[ED] Enable explicit disclosure in conformance tests [DPP-1206] (#14974)

* Allow enabling explicit disclosure in Sandbox-on-X

changelog_begin
changelog_end

* Fix conformance tests

* Disable tests testing yet unsupported features

* Addressed Martino's review comments

ledger/ledger-api-common/src/main/scala/com/digitalasset/ledger/api/validation/CommandsValidator.scala

@@ -278,6 +278,10 @@ final class CommandsValidator(
 }
 
 object CommandsValidator {
+  def apply(ledgerId: LedgerId, explicitDisclosureUnsafeEnabled: Boolean) = new CommandsValidator(
+    ledgerId = ledgerId,
+    validateDisclosedContracts = new ValidateDisclosedContracts(explicitDisclosureUnsafeEnabled),
+  )
 
   /** Effective submitters of a command
     * @param actAs Guaranteed to be non-empty. Will contain exactly one element in most cases.

ledger/ledger-api-common/src/main/scala/com/digitalasset/platform/server/api/services/grpc/GrpcCommandService.scala

@@ -26,6 +26,7 @@ class GrpcCommandService(
     currentUtcTime: () => Instant,
     maxDeduplicationDuration: () => Option[Duration],
     generateSubmissionId: SubmissionIdGenerator,
+    explicitDisclosureUnsafeEnabled: Boolean,
 )(implicit executionContext: ExecutionContext, loggingContext: LoggingContext)
     extends CommandService
     with GrpcApiService
@@ -34,7 +35,7 @@ class GrpcCommandService(
   protected implicit val logger: ContextualizedLogger = ContextualizedLogger.get(getClass)
 
   private[this] val validator = new SubmitAndWaitRequestValidator(
-    new CommandsValidator(ledgerId)
+    CommandsValidator(ledgerId, explicitDisclosureUnsafeEnabled)
   )
 
   override def submitAndWait(request: SubmitAndWaitRequest): Future[Empty] =

ledger/ledger-api-common/src/main/scala/com/digitalasset/platform/server/api/services/grpc/GrpcCommandSubmissionService.scala

@@ -34,6 +34,7 @@ class GrpcCommandSubmissionService(
     maxDeduplicationDuration: () => Option[Duration],
     submissionIdGenerator: SubmissionIdGenerator,
     metrics: Metrics,
+    explicitDisclosureUnsafeEnabled: Boolean,
 )(implicit executionContext: ExecutionContext, loggingContext: LoggingContext)
     extends ApiCommandSubmissionService
     with ProxyCloseable
@@ -41,7 +42,7 @@ class GrpcCommandSubmissionService(
 
   protected implicit val logger: ContextualizedLogger = ContextualizedLogger.get(getClass)
   private val validator = new SubmitRequestValidator(
-    new CommandsValidator(ledgerId)
+    CommandsValidator(ledgerId, explicitDisclosureUnsafeEnabled)
   )
 
   override def submit(request: ApiSubmitRequest): Future[Empty] = {

ledger/ledger-api-common/src/test/suite/scala/com/digitalasset/platform/server/api/services/grpc/GrpcCommandServiceSpec.scala

@@ -12,18 +12,20 @@ import com.daml.ledger.api.v1.command_service.{
   SubmitAndWaitForTransactionTreeResponse,
   SubmitAndWaitRequest,
 }
-import com.daml.ledger.api.v1.commands.{Command, CreateCommand}
+import com.daml.ledger.api.v1.commands.{Command, CreateCommand, DisclosedContract}
 import com.daml.ledger.api.v1.value.{Identifier, Record, RecordField, Value}
 import com.daml.lf.data.Ref
 import com.daml.logging.LoggingContext
 import com.google.protobuf.empty.Empty
 import org.mockito.{ArgumentMatchersSugar, MockitoSugar}
+import org.scalatest.Assertion
 import org.scalatest.matchers.should.Matchers
 import org.scalatest.wordspec.AsyncWordSpec
 
 import java.time.{Duration, Instant}
 import java.util.concurrent.atomic.AtomicInteger
 import scala.concurrent.Future
+import scala.util.{Failure, Success}
 
