 +48,8 @@ CHAIN_GATEWAY_MONGO_PASSWORD_B64="$(b64enc "${CHAIN_GATEWAY_MONGO_PASSWORD}")"
 CHAIN_GATEWAY_RPC_URL_B64="$(b64enc "${CHAIN_GATEWAY_RPC_URL}")"
 CHAIN_GATEWAY_SERVICE_WALLET_KEY_B64="$(b64enc "${CHAIN_GATEWAY_SERVICE_WALLET_KEY}")"
 CHAIN_GATEWAY_SERVICE_WALLET_ADDRESS_B64="$(b64enc "${CHAIN_GATEWAY_SERVICE_WALLET_ADDRESS}")"
-CHAIN_GATEWAY_VAULT_ROLE_ID_B64="$(b64enc "${CHAIN_GATEWAY_VAULT_ROLE_ID}")"
-CHAIN_GATEWAY_VAULT_SECRET_ID_B64="$(b64enc "${CHAIN_GATEWAY_VAULT_SECRET_ID}")"
+CHAIN_GATEWAY_VAULT_ROLE_ID_B64="$(b64enc "${CHAIN_GATEWAY_VAULT_ROLE_ID:-}")"
+CHAIN_GATEWAY_VAULT_SECRET_ID_B64="$(b64enc "${CHAIN_GATEWAY_VAULT_SECRET_ID:-}")"
 NATS_USER_B64="$(b64enc "${NATS_USER}")"
 NATS_PASSWORD_B64="$(b64enc "${NATS_PASSWORD}")"
 NATS_URL_B64="$(b64enc "${NATS_URL}")"
@@ -120,6 +118,9 @@ load_kv_file() {
  done <"$file"
 }
 load_kv_file ../env/.env.version
+if [[ -f ../env/vault.env ]]; then
+  load_kv_file ../env/vault.env
+fi
 set +a

 IMAGE_TAG="${IMAGE_TAG:-${APP_V}-${GIT_REV}}"
@@ -156,6 +157,10 @@ export CHAIN_GATEWAY_RPC_URL
 export CHAIN_GATEWAY_SERVICE_WALLET_KEY CHAIN_GATEWAY_SERVICE_WALLET_ADDRESS
 export CHAIN_GATEWAY_VAULT_ROLE_ID CHAIN_GATEWAY_VAULT_SECRET_ID
 export NATS_USER NATS_PASSWORD NATS_URL
+if [[ -z "${CHAIN_GATEWAY_VAULT_ROLE_ID:-}" || -z "${CHAIN_GATEWAY_VAULT_SECRET_ID:-}" ]]; then
+  echo "missing required secret env: CHAIN_GATEWAY_VAULT_ROLE_ID/CHAIN_GATEWAY_VAULT_SECRET_ID" >&2
+  exit 65
+fi

 COMPOSE_PROJECT_NAME="$COMPOSE_PROJECT"
 export COMPOSE_PROJECT_NAME
--- a/ci/prod/scripts/deploy/chsettle_gateway.sh
+++ b/ci/prod/scripts/deploy/chsettle_gateway.sh
@@ -0,0 +1,156 @@
+#!/usr/bin/env bash
+set -euo pipefail
+[[ "${DEBUG_DEPLOY:-0}" = "1" ]] && set -x
+trap 'echo "[deploy-chsettle-gateway] error at line $LINENO" >&2' ERR
+
+: "${REMOTE_BASE:?missing REMOTE_BASE}"
+: "${SSH_USER:?missing SSH_USER}"
+: "${SSH_HOST:?missing SSH_HOST}"
+: "${CHSETTLE_GATEWAY_DIR:?missing CHSETTLE_GATEWAY_DIR}"
+: "${CHSETTLE_GATEWAY_COMPOSE_PROJECT:?missing CHSETTLE_GATEWAY_COMPOSE_PROJECT}"
+: "${CHSETTLE_GATEWAY_SERVICE_NAME:?missing CHSETTLE_GATEWAY_SERVICE_NAME}"
+
+REMOTE_DIR="${REMOTE_BASE%/}/${CHSETTLE_GATEWAY_DIR}"
+REMOTE_TARGET="${SSH_USER}@${SSH_HOST}"
+RUNTIME_ENV_FILE="${RUNTIME_ENV_FILE:-ci/prod/.env.runtime}"
