Merge pull request #8847 from BitGo/SCAAS-9316

feat(sdk-coin-canton): add CantonCommand transaction support

Author: abhijeet848

modules/sdk-coin-canton/src/canton.ts

@@ -2,6 +2,10 @@ import {
   AuditDecryptedKeyParams,
   BaseCoin,
   BitGoBase,
+  CantonCommand,
+  CantonCommandParams,
+  CantonCreateCommand,
+  CantonExerciseCommand,
   KeyPair,
   MPCAlgorithm,
   MultisigType,
@@ -10,6 +14,7 @@ import {
   ParseTransactionOptions,
   SignedTransaction,
   SignTransactionOptions,
+  TransactionParams,
   TransactionType,
   VerifyTransactionOptions,
   TransactionExplanation as BaseTransactionExplanation,
@@ -26,7 +31,8 @@ import { auditEddsaPrivateKey } from '@bitgo/sdk-lib-mpc';
 import { BaseCoin as StaticsBaseCoin, coins } from '@bitgo/statics';
 import { TransactionBuilderFactory } from './lib';
 import { KeyPair as CantonKeyPair } from './lib/keyPair';
-import { TxData } from './lib/iface';
+import { CantonCommandKind, TxData } from './lib/iface';
+import { Transaction } from './lib/transaction/transaction';
 import utils from './lib/utils';
 
 export interface TransactionExplanation extends BaseTransactionExplanation {
@@ -37,6 +43,10 @@ export interface ExplainTransactionOptions {
   txHex: string;
 }
 
+export interface CantonTransactionParams extends TransactionParams {
+  cantonCommandParams?: CantonCommandParams;
+}
+
 export class Canton extends BaseCoin {
   protected readonly _staticsCoin: Readonly<StaticsBaseCoin>;
 
@@ -118,6 +128,11 @@ export class Canton extends BaseCoin {
       case TransactionType.CosignDelegationProposal:
         // There is no input for these type of transactions, so always return true.
         return true;
+      case TransactionType.CantonCommand:
+        return this.verifyCantonCommandTransaction(
+          transaction,
+          (txParams as CantonTransactionParams).cantonCommandParams
+        );
       case TransactionType.OneStepPreApproval:
         // Canton is always a TSS wallet. The SDK's buildTokenEnablements passes enableTokens
         // through unchanged for TSS wallets (no conversion to recipients), so txParams.enableTokens
@@ -184,6 +199,149 @@ export class Canton extends BaseCoin {
     }
   }
 
