Tools

Tools: Enterprise Blockchain in TypeScript: Real-World Case Studies, Protocol Mappings, MPC, HSM & Post-Quantum Patterns That Actually Run (2026)

2026-04-01 0 views admin
Tools: Enterprise Blockchain in TypeScript: Real-World Case Studies, Protocol Mappings, MPC, HSM & Post-Quantum Patterns That Actually Run (2026)

πŸ“¦ What You'll Get From This Post

πŸ—οΈ Repository Overview

🍎 Case Study #1: Food Recall Response (Fabric)

πŸ” Case Study #2: Consortium Order Sharing (Besu)

πŸ₯ Case Study #3: Hospital Staffing Clearance (Corda)

πŸ’° Case Study #4: Aid Voucher Reconciliation (Besu/Fabric)

πŸ”— Protocol Adapters: One Domain, Three Platforms

🀫 Off-Chain Cryptography: MPC Secret Sharing

πŸ” HSM Key Management: Envelope Encryption

βš›οΈ Post-Quantum Cryptography: Future-Proofing Now

🐳 Infrastructure: Docker Compose + Observability

βœ… Quality Gates: Property-Based Testing

⚑ Run Everything in 5 Minutes

πŸ“š Lessons Learned

πŸ€– AI Skills: Teaching Your Coding Assistant

🌟 Who Should Star This Repo?

