The latest articles on DEV Community by Akanji Rahman (@akanji_rahman_45ea46f9a7a). https://dev.to/akanji_rahman_45ea46f9a7a https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3880035%2F9dd14048-0e84-458f-a056-506b24a6ad80.png https://dev.to/akanji_rahman_45ea46f9a7a en Akanji Rahman Sat, 09 May 2026 21:09:47 +0000 https://dev.to/akanji_rahman_45ea46f9a7a/dust-sponsorship-how-one-wallet-pays-fees-for-another-users-transaction-4e45 https://dev.to/akanji_rahman_45ea46f9a7a/dust-sponsorship-how-one-wallet-pays-fees-for-another-users-transaction-4e45 <h1> DUST sponsorship: How one wallet pays fees for another user's transaction </h1> <p>Every transaction on Midnight consumes DUST. New users start with a DUST balance of zero, which creates a problem; how can they submit transactions if they cannot pay fees, especially the transactions needed to acquire NIGHT tokens in the first place?</p> <p>DUST sponsorship solves this. A sponsor (typically a backend wallet) that already holds NIGHT tokens and has accumulated DUST covers the fee portion of another user's transaction. The user's keys sign the user's assets; the sponsor's keys sign only the DUST portion. The two halves are joined into one valid, on-chain transaction.</p> <p>This tutorial walks through the complete sponsorship flow:</p> <ul> <li>How <code>tokenKindsToBalance</code> splits fee responsibility between the user and the sponsor</li> <li>A full sponsor service implementation</li> <li>How DUST regenerates and depletes</li> </ul> <h2> Before you begin </h2> <p>Make sure you are comfortable with the following:</p> <ul> <li> <strong>Midnight dev setup</strong>: You know how to set it up and use its basic features. <a href="https://docs.midnight.network/getting-started/installation" rel="noopener noreferrer">View the Midnight developer tutorial</a>.</li> <li> <strong>TypeScript</strong>: You understand types, functions, and async operations.</li> <li> <strong>DUST and NIGHT</strong>: You understand the basic roles of DUST and NIGHT in Midnight transactions and network operations. <a href="https://docs.midnight.network/concepts/how-midnight-works/midnight-combined-model" rel="noopener noreferrer">Read the DUST and NIGHT overview</a>.</li> </ul> <h2> Understanding DUST </h2> <p>A common mistake is treating DUST as a token. You cannot buy it on an exchange or send it between addresses. DUST is a shielded resource that:</p> <ul> <li>Accumulates continuously while you hold NIGHT tokens</li> <li>Gets consumed each time you submit a transaction that requires fees</li> <li>Decays over approximately one week if you move your NIGHT tokens away</li> <li>Cannot be transferred directly from one address to another. The sponsorship flow described in this tutorial is the only mechanism to pay fees on behalf of another wallet</li> </ul> <p>The key parameters on the Preview network are:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Parameter</th> <th>Value</th> <th>What it means</th> </tr> </thead> <tbody> <tr> <td><code>night_dust_ratio</code></td> <td>5,000,000,000</td> <td>Maximum of 5 DUST per NIGHT held</td> </tr> <tr> <td><code>generation_decay_rate</code></td> <td>8,267</td> <td>Approximately one week to generate from zero to maximum, or decay from maximum to zero</td> </tr> <tr> <td><code>dust_grace_period</code></td> <td>3 hours</td> <td>Timestamp tolerance window that allows back-dated DUST spends within 3 hours of the current block time</td> </tr> </tbody> </table></div> <p>Each wallet has three distinct addresses: a shielded address, an unshielded address, and a DUST address. The DUST address starts empty. Transactions cannot proceed until DUST is present or a sponsor covers the fees.</p> <h2> How sponsorship works </h2> <p>Sponsorship splits the transaction balancing process into two scoped operations:</p> <ol> <li>The user balances their own shielded and unshielded token inputs, explicitly excluding DUST.</li> <li>The sponsor takes the user's partially balanced transaction and adds DUST fees from their own DUST balance.</li> </ol> <p>The sponsor then submits the fully balanced transaction to the network. The <code>tokenKindsToBalance</code> parameter makes this split possible: it controls which resource type each party handles.</p> <h2> The user balances without DUST </h2> <p>Call <code>balanceUnboundTransaction</code> on the user's wallet, excluding <code>'dust'</code> from <code>tokenKindsToBalance</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// user-side.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">WalletFacade</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@midnight-ntwrk/wallet-sdk-facade</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">UnboundTransaction</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@midnight-ntwrk/ledger-v8</span><span class="dl">"</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">prepareUserTransaction</span><span class="p">(</span> <span class="nx">userWallet</span><span class="p">:</span> <span class="nx">WalletFacade</span><span class="p">,</span> <span class="nx">transaction</span><span class="p">:</span> <span class="nx">UnboundTransaction</span><span class="p">,</span> <span class="c1">// built from your contract call or transfer intent</span> <span class="nx">userShieldedKeys</span><span class="p">:</span> <span class="nb">Uint8Array</span><span class="p">[],</span> <span class="nx">userDustKey</span><span class="p">:</span> <span class="nb">Uint8Array</span><span class="p">,</span> <span class="nx">userKeystore</span><span class="p">:</span> <span class="p">{</span> <span class="nl">signData</span><span class="p">:</span> <span class="p">(</span><span class="nx">payload</span><span class="p">:</span> <span class="nb">Uint8Array</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nb">Uint8Array</span><span class="o">&gt;</span> <span class="p">}</span> <span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">userRecipe</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">userWallet</span><span class="p">.</span><span class="nf">balanceUnboundTransaction</span><span class="p">(</span> <span class="nx">transaction</span><span class="p">,</span> <span class="p">{</span> <span class="na">shieldedSecretKeys</span><span class="p">:</span> <span class="nx">userShieldedKeys</span><span class="p">,</span> <span class="na">dustSecretKey</span><span class="p">:</span> <span class="nx">userDustKey</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">ttl</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">+</span> <span class="mi">30</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">),</span> <span class="c1">// 30-minute TTL</span> <span class="na">tokenKindsToBalance</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">shielded</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">unshielded</span><span class="dl">"</span><span class="p">],</span> <span class="c1">// 'dust' deliberately omitted</span> <span class="p">}</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">userSigned</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">userWallet</span><span class="p">.</span><span class="nf">signRecipe</span><span class="p">(</span><span class="nx">userRecipe</span><span class="p">,</span> <span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">userKeystore</span><span class="p">.</span><span class="nf">signData</span><span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="p">);</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">userWallet</span><span class="p">.</span><span class="nf">finalizeRecipe</span><span class="p">(</span><span class="nx">userSigned</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The SDK processes shielded and unshielded inputs but leaves the fee slot unpopulated (this is intentional). <code>signRecipe</code> and <code>finalizeRecipe</code> seal the user's cryptographic commitments into a serialisable object. Once sealed, neither the sponsor nor any other party can alter the asset portion without invalidating those commitments. The 30-minute TTL applies to the entire flow: if the sponsor does not submit within that window, the network rejects the transaction. Pass the return value of <code>finalizeRecipe</code> to your sponsor service as the <code>userFinalized</code> payload.