+COMPOSE_FILE="chsettle_gateway.yml"
+SERVICE_NAMES="${CHSETTLE_GATEWAY_SERVICE_NAME}"
+
+REQUIRED_SECRETS=(
+  CHSETTLE_GATEWAY_MONGO_USER
+  CHSETTLE_GATEWAY_MONGO_PASSWORD
+  NATS_USER
+  NATS_PASSWORD
+  NATS_URL
+)
+
+for var in "${REQUIRED_SECRETS[@]}"; do
+  if [[ -z "${!var:-}" ]]; then
+    echo "missing required secret env: ${var}" >&2
+    exit 65
+  fi
+done
+
+if [[ ! -s .env.version ]]; then
+  echo ".env.version is missing; run version step first" >&2
+  exit 66
+fi
+
+b64enc() {
+  printf '%s' "$1" | base64 | tr -d '\n'
+}
+
+CHSETTLE_GATEWAY_MONGO_USER_B64="$(b64enc "${CHSETTLE_GATEWAY_MONGO_USER}")"
+CHSETTLE_GATEWAY_MONGO_PASSWORD_B64="$(b64enc "${CHSETTLE_GATEWAY_MONGO_PASSWORD}")"
+NATS_USER_B64="$(b64enc "${NATS_USER}")"
+NATS_PASSWORD_B64="$(b64enc "${NATS_PASSWORD}")"
+NATS_URL_B64="$(b64enc "${NATS_URL}")"
+
+SSH_OPTS=(
+  -i /root/.ssh/id_rsa
+  -o StrictHostKeyChecking=no
+  -o UserKnownHostsFile=/dev/null
+  -o LogLevel=ERROR
+  -o BatchMode=yes
+  -o PreferredAuthentications=publickey
+  -o ConnectTimeout=10
+  -q
+)
+if [[ "${DEBUG_DEPLOY:-0}" = "1" ]]; then
+  SSH_OPTS=("${SSH_OPTS[@]/-q/}" -vv)
+fi
+
+RSYNC_FLAGS=(-az --delete)
+[[ "${DEBUG_DEPLOY:-0}" = "1" ]] && RSYNC_FLAGS=(-avz --delete)
+
+ssh "${SSH_OPTS[@]}" "$REMOTE_TARGET" "mkdir -p ${REMOTE_DIR}/{compose,env}"
+
+rsync "${RSYNC_FLAGS[@]}" -e "ssh ${SSH_OPTS[*]}" ci/prod/compose/ "$REMOTE_TARGET:${REMOTE_DIR}/compose/"
+rsync "${RSYNC_FLAGS[@]}" -e "ssh ${SSH_OPTS[*]}" "${RUNTIME_ENV_FILE}" "$REMOTE_TARGET:${REMOTE_DIR}/env/.env.runtime"
+rsync "${RSYNC_FLAGS[@]}" -e "ssh ${SSH_OPTS[*]}" .env.version         "$REMOTE_TARGET:${REMOTE_DIR}/env/.env.version"
+
+SERVICES_LINE="${SERVICE_NAMES}"
+
+ssh "${SSH_OPTS[@]}" "$REMOTE_TARGET" \
+  REMOTE_DIR="$REMOTE_DIR" \
+  COMPOSE_FILE="$COMPOSE_FILE" \
+  COMPOSE_PROJECT="$CHSETTLE_GATEWAY_COMPOSE_PROJECT" \
+  SERVICES_LINE="$SERVICES_LINE" \
+  CHSETTLE_GATEWAY_MONGO_USER_B64="$CHSETTLE_GATEWAY_MONGO_USER_B64" \
+  CHSETTLE_GATEWAY_MONGO_PASSWORD_B64="$CHSETTLE_GATEWAY_MONGO_PASSWORD_B64" \
+  NATS_USER_B64="$NATS_USER_B64" \
+  NATS_PASSWORD_B64="$NATS_PASSWORD_B64" \
+  NATS_URL_B64="$NATS_URL_B64" \
+  bash -s <<'EOSSH'
+set -euo pipefail
+cd "${REMOTE_DIR}/compose"
+set -a
+. ../env/.env.runtime
