1. Non-Custodial Design Principles
The JIL wallet is built on a single foundational principle: the user controls their assets at all times. JIL cannot unilaterally move, freeze, or seize any user funds. This is not a policy choice - it is an architectural constraint enforced by cryptographic key distribution and on-chain policy rules.
Asset Handling Covenant:
- User key supremacy: The user always holds at least one MPC shard. No combination of JIL-held shards can produce a valid signature without user participation (Lane A & B). In Lane C (qualified custody), a licensed third-party custodian holds the co-sign shard - not JIL.
- No unilateral movement: JIL cannot move, freeze, or redirect user assets. There is no admin key, no backdoor, and no override mechanism that bypasses user consent.
- Deterministic policy enforcement: All wallet policies (spending limits, time-locks, recovery rules) are enforced by on-chain smart contracts with published, auditable logic. No human discretion is involved in policy execution.
- Transparent reserves: All wrapper tokens (jBTC, jETH, jUSDC) are backed 1:1 by segregated reserves. Proof-of-reserves is published on-chain and independently auditable at any time.
- Right to exit: Users can unwrap wrapper tokens and withdraw underlying assets to any external address at any time, subject only to standard network confirmation times. There are no lock-up periods, no exit fees, and no withdrawal gates.
Non-Custodial Control Test
A wallet is non-custodial if and only if: (1) the operator cannot produce a valid transaction signature without the user's active participation, and (2) the user can independently recover and transfer assets without the operator's cooperation. The JIL wallet satisfies both conditions across all three custody lanes.
Key Distinction: JIL is infrastructure, not a custodian. The platform provides cryptographic tools, policy enforcement, and protection coverage. It does not take custody of assets, hold omnibus balances, or maintain discretionary control over user funds.
2. Three MPC Wallet Lanes
The JIL wallet offers three distinct custody configurations ("lanes"), each designed for a different risk profile and regulatory context. Users choose their lane at wallet creation and can upgrade between lanes as their needs evolve.
| Property | Lane A: Pure Self-Custody | Lane B: Policy Co-Sign | Lane C: Qualified Custody |
|---|---|---|---|
| MPC Configuration | 2-of-2 (User + User backup) | 2-of-3 (User + JIL policy + User backup) | 2-of-3 (User + Custodian + User backup) |
| JIL Shard | None - JIL holds no key material | Policy co-sign shard (cannot act alone) | None - licensed custodian holds co-sign |
| Transaction Signing | User signs independently | User initiates, JIL co-signs per policy rules | User initiates, custodian co-signs per SLA |
| Policy Enforcement | User-defined on-chain rules only | JIL policy engine + user rules | Custodian SLA + user rules |
| Protection Coverage | Not eligible | Up to $250K+ per incident | Custodian's own protection + JIL coverage |
| Recovery | User backup shard only | Guardian recovery (24h timelock) | Custodian recovery + guardian fallback |
| Best For | Crypto-native users, maximum sovereignty | Individuals, small funds, retail users | Institutions, funds, corporate treasuries |
| Regulatory Posture | Non-custodial (no counterparty) | Non-custodial (JIL is co-signer, not custodian) | Qualified custody (regulated third party) |
Lane Selection Logic
Lane selection is explicit and informed. During wallet creation, users are presented with a clear comparison of trade-offs. The default recommendation is Lane B for most users, as it balances sovereignty with recovery options and protection coverage. Users can change lanes at any time - upgrading from A to B requires adding the JIL co-sign shard; downgrading from B to A requires removing it (with a 48-hour cooldown for security).
Lane B is the default recommendation because it provides the strongest combination of user control, recovery options, and protection coverage. Lane A is for users who want zero third-party involvement. Lane C is for institutions that require regulated custody for compliance or fiduciary reasons.
3. Wrapper Token Model
When users deposit external assets (BTC, ETH, USDC) into the JIL ecosystem, they receive wrapper tokens - jBTC, jETH, jUSDC - that represent a 1:1 claim on the underlying asset held in segregated reserves. Wrapper tokens are the native asset format within the JIL ledger.
What wrapper tokens are: A receipt token representing a 1:1 claim on a real underlying asset held in segregated, auditable reserves. jBTC is not synthetic BTC. It is not a derivative. It is not a stablecoin pegged to BTC. It is a transferable claim on actual BTC held in a segregated reserve address, verifiable on-chain at any time.
