Merge pull request #983 from stellar/philip/chore-sync-12-09

Chore: Merge `develop` into `feature/c-accounts`

Author: philipliu

.github/workflows/automated_release_process.yml

@@ -16,7 +16,7 @@ on:
 env:
   REPO_ORG: stellar
   REPO_NAME: stellar-disbursement-platform-backend
-  REVIEWER: marcelosalloum,marwen-abid
+  REVIEWER: JiahuiWho,marwen-abid,philipliu
 
 jobs:
   create-release:

.github/workflows/ci.yml

@@ -105,7 +105,7 @@ jobs:
       - name: Install NodeJs
         uses: actions/setup-node@v6
         with:
-          node-version: 20
+          node-version: 22
 
       - name: Install dependencies
         working-directory: internal/serve/sep24frontend/app

CHANGELOG.md

@@ -4,17 +4,35 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/).
 
-## [Unreleased]
+## [6.0.1](https://github.com/stellar/stellar-disbursement-platform-backend/releases/tag/6.0.1) ([diff](https://github.com/stellar/stellar-disbursement-platform-backend/compare/6.0.0...6.0.1))
+
+### Fixed
+
+- Fix Twilio error 21656 when sending WhatsApp OTP messages by updating template to single variable format as required by Twilio/Meta's updated authentication template requirements [#974](https://github.com/stellar/stellar-disbursement-platform-backend/pull/974)
+
+### Security and Dependencies
+
+- Bump the all-docker group with 2 updates [#976](https://github.com/stellar/stellar-disbursement-platform-backend/pull/976)
+  - golang from 1.25.4-alpine to 1.25.5-alpine
+  - alpine from 3.22 to 3.23
+- Bump the minor-and-patch group with 7 updates [#977](https://github.com/stellar/stellar-disbursement-platform-backend/pull/977)
+
+## [6.0.0](https://github.com/stellar/stellar-disbursement-platform-backend/releases/tag/6.0.0) ([diff](https://github.com/stellar/stellar-disbursement-platform-backend/compare/5.0.0...6.0.0))
+
+### 🚨Potential Breaking Changes
+
+- Remove case insensitivity from asset code comparisons [#967](https://github.com/stellar/stellar-disbursement-platform-backend/pull/967)
+- Decommission Anchor Platform and add support for SEP-10 and SEP-24 endpoints in the SDP [#834](https://github.com/stellar/stellar-disbursement-platform-backend/pull/834)
+    - Add SEP10 /auth endpoints
+    - Add SEP24 /info endpoints
+    - Add SEP24 interactive deposit endpoint
+    - Remove Anchor Platform integration from the SDP and deprecate related env variables.
 
 ### Added
 
 - Add Launch Wizard through `make setup` command to simplify initial setup and mainnet configuration for docker compose [#875](https://github.com/stellar/stellar-disbursement-platform-backend/pull/875)
+    - Add `--env-file` command line argument to support multiple environment file contexts [#963](https://github.com/stellar/stellar-disbursement-platform-backend/pull/963) 
 - Add HTTPS mode to setup wizard [#957](https://github.com/stellar/stellar-disbursement-platform-backend/pull/957)
-- Support for SEP-10 and SEP-24 endpoints in the SDP [#834](https://github.com/stellar/stellar-disbursement-platform-backend/pull/834)
-    - Add SEP10 /auth endpoints 
-    - Add SEP24 /info endpoints
-    - Add SEP24 interactive deposit endpoint
-    - Remove Anchor Platform integration from the SDP and deprecate related env variables. 
 - Add configurable database connection pool settings to prevent idle connection buildup in multi-tenant deployments [#932](https://github.com/stellar/stellar-disbursement-platform-backend/pull/932)
 
 ### Changed
@@ -25,10 +43,20 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/).
 
 ### Fixed
 
-- Fix HTML validation to allow apostrophes in invitation messages while maintaining security against XSS attacks [#930](https://github.com/stellar/stellar-disbursement-platform-backend/pull/930)
+- Fix HTML validation to allow apostrophes in invitation messages while maintaining security against XSS attacks [#931](https://github.com/stellar/stellar-disbursement-platform-backend/pull/931)
 - Refactor to replace float64 with shopspring decimal [#936](https://github.com/stellar/stellar-disbursement-platform-backend/pull/936)
 - `channel-accounts ensure` command should have a minimum of 1 [#939](https://github.com/stellar/stellar-disbursement-platform-backend/pull/939)
 