+load_kv_file() {
+  local file="$1"
+  while IFS= read -r line || [ -n "$line" ]; do
+    case "$line" in
+      ''|\#*) continue ;;
+    esac
+    if printf '%s' "$line" | grep -Eq '^[[:alpha:]_][[:alnum:]_]*='; then
+      local key="${line%%=*}"
+      local value="${line#*=}"
+      key="$(printf '%s' "$key" | tr -d '[:space:]')"
+      value="${value#"${value%%[![:space:]]*}"}"
+      value="${value%"${value##*[![:space:]]}"}"
+      if [[ -n "$key" ]]; then
+        export "$key=$value"
+      fi
+    fi
+  done <"$file"
+}
+load_kv_file ../env/.env.version
+set +a
+
+IMAGE_TAG="${IMAGE_TAG:-${APP_V}-${GIT_REV}}"
+export IMAGE_TAG
+
+if base64 -d >/dev/null 2>&1 <<<'AA=='; then
+  BASE64_DECODE_FLAG='-d'
+else
+  BASE64_DECODE_FLAG='--decode'
+fi
+
+decode_b64() {
+  val="$1"
+  if [[ -z "$val" ]]; then
+    printf ''
+    return
+  fi
+  printf '%s' "$val" | base64 "${BASE64_DECODE_FLAG}"
+}
+
+CHSETTLE_GATEWAY_MONGO_USER="$(decode_b64 "$CHSETTLE_GATEWAY_MONGO_USER_B64")"
+CHSETTLE_GATEWAY_MONGO_PASSWORD="$(decode_b64 "$CHSETTLE_GATEWAY_MONGO_PASSWORD_B64")"
+NATS_USER="$(decode_b64 "$NATS_USER_B64")"
+NATS_PASSWORD="$(decode_b64 "$NATS_PASSWORD_B64")"
+NATS_URL="$(decode_b64 "$NATS_URL_B64")"
+
+export CHSETTLE_GATEWAY_MONGO_USER CHSETTLE_GATEWAY_MONGO_PASSWORD
+export NATS_USER NATS_PASSWORD NATS_URL
+
+COMPOSE_PROJECT_NAME="$COMPOSE_PROJECT"
+export COMPOSE_PROJECT_NAME
+read -r -a SERVICES <<<"${SERVICES_LINE}"
+
+pull_cmd=(docker compose -f "$COMPOSE_FILE" pull)
+up_cmd=(docker compose -f "$COMPOSE_FILE" up -d --remove-orphans)
+ps_cmd=(docker compose -f "$COMPOSE_FILE" ps)
+if [[ "${#SERVICES[@]}" -gt 0 ]]; then
+  pull_cmd+=("${SERVICES[@]}")
+  up_cmd+=("${SERVICES[@]}")
+  ps_cmd+=("${SERVICES[@]}")
+fi
+
+"${pull_cmd[@]}"
+"${up_cmd[@]}"
+"${ps_cmd[@]}"
+
+date -Is > .last_deploy
+logger -t "deploy-${COMPOSE_PROJECT_NAME}" "${COMPOSE_PROJECT_NAME} deployed at $(date -Is) in ${REMOTE_DIR}"
+EOSSH
--- a/ci/prod/scripts/deploy/db.sh
+++ b/ci/prod/scripts/deploy/db.sh
@@ -16,6 +16,7 @@ trap 'echo "[deploy-db] error at line $LINENO" >&2' ERR
 REMOTE_DIR="${REMOTE_BASE%/}/${DB_DIR}"
 REMOTE_TARGET="${SSH_USER}@${SSH_HOST}"
 RUNTIME_ENV_FILE="${RUNTIME_ENV_FILE:-ci/prod/.env.runtime}"
+COMPOSE_FILE="${DB_COMPOSE_FILE:-db.yml}"

