aisthetic·servicesSecurity is a product feature. Built on Solana. Not a checkbox.
Four invariants that hold whether one agent calls or a fleet does. Plus a frank list of what we do not claim. The fastest way to build trust with a security buyer is to surface the boundary, not hide it.
Four invariants
1. Zero custody
We never hold funds. Receipts are signed via a Signer port; production implementations are KMS- / HSM-backed, not in app code, not in env. Ephemeral signers are refused in production without explicit override.
2. Zero leakage
A 24-pattern leak scanner runs over every artefact before it can leave the gateway. Bodies are sha256-hashed by default. Bearer tokens, storage refs, JWT shapes, PEM headers, and DB credential URIs all fail the scan.
3. Tamper-evident
Receipts are Ed25519-signed and indexed. The audit log is append-only and hash-chained per provider. Proof bundles verify offline against a published public key, no contact with us required.
4. Bounded by design
Every external surface uses a single bounded enum vocabulary, mirrored across CLI, docs, and this site. If a capability cannot be expressed in that vocabulary, it does not ship.
On-chain anchor
The payment lane and receipt verifier are anchored to Solana mainnet. The Anchor program is immutable (upgrade authority null) and verifies receipt hashes on-chain.
| Anchor | Address / signature | Status |
|---|---|---|
| Anchor program | FWdCDkFnex…vw9Z (Solscan) | Immutable |
| Recipient ATA | Hbzx5A9M…s11A (Solscan) | Live |
| First mainnet canary | 4N9XggyC…gQaY (Solscan) | Verified |
External verification, 4/4 lanes passed
Every external lane the gateway depends on has a real third-party round-trip on disk. Operator credentials run the gated tests; the on-disk artefacts are what the sweep classifier reads. Zero operator-controlled compatibility stubs remain in the lane composition.
| Lane | Status | Receiver |
|---|---|---|
| Signed webhook external delivery | passed | real third-party Cloudflare Worker |
| x402 funded testnet settle | passed | public facilitator.x402.rs + on-chain Base Sepolia |
| Google Cloud Storage live bucket | passed | real GCS sandbox bucket round-trip |
| Grafana Cloud Mimir Alertmanager | passed | real Grafana Cloud sandbox tenant, HTTP 200 delivery |
| Solana SPL USDC mainnet payment lane | canary passed | on-chain Anchor verifier program FWdCDkFnex…vw9Z, canary tx 4N9XggyC…gQaY |
| Public on-chain billing settlement | live on Solana | mainnet recipient ATA Hbzx5A9…s11A, USDC mint EPjFWdd5…Dt1v |
All four lanes pass against real third-party tenants , no operator-controlled compatibility stubs remain in the composition. The lane status above is what an operator reproduces when they run the verification sweep with their own credentials. The evidence pack ships in the dataroom on request.
What we do not claim
- We do not claim SOC 2, ISO 27001, HIPAA, or PCI certification.
- We do not claim official Okta, Entra, or Google SAML certification.
- We do not claim official SCIM 2.0 conformance certification.
- We are not enterprise GA. Public beta only.
- Enterprise pilot has not started, the posture changes only when a real first signed pilot completes.
- No customer logos, names, revenue, or benchmark figures.
- No published price; no SLA program.