+### Security and Dependencies
+
+- Upgrade React to 19.2.1 in SEP-24 frontend to address CVE-2025-66478 and CVE-2025-55182 [#968](https://github.com/stellar/stellar-disbursement-platform-backend/pull/968)
+- Bump the minor-and-patch group with 5 updates [#961](https://github.com/stellar/stellar-disbursement-platform-backend/pull/961)
+- Bump the minor-and-patch group across 1 directory with 12 updates [#955](https://github.com/stellar/stellar-disbursement-platform-backend/pull/955)
+- Bump actions/checkout from 5 to 6 in the all-actions group [#954](https://github.com/stellar/stellar-disbursement-platform-backend/pull/954)
+- Bump js-yaml from 4.1.0 to 4.1.1 in the npm_and_yarn group [#947](https://github.com/stellar/stellar-disbursement-platform-backend/pull/947)
+- Bump golang from 1.25.3-alpine to 1.25.4-alpine in the all-docker group [#940](https://github.com/stellar/stellar-disbursement-platform-backend/pull/940)
+- Bump the minor-and-patch group with 7 updates [#933](https://github.com/stellar/stellar-disbursement-platform-backend/pull/933)
+
 ## [5.0.0](https://github.com/stellar/stellar-disbursement-platform-backend/releases/tag/5.0.0) ([diff](https://github.com/stellar/stellar-disbursement-platform-backend/compare/4.1.0...5.0.0))
 
 ### Added

Dockerfile

@@ -3,7 +3,7 @@
 # To push:
 #    make docker-push
 
-FROM golang:1.25.4-alpine AS build
+FROM golang:1.25.5-alpine AS build
 ARG GIT_COMMIT
 
 ENV CGO_ENABLED=0 GOOS=linux
@@ -14,7 +14,7 @@ COPY . ./
 RUN go build -o /bin/stellar-disbursement-platform -ldflags "-X main.GitCommit=$GIT_COMMIT" .
 
 
-FROM alpine:3.22
+FROM alpine:3.23
 
 RUN apk add --no-cache ca-certificates
 # ADD migrations/ /app/migrations/

Dockerfile.development

@@ -1,5 +1,5 @@
 # Stage 1: Build the Go application
-FROM golang:1.25.4-alpine AS build
+FROM golang:1.25.5-alpine AS build
 ARG GIT_COMMIT
 
 WORKDIR /src/stellar-disbursement-platform
@@ -9,7 +9,7 @@ COPY . ./
 RUN go build -o /bin/stellar-disbursement-platform -ldflags "-X main.GitCommit=$GIT_COMMIT" .
 
 # Stage 2: Setup the development environment with Delve for debugging
-FROM golang:1.25.4-alpine AS development
+FROM golang:1.25.5-alpine AS development
 
 # set workdir according to repo structure so remote debug source code is in sync
 WORKDIR /app/github.com/stellar/stellar-disbursement-platform

README.md

@@ -2,7 +2,7 @@
 
 [![Swagger Documentation](https://img.shields.io/badge/docs-swagger-blue?logo=swagger)](https://petstore.swagger.io/?url=https://raw.githubusercontent.com/stellar/stellar-docs/refs/heads/main/openapi/stellar-disbursement-platform/bundled.yaml)
 [![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/stellar/stellar-disbursement-platform-backend)
-[![Stellar Docs](https://img.shields.io/badge/docs-stellar.org-blue?logo=stellar)](https://developers.stellar.org/platforms/stellar-disbursement-platform)
+[![Stellar Docs](https://img.shields.io/badge/docs-stellar.org-blue?logo=stellar)](https://developers.stellar.org/docs/platforms/stellar-disbursement-platform)
 [![CI](https://img.shields.io/github/check-runs/stellar/stellar-disbursement-platform-backend/develop?logo=github&label=CI)](https://github.com/stellar/stellar-disbursement-platform-backend/actions/workflows/docker_image_public_release.yml)
 [![Go Report Card](https://goreportcard.com/badge/github.com/stellar/stellar-disbursement-platform-backend)](https://goreportcard.com/report/github.com/stellar/stellar-disbursement-platform-backend)
 [![GitHub](https://img.shields.io/github/license/stellar/stellar-disbursement-platform-backend)](https://github.com/stellar/stellar-disbursement-platform-backend/blob/main/LICENSE)
@@ -25,8 +25,8 @@
   - [State Transitions](#state-transitions)
 
 > [!NOTE]
-> If you are using version 1.x.x, we highly recommend upgrading to version 2.x.x to benefit from the latest features, routine fixes, and security patches. 
-> For detailed instructions on how to upgrade, please refer to [the upgrade guide](https://developers.stellar.org/network/stellar-disbursement-platform/admin-guide/single-tenant-to-multi-tenant-migration).
+> If you are using version 1.x.x, we highly recommend upgrading to version 2.x.x to benefit from the latest features, routine fixes, and security patches.
+> For detailed instructions on how to upgrade, please refer to [the upgrade guide](https://developers.stellar.org/docs/platforms/stellar-disbursement-platform/admin-guide/single-tenant-to-multi-tenant-migration).
 
 ## Introduction
 
@@ -47,7 +47,7 @@ stellar-disbursement-platform --help
 
 ## Quick Start
 
-### Docker Compose 
+### Docker Compose
 
 To quickly test the SDP using preconfigured values, use the startup wizard.
 
@@ -57,7 +57,7 @@ make setup
 
 For more information about launching and configuring the SDP, see the [Quick Start Guide](./dev/README.md).
 
-### Helm 
+### Helm
 
 To deploy the SDP using Helm, see the [Helm Chart](./helmchart/sdp/README.md).
 
@@ -178,7 +178,7 @@ The SEP10/SEP24 implementation can be configured using the following environment
 SEP10_SIGNING_PUBLIC_KEY=G...  # Public key for SEP10 signing
 SEP10_SIGNING_PRIVATE_KEY=S... # Private key for SEP10 signing
 
-# SEP24 Configuration  
+# SEP24 Configuration
 SEP24_JWT_SECRET=jwt_secret_... # JWT secret for SEP24 tokens
 ```
 
@@ -190,7 +190,7 @@ The following environment variables are required for SEP10/SEP24 functionality:
 
 **Required Variables:**
 - `SEP10_SIGNING_PUBLIC_KEY` - Public key for SEP10 challenge signing
-- `SEP10_SIGNING_PRIVATE_KEY` - Private key for SEP10 challenge signing  
+- `SEP10_SIGNING_PRIVATE_KEY` - Private key for SEP10 challenge signing
 - `SEP24_JWT_SECRET` - JWT secret for SEP24 token signing
 
 **Optional Variables:**
@@ -207,9 +207,9 @@ The SDP Core service include several components started using a single command.
 stellar-disbursement-platform serve --help
 ```
 
-#### Admin API 
+#### Admin API
 
-The Admin API is the component responsible for managing tenants of the SDP. It runs by default on port 8003 and is used to provision new tenants and manage existing tenants. 
+The Admin API is the component responsible for managing tenants of the SDP. It runs by default on port 8003 and is used to provision new tenants and manage existing tenants.
 
 #### Dashboard API
 
@@ -273,7 +273,7 @@ TWILIO_WHATSAPP_RECEIVER_OTP_TEMPLATE_SID=HXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 - WhatsApp requires pre-approved message templates for all business-initiated conversations
 - Template variables are automatically populated by the SDP based on the message type
 - All templates must be approved by WhatsApp before they can be used in production
-- For detailed setup instructions, refer to the [Twilio WhatsApp API documentation](https://www.twilio.com/docs/whatsapp/api) 
+- For detailed setup instructions, refer to the [Twilio WhatsApp API documentation](https://www.twilio.com/docs/whatsapp/api)
 
 #### Wallet Registration UI
 
@@ -308,7 +308,7 @@ In future iterations of the project, the Transaction Submission Service will pro
 
 To manage the migrations of the database, use the `db` subcommand.
 
-#### 
+####
 
 ```sh
 stellar-disbursement-platform db --help
@@ -322,7 +322,7 @@ stellar-disbursement-platform db --help
 stellar-disbursement-platform db admin migrate up
 ```
 
-The tables below are used to manage tenants and their configurations. 
+The tables below are used to manage tenants and their configurations.
 
 ![admin schema](./docs/images/admin_db_schema.png)
 
@@ -371,8 +371,8 @@ The SDP uses Background jobs to handle asynchronous tasks.
 
 **1. Jobs**
 
-> [!NOTE]  
-> Certain jobs are not listed here because they cannot be configured and are necessary to the functioning of the SDP. 
+> [!NOTE]
+> Certain jobs are not listed here because they cannot be configured and are necessary to the functioning of the SDP.
 
 * `send_receiver_wallets_invitation_job`: This job is used to send disbursement invites to recipients. Its interval is configured through the `SCHEDULER_RECEIVER_INVITATION_JOB_SECONDS` environment variable.
 * `payment_to_submitter_job`: This job is used to submit payments from Core to the TSS. Its interval is configured through the `SCHEDULER_PAYMENT_JOB_SECONDS` environment variable.

cloudformation/eks/README.md

@@ -41,7 +41,7 @@ This guide walks through deploying the Stellar Disbursement Platform (SDP) infra
   - Creates EKS cluster and node group
   - Sets up IAM roles and security groups
   - Configures IRSA (IAM Roles for Service Accounts)
-  - Sets up permissions for pods to access secrets stored in AWS Secrets Manager 
+  - Sets up permissions for pods to access secrets stored in AWS Secrets Manager
 
 After the CloudFormation stacks are deployed, additional Kubernetes resources are installed via Helm charts to complete the setup. The SDP expects secrets to be available as Kubernetes secrets, but how those secrets are synchronized (whether through ExternalSecrets, direct creation, or other means) is left to the deployer's preference.
 
@@ -82,7 +82,7 @@ aws cloudformation create-stack \
 ```
 
 ## 3. Keys Stack Deployment
-For testnet, you can auto-generate Stellar secrets using the following command: 
+For testnet, you can auto-generate Stellar secrets using the following command:
 