 # SSH options: quiet by default; add -vv in debug mode
 SSH_OPTS=(
@@ -47,6 +48,7 @@ rsync "${RSYNC_FLAGS[@]}" -e "ssh ${SSH_OPTS[*]}" "${RUNTIME_ENV_FILE}" "$REMOTE
 # The vault-agent container writes them into tmpfs and unsets them internally.
 ssh "${SSH_OPTS[@]}" "$REMOTE_TARGET" \
  REMOTE_DIR="$REMOTE_DIR" \
+  COMPOSE_FILE="$COMPOSE_FILE" \
  VAULT_ROLE_ID="$VAULT_ROLE_ID" \
  VAULT_SECRET_ID="$VAULT_SECRET_ID" \
  bash -s <<'EOSSH'
@@ -56,12 +58,12 @@ set -a; . ../env/.env.runtime; set +a
 COMPOSE_PROJECT_NAME="${DB_COMPOSE_PROJECT:-sendico-db}"
 export COMPOSE_PROJECT_NAME
 # Run with ephemeral AppRole env (scoped only to these commands)
-VAULT_ROLE_ID="${VAULT_ROLE_ID}" VAULT_SECRET_ID="${VAULT_SECRET_ID}" docker compose -f db.yml pull --quiet 2>/dev/null || \
-VAULT_ROLE_ID="${VAULT_ROLE_ID}" VAULT_SECRET_ID="${VAULT_SECRET_ID}" docker compose -f db.yml pull
+VAULT_ROLE_ID="${VAULT_ROLE_ID}" VAULT_SECRET_ID="${VAULT_SECRET_ID}" docker compose -f "${COMPOSE_FILE}" pull --quiet 2>/dev/null || \
+VAULT_ROLE_ID="${VAULT_ROLE_ID}" VAULT_SECRET_ID="${VAULT_SECRET_ID}" docker compose -f "${COMPOSE_FILE}" pull

-VAULT_ROLE_ID="${VAULT_ROLE_ID}" VAULT_SECRET_ID="${VAULT_SECRET_ID}" docker compose -f db.yml up -d --remove-orphans
+VAULT_ROLE_ID="${VAULT_ROLE_ID}" VAULT_SECRET_ID="${VAULT_SECRET_ID}" docker compose -f "${COMPOSE_FILE}" up -d --remove-orphans

-docker compose -f db.yml ps
+docker compose -f "${COMPOSE_FILE}" ps
 date -Is > .last_deploy
 logger -t deploy-db "db deployed at $(date -Is) in ${REMOTE_DIR}"
 EOSSH
--- a/ci/prod/scripts/deploy/tron_gateway.sh
+++ b/ci/prod/scripts/deploy/tron_gateway.sh
@@ -22,8 +22,6 @@ REQUIRED_SECRETS=(
  TRON_GATEWAY_RPC_URL
  TRON_GATEWAY_SERVICE_WALLET_KEY
  TRON_GATEWAY_SERVICE_WALLET_ADDRESS
-  TRON_GATEWAY_VAULT_ROLE_ID
-  TRON_GATEWAY_VAULT_SECRET_ID
  NATS_USER
  NATS_PASSWORD
  NATS_URL
@@ -52,8 +50,8 @@ TRON_GATEWAY_GRPC_URL_B64="$(b64enc "${TRON_GATEWAY_GRPC_URL:-}")"
 TRON_GATEWAY_GRPC_TOKEN_B64="$(b64enc "${TRON_GATEWAY_GRPC_TOKEN:-}")"
 TRON_GATEWAY_SERVICE_WALLET_KEY_B64="$(b64enc "${TRON_GATEWAY_SERVICE_WALLET_KEY}")"
 TRON_GATEWAY_SERVICE_WALLET_ADDRESS_B64="$(b64enc "${TRON_GATEWAY_SERVICE_WALLET_ADDRESS}")"
-TRON_GATEWAY_VAULT_ROLE_ID_B64="$(b64enc "${TRON_GATEWAY_VAULT_ROLE_ID}")"
