Sanctions in 4.4 ms

Sanctions cleared.
Signed. Done.

Sanctions, risk, and AML flags checked and signed before the agent moves money. 4.4 ms on live traffic. Six sources reconciled into one answer.

See the hot path Back to protocol
CT 110 · Hetzner Helsinki Live
Attest p50
4.4ms
BLS sign p99
815µs
Tests green
77/ 6 crates
Clippy warnings
0
// BLS12-377 G1 compressed · 48 bytes
pubkey_b64 = "Tsgh1UPqIdgKjSfnWJOasXSBr8vtfsKfU6nMVirn2t8JBbqlIA249BOK4w1Oxn0B"
endpoint = 10.10.10.110:50051
issued = 2026-05-19
How fast it runs

Five steps. 7 ms.

Two cache reads, one assemble, one signature, one return. The signature is the only network hop. Everything else lives in memory.

Smoke test against the production endpoint signs a fresh attestation for did:ethr:8453:0xababab…ab in 4.4ms total, well under the 15ms p99 budget.

01
Redis SISMEMBER veris:sanctions:active

subject_address membership lookup

~0.1ms
02
Redis HGETALL veris:risk:{addr}

tier · drift_score · last_eval

~0.2ms
03
Assemble VerisAttestation proto

canonical deterministic serialization

~0.05ms
04
Vault Transit · BLS12-377 sign

hash to G2 · sign · mTLS gRPC

5–10ms
05
Return AttestResponse

serialized attestation + BLS sig + trace

p50 total7ms
p99 total12ms
OFAC SDNtreasury.gov · 15-min polldelta diff
UN Consolidatedscsanctions.un.orgdelta diff
EU FSFwebgate.ec.europa.eudelta diff
Chainalysiswebhook + REST deltastream
TRM Labsstreaming gRPCstream
Internal AMLkafka · pattern detectorrealtime
↓ reconciler · dedup · provenance · tier ↓
veris:sanctions:activeRedis SET · sub-ms lookup
veris.sanctions.deltaKafka downstream notify
L5 revocation pushaggressive gRPC stream
Where the data comes from

Six sources.
One clean answer.

OFAC, UN, EU, Chainalysis, TRM, and our own AML feed merge into one set. Every attestation names the exact list that matched, so the regulator never asks twice.

OFAC and fraud hits push to the on chain list in under 30 seconds. Drift and anomaly flags follow within the hour.

What runs underneath

Six crates.
Zero production unwraps.

veris-core

Domain types · attestation

Attestation builder, risk-tier rule engine, heuristic anomaly detector. The shape of every signed bundle the network sees.

veris-bls

BLS12-377 aggregation

arkworks-bls12-377. Hash-to-G2 over canonical proto bytes, Vault Transit gRPC sign, aggregate addition.

veris-feed

Sanctions pipeline

OFAC · UN · EU pollers, Chainalysis & TRM delta adapters, internal Kafka consumer, reconciler with provenance preservation.

veris-state

Redis layer

Sanctions SET membership, per-entity risk hash, revocation-push channel into L5. DB 2 on a dedicated Redis instance.

veris-grpc

Service surface

Tonic server. Attest, AttestBatch, SubscribeRevocations, Health, SignerKey. mTLS, rate-limit.

veris-bin

Binary entry · CT 110

Bootstrap + config + OpenTelemetry exporter. Multi-stage Rust 1.85 → debian:bookworm-slim, 135MB final, non-root uid 10001.

How we proved it

Twelve checks.
Eleven green.

Every check audited and signed off before the next layer started. One item parked behind a production key binding. The rest are live.

#
Check
Status
Evidence
01
Sub-ms benchmark · representative load
Passed
veris-bls/benches/sign_bench.rs · p99 ~815µs
02
BLS aggregate signature roundtrip
Passed
veris-bls/tests/roundtrip.rs · single + aggregate
03
OFAC/UN/EU feed · synthetic mismatches
Passed
veris-feed/tests · delta · dedup · provenance
04
Risk tier engine · reproducibility
Passed
veris-core/src/risk/engine.rs tests
05
AML pattern detector · per family
Passed
veris-core/src/anomaly · 6 heuristics
06
Aggressive push · synthetic OFAC hit
Passed
mpsc + Redis STREAM · wired into L5 revocation
07
gRPC contract tests
Passed
veris-grpc/tests · mTLS bootstrap covered
08
Signer custody · Vault Transit e2e
Deferred
In-memory keypair shipped · Transit AppRole v2
09
Coverage gate · Rust substitute
Passed
77 tests · 6 crates · production unwrap ban
10
Static analysis · clippy pedantic + nursery
Passed
cargo clippy -D warnings · clean
11
End-to-end · deployed CT
Passed
CT 110 · Attest 4.4ms · sanctions=clean · risk=LOW
12
Doc updated · deployed signer pubkey
Passed
apps/veris-engine/docs/architecture.md
Before you ship

Verify it yourself.

Run the verifier inside your own VPC. Pull our public keys. Check every signature against a regulator-grade source. No black boxes.

Talk to us Read the docs