 ```bash
 aws cloudformation create-stack \
@@ -107,7 +107,7 @@ aws cloudformation create-stack \
     ParameterKey=ChannelAccountEncryptionPassphrase,ParameterValue=your-channel-encryption-passphrase \
     ParameterKey=DistributionAccountEncryptionPassphrase,ParameterValue=your-distribution-encryption-passphrase
 ```
-for a description of these parameters, please see: [Configuring the SDP](https://developers.stellar.org/platforms/stellar-disbursement-platform/admin-guide/configuring-sdp)
+for a description of these parameters, please see: [Configuring the SDP](https://developers.stellar.org/docs/platforms/stellar-disbursement-platform/admin-guide/configuring-sdp)
 
 ## 4. EKS Cluster Deployment
 Deploy the EKS cluster:
@@ -374,7 +374,7 @@ aws cloudformation delete-stack --stack-name ${STACK_NAME_PREFIX}-network --regi
 ## Additional Information
 
 ### Stellar Disbursement Platform Domain Structure
-The SDP platform uses two base-level domains for multi-tenant frontend and backend access. For example, lets say your hosted public domain is `api.example.org`. Then, you could configure a subdomain called `api.example.org` as the base-level domain for api access and `dashboard.example.org` as the front-end dashboard base-level domain.   If you then added a tenant (eg `ridedash`) to the SDP, the api and dashboard URLs for them would be `ridedash.api.example.org` and `ridedash.dashboard.example.org` respectively.  you can see this example in the helm-example-values file.   
+The SDP platform uses two base-level domains for multi-tenant frontend and backend access. For example, lets say your hosted public domain is `api.example.org`. Then, you could configure a subdomain called `api.example.org` as the base-level domain for api access and `dashboard.example.org` as the front-end dashboard base-level domain.   If you then added a tenant (eg `ridedash`) to the SDP, the api and dashboard URLs for them would be `ridedash.api.example.org` and `ridedash.dashboard.example.org` respectively.  you can see this example in the helm-example-values file.
 
 ## Example Helm Values configuration
 The following illustrates the example configuration for backend (api) and frontend (dashboard) base domains for the public domain `example.org`. Note, these domains must have a wild-card certificate.
@@ -392,7 +392,7 @@ dashboard:
 
 The following illustrates the kubernetes configurations that result from the above helm values.
 ```bash
-kubectl -n sdp get ingress              
+kubectl -n sdp get ingress
 NAME            CLASS            HOSTS                                           ADDRESS                                                                         PORTS     AGE
 sdp             ingress-public   api.example.org,*.api.example.org               a3ca0226bd4494ffb808a64476ddfc4f-66bf685869e3cc2e.elb.us-west-2.amazonaws.com   80, 443   9s
 sdp-ap          ingress-public   ap-api.example.org                              a3ca0226bd4494ffb808a64476ddfc4f-66bf685869e3cc2e.elb.us-west-2.amazonaws.com   80, 443   9s
@@ -514,4 +514,4 @@ kubectl describe pods -n sdp
 ```bash
 aws secretsmanager list-secrets \
   --filters Key=name-prefix,Values=/sdp/${ENVIRONMENT}
-```
+```

cmd/root.go

@@ -66,6 +66,14 @@ func rootCmd() *cobra.Command {
 			FlagDefault: "http://localhost:3000",
 			Required:    true,
 		},
+		// env-file flag is already handled in main.go, but it needs to be also defined here because Cobra doesn't allow unknown flags.
+		{
+			Name:      "env-file",
+			Usage:     "Path to environment file to load (e.g., \"dev/.env.https-testnet\"). Supports absolute and relative paths. Defaults to \".env\" if not specified.",
+			OptType:   types.String,
+			ConfigKey: &globalOptions.EnvFile,
+			Required:  false,
+		},
 		cmdUtils.NetworkPassphrase(&globalOptions.NetworkPassphrase),
 	}
 

cmd/utils/env_loader.go

@@ -0,0 +1,89 @@
+package utils
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/joho/godotenv"
+)
+
+const (
+	envFileFlag   = "--env-file"
+	envFileEnvVar = "ENV_FILE"
+)
+
+// LoadEnvFile loads environment variables from a file.
+// Priority: --env-file flag > ENV_FILE environment variable > .env in working directory
+func LoadEnvFile() error {
+	envFilePath := determineEnvFilePath()
+
+	if envFilePath != "" {
+		return loadExplicitEnvFile(envFilePath)
+	}
+
+	return loadDefaultEnvFile()
+}
+
+// determineEnvFilePath determines the path to the env file based on priority.
+func determineEnvFilePath() string {
+	if path := parseEnvFileFlag(); path != "" {
+		return toAbsolutePath(path)
+	}
+
+	if path := os.Getenv(envFileEnvVar); path != "" {
+		return toAbsolutePath(path)
+	}
+
+	return ""
+}
+
+// parseEnvFileFlag checks command-line arguments for the --env-file flag.
+func parseEnvFileFlag() string {
+	for i, arg := range os.Args {
+		if arg == envFileFlag && i+1 < len(os.Args) {
+			return os.Args[i+1]
+		}
+		if strings.HasPrefix(arg, envFileFlag+"=") {
+			return strings.TrimPrefix(arg, envFileFlag+"=")
+		}
+	}
+	return ""
+}
+
+// toAbsolutePath converts a relative path to an absolute path.
+func toAbsolutePath(path string) string {
+	if path == "" || filepath.IsAbs(path) {
+		return path
+	}
+
+	absPath, err := filepath.Abs(path)
+	if err != nil {
+		return path
+	}
+	return absPath
+}
+
+// loadExplicitEnvFile loads environment variables from the specified file.
+func loadExplicitEnvFile(path string) error {
+	if err := godotenv.Load(path); err != nil {
+		return fmt.Errorf("loading env file %s: %w", path, err)
+	}
+	return nil
+}
+
+// loadDefaultEnvFile loads environment variables from the default .env file.
+func loadDefaultEnvFile() error {
+	err := godotenv.Load()
+	if err == nil {
+		return nil
+	}
+
+	if errors.Is(err, os.ErrNotExist) {
+		return nil
+	}
+
+	return fmt.Errorf("loading .env file: %w", err)
+}