Verify, don’t trust. Including us.
Mandate is local-first: your book is governed on your own machine, the only thing you ever share is a proof that hides the book, and that proof is checked with math against a key inside it, not against our servers. Here is exactly how, and what it does and does not ask you to trust.
Your book stays on your machine.
Positions, trades, prices, and strategy are read and governed locally by the self-hosted runtime. There is no upload step and no cloud copy.
A proof pack discloses the decision, which mandate rules were satisfied, the determining rule on a block, the committed-mandate digest, and a commitment to the hidden inputs. Positions, sizes, prices, and strategy are redacted.
A shared proof travels in the URL fragment (after #), which browsers never transmit to a server. Verification runs entirely in the recipient’s browser. ScopeBlind receives nothing.
Keys are yours. Inputs are bound to their source.
The fund’s Ed25519 signing key is generated on the fund’s machine. It signs decisions and proof packs. No private key material is sent to or stored by ScopeBlind.
Each proof embeds the public verification key, so a recipient checks the signature against the key in the pack, offline. Trust anchors are the published key and the open verifier, not our infrastructure.
Inputs can be bound to a custodian/administrator-signed feed, a DKIM-signed statement email, or a signed PDF (PAdES). The runtime cannot fabricate a source it does not hold a valid signature for.