Design Principles
- 1:1 backing, always: Every jBTC in circulation is backed by exactly 1 BTC in segregated reserves. No fractional reserves. No rehypothecation. No lending of reserves.
- Segregated reserves: Reserve assets are held in dedicated, single-purpose addresses that are distinct from JIL operational wallets. Reserve addresses are published and independently verifiable.
- Proof-of-reserves: On-chain attestations published at regular intervals (and available on-demand) that prove the reserve balance equals or exceeds the wrapper token supply.
- Not synthetic: Wrapper tokens derive their value from actual underlying assets, not from algorithmic pegs, collateral ratios, or market-making mechanisms.
- Instant unwrap: Users can burn wrapper tokens and receive the underlying asset at any time. No lock-ups. No queues. No exit fees. The only delay is the underlying chain's confirmation time.
Supported Wrapper Tokens
| Wrapper | Underlying | Reserve Chain | Mint/Burn | Proof Frequency |
|---|---|---|---|---|
| jBTC | Bitcoin (BTC) | Bitcoin mainnet | 14-of-20 validator bridge | Every 100 blocks (~25 min) |
| jETH | Ether (ETH) | Ethereum mainnet | 14-of-20 validator bridge | Every 100 blocks (~20 min) |
| jUSDC | USDC (Circle) | Ethereum mainnet | 14-of-20 validator bridge | Every 100 blocks (~20 min) |
4. Wrapper Lifecycle
The wrapper token lifecycle follows a five-step flow from deposit to exit. Each step is deterministic, auditable, and requires no human intervention beyond the user's initial action.
| Step | Action | Description |
|---|---|---|
| 1. Deposit | Send to bridge | User sends BTC/ETH/USDC to a dedicated deposit address generated by the bridge. |
| 2. Finality | Wait for confirmations | Bridge waits for sufficient confirmations on the source chain (6 for BTC, 32 for ETH). |
| 3. Wrap | Validator attestation | 14-of-20 validators attest to the deposit. jBTC/jETH/jUSDC minted 1:1 to user's JIL wallet. |
| 4. Transact | Use on JIL L1 | User transacts freely on JIL L1: send, trade, settle, stake. Sub-second finality. |
| 5. Burn to Exit | Unwrap and withdraw | User burns wrapper tokens. Bridge releases underlying asset to user's external address. |
Mint Process (Detailed)
- User requests a deposit address from the bridge contract, specifying the asset type (BTC/ETH/USDC).
- Bridge generates a unique, single-use deposit address linked to the user's JIL wallet address.
- User sends the underlying asset to the deposit address on the source chain.
- Bridge monitors the source chain for the deposit transaction and waits for finality (configurable confirmation threshold).
- Once finality is reached, 14-of-20 validators independently verify the deposit and sign a mint attestation.
- When the quorum threshold is met, the JIL ledger mints the corresponding wrapper tokens to the user's wallet.
- A proof-of-reserves update is triggered, reflecting the new reserve balance.
Burn Process (Detailed)
- User initiates a burn transaction, specifying the wrapper token amount and the destination address on the external chain.
- Wrapper tokens are burned (destroyed) on the JIL ledger immediately.
- 14-of-20 validators sign a release attestation authorizing the transfer of underlying assets.
- Bridge releases the underlying asset from the reserve address to the user's specified destination.
- Proof-of-reserves is updated to reflect the reduced reserve balance.
5. Liquidity Design
The JIL wallet does not require users to convert between assets or use wrapper tokens for basic operations. Users can hold and transact in native JIL tokens without ever interacting with the wrapper system. Wrapping is optional and is only needed when users want to bring external assets into the JIL ecosystem.
No Forced Conversion
- Users are never required to swap, convert, or wrap assets as a prerequisite for using the wallet.
- JIL tokens can be sent, received, and used for all platform operations without wrapping.
- Wrapper tokens (jBTC, jETH, jUSDC) are an opt-in feature for users who want to bring external assets on-chain.
