Beta-stage security architecture. Honest, not aspirational.
What we ship today, what we explicitly don't, what the trust assumptions are, and how to reach the operator with a vulnerability. v1 ships at $NEXUS launch — the gaps below are post-launch roadmap items, not denial.
The cryptographic spine.
Every primitive below has been in production on mainnet since 2026-05-21. Each can be inspected in the open-source code at github.com/vdmnexus/vdmnexus.
AWS KMS Ed25519 signing
The facilitator signing key is held by AWS KMS as an Ed25519 (ECC_NIST_EDWARDS25519) key. KMS.Sign with ED25519_SHA_512 is invoked per request — the private key never enters lambda memory. The deployed KMS-derived public key is asserted equal to NEXUS_DEPOSIT_ADDRESS at boot or the service fails closed.
Receipt signing (Ed25519, canonical JSON)
Every signed inference receipt is canonicalized (sorted keys, no whitespace, excluding nexus_signature) and signed by the Nexus operator Ed25519 key. Operator public key is published at GET /api/v1/operator-key. Verifiers — including verify.vdmnexus.com and @vdm-nexus/x402 — check signatures against this key independently of the operator.
Five-check verification
Every receipt is verifiable end-to-end via five independent checks: prompt-hash match, response-hash match, Ed25519 operator signature, on-chain USDC settlement landed at the recipient, payer pubkey matches receipt.agent_pubkey. The same code path runs in the SDK and in the hosted verifier — no operator-controlled verification surface.
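The canonicalization and the five checks described above, as an added example that is not the project's SDK code. Only nexus_signature and agent_pubkey are names from this page; the other field names, SHA-256 hex hashes, the base64 signature encoding and the caller-supplied settlement record are assumptions made for illustration.

```javascript
// Added example, not the project's code. Assumed for illustration: field names
// other than nexus_signature and agent_pubkey, SHA-256 hex hashes, base64
// signatures, and a settlement record the caller has already read from chain.
const crypto = require('node:crypto');

// Canonical form per the page: sorted keys, no whitespace, nexus_signature excluded.
function canonicalize(value, top = true) {
  if (Array.isArray(value)) return '[' + value.map(v => canonicalize(v, false)).join(',') + ']';
  if (value === null || typeof value !== 'object') return JSON.stringify(value);
  const keys = Object.keys(value).filter(k => !(top && k === 'nexus_signature')).sort();
  return '{' + keys.map(k => JSON.stringify(k) + ':' + canonicalize(value[k], false)).join(',') + '}';
}

const sha256Hex = s => crypto.createHash('sha256').update(s, 'utf8').digest('hex');

// Returns one boolean per check; accept a receipt only if all five are true.
function verifyReceipt(receipt, prompt, response, operatorKey, settlement) {
  let sigOk = false;
  try {
    // Ed25519 takes no separate digest, so the algorithm argument is null.
    sigOk = crypto.verify(null, Buffer.from(canonicalize(receipt), 'utf8'), operatorKey,
      Buffer.from(String(receipt.nexus_signature), 'base64'));
  } catch { sigOk = false; }
  return {
    promptHash: sha256Hex(prompt) === receipt.prompt_hash,
    responseHash: sha256Hex(response) === receipt.response_hash,
    signature: sigOk,
    settlement: settlement.recipient === receipt.recipient && settlement.amount === receipt.amount_usdc,
    payer: settlement.payer === receipt.agent_pubkey,
  };
}

// Constructed sample: a throwaway key pair stands in for the operator key.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const receipt = {
    response_hash: sha256Hex('4'), prompt_hash: sha256Hex('2+2?'),
    agent_pubkey: 'AGENT_PUBKEY_PLACEHOLDER', recipient: 'RECIPIENT_PLACEHOLDER', amount_usdc: '0.01',
  };
  receipt.nexus_signature = crypto.sign(null, Buffer.from(canonicalize(receipt)), privateKey).toString('base64');
  const settlement = { payer: receipt.agent_pubkey, recipient: receipt.recipient, amount: '0.01' };
  const good = verifyReceipt(receipt, '2+2?', '4', publicKey, settlement);
  // Editing a signed field after the fact must break the signature check.
  const tampered = verifyReceipt({ ...receipt, amount_usdc: '0.00' }, '2+2?', '4', publicKey, settlement);
  return { good, tampered };
}
```

A verifier should fetch the operator key once from GET /api/v1/operator-key and pin it, rather than trusting a key delivered alongside the receipt.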
Mainnet kill switch + spend cap + allowlist
Operationally critical fail-safes: NEXUS_MAINNET_ENABLED='false' makes all mainnet paid routes return 503 instantly (testnets stay reachable). NEXUS_MAX_PRICE_USDC is a hard ceiling on the challenge price — the issuer 500s closed if X402_FLAT_PRICE_USDC exceeds it. NEXUS_ALLOWED_AGENTS is a comma-separated allowlist of payer pubkeys; non-listed payers 403 with structured logs.
Append-only ledger + idempotent settlement
credits_ledger and burn_pool_ledger are append-only deltas with a unique index on (tx_signature) — repeated scans or replayed transactions never double-credit. Nonce table prevents request replay within the 30-second timestamp window. Server-side service-role writes only; RLS denies anon-key writes everywhere.
Upstash sliding-window rate limit
30 requests/minute per IP on chat-completions, 100/minute per agent pubkey on both paid routes. Backed by Upstash Redis (or Vercel Marketplace KV) with sliding-window semantics. 429 responses carry X-RateLimit-* headers. Missing config fails open with a single warn log — chosen over fail-closed at Beta to avoid silent outage during config drift; v1 may revert this.
Beta means we don't have these yet.
Stated plainly. The absence of these is a Beta-stage tradeoff, not an oversight. Each lands as Nexus matures past v1.
No third-party security audit
No external paid audit has been performed at time of publication. Code is open-source under MIT at github.com/vdmnexus/vdmnexus; public review is encouraged. An Immunefi bounty and a third-party audit are on the post-launch roadmap, gated on revenue. Do not assume any code review beyond what a public repo earns.
No SLA at Beta
There is no SLA, no uptime commitment, no incident-response time guarantee, and no paid support tier during Beta. v1 (shipping at $NEXUS launch) introduces a Business tier with SLA, incident response, and dedicated support.
No SOC 2 / ISO 27001 / formal compliance attestation
No formal compliance attestations exist. The rail is appropriate for builders, hobbyists, and self-serve agent operators. Regulated-industry buyers should wait for v1 (compliance-export feature) or contact the operator directly to scope a custom evaluation.
Solo founder, single point of failure
One Spain-resident autónomo operates the rail, the deployments, the security response, and the development. Incapacitation, illness, or operator absence may pause incident response and feature work indefinitely. Critical infrastructure (KMS, Squads multisigs, Supabase, Vercel team) is recoverable by the operator only at Beta — disaster-recovery delegation is part of v1 scope.
What we promise to defend; what we don't.
Three rows: trust assumptions on the left, out-of-scope on the right. The signed receipt is the cryptographic boundary — everything inside is defended; everything outside is the caller's responsibility.
Trust assumption
Out of scope
Find a vulnerability? Tell us first.
Email security@vdmnexus.com with reproduction steps and the impact you've observed. The operator will acknowledge within 72 hours, work toward a fix, and publish a coordinated disclosure within 90 days of acknowledgment unless the issue is actively exploited (then sooner).
There is no paid bug bounty at Beta. Public credit on /roadmap and a permanent ack in the security advisory are the only available recognition. An Immunefi bounty is on the post-launch roadmap, gated on revenue.
- Do report quietly to the email above. Provide PoC and impact analysis.
- Do not exploit beyond what's needed to prove the bug. Do not exfil data, do not move funds, do not disrupt the rail.
- Do not publish before coordinated disclosure. We work in good faith with anyone who works in good faith with us.
See also: /disclosures (token + protocol legal disclosures, MiCA-aware issuer notice), /whitepaper (protocol architecture and token role), SIR v2 spec (receipt format and verification).