Sealed envelope
The sealed envelope is the disclosure path. Every signed bundle produces one. It carries the full unredacted material. Oris stores the ciphertext. Oris cannot read it.
What is inside
For every payment:
- The full ComplianceBundle (1.5 KB).
- KYC artifacts that back the agent’s L1 identity.
- The operator signing identity that approved the active policy.
- Any escalation approvals fired during the transaction.
The envelope is referenced by sealed_envelope_id on every audit log row. Pulling the envelope requires the regulator quorum.
Encryption model
Envelopes are encrypted with AGE to a set of regulator public keys, and a threshold of those keys is required to unseal. Standard configuration:
- Quorum: 5 regulator-controlled public keys.
- Threshold: 3 of 5 signatures required to unseal.
- Algorithm: AGE with X25519 + ChaCha20-Poly1305.
The threshold can be configured per tenant (some jurisdictions require 5-of-7 or higher).
Why threshold
No single party can unseal. Not Oris, not any single regulator, not the developer. Disclosure requires a deliberate cross-party action. The threshold model survives compromise of any set of regulator keys smaller than the threshold.
Unseal flow
- The regulator portal builds an unseal request (envelope id + reason).
- Quorum members sign the request offline with their AGE secret keys.
- The portal submits the request plus the quorum signatures.
- Oris validates the threshold + signatures, then returns the plaintext.
If the threshold is not met, the request is rejected with no partial information leaked.
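The page does not say how the 3-of-5 rule is enforced on top of AGE, which on its own lets any listed recipient decrypt. The added example below (not Oris code) assumes one common construction: the envelope's file key is Shamir-split, one share per regulator, and each share is AGE-encrypted to that regulator's X25519 key. It shows the split, the unseal, and the rejection of a below-threshold request before any reconstruction is attempted.

```python
"""Threshold unseal of an envelope file key: added illustration, not Oris code.
Assumes the 32-byte file key protecting the envelope payload is Shamir-split, one
share per regulator, and each share is AGE-encrypted to that regulator's X25519
key (the AGE layer itself is not shown)."""
import secrets

P = 2**521 - 1  # Mersenne prime; any 32-byte key fits in the field


def _eval_poly(coeffs, x):
    acc = 0  # Horner evaluation over GF(P)
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_key(key: bytes, threshold: int, quorum: int) -> list[tuple[int, int]]:
    """Return `quorum` shares (x, y); any `threshold` of them recover `key`."""
    if not 1 <= threshold <= quorum:
        raise ValueError("threshold must be between 1 and quorum")
    # Degree threshold-1 polynomial whose constant term is the key itself.
    coeffs = [int.from_bytes(key, "big")] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, quorum + 1)]


def combine(shares, key_len: int = 32) -> bytes:
    """Lagrange interpolation at x = 0 over exactly `threshold` distinct shares."""
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret.to_bytes(key_len, "big")


def unseal(shares, threshold: int) -> bytes:
    """Reject below-threshold requests outright; duplicates of one member do not count."""
    distinct = list(dict(shares).items())  # one share per quorum member (keyed by x)
    if len(distinct) < threshold:
        raise PermissionError(f"threshold not met: {len(distinct)} of {threshold} shares")
    return combine(distinct[:threshold])


if __name__ == "__main__":
    file_key = secrets.token_bytes(32)  # constructed sample key
    shares = split_key(file_key, threshold=3, quorum=5)
    assert unseal([shares[0], shares[2], shares[4]], 3) == file_key
    try:
        unseal(shares[:2], 3)  # two regulators only: rejected, nothing derived
    except PermissionError as e:
        print("rejected:", e)
```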
Where to go next
- Regulator portal guide for the operator-facing walkthrough.
- L4 Compliance Bundle for what goes into the envelope.
- Audit trail for how envelopes link to the activity log.