Nyx compliance architecture

Compliance without public plaintext.

Nyx separates public accountability from private financial data. The chain proves that policy was followed, the auditor can decrypt live confidential token evidence, and regulators receive only scoped facts through expiring grants.

Public verifies status

Policy, proof, lifecycle, locks, and tx hashes.

Auditor decrypts trail

Live cUSDC draw and repayment ciphertexts.

Regulator sees scope

One encrypted bundle, one permission, one expiry.

01 - Visibility model

One position, different credentials

Position existence and lifecycle
Public Visible
Auditor Visible
Regulator Scoped
SEP-31 payout status
Public Visible
Auditor Visible
Regulator Scoped
KYB approval result
Public Visible
Auditor Visible
Regulator Scoped
Proof verification result
Public Visible
Auditor Visible
Regulator Scoped
Collateral asset class and tenor
Public Visible
Auditor Visible
Regulator Scoped
Draw and repayment amounts
Public Hidden
Auditor Visible
Regulator Scoped
Static collateral balance
Public Hidden
Auditor Hidden
Regulator Hidden
Individual repayment records
Public Hidden
Auditor Visible
Regulator Scoped
Private witness values
Public Hidden
Auditor Hidden
Regulator Hidden

Static collateral balance is intentionally not decrypted in the demo. The proof shows sufficiency; the live confidential transfers emit auditor ciphertexts for draw and repayment.

02 - Data boundary

What can exist on-chain

Public chain stores

participant approval result
policy references and contract IDs
oracle price freshness result
position lifecycle events
collateral lock key and nullifier
proof public inputs and verifier result
confidential transfer ciphertext references
disclosure scope hash, expiry, revocation

Never public state

private collateral amount
private draw amount
private repayment amount
auditor private key
plaintext disclosure bundle
full repayment history
private proof witness
viewer session secret

Boundary rule: the backend stores SEP state, proof jobs, event references, and encrypted bundles. It does not become the privacy source of truth. Confidential token ciphertexts and verifier-checked proofs do.

03 - Control planes

Policy enforced before liquidity moves

KYB and participant policy

Anchor Platform callbacks create the customer status. ACCEPTED writes approval to ParticipantPolicy on-chain. REJECTED blocks quotes and credit opening.

SEP-12ParticipantPolicyon-chain approval

Collateral policy

CollateralPolicyRegistry defines eligible collateral, haircut, and maximum tenor. The credit contract checks these values before opening a line.

eligibilityhaircut5 day tenor cap

Oracle freshness

OracleAdapter reads the configured price source and rejects stale values. Before a demo, refresh the oracle if ledgers have advanced past the window.

Reflector sourcefreshness windowstale price reject

Replay prevention

Position nullifiers, collateral locks, and repayment history nullifiers prevent a proof, collateral allowance, or private repayment leaf from being reused.

position nullifierlock registryleaf nullifier

Proof verification

Noir proofs are verified by UltraHonk verifier contracts on Soroban. Public inputs bind oracle price, haircut, tenor, lock key, and nullifier.

NoirUltraHonkSoroban verifier

Auditor visibility

OZ confidential transfers emit auditor ciphertexts. The auditor can decrypt live draw and repayment amounts without making those amounts public.

auditor ciphertextlocal credentiallive transfer evidence

04 - Scoped disclosure

A thin registry that cannot leak amounts

DisclosureGrantRegistry records only permission metadata. The encrypted disclosure bundle remains off-chain, and the viewer secret belongs to the browser session.

Registry stores

grant_idownerviewer_hashposition_idevent_hashscope_hashexpires_at_ledgerrevoked

Registry never stores

plaintext amountauditor keyviewer secretfull disclosure bundledecrypted event data

05 - Audit evidence

Evidence chain for the demo

1

Anchor acceptance

SEP-12 customer status accepted, then ParticipantPolicy approval tx confirms.

2

Credit proof

Collateral sufficiency proof job produces proof bytes, verifier accepts them, PrefundingCreditLine opens.

3

Private draw

CreditExecutor coordinates a real cUSDC confidential transfer and records DrawExecuted after success.

4

Auditor decrypt

Auditor decrypts the live cUSDC draw and repayment ciphertext refs, not old proof-of-life artifacts.

5

History proof

RepaymentHistoryRegistry verifies a threshold proof over private leaves without showing the individual records.

6

Scoped disclosure

DisclosureGrantRegistry proves grant scope, expiry, and revocation while the encrypted bundle remains off-chain.

Honest prover boundary

The current demo uses an anchor demo prover worker. Do not claim the backend never sees witness values unless proving is moved to browser WASM or anchor-controlled infrastructure.

demo prover-workerproduction: anchor-controlled prover

Anchor separation

SEP-31 payout status and Nyx product status are separate. A payout can be pending while private prefunding has already moved through quote, proof, draw, and repayment.

pending_senderpending_stellarprefunding_requiredcredit_drawn

06 - Operational controls

Pre-demo readiness checklist

Use a fresh active SEP-31 transaction before every demo run
Confirm /api/demo/state returns source: live and no quote fallback warnings
Refresh the oracle if the current ledger is outside the freshness window
Confirm Beta draw and repayment confidential artifacts are configured
Run credit open, draw, repay, and history proof serially
Do not claim browser-local proving unless the prover runs outside the backend stack