</p> <p><strong>Note:</strong> You still need to pass <code>dustSecretKey</code> even though <code>'dust'</code> is excluded from <code>tokenKindsToBalance</code>. The SDK requires it for internal bookkeeping and fee estimation. Excluding <code>'dust'</code> from <code>tokenKindsToBalance</code> prevents it from attempting to draw from an empty balance.</p> <h2> The sponsor adds DUST fees </h2> <p>Call <code>balanceFinalizedTransaction</code> on the sponsor's wallet, restricting <code>tokenKindsToBalance</code> to <code>['dust']</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// sponsor-side.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">WalletFacade</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@midnight-ntwrk/wallet-sdk-facade</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">FinalizedTransaction</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@midnight-ntwrk/ledger-v8</span><span class="dl">"</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">sponsorTransaction</span><span class="p">(</span> <span class="nx">sponsorWallet</span><span class="p">:</span> <span class="nx">WalletFacade</span><span class="p">,</span> <span class="nx">sponsorShieldedKeys</span><span class="p">:</span> <span class="nb">Uint8Array</span><span class="p">[],</span> <span class="nx">sponsorDustKey</span><span class="p">:</span> <span class="nb">Uint8Array</span><span class="p">,</span> <span class="nx">sponsorKeystore</span><span class="p">:</span> <span class="p">{</span> <span class="nl">signData</span><span class="p">:</span> <span class="p">(</span><span class="nx">payload</span><span class="p">:</span> <span class="nb">Uint8Array</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nb">Uint8Array</span><span class="o">&gt;</span> <span class="p">},</span> <span class="nx">userFinalized</span><span class="p">:</span> <span class="nx">FinalizedTransaction</span> <span class="c1">// received from the user via API</span> <span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">sponsorRecipe</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">sponsorWallet</span><span class="p">.</span><span class="nf">balanceFinalizedTransaction</span><span class="p">(</span> <span class="nx">userFinalized</span><span class="p">,</span> <span class="p">{</span> <span class="na">shieldedSecretKeys</span><span class="p">:</span> <span class="nx">sponsorShieldedKeys</span><span class="p">,</span> <span class="na">dustSecretKey</span><span class="p">:</span> <span class="nx">sponsorDustKey</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">ttl</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">+</span> <span class="mi">30</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">),</span> <span class="na">tokenKindsToBalance</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">dust</span><span class="dl">"</span><span class="p">],</span> <span class="c1">// sponsor handles DUST only</span> <span class="p">}</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">sponsorSigned</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">sponsorWallet</span><span class="p">.</span><span class="nf">signRecipe</span><span class="p">(</span> <span class="nx">sponsorRecipe</span><span class="p">,</span> <span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">sponsorKeystore</span><span class="p">.</span><span class="nf">signData</span><span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">sponsorFinalized</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">sponsorWallet</span><span class="p">.</span><span class="nf">finalizeRecipe</span><span class="p">(</span><span class="nx">sponsorSigned</span><span class="p">);</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">sponsorWallet</span><span class="p">.</span><span class="nf">submitTransaction</span><span class="p">(</span><span class="nx">sponsorFinalized</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><code>balanceFinalizedTransaction</code> receives a transaction that already carries the user's zero-knowledge proofs and asset commitments; it adds DUST inputs on top without touching the existing proof data. Restricting <code>tokenKindsToBalance</code> to <code>['dust']</code> is not optional; including <code>'shielded'</code> or <code>'unshielded'</code> would attempt to re-balance inputs the user already committed, causing a double-spending error. The <code>signRecipe</code> → <code>finalizeRecipe</code> → <code>submitTransaction</code> chain seals the sponsor's DUST contribution and broadcasts the transaction as a single atomic operation. The network sees one transaction, not two.</p> <h2> How sponsorship preserves proof identity </h2> <p>A common concern is whether the sponsor's key ends up attached to the user's transaction. It does not.</p> <p>Each party generates zero-knowledge proofs only for their own part of the transaction. The user's proofs are generated locally, using the user's own keys, before <code>userFinalized</code> leaves the client. By the time the sponsor receives it, those proofs are cryptographically sealed: <code>signRecipe</code> and <code>finalizeRecipe</code> lock the user's asset commitments so that no third party can alter or re-sign them without invalidating the entire proof. The sponsor generates a separate proof covering only the DUST spend, signed with the sponsor's own key.</p> <p>If your Compact smart contract calls <code>ownPublicKey()</code>; a circuit witness function that returns the public key of whoever is running the proof locally, it will always resolve to the user's key, not the sponsor's. The sponsor never touches the user's circuit execution. The final on-chain transaction carries two distinct cryptographic domains: the user's asset proofs attributed to the user's key, and the sponsor's DUST proof attributed to the sponsor's key. Privacy is preserved for both parties.</p> <h2> Full sponsor service implementation </h2> <p>Wire the wallet lifecycle, the sponsorship endpoint, rate limiting, and DUST monitoring into a single Express application.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// sponsor-service.ts</span> <span class="k">import</span> <span class="nx">express</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">express</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">bip39</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">bip39</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ledger</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@midnight-ntwrk/ledger-v8</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">WalletFacade</span><span class="p">,</span> <span class="kd">type</span> <span class="nx">DefaultConfiguration</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@midnight-ntwrk/wallet-sdk-facade</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ShieldedWallet</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@midnight-ntwrk/wallet-sdk-shielded</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">DustWallet</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@midnight-ntwrk/wallet-sdk-dust-wallet</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">UnshieldedWallet</span><span class="p">,</span> <span class="nx">createKeystore</span><span class="p">,</span> <span class="nx">PublicKey</span><span class="p">,</span> <span class="nx">InMemoryTransactionHistoryStorage</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@midnight-ntwrk/wallet-sdk-unshielded-wallet</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">HDWallet</span><span class="p">,</span> <span class="nx">Roles</span><span class="p">,</span> <span class="kd">type</span> <span