.woodpecker/gateway_aurora.yml

@@ -0,0 +1,99 @@
+matrix:
+  include:
+    - AURORA_GATEWAY_IMAGE_PATH: gateway/aurora
+      AURORA_GATEWAY_DOCKERFILE: ci/prod/compose/aurora_gateway.dockerfile
+      AURORA_GATEWAY_MONGO_SECRET_PATH: sendico/db
+      AURORA_GATEWAY_NATS_SECRET_PATH: sendico/nats
+
+labels:
+  platform: linux/amd64
+
+when:
+  - event: push
+    branch: main
+    path:
+      include:
+        - api/gateway/aurora/**
+        - api/gateway/common/**
+        - api/proto/**
+        - api/pkg/**
+        - ci/**
+        - .woodpecker/gateway_aurora.yml
+
+steps:
+  - name: version
+    image: alpine:latest
+    commands:
+      - set -euo pipefail 2>/dev/null || set -eu
+      - apk add --no-cache git
+      - GIT_REV="$(git rev-parse --short HEAD)"
+      - BUILD_BRANCH="$(git rev-parse --abbrev-ref HEAD)"
+      - APP_V="$(cat version)"
+      - BUILD_DATE="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+      - BUILD_USER="${WOODPECKER_MACHINE:-woodpecker}"
+      - printf "GIT_REV=%s\nBUILD_BRANCH=%s\nAPP_V=%s\nBUILD_DATE=%s\nBUILD_USER=%s\n" \
+          "$GIT_REV" "$BUILD_BRANCH" "$APP_V" "$BUILD_DATE" "$BUILD_USER" | tee .env.version
+
+  - name: proto
+    image: golang:alpine
+    depends_on: [ version ]
+    commands:
+      - set -eu
+      - apk add --no-cache bash git build-base protoc protobuf-dev
+      - go install google.golang.org/protobuf/cmd/protoc-gen-go@latest
+      - go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
+      - export PATH="$(go env GOPATH)/bin:$PATH"
+      - bash ci/scripts/proto/generate.sh
+
+  - name: backend-lint
+    image: golang:alpine
+    depends_on: [ proto ]
+    commands:
+      - set -eu
+      - apk add --no-cache bash git build-base
+      - CGO_ENABLED=0 go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
+      - export PATH="$(go env GOPATH)/bin:$PATH"
+      - sh ci/scripts/common/run_backend_lint.sh gateway_aurora
+
+  - name: backend-tests
+    image: golang:alpine
+    depends_on: [ proto ]
+    commands:
+      - set -eu
+      - apk add --no-cache bash git build-base
+      - sh ci/scripts/common/run_backend_tests.sh gateway_aurora
+
+  - name: secrets
+    image: alpine:latest
+    depends_on: [ version ]
+    environment:
+      VAULT_ADDR: { from_secret: VAULT_ADDR }
+      VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }
+      VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
+    commands:
+      - set -euo pipefail
+      - apk add --no-cache bash coreutils openssh-keygen curl sed python3
+      - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
+      - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
+      - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
+
+  - name: build-image
+    image: gcr.io/kaniko-project/executor:debug
+    depends_on: [ backend-lint, backend-tests, secrets ]
+    commands:
+      - '[ "$(uname -m)" = "x86_64" ] || { echo "image build requires an amd64 runner"; exit 1; }'
+      - sh ci/scripts/aurora/build-image.sh
+
+  - name: deploy
+    image: alpine:latest
+    depends_on: [ secrets, build-image ]
+    environment:
+      VAULT_ADDR: { from_secret: VAULT_ADDR }
+      VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }
+      VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
+    commands:
+      - set -euo pipefail
+      - apk add --no-cache bash openssh-client rsync coreutils curl sed python3
+      - mkdir -p /root/.ssh
+      - install -m 600 secrets/SSH_KEY /root/.ssh/id_rsa
+      - sh ci/scripts/aurora/deploy.sh

.woodpecker/gateway_chsettle.yml

@@ -0,0 +1,99 @@
+matrix:
+  include:
+    - CHSETTLE_GATEWAY_IMAGE_PATH: gateway/chsettle
+      CHSETTLE_GATEWAY_DOCKERFILE: ci/prod/compose/chsettle_gateway.dockerfile
+      CHSETTLE_GATEWAY_MONGO_SECRET_PATH: sendico/db
+      CHSETTLE_GATEWAY_NATS_SECRET_PATH: sendico/nats
+
+labels:
+  platform: linux/amd64
+
+when:
+  - event: push
+    branch: main
+    path:
+      include:
+        - api/gateway/chsettle/**
+        - api/gateway/common/**
+        - api/proto/**
+        - api/pkg/**
+        - ci/**
+        - .woodpecker/gateway_chsettle.yml
+
+steps:
+  - name: version
+    image: alpine:latest
+    commands:
+      - set -euo pipefail 2>/dev/null || set -eu
+      - apk add --no-cache git
+      - GIT_REV="$(git rev-parse --short HEAD)"
+      - BUILD_BRANCH="$(git rev-parse --abbrev-ref HEAD)"
+      - APP_V="$(cat version)"
+      - BUILD_DATE="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+      - BUILD_USER="${WOODPECKER_MACHINE:-woodpecker}"
+      - printf "GIT_REV=%s\nBUILD_BRANCH=%s\nAPP_V=%s\nBUILD_DATE=%s\nBUILD_USER=%s\n" \
+          "$GIT_REV" "$BUILD_BRANCH" "$APP_V" "$BUILD_DATE" "$BUILD_USER" | tee .env.version
+
+  - name: proto
+    image: golang:alpine
+    depends_on: [ version ]
+    commands:
+      - set -eu
+      - apk add --no-cache bash git build-base protoc protobuf-dev
+      - go install google.golang.org/protobuf/cmd/protoc-gen-go@latest
+      - go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
+      - export PATH="$(go env GOPATH)/bin:$PATH"
+      - bash ci/scripts/proto/generate.sh
+
+  - name: backend-lint
+    image: golang:alpine
+    depends_on: [ proto ]
+    commands:
+      - set -eu
+      - apk add --no-cache bash git build-base
+      - CGO_ENABLED=0 go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
+      - export PATH="$(go env GOPATH)/bin:$PATH"
+      - sh ci/scripts/common/run_backend_lint.sh gateway_chsettle
+
+  - name: backend-tests
+    image: golang:alpine
+    depends_on: [ proto ]
+    commands:
+      - set -eu
+      - apk add --no-cache bash git build-base
+      - sh ci/scripts/common/run_backend_tests.sh gateway_chsettle
+
+  - name: secrets
+    image: alpine:latest
+    depends_on: [ version ]
+    environment:
+      VAULT_ADDR: { from_secret: VAULT_ADDR }
+      VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }
+      VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
+    commands:
+      - set -euo pipefail
+      - apk add --no-cache bash coreutils openssh-keygen curl sed python3
+      - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
+      - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
+      - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
+
+  - name: build-image
+    image: gcr.io/kaniko-project/executor:debug
+    depends_on: [ backend-lint, backend-tests, secrets ]
+    commands:
+      - '[ "$(uname -m)" = "x86_64" ] || { echo "image build requires an amd64 runner"; exit 1; }'
+      - sh ci/scripts/chsettle/build-image.sh
+
+  - name: deploy
+    image: alpine:latest
+    depends_on: [ secrets, build-image ]
+    environment:
+      VAULT_ADDR: { from_secret: VAULT_ADDR }
+      VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }
+      VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
+    commands:
+      - set -euo pipefail
+      - apk add --no-cache bash openssh-client rsync coreutils curl sed python3
+      - mkdir -p /root/.ssh
+      - install -m 600 secrets/SSH_KEY /root/.ssh/id_rsa
+      - sh ci/scripts/chsettle/deploy.sh

.woodpecker/gateway_mntx.yml

@@ -69,6 +69,8 @@ steps:
   - name: secrets
     image: alpine:latest
     depends_on: [ version ]
+    when:
+      - event: tag
     environment:
       VAULT_ADDR: { from_secret: VAULT_ADDR }
       VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }
@@ -83,6 +85,8 @@ steps:
   - name: build-image
     image: gcr.io/kaniko-project/executor:debug
     depends_on: [ backend-lint, backend-tests, secrets ]
+    when:
+      - event: tag
     commands:
       - '[ "$(uname -m)" = "x86_64" ] || { echo "image build requires an amd64 runner"; exit 1; }'
       - sh ci/scripts/mntx/build-image.sh
@@ -90,6 +94,8 @@ steps:
   - name: deploy
     image: alpine:latest
     depends_on: [ secrets, build-image ]
+    when:
+      - event: tag
     environment:
       VAULT_ADDR: { from_secret: VAULT_ADDR }
       VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }

.woodpecker/gateway_tgsettle.yml

@@ -67,6 +67,8 @@ steps:
   - name: secrets
     image: alpine:latest
     depends_on: [ version ]
+    when:
+      - event: tag
     environment:
       VAULT_ADDR: { from_secret: VAULT_ADDR }
       VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }
@@ -81,6 +83,8 @@ steps:
   - name: build-image
     image: gcr.io/kaniko-project/executor:debug
     depends_on: [ backend-lint, backend-tests, secrets ]
+    when:
+      - event: tag
     commands:
       - '[ "$(uname -m)" = "x86_64" ] || { echo "image build requires an amd64 runner"; exit 1; }'
       - sh ci/scripts/tgsettle/build-image.sh
@@ -88,6 +92,8 @@ steps:
   - name: deploy
     image: alpine:latest
     depends_on: [ secrets, build-image ]
+    when:
+      - event: tag
     environment:
       VAULT_ADDR: { from_secret: VAULT_ADDR }
       VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }

.woodpecker/vault.yml

@@ -0,0 +1,31 @@
+when:
+  - event: push
+    branch: main
+    path:
+      exclude: ['**']
+      ignore_message: '[infra]'
+
+steps:
+  - name: secrets
+    image: alpine:latest
+    environment:
+      VAULT_ADDR: { from_secret: VAULT_ADDR }
+      VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }
+      VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
+    commands:
+      - set -euo pipefail
+      - apk add --no-cache bash coreutils openssh-keygen curl sed python3
+      - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
+
+  - name: deploy
+    image: alpine:latest
+    depends_on: [ secrets ]
+    commands:
+      - set -euo pipefail
+      - apk add --no-cache bash openssh-client rsync coreutils curl sed python3
+      - mkdir -p /root/.ssh
+      - install -m 600 secrets/SSH_KEY /root/.ssh/id_rsa
+      - . ./ci/scripts/common/runtime_env.sh
+      - load_runtime_env_bundle "$(resolve_runtime_env_name)"
+      - bash ci/prod/scripts/bootstrap/network.sh
+      - sh ci/scripts/vault/deploy.sh

README.md

@@ -114,7 +114,15 @@ make test-frontend  # Run Flutter tests only
 
 - Pushes to `main` build and deploy changed application services to the dev server.
 - Tags matching `v*` trigger a full production rebuild and deployment from that exact tagged revision.
-- Infrastructure workflows for `db` and `nats` remain separately controlled.
+- Infrastructure workflows for `db`, `nats`, and the dev `vault` remain separately controlled via `[infra]`.
+
+First-time dev bootstrap:
+
+```bash
+# merge a PR whose commit message includes [infra]
+# this deploys dev db, nats, and dev vault
+# after infra is green, merge normal app changes to main
+```
 
 Recommended release preparation:
 

ci/devserver/.env.runtime

@@ -8,3 +8,34 @@ WS_PROTOCOL=wss
 SSH_HOST=178.57.67.136
 SSH_USER=cloud
 DEPLOY_SSH_KEY_PATH=ops/deploy/dev_ssh_key
+DB_COMPOSE_FILE=db.dev.yml
+APP_VAULT_ADDR=http://dev-vault:8200
+VAULT_DIR=vault
+VAULT_COMPOSE_PROJECT=sendico-vault
+VAULT_HTTP_PORT=8200
+
+# Aurora gateway replaces Monetix on the dev host.
+AURORA_GATEWAY_DIR=aurora_gateway
+AURORA_GATEWAY_COMPOSE_PROJECT=sendico-aurora-gateway
+AURORA_GATEWAY_SERVICE_NAME=sendico_aurora_gateway
+AURORA_GATEWAY_GRPC_PORT=50075
+AURORA_GATEWAY_METRICS_PORT=9405
+AURORA_GATEWAY_HTTP_PORT=8084
+AURORA_GATEWAY_MONGO_HOST=sendico_db1
+AURORA_GATEWAY_MONGO_PORT=27017
+AURORA_GATEWAY_MONGO_DATABASE=aurora_gateway
+AURORA_GATEWAY_MONGO_AUTH_SOURCE=admin
+AURORA_GATEWAY_MONGO_REPLICA_SET=sendico-rs
+
+# ChimeraSettle replaces TGSettle on the dev host.
+CHSETTLE_GATEWAY_DIR=chsettle_gateway
+CHSETTLE_GATEWAY_COMPOSE_PROJECT=sendico-chsettle-gateway
+CHSETTLE_GATEWAY_SERVICE_NAME=sendico_chsettle_gateway
+CHSETTLE_GATEWAY_GRPC_PORT=50080
+CHSETTLE_GATEWAY_METRICS_PORT=9406
+CHSETTLE_GATEWAY_CHAT_ID=
+CHSETTLE_GATEWAY_MONGO_HOST=sendico_db1
+CHSETTLE_GATEWAY_MONGO_PORT=27017
+CHSETTLE_GATEWAY_MONGO_DATABASE=chsettle_gateway
+CHSETTLE_GATEWAY_MONGO_AUTH_SOURCE=admin
+CHSETTLE_GATEWAY_MONGO_REPLICA_SET=sendico-rs

