Architecture
Repository layout
daml/ Daml model: participant profiles, bilateral trades, cycle proposal and
participation, the atomic execute, and selective disclosure
app/ Off-ledger client: payload encryption, commitments, per-node verification,
the matching stand-in, the Ledger API client, and typed model bindings
demo/ Demo application: party selection and the per-party views, each rendered
from that party's own ledger projection
landing/ Landing site
docs/ This documentation site
deploy/ Local Canton sandbox script and topology notesThe Daml model (daml/)
The on-ledger contracts hold only commitments, ciphertext, topology, and boolean attestations — never cleartext economics.
- ParticipantProfile— signatory: the participant; optional observer: that participant's regulator, granted only through disclosure. Carries an encrypted sensitivity commitment.
- BilateralTrade— signatories: the two counterparties only. Carries the trade's economic terms as ciphertext plus a hash commitment. No operator party is ever a stakeholder. A NominateIntoCycle choice marks it eligible for a cycle by reference, without revealing terms.
- CompressionCycle— an accumulating contract. It starts signed only by the operator (carrying no economics); each invited participant exercises Commit, which recreates the cycle adding that participant to the signatory set along with its replacement-leg commitments and a withinTolerance boolean. Once every participant has committed, the operator exercises Execute: in one transaction it archives the nominated trades and creates the replacement legs, each signed only by its two counterparties. This composition is required because a Daml choice's authority does not accumulate across separate exercises — the accumulating contract is what lets one atomic transaction carry every participant's authority.
- SelectiveAuditDisclosure— participant-initiated; adds that participant's regulator as an observer on that participant's own contracts and decryption scope only, with no transitive disclosure to any other participant's data.
The off-ledger client (app/)
Runs on each participant's own side.
- crypto/— per-leg authenticated encryption (libsodium crypto_secretbox under a fresh content key), key-wrapping to a leg's counterparties via sealed boxes, and a salted hash commitment over the canonical cleartext.
- verify/— the per-node residual-risk check: a real, deterministic computation over a participant's own decrypted positions, comparing the movement a proposed compression would cause against the participant's declared tolerance.
- cycle/ — composes crypto and verify into what a participant actually submits: open and verify each replacement leg, then emit the on-ledger participation only if the check passes.
- solver/— the matching stand-in (see Scope below): a small, deterministic algorithm that nets each party's risk across a set of nominated trades and rebuilds those net positions with a minimal set of replacement legs.
- ledger/— a per-party JSON Ledger API v2 client: submit commands, read a party's own active contracts and its CREATE/ARCHIVE activity feed, and manage parties. It holds no key that can decrypt a payload.
- model/ — typed bindings between the Daml model and the JSON the ledger client sends and reads.
The demo (demo/)
A party-selection entry followed by per-party views, each rendered from that party's own Ledger API projection: a Compression Console, a Ledger/X-ray activity feed with a contract-detail drawer, an animated privacy-matrix scoreboard computed from real projection reads, a "try to cheat" control that genuinely attempts to reveal a position as the operator, and a live counter. Shares a dealer-terminal design system with the landing site.
Scope
This is a hackathon build focused on the privacy architecture, not a production compression engine.
- The matching is a real, deterministic algorithm, not a production risk model. It nets sensitivities and rebuilds a minimal replacement topology; it does not implement SIMM, SA-CCR, or CRIF.
- Operator-blind matching via multi-party computation, topology hiding, a legal-enforceability wrapper, asset settlement, and MainNet deployment are roadmap items, not part of this build.
- Key handling is demo-grade. The code is unaudited and runs on DevNet/local sandbox only.