 class GrpcCommandServiceSpec
     extends AsyncWordSpec
@@ -59,6 +61,7 @@ class GrpcCommandServiceSpec
           Ref.SubmissionId.assertFromString(
             s"$submissionIdPrefix${submissionCounter.incrementAndGet()}"
           ),
+        explicitDisclosureUnsafeEnabled = false,
       )
 
       for {
@@ -85,6 +88,51 @@ class GrpcCommandServiceSpec
         succeed
       }
     }
+    "reject submission on explicit disclosure disabled with provided disclosed contracts" in {
+      val mockCommandService = mock[CommandService with AutoCloseable]
+
+      val grpcCommandService = new GrpcCommandService(
+        mockCommandService,
+        ledgerId = LedgerId(ledgerId),
+        currentLedgerTime = () => Instant.EPOCH,
+        currentUtcTime = () => Instant.EPOCH,
+        maxDeduplicationDuration = () => Some(Duration.ZERO),
+        generateSubmissionId = () => Ref.SubmissionId.assertFromString(s"submissionId"),
+        explicitDisclosureUnsafeEnabled = false,
+      )
+
+      val submissionWithDisclosedContracts = aSubmitAndWaitRequestWithNoSubmissionId.update(
+        _.commands.disclosedContracts.set(Seq(DisclosedContract()))
+      )
+
+      def expectFailedOnProvidedDisclosedContracts(f: Future[_]): Future[Assertion] = f.transform {
+        case Failure(exception)
+            if exception.getMessage.contains(
+              "feature in development: disclosed_contracts should not be set"
+            ) =>
+          Success(succeed)
+        case other => fail(s"Unexpected result: $other")
+      }
+
+      for {
+        _ <- expectFailedOnProvidedDisclosedContracts(
+          grpcCommandService.submitAndWait(submissionWithDisclosedContracts)
+        )
+        _ <- expectFailedOnProvidedDisclosedContracts(
+          grpcCommandService.submitAndWaitForTransaction(submissionWithDisclosedContracts)
+        )
+        _ <- expectFailedOnProvidedDisclosedContracts(
+          grpcCommandService.submitAndWaitForTransactionId(submissionWithDisclosedContracts)
+        )
+        _ <- expectFailedOnProvidedDisclosedContracts(
+          grpcCommandService.submitAndWaitForTransactionTree(submissionWithDisclosedContracts)
+        )
+      } yield {
+        verifyZeroInteractions(mockCommandService)
+        succeed
+      }
+    }
+
   }
 }
 

ledger/ledger-api-common/src/test/suite/scala/com/digitalasset/platform/server/api/services/grpc/GrpcCommandSubmissionServiceSpec.scala

@@ -8,7 +8,7 @@ import com.codahale.metrics.MetricRegistry
 import com.daml.ledger.api.domain.LedgerId
 import com.daml.ledger.api.messages.command.submission.SubmitRequest
 import com.daml.ledger.api.testing.utils.MockMessages._
-import com.daml.ledger.api.v1.commands.{Command, CreateCommand}
+import com.daml.ledger.api.v1.commands.{Command, CreateCommand, DisclosedContract}
 import com.daml.ledger.api.v1.value.{Identifier, Record, RecordField, Value}
 import com.daml.lf.data.Ref
 import com.daml.logging.LoggingContext
@@ -21,6 +21,7 @@ import org.scalatest.matchers.should.Matchers
 import org.scalatest.wordspec.AsyncWordSpec
 
 import scala.concurrent.Future
+import scala.util.{Failure, Success}
 
 class GrpcCommandSubmissionServiceSpec
     extends AsyncWordSpec
@@ -87,6 +88,28 @@ class GrpcCommandSubmissionServiceSpec
           requestCaptor.value.commands.submissionId shouldBe Some(generatedSubmissionId)
         }
     }
+
+    "reject submission on explicit disclosure disabled with provided disclosed contracts" in {
+      val mockCommandSubmissionService = mock[CommandSubmissionService with AutoCloseable]
+
+      val submissionWithDisclosedContracts =
+        aSubmitRequest.update(_.commands.disclosedContracts.set(Seq(DisclosedContract())))
+
+      grpcCommandSubmissionService(mockCommandSubmissionService)
+        .submit(submissionWithDisclosedContracts)
+        .map { _ =>
+          verifyZeroInteractions(mockCommandSubmissionService)
+          succeed
+        }
+        .transform {
+          case Failure(exception)
+              if exception.getMessage.contains(
+                "feature in development: disclosed_contracts should not be set"
+              ) =>
+            Success(succeed)
+          case other => fail(s"Unexpected result: $other")
+        }
+    }
   }
 
