matter-labs
diff --git a/‎examples/demo-app/pages/index.vue‎
Lines changed: 1 addition & 1 deletion b/‎examples/demo-app/pages/index.vue‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎examples/demo-app/scripts/deploy-msa-anvil.sh‎
Lines changed: 4 additions & 4 deletions b/‎examples/demo-app/scripts/deploy-msa-anvil.sh‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎packages/auth-server-api/.env.example‎
Lines changed: 9 additions & 1 deletion b/‎packages/auth-server-api/.env.example‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎packages/auth-server-api/src/app.ts‎
Lines changed: 4 additions & 3 deletions b/‎packages/auth-server-api/src/app.ts‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎packages/auth-server-api/src/config.ts‎
Lines changed: 57 additions & 3 deletions b/‎packages/auth-server-api/src/config.ts‎
Lines changed: 57 additions & 3 deletions
diff --git a/‎packages/auth-server-api/src/handlers/deploy-account.ts‎
Lines changed: 69 additions & 22 deletions b/‎packages/auth-server-api/src/handlers/deploy-account.ts‎
Lines changed: 69 additions & 22 deletions
diff --git a/‎packages/auth-server-api/src/index.ts‎
Lines changed: 0 additions & 1 deletion b/‎packages/auth-server-api/src/index.ts‎
Lines changed: 0 additions & 1 deletion
@@ -160,7 +160,7 @@ const sessionConfig = {
 
 const buildConnector = (mode: "regular" | "session" | "paymaster" | "session-paymaster") => {
   const baseConfig: Parameters<typeof zksyncSsoConnector>[0] = {
-    authServerUrl: "http://localhost:3002/confirm",
+    authServerUrl: "http://localhost:3003/confirm",
   };
 
   if (mode === "session" || mode === "session-paymaster") {
 
@@ -8,8 +8,8 @@ WORKSPACE_ROOT="$(cd "$SCRIPT_DIR/../../.." && pwd)"
 
 # Configuration
 DEPLOYER_ADDRESS="0xa0Ee7A142d267C1f36714E4a8F75612F20a79720"  # Anvil account #9
-RPC_URL="http://localhost:8545"
-CHAIN_ID=1337
+RPC_URL="http://localhost:5050"
+CHAIN_ID=6565
 CONTRACTS_DIR="$WORKSPACE_ROOT/packages/erc4337-contracts"
 
 echo "🚀 Deploying MSA Factory and modules to Anvil (standard EVM)..."
@@ -44,7 +44,7 @@ FACTORY=$(echo "$DEPLOY_OUTPUT" | grep "MSAFactory:" | awk '{print $2}')
 echo ""
 echo "📦 Deploying MockPaymaster..."
 cd "$CONTRACTS_DIR"
-PAYMASTER_OUTPUT=$(forge create test/mocks/MockPaymaster.sol:MockPaymaster --rpc-url "$RPC_URL" --private-key 0x2a871d0798f97d79848a013d4936a73bf4cc922c825d33c1cf7073dff6d409c6 --broadcast 2>&1)
+PAYMASTER_OUTPUT=$(forge create test/mocks/MockPaymaster.sol:MockPaymaster --rpc-url "$RPC_URL" --private-key 0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80 --broadcast 2>&1)
 echo "$PAYMASTER_OUTPUT"
 PAYMASTER=$(echo "$PAYMASTER_OUTPUT" | grep "Deployed to:" | awk '{print $3}')
 
@@ -70,14 +70,14 @@ fi
 
 echo ""
 echo "✅ Deployment complete!"
+echo "  MockPaymaster: $PAYMASTER"
 echo "  EOAKeyValidator: $EOA_VALIDATOR"
 echo "  SessionKeyValidator: $SESSION_VALIDATOR"
 echo "  WebAuthnValidator: $WEBAUTHN_VALIDATOR"
 echo "  GuardianExecutor: $GUARDIAN_EXECUTOR"
 echo "  ModularSmartAccount impl: $ACCOUNT_IMPL"
 echo "  UpgradeableBeacon: $BEACON"
 echo "  MSAFactory: $FACTORY"
-echo "  MockPaymaster: $PAYMASTER"
 
