VDM NexusDocs

Security & Privacy

What VDM Nexus protects, what it doesn't, and how to reason about the trust model.

VDM Nexus gives you cryptographic verifiability of what the model said, not cryptographic privacy of what you asked. Those are different properties. This page covers both — what we secure, what's private, and where the limits are.

Threat model

The signed-inference promise: given a receipt, a third party can verify that a specific LLM call happened with the parameters claimed. Three parties whose behavior we model:

PartyWhat they could tryWhat stops them today
An agentLie about what the model returnedThe receipt is hash-bound to the prompt + response. Recompute → mismatch detectable.
A man-in-the-middleModify the response in flightTLS everywhere. Plus the response_hash binds the content.
Nexus itselfIssue fraudulent receipts (claim a call happened that didn't)The receipt JSON is Ed25519-signed by the Nexus operator key (receipt.nexus_signature, v=2). The on-chain tx_signature independently anchors the payment. verifyReceipt from @vdm-nexus/x402 runs both checks.

What's secured today

  • Identity: Ed25519 keypair, the same primitive Solana uses
  • Replay prevention: unique tx_signature constraint on credits_ledger; nonces table on /inference
  • Failure mode: route fails-closed if no facilitator is configured; no silent acceptance
  • Transit: TLS everywhere
  • Idempotency: repeating a paid call returns 409 payment_replay, not double-charge
  • Receipt integrity: hashes bind content; on-chain tx proves payment; Ed25519 signature by the Nexus operator key proves Nexus issued the receipt. Fetch the public key at GET /api/v1/operator-key and verify with verifyReceipt from @vdm-nexus/x402.

What's NOT secured yet (and tracked)

  • Per-agent rate limiting. An attacker can hammer the 402 challenge endpoint without paying. Costs us bandwidth, not money (inference only fires after settled payment). Still a hardening priority. Roadmap item, Horizon 1.
  • Independent security audit. ~2000 lines of TypeScript handling real USDC. Audit before mainnet announcement. Roadmap item, Horizon 2.
  • Operator economic security. Today the facilitator's behavior is on the operator's honor system. Future operator staking + slashing makes fraud expensive. Token-utility item, Horizon 3.

Privacy: what we store and don't store

What we keep in the database per call:

inference_logs:
  agent_pubkey       — the payer's pubkey (already public on-chain)
  upstream           — "openrouter"
  model              — e.g. "openai/gpt-4o-mini"
  prompt_tokens      — count, not content
  completion_tokens  — count, not content
  cost_usdc          — upstream's reported cost
  latency_ms         — server-side latency
  status             — success or error
  request_nonce      — tx signature (for idempotency)

What we do NOT keep:

  • The prompt text itself
  • The response text itself
  • Any IP address or location data
  • Any user-agent or device fingerprint

The receipt itself contains hashes of the prompt and response, not the content. The agent is the sole keeper of the actual prompt/response strings. If you lose them, you can no longer verify the receipt — that's by design.

Privacy: what's NOT private

Being honest about the limits:

  1. Prompts go through the upstream provider unmasked. Today the model runs on OpenRouter's network, which routes to OpenAI/Anthropic/etc. They see the full content. Their logging and training policies are theirs. Until we add TEE / ZKML upstream providers, this is unavoidable.
  2. Solana payments are public. Anyone watching the chain knows which wallets paid the Nexus deposit address, when, and how much. The content stays private; the usage pattern doesn't.
  3. Agent pubkey is permanent. Once observed, all of that agent's Nexus calls are linkable under that pubkey. No mixing built in.

How to reason about this for your use case

If you need...What to do
Proof of what the model returned, for auditToday's Nexus is enough — receipts + tx_signature
Privacy of prompt content from NexusAlready done — we don't store prompt text
Privacy of prompt content from the model providerWait for TEE / ZKML upstream support, or self-host
Unlinkability across callsRotate agent pubkeys per use case
Cryptographic proof Nexus itself issued the receiptverifyReceipt from @vdm-nexus/x402 v0.2 — shipped

The honest summary

Nexus today is strong on verifiability and integrity (hash-bound content, operator-signed receipts, on-chain settlement), decent on availability (self-hosted facilitator removes a third-party dependency), and explicitly not a privacy product for content sent to the model. If privacy of prompt content is the requirement, signed inference alone is the wrong tool — we'd need to add a private-inference upstream first, which is a Horizon 3+ roadmap item.

Reporting security issues

Please don't open public GitHub issues for security problems. Email dennis@vdmnexus.com with details. We'll respond within 48 hours.

Receipt structure

Field-by-field walkthrough of what's in a Nexus receipt.

@vdm-nexus/sdk reference

API reference for the lean prepaid-flow SDK.

On this page

Threat modelWhat's secured todayWhat's NOT secured yet (and tracked)Privacy: what we store and don't storePrivacy: what's NOT privateHow to reason about this for your use caseThe honest summaryReporting security issues