   private def grpcCommandSubmissionService(
@@ -100,6 +123,7 @@ class GrpcCommandSubmissionServiceSpec
       maxDeduplicationDuration = () => Some(Duration.ZERO),
       submissionIdGenerator = () => Ref.SubmissionId.assertFromString(generatedSubmissionId),
       metrics = new Metrics(new MetricRegistry),
+      explicitDisclosureUnsafeEnabled = false,
     )
 }
 

ledger/ledger-api-tests/suites/src/main/scala/com/daml/ledger/api/testtool/suites/v1_dev/ExplicitDisclosureIT.scala

@@ -4,6 +4,7 @@
 package com.daml.ledger.api.testtool.suites.v1_dev
 
 import com.daml.error.definitions.LedgerApiErrors
+import com.daml.ledger.api.refinements.ApiTypes.Party
 import com.daml.ledger.api.testtool.infrastructure.Allocation._
 import com.daml.ledger.api.testtool.infrastructure.Assertions._
 import com.daml.ledger.api.testtool.infrastructure.LedgerTestSuite
@@ -100,7 +101,7 @@ final class ExplicitDisclosureIT extends LedgerTestSuite {
         // Create contract with `owner` as only stakeholder
         _ <- ledger.create(owner, WithKey(owner))
         withKeyTxIds <- ledger.flatTransactionsByTemplateId(WithKey.id, owner)
-        withKeyCreate = createdEvents(withKeyTxIds(1)).head
+        withKeyCreate = createdEvents(withKeyTxIds(0)).head
         withKeyDisclosedContract = createEventToDisclosedContract(withKeyCreate)
         exerciseByKeyError <- ledger
           .submitAndWait(
@@ -224,8 +225,8 @@ final class ExplicitDisclosureIT extends LedgerTestSuite {
             for {
               contractId <- ledger1.create(party1, Dummy(party1))
 
-              transactions <- ledger1.flatTransactionsByTemplateId(WithKey.id, party1)
+              transactions <- ledger1.flatTransactionsByTemplateId(Dummy.id, party1)
-              create = createdEvents(transactions(1)).head
+              create = createdEvents(transactions(0)).head
               disclosedContract = createEventToDisclosedContract(create)
 
               // Submit concurrently two consuming exercise choices (with and without disclosed contract)
@@ -266,13 +267,14 @@ final class ExplicitDisclosureIT extends LedgerTestSuite {
     for {
       testContext <- initializeTest(ledger, owner, delegate)
 
-      // Exercise a choice using invalid explicit disclosure (bad contract key)
+      //      // TODO ED: Enable once the check is implemented in command interpretation
-      errorBadKey <- testContext
+      //      // Exercise a choice using invalid explicit disclosure (bad contract key)
-        .exerciseFetchDelegated(
+      //      errorBadKey <- testContext
-          testContext.disclosedContract
+      //        .exerciseFetchDelegated(
-            .update(_.metadata.contractKeyHash := ByteString.copyFromUtf8("badKeyMeta"))
+      //          testContext.disclosedContract
-        )
+      //            .update(_.metadata.contractKeyHash := ByteString.copyFromUtf8("BadKeyBadKeyBadKeyBadKeyBadKey00"))
-        .mustFail("using a mismatching contract key hash in metadata")
+      //        )
+      //        .mustFail("using a mismatching contract key hash in metadata")
 
       // Exercise a choice using invalid explicit disclosure (bad ledger time)
       errorBadLet <- testContext
@@ -290,12 +292,13 @@ final class ExplicitDisclosureIT extends LedgerTestSuite {
         )
         .mustFail("using an invalid disclosed contract payload")
     } yield {
-      assertGrpcError(
+      //      // TODO ED: Enable once the check is implemented in command interpretation
-        errorBadKey,
+      //      assertGrpcError(
-        LedgerApiErrors.ConsistencyErrors.DisclosedContractInvalid,
+      //        errorBadKey,
-        None,
+      //        LedgerApiErrors.ConsistencyErrors.DisclosedContractInvalid,
-        checkDefiniteAnswerMetadata = true,
+      //        None,
-      )
+      //        checkDefiniteAnswerMetadata = true,
+      //      )
       assertGrpcError(
         errorBadLet,
         LedgerApiErrors.ConsistencyErrors.DisclosedContractInvalid,
@@ -370,15 +373,15 @@ final class ExplicitDisclosureIT extends LedgerTestSuite {
         )
         .mustFail("using a disclosed contract with missing createdAt in contract metadata")
 
