What it is: A regulator-side verification node for VCP-compliant trading audit trails
What it verifies: Merkle inclusion proofs + external anchors (TSA/blockchain) + timing metadata
What it outputs: Green/red integrity status + evidence bundle for regulatory review
"Verify, Don't Trust" — Mathematical proof over faith-based acceptance
The VCP Supervision Node is a Proof of Concept (PoC) implementation that enables regulatory authorities to independently verify the integrity, completeness, and temporal compliance of algorithmic trading logs submitted by market participants.
| Capability | Description | Regulatory Alignment |
|---|---|---|
| Signature Verification | Ed25519 digital signature validation | SEC Rule 17a-4, eIDAS |
| Merkle Proof Verification | RFC 6962 compliant inclusion proofs | MiFID II Article 17 |
| External Anchor Validation | TSA (RFC 3161) and blockchain anchors | eIDAS Article 42 |
| Timing Requirements Check | Clock sync and precision validation | EU RTS 25, CAT NMS |
| Completeness Detection | Gap and omission detection | DORA, MiFID II |
| Incident Reporting Support | DORA-aligned data preparation | DORA Article 19-23 |
Traditional Model:
Firm ──[Self-reported logs]──> Regulator ──[Trust]──> Accept
VCP Model:
Firm ──[Merkle Proof + Anchor]──> Regulator ──[Verify]──> Accept/Reject
↑ ↓
Third-party Anchor ←────[Independent Check]
(TSA/Blockchain)
- Python 3.10+
- pip or poetry
# Clone the repository
git clone https://github.com/veritaschain/vcp-supervision-node-poc.git
cd vcp-supervision-node-poc
# Install dependencies
pip install -e .
# Or using poetry
poetry installfrom vcp_supervision import SupervisionNode
from vcp_supervision.verification import VerificationEngine
# Initialize the supervision node
node = SupervisionNode(config_path="config/default.yaml")
# Verify a single VCP event with its proof
result = node.verify_event(
event=event_data,
merkle_proof=proof_data,
anchor_record=anchor_data
)
print(f"Verification Status: {result.status}") # PASSED, FAILED, WARNING
print(f"Compliance Score: {result.score}")# Start the compliance dashboard
python -m vcp_supervision.dashboard --port 8080
# Access at http://localhost:8080┌─────────────────────────────────────────────────────────────────────┐
│ VCP Supervision Node │
├─────────────────────────────────────────────────────────────────────┤
│ ┌─────────────────────────────────────────────────────────────┐ │
│ │ Verification Engine │ │
│ ├──────────────┬──────────────┬──────────────┬─────────────────┤ │
│ │ Signature │ Merkle │ Anchor │ Timing │ │
│ │ Verifier │ Verifier │ Verifier │ Verifier │ │
│ │ (Ed25519) │ (RFC 6962) │ (TSA/BC) │ (RTS 25/CAT) │ │
│ └──────────────┴──────────────┴──────────────┴─────────────────┘ │
│ │ │
│ ┌─────────────────────────────────────────────────────────────┐ │
│ │ Compliance Dashboard │ │
│ ├──────────────┬──────────────┬──────────────┬─────────────────┤ │
│ │ Score │ Alert │ Report │ DORA │ │
│ │ Display │ Manager │ Generator │ Support │ │
│ └──────────────┴──────────────┴──────────────┴─────────────────┘ │
└─────────────────────────────────────────────────────────────────────┘
Based on independent research across five AI research systems evaluating 300+ sources including academic literature, commercial products, regulatory publications, and standards body documents:
To the best of available knowledge, the VCP Supervision Node represents the first publicly documented reference implementation of a regulator-operated verification node for Merkle proof-based validation of financial trading logs with third-party anchoring.
Prior "Supervisory Node" concepts and VCP Supervision Node differ fundamentally in architecture:
| Approach | Examples | Architecture | Limitation |
|---|---|---|---|
| Layer 1 (Prior Art) | Boston Fed, MAS Project Ubin | Blockchain consensus participant | Requires firms to migrate to DLT |
| Layer 2 (VCP) | This PoC | Audit Overlay on existing systems | Works with MT4/cTrader/FIX as-is |
This PoC was evaluated against 15+ potential counterexamples:
| Prior Art | Similarity | Critical Difference |
|---|---|---|
| Certificate Transparency (RFC 9162) | Merkle proofs, third-party monitors | TLS certificates, not trading logs |
| IETF SCITT Architecture | Transparency logs, Verifier role | Software supply chain, not financial |
| Boston Fed Supervisory Node | "Supervisory" name | Layer 1 consensus, not Layer 2 overlay |
| BIS Embedded Supervision | Regulatory technology concept | Blockchain-native, not hybrid audit |
| SEC CAT | Trading audit trail | Centralized database, no crypto proofs |
| Guardtime KSI | Merkle trees, timestamps | Enterprise data, not trading-specific |
| Feature | VCP Supervision Node | SEC CAT | Eventus Validus | Boston Fed Node |
|---|---|---|---|---|
| Primary Purpose | Forensic Integrity | Reporting | Surveillance | DLT Participation |
| Trust Basis | Mathematics (Merkle) | Authority | Database | Consensus |
| External Anchor | Yes (TSA/Blockchain) | No | No | Blockchain-native |
| Works with Existing Infrastructure | Yes | N/A | Yes | No (requires DLT) |
| Cryptographic Verification | Yes | No | No | Yes (L1) |
See docs/world-first/WORLD_FIRST.md for complete analysis including methodology, confidence levels, and all 15+ counterexamples.