class="nx">AccountKey</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@midnight-ntwrk/wallet-sdk-hd</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Buffer</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">buffer</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">limit</span><span class="p">:</span> <span class="dl">"</span><span class="s2">2mb</span><span class="dl">"</span> <span class="p">}));</span> <span class="kd">let</span> <span class="nx">sponsorWallet</span><span class="p">:</span> <span class="nx">WalletFacade</span> <span class="o">|</span> <span class="kc">null</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">sponsorShieldedKeys</span><span class="p">:</span> <span class="nb">Uint8Array</span><span class="p">[]</span> <span class="o">=</span> <span class="p">[];</span> <span class="kd">let</span> <span class="nx">sponsorDustKey</span><span class="p">:</span> <span class="nb">Uint8Array</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">sponsorKeystore</span><span class="p">:</span> <span class="p">{</span> <span class="nl">signData</span><span class="p">:</span> <span class="p">(</span><span class="nx">payload</span><span class="p">:</span> <span class="nb">Uint8Array</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nb">Uint8Array</span><span class="o">&gt;</span><span class="p">;</span> <span class="p">};</span> <span class="kd">function</span> <span class="nf">deriveRoleKey</span><span class="p">(</span> <span class="nx">accountKey</span><span class="p">:</span> <span class="nx">AccountKey</span><span class="p">,</span> <span class="nx">role</span><span class="p">:</span> <span class="kr">number</span><span class="p">,</span> <span class="nx">index</span> <span class="o">=</span> <span class="mi">0</span> <span class="p">):</span> <span class="nx">Buffer</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nx">accountKey</span><span class="p">.</span><span class="nf">selectRole</span><span class="p">(</span><span class="nx">role</span><span class="p">).</span><span class="nf">deriveKeyAt</span><span class="p">(</span><span class="nx">index</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="kd">type</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">keyDerived</span><span class="dl">"</span><span class="p">)</span> <span class="k">return</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">key</span><span class="p">);</span> <span class="k">return</span> <span class="nf">deriveRoleKey</span><span class="p">(</span><span class="nx">accountKey</span><span class="p">,</span> <span class="nx">role</span><span class="p">,</span> <span class="nx">index</span> <span class="o">+</span> <span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">initSponsorWallet</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">seedPhrase</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SPONSOR_SEED_PHRASE</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">seedPhrase</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">SPONSOR_SEED_PHRASE is required</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">networkId</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NETWORK_ID</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">preview</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">rpcUrl</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">RPC_URL</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">wss://rpc.midnight.network</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">indexerUrl</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">INDEXER_URL</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">https://indexer.midnight.network</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">proofServerUrl</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">PROOF_SERVER_URL</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">http://localhost:6300</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">seed</span> <span class="o">=</span> <span class="nx">bip39</span><span class="p">.</span><span class="nf">mnemonicToSeedSync</span><span class="p">(</span><span class="nx">seedPhrase</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">hdWallet</span> <span class="o">=</span> <span class="nx">HDWallet</span><span class="p">.</span><span class="nf">fromSeed</span><span class="p">(</span><span class="nx">seed</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">hdWallet</span><span class="p">.</span><span class="kd">type</span> <span class="o">!==</span> <span class="dl">"</span><span class="s2">seedOk</span><span class="dl">"</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Failed to derive keys from seed phrase</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">account</span> <span class="o">=</span> <span class="nx">hdWallet</span><span class="p">.</span><span class="nx">hdWallet</span><span class="p">.</span><span class="nf">selectAccount</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">shieldedSeed</span> <span class="o">=</span> <span class="nf">deriveRoleKey</span><span class="p">(</span><span class="nx">account</span><span class="p">,</span> <span class="nx">Roles</span><span class="p">.</span><span class="nx">Zswap</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">dustSeed</span> <span class="o">=</span> <span class="nf">deriveRoleKey</span><span class="p">(</span><span class="nx">account</span><span class="p">,</span> <span class="nx">Roles</span><span class="p">.</span><span class="nx">Dust</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">unshieldedKey</span> <span class="o">=</span> <span class="nf">deriveRoleKey</span><span class="p">(</span><span class="nx">account</span><span class="p">,</span> <span class="nx">Roles</span><span class="p">.</span><span class="nx">NightExternal</span><span class="p">);</span> <span class="nx">hdWallet</span><span class="p">.</span><span class="nx">hdWallet</span><span class="p">.</span><span class="nf">clear</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">shieldedKeys</span> <span class="o">=</span> <span class="nx">ledger</span><span class="p">.</span><span class="nx">ZswapSecretKeys</span><span class="p">.</span><span class="nf">fromSeed</span><span class="p">(</span><span class="nx">shieldedSeed</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">dustKey</span> <span class="o">=</span> <span class="nx">ledger</span><span class="p">.</span><span class="nx">DustSecretKey</span><span class="p">.</span><span class="nf">fromSeed</span><span class="p">(</span><span class="nx">dustSeed</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">unshieldedKeystore</span> <span class="o">=</span> <span class="nf">createKeystore</span><span class="p">(</span><span class="nx">unshieldedKey</span><span class="p">,</span> <span class="nx">networkId</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">configuration</span><span class="p">:</span> <span class="nx">DefaultConfiguration</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">networkId</span><span class="p">,</span> <span class="na">costParameters</span><span class="p">:</span> <span class="p">{</span> <span class="na">feeBlocksMargin</span><span class="p">:</span> <span class="mi">5</span> <span class="p">},</span> <span class="na">relayURL</span><span class="p">:</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="nx">rpcUrl</span><span class="p">),</span> <span class="na">provingServerUrl</span><span class="p">:</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="nx">proofServerUrl</span><span class="p">),</span> <span class="na">indexerClientConnection</span><span class="p">:</span> <span class="p">{</span> <span class="na">indexerHttpUrl</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">indexerUrl</span><span class="p">}</span><span class="s2">/api/v4/graphql`</span><span class="p">,</span> <span class="na">indexerWsUrl</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">indexerUrl</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span> <span class="dl">"</span><span class="s2">https://</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">wss://</span><span class="dl">"</span> <span class="p">)}</span><span class="s2">/api/v4/graphql/ws`</span><span class="p">,</span> <span class="p">},</span> <span class="na">txHistoryStorage</span><span class="p">:</span> <span class="k">new</span> <span class="nc">InMemoryTransactionHistoryStorage</span><span class="p">(),</span> <span class="p">};</span> <span class="nx">sponsorWallet</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">WalletFacade</span><span class="p">.</span><span class="nf">init</span><span class="p">({</span> <span class="nx">configuration</span><span class="p">,</span> <span class="na">shielded</span><span class="p">:</span> <span class="p">(</span><span class="nx">config</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nc">ShieldedWallet</span><span class="p">(</span><span class="nx">config</span><span class="p">).</span><span class="nf">startWithSecretKeys</span><span class="p">(</span><span class="nx">shieldedKeys</span><span class="p">),</span> <span class="na">unshielded</span><span class="p">:</span> <span class="p">(</span><span class="nx">config</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nc">UnshieldedWallet</span><span class="p">(</span><span class="nx">config</span><span class="p">).</span><span class="nf">startWithPublicKey</span><span class="p">(</span> <span class="nx">PublicKey</span><span class="p">.</span><span class="nf">fromKeyStore</span><span class="p">(</span><span class="nx">unshieldedKeystore</span><span class="p">)</span> <span class="p">),</span> <span class="na">dust</span><span class="p">:</span> <span class="p">(</span><span class="nx">config</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nc">DustWallet</span><span class="p">(</span><span class="nx">config</span><span class="p">).</span><span class="nf">startWithSecretKey</span><span class="p">(</span> <span class="nx">dustKey</span><span class="p">,</span> <span class="nx">ledger</span><span class="p">.</span><span class="nx">LedgerParameters</span><span class="p">.</span><span class="nf">initialParameters</span><span class="p">().</span><span class="nx">dust</span> <span class="p">),</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">sponsorWallet</span><span class="p">.</span><span class="nf">start</span><span class="p">(</span><span class="nx">shieldedKeys</span><span class="p">,</span> <span class="nx">dustKey</span><span class="p">);</span> <span class="nx">sponsorShieldedKeys</span> <span class="o">=</span> <span class="nx">shieldedKeys</span> <span class="k">as</span> <span class="nx">unknown</span> <span class="k">as</span> <span class="nb">Uint8Array</span><span class="p">[];</span> <span class="nx">sponsorDustKey</span> <span class="o">=</span> <span class="nx">dustKey</span> <span class="k">as</span> <span class="nx">unknown</span> <span class="k">as</span> <span class="nb">Uint8Array</span><span class="p">;</span> <span class="nx">sponsorKeystore</span> <span class="o">=</span> <span class="nx">unshieldedKeystore</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">state</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">sponsorWallet</span><span class="p">.</span><span class="nf">waitForSyncedState</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Sponsor wallet initialized</span><span class="dl">"</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Sponsor DUST address:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">state</span><span class="p">.</span><span class="nx">dust</span><span class="p">.</span><span class="nx">address</span><span class="p">);</span> <span class="k">await</span> <span class="nf">checkDustLevel</span><span class="p">();</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">checkDustLevel</span><span class="p">()</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">sponsorWallet</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">state</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">sponsorWallet</span><span class="p">.</span><span class="nf">waitForSyncedState</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">dustBalance</span> <span class="o">=</span> <span class="nx">state</span><span class="p">.</span><span class="nx">dust</span><span class="p">.</span><span class="nx">totalCoins</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">LOW_DUST_THRESHOLD</span> <span class="o">=</span> <span class="mi">100</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">dustBalance</span> <span class="o">&lt;</span> <span class="nx">LOW_DUST_THRESHOLD</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span> <span class="s2">`[WARN] Sponsor DUST balance is low: </span><span class="p">${</span><span class="nx">dustBalance</span><span class="p">}</span><span class="s2">. Top up NIGHT holdings.`</span> <span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Sponsor DUST balance: </span><span class="p">${</span><span class="nx">dustBalance</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Simple in-memory rate limiter; use Redis for production</span> <span class="kd">const</span> <span class="nx">requestCounts</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Map</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="p">{</span> <span class="na">count</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">resetAt</span><span class="p">:</span> <span class="kr">number</span> <span class="p">}</span><span class="o">&gt;</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">RATE_LIMIT</span> <span class="o">=</span> <span class="mi">10</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">RATE_WINDOW_MS</span> <span class="o">=</span> <span class="mi">60</span><span class="nx">_000</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">isRateLimited</span><span class="p">(</span><span class="nx">ip</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">boolean</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">now</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">entry</span> <span class="o">=</span> <span class="nx">requestCounts</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">ip</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">entry</span> <span class="o">||</span> <span class="nx">now</span> <span class="o">&gt;</span> <span class="nx">entry</span><span class="p">.</span><span class="nx">resetAt</span><span class="p">)</span> <span class="p">{</span> <span class="nx">requestCounts</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">ip</span><span class="p">,</span> <span class="p">{</span> <span class="na">count</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">resetAt</span><span class="p">:</span> <span class="nx">now</span> <span class="o">+</span> <span class="nx">RATE_WINDOW_MS</span> <span class="p">});</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="nx">entry</span><span class="p">.</span><span class="nx">count</span> <span class="o">+=</span> <span class="mi">1</span><span class="p">;</span> <span class="k">return</span> <span class="nx">entry</span><span class="p">.</span><span class="nx">count</span> <span class="o">&gt;</span> <span class="nx">RATE_LIMIT</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">processedTxIds</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Set</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">"</span><span class="s2">/sponsor</span><span class="dl">"</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">clientIp</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">ip</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">unknown</span><span class="dl">"</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nf">isRateLimited</span><span class="p">(</span><span class="nx">clientIp</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span> <span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">429</span><span class="p">)</span> <span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Rate limit exceeded</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">userFinalized</span><span class="p">,</span> <span class="nx">idempotencyKey</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">userFinalized</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span> <span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">)</span> <span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Missing userFinalized</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">idempotencyKey</span> <span class="o">&amp;&amp;</span> <span class="nx">processedTxIds</span><span class="p">.