-TRON_GATEWAY_VAULT_SECRET_ID_B64="$(b64enc "${TRON_GATEWAY_VAULT_SECRET_ID}")"
+TRON_GATEWAY_VAULT_ROLE_ID_B64="$(b64enc "${TRON_GATEWAY_VAULT_ROLE_ID:-}")"
+TRON_GATEWAY_VAULT_SECRET_ID_B64="$(b64enc "${TRON_GATEWAY_VAULT_SECRET_ID:-}")"
 NATS_USER_B64="$(b64enc "${NATS_USER}")"
 NATS_PASSWORD_B64="$(b64enc "${NATS_PASSWORD}")"
 NATS_URL_B64="$(b64enc "${NATS_URL}")"
@@ -124,6 +122,9 @@ load_kv_file() {
  done <"$file"
 }
 load_kv_file ../env/.env.version
+if [[ -f ../env/vault.env ]]; then
+  load_kv_file ../env/vault.env
+fi
 set +a

 IMAGE_TAG="${IMAGE_TAG:-${APP_V}-${GIT_REV}}"
@@ -162,6 +163,10 @@ export TRON_GATEWAY_RPC_URL TRON_GATEWAY_GRPC_URL TRON_GATEWAY_GRPC_TOKEN
 export TRON_GATEWAY_SERVICE_WALLET_KEY TRON_GATEWAY_SERVICE_WALLET_ADDRESS
 export TRON_GATEWAY_VAULT_ROLE_ID TRON_GATEWAY_VAULT_SECRET_ID
 export NATS_USER NATS_PASSWORD NATS_URL
+if [[ -z "${TRON_GATEWAY_VAULT_ROLE_ID:-}" || -z "${TRON_GATEWAY_VAULT_SECRET_ID:-}" ]]; then
+  echo "missing required secret env: TRON_GATEWAY_VAULT_ROLE_ID/TRON_GATEWAY_VAULT_SECRET_ID" >&2
+  exit 65
+fi

 COMPOSE_PROJECT_NAME="$COMPOSE_PROJECT"
 export COMPOSE_PROJECT_NAME
--- a/ci/prod/scripts/deploy/vault.sh
+++ b/ci/prod/scripts/deploy/vault.sh
@@ -0,0 +1,140 @@
+#!/usr/bin/env bash
+set -euo pipefail
+[[ "${DEBUG_DEPLOY:-0}" = "1" ]] && set -x
+trap 'echo "[deploy-vault] error at line $LINENO" >&2' ERR
+
+: "${REMOTE_BASE:?missing REMOTE_BASE}"
+: "${SSH_USER:?missing SSH_USER}"
+: "${SSH_HOST:?missing SSH_HOST}"
+: "${VAULT_DIR:?missing VAULT_DIR}"
+: "${VAULT_COMPOSE_PROJECT:?missing VAULT_COMPOSE_PROJECT}"
+
+REMOTE_DIR="${REMOTE_BASE%/}/${VAULT_DIR}"
+REMOTE_TARGET="${SSH_USER}@${SSH_HOST}"
+RUNTIME_ENV_FILE="${RUNTIME_ENV_FILE:-ci/prod/.env.runtime}"
+COMPOSE_FILE="vault.yml"
+
+SSH_OPTS=(
+  -i /root/.ssh/id_rsa
+  -o StrictHostKeyChecking=no
+  -o UserKnownHostsFile=/dev/null
+  -o LogLevel=ERROR
+  -o BatchMode=yes
+  -o PreferredAuthentications=publickey
+  -o ConnectTimeout=10
+  -q
+)
+if [[ "${DEBUG_DEPLOY:-0}" = "1" ]]; then
+  SSH_OPTS=("${SSH_OPTS[@]/-q/}" -vv)
+fi
+
+RSYNC_FLAGS=(-az --delete)
+[[ "${DEBUG_DEPLOY:-0}" = "1" ]] && RSYNC_FLAGS=(-avz --delete)
+
+ssh "${SSH_OPTS[@]}" "$REMOTE_TARGET" "mkdir -p ${REMOTE_DIR}/{compose,env}"
+
