tendr.bid
Live on Solana devnet · End-to-end private RFP procurement

Procurement,
sealed.

End-to-end private RFP procurement on Solana. Bid contents sit encrypted on MagicBlock’s TEE-backed Private Ephemeral Rollup — sealed from everyone, including the buyer, until the bid window closes. Anonymous-buyer + anonymous-bidder modes route through Cloak’s shielded UTXO pool — same shielded path also funds USDC into per-milestone escrow with on-chain unlock rules (delivery + review windows, dispute cool-off, late-cancel refunds). One keychain signature per session powers every ephemeral you’ll need across both roles. Free SNS .tendr.sol identity per user, and a private QVAC AI sidecar for drafting + comparing bids without any closed AI provider in the loop.

Sealed bids on MagicBlock

X25519 ECDH + XChaCha20-Poly1305 envelopes encrypted to buyer + bidder, written to a TEE-backed Private Ephemeral Rollup. The on-chain time gate refuses to flip the read permission until bid_close_at.

Anonymous wallets + escrow via Cloak

Anonymous-buyer + anonymous-bidder modes fund HD-derived ephemerals through Cloak's shielded UTXO pool. Same shielded path funds USDC into per-milestone escrow — on-chain unlock rules (delivery + review windows, dispute cool-off, late-cancel refunds) gate every release.

Seamless keychain

One signature per session unlocks every ephemeral role you'll touch — buyer, bidder, funding, refund, payout. Cross-tab sync, instant per-action signing. Optimised for flow, not for re-prompting on every click.

Recognizable identity via SNS

Free <handle>.tendr.sol per user — surfaces everywhere a wallet appears (leaderboard, profiles, RFP cards, OG share-cards). Privacy-safe: never resolves ephemeral signers, never expands the public-identity surface.

Private AI on QVAC

Draft RFPs, draft bids, compare decrypted bids — all on a self-hosted QVAC sidecar running an open-weight model. Browser → sidecar direct; no closed AI provider, no Tendr backend in the prompt path.

Claim reputation when ready

Anonymous-mode activity accrues to the ephemeral's reputation PDA. After the project completes, one ix merges every counter — wins, completed projects, USDC totals — into your main wallet's public rep. Idempotent, on your terms.

The flow

Privacy is the mechanism, not a feature.

Five steps, every one cryptographically enforced. Every claim below maps to a real on-chain instruction running on devnet.

  1. 01

    Post an RFP

    Buyer creates a request with scope, budget range, and a reveal window. Picks bidder + buyer privacy axes independently — anonymous-buyer mode signs the RFP itself with an HD-derived ephemeral funded via Cloak's shielded pool.

    rfp_create
  2. 02

    Providers commit

    Each bid is XChaCha20-Poly1305 encrypted to buyer + bidder, then chunked onto a delegated BidCommit account on MagicBlock's Private Ephemeral Rollup. Anonymous-bidder mode signs with an HD-derived bidder ephemeral funded via Cloak — both ephemerals derive from one master signature per session.

    commit_bid_init → delegate_bid → write_bid_chunk → finalize_bid
  3. 03

    Reveal opens

    Past bid_close_at, anyone can call open_reveal_window. The on-chain time gate flips the TEE permission set to add the buyer; the validator starts serving envelope reads to the buyer's wallet.

    rfp_close_bidding → open_reveal_window
  4. 04

    Select & pay

    Buyer decrypts every bid in-browser, picks a winner, and locks USDC into per-milestone escrow. Each release fires on-chain when the buyer accepts the deliverable, with a built-in dispute cool-off + matching-split flow.

    select_bid → fund_project → accept_milestone
  5. 05

    Claim reputation

    Activity in private modes accrues to the ephemeral's rep PDA. After the project completes, one ix merges every counter — wins, completed projects, USDC totals — into your main wallet's public rep. Idempotent, gated to status Completed, surfaced as inline CTAs on the dashboard.

    attest_buyer_history · attest_win
Shielded UTXO Pool
by

HD-derived ephemerals + USDC milestone escrow funded through Cloak — anonymous end-to-end.

Private Ephemeral Rollup
by

Bid contents stay sealed even from the buyer until the reveal window opens.

On-Chain Identity
by

Free <handle>.tendr.sol per user - recognizable identity reputation accrues to.

Private AI Inference
by

Bid drafting + comparison run on QVAC, never on closed AI providers.

RPC Infrastructure
by

Low-latency Solana RPC powers every on-chain read, write, and reveal.

See it run on devnet.

Connect a wallet, browse an open RFP, and submit a sealed bid. Plaintext stays in your browser; the commit goes on-chain.

Browse RFPsRead the docsSource