BitGo · Ranjna-G · Jun 16, 2026 · roshan-bitgo · Jun 16, 2026 · roshan-bitgo
@@ -2,7 +2,7 @@
 import { execSync } from 'child_process';
 import { appendFileSync } from 'fs';
 
-const ALL_PACKAGES = ['wasm-bip32', 'wasm-mps', 'wasm-utxo', 'wasm-solana', 'wasm-dot', 'wasm-ton'];
+const ALL_PACKAGES = ['wasm-bip32', 'wasm-mps', 'wasm-utxo', 'wasm-solana', 'wasm-dot', 'wasm-ton', 'wasm-privacy-coin'];
 
 function setOutput(packages) {
   const value = JSON.stringify(packages);

@@ -64,6 +64,7 @@ jobs:
             packages/wasm-solana
             packages/wasm-dot
             packages/wasm-ton
+            packages/wasm-privacy-coin
           cache-on-failure: true
 
       - name: Setup Node
@@ -101,6 +102,16 @@ jobs:
       - name: Build packages
         run: npm --workspaces run build
 
+      - name: Setup JDK 17 (for wasm-privacy-coin JAR)
+        uses: actions/setup-java@v4
+        with:
+          distribution: corretto
+          java-version: '17'
+
+      - name: Build wasm-privacy-coin JAR
+        working-directory: packages/wasm-privacy-coin
+        run: make jar
+
       - name: Check Source Code Formatting
         run: npm run check-fmt
 
@@ -121,6 +132,8 @@ jobs:
             packages/wasm-dot/js/wasm/
             packages/wasm-ton/dist/
             packages/wasm-ton/js/wasm/
+            packages/wasm-privacy-coin/dist/
+            packages/wasm-privacy-coin/js/wasm/
           retention-days: 1
 
       - name: Upload webui artifact
@@ -156,6 +169,9 @@ jobs:
           - package: wasm-ton
             needs-wasm-pack: false
             has-wasm-pack-tests: false
+          - package: wasm-privacy-coin
+            needs-wasm-pack: false
+            has-wasm-pack-tests: false
     steps:
       - uses: actions/checkout@v4
         with:
@@ -298,6 +314,16 @@ jobs:
             packages/wasm-ton/dist/
           retention-days: 1
 
+      - name: Upload wasm-privacy-coin build artifacts
+        if: inputs.upload-artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: wasm-privacy-coin-build
+          path: |
+            packages/wasm-privacy-coin/pkg/
+            packages/wasm-privacy-coin/dist/
+          retention-days: 1
+
   # This job provides a stable "test / Test" status check for branch protection.
   # It runs after all other jobs complete successfully.
   gate:

@@ -80,3 +80,65 @@ jobs:
 