-//      // TODO ED: Assert missing contract key hash when ledger side metadata validation is implemented
+      //      // TODO ED: Assert missing contract key hash when ledger side metadata validation is implemented
-//      // Exercise a choice using an invalid disclosed contract (missing key hash in contract metadata for a contract that has a contract key associated)
+      //      // Exercise a choice using an invalid disclosed contract (missing key hash in contract metadata for a contract that has a contract key associated)
-//      errorMissingKeyHash <- testContext
+      //      errorMissingKeyHash <- testContext
-//        .exerciseFetchDelegated(
+      //        .exerciseFetchDelegated(
-//          testContext.disclosedContract.update(_.metadata.contractKeyHash.set(ByteString.EMPTY))
+      //          testContext.disclosedContract.update(_.metadata.contractKeyHash.set(ByteString.EMPTY))
-//        )
+      //        )
-//        .mustFail(
+      //        .mustFail(
-//          "using a disclosed contract with missing key hash in contract metadata for a contract that has a contract key associated"
+      //          "using a disclosed contract with missing key hash in contract metadata for a contract that has a contract key associated"
-//        )
+      //        )
     } yield {
       assertGrpcError(
         errorMalformedPayload,
@@ -430,25 +433,40 @@ final class ExplicitDisclosureIT extends LedgerTestSuite {
     for {
       testContext <- initializeTest(ledger, owner, delegate)
 
+      _ <- ledger.create(owner, Dummy(owner))
+      dummyTxs <- ledger.flatTransactionsByTemplateId(Dummy.id, owner)
+      dummyCreate = createdEvents(dummyTxs(0)).head
+      dummyDisclosedContract = createEventToDisclosedContract(dummyCreate)
+
       // Exercise a choice using invalid explicit disclosure (bad contract key)
       _ <- testContext
         .exerciseFetchDelegated(
-          testContext.disclosedContract
+          testContext.disclosedContract,
-            .update(_.metadata.contractKeyHash := ByteString.copyFromUtf8("badKeyMeta"))
+          // Provide a superfluous disclosed contract with mismatching key hash
+          dummyDisclosedContract
+            .update(
+              _.metadata.contractKeyHash := ByteString.copyFromUtf8(
+                "BadKeyBadKeyBadKeyBadKeyBadKey00"
+              )
+            ),
         )
 
       // Exercise a choice using invalid explicit disclosure (bad ledger time)
       _ <- testContext
         .exerciseFetchDelegated(
-          testContext.disclosedContract
+          testContext.disclosedContract,
-            .update(_.metadata.createdAt := com.google.protobuf.timestamp.Timestamp.of(1, 0))
+          // Provide a superfluous disclosed contract with mismatching createdAt
+          dummyDisclosedContract
+            .update(_.metadata.createdAt := com.google.protobuf.timestamp.Timestamp.of(1, 0)),
         )
 
       // Exercise a choice using invalid explicit disclosure (bad payload)
       _ <- testContext
         .exerciseFetchDelegated(
-          testContext.disclosedContract
+          testContext.disclosedContract,
-            .update(_.arguments := Delegated(delegate, testContext.contractKey).arguments)
+          // Provide a superfluous disclosed contract with mismatching contract arguments
+          dummyDisclosedContract
+            .update(_.arguments := Dummy(delegate).arguments),
         )
     } yield ()
   })
@@ -554,8 +572,7 @@ final class ExplicitDisclosureIT extends LedgerTestSuite {
     "EDFeatureDisabled",
     "Submission fails when disclosed contracts provided on feature disabled",
     allocate(Parties(2)),
-    // TODO ED: Toggle after feature flag implementation
+    enabled = feature => !feature.explicitDisclosure,
-    //    enabled = feature => !feature.explicitDisclosure,
   )(implicit ec => { case Participants(Participant(ledger, owner, delegate)) =>
     for {
       testContext <- initializeTest(ledger, owner, delegate)
@@ -593,7 +610,7 @@ final class ExplicitDisclosureIT extends LedgerTestSuite {
           verbose = !normalizedDisclosedContract,
         )
       )
-      createdEvent = createdEvents(txs(1)).head
+      createdEvent = createdEvents(txs(0)).head
       disclosedContract = createEventToDisclosedContract(createdEvent)
 