ci/prod/compose/aurora_gateway.dockerfile

@@ -0,0 +1,37 @@
+# syntax=docker/dockerfile:1.7
+
+ARG TARGETOS=linux
+ARG TARGETARCH=amd64
+
+FROM golang:alpine AS build
+ARG APP_VERSION=dev
+ARG GIT_REV=unknown
+ARG BUILD_BRANCH=unknown
+ARG BUILD_DATE=unknown
+ARG BUILD_USER=ci
+ENV GO111MODULE=on
+ENV PATH="/go/bin:${PATH}"
+WORKDIR /src
+COPY . .
+RUN apk add --no-cache git build-base
+WORKDIR /src/api/gateway/aurora
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
+    go build -trimpath -ldflags "\
+      -s -w \
+      -X github.com/tech/sendico/gateway/aurora/internal/appversion.Version=${APP_VERSION} \
+      -X github.com/tech/sendico/gateway/aurora/internal/appversion.Revision=${GIT_REV} \
+      -X github.com/tech/sendico/gateway/aurora/internal/appversion.Branch=${BUILD_BRANCH} \
+      -X github.com/tech/sendico/gateway/aurora/internal/appversion.BuildUser=${BUILD_USER} \
+      -X github.com/tech/sendico/gateway/aurora/internal/appversion.BuildDate=${BUILD_DATE}" \
+    -o /out/aurora-gateway .
+
+FROM alpine:latest AS runtime
+RUN apk add --no-cache ca-certificates tzdata wget
+WORKDIR /app
+COPY api/gateway/aurora/config.yml /app/config.yml
+COPY --from=build /out/aurora-gateway /app/aurora-gateway
+EXPOSE 50075 9404 8084
+ENTRYPOINT ["/app/aurora-gateway"]
+CMD ["--config.file", "/app/config.yml"]

ci/prod/compose/aurora_gateway.yml

@@ -0,0 +1,46 @@
+# Compose v2 - Aurora Gateway
+
+x-common-env: &common-env
+  env_file:
+    - ../env/.env.runtime
+    - ../env/.env.version
+
+networks:
+  sendico-net:
+    external: true
+    name: sendico-net
+
+services:
+  sendico_aurora_gateway:
+    <<: *common-env
+    container_name: sendico-aurora-gateway
+    platform: linux/amd64
+    restart: unless-stopped
+    image: ${REGISTRY_URL}/gateway/aurora:${IMAGE_TAG:-${APP_V}}
+    pull_policy: always
+    environment:
+      AURORA_GATEWAY_MONGO_HOST: ${AURORA_GATEWAY_MONGO_HOST}
+      AURORA_GATEWAY_MONGO_PORT: ${AURORA_GATEWAY_MONGO_PORT}
+      AURORA_GATEWAY_MONGO_DATABASE: ${AURORA_GATEWAY_MONGO_DATABASE}
+      AURORA_GATEWAY_MONGO_USER: ${AURORA_GATEWAY_MONGO_USER}
+      AURORA_GATEWAY_MONGO_PASSWORD: ${AURORA_GATEWAY_MONGO_PASSWORD}
+      AURORA_GATEWAY_MONGO_AUTH_SOURCE: ${AURORA_GATEWAY_MONGO_AUTH_SOURCE}
+      AURORA_GATEWAY_MONGO_REPLICA_SET: ${AURORA_GATEWAY_MONGO_REPLICA_SET}
+      NATS_URL: ${NATS_URL}
+      NATS_HOST: ${NATS_HOST}
+      NATS_PORT: ${NATS_PORT}
+      NATS_USER: ${NATS_USER}
+      NATS_PASSWORD: ${NATS_PASSWORD}
+    command: ["--config.file", "/app/config.yml"]
+    ports:
+      - "0.0.0.0:${AURORA_GATEWAY_GRPC_PORT}:50075"
+      - "0.0.0.0:${AURORA_GATEWAY_METRICS_PORT}:9404"
+      - "0.0.0.0:${AURORA_GATEWAY_HTTP_PORT}:8084"
+    healthcheck:
+      test: ["CMD-SHELL","wget -qO- http://localhost:9404/health | grep -q '\"status\":\"ok\"'"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 60s
+    networks:
+      - sendico-net

ci/prod/compose/bff.dockerfile

@@ -28,9 +28,10 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
     -o /out/bff .
 
 FROM alpine:latest AS runtime
+ARG APP_CONFIG_PATH=api/edge/bff/config.yml
 RUN apk add --no-cache ca-certificates tzdata wget
 WORKDIR /app
-COPY api/edge/bff/config.yml /app/config.yml
+COPY ${APP_CONFIG_PATH} /app/config.yml
 COPY api/edge/bff/assets /app/assets
 COPY api/edge/bff/env /app/env
 COPY api/pkg/auth/internal/casbin/models/auth.conf /app/env/permissions_model.conf

ci/prod/compose/bff.yml

@@ -60,7 +60,7 @@ services:
       PERMISSION_COLLECTION: ${PERMISSION_COLLECTION}
       PERMISSION_TIMEOUT: ${PERMISSION_TIMEOUT}
       PERMISSION_IS_FILTERED: ${PERMISSION_IS_FILTERED}
-      VAULT_ADDR: ${VAULT_ADDR}
+      VAULT_ADDR: ${APP_VAULT_ADDR:-${VAULT_ADDR}}
       VAULT_TOKEN_FILE: /run/vault/token
     ports:
       - "0.0.0.0:${BFF_HTTP_PORT}:8081"
@@ -86,7 +86,7 @@ services:
     pull_policy: always
     cap_add: ["IPC_LOCK"]
     environment:
-      VAULT_ADDR: ${VAULT_ADDR}
+      VAULT_ADDR: ${APP_VAULT_ADDR:-${VAULT_ADDR}}
       BFF_VAULT_ROLE_ID: ${BFF_VAULT_ROLE_ID}
       BFF_VAULT_SECRET_ID: ${BFF_VAULT_SECRET_ID}
     command: >

ci/prod/compose/callbacks.dockerfile

@@ -28,9 +28,10 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
     -o /out/callbacks .
 
 FROM alpine:latest AS runtime
+ARG APP_CONFIG_PATH=api/edge/callbacks/config.yml
 RUN apk add --no-cache ca-certificates tzdata wget
 WORKDIR /app
-COPY api/edge/callbacks/config.yml /app/config.yml
+COPY ${APP_CONFIG_PATH} /app/config.yml
 COPY api/edge/callbacks/entrypoint.sh /app/entrypoint.sh
 COPY --from=build /out/callbacks /app/callbacks
 RUN chmod +x /app/entrypoint.sh

ci/prod/compose/callbacks.yml

@@ -40,7 +40,7 @@ services:
       NATS_USER: ${NATS_USER}
       NATS_PASSWORD: ${NATS_PASSWORD}
       CALLBACKS_METRICS_PORT: ${CALLBACKS_METRICS_PORT}
-      VAULT_ADDR: ${VAULT_ADDR}
+      VAULT_ADDR: ${APP_VAULT_ADDR:-${VAULT_ADDR}}
       VAULT_TOKEN_FILE: /run/vault/token
     command: ["--config.file", "/app/config.yml"]
     ports:
@@ -67,7 +67,7 @@ services:
     pull_policy: always
     cap_add: ["IPC_LOCK"]
     environment:
-      VAULT_ADDR: ${VAULT_ADDR}
+      VAULT_ADDR: ${APP_VAULT_ADDR:-${VAULT_ADDR}}
       CALLBACKS_VAULT_ROLE_ID: ${CALLBACKS_VAULT_ROLE_ID}
       CALLBACKS_VAULT_SECRET_ID: ${CALLBACKS_VAULT_SECRET_ID}
     command: >

ci/prod/compose/chain_gateway.dockerfile

@@ -28,9 +28,10 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
     -o /out/chain-gateway .
 
 FROM alpine:latest AS runtime
+ARG APP_CONFIG_PATH=api/gateway/chain/config.yml
 RUN apk add --no-cache ca-certificates tzdata wget
 WORKDIR /app
-COPY api/gateway/chain/config.yml /app/config.yml
+COPY ${APP_CONFIG_PATH} /app/config.yml
 COPY api/gateway/chain/env /app/env
 COPY api/gateway/chain/entrypoint.sh /app/entrypoint.sh
 COPY --from=build /out/chain-gateway /app/chain-gateway

ci/prod/compose/chain_gateway.yml

@@ -75,7 +75,7 @@ services:
     pull_policy: always
     cap_add: ["IPC_LOCK"]
     environment:
-      VAULT_ADDR: ${VAULT_ADDR}
+      VAULT_ADDR: ${APP_VAULT_ADDR:-${VAULT_ADDR}}
       CHAIN_GATEWAY_VAULT_ROLE_ID: ${CHAIN_GATEWAY_VAULT_ROLE_ID}
       CHAIN_GATEWAY_VAULT_SECRET_ID: ${CHAIN_GATEWAY_VAULT_SECRET_ID}
     command: >

ci/prod/compose/chsettle_gateway.dockerfile

@@ -0,0 +1,37 @@
+# syntax=docker/dockerfile:1.7
+
+ARG TARGETOS=linux
+ARG TARGETARCH=amd64
+
+FROM golang:alpine AS build
+ARG APP_VERSION=dev
+ARG GIT_REV=unknown
+ARG BUILD_BRANCH=unknown
+ARG BUILD_DATE=unknown
+ARG BUILD_USER=ci
+ENV GO111MODULE=on
+ENV PATH="/go/bin:${PATH}"
+WORKDIR /src
+COPY . .
+RUN apk add --no-cache git build-base
+WORKDIR /src/api/gateway/chsettle
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
+    go build -trimpath -ldflags "\
+      -s -w \
+      -X github.com/tech/sendico/gateway/chsettle/internal/appversion.Version=${APP_VERSION} \
+      -X github.com/tech/sendico/gateway/chsettle/internal/appversion.Revision=${GIT_REV} \
+      -X github.com/tech/sendico/gateway/chsettle/internal/appversion.Branch=${BUILD_BRANCH} \
+      -X github.com/tech/sendico/gateway/chsettle/internal/appversion.BuildUser=${BUILD_USER} \
+      -X github.com/tech/sendico/gateway/chsettle/internal/appversion.BuildDate=${BUILD_DATE}" \
+    -o /out/chsettle-gateway .
+
+FROM alpine:latest AS runtime
+RUN apk add --no-cache ca-certificates tzdata wget
+WORKDIR /app
+COPY api/gateway/chsettle/config.yml /app/config.yml
+COPY --from=build /out/chsettle-gateway /app/chsettle-gateway
+EXPOSE 50080 9406
+ENTRYPOINT ["/app/chsettle-gateway"]
+CMD ["--config.file", "/app/config.yml"]

ci/prod/compose/chsettle_gateway.yml

@@ -0,0 +1,46 @@
+# Compose v2 - ChimeraSettle Gateway
+
+x-common-env: &common-env
+  env_file:
+    - ../env/.env.runtime
+    - ../env/.env.version
+
+networks:
+  sendico-net:
+    external: true
+    name: sendico-net
+
+services:
+  sendico_chsettle_gateway:
+    <<: *common-env
+    container_name: sendico-chsettle-gateway
+    platform: linux/amd64
+    restart: unless-stopped
+    image: ${REGISTRY_URL}/gateway/chsettle:${IMAGE_TAG:-${APP_V}}
+    pull_policy: always
+    environment:
+      CHSETTLE_GATEWAY_MONGO_HOST: ${CHSETTLE_GATEWAY_MONGO_HOST}
+      CHSETTLE_GATEWAY_MONGO_PORT: ${CHSETTLE_GATEWAY_MONGO_PORT}
+      CHSETTLE_GATEWAY_MONGO_DATABASE: ${CHSETTLE_GATEWAY_MONGO_DATABASE}
+      CHSETTLE_GATEWAY_MONGO_USER: ${CHSETTLE_GATEWAY_MONGO_USER}
+      CHSETTLE_GATEWAY_MONGO_PASSWORD: ${CHSETTLE_GATEWAY_MONGO_PASSWORD}
+      CHSETTLE_GATEWAY_MONGO_AUTH_SOURCE: ${CHSETTLE_GATEWAY_MONGO_AUTH_SOURCE}
+      CHSETTLE_GATEWAY_MONGO_REPLICA_SET: ${CHSETTLE_GATEWAY_MONGO_REPLICA_SET}
+      NATS_URL: ${NATS_URL}
+      NATS_HOST: ${NATS_HOST}
+      NATS_PORT: ${NATS_PORT}
+      NATS_USER: ${NATS_USER}
+      NATS_PASSWORD: ${NATS_PASSWORD}
+      CHSETTLE_GATEWAY_CHAT_ID: ${CHSETTLE_GATEWAY_CHAT_ID}
+    command: ["--config.file", "/app/config.yml"]
+    ports:
+      - "0.0.0.0:${CHSETTLE_GATEWAY_GRPC_PORT}:50080"
+      - "0.0.0.0:${CHSETTLE_GATEWAY_METRICS_PORT}:9406"
+    healthcheck:
+      test: ["CMD-SHELL","wget -qO- http://localhost:9406/health | grep -q '\"status\":\"ok\"'"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 60s
+    networks:
+      - sendico-net