Note: This determination is based on publicly accessible information. VSO welcomes information about any prior art that may have been missed.
This PoC is designed to align with requirements from 10 jurisdictions:
| Jurisdiction | Key Regulations | Timestamp Precision | Retention |
|---|---|---|---|
| EU | MiFID II, RTS 25, DORA, AI Act | 100µs (HFT) | 5-10 years |
| UK | UK MiFID II, PS21/3, FCA MAR 7A | 100µs (HFT) | 5-7 years |
| US | SEC 17a-4, CAT NMS, Reg SCI | 50ms-100µs | 3-6 years |
| Japan | FIEA, Cabinet Office Ordinance 338 | ms recommended | 7-10 years |
| Singapore | MAS TRM Guidelines | 1 second | 5 years |
| Hong Kong | SFC Electronic Trading Guidelines | µs (HFT) | 7 years |
| Australia | ASIC Market Integrity Rules | ms | 7 years |
| Canada | NI 23-103, UMIR | 50ms | 7 years |
| Switzerland | FINMA Circular 2013/8 | MiFID-like | 5-10 years |
All regulatory references are classified by evidence strength:
- Primary Law: EU Regulations, national laws (highest authority)
- RTS/ITS: Delegated/implementing regulations
- Regulator Rule: FCA Handbook, SEC Rules
- Regulator Guidance: Supervisory guidance (soft law)
- SRO Rule: FINRA rules, exchange rules
vcp-supervision-node-poc/
├── src/
│ └── vcp_supervision/
│ ├── __init__.py
│ ├── node.py # Main SupervisionNode class
│ ├── models.py # Data models
│ ├── cli.py # Command-line interface
│ ├── api/ # REST API (FastAPI)
│ │ ├── server.py
│ │ ├── routes.py
│ │ └── auth.py # Authentication (placeholder)
│ ├── verification/
│ │ ├── engine.py # VerificationEngine
│ │ ├── signature.py # Ed25519 verification
│ │ ├── merkle.py # RFC 6962 Merkle verification
│ │ ├── anchor.py # TSA/Blockchain anchor verification
│ │ └── timing.py # RTS 25/CAT timing verification
│ ├── reporting/
│ │ └── incident/ # Incident reporting support
│ │ └── dora.py # DORA support tools
│ └── dashboard/
│ └── app.py # Web dashboard
├── schemas/ # JSON Schemas (Assertion C spec)
│ ├── batch_envelope.schema.json
│ ├── challenge_request.schema.json
│ └── challenge_response.schema.json
├── tests/
│ ├── vectors/ # RFC test vectors
│ │ ├── rfc6962_merkle.json
│ │ ├── rfc8032_ed25519.json
│ │ └── rfc3161_tsa.json
│ ├── fixtures/ # PoC sample data
│ │ ├── sample_batch.json
│ │ └── sample_challenge_request.json
│ ├── unit/
│ └── integration/
├── docs/
│ ├── api/
│ ├── architecture/
│ ├── regulatory/
│ └── world-first/
├── examples/
├── config/
├── SECURITY.md # Threat model & data handling
└── README.md
# Run all tests
pytest
# Run with coverage
pytest --cov=vcp_supervision --cov-report=html
# Run specific test categories
pytest tests/unit/
pytest tests/integration/Configuration is managed via YAML files in the config/ directory:
# config/default.yaml
verification:
signature:
algorithm: "Ed25519"
require_manifest: true
merkle:
hash_algorithm: "SHA-256"
rfc6962_compliant: true
timing:
default_jurisdiction: "EU"
hft_precision_us: 100
non_hft_precision_ms: 1
reporting:
dora:
initial_report_target_hours: 4
intermediate_report_hours: 72
fca:
submission_deadline_days: 14
dashboard:
host: "0.0.0.0"
port: 8080
refresh_interval_seconds: 5See docs/api/ for detailed API documentation.
SupervisionNode: Main entry point for verification operationsVerificationEngine: Core verification logicSignatureVerifier: Ed25519 signature verificationMerkleVerifier: RFC 6962 Merkle proof verificationAnchorVerifier: External anchor (TSA/Blockchain) verificationTimingVerifier: Timestamp precision and clock sync verificationDORAReporter: DORA-compliant incident reporting supportComplianceDashboard: Web-based visualization
We welcome contributions! Please see CONTRIBUTING.md for guidelines.
# Clone and install dev dependencies
git clone https://github.com/veritaschain/vcp-supervision-node-poc.git
cd vcp-supervision-node-poc
pip install -e ".[dev]"
# Run linting
ruff check src/
mypy src/
# Run tests
pytestThis project is licensed under the Apache License 2.0 - see the LICENSE file for details.
- VCP Specification - VeritasChain Protocol specification
- VCP SDK - SDK for VCP implementation
- VCP Explorer - Web-based VCP event explorer
- EU RTS 25 (Regulation 2017/574)
- EU DORA (Regulation 2022/2554)
- EU AI Act (Regulation 2024/1689)
- SEC Rule 17a-4
- CAT NMS Plan
- RFC 6962 - Certificate Transparency
- RFC 3161 - Time-Stamp Protocol
- RFC 8032 - Edwards-Curve Digital Signature Algorithm (EdDSA)
VeritasChain Standards Organization (VSO)
- Email: info@veritaschain.org
- Website: https://veritaschain.org
- GitHub: https://github.com/veritaschain
"Verify, Don't Trust" — AI's Flight Recorder