Sovereign Financial Infrastructure for Institutional Gold Trading — End-to-End Platform Technical Overview
Document Classification: Confidential — Investor Due Diligence
Prepared by: AurumShield Engineering
AurumShield is a sovereign financial infrastructure platform purpose-built for secure, compliant institutional gold trading. The platform delivers a fully integrated digital experience — from counterparty onboarding and identity verification through real-time marketplace operations, settlement execution, and physical delivery logistics — within a single, auditable system.
The platform implements clearinghouse-grade trade lifecycle management with formalized state machines governing every order and settlement transition. All operations are enforced through a deterministic policy engine that evaluates counterparty risk, capital adequacy, and compliance posture in real time before any transaction is authorized.
AurumShield's architecture is designed around three core principles: fail-closed security (every protected operation requires DB-verified compliance approval and valid LEI/role), Column Bank settlement resilience (Fedwire and ACH rails with automatic failover and idempotency), and forensic auditability (every state transition produces tamper-evident, SHA-256 hashed audit events with maker-checker cryptographic binding via WebAuthn signatures).
Every gold transaction on AurumShield follows a strict, auditable pipeline from initial user registration through final delivery confirmation. Each stage is governed by formalized state machines (state-machine.ts), role-based access controls (authz.ts), and capital adequacy checks (capital-controls.ts), ensuring no step can be bypassed or executed out of order. This deterministic escrow mechanism is designed to eliminate Herstatt risk (asynchronous settlement exposure): title and funds move only when both legs of the delivery-versus-payment are in place, so neither counterparty holds unrecovered notional value during transit.
Organizations register with a strictly required Legal Entity Identifier (LEI), validated against the Global LEI Foundation (GLEIF) API for deterministic entity resolution. Authentication is enforced via Hardware Key/WebAuthn and Enterprise SSO (SAML/OIDC via Okta/Entra ID). SMS OTP has been fully removed. Device fingerprinting via Fingerprint.com establishes a trust baseline.
The verification engine (verification-engine.ts) orchestrates a headless Veriff KYB integration accepting LEI/EIN to fetch registry data and map Ultimate Beneficial Owners (UBOs). OpenSanctions screens against OFAC, EU, UN, HMT, and DFAT watchlists. Retail KYC selfie-check components have been removed; all counterparties are Corporate Entities.
The compliance case model (compliance/models.ts) creates a formal case that progresses through a confined state machine: OPEN → PENDING_USER → PENDING_PROVIDER → UNDER_REVIEW → APPROVED. Only APPROVED cases unlock protected capabilities. The capability ladder gates access progressively: BROWSE → QUOTE → LOCK_PRICE → EXECUTE_PURCHASE → SETTLE.
Treasuries fund accounts via USD Fedwire or our Phase 1 Stablecoin Bridge (USDC/USDT). Digital asset onboarding bypasses legacy banking delays, providing instant liquidity.
AurumShield programmatically routes funds to vetted mine originators, acquiring physical gold at wholesale discounts. The asset is allocated at a Tier-1 facility (Malca-Amit) under the user's title.
The TRADER initiates a Goldwire. The TREASURY role approves via a JIT WebAuthn signature. The engine instantly reassigns the legal title of vaulted gold to the recipient. T+0 finality.
Recipients choose their exit: instantly liquidate via API to Dubai OTC partners for local fiat/USDC, or initiate Sovereign Kinetic Redemption to take physical delivery via Malca-Amit armored transport.
Upon liquidation or physical delivery, the certificate engine issues a Clearing Certificate: a SHA-256 digest of the lifecycle record, signed with AWS KMS ECDSA for non-repudiation, providing independently verifiable proof of the entire lifecycle. (SHA-256 on its own is a hash, not a signature; it is the KMS ECDSA signature over the digest that makes the certificate verifiable by a third party.)
Every order transitions through a strict state machine defined in state-machine.ts. Only authorized roles can trigger each transition, and illegal transitions throw forensic IllegalStateTransitionError events with full actor/entity context.
| State | Allowed Transitions | Authorized Roles |
|---|---|---|
| DRAFT | → PENDING_COLLATERAL, CANCELLED | TRADER (Maker) |
| PENDING_COLLATERAL | → PENDING_CHECKER_APPROVAL, CANCELLED | system |
| PENDING_CHECKER_APPROVAL | → APPROVED_UNSETTLED, REJECTED_COMPLIANCE, CANCELLED | TREASURY (Checker) |
| APPROVED_UNSETTLED | → SETTLEMENT_PENDING | system |
| SETTLEMENT_PENDING | → SETTLED, SLASH_COLLATERAL, FAILED | system, TREASURY |
| SETTLED | — (terminal) | — |
| SLASH_COLLATERAL | — (terminal, T+1 wire failure) | — |
| REJECTED_COMPLIANCE | — (terminal) | — |
| CANCELLED | — (terminal) | — |
| FAILED | — (terminal) | — |
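As an added illustration of the transition table above (this is example code, not AurumShield's state-machine.ts; the class and function names, the Actor shape, and the self-approval guard are assumptions), a TypeScript allow-list state machine that refuses any transition or role not in the table and throws an IllegalStateTransitionError carrying actor and entity context:

```typescript
// Added example, not the platform's own code. State, role and error names are
// taken from the page; everything else here is an assumption.
export type OrderState =
  | "DRAFT" | "PENDING_COLLATERAL" | "PENDING_CHECKER_APPROVAL"
  | "APPROVED_UNSETTLED" | "SETTLEMENT_PENDING" | "SETTLED"
  | "SLASH_COLLATERAL" | "REJECTED_COMPLIANCE" | "CANCELLED" | "FAILED";

export type Role = "TRADER" | "TREASURY" | "system";

interface Rule { to: OrderState[]; roles: Role[] }

// Allow-list: any (from, to, role) triple not listed here is illegal (fail-closed).
const TRANSITIONS: Record<OrderState, Rule> = {
  DRAFT: { to: ["PENDING_COLLATERAL", "CANCELLED"], roles: ["TRADER"] },
  PENDING_COLLATERAL: { to: ["PENDING_CHECKER_APPROVAL", "CANCELLED"], roles: ["system"] },
  PENDING_CHECKER_APPROVAL: {
    to: ["APPROVED_UNSETTLED", "REJECTED_COMPLIANCE", "CANCELLED"],
    roles: ["TREASURY"],
  },
  APPROVED_UNSETTLED: { to: ["SETTLEMENT_PENDING"], roles: ["system"] },
  SETTLEMENT_PENDING: { to: ["SETTLED", "SLASH_COLLATERAL", "FAILED"], roles: ["system", "TREASURY"] },
  SETTLED: { to: [], roles: [] },
  SLASH_COLLATERAL: { to: [], roles: [] },
  REJECTED_COMPLIANCE: { to: [], roles: [] },
  CANCELLED: { to: [], roles: [] },
  FAILED: { to: [], roles: [] },
};

export interface Actor { userId: string; orgId: string; role: Role }
export interface Order { id: string; state: OrderState; makerUserId: string }

// Forensic error: carries the full actor/entity context so the audit logger
// can record who attempted what on which order.
export class IllegalStateTransitionError extends Error {
  constructor(
    public readonly orderId: string,
    public readonly from: OrderState,
    public readonly to: OrderState,
    public readonly actor: Actor,
  ) {
    super(`illegal transition ${from} -> ${to} on order ${orderId} by ${actor.role}:${actor.userId}`);
    this.name = "IllegalStateTransitionError";
  }
}

// Returns a new order in the target state, or throws. Besides the table
// checks, it refuses to let the order's maker act as its checker
// (maker-checker separation; an added safeguard, assumed here).
export function transition(order: Order, to: OrderState, actor: Actor): Order {
  const rule = TRANSITIONS[order.state];
  const allowed = rule.to.includes(to) && rule.roles.includes(actor.role);
  const selfApproval =
    order.state === "PENDING_CHECKER_APPROVAL" && actor.userId === order.makerUserId;
  if (!allowed || selfApproval) {
    throw new IllegalStateTransitionError(order.id, order.state, to, actor);
  }
  return { ...order, state: to };
}

export function isTerminal(state: OrderState): boolean {
  return TRANSITIONS[state].to.length === 0;
}
```

Because the table is an allow-list, adding a new state that is not wired into TRANSITIONS cannot accidentally open a path; the TypeScript Record type also forces every state to declare its (possibly empty) outgoing edges.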
AurumShield implements a defense-in-depth security architecture where every layer — from network topology to application logic — enforces the principle of least privilege. The platform operates under a fail-closed security model: any ambiguity in authorization state results in denial, never approval.
Implemented in authz.ts, the authorization system defines a maker-checker RBAC model with strict role separation:
TRADER (Maker): Can initiate orders and lock prices.
TREASURY (Checker/Approver): Reviews, approves, and executes DvP via JIT WebAuthn signature.
Capability Ladder: BROWSE → QUOTE → LOCK_PRICE → EXECUTE_PURCHASE → SETTLE
Protected capabilities (LOCK_PRICE+) require a database-verified APPROVED compliance case, valid LEI, and correct organizational role. If roles or LEIs are missing, access is denied by default. Authentication enforced via Hardware Key/WebAuthn and Enterprise SSO (SAML/OIDC). SMS OTP removed.
When the TREASURY (Checker) clicks "Approve & Execute DvP", a native WebAuthn/Passkey signature prompt (navigator.credentials.get()) is triggered. This signature is cryptographically bound to the canonicalized SHA-256 payload of the settlement document and stored in the order_approvals table with checker_user_id, signature_hash, and timestamp.
The audit logger (audit-logger.ts) produces append-only, structured JSON events written to stdout for CloudWatch/Datadog capture. Each event carries a deterministic SHA-256 event ID computed from timestamp + event name + payload, so a repeated emission of the same event collapses to the same ID and can be rejected by a uniqueness check, and any later change to a recorded payload no longer matches its ID. Policy snapshots are SHA-256 hashed at order creation, so later tampering with a snapshot is detectable. A hash alone is only tamper-evident against the copy of the ID held outside the log store; the IDs must reach a sink the application cannot rewrite (the CloudWatch/Datadog copy) for the trail to resist an attacker with write access to the original log.
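Both of the preceding paragraphs hinge on hashing a canonical form of a document: the checker's WebAuthn signature is bound to the SHA-256 of the canonicalized settlement payload, and the audit event ID is the SHA-256 of timestamp, name and payload. The following added example (not AurumShield's code; canonicalize, challengeFor, verifyChallengeBinding, auditEventId and the constructed clientDataJSON are assumptions) shows why canonicalization matters and how the server checks that a returned WebAuthn assertion was produced for exactly the document it expects:

```typescript
// Added example, not the platform's own code. The WebAuthn challenge is taken to
// be the base64url SHA-256 of the canonical settlement document (assumption).
import { createHash } from "node:crypto";

// Canonical JSON: sorted object keys, no whitespace. Two documents that differ
// only in key order or formatting must hash identically, otherwise a signature
// made over one serialization would fail to verify against another.
export function canonicalize(value: unknown): string {
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    return "{" + Object.keys(obj).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalize(obj[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

export function sha256Hex(s: string): string {
  return createHash("sha256").update(s, "utf8").digest("hex");
}

// WebAuthn carries the challenge base64url-encoded inside clientDataJSON.
export function challengeFor(settlementDoc: unknown): string {
  return createHash("sha256").update(canonicalize(settlementDoc), "utf8").digest("base64url");
}

function safeParse(s: string): Record<string, unknown> | null {
  try {
    const v: unknown = JSON.parse(s);
    return typeof v === "object" && v !== null ? (v as Record<string, unknown>) : null;
  } catch {
    return null;
  }
}

export interface BindingResult { ok: boolean; reason?: string }

// Server-side check of the clientDataJSON returned by navigator.credentials.get():
// right ceremony type, right origin, and a challenge equal to the hash of the
// document the server expects the checker to have approved. Verifying the
// authenticator's signature over authData || sha256(clientDataJSON) is the
// further step a full WebAuthn verifier performs and is not shown here.
export function verifyChallengeBinding(
  clientDataJSON: string,
  settlementDoc: unknown,
  expectedOrigin: string,
): BindingResult {
  const cd = safeParse(clientDataJSON);
  if (!cd) return { ok: false, reason: "clientDataJSON is not a JSON object" };
  if (cd.type !== "webauthn.get") return { ok: false, reason: "wrong ceremony type" };
  if (cd.origin !== expectedOrigin) return { ok: false, reason: "origin mismatch" };
  if (cd.challenge !== challengeFor(settlementDoc)) {
    return { ok: false, reason: "challenge not bound to this settlement document" };
  }
  return { ok: true };
}

// Deterministic audit event ID: identical (timestamp, event, payload) always
// yields the same ID, so a unique constraint on the ID rejects double emission.
export function auditEventId(timestamp: string, event: string, payload: unknown): string {
  return sha256Hex(timestamp + "|" + event + "|" + canonicalize(payload));
}
```

The order of checks in verifyChallengeBinding is deliberate: type and origin are rejected before the challenge comparison, so an assertion minted on another origin cannot be replayed here even if the attacker learned the challenge.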
At Rest: RDS PostgreSQL 15 with storage_encrypted = true (AES-256 via AWS KMS). Database credentials auto-managed by RDS and stored in AWS Secrets Manager — never in Terraform state or environment variables. S3 document storage uses server-side encryption.
In Transit: All external traffic terminates at AWS ALB with ACM-provisioned TLS certificates. Webhook payloads from Column Bank are verified using HMAC-SHA256 with timing-safe comparison (webhook-verify.ts) to prevent timing attacks. Clearing certificates signed with AWS KMS ECDSA for non-repudiation.
The infrastructure implements three-tier Security Group isolation defined in Terraform:
ALB SG: 80/443 inbound from 0.0.0.0/0 (public internet)
App SG: Port 3000 inbound from ALB SG only
DB SG: Port 5432 inbound from App SG only
ECS tasks run in private subnets with no public IP. Outbound routes through NAT Gateway. Database is not publicly accessible. This ensures zero direct public access to containers or database.
The capital controls engine evaluates real-time capital snapshots, pre-funded 5% collateral locks from CorporateWallets, and enforces 5 escalating control modes:
NORMAL → THROTTLE_RESERVATIONS → FREEZE_CONVERSIONS → FREEZE_MARKETPLACE → EMERGENCY_HALT
Failed T+1 wires transition to SLASH_COLLATERAL, penalizing the defaulting organization. The multi-oracle circuit breaker triggers FREEZE if pricing feed divergence exceeds 15 bps. All financial values stored as BIGINT (cents/basis points) — no floating-point math.
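An added example of the integer-only arithmetic behind these controls (not AurumShield's capital-controls.ts; the function names, the choice that a tripped breaker maps to FREEZE_CONVERSIONS and that a collateral shortfall maps to THROTTLE_RESERVATIONS, and the operator-floor escalation are assumptions; the 5% collateral and 15 bps figures are the page's). Amounts are bigint cents, so no floating-point rounding can creep into a collateral or divergence decision:

```typescript
// Added example, not the platform's own code. Uses bigint throughout, matching
// the page's BIGINT cents/basis-points rule.
export type ControlMode =
  | "NORMAL" | "THROTTLE_RESERVATIONS" | "FREEZE_CONVERSIONS"
  | "FREEZE_MARKETPLACE" | "EMERGENCY_HALT";

// Escalation ladder; a computed mode never de-escalates an operator-set one.
const LADDER: ControlMode[] = [
  "NORMAL", "THROTTLE_RESERVATIONS", "FREEZE_CONVERSIONS", "FREEZE_MARKETPLACE", "EMERGENCY_HALT",
];

const COLLATERAL_BPS = 500n;      // 5% pre-funded collateral (page figure)
const DIVERGENCE_LIMIT_BPS = 15n; // multi-oracle circuit breaker (page figure)

export function escalate(a: ControlMode, b: ControlMode): ControlMode {
  return LADDER.indexOf(a) >= LADDER.indexOf(b) ? a : b;
}

// Required collateral in cents, rounded up so the lock never under-covers.
export function requiredCollateralCents(notionalCents: bigint): bigint {
  if (notionalCents < 0n) throw new RangeError("negative notional");
  return (notionalCents * COLLATERAL_BPS + 9999n) / 10000n;
}

// Largest spread between any two feeds, in basis points of the lowest price,
// rounded up (conservative: a borderline spread counts against the limit).
export function oracleDivergenceBps(priceCents: readonly bigint[]): bigint {
  if (priceCents.length < 2) throw new RangeError("need at least two oracle prices");
  let lo = priceCents[0];
  let hi = priceCents[0];
  for (const p of priceCents) {
    if (p <= 0n) throw new RangeError("non-positive oracle price");
    if (p < lo) lo = p;
    if (p > hi) hi = p;
  }
  return ((hi - lo) * 10000n + lo - 1n) / lo;
}

export interface CapitalSnapshot {
  availableCents: bigint;            // unencumbered funds in the CorporateWallet
  notionalCents: bigint;             // order being reserved
  oraclePriceCents: readonly bigint[]; // latest quote from each pricing feed
}

// Fewer than two live feeds means divergence cannot be measured, so the
// breaker trips (fail-closed) rather than trusting a single oracle.
export function evaluateMode(s: CapitalSnapshot, operatorMode: ControlMode = "NORMAL"): ControlMode {
  let computed: ControlMode = "NORMAL";
  if (s.oraclePriceCents.length < 2 || oracleDivergenceBps(s.oraclePriceCents) > DIVERGENCE_LIMIT_BPS) {
    computed = "FREEZE_CONVERSIONS";
  } else if (s.availableCents < requiredCollateralCents(s.notionalCents)) {
    computed = "THROTTLE_RESERVATIONS";
  }
  return escalate(computed, operatorMode);
}
```

The rounding direction is the security-relevant detail: collateral rounds up and divergence rounds up, so every approximation errs toward holding more collateral and freezing earlier, never the other way.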
| Framework | Requirement | Implementation | Source |
|---|---|---|---|
| KYC / AML | Identity Verification | Veriff: government ID, biometric liveness, multi-step workflow | kyc-adapters.ts |
| KYC / AML | Sanctions Screening | OpenSanctions: OFAC SDN, EU, UN, UK HMT, DFAT watchlists | kyc-adapters.ts |
| KYC / AML | UBO Declaration | Company/individual bifurcation, source of funds analysis | verification-engine.ts |
| SOC 2 | Audit Trail | Append-only SHA-256 hashed events, deterministic IDs, SIEM-ready JSON | audit-logger.ts |
| SOC 2 | Access Control | 5-level RBAC, 6 roles, fail-closed enforcement, step-up re-verification | authz.ts |
| SOC 2 | Change Management | Formalized state machines, illegal transition forensic logging | state-machine.ts |
| PCI-DSS | Payment Routing | Settlement via Column Bank (Fedwire / ACH) — no raw card data | settlement-rail.ts |
| PCI-DSS | Idempotent Txns | SHA-256 idempotency keys, ON CONFLICT dedup, transfer status polling | settlement-rail.ts |
| PCI-DSS | Webhook Integrity | HMAC-SHA256 + timing-safe comparison for all inbound webhooks | webhook-verify.ts |
| GDPR / CCPA | Data Minimization | PII managed by Clerk; app stores only opaque user IDs, not raw PII | middleware.ts |
| GDPR / CCPA | At-Rest Protection | RDS AES-256, Secrets Manager for credentials, S3 server-side encryption | rds.tf |
| LBMA | Refiner Verification | Deterministic LEI resolution via GLEIF API, unique LEI constraint | entity-validation.ts |
| LBMA | Evidence Gate | 3 mandatory evidence types per listing: Assay, Chain of Custody, Attestation (DocuSign CLM) | marketplace-engine.ts |
| Frontend | Technology |
|---|---|
| Framework | Next.js 16.1.6 (App Router) |
| Runtime | React 19.2.3 with Server Components |
| Styling | Tailwind CSS v4, custom design tokens |
| UI Primitives | Radix UI (Dialog, Dropdown, Tooltip, Popover, Switch) |
| Forms | React Hook Form + Zod v4 schema validation |
| Data Fetching | TanStack React Query v5 |
| Animation | Framer Motion v12 |
| Typography | IBM Plex Sans + Source Serif 4 |
| Auth UI | WebAuthn/Hardware Keys + Enterprise SSO (Okta/Entra) |

| Backend and Services | Technology |
|---|---|
| Server Logic | Next.js Server Actions + API Routes |
| Database | PostgreSQL 15 (RDS, gp3, encrypted) |
| DB Client | node-postgres (pg v8), raw SQL migrations |
| Schema | 10 sequential migrations (buyer_journey → risk_parameters) |
| Auth | WebAuthn/Hardware Keys + Enterprise SSO (SAML/OIDC) |
| KYB | Veriff KYB + GLEIF LEI (deterministic entity resolution) |
| AML | OpenSanctions (OFAC, EU, UN, UK, AU) |
| Device Trust | Fingerprint.com Pro (bot detection, velocity) |
| Docs | AWS Textract (OCR verification) |
| Email | Resend (transactional email) |

| Settlement | Configuration |
|---|---|
| Primary Rail | Column Bank (Fedwire / ACH) |
| Secondary Rail | Turnkey MPC (USDC/USDT) |
| Rail Selection | Auto: Fedwire default, ACH fallback |
| Fallback | Automatic with finality check |
| Idempotency | SHA-256: settlement_id\|payee_id\|amount\|action |
| Clearing | Double-entry balanced debit/credit journals |
| Certificates | SHA-256 + optional KMS ECDSA signing |

| Logistics | Configuration |
|---|---|
| Primary | Malca-Amit armored transport (vault-to-vault) |
| Secondary | Brink's armored transport (global failover) |
| Routing | Deterministic: notional value + corridor + availability |
| Origin | AurumShield Vault, 1 Federal Reserve Plz, NY |
| Tracking | Real-time events → settlement lifecycle |
| Component | Service | Configuration |
|---|---|---|
| Compute | ECS Fargate | 2 tasks (512 CPU / 1024 MB), private subnets, rolling deploys |
| Registry | ECR | Multi-stage Docker (Node 20 Alpine), non-root user |
| Load Balancer | ALB | HTTPS with ACM TLS, HTTP→HTTPS redirect |
| Database | RDS PostgreSQL 15 | db.t3.micro, gp3 encrypted, private, 7-day backups |
| Secrets | Secrets Manager | RDS auto-managed password — never in tfstate |
| Storage | S3 | Document storage with server-side encryption |
| Networking | VPC 10.0.0.0/16 | 2 AZs, 2 public + 2 private subnets, NAT Gateway |
| Monitoring | CloudWatch | Structured JSON audit ingestion |
| DNS | Route 53 | Hosted zone with ALB alias |
| CI/CD | GitHub Actions | Build → ECR push → ECS blue-green deploy |
Webhook endpoints (/api/webhooks/*) are exempted from session auth but enforce payload-level cryptographic verification: the X-Signature header carries an HMAC-SHA256 over the payload, checked with a timing-safe comparison via timingSafeEqual(), and webhookId tracking ensures duplicate deliveries are safely ignored rather than reprocessed.
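An added example of that verification path in TypeScript (not AurumShield's webhook-verify.ts, and not Column Bank's documented signing scheme; the X-Timestamp header, the five-minute replay window, the signed-string layout, the secret and the sample payload are assumptions and constructed inputs). It checks the MAC over the raw bytes before parsing anything, compares in constant time, and suppresses redelivery by webhookId:

```typescript
// Added example, not the platform's own code. Assumes the sender signs
// "<timestamp>.<raw body>" with HMAC-SHA256 and sends hex in X-Signature.
import { createHmac, timingSafeEqual } from "node:crypto";

export interface WebhookHeaders { "x-signature"?: string; "x-timestamp"?: string }

export type VerifyResult =
  | { ok: true; webhookId: string; event: Record<string, unknown> }
  | { ok: false; reason: string };

const MAX_SKEW_SECONDS = 300; // assumption: deliveries older than 5 minutes are rejected

export function sign(secret: string, timestamp: string, rawBody: string): string {
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`, "utf8").digest("hex");
}

// Constant-time comparison on fixed-length buffers. timingSafeEqual throws on
// differing lengths, so decode first and require both to be 32 bytes; a
// malformed hex header decodes short and is rejected without a content leak.
function macEqual(expectedHex: string, presentedHex: string): boolean {
  const a = Buffer.from(expectedHex, "hex");
  const b = Buffer.from(presentedHex, "hex");
  return a.length === 32 && b.length === 32 && timingSafeEqual(a, b);
}

// In-memory stand-in for a persisted webhookId table with a unique constraint.
export class SeenWebhookIds {
  private readonly seen = new Set<string>();
  /** Records the id; returns false if it was already recorded. */
  record(id: string): boolean {
    if (this.seen.has(id)) return false;
    this.seen.add(id);
    return true;
  }
}

export function verifyWebhook(
  secret: string,
  headers: WebhookHeaders,
  rawBody: string,
  seen: SeenWebhookIds,
  nowSeconds: number = Math.floor(Date.now() / 1000),
): VerifyResult {
  const sig = headers["x-signature"];
  const ts = headers["x-timestamp"];
  if (!sig || !ts) return { ok: false, reason: "missing signature headers" };
  if (!/^\d+$/.test(ts) || Math.abs(nowSeconds - Number(ts)) > MAX_SKEW_SECONDS) {
    return { ok: false, reason: "timestamp outside replay window" };
  }
  // MAC over the exact bytes received, before any parsing touches the body.
  if (!macEqual(sign(secret, ts, rawBody), sig)) return { ok: false, reason: "bad signature" };

  let parsed: unknown = undefined;
  try { parsed = JSON.parse(rawBody); } catch { return { ok: false, reason: "body is not JSON" }; }
  if (typeof parsed !== "object" || parsed === null) return { ok: false, reason: "body is not an object" };
  const event = parsed as Record<string, unknown>;
  const webhookId = event.webhookId;
  if (typeof webhookId !== "string" || webhookId.length === 0) {
    return { ok: false, reason: "missing webhookId" };
  }
  // Provider retries are acknowledged (HTTP 200 upstream) but not reprocessed.
  if (!seen.record(webhookId)) return { ok: false, reason: "duplicate delivery" };
  return { ok: true, webhookId, event };
}
```

Two practical notes: the handler must read the raw request body (not a framework's already-parsed JSON), because any re-serialization changes the bytes the MAC covers; and the webhookId store has to be the database, not process memory, since the ECS service runs as two tasks behind the ALB and a retry can land on the other task.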