PrimeVault FAQs
Policy, Governance and “What Gets Signed”
What is the Secure Policy Engine, and what does it do?

The Secure Policy Engine is the gatekeeper. It runs inside secure hardware and checks every request against your rules: roles and quorums, per-user and per-asset limits, rate limits and time windows, destination allow or deny lists, dApp or function controls, and contextual checks such as price or gas parameters. Only when a request passes these checks does the engine compile the exact raw blockchain transaction and allow it to be signed.

Will approvers actually see what they are approving?

Yes. Approvers see a clear summary of the action: destination, asset, amount, any fees or limits, and a decoded view for smart contract calls. They approve the intent from their phone. The enclave then compiles the exact on-chain payload that matches that intent. If anything would differ at sign time (for example, a parameter or a simulation result), the system refuses to sign and logs the discrepancy.

What happens if there is no matching policy for a requested action or asset?

If there is no rule, it does not go through. PrimeVault’s policy engine is fully deterministic. When multiple rules match, the engine resolves them in order of specificity. There are no “ambiguous” policies in the engine. Conflicts are either resolved by specificity or blocked at equal specificity until admins adjust the rules. All such attempts are logged, and you can require explicit configuration before any new assets, destinations, or workflows become eligible.

Can we create templates for policies and apply them at scale?

Yes. You can define policy templates that include roles, limits, quorums, allow lists, and dApp or trade permissions. Attach them when you create vaults in the UI or via API. This gives you consistent guardrails at scale and reduces configuration drift.
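
The resolution behaviour described in the "no matching policy" answer (block when nothing matches, most specific rule wins, block on a conflict at equal specificity) can be sketched as follows. This is an added example, not PrimeVault code: the rule fields, the rule names, and the definition of specificity as the number of non-wildcard fields are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

FIELDS = ("role", "asset", "destination")  # assumed request attributes

@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                        # "allow" or "deny"
    role: Optional[str] = None         # None = wildcard
    asset: Optional[str] = None
    destination: Optional[str] = None
    max_amount: Optional[int] = None   # per-request limit on allow rules

    def matches(self, req: dict) -> bool:
        return all(getattr(self, f) in (None, req[f]) for f in FIELDS)

    def specificity(self) -> int:
        # Assumption: specificity = number of non-wildcard fields.
        return sum(getattr(self, f) is not None for f in FIELDS)

def evaluate(rules, req):
    """Return (decision, reason); decision is 'allow' or 'block'."""
    matched = [r for r in rules if r.matches(req)]
    if not matched:
        return "block", "no matching policy"
    top = max(r.specificity() for r in matched)
    winners = [r for r in matched if r.specificity() == top]
    if len({r.effect for r in winners}) > 1:
        names = ", ".join(sorted(r.name for r in winners))
        return "block", f"conflict at equal specificity: {names}"
    if winners[0].effect == "deny":
        return "block", f"denied by {winners[0].name}"
    limits = [r.max_amount for r in winners if r.max_amount is not None]
    if limits and req["amount"] > min(limits):
        return "block", f"amount {req['amount']} exceeds limit {min(limits)}"
    return "allow", f"allowed by {winners[0].name}"

# Constructed sample rules (not real configuration).
RULES = [
    Rule("treasury-usdc", "allow", role="treasury", asset="USDC", max_amount=50_000),
    Rule("treasury-usdc-exchange-a", "allow", role="treasury", asset="USDC",
         destination="exchange-a", max_amount=250_000),
    Rule("ops-vendor", "allow", role="ops", destination="vendor-1"),
    Rule("freeze-eth-vendor", "deny", asset="ETH", destination="vendor-1"),
]

if __name__ == "__main__":
    print(evaluate(RULES, {"role": "ops", "asset": "ETH", "destination": "vendor-1", "amount": 5}))
```

Every outcome is a function of the rule set and the request alone, so the same request always yields the same decision and the reason string can be written to the audit log as-is.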