Merge origin/staging - resolve conflicts preserving staging work

Conflict resolution:
- Kept staging UI components (integration-form-dialog, integrations-manager)
- Merged both paraWallets (staging) and apiKeys (upstream) tables
- Kept staging plugin deletions
- Preserved staging's Docker, deploy, Para integration, web3 plugin

Security patches retained:
- Next.js 16.0.7 (CVE-2025-66478)
- React 19.2.1 (CVE-2025-55182)

Author: suisuss

.dockerignore

@@ -0,0 +1,113 @@
+# Dependencies
+node_modules
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+pnpm-debug.log*
+
+# Environment files
+.env
+.env.local
+.env.development.local
+.env.test.local
+.env.production.local
+
+# Next.js build output
+.next
+out
+dist
+
+# Development files
+.git
+.gitignore
+README.md
+Dockerfile
+.dockerignore
+docker-compose.yml
+docker-compose.*.yml
+
+# IDE files
+.vscode
+.idea
+*.swp
+*.swo
+*~
+
+# OS files
+.DS_Store
+Thumbs.db
+
+# Logs
+logs
+*.log
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Coverage directory used by tools like istanbul
+coverage
+*.lcov
+
+# nyc test coverage
+.nyc_output
+
+# Dependency directories
+jspm_packages/
+
+# Optional npm cache directory
+.npm
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# parcel-bundler cache (https://parceljs.org/)
+.cache
+.parcel-cache
+
+# next.js build output
+.next
+
+# nuxt.js build output
+.nuxt
+
+# vuepress build output
+.vuepress/dist
+
+# Serverless directories
+.serverless
+
+# FuseBox cache
+.fusebox/
+
+# DynamoDB Local files
+.dynamodb/
+
+# TernJS port file
+.tern-port
+
+# Stores VSCode versions used for testing VSCode extensions
+.vscode-test
+
+# Svelte build output
+.svelte-kit
+
+# Database
+*.db
+*.sqlite
+
+# Temporary files
+tmp/
+temp/
+
+# Build artifacts
+build/
+dist/

.github/workflows/vw.yaml

@@ -0,0 +1,77 @@
+on:
+  push:
+    branches:
+      - staging
+      # - main
+  workflow_dispatch:
+
+name: deploy-vw
+jobs:
+  build-and-deploy-vw:
+    environment: ${{ github.ref == 'refs/heads/main' && 'prod' || 'staging' }}
+    runs-on: ubuntu-latest
+    env:
+      HELM_FILE: deploy/${{ github.ref == 'refs/heads/main' && 'prod' || 'staging' }}/values.yaml
+      REGION: ${{ github.ref == 'refs/heads/main' && 'us-east-1' || 'us-east-2' }}
+      CLUSTER_NAME: ${{ github.ref == 'refs/heads/main' && 'maker-prod' || 'maker-staging' }}
+      ENVIRONMENT_TAG: ${{ github.ref == 'refs/heads/main' && 'prod' || 'staging' }}
+      NAMESPACE: vw
+      SERVICE_NAME: vw
+      AWS_ECR_NAME: keeper-app-vw-${{ github.ref == 'refs/heads/main' && 'prod' || 'staging' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ env.REGION }}
+
+      - name: Login to AWS ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Extract commit hash
+        id: vars
+        if: ${{ !contains(github.event.head_commit.message , '[skip build]') }}
+        shell: bash
+        run: |
+          echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
+
+      - name: Build, tag, and push image to ECR
+        id: build-image
+        if: ${{ !contains(github.event.head_commit.message , '[skip build]') }}
+        env:
+          SHA_TAG: ${{ steps.vars.outputs.sha_short }}
+          LATEST_TAG: latest
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+        run: |
+          # Build Docker containers and push them to ECR ${{ env.AWS_ECR_NAME }}
+          docker pull $ECR_REGISTRY/$AWS_ECR_NAME:$LATEST_TAG || true
+          docker build -t $AWS_ECR_NAME \
+                        -t $ECR_REGISTRY/$AWS_ECR_NAME:$SHA_TAG \
+                        -t $ECR_REGISTRY/$AWS_ECR_NAME:$LATEST_TAG \
+                        -t $ECR_REGISTRY/$AWS_ECR_NAME:$ENVIRONMENT_TAG \
+                        -f ./Dockerfile \
+                        .
+
+          docker push $ECR_REGISTRY/$AWS_ECR_NAME --all-tags
+
+      - name: Deploying Service to Kubernetes with Helm
+        id: deploy
+        uses: bitovi/github-actions-deploy-eks-helm@v1.2.10
+        with:
+          values: image.repository=${{ steps.login-ecr.outputs.registry }}/${{ env.AWS_ECR_NAME }},image.tag=${{ steps.vars.outputs.sha_short }}
+          cluster-name: ${{ env.CLUSTER_NAME }}
+          config-files: ${{ env.HELM_FILE }}
+          chart-path: techops-services/common
+          namespace: ${{ env.NAMESPACE }}
+          timeout: 5m0s
+          name: ${{ env.SERVICE_NAME }}
+          chart-repository: https://techops-services.github.io/helm-charts
+          version: 0.0.33
+          atomic: true

