@@ -216,7 +216,7 @@ export function Example() {
Sign up
-
diff --git a/src/pages/learn/tempo/privacy.mdx b/src/pages/learn/tempo/privacy.mdx
index 256ef729..d750f3ff 100644
--- a/src/pages/learn/tempo/privacy.mdx
+++ b/src/pages/learn/tempo/privacy.mdx
@@ -29,15 +29,25 @@ When available, private tokens will enable:
All of this is achieved while preserving the compliance features that make stablecoins viable in regulated markets. Issuers will be able to maintain the ability to monitor, report, and enforce policies as required by regulation.
-## Coming Soon
+## Zones: Private Validium Chains
-The native private token standard is currently in development and will be available in a future release. This feature is being designed in close partnership with regulated stablecoin issuers to ensure it meets both privacy needs and regulatory requirements.
+Tempo has built-in support for privacy through [zones](/protocol/zones/overview) — native validium chains anchored to Tempo. Instead of being visible to the entire world, balances and transactions on zones are only visible to the zone sequencer, the users involved, and anyone they choose to selectively disclose to.
-If you're interested in private payment flows and want to explore how privacy features can benefit your use case, reach out to our team.
-
-## Help design this feature
+Read the full technical specification:
+
+
+ Z1["Zone 1 USDX, USDY"]
+ TE --> Z2["Zone 2 pathUSD, ..."]
+ end
+`} />
+
+The sequencer runs a Tempo node with one or more zone nodes attached. Each zone node:
+
+- Synchronizes the zone's view of Tempo Mainnet each time a Tempo Mainnet block finalizes
+- Executes zone transactions using privately submitted transactions and the zone's own state
+- Produces batches proving state transitions on the zone and posts them to Tempo Mainnet
+- Watches for deposits by monitoring portal events on Tempo Mainnet, and creates corresponding transactions on the zone once the block finalizes
+- Watches for withdrawals on the zone and submits transactions to Tempo Mainnet processing them once the batch has been proven
+
+
+## Contract Architecture
+
+The system consists of contracts on both Tempo Mainnet and within each Tempo Zone.
+
+ ZI["ZoneInbox (deposits)"]
+ ZO["ZoneOutbox (withdrawals)"] -- "withdrawals" --> ZP
+
+ subgraph TEMPO["Tempo Mainnet"]
+ ZF["ZoneFactory (deploys)"]
+ ZP
+ ZM["ZoneMessenger (callbacks)"]
+ end
+ subgraph ZONE["Zone"]
+ TS["TempoState (Tempo Mainnet view)"]
+ ZI
+ ZO
+ end
+`} />
+
+### Tempo Contracts
+
+- **`ZoneFactory`** deploys new Tempo Zones. Each zone gets its own portal and messenger contracts with deterministic addresses.
+- **`ZonePortal`** is the central bridge contract. It locks all deposited tokens, verifies validity proofs, and processes withdrawals. The portal maintains the authoritative state: which deposits have been made, which batches have been proven, and which withdrawals are pending.
+- **`ZoneMessenger`** handles withdrawals that include callbacks. When a user wants to withdraw tokens and trigger a contract call atomically, the messenger executes both operations together. If the callback fails, the entire withdrawal reverts and funds bounce back to the zone.
+
+### Zone Predeploys
+
+Tempo Zones have four system contract predeploys at fixed addresses:
+
+| Contract | Address | Purpose |
+|----------|---------|---------|
+| `TempoState` | `0x1c00...0000` | Stores the zone's view of Tempo Mainnet. The sequencer updates this with Tempo Mainnet block headers, allowing zone contracts to read Tempo Mainnet state within proofs. |
+| `ZoneInbox` | `0x1c00...0001` | Processes incoming deposits. Mints tokens to recipients and validates that processed deposits match what the portal expects. |
+| `ZoneOutbox` | `0x1c00...0002` | Handles withdrawal requests. Users burn their zone tokens here and specify a Tempo Mainnet recipient. |
+| `ZoneConfig` | `0x1c00...0003` | Central configuration. Reads sequencer and token registry from Tempo Mainnet. |
+
+## Creating a Zone
+
+Tempo Zones are created through the `ZoneFactory`:
+
+1. Choose a TIP-20 token to serve as the zone's initial asset.
+2. Select a verifier contract (ZK prover or TEE attestor).
+3. Designate a sequencer address.
+4. Call `ZoneFactory.createZone()` with these parameters.
+
+The factory deploys a new `ZonePortal` and `ZoneMessenger` for the Tempo Zone. The zone itself runs as a separate chain with the system contracts deployed at genesis. The sequencer can enable additional TIP-20 tokens at any time via `ZonePortal.enableToken()`.
+
+### Chain ID
+
+Each Tempo Zone has a unique EIP-155 chain ID derived deterministically from its on-chain zone ID:
+
+```
+chain_id = 421700000 + zone_id
+```
+
+The prefix `4217` corresponds to the Tempo Mainnet chain ID. This ensures replay protection between Tempo Zones. A transaction signed for one zone cannot be replayed on another.
