Production Roadmap

The Honest Gap Between Hackathon and Production

What's shipped today, and what a regulated financial protocol on HashKey Chain needs before mainnet. We're transparent about both.

Shipped — hackathon-grade, working on testnet

  • Semaphore v4 ZK credentials
    Groth16 proofs, bn128 precompiles verified on HashKey Chain, 74 passing tests.
  • Per-prover credential freshness (v6)
    Custom Circom circuit + FreshnessVerifier + HSKPassportFreshness deployed on testnet. Browser-side Groth16 proof ~4.5s, on-chain verification green (see /demo/fresh).
  • Sumsub KYC integration
    Real applicant creation, webhook verification, auto-issuance on GREEN. Sandbox mode for demo.
  • Audit-class security hardening
    H1 issuer offboarding, H2 anti-sybil bridges, H3/H4 backend privacy, M1-M5 governance + delegate split.
  • Composable compliance policies
    /composer generates Solidity contract + React gate + tests for any rule set.
  • Privacy-safe backend
    KYC queue redacts PII unless the caller signs as an approved issuer.
  • OpenZeppelin Timelock (48h delay)
    Deployed and wired to protocol ownership transfer.
  • Issuer slashing via Timelock
    IssuerRegistry stake forfeit routed through Timelock authority; 3 Hardhat tests cover the flow (authority check, cap at available stake, IssuerSlashed emission).
  • SDK on npm
    hsk-passport-sdk v1.1.0 published with v6 freshness module; contracts library in-repo.

Q3 2026 — production hardening

  • Issuer-side v6 auto-registration
    Backend auto-issuer posts Poseidon(commitment, issuanceTime) to FreshnessRegistry at issuance time. Scoped but not yet wired — today only the seeded demo credential exists on-chain.
  • Blind-signature issuance
    Backend never learns commitment ↔ Sumsub applicant mapping. Eliminates the backend-correlation risk.
  • Multi-sig governance handoff
    3-of-5 Safe with core contributors as signers, timelock as executor.
  • HSM-protected issuer keys
    YubiHSM or AWS CloudHSM for issuer private keys — no more .env secrets on VPS.
  • Sumsub production tier
    Switch from sandbox to prd token. iBeta L2 liveness, document authenticity, internal dedup.
  • Anonymity set floor enforcement
    Reject proofs from groups below 1000 members; verifier warns on groups below 10000.

Q4 2026 — scale and trust minimization

  • Formal security audit
    Trail of Bits or OpenZeppelin full audit (6-8 weeks, ~$100-200k).
  • Proof aggregation
    Nova/HyperNova folding or recursive Groth16 for batch verification at ≤50k gas per proof.
  • Cross-chain availability
    LayerZero message routing — verifiers callable from Arbitrum, Base, Ethereum mainnet.
  • Decentralized issuer network
    Permissionless Tier-3 issuers with reputation scoring and public audit logs.
  • Efficient revocation via accumulators
    Move from client-side Merkle tree reconstruction to RSA accumulator or MMR for O(log n) revocation checks.

Threat model — where HSK Passport protects, and where it does not

  • Protects
    Identity leakage to dApps, sybil attacks at verifier (same commitment, per-action scope), front-running of proofs (caller-bound message), issuer abuse (revocation + group freeze).
  • Does not protect
    Coerced real users, deepfake attacks against the KYC provider, compromised issuer private key (until HSM ships), correlation by someone with backend DB access (until blind issuance ships).
On honest positioning:Every KYC-gated protocol has these gaps. Most don't list them. We list them because closing them is the work, not pretending they don't exist.