diff --git a/core-deterministic/testing/common/src/main/kotlin/net/corda/deterministic/common/Enclavelet.kt b/core-deterministic/testing/common/src/main/kotlin/net/corda/deterministic/common/Enclavelet.kt
new file mode 100644
index 0000000000..720a2bc4ff
--- /dev/null
+++ b/core-deterministic/testing/common/src/main/kotlin/net/corda/deterministic/common/Enclavelet.kt
@@ -0,0 +1,21 @@
+@file:JvmName("Enclavelet")
+package net.corda.deterministic.common
+
+import net.corda.core.serialization.deserialize
+import net.corda.core.transactions.LedgerTransaction
+
+/**
+ * We assume the signatures were already checked outside the sandbox: the purpose of this code
+ * is simply to check the sensitive, app-specific parts of a transaction.
+ *
+ * TODO: Transaction data is meant to be encrypted under an enclave-private key.
+ */
+@Throws(Exception::class)
+fun verifyInEnclave(reqBytes: ByteArray) {
+    deserialize(reqBytes).verify()
+}
+
+private fun deserialize(reqBytes: ByteArray): LedgerTransaction {
+    return reqBytes.deserialize<TransactionVerificationRequest>()
+        .toLedgerTransaction()
+}
diff --git a/core-deterministic/testing/src/test/kotlin/net/corda/deterministic/txverify/EnclaveletTest.kt b/core-deterministic/testing/src/test/kotlin/net/corda/deterministic/txverify/EnclaveletTest.kt
index 88125a4072..84bab1d1b7 100644
--- a/core-deterministic/testing/src/test/kotlin/net/corda/deterministic/txverify/EnclaveletTest.kt
+++ b/core-deterministic/testing/src/test/kotlin/net/corda/deterministic/txverify/EnclaveletTest.kt
@@ -1,11 +1,8 @@
-@file:JvmName("Enclavelet")
 package net.corda.deterministic.txverify
 
-import net.corda.core.serialization.deserialize
-import net.corda.core.transactions.LedgerTransaction
 import net.corda.deterministic.bytesOfResource
 import net.corda.deterministic.common.LocalSerializationRule
-import net.corda.deterministic.common.TransactionVerificationRequest
+import net.corda.deterministic.common.verifyInEnclave
 import net.corda.finance.contracts.asset.Cash.Commands.*
 import org.assertj.core.api.Assertions.assertThat
 import org.junit.ClassRule
@@ -30,23 +27,3 @@ class EnclaveletTest {
         assertThat(e).hasMessageContaining("Required ${Move::class.java.canonicalName} command")
     }
 }
-
-/**
- * Returns either null to indicate success when the transactions are validated, or a string with the
- * contents of the error. Invoked via JNI in response to an enclave RPC. The argument is a serialised
- * [TransactionVerificationRequest].
- *
- * Note that it is assumed the signatures were already checked outside the sandbox: the purpose of this code
- * is simply to check the sensitive, app specific parts of a transaction.
- *
- * TODO: Transaction data is meant to be encrypted under an enclave-private key.
- */
-@Throws(Exception::class)
-private fun verifyInEnclave(reqBytes: ByteArray) {
-    deserialize(reqBytes).verify()
-}
-
-private fun deserialize(reqBytes: ByteArray): LedgerTransaction {
-    return reqBytes.deserialize<TransactionVerificationRequest>()
-        .toLedgerTransaction()
-}
diff --git a/djvm/build.gradle b/djvm/build.gradle
index 6b1c255d6c..b3447b63ac 100644
--- a/djvm/build.gradle
+++ b/djvm/build.gradle
@@ -11,10 +11,14 @@ ext {
     asm_version = '6.1.1'
 }
 
+configurations {
+    testCompile.extendsFrom shadow
+}
+
 dependencies {
-    compile "org.jetbrains.kotlin:kotlin-stdlib-jdk8:$kotlin_version"
-    compile "org.jetbrains.kotlin:kotlin-reflect:$kotlin_version"
-    compile "org.slf4j:slf4j-api:$slf4j_version"
+    shadow "org.jetbrains.kotlin:kotlin-stdlib-jdk8:$kotlin_version"
+    shadow "org.jetbrains.kotlin:kotlin-reflect:$kotlin_version"
+    shadow "org.slf4j:slf4j-api:$slf4j_version"
 
     // ASM: byte code manipulation library
     compile "org.ow2.asm:asm:$asm_version"
@@ -22,7 +26,7 @@ dependencies {
     compile "org.ow2.asm:asm-commons:$asm_version"
 
     // Classpath scanner
-    compile "io.github.lukehutch:fast-classpath-scanner:$fast_classpath_scanner_version"
+    shadow "io.github.lukehutch:fast-classpath-scanner:$fast_classpath_scanner_version"
 
     // Test utilities
     testCompile "junit:junit:$junit_version"
@@ -35,11 +39,6 @@ jar.enabled = false
 shadowJar {
     baseName 'corda-djvm'
     classifier ''
-    dependencies {
-        exclude(dependency('org.jetbrains.*:.*:.*'))
-        exclude(dependency('org.slf4j:.*:.*'))
-        exclude(dependency('io.github.lukehutch:.*:.*'))
-    }
     relocate 'org.objectweb.asm', 'djvm.org.objectweb.asm'
 }
 assemble.dependsOn shadowJar
@@ -49,6 +48,7 @@ artifacts {
 }
 
 publish {
+    dependenciesFrom configurations.shadow
     disableDefaultJar true
     name shadowJar.baseName
 }
diff --git a/djvm/cli/build.gradle b/djvm/cli/build.gradle
index 617ea9fc12..d72a4a74c0 100644
--- a/djvm/cli/build.gradle
+++ b/djvm/cli/build.gradle
@@ -19,7 +19,6 @@ dependencies {
     compile "com.jcabi:jcabi-manifests:$jcabi_manifests_version"
 
     compile "info.picocli:picocli:$picocli_version"
-    compile "io.github.lukehutch:fast-classpath-scanner:$fast_classpath_scanner_version"
     compile project(path: ":djvm", configuration: "shadow")
 
     // Deterministic runtime - used in whitelist generation