https://docs.sankofa.foundation/overview/Recent content in Overview on Sankofa Engine DocumentationHugoenhttps://docs.sankofa.foundation/overview/introduction/Mon, 01 Jan 0001 00:00:00 +0000https://docs.sankofa.foundation/overview/introduction/<h2 id="what-is-sankofa-engine">What is Sankofa Engine</h2> <p>Sankofa Engine is a <strong>sharded, privacy-preserving financial ledger engine</strong> purpose-built for digital assets. It delivers cryptographically auditable transaction processing with zero-knowledge proof capabilities, enabling organizations to operate compliant, high-throughput ledger infrastructure without exposing sensitive financial data.</p> <p>Traditional ledger systems force a choice between transparency and privacy. Sankofa Engine eliminates that trade-off: every transaction is recorded in a tamper-evident hash chain and signed with a cryptographic receipt, while encrypted balances and ZKP assertions ensure that only authorized parties can observe account state.</p>https://docs.sankofa.foundation/overview/architecture/Mon, 01 Jan 0001 00:00:00 +0000https://docs.sankofa.foundation/overview/architecture/<h2 id="architectural-style">Architectural Style</h2> <p>Sankofa Engine follows <strong>Hexagonal Architecture</strong> (Ports &amp; Adapters) combined with <strong>Domain-Driven Design</strong> (DDD). This separation ensures the business logic remains independent of infrastructure concerns and can be tested, reviewed, and evolved without touching database drivers, message brokers, or HTTP frameworks.</p> <p>The codebase is organized into four layers:</p> <table> <thead> <tr> <th>Layer</th> <th>Path</th> <th>Responsibility</th> </tr> </thead> <tbody> <tr> <td><strong>Domain Core</strong></td> <td><code>internal/core/</code></td> <td>Pure business logic and domain models. Zero infrastructure dependencies.</td> </tr> <tr> <td><strong>Ports</strong></td> <td><code>internal/core/port/</code></td> <td>Go interfaces that define contracts between the domain and the outside world (e.g., <code>LedgerRepository</code>, <code>EventPublisher</code>).</td> </tr> <tr> <td><strong>Adapters</strong></td> <td><code>internal/adapter/</code></td> <td>Concrete implementations of ports — ScyllaDB repositories, NATS publishers, OpenBao key providers, etc.</td> </tr> <tr> <td><strong>Services</strong></td> <td><code>internal/service/</code></td> <td>Application services that orchestrate domain operations, coordinate across ports, and enforce transaction boundaries.</td> </tr> </tbody> </table> <p>Dependencies always point inward: adapters depend on ports, ports depend on domain types, and the domain core depends on nothing external.</p>https://docs.sankofa.foundation/overview/services/Mon, 01 Jan 0001 00:00:00 +0000https://docs.sankofa.foundation/overview/services/<p>Sankofa Engine is composed of seven microservices plus a shared health-check contract. Each service is independently deployable and communicates with other services exclusively through NATS JetStream.</p> <h2 id="api-gateway">API Gateway</h2> <table> <thead> <tr> <th>Property</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td><strong>Port</strong></td> <td>8080 (HTTP) / 9090 (health)</td> </tr> <tr> <td><strong>Replicas</strong></td> <td>2 + HPA</td> </tr> <tr> <td><strong>Dependencies</strong></td> <td>NATS</td> </tr> </tbody> </table> <p>The API Gateway is the public REST API entry point for all client interactions with the Sankofa Engine.</p> <p><strong>Key Responsibilities:</strong></p> <ul> <li>Request validation against JSON schemas</li> <li>JWT authentication and ECDSA request signature verification</li> <li>RBAC policy enforcement via Casbin</li> <li>Rate limiting per tenant and per endpoint</li> <li>FNV-1a shard routing — deterministically maps <code>account_id</code> to the correct shard subject</li> <li>NATS RPC proxying — publishes validated requests to JetStream and returns signed receipts to callers</li> </ul> <h2 id="shard-worker">Shard Worker</h2> <table> <thead> <tr> <th>Property</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td><strong>Port</strong></td> <td>9090 (health only)</td> </tr> <tr> <td><strong>Replicas</strong></td> <td>3 + HPA</td> </tr> <tr> <td><strong>Dependencies</strong></td> <td>NATS, ScyllaDB, OpenBao</td> </tr> </tbody> </table> <p>Shard Workers are the core transaction-processing units. Each worker is assigned one or more shards by the Shard Orchestrator and processes all transactions routed to those shards.</p>https://docs.sankofa.foundation/overview/security/Mon, 01 Jan 0001 00:00:00 +0000https://docs.sankofa.foundation/overview/security/<p>The Sankofa Engine implements defense-in-depth security across authentication, authorization, encryption, and audit logging. This page provides a high-level overview — for detailed documentation, see the <a href="https://docs.sankofa.foundation/security/">Security &amp; Compliance</a> section.</p> <h2 id="security-architecture-summary">Security Architecture Summary</h2> <table> <thead> <tr> <th>Layer</th> <th>Implementation</th> </tr> </thead> <tbody> <tr> <td><strong>Authentication</strong></td> <td>JWT tokens via API key exchange, ECDSA P-256 transaction signing for self-custody</td> </tr> <tr> <td><strong>Authorization</strong></td> <td>Casbin v2 RBAC with policy-based access control</td> </tr> <tr> <td><strong>Encryption at Rest</strong></td> <td>AES-GCM-256 envelope encryption with KMS-derived keys</td> </tr> <tr> <td><strong>Encryption in Transit</strong></td> <td>mTLS between services, TLS for client connections</td> </tr> <tr> <td><strong>Audit Trail</strong></td> <td>SHA-256 hash chains per account, ECDSA P-256 signed receipts</td> </tr> <tr> <td><strong>Key Management</strong></td> <td>OpenBao (Vault fork) transit backend, AWS KMS support</td> </tr> <tr> <td><strong>Infrastructure</strong></td> <td>Kubernetes namespace isolation, network policies, secret scoping</td> </tr> </tbody> </table> <h2 id="detailed-documentation">Detailed Documentation</h2> <ul> <li><a href="https://docs.sankofa.foundation/security/controls/">Security Controls</a> — SOC 2 Trust Service Criteria mapping</li> <li><a href="https://docs.sankofa.foundation/security/encryption/">Encryption</a> — Encryption at rest, in transit, and key management</li> <li><a href="https://docs.sankofa.foundation/security/access-control/">Access Control</a> — Authentication, authorization, and infrastructure access</li> <li><a href="https://docs.sankofa.foundation/security/audit-logging/">Audit Logging</a> — Hash chains, signed receipts, and event retention</li> <li><a href="https://docs.sankofa.foundation/security/data-residency/">Data Residency</a> — Storage tiers, retention policies, and archival</li> </ul>