Atomic, multi-agent transactional orchestration engine built inside secure enclaves with 100% cryptographic rollback guarantees.
β‘ Reviewers / judges: fastest path is GOLDEN_PATH.md β the entire flow in ~2 minutes, no credentials. Bug-bounty track: SDK_AUDIT.md (confirmed, code-cited findings from the real
@terminal3SDK).
Atomically orchestrated multi-agent transaction:
- Client submits payout envelope encrypted via ECIES and a Groth16 limit proof.
- Coordinator stages CCF KV states and evaluates specialists sequentially (Treasury and Compliance).
- If either agent vetos or fails, TEE state rolls back with zero side-effects. On success, the Blind Paymaster executes the payout.
In enterprise treasury operations, a single agent should never have unilateral authority to release funds. Traditional Web2 agent frameworks (like LangChain or crewAI) orchestrate multi-agent actions sequentially over HTTP.
If Agent B (Compliance) vetoes a transaction after Agent A (Treasury) has already committed its database write or triggered an intermediate API request, the system is left in a broken, half-executed state. Resolving these race conditions requires complex distributed transaction coordinators (e.g. the Saga pattern), which cannot guarantee hardware-isolated privacy or prevent front-running.
Synod turns independent agents into a unified, transactional agent platform. By leveraging the Terminal 3 Agent Dev Kit (ADK) inside secure TEE enclaves, Synod runs cross-contract workflows under a single atomic transaction boundary.
Either every agent approves and the final blind paymaster executes, or the entire transaction abortsβrolling back all staged states inside the TEE KV store with zero side effects. Privacy is guaranteed: no intermediate agent, not even the coordinator, can view the plaintext payment credentials.
Key Features:
- π TEE Secure Boundary: Executes multi-agent sequence inside Intel TDX enclaves ensuring hardware-isolated privacy.
- β‘ Atomic Rollback Journal: Automatically reverts all staged CCF KV writes and aborts egress webhooks on veto/outage.
- π ECIES Envelope Encryption: Client-side payload encryption ensures only the final Executor Agent can decrypt recipient details inside secure memory.
- π‘οΈ ZK Compliance Proofs: Groth16 zero-knowledge proofs verify payout limits without exposing transaction amounts in audit logs.
| Layer | Component / Technology |
|---|---|
| Frontend Console | Next.js 14, React 18, Tailwind CSS |
| Client SDK | @edycutjong/synod-sdk (ECIES payload encryption, ZK commitments generation) |
| TEE Contracts | Rust WASM (wasm32-wasip2), Cargo Workspace (coordinator, approver-a, approver-b, executor) |
| State Storage | File-based JSON Database / CCF-replicated KV namespace simulator |
| Core Security | Intel TDX Hardware Enclaves |
sequenceDiagram
autonumber
actor User as Client Dashboard
participant Coord as Synod Coordinator Agent
participant AppA as Approver A (Treasury)
participant AppB as Approver B (Compliance)
participant Exec as Executor (Paymaster)
participant KV as CCF KV Store (TEE)
User->>Coord: compose-action (ECIES envelope, ZK proof)
activate Coord
Note over Coord: Stage KV state as "submitting"
Coord->>KV: Stage State
Coord->>AppA: contracts-call: evaluate()
activate AppA
AppA-->>Coord: approved
deactivate AppA
Coord->>AppB: contracts-call: evaluate-zk(proof, limit)
activate AppB
Note over AppB: Verify Groth16 proof relation
AppB-->>Coord: approved / vetoed
deactivate AppB
alt If Approved
Coord->>Exec: contracts-call: execute-blind(envelope)
activate Exec
Note over Exec: Decrypt ECIES payload in TEE memory
Note over Exec: http-with-placeholders: POST bank/webhook
Exec-->>Coord: settled + signed VC receipt
deactivate Exec
Coord->>KV: Commit transaction state as "committed"
Coord-->>User: committed + VC receipt
else If Vetoed / Aborted
Coord->>KV: Roll back staged KV states to "aborted"
Coord-->>User: aborted (Zero side-effects)
end
deactivate Coord
Synod is built around the Terminal 3 Agent Dev Kit (ADK) and would be technically impossible to implement on conventional Web2 agent frameworks. We utilize 6 key Host API methods:
contracts-call: Invokes leaf enclaves synchronously within a single hardware transaction boundary, enabling true all-or-nothing rollback semantics.http-with-placeholders: Securely replaces ECIES decrypted account placeholders at the egress network edge.signing: Signs composite Verifiable Credential receipts verifying the approval trace.kv-store: Manages staged/committed state variables in a replicated database.logging: Securely streams execution traces to the war-room panel without exposing private variables.clock: Validates consensus windows and transaction timeouts.