 # Create contracts-anvil.json
 echo ""
 
@@ -10,7 +10,6 @@ DEPLOYER_PRIVATE_KEY=0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf
 
 # Blockchain Configuration
 RPC_URL=http://127.0.0.1:8545
-BUNDLER_URL=http://127.0.0.1:4337
 
 # Contract Addresses (OPTIONAL - will fall back to src/contracts.json if not provided)
 # You can provide these via environment variables OR update src/contracts.json
@@ -19,3 +18,12 @@ BUNDLER_URL=http://127.0.0.1:4337
 # EOA_VALIDATOR_ADDRESS=0x...
 # WEBAUTHN_VALIDATOR_ADDRESS=0x...
 # SESSION_VALIDATOR_ADDRESS=0x...
+
+# Prividium Mode Configuration (OPTIONAL)
+# When enabled, requires user authentication via Prividium and routes deployments through Prividium RPC proxy
+# PRIVIDIUM_MODE=true
+# PRIVIDIUM_RPC_PROXY_BASE_URL=https://rpc.prividium.io
+# PRIVIDIUM_PERMISSIONS_BASE_URL=https://permissions.prividium.io
+# PRIVIDIUM_ADMIN_PRIVATE_KEY=0x...  # Private key of a user with 'admin' role in Prividium
+# PRIVIDIUM_TEMPLATE_KEY=sso-smart-account  # Template key for whitelisting deployed contracts
+# SSO_AUTH_SERVER_BASE_URL=https://sso.example.com  # Base URL of the SSO auth server frontend (used as SIWE domain for admin authorization)
@@ -1,8 +1,9 @@
 import cors from "cors";
 import express, { type NextFunction, type Request, type Response } from "express";
 
-import { env } from "./config.js";
+import { env, prividiumConfig } from "./config.js";
 import { deployAccountHandler } from "./handlers/deploy-account.js";
+import { prividiumAuthMiddleware } from "./middleware/prividium-auth.js";
 
 // Initialize Express app
 const app = express();
@@ -33,8 +34,8 @@ app.get("/api/health", (_req: Request, res: Response) => {
   res.json({ status: "ok", timestamp: new Date().toISOString() });
 });
 
-// Deploy account endpoint
-app.post("/api/deploy-account", deployAccountHandler);
+// Deploy account endpoint (with Prividium auth middleware when enabled)
+app.post("/api/deploy-account", prividiumAuthMiddleware(prividiumConfig), deployAccountHandler);
 
 // Global error handler
 // eslint-disable-next-line @typescript-eslint/no-unused-vars
 
@@ -34,11 +34,17 @@ const envSchema = z.object({
   CORS_ORIGINS: z.string().default("http://localhost:3002,http://localhost:3003,http://localhost:3004,http://localhost:3005,http://localhost:3000"),
   DEPLOYER_PRIVATE_KEY: z.string().default("0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80"),
   RPC_URL: z.string().default("http://127.0.0.1:8545"),
-  BUNDLER_URL: z.string().default("http://127.0.0.1:4337"),
   FACTORY_ADDRESS: z.string().optional(),
   EOA_VALIDATOR_ADDRESS: z.string().optional(),
   WEBAUTHN_VALIDATOR_ADDRESS: z.string().optional(),
   SESSION_VALIDATOR_ADDRESS: z.string().optional(),
+  // Prividium Mode Configuration
+  PRIVIDIUM_MODE: z.string().transform((v) => v === "true").default("false"),
+  PRIVIDIUM_PERMISSIONS_BASE_URL: z.string().optional(),
+  PRIVIDIUM_RPC_PROXY_BASE_URL: z.string().optional(),
+  PRIVIDIUM_ADMIN_PRIVATE_KEY: z.string().optional(),
+  PRIVIDIUM_TEMPLATE_KEY: z.string().optional(),
+  SSO_AUTH_SERVER_BASE_URL: z.string().optional(),
 });
 