</span><span class="nf">has</span><span class="p">(</span><span class="nx">idempotencyKey</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span> <span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">)</span> <span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Already processed</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">sponsorWallet</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span> <span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">503</span><span class="p">)</span> <span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Sponsor wallet not ready</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">sponsorRecipe</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">sponsorWallet</span><span class="p">.</span><span class="nf">balanceFinalizedTransaction</span><span class="p">(</span> <span class="nx">userFinalized</span><span class="p">,</span> <span class="p">{</span> <span class="na">shieldedSecretKeys</span><span class="p">:</span> <span class="nx">sponsorShieldedKeys</span><span class="p">,</span> <span class="na">dustSecretKey</span><span class="p">:</span> <span class="nx">sponsorDustKey</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">ttl</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">+</span> <span class="mi">30</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">),</span> <span class="na">tokenKindsToBalance</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">dust</span><span class="dl">"</span><span class="p">],</span> <span class="p">}</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">sponsorSigned</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">sponsorWallet</span><span class="p">.</span><span class="nf">signRecipe</span><span class="p">(</span> <span class="nx">sponsorRecipe</span><span class="p">,</span> <span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">sponsorKeystore</span><span class="p">.</span><span class="nf">signData</span><span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">sponsorFinalized</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">sponsorWallet</span><span class="p">.</span><span class="nf">finalizeRecipe</span><span class="p">(</span><span class="nx">sponsorSigned</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">txHash</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">sponsorWallet</span><span class="p">.</span><span class="nf">submitTransaction</span><span class="p">(</span><span class="nx">sponsorFinalized</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">idempotencyKey</span><span class="p">)</span> <span class="nx">processedTxIds</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="nx">idempotencyKey</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Sponsored transaction submitted: </span><span class="p">${</span><span class="nx">txHash</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">await</span> <span class="nf">checkDustLevel</span><span class="p">();</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="nx">txHash</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Sponsorship failed:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="nc">String</span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">});</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/health</span><span class="dl">"</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">_req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">sponsorWallet</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">503</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="dl">"</span><span class="s2">not ready</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">state</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">sponsorWallet</span><span class="p">.</span><span class="nf">waitForSyncedState</span><span class="p">();</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="dl">"</span><span class="s2">ok</span><span class="dl">"</span><span class="p">,</span> <span class="na">dustBalance</span><span class="p">:</span> <span class="nx">state</span><span class="p">.</span><span class="nx">dust</span><span class="p">.</span><span class="nx">totalCoins</span> <span class="p">});</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">PORT</span> <span class="o">=</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">PORT</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">3001</span><span class="dl">"</span><span class="p">,</span> <span class="mi">10</span><span class="p">);</span> <span class="nf">initSponsorWallet</span><span class="p">()</span> <span class="p">.</span><span class="nf">then</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="nx">PORT</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Sponsor service running on port </span><span class="p">${</span><span class="nx">PORT</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">);</span> <span class="p">})</span> <span class="p">.</span><span class="k">catch</span><span class="p">((</span><span class="nx">err</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Failed to initialize sponsor wallet:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">err</span><span class="p">);</span> <span class="nx">process</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p><code>HDWallet.fromSeed()</code> derives three independent key sets from a single mnemonic using BIP-44 role paths. <code>hdWallet.clear()</code> is called immediately after to prevent the master seed from remaining in memory. <code>WalletFacade.init()</code> starts all three sub-wallets against the same network configuration, and <code>start()</code> triggers chain synchronisation. <code>waitForSyncedState()</code> then blocks until the wallet has caught up before the service begins accepting requests. The in-memory rate limiter and idempotency set are sufficient for a single-instance deployment. Replace both with Redis before running at scale. DUST balance is checked after every successful sponsorship so the service warns before the wallet runs dry rather than discovering the problem mid-request.</p> <h3> Environment variables </h3> <p>Set these environment variables before starting the service.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">SPONSOR_SEED_PHRASE</span><span class="o">=</span><span class="s2">"your twelve word seed phrase here"</span> <span class="nv">NETWORK_ID</span><span class="o">=</span><span class="s2">"preview"</span> <span class="nv">RPC_URL</span><span class="o">=</span><span class="s2">"wss://rpc.midnight.network"</span> <span class="nv">INDEXER_URL</span><span class="o">=</span><span class="s2">"https://indexer.midnight.network"</span> <span class="nv">PROOF_SERVER_URL</span><span class="o">=</span><span class="s2">"http://localhost:6300"</span> <span class="nv">PORT</span><span class="o">=</span><span class="s2">"3001"</span> </code></pre> </div> <p><code>NETWORK_ID</code> must be the string identifier (<code>'preview'</code> or <code>'preprod'</code>), not a number, because <code>WalletFacade</code> uses it for address encoding and network routing. <code>RPC_URL</code> requires a WebSocket URL (<code>wss://</code><br> ...