Security overview.
- Status: Testnet
- Type: Reference
- Stability: Stable
- Reference: security
Threat model
Byzantine validators are bounded by HotStuff-2 safety. Equivocation (signing conflicting votes for the same view) is detected and slashed. Replay attacks are prevented by nonce-bound signatures: a captured signature cannot be resubmitted because the nonce it covers is only accepted once.
Auth surfaces
Network surfaces (RPC, A2A, MCP) are open to any caller and authenticated by the caller’s own signature. Operator-hosted services (wallet custody, paid inference) authenticate to the operator and are opt-in. Mediated upstreams (Canton) are gated by an operator-issued X-Tenzro-Api-Key with scope canton; the node holds the upstream credentials. See auth surfaces for the full contract.
Caller-bound signatures
RPC mutation methods accept Ed25519 or Secp256k1 signatures over Transaction::hash(). A2A mutation methods carry the tenzro.a2a.envelope.* DID envelope (sender, public_key, signature, nonce, timestamp) over a domain-separated preimage. The verifier checks the signature, derives the address from the public key, and confirms that it matches the wallet address registered for the sender DID in the identity registry.
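The envelope check above, together with the nonce-bound replay protection named in the threat model, as an added illustration in Go using the standard library's crypto/ed25519. This is example code, not Tenzro's implementation: the domain tag value, the length-prefixed preimage layout, the hash-and-truncate address derivation, the in-memory registry, the five-minute timestamp window and the DIDs and payload are all assumptions constructed for the example. It keeps the order the page gives (signature, derived address against the registry) and then adds the freshness and per-sender nonce check that makes a replayed envelope fail even though its signature still verifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"sync"
	"time"
)

// DomainTag separates envelope signatures from any other use of the same key.
// The tag value and the preimage layout below are assumptions for this example.
const DomainTag = "tenzro.a2a.envelope.v1"

// Envelope carries the fields the page lists for tenzro.a2a.envelope.*.
type Envelope struct {
	Sender    string            // caller DID, e.g. "did:tenzro:alice" (constructed)
	PublicKey ed25519.PublicKey // key the signature is checked against
	Signature []byte            // Ed25519 signature over Preimage(...)
	Nonce     string            // unique per request; bound into the signature
	Timestamp int64             // unix seconds; bound into the signature
}

var (
	ErrBadSignature    = errors.New("signature does not verify over preimage")
	ErrUnknownSender   = errors.New("sender DID not in identity registry")
	ErrAddressMismatch = errors.New("public key does not derive to sender's registered wallet address")
	ErrStale           = errors.New("timestamp outside acceptance window")
	ErrReplay          = errors.New("nonce already accepted for this sender")
)

// Verifier is the node-side state: the identity registry (DID -> wallet address)
// and the nonces already accepted, which is what defeats replay.
type Verifier struct {
	registry map[string]string
	seen     map[string]bool
	maxSkew  time.Duration
	now      func() time.Time
	mu       sync.Mutex
}

func NewVerifier(registry map[string]string, now func() time.Time) *Verifier {
	return &Verifier{registry: registry, seen: map[string]bool{}, maxSkew: 5 * time.Minute, now: now}
}

// Preimage length-prefixes every bound field so that no field can shift into
// its neighbour (e.g. a nonce ending in digits running into the timestamp).
func Preimage(sender, nonce string, ts int64, body []byte) []byte {
	var out []byte
	for _, f := range [][]byte{[]byte(DomainTag), []byte(sender), []byte(nonce), []byte(strconv.FormatInt(ts, 10)), body} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		out = append(out, n[:]...)
		out = append(out, f...)
	}
	return out
}

// AddressFromPublicKey derives a wallet address from a public key.
// The sha256-and-truncate scheme is an assumption for the example.
func AddressFromPublicKey(pk ed25519.PublicKey) string {
	sum := sha256.Sum256(pk)
	return "0x" + hex.EncodeToString(sum[:20])
}

// Sign is the caller side: it produces an envelope bound to the request body.
func Sign(priv ed25519.PrivateKey, sender, nonce string, ts int64, body []byte) Envelope {
	return Envelope{
		Sender:    sender,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, Preimage(sender, nonce, ts, body)),
		Nonce:     nonce,
		Timestamp: ts,
	}
}

// Verify applies the checks in order: signature first (so unauthenticated
// traffic cannot fill the nonce set), then the derived address against the
// registry, then freshness and replay.
func (v *Verifier) Verify(env Envelope, body []byte) error {
	if len(env.PublicKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(env.PublicKey, Preimage(env.Sender, env.Nonce, env.Timestamp, body), env.Signature) {
		return ErrBadSignature
	}
	want, ok := v.registry[env.Sender]
	if !ok {
		return ErrUnknownSender
	}
	if AddressFromPublicKey(env.PublicKey) != want {
		return ErrAddressMismatch
	}
	skew := v.now().Sub(time.Unix(env.Timestamp, 0))
	if skew > v.maxSkew || skew < -v.maxSkew {
		return ErrStale
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	key := env.Sender + "|" + env.Nonce // nonces are scoped per sender
	if v.seen[key] {
		return ErrReplay
	}
	v.seen[key] = true
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	v := NewVerifier(map[string]string{"did:tenzro:alice": AddressFromPublicKey(pub)}, time.Now)
	body := []byte(`{"method":"a2a.send"}`) // constructed request body
	env := Sign(priv, "did:tenzro:alice", "nonce-1", time.Now().Unix(), body)
	fmt.Println("first delivery:", v.Verify(env, body))
	fmt.Println("replayed:      ", v.Verify(env, body))
}
```

Note that the nonce set is only written after the signature and registry checks pass; recording nonces earlier would let an unauthenticated caller pre-burn nonces a legitimate sender has not used yet.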
Custody
MPC threshold wallets, ERC-7579 modular validators (SocialRecovery, SessionKey, SpendingLimit), and PQ-hybrid signing limit what a single compromised key can do.
TEE
Five attestation backends (Intel TDX, AMD SEV-SNP, AWS Nitro, NVIDIA GPU CC, Intel Tiber). Attestation is verified end to end: the X.509 certificate chain is validated and the signature over the attestation payload is checked, rather than trusting the payload's self-reported claims.
ZK
Plonky3 STARKs over the KoalaBear field. Conjectured post-quantum secure (hash-based, no elliptic-curve assumptions). No trusted setup. Verification runs off-EVM, with the on-chain side checking the proof's commitment via a commitment lookup.