How it works

Apply, approve, disburse — without anyone untrusted seeing a name.

The agent and operator only send instructions. The enclave resolves identity, pays the provider, and sanitises the response — so PII never reaches untrusted hands.

010 PII

Operator

Sets policy & approves the run

020 PII

AI Agent

Orchestrates · sends instructions

03PII

TEE Enclave

Resolves PII · calls provider

04PII

Provider

Receives resolved PII

the PII boundary — left: never sees data · right: enclave only

Six steps, one sealed identity

1
Apply
The citizen proves identity by NIK. Issuers sign their true attributes with ed25519 — no uploads, no self-declaration.
2
Preview
Signatures verify instantly — "eligible: Tier G1, Rp 700,000" or "not eligible". Transparent, not yet binding.
3
Approve
The operator sees attested attributes only (✓ income=low · Tax Office) — never the salary or name. One click: approve or reject.
4
Decide
check-eligibility runs in the contract and sets the tier & amount by policy. The operator never types a number.
5
Disburse
The enclave resolves the name and pays the provider. The agent gets back only a tx_id and status.
6
Receive
The aid lands. Every decision and payment is sealed to an immutable, PII-free audit trail.

Amounts the operator can’t touch

The contract maps attested attributes to a fixed benefit tier. The figure is policy, not discretion.

G1 — Priority

income = low + elderly / disabled / single parent

Rp 700,000

G2 — Standard

income = low + head of family / married

Rp 600,000

G3 — Near-poor

income = medium

Rp 400,000

Who can do what

Citizen

✓ Owns their PII · applies · sees their aid

Issuer

✓ Signs attribute claims from its own records

✕ Cannot disburse

Operator

✓ Approves / rejects eligibility

✕ No amount · no PII · no diversion

Contract (TEE)

✓ Assigns tier · resolves PII · writes audit

See it live →