chore: KEEP-230 remove Para SDK and supporting code

.github/actions/setup-e2e-db/action.yml

@@ -5,12 +5,6 @@ inputs:
   database_url:
     description: 'PostgreSQL connection string'
     required: true
-  test_para_user_share:
-    description: 'TEST_PARA_USER_SHARE secret for wallet seeding'
-    required: true
-  wallet_encryption_key:
-    description: 'WALLET_ENCRYPTION_KEY secret for wallet seeding'
-    required: true
   chain_rpc_config:
     description: 'CHAIN_RPC_CONFIG for RPC endpoint resolution'
     required: false
@@ -37,11 +31,3 @@ runs:
         DATABASE_URL: ${{ inputs.database_url }}
         CHAIN_RPC_CONFIG: ${{ inputs.chain_rpc_config }}
       run: pnpm db:seed
-
-    - name: Seed test wallet
-      shell: bash
-      env:
-        DATABASE_URL: ${{ inputs.database_url }}
-        TEST_PARA_USER_SHARE: ${{ inputs.test_para_user_share }}
-        WALLET_ENCRYPTION_KEY: ${{ inputs.wallet_encryption_key }}
-      run: pnpm db:seed-test-wallet

.github/workflows/deploy-pr-environment.yaml

@@ -393,7 +393,6 @@ jobs:
           IMAGE_TAG: ${{ steps.vars.outputs.sha_short }}
           DB_PASSWORD: ${{ steps.db-password.outputs.password }}
           SERVICE_ACCOUNT_ROLE_ARN: ${{ vars.TO_SERVICE_ACCOUNT_ROLE_ARN }}
-          TEST_PARA_USER_SHARE: ${{ secrets.TEST_PARA_USER_SHARE }}
           # PR-specific events image tag if deploy-pr-events label was set
           # (build-events-image job ran). Otherwise stays on the staging
           # event-latest tag.
@@ -736,9 +735,6 @@ jobs:
           --exclude '**/write-contract-workflow.test.ts'
         env:
           KEEPERHUB_URL: ${{ env.KEEPERHUB_URL }}
-          WALLET_ENCRYPTION_KEY: ${{ secrets.TEST_WALLET_ENCRYPTION_KEY }}
-          PARA_API_KEY: ${{ secrets.TEST_PARA_API_KEY }}
-          PARA_ENVIRONMENT: beta
           WORKFLOW_TARGET_WORLD: "@workflow/world-postgres"
           AWS_ACCESS_KEY_ID: test
           AWS_SECRET_ACCESS_KEY: test

.github/workflows/e2e-tests-ephemeral.yml

@@ -181,8 +181,6 @@ jobs:
         uses: ./.github/actions/setup-e2e-db
         with:
           database_url: postgresql://postgres:postgres@localhost:5432/keeperhub_test
-          test_para_user_share: ${{ secrets.TEST_PARA_USER_SHARE }}
-          wallet_encryption_key: ${{ secrets.TEST_WALLET_ENCRYPTION_KEY }}
           chain_rpc_config: ${{ secrets.CHAIN_RPC_CONFIG }}
 
       - name: Start application
@@ -205,9 +203,6 @@ jobs:
         env:
           DATABASE_URL: postgresql://postgres:postgres@localhost:5432/keeperhub_test
           BETTER_AUTH_SECRET: ${{ secrets.BETTER_AUTH_SECRET }}
-          WALLET_ENCRYPTION_KEY: ${{ secrets.TEST_WALLET_ENCRYPTION_KEY }}
-          PARA_API_KEY: ${{ secrets.TEST_PARA_API_KEY }}
-          PARA_ENVIRONMENT: beta
           WORKFLOW_TARGET_WORLD: "@workflow/world-postgres"
           AWS_ENDPOINT_URL: http://localhost:4566
           AWS_ACCESS_KEY_ID: test
@@ -274,8 +269,6 @@ jobs:
         uses: ./.github/actions/setup-e2e-db
         with:
           database_url: postgresql://postgres:postgres@localhost:5432/keeperhub_test
-          test_para_user_share: ${{ secrets.TEST_PARA_USER_SHARE }}
-          wallet_encryption_key: ${{ secrets.TEST_WALLET_ENCRYPTION_KEY }}
           chain_rpc_config: ${{ secrets.CHAIN_RPC_CONFIG }}
 
       - name: Start application
@@ -298,14 +291,7 @@ jobs:
         env:
           DATABASE_URL: postgresql://postgres:postgres@localhost:5432/keeperhub_test
           BETTER_AUTH_SECRET: ${{ secrets.BETTER_AUTH_SECRET }}
-          PARA_API_KEY: ${{ secrets.TEST_PARA_API_KEY }}
-          PARA_ENVIRONMENT: beta
-          WALLET_ENCRYPTION_KEY: ${{ secrets.TEST_WALLET_ENCRYPTION_KEY }}
           INTEGRATION_ENCRYPTION_KEY: ${{ secrets.TEST_INTEGRATION_ENCRYPTION_KEY }}
-          PARA_PORTAL_ORG_ID: ${{ secrets.PARA_PORTAL_ORG_ID }}
-          PARA_PORTAL_PROJECT_ID: ${{ secrets.PARA_PORTAL_PROJECT_ID }}
-          PARA_PORTAL_KEY_ID: ${{ secrets.PARA_PORTAL_KEY_ID }}
-          PARA_PORTAL_API_KEY: ${{ secrets.PARA_PORTAL_API_KEY }}
           CI: true
           TEST_API_KEY: ${{ secrets.TEST_API_KEY }}
           # Start application step above runs `pnpm build && pnpm start`

app/api/execute/_lib/wallet-check.ts

@@ -1,7 +1,7 @@
 import "server-only";
 
 import { NextResponse } from "next/server";
-import { organizationHasWallet } from "@/lib/para/wallet-helpers";
+import { organizationHasWallet } from "@/lib/web3/wallet-helpers";
 
 /**
  * Check if the organization has a wallet configured.

app/api/gas/estimate/route.ts

@@ -3,9 +3,9 @@ import { NextResponse } from "next/server";
 import { apiError } from "@/lib/api-error";
 import ERC20_ABI from "@/lib/contracts/abis/erc20.json";
 import { resolveOrganizationId } from "@/lib/middleware/auth-helpers";
-import { getOrganizationWalletAddress } from "@/lib/para/wallet-helpers";
 import { getRpcProvider } from "@/lib/rpc/provider-factory";
 import { getChainGasDefaults } from "@/lib/web3/gas-defaults";
+import { getOrganizationWalletAddress } from "@/lib/web3/wallet-helpers";
 
 type EstimateConfig = {
   contractAddress?: string;

app/api/mcp/schemas/route.ts

@@ -1,11 +1,12 @@
 import { eq } from "drizzle-orm";
 import { NextResponse } from "next/server";
-
-import { BUILTIN_NODE_ID, BUILTIN_NODE_LABEL } from "@/lib/workflow/editor/builtin-variables";
-
 import { db } from "@/lib/db";
 import { chains, explorerConfigs } from "@/lib/db/schema";
 import { ErrorCategory, logSystemError } from "@/lib/logging";
+import {
+  BUILTIN_NODE_ID,
+  BUILTIN_NODE_LABEL,
+} from "@/lib/workflow/editor/builtin-variables";
 import {
   type ActionConfigFieldBase,
   computeActionId,
@@ -366,10 +367,10 @@ function derivePlatformCapabilities(plugins: IntegrationPlugin[]) {
   return {
     wallet: web3Plugin
       ? {
-          provider: "Para",
-          features: ["mpc", "non-custodial", "hosted"],
+          provider: "Turnkey",
+          features: ["secure-enclave", "non-custodial", "hosted"],
           description:
-            "Para MPC wallet - keys are split between user and Para, neither party can sign alone",
+            "Turnkey wallet backed by hardware secure enclaves; KeeperHub signs transactions on the user's behalf via the Turnkey API",
         }
       : null,
     proxyContracts: hasAbiAutoFetch

app/api/user/route.ts

@@ -9,7 +9,7 @@ import {
   type DualAuthContext,
   getDualAuthContext,
 } from "@/lib/middleware/auth-helpers";
-import { getUserWallet } from "@/lib/para/wallet-helpers";
+import { getOrganizationWallet } from "@/lib/web3/wallet-helpers";
 
 export async function GET(request: Request): Promise<NextResponse> {
   let authContext: DualAuthContext | null = null;
@@ -22,7 +22,7 @@ export async function GET(request: Request): Promise<NextResponse> {
       );
     }
 