Dockerfile

@@ -0,0 +1,59 @@
+# Multi-stage Dockerfile for Next.js application
+# Stage 1: Dependencies
+FROM node:25-alpine AS deps
+RUN apk add --no-cache libc6-compat
+WORKDIR /app
+
+# Install pnpm
+RUN npm install -g pnpm
+
+# Copy package files
+COPY package.json pnpm-lock.yaml* ./
+COPY .npmrc* ./
+
+# Install dependencies
+RUN pnpm install --frozen-lockfile
+
+# Stage 2: Builder
+FROM node:25-alpine AS builder
+WORKDIR /app
+RUN npm install -g pnpm
+
+# Copy dependencies from deps stage
+COPY --from=deps /app/node_modules ./node_modules
+COPY . .
+
+# Create README.md if it doesn't exist to avoid build errors
+RUN touch README.md || true
+
+# Build the application
+RUN pnpm build
+
+# Stage 3: Runner
+FROM node:25-alpine AS runner
+WORKDIR /app
+
+ENV NODE_ENV=production
+ENV NEXT_TELEMETRY_DISABLED=1
+
+# Create non-root user
+RUN addgroup --system --gid 1001 nodejs
+RUN adduser --system --uid 1001 nextjs
+
+# Copy built application
+COPY --from=builder /app/public ./public
+COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
+COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
+
+# Switch to non-root user
+USER nextjs
+
+# Expose port
+EXPOSE 3000
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+  CMD curl -f http://localhost:3000/ || exit 1
+
+# Start the application
+CMD ["node", "server.js"]