Optional RFQ Routing
For users who want to trade between assets (e.g., jBTC to jUSDC), the wallet integrates with the JIL RFQ (Request for Quote) system. RFQ routes orders to external liquidity providers who compete to offer the best price. This is entirely optional - no market-making obligation falls on the user or on JIL.
| Feature | How It Works | User Impact |
|---|---|---|
| RFQ Routing | User requests a quote; multiple LPs compete; best price wins | Better execution than single-source pricing |
| AMM v5 Integration | On-chain AMM with batch auctions for price discovery | Available for all supported pairs |
| Cross-Chain Swaps | Atomic swap via bridge: burn jBTC, release BTC, mint jUSDC from USDC deposit | Single transaction from user perspective |
6. Authentication & Passkeys
The JIL wallet replaces traditional password-based authentication with WebAuthn passkeys - hardware-bound, phishing-resistant credentials that use biometric verification (Face ID, fingerprint, Windows Hello) or security keys.
WebAuthn Ceremony
- Registration: User creates a passkey on their device. The device generates a public-private keypair in a secure enclave (TPM, Secure Enclave, or equivalent). The private key never leaves the device.
- Authentication: To sign a transaction, the user performs a biometric challenge (face scan, fingerprint). The device signs a challenge with the private key and returns the signature to the wallet.
- Verification: The wallet verifies the signature against the registered public key. No password, no OTP, no SMS - just a biometric gesture on the user's own device.
Security Properties
| Property | Description |
|---|---|
| Phishing Resistant | Passkeys are domain-bound. A credential created for jilsovereign.com cannot be used on a phishing domain. The browser enforces this automatically. |
| Device Bound | Private keys live in hardware secure enclaves and cannot be extracted, exported, or copied. Compromise of the server does not compromise the credential. |
| Multi-Device | Users can register multiple passkeys across devices (phone, laptop, security key) for redundancy. Any registered device can authenticate. |
| No Shared Secrets | Unlike passwords, passkeys use asymmetric cryptography. The server only stores the public key. There is nothing to steal from the server side. |
Transaction Signing Flow
Every transaction requires explicit user approval via biometric passkey. The flow is: Review transaction details (amount, recipient, fees) - Biometric challenge (Face ID / fingerprint) - MPC co-sign (Lane B: JIL policy engine auto-co-signs if policy rules pass; Lane C: custodian co-signs per SLA) - Submit to ledger.
7. Guardian Recovery
If a user loses access to their device or passkey, the JIL wallet provides a guardian recovery mechanism that restores access without requiring JIL to hold or use any key material on the user's behalf.
How Guardian Recovery Works
- Setup (before loss): User designates 3-5 trusted guardians (family members, colleagues, or institutional guardians). Each guardian receives a recovery shard encrypted to their own wallet.
- Initiation (after loss): User contacts guardians and requests recovery. A majority of guardians (e.g., 3-of-5) must independently approve the recovery request from their own wallets.
- Timelock (24 hours): Once the guardian quorum is reached, a mandatory 24-hour timelock begins. During this period, the original wallet holder can cancel the recovery if it was unauthorized. Notifications are sent to all registered devices and email addresses.
- Key rotation: After the timelock expires, a new MPC key shard is generated and bound to the user's new device/passkey. The old shard is cryptographically invalidated.
Recovery Guarantees
| Guarantee | Description |
|---|---|
| No JIL Discretion | Recovery is fully deterministic. JIL cannot approve or deny a recovery request. The guardian quorum and timelock rules are enforced by smart contract. |
| Anti-Coercion | The 24-hour timelock gives the original owner time to cancel a fraudulent recovery attempt. This protects against social engineering of guardians. |
| Independent Exit | Lane A users can recover using their backup shard alone, with no guardian involvement. Lane B/C users have both guardian and backup shard recovery paths. |
Recovery is not custody. At no point during recovery does JIL hold, generate, or access the user's private key material. Guardians approve the rotation of key shards - they do not gain access to assets or signing authority.
8. Protection Coverage
Lane B and Lane C wallets include up to $250,000 in per-incident protection coverage, underwritten by a licensed third-party protection coverage provider. This is not government-backed deposit insurance - it is a commercial protection coverage product specifically designed for digital asset custody.