+
+## Sequencer Transfer
+
+The sequencer can transfer control to a new address via a two-step process on Tempo Mainnet:
+
+1. Current sequencer calls `ZonePortal.transferSequencer(newSequencer)` to nominate a new sequencer.
+2. New sequencer calls `ZonePortal.acceptSequencer()` to accept the transfer.
+
+Sequencer management happens on Tempo Mainnet. Zone-side system contracts read the sequencer from Tempo Mainnet via `ZoneConfig`, which queries `TempoState` to get the sequencer address from the finalized `ZonePortal` storage.
+
+## Trust Model
+
+Tempo Zones make explicit tradeoffs between trust and performance:
+
+| What You Trust | What Could Go Wrong |
+|---|---|
+| Sequencer for liveness | The Tempo Zone halts if the sequencer stops. |
+| Sequencer for inclusion and ordering | Transactions (including withdrawals) can be excluded or reordered. |
+| Sequencer for privacy | The sequencer can see all transactions on the Tempo Zone. |
+| Sequencer for data | Reconstructing the state of the Tempo Zone without the sequencer is impossible. |
+| Sequencer + verifier for correctness | If a critical safety bug exists in the verifier or proving system, and the sequencer is malicious, they could exploit it to steal funds. |
+
+The sequencer cannot steal funds or forge state transitions. Validity proofs prevent this. However, the sequencer can halt the zone entirely, censor specific users, or reorder transactions for MEV.
+
+Failed withdrawals always bounce back to the zone `fallbackRecipient`, ensuring users retain their funds. TIP-403 policy changes or token pauses on Tempo Mainnet will cause affected withdrawals to bounce back rather than block the queue.
diff --git a/src/pages/protocol/zones/bridging.mdx b/src/pages/protocol/zones/bridging.mdx
new file mode 100644
index 00000000..9ae73502
--- /dev/null
+++ b/src/pages/protocol/zones/bridging.mdx
@@ -0,0 +1,97 @@
+---
+title: Zone Bridging
+description: Deposit and withdraw TIP-20 tokens between Tempo Mainnet and Tempo Zones, including encrypted deposits and composable withdrawal callbacks.
+---
+
+# Zone Bridging
+
+:::info
+Tempo Zones is still in early development and is available for testing purposes on Tempo Testnet only. While Tempo Zones are in this stage, expect breaking changes to the design and implementation. Do not use this in production. If you're interested in working with Tempo Labs as a design partner on the development of Tempo Zones, reach out to us at [zones@tempo.xyz](mailto:zones@tempo.xyz).
+:::
+
+Tempo Zones use Tempo-centric bridging for cross-chain operations: deposits flow from Tempo into a zone, and withdrawals flow from a zone back to Tempo with optional callbacks for composability.
+
+
+
+Above is an example of the type of complex transaction that can remain privacy-preserving via Tempo Zones, while performing operations such as bridging, deposits & sends, and withdrawals. Learn more about [encrypted deposits](#encrypted-deposits) and [verifiable withdrawals](#verifiable-withdrawals) below.
+
+## Deposits (Tempo → Zone)
+
+1. User calls `ZonePortal.deposit(token, to, amount, memo)` on Tempo, specifying which enabled TIP-20 to deposit.
+2. The portal validates the token is enabled and deposits are active, deducts the [deposit fee](/protocol/zones/execution#deposit-fees), holds the locked funds, and appends a deposit to the queue.
+3. The sequencer observes `DepositMade` events and processes deposits in order via `ZoneInbox.advanceTempo()`, minting the corresponding zone-side TIP-20 to the recipient.
+4. A batch proof must prove the zone correctly processed deposits by validating the Tempo state read inside the proof.
+
+
+### Encrypted Deposits
+
+For privacy-sensitive use cases, users can make encrypted deposits where the recipient and memo are encrypted using the sequencer's public key. Only the sequencer can decrypt and credit the correct recipient on the zone.
+
+**What's public vs. private:**
+
+| Field | Visibility | Reason |
+|-------|------------|--------|
+| `token` | Public | Needed for locked token accounting |
+| `sender` | Public | Needed for potential refunds if decryption fails |
+| `amount` | Public | Needed for on-chain accounting |
+| `to` | Encrypted | Only sequencer knows recipient |
+| `memo` | Encrypted | Only sequencer knows payment context |
+
+The encryption uses ECIES with secp256k1:
+
+1. Sequencer publishes a secp256k1 encryption public key via `setSequencerEncryptionKey()` with a proof of possession.
+2. User generates an ephemeral keypair and derives a shared secret via ECDH.
+3. User encrypts `(to || memo)` with AES-256-GCM using the derived key.
+4. User calls `depositEncrypted(token, amount, keyIndex, encryptedPayload)` on the portal.
+
+If decryption fails (invalid ciphertext, wrong key), the zone mints tokens to the `sender`'s address on the zone. The Tempo Mainnet funds remain locked in the portal. This ensures chain progress is never blocked by invalid encrypted deposits.
