ROADMAP

One-time addresses for every transaction using Elliptic Curve Diffie-Hellman key exchange. Recipients receive funds without revealing their public address.

Post-quantum STARK proofs over Goldilocks (custom on-chain FRI verifier, no Winterfell dep). 6 AIRs covering shield, unshield, balance, merkle, subscribe, pool ownership. ~889K CU verification — fits the Solana compute budget.

Fully on-chain trustless relayer (no backend server). Quantum vault with WOTS+ signatures, hash-timelock, and commit-then-reveal for quantum-safe withdrawals.

Real-time token streaming for subscriptions and recurring payments. Create, pause, and cancel streams with per-second settlement.

In-app token swaps powered by Jupiter aggregator with best-price routing across Solana DEXes.

Full-featured Solana wallet available as a React Native mobile app and Chrome browser extension with dApp connectivity.

On-device AI agent that manages private finances through natural language. Shield, transfer, and manage subscriptions by chatting — no data leaves your phone.

Shield and unshield in ~3 seconds total via filledSubtrees optimization. Local-only proving via Winterfell STARK WASM (WebView on mobile) — spending key never leaves device.

13 Anchor programs deployed to devnet (118+ instructions). Trustless, permissionless privacy — no server required for core operations.

Amount noise (±20% variation) and timing noise (±24h delay) to defeat chain analysis heuristics. Multiple privacy levels from standard to maximum.

Tornado Cash-style fixed-denomination privacy pools for SOL and USDC. Epoch-based maturity, PDA-per-nullifier, 32K notes per pool. P2P note sharing via BLE and NFC.

Account-model confidential tokens using Poseidon hash commitments. Quantum-resistant privacy with balance proofs. Full SDK, on-chain program, and mobile/extension integration.

On-chain recurring payment vaults with configurable intervals. Normal and ZK-private subscriber modes. Auto-pause on insufficient funds, retailer claim periods.

Share denominated pool notes between devices using BLE (ECDH encrypted) or NFC (HCE with PIN-derived encryption). Anti-MITM fingerprint verification.

Full migration off Groth16/BN254 (classical, Shor-vulnerable) to STARKs over Goldilocks (post-quantum, hash-based). Custom on-chain FRI verifier with no Winterfell dep. 6 AIRs · ~9–15KB proofs · ~889K CU · 124-bit soundness with DEEP-ALI. Trusted setup ceremony no longer required. Legacy snarkjs/circomlib paths removed from mobile + extension.

Multi-party computation via Arcium Cerberus protocol. 6 use cases: confidential relay, anonymous registry, hidden nullifier, balance audit, stealth scan, private vote. 1-of-N honest node.

Stealth meta-address directory on Solana. Register/update spending + viewing public keys, optional ML-KEM-768 pubkey for quantum-resistant stealth v2.

Spending key never leaves device. PIN with SHA-256 + progressive lockout. SecureStore for all secrets. Clipboard auto-clear (60s). App switcher blur. android:allowBackup=false.

@protocol-01/rpc-config package with priority-based connection manager. QuickNode → Helius → public fallback chain. Auto-switch on 429/502/503 errors. URL sanitization.

Comprehensive test suite: 106 program stress tests, 124 crypto SDK tests, 140 mobile service tests, E2E flows, 69 Rust STARK tests. All passing.

One-time stealth addresses on Receive screen. Incoming funds auto-detected and shielded into the pool. Main wallet never exposed to senders.

Persistent st:01/st:02 meta-addresses for full P01-to-P01 privacy. Sender auto-derives one-time stealth destination. Both sides hidden on-chain.

5 privacy levels (1-14+ hops). Autonomous runner with Android foreground service. Note locking, consent popup, route progress tracking, timing jitter.

Split high-denomination notes into multiple lower-denomination notes across pools. ZK proof (10K constraints), on-chain instruction deployed, mobile SDK ready.

Expanded from 10 to 56 tools: wallet ops, privacy actions, Solana queries, DeFi analytics, staking, NFTs, alerts, conversions, device features. On-device LLM.

Full codebase audit: 56 screens, 80+ components, all using P01 design system. Zero TypeScript errors. Settings components fixed to use theme constants.

User wallet never appears on-chain during unshield. Ephemeral stealth signer pays fees, ECDH one-time recipient receives from pool. Delayed auto-sweep with timing jitter. MPC nullifier fix (4×u64 chunks).

Full internationalization across all mobile screens and web pages. English, French, and Japanese. Language auto-detected from device settings.

Merkle-based private token distribution. Create campaigns with escrowed SPL tokens, recipients claim with SHA-256 Merkle proofs. No recipient data stored on-chain. Expired campaigns reclaimable.

STARK-verified compliance attestations. Range proofs (min <= balance <= max) and sanctions innocence proofs (not in Merkle blocklist). On-chain attestations with expiry and revocation.

@protocol-01/privacy-sdk published on npm. 14 modules: shield, stealth, confidential, streams, subscriptions, vault, registry, relay, MPC, compliance, airdrop, OTC, payroll, treasury. React hooks included.

New on-chain liquidity program that lets users unshield without fronting ~0.85 SOL of proof-buffer rent. Prefund/settle flow with a keeper network (GitHub Actions cron every 10 min). Live devnet at 6PfFkvj…, wired into the mobile STARK unshield path via an `instant` flag.

Notes deterministically derived from HKDF(walletSeed, poolPDA, counter) — cross-device recovery works from seed alone. StoredNote carries ownerPubkey so multi-wallet sessions never mix visible notes. Seed-only rescan reconstructs every note across any device.