 // Parse and validate environment variables
@@ -50,6 +56,21 @@ try {
   process.exit(1);
 }
 
+// Validate Prividium configuration when enabled
+if (env.PRIVIDIUM_MODE) {
+  const missingPrividiumVars: string[] = [];
+  if (!env.PRIVIDIUM_PERMISSIONS_BASE_URL) missingPrividiumVars.push("PRIVIDIUM_PERMISSIONS_BASE_URL");
+  if (!env.PRIVIDIUM_RPC_PROXY_BASE_URL) missingPrividiumVars.push("PRIVIDIUM_RPC_PROXY_BASE_URL");
+  if (!env.PRIVIDIUM_ADMIN_PRIVATE_KEY) missingPrividiumVars.push("PRIVIDIUM_ADMIN_PRIVATE_KEY");
+  if (!env.PRIVIDIUM_TEMPLATE_KEY) missingPrividiumVars.push("PRIVIDIUM_TEMPLATE_KEY");
+  if (!env.SSO_AUTH_SERVER_BASE_URL) missingPrividiumVars.push("SSO_AUTH_SERVER_BASE_URL");
+
+  if (missingPrividiumVars.length > 0) {
+    console.error("PRIVIDIUM_MODE is enabled but missing required configuration:", missingPrividiumVars.join(", "));
+    process.exit(1);
+  }
+}
+
 // Use env vars if provided, otherwise fall back to contracts.json
 const FACTORY_ADDRESS = env.FACTORY_ADDRESS || contractsFromFile.factory;
 const EOA_VALIDATOR_ADDRESS = env.EOA_VALIDATOR_ADDRESS || contractsFromFile.eoaValidator;
@@ -89,7 +110,21 @@ const zksyncOsTestnet = defineChain({
     },
   },
 });
-const SUPPORTED_CHAINS: Chain[] = [localhost, zksyncOsTestnet];
+const zksyncOsLocal = defineChain({
+  id: 6565,
+  name: "ZKsyncOS Local",
+  nativeCurrency: {
+    name: "Ether",
+    symbol: "ETH",
+    decimals: 18,
+  },
+  rpcUrls: {
+    default: {
+      http: ["http://localhost:5050"],
+    },
+  },
+});
+const SUPPORTED_CHAINS: Chain[] = [localhost, zksyncOsTestnet, zksyncOsLocal];
 
 function getChain(chainId: number): Chain {
   const chain = SUPPORTED_CHAINS.find((c) => c.id === chainId);
@@ -99,4 +134,23 @@ function getChain(chainId: number): Chain {
   return chain;
 }
 