πŸš€ Call to Action

πŸ“– Further Reading Most enterprise blockchain projects die in PoC hell. You've seen it: a flashy demo, some Hyperledger slides, a proof-of-concept that "works on my machine," and then... silence. The pilot never graduates to production. The consortium loses interest. The budget evaporates. The problem isn't the technologyβ€”it's that most repositories show you what blockchain can do without showing you how to actually build it. Where's the code for recall traceability that maps to real chaincode? Where's the privacy pattern that actually projects into Besu privacy groups? Where's the MPC implementation you can run locally without spinning up three cloud VMs? This repository is different. enterprise-blockchain by @psavelis delivers 20 runnable examples covering four production-grade business scenarios, three protocol adapters (Fabric, Besu, Corda), MPC secret sharing, HSM key management, and NIST-standardized post-quantum cryptography. Everything runs locally. Everything passes CI. Everything is actually useful. And yes, with quantum computers advancing faster than expected, the PQC examples aren't academic exercisesβ€”they're code you might need sooner than you think. The repository follows hexagonal architecture: domain logic sits at the center, protocol adapters implement ports, and integration clients handle the messy SDK details. This means you can swap Fabric for Besu without rewriting your business rules. Why does this matter? Most enterprise blockchain projects fail at the integration boundary. The chaincode works, but nobody can figure out how to connect it to the ERP system. The Corda flows run, but the identity mapping to Active Directory is a nightmare. This repository explicitly separates those concerns: The Problem: A contaminated lettuce shipment reaches three distribution centers before anyone notices. How do you trace every affected lot, identify which retailers received them, and generate a recall planβ€”all in under an hour? The Solution: The TraceabilityLedger domain module models lots, shipments, and telemetry readings. When temperatures breach safe ranges or contamination is detected, the RecallAssessor walks the shipment graph and returns every affected lot. The Fabric adapter projects this into chaincode invocations: Pro tip: The endorsementPolicyHint tells you which organizations must co-sign. This is operational goldβ€”it forces you to think about governance before you write the chaincode. The pattern here is powerful: domain logic knows nothing about Fabric. The TraceabilityLedger could just as easily project to Besu or Corda. The adapter layer handles the translation, and the endorsement policy hints are documentationβ€”not runtime dependencies. The Problem: A buyer, a bank financing the purchase, a logistics provider, and a regulator all need to see a purchase orderβ€”but each should see only their relevant slice. The buyer sees pricing. The bank sees credit terms. The regulator sees compliance flags. Nobody sees everything. The Solution: The SelectiveDisclosureLedger creates audience-specific projections from a canonical order, each cryptographically committed so any party can verify their view derives from the same source. The Besu adapter maps this to privacy-group scoped contract calls. Different audiences get different privacy groups, but the canonical hash anchors everyone to the same truth. Watch out: Privacy groups aren't magic. If your public contract reads private state, you've just leaked data. The adapter enforces this boundaryβ€”use it. The selective disclosure pattern is increasingly critical as regulations like GDPR and CCPA demand data minimization. The canonical order exists. The views are derived. The audit proofs are cryptographic. This is how you share data across organizational boundaries without oversharing. The Problem: Before a traveling nurse can work a shift, you need to verify their license, check for sanctions, confirm malpractice insurance, and get hospital sign-off. This involves the staffing agency, the hospital, the state licensing board, and potentially CMS. The Solution: Corda's point-to-point model fits perfectly. Each party only sees the transactions they're involved in. The ProviderClearanceState captures the clearance decision, and the flow collects signatures from exactly the required participants. The Corda adapter generates flow invocation payloads: Why Corda here? The healthcare staffing workflow is fundamentally bilateralβ€”the hospital and the staffing agency need to agree, with the licensing board providing attestation. Corda's "need-to-know" model means the hospital's competitor down the street never sees this transaction. That's not a bug, it's the core feature. The Problem: Multiple humanitarian agencies issue digital vouchers to beneficiaries. Merchants redeem them for payment. But without coordination, beneficiaries double-dip, merchants submit fake invoices, and settlement takes months. The Solution: The AidSettlementLedger validates claims against grant rules (budget caps, category restrictions, expiry dates) and generates reconciliation reports. The Solidity contract mirrors these rules on-chain: Pro tip: The validation rules are expressed in both TypeScript and Solidity. This is the one place hexagonal purity yields to platform reality: EVM enforcement requires on-chain logic. The TypeScript domain model remains the source of truth for design, but Besu deployments maintain parallel validation in Solidity. Fabric deployments can keep everything in TypeScript chaincode. The protocol adapter layer is where this repository shines. Instead of