+  private verifyCantonCommandTransaction(
+    transaction: BaseTransaction,
+    userParams: CantonCommandParams | undefined
+  ): boolean {
+    if (!userParams) {
+      return true;
+    }
+
+    const cantonTx = transaction as Transaction;
+    const rawPrepared = cantonTx.prepareCommand?.preparedTransaction;
+    if (!rawPrepared) {
+      throw new Error('CantonCommand verifyTransaction: missing preparedTransaction protobuf on tx prebuild');
+    }
+
+    const decodedCommand = utils.extractCantonCommandInfo(rawPrepared);
+    const userCommand = userParams.command as Partial<CantonCommand>;
+
+    // Input shape is enforced by mpcUtils at build time; here we resolve which branch is present.
+    const hasCreate = 'CreateCommand' in userCommand && utils.isPlainObject(userCommand.CreateCommand);
+    const hasExercise = 'ExerciseCommand' in userCommand && utils.isPlainObject(userCommand.ExerciseCommand);
+    if (!hasCreate && !hasExercise) {
+      throw new Error(
+        `CantonCommand verifyTransaction: command must contain a CreateCommand or ExerciseCommand wrapper`
+      );
+    }
+    if (hasCreate && hasExercise) {
+      throw new Error(
+        `CantonCommand verifyTransaction: command must contain exactly one of CreateCommand or ExerciseCommand, not both`
+      );
+    }
+    const userKind: CantonCommandKind = hasCreate ? 'CreateCommand' : 'ExerciseCommand';
+    if (decodedCommand.kind !== userKind) {
+      throw new Error(
+        `CantonCommand verifyTransaction: command kind mismatch — expected ${userKind}, got ${decodedCommand.kind}`
+      );
+    }
+
+    const userInner =
+      userKind === 'CreateCommand'
+        ? (userCommand as CantonCreateCommand).CreateCommand
+        : (userCommand as CantonExerciseCommand).ExerciseCommand;
+
+    if (!userInner?.templateId) {
+      throw new Error(`CantonCommand verifyTransaction: ${userKind}.templateId must be a non-empty string`);
+    }
+
+    // templateId (moduleName + entityName; package id is mutable, so ignored)
+    const parsed = utils.parseCantonTemplateId(userInner.templateId);
+    if (!parsed) {
+      throw new Error(
+        `CantonCommand verifyTransaction: invalid user templateId '${userInner.templateId}' — expected format 'Pkg:Module:Entity'`
+      );
+    }
+    if (
+      decodedCommand.templateId.moduleName !== parsed.moduleName ||
+      decodedCommand.templateId.entityName !== parsed.entityName
+    ) {
+      throw new Error(
+        `CantonCommand verifyTransaction: templateId mismatch — expected '${parsed.moduleName}:${parsed.entityName}', got '${decodedCommand.templateId.moduleName}:${decodedCommand.templateId.entityName}'`
+      );
+    }
+
+    // Build the inject-as skip set once for use across the contractId and argument checks
+    const skipPaths = utils.normalizeInjectAs(userParams.resolveContracts);
+
+    // metadata.submitterInfo.actAs must contain exactly the same parties as the user's actAs
+    if (!Array.isArray(userParams.actAs) || userParams.actAs.length === 0) {
+      throw new Error(`CantonCommand verifyTransaction: actAs must be a non-empty array of party IDs`);
+    }
+    if (!userParams.actAs.every((p) => typeof p === 'string' && p.trim() !== '')) {
+      throw new Error(`CantonCommand verifyTransaction: all actAs entries must be non-empty strings`);
+    }
+    const submitterActAs = cantonTx.cantonCommandActAsParties ?? [];
+    if (!utils.sameElements(submitterActAs, userParams.actAs)) {
+      throw new Error(
+        `CantonCommand verifyTransaction: submitterInfo.actAs [${submitterActAs.join(
+          ', '
+        )}] does not match user actAs [${userParams.actAs.join(', ')}]`
+      );
+    }
+
+    if (userKind === 'ExerciseCommand') {
+      const exerciseInner = userInner as CantonExerciseCommand['ExerciseCommand'];
+
+      // choice id
+      if (decodedCommand.choice !== exerciseInner.choice) {
+        throw new Error(
+          `CantonCommand verifyTransaction: choice mismatch — expected '${exerciseInner.choice}', got '${
+            decodedCommand.choice ?? ''
+          }'`
+        );
+      }
+
+      // every on-chain actingParty must be in the user's actAs (prevents privilege escalation)
+      const onChainActors = decodedCommand.actingParties ?? [];
+      for (const actor of onChainActors) {
+        if (!userParams.actAs.includes(actor)) {
+          throw new Error(
+            `CantonCommand verifyTransaction: unauthorized acting party '${actor}' on root exercise (not in user actAs)`
+          );
+        }
+      }
+
+      // contractId — skip when absent/empty or when IMS will inject it via resolveContracts
+      if (
+        exerciseInner.contractId !== undefined &&
+        exerciseInner.contractId !== '' &&
+        !skipPaths.has('ExerciseCommand.contractId')
+      ) {
+        if (decodedCommand.contractId !== exerciseInner.contractId) {
+          throw new Error(
+            `CantonCommand verifyTransaction: contractId mismatch — expected '${exerciseInner.contractId}', got '${
+              decodedCommand.contractId ?? ''
+            }'`
+          );
+        }
+      }
+
+      // deep argument compare
+      const argumentSkipPaths = this.relativeSkipPaths(skipPaths, 'ExerciseCommand.choiceArgument.');
+      utils.assertDeepCantonMatch(exerciseInner.choiceArgument, decodedCommand.argument, argumentSkipPaths);
+    } else {
+      const createInner = userInner as CantonCreateCommand['CreateCommand'];
+
+      // deep argument compare
+      const argumentSkipPaths = this.relativeSkipPaths(skipPaths, 'CreateCommand.createArguments.');
+      utils.assertDeepCantonMatch(createInner.createArguments, decodedCommand.argument, argumentSkipPaths);
+    }
+
+    return true;
+  }
+
+  private relativeSkipPaths(skipPaths: Set<string>, prefix: string): Set<string> {
+    const out = new Set<string>();
+    for (const p of skipPaths) {
+      if (p.startsWith(prefix)) {
+        const stripped = p.slice(prefix.length);
+        if (stripped) out.add(stripped);
+      }
+    }
+    return out;
+  }
+
   /** @inheritDoc */
   async isWalletAddress(params: TssVerifyAddressOptions): Promise<boolean> {
     // TODO: refactor this and use the `verifyEddsaMemoBasedWalletAddress` once published from sdk-core
@@ -287,5 +445,8 @@ export class Canton extends BaseCoin {
     if (params.unspents) {
       intent.unspents = params.unspents;
     }
+    if (params.cantonCommandParams) {
+      intent.cantonCommandParams = params.cantonCommandParams;
+    }
   }
 }