-    const { userId } = authContext;
+    const { userId, organizationId } = authContext;
     if (!userId) {
       return NextResponse.json(
         { error: "Auth context missing user. Please recreate the API key." },
@@ -53,11 +53,13 @@ export async function GET(request: Request): Promise<NextResponse> {
     });
 
     let walletAddress: string | null = null;
-    try {
-      const wallet = await getUserWallet(userId);
-      walletAddress = wallet.walletAddress;
-    } catch {
-      walletAddress = null;
+    if (organizationId) {
+      try {
+        const wallet = await getOrganizationWallet(organizationId);
+        walletAddress = wallet.walletAddress;
+      } catch {
+        walletAddress = null;
+      }
     }
 
     return NextResponse.json({

app/api/user/wallet/active/route.ts

@@ -1,8 +1,7 @@
 import { NextResponse } from "next/server";
 
 // Switching the active wallet is disabled. Every organization signs with its
-// Turnkey wallet; the Para → Turnkey migration is one-way and no longer
-// user-driven. Kept as a 410 so old clients get a clear, non-generic error
+// Turnkey wallet. Kept as a 410 so old clients get a clear, non-generic error
 // instead of a silent 404.
 export function POST(): NextResponse {
   return NextResponse.json(

app/api/user/wallet/balances/route.ts

@@ -12,9 +12,9 @@ import {
 } from "@/lib/db/schema";
 import { ErrorCategory, logSystemError } from "@/lib/logging";
 import { resolveOrganizationId } from "@/lib/middleware/auth-helpers";
-import { getOrganizationWallet } from "@/lib/para/wallet-helpers";
 import { getRpcProvider } from "@/lib/rpc/provider-factory";
 import { formatWeiToBalance } from "@/lib/wallet/fetch-balances";
+import { getOrganizationWallet } from "@/lib/web3/wallet-helpers";
 
 const NATIVE_DECIMALS = 18;
 
@@ -123,10 +123,7 @@ export async function GET(request: Request) {
       db.select().from(explorerConfigs),
     ]);
 
-    const supportedTokensByChain = new Map<
-      number,
-      typeof allSupportedTokens
-    >();
+    const supportedTokensByChain = new Map<number, typeof allSupportedTokens>();
     for (const token of allSupportedTokens) {
       const existing = supportedTokensByChain.get(token.chainId) ?? [];
       existing.push(token);

app/api/user/wallet/estimate-gas/route.ts

@@ -8,9 +8,9 @@ import { db } from "@/lib/db";
 import { chains } from "@/lib/db/schema";
 import { ErrorCategory, logSystemError } from "@/lib/logging";
 import { getActiveOrgId } from "@/lib/middleware/org-context";
-import { getOrganizationWalletAddress } from "@/lib/para/wallet-helpers";
 import { getRpcProvider } from "@/lib/rpc/provider-factory";
 import { getGasStrategy } from "@/lib/web3/gas-strategy";
+import { getOrganizationWalletAddress } from "@/lib/web3/wallet-helpers";
 
 const ERC20_TRANSFER_ABI = [
   "function transfer(address to, uint256 amount) returns (bool)",

app/api/user/wallet/export-key/request/route.ts

@@ -1,5 +1,5 @@
 import crypto from "node:crypto";
-import { and, eq } from "drizzle-orm";
+import { eq } from "drizzle-orm";
 import { headers } from "next/headers";
 import { NextResponse } from "next/server";
 import { apiError } from "@/lib/api-error";
@@ -63,21 +63,14 @@ export async function POST(request: Request): Promise<NextResponse> {
       );
     }
 
-    // Verify a Turnkey wallet exists (only Turnkey wallets are exportable;
-    // Para wallets during migration are inactive and not exportable here)
     const turnkeyWallets = await db
       .select({
         id: organizationWallets.id,
         userId: organizationWallets.userId,
         email: organizationWallets.email,
       })
       .from(organizationWallets)
-      .where(
-        and(
-          eq(organizationWallets.organizationId, activeOrgId),
-          eq(organizationWallets.provider, "turnkey")
-        )
-      )
+      .where(eq(organizationWallets.organizationId, activeOrgId))
       .limit(1);
 
     if (turnkeyWallets.length === 0) {

app/api/user/wallet/export-key/verify/route.ts

@@ -132,16 +132,10 @@ export async function POST(request: Request): Promise<NextResponse> {
     // Delete used code (single-use)
     await db.delete(keyExportCodes).where(eq(keyExportCodes.id, storedCode.id));
 
-    // Fetch Turnkey wallet and export
     const wallets = await db
       .select()
       .from(organizationWallets)
-      .where(
-        and(
-          eq(organizationWallets.organizationId, activeOrgId),
-          eq(organizationWallets.provider, "turnkey")
-        )
-      )
+      .where(eq(organizationWallets.organizationId, activeOrgId))
       .limit(1);
 
     if (wallets.length === 0) {