kynesyslabs · SergeyG-Solicy · Apr 6, 2026 · Apr 6, 2026 · qodo-code-review · Apr 6, 2026
diff --git a/.env.example b/.env.example
@@ -76,6 +76,10 @@ TLSNOTARY_SIGNING_KEY=
 TLSNOTARY_PROXY_PORT=55688
 TLSNOTARY_MAX_SENT_DATA=16384
 TLSNOTARY_MAX_RECV_DATA=65536
+# Hostname of the OAuth backend as it appears in TLSNotary Telegram proofs.
+# Must match the domain your incentives OAuth backend is reachable at.
+# Example: oauth.demos.sh
+TLSN_TELEGRAM_BACKEND_HOST=
 
 # ZK Identity System Configuration
 # Points awarded for each successful ZK attestation (default: 10)

diff --git a/src/libs/blockchain/gcr/gcr_routines/GCRIdentityRoutines.ts b/src/libs/blockchain/gcr/gcr_routines/GCRIdentityRoutines.ts
@@ -279,9 +279,9 @@ export default class GCRIdentityRoutines {
                     context === "telegram"
                         ? "Telegram attestation validation failed"
                         : "Sha256 proof mismatch: Expected " +
-                          data.proofHash +
-                          " but got " +
-                          Hashing.sha256(data.proof),
+                        data.proofHash +
+                        " but got " +
+                        Hashing.sha256(data.proof),
             }
         }
 
@@ -593,9 +593,8 @@ export default class GCRIdentityRoutines {
         if (!validNetworks.includes(payload.network)) {
             return {
                 success: false,
-                message: `Invalid network: ${
-                    payload.network
-                }. Must be one of: ${validNetworks.join(", ")}`,
+                message: `Invalid network: ${payload.network
+                    }. Must be one of: ${validNetworks.join(", ")}`,
             }
         }
         if (!validRegistryTypes.includes(payload.registryType)) {
@@ -1201,14 +1200,16 @@ export default class GCRIdentityRoutines {
                 )
                 break
             case "tlsnadd":
+            case "tlsn_identity_assign":
                 result = await this.applyTLSNIdentityAdd(
                     identityEdit,
                     gcrMainRepository,
                     simulate,
                 )
                 break
-            
+
             case "tlsnremove":
+            case "tlsn_identity_remove":
                 result = await this.applyTLSNIdentityRemove(
                     identityEdit,
                     gcrMainRepository,
@@ -1810,13 +1811,13 @@ export default class GCRIdentityRoutines {
         string,
         { server: string; pathPrefix: string }
     > = {
-        github: { server: "api.github.com", pathPrefix: "/user" },
-        discord: { server: "discord.com", pathPrefix: "/api/users/@me" },
-        telegram: {
-            server: "telegram-backend",
-            pathPrefix: "/api/telegram/user",
-        },
-    }
+            github: { server: "api.github.com", pathPrefix: "/user" },
+            discord: { server: "discord.com", pathPrefix: "/api/users/@me" },
+            telegram: {
+                server: process.env.TLSN_TELEGRAM_BACKEND_HOST ?? "telegram-backend",
+                pathPrefix: "/api/telegram/user",
+            },
+        }
 
     /**
      * Add an identity via TLSNotary proof verification.

diff --git a/tlsnotary/.env.example b/tlsnotary/.env.example
@@ -0,0 +1,12 @@
+# TLSNotary Stack — Environment Variables
+# Copy this file to .env and adjust values as needed.
+#
+# Usage: docker compose --env-file .env up -d
+
+# Port the TLSNotary notary server is exposed on.
+TLSNOTARY_PORT=7047
+
+# Port the wstcp WebSocket-to-TCP proxy is exposed on.
+# Must match TLSNOTARY_PROXY_PORT in the node's .env and
+# PROXY_URL (ws://<host>:<port>) in the incentives backend .env.
+PROXY_PORT=55688
diff --git a/tlsnotary/Dockerfile.proxy b/tlsnotary/Dockerfile.proxy
@@ -0,0 +1,32 @@
+# wstcp — WebSocket-to-TCP proxy for TLSNotary
+#
+# Forwards browser WebSocket connections to the notary's TCP port so that
+# tlsn-js (which cannot open raw TCP sockets) can reach the notary.
+#
+# Build:  docker build -f Dockerfile.proxy -t tlsn-proxy .
+# Run:    docker run -p 55688:55688 tlsn-proxy notary:7047
+
+# ── Builder ──────────────────────────────────────────────────────────────────
+FROM rust:alpine AS builder
+
+RUN apk add --no-cache musl-dev
+
+RUN cargo install wstcp
+
+# ── Runtime ──────────────────────────────────────────────────────────────────
+FROM alpine:3.20
+
+RUN apk add --no-cache ca-certificates \
+    && addgroup -S wstcp \
+    && adduser -S -G wstcp wstcp
+
+COPY --from=builder /usr/local/cargo/bin/wstcp /usr/local/bin/wstcp
+
+USER wstcp
+
+EXPOSE 55688
+
+# First arg after the image is the TCP target (e.g. notary:7047).
+# Override via `command:` in docker-compose.
+ENTRYPOINT ["wstcp", "--bind-addr", "0.0.0.0:55688"]
+CMD ["notary:7047"]
diff --git a/tlsnotary/docker-compose.yml b/tlsnotary/docker-compose.yml
@@ -1,13 +1,15 @@
-# TLSNotary Docker Notary Server
-# Uses the official tlsn-js compatible notary server image
+# TLSNotary Stack
 #
-# This provides the full HTTP API + WebSocket interface that tlsn-js expects:
-# - GET /info - Get notary public key
-# - POST /session - Create session, returns sessionId
-# - WS /notarize?sessionId=xxx - WebSocket MPC-TLS session
+# Services:
+#   notary  — TLSNotary notary server (HTTP API + WebSocket MPC-TLS sessions)
+#   proxy   — wstcp WebSocket-to-TCP proxy (lets browsers reach the notary)
 #
-# Environment variables:
-# - TLSNOTARY_PORT: Port to expose (default: 7047)
+# Usage:
+#   docker compose up -d
+#
+# Environment variables (copy .env.example → .env to override defaults):
+#   TLSNOTARY_PORT   Port the notary listens on (default: 7047)
+#   PROXY_PORT       Port the wstcp proxy listens on (default: 55688)
 
 services:
     notary:
@@ -19,16 +21,26 @@ services:
         ports:
             - "${TLSNOTARY_PORT:-7047}:7047"
         restart: unless-stopped
-        healthcheck:
-            test: [CMD, curl, -f, http://localhost:7047/info]
-            interval: 10s
-            timeout: 5s
-            retries: 3
-            start_period: 10s
-        # Note: The Docker notary-server uses its own internal signing key
-        # Attestations are cryptographically bound to this notary's public key
-        # which can be retrieved via GET /info endpoint
+        networks:
+            - tlsn
+
+    proxy:
+        container_name: tlsn-proxy-${PROXY_PORT:-55688}
+        build:
+            context: .
+            dockerfile: Dockerfile.proxy
+        ports:
+            - "${PROXY_PORT:-55688}:55688"
+        # Forward WebSocket connections to the notary's internal TCP port.
+        # Uses the Docker service name so the proxy can reach the notary
+        # without exposing any extra ports on the host.
+        command: ["notary:7047"]
+        restart: unless-stopped
+        depends_on:
+            - notary
+        networks:
+            - tlsn
 
 networks:
-    default:
+    tlsn:
         driver: bridge