PARA_INTEGRATION.md

@@ -0,0 +1,90 @@
+# Para Wallet Integration
+
+## Overview
+
+This integration automatically creates and manages Para wallets for users, enabling server-side blockchain operations within workflow steps.
+
+## What This Does
+
+1. **Automatic Wallet Creation**: When a user signs up, a Para wallet is automatically created for them
+2. **Secure Storage**: Wallet keyshares are encrypted with AES-256-GCM and stored securely in the database
+3. **Server-Side Access**: Workflow steps can use the user's wallet to perform blockchain operations (sending transactions, signing messages, interacting with smart contracts, etc.)
+4. **User Visibility**: Users can see their wallet address displayed in the user dropdown menu
+
+## How It Works
+
+### Wallet Creation Flow
+1. **User signs up** → Better Auth triggers a database hook
+   - File: `lib/auth.ts`
+   - Hook: `databaseHooks.user.create.after`
+
+2. **Database hook calls Para SDK** to create a pregenerated wallet
+   - `const wallet = await paraClient.createPregenWallet({ type: "EVM", pregenId: { email } })`
+   - Returns: `{ id, address, ... }`
+
+3. **Wallet keyshare is encrypted** and stored in database
+   - File: `lib/encryption.ts`
+   - Function: `encryptUserShare(userShare)`
+   - Stored in: `para_wallets` table
+
+4. **Wallet address is displayed** to the user
+   - File: `components/workflows/user-menu.tsx`
+   - Shown in user dropdown menu
+
+### Workflow Step Usage
+When a workflow step needs to use the wallet:
+1. Fetch encrypted keyshare from database (using authenticated userId)
+2. Decrypt the keyshare
+3. Initialize Para signer for blockchain operations
+4. Perform the operation (send transaction, sign message, call smart contract, etc.)
+
+## Key Components
+
+### Database
+- **Table**: `para_wallets`
+- **Fields**: userId (unique), email, walletId, walletAddress, encrypted userShare, createdAt
+- **Security**: One wallet per user, foreign key to users table, cascading delete
+
+### Encryption
+- **Algorithm**: AES-256-GCM (authenticated encryption)
+- **Key Storage**: Environment variable `WALLET_ENCRYPTION_KEY`
+- **Format**: `iv:authTag:encryptedData` (prevents tampering)
+
+### Helper Functions
+- `getUserWallet(userId)` - Retrieve wallet from database
+- `initializeParaSigner(userId, rpcUrl)` - Get ready-to-use signer for transactions
+- `getUserWalletAddress(userId)` - Get wallet address for display
+- `userHasWallet(userId)` - Check if user has wallet
+
+## What You Can Build
+
+Workflow steps that use the user's wallet can:
+- Send ETH or ERC-20 tokens
+- Interact with smart contracts (DeFi, NFTs, DAOs)
+- Sign messages or data
+- Check balances and token ownership
+- Execute any blockchain operation the user authorizes
+
+## Key Files
+
+- `lib/auth.ts` - Better Auth configuration with wallet creation hook
+- `lib/db/schema.ts` - Database schema for `para_wallets` table
+- `lib/encryption.ts` - AES-256-GCM encryption/decryption utilities
+- `lib/para/wallet-helpers.ts` - Helper functions for wallet operations
+- `app/api/user/route.ts` - API endpoint that includes wallet address
+- `components/workflows/user-menu.tsx` - UI component displaying wallet address
+
+## Environment Variables Required
+
+```env
+PARA_API_KEY=your-para-api-key
+PARA_ENVIRONMENT=beta  # or 'prod'
+WALLET_ENCRYPTION_KEY=64-character-hex-string
+```
+
+## Security Notes
+
+- All Para SDK operations happen server-side only
+- userShare never transmitted to browser
+- Encryption key stored only in environment variables
+- Each user can only access their own wallet (enforced by userId authentication)

PARA_WORKFLOW_STEP.md

@@ -0,0 +1,44 @@
+# Para Wallet - Send Sepolia ETH Workflow Step
+
+## Goal
+
+Create a workflow step that allows users to send ETH on the Sepolia testnet using their Para wallet.
+
+## File locations
+
+- Plugin definition: plugins/[name]/index.ts
+- Step implementation: plugins/[name]/steps/[step-name].ts
+- Step registry: lib/step-registry.ts (auto-generated)
+- Workflow executor: lib/workflow-executor.workflow.ts
+- Step handler utilities: lib/steps/step-handler.ts
+
+## For this step
+
+You'll need to:
+
+- Create plugins/para/index.ts — register the plugin
+- Create plugins/para/steps/send-eth.ts — step implementation
+- Access userId — look up from executionId via workflowExecutions table
+- Use wallet helpers — initializeParaSigner(userId, rpcUrl) from lib/para/wallet-helpers.ts
+- Define config fields — amount and recipientAddress in plugin registration
+- The PARA integration already exists (wallet creation, encryption, helpers), so you're adding a step that uses it.
+
+## Current Status
+
+- ✅ Para wallet integration is complete (wallets auto-created on user signup)
+- ✅ Wallet addresses display in user dropdown menu
+
+## What Works
+
+1. Users automatically get a Para wallet when they sign up
+2. Wallet keyshares are encrypted and stored securely in the database
+
+## What Doesn't Work
+
+Nothing about the step is yet implemented
+
+## The Issue
+
+## Next Steps
+
+## Key Files