
Base allower #1054

Merged: nfmelendez merged 5 commits into parity from base-allower on May 29, 2026

@nfmelendez nfmelendez commented May 29, 2026

Summary by CodeRabbit

  • New Features

    • Integrated Google Cloud KMS for enhanced account security
    • Added account allowance system for controlled access
    • Implemented automatic account balance monitoring with asset updates
    • Push notifications now sent when account assets are updated
    • Enhanced retry mechanisms for improved transaction reliability
  • Localization

    • Added Spanish and Portuguese translations for account update messages



changeset-bot Bot commented May 29, 2026

🦋 Changeset detected

Latest commit: ff942dd

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
| Name | Type |
| --- | --- |
| @exactly/server | Patch |



coderabbitai Bot commented May 29, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7c125767-64f2-4bc8-a7ad-7ec8ac483ccb

📥 Commits

Reviewing files that changed from the base of the PR and between 04116d8 and ff942dd.

📒 Files selected for processing (14)
  • .changeset/bright-eagle-catch.md
  • .changeset/lucky-jokes-change.md
  • .do/app.yaml
  • cspell.json
  • server/hooks/persona.ts
  • server/script/openapi.ts
  • server/test/anvil.ts
  • server/test/hooks/persona.test.ts
  • server/test/mocks/keeper.ts
  • server/test/utils/gcp.test.ts
  • server/test/utils/keeper.test.ts
  • server/utils/gcp.ts
  • server/utils/keeper.ts
  • server/vitest.config.mts

Walkthrough

This PR integrates GCP KMS–backed account allowance into the persona inquiry hook, introduces asset poke logic to update on-chain account balances, and expands transaction trace retry handling. It adds credential infrastructure, HSM wallet support, and comprehensive test coverage.

Changes

GCP KMS Allowance and Account Asset Poke

| Layer / File(s) | Summary |
| --- | --- |
| GCP KMS credential initialization<br>server/utils/gcp.ts, server/test/utils/gcp.test.ts | New gcp.ts module enforces base64-encoded GCP credentials, writes them securely to /tmp/gcp-service-account.json with deduplicated promise-cached initialization, checks credential availability, and classifies KMS errors for retry logic. Tests validate secure permission handling and idempotent behavior. |
| Keeper HSM wallet and firewall allow operation<br>server/utils/keeper.ts, server/test/utils/keeper.test.ts, server/test/mocks/keeper.ts | keeper.ts adds allower() function that builds an HSM-backed wallet via GCP KMS with lazy memoization, extends it with allow(account, options?) to call the firewall contract, and broadens trace retry logic to handle ResourceNotFoundRpcError. The extender parameter type changes from PrivateKeyAccount to LocalAccount for HSM compatibility. Keeper tests validate trace transaction retry behavior; mock keeper provides allower() helper for test usage. |
| Persona account allowance and asset poke<br>server/hooks/persona.ts, server/test/hooks/persona.test.ts | Persona inquiry flow now parses account as Address, conditionally invokes allower().allow(...) with firewall error handling, and asynchronously triggers poke() to fetch on-chain assets, filter non-zero balances (excluding WETH when ETH is present), execute per-asset keeper operations with retry, and send OneSignal notifications. Test suite covers two-poke, ETH-only, retry, WETH exclusion, and zero-balance scenarios. |
| Test setup and dependency updates<br>server/test/anvil.ts, server/test/hooks/activity.test.ts, server/package.json, server/vitest.config.mts | Anvil setup grants ALLOWER_ROLE to firewall via role-pair iteration; activity retry tests add account balance setup; dependencies add @google-cloud/kms and @valora/viem-account-hsm-gcp; vitest config adds GCP environment variables for test runtime. |
| Translations, release notes, and configuration<br>server/i18n/es.json, server/i18n/pt.json, .changeset/*, cspell.json, .do/app.yaml, server/script/openapi.ts | Spanish and Portuguese translations added for "Account assets updated" and "Your funds are ready to use"; three changeset entries document trace retry, GCP KMS allower, and account poke features; spellchecker allows "valora"; DigitalOcean app config and openapi script define GCP KMS environment variables. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • exactly/exa#694: Extends the same allower via GCP KMS implementation in server/utils/keeper.ts and firewall allow wiring previously introduced in that PR.
  • exactly/exa#612: Both PRs modify the persona inquiry flow in server/hooks/persona.ts to parse account and call addCapita(...) using deriveAssociateId from pax utilities.

Suggested reviewers

  • cruzdanilo
  • dieguezguille
  • franm91
🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Base allower' directly describes the main change: adding GCP KMS-backed allower functionality for firewall-based account allowance operations. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


Comment @coderabbitai help to get the list of available commands and usage tips.
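
The credential initialization summarized in the walkthrough above (base64-only input, an owner-only file, one shared initialization promise) can be sketched as follows. This is an added example, not the project's `server/utils/gcp.ts`: every function name is hypothetical, the sample key is constructed, and the file is written under a fresh `mkdtemp` directory rather than the `/tmp/gcp-service-account.json` path named in the summary.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Constructed sample input, not a real key: base64 of a minimal service-account JSON.
const SAMPLE = Buffer.from('{"type":"service_account","project_id":"constructed-example"}').toString("base64");

// Decode and validate the base64 value; throws on anything that is not a service-account key.
function decodeCredentials(encoded: string): string {
  // Buffer.from(x, "base64") silently skips invalid characters, so check the alphabet first.
  const base64 = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;
  if (encoded === "" || !base64.test(encoded)) throw new Error("credentials must be base64");
  const json = Buffer.from(encoded, "base64").toString("utf8");
  const parsed = JSON.parse(json) as { type?: unknown } | null;
  if (parsed?.type !== "service_account") throw new Error("not a service-account key");
  return json;
}

// Write the key readable by the owner only, never through a path someone else planted.
function writeCredentials(file: string, json: string): void {
  const temporary = `${file}.${process.pid}.tmp`;
  fs.rmSync(temporary, { force: true }); // removes a stale file or the link itself, not its target
  // "wx" is O_CREAT | O_EXCL: creation fails if the path exists, so a symlink is not followed.
  fs.writeFileSync(temporary, json, { mode: 0o600, flag: "wx" });
  fs.chmodSync(temporary, 0o600); // the open() mode is filtered by umask; set it exactly
  fs.renameSync(temporary, file); // atomic swap, readers never see a partial file
}

// Hypothetical location: a fresh 0700 directory instead of a fixed name directly in /tmp.
function scratchFile(): string {
  return path.join(fs.mkdtempSync(path.join(os.tmpdir(), "gcp-")), "service-account.json");
}

let pending: Promise<string> | undefined;
// Concurrent callers share one in-flight initialization; a failure clears the cache for a retry.
function initCredentials(encoded: string, file: string): Promise<string> {
  if (!pending) {
    pending = Promise.resolve()
      .then(() => {
        writeCredentials(file, decodeCredentials(encoded));
        return file;
      })
      .catch((error: unknown) => {
        pending = undefined;
        throw error;
      });
  }
  return pending;
}
```

Clearing the cached promise on failure matters for the retry behavior: without it, one rejected initialization would be replayed to every later caller.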


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces GCP KMS integration for the firewall allower, implements an account 'poke' mechanism after KYC to update assets, and adds retry logic for transaction tracing on resource-not-found errors. The review feedback highlights a critical issue in server/hooks/persona.ts where the block-scoped variable 'id' is used in 'addCapita' before its declaration, causing a Temporal Dead Zone error; it is recommended to move 'addCapita' after 'createUser'. Additionally, a minor improvement is suggested to make the 'flatMap' return type-safe when handling transaction receipts.

Comment thread server/hooks/persona.ts Outdated
Comment thread server/hooks/persona.ts
Comment thread server/hooks/persona.ts Outdated

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 821dc07c-9cfa-4416-9fda-7531e94047f4

📥 Commits

Reviewing files that changed from the base of the PR and between c19dc69 and 04116d8.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (20)
  • .changeset/bright-eagle-catch.md
  • .changeset/lucky-jokes-change.md
  • .changeset/silly-yaks-divide.md
  • .do/app.yaml
  • cspell.json
  • server/hooks/persona.ts
  • server/i18n/es.json
  • server/i18n/pt.json
  • server/package.json
  • server/script/openapi.ts
  • server/test/anvil.ts
  • server/test/e2e.ts
  • server/test/hooks/activity.test.ts
  • server/test/hooks/persona.test.ts
  • server/test/mocks/keeper.ts
  • server/test/utils/gcp.test.ts
  • server/test/utils/keeper.test.ts
  • server/utils/gcp.ts
  • server/utils/keeper.ts
  • server/vitest.config.mts

Comment thread server/hooks/persona.ts Outdated
Comment thread server/test/e2e.ts Outdated
Comment thread server/vitest.config.mts

sentry Bot commented May 29, 2026

✅ All tests passed.

@nfmelendez nfmelendez marked this pull request as ready for review May 29, 2026 14:24
@nfmelendez nfmelendez requested a review from cruzdanilo as a code owner May 29, 2026 14:24
@nfmelendez (Contributor, Author) commented

@codex review


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ff942dd402


Comment thread server/utils/gcp.ts
@nfmelendez nfmelendez merged commit 95267c2 into parity May 29, 2026
11 of 12 checks passed
@nfmelendez nfmelendez deleted the base-allower branch May 29, 2026 14:38