End-to-end healthcare credentialing and hiring verification.
The backend service is located in the backend directory. It exposes a GraphQL API powered by Express, Apollo Server and Prisma.
cd backend
npm installRun the migrations and generate the Prisma client by executing:
./backend/scripts/run-migrations.shThe Prisma client requires engine downloads which may be blocked in restricted environments. If downloads fail, set PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING=1 when running generate:
PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING=1 npx prisma generatenpm run devThis starts the server on http://localhost:4000/graphql by default.
The backend now includes a simple GraphQL API powered by Apollo Server.
Resolvers use Prisma Client to perform CRUD operations on a Credential
model defined in prisma/schema.prisma.
Run the server with:
cd backend
npm install
npx prisma generate # requires internet for Prisma engines
npm startThe backend now includes a simple GraphQL API powered by Apollo Server.
Resolvers use Prisma Client to perform CRUD operations on a Credential
model defined in prisma/schema.prisma.
Run the server with:
cd backend
npm install
npx prisma generate # requires internet for Prisma engines
npm startThe backend now includes a small Express setup with middleware for request validation and centralized error handling. To run the server locally:
cd backend
npm install
npm startThe /credentials endpoint expects name and issuer fields in the request
body. Invalid input results in a structured error response.
The platform includes an Aries Cloud Agent Python (ACA-Py) microservice that issues and verifies healthcare credentials. The agent is configured to support both Hyperledger AnonCreds and W3C Verifiable Credentials so that clinicians can selectively disclose information during onboarding.
See aca_py_agent/README.md for usage.
The front-end includes a simple onboarding wizard with contextual GPT hints.
Open /frontend/pages/onboarding.tsx to start the flow and generate a local
API key.
We have launched an internal bug bounty program to improve platform security.
- Install dependencies for the reporting interface:
pip install -r bug-bounty/requirements.txt
- Run the Flask application:
python bug-bounty/app.py
- Open
http://localhost:5000in your browser and fill out the bug report form.
Submitted reports are stored in bug-bounty/bug_reports.txt on the server.
The backend includes a stubbed workflow for processing data erasure requests.
Sensitive user data is hashed and the resulting digest is stored on-chain using
PolkadotService for auditability.
The backend includes utilities to hash GPT rationale and anchor it on-chain using PolkadotService. Call verifyCredential with an identifier and a textual rationale to store a hash of the explanation on the blockchain.
Issuer keys must be stored on hardware-backed devices such as YubiKey or
Ledger. The backend exposes helper functions in
backend/src/blockchain/blockchain_integration.ts that require a hardware
wallet to be initialized before any signing operations can occur.
All service-to-service communication now uses mTLS. Certificates are mounted
from Kubernetes secrets and referenced by the applications. An OPA sidecar
is injected into each deployment to enforce policies defined in opa/policy.rego.
See docs/disaster_recovery.md for instructions on running scripted multi-region failover drills.
The frontend/vault folder contains a small example of client-side encryption helpers. These functions can be used to encrypt sensitive data in the browser before sending it anywhere else, providing the foundation for a privacy-by-design vault for user PII.
SOC 2 compliance artifacts are published from the compliance/ directory. A GitHub Actions workflow (publish_soc2_dashboard.yml) deploys the contents of this folder to GitHub Pages whenever updates are pushed to main.
The backend/src/blockchain/TrustRegistry.sol contract implements a simple on-chain registry for credential issuers. Each issuer can be registered and receive weighted endorsement votes from other accounts. Endorsements accumulate as reputation for the issuer while preventing duplicate votes from the same endorser.
The identity_governance_upgrade.ts module under backend/src/blockchain
provides a lightweight example of how new identity features might be proposed
and applied through a governance process. It is a starting point for exploring
consensus-layer upgrades within the platform.
The backend now includes a simple resolver capable of fetching DID documents from external networks. It bridges to any resolver service compatible with the Universal Resolver API, enabling cross-chain lookups of identities.
The backend contains a simple KeyRotationPolicy that supports scheduling
future signing keys with a time lock. Once the specified transition time has
passed, the policy automatically activates the new key. See
backend/src/blockchain/key_rotation_policy.ts for implementation details.
The repository includes a trusted-node directory with a Dockerfile and Helm chart
that demonstrate how institutional validators can deploy a placeholder trusted node.
See trusted-node/README.md for usage instructions.
This repository now includes the W3C Verifiable Credentials Data Model v1.0
context inside the credential registry pallet under backend/src/credential_registry.
This integration provides a foundation for validating credentials against the
standard VC schema.
This demo now includes immutable audit scrapbooks recorded on-chain for every
major identity action. The AuditScrapbook class writes an audit record through
the PolkadotService which would normally commit a transaction containing a hash
of the activity.
This repository includes a simple PolkadotService that wraps
@polkadot/api for interacting with a Substrate-based chain. It now
supports batching credential issuance using utility.batch so that
multiple credentials can be issued in a single extrinsic.
The backend now exposes helper utilities to create chain-agnostic upgrade paths.
These allow the platform to bridge existing credentials to smart contracts on
both EVM and WASM based chains. See backend/src/blockchain/upgrade_paths.ts
for the implementation.
This repository now includes a Substrate pallet for managing on-chain
identity policy changes via community voting. The pallet lives in
identity-governance-pallet and provides basic functionality to propose
policies, cast votes and finalize proposals.
Verifiers are required to lock tokens in the VerifierStaking smart contract. If a
verifier provides incorrect verification, the contract owner can slash the
verifier's stake. The contract and a simple TypeScript wrapper live under
backend/contracts and backend/src/blockchain.
