Sanctifier’sDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/Centurylong/sanctifier/llms.txt
Use this file to discover all available pages before exploring further.
contracts/runtime-guard-wrapper is a Soroban smart contract that wraps target contracts with pre- and post-execution validation, collects execution metrics, and exposes a health_check() entry point for continuous monitoring. This guide covers three ways to deploy it to the Soroban testnet: the sanctifier deploy CLI command, the scripts/deploy-soroban-testnet.sh shell script, and the soroban-deploy.yml GitHub Actions workflow.
Prerequisites
Before deploying, you need a funded testnet account and the toolchain installed:Rust + WASM target
Rust 1.70 or later with the
wasm32-unknown-unknown target added via rustup target add wasm32-unknown-unknown.Soroban CLI
The latest Soroban CLI installed via
cargo install --locked soroban-cli.Funded testnet account
A keypair generated with
soroban keys generate and funded via Friendbot.jq + curl
Standard Unix utilities used by the deployment script for JSON parsing and API calls.
Generate and fund a testnet account
Environment variable
All three deployment methods read credentials from theSOROBAN_SECRET_KEY environment variable. Set it in your shell or a local .env.local file (never commit this file):
Method 1 — CLI (sanctifier deploy)
The sanctifier deploy command handles building, deploying, and optionally validating the contract in one step.
Deploy with validation
Pass the path to the contract directory, your target network, and To deploy without the post-deployment validation step:For machine-readable output:
--validate to invoke health_check() automatically after deployment:deploy subcommand accepts the following options:
| Option | Description |
|---|---|
--network <NETWORK> | Target network: testnet, futurenet, or mainnet |
--secret-key <KEY> | Soroban secret key (S-prefixed) |
--account-id <ID> | Account ID (optional; derived from the secret key if omitted) |
--validate | Invoke health_check() on the deployed contract |
--output-format | Output format: text or json |
Method 2 — Bash script (scripts/deploy-soroban-testnet.sh)
The deployment script at scripts/deploy-soroban-testnet.sh automates the full lifecycle: environment validation, WASM build, deployment with retry logic, post-deployment validation, and an optional continuous validation loop that re-checks the contract every N seconds.
Standard deployment
Dry run (no actual deployment)
soroban contract deploy call with a mock contract ID.
Deploy without continuous validation
Custom validation interval
All flags
| Flag | Default | Description |
|---|---|---|
--network <NETWORK> | testnet | Target network (testnet, futurenet, mainnet) |
--no-validate | off | Skip post-deployment validation entirely |
--no-continuous | off | Disable the continuous validation loop |
--dry-run | off | Simulate without deploying |
--interval <SECONDS> | 300 | Validation interval in seconds |
--debug | off | Enable verbose debug logging |
SOROBAN_SECRET_KEY
What the script produces
After a successful run the script writes two artifacts to the project root:deployment-manifest.json — JSON record of every deployed contract:
deployment.log — Full execution log for auditing and troubleshooting.
Method 3 — GitHub Actions (soroban-deploy.yml)
The .github/workflows/soroban-deploy.yml workflow automates deployment on three triggers:
| Trigger | Condition |
|---|---|
Push to main | Only when files under contracts/runtime-guard-wrapper/, scripts/deploy-soroban-testnet.sh, or the workflow file itself change |
| Schedule | Every 6 hours (cron: "0 */6 * * *") for continuous validation |
Manual (workflow_dispatch) | Choose network and optionally enable dry run |
Setup
Add the secret to your repository once:Manual trigger
Workflow jobs
The workflow has three jobs that run in sequence:build-and-deploy
Checks out the repository, installs the stable Rust toolchain with Uploads
wasm32-unknown-unknown, builds the contract in release mode, verifies the WASM artifact exists, and runs scripts/deploy-soroban-testnet.sh:deployment-manifest.json and deployment.log as workflow artifacts retained for 30 days.continuous-validation
Downloads the deployment manifest from the previous job, then invokes
health_check() and get_stats() on each deployed contract ID:Deployment orchestration steps
Whether you use the CLI, the script, or GitHub Actions, the underlying deployment follows the same five phases:Environment validation
Checks that
cargo, soroban, jq, and curl are on the PATH, verifies SOROBAN_SECRET_KEY is set, and confirms the network name is one of testnet, futurenet, or mainnet.Contract build
Compiles
contracts/runtime-guard-wrapper to WASM using the release profile and the wasm32-unknown-unknown target:WASM discovery and deployment
Locates
target/wasm32-unknown-unknown/release/runtime_guard_wrapper.wasm and submits it to the network via soroban contract deploy. Retries up to three times on transient failures.Post-deployment validation
Invokes
health_check() on the newly deployed contract ID and records pass/fail in the deployment manifest:Manual validation
After any deployment, validate the contract directly with the Soroban CLI:Troubleshooting
SOROBAN_SECRET_KEY not found — Set the environment variable before running the script:
wasm32-unknown-unknown target not found — Install the target:
soroban command not found — Install the CLI:
Insufficient balance — Fund the account on testnet via Friendbot:
RPC connection failed — Check network connectivity and testnet status:
health_check() call manually.