Seal the rules,
not just the amount.
A confidential cross-border payment corridor whose compliance rulebook is sealed. Everyone else encrypts the payment and publishes the policy — CLOISTRA encrypts the policy itself: the cap, the recipient screening, the velocity ceiling, every one still enforced onchain. No sender, observer, competitor, or operator can read where the compliance line sits.
cleared or nullified — decryptable only by the compliance officer.
A transfer crosses in four moves.
The sender encrypts the amount in the browser. No decryption key exists client-side — decryption lives with the FHEVM threshold KMS.
The corridor checks it against the sealed rulebook — cap, screening, velocity — homomorphically.
A single FHE.select yields the moved amount or an encrypted zero. The outcome is sealed, even to the sender.
Only the compliance officer can decrypt a flagged transfer, via EIP-712 — private to the world, accountable to the regulator.
Checked against thresholds no one can read.
The most a single transfer may move — held as ciphertext, compared homomorphically.
Allow / deny per recipient, default-deny. The address is public; whether it passes is sealed.
A per-sender encrypted running total that accumulates across transfers and resets on a public window.
A breach nullifies the transfer to zero through a single FHE.select — and reveals which rule caught it to no one, because the chain can’t.
A line you can’t see is a line you can’t structure around.
Publish your compliance thresholds and sophisticated actors probe them — splitting transfers just under the cap, routing around the screening list, pacing beneath the velocity ceiling. CLOISTRA keeps the boundary in ciphertext. Every transfer is still checked; none of them reveal where the edge is — not even which rule nullified a blocked one.