- Contracts Call Stack Depth: The current
contracts-callAPI restricts nested calls to a stack depth of 3. Synod works around this by implementing a flat coordinator-leaf design. - Strict Interface Serialization: The VM requires strict interface layouts; any discrepancy in calldata byte alignments crashes the WASM runtime. Synod wraps calls in explicit validation containers to prevent silent failures.
- Node.js β₯ 20
- npm
- Rust & Cargo (to compile contracts)
- target wasm32-wasip2:
rustup target add wasm32-wasip2
Synod uses a root-level Makefile to coordinate its packages.
- Clone the repository and navigate to the project directory:
git clone https://github.com/edycutjong/dorahacks-t3launch-synod.git cd dorahacks-t3launch-synod - Bootstrap all dependencies:
make bootstrap
- Compile all packages (Contract, UI, SDK, CLI):
make build
- Configure environment variables:
cp .env.example .env
- Run the local dev server:
cd ui && npm run dev
Synod is guarded by a comprehensive 6-stage production-grade CI/CD pipeline (Quality β Security β Build β E2E β Performance β Deploy).
# ββ Setup and Installation ββββββββββββββββββ
make bootstrap # Install dependencies in all folders
# ββ Code Quality ββββββββββββββββββββββββββββ
make lint # Run ESLint checks
make typecheck # Verify TypeScript compilation safety
make test # Run unit and integration tests (Contract, UI)
make ci # Run the core CI checks (lint, typecheck, test)
# ββ Advanced Verification βββββββββββββββββββ
make e2e # Run Playwright E2E tests (demo mode)
make lighthouse # Run Lighthouse CI audit on the UI dashboard
make security-scan # Run vulnerability audits and license compliance checks| Layer | Tool | Status |
|---|---|---|
| Code Quality | ESLint + TypeScript Strict | β |
| Unit Testing | Jest (UI) + Cargo test (Contract) | β |
| E2E Testing | Playwright (3 suites, responsive, smoke, transactional flow) | β |
| Security (SAST) | CodeQL Semantic Analysis | β |
| Security (SCA) | Dependabot + npm audit | β |
| Secret Scanning | TruffleHog Commits/Secrets | β |
| Performance | Lighthouse CI (A11y >= 90%, Perf >= 80%) | β |
dorahacks-t3launch-synod/
βββ .github/ # GitHub Actions workflows & Dependabot
βββ cli/ # CCF Enclave CLI administration utilities
βββ contract/ # Rust enclave WASM contract workspace
β βββ coordinator/ # Transaction orchestrator contract
β βββ approver-a/ # Budget treasury specialist contract
β βββ approver-b/ # Compliance Groth16 verification contract
β βββ executor/ # Blind paymaster enclave contract
βββ data/ # Seed database and transaction payloads
βββ docs/ # README assets (hero, screenshots, audit reports)
βββ scripts/ # Benchmarking and seed scripts
βββ sdk/ # Client cryptography helper library
βββ ui/ # Next.js Dashboard UI (port 3000)
β βββ e2e/ # Playwright E2E tests
β βββ src/ # Next.js page components
β βββ lighthouserc.json
βββ Makefile # Automation shortcuts
βββ package.json # Root package workspace runner
βββ README.md # You are here
This project is submitted to the Terminal 3 ADK Dev Challenge 2026 as part of the Vouch Suite (a 5-enclave system including Epoch, Lethe, Silo, Synod, and Visor).
While building these enclaves we audited the T3 ADK host APIs and SDK and documented 10 concrete onboarding bugs and documentation gaps β each with a repro, impact, and the workaround we shipped β for the Track 2 bug bounty.
β‘οΈ See BUGS.md for the full audit. Highlights for Synod:
- Gap #10 β
contracts-callnested-revert & reentrancy semantics are undocumented β Synod's whole premise (a single approver veto reverting the TreasuryβComplianceβExecutor tree) depends on this. - Gap #8 β transaction rollback boundary is unspecified β what an
Errreverts across staged KV writes is the core atomicity guarantee. - Bug #2 β
kv-storeinterface discrepancy: WIT declaresget(map-name, key)but the C ABI is flat(key_ptr, key_len)(Synod stagessubmitting/committed/aborted).
MIT Β© 2026 Synod Authors