       _ <- ledger.submitAndWait(
@@ -749,9 +766,18 @@ object ExplicitDisclosureIT {
           Command.Command.ExerciseByKey(
             ExerciseByKeyCommand(
               Some(WithKey.id.unwrap),
-              Option(Value(Value.Sum.Party(owner.unwrap))),
+              Option(Value(Value.Sum.Party(Party.unwrap(owner)))),
               "WithKey_NoOp",
-              Option(Value(Value.Sum.Party(party.unwrap))),
+              Option(
+                Value(
+                  Value.Sum.Record(
+                    Record(
+                      None,
+                      List(RecordField("", Some(Value(Value.Sum.Party(Party.unwrap(party)))))),
+                    )
+                  )
+                )
+              ),
             )
           )
         ),

ledger/participant-integration-api/src/main/scala/platform/LedgerApiServer.scala

@@ -43,6 +43,11 @@ class LedgerApiServer(
     timeServiceBackendO: Option[TimeServiceBackend],
     servicesExecutionContext: ExecutionContextExecutorService,
     metrics: Metrics,
+    // TODO ED: Remove flag once explicit disclosure is deemed stable and all
+    //          backing ledgers implement proper validation against malicious clients.
+    //          Currently, we provide this flag outside the HOCON configuration objects
+    //          in order to ensure that participants cannot be configured to accept explicitly disclosed contracts.
+    explicitDisclosureUnsafeEnabled: Boolean = false,
 )(implicit actorSystem: ActorSystem, materializer: Materializer) {
 
   def owner: ResourceOwner[ApiService] = {
@@ -109,6 +114,7 @@ class LedgerApiServer(
           ledgerId,
           participantConfig.apiServer,
           participantId,
+          explicitDisclosureUnsafeEnabled,
         )
       } yield apiService
     }
@@ -127,6 +133,7 @@ class LedgerApiServer(
       ledgerId: LedgerId,
       apiServerConfig: ApiServerConfig,
       participantId: Ref.ParticipantId,
+      explicitDisclosureUnsafeEnabled: Boolean,
   )(implicit
       actorSystem: ActorSystem,
       loggingContext: LoggingContext,
@@ -155,6 +162,7 @@ class LedgerApiServer(
       participantId = participantId,
       authService = authService,
       jwtTimestampLeeway = participantConfig.jwtTimestampLeeway,
+      explicitDisclosureUnsafeEnabled = explicitDisclosureUnsafeEnabled,
     )
 }
 

ledger/participant-integration-api/src/main/scala/platform/apiserver/ApiServiceOwner.scala

@@ -55,6 +55,7 @@ object ApiServiceOwner {
       authService: AuthService,
       meteringReportKey: MeteringReportKey = CommunityKey,
       jwtTimestampLeeway: Option[JwtTimestampLeeway],
+      explicitDisclosureUnsafeEnabled: Boolean = false,
   )(implicit
       actorSystem: ActorSystem,
       materializer: Materializer,
@@ -114,6 +115,7 @@ object ApiServiceOwner {
         userManagementConfig = config.userManagement,
         apiStreamShutdownTimeout = config.apiStreamShutdownTimeout,
         meteringReportKey = meteringReportKey,
+        explicitDisclosureUnsafeEnabled = explicitDisclosureUnsafeEnabled,
       )(materializer, executionSequencerFactory, loggingContext)
         .map(_.withServices(otherServices))
       apiService <- new LedgerApiService(

ledger/participant-integration-api/src/main/scala/platform/apiserver/ApiServices.scala

@@ -86,6 +86,7 @@ private[daml] object ApiServices {
       userManagementConfig: UserManagementConfig,
       apiStreamShutdownTimeout: scala.concurrent.duration.Duration,
       meteringReportKey: MeteringReportKey,
+      explicitDisclosureUnsafeEnabled: Boolean,
   )(implicit
       materializer: Materializer,
       esf: ExecutionSequencerFactory,
@@ -259,6 +260,7 @@ private[daml] object ApiServices {
           commandExecutor,
           checkOverloaded,
           metrics,
+          explicitDisclosureUnsafeEnabled = explicitDisclosureUnsafeEnabled,
         )
 
         // Note: the command service uses the command submission, command completion, and transaction
@@ -282,6 +284,7 @@ private[daml] object ApiServices {
           timeProvider = timeProvider,
           ledgerConfigurationSubscription = ledgerConfigurationSubscription,
           metrics = metrics,
+          explicitDisclosureUnsafeEnabled = explicitDisclosureUnsafeEnabled,
         )
 
         val apiPartyManagementService = ApiPartyManagementService.createApiService(

ledger/participant-integration-api/src/main/scala/platform/apiserver/LedgerFeatures.scala

@@ -8,6 +8,7 @@ import com.daml.ledger.api.v1.experimental_features.{
   CommandDeduplicationFeatures,
   ExperimentalCommitterEventLog,
   ExperimentalContractIds,
+  ExperimentalExplicitDisclosure,
 }
 
 case class LedgerFeatures(
@@ -17,4 +18,6 @@ case class LedgerFeatures(
     contractIdFeatures: ExperimentalContractIds = ExperimentalContractIds.defaultInstance,
     committerEventLog: ExperimentalCommitterEventLog =
       ExperimentalCommitterEventLog.of(eventLogType = CENTRALIZED),
+    explicitDisclosure: ExperimentalExplicitDisclosure =
+      ExperimentalExplicitDisclosure.of(supported = false),
 )

ledger/participant-integration-api/src/main/scala/platform/apiserver/services/ApiCommandService.scala

@@ -208,6 +208,7 @@ private[apiserver] object ApiCommandService {
       timeProvider: TimeProvider,
       ledgerConfigurationSubscription: LedgerConfigurationSubscription,
       metrics: Metrics,
+      explicitDisclosureUnsafeEnabled: Boolean,
   )(implicit
       materializer: Materializer,
       executionContext: ExecutionContext,
@@ -232,6 +233,7 @@ private[apiserver] object ApiCommandService {
       maxDeduplicationDuration = () =>
         ledgerConfigurationSubscription.latestConfiguration().map(_.maxDeduplicationDuration),
       generateSubmissionId = SubmissionIdGenerator.Random,
+      explicitDisclosureUnsafeEnabled = explicitDisclosureUnsafeEnabled,
     )
   }
 

ledger/participant-integration-api/src/main/scala/platform/apiserver/services/ApiSubmissionService.scala

@@ -43,6 +43,7 @@ private[apiserver] object ApiSubmissionService {
       commandExecutor: CommandExecutor,
       checkOverloaded: TelemetryContext => Option[state.SubmissionResult],
       metrics: Metrics,
+      explicitDisclosureUnsafeEnabled: Boolean,
   )(implicit
       executionContext: ExecutionContext,
       loggingContext: LoggingContext,
@@ -65,6 +66,7 @@ private[apiserver] object ApiSubmissionService {
         ledgerConfigurationSubscription.latestConfiguration().map(_.maxDeduplicationDuration),
       submissionIdGenerator = SubmissionIdGenerator.Random,
       metrics = metrics,
+      explicitDisclosureUnsafeEnabled = explicitDisclosureUnsafeEnabled,
     )
 }
 

ledger/participant-integration-api/src/main/scala/platform/apiserver/services/ApiVersionService.scala

@@ -74,7 +74,7 @@ private[apiserver] final class ApiVersionService private (
           optionalLedgerId = Some(ExperimentalOptionalLedgerId()),
           contractIds = Some(ledgerFeatures.contractIdFeatures),
           committerEventLog = Some(ledgerFeatures.committerEventLog),
-          explicitDisclosure = None, // TODO[ED]: Wire-up with participant configuration flag
+          explicitDisclosure = Some(ledgerFeatures.explicitDisclosure),
         )
       ),
     )

ledger/sandbox-on-x/BUILD.bazel

@@ -575,6 +575,24 @@ server_conformance_test(
     ],
 )
 