ci/prod/compose/db.dev.yml

@@ -0,0 +1,163 @@
+# Compose v2 - Dev DB stack without PBM
+
+x-common-env: &common-env
+  env_file:
+    - ../env/.env.runtime
+
+volumes:
+  mongo1_data: {}
+  mongo2_data: {}
+  mongo3_data: {}
+  # In-memory store for secrets/material rendered by Vault Agent (no host persistence)
+  vault_secrets:
+    driver: local
+    driver_opts:
+      type: tmpfs
+      device: tmpfs
+      o: size=32m,uid=999,gid=999,mode=0750
+
+networks:
+  sendico-net:
+    external: true
+    name: sendico-net
+
+services:
+  vault-agent-sendico:
+    <<: *common-env
+    image: hashicorp/vault:latest
+    container_name: vault-agent-sendico
+    restart: unless-stopped
+    cap_add: ["IPC_LOCK"]
+    environment:
+      VAULT_ADDR: ${VAULT_ADDR}
+      VAULT_ROLE_ID: ${VAULT_ROLE_ID}
+      VAULT_SECRET_ID: ${VAULT_SECRET_ID}
+    volumes:
+      - ./vault/agent.dev.hcl:/etc/vault/agent.hcl:ro
+      - ./vault/templates:/etc/vault/templates:ro
+      - vault_secrets:/vault/secrets:rw
+    command: >
+      sh -lc 'set -euo pipefail; umask 077;
+              : "$${VAULT_ADDR:?}"; : "$${VAULT_ROLE_ID:?}"; : "$${VAULT_SECRET_ID:?}";
+              printf "%s" "$${VAULT_ROLE_ID}"   > /vault/secrets/role_id;
+              printf "%s" "$${VAULT_SECRET_ID}" > /vault/secrets/secret_id;
+              unset VAULT_ROLE_ID VAULT_SECRET_ID;
+              exec vault agent -config=/etc/vault/agent.hcl'
+    healthcheck:
+      test: ["CMD-SHELL","test -s /vault/secrets/MONGO_INITDB_ROOT_USERNAME -a -s /vault/secrets/MONGO_INITDB_ROOT_PASSWORD -a -s /vault/secrets/mongo.kf"]
+      interval: 5s
+      timeout: 3s
+      retries: 30
+      start_period: 5s
+    networks:
+      - sendico-net
+
+  sendico_db1:
+    <<: *common-env
+    image: docker.io/library/mongo:latest
+    container_name: sendico_db1
+    restart: unless-stopped
+    depends_on:
+      vault-agent-sendico:
+        condition: service_healthy
+    entrypoint: ["/usr/local/bin/mongo-entrypoint-wrapper.sh"]
+    command: >
+      mongod --replSet ${MONGO_REPLICA_SET} --bind_ip_all --auth
+             --keyFile /vault/secrets/mongo.kf --port ${MONGO_PORT}
+    volumes:
+      - mongo1_data:/data/db
+      - vault_secrets:/vault/secrets:ro
+      - ./ops/mongo-entrypoint.sh:/usr/local/bin/mongo-entrypoint-wrapper.sh:ro
+    healthcheck:
+      test: ["CMD-SHELL","mongosh --quiet --host localhost --port ${MONGO_PORT} --eval 'db.runCommand({ ping: 1 }).ok' || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 10
+      start_period: 30s
+    ports: [ "0.0.0.0:${MONGO_PORT}:${MONGO_PORT}" ]
+    networks:
+      - sendico-net
+
+  sendico_db2:
+    <<: *common-env
+    image: docker.io/library/mongo:latest
+    container_name: sendico_db2
+    restart: unless-stopped
+    depends_on:
+      vault-agent-sendico:
+        condition: service_healthy
+    entrypoint: ["/usr/local/bin/mongo-entrypoint-wrapper.sh"]
+    command: >
+      mongod --replSet ${MONGO_REPLICA_SET} --bind_ip_all --auth
+             --keyFile /vault/secrets/mongo.kf --port ${MONGO_PORT}
+    volumes:
+      - mongo2_data:/data/db
+      - vault_secrets:/vault/secrets:ro
+      - ./ops/mongo-entrypoint.sh:/usr/local/bin/mongo-entrypoint-wrapper.sh:ro
+    healthcheck:
+      test: ["CMD-SHELL","mongosh --quiet --host localhost --port ${MONGO_PORT} --eval 'db.runCommand({ ping: 1 }).ok' || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 10
+      start_period: 30s
+    networks:
+      - sendico-net
+
+  sendico_db3:
+    <<: *common-env
+    image: docker.io/library/mongo:latest
+    container_name: sendico_db3
+    restart: unless-stopped
+    depends_on:
+      vault-agent-sendico:
+        condition: service_healthy
+    entrypoint: ["/usr/local/bin/mongo-entrypoint-wrapper.sh"]
+    command: >
+      mongod --replSet ${MONGO_REPLICA_SET} --bind_ip_all --auth
+             --keyFile /vault/secrets/mongo.kf --port ${MONGO_PORT}
+    volumes:
+      - mongo3_data:/data/db
+      - vault_secrets:/vault/secrets:ro
+      - ./ops/mongo-entrypoint.sh:/usr/local/bin/mongo-entrypoint-wrapper.sh:ro
+    healthcheck:
+      test: ["CMD-SHELL","mongosh --quiet --host localhost --port ${MONGO_PORT} --eval 'db.runCommand({ ping: 1 }).ok' || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 10
+      start_period: 30s
+    networks:
+      - sendico-net
+
+  mongo_setup:
+    <<: *common-env
+    image: docker.io/library/mongo:latest
+    depends_on:
+      sendico_db1: { condition: service_healthy }
+      sendico_db2: { condition: service_healthy }
+      sendico_db3: { condition: service_healthy }
+    volumes:
+      - vault_secrets:/vault/secrets:ro
+    entrypoint: |
+      bash -c '
+        set -euo pipefail
+        u=$(cat /vault/secrets/MONGO_INITDB_ROOT_USERNAME)
+        p=$(cat /vault/secrets/MONGO_INITDB_ROOT_PASSWORD)
+        until mongosh --quiet --host sendico_db1 --port ${MONGO_PORT} --eval "db.adminCommand({ ping: 1 })"; do
+          echo "waiting for MongoDB…"; sleep 2;
+        done
+        mongosh --host sendico_db1 --port ${MONGO_PORT} -u "$$u" -p "$$p" --authenticationDatabase admin <<'EOJS'
+          try { rs.status() } catch (e) {
+            rs.initiate({
+              _id: "${MONGO_REPLICA_SET}",
+              members: [
+                { _id: 0, host: "sendico_db1:${MONGO_PORT}", priority: 2 },
+                { _id: 1, host: "sendico_db2:${MONGO_PORT}", priority: 1 },
+                { _id: 2, host: "sendico_db3:${MONGO_PORT}", priority: 1 }
+              ]
+            })
+          }
+        EOJS
+      '
+    restart: "no"
+    networks:
+      - sendico-net

ci/prod/compose/tron_gateway.dockerfile

@@ -28,9 +28,10 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
     -o /out/tron-gateway .
 
 FROM alpine:latest AS runtime
+ARG APP_CONFIG_PATH=api/gateway/tron/config.yml
 RUN apk add --no-cache ca-certificates tzdata wget
 WORKDIR /app
-COPY api/gateway/tron/config.yml /app/config.yml
+COPY ${APP_CONFIG_PATH} /app/config.yml
 COPY api/gateway/tron/env /app/env
 COPY api/gateway/tron/entrypoint.sh /app/entrypoint.sh
 COPY --from=build /out/tron-gateway /app/tron-gateway

ci/prod/compose/tron_gateway.yml

@@ -79,7 +79,7 @@ services:
     pull_policy: always
     cap_add: ["IPC_LOCK"]
     environment:
-      VAULT_ADDR: ${VAULT_ADDR}
+      VAULT_ADDR: ${APP_VAULT_ADDR:-${VAULT_ADDR}}
       TRON_GATEWAY_VAULT_ROLE_ID: ${TRON_GATEWAY_VAULT_ROLE_ID}
       TRON_GATEWAY_VAULT_SECRET_ID: ${TRON_GATEWAY_VAULT_SECRET_ID}
     command: >

ci/prod/compose/vault-agent/bff.hcl

@@ -1,5 +1,5 @@
 vault {
-  address = "https://vault.sendico.io"
+  address = "{{ env `VAULT_ADDR` }}"
 }
 
 auto_auth {
@@ -18,4 +18,3 @@ auto_auth {
     }
   }
 }
-

ci/prod/compose/vault-agent/callbacks.hcl

@@ -1,5 +1,5 @@
 vault {
-  address = "https://vault.sendico.io"
+  address = "{{ env `VAULT_ADDR` }}"
 }
 
 auto_auth {

ci/prod/compose/vault-agent/chain-gateway.hcl

@@ -1,5 +1,5 @@
 vault {
-  address = "https://vault.sendico.io"
+  address = "{{ env `VAULT_ADDR` }}"
 }
 
 auto_auth {

ci/prod/compose/vault-agent/tron-gateway.hcl

@@ -1,5 +1,5 @@
 vault {
-  address = "https://vault.sendico.io"
+  address = "{{ env `VAULT_ADDR` }}"
 }
 
 auto_auth {

ci/prod/compose/vault-server/config.hcl

@@ -0,0 +1,12 @@
+storage "file" {
+  path = "/vault/file"
+}
+
+listener "tcp" {
+  address     = "0.0.0.0:8200"
+  tls_disable = true
+}
+
+api_addr = "http://dev-vault:8200"
+ui = true
+disable_mlock = true

ci/prod/compose/vault.yml

@@ -0,0 +1,37 @@
+# Compose v2 - Dev Vault
+
+x-common-env: &common-env
+  env_file:
+    - ../env/.env.runtime
+
+volumes:
+  dev_vault_data: {}
+
+networks:
+  sendico-net:
+    external: true
+    name: sendico-net
+
+services:
+  dev_vault:
+    <<: *common-env
+    image: hashicorp/vault:latest
+    container_name: dev-vault
+    restart: unless-stopped
+    cap_add: ["IPC_LOCK"]
+    environment:
+      VAULT_ADDR: http://127.0.0.1:8200
+    command: vault server -config=/vault/config/vault.hcl
+    volumes:
+      - dev_vault_data:/vault/file
+      - ./vault-server/config.hcl:/vault/config/vault.hcl:ro
+    ports:
+      - "0.0.0.0:${VAULT_HTTP_PORT}:8200"
+    healthcheck:
+      test: ["CMD-SHELL","export VAULT_ADDR=http://127.0.0.1:8200; vault status >/dev/null 2>&1; rc=$?; [ \"$rc\" -eq 0 ] || [ \"$rc\" -eq 2 ]"]
+      interval: 10s
+      timeout: 5s
+      retries: 12
+      start_period: 10s
+    networks:
+      - sendico-net

ci/prod/compose/vault/agent.dev.hcl

@@ -0,0 +1,29 @@
+# Vault Agent for the dev DB stack. AppRole creds are files on the host.
+pid_file = "/tmp/vault-agent.pid"
+
+auto_auth {
+  method "approle" {
+    mount_path = "auth/approle"
+    config = {
+      role_id_file_path   = "/vault/secrets/role_id"
+      secret_id_file_path = "/vault/secrets/secret_id"
+    }
+  }
+  sink "file" { config = { path = "/vault/token" } }
+}
+
+vault { address = "{{ env `VAULT_ADDR` }}" }
+
+template {
+  source      = "/etc/vault/templates/mongo/user.ctmpl"
+  destination = "/vault/secrets/MONGO_INITDB_ROOT_USERNAME"
+}
+template {
+  source      = "/etc/vault/templates/mongo/pass.ctmpl"
+  destination = "/vault/secrets/MONGO_INITDB_ROOT_PASSWORD"
+}
+template {
+  source      = "/etc/vault/templates/mongo/keyfile.ctmpl"
+  destination = "/vault/secrets/mongo.kf"
+  command     = "sh -lc 'chown 999:999 /vault/secrets/mongo.kf && chmod 0400 /vault/secrets/mongo.kf'"
+}

