Nyx compliance architecture
Compliance without public plaintext.
Nyx separates public accountability from private financial data. The chain proves that policy was followed, the auditor can decrypt live confidential token evidence, and regulators receive only scoped facts through expiring grants.
Public verifies status
Policy, proof, lifecycle, locks, and tx hashes.
Auditor decrypts trail
Live cUSDC draw and repayment ciphertexts.
Regulator sees scope
One encrypted bundle, one permission, one expiry.
01 - Visibility model
One position, different credentials
Static collateral balance is intentionally not decrypted in the demo. The proof shows sufficiency; the live confidential transfers emit auditor ciphertexts for draw and repayment.
02 - Data boundary
What can exist on-chain
Public chain stores
Never public state
Boundary rule: the backend stores SEP state, proof jobs, event references, and encrypted bundles. It does not become the privacy source of truth. Confidential token ciphertexts and verifier-checked proofs do.
03 - Control planes
Policy enforced before liquidity moves
KYB and participant policy
Anchor Platform callbacks create the customer status. ACCEPTED writes approval to ParticipantPolicy on-chain. REJECTED blocks quotes and credit opening.
Collateral policy
CollateralPolicyRegistry defines eligible collateral, haircut, and maximum tenor. The credit contract checks these values before opening a line.
Oracle freshness
OracleAdapter reads the configured price source and rejects stale values. Before a demo, refresh the oracle if ledgers have advanced past the window.
Replay prevention
Position nullifiers, collateral locks, and repayment history nullifiers prevent a proof, collateral allowance, or private repayment leaf from being reused.
Proof verification
Noir proofs are verified by UltraHonk verifier contracts on Soroban. Public inputs bind oracle price, haircut, tenor, lock key, and nullifier.
Auditor visibility
OZ confidential transfers emit auditor ciphertexts. The auditor can decrypt live draw and repayment amounts without making those amounts public.
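The control planes above, sketched as one pre-open gate over public inputs only. This is an added example in plain Rust, not Nyx contract code: the type names, field names, units (basis points, days, ledgers) and sample values are assumptions, and proof verification itself is left out.

```rust
use std::collections::{HashMap, HashSet};

#[derive(Debug, PartialEq)]
pub enum Reject { NotApproved, IneligibleCollateral, TenorTooLong, HaircutMismatch, StaleOracle, NullifierReused }

pub struct Policy { pub haircut_bps: u32, pub max_tenor_days: u32 } // assumed units

// Public inputs the proof is bound to; amounts stay private and never appear here.
pub struct PublicInputs<'a> {
    pub participant: &'a str,
    pub collateral: &'a str,
    pub haircut_bps: u32,
    pub tenor_days: u32,
    pub oracle_ledger: u32, // ledger at which the bound oracle price was published
    pub nullifier: [u8; 32],
}

#[derive(Default)]
pub struct Gate {
    pub approved: HashSet<String>,       // stands in for ParticipantPolicy approvals
    pub policy: HashMap<String, Policy>, // stands in for CollateralPolicyRegistry
    pub max_oracle_age: u32,             // freshness window, in ledgers
    pub spent: HashSet<[u8; 32]>,        // nullifiers already consumed
}

impl Gate {
    // Runs every policy check before any state changes, so a rejection leaves nothing behind.
    pub fn open_line(&mut self, pi: &PublicInputs, now_ledger: u32) -> Result<(), Reject> {
        if !self.approved.contains(pi.participant) { return Err(Reject::NotApproved); }
        let p = self.policy.get(pi.collateral).ok_or(Reject::IneligibleCollateral)?;
        if pi.tenor_days > p.max_tenor_days { return Err(Reject::TenorTooLong); }
        if pi.haircut_bps != p.haircut_bps { return Err(Reject::HaircutMismatch); }
        // A price stamped after the current ledger is treated as stale, not fresh.
        let fresh = now_ledger.checked_sub(pi.oracle_ledger).map_or(false, |age| age <= self.max_oracle_age);
        if !fresh { return Err(Reject::StaleOracle); }
        // Proof verification would sit here; the nullifier is consumed last, and only once.
        if !self.spent.insert(pi.nullifier) { return Err(Reject::NullifierReused); }
        Ok(())
    }
}

fn main() {
    let mut g = Gate { max_oracle_age: 100, ..Default::default() };
    g.approved.insert("anchor-a".into()); // constructed sample data
    g.policy.insert("USDC".into(), Policy { haircut_bps: 500, max_tenor_days: 30 });
    let pi = PublicInputs { participant: "anchor-a", collateral: "USDC", haircut_bps: 500,
                            tenor_days: 14, oracle_ledger: 1_000, nullifier: [7; 32] };
    println!("{:?} then {:?}", g.open_line(&pi, 1_050), g.open_line(&pi, 1_050));
}
```

Because the nullifier is recorded only after every other check passes, a request rejected for a stale oracle can be retried with the same nullifier once the price is refreshed.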
04 - Scoped disclosure
A thin registry that cannot leak amounts
DisclosureGrantRegistry records only permission metadata. The encrypted disclosure bundle remains off-chain, and the viewer secret belongs to the browser session.
Registry stores
Registry never stores
05 - Audit evidence
Evidence chain for the demo
Anchor acceptance
SEP-12 customer status accepted, then ParticipantPolicy approval tx confirms.
Credit proof
Collateral sufficiency proof job produces proof bytes, verifier accepts them, PrefundingCreditLine opens.
Private draw
CreditExecutor coordinates a real cUSDC confidential transfer and records DrawExecuted after success.
Auditor decrypt
Auditor decrypts the live cUSDC draw and repayment ciphertext refs, not old proof-of-life artifacts.
History proof
RepaymentHistoryRegistry verifies a threshold proof over private leaves without showing the individual records.
Scoped disclosure
DisclosureGrantRegistry proves grant scope, expiry, and revocation while the encrypted bundle remains off-chain.
Honest prover boundary
The current demo uses an anchor demo prover worker. Do not claim the backend never sees witness values unless proving is moved to browser WASM or anchor-controlled infrastructure.
Anchor separation
SEP-31 payout status and Nyx product status are separate. A payout can be pending while private prefunding has already moved through quote, proof, draw, and repayment.
06 - Operational controls