+SERVERS_EXPLICIT_DISCLOSURE = {
+    "h2database": {
+        "binary": ":app",
+        "server_args": ["explicit-disclosure-unsafe-enabled run"],
+    },
+    "postgresql": {
+        "binary": ":conformance-test-postgres-bin",
+        "server_args": ["explicit-disclosure-unsafe-enabled run -c $(rootpath :postgres.conf)"],
+        "extra_data": [":postgres.conf"],
+    },
+    "oracle": {
+        "binary": ":conformance-test-oracle-bin",
+        "tags": oracle_tags,
+        "server_args": ["explicit-disclosure-unsafe-enabled run -c $(rootpath :oracle.conf)"],
+        "extra_data": [":oracle.conf"],
+    },
+}
+
 server_conformance_test(
     name = "conformance-test-explicit-disclosure",
     hocon = True,
@@ -584,7 +602,32 @@ server_conformance_test(
     lf_versions = [
         "1.dev",
     ],
-    servers = SERVERS,
+    servers = SERVERS_EXPLICIT_DISCLOSURE,
+    test_tool_args = [
+        "--verbose",
+        "--include=ExplicitDisclosureIT",
+        # TODO ED: Enable the following test once https://github.com/digital-asset/daml/issues/14200 is solved
+        "--exclude=ExplicitDisclosureIT:EDDuplicates",
+        # TODO ED: Enable the following tests once https://github.com/digital-asset/daml/issues/14199 is solved
+        "--exclude=ExplicitDisclosureIT:EDExerciseByKeyDisclosedContract",
+        "--exclude=ExplicitDisclosureIT:EDLocalKeyVisibility",
+        "--exclude=ExplicitDisclosureIT:EDNonNormalizedDisclosedContract",
+        "--exclude=ExplicitDisclosureIT:EDNormalizedDisclosedContract",
+    ],
+)
+
+# Suite asserting that tests targeting disabled explicit disclosure are successful
+# (i.e. test asserting that submissions using disclosed contracts are rejected)
+# TODO ED: Remove once feature deemed stable
+conformance_test(
+    name = "conformance-test-explicit-disclosure-disabled-lf-dev-h2",
+    hocon = True,
+    lf_versions = [
+        "1.dev",
+    ],
+    ports = [6865],
+    server = ":app",
+    server_args = ["run"],
     test_tool_args = [
         "--verbose",
         "--include=ExplicitDisclosureIT",

ledger/sandbox-on-x/src/main/scala/com/daml/ledger/sandbox/CliSandboxOnXRunner.scala

@@ -9,6 +9,13 @@ import com.daml.logging.ContextualizedLogger
 import com.daml.resources.ProgramResource
 
 object CliSandboxOnXRunner {
+  // TODO ED: Remove flag once explicit disclosure is deemed stable and all
+  //          backing ledgers implement proper validation against malicious clients
+  //
+  // NOTE: The flag is explicitly extracted out of the provided program arguments
+  //       and not passed via the HOCON config in order to prevent accidental
+  //       enablement, which could render participants vulnerable to malicious clients.
+  private val ExplicitDisclosureEnabledArg = "explicit-disclosure-unsafe-enabled"
   private val logger = ContextualizedLogger.get(getClass)
   val RunnerName = "sandbox-on-x"
 
@@ -19,14 +26,23 @@ object CliSandboxOnXRunner {
       args: collection.Seq[String],
       manipulateConfig: CliConfig[BridgeConfig] => CliConfig[BridgeConfig] = identity,
   ): Unit = {
+    val explicitDisclosureEnabled = args.contains(ExplicitDisclosureEnabledArg)
     val config = CliConfig
-      .parse(RunnerName, BridgeConfig.Parser, BridgeConfig.Default, args)
+      .parse(
+        RunnerName,
+        BridgeConfig.Parser,
+        BridgeConfig.Default,
+        args.filterNot(_ == ExplicitDisclosureEnabledArg),
+      )
       .map(manipulateConfig)
       .getOrElse(sys.exit(1))
-    runProgram(config)
+    runProgram(config, explicitDisclosureEnabled)
   }
 