Coverage Scope
| Covered | Not Covered |
|---|---|
| Unauthorized transactions due to platform security breach | Market losses or price depreciation |
| MPC co-signer compromise (JIL-side or custodian-side) | User negligence (sharing passkey, social engineering) |
| Bridge exploit resulting in reserve loss | Regulatory seizure or sanctions enforcement |
| Smart contract vulnerability in JIL protocol code | Third-party DeFi protocol losses |
| Validator collusion (byzantine fault beyond 14-of-20 threshold) | Loss of user's own backup shard |
Important Disclaimers
This is NOT FDIC deposit insurance. Protection coverage is provided by a licensed third-party commercial underwriter and is subject to policy terms, conditions, and exclusions. Coverage limits apply per incident, not per account. JIL Sovereign is not a bank, is not FDIC-insured, and does not offer government-guaranteed deposit protection. Users should review the full protection coverage policy terms before relying on coverage.
Claims Process
- Incident detection: Automated monitoring detects unauthorized activity or platform compromise. User can also report directly.
- Investigation: On-chain forensics determine whether the incident falls within coverage scope. All evidence is cryptographically verifiable.
- Claim submission: Verified claims are submitted to the protection coverage underwriter with on-chain evidence package.
- Payout: Approved claims are paid directly to the affected user's wallet, up to the $250K+ per-incident limit.
9. Compliance Zones
The JIL wallet integrates with the platform's 13-zone compliance framework, ensuring that every transaction passes a pre-transaction compliance preflight before execution. This allows users to transact freely within their jurisdictional boundaries while maintaining full regulatory compliance.
13 Compliance Zones
| Zone | Jurisdiction | Regulator | Key Requirements |
|---|---|---|---|
| US_FINCEN | United States | FinCEN | BSA/AML, OFAC sanctions, CTR/SAR reporting |
| DE_BAFIN | Germany | BaFin | KWG licensing, MiCA compliance, PSD2 |
| EU_ESMA | European Union | ESMA | MiCA, AMLD6, DORA operational resilience |
| SG_MAS | Singapore | MAS | PSA licensing, travel rule, sanctions screening |
| CH_FINMA | Switzerland | FINMA | AMLA, DLT framework, qualified custody |
| GB_FCA | United Kingdom | FCA | FCA registration, MLR 2017, travel rule |
| JP_JFSA | Japan | JFSA | FIEA registration, cold storage requirements |
| AE_FSRA | UAE | FSRA (ADGM) | FSRA framework, VASP requirements |
| BR_CVM | Brazil | CVM | CVM Normative 175, LGPD data protection |
| GLOBAL_FATF | Global fallback | FATF | Travel rule, risk-based AML, sanctions |
Pre-Transaction Compliance Preflight
Before any transaction is submitted to the ledger, the wallet performs a compliance preflight that checks:
- Sanctions screening: Sender and recipient addresses checked against OFAC, EU, UN, and jurisdiction-specific sanctions lists.
- Transaction limits: Per-transaction and velocity limits enforced per zone (e.g., US_FINCEN: $10K CTR threshold).
- Travel rule: For transactions above threshold amounts, originator and beneficiary information is collected and transmitted per FATF Recommendation 16.
- Asset restrictions: Certain assets may be restricted in specific zones (enforced per zone policy).
- Corridor restrictions: Cross-border transfer rules enforced based on sender and recipient zones.
Zero-Knowledge Compliance Proofs
For privacy-sensitive compliance checks, the wallet generates ZK proofs that demonstrate compliance without revealing underlying data. For example: "this transaction is below the $10K CTR threshold" without revealing the exact amount. ZK proofs are generated client-side and verified by validators.
10. Cross-Chain Bridge
The JIL wallet connects to external blockchains through a 14-of-20 validator bridge - the same infrastructure used for wrapper token minting and burning. The bridge is the gateway between the JIL L1 ledger and external chains (Bitcoin, Ethereum, and future integrations).
Bridge Architecture
- 14-of-20 quorum: Any bridge operation (mint, burn, transfer) requires signatures from at least 14 of 20 validators distributed across 13 jurisdictions. This provides Byzantine fault tolerance up to 6 compromised validators.
- Multi-chain support: Bitcoin (native SegWit), Ethereum (ERC-20), and future chains via adapter modules.
- Finality guarantees: Bridge operations wait for source-chain finality (6 confirmations BTC, 32 confirmations ETH) before minting wrapper tokens.
- Reserve segregation: Each asset type has a dedicated reserve address. Reserve addresses are multisig-controlled by the validator set.
