ShieldCard
Technical Overview

How ShieldCard Enforces
Confidential Policy

Three stages. One policy. No plaintext.

Stage 1

Encrypted Policy Evaluation

When an employee submits a spend request, their browser encrypts the amount using Fhenix CoFHE before the transaction is signed. The plaintext never leaves their device.

ShieldCardControlPlane evaluates the request entirely on ciphertext: FHE.add accumulates the running budget, FHE.lte compares against limits, FHE.and combines conditions, and FHE.select routes to auto-approve, review, or deny. The contract never sees a plaintext number.

Request flow

Browser encrypts amount with CoFHE
Ciphertext submitted on-chain
FHE.add accumulates budget
FHE.lte compares against limit
FHE.select routes outcome
Threshold network signs result
Admin publishes signed status

Request lifecycle

1
Submitted
2
Decided
3
Settleable
4
Approved
5
Settled
6
Verifiable
Stage 2

Settlement and Audit Trail

Approved requests move to ShieldCardSettlement. High-risk or high-value requests require multi-approver sign-off before settlement executes. Settlement transfers testnet MockUSDC to the recipient.

Each settlement commits the previous receipt hash, forming a tamper-evident chain. Anyone can verify any receipt at /verify — no wallet required.

Stage 3

Scoped Auditor Access

The admin grants an auditor FHE.allow permission on specific request ciphertexts. The auditor can decrypt only those requests using their own wallet permit — nothing outside their granted scope is accessible.

Budget compliance can be proven without revealing any amount. The ShieldCardBudgetAttestor computes a boolean comparison over encrypted budget usage and reveals only YES or NO.

Observer View

••••••
••••••
••••••
••••••

Auditor View

Decrypted
Decrypted
Sealed
Sealed

Ready to deploy for your team?

Three contracts. One-click deployment on Arbitrum Sepolia.

Deploy on Arbitrum Sepolia Explore the Live Demo