+rsync "${RSYNC_FLAGS[@]}" -e "ssh ${SSH_OPTS[*]}" ci/prod/compose/ "$REMOTE_TARGET:${REMOTE_DIR}/compose/"
+rsync "${RSYNC_FLAGS[@]}" -e "ssh ${SSH_OPTS[*]}" "${RUNTIME_ENV_FILE}" "$REMOTE_TARGET:${REMOTE_DIR}/env/.env.runtime"
+
+ssh "${SSH_OPTS[@]}" "$REMOTE_TARGET" \
+  REMOTE_BASE="$REMOTE_BASE" \
+  REMOTE_DIR="$REMOTE_DIR" \
+  COMPOSE_FILE="$COMPOSE_FILE" \
+  COMPOSE_PROJECT="$VAULT_COMPOSE_PROJECT" \
+  bash -s <<'EOSSH'
+set -euo pipefail
+cd "${REMOTE_DIR}/compose"
+set -a
+. ../env/.env.runtime
+set +a
+
+COMPOSE_PROJECT_NAME="$COMPOSE_PROJECT"
+export COMPOSE_PROJECT_NAME
+
+docker compose -f "$COMPOSE_FILE" pull --quiet 2>/dev/null || docker compose -f "$COMPOSE_FILE" pull
+docker compose -f "$COMPOSE_FILE" up -d --remove-orphans
+
+status_json=""
+for _ in $(seq 1 30); do
+  status_json="$(docker exec dev-vault sh -lc 'export VAULT_ADDR=http://127.0.0.1:8200; vault status -format=json' 2>/dev/null || true)"
+  if [[ -n "$status_json" ]]; then
+    break
+  fi
+  sleep 2
+done
+
+if [[ -z "$status_json" ]]; then
+  echo "vault status did not become available" >&2
+  exit 65
+fi
+
+INIT_FILE="../env/vault-init.json"
+if printf '%s' "$status_json" | grep -Eq '"initialized"[[:space:]]*:[[:space:]]*false'; then
+  docker exec dev-vault sh -lc 'export VAULT_ADDR=http://127.0.0.1:8200; vault operator init -format=json -key-shares=1 -key-threshold=1' >"$INIT_FILE"
+  chmod 600 "$INIT_FILE"
+  status_json="$(docker exec dev-vault sh -lc 'export VAULT_ADDR=http://127.0.0.1:8200; vault status -format=json')"
+fi
+
+if [[ ! -s "$INIT_FILE" ]]; then
+  echo "vault init file is missing: $INIT_FILE" >&2
+  exit 66
+fi
+
+INIT_JSON_COMPACT="$(tr -d '\r\n\t ' <"$INIT_FILE")"
+UNSEAL_KEY="$(printf '%s' "$INIT_JSON_COMPACT" | sed -n 's/.*"unseal_keys_b64":\["\([^"]*\)".*/\1/p')"
+ROOT_TOKEN="$(printf '%s' "$INIT_JSON_COMPACT" | sed -n 's/.*"root_token":"\([^"]*\)".*/\1/p')"
+
+if [[ -z "$UNSEAL_KEY" || -z "$ROOT_TOKEN" ]]; then
+  echo "failed to extract vault init credentials" >&2
+  exit 67
+fi
+
+if printf '%s' "$status_json" | grep -Eq '"sealed"[[:space:]]*:[[:space:]]*true'; then
+  docker exec dev-vault sh -lc "export VAULT_ADDR=http://127.0.0.1:8200; vault operator unseal '${UNSEAL_KEY}' >/dev/null"
+fi
+