Bridge Risk Disclosure
Cross-chain bridges involve inherent risk. While the 14-of-20 validator quorum provides strong security, bridge operations depend on the security of both the JIL L1 and the external chain. Users should understand that: (1) bridge transactions are irreversible once finality is reached on both chains, (2) extreme network congestion on external chains may delay bridge operations, (3) bridge security depends on the honest behavior of at least 14 of 20 validators, and (4) smart contract risk exists despite auditing and formal verification.
11. Secure Document Vault (SDV)
The JIL wallet includes a Secure Document Vault (SDV) - encrypted, content-addressable document storage that allows users to upload, manage, and selectively share sensitive documents directly from their wallet. SDV is built on Hetzner S3-compatible object storage with client-side encryption and SHA-256 content hashing.
Design Principles
- Client-side encryption: Documents are encrypted on the user's device before upload. The encryption key is derived from the user's MPC key shard. JIL never has access to plaintext document content.
- Content-addressable storage: Each document is stored under its SHA-256 content hash (
docs/{sha256}). This ensures deduplication, integrity verification, and tamper detection. - Zero-knowledge metadata: Document metadata (name, type, size) is stored in the wallet database, encrypted at rest. The storage backend only sees opaque content hashes.
- User sovereignty: Users own and control their documents at all times. Documents can be permanently deleted by the owner. JIL cannot access, read, or share user documents without explicit user authorization.
Supported Document Types
| Category | Types | Max Size | Use Cases |
|---|---|---|---|
| Identity | PDF, JPG, PNG | 50 MB | Passport, driver's license, national ID, proof of address |
| Financial | PDF, XLSX, CSV | 50 MB | Bank statements, tax returns, audit reports, fund documentation |
| Legal | PDF, DOCX | 50 MB | Incorporation documents, operating agreements, power of attorney |
| Compliance | PDF, JSON | 50 MB | KYC/AML certificates, compliance attestations, regulatory filings |
Document Lifecycle
- Upload: User selects a file from their device. The wallet encrypts the file client-side, computes the SHA-256 hash, and uploads the encrypted blob to SDV.
- Index: Document metadata (name, type, size, hash) is stored in the wallet database, linked to the user's wallet ID.
- Share (optional): User can share documents with other users via handle-based access grants (see Section 12).
- Verify: Any party with access can verify document integrity by comparing the content hash against the stored SHA-256. Tampered documents fail verification.
- Delete: Owner can permanently delete a document. The encrypted blob is removed from SDV, all access grants are revoked, and metadata is purged.
SDV is not a public blockchain. Documents are stored in encrypted object storage, not on-chain. Only the SHA-256 content hash can optionally be anchored on-chain for provenance attestation. This provides the integrity guarantees of blockchain without the privacy and scalability limitations of on-chain storage.
12. Handle-Based Document Sharing
The JIL wallet uses @handle-based addressing for document sharing. Instead of sharing via wallet addresses or email, users share documents by entering the recipient's JIL handle (e.g., @alice). The handle system resolves to the recipient's wallet, and access is granted with configurable permissions and expiration.
Sharing Flow
- Select document: Owner chooses a document from their vault to share.
- Enter handle: Owner enters the recipient's @handle. The system resolves the handle to a verified user account.
- Set access type: Owner chooses between View (read-only, no download) and Download (full access to retrieve the decrypted file).
- Set expiration: Owner configures the access duration:
- 1 hour - for time-sensitive verifications
- 24 hours - for standard document review
- 7 days - for due diligence periods
- 30 days - for ongoing business relationships
- Unlimited - permanent access until explicitly revoked
- Grant access: A share record is created. The recipient sees the document in their "Shared With Me" tab with the granted permissions.
Access Control
| Property | Description |
|---|---|
| Granular Permissions | Each share grant specifies exactly one access type (view or download). No implicit escalation. |
| Time-Bound Access | Expired shares are automatically invalidated. The recipient can no longer access the document after expiration. |
| Instant Revocation | Owner can revoke any share at any time, regardless of the original expiration setting. Revocation is immediate. |
| Audit Trail | Every share grant, access, and revocation is logged with timestamp. Owner has full visibility into who accessed their documents and when. |
| Handle Resolution | Handles are resolved server-side to verified user accounts. Invalid or unregistered handles are rejected at share time. |
Use Cases
- KYC document sharing: Share identity documents with a compliance officer's @handle for verification, with 24-hour expiration.
- Institutional due diligence: Share fund documentation with a counterparty's @handle for 7-day review period.