-export { env, EOA_VALIDATOR_ADDRESS, FACTORY_ADDRESS, getChain, SESSION_VALIDATOR_ADDRESS, SUPPORTED_CHAINS, WEBAUTHN_VALIDATOR_ADDRESS };
+// Prividium configuration object for services
+export interface PrividiumConfig {
+  enabled: boolean;
+  permissionsApiUrl: string;
+  proxyUrl: string;
+  adminPrivateKey: string;
+  templateKey: string;
+  ssoAuthServerBaseUrl: string;
+}
+
+const prividiumConfig: PrividiumConfig = {
+  enabled: env.PRIVIDIUM_MODE,
+  permissionsApiUrl: env.PRIVIDIUM_PERMISSIONS_BASE_URL || "",
+  proxyUrl: env.PRIVIDIUM_RPC_PROXY_BASE_URL ? `${env.PRIVIDIUM_RPC_PROXY_BASE_URL}/rpc` : "",
+  adminPrivateKey: env.PRIVIDIUM_ADMIN_PRIVATE_KEY || "",
+  templateKey: env.PRIVIDIUM_TEMPLATE_KEY || "",
+  ssoAuthServerBaseUrl: env.SSO_AUTH_SERVER_BASE_URL || "",
+};
+
+export { env, EOA_VALIDATOR_ADDRESS, FACTORY_ADDRESS, getChain, prividiumConfig, SESSION_VALIDATOR_ADDRESS, SUPPORTED_CHAINS, WEBAUTHN_VALIDATOR_ADDRESS };
@@ -1,11 +1,12 @@
 import type { Request, Response } from "express";
-import { type Address, createPublicClient, createWalletClient, type Hex, http } from "viem";
+import { type Address, createPublicClient, createWalletClient, type Hex, http, parseEther } from "viem";
 import { privateKeyToAccount } from "viem/accounts";
 import { waitForTransactionReceipt } from "viem/actions";
 import { getAccountAddressFromLogs, prepareDeploySmartAccount } from "zksync-sso-4337/client";
 
-import { env, EOA_VALIDATOR_ADDRESS, FACTORY_ADDRESS, getChain, SESSION_VALIDATOR_ADDRESS, WEBAUTHN_VALIDATOR_ADDRESS } from "../config.js";
+import { env, EOA_VALIDATOR_ADDRESS, FACTORY_ADDRESS, getChain, prividiumConfig, SESSION_VALIDATOR_ADDRESS, WEBAUTHN_VALIDATOR_ADDRESS } from "../config.js";
 import { deployAccountSchema } from "../schemas.js";
+import { addAddressToUser, createProxyTransport, getAdminAuthService, whitelistContract } from "../services/prividium/index.js";
 
 type DeployAccountRequest = {
   chainId: number;
@@ -14,7 +15,6 @@ type DeployAccountRequest = {
   originDomain: string;
   userId?: string;
   eoaSigners?: Address[];
-  paymaster?: Address;
 };
 
 // Deploy account endpoint
@@ -34,25 +34,46 @@ export const deployAccountHandler = async (req: Request, res: Response): Promise
     // Get chain from request
     const chain = getChain(body.chainId);
 
+    // Get admin token if in Prividium mode (needed for RPC proxy, whitelisting, and address association)
+    let adminToken: string | undefined;
+    if (prividiumConfig.enabled && req.prividiumUser) {
+      try {
+        const adminAuth = getAdminAuthService(prividiumConfig);
+        adminToken = await adminAuth.getValidToken();
+      } catch (error) {
+        console.error("Admin authentication failed:", error);
+        res.status(500).json({
+          error: "Admin authentication failed",
+        });
+        return;
+      }
+    }
+
+    // Create transport - use Prividium proxy if enabled, otherwise direct RPC
+    const transport = prividiumConfig.enabled && adminToken
+      ? createProxyTransport(prividiumConfig.proxyUrl, adminToken)
+      : http(env.RPC_URL);
+
     // Create clients
     const publicClient = createPublicClient({
       chain,
-      transport: http(env.RPC_URL),
+      transport,
     });
 
     const deployerAccount = privateKeyToAccount(env.DEPLOYER_PRIVATE_KEY as Hex);
     const walletClient = createWalletClient({
       account: deployerAccount,
       chain,
-      transport: http(env.RPC_URL),
+      transport,
     });
 
     // Check deployer balance
     const balance = await publicClient.getBalance({ address: deployerAccount.address });
-    const minBalance = BigInt("100000000000000000"); // 0.1 ETH minimum
+    const minBalance = parseEther("0.01"); // Minimum balance required for deployment
     if (balance < minBalance) {
+      console.error(`Deployer balance too low: ${balance.toString()} < ${minBalance.toString()}`);
       res.status(500).json({
-        error: `Insufficient balance to cover deployment. Current: ${balance.toString()}, Required: ${minBalance.toString()}`,
+        error: "Deployer doesn't have enough balance to cover deployment",
       });
       return;
     }
@@ -82,17 +103,11 @@ export const deployAccountHandler = async (req: Request, res: Response): Promise
     // Send transaction
     let txHash: Hex;
     try {
-      const txParams: any = {
+      const txParams = {
         to: transaction.to,
         data: transaction.data,
       };
 