+docker exec dev-vault sh -lc "export VAULT_ADDR=http://127.0.0.1:8200 VAULT_TOKEN='${ROOT_TOKEN}'; vault auth list -format=json | grep -q '\"approle/\"' || vault auth enable approle >/dev/null"
+docker exec dev-vault sh -lc "export VAULT_ADDR=http://127.0.0.1:8200 VAULT_TOKEN='${ROOT_TOKEN}'; vault secrets list -format=json | grep -q '\"kv/\"' || vault secrets enable -path=kv kv-v2 >/dev/null"
+
+docker exec -i dev-vault sh -lc "export VAULT_ADDR=http://127.0.0.1:8200 VAULT_TOKEN='${ROOT_TOKEN}'; vault policy write sendico-dev-apps -" <<'EOF'
+path "kv/data/*" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "kv/metadata/*" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+EOF
+
+docker exec dev-vault sh -lc "export VAULT_ADDR=http://127.0.0.1:8200 VAULT_TOKEN='${ROOT_TOKEN}'; vault write auth/approle/role/sendico-dev-apps token_policies='sendico-dev-apps' token_ttl='24h' token_max_ttl='720h' >/dev/null"
+
+APPROLE_ROLE_ID="$(docker exec dev-vault sh -lc "export VAULT_ADDR=http://127.0.0.1:8200 VAULT_TOKEN='${ROOT_TOKEN}'; vault read -field=role_id auth/approle/role/sendico-dev-apps/role-id")"
+APPROLE_SECRET_ID="$(docker exec dev-vault sh -lc "export VAULT_ADDR=http://127.0.0.1:8200 VAULT_TOKEN='${ROOT_TOKEN}'; vault write -force -field=secret_id auth/approle/role/sendico-dev-apps/secret-id")"
+
+if [[ -z "$APPROLE_ROLE_ID" || -z "$APPROLE_SECRET_ID" ]]; then
+  echo "failed to create dev approle credentials" >&2
+  exit 68
+fi
+
+write_vault_env() {
+  local service_dir="$1"
+  local role_var="$2"
+  local secret_var="$3"
+  local env_dir="${REMOTE_BASE%/}/${service_dir}/env"
+  mkdir -p "$env_dir"
+  cat >"${env_dir}/vault.env" <<EOF
+${role_var}=${APPROLE_ROLE_ID}
+${secret_var}=${APPROLE_SECRET_ID}
+EOF
+  chmod 600 "${env_dir}/vault.env"
+}
+
+write_vault_env "${BFF_DIR}" "BFF_VAULT_ROLE_ID" "BFF_VAULT_SECRET_ID"
+write_vault_env "${CALLBACKS_DIR}" "CALLBACKS_VAULT_ROLE_ID" "CALLBACKS_VAULT_SECRET_ID"
+write_vault_env "${CHAIN_GATEWAY_DIR}" "CHAIN_GATEWAY_VAULT_ROLE_ID" "CHAIN_GATEWAY_VAULT_SECRET_ID"
+write_vault_env "${TRON_GATEWAY_DIR}" "TRON_GATEWAY_VAULT_ROLE_ID" "TRON_GATEWAY_VAULT_SECRET_ID"
+
+docker compose -f "$COMPOSE_FILE" ps
+date -Is > .last_deploy
+logger -t "deploy-${COMPOSE_PROJECT_NAME}" "${COMPOSE_PROJECT_NAME} deployed at $(date -Is) in ${REMOTE_DIR}"
+EOSSH