ci/prod/scripts/deploy/aurora_gateway.sh

@@ -0,0 +1,156 @@
+#!/usr/bin/env bash
+set -euo pipefail
+[[ "${DEBUG_DEPLOY:-0}" = "1" ]] && set -x
+trap 'echo "[deploy-aurora-gateway] error at line $LINENO" >&2' ERR
+
+: "${REMOTE_BASE:?missing REMOTE_BASE}"
+: "${SSH_USER:?missing SSH_USER}"
+: "${SSH_HOST:?missing SSH_HOST}"
+: "${AURORA_GATEWAY_DIR:?missing AURORA_GATEWAY_DIR}"
+: "${AURORA_GATEWAY_COMPOSE_PROJECT:?missing AURORA_GATEWAY_COMPOSE_PROJECT}"
+: "${AURORA_GATEWAY_SERVICE_NAME:?missing AURORA_GATEWAY_SERVICE_NAME}"
+
+REMOTE_DIR="${REMOTE_BASE%/}/${AURORA_GATEWAY_DIR}"
+REMOTE_TARGET="${SSH_USER}@${SSH_HOST}"
+RUNTIME_ENV_FILE="${RUNTIME_ENV_FILE:-ci/prod/.env.runtime}"
+COMPOSE_FILE="aurora_gateway.yml"
+SERVICE_NAMES="${AURORA_GATEWAY_SERVICE_NAME}"
+
+REQUIRED_SECRETS=(
+  AURORA_GATEWAY_MONGO_USER
+  AURORA_GATEWAY_MONGO_PASSWORD
+  NATS_USER
+  NATS_PASSWORD
+  NATS_URL
+)
+
+for var in "${REQUIRED_SECRETS[@]}"; do
+  if [[ -z "${!var:-}" ]]; then
+    echo "missing required secret env: ${var}" >&2
+    exit 65
+  fi
+done
+
+if [[ ! -s .env.version ]]; then
+  echo ".env.version is missing; run version step first" >&2
+  exit 66
+fi
+
+b64enc() {
+  printf '%s' "$1" | base64 | tr -d '\n'
+}
+
+AURORA_GATEWAY_MONGO_USER_B64="$(b64enc "${AURORA_GATEWAY_MONGO_USER}")"
+AURORA_GATEWAY_MONGO_PASSWORD_B64="$(b64enc "${AURORA_GATEWAY_MONGO_PASSWORD}")"
+NATS_USER_B64="$(b64enc "${NATS_USER}")"
+NATS_PASSWORD_B64="$(b64enc "${NATS_PASSWORD}")"
+NATS_URL_B64="$(b64enc "${NATS_URL}")"
+
+SSH_OPTS=(
+  -i /root/.ssh/id_rsa
+  -o StrictHostKeyChecking=no
+  -o UserKnownHostsFile=/dev/null
+  -o LogLevel=ERROR
+  -o BatchMode=yes
+  -o PreferredAuthentications=publickey
+  -o ConnectTimeout=10
+  -q
+)
+if [[ "${DEBUG_DEPLOY:-0}" = "1" ]]; then
+  SSH_OPTS=("${SSH_OPTS[@]/-q/}" -vv)
+fi
+
+RSYNC_FLAGS=(-az --delete)
+[[ "${DEBUG_DEPLOY:-0}" = "1" ]] && RSYNC_FLAGS=(-avz --delete)
+
+ssh "${SSH_OPTS[@]}" "$REMOTE_TARGET" "mkdir -p ${REMOTE_DIR}/{compose,env}"
+
+rsync "${RSYNC_FLAGS[@]}" -e "ssh ${SSH_OPTS[*]}" ci/prod/compose/ "$REMOTE_TARGET:${REMOTE_DIR}/compose/"
+rsync "${RSYNC_FLAGS[@]}" -e "ssh ${SSH_OPTS[*]}" "${RUNTIME_ENV_FILE}" "$REMOTE_TARGET:${REMOTE_DIR}/env/.env.runtime"
+rsync "${RSYNC_FLAGS[@]}" -e "ssh ${SSH_OPTS[*]}" .env.version         "$REMOTE_TARGET:${REMOTE_DIR}/env/.env.version"
+
+SERVICES_LINE="${SERVICE_NAMES}"
+
+ssh "${SSH_OPTS[@]}" "$REMOTE_TARGET" \
+  REMOTE_DIR="$REMOTE_DIR" \
+  COMPOSE_FILE="$COMPOSE_FILE" \
+  COMPOSE_PROJECT="$AURORA_GATEWAY_COMPOSE_PROJECT" \
+  SERVICES_LINE="$SERVICES_LINE" \
+  AURORA_GATEWAY_MONGO_USER_B64="$AURORA_GATEWAY_MONGO_USER_B64" \
+  AURORA_GATEWAY_MONGO_PASSWORD_B64="$AURORA_GATEWAY_MONGO_PASSWORD_B64" \
+  NATS_USER_B64="$NATS_USER_B64" \
+  NATS_PASSWORD_B64="$NATS_PASSWORD_B64" \
+  NATS_URL_B64="$NATS_URL_B64" \
+  bash -s <<'EOSSH'
+set -euo pipefail
+cd "${REMOTE_DIR}/compose"
+set -a
+. ../env/.env.runtime
+load_kv_file() {
+  local file="$1"
+  while IFS= read -r line || [ -n "$line" ]; do
+    case "$line" in
+      ''|\#*) continue ;;
+    esac
+    if printf '%s' "$line" | grep -Eq '^[[:alpha:]_][[:alnum:]_]*='; then
+      local key="${line%%=*}"
+      local value="${line#*=}"
+      key="$(printf '%s' "$key" | tr -d '[:space:]')"
+      value="${value#"${value%%[![:space:]]*}"}"
+      value="${value%"${value##*[![:space:]]}"}"
+      if [[ -n "$key" ]]; then
+        export "$key=$value"
+      fi
+    fi
+  done <"$file"
+}
+load_kv_file ../env/.env.version
+set +a
+
+IMAGE_TAG="${IMAGE_TAG:-${APP_V}-${GIT_REV}}"
+export IMAGE_TAG
+
+if base64 -d >/dev/null 2>&1 <<<'AA=='; then
+  BASE64_DECODE_FLAG='-d'
+else
+  BASE64_DECODE_FLAG='--decode'
+fi
+
+decode_b64() {
+  val="$1"
+  if [[ -z "$val" ]]; then
+    printf ''
+    return
+  fi
+  printf '%s' "$val" | base64 "${BASE64_DECODE_FLAG}"
+}
+
+AURORA_GATEWAY_MONGO_USER="$(decode_b64 "$AURORA_GATEWAY_MONGO_USER_B64")"
+AURORA_GATEWAY_MONGO_PASSWORD="$(decode_b64 "$AURORA_GATEWAY_MONGO_PASSWORD_B64")"
+NATS_USER="$(decode_b64 "$NATS_USER_B64")"
+NATS_PASSWORD="$(decode_b64 "$NATS_PASSWORD_B64")"
+NATS_URL="$(decode_b64 "$NATS_URL_B64")"
+
+export AURORA_GATEWAY_MONGO_USER AURORA_GATEWAY_MONGO_PASSWORD
+export NATS_USER NATS_PASSWORD NATS_URL
+
+COMPOSE_PROJECT_NAME="$COMPOSE_PROJECT"
+export COMPOSE_PROJECT_NAME
+read -r -a SERVICES <<<"${SERVICES_LINE}"
+
+pull_cmd=(docker compose -f "$COMPOSE_FILE" pull)
+up_cmd=(docker compose -f "$COMPOSE_FILE" up -d --remove-orphans)
+ps_cmd=(docker compose -f "$COMPOSE_FILE" ps)
+if [[ "${#SERVICES[@]}" -gt 0 ]]; then
+  pull_cmd+=("${SERVICES[@]}")
+  up_cmd+=("${SERVICES[@]}")
+  ps_cmd+=("${SERVICES[@]}")
+fi
+
+"${pull_cmd[@]}"
+"${up_cmd[@]}"
+"${ps_cmd[@]}"
+
+date -Is > .last_deploy
+logger -t "deploy-${COMPOSE_PROJECT_NAME}" "${COMPOSE_PROJECT_NAME} deployed at $(date -Is) in ${REMOTE_DIR}"
+EOSSH

ci/prod/scripts/deploy/bff.sh

@@ -20,8 +20,6 @@ REQUIRED_SECRETS=(
   MONGO_USER
   MONGO_PASSWORD
   API_ENDPOINT_SECRET
-  BFF_VAULT_ROLE_ID
-  BFF_VAULT_SECRET_ID
   NATS_USER
   NATS_PASSWORD
   NATS_URL
@@ -46,8 +44,8 @@ b64enc() {
 MONGO_USER_B64="$(b64enc "${MONGO_USER}")"
 MONGO_PASSWORD_B64="$(b64enc "${MONGO_PASSWORD}")"
 API_ENDPOINT_SECRET_B64="$(b64enc "${API_ENDPOINT_SECRET}")"
-BFF_VAULT_ROLE_ID_B64="$(b64enc "${BFF_VAULT_ROLE_ID}")"
+BFF_VAULT_ROLE_ID_B64="$(b64enc "${BFF_VAULT_ROLE_ID:-}")"
-BFF_VAULT_SECRET_ID_B64="$(b64enc "${BFF_VAULT_SECRET_ID}")"
+BFF_VAULT_SECRET_ID_B64="$(b64enc "${BFF_VAULT_SECRET_ID:-}")"
 NATS_USER_B64="$(b64enc "${NATS_USER}")"
 NATS_PASSWORD_B64="$(b64enc "${NATS_PASSWORD}")"
 NATS_URL_B64="$(b64enc "${NATS_URL}")"
@@ -114,6 +112,9 @@ load_kv_file() {
   done <"$file"
 }
 load_kv_file ../env/.env.version
+if [[ -f ../env/vault.env ]]; then
+  load_kv_file ../env/vault.env
+fi
 set +a
 
 IMAGE_TAG="${IMAGE_TAG:-${APP_V}-${GIT_REV}}"
@@ -146,6 +147,10 @@ NATS_URL="$(decode_b64 "$NATS_URL_B64")"
 export MONGO_USER MONGO_PASSWORD API_ENDPOINT_SECRET
 export BFF_VAULT_ROLE_ID BFF_VAULT_SECRET_ID
 export NATS_USER NATS_PASSWORD NATS_URL
+if [[ -z "${BFF_VAULT_ROLE_ID:-}" || -z "${BFF_VAULT_SECRET_ID:-}" ]]; then
+  echo "missing required secret env: BFF_VAULT_ROLE_ID/BFF_VAULT_SECRET_ID" >&2
+  exit 65
+fi
 COMPOSE_PROJECT_NAME="$COMPOSE_PROJECT"
 export COMPOSE_PROJECT_NAME
 read -r -a SERVICES <<<"${SERVICES_LINE}"

ci/prod/scripts/deploy/callbacks.sh

@@ -19,8 +19,6 @@ SERVICE_NAMES="${CALLBACKS_SERVICE_NAME}"
 REQUIRED_SECRETS=(
   CALLBACKS_MONGO_USER
   CALLBACKS_MONGO_PASSWORD
-  CALLBACKS_VAULT_ROLE_ID
-  CALLBACKS_VAULT_SECRET_ID
   NATS_USER
   NATS_PASSWORD
   NATS_URL
@@ -44,8 +42,8 @@ b64enc() {
 
 CALLBACKS_MONGO_USER_B64="$(b64enc "${CALLBACKS_MONGO_USER}")"
 CALLBACKS_MONGO_PASSWORD_B64="$(b64enc "${CALLBACKS_MONGO_PASSWORD}")"
-CALLBACKS_VAULT_ROLE_ID_B64="$(b64enc "${CALLBACKS_VAULT_ROLE_ID}")"
+CALLBACKS_VAULT_ROLE_ID_B64="$(b64enc "${CALLBACKS_VAULT_ROLE_ID:-}")"
-CALLBACKS_VAULT_SECRET_ID_B64="$(b64enc "${CALLBACKS_VAULT_SECRET_ID}")"
+CALLBACKS_VAULT_SECRET_ID_B64="$(b64enc "${CALLBACKS_VAULT_SECRET_ID:-}")"
 NATS_USER_B64="$(b64enc "${NATS_USER}")"
 NATS_PASSWORD_B64="$(b64enc "${NATS_PASSWORD}")"
 NATS_URL_B64="$(b64enc "${NATS_URL}")"
@@ -111,6 +109,9 @@ load_kv_file() {
   done <"$file"
 }
 load_kv_file ../env/.env.version
+if [[ -f ../env/vault.env ]]; then
+  load_kv_file ../env/vault.env
+fi
 set +a
 
 IMAGE_TAG="${IMAGE_TAG:-${APP_V}-${GIT_REV}}"
@@ -142,6 +143,10 @@ NATS_URL="$(decode_b64 "$NATS_URL_B64")"
 export CALLBACKS_MONGO_USER CALLBACKS_MONGO_PASSWORD
 export CALLBACKS_VAULT_ROLE_ID CALLBACKS_VAULT_SECRET_ID
 export NATS_USER NATS_PASSWORD NATS_URL
+if [[ -z "${CALLBACKS_VAULT_ROLE_ID:-}" || -z "${CALLBACKS_VAULT_SECRET_ID:-}" ]]; then
+  echo "missing required secret env: CALLBACKS_VAULT_ROLE_ID/CALLBACKS_VAULT_SECRET_ID" >&2
+  exit 65
+fi
 COMPOSE_PROJECT_NAME="$COMPOSE_PROJECT"
 export COMPOSE_PROJECT_NAME
 read -r -a SERVICES <<<"${SERVICES_LINE}"

ci/prod/scripts/deploy/chain_gateway.sh

@@ -22,8 +22,6 @@ REQUIRED_SECRETS=(
   CHAIN_GATEWAY_RPC_URL
   CHAIN_GATEWAY_SERVICE_WALLET_KEY
   CHAIN_GATEWAY_SERVICE_WALLET_ADDRESS
-  CHAIN_GATEWAY_VAULT_ROLE_ID
-  CHAIN_GATEWAY_VAULT_SECRET_ID
   NATS_USER
   NATS_PASSWORD
   NATS_URL
@@ -50,8 +48,8 @@ CHAIN_GATEWAY_MONGO_PASSWORD_B64="$(b64enc "${CHAIN_GATEWAY_MONGO_PASSWORD}")"
 CHAIN_GATEWAY_RPC_URL_B64="$(b64enc "${CHAIN_GATEWAY_RPC_URL}")"
 CHAIN_GATEWAY_SERVICE_WALLET_KEY_B64="$(b64enc "${CHAIN_GATEWAY_SERVICE_WALLET_KEY}")"
 CHAIN_GATEWAY_SERVICE_WALLET_ADDRESS_B64="$(b64enc "${CHAIN_GATEWAY_SERVICE_WALLET_ADDRESS}")"
-CHAIN_GATEWAY_VAULT_ROLE_ID_B64="$(b64enc "${CHAIN_GATEWAY_VAULT_ROLE_ID}")"
+CHAIN_GATEWAY_VAULT_ROLE_ID_B64="$(b64enc "${CHAIN_GATEWAY_VAULT_ROLE_ID:-}")"
-CHAIN_GATEWAY_VAULT_SECRET_ID_B64="$(b64enc "${CHAIN_GATEWAY_VAULT_SECRET_ID}")"
+CHAIN_GATEWAY_VAULT_SECRET_ID_B64="$(b64enc "${CHAIN_GATEWAY_VAULT_SECRET_ID:-}")"
 NATS_USER_B64="$(b64enc "${NATS_USER}")"
 NATS_PASSWORD_B64="$(b64enc "${NATS_PASSWORD}")"
 NATS_URL_B64="$(b64enc "${NATS_URL}")"
@@ -120,6 +118,9 @@ load_kv_file() {
   done <"$file"
 }
 load_kv_file ../env/.env.version
+if [[ -f ../env/vault.env ]]; then
+  load_kv_file ../env/vault.env
+fi
 set +a
 
 IMAGE_TAG="${IMAGE_TAG:-${APP_V}-${GIT_REV}}"
@@ -156,6 +157,10 @@ export CHAIN_GATEWAY_RPC_URL
 export CHAIN_GATEWAY_SERVICE_WALLET_KEY CHAIN_GATEWAY_SERVICE_WALLET_ADDRESS
 export CHAIN_GATEWAY_VAULT_ROLE_ID CHAIN_GATEWAY_VAULT_SECRET_ID
 export NATS_USER NATS_PASSWORD NATS_URL
+if [[ -z "${CHAIN_GATEWAY_VAULT_ROLE_ID:-}" || -z "${CHAIN_GATEWAY_VAULT_SECRET_ID:-}" ]]; then
+  echo "missing required secret env: CHAIN_GATEWAY_VAULT_ROLE_ID/CHAIN_GATEWAY_VAULT_SECRET_ID" >&2
+  exit 65
+fi
 
