Blog.

A trust gate's worst failure is the one that looks like success — a silent allow on a token nobody screened. The silent-allow bugs we caught in our own gate (one in our own published tutorial), the enforced fail-closed contract that prevents them now, and why composition with honest failure semantics plus signed verdicts beats a raw single-source call. We don't claim a secret detection edge — we're precise about what we do.

PaladinFi OFAC trust-check responses are Ed25519-signed, and now you can verify it yourself — pinned public key, the canonical-JSON contract, and copy-paste verifiers in Python and JavaScript at /docs/verify-responses. Plus an honest scope: what signing catches (in-transit tampering of the verdict) and what it doesn't (us-compromise, replay).

Two new evaluation paths for builders: anonymous OFAC SDN screen at /v1/trust-check/ofac (no signup, real data, rate-limited) and a free-tier API key at paladinfi.com/signup with 1,000 requests/month at zero cost across /v1/quote + /v1/trust-check. Plus a tour of the auth stack — IAM Postgres, SSM peppers, kill switch — and an honest list of what's deferred to v0.11.78a-followup.

Stop your Coinbase AgentKit agent from signing swaps against poisoned token addresses. Drop-in ActionProvider, ~8 lines, free preview mode on Base — OFAC + GoPlus + Etherscan source verification + anomaly heuristics. Includes the hard-coded-constants pre-sign safety guarantee and an honest limitations section.

What changed between the internal v0.2.0 candidate and the public v0.3.0 + v0.3.1 release: typed-domain digest, explicit chainId binding, multi-RPC quorum on the server, and seven other items the 3-adversary Security audit surfaced. Plus what we didn't ship and why.

The v0.11.71 swap-router defense-in-depth: outer router whitelist, outer selector allowlist, and inner-target decode + Settler validation. Why the third layer is what binds the first two to the actual swap implementation contract, what the security-review framing was, and how to verify the defense is live.

Section-by-section walk through the 2026-05-07 homepage rewrite — the failure-mode lede, JSON in both product cards, and the four operational-posture rows (refresh cadence, fail-closed contract, rate limits, custody) that name what most DeFi infra leaves unstated.

A complete walkthrough from claude mcp add through a signed USDC → WETH swap on Base. Covers the three MCP tools (swap_quote, trust_check_preview, swap_health), the non-custodial sign-and-submit handoff, and the design reasoning behind a deliberately small surface.

How v0.11.73 closes a silent-allow vector on the trust gate that existed across the v0.11.5x patch window, what the new schema looks like, and what agent code should retest.