writing three separate applications, you write domain logic once and project it to multiple platforms: The adapters are stateless. They take domain objects and return platform-specific command shapes. No network calls, no SDK dependencies, no environment configuration. You can unit test them in isolation. This is the key insight: protocol selection is a deployment decision, not an architectural one. Your domain model should survive a platform migration. The caveat: EVM-based platforms (Besu) require on-chain enforcement in Solidity, so you'll maintain parallel validation logic there. Fabric's TypeScript chaincode keeps everything in one language. The domain layer remains the design authority either wayβ€”contract code is derived from it, not the other way around. Some computations shouldn't happen on-chain. Sealed-bid auctions, joint risk analysis, and threshold signatures all require parties to collaborate without revealing their inputs. The MPCEngine implements additive secret sharing: The compute() method reconstructs the aggregate without any party learning individual inputs: The repository also includes QuantumResistantVault for Shamir k-of-n threshold secret sharing: This pattern is essential for key custody ceremonies where no single party should hold the complete key. Production blockchain deployments use hardware security modules. The HsmClient simulates PKCS#11 semanticsβ€”private keys never leave the "hardware boundary": Three examples demonstrate real patterns: Watch out: The simulated HSM uses in-memory storage. In production, you'd connect to AWS CloudHSM, Azure Dedicated HSM, or an on-prem Thales Luna via PKCS#11. Here's the thing about "harvest now, decrypt later" attacks: adversaries are already collecting your encrypted traffic. When CRQCs arrive (NIST estimates 2030-2035), they'll decrypt everything you sent today. If your data has 10+ year confidentiality requirementsβ€”financial records, healthcare, trade secretsβ€”you need post-quantum cryptography now. The repository implements NIST FIPS 203 (ML-KEM-768) and FIPS 204 (ML-DSA-65) with hybrid constructions for defense-in-depth: This matches how Chrome and Cloudflare deployed post-quantum TLS (X25519Kyber768). Run the examples: The repository includes a complete local development stack: Security follows CIS Docker Benchmark: Want to see distributed traces for your blockchain operations? Just set the environment variables: Then open Jaeger and watch the spans flow through your traceability ledger operations. Enterprise blockchain systems demand correctness guarantees that exceed typical application standards. Cryptographic operations produce silent failuresβ€”no exception, just compromised security. The repository uses fast-check for property-based testing of cryptographic invariants: These tests catch edge cases that unit tests miss: Run the property tests: That's it. Every example runs. Every test passes. No external services required. Want to verify everything passes CI? Run the full quality gate: This is the same command CI runs. If it passes locally, it passes in GitHub Actions. No surprises. After reviewing dozens of enterprise blockchain deployments, some patterns emerge: Platform selection follows trust, not throughput. Feature matrices are noise. Teams pick Fabric because they have Java developers. They pick Besu because they know EVM. They pick Corda because R3 has regulatory relationships. Throughput differences matter only after trust assumptions narrow the field. Privacy is architecture, not configuration. Every platform offers privacy mechanisms. None of them work without deliberate design. If your public contract queries private state, you've leaked data. Off-chain is not optional. Every production deployment stores bulk data off-chain. The blockchain stores commitments, not content. Plan for this from day one. Integration complexity dominates. Chaincode development is 20-30% of the project. Identity integration, legacy system bridges, and operational tooling consume the rest. Governance evolves faster than code. Consortium agreements written at kickoff become obsolete. New members require endorsement policy changes. Regulatory requirements mandate audit observer nodes. Design for governance evolution from day one. Consensus selection follows trust, not throughput. Marketing materials emphasize throughput differences. Production deployments choose based on trust assumptions. Raft (CFT) for aligned incentives. QBFT (BFT) for competing parties. The throughput numbers are noise. The skills/ folder contains structured knowledge files designed for AI coding assistants: Each skill follows a consistent structure: when to use, when NOT to use, key concepts, must-preserve invariants, and anti-patterns to avoid. Feed these to Claude, Copilot, or your favorite coding assistant for context-aware suggestions. Whether you're building a supply chain traceability system, a consortium data sharing platform, or exploring post-quantum cryptography for your organization's future security postureβ€”this repository has runnable code that demonstrates the pattern. Star the repo β†’ Fork it β†’ Run the examples β†’ Open an issue with your use case The code is Apache 2.0. Take what you need. Adapt it to your consortium. And if you build something cool, let us know in the issuesβ€”we love seeing what people create with these patterns. Built by @psavelis. If this helped you ship something real, drop a star. Templates let you quickly answer FAQs or store snippets for re-use. Hide child comments as well For further actions, you may consider blocking this person and/or reporting abuse