 COMPOSE_PROJECT_NAME="$COMPOSE_PROJECT"
 export COMPOSE_PROJECT_NAME

ci/prod/scripts/deploy/chsettle_gateway.sh

@@ -0,0 +1,156 @@
+#!/usr/bin/env bash
+set -euo pipefail
+[[ "${DEBUG_DEPLOY:-0}" = "1" ]] && set -x
+trap 'echo "[deploy-chsettle-gateway] error at line $LINENO" >&2' ERR
+
+: "${REMOTE_BASE:?missing REMOTE_BASE}"
+: "${SSH_USER:?missing SSH_USER}"
+: "${SSH_HOST:?missing SSH_HOST}"
+: "${CHSETTLE_GATEWAY_DIR:?missing CHSETTLE_GATEWAY_DIR}"
+: "${CHSETTLE_GATEWAY_COMPOSE_PROJECT:?missing CHSETTLE_GATEWAY_COMPOSE_PROJECT}"
+: "${CHSETTLE_GATEWAY_SERVICE_NAME:?missing CHSETTLE_GATEWAY_SERVICE_NAME}"
+
+REMOTE_DIR="${REMOTE_BASE%/}/${CHSETTLE_GATEWAY_DIR}"
+REMOTE_TARGET="${SSH_USER}@${SSH_HOST}"
+RUNTIME_ENV_FILE="${RUNTIME_ENV_FILE:-ci/prod/.env.runtime}"
+COMPOSE_FILE="chsettle_gateway.yml"
+SERVICE_NAMES="${CHSETTLE_GATEWAY_SERVICE_NAME}"
+
+REQUIRED_SECRETS=(
+  CHSETTLE_GATEWAY_MONGO_USER
+  CHSETTLE_GATEWAY_MONGO_PASSWORD
+  NATS_USER
+  NATS_PASSWORD
+  NATS_URL
+)
+
+for var in "${REQUIRED_SECRETS[@]}"; do
+  if [[ -z "${!var:-}" ]]; then
+    echo "missing required secret env: ${var}" >&2
+    exit 65
+  fi
+done
+
+if [[ ! -s .env.version ]]; then
+  echo ".env.version is missing; run version step first" >&2
+  exit 66
+fi
+
+b64enc() {
+  printf '%s' "$1" | base64 | tr -d '\n'
+}
+
+CHSETTLE_GATEWAY_MONGO_USER_B64="$(b64enc "${CHSETTLE_GATEWAY_MONGO_USER}")"
+CHSETTLE_GATEWAY_MONGO_PASSWORD_B64="$(b64enc "${CHSETTLE_GATEWAY_MONGO_PASSWORD}")"
+NATS_USER_B64="$(b64enc "${NATS_USER}")"
+NATS_PASSWORD_B64="$(b64enc "${NATS_PASSWORD}")"
+NATS_URL_B64="$(b64enc "${NATS_URL}")"
+
+SSH_OPTS=(
+  -i /root/.ssh/id_rsa
+  -o StrictHostKeyChecking=no
+  -o UserKnownHostsFile=/dev/null
+  -o LogLevel=ERROR
+  -o BatchMode=yes
+  -o PreferredAuthentications=publickey
+  -o ConnectTimeout=10
+  -q
+)
+if [[ "${DEBUG_DEPLOY:-0}" = "1" ]]; then
+  SSH_OPTS=("${SSH_OPTS[@]/-q/}" -vv)
+fi
+
+RSYNC_FLAGS=(-az --delete)
+[[ "${DEBUG_DEPLOY:-0}" = "1" ]] && RSYNC_FLAGS=(-avz --delete)
+
+ssh "${SSH_OPTS[@]}" "$REMOTE_TARGET" "mkdir -p ${REMOTE_DIR}/{compose,env}"
+
+rsync "${RSYNC_FLAGS[@]}" -e "ssh ${SSH_OPTS[*]}" ci/prod/compose/ "$REMOTE_TARGET:${REMOTE_DIR}/compose/"
+rsync "${RSYNC_FLAGS[@]}" -e "ssh ${SSH_OPTS[*]}" "${RUNTIME_ENV_FILE}" "$REMOTE_TARGET:${REMOTE_DIR}/env/.env.runtime"
+rsync "${RSYNC_FLAGS[@]}" -e "ssh ${SSH_OPTS[*]}" .env.version         "$REMOTE_TARGET:${REMOTE_DIR}/env/.env.version"
+
+SERVICES_LINE="${SERVICE_NAMES}"
+
+ssh "${SSH_OPTS[@]}" "$REMOTE_TARGET" \
+  REMOTE_DIR="$REMOTE_DIR" \
+  COMPOSE_FILE="$COMPOSE_FILE" \
+  COMPOSE_PROJECT="$CHSETTLE_GATEWAY_COMPOSE_PROJECT" \
+  SERVICES_LINE="$SERVICES_LINE" \
+  CHSETTLE_GATEWAY_MONGO_USER_B64="$CHSETTLE_GATEWAY_MONGO_USER_B64" \
+  CHSETTLE_GATEWAY_MONGO_PASSWORD_B64="$CHSETTLE_GATEWAY_MONGO_PASSWORD_B64" \
+  NATS_USER_B64="$NATS_USER_B64" \
+  NATS_PASSWORD_B64="$NATS_PASSWORD_B64" \
+  NATS_URL_B64="$NATS_URL_B64" \
+  bash -s <<'EOSSH'
+set -euo pipefail
+cd "${REMOTE_DIR}/compose"
+set -a
+. ../env/.env.runtime
+load_kv_file() {
+  local file="$1"
+  while IFS= read -r line || [ -n "$line" ]; do
+    case "$line" in
+      ''|\#*) continue ;;
+    esac
+    if printf '%s' "$line" | grep -Eq '^[[:alpha:]_][[:alnum:]_]*='; then
+      local key="${line%%=*}"
+      local value="${line#*=}"
+      key="$(printf '%s' "$key" | tr -d '[:space:]')"
+      value="${value#"${value%%[![:space:]]*}"}"
+      value="${value%"${value##*[![:space:]]}"}"
+      if [[ -n "$key" ]]; then
+        export "$key=$value"
+      fi
+    fi
+  done <"$file"
+}
+load_kv_file ../env/.env.version
+set +a
+
+IMAGE_TAG="${IMAGE_TAG:-${APP_V}-${GIT_REV}}"
+export IMAGE_TAG
+
+if base64 -d >/dev/null 2>&1 <<<'AA=='; then
+  BASE64_DECODE_FLAG='-d'
+else
+  BASE64_DECODE_FLAG='--decode'
+fi
+
+decode_b64() {
+  val="$1"
+  if [[ -z "$val" ]]; then
+    printf ''
+    return
+  fi
+  printf '%s' "$val" | base64 "${BASE64_DECODE_FLAG}"
+}
+
+CHSETTLE_GATEWAY_MONGO_USER="$(decode_b64 "$CHSETTLE_GATEWAY_MONGO_USER_B64")"
+CHSETTLE_GATEWAY_MONGO_PASSWORD="$(decode_b64 "$CHSETTLE_GATEWAY_MONGO_PASSWORD_B64")"
+NATS_USER="$(decode_b64 "$NATS_USER_B64")"
+NATS_PASSWORD="$(decode_b64 "$NATS_PASSWORD_B64")"
+NATS_URL="$(decode_b64 "$NATS_URL_B64")"
+
+export CHSETTLE_GATEWAY_MONGO_USER CHSETTLE_GATEWAY_MONGO_PASSWORD
+export NATS_USER NATS_PASSWORD NATS_URL
+
+COMPOSE_PROJECT_NAME="$COMPOSE_PROJECT"
+export COMPOSE_PROJECT_NAME
+read -r -a SERVICES <<<"${SERVICES_LINE}"
+
+pull_cmd=(docker compose -f "$COMPOSE_FILE" pull)
+up_cmd=(docker compose -f "$COMPOSE_FILE" up -d --remove-orphans)
+ps_cmd=(docker compose -f "$COMPOSE_FILE" ps)
+if [[ "${#SERVICES[@]}" -gt 0 ]]; then
+  pull_cmd+=("${SERVICES[@]}")
+  up_cmd+=("${SERVICES[@]}")
+  ps_cmd+=("${SERVICES[@]}")
+fi
+
+"${pull_cmd[@]}"
+"${up_cmd[@]}"
+"${ps_cmd[@]}"
+
+date -Is > .last_deploy
+logger -t "deploy-${COMPOSE_PROJECT_NAME}" "${COMPOSE_PROJECT_NAME} deployed at $(date -Is) in ${REMOTE_DIR}"
+EOSSH

ci/prod/scripts/deploy/db.sh

@@ -16,6 +16,7 @@ trap 'echo "[deploy-db] error at line $LINENO" >&2' ERR
 REMOTE_DIR="${REMOTE_BASE%/}/${DB_DIR}"
 REMOTE_TARGET="${SSH_USER}@${SSH_HOST}"
 RUNTIME_ENV_FILE="${RUNTIME_ENV_FILE:-ci/prod/.env.runtime}"
+COMPOSE_FILE="${DB_COMPOSE_FILE:-db.yml}"
 
 # SSH options: quiet by default; add -vv in debug mode
 SSH_OPTS=(
@@ -47,6 +48,7 @@ rsync "${RSYNC_FLAGS[@]}" -e "ssh ${SSH_OPTS[*]}" "${RUNTIME_ENV_FILE}" "$REMOTE
 # The vault-agent container writes them into tmpfs and unsets them internally.
 ssh "${SSH_OPTS[@]}" "$REMOTE_TARGET" \
   REMOTE_DIR="$REMOTE_DIR" \
+  COMPOSE_FILE="$COMPOSE_FILE" \
   VAULT_ROLE_ID="$VAULT_ROLE_ID" \
   VAULT_SECRET_ID="$VAULT_SECRET_ID" \
   bash -s <<'EOSSH'
@@ -56,12 +58,12 @@ set -a; . ../env/.env.runtime; set +a
 COMPOSE_PROJECT_NAME="${DB_COMPOSE_PROJECT:-sendico-db}"
 export COMPOSE_PROJECT_NAME
 # Run with ephemeral AppRole env (scoped only to these commands)
-VAULT_ROLE_ID="${VAULT_ROLE_ID}" VAULT_SECRET_ID="${VAULT_SECRET_ID}" docker compose -f db.yml pull --quiet 2>/dev/null || \
+VAULT_ROLE_ID="${VAULT_ROLE_ID}" VAULT_SECRET_ID="${VAULT_SECRET_ID}" docker compose -f "${COMPOSE_FILE}" pull --quiet 2>/dev/null || \
-VAULT_ROLE_ID="${VAULT_ROLE_ID}" VAULT_SECRET_ID="${VAULT_SECRET_ID}" docker compose -f db.yml pull
+VAULT_ROLE_ID="${VAULT_ROLE_ID}" VAULT_SECRET_ID="${VAULT_SECRET_ID}" docker compose -f "${COMPOSE_FILE}" pull
 
-VAULT_ROLE_ID="${VAULT_ROLE_ID}" VAULT_SECRET_ID="${VAULT_SECRET_ID}" docker compose -f db.yml up -d --remove-orphans
+VAULT_ROLE_ID="${VAULT_ROLE_ID}" VAULT_SECRET_ID="${VAULT_SECRET_ID}" docker compose -f "${COMPOSE_FILE}" up -d --remove-orphans
 
-docker compose -f db.yml ps
+docker compose -f "${COMPOSE_FILE}" ps
 date -Is > .last_deploy
 logger -t deploy-db "db deployed at $(date -Is) in ${REMOTE_DIR}"
 EOSSH

ci/prod/scripts/deploy/tron_gateway.sh

@@ -22,8 +22,6 @@ REQUIRED_SECRETS=(
   TRON_GATEWAY_RPC_URL
   TRON_GATEWAY_SERVICE_WALLET_KEY
   TRON_GATEWAY_SERVICE_WALLET_ADDRESS
-  TRON_GATEWAY_VAULT_ROLE_ID
-  TRON_GATEWAY_VAULT_SECRET_ID
   NATS_USER
   NATS_PASSWORD
   NATS_URL
@@ -52,8 +50,8 @@ TRON_GATEWAY_GRPC_URL_B64="$(b64enc "${TRON_GATEWAY_GRPC_URL:-}")"
 TRON_GATEWAY_GRPC_TOKEN_B64="$(b64enc "${TRON_GATEWAY_GRPC_TOKEN:-}")"
 TRON_GATEWAY_SERVICE_WALLET_KEY_B64="$(b64enc "${TRON_GATEWAY_SERVICE_WALLET_KEY}")"
 TRON_GATEWAY_SERVICE_WALLET_ADDRESS_B64="$(b64enc "${TRON_GATEWAY_SERVICE_WALLET_ADDRESS}")"
-TRON_GATEWAY_VAULT_ROLE_ID_B64="$(b64enc "${TRON_GATEWAY_VAULT_ROLE_ID}")"
+TRON_GATEWAY_VAULT_ROLE_ID_B64="$(b64enc "${TRON_GATEWAY_VAULT_ROLE_ID:-}")"
-TRON_GATEWAY_VAULT_SECRET_ID_B64="$(b64enc "${TRON_GATEWAY_VAULT_SECRET_ID}")"
+TRON_GATEWAY_VAULT_SECRET_ID_B64="$(b64enc "${TRON_GATEWAY_VAULT_SECRET_ID:-}")"
 NATS_USER_B64="$(b64enc "${NATS_USER}")"
 NATS_PASSWORD_B64="$(b64enc "${NATS_PASSWORD}")"
 NATS_URL_B64="$(b64enc "${NATS_URL}")"
@@ -124,6 +122,9 @@ load_kv_file() {
   done <"$file"
 }
 load_kv_file ../env/.env.version
+if [[ -f ../env/vault.env ]]; then
+  load_kv_file ../env/vault.env
+fi
 set +a
 
 IMAGE_TAG="${IMAGE_TAG:-${APP_V}-${GIT_REV}}"
@@ -162,6 +163,10 @@ export TRON_GATEWAY_RPC_URL TRON_GATEWAY_GRPC_URL TRON_GATEWAY_GRPC_TOKEN
 export TRON_GATEWAY_SERVICE_WALLET_KEY TRON_GATEWAY_SERVICE_WALLET_ADDRESS
 export TRON_GATEWAY_VAULT_ROLE_ID TRON_GATEWAY_VAULT_SECRET_ID
 export NATS_USER NATS_PASSWORD NATS_URL
+if [[ -z "${TRON_GATEWAY_VAULT_ROLE_ID:-}" || -z "${TRON_GATEWAY_VAULT_SECRET_ID:-}" ]]; then
+  echo "missing required secret env: TRON_GATEWAY_VAULT_ROLE_ID/TRON_GATEWAY_VAULT_SECRET_ID" >&2
+  exit 65
+fi
 
 COMPOSE_PROJECT_NAME="$COMPOSE_PROJECT"
 export COMPOSE_PROJECT_NAME

ci/prod/scripts/deploy/vault.sh

@@ -0,0 +1,140 @@
+#!/usr/bin/env bash
+set -euo pipefail
+[[ "${DEBUG_DEPLOY:-0}" = "1" ]] && set -x
+trap 'echo "[deploy-vault] error at line $LINENO" >&2' ERR
+
+: "${REMOTE_BASE:?missing REMOTE_BASE}"
+: "${SSH_USER:?missing SSH_USER}"
+: "${SSH_HOST:?missing SSH_HOST}"
+: "${VAULT_DIR:?missing VAULT_DIR}"
+: "${VAULT_COMPOSE_PROJECT:?missing VAULT_COMPOSE_PROJECT}"
+
+REMOTE_DIR="${REMOTE_BASE%/}/${VAULT_DIR}"
+REMOTE_TARGET="${SSH_USER}@${SSH_HOST}"
+RUNTIME_ENV_FILE="${RUNTIME_ENV_FILE:-ci/prod/.env.runtime}"
+COMPOSE_FILE="vault.yml"
+
+SSH_OPTS=(
+  -i /root/.ssh/id_rsa
+  -o StrictHostKeyChecking=no
+  -o UserKnownHostsFile=/dev/null
+  -o LogLevel=ERROR
+  -o BatchMode=yes
+  -o PreferredAuthentications=publickey
+  -o ConnectTimeout=10
+  -q
+)
+if [[ "${DEBUG_DEPLOY:-0}" = "1" ]]; then
+  SSH_OPTS=("${SSH_OPTS[@]/-q/}" -vv)
+fi
+
+RSYNC_FLAGS=(-az --delete)
+[[ "${DEBUG_DEPLOY:-0}" = "1" ]] && RSYNC_FLAGS=(-avz --delete)
+
+ssh "${SSH_OPTS[@]}" "$REMOTE_TARGET" "mkdir -p ${REMOTE_DIR}/{compose,env}"
+
+rsync "${RSYNC_FLAGS[@]}" -e "ssh ${SSH_OPTS[*]}" ci/prod/compose/ "$REMOTE_TARGET:${REMOTE_DIR}/compose/"
+rsync "${RSYNC_FLAGS[@]}" -e "ssh ${SSH_OPTS[*]}" "${RUNTIME_ENV_FILE}" "$REMOTE_TARGET:${REMOTE_DIR}/env/.env.runtime"
+
+ssh "${SSH_OPTS[@]}" "$REMOTE_TARGET" \
+  REMOTE_BASE="$REMOTE_BASE" \
+  REMOTE_DIR="$REMOTE_DIR" \
+  COMPOSE_FILE="$COMPOSE_FILE" \
+  COMPOSE_PROJECT="$VAULT_COMPOSE_PROJECT" \
+  bash -s <<'EOSSH'
+set -euo pipefail
+cd "${REMOTE_DIR}/compose"
+set -a
+. ../env/.env.runtime
+set +a
+
+COMPOSE_PROJECT_NAME="$COMPOSE_PROJECT"
+export COMPOSE_PROJECT_NAME
+
+docker compose -f "$COMPOSE_FILE" pull --quiet 2>/dev/null || docker compose -f "$COMPOSE_FILE" pull
+docker compose -f "$COMPOSE_FILE" up -d --remove-orphans
+
+status_json=""
+for _ in $(seq 1 30); do
+  status_json="$(docker exec dev-vault sh -lc 'export VAULT_ADDR=http://127.0.0.1:8200; vault status -format=json' 2>/dev/null || true)"
+  if [[ -n "$status_json" ]]; then
+    break
+  fi
+  sleep 2
+done
+
+if [[ -z "$status_json" ]]; then
+  echo "vault status did not become available" >&2
+  exit 65
+fi
+
+INIT_FILE="../env/vault-init.json"
+if printf '%s' "$status_json" | grep -Eq '"initialized"[[:space:]]*:[[:space:]]*false'; then
+  docker exec dev-vault sh -lc 'export VAULT_ADDR=http://127.0.0.1:8200; vault operator init -format=json -key-shares=1 -key-threshold=1' >"$INIT_FILE"
+  chmod 600 "$INIT_FILE"
+  status_json="$(docker exec dev-vault sh -lc 'export VAULT_ADDR=http://127.0.0.1:8200; vault status -format=json')"
+fi
+
+if [[ ! -s "$INIT_FILE" ]]; then
+  echo "vault init file is missing: $INIT_FILE" >&2
+  exit 66
+fi
+
+INIT_JSON_COMPACT="$(tr -d '\r\n\t ' <"$INIT_FILE")"
+UNSEAL_KEY="$(printf '%s' "$INIT_JSON_COMPACT" | sed -n 's/.*"unseal_keys_b64":\["\([^"]*\)".*/\1/p')"
+ROOT_TOKEN="$(printf '%s' "$INIT_JSON_COMPACT" | sed -n 's/.*"root_token":"\([^"]*\)".*/\1/p')"
+
+if [[ -z "$UNSEAL_KEY" || -z "$ROOT_TOKEN" ]]; then
+  echo "failed to extract vault init credentials" >&2
+  exit 67
+fi
+
+if printf '%s' "$status_json" | grep -Eq '"sealed"[[:space:]]*:[[:space:]]*true'; then
+  docker exec dev-vault sh -lc "export VAULT_ADDR=http://127.0.0.1:8200; vault operator unseal '${UNSEAL_KEY}' >/dev/null"
+fi
+
+docker exec dev-vault sh -lc "export VAULT_ADDR=http://127.0.0.1:8200 VAULT_TOKEN='${ROOT_TOKEN}'; vault auth list -format=json | grep -q '\"approle/\"' || vault auth enable approle >/dev/null"
+docker exec dev-vault sh -lc "export VAULT_ADDR=http://127.0.0.1:8200 VAULT_TOKEN='${ROOT_TOKEN}'; vault secrets list -format=json | grep -q '\"kv/\"' || vault secrets enable -path=kv kv-v2 >/dev/null"
+
+docker exec -i dev-vault sh -lc "export VAULT_ADDR=http://127.0.0.1:8200 VAULT_TOKEN='${ROOT_TOKEN}'; vault policy write sendico-dev-apps -" <<'EOF'
+path "kv/data/*" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "kv/metadata/*" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+EOF
+
+docker exec dev-vault sh -lc "export VAULT_ADDR=http://127.0.0.1:8200 VAULT_TOKEN='${ROOT_TOKEN}'; vault write auth/approle/role/sendico-dev-apps token_policies='sendico-dev-apps' token_ttl='24h' token_max_ttl='720h' >/dev/null"
+
+APPROLE_ROLE_ID="$(docker exec dev-vault sh -lc "export VAULT_ADDR=http://127.0.0.1:8200 VAULT_TOKEN='${ROOT_TOKEN}'; vault read -field=role_id auth/approle/role/sendico-dev-apps/role-id")"
+APPROLE_SECRET_ID="$(docker exec dev-vault sh -lc "export VAULT_ADDR=http://127.0.0.1:8200 VAULT_TOKEN='${ROOT_TOKEN}'; vault write -force -field=secret_id auth/approle/role/sendico-dev-apps/secret-id")"
+
+if [[ -z "$APPROLE_ROLE_ID" || -z "$APPROLE_SECRET_ID" ]]; then
+  echo "failed to create dev approle credentials" >&2
+  exit 68
+fi
+
+write_vault_env() {
+  local service_dir="$1"
+  local role_var="$2"
+  local secret_var="$3"
+  local env_dir="${REMOTE_BASE%/}/${service_dir}/env"
+  mkdir -p "$env_dir"
+  cat >"${env_dir}/vault.env" <<EOF
+${role_var}=${APPROLE_ROLE_ID}
+${secret_var}=${APPROLE_SECRET_ID}
+EOF
+  chmod 600 "${env_dir}/vault.env"
+}
+
+write_vault_env "${BFF_DIR}" "BFF_VAULT_ROLE_ID" "BFF_VAULT_SECRET_ID"
+write_vault_env "${CALLBACKS_DIR}" "CALLBACKS_VAULT_ROLE_ID" "CALLBACKS_VAULT_SECRET_ID"
+write_vault_env "${CHAIN_GATEWAY_DIR}" "CHAIN_GATEWAY_VAULT_ROLE_ID" "CHAIN_GATEWAY_VAULT_SECRET_ID"
+write_vault_env "${TRON_GATEWAY_DIR}" "TRON_GATEWAY_VAULT_ROLE_ID" "TRON_GATEWAY_VAULT_SECRET_ID"
+
+docker compose -f "$COMPOSE_FILE" ps
+date -Is > .last_deploy
+logger -t "deploy-${COMPOSE_PROJECT_NAME}" "${COMPOSE_PROJECT_NAME} deployed at $(date -Is) in ${REMOTE_DIR}"
+EOSSH

ci/scripts/aurora/build-image.sh

@@ -0,0 +1,94 @@
+#!/bin/sh
+set -eu
+
+if ! set -o pipefail 2>/dev/null; then
+  :
+fi
+
+REPO_ROOT="$(cd "$(dirname "$0")/../../.." && pwd)"
+cd "${REPO_ROOT}"
+
+sh ci/scripts/common/ensure_env_version.sh
+. ci/scripts/common/runtime_env.sh
+
+normalize_env_file() {
+  file="$1"
+  tmp="${file}.tmp.$$"
+  tr -d '\r' <"$file" >"$tmp"
+  mv "$tmp" "$file"
+}
+
+load_env_file() {
+  file="$1"
+  while IFS= read -r line || [ -n "$line" ]; do
+    case "$line" in
+      ''|\#*) continue ;;
+    esac
+    key="${line%%=*}"
+    value="${line#*=}"
+    key="$(printf '%s' "$key" | tr -d '[:space:]')"
+    value="${value#"${value%%[![:space:]]*}"}"
+    value="${value%"${value##*[![:space:]]}"}"
+    export "$key=$value"
+  done <"$file"
+}
+
+AURORA_GATEWAY_ENV_NAME="${AURORA_GATEWAY_ENV:-$(resolve_runtime_env_name)}"
+load_runtime_env_bundle "${AURORA_GATEWAY_ENV_NAME}"
+
+IMAGE_TAG="$(compute_image_tag)"
+
+REGISTRY_URL="${REGISTRY_URL:?missing REGISTRY_URL}"
+APP_V="${APP_V:?missing APP_V}"
+AURORA_GATEWAY_DOCKERFILE="${AURORA_GATEWAY_DOCKERFILE:?missing AURORA_GATEWAY_DOCKERFILE}"
+AURORA_GATEWAY_IMAGE_PATH="${AURORA_GATEWAY_IMAGE_PATH:?missing AURORA_GATEWAY_IMAGE_PATH}"
+
+REGISTRY_HOST="${REGISTRY_URL#http://}"
+REGISTRY_HOST="${REGISTRY_HOST#https://}"
+REGISTRY_USER="$(cat secrets/REGISTRY_USER)"
+REGISTRY_PASSWORD="$(cat secrets/REGISTRY_PASSWORD)"
+: "${REGISTRY_USER:?missing registry user}"
+: "${REGISTRY_PASSWORD:?missing registry password}"
+
+mkdir -p /kaniko/.docker
+AUTH_B64="$(printf '%s:%s' "$REGISTRY_USER" "$REGISTRY_PASSWORD" | base64 | tr -d '\n')"
+cat <<EOF >/kaniko/.docker/config.json
+{
+  "auths": {
+    "https://${REGISTRY_HOST}": { "auth": "${AUTH_B64}" }
+  }
+}
+EOF
+
+BUILD_CONTEXT="${AURORA_GATEWAY_BUILD_CONTEXT:-${WOODPECKER_WORKSPACE:-${CI_WORKSPACE:-${PWD:-/workspace}}}}"
+if [ ! -d "${BUILD_CONTEXT}" ]; then
+  BUILD_CONTEXT="/workspace"
+fi
+
+# Gateway modules use a local replace (../common); ensure build context contains shared code.
+if [ ! -d "${BUILD_CONTEXT}/api/gateway/common" ] || [ ! -f "${BUILD_CONTEXT}/${AURORA_GATEWAY_DOCKERFILE}" ]; then
+  if [ -d "${REPO_ROOT}/api/gateway/common" ] && [ -f "${REPO_ROOT}/${AURORA_GATEWAY_DOCKERFILE}" ]; then
+    echo "[aurora-gateway-build] build context ${BUILD_CONTEXT} is incomplete; falling back to ${REPO_ROOT}" >&2
+    BUILD_CONTEXT="${REPO_ROOT}"
+  fi
+fi
+
+if [ ! -d "${BUILD_CONTEXT}/api/gateway/common" ]; then
+  echo "[aurora-gateway-build] build context ${BUILD_CONTEXT} missing api/gateway/common" >&2
+  exit 67
+fi
+if [ ! -f "${BUILD_CONTEXT}/${AURORA_GATEWAY_DOCKERFILE}" ]; then
+  echo "[aurora-gateway-build] dockerfile not found in build context: ${AURORA_GATEWAY_DOCKERFILE}" >&2
+  exit 68
+fi
+
+/kaniko/executor \
+  --context "${BUILD_CONTEXT}" \
+  --dockerfile "${AURORA_GATEWAY_DOCKERFILE}" \
+  --destination "${REGISTRY_URL}/${AURORA_GATEWAY_IMAGE_PATH}:${IMAGE_TAG}" \
+  --build-arg APP_VERSION="${APP_V}" \
+  --build-arg GIT_REV="${GIT_REV}" \
+  --build-arg BUILD_BRANCH="${BUILD_BRANCH}" \
+  --build-arg BUILD_DATE="${BUILD_DATE}" \
+  --build-arg BUILD_USER="${BUILD_USER}" \
+  --single-snapshot

ci/scripts/aurora/deploy.sh

@@ -0,0 +1,50 @@
+#!/bin/sh
+set -eu
+
+if ! set -o pipefail 2>/dev/null; then
+  :
+fi
+
+REPO_ROOT="$(cd "$(dirname "$0")/../../.." && pwd)"
+cd "${REPO_ROOT}"
+
+sh ci/scripts/common/ensure_env_version.sh
+. ci/scripts/common/runtime_env.sh
+. ci/scripts/common/nats_env.sh
+
+normalize_env_file() {
+  file="$1"
+  tmp="${file}.tmp.$$"
+  tr -d '\r' <"$file" >"$tmp"
+  mv "$tmp" "$file"
+}
+
+load_env_file() {
+  file="$1"
+  while IFS= read -r line || [ -n "$line" ]; do
+    case "$line" in
+      ''|\#*) continue ;;
+    esac
+    key="${line%%=*}"
+    value="${line#*=}"
+    key="$(printf '%s' "$key" | tr -d '[:space:]')"
+    value="${value#"${value%%[![:space:]]*}"}"
+    value="${value%"${value##*[![:space:]]}"}"
+    export "$key=$value"
+  done <"$file"
+}
+
+AURORA_GATEWAY_ENV_NAME="${AURORA_GATEWAY_ENV:-$(resolve_runtime_env_name)}"
+load_runtime_env_bundle "${AURORA_GATEWAY_ENV_NAME}"
+
+AURORA_GATEWAY_MONGO_SECRET_PATH="${AURORA_GATEWAY_MONGO_SECRET_PATH:?missing AURORA_GATEWAY_MONGO_SECRET_PATH}"
+AURORA_GATEWAY_NATS_SECRET_PATH="${AURORA_GATEWAY_NATS_SECRET_PATH:-sendico/nats}"
+
+export AURORA_GATEWAY_MONGO_USER="$(./ci/vlt kv_get kv "${AURORA_GATEWAY_MONGO_SECRET_PATH}" user)"
+export AURORA_GATEWAY_MONGO_PASSWORD="$(./ci/vlt kv_get kv "${AURORA_GATEWAY_MONGO_SECRET_PATH}" password)"
+
+NATS_SECRET_PATH="${AURORA_GATEWAY_NATS_SECRET_PATH}" load_nats_env
+
+bash ci/prod/scripts/bootstrap/network.sh
+sh ci/scripts/common/ensure_remote_registry_login.sh
+bash ci/prod/scripts/deploy/aurora_gateway.sh

ci/scripts/bff/build-image.sh

@@ -37,6 +37,10 @@ BFF_ENV_NAME="${BFF_ENV:-$(resolve_runtime_env_name)}"
 load_runtime_env_bundle "${BFF_ENV_NAME}"
 
