hyperledger-labs · pasindutennage-da · Dec 17, 2025 · Dec 17, 2025 · Dec 17, 2025 · Dec 17, 2025
diff --git a/cluster/helm/splice-validator/templates/validator.yaml b/cluster/helm/splice-validator/templates/validator.yaml
@@ -129,9 +129,17 @@ spec:
             canton.validator-apps.validator_backend.scan-client.seed-urls = [ ${_scan.admin-api.address} ]
             {{- end }}
         {{ end }}
-        {{ if not .Values.useSequencerConnectionsFromScan }}
+        {{ if not .Values.useSequencerConnectionsFromScan -}}
         - name: ADDITIONAL_CONFIG_STATIC_SEQUENCER_URL
           value: canton.validator-apps.validator_backend.domains.global.url = {{ .Values.decentralizedSynchronizerUrl | quote }}
+        {{ else if .Values.synchronizer -}}
+            {{- if eq .Values.synchronizer.connectionType "trusted-url" }}
+        - name: ADDITIONAL_CONFIG_SYNCHRONIZER_URL
+          value: canton.validator-apps.validator_backend.domains.global.url = {{ .Values.synchronizer.url | quote }}
+            {{- else if eq .Values.synchronizer.connectionType "trusted-svs" }}
+        - name: ADDITIONAL_CONFIG_SYNCHRONIZER_NAMES
+          value: canton.validator-apps.validator_backend.domains.global.sequencer-names = {{ .Values.synchronizer.sequencerNames | toJson}}
+            {{- end }}
         {{ end }}
         {{- range $ii, $domain := .Values.extraDomains }}
         - name: ADDITIONAL_CONFIG_EXTRA_DOMAIN_{{ $ii }}

diff --git a/cluster/helm/splice-validator/tests/validator_test.yaml b/cluster/helm/splice-validator/tests/validator_test.yaml
@@ -221,3 +221,40 @@ tests:
       - matchRegex:
           path: spec.template.spec.containers[?(@.name=='validator-app')].env[?(@.name=='ADDITIONAL_CONFIG_BFT_SCAN')].value
           pattern: 'canton.validator-apps.validator_backend.scan-client.seed-urls = \["https://custom-node-A.com","https://custom-node-B.com"\]'
+  - it: "uses decentralizedSynchronizerUrl when useSequencerConnectionsFromScan is false"
+    set:
+      useSequencerConnectionsFromScan: false
+      decentralizedSynchronizerUrl: "https://legacy-sequencer.mock.com"
+    documentSelector:
+      path: kind
+      value: Deployment
+    asserts:
+      - matchRegex:
+          path: spec.template.spec.containers[?(@.name=='validator-app')].env[?(@.name=='ADDITIONAL_CONFIG_STATIC_SEQUENCER_URL')].value
+          pattern: 'canton\.validator-apps\.validator_backend\.domains\.global\.url = "https://legacy-sequencer\.mock\.com"'
+
+  - it: "uses synchronizer.url when provided"
+    set:
+      synchronizer:
+        connectionType: "trusted-url"
+        url: "https://new-sequencer.mock.com"
+    documentSelector:
+      path: kind
+      value: Deployment
+    asserts:
+      - matchRegex:
+          path: spec.template.spec.containers[?(@.name=='validator-app')].env[?(@.name=='ADDITIONAL_CONFIG_SYNCHRONIZER_URL')].value
+          pattern: 'canton\.validator-apps\.validator_backend\.domains\.global\.url = "https://new-sequencer\.mock\.com"'
+
+  - it: "uses synchronizer.sequencerNames as a JSON array when provided"
+    set:
+      synchronizer:
+        connectionType: "trusted-svs"
+        sequencerNames: [ "sequencer-1", "sequencer-2" ]
+    documentSelector:
+      path: kind
+      value: Deployment
+    asserts:
+      - matchRegex:
+          path: spec.template.spec.containers[?(@.name=='validator-app')].env[?(@.name=='ADDITIONAL_CONFIG_SYNCHRONIZER_NAMES')].value
+          pattern: 'canton\.validator-apps\.validator_backend\.domains\.global\.sequencer-names = \["sequencer-1","sequencer-2"\]'
diff --git a/cluster/helm/splice-validator/values.schema.json b/cluster/helm/splice-validator/values.schema.json
@@ -9,6 +9,32 @@
       "type": "object",
       "description": "The authentication configuration for the application"
     },
+    "synchronizer": {
+      "type": "object",
+      "description": "Configuration parameters for the sequencer connections.",
+      "properties": {
+        "connectionType": {
+          "type": "string",
+          "enum": [
+            "from-scan",
+            "trusted-url",
+            "trusted-svs"
+          ]
+        },
+        "sequencerNames": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "default": [],
+          "description": "Optional list of trusted sequencer / SV names."
+        },
+        "url": {
+          "type": "string",
+          "description": "Trusted sequencer Url."
+        }
+      }
+    },
     "scanClient": {
       "type": "object",
       "description": "Configuration parameters for the scan client.",
@@ -559,6 +585,64 @@
         },
         "errorMessage": "If 'scanClient' is set, 'scanAddress' and 'nonSvValidatorTrustSingleScan' must not be set. All the scan specific configuration must be done inside the 'scanClient' object."
       }
+    },
+    {
+      "if": {
+        "required": ["synchronizer"],
+        "properties": {
+          "synchronizer": {
+            "required": ["connectionType"]
+          }
+        }
+      },
+      "then": {
+        "allOf": [
+          {
+            "if": {
+              "properties": { "synchronizer": { "properties": { "connectionType": { "const": "from-scan" } } } }
+            },
+            "then": {
+              "properties": {
+                "synchronizer": {
+                  "properties": {
+                    "url": { "not": {} },
+                    "sequencerNames": { "not": {} }
+                  }
+                }
+              }
+            }
+          },
+          {
+            "if": {
+              "properties": { "synchronizer": { "properties": { "connectionType": { "const": "trusted-url" } } } }
+            },
+            "then": {
+              "properties": {
+                "synchronizer": {
+                  "required": ["url"],
+                  "properties": { "sequencerNames": { "not": {} } }
+                }
+              }
+            }
+          },
+          {
+            "if": {
+              "properties": { "synchronizer": { "properties": { "connectionType": { "const": "trusted-svs" } } } }
+            },
+            "then": {
+              "properties": {
+                "synchronizer": {
+                  "required": ["sequencerNames"],
+                  "properties": {
+                    "url": { "not": {} },
+                    "sequencerNames": { "minItems": 1 }
+                  }
+                }
+              }
+            }
+          }
+        ]
+      }
     }
   ]
 }
diff --git a/cluster/pulumi/common-validator/src/config.ts b/cluster/pulumi/common-validator/src/config.ts
@@ -9,6 +9,31 @@ import {
 import { clusterSubConfig } from '@lfdecentralizedtrust/splice-pulumi-common/src/config/config';
 import { z } from 'zod';
 