This repository now includes a simple bonding curve model used to prototype token pricing for the credential verification service. The implementation can be found in pricing/bonding_curve.py with accompanying unit tests in pricing/tests.
The GovernanceToken smart contract located under backend/src/blockchain/contracts
implements an ERC20-compatible token with weighted voting and linear vesting
schedules. Token holders can delegate their votes to another address, and
vesting schedules allow timed release of allocated tokens.
This repository contains a basic Substrate pallet implementation to manage
utilitarian, governance, and reputation tokens. The pallet can be found in
backend/src/blockchain/multi_token_pallet.rs and is intended as a starting
point for future on-chain logic.
The backend/contracts/ChallengeRewards.sol contract contains basic logic for distributing rewards for challenge-based gamification events. It allows new challenges to be added and emits a RewardDistributed event when a participant completes a challenge.
This repository includes a lightweight implementation of a micropayment channel
used for off-chain API calls with on-chain settlement. The implementation lives
in backend/src/payments/micropayment_channel.ts and provides utilities to
create vouchers that can later be settled on-chain.
The backend includes a simple yield farming service in
backend/src/blockchain/yield_farming.ts. Stakers can deposit tokens and earn
fees collected from credential transactions. Rewards are distributed
proportionally to each participant's stake.
A simple token implementation is provided in backend/src/blockchain/deflationary_token.ts.
Each transfer burns a portion of the tokens, reducing the total supply over time.
This burn also occurs when tokens are consumed for utility actions via useUtility.
The platform now includes a simple DAO governance module located in
backend/src/blockchain/governance.ts. This allows community members to
propose changes to key economic parameters (such as interestRate and
inflationRate) and vote on them. Proposals that receive more votesFor
than votesAgainst will update the current economic configuration when
finalized.
The platform now includes a basic service for minting NFT badges. Badges can represent career milestones or course completions. The nft_badge_service provides a mintBadgeNFT function that simulates minting on the Polkadot blockchain and returns a placeholder token ID.
The repository now includes Solidity contracts that implement basic escrow functionality:
JobOfferEscrow.solhandles deposits from employers for job offers. Funds are released to the candidate once they accept the offer, or refunded if the employer cancels before acceptance.MilestoneEscrow.solsupports milestone based payments. A payer deposits funds for a payee and can release them when a milestone is completed.
Both contracts can be found in the contracts/ directory and are provided under
the MIT license.
The backend now exposes a simple universal DID resolver that supports did:web, did:ethr and did:key methods. The resolver is implemented in backend/src/did/universal_did_resolver.ts using the did-resolver package and companion method resolvers. This utility can be imported and used anywhere within the backend:
import { defaultResolver } from './src/did/universal_did_resolver';
const doc = await defaultResolver.resolve('did:key:z6Mkw...');Enterprise partners can unlock additional API capabilities by staking tokens on-chain. The available tiers are:
- Gold – requires 1,000 tokens staked
- Platinum – requires 5,000 tokens staked
See backend/src/controllers/premium_api_controller.ts for the stub implementation handling stake verification and tier checks.
This prototype integrates Ocean Protocol to mint and trade anonymized analytics as datatokens. See backend/src/blockchain/ocean_marketplace.ts for a minimal example using @oceanprotocol/lib.
Smart contracts on Ethereum can validate hashed CHAI credentials using the
ChaiCredentialBridge contract found in the contracts/ directory. An off-chain
or cross-chain process is expected to call setCredentialValid when a CHAI
credential has been confirmed on the source chain. Other contracts may query the
validate function to check if a given credential hash is recognised by the
bridge.
The backend/src/blockchain directory contains a simple rollup prototype. It batches credential operations and anchors a SHA-256 proof on-chain via a stub Polkadot service.
SDKs are provided for integrating with external blockchains.
sdks/solana-sdk– helper functions for Solana based projects.sdks/avalanche-sdk– helper functions for Avalanche projects.
These packages expose a validate<Chain>Credential(apiUrl, payload) function
that posts credential data to the CHAI validation API.
The backend/src/blockchain/evm_erc721_wrapper.ts file provides a simple
ERC-721 wrapper for CHAI soulbound tokens. It can be used to mint and query
non-transferable tokens on any EVM-compatible chain.
- credibc: a skeleton Cosmos IBC module located at
backend/src/blockchain/credibcfor transferring credential evidence between chains.
This repository includes a stub integration with Chainlink Functions to
demonstrate how off-chain AI logic could provide on-chain risk scores. See
backend/src/blockchain/chainlink_oracle.ts for details.
For issuers that are not yet integrated with the platform, you can issue a provisional attestation. The backend exposes a helper function offerProvisionalAttestation which returns a temporary attestation object valid for a configurable number of days.
import { offerProvisionalAttestation } from './backend/src/provisional_attestation';
const attestation = offerProvisionalAttestation('issuer-123');This allows the platform to acknowledge an issuer while full integration is pending.
The demonstration wallet now includes a Share only status toggle on the credential details page. Enabling this option shares a simple proof that the credential exists and is valid instead of exposing the entire verifiable credential payload. The proof generation is stubbed in the frontend but serves as a placeholder for future cryptographic implementations.
The k8s/backend-rollout.yaml file demonstrates how to deploy the backend using
Argo Rollouts. It defines a canary
strategy with automated analysis. The analysis succeeds only when the backend's
Prometheus metrics report a success rate of 95% or higher and no HTTP
errors.
See docs/substrate_eks_poa_setup.md for instructions on deploying a permissioned Substrate network with Proof-of-Authority consensus on AWS EKS.