Command

Copy

$ modules/ β”œβ”€β”€ traceability/ # Food recall domain logic β”œβ”€β”€ privacy/ # Selective disclosure ledger β”œβ”€β”€ credentialing/ # Hospital staffing clearance β”œβ”€β”€ aid-settlement/ # Humanitarian voucher reconciliation β”œβ”€β”€ mpc/ # Secret sharing + post-quantum KEM β”œβ”€β”€ hsm/ # Envelope encryption + signing β”œβ”€β”€ protocols/ # Fabric, Besu, Corda adapters └── integrations/ # SDK clients (Gateway, ethers, REST) modules/ β”œβ”€β”€ traceability/ # Food recall domain logic β”œβ”€β”€ privacy/ # Selective disclosure ledger β”œβ”€β”€ credentialing/ # Hospital staffing clearance β”œβ”€β”€ aid-settlement/ # Humanitarian voucher reconciliation β”œβ”€β”€ mpc/ # Secret sharing + post-quantum KEM β”œβ”€β”€ hsm/ # Envelope encryption + signing β”œβ”€β”€ protocols/ # Fabric, Besu, Corda adapters └── integrations/ # SDK clients (Gateway, ethers, REST) modules/ β”œβ”€β”€ traceability/ # Food recall domain logic β”œβ”€β”€ privacy/ # Selective disclosure ledger β”œβ”€β”€ credentialing/ # Hospital staffing clearance β”œβ”€β”€ aid-settlement/ # Humanitarian voucher reconciliation β”œβ”€β”€ mpc/ # Secret sharing + post-quantum KEM β”œβ”€β”€ hsm/ # Envelope encryption + signing β”œβ”€β”€ protocols/ # Fabric, Besu, Corda adapters └── integrations/ # SDK clients (Gateway, ethers, REST) export class TraceabilityLedger { private readonly store: TraceabilityStore; registerLot(lot: ProductLot): void { this.store.addLot(lot); } dispatchShipment(shipment: Shipment): void { this.store.addShipment(shipment); } recordTelemetry(reading: TelemetryReading): void { this.store.addTelemetry(reading); } assessRecall(rule: RecallRule): RecallAssessment { return new RecallAssessor(this.store).assess(rule); } } export class TraceabilityLedger { private readonly store: TraceabilityStore; registerLot(lot: ProductLot): void { this.store.addLot(lot); } dispatchShipment(shipment: Shipment): void { this.store.addShipment(shipment); } recordTelemetry(reading: TelemetryReading): void { this.store.addTelemetry(reading); } assessRecall(rule: RecallRule): RecallAssessment { return new RecallAssessor(this.store).assess(rule); } } export class TraceabilityLedger { private readonly store: TraceabilityStore; registerLot(lot: ProductLot): void { this.store.addLot(lot); } dispatchShipment(shipment: Shipment): void { this.store.addShipment(shipment); } recordTelemetry(reading: TelemetryReading): void { this.store.addTelemetry(reading); } assessRecall(rule: RecallRule): RecallAssessment { return new RecallAssessor(this.store).assess(rule); } } export class FabricTraceabilityAdapter { createLotCommand(lot: ProductLot): FabricInvocation { return { contract: "FoodTraceContract", transaction: "CreateProduct", args: [lot.id, lot.originCountry, lot.supplier, lot.harvestDate], endorsementPolicyHint: "AND('RetailerMSP.peer','SupplierMSP.peer')", }; } } export class FabricTraceabilityAdapter { createLotCommand(lot: ProductLot): FabricInvocation { return { contract: "FoodTraceContract", transaction: "CreateProduct", args: [lot.id, lot.originCountry, lot.supplier, lot.harvestDate], endorsementPolicyHint: "AND('RetailerMSP.peer','SupplierMSP.peer')", }; } } export class FabricTraceabilityAdapter { createLotCommand(lot: ProductLot): FabricInvocation { return { contract: "FoodTraceContract", transaction: "CreateProduct", args: [lot.id, lot.originCountry, lot.supplier, lot.harvestDate], endorsementPolicyHint: "AND('RetailerMSP.peer','SupplierMSP.peer')", }; } } -weight: 500;">npm run example:food-recall -weight: 500;">npm run example:fabric-projection -weight: 500;">npm run example:food-recall -weight: 500;">npm run example:fabric-projection -weight: 500;">npm run example:food-recall -weight: 500;">npm run example:fabric-projection export class SelectiveDisclosureLedger { publishOrder(order: PurchaseOrder): void { this.repo.addOrder(order); } createView(orderId: string, audience: Audience): SharedOrderView { return this.projector.createView(orderId, audience); } } export class SelectiveDisclosureLedger { publishOrder(order: PurchaseOrder): void { this.repo.addOrder(order); } createView(orderId: string, audience: Audience): SharedOrderView { return this.projector.createView(orderId, audience); } } export class SelectiveDisclosureLedger { publishOrder(order: PurchaseOrder): void { this.repo.addOrder(order); } createView(orderId: string, audience: Audience): SharedOrderView { return this.projector.createView(orderId, audience); } } -weight: 500;">npm run example:order-sharing -weight: 500;">npm run example:besu-projection -weight: 500;">npm run example:order-sharing -weight: 500;">npm run example:besu-projection -weight: 500;">npm run example:order-sharing -weight: 500;">npm run example:besu-projection { flow: "IssueProviderClearanceFlow", participants: ["Hospital-A", "StaffingAgency-X", "LicenseBoard-CA"], state: { providerId: "NP-12345", clearanceStatus: "APPROVED", validUntil: "2026-06-30" } } { flow: "IssueProviderClearanceFlow", participants: ["Hospital-A", "StaffingAgency-X", "LicenseBoard-CA"], state: { providerId: "NP-12345", clearanceStatus: "APPROVED", validUntil: "2026-06-30" } } { flow: "IssueProviderClearanceFlow", participants: ["Hospital-A", "StaffingAgency-X", "LicenseBoard-CA"], state: { providerId: "NP-12345", clearanceStatus: "APPROVED", validUntil: "2026-06-30" } } -weight: 500;">npm run example:staffing-clearance -weight: 500;">npm run example:corda-projection -weight: 500;">npm run example:staffing-clearance -weight: 500;">npm run example:corda-projection -weight: 500;">npm run example:staffing-clearance -weight: 500;">npm run example:corda-projection function submitClaim( bytes32 claimId, bytes32 grantId, address merchantId, uint8 merchantCategory, bytes32 invoiceReference, uint256 amountUsd100 ) external { Grant storage g = grants[grantId]; require(block.timestamp < g.expiresAt, "Grant expired"); require(g.consumedUsd + amountUsd100 <= g.amountUsd, "Budget exceeded"); require(!usedInvoices[grantId][invoiceReference], "Duplicate invoice"); // ... emit ClaimSettled or ClaimRejected } function submitClaim( bytes32 claimId, bytes32 grantId, address merchantId, uint8 merchantCategory, bytes32 invoiceReference, uint256 amountUsd100 ) external { Grant storage g = grants[grantId]; require(block.timestamp < g.expiresAt, "Grant expired"); require(g.consumedUsd + amountUsd100 <= g.amountUsd, "Budget exceeded"); require(!usedInvoices[grantId][invoiceReference], "Duplicate invoice"); // ... emit ClaimSettled or ClaimRejected } function submitClaim( bytes32 claimId, bytes32 grantId, address merchantId, uint8 merchantCategory, bytes32 invoiceReference, uint256 amountUsd100 ) external { Grant storage g = grants[grantId]; require(block.timestamp < g.expiresAt, "Grant expired"); require(g.consumedUsd + amountUsd100 <= g.amountUsd, "Budget exceeded"); require(!usedInvoices[grantId][invoiceReference], "Duplicate invoice"); // ... emit ClaimSettled or ClaimRejected } export class MPCEngine { /** * Split `secret` into `partyIds.length` additive shares. * Any strict subset reveals nothing; summing all shares * reconstructs the original value. */ splitSecret(secret: number, partyIds: string[]): SecretShare[] { const shares: SecretShare[] = []; let remaining = secret; for (let i = 0; i < partyIds.length - 1; i++) { const value = randomInt(-(2 ** 47) + 1, 2 ** 47); remaining -= value; const nonce = randomBytes(16).toString("hex"); // Fresh nonce per share shares.push({ partyId: partyIds[i], shareIndex: i, value, nonce, commitment: commitShare(partyIds[i], i, value, nonce), }); } // Last share gets the remainder to ensure sum = original secret return shares; } } export class MPCEngine { /** * Split `secret` into `partyIds.length` additive shares. * Any strict subset reveals nothing; summing all shares * reconstructs the original value. */ splitSecret(secret: number, partyIds: string[]): SecretShare[] { const shares: SecretShare[] = []; let remaining = secret; for (let i = 0; i < partyIds.length - 1; i++) { const value = randomInt(-(2 ** 47) + 1, 2 ** 47); remaining -= value; const nonce = randomBytes(16).toString("hex"); // Fresh nonce per share shares.push({ partyId: partyIds[i], shareIndex: i, value, nonce, commitment: commitShare(partyIds[i], i, value, nonce), }); } // Last share gets the remainder to ensure sum = original secret return shares; } } export class MPCEngine { /** * Split `secret` into `partyIds.length` additive shares. * Any strict subset reveals nothing; summing all shares * reconstructs the original value. */ splitSecret(secret: number, partyIds: string[]): SecretShare[] { const shares: SecretShare[] = []; let remaining = secret; for (let i = 0; i < partyIds.length - 1; i++) { const value = randomInt(-(2 ** 47) + 1, 2 ** 47); remaining -= value; const nonce = randomBytes(16).toString("hex"); // Fresh nonce per share shares.push({ partyId: partyIds[i], shareIndex: i, value, nonce, commitment: commitShare(partyIds[i], i, value, nonce), }); } // Last share gets the remainder to