+export const SynchronizerConfigSchema = z
+  .object({
+    connectionType: z.enum(['from-scan', 'trusted-url', 'trusted-svs']).default('from-scan'),
+    sequencerNames: z.array(z.string()).optional(),
+    url: z.string().optional(),
+  })
+  .refine(
+    data => {
+      if (data.connectionType === 'trusted-url') {
+        return !!data.url && (!data.sequencerNames || data.sequencerNames.length === 0);
+      }
+      if (data.connectionType === 'trusted-svs') {
+        return !!(data.sequencerNames && data.sequencerNames.length > 0) && !data.url;
+      }
+      return true;
+    },
+    {
+      message:
+        "Configuration mismatch: 'trusted-url' requires only a URL, and 'trusted-svs' requires only sequencerNames.",
+      path: ['type'],
+    }
+  );
+
+export type synchronizerConfigSchema = z.infer<typeof SynchronizerConfigSchema>;
+
 export const ScanClientConfigSchema = z
   .object({
     scanType: z.enum(['trust-single', 'bft', 'bft-custom']),
@@ -41,6 +66,7 @@ export const ValidatorAppConfigSchema = z.object({
   additionalEnvVars: z.array(EnvVarConfigSchema).default([]),
   additionalJvmOptions: z.string().optional(),
   scanClient: ScanClientConfigSchema.optional(),
+  synchronizer: SynchronizerConfigSchema.optional(),
 });
 
 export const ParticipantConfigSchema = z.object({

diff --git a/cluster/pulumi/validator-runbook/src/installNode.ts b/cluster/pulumi/validator-runbook/src/installNode.ts
@@ -218,6 +218,7 @@ async function installValidator(
         : validatorValuesFromYamlFiles.migration.migrating,
     },
     scanClient: validatorConfig.validatorApp?.scanClient,
+    synchronizer: validatorConfig.validatorApp?.synchronizer,
     metrics: {
       enable: true,
     },

diff --git a/docs/src/release_notes.rst b/docs/src/release_notes.rst
@@ -8,8 +8,11 @@
 .. release-notes:: upcoming
 
   - Validator
+
     - Added support for picking a custom name for new parties created when onboarding users via the `/v0/admin/users` API. See :ref:`docs <validator-users>`.
 
+    - Added support for specifying trusted scan and synchronizer connections, with configurable thresholds.
+
   - API security
 
     - Tightened authorization checks for all non-public API endpoints.