- Regulatory filing: Share compliance attestations with a regulator's @handle with unlimited access for ongoing oversight.
- Proof of reserves: Share audit reports with investors' @handles with 30-day access windows.
Privacy by design. Document content is never exposed to JIL. The sharing mechanism grants the recipient a decryption key for the specific document, time-limited and revocable. JIL facilitates the key exchange via the handle system but cannot read the document content at any point.
13. Document API
The wallet exposes a RESTful API for programmatic document management. All endpoints require JWT authentication and operate within the user's own document scope.
| Method | Endpoint | Description |
|---|---|---|
| GET | /documents | List all documents in the user's vault. Returns metadata (name, type, size, hash, upload date). |
| POST | /documents/upload | Upload a new document. Accepts base64-encoded content, filename, and MIME type. Returns document ID and SHA-256 hash. |
| DELETE | /documents/:id | Permanently delete a document. Removes encrypted blob from SDV, revokes all shares, and purges metadata. |
| POST | /documents/:id/share | Share a document with a @handle. Requires handle, access type (view/download), and optional expiration. |
| GET | /documents/:id/shares | List all active shares for a document. Shows recipient handle, access type, expiration, and creation date. |
| POST | /documents/:id/revoke | Revoke a specific share by share ID. Immediately invalidates the recipient's access. |
| GET | /documents/shared-with-me | List documents shared with the current user by others. Shows document name, owner handle, access type, and expiration. |
Upload Request
POST /documents/upload
Authorization: Bearer <jwt>
Content-Type: application/json
{
"filename": "passport_scan.pdf",
"mimeType": "application/pdf",
"content": "<base64-encoded-data>"
}
Response:
{
"id": "doc_a1b2c3d4",
"sha256": "e3b0c44298fc1c149afb...",
"filename": "passport_scan.pdf",
"size": 245760,
"createdAt": "2026-03-02T10:30:00Z"
}Share Request
POST /documents/doc_a1b2c3d4/share
Authorization: Bearer <jwt>
Content-Type: application/json
{
"handle": "@alice",
"accessType": "view",
"expiresIn": "24h"
}
Response:
{
"shareId": "share_x1y2z3",
"handle": "@alice",
"accessType": "view",
"expiresAt": "2026-03-03T10:30:00Z"
}Rate limits: Upload is limited to 10 documents per hour per user. Share is limited to 50 grants per hour per user. These limits protect against abuse while supporting normal institutional workflows.
14. Implementation Roadmap
| Phase | Timeline | Milestone | Details |
|---|---|---|---|
| Phase 1 | Q1 2026 | Lane A: Pure Self-Custody | 2-of-2 MPC wallet, WebAuthn passkey authentication, basic send/receive, JIL native token support. No wrapper tokens, no co-signing. Target: crypto-native early adopters. |
| Phase 2 | Q2 2026 | Wrapper Tokens + Bridge + SDV | jBTC, jETH, jUSDC wrapper tokens. 14-of-20 validator bridge. Proof-of-reserves. Deposit, wrap, transact, burn-to-exit lifecycle. Reserve auditing dashboard. Secure Document Vault (SDV) with encrypted upload, handle-based sharing, and expiration controls. |
| Phase 3 | Q3 2026 | Lane B + RFQ + Protection | Lane B policy co-sign. Guardian recovery with 24h timelock. $250K+ protection coverage (third-party underwriter onboarded). RFQ integration for cross-asset trading. AMM v5 integration. Advanced document sharing with ZK-proof-based access attestations. |
| Phase 4 | Q4 2026 | Lane C: Qualified Custody | Licensed third-party custodian integration. Institutional onboarding flow. Enhanced compliance reporting. Multi-entity wallet management. Full 10-zone compliance enforcement. |
15. Connected Ecosystem
The JIL Wallet integrates seamlessly with every component of the JIL Sovereign platform.
| Component | Description |
|---|---|
| Wallet App | Non-custodial MPC wallet with WebAuthn passkeys |
| DEX & AMM v5 | Dual-lane trading with batch auctions and RFQ |
| Settlement Engine | T+0 atomic settlement across 13 jurisdictions |
| Cross-Chain Bridge | 14-of-20 validator bridge for BTC, ETH, USDC |
| Secure Document Vault | Encrypted document storage with handle-based sharing and expiration controls |