</p> dust sponsorship wallet midnightsdk Akanji Rahman Sun, 03 May 2026 05:17:35 +0000 https://dev.to/akanji_rahman_45ea46f9a7a/selective-disclosure-patterns-in-compact-1745 https://dev.to/akanji_rahman_45ea46f9a7a/selective-disclosure-patterns-in-compact-1745 <p>Nowadays blockchains treat privacy like it's just an extra. Just an additional feature. Everything is visible and public. This architecture works for systems where public transparency is the end goal. But what happens when you begin to handle big data, medical records or sensitive information? It collapses. Full transparency and accountability is not a feature in these contexts, it's a problem.</p> <h2> Table of contents </h2> <ul> <li>How does Midnight solve this problem?</li> <li>Understanding the privacy model</li> <li> Using disclose() correctly <ul> <li>Placing disclose() at the right scope</li> <li>Disclosure through conditional expressions</li> </ul> </li> <li> What's safe to disclose vs what leaks privacy <ul> <li>Safe to disclose</li> <li>What actually leaks privacy?</li> </ul> </li> <li> Applying domain-separated hashing for cross-property unlinkability <ul> <li>How does this relate to Compact?</li> <li>The round counter and linkability</li> </ul> </li> <li>Running a privacy audit on your contract</li> <li>Conclusion</li> </ul> <h2> Prerequisites </h2> <p>This is an intermediate tutorial. Before reading, you should be comfortable with:</p> <ul> <li> <strong>Basic Compact syntax</strong> — you understand what <code>witness</code>, <code>circuit</code>, <code>ledger</code>, and <code>export</code> declarations do. If not, start with the <a href="https://docs.midnight.network/compact" rel="noopener noreferrer">Compact language reference</a>.</li> <li> <strong>The Compact compiler installed</strong> — follow the <a href="https://docs.midnight.network/getting-started/installation" rel="noopener noreferrer">installation guide</a> to set it up.</li> <li> <strong>Zero-knowledge proofs at a conceptual level</strong> — you understand that a ZK proof lets you prove a statement is true without revealing the underlying data.</li> <li> <strong>Familiarity with a typed language like TypeScript</strong> — Compact's syntax is modelled on TypeScript, so comfort with typed functions, structs, and return types will help.</li> </ul> <h2> How does Midnight solve this problem? </h2> <p>Midnight implements a solution known as "Selective Disclosure". This is the ability of users to choose what information to reveal and who this information can be revealed to without revealing the full data.</p> <p>For example, instead of displaying "Rahman's balance is 200,000 USDT", a Midnight DApp can publish a zero-knowledge proof that says "Rahman's balance exceeds the required threshold" and nothing more. This has solved two major issues efficiently; The sensitive data stays private and the important and verifiable fact becomes public. This is the foundation of Programmable privacy on Midnight.</p> <p>This tutorial walks you through how Selective disclosure works in Compact, which is Midnight's Typescript inspired smart contract language. The knowledge you'll get from reading this article include:</p> <p>a). Learning the mechanics of the <code>disclose()</code> operator.<br> b). Understanding what is safe to disclose as opposed to what silently leaks privacy.<br> c). Applying domain-separated hashing to block cross-property linkability.<br> d). Working through a privacy audit checklist you can run on your own contracts before deployment.</p> <h2> Understanding the privacy model </h2> <p>Before we get into the coding technicalities, how does Compact even work?</p> <p>Every Compact Contract operates across two kinds of state. The Public State and The Private State.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4o3yaj1vt26w09zonsy0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4o3yaj1vt26w09zonsy0.png" alt=" " width="800" height="450"></a></p> <p>The Public State: This is the data that is written to the onchain ledger which is open and visible to all network participants.<br> The Private State: This is the data that lives only on the user's computer and is never exposed to the network. It comes from 'witness' functions that your DApp provides locally, and from any value derived from those witness values.<br> The zero-knowledge proof generated by a circuit proves that the computation was performed correctly, without leaking the witness values involved. The major guarantee is that the network learns that the rule was followed, not what values were used.</p> <p>Compact uses a compiler's witness protection program which is an interpreter that tracks which values contain witness data and rejects any program that would disclose sensitive data without an explicit declaration. Privacy becomes the default and disclosure is an exception you must deliberately request.</p> <h2> Using <code>disclose()</code> correctly </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnt39v0mfe5df69sm1xkj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnt39v0mfe5df69sm1xkj.png" alt=" " width="800" height="450"></a></p> <p>The <code>disclose()</code> wrapper is how you tell the Compact compiler: "I know this value contains private data, and I am intentionally making it public." Without it, the compiler stops, displaying a detailed error. Below is a simple example of this; recording a private balance on-chain:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>pragma language_version &gt;= 0.16 &amp;&amp; &lt;= 0.22; import CompactStandardLibrary; witness getBalance(): Bytes&lt;32&gt;; export ledger balance: Bytes&lt;32&gt;; export circuit recordBalance(): [] { balance = disclose(getBalance()); } </code></pre> </div> <p>If you remove the <code>disclose()</code> wrapper, the compiler immediately rejects the program:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Exception: selective.compact line 9 char 9: potential witness-value disclosure must be declared but is not: witness value potentially disclosed: the return value of witness getBalance at line 5 char 1 nature of the disclosure: ledger operation might disclose the witness value via this path through the program: the right-hand side of = at line 9 char 9 </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5ohhhqyabu4nskqxtwla.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5ohhhqyabu4nskqxtwla.png" alt=" " width="800" height="103"></a></p> <p>The error message is precise. It names the witness function that is the source of the data, explains the nature of the disclosure, and traces the full path through the program. This is because the compiler wants you to understand exactly what you are declaring when you add the <code>disclose()</code> wrapper.</p> <p>It is important to note that placing a <code>disclose()</code> wrapper does not cause disclosure in itself. It simply tells the compiler to treat the wrapped expression as if it does not contain witness data. The actual disclosure happens at the storage or return point.</p> <p><code>disclose()</code> is the declaration, not the action.</p> <h3> Placing <code>disclose()</code> at the right scope </h3> <p>For simple values, place <code>disclose()</code> as close to the storage or return point as possible. This is important because it minimizes the scope of the disclosure declaration and makes it more difficult to accidentally reuse a disclosed value in a privacy sensitive context elsewhere in the circuit.</p> <p>For structured values such as tuples, vectors or structs, wrap only the field you intend to disclose:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>pragma language_version &gt;= 0.16 &amp;&amp; &lt;= 0.22; import CompactStandardLibrary; struct UserRecord { publicName: Bytes&lt;32&gt;; privateScore: Uint&lt;64&gt;; } witness getUserRecord(): UserRecord; export ledger displayName: Bytes&lt;32&gt;; export circuit publishName(): [] { const record = getUserRecord(); // Only disclose the name field, not the entire struct displayName = disclose(record.publicName); } </code></pre> </div> <p>This pattern is important because wrapping the entire struct in a single <code>disclose()</code> would declare the <code>privateScore</code> field as publicly disclosed too even though you never store it onchain. The compiler would accept it, but you would be declaring an intention that does not match your actual privacy requirements.