+
+
+## Withdrawals (Zone → Tempo)
+
+Users withdraw by creating a withdrawal request on the zone. Withdrawals are processed in two steps:
+
+1. **Batch submission.** The sequencer calls `finalizeWithdrawalBatch()` at the end of the final block in a batch. This constructs the withdrawal hash chain and writes the `withdrawalQueueHash` and `withdrawalBatchIndex` to state. The proof validates this state and adds withdrawals to Tempo's queue.
+2. **Withdrawal processing.** The sequencer calls `processWithdrawal()` on Tempo to process withdrawals from the queue's oldest slot.
+
+### Composable Withdrawals
+
+Withdrawals support callbacks to Tempo contracts via the `ZoneMessenger`. When `gasLimit > 0`, the messenger:
+
+1. Transfers tokens from the portal to the target via `transferFrom`.
+2. Calls the target with the provided `callbackData`.
+
+Both operations are atomic. If the callback reverts, the transfer reverts too. Receiving contracts implement `IWithdrawalReceiver` and verify `msg.sender == zoneMessenger` to authenticate calls. This enables direct composition with DEX swaps, staking, or cross-zone deposits.
+
+```solidity
+interface IWithdrawalReceiver {
+ function onWithdrawalReceived(
+ bytes32 senderTag,
+ address token,
+ uint128 amount,
+ bytes calldata callbackData
+ ) external returns (bytes4);
+}
+```
+
+### Withdrawal Failure and Bounce-Back
+
+Withdrawals can fail if the token transfer or callback reverts (out of gas, TIP-403 policy, token pause, etc.). When a withdrawal fails, the portal bounces back the funds by re-depositing into the same zone to the withdrawal's `fallbackRecipient`:
+
+- The withdrawal is **popped unconditionally** from the queue, even on failure.
+- A new deposit is enqueued for the `fallbackRecipient` on the zone.
+- The sequencer keeps the processing fee regardless of success or failure.
+
+This ensures failed withdrawals never block the queue and users always retain their funds.
+
+### Verifiable Withdrawals
+
+Zone transactions are private: transaction data is not published on Tempo Mainnet. To protect sender privacy during withdrawal processing on Tempo Mainnet, the plaintext `sender` is replaced with a commitment:
+
+```
+senderTag = keccak256(abi.encodePacked(sender, txHash))
+```
+
+The `txHash` acts as a blinding factor known only to the sender and sequencer. The sender can selectively disclose their identity by revealing `txHash` to any party, who verifies it against the `senderTag`.
+
+For automated disclosure, the sender can specify a `revealTo` public key. The sequencer encrypts `(sender, txHash)` to that key using ECDH, populating the `encryptedSender` field in the Tempo Mainnet-facing withdrawal struct. This enables cross-zone transfers where the destination zone's sequencer can automatically attribute incoming deposits.
diff --git a/src/pages/protocol/zones/execution.mdx b/src/pages/protocol/zones/execution.mdx
new file mode 100644
index 00000000..febf2e1a
--- /dev/null
+++ b/src/pages/protocol/zones/execution.mdx
@@ -0,0 +1,68 @@
+---
+title: Execution & Gas
+description: Specification for gas accounting, fee tokens, fixed TIP-20 gas costs, contract creation limits, and token management on Tempo Zones.
+---
+
+# Execution & Gas
+
+:::info
+Tempo Zones is still in early development and is available for testing purposes on Tempo Testnet only. While Tempo Zones are in this stage, expect breaking changes to the design and implementation. Do not use this in production. If you're interested in working with Tempo Labs as a design partner on the development of Tempo Zones, reach out to us at [zones@tempo.xyz](mailto:zones@tempo.xyz).
+:::
+
+This page specifies how Tempo Zones handle gas accounting, fee collection, and token management. For deposit and withdrawal flows, see the [bridging specification](/protocol/zones/bridging). For balance visibility and access control rules, see the [accounts specification](/protocol/zones/accounts).
+
+## Fee Tokens
+
+Tempo Zones reuse Tempo fee units and gas accounting. Each transaction includes a `feeToken` field. Any enabled TIP-20 token with USD currency is valid for gas payment. The sequencer accepts all enabled tokens directly, so no Fee AMM is needed.
+
+## Deposit Fees
+
+Deposits charge a fixed processing fee in the deposited token:
+
+```
+fee = FIXED_DEPOSIT_GAS × zoneGasRate
+```
+
+`FIXED_DEPOSIT_GAS` is fixed at 100,000 gas. The sequencer configures `zoneGasRate` through `ZonePortal.setZoneGasRate()`. The fee is deducted from the deposit amount and paid to the sequencer on Tempo Mainnet.
+
+## Withdrawal Fees
+
+Withdrawals charge a processing fee in the withdrawn token:
+
+```
+fee = gasLimit × tempoGasRate
+```
+
+The user specifies `gasLimit` to cover processing and any callback execution. The sequencer configures `tempoGasRate` through `ZoneOutbox.setTempoGasRate()`.
+
+## Fixed Gas Costs
+
+All user-facing TIP-20 transfer and approval operations cost exactly 100,000 gas. This removes gas-based information leaks tied to storage state. On a standard EVM chain, gas varies based on whether a transfer writes to a previously empty storage slot, revealing whether the recipