A Substrate-based blockchain optimized for Ink! smart contracts, designed for OpenTDF integration with attribute-based access control (ABAC) and entitlement management.
Arkavo Node provides a blockchain infrastructure for decentralized access control and entitlement management. It integrates with OpenTDF to enable secure, policy-driven data sharing through smart contracts.
- Access Registry: Manage entitlements and VIP membership levels
- Attribute Store: Store and query ABAC attributes for policy evaluation
- Policy Engine: Define and evaluate access policies for resources
- Payment Integration: Link Apple Pay (and other payment providers) to entitlements
```text
arkavo-node/
├── node/        # Blockchain node implementation
├── runtime/     # Runtime logic and pallet configuration
├── contracts/   # Ink! smart contracts
├── tools/       # Deployment and utility tools
│   └── deployer/
└── .github/     # CI/CD workflows
```
- Rust (stable toolchain)
- `wasm32-unknown-unknown` target
- `cargo-contract` CLI tool
- Docker (optional, for containerized deployment)
```bash
# Install Rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

# Install WASM target
rustup target add wasm32-unknown-unknown

# Install cargo-contract
cargo install --locked cargo-contract
```

```bash
# Build in release mode
cargo build --release --package arkavo-node

# The binary will be at target/release/arkavo-node
```

Note: Contracts use a separate workspace (contracts/Cargo.toml) and must be built with cargo-contract.
```bash
# Build all contracts from contracts directory
cd contracts
cargo contract build --release --manifest-path access_registry/Cargo.toml
cargo contract build --release --manifest-path attribute_store/Cargo.toml
cargo contract build --release --manifest-path policy_engine/Cargo.toml
cargo contract build --release --manifest-path payment_integration/Cargo.toml

# Or build an individual contract
cd contracts/access_registry
cargo contract build --release
```

Contract artifacts will be available in contracts/*/target/ink/.
```bash
# Run in development mode with temporary storage
./target/release/arkavo-node --dev

# Or with custom configuration
./target/release/arkavo-node --dev --rpc-cors all --rpc-external
```

`--rpc-external` binds the RPC server to all interfaces and `--rpc-cors all` accepts requests from any origin; use that combination only on a development node that is not reachable from untrusted networks.

The node will expose:

- WebSocket: ws://127.0.0.1:9944
- HTTP RPC: http://127.0.0.1:9933
- P2P: 30333
```bash
# Run with persistent storage
./target/release/arkavo-node \
  --base-path /data/arkavo \
  --chain local \
  --name "Arkavo Node"
```

```bash
# Build and run with Docker Compose
cd docker
docker-compose up -d

# View logs
docker-compose logs -f arkavo-node

# Access the Polkadot.js Apps UI
open http://localhost:3000
```

```bash
# Build the deployer
cargo build --release --package deployer

# Upload a contract
cargo run --package deployer -- \
  --endpoint ws://127.0.0.1:9944 \
  upload \
  --wasm contracts/access_registry/target/ink/access_registry.wasm \
  --account alice

# Deploy all contracts
cargo run --package deployer -- \
  --endpoint ws://127.0.0.1:9944 \
  deploy-all \
  --contracts-dir ./target/ink \
  --account alice
```

You can also deploy contracts using the Polkadot.js Apps UI:

- Navigate to http://localhost:3000
- Connect to your local node
- Go to Developer > Contracts
- Upload and instantiate contracts
Access Registry, which manages entitlements for accounts:

```rust
// Grant VIP entitlement
grant_entitlement(account, EntitlementLevel::VIP)

// Check entitlement
has_entitlement(account, EntitlementLevel::Premium)
```

Attribute Store, which stores ABAC attributes:

```rust
// Set attribute
set_attribute(account, "opentdf", "role", "admin")

// Get attribute
get_attribute(account, "opentdf", "role")
```

Policy Engine, which evaluates access policies:

```rust
// Create policy
create_policy(resource_id, required_attributes, min_entitlement)

// Evaluate access
evaluate_access(account, policy_id)
```

Payment Integration, which links payments to entitlements:

```rust
// Record payment
record_payment(account, "apple", transaction_id, amount, entitlement_level)

// Complete payment and grant entitlement
complete_payment(payment_id)
```

The Arkavo Node is designed to integrate with OpenTDF's authnz-rs service:
- Configure `authnz-rs` to connect to your Arkavo node WebSocket endpoint
- Deploy the smart contracts
- Configure policy rules in the Policy Engine
- Query access decisions through the contracts
Example flow:

```text
User Request → authnz-rs → Arkavo Node → Smart Contracts
                                              ↓
Access Decision ← Policy Engine ← Attributes + Entitlements
```
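The flow above and the four contract interfaces can be exercised end to end without a node. The following is an added example, not code from the Arkavo repository: it models the four contracts as plain Rust structs with the same function names. The decision semantics are an assumption (the README does not spell them out): access is granted only when every required (namespace, name, value) attribute matches the account's stored attributes and the account holds an entitlement at or above the policy's minimum level; anything unknown or mismatched is denied. The account names, resource id and transaction id are constructed sample data.

```rust
// Added example, not code from the Arkavo repository: an in-memory model of the
// access decision in the flow above, with the four contracts' roles written as plain
// Rust so it runs without a node. Assumed semantics (the README does not spell them
// out): access is granted when every required (namespace, name, value) attribute
// matches the account's stored attributes AND the account holds an entitlement at
// or above the policy's minimum level. Function names mirror the README's calls.
use std::collections::HashMap;

#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum EntitlementLevel { None, Basic, Premium, VIP }

#[derive(Default)]
pub struct AccessRegistry { entitlements: HashMap<String, EntitlementLevel> }

impl AccessRegistry {
    /// Raise an account's level; a lower level never overwrites a higher one.
    pub fn grant_entitlement(&mut self, account: &str, level: EntitlementLevel) {
        let cur = self.entitlements.entry(account.to_string()).or_insert(EntitlementLevel::None);
        if level > *cur { *cur = level; }
    }
    /// True when the account holds `level` or anything above it.
    pub fn has_entitlement(&self, account: &str, level: EntitlementLevel) -> bool {
        self.entitlements.get(account).map_or(false, |held| *held >= level)
    }
}

#[derive(Default)]
pub struct AttributeStore { attrs: HashMap<(String, String, String), String> }

impl AttributeStore {
    pub fn set_attribute(&mut self, account: &str, ns: &str, name: &str, value: &str) {
        self.attrs.insert((account.into(), ns.into(), name.into()), value.into());
    }
    pub fn get_attribute(&self, account: &str, ns: &str, name: &str) -> Option<&str> {
        let key = (account.to_string(), ns.to_string(), name.to_string());
        self.attrs.get(&key).map(String::as_str)
    }
}

pub struct Policy {
    pub resource_id: String,
    pub required_attributes: Vec<(String, String, String)>,
    pub min_entitlement: EntitlementLevel,
}

#[derive(Default)]
pub struct PolicyEngine { policies: Vec<Policy> }

impl PolicyEngine {
    /// Returns the new policy's id (its index).
    pub fn create_policy(&mut self, resource_id: &str, required: &[(&str, &str, &str)],
                         min_entitlement: EntitlementLevel) -> usize {
        let required_attributes = required.iter()
            .map(|(ns, name, val)| (ns.to_string(), name.to_string(), val.to_string())).collect();
        self.policies.push(Policy { resource_id: resource_id.into(), required_attributes, min_entitlement });
        self.policies.len() - 1
    }
    /// Deny by default: an unknown policy id, a missing or mismatched attribute, or
    /// an insufficient entitlement all yield `false`.
    pub fn evaluate_access(&self, registry: &AccessRegistry, store: &AttributeStore,
                           account: &str, policy_id: usize) -> bool {
        let Some(policy) = self.policies.get(policy_id) else { return false };
        let attrs_ok = policy.required_attributes.iter()
            .all(|(ns, name, want)| store.get_attribute(account, ns, name) == Some(want.as_str()));
        attrs_ok && registry.has_entitlement(account, policy.min_entitlement)
    }
}

#[allow(dead_code)]
pub struct Payment { account: String, provider: String, transaction_id: String, amount: u64,
                     level: EntitlementLevel, completed: bool }

#[derive(Default)]
pub struct PaymentIntegration { payments: Vec<Payment> }

impl PaymentIntegration {
    /// Records a pending payment and returns its id; nothing is granted yet.
    pub fn record_payment(&mut self, account: &str, provider: &str, transaction_id: &str,
                          amount: u64, level: EntitlementLevel) -> usize {
        self.payments.push(Payment { account: account.into(), provider: provider.into(),
                                     transaction_id: transaction_id.into(), amount, level, completed: false });
        self.payments.len() - 1
    }
    /// Completing a payment is what grants the entitlement. A payment completes once
    /// only, so re-submitting the same id cannot grant a second time.
    pub fn complete_payment(&mut self, registry: &mut AccessRegistry, payment_id: usize) -> Result<(), &'static str> {
        let p = self.payments.get_mut(payment_id).ok_or("unknown payment id")?;
        if p.completed { return Err("payment already completed"); }
        p.completed = true;
        registry.grant_entitlement(&p.account, p.level);
        Ok(())
    }
}

/// Walks the flow end to end on constructed data: the request is denied before the
/// payment completes and allowed afterwards. Returns (before, after).
pub fn demo_flow() -> Result<(bool, bool), &'static str> {
    let (mut registry, mut store) = (AccessRegistry::default(), AttributeStore::default());
    let (mut engine, mut payments) = (PolicyEngine::default(), PaymentIntegration::default());
    store.set_attribute("alice", "opentdf", "role", "admin");
    let policy = engine.create_policy("tdf://example/report", &[("opentdf", "role", "admin")],
                                      EntitlementLevel::Premium);
    let before = engine.evaluate_access(&registry, &store, "alice", policy);
    let pid = payments.record_payment("alice", "apple", "txn-constructed-001", 999, EntitlementLevel::Premium);
    payments.complete_payment(&mut registry, pid)?;
    let after = engine.evaluate_access(&registry, &store, "alice", policy);
    Ok((before, after))
}

fn main() {
    println!("{:?}", demo_flow());
}
```

Two design points carry over to the real contracts: `evaluate_access` is deny-by-default, so a malformed policy id or an absent attribute can never produce a grant, and `complete_payment` is idempotent in the safe direction, so a replayed completion of the same payment id fails instead of granting the entitlement again.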
```bash
# Test the node and runtime (the contracts live in their own workspace and are excluded here)
cargo test --workspace --exclude access_registry --exclude attribute_store --exclude policy_engine --exclude payment_integration

# Test individual contracts
cd contracts/access_registry && cargo test
cd ../attribute_store && cargo test
cd ../policy_engine && cargo test
cd ../payment_integration && cargo test
```

Substrate/Polkadot SDK pulls in roughly 500+ transitive dependencies, a large supply-chain attack surface. We mitigate this risk with:
Automated Security Checks (via GitHub Actions):

```bash
# Install act for local workflow execution
brew install act

# Run security checks locally for specific jobs
act -j audit          # CVE scanning with cargo-audit
act -j deny           # License & policy checks with cargo-deny
act -j unsafe-code    # Locate unsafe code blocks
act -j supply-chain   # Check dependency sources
```

Local Code Quality Checks:

```bash
cargo fmt --all -- --check
cargo clippy --package arkavo-node --package arkavo-runtime -- -D warnings
cd contracts && cargo clippy --workspace -- -D warnings
```

Build-Time Enforcement (.cargo/config.toml):
- Strict Clippy lints: pedantic, cargo, nursery
- Security-focused lints: integer arithmetic, unsafe indexing, mem::forget, panics
- All warnings treated as errors (`-D warnings`)
- Warnings on: unwrap_used, expect_used, todo!, unimplemented!
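What those lints mean for contract and runtime code is easiest to see on a small piece of it. The following is an added example, not code from the Arkavo repository: a constructed entitlement ledger written the way the lint set above requires. The lint names used in the attributes are the current Clippy names for the categories the README lists (`arithmetic_side_effects` for integer arithmetic, `indexing_slicing` for unsafe indexing, `unwrap_used`); the ledger itself and its sample balances are constructed for illustration.

```rust
// Added example, not code from the Arkavo repository: the coding style the lint set
// above enforces, shown on a constructed entitlement ledger. With
// clippy::arithmetic_side_effects, clippy::indexing_slicing and clippy::unwrap_used
// denied, `a + b`, `v[i]` and `.unwrap()` fail `cargo clippy -- -D warnings`, so an
// overflow or a missing entry must surface as an explicit Err instead of a silent
// wrap (release builds) or a panic (debug builds, and a reverted call in a contract).

#[derive(Debug, PartialEq, Eq)]
pub enum LedgerError { Overflow, UnknownAccount, InsufficientFunds }

/// Constructed ledger: (account, balance) pairs addressed by index.
pub struct Ledger { balances: Vec<(String, u64)> }

impl Ledger {
    pub fn new(entries: &[(&str, u64)]) -> Self {
        Ledger { balances: entries.iter().map(|(a, b)| (a.to_string(), *b)).collect() }
    }

    /// `get_mut` instead of `self.balances[idx]`, `checked_add` instead of `+`.
    #[deny(clippy::arithmetic_side_effects, clippy::indexing_slicing, clippy::unwrap_used)]
    pub fn credit(&mut self, idx: usize, amount: u64) -> Result<u64, LedgerError> {
        let entry = self.balances.get_mut(idx).ok_or(LedgerError::UnknownAccount)?;
        entry.1 = entry.1.checked_add(amount).ok_or(LedgerError::Overflow)?;
        Ok(entry.1)
    }

    /// `checked_sub` turns an underflow (which would wrap to a huge balance) into an error.
    #[deny(clippy::arithmetic_side_effects, clippy::indexing_slicing, clippy::unwrap_used)]
    pub fn debit(&mut self, idx: usize, amount: u64) -> Result<u64, LedgerError> {
        let entry = self.balances.get_mut(idx).ok_or(LedgerError::UnknownAccount)?;
        entry.1 = entry.1.checked_sub(amount).ok_or(LedgerError::InsufficientFunds)?;
        Ok(entry.1)
    }

    /// Fallible lookup rather than indexing: an out-of-range id is `None`, not a panic.
    pub fn balance(&self, idx: usize) -> Option<u64> {
        self.balances.get(idx).map(|(_, b)| *b)
    }
}

fn main() {
    let mut ledger = Ledger::new(&[("alice", u64::MAX - 1), ("bob", 5)]);
    println!("{:?}", ledger.credit(0, 1));
    println!("{:?}", ledger.credit(0, 1));
    println!("{:?}", ledger.debit(1, 6));
    println!("{:?}", ledger.credit(7, 1));
}
```

The `#[deny(...)]` attributes are redundant when the workspace `.cargo/config.toml` already turns the lints on; they are on the methods here so the example carries its own constraints when compiled outside that workspace.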
Dependency Policy (deny.toml):
- Only allow crates from crates.io and Polkadot SDK git repo
- Deny known CVEs and yanked versions
- License compliance (MIT/Apache-2.0/BSD/GPL-3.0 allowed)
- Warn on duplicate dependencies
Daily Automated Scans:
- Security audit runs daily at 00:00 UTC via GitHub Actions
- All PRs automatically scanned for vulnerabilities and lint issues
GitHub Actions workflows are configured for:
- Build & Test: Validates node and runtime compilation
- Contracts: Builds and tests all Ink! contracts
- Docker: Builds and pushes Docker images to GHCR
- node/: Node implementation with chain specification and RPC configuration
- runtime/: Runtime configuration with `pallet-contracts` enabled
- contracts/: Ink! smart contracts for access control and entitlements
- tools/deployer/: Rust binary for contract deployment automation
- Create a new directory under `contracts/`
- Add the contract to the workspace in the root `Cargo.toml`
- Implement the contract logic using Ink!
- Add it to the deployer tool's `contract_names` list
- Update CI/CD workflows if needed
```bash
# Clean build
cargo clean

# Update dependencies
cargo update

# Rebuild with verbose output
cargo build --release --verbose
```

```bash
# Purge chain data
./target/release/arkavo-node purge-chain --dev

# Check runtime version
./target/release/arkavo-node --version
```

- Fork the repository
- Create a feature branch
- Make your changes
- Run tests and formatting
- Submit a pull request
```bash
# Format code
cargo fmt --all

# Run linter
cargo clippy --all-targets -- -D warnings

# Run tests
cargo test --workspace
```

Licensed under Apache-2.0.
For issues and questions: