Last updated 8 months ago
Midnight enables selective disclosure, but devs lack a Midnight-native tester to catch privacy leaks and under-constrained ZK logic before audits/launches. This slows releases and weakens trust.
CarthageX Safety Tool (CXST) delivers Privacy & Compliance Testing with static rules, LLM-guided fuzzing, selective-disclosure diffing, and CI-ready reports.
This is the total amount allocated to AI-powered privacy & compliance testing for Midnight.
Please provide your proposal title
AI-powered privacy & compliance testing for Midnight
Enter the amount of funding you are requesting in ADA
100000
Please specify how many months you expect your project to last
12
Please indicate if your proposal has been auto-translated
No
Original Language
en
What is the problem you want to solve?
Midnight enables selective disclosure, but devs lack a Midnight-native tester to catch privacy leaks and under-constrained ZK logic before audits/launches. This slows releases and weakens trust.
Supporting links
Does your project have any dependencies on other organizations, technical or otherwise?
No
Describe any dependencies or write 'No dependencies'
No dependencies
Will your project's outputs be fully open source?
Yes
License and Additional Information
Apache 2.0
Please choose the most relevant theme and tag related to the outcomes of your proposal
Developer Tools
Mention your open source license and describe your open source license rationale.
We want maximum adoption across the Midnight/Cardano community while still ensuring clear patent safety. Apache-2.0 strikes the right balance—open enough for grassroots contributions, safe enough for enterprise CI/CD integration, and composable with the broader Cardano open-source stack.
How do you make sure your source code is accessible to the public from project start, and people are informed?
CarthageX Safety Tool’s development is fully transparent from day one with a public GitHub repository that shows every commit, issue, and CI run. Immediate announcements via Cardano&Midnight Forum, and X engage early contributors. A clearly structured roadmap, weekly tagged snapshots, automated build and coverage badges, regularly synced GitBook documentation, and milestone-based community devlogs keep the Cardano and Midnight communities continuously informed of progress.
How will you provide high quality documentation?
We deliver high-quality documentation through a public GitBook that stays continuously in sync with our GitHub repo via automated CI workflows. Our docs include step-by-step setup guides, clear CLI examples, detailed explanations of static-analysis rules, troubleshooting FAQs, and integration tutorials. Docs are peer-reviewed and regularly updated, aligning precisely with each weekly snapshot release, ensuring accuracy, clarity, and ease of use for developers and auditors alike.
Please describe your proposed solution and how it addresses the problem
CarthageX Safety Tool provides a single entry point:
Please define the positive impact your project will have on the wider Cardano community
CarthageX Safety Tool (CXST) will materially improve how Cardano teams build private-by-design apps on Midnight and the broader ecosystem. By giving developers a Midnight-native tester—static rules, LLM-guided fuzzing, selective-disclosure diffing, and CI-ready reports—we help projects catch privacy leaks and under-constrained logic before audits or launch, raising baseline quality and trust across the network —protecting user funds and boosting confidence in Cardano dApps.
Its Apache-licensed code, rule sets, and documentation will be open-sourced, inviting community contributions and enabling auditors, researchers, and tooling vendors to build on a shared security foundation. The result is a safer, faster-growing ecosystem where more teams can launch robust applications and attract greater TVL, ultimately strengthening Cardano’s position as the most reliable smart-contract platform.
What is your capability to deliver your project with high levels of trust and accountability? How do you intend to validate if your approach is feasible?
Our team combines 35+ years of expertise in software development, Blockchain, DevOps, QA, cloud, ZK, AI, Mobile and security from senior roles at Unity, BMW, Audi, Orange, Microsoft, and Amazon. This rare combination gives us a sharp edge in building a developer-first testing tool for the Cardano/Midnight ecosystem with enterprise track records. Delivery will be fully transparent through a public Apache-licensed GitHub repo, weekly releases, monthly Catalyst updates, external audits, and pilot dApps integration—ensuring accountability and high trust throughout the project lifecycle.
Milestone Title
Foundation & Static Analysis
Milestone Outputs
Public GitHub repo with governance files (README, CONTRIBUTING, CODE_OF_CONDUCT, SECURITY, LICENSE, CHANGELOG, CODEOWNERS), issue/PR templates, CI scaffold; CLI skeleton with cxst check; Compact+TypeScript parsers and a unified IR; Rule Catalog MX-101…106 (e.g., under-constraints, unbound nullifier, public/private data mixing, SDK/API drift); JSON/HTML reporters; example project; CI policy to fail on High/Critical findings. Designed Midnight-first (Compact DSL + selective disclosure).
Acceptance Criteria
On the example project, cxst check produces JSON/HTML with at least one valid finding; CI fails on ≥High severity via exit codes; seeded test suite shows ≥60% detection on injected static issues; docs explain set-up and policy gates; repo is public and CI runs automatically on PRs (shift-left posture per OWASP DevSecOps/CI-CD guidance).
Evidence of Completion
GitHub release v1.0-alpha with binaries (or install script), sample JSON/HTML artifacts, CI run URL showing a blocked merge on High severity, and a results table (TP/FP/FN) for the seeded suite in /docs. Provide repo URL and a short tree of key files; screenshots of Issue/PR template pickers. (Meets Catalyst “clear outputs + proof” expectation.)
Delivery Month
2
Cost
20000
Progress
20 %
Milestone Title
Disclosure-Diff Engine (privacy regression detection) & CI gating
Milestone Outputs
Engine to diff privacy-relevant signals across commits: public fields, proof size, emitted events, metadata; configurable baselines and thresholds; CI policy to fail on regression; docs with examples (how to whitelist intended changes, how to review diffs in PR). Built to reflect Midnight’s selective-disclosure model so teams detect privacy drift early in CI rather than post-audit
Acceptance Criteria
On a seeded disclosure-change suite, engine flags ≥95% deltas; CI blocks merges when thresholds are exceeded; false-positive rate measured and ≤ agreed target; developer can override only via documented, auditable policy exceptions; docs include PR reviewer checklist and sample diff.json schema. Alignment with “shift-left” CI/CD control points.
Evidence of Completion
Release v1.0-alpha2; demo PR that intentionally changes disclosure outputs and is blocked by CI with attached diff artifacts (machine-readable + Markdown summary); evaluation table (TP/FP/FN) for the seeded suite; short walkthrough video linked from /docs. (Meets Catalyst PoA style: artifact links + reproducible runs.)
Delivery Month
4
Cost
18000
Progress
20 %
Milestone Title
AI-Guided Fuzzer & Local Verifier
Milestone Outputs
_cxst fuzz _implements grammar-aware, LLM-guided sequence generation with reward signals for coverage, unique failing witnesses, and disclosure deltas; seed corpora; reproducible witness capture + triage; UX flags for time budgets; local proof verifier plug-in with well-documented API and one working implementation; perf baseline docs for small/medium sample circuits. Approach is informed by peer-reviewed LLM-guided fuzzing research (e.g., ChatAFL).
Acceptance Criteria
On reference projects, fuzzing yields ≥20% coverage lift vs baseline unit/integration tests; at least 3 unique failing witnesses captured across targets and reproducible with minimal scripts; local verifier median time ≤2s on sample circuits; graceful fallback when verifier unavailable; docs include example seeds and “how to interpret witnesses” guide
Evidence of Completion
Release v1.0-beta; coverage reports (before/after) per target with method notes; zipped witness artifacts + repro scripts; CI job showing scheduled fuzz runs that upload artifacts; verifier performance report with hardware specs; short demo video. (Artifacts and metrics suitable for Catalyst Proof of Achievement.)
Delivery Month
2
Cost
28000
Progress
30 %
Milestone Title
Compliance Mode v1 (GDPR Art. 5 mapping) + SBOM & signed rulepacks
Milestone Outputs
cxst check --compliance gdpr outputs a controls matrix mapped to GDPR Article 5 (lawfulness/fairness, purpose limitation, data minimisation, integrity/confidentiality) and generates a DISCLOSE.md for audits; GitHub Actions policy templates to fail on breaches; SBOM for each release per NTIA Minimum Elements (e.g., SPDX/CycloneDX), plus signed rulepacks with verification instructions.
Acceptance Criteria
Example repo runs the command and produces matrix + DISCLOSE.md; CI gate blocks merges on configured compliance failures; SBOM file ships with releases and passes basic validation; rulepacks can be signature-verified with a published public key; docs include step-by-step review and verification procedures for auditors and devs.