</p> <h3> Disclosure through conditional expressions </h3> <p>The compiler also catches indirect disclosure through boolean comparisons. This is one of the most common unintentional privacy leaks in zero-knowledge contracts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import CompactStandardLibrary; witness getBalance(): Uint&lt;64&gt;; // This will NOT compile — the comparison result leaks the witness value export circuit balanceExceeds(n: Uint&lt;64&gt;): Boolean { return getBalance() &gt; n; } </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Exception: selective.compact line 6 char 1: potential witness-value disclosure must be declared but is not: witness value potentially disclosed: the return value of witness getBalance at line 2 char 1 nature of the disclosure: the value returned from exported circuit balanceExceeds might disclose the result of a comparison involving the witness value via this path through the program: the comparison at line 6 char 8 </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4288y1aawftljxgpxtw7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4288y1aawftljxgpxtw7.png" alt=" " width="800" height="133"></a></p> <p>Returning a boolean derived from a private value is still a disclosure as the result narrows the range of possible the attacker needs to test. If you intend to return this boolean, you must declare it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import CompactStandardLibrary; witness getBalance(): Uint&lt;64&gt;; export circuit balanceExceeds(n: Uint&lt;64&gt;): Boolean { return disclose(getBalance()) &gt; n; } </code></pre> </div> <p>Whether this is appropriate depends on your use case. If you are building a compliance gate (e.g "balance exceeds the minimum required to participate"), returning the boolean is intentional and acceptable. If you are building a privacy-preserving wallet, returning it leaks information about the user's balance range with every call.</p> <h2> What's safe to disclose vs what leaks privacy </h2> <p>Not all disclosures are equal. Some values are safe to publish because they carry no meaningful information about the underlying private data. Others appear harmless but silently narrow the privacy guarantees your DApp advertises. So how do we differentiate them?</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8h2nc9heaxpe53dl2gxp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8h2nc9heaxpe53dl2gxp.png" alt=" " width="800" height="450"></a></p> <h3> Safe to disclose </h3> <p>Derived commitments and hashes (with correct library functions).</p> <p>The Compact standard library includes functions the compiler recognizes as cryptographically sound transformations. When you wrap witness data in <code>transientCommit()</code>, the compiler treats the output as not containing witness data, which means no explicit <code>disclose()</code> is required for a commitment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import CompactStandardLibrary; witness getSecretValue(): Field; witness getNonce(): Field; export ledger commitment: Field; export circuit commitValue(): [] { const secret = getSecretValue(); const nonce = getNonce(); // transientCommit output is treated as non-witness by the compiler commitment = transientCommit(secret, nonce); } </code></pre> </div> <p>An important distinction between these four functions: the compiler treats <code>transientCommit()</code> output as not containing witness data, so no <code>disclose()</code> is required on the result. <code>transientHash()</code>, however, is NOT considered sufficient to protect witness data — if the input came from a witness, the output still requires <code>disclose()</code> before it can be stored in the ledger or returned from an exported circuit.</p> <p>The transient variants (<code>transientCommit</code> and <code>transientHash</code>) are circuit-efficient but their algorithm is not guaranteed to stay consistent across network upgrades, so they should not be used to derive state data that needs to be verified later. The persistent variants (<code>persistentCommit</code> and <code>persistentHash</code>) use SHA-256 and are guaranteed to remain consistent across upgrades, so use these for any values stored in ledger state.</p> <h4> Aggregate results that do not reveal individual values </h4> <p>Storing a count of transactions or a running total where the per transaction values remain private is generally safe, provided the aggregate does not itself narrow the input range to be exploitable.</p> <h4> Public keys derived from private keys through domain-separated hashing </h4> <p>This pattern is used throughout the official examples. You derive a public identifier from a private key, publish the public identifier, and keep the private key local. Because the hash function is one-way and hard to invert, the public key reveals nothing about the private key. The section on domain-separated hashing covers this pattern in depth.</p> <h3> What actually leaks privacy? (even with <code>disclose()</code>)? </h3> <h4> Raw witness values </h4> <p>Storing <code>disclose(getBalance())</code> directly onchain publishes the balance in plaintext. This is appropriate when the value is intended to be public (e.g a display name, a transaction amount for a public ledger), but it is a complete disclosure of the underlying data.</p> <h4> Arithmetic on witness values </h4> <p>Adding, subtracting, or scaling a private value before disclosure does not hide it cryptographically. The Compact compiler correctly rejects this without a <code>disclose()</code> wrapper, but the real risk is developers who add <code>disclose()</code> and assume the arithmetic hides the value. It does not. Here's what it does:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// Dangerous — disclosing an offset balance still reveals the balance balance = disclose(getBalance() + 73); </code></pre> </div> <p>If an attacker knows the offset which in this case is 73, they recover the original value immediately.</p> <h4> Boolean outputs from comparisons on private data </h4> <p>Exposing true/false results of comparisons on confidential values enables progressive disclosure of sensitive information. An attacker who can call the circuit many times with different values can binary-search their way to the exact private value through repeated queries. If you must expose a threshold check, consider rate-limiting at the DApp layer and documenting the tradeoff clearly.</p> <h4> Enum variants derived from private logic </h4> <p>Returning a value that is state constant or a State enum value such as 'Pending', 'Rejected', etc that was computed from sensitive data can leak information about the data depending on the number of states that exist and how they map to the input space.</p> <h2> Applying domain-separated hashing for cross-property unlinkability </h2> <p>One of the more delicate privacy risks in zero knowledge contracts is cross-property linkability which is what occurs when two different disclosures from the same private identity can be correlated by an observer even if neither disclosure reveals the identity itself. For example, Rahman reveals two things in separate transactions: a proof that his KYC tier is "premium" and a proof that his account is over 10 months old. Each proof reveals nothing individually, but if both proofs are signed with the same public key or derived from the same hash of the Rahman's identity, an observer can link the two transactions to Rahman, reconstructing a profile without ever learning the underlying identity.