Inspiration

Every AI company in 2026 faces the same structural tension. The European Union AI Act requires demonstrable audit trails of training data compliance. Regulators want visibility. Companies cannot afford exposure. The existing answer (upload your dataset to a third-party compliance vendor) creates IP liability, GDPR risk, and a single point of trust that contradicts the zero-trust architecture regulators increasingly demand.

We asked: what if compliance attestation were a cryptographic primitive instead of a legal opinion? What if you could prove what scans you ran, on which dataset, with which results, without uploading a single byte?

What it does

Omega is a zero-knowledge compliance attestation platform built on Midnight Network. An organization uploads a dataset locally. A scanner engine runs heuristic compliance checks (PII detection, copyright markers, bias scoring, diversity metrics, license verification, consent metadata, PHI detection, and governance flags) entirely within the browser. The dataset never leaves the machine.

The scan results are cryptographically bound to the dataset's SHA-256 hash inside a Compact zero-knowledge circuit. A ZK proof is published to the Midnight ledger. The original data remains private by construction. No one (not the verifier, not the network, not the proof server) ever sees the dataset.

Selective disclosure tokens allow the compliance owner to reveal specific bundles to specific verifiers. A European regulator receives only the GDPR attestation. A healthcare partner receives only HIPAA. A licensing partner receives only Copyright. Tokens carry expiry and can be revoked. Scope is subset-enforced by the ZK circuit itself, not by application logic.
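
An added sketch, not Omega's SDK or its Compact circuit: the subset rule for disclosure scope, together with expiry and revocation, modelled in plain TypeScript. The bit assignments, type names and function names are assumptions, and revocation is modelled on the attestation record for simplicity.

```typescript
import { createHash } from "node:crypto";

// Hypothetical bit assignments for the four frameworks named on the page.
const Bundle = { GDPR: 1, EU_AI_ACT: 2, COPYRIGHT: 4, HIPAA: 8 } as const;

interface Attestation { datasetHash: string; passedMask: number; revoked: boolean }
interface Token { datasetHash: string; verifier: string; scope: number; expiresAt: number }

const sha256Hex = (data: string | Uint8Array): string =>
  createHash("sha256").update(data).digest("hex");

// Bind the scan outcome to the dataset: only the hash and the mask of passed
// bundles are kept, never the dataset bytes.
function attest(dataset: string | Uint8Array, passedMask: number): Attestation {
  return { datasetHash: sha256Hex(dataset), passedMask, revoked: false };
}

// Issuance fails unless the requested scope is a non-empty subset of the attested mask.
function issueToken(a: Attestation, verifier: string, scope: number, expiresAt: number): Token {
  if (a.revoked) throw new Error("attestation revoked");
  if (scope === 0 || (scope & ~a.passedMask) !== 0) throw new Error("scope exceeds attested bundles");
  return { datasetHash: a.datasetHash, verifier, scope, expiresAt };
}

type Verdict = "ok" | "wrong-dataset" | "revoked" | "expired" | "out-of-scope";

// Verifier-side check for one bundle at time `now` (seconds since epoch).
function verify(a: Attestation, t: Token, bundle: number, now: number): Verdict {
  if (t.datasetHash !== a.datasetHash) return "wrong-dataset";
  if (a.revoked) return "revoked";
  if (now >= t.expiresAt) return "expired";
  // Re-check against the attestation so a token with a widened scope gains nothing.
  if ((t.scope & a.passedMask & bundle) !== bundle) return "out-of-scope";
  return "ok";
}

// Constructed sample: a dataset whose scan passed the GDPR and Copyright bundles only.
const sample = attest("constructed sample dataset", Bundle.GDPR | Bundle.COPYRIGHT);
const euToken = issueToken(sample, "eu-regulator", Bundle.GDPR, 2000);
console.log(verify(sample, euToken, Bundle.GDPR, 1000));
console.log(verify(sample, euToken, Bundle.COPYRIGHT, 1000));
```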

Four compliance frameworks are covered: GDPR, EU AI Act, Copyright, and HIPAA. Each is backed by an independent ZK circuit. Eight circuits in total across the contract.

How we built it

The smart contract is written in Compact, Midnight's zero-knowledge DSL. Eight circuits: four for the attestation lifecycle (submit, issue token, verify, revoke) and four bundle circuits that independently attest to GDPR, EU AI Act, Copyright, and HIPAA compliance. All circuits are compiled to ZK intermediate representation with prover and verifier keys.

The TypeScript SDK wraps the contract adapter, the local scanner engine, cryptographic hashing, bundle mask logic, timestamp anchoring via the Midnight indexer, and dataset lineage chain building. The scanner is regex-based and heuristic; it is not regulator-certified, and the platform's claims boundary is explicit about this.

The frontend is built with React and Vite, rendering six routes: Home, Submit, Dashboard, Verify, Explorer, and Onboarding. It uses Midnight's DApp connector API for wallet interaction, the 1AM Wallet browser extension for identity, and a custom design system with sharp corners, mono typography for cryptographic data, and blue reserved exclusively for verified states. The complete pipeline (submit attestation, issue disclosure token, verify, revoke) passes end-to-end in integration tests against the same contract adapter that runs on-chain.

Challenges we ran into

Deploying to Midnight Preprod exposed a persistent infrastructure-level issue: the wallet SDK's state synchronization requires a functioning RPC WebSocket connection, and Preprod's RPC endpoint consistently rejected WebSocket connections from our environment with an abnormal closure. The HTTP endpoints (node, indexer, proof server) were all healthy. The WebSocket alone failed. This blocked live contract deployment through twelve separate attempts across four SDK version configurations.

Fixing this required upgrading four wallet SDK packages across major versions: facade from 3.0.0 to 4.0.0, shielded from 2.1.0 to 3.0.0, unshielded from 2.1.0 to 3.0.0, and dust from 3.0.0 to 4.0.0. Each upgrade broke imports and type contracts. A DustParameters version mismatch between the root ledger and the dust wallet's bundled ledger required pinning the exact same version across all packages. The InMemoryTransactionHistoryStorage export moved between packages. An RxJS filter in the deployment script waited indefinitely for a synced state that never arrived, requiring a timeout fallback.

The integration test adapter fell out of sync with the contract's new bundle parameter list when the four sub-circuits were added. Seven new boolean parameters (consent metadata, data minimization, human oversight, fair use check, PHI detection, de-identification, minimum necessary) shifted every downstream parameter index. Both the integration test and the unit test needed their call-site indices rebuilt.

We attempted switching to Blockfrost as an alternative RPC provider but encountered a service-wide Cloudflare 525 outage across all their Midnight Preprod endpoints.

Accomplishments that we're proud of

All eight ZK circuits compile and generate valid prover and verifier keys. The full compliance pipeline (submit, issue token, verify, revoke) passes end-to-end with eight out of eight integration and unit tests green. The frontend builds to a production bundle with the complete six-page OMEGA design system.

The documentation was rewritten to industry standard: a formal README framing the product around the EU AI Act market, a complete setup and deployment guide with current SDK version tables and workflow validation steps, and a clean five-step quick start.

Every broken import, every version mismatch, every infinite hang in the deployment pipeline was identified and fixed. The codebase compiles, the tests pass, and the product is real. What remains is infrastructure access.

What we learned

Midnight's dual-state architecture is genuinely unique. The separation between private local state and public ledger state is not a wrapper; it is a structural property of the network. This is what makes Omega possible. Compliance scans run in local state. Proofs are published to the ledger. At no architectural point do the two states intersect.

The Midnight developer toolchain (Compact compiler, proof server, wallet SDK, indexer) is mature enough to build a production-grade application, but the deployment pipeline is sensitive to RPC endpoint availability. A project this serious needs a reliable WebSocket path to the network. For hackathon validation, the integration test suite with an in-memory adapter is sufficient to prove correctness. For production, the infrastructure needs to be there.

Selective disclosure as a circuit-level primitive, not an application-layer permission, is the right abstraction for regulated industries. Regulators do not want access controls. They want cryptographic guarantees.

What's next for Omega

Contract deployment to Midnight Preprod is the immediate next step. The contract, SDK, and frontend are ready. The deployment script is instrumented. As soon as a reliable RPC WebSocket endpoint is available, either through Midnight's official infrastructure or through a provider like Blockfrost, deployment is a single command.

Post-deployment, the priority is an end-to-end live flow: submit a real attestation with the local scanner, issue a verifier-scoped disclosure token, verify the token as an auditor, revoke the record, and confirm revocation enforcement. This will be captured as the product demo.

Longer-term: hardware-attested scanner integration via TEE for regulator-grade confidence, a dedicated regulator portal for streamlined auditor workflows, automated token renewal for ongoing compliance relationships, and dataset lineage chains that allow verifiers to walk the provenance graph when one dataset derives from another.

Omega is the foundation for compliance-as-a-service on Midnight Network. The cryptographic attestation primitive is built. The rest is distribution.

Built With

  • compact
  • midnight