Lesson 11 — Gateway's Defining Architecture

The system you're taking over, in one mental model: the frontend never touches a chain, one service writes, one reads, and Fireblocks holds every key. Everything else hangs off this.

Why this is lesson one of the Gateway track. You now hold the concepts (custody, the on/off-chain boundary, events, viem, Token-2022). This lesson lands them on the real system. Get this shape into memory and every other part of Gateway — the four services, the token standards, the multi-chain handlers, the 6.5 migration — becomes a detail hanging off a frame you already understand.

The one decision that defines Gateway

The frontend never touches a chain. No MetaMask, no WalletConnect, no in-browser signing — anywhere. All on-chain execution is isolated behind the backend, and all key custody lives in Fireblocks. In Gateway, Web3 is a backend concern; the UI is orchestration and monitoring.

This is the institutional answer to Lesson 6. A regulated platform cannot have private keys in browsers or staff laptops. Fireblocks is API-accessed MPC infrastructure — keys are split into shares across hardware enclaves (TSS/MPC-CMP) and never assembled; your backend requests a signature, it never holds a key.¹ So the architecture isn't a style choice — it's custody and compliance dictating the shape.

The write path and the read path

Gateway splits chain interaction into exactly two directions — your Lesson 10 Signer-writes / Provider-reads split, promoted to whole services:

▶ connector (the only writer)

gateway-blockchain-connector. Consumes DEPLOY_QUEUE / CHAIN_ACTION_QUEUE off Azure Service Bus; executes deploys, MINT, BURN, TRANSFER, DIVIDEND, trustline ops, Solana freeze — via Fireblocks. The server-side Signer (Lesson 10), made institutional. Per-chain handlers; SHA-512 idempotency keys; writes results to transaction_out.

◀ listener (the only reader)

gateway-blockchain-listener. Subscribes to chain events (viem WS for EVM, XRPL/Stellar/Solana equivalents), decodes Transfer / AllowList changes, normalizes to a ChainEvent (TRANSFER / WHITELIST), writes DB tables, and publishes to TRANSFER_EVENT_TOPIC. The Provider + event-subscription side (Lessons 3, 5, 10), made institutional.

This separation is deliberate and powerful: one service can write, exactly one can read, and nothing else ever speaks to a chain. Auditable, securable, and the blast radius of a bug is contained to one direction.

The end-to-end flow

WRITE PATH (command → chain): Dashboard FE ─REST─▶ token-service / asset-adapter │ enqueue ▼ (Azure Service Bus) connector ─▶ Fireblocks (signs) ─▶ CHAIN READ PATH (chain → state): CHAIN ─events─▶ listener ─normalize─▶ DB + TRANSFER_EVENT_TOPIC │ token-service ◀─────┘ (confirms escrow / mint / burn) │ recon ◀── reconciles transaction_out vs off-chain ledger

Read it as a loop. A command goes down the write path (UI → orchestration → bus → connector → Fireblocks → chain). The result comes back up the read path (chain → listener → DB/topic → token-service confirms → recon checks). The two paths are asynchronous and decoupled — the chain's latency never blocks the UI, and confirmation is an event that arrives later. This is the on/off-chain boundary (Lesson 5) realised as message-passing.

Why message queues, not direct calls

The frontend doesn't wait for a transaction; it fires a command and watches for confirmation. Azure Service Bus between orchestration and connector buys you: decoupling (UI returns instantly), retries & durability (a queued action survives a connector restart), and back-pressure (chain congestion can't topple the API). The SHA-512 idempotency keys matter here — if a message is delivered twice, the connector must not mint twice. Idempotency is what makes "at-least-once" delivery safe for irreversible chain actions.

One risk to clock on day one

The listener's resume-from-block is in-memory only — no persistent checkpoint. If the listener is down long enough, chain events during the gap can be missed, and the off-chain DB silently drifts from on-chain truth. Industry best practice is a persistent sync table (last block number + hash per chain) so the indexer resumes exactly where it stopped, plus reorg handling.² Gateway's recon-service is the safety net that detects the resulting drift (MATCHED/UNMATCHED) — but detection isn't prevention. This is exactly the kind of inherited risk a new engineering lead should surface, prioritise, and own.

How your prior lessons map onto Gateway

Gateway piece	You already learned it as…
Frontend never signs; keys in Fireblocks	Custody / MPC / agent-key protection (Lessons 6, 8)
connector = the only writer	The server-side Signer (Lesson 10)
listener = the only reader	Provider + events as the sync feed (Lessons 3, 5, 10)
Async write/read paths over a bus	The on/off-chain boundary (Lesson 5)
AllowList contract for whitelisting	Permissioned transfer / identity gate (Lesson 4)
recon-service	Reconciliation of on- vs off-chain books (Lesson 5)
Solana Token-2022 freeze/thaw, ATA	Default-frozen + permissioned tokens (Lessons 7, 8)

You are not learning Gateway from scratch — you're recognising it. The rest of this track names the parts and goes deep on the few genuinely new things (the ERC20F/ERC20MN01 standard, XRPL/Stellar trustlines, the 6.5 collapse).

Retrieve it (don't peek)

From memory. Interleaves Lessons 5, 6 & 10.

1. Why do Gateway's frontends never sign transactions or hold a wallet?

Correct. It's custody/compliance dictating architecture (Lesson 6): a regulated platform keeps keys in Fireblocks MPC, reached only via the backend. The UI is orchestration; signing is a backend concern.

Reconsider. It's not performance, chain limits, or team preference — it's the institutional custody rule: private keys live in Fireblocks and never touch a browser.

2. In Gateway, which statement about the connector and listener is correct?

Correct. Exactly one writer (connector → Fireblocks → chain) and exactly one reader (listener → DB/topic). Nothing else speaks to a chain — that's the contained-blast-radius design.

Reconsider. The split is strict and one-directional each: connector writes (via Fireblocks), listener reads (events). The frontend never touches a chain at all.

3. Why are the connector's SHA-512 idempotency keys important on a message queue?

Correct. Service Bus is at-least-once: a message can arrive twice. Idempotency keys ensure a duplicated MINT executes once — essential because chain actions are irreversible (Lesson 1).

Reconsider. They don't encrypt keys, fix the listener checkpoint, or speed polling. They guarantee a redelivered command (e.g. MINT) executes only once — safety for at-least-once delivery.

Primary source

Your single best source is Gateway's own docs/architecture.md (especially the 6.5 target) — read it against this lesson's frame. To ground the building blocks: Fireblocks — What is Fireblocks (the custody model) and QuickNode — Reorg & checkpoint handling (why the in-memory checkpoint is a risk).

I'm your teacher — ask me. Want to go deep next on the four services (token-service, asset-adapter, mna-service, recon), the ERC20F/ERC20MN01 + AllowList token design, the multi-chain model (EVM events vs XRPL/Stellar trustlines vs Solana), or the 6.5 migration? Or have me turn the listener-checkpoint risk into a proper write-up you could bring to your team? Just ask.