Phase 7 — Retire custody infrastructure

Status: Planned.

Delete hd_wallet_seed, WALLET_ENCRYPTION_KEY, and the EVM/SOL sweep code paths. Update TOS, privacy policy, and SOC2 scope. Postmortem published within 30 days of shipping.

Scope

  • The useOnChainReceiver flag is flipped to default-on everywhere, then deleted.
  • hd_wallet_seed rows archived to cold storage (7-year retention), then the table is dropped.
  • Code paths removed.
  • Legal + compliance posture updated.

Code touched (deletions)

Code touched (retained, adjusted)

  • BitcoinHotWalletService — retained but operates in multisig mode (Phase 5); no unilateral key.
  • BTC withdrawal transfer service — signs via multisig.

Runtime / UX impact

  • TOS update: "OrcaRail does not custody EVM or Solana funds during payment settlement" becomes factual.
  • SOC2 controls list shrinks materially.
  • Money transmitter posture re-reviewed with counsel.

Current limitations

  • 7-year archival obligation for hd_wallet_seed rows remains.
  • Long-tail legacy subscriptions must be migrated or canceled within the 30-day notice window.
  • Legacy BTC unilateral addresses continue to accept deposits until an explicit deprecation date.

Linked blog post

Phase 7: Retiring the Custody Infrastructure

Status checklist

  • All EVM + SOL merchants on non-custodial flow for at least 90 days
  • Residual legacy subscriptions zeroed
  • Final-sweep script completed
  • hd_wallet_seed archived to cold storage
  • Code deletions merged
  • TOS + privacy policy updated
  • Postmortem post published