modules/sdk-coin-canton/src/lib/cantonCommandBuilder.ts

@@ -0,0 +1,171 @@
+import {
+  InvalidTransactionError,
+  PublicKey,
+  TransactionType,
+  CantonCommand,
+  CantonCommandResolveContractSpec,
+} from '@bitgo/sdk-core';
+import { BaseCoin as CoinConfig } from '@bitgo/statics';
+import { CANTON_COMMAND_KEYS, CantonCommandRequest, CantonPrepareCommandResponse } from './iface';
+import { TransactionBuilder } from './transactionBuilder';
+import { Transaction } from './transaction/transaction';
+import utils from './utils';
+
+export class CantonCommandBuilder extends TransactionBuilder {
+  private _commandId: string;
+  private _actAs: string[] = [];
+  private _readAs: string[] = [];
+  private _command: CantonCommand;
+  private _resolveContracts: CantonCommandResolveContractSpec[] = [];
+
+  constructor(_coinConfig: Readonly<CoinConfig>) {
+    super(_coinConfig);
+  }
+
+  initBuilder(tx: Transaction): void {
+    super.initBuilder(tx);
+    this.setTransactionType();
+    try {
+      this._commandId = tx.id;
+    } catch {
+      // tx.id throws when not set — leave _commandId uninitialized
+    }
+    const parties = tx.cantonCommandActAsParties;
+    if (parties.length > 0) {
+      this._actAs = parties;
+    }
+  }
+
+  get transactionType(): TransactionType {
+    return TransactionType.CantonCommand;
+  }
+
+  setTransactionType(): void {
+    this.transaction.transactionType = TransactionType.CantonCommand;
+  }
+
+  setTransaction(transaction: CantonPrepareCommandResponse): void {
+    this.transaction.prepareCommand = transaction;
+  }
+
+  /** @inheritDoc */
+  addSignature(publicKey: PublicKey, signature: Buffer): void {
+    if (!this.transaction) {
+      throw new InvalidTransactionError('transaction is empty!');
+    }
+    this._signatures.push({ publicKey, signature });
+    const pubKeyBase64 = utils.getBase64FromHex(publicKey.pub);
+    this.transaction.signerFingerprint = utils.getAddressFromPublicKey(pubKeyBase64);
+    this.transaction.signatures = signature.toString('base64');
+  }
+
+  /**
+   * Sets the unique command id. Also sets the transaction _id.
+   *
+   * @param id - A uuid
+   * @returns The current builder instance for chaining.
+   */
+  commandId(id: string): this {
+    if (!id || !id.trim()) {
+      throw new Error('commandId must be a non-empty string');
+    }
+    this._commandId = id.trim();
+    this.transaction.id = id.trim();
+    return this;
+  }
+
+  /**
+   * Sets the parties that will act in the DAML submission.
+   *
+   * @param parties - Non-empty array of fully-qualified party ids
+   * @returns The current builder instance for chaining.
+   */
+  actAs(parties: string[]): this {
+    if (!parties || parties.length === 0) {
+      throw new Error('actAs must be a non-empty array');
+    }
+    const normalizedParties = parties.map((p) => p.trim());
+    if (normalizedParties.some((p) => !p)) {
+      throw new Error('actAs parties must be non-empty strings');
+    }
+    this._actAs = normalizedParties;
+    this.transaction.cantonCommandActAs = normalizedParties;
+    return this;
+  }
+
+  /**
+   * Sets the read-only parties for the DAML submission.
+   *
+   * @param parties - Array of fully-qualified party ids
+   * @returns The current builder instance for chaining.
+   */
+  readAs(parties?: string[] | null): this {
+    if (parties && parties.length > 0) {
+      const normalized = parties.map((p) => p.trim());
+      if (normalized.some((p) => !p)) {
+        throw new Error('readAs parties must be non-empty strings');
+      }
+      this._readAs = normalized;
+    } else {
+      this._readAs = [];
+    }
+    return this;
+  }
+
+  /**
+   * Sets the opaque DAML command object (CreateCommand or ExerciseCommand).
+   *
+   * @param command - The raw DAML command as a plain object
+   * @returns The current builder instance for chaining.
+   */
+  command(command: CantonCommand): this {
+    if (!command || typeof command !== 'object' || Array.isArray(command)) {
+      throw new Error('command must be a plain object');
+    }
+    this._command = command;
+    return this;
+  }
+
+  /**
+   * Sets the list of ACS contract resolution specs that IMS will resolve before prepare.
+   *
+   * @param specs - Array of CantonCommandResolveContractSpec
+   * @returns The current builder instance for chaining.
+   */
+  resolveContracts(specs?: CantonCommandResolveContractSpec[] | null): this {
+    this._resolveContracts = specs ?? [];
+    return this;
+  }
+
+  /**
+   * Builds and returns the CantonCommandRequest from the builder's internal state.
+   *
+   * @returns {CantonCommandRequest}
+   * @throws {Error} If any required field is missing.
+   */
+  toRequestObject(): CantonCommandRequest {
+    this.validate();
+
+    return {
+      commandId: this._commandId,
+      actAs: this._actAs,
+      readAs: this._readAs ?? [],
+      command: this._command,
+      resolveContracts: this._resolveContracts ?? [],
+    };
+  }
+
+  private validate(): void {
+    if (!this._commandId) throw new Error('commandId is missing');
+    if (!this._actAs || this._actAs.length === 0) throw new Error('actAs is missing');
+    if (!this._command) throw new Error('command is missing');
+    const activeKeys = CANTON_COMMAND_KEYS.filter((key) =>
+      utils.isPlainObject(this._command[key as keyof CantonCommand])
+    );
+    if (activeKeys.length !== 1) {
+      throw new Error(
+        `command must contain exactly one of: ${CANTON_COMMAND_KEYS.join(', ')} as a non-null plain object`
+      );
+    }
+  }
+}