What is a shyconfig?

A shyconfig is a machine-readable JSON document that governs a shyware deployment. Every client module validates a shyconfig on initialization and uses it to derive:
  • which contract version and flow types are active
  • which identity provider and mode to use
  • what signing backend and HSM configuration to expect
  • what deployment posture (recoverable vs. coercion-resistant) applies
  • what receipt storage and recovery policy is in effect
Two deployments initialized from shyconfigs with the same contract_version are governed by the same anonymous-layer authority model regardless of branding, hostname, or audience. The canonical schema is at shyware/shyconfig.schema.json.

Required top-level fields

{
  "contract_version": "shyvoting-v1",
  "app": { "id": "...", "name": "...", "product_type": "shyvoting" },
  "domains": { "public": { "splash": "yourinpolitics.com" } },
  "anon_layer": { "sdk_id": "...", "black_box_required": true, "required_flows": [...] },
  "api": { "base_url": "https://api.yourdomain.com" },
  "identity": { ... },
  "signing": { ... },
  "deployment": { ... }
}

contract_version

"shyvoting-v1" | "shywire-v1" | "shycustody-v1" | "shycontracts-v1" | "shyshares-v1"
Determines which embodiment-specific block is required and which required_flows are valid.

anon_layer.required_flows

Declares the SDK flow types this deployment activates. Full set by embodiment:
Embodiment     Required flows
shyvoting      poll_read, identity_bind, ballot_build, ballot_submit, receipt_verify
shywire        wire_issue, wire_transfer, wire_redeem
shycustody     policy_read, lot_record, silo_transfer, redemption_request, redemption_settlement, demurrage_apply
shycontracts   contract_register, contract_activate, remittance_submit
shyshares      organization_read, membership_snapshot_read, proposal_create, weighted_ballot_submit, tally_read, action_queue_read, action_dispatch

Identity block

"identity": {
  "provider": "didit",
  "mode": "stable_person_id",
  "kyc_required": true,
  "recommended_idv": "didit",
  "byoid_policy": "disallowed",
  "workflow_id": "...",
  "issuer_did": "did:prism:..."
}
Field               Values                                                 Notes
provider            didit | identus | wallet | none                        Primary identity source
mode                stable_person_id | wallet_commitment | manual_demo     Commitment derivation strategy
byoid_policy        disallowed | allowed | required                        Whether to accept caller-supplied identity inputs
presentation_mode   proof_hash | credential_commitment | wallet_signature  How identity proof is presented to the runtime

Signing block

"signing": {
  "required": true,
  "backend": "aws_kms_x_azure_hsm",
  "validator_key_id": "alias/shyware-validator",
  "tally_key_id": "alias/shyware-tally",
  "external_hsm": "azure_managed_hsm",
  "external_hsm_key_name": "shyware-tally-hsm",
  "external_hsm_uri": "https://yourvault.managedhsm.azure.net",
  "attestation_required": true
}
backend              Use case
aws_kms_x_azure_hsm  Production — cross-cloud FIPS 140-3 L3 signing
aws_kms              Production — single-cloud KMS
local_ed25519        Development only
none                 Testing without signing

Deployment block

"deployment": {
  "default_posture": "recoverable",
  "runtime_fallbacks": {
    "write_only_on_missing_play_integrity": true,
    "write_only_on_hostile_network": true,
    "write_only_on_untrusted_device_attestation": true
  }
}
default_posture: "coercion_resistant" activates write-only mode unconditionally — no receipt retained on device after submission. "recoverable" allows receipt retention when runtime signals indicate a safe environment, falling back to write-only when any enabled runtime fallback condition is met.
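The rule above, turned into a decision function as an added example. This is not shyware's own runtime code: the three runtime_fallbacks keys are the page's, but the runtime signal names, the function effective_posture and the fail-closed treatment of a signal the client could not observe are this example's assumptions.

```python
# Added example (not shyware's runtime code): combine the deployment block
# with observed runtime signals to decide whether this submission may keep a
# receipt on the device.

# shyconfig fallback key -> runtime signal that is True when the condition holds
# (signal names are this example's assumption, not an SDK contract)
FALLBACK_SIGNAL = {
    "write_only_on_missing_play_integrity": "play_integrity_missing",
    "write_only_on_hostile_network": "hostile_network",
    "write_only_on_untrusted_device_attestation": "device_attestation_untrusted",
}


def effective_posture(deployment: dict, signals: dict) -> tuple[str, str]:
    """Return ("write_only" | "recoverable", reason) for one submission."""
    posture = deployment.get("default_posture")
    if posture == "coercion_resistant":
        # Unconditional: the device never keeps a receipt, whatever the signals say.
        return "write_only", "default_posture=coercion_resistant"
    if posture != "recoverable":
        raise ValueError(f"unknown default_posture {posture!r}")
    fallbacks = deployment.get("runtime_fallbacks", {})
    for key, signal in FALLBACK_SIGNAL.items():
        if not fallbacks.get(key, False):
            continue  # this fallback is disabled in the shyconfig
        # A signal the runtime could not observe counts as present (fail closed):
        # "unknown" is not evidence of a safe environment. Example's own choice.
        if signals.get(signal, True):
            return "write_only", key
    return "recoverable", "all enabled fallbacks clear"


# Constructed inputs for a quick run; the fallbacks mirror the block shown above.
DEPLOYMENT = {
    "default_posture": "recoverable",
    "runtime_fallbacks": {
        "write_only_on_missing_play_integrity": True,
        "write_only_on_hostile_network": True,
        "write_only_on_untrusted_device_attestation": True,
    },
}
SAFE_DEVICE = {"play_integrity_missing": False, "hostile_network": False,
               "device_attestation_untrusted": False}

if __name__ == "__main__":
    print(effective_posture(DEPLOYMENT, SAFE_DEVICE))
    print(effective_posture(DEPLOYMENT, {**SAFE_DEVICE, "hostile_network": True}))
    print(effective_posture({"default_posture": "coercion_resistant"}, SAFE_DEVICE))
```

The order of FALLBACK_SIGNAL is the order in which conditions are checked, so the reason reported is the first enabled fallback that fired; a disabled fallback is skipped even when its signal is hostile.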

Receipts block

"receipts": {
  "match_store": "cockroach_encrypted",
  "user_access": "gated_recovery",
  "double_vote_enforcement": "voter_registry_only",
  "recovery_signals": ["device_integrity", "didit_recheck"],
  "high_risk_region_blocklist": ["IR", "KP", "RU"]
}
match_store          Notes
cockroach_encrypted  Production — encrypted CockroachDB on Verne Global
firestore_encrypted  Production — encrypted Firestore
device_only          Receipt stored locally only; no rematch available
none                 Write-only — no receipt retained

Embodiment-specific blocks

shyvoting — no additional required block

Voting uses the base required fields plus identity, signing, deployment, receipts.

shywire — wire block required

"wire": {
  "asset_id": "usdc-shywire",
  "issuer_name": "Oneway",
  "backing_asset": "USDC",
  "wrapper_mode": "stablecoin_wrapper",
  "provider": "circle_usdc",
  "provider_config": {
    "mode": "live",
    "intent_path": "/wire/intent",
    "settlement_asset": "USDC",
    "supported_rails": ["blockchain", "ach"],
    "requires_operator_review": false
  },
  "operator_mint_burn": true,
  "rematch_authority": "issuer_read_only",
  "supported_networks": ["ethereum", "polygon"]
}

shycustody — custody block required

"custody": {
  "asset_id": "vault-gold-1",
  "policy_source": "on_chain",
  "accepted_sku_whitelist": ["XAU-9999", "XAU-9995"],
  "unit_of_measure": "troy_oz",
  "quantity_normalization": "grade_weight_nav",
  "demurrage_policy": "policy_burn",
  "operator_mint_burn": true,
  "redemption_mode": "physical_goods_only",
  "redemption_routing": "holder_chooses_warehouse",
  "evidence_requirements": ["camera_session_ref", "operator_receipt_ref"],
  "transfer_layer": "shywire"
}

shycontracts — financing block required

"financing": {
  "goal_gated": true,
  "return_basis": "project_profit",
  "remittance_source_mode": "matched_customer_revenue",
  "funding_mode": "staggered_waitlist",
  "transfer_layer": "shywire"
}

shyshares — governance + execution blocks required

"governance": {
  "membership_sources": ["token_balance"],
  "weighting_mode": "token_weighted",
  "privacy_mode": "anonymous",
  "proposal_classes": ["parameter_change", "treasury_payout"],
  "transfer_layer": "shywire"
},
"execution": {
  "default_mode": "internal_queue",
  "adapters": ["shywire"],
  "canonical_queue": true
}
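The rules stated across this page (required top-level fields, the embodiment block each contract_version requires, the required_flows valid for it, and the enumerated field values of the identity, signing, deployment and receipts blocks) written out as one validator, added here as an example. It is not the shyware project's validator or its JSON Schema: the value tables are copied from the page as data, while the function name validate_shyconfig, the mapping names, the production flag, the two consistency rules marked as the example's own, and the two sample configs are this example's constructions.

```python
"""Structural checks for a shyconfig, added as an example (not the shyware project's
own validator or schema). It turns the rules this page states into Python checks;
the tables are copied from the page, while the function name, mapping names and
sample configs are this example's constructions."""

TOP_LEVEL = ("contract_version", "app", "domains", "anon_layer", "api",
             "identity", "signing", "deployment")

# contract_version -> embodiment-specific blocks the page marks as required
CONTRACT_BLOCKS = {
    "shyvoting-v1": (),
    "shywire-v1": ("wire",),
    "shycustody-v1": ("custody",),
    "shycontracts-v1": ("financing",),
    "shyshares-v1": ("governance", "execution"),
}

# contract_version -> full set of SDK flow types valid in required_flows
CONTRACT_FLOWS = {
    "shyvoting-v1": {"poll_read", "identity_bind", "ballot_build", "ballot_submit", "receipt_verify"},
    "shywire-v1": {"wire_issue", "wire_transfer", "wire_redeem"},
    "shycustody-v1": {"policy_read", "lot_record", "silo_transfer", "redemption_request",
                      "redemption_settlement", "demurrage_apply"},
    "shycontracts-v1": {"contract_register", "contract_activate", "remittance_submit"},
    "shyshares-v1": {"organization_read", "membership_snapshot_read", "proposal_create",
                     "weighted_ballot_submit", "tally_read", "action_queue_read", "action_dispatch"},
}

# (block, field) -> allowed values, from the page's value tables
ENUMS = {
    ("identity", "provider"): {"didit", "identus", "wallet", "none"},
    ("identity", "mode"): {"stable_person_id", "wallet_commitment", "manual_demo"},
    ("identity", "byoid_policy"): {"disallowed", "allowed", "required"},
    ("identity", "presentation_mode"): {"proof_hash", "credential_commitment", "wallet_signature"},
    ("signing", "backend"): {"aws_kms_x_azure_hsm", "aws_kms", "local_ed25519", "none"},
    ("deployment", "default_posture"): {"recoverable", "coercion_resistant"},
    ("receipts", "match_store"): {"cockroach_encrypted", "firestore_encrypted", "device_only", "none"},
}
DEV_ONLY_BACKENDS = {"local_ed25519", "none"}  # "Development only" / "Testing without signing"


def validate_shyconfig(cfg: dict, production: bool = False) -> list[str]:
    """Return every problem found, in check order; an empty list means the config passes."""
    problems = [f"missing top-level field: {key}" for key in TOP_LEVEL if key not in cfg]
    version = cfg.get("contract_version")
    if version not in CONTRACT_BLOCKS:
        problems.append(f"unknown contract_version: {version!r}")
        return problems  # the embodiment decides every check below
    for block in CONTRACT_BLOCKS[version]:
        if block not in cfg:
            problems.append(f"{version} requires the {block!r} block")
    flows = cfg.get("anon_layer", {}).get("required_flows", [])
    if not flows:  # example's own rule: a deployment that activates no flow is a mistake
        problems.append("anon_layer.required_flows must list at least one flow")
    for flow in flows:
        if flow not in CONTRACT_FLOWS[version]:
            problems.append(f"flow {flow!r} is not valid for {version}")
    for (block, field), allowed in ENUMS.items():
        value = cfg.get(block, {}).get(field)
        if value is not None and value not in allowed:
            problems.append(f"{block}.{field}={value!r} not in {sorted(allowed)}")
    signing = cfg.get("signing", {})
    # Consistency check this example adds: demanding signatures from a backend
    # that does no signing can never be satisfied at runtime.
    if signing.get("required") and signing.get("backend") == "none":
        problems.append("signing.required is true but signing.backend is 'none'")
    if production and signing.get("backend") in DEV_ONLY_BACKENDS:
        problems.append(f"signing.backend {signing['backend']!r} is development/testing only")
    return problems


# Constructed samples (not real deployments). The first is a shyshares config that
# omits its execution block, lists a shyvoting flow and requires signatures from
# the "none" backend; the second is a minimal shywire config that passes.
BAD_SHYSHARES = {
    "contract_version": "shyshares-v1",
    "app": {"id": "demo", "name": "Demo", "product_type": "shyshares"},
    "domains": {"public": {"splash": "example.invalid"}},
    "anon_layer": {"sdk_id": "demo", "black_box_required": True,
                   "required_flows": ["organization_read", "proposal_create", "ballot_submit"]},
    "api": {"base_url": "https://api.example.invalid"},
    "identity": {"provider": "wallet", "mode": "wallet_commitment", "byoid_policy": "allowed"},
    "signing": {"required": True, "backend": "none"},
    "deployment": {"default_posture": "recoverable"},
    "governance": {"membership_sources": ["token_balance"], "weighting_mode": "token_weighted"},
}
GOOD_SHYWIRE = {
    "contract_version": "shywire-v1",
    "app": {"id": "demo-wire", "name": "Demo Wire", "product_type": "shywire"},
    "domains": {"public": {"splash": "example.invalid"}},
    "anon_layer": {"sdk_id": "demo", "black_box_required": True,
                   "required_flows": ["wire_issue", "wire_transfer", "wire_redeem"]},
    "api": {"base_url": "https://api.example.invalid"},
    "identity": {"provider": "didit", "mode": "stable_person_id", "byoid_policy": "disallowed"},
    "signing": {"required": True, "backend": "aws_kms"},
    "deployment": {"default_posture": "recoverable"},
    "wire": {"asset_id": "demo-wire", "backing_asset": "USDC", "provider": "circle_usdc"},
}

if __name__ == "__main__":
    for name, cfg in (("BAD_SHYSHARES", BAD_SHYSHARES), ("GOOD_SHYWIRE", GOOD_SHYWIRE)):
        print(name, validate_shyconfig(cfg) or "ok")
```

Run with production=True to reject the development-only signing backends as well; with the default, a local_ed25519 config passes so the same function serves both environments. Enumerated fields that are absent are skipped rather than required, since the page only fixes their values, not which of them every deployment must set.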