-  private def runProgram(config: CliConfig[BridgeConfig]): Unit =
+  private def runProgram(
+      config: CliConfig[BridgeConfig],
+      explicitDisclosureUnsafeEnabled: Boolean,
+  ): Unit =
     config.mode match {
       case Mode.Run =>
         SandboxOnXConfig
@@ -34,7 +50,9 @@ object CliSandboxOnXRunner {
           .fold(
             System.err.println,
             { sandboxOnXConfig =>
-              program(sox(new BridgeConfigAdaptor, sandboxOnXConfig))
+              program(
+                sox(new BridgeConfigAdaptor, sandboxOnXConfig, explicitDisclosureUnsafeEnabled)
+              )
             },
           )
       case Mode.DumpIndexMetadata(jdbcUrls) =>
@@ -46,12 +64,13 @@ object CliSandboxOnXRunner {
       case Mode.RunLegacyCliConfig =>
         val configAdaptor: BridgeConfigAdaptor = new BridgeConfigAdaptor
         val sandboxOnXConfig: SandboxOnXConfig = SandboxOnXConfig.fromLegacy(configAdaptor, config)
-        program(sox(configAdaptor, sandboxOnXConfig))
+        program(sox(configAdaptor, sandboxOnXConfig, explicitDisclosureUnsafeEnabled))
     }
 
   private def sox(
       configAdaptor: BridgeConfigAdaptor,
       sandboxOnXConfig: SandboxOnXConfig,
+      explicitDisclosureUnsafeEnabled: Boolean,
   ): ResourceOwner[Unit] = {
     Banner.show(Console.out)
     logger.withoutContext.info(
@@ -62,6 +81,7 @@ object CliSandboxOnXRunner {
         configAdaptor,
         sandboxOnXConfig.ledger,
         sandboxOnXConfig.bridge,
+        explicitDisclosureUnsafeEnabled,
       )
       .map(_ => ())
   }

ledger/sandbox-on-x/src/main/scala/com/daml/ledger/sandbox/SandboxOnXRunner.scala

@@ -21,6 +21,7 @@ import com.daml.ledger.api.v1.experimental_features.{
   CommandDeduplicationPeriodSupport,
   CommandDeduplicationType,
   ExperimentalContractIds,
+  ExperimentalExplicitDisclosure,
 }
 import com.daml.ledger.offset.Offset
 import com.daml.ledger.participant.state.index.v2.IndexService
@@ -56,16 +57,20 @@ object SandboxOnXRunner {
       configAdaptor: BridgeConfigAdaptor,
       config: Config,
       bridgeConfig: BridgeConfig,
+      explicitDisclosureUnsafeEnabled: Boolean = false,
   ): ResourceOwner[Port] =
     new ResourceOwner[Port] {
       override def acquire()(implicit context: ResourceContext): Resource[Port] =
-        SandboxOnXRunner.run(bridgeConfig, config, configAdaptor).acquire()
+        SandboxOnXRunner
+          .run(bridgeConfig, config, configAdaptor, explicitDisclosureUnsafeEnabled)
+          .acquire()
     }
 
   def run(
       bridgeConfig: BridgeConfig,
       config: Config,
       configAdaptor: BridgeConfigAdaptor,
+      explicitDisclosureUnsafeEnabled: Boolean,
   ): ResourceOwner[Port] = newLoggingContext { implicit loggingContext =>
     implicit val actorSystem: ActorSystem = ActorSystem(RunnerName)
     implicit val materializer: Materializer = Materializer(actorSystem)
@@ -111,6 +116,7 @@ object SandboxOnXRunner {
           contractIdFeatures = ExperimentalContractIds.of(
             v1 = ExperimentalContractIds.ContractIdV1Support.NON_SUFFIXED
           ),
+          explicitDisclosure = ExperimentalExplicitDisclosure.of(explicitDisclosureUnsafeEnabled),
         ),
         authService = configAdaptor.authService(participantConfig),
         buildWriteService = buildWriteServiceLambda,
@@ -127,6 +133,7 @@ object SandboxOnXRunner {
         timeServiceBackendO = timeServiceBackendO,
         servicesExecutionContext = servicesExecutionContext,
         metrics = metrics,
+        explicitDisclosureUnsafeEnabled = explicitDisclosureUnsafeEnabled,
       )(actorSystem, materializer).owner
     } yield {
       logInitializationHeader(