ensure sum = original secret return shares; } } -weight: 500;">npm run example:mpc-auction # Sealed-bid procurement -weight: 500;">npm run example:mpc-risk-analysis # Cross-institution credit analysis -weight: 500;">npm run example:mpc-auction # Sealed-bid procurement -weight: 500;">npm run example:mpc-risk-analysis # Cross-institution credit analysis -weight: 500;">npm run example:mpc-auction # Sealed-bid procurement -weight: 500;">npm run example:mpc-risk-analysis # Cross-institution credit analysis // Distribute a key across 5 custodians, requiring any 3 to reconstruct const shares = vault.distributeSecret(masterKey, parties, 3); const reconstructed = vault.reconstructSecret(threeShares, 3); // Distribute a key across 5 custodians, requiring any 3 to reconstruct const shares = vault.distributeSecret(masterKey, parties, 3); const reconstructed = vault.reconstructSecret(threeShares, 3); // Distribute a key across 5 custodians, requiring any 3 to reconstruct const shares = vault.distributeSecret(masterKey, parties, 3); const reconstructed = vault.reconstructSecret(threeShares, 3); export class HsmClient { generateKeyPair(keyLabel: string): HsmKeyPair; sign(keyLabel: string, data: string): HsmSignatureResult; // Envelope encryption: DEK wrapped by KEK encryptWithEnvelope(kekLabel: string, plaintext: string): { encryptedRecord: EncryptedRecord; wrappedDek: WrappedKey; }; } export class HsmClient { generateKeyPair(keyLabel: string): HsmKeyPair; sign(keyLabel: string, data: string): HsmSignatureResult; // Envelope encryption: DEK wrapped by KEK encryptWithEnvelope(kekLabel: string, plaintext: string): { encryptedRecord: EncryptedRecord; wrappedDek: WrappedKey; }; } export class HsmClient { generateKeyPair(keyLabel: string): HsmKeyPair; sign(keyLabel: string, data: string): HsmSignatureResult; // Envelope encryption: DEK wrapped by KEK encryptWithEnvelope(kekLabel: string, plaintext: string): { encryptedRecord: EncryptedRecord; wrappedDek: WrappedKey; }; } export class HybridKem { /** * Combine X25519 (classical) + ML-KEM-768 (post-quantum). * Breaking this requires breaking BOTH algorithms. */ encapsulate( recipientX25519PublicKey: KeyObject, recipientMlKemPublicKey: Uint8Array, // FIPS 203 naming ): HybridEncapsulation { // Classical channel const x25519SharedSecret = diffieHellman({ /* ... */ }); // Post-quantum channel (ML-KEM-768, formerly "Kyber") const { cipherText, sharedSecret: mlKemSharedSecret } = ml_kem768.encapsulate(recipientMlKemPublicKey); // Combine via HKDF const combinedKey = hkdfSync( "sha256", Buffer.concat([x25519SharedSecret, mlKemSharedSecret]), HKDF_SALT, "hybrid-kem-v1", 32, ); return { combinedKey, /* ... */ }; } } export class HybridKem { /** * Combine X25519 (classical) + ML-KEM-768 (post-quantum). * Breaking this requires breaking BOTH algorithms. */ encapsulate( recipientX25519PublicKey: KeyObject, recipientMlKemPublicKey: Uint8Array, // FIPS 203 naming ): HybridEncapsulation { // Classical channel const x25519SharedSecret = diffieHellman({ /* ... */ }); // Post-quantum channel (ML-KEM-768, formerly "Kyber") const { cipherText, sharedSecret: mlKemSharedSecret } = ml_kem768.encapsulate(recipientMlKemPublicKey); // Combine via HKDF const combinedKey = hkdfSync( "sha256", Buffer.concat([x25519SharedSecret, mlKemSharedSecret]), HKDF_SALT, "hybrid-kem-v1", 32, ); return { combinedKey, /* ... */ }; } } export class HybridKem { /** * Combine X25519 (classical) + ML-KEM-768 (post-quantum). * Breaking this requires breaking BOTH algorithms. */ encapsulate( recipientX25519PublicKey: KeyObject, recipientMlKemPublicKey: Uint8Array, // FIPS 203 naming ): HybridEncapsulation { // Classical channel const x25519SharedSecret = diffieHellman({ /* ... */ }); // Post-quantum channel (ML-KEM-768, formerly "Kyber") const { cipherText, sharedSecret: mlKemSharedSecret } = ml_kem768.encapsulate(recipientMlKemPublicKey); // Combine via HKDF const combinedKey = hkdfSync( "sha256", Buffer.concat([x25519SharedSecret, mlKemSharedSecret]), HKDF_SALT, "hybrid-kem-v1", 32, ); return { combinedKey, /* ... */ }; } } -weight: 500;">npm run example:kyber-kem # Pure ML-KEM-768 -weight: 500;">npm run example:hybrid-kem # X25519 + ML-KEM hybrid -weight: 500;">npm run example:quantum-safe-payment # End-to-end PQ payment flow -weight: 500;">npm run example:kyber-kem # Pure ML-KEM-768 -weight: 500;">npm run example:hybrid-kem # X25519 + ML-KEM hybrid -weight: 500;">npm run example:quantum-safe-payment # End-to-end PQ payment flow -weight: 500;">npm