Evidence of Completion
Release v1.0-rc; committed example outputs; links to CI runs showing a failed merge due to a policy breach; SBOM file (e.g., sbom.spdx.json or CycloneDX) in the release plus signature & verify script; short guide mapping findings to GDPR Art. 5 with clause references. (Clear, linkable Proof of Achievement per Catalyst docs.)
Delivery Month
3
Cost
22000
Progress
20 %
Milestone Title
v1 GA Release + CXST-Bench v1 + 2 public case studies & adoption KPIs
Milestone Outputs
General-availability v1.0 release; CXST-Bench v1 with seeded under-constraints and measurement harness (precision/recall, coverage deltas); two public case studies with partner projects (methods, results, lessons); tutorials and onboarding videos; monthly adoption snapshot (e.g., external CI runs/week). This milestone packages all prior work for ecosystem scale-out and auditability.
Acceptance Criteria
On CXST-Bench: ≥80% detection of seeded under-constraints and sustained ≥20% coverage lift vs baseline; both case studies published with repo links and reproducible steps; tutorials available; a monthly KPI snapshot reports active CI usage. Materials are organized so reviewers can independently reproduce results (Catalyst PoA expectation).
Evidence of Completion
GitHub release v1.0 with binaries, SBOM, signatures; benchmark report (PDF/MD) and dataset; links to 2 case-study write-ups + example repos; video tutorials; a one-page “adoption & outcomes” summary (CI runs/week, issues opened/resolved). Provide all URLs in the PoA submission.
Delivery Month
2
Cost
12000
Progress
10 %
Please provide a cost breakdown of the proposed work and resources
Cost categories across the year sum to:
Personnel assumptions are benchmarked to reputable EU/Germany sources (e.g., Senior SWE Germany ~€93k/yr median; IT freelancers ~€91–104/hr, appropriate for senior, privacy/AI/testing work.
LLM/API spend is sized to official price cards (we right-size models by task to control cost).
CI minutes on public repos are free on GitHub-hosted runners, but we budget for artifact storage/retention and release tooling (e.g., signing, SBOM validation), which are billed per GitHub’s Actions billing model.
Compliance deliverables are grounded in GDPR Article 5 principles, and our software supply-chain posture follows the NTIA “Minimum Elements” for SBOM, keeping outputs auditor-friendly for teams and reviewers.
How does the cost of the project represent value for the Cardano ecosystem?
The CarthageX Safety Tool delivers exceptional value to the Cardano ecosystem by significantly reducing the risk, time, and cost associated with privacy-focused smart-contract development. By automating ZK-testing and catching critical vulnerabilities early, the tool saves developer-hours, accelerates dApp launches, and prevents costly privacy and security breaches. Given that a single smart-contract exploit can cost millions, the proactive identification of even one critical vulnerability easily justifies the project’s 100k ADA investment. Additionally, our transparent, open-source approach ensures the entire community benefits from continuous improvements, compounding long-term ecosystem value.
Terms and Conditions:
Yes
The CarthageX Labs founding team combines deep, complementary expertise across entrepreneurship, blockchain technology, AI systems, mobile development, cloud architecture, cybersecurity and digital identity.
Ahmed Amine Gargoura (Co-Founder)
→ Investor and entrepreneur with over 12 years of experience in software engineering. Formerly at Unity, BMW, and Audi, led high-performing teams delivering mission-critical software. Brings deep expertise in blockchain infrastructure, zero-knowledge systems, and decentralized finance.
→ LinkedIn: https://www.linkedin.com/in/aagargoura/
Oussama Chelly, Ph.D. (Co-Founder)
→ Entrepreneur and Cloud Architect with over 11 years of AI experience. Former Microsoftee and Amazonian. Led AI and cloud projects for 100+ companies, helping them design, develop, and deploy solutions on Azure and AWS.
→ LinkedIn: https://www.linkedin.com/in/oussamachelly/
Ahmed Bel Hadj (Co-Founder)
→ Entrepreneur and a Seasoned Mobile Architect with over 12 years experience and a track record of building apps that have reached millions of users globally. A mastery of native Android/iOS development, combined with a deep understanding of mobile security standards, decentralized identity frameworks and user-centric identity workflows.
→ LinkedIn: https://www.linkedin.com/in/ahmed-bel-hadj-a164b471/