       - name: Release (multi-semantic-release)
         run: npx multi-semantic-release --ignore-private-packages
+
+  publish-maven:
+    name: Publish Maven Artifact
+    needs: test
+    runs-on: ubuntu-latest
+    environment: publish
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup JDK 17
+        uses: actions/setup-java@v4
+        with:
+          distribution: corretto
+          java-version: '17'
+
+      - name: Download wasm-privacy-coin build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: wasm-privacy-coin-build
+          path: packages/wasm-privacy-coin/dist/
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: us-west-2
+
+      - name: Get CodeArtifact token
+        run: |
+          TOKEN=$(aws codeartifact get-authorization-token \
+            --domain private \
+            --domain-owner 199765120567 \
+            --query authorizationToken \
+            --output text)
+          echo "::add-mask::$TOKEN"
+          echo "AWS_CODEARTIFACT_TOKEN=$TOKEN" >> "$GITHUB_ENV"
+
+      - name: Read version from pom.xml
+        id: version
+        run: |
+          VERSION=$(grep '<version>' packages/wasm-privacy-coin/pom.xml | head -1 | sed 's/.*<version>\(.*\)<\/version>.*/\1/')
+          if [ -z "$VERSION" ]; then echo "Failed to parse version from pom.xml" && exit 1; fi
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Deploy JAR to CodeArtifact
+        working-directory: packages/wasm-privacy-coin
+        run: |
+          mvn deploy:deploy-file \
+            -s .settings.xml \
+            -Pcodeartifact-deploy \
+            -DgroupId=com.bitgo \
+            -DartifactId=wasm-privacy-coin \
+            -Dversion=${{ steps.version.outputs.version }} \
+            -Dpackaging=jar \
+            -Dfile=dist/wasm-privacy-coin.jar \
+            -DrepositoryId=codeartifact-central \
+            -Durl=https://private-199765120567.d.codeartifact.us-west-2.amazonaws.com/maven/bitgo-maven-libs-release/
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<settings
+    xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.1.0 http://maven.apache.org/xsd/settings-1.1.0.xsd"
+    xmlns="http://maven.apache.org/SETTINGS/1.1.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    <servers>
+        <server>
+            <id>codeartifact-central</id>
+            <username>aws</username>
+            <password>${env.AWS_CODEARTIFACT_TOKEN}</password>
+        </server>
+    </servers>
+</settings>
@@ -0,0 +1,24 @@
+[package]
+name = "wasm-privacy-coin"
+version = "0.1.0"
+edition = "2021"
+
+[lib]
+crate-type = ["cdylib", "lib"]
+
+[dependencies]
+# Core tree crates — pinned to exact versions for deterministic builds.
+# These must stay in sync with the zcash ecosystem (NU6-compatible).
+shardtree = "=0.6.2"
+incrementalmerkletree = "=0.8.2"
+orchard = { version = "=0.14.0", default-features = false }
+
+# IPC protocol
+serde = { version = "1", features = ["derive"] }
+serde_json = "1"
+hex = "0.4"
+
+[profile.release]
+opt-level = 3
+lto = true
+strip = true
@@ -0,0 +1,19 @@
+WASM_TARGET = wasm32-unknown-unknown
+
+.PHONY: build
+build:
+	cargo build --release --target $(WASM_TARGET)
+	mkdir -p dist
+	cp target/$(WASM_TARGET)/release/wasm_privacy_coin.wasm dist/wasm-privacy-coin.wasm
+
+.PHONY: jar
+jar: build
+	mkdir -p jar-staging/wasm
+	cp dist/wasm-privacy-coin.wasm jar-staging/wasm/privacy_coin.wasm
+	cd jar-staging && jar cf ../dist/wasm-privacy-coin.jar wasm/
+	rm -rf jar-staging
+
+.PHONY: clean
+clean:
+	cargo clean
+	rm -rf dist jar-staging
@@ -0,0 +1,41 @@
+# wasm-privacy-coin
+
+Orchard commitment tree (Zcash NU6) compiled to WebAssembly for use by the
+indexer-utxo Java service via the Chicory WASM runtime.
+
+## Building
+
+```bash
+rustup target add wasm32-unknown-unknown
+make build
+```
+
+The compiled WASM binary will be at `dist/wasm-privacy-coin.wasm`.
+
+## Architecture
+
+This module exposes a C-style FFI interface (no wasm-bindgen, no WASI).
+The host allocates memory via `alloc()`, writes JSON input, calls a function,
+then reads JSON output via `last_result_ptr()`/`last_result_len()`.
+
+## Exported Functions
+
+| Function | Signature | Description |
+|---|---|---|
+| `alloc` | `(len: u32) -> *mut u8` | Allocate buffer in WASM memory |
+| `dealloc` | `(ptr: *mut u8, len: u32)` | Free allocated buffer |
+| `ping` | `() -> i32` | Health check |
+| `init_from_frontier` | `(ptr, len) -> i32` | Initialize from z_gettreestate frontier |
+| `load_state` | `(ptr, len) -> i32` | Load persisted JSON state |
+| `save` | `() -> i32` | Serialize tree to JSON |
+| `get_info` | `() -> i32` | Return tip height, leaf count, checkpoint count |
+| `append_commitments` | `(ptr, len) -> i32` | Append Orchard commitments, verify root |
+| `truncate_to_checkpoint` | `(ptr, len) -> i32` | Reorg handling |
+| `last_result_ptr` | `() -> *const u8` | Pointer to last result buffer |
+| `last_result_len` | `() -> u32` | Length of last result buffer |
+
+## Pinned Dependencies
+
+The `shardtree`, `incrementalmerkletree`, and `orchard` crate versions are
+pinned to exact versions to ensure deterministic builds and compatibility with
+the NU6 Zcash protocol upgrade.
@@ -0,0 +1,14 @@
+{
+  "name": "@bitgo/wasm-privacy-coin",
+  "version": "0.1.0",
+  "private": true,
+  "scripts": {
+    "build": "make build",
+    "lint": "cargo fmt --check && cargo clippy --all-targets --all-features -- -D warnings",
+    "check-fmt": "cargo fmt -- --check",
+    "test": "cargo test --workspace"
+  },
+  "files": [
+    "dist/wasm-privacy-coin.wasm"
+  ]
+}
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>com.bitgo</groupId>
+  <artifactId>wasm-privacy-coin</artifactId>
+  <version>0.1.0</version>
+  <packaging>jar</packaging>
+
+  <description>WASM module for Orchard merkle tree operations</description>
+
+  <profiles>
+    <profile>
+      <id>codeartifact-deploy</id>
+      <distributionManagement>
+        <repository>
+          <id>codeartifact-central</id>
+          <name>BitGo CodeArtifact Release Repository</name>
+          <url>https://private-199765120567.d.codeartifact.us-west-2.amazonaws.com/maven/bitgo-maven-libs-release/</url>
+        </repository>
+      </distributionManagement>
+    </profile>
+  </profiles>
+</project>