run example:kyber-kem # Pure ML-KEM-768 -weight: 500;">npm run example:hybrid-kem # X25519 + ML-KEM hybrid -weight: 500;">npm run example:quantum-safe-payment # End-to-end PQ payment flow services: besu-validator-1: # Hyperledger Besu node besu-validator-2: fabric-peer: # Hyperledger Fabric peer fabric-orderer: otel-collector: # OpenTelemetry Collector jaeger: # Distributed tracing UI prometheus: # Metrics collection services: besu-validator-1: # Hyperledger Besu node besu-validator-2: fabric-peer: # Hyperledger Fabric peer fabric-orderer: otel-collector: # OpenTelemetry Collector jaeger: # Distributed tracing UI prometheus: # Metrics collection services: besu-validator-1: # Hyperledger Besu node besu-validator-2: fabric-peer: # Hyperledger Fabric peer fabric-orderer: otel-collector: # OpenTelemetry Collector jaeger: # Distributed tracing UI prometheus: # Metrics collection make up # Start everything make smoke # Run health checks open http://localhost:16686 # Jaeger traces open http://localhost:9090 # Prometheus metrics make up # Start everything make smoke # Run health checks open http://localhost:16686 # Jaeger traces open http://localhost:9090 # Prometheus metrics make up # Start everything make smoke # Run health checks open http://localhost:16686 # Jaeger traces open http://localhost:9090 # Prometheus metrics export OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318 export OTEL_SERVICE_NAME=food-recall--weight: 500;">service -weight: 500;">npm run example:food-recall export OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318 export OTEL_SERVICE_NAME=food-recall--weight: 500;">service -weight: 500;">npm run example:food-recall export OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318 export OTEL_SERVICE_NAME=food-recall--weight: 500;">service -weight: 500;">npm run example:food-recall // HSM envelope encryption round-trip test("envelope encryption: decrypt(encrypt(x)) === x", () => { fc.assert( fc.property( fc.string({ minLength: 1, maxLength: 10000, unit: "binary-ascii" }), (plaintext) => { const { encryptedRecord, wrappedDek } = hsm.encryptWithEnvelope(kekLabel, plaintext); const decrypted = hsm.decryptWithEnvelope(wrappedDek, encryptedRecord); return decrypted === plaintext; }, ), ); }); // HSM envelope encryption round-trip test("envelope encryption: decrypt(encrypt(x)) === x", () => { fc.assert( fc.property( fc.string({ minLength: 1, maxLength: 10000, unit: "binary-ascii" }), (plaintext) => { const { encryptedRecord, wrappedDek } = hsm.encryptWithEnvelope(kekLabel, plaintext); const decrypted = hsm.decryptWithEnvelope(wrappedDek, encryptedRecord); return decrypted === plaintext; }, ), ); }); // HSM envelope encryption round-trip test("envelope encryption: decrypt(encrypt(x)) === x", () => { fc.assert( fc.property( fc.string({ minLength: 1, maxLength: 10000, unit: "binary-ascii" }), (plaintext) => { const { encryptedRecord, wrappedDek } = hsm.encryptWithEnvelope(kekLabel, plaintext); const decrypted = hsm.decryptWithEnvelope(wrappedDek, encryptedRecord); return decrypted === plaintext; }, ), ); }); -weight: 500;">npm test # All tests -weight: 500;">npm test -- tests/hsm.property.test.ts # HSM-specific -weight: 500;">npm test -- tests/mpc.property.test.ts # MPC-specific -weight: 500;">npm test # All tests -weight: 500;">npm test -- tests/hsm.property.test.ts # HSM-specific -weight: 500;">npm test -- tests/mpc.property.test.ts # MPC-specific -weight: 500;">npm test # All tests -weight: 500;">npm test -- tests/hsm.property.test.ts # HSM-specific -weight: 500;">npm test -- tests/mpc.property.test.ts # MPC-specific -weight: 500;">git clone --recursive https://github.com/psavelis/enterprise-blockchain.-weight: 500;">git cd enterprise-blockchain -weight: 500;">npm -weight: 500;">install -weight: 500;">npm run verify # format + lint + typecheck + tests + 20 examples make up # -weight: 500;">start infrastructure (optional) -weight: 500;">npm run examples # run all business scenarios -weight: 500;">git clone --recursive https://github.com/psavelis/enterprise-blockchain.-weight: 500;">git cd enterprise-blockchain -weight: 500;">npm -weight: 500;">install -weight: 500;">npm run verify # format + lint + typecheck + tests + 20 examples make up # -weight: 500;">start infrastructure (optional) -weight: 500;">npm run examples # run all business scenarios -weight: 500;">git clone --recursive https://github.com/psavelis/enterprise-blockchain.