</p> <p>How do we resolve this? Instead of deriving a single public key from a user's secret key, you derive a different public key for each purpose (or domain) by including a domain tag in the hash input. Two hashes with different domain tags, even for the same secret, produce completely unrelated outputs.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foo9iusuosh6nh5g3013h.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foo9iusuosh6nh5g3013h.png" alt=" " width="800" height="450"></a></p> <h3> How does this relate to Compact? </h3> <p>The previous examples use this pattern directly. The <code>publicKey</code> circuit in the lock example incorporates a domain tag as part of the hash:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>pragma language_version &gt;= 0.16 &amp;&amp; &lt;= 0.22; import CompactStandardLibrary; circuit publicKey(round: Field, sk: Bytes&lt;32&gt;): Bytes&lt;32&gt; { return persistentHash&lt;Vector&lt;3, Bytes&lt;32&gt;&gt;&gt;( [pad(32, "midnight:examples:lock:pk"), round as Bytes&lt;32&gt;, sk] ); } </code></pre> </div> <p>The string <code>midnight:examples:lock:pk</code> is the domain tag. It is namespaced to prevent collision with other contracts that might use the same hash function on the same secret key. This pattern can be extended across different properties of the same identity:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>pragma language_version &gt;= 0.16 &amp;&amp; &lt;= 0.22; import CompactStandardLibrary; // Produce an unlinkable key for KYC tier disclosure circuit kycTierKey(round: Field, sk: Bytes&lt;32&gt;): Bytes&lt;32&gt; { return persistentHash&lt;Vector&lt;3, Bytes&lt;32&gt;&gt;&gt;( [pad(32, "myapp:identity:kyc-tier"), round as Bytes&lt;32&gt;, sk] ); } // Produce a separate, unlinkable key for account-age disclosure circuit accountAgeKey(round: Field, sk: Bytes&lt;32&gt;): Bytes&lt;32&gt; { return persistentHash&lt;Vector&lt;3, Bytes&lt;32&gt;&gt;&gt;( [pad(32, "myapp:identity:account-age"), round as Bytes&lt;32&gt;, sk] ); } witness secretKey(): Bytes&lt;32&gt;; export ledger kycAuthority: Bytes&lt;32&gt;; export ledger ageAuthority: Bytes&lt;32&gt;; export ledger round: Counter; export circuit registerKycTier(): [] { const sk = secretKey(); kycAuthority = disclose(kycTierKey(round.read() as Field, sk)); } export circuit registerAccountAge(): [] { const sk = secretKey(); ageAuthority = disclose(accountAgeKey(round.read() as Field, sk)); } </code></pre> </div> <p>By doing this, an observer who sees both <code>kycAuthority</code> and <code>ageAuthority</code> on the ledger cannot determine whether they belong to the same user. The domain tags ensure the outputs are cryptographically unrelated, even though both were derived from the same secret key.</p> <h3> The round counter and linkability </h3> <p>The round counter in the examples above serves a second purpose. Without it, a user who calls <code>registerKycTier()</code> twice would produce the same <code>kycAuthority</code> value both times, allowing an observer to link both calls to the same identity. By introducing <code>round</code> into the hash, each call produces a different output even with the same secret key. The linkability between rounds is broken when round is incremented between calls.</p> <p>Something to note before moving on: never reuse a nonce in a commitment scheme. If you use <code>persistentCommit(value, nonce)</code> and the same nonce appears onchain in double transactions, an observer can link both commitments and if they can observe one opening, potentially infer the other.</p> <h2> Running a privacy audit on your contract </h2> <p>Before you deploy a contract to a testnet or mainnet, you should go through this checklist first. It helps to identify, the most common privacy mistakes.</p> <h3> Privacy audit checklist </h3> <h4> Disclosure scope </h4> <p>(i). Every <code>disclose()</code> call wraps the minimum expression necessary, not an entire struct when only one field needs to be public.<br> (ii). No <code>disclose()</code> is placed on a witness call whose output will be used in subsequent private computations. If a witness value travels both a public path and a private path, these should be two separate values.<br> (iii). All exported circuit return values are reviewed. If a return value is derived from witness data, confirm the disclosure is on purpose and document what information it reveals.</p> <h4> Boolean and comparison leaks </h4> <p>(i). No exported circuit returns a boolean, integer, or enum that is directly derived from an undisclosed private value without documenting the intended information disclosure.<br> (ii). For threshold checks (e.g. <code>balance &gt; n</code>), consider whether repeated calls allow binary search over the private value. If so, document the tradeoff or implement rate limiting at the DApp layer.</p> <h4> Hashing and commitments </h4> <p>(i). <code>transientHash</code>/<code>transientCommit</code> outputs should not be used to derive ledger state that needs to persist across network upgrades. Use <code>persistentHash</code>/<code>persistentCommit</code> for those values.<br> (ii). Nonces used in <code>persistentCommit</code> are never reused. Reusing a nonce with the same value allows on-chain commitment linking.<br> (iii). Hash inputs do not contain values that an attacker could enumerate to reverse the hash (e.g a small integer hashed alone without a nonce).</p> <h4> Cross-property linkability </h4> <p>(i). Each distinct property of a private identity must use a separate, name-spaced domain tag in its key derivation hash.<br> (ii). Domain tag strings follow a consistent, collision-resistant naming convention (e.g., "firstproject:context:property").<br> (iii). A round counter or similar freshness mechanism is included in any public key derivation to prevent same-key linkability across multiple interactions.</p> <h4> Compiler verification </h4> <p>(i). The contract compiles cleanly without suppressed warnings. Review any <code>disclose()</code> wrapper you added in response to a compiler error rather than from intentional design.<br> (ii). After any refactor, recompile the contract from scratch and re-review all <code>disclose()</code> sites, structural changes can introduce new disclosure paths.</p> <h4> Documentation </h4> <p>(i). Each <code>disclose()</code> site is accompanied by an inline comment explaining what is being disclosed and why it is intentional.<br> (ii). The contract's README note or specification states clearly which fields in the ledger are public, which are derived from private data, and what information each derived field reveals.</p> <h2> Conclusion </h2> <p>Using Selective disclosure in Midnight is not just a feature, it is an architectural guarantee fused into the language. The compiler's witness protection program means you cannot accidentally publish private data without being forced to make a deliberate decision which is great for security of sensitive data.</p> <p>The <code>disclose()</code> wrapper is that decision point, and treating it as such, rather than as a formality to satisfy the compiler, is what separates a contract with genuine privacy properties from one that only appears private.</p> <p>In this tutorial we have covered the full practical arc of selective disclosure in Compact. We learned how the public/private state split works and why privacy is the default. We also learned how to use <code>disclose()</code> correctly, how to scope it precisely to avoid over-disclosure on structured values, and how the compiler catches indirect leaks through arithmetic and conditionals.</p> <p>Domain-separated hashing was applied to break cross-property linkability, using the same pattern Midnight's own standard examples rely on. And now, there is a concrete privacy audit checklist to run against contracts before they reach the network.</p> <p>If you have any questions on this article or you're confused somewhere, please engage and let me know. Share this with anyone you think it will help. Privacy is the default, disclosure is the exception.</p> blockchain privacy tutorial web3