Ephemeral signers are now seeded from (walletSeed, noteId) instead of Date.now() — any failed STARK op can resume or sweep the pre-funded SOL back to the user. Never again traps 0.85 SOL on an unrecoverable ephemeral pubkey.

Program upgrade bumping DenominatedPool::SEED_PREFIX to `denominated_pool_v2` + 13 fresh pool PDAs (6 SOL + 7 USDC). Every future leaf insertion emits the canonical MerkleRootChanged event — guarantees 100% decodable tree history for the client Merkle rebuild.

Client Merkle rebuild now walks a registry of 6 event layouts (MerkleRootChanged + V1/V2 ShieldDenominated + ShieldStark + TransferDenominatedStark + EscrowRelease) + signature pagination. Defeats the decoder drift that made pre-hardening pools unrecoverable.

Gojo-themed P2P fiat-to-crypto marketplace — no KYC, escrow via wSOL on-chain vault, Treasury Buffer layer, MagicBlock PER + Arcium + FROST + Nym privacy stack. Mobile-native integration with privacy receipt + trade lifecycle UI. Deployed on Vercel.

Submitted on 2026-04-23 under Ireland team region (Superteam IE affiliation). Accelerator track enabled. Publicly tagged by Superteam Ireland as one of 5 Irish teams actively building on Arcium.

V3 STARK transfer validated end-to-end on devnet (sender → encoded → import → maturation → unshield, +0.995 SOL net on test tx). Goldilocks Poseidon parity-locked across mobile, extension, and on-chain verifier. BN254 fully retired from every spend path.

p01_relayer integrated into V3 shield/unshield/transfer flows. RPC submitter IP no longer correlatable to user device. Outer relay-job tx fee_payer = ephemeral random. v1 X25519 envelope (73-byte overhead) chosen to fit within the 1280-byte encrypted_tx cap.

Stripped depositor, recipient, denomination, protocol fee, and timestamps from all V3 events. Inner unshield logs validated empty on devnet. Indexer-tier surveillance (Helius, Solscan, Chainalysis-tier) no longer reads useful state from emitted events.

Every STARK proof buffer padded to UNIFORM_PROOF_SIZE = 145 KB regardless of circuit. Tx-level fingerprinting by proof size eliminated. Combined with Phase E fee_escrow PDAs, lamport delta no longer leaks denomination of individual transactions.

Mobile auto-rotation across registered relayers + liveness filter via last_active_slot. Closes the strict-mode-on-first-failure gap. Chunked submit_job ix scaffolded for proofs above the per-tx cap. Lazy reputation decay anti-Sybil.

Program seed bumped to denominated_pool_v4. 13 fresh pools (6 SOL + 7 USDC) deployed on devnet. Escapes the legacy un-decodable LeafInserted events that broke Merkle rebuild on V3 pools. V3 pools deprecated, drainable via cancel_job.

subscribe_private_stark ix ported V2 → V3 on-chain (Anchor discriminator mismatch fixed). Mobile ix builder placeholders for Option<Account>, stark_proof_buffer writable, isRelayCall ReferenceError closed, min_epoch semantics corrected. Vault PDA création validated live end-to-end on devnet.

Map internal transaction flows to optimize privacy routing and reduce on-chain fingerprinting across the P-01 network.

Card and MoonPay integration in-app, alongside the Mugen P2P route. Direct fiat-to-crypto without leaving the app, with the P2P path staying KYC-free for privacy-first users.

Comprehensive audit of all 12 programs, 6 STARK AIRs, custom on-chain FRI verifier, and 10 SDKs by OtterSec, Neodyme, or Trail of Bits before mainnet deployment.

Single canonical event emitted from `MerkleTree::insert_with_root()` regardless of caller (shield, transfer, split, escrow, future instructions). Eliminates the entire class of client-side decoder drift bugs forever — one layout, decodable on day 1 and day 1000.

Full mainnet deployment after the external security audit closes. Phase-gated rollout starting with denominated pools, expanding to subscriptions and the privacy router once TVL and observability signals stabilize.

iOS build and testing — currently only Android is verified. Requires CocoaPods setup, code signing, and TestFlight deployment.

Enable confidential balances and shielded pools to interact with Solana DeFi protocols. Composable privacy for lending, swapping, and staking.

Port the on-chain cancel ix to V3 — insert_with_root_v3 has a different signature (subtrees + c6_verified flag). Requires client-side computation of new subtrees per re-shielded note. Tracked separately from subscribe_private_stark V3.

submit_confidential_relay ix scaffold landed in p01_arcium (commit 7c0841c). Hides the recipient even from the relayer via threshold MPC decryption. Compose with stealth recipient enforcement to close T3 (compromised relayer) threat model.

STARK-authorized smart-contract wallet replacing Ed25519 fund custody. Funds spent via Poseidon preimage knowledge proof (Goldilocks, post-quantum), not signature. Even when Shor breaks Ed25519 (≥ 2030), an attacker who steals the gas key cannot move funds. ~9-11 weeks solo, gated on V3 audit close.

User-side dummy transactions that are byte-identical to a real round-trip shield → unshield, drowning real activity in indistinguishable noise. Closes timing correlation (L20) and degrades program-touched signal (L11). Indistinguishability ceiling 5/5. Zero protocol surface, zero infra cost.

Closes the depositor-visible-on-shield leak (L1/L2). Honest implementation requires either TEE attestation (Marlin Oyster) or N ≥ 3 geo-distributed relayers with stake/slashing. Without one of those, would be trust-shift, not privacy gain. Gated on infra availability.

Native desktop application for macOS, Windows, and Linux with full wallet functionality and hardware wallet support.

Command-line interface for developers and power users. Script transactions, automate streams, and integrate P-01 into existing workflows.