-      // Add paymaster if provided
-      if (body.paymaster) {
-        txParams.paymaster = body.paymaster;
-        txParams.paymasterInput = "0x";
-      }
-
       txHash = await walletClient.sendTransaction(txParams);
     } catch (error) {
       console.error("Transaction send failed:", error);
@@ -104,7 +119,7 @@ export const deployAccountHandler = async (req: Request, res: Response): Promise
         return;
       }
       res.status(500).json({
-        error: `Transaction failed: ${errorMessage}`,
+        error: "Internal server error",
       });
       return;
     }
@@ -119,17 +134,16 @@ export const deployAccountHandler = async (req: Request, res: Response): Promise
       });
     } catch (error) {
       console.error("Transaction receipt failed:", error);
-      const errorMessage = error instanceof Error ? error.message : "Unknown error";
       res.status(500).json({
-        error: `Transaction failed to be mined: ${errorMessage}`,
+        error: "Internal server error",
       });
       return;
     }
 
     // Check if transaction was successful
     if (receipt.status === "reverted") {
       res.status(500).json({
-        error: "Deployment reverted: Transaction execution failed",
+        error: "Deployment reverted",
       });
       return;
     }
@@ -140,22 +154,55 @@ export const deployAccountHandler = async (req: Request, res: Response): Promise
       deployedAddress = getAccountAddressFromLogs(receipt.logs);
     } catch (error) {
       console.error("Failed to extract address from logs:", error);
-      const errorMessage = error instanceof Error ? error.message : "";
       res.status(500).json({
-        error: `Deployment failed: Could not extract account address from logs. ${errorMessage}`,
+        error: "Internal server error",
       });
       return;
     }
 
     console.log("Account deployed at:", deployedAddress);
 
+    // Prividium post-deployment steps (all blocking)
+    if (prividiumConfig.enabled && req.prividiumUser && adminToken) {
+      // Step 1: Whitelist the contract with template (blocking)
+      try {
+        await whitelistContract(
+          deployedAddress,
+          prividiumConfig.templateKey,
+          adminToken,
+          prividiumConfig.permissionsApiUrl,
+        );
+      } catch (error) {
+        console.error("Failed to whitelist contract:", error);
+        res.status(500).json({
+          error: "Failed to whitelist contract",
+        });
+        return;
+      }
+
+      // Step 2: Associate address with user (blocking)
+      try {
+        await addAddressToUser(
+          req.prividiumUser.userId,
+          [deployedAddress],
+          adminToken,
+          prividiumConfig.permissionsApiUrl,
+        );
+      } catch (error) {
+        console.error("Failed to associate address with user:", error);
+        res.status(500).json({
+          error: "Failed to associate address with user",
+        });
+        return;
+      }
+    }
+
     // Return success response
     res.json({ address: deployedAddress });
   } catch (error) {
     console.error("Deployment error:", error);
-    const errorMessage = error instanceof Error ? error.message : "Unknown error";
     res.status(500).json({
-      error: `Deployment failed: ${errorMessage}`,
+      error: "Internal server error",
     });
   }
 };
@@ -11,5 +11,4 @@ app.listen(port, () => {
   console.log(`CORS origins: ${allowlist.join(", ")}`);
   console.log(`Deployer address: ${privateKeyToAccount(env.DEPLOYER_PRIVATE_KEY as Hex).address}`);
   console.log(`RPC URL: ${env.RPC_URL}`);
-  console.log(`Bundler URL: ${env.BUNDLER_URL}`);
 });