 IMAGE_TAG="$(compute_image_tag)"
+BFF_CONFIG_PATH="api/edge/bff/config.yml"
+if [ "${CI_RUNTIME_ENV_NAME:-prod}" = "devserver" ] && [ -f "${REPO_ROOT}/api/edge/bff/config.dev.yml" ]; then
+  BFF_CONFIG_PATH="api/edge/bff/config.dev.yml"
+fi
 
 REGISTRY_URL="${REGISTRY_URL:?missing REGISTRY_URL}"
 APP_V="${APP_V:?missing APP_V}"
@@ -69,6 +73,7 @@ fi
   --context "${BUILD_CONTEXT}" \
   --dockerfile "${BFF_DOCKERFILE}" \
   --destination "${REGISTRY_URL}/${BFF_IMAGE_PATH}:${IMAGE_TAG}" \
+  --build-arg APP_CONFIG_PATH="${BFF_CONFIG_PATH}" \
   --build-arg APP_VERSION="${APP_V}" \
   --build-arg GIT_REV="${GIT_REV}" \
   --build-arg BUILD_BRANCH="${BUILD_BRANCH}" \

ci/scripts/bff/deploy.sh

@@ -46,11 +46,13 @@ export MONGO_USER="$(./ci/vlt kv_get kv "${BFF_MONGO_SECRET_PATH}" user)"
 export MONGO_PASSWORD="$(./ci/vlt kv_get kv "${BFF_MONGO_SECRET_PATH}" password)"
 
 export API_ENDPOINT_SECRET="$(./ci/vlt kv_get kv "${BFF_API_SECRET_PATH}" secret)"
-export BFF_VAULT_ROLE_ID="$(./ci/vlt kv_get kv "${BFF_VAULT_SECRET_PATH}" role_id)"
+if [ "${CI_RUNTIME_ENV_NAME:-prod}" != "devserver" ]; then
-export BFF_VAULT_SECRET_ID="$(./ci/vlt kv_get kv "${BFF_VAULT_SECRET_PATH}" secret_id)"
+  export BFF_VAULT_ROLE_ID="$(./ci/vlt kv_get kv "${BFF_VAULT_SECRET_PATH}" role_id)"
-if [ -z "${BFF_VAULT_ROLE_ID}" ] || [ -z "${BFF_VAULT_SECRET_ID}" ]; then
+  export BFF_VAULT_SECRET_ID="$(./ci/vlt kv_get kv "${BFF_VAULT_SECRET_PATH}" secret_id)"
-  echo "[bff-deploy] vault approle creds are empty for path ${BFF_VAULT_SECRET_PATH}" >&2
+  if [ -z "${BFF_VAULT_ROLE_ID}" ] || [ -z "${BFF_VAULT_SECRET_ID}" ]; then
-  exit 1
+    echo "[bff-deploy] vault approle creds are empty for path ${BFF_VAULT_SECRET_PATH}" >&2
+    exit 1
+  fi
 fi
 
 load_nats_env

ci/scripts/callbacks/build-image.sh

@@ -37,6 +37,10 @@ CALLBACKS_ENV_NAME="${CALLBACKS_ENV:-$(resolve_runtime_env_name)}"
 load_runtime_env_bundle "${CALLBACKS_ENV_NAME}"
 
 IMAGE_TAG="$(compute_image_tag)"
+CALLBACKS_CONFIG_PATH="api/edge/callbacks/config.yml"
+if [ "${CI_RUNTIME_ENV_NAME:-prod}" = "devserver" ] && [ -f "${REPO_ROOT}/api/edge/callbacks/config.dev.yml" ]; then
+  CALLBACKS_CONFIG_PATH="api/edge/callbacks/config.dev.yml"
+fi
 
 REGISTRY_URL="${REGISTRY_URL:?missing REGISTRY_URL}"
 APP_V="${APP_V:?missing APP_V}"
@@ -69,6 +73,7 @@ fi
   --context "${BUILD_CONTEXT}" \
   --dockerfile "${CALLBACKS_DOCKERFILE}" \
   --destination "${REGISTRY_URL}/${CALLBACKS_IMAGE_PATH}:${IMAGE_TAG}" \
+  --build-arg APP_CONFIG_PATH="${CALLBACKS_CONFIG_PATH}" \
   --build-arg APP_VERSION="${APP_V}" \
   --build-arg GIT_REV="${GIT_REV}" \
   --build-arg BUILD_BRANCH="${BUILD_BRANCH}" \

ci/scripts/callbacks/deploy.sh

@@ -43,11 +43,13 @@ CALLBACKS_VAULT_SECRET_PATH="${CALLBACKS_VAULT_SECRET_PATH:?missing CALLBACKS_VA
 
 export CALLBACKS_MONGO_USER="$(./ci/vlt kv_get kv "${CALLBACKS_MONGO_SECRET_PATH}" user)"
 export CALLBACKS_MONGO_PASSWORD="$(./ci/vlt kv_get kv "${CALLBACKS_MONGO_SECRET_PATH}" password)"
-export CALLBACKS_VAULT_ROLE_ID="$(./ci/vlt kv_get kv "${CALLBACKS_VAULT_SECRET_PATH}" role_id)"
+if [ "${CI_RUNTIME_ENV_NAME:-prod}" != "devserver" ]; then
-export CALLBACKS_VAULT_SECRET_ID="$(./ci/vlt kv_get kv "${CALLBACKS_VAULT_SECRET_PATH}" secret_id)"
+  export CALLBACKS_VAULT_ROLE_ID="$(./ci/vlt kv_get kv "${CALLBACKS_VAULT_SECRET_PATH}" role_id)"
-if [ -z "${CALLBACKS_VAULT_ROLE_ID}" ] || [ -z "${CALLBACKS_VAULT_SECRET_ID}" ]; then
+  export CALLBACKS_VAULT_SECRET_ID="$(./ci/vlt kv_get kv "${CALLBACKS_VAULT_SECRET_PATH}" secret_id)"
-  echo "[callbacks-deploy] vault approle creds are empty for path ${CALLBACKS_VAULT_SECRET_PATH}" >&2
+  if [ -z "${CALLBACKS_VAULT_ROLE_ID}" ] || [ -z "${CALLBACKS_VAULT_SECRET_ID}" ]; then
-  exit 1
+    echo "[callbacks-deploy] vault approle creds are empty for path ${CALLBACKS_VAULT_SECRET_PATH}" >&2
+    exit 1
+  fi
 fi
 
 load_nats_env

ci/scripts/chain_gateway/build-image.sh

@@ -37,6 +37,10 @@ CHAIN_GATEWAY_ENV_NAME="${CHAIN_GATEWAY_ENV:-$(resolve_runtime_env_name)}"
 load_runtime_env_bundle "${CHAIN_GATEWAY_ENV_NAME}"
 
 IMAGE_TAG="$(compute_image_tag)"
+CHAIN_GATEWAY_CONFIG_PATH="api/gateway/chain/config.yml"
+if [ "${CI_RUNTIME_ENV_NAME:-prod}" = "devserver" ] && [ -f "${REPO_ROOT}/api/gateway/chain/config.dev.yml" ]; then
+  CHAIN_GATEWAY_CONFIG_PATH="api/gateway/chain/config.dev.yml"
+fi
 
 REGISTRY_URL="${REGISTRY_URL:?missing REGISTRY_URL}"
 APP_V="${APP_V:?missing APP_V}"
@@ -86,6 +90,7 @@ fi
   --context "${BUILD_CONTEXT}" \
   --dockerfile "${CHAIN_GATEWAY_DOCKERFILE}" \
   --destination "${REGISTRY_URL}/${CHAIN_GATEWAY_IMAGE_PATH}:${IMAGE_TAG}" \
+  --build-arg APP_CONFIG_PATH="${CHAIN_GATEWAY_CONFIG_PATH}" \
   --build-arg APP_VERSION="${APP_V}" \
   --build-arg GIT_REV="${GIT_REV}" \
   --build-arg BUILD_BRANCH="${BUILD_BRANCH}" \

ci/scripts/chain_gateway/deploy.sh

@@ -51,11 +51,13 @@ export CHAIN_GATEWAY_RPC_URL="$(./ci/vlt kv_get kv "${CHAIN_GATEWAY_RPC_SECRET_P
 export CHAIN_GATEWAY_SERVICE_WALLET_KEY="$(./ci/vlt kv_get kv "${CHAIN_GATEWAY_WALLET_SECRET_PATH}" private_key)"
 export CHAIN_GATEWAY_SERVICE_WALLET_ADDRESS="$(./ci/vlt kv_get kv "${CHAIN_GATEWAY_WALLET_SECRET_PATH}" address || true)"
 
-export CHAIN_GATEWAY_VAULT_ROLE_ID="$(./ci/vlt kv_get kv "${CHAIN_GATEWAY_VAULT_SECRET_PATH}" role_id)"
+if [ "${CI_RUNTIME_ENV_NAME:-prod}" != "devserver" ]; then
-export CHAIN_GATEWAY_VAULT_SECRET_ID="$(./ci/vlt kv_get kv "${CHAIN_GATEWAY_VAULT_SECRET_PATH}" secret_id)"
+  export CHAIN_GATEWAY_VAULT_ROLE_ID="$(./ci/vlt kv_get kv "${CHAIN_GATEWAY_VAULT_SECRET_PATH}" role_id)"
-if [ -z "${CHAIN_GATEWAY_VAULT_ROLE_ID}" ] || [ -z "${CHAIN_GATEWAY_VAULT_SECRET_ID}" ]; then
+  export CHAIN_GATEWAY_VAULT_SECRET_ID="$(./ci/vlt kv_get kv "${CHAIN_GATEWAY_VAULT_SECRET_PATH}" secret_id)"
-  echo "[chain-gateway-deploy] vault approle creds are empty for path ${CHAIN_GATEWAY_VAULT_SECRET_PATH}" >&2
+  if [ -z "${CHAIN_GATEWAY_VAULT_ROLE_ID}" ] || [ -z "${CHAIN_GATEWAY_VAULT_SECRET_ID}" ]; then
-  exit 1
+    echo "[chain-gateway-deploy] vault approle creds are empty for path ${CHAIN_GATEWAY_VAULT_SECRET_PATH}" >&2
+    exit 1
+  fi
 fi
 
 load_nats_env

ci/scripts/chsettle/build-image.sh

@@ -0,0 +1,94 @@
+#!/bin/sh
+set -eu
+
+if ! set -o pipefail 2>/dev/null; then
+  :
+fi
+
+REPO_ROOT="$(cd "$(dirname "$0")/../../.." && pwd)"
+cd "${REPO_ROOT}"
+
+sh ci/scripts/common/ensure_env_version.sh
+. ci/scripts/common/runtime_env.sh
+
+normalize_env_file() {
+  file="$1"
+  tmp="${file}.tmp.$$"
+  tr -d '\r' <"$file" >"$tmp"
+  mv "$tmp" "$file"
+}
+
+load_env_file() {
+  file="$1"
+  while IFS= read -r line || [ -n "$line" ]; do
+    case "$line" in
+      ''|\#*) continue ;;
+    esac
+    key="${line%%=*}"
+    value="${line#*=}"
+    key="$(printf '%s' "$key" | tr -d '[:space:]')"
+    value="${value#"${value%%[![:space:]]*}"}"
+    value="${value%"${value##*[![:space:]]}"}"
+    export "$key=$value"
+  done <"$file"
+}
+
+CHSETTLE_GATEWAY_ENV_NAME="${CHSETTLE_GATEWAY_ENV:-$(resolve_runtime_env_name)}"
+load_runtime_env_bundle "${CHSETTLE_GATEWAY_ENV_NAME}"
+
+IMAGE_TAG="$(compute_image_tag)"
+
+REGISTRY_URL="${REGISTRY_URL:?missing REGISTRY_URL}"
+APP_V="${APP_V:?missing APP_V}"
+CHSETTLE_GATEWAY_DOCKERFILE="${CHSETTLE_GATEWAY_DOCKERFILE:?missing CHSETTLE_GATEWAY_DOCKERFILE}"
+CHSETTLE_GATEWAY_IMAGE_PATH="${CHSETTLE_GATEWAY_IMAGE_PATH:?missing CHSETTLE_GATEWAY_IMAGE_PATH}"
+
+REGISTRY_HOST="${REGISTRY_URL#http://}"
+REGISTRY_HOST="${REGISTRY_HOST#https://}"
+REGISTRY_USER="$(cat secrets/REGISTRY_USER)"
+REGISTRY_PASSWORD="$(cat secrets/REGISTRY_PASSWORD)"
+: "${REGISTRY_USER:?missing registry user}"
+: "${REGISTRY_PASSWORD:?missing registry password}"
+
+mkdir -p /kaniko/.docker
+AUTH_B64="$(printf '%s:%s' "$REGISTRY_USER" "$REGISTRY_PASSWORD" | base64 | tr -d '\n')"
+cat <<EOF >/kaniko/.docker/config.json
+{
+  "auths": {
+    "https://${REGISTRY_HOST}": { "auth": "${AUTH_B64}" }
+  }
+}
+EOF
+
+BUILD_CONTEXT="${CHSETTLE_GATEWAY_BUILD_CONTEXT:-${WOODPECKER_WORKSPACE:-${CI_WORKSPACE:-${PWD:-/workspace}}}}"
+if [ ! -d "${BUILD_CONTEXT}" ]; then
+  BUILD_CONTEXT="/workspace"
+fi
+
+# Gateway modules use a local replace (../common); ensure build context contains shared code.
+if [ ! -d "${BUILD_CONTEXT}/api/gateway/common" ] || [ ! -f "${BUILD_CONTEXT}/${CHSETTLE_GATEWAY_DOCKERFILE}" ]; then
+  if [ -d "${REPO_ROOT}/api/gateway/common" ] && [ -f "${REPO_ROOT}/${CHSETTLE_GATEWAY_DOCKERFILE}" ]; then
+    echo "[chsettle-gateway-build] build context ${BUILD_CONTEXT} is incomplete; falling back to ${REPO_ROOT}" >&2
+    BUILD_CONTEXT="${REPO_ROOT}"
+  fi
+fi
+
+if [ ! -d "${BUILD_CONTEXT}/api/gateway/common" ]; then
+  echo "[chsettle-gateway-build] build context ${BUILD_CONTEXT} missing api/gateway/common" >&2
+  exit 67
+fi
+if [ ! -f "${BUILD_CONTEXT}/${CHSETTLE_GATEWAY_DOCKERFILE}" ]; then
+  echo "[chsettle-gateway-build] dockerfile not found in build context: ${CHSETTLE_GATEWAY_DOCKERFILE}" >&2
+  exit 68
+fi
+
+/kaniko/executor \
+  --context "${BUILD_CONTEXT}" \
+  --dockerfile "${CHSETTLE_GATEWAY_DOCKERFILE}" \
+  --destination "${REGISTRY_URL}/${CHSETTLE_GATEWAY_IMAGE_PATH}:${IMAGE_TAG}" \
+  --build-arg APP_VERSION="${APP_V}" \
+  --build-arg GIT_REV="${GIT_REV}" \
+  --build-arg BUILD_BRANCH="${BUILD_BRANCH}" \
+  --build-arg BUILD_DATE="${BUILD_DATE}" \
+  --build-arg BUILD_USER="${BUILD_USER}" \
+  --single-snapshot

ci/scripts/chsettle/deploy.sh

@@ -0,0 +1,50 @@
+#!/bin/sh
+set -eu
+
+if ! set -o pipefail 2>/dev/null; then
+  :
+fi
+
+REPO_ROOT="$(cd "$(dirname "$0")/../../.." && pwd)"
+cd "${REPO_ROOT}"
+
+sh ci/scripts/common/ensure_env_version.sh
+. ci/scripts/common/runtime_env.sh
+. ci/scripts/common/nats_env.sh
+
+normalize_env_file() {
+  file="$1"
+  tmp="${file}.tmp.$$"
+  tr -d '\r' <"$file" >"$tmp"
+  mv "$tmp" "$file"
+}
+
+load_env_file() {
+  file="$1"
+  while IFS= read -r line || [ -n "$line" ]; do
+    case "$line" in
+      ''|\#*) continue ;;
+    esac
+    key="${line%%=*}"
+    value="${line#*=}"
+    key="$(printf '%s' "$key" | tr -d '[:space:]')"
+    value="${value#"${value%%[![:space:]]*}"}"
+    value="${value%"${value##*[![:space:]]}"}"
+    export "$key=$value"
+  done <"$file"
+}
+
+CHSETTLE_GATEWAY_ENV_NAME="${CHSETTLE_GATEWAY_ENV:-$(resolve_runtime_env_name)}"
+load_runtime_env_bundle "${CHSETTLE_GATEWAY_ENV_NAME}"
+
+CHSETTLE_GATEWAY_MONGO_SECRET_PATH="${CHSETTLE_GATEWAY_MONGO_SECRET_PATH:?missing CHSETTLE_GATEWAY_MONGO_SECRET_PATH}"
+CHSETTLE_GATEWAY_NATS_SECRET_PATH="${CHSETTLE_GATEWAY_NATS_SECRET_PATH:-sendico/nats}"
+
+export CHSETTLE_GATEWAY_MONGO_USER="$(./ci/vlt kv_get kv "${CHSETTLE_GATEWAY_MONGO_SECRET_PATH}" user)"
+export CHSETTLE_GATEWAY_MONGO_PASSWORD="$(./ci/vlt kv_get kv "${CHSETTLE_GATEWAY_MONGO_SECRET_PATH}" password)"
+
+NATS_SECRET_PATH="${CHSETTLE_GATEWAY_NATS_SECRET_PATH}" load_nats_env
+
+bash ci/prod/scripts/bootstrap/network.sh
+sh ci/scripts/common/ensure_remote_registry_login.sh
+bash ci/prod/scripts/deploy/chsettle_gateway.sh

ci/scripts/common/backend_modules.sh

@@ -57,6 +57,18 @@ EOF
       cat <<'EOF'
 api/pkg
 api/gateway/mntx
+EOF
+      ;;
+    gateway_aurora)
+      cat <<'EOF'
+api/pkg
+api/gateway/aurora
+EOF
+      ;;
+    gateway_chsettle)
+      cat <<'EOF'
+api/pkg
+api/gateway/chsettle
 EOF
       ;;
     gateway_tgsettle)

ci/scripts/common/runtime_env.sh

@@ -86,6 +86,16 @@ load_runtime_env_bundle() {
   env_name="$1"
   runtime_file="$(resolve_runtime_env_file "${env_name}")"
 
+  if [ -n "${VAULT_ADDR:-}" ] && [ -z "${CI_VAULT_ADDR:-}" ]; then
+    export CI_VAULT_ADDR="${VAULT_ADDR}"
+  fi
+  if [ -n "${VAULT_ROLE_ID:-}" ] && [ -z "${CI_VAULT_ROLE_ID:-}" ]; then
+    export CI_VAULT_ROLE_ID="${VAULT_ROLE_ID}"
+  fi
+  if [ -n "${VAULT_SECRET_ID:-}" ] && [ -z "${CI_VAULT_SECRET_ID:-}" ]; then
+    export CI_VAULT_SECRET_ID="${VAULT_SECRET_ID}"
+  fi
+
   normalize_env_file "${runtime_file}"
   normalize_env_file ./.env.version
 

ci/scripts/tron_gateway/build-image.sh

@@ -37,6 +37,10 @@ TRON_GATEWAY_ENV_NAME="${TRON_GATEWAY_ENV:-$(resolve_runtime_env_name)}"
 load_runtime_env_bundle "${TRON_GATEWAY_ENV_NAME}"
 
 IMAGE_TAG="$(compute_image_tag)"
+TRON_GATEWAY_CONFIG_PATH="api/gateway/tron/config.yml"
+if [ "${CI_RUNTIME_ENV_NAME:-prod}" = "devserver" ] && [ -f "${REPO_ROOT}/api/gateway/tron/config.dev.yml" ]; then
+  TRON_GATEWAY_CONFIG_PATH="api/gateway/tron/config.dev.yml"
+fi
 
 REGISTRY_URL="${REGISTRY_URL:?missing REGISTRY_URL}"
 APP_V="${APP_V:?missing APP_V}"
@@ -86,6 +90,7 @@ fi
   --context "${BUILD_CONTEXT}" \
   --dockerfile "${TRON_GATEWAY_DOCKERFILE}" \
   --destination "${REGISTRY_URL}/${TRON_GATEWAY_IMAGE_PATH}:${IMAGE_TAG}" \
+  --build-arg APP_CONFIG_PATH="${TRON_GATEWAY_CONFIG_PATH}" \
   --build-arg APP_VERSION="${APP_V}" \
   --build-arg GIT_REV="${GIT_REV}" \
   --build-arg BUILD_BRANCH="${BUILD_BRANCH}" \

ci/scripts/tron_gateway/deploy.sh

@@ -53,11 +53,13 @@ export TRON_GATEWAY_GRPC_TOKEN="$(./ci/vlt kv_get kv "${TRON_GATEWAY_RPC_SECRET_
 export TRON_GATEWAY_SERVICE_WALLET_KEY="$(./ci/vlt kv_get kv "${TRON_GATEWAY_WALLET_SECRET_PATH}" private_key)"
 export TRON_GATEWAY_SERVICE_WALLET_ADDRESS="$(./ci/vlt kv_get kv "${TRON_GATEWAY_WALLET_SECRET_PATH}" address || true)"
 
-export TRON_GATEWAY_VAULT_ROLE_ID="$(./ci/vlt kv_get kv "${TRON_GATEWAY_VAULT_SECRET_PATH}" role_id)"
+if [ "${CI_RUNTIME_ENV_NAME:-prod}" != "devserver" ]; then
-export TRON_GATEWAY_VAULT_SECRET_ID="$(./ci/vlt kv_get kv "${TRON_GATEWAY_VAULT_SECRET_PATH}" secret_id)"
+  export TRON_GATEWAY_VAULT_ROLE_ID="$(./ci/vlt kv_get kv "${TRON_GATEWAY_VAULT_SECRET_PATH}" role_id)"
-if [ -z "${TRON_GATEWAY_VAULT_ROLE_ID}" ] || [ -z "${TRON_GATEWAY_VAULT_SECRET_ID}" ]; then
+  export TRON_GATEWAY_VAULT_SECRET_ID="$(./ci/vlt kv_get kv "${TRON_GATEWAY_VAULT_SECRET_PATH}" secret_id)"
-  echo "[tron-gateway-deploy] vault approle creds are empty for path ${TRON_GATEWAY_VAULT_SECRET_PATH}" >&2
+  if [ -z "${TRON_GATEWAY_VAULT_ROLE_ID}" ] || [ -z "${TRON_GATEWAY_VAULT_SECRET_ID}" ]; then
-  exit 1
+    echo "[tron-gateway-deploy] vault approle creds are empty for path ${TRON_GATEWAY_VAULT_SECRET_PATH}" >&2
+    exit 1
+  fi
 fi
 
 load_nats_env

ci/scripts/vault/deploy.sh

@@ -0,0 +1,38 @@
+#!/bin/sh
+set -eu
+
+if ! set -o pipefail 2>/dev/null; then
+  :
+fi
+
+REPO_ROOT="$(cd "$(dirname "$0")/../../.." && pwd)"
+cd "${REPO_ROOT}"
+
+. ci/scripts/common/runtime_env.sh
+
+normalize_env_file() {
+  file="$1"
+  tmp="${file}.tmp.$$"
+  tr -d '\r' <"$file" >"$tmp"
+  mv "$tmp" "$file"
+}
+
+load_env_file() {
+  file="$1"
+  while IFS= read -r line || [ -n "$line" ]; do
+    case "$line" in
+      ''|\#*) continue ;;
+    esac
+    key="${line%%=*}"
+    value="${line#*=}"
+    key="$(printf '%s' "$key" | tr -d '[:space:]')"
+    value="${value#"${value%%[![:space:]]*}"}"
+    value="${value%"${value##*[![:space:]]}"}"
+    export "$key=$value"
+  done <"$file"
+}
+
+VAULT_ENV_NAME="${VAULT_ENV:-$(resolve_runtime_env_name)}"
+load_runtime_env_bundle "${VAULT_ENV_NAME}"
+
+bash ci/prod/scripts/deploy/vault.sh

ci/vlt

@@ -3,19 +3,23 @@
 # Requires: curl, sed. Uses VAULT_ADDR, VAULT_ROLE_ID, VAULT_SECRET_ID from env.
 set -euo pipefail
 
-: "${VAULT_ADDR:?missing VAULT_ADDR}"
+VLT_VAULT_ADDR="${CI_VAULT_ADDR:-${VAULT_ADDR:-}}"
+VLT_VAULT_ROLE_ID="${CI_VAULT_ROLE_ID:-${VAULT_ROLE_ID:-}}"
+VLT_VAULT_SECRET_ID="${CI_VAULT_SECRET_ID:-${VAULT_SECRET_ID:-}}"
+
+: "${VLT_VAULT_ADDR:?missing VAULT_ADDR}"
 VAULT_TOKEN_FILE="${VAULT_TOKEN_FILE:-.vault_token}"
 
 log(){ printf '[vlt] %s\n' "$*" >&2; }
 
 login() {
-  : "${VAULT_ROLE_ID:?missing VAULT_ROLE_ID}"
+  : "${VLT_VAULT_ROLE_ID:?missing VAULT_ROLE_ID}"
-  : "${VAULT_SECRET_ID:?missing VAULT_SECRET_ID}"
+  : "${VLT_VAULT_SECRET_ID:?missing VAULT_SECRET_ID}"
   log "login approle"
   resp="$(curl -sfS -X POST -H 'Content-Type: application/json' \
     --connect-timeout 5 --max-time 20 \
-    -d "{\"role_id\":\"${VAULT_ROLE_ID}\",\"secret_id\":\"${VAULT_SECRET_ID}\"}" \
+    -d "{\"role_id\":\"${VLT_VAULT_ROLE_ID}\",\"secret_id\":\"${VLT_VAULT_SECRET_ID}\"}" \
-    "${VAULT_ADDR%/}/v1/auth/approle/login")"
+    "${VLT_VAULT_ADDR%/}/v1/auth/approle/login")"
   token="$(printf '%s' "$resp" | sed -n 's/.*"client_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')"
   [ -n "$token" ] || { echo "login failed" >&2; exit 1; }
   printf '%s' "$token" > "$VAULT_TOKEN_FILE"
@@ -34,7 +38,7 @@ ensure_token() {
 kv_get() {
   mount="$1"; path="$2"; field="$3"
   ensure_token
-  url="${VAULT_ADDR%/}/v1/${mount}/data/${path}"
+  url="${VLT_VAULT_ADDR%/}/v1/${mount}/data/${path}"
   resp="$(curl -sfS --connect-timeout 5 --max-time 20 -H "X-Vault-Token: ${VAULT_TOKEN}" "$url")"
   RESP="$resp" python3 - "$field" <<'PY'
 import json, os, sys