Migrate to External Parties (AllocateExternalParty)

[salindne]

Problem

The middleware currently uses AllocateParty (internal parties) to create a new Canton party for every registered user. Internal parties are fully managed by the participant node -- the node generates and holds signing keys. Canton has a ~200 internal party limit per participant node, making this a hard scalability blocker.

Canton Loop Wallet uses external parties (AllocateExternalParty), which have no practical limit. External parties require the Interactive Submission API (prepare/sign/execute) which is implemented in #113.

Solution

Switch user party allocation from internal to external while keeping the custodial model (server still generates and holds keys, signs via InteractiveSubmission server-side). The relayer/issuer party remains internal (uses only 1 of the 200 slots).

Registration Flow Change

• Current: AllocateParty(hint) → GrantCanActAs(partyID) → standard submission
• Target: GenerateExternalPartyTopology(pubKey) → sign topology → AllocateExternalParty(signedTxs) → InteractiveSubmission

Scope of Changes

Only TransferAsUser uses the user's party in ActAs. All other operations (mint, burn, deposit, withdrawal, fingerprint mapping) use the RelayerParty and remain unchanged. This keeps the migration focused and low-risk.

Tasks

• Implement AllocateExternalPartyForUser() in pkg/canton/client.go
  • Call GenerateExternalPartyTopology(synchronizer, partyHint, signingPublicKey) (stubs already exist in pkg/canton/lapi/v2/admin/)
  • Sign the returned multi_hash with user's private key
  • Call AllocateExternalParty(synchronizer, signedTopologyTxs)
• Update handleWeb3Registration in pkg/registration/handler.go to use AllocateExternalPartyForUser instead of AllocateParty
• Remove GrantCanActAs from handleWeb3Registration (not needed with InteractiveSubmission)
• Remove GrantCanActAs from handleCantonNativeRegistration (doesn't work for external parties)
• Modify TransferAsUser to use prepareAndExecuteAsUser() from Interactive Submission API infrastructure (prepare/sign/execute) #113 instead of CommandService.SubmitAndWait
• Test full flow: register Web3 user (external party) → mint tokens → transfer via InteractiveSubmission

Files Affected

File	Change
pkg/canton/client.go	Add AllocateExternalPartyForUser(), modify TransferAsUser()
pkg/registration/handler.go	Replace AllocateParty → AllocateExternalPartyForUser, remove GrantCanActAs

Risks

• Backward compatibility: existing internal party users are not migrated (new registrations only). Migration script may be needed later.
• Canton native (Loop Wallet) user transfers deferred to Non-custodial signing: Prepare/Execute API MetaMask Snap #111 -- server doesn't hold their signing key.

Related Issues

• Depends on: Interactive Submission API infrastructure (prepare/sign/execute) #113 (Interactive Submission API infrastructure)
• Enables: Non-custodial signing: Prepare/Execute API MetaMask Snap #111 (Non-custodial signing)

[michaellinhq]

Hi, I reviewed 'Migrate to External Parties (AllocateExternalParty) + Interactive Submission API' and can start immediately. I can deliver a first usable version quickly and iterate based on your feedback. If this scope still matches your priority, I can proceed right away.