✨ server: add issuer to kms

[aguxez]

---

This is part 2 of 2 in a stack made with GitButler:

•  2  ✨ server: add issuer to kms #876 👈
•  1  ✨ server: add allower #839

---

Summary by CodeRabbit

• Bug Fixes

  • Removed embedded private key usage and migrated issuer account handling to a secure Key Management Service to improve security and stability.

• Chores

  • Updated environment and test configurations and adjusted account handling and signing flows to work with the KMS-backed issuer account.

[changeset-bot]

🦋 Changeset detected

Latest commit: e460a39

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@exactly/server	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

Walkthrough

Migrates issuer account handling from an embedded private key to KMS-backed retrieval and lazy issuer initialization. Removes ISSUER_PRIVATE_KEY from deployment/test/script configs, parameterizes account retrieval between "allower" and "issuer", adds an issuer helper, and makes signing use the dynamic issuer account.

Changes

Cohort / File(s)	Summary
Config & metadata .changeset/tough-beans-help.md, .do/app.yaml, server/vitest.config.mts, server/script/openapi.ts	Adds a patch changeset and removes the ISSUER_PRIVATE_KEY env from deployment, test, and script configs.
Account management & signing server/utils/accounts.ts, server/utils/panda.ts	Refactors getAccount(key) to select KMS key ("allower" | "issuer"), adds issuer() helper, makes signIssuerOp async and lazily obtain issuer via new issuer path; adjusts nonceManager attachment for allower.
Tests / Mocks server/test/mocks/accounts.ts	Adds issuer mock (uses padHex + privateKeyToAccount) to match new issuer helper.

Sequence Diagram(s)

sequenceDiagram
  participant Caller as Caller
  participant Panda as server/utils/panda.ts
  participant Accounts as server/utils/accounts.ts
  participant KMS as GCP KMS
  participant Wallet as WalletClient

  Caller->>Panda: signIssuerOp({account, amount, timestamp})
  Panda->>Panda: await getIssuer()
  Panda->>Accounts: getAccount("issuer")
  Accounts->>KMS: withRetry -> fetch private key / keyVersion
  KMS-->>Accounts: privateKey / key material
  Accounts-->>Panda: LocalAccount (cached via issuerPromise)
  Panda->>Wallet: signTypedData(using issuer account)
  Wallet-->>Panda: signature
  Panda-->>Caller: signature

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• 🔖 release: mobile@1.1.6, server@0.2.55 #707 — touches panda/account mocking and issuer handling; likely related to mock and issuer changes.
• 🚧 server: use gcp kms for allower #694 — implements GCP KMS-backed account retrieval and related helpers; strongly related to getAccount KMS changes.
• 🔖 release: server@0.2.53, mobile@1.1.5 #697 — release/version-bump PR publishing server changes including issuer/KMS account and signing updates.

Suggested reviewers

• nfmelendez
• cruzdanilo

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly references adding issuer functionality to KMS, which is directly reflected in the changeset where getAccount() now accepts a key parameter, issuer() is added as a new helper, and KMS key selection is made dynamic.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch issuer

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 4 additional findings.

[sentry]

✅ All tests passed.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security posture of the server by transitioning the management of the issuer account's private key from direct environment variable storage to Google Cloud Key Management Service (KMS). This change eliminates the risk associated with hardcoding sensitive keys, ensuring that cryptographic operations for the issuer account are performed securely within a managed hardware security module (HSM) environment. The refactoring involved updating configuration files, test mocks, and core utility functions to seamlessly integrate with the new KMS-based key retrieval mechanism.

Highlights

• Security Enhancement: Migrated the issuer account's private key management to Google Cloud Key Management Service (KMS) for enhanced security.
• Configuration Cleanup: Removed hardcoded private key storage from environment configurations and test setups across various files.
• Account Utility Refactoring: Refactored core account utility functions to support dynamic fetching of KMS-managed accounts, making the system more flexible and secure.

Changelog

• .changeset/tough-beans-help.md
  • Added a changeset entry documenting the issuer account KMS migration.
• .do/app.yaml
  • Removed the ISSUER_PRIVATE_KEY environment variable definition.
• server/script/openapi.ts
  • Removed the ISSUER_PRIVATE_KEY assignment from the OpenAPI script.
• server/test/mocks/accounts.ts
  • Updated account mocks to include padHex import and mock the issuer function for KMS-based account retrieval in tests.
• server/utils/accounts.ts
  • Modified the getAccount function to be generic for different KMS keys (allower, issuer).
  • Introduced a new issuer export function to specifically retrieve the issuer account from KMS.
  • Updated the allower function to use the generalized getAccount with nonce management.
• server/utils/panda.ts
  • Removed direct privateKeyToAccount usage.
  • Imported the new issuer utility from ./accounts.
  • Updated signIssuerOp to asynchronously fetch the issuer account from KMS before signing.
• server/vitest.config.mts
  • Removed the ISSUER_PRIVATE_KEY definition from the Vitest environment configuration.

Activity

• No human activity (comments, reviews, or progress updates) has been recorded for this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request successfully migrates the ISSUER_PRIVATE_KEY from direct environment variable storage to Google Cloud Key Management Service (KMS), significantly enhancing security. The changes involve updating environment configurations, modifying account retrieval logic to use KMS, and adjusting test setups accordingly. The implementation correctly handles the asynchronous nature of KMS operations and incorporates retry mechanisms for resilience. The getAccount function is now more flexible, supporting different account types, and the issuer account is lazily initialized and memoized, which is a good pattern for performance and resource management. Overall, the changes are well-executed and align with best practices for secure key management.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

server/test/mocks/accounts.ts (1)

19-24: ⚠️ Potential issue | 🟠 Major

Mock getAccount() too, not just issuer().

...original keeps the live KMS-backed getAccount export around. Any test that reaches getAccount("issuer") or getAccount("allower") will still execute the real GCP path even though issuer() is stubbed here.

🧪 Suggested change

 vi.mock("../../utils/accounts", async (importOriginal) => {
   const original = await importOriginal<typeof accounts>();
+  const getAccount = vi.fn((key: "allower" | "issuer") =>
+    Promise.resolve(privateKeyToAccount(padHex(key === "issuer" ? "0x420" : "0x421"))),
+  );
   return {
     ...original,
+    getAccount,
     allower: vi.fn(() => Promise.resolve({ allow: vi.fn().mockResolvedValue({}) })),
-    issuer: vi.fn(() => Promise.resolve(privateKeyToAccount(padHex("0x420")))),
+    issuer: vi.fn(() => getAccount("issuer")),

server/utils/accounts.ts (1)

346-360: ⚠️ Potential issue | 🟠 Major

Use separate KMS version config for allower and issuer.

CryptoKeyVersion numbers are scoped per CryptoKey, and different CryptoKeys in the same key ring can have different primary versions. This code uses a single GCP_KMS_KEY_VERSION for both keys, which only works while both keys happen to share the same version number. Use per-key version configuration or dynamically resolve the active version for each key.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 76280595-3431-4e06-98f0-da3eccac84b6

📥 Commits

Reviewing files that changed from the base of the PR and between 9edf934 and e460a39.

📒 Files selected for processing (7)

• .changeset/tough-beans-help.md
• .do/app.yaml
• server/script/openapi.ts
• server/test/mocks/accounts.ts
• server/utils/accounts.ts
• server/utils/panda.ts
• server/vitest.config.mts

💤 Files with no reviewable changes (3)

• server/script/openapi.ts
• server/vitest.config.mts
• .do/app.yaml