-weight: 500;">git cd enterprise-blockchain -weight: 500;">npm -weight: 500;">install -weight: 500;">npm run verify # format + lint + typecheck + tests + 20 examples make up # -weight: 500;">start infrastructure (optional) -weight: 500;">npm run examples # run all business scenarios -weight: 500;">npm run verify # format:check + lint + typecheck + test + all examples -weight: 500;">npm run verify # format:check + lint + typecheck + test + all examples -weight: 500;">npm run verify # format:check + lint + typecheck + test + all examples - 4 production case studies with domain models and real code - 3 protocol adapters (Hyperledger Fabric, Besu/EVM, R3 Corda) - Post-quantum cryptography (NIST FIPS 203/204 compliant) - MPC and HSM patterns for off-chain computation and key custody - Full local infrastructure (Docker Compose + OpenTelemetry + Jaeger) - AI skill files that teach coding assistants the domain - Domain layer: Pure business logic. No protocol dependencies. Fully unit-testable. - Protocol adapters: Stateless projectors that translate domain events into platform-specific transaction shapes. - Integration clients: SDK wrappers with retry policies, circuit breakers, and connection management. - hsm-transaction-signing: ECDSA-SHA256 for equity trade orders - hsm-key-ceremony: Root key ceremony with 3-of-5 Shamir threshold - hsm-envelope-encryption: DEK/KEK for sensitive trade documents - Resource limits (CPU/memory) on all containers - no-new-privileges: true blocks privilege escalation - Log rotation prevents disk exhaustion - All ports bound to 127.0.0.1 - Off-by-one errors in field arithmetic - IV reuse across encryptions - Implicit rejection failures in post-quantum KEMs - Platform selection follows trust, not throughput. Feature matrices are noise. Teams pick Fabric because they have Java developers. They pick Besu because they know EVM. They pick Corda because R3 has regulatory relationships. Throughput differences matter only after trust assumptions narrow the field. - Privacy is architecture, not configuration. Every platform offers privacy mechanisms. None of them work without deliberate design. If your public contract queries private state, you've leaked data. - Off-chain is not optional. Every production deployment stores bulk data off-chain. The blockchain stores commitments, not content. Plan for this from day one. - Integration complexity dominates. Chaincode development is 20-30% of the project. Identity integration, legacy system bridges, and operational tooling consume the rest. - Governance evolves faster than code. Consortium agreements written at kickoff become obsolete. New members require endorsement policy changes. Regulatory requirements mandate audit observer nodes. Design for governance evolution from day one. - Consensus selection follows trust, not throughput. Marketing materials emphasize throughput differences. Production deployments choose based on trust assumptions. Raft (CFT) for aligned incentives. QBFT (BFT) for competing parties. The throughput numbers are noise. - Blockchain architects evaluating Fabric vs Besu vs Corda - Security engineers implementing MPC, HSM, or post-quantum patterns - Protocol researchers studying transaction shape mappings - Teams in PoC purgatory who need production-grade examples - Anyone who's tired of blockchain demos that don't actually run - Developers learning enterprise blockchain who want working examples, not slides - Study Guide β€” Recommended reading order for architects - Architecture Guides β€” Platform decision matrix, protocol flows, observability - Research Notes β€” Industry deployments and lessons learned - AI Skills β€” Structured knowledge files for coding assistants

🏷️ Tags

toolsutilitiessecurity toolsenterpriseblockchaintypescriptworldstudiesprotocolmappings

More from Tools

Tools: What Actually Happens When You Read a File - 2025 Update

Tools: What Actually Happens When You Read a File - 2025 Update

2026-04-01 0
Tools: Latest: Your DNS is Lying to You

Tools: Latest: Your DNS is Lying to You

2026-04-01 0
Tools: The Event Loop You're Already Using (2026)

Tools: The Event Loop You're Already Using (2026)

2026-04-01 0
Tools: malloc Is Not Free - Full Analysis

Tools: malloc Is Not Free - Full Analysis

2026-04-01 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 β€’ 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 β€’ 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 β€’ 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 β€’ 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 β€’ 81 views