Chapter 11: Phased Independence from Openfort
Openfort was chosen over Privy + ZeroDev because every critical component that touches user funds and keys is open source and self-hostable. The hosted API at api.openfort.io is the one temporary dependency. This chapter defines the plan for eliminating it.
Why Openfort Over Privy + ZeroDev
Section titled “Why Openfort Over Privy + ZeroDev”The previous stack (Privy for auth/key management, ZeroDev for smart accounts) had a fundamental problem: Privy’s TEE-based key management is proprietary, cannot be self-hosted, audited, or forked. If Stripe (Privy’s acquirer) changes pricing, direction, or shuts down, users’ keys are inaccessible.
Openfort provides:
- OpenSigner (MIT): self-hostable key management
- Shield (open source): self-hostable recovery server
- Smart account contracts (GPL-3.0): on-chain, immutable
- Better Auth integration: first-party plugin for Capxul’s auth stack
- Single vendor: replaces both Privy and ZeroDev
See Appendix A for the full evaluation.
What We Depend On (Initially)
Section titled “What We Depend On (Initially)”The hosted API (api.openfort.io) is NOT open source. It is how Openfort makes money. The Node SDK (@openfort/openfort-node) is an HTTP client that calls this API.
| Function | What It Handles | Replaceable? | Effort |
|---|---|---|---|
| Player management | User records, auth identity linking | Yes (Convex) | Low |
| Address pre-computation | Deterministic smart account addresses | Yes (viem + CREATE2) | Low |
| Transaction building | UserOp construction, gas estimation, nonce management, retries | Yes (viem + permissionless.js) | Medium |
| Session key management | Create, scope, revoke session keys | Yes (direct contract calls) | Medium |
| Guardian management | Add/remove guardians, initiate/approve recovery | Yes (direct contract calls) | Medium |
| Policy engine | Transaction sponsorship rules | Unnecessary (BYO paymaster rules) | N/A |
The key insight: Nothing in this API is architecturally irreplaceable. It is a convenience layer wrapping open-source contracts and standard EVM operations. Every function can be replaced with Convex actions + viem + permissionless.js.
Critical Finding: Programmable Wallet Controls
Section titled “Critical Finding: Programmable Wallet Controls”The Programmable Wallet Controls (offchain policies including allowlists, spending limits, transaction rules) are proprietary and part of the managed service. They are NOT open source and NOT self-hostable. Openfort’s own documentation confirms: “The offchain policy engine and backend wallet infrastructure are proprietary, operated by Openfort as a managed service.”
Implication: When Phase 3 replaces the hosted API, the offchain policy enforcement layer is lost. For Path A (offchain destination enforcement in Convex), this means the Convex backend must replicate the offchain controls before decommissioning the hosted API. For Path B (CapxulRouter), the on-chain enforcement is independent of the hosted API and survives the transition.
Three-Phase Plan
Section titled “Three-Phase Plan”Phase 1: Launch — Use the Hosted API
Section titled “Phase 1: Launch — Use the Hosted API”Accept the temporary dependency for speed. Focus engineering time on Capxul’s product (Safe modules, Convex backend, off-ramp integration, UI).
Use both layers of enforcement:
- Openfort’s hosted offchain controls
- Convex backend’s own validation
Phase 2: Post-Launch (1-2 Months) — Self-Host Key Management
Section titled “Phase 2: Post-Launch (1-2 Months) — Self-Host Key Management”Self-host OpenSigner + Shield. This removes the key management dependency. Users’ keys are on Capxul’s infrastructure.
Deploy via Docker. Point the SDK configuration at Capxul’s servers. User wallets continue working because the encryption scheme is independent of who hosts the server.
Phase 3: Post-Launch (2-4 Months) — Replace the Hosted API
Section titled “Phase 3: Post-Launch (2-4 Months) — Replace the Hosted API”Replace Openfort’s hosted API with Convex actions + viem + permissionless.js:
- Player management moves to Convex
- Address computation moves to a local viem utility
- Transaction building moves to permissionless.js
- Session key and guardian management move to direct contract calls
Before this happens: Either (a) Convex backend has equivalent offchain enforcement built and tested, or (b) Path B (CapxulRouter) is deployed and active.
End State
Section titled “End State”- On-chain contracts: Openfort smart accounts, CapxulRouter, Payment Module, Zodiac Roles (all immutable or upgradeable by Capxul)
- Self-hosted: OpenSigner, Shield, Better Auth
- Capxul backend: Convex
- Zero runtime dependency on Openfort servers
Dependency Map
Section titled “Dependency Map”OURS (Day One)
Better Auth (magic links, sessions) Convex (users, orgs, routing, streams, tx history) OpenSigner (self-hostable key management) Shield (self-hostable recovery) Smart Account Contracts (on-chain, open source) Base Bundler + Paymaster (free, no vendor dependency) Client SDK (@openfort/react, runs local)
OPENFORT HOSTED API (Temporary)
Player management ---------- Replace with Convex (Low) Address pre-computation ---- Replace with viem (Low) Transaction building ------- Replace with viem + permissionless.js (Medium) Session key mgmt ----------- Replace with viem (Medium) Guardian mgmt -------------- Replace with viem (Medium)
Total effort to fully replace: 2-4 weeks of senior engineer timeCost Comparison
Section titled “Cost Comparison”| Scale | Openfort | Privy + ZeroDev (Previous Stack) |
|---|---|---|
| 500 MAU | Free | $368/mo ($299 Privy + $69 ZeroDev) |
| 1,000 MAU | Free | $368/mo |
| 2,000 MAU | Est. < $100/mo | $368/mo |
Privy charges per MAU regardless of activity. Openfort charges per operation (wallet creation or transaction). For payroll where most users interact infrequently, this is a better model.
Cost at End State (Fully Self-Hosted)
Section titled “Cost at End State (Fully Self-Hosted)”- Openfort hosted API: $0
- OpenSigner + Shield: $0 (self-hosted, open source)
- Bundler + Paymaster: $0 (Base free tier) or minimal
- Smart account contracts: $0 (on-chain, deployed)
- Total Openfort dependency: $0
The cost becomes pure infrastructure: hosting for OpenSigner, Shield, Better Auth, and Convex.
Risks and Mitigations
Section titled “Risks and Mitigations”| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Openfort hosted API outage during launch | Medium | High | Monitor API health. Phase 2 reduces blast radius. |
| Session key compromise (Path A) | Low | High | Low count limits. Monitoring. Auto-revoke. Path B as fast follow. |
| Better Auth server downtime | Medium | High | Deploy redundantly. Configurable session TTL. |
| CapxulRouter contract vulnerability | Low | High | Small contract (~50-80 lines). Audit before mainnet. Upgradeable proxy. |
| Openfort V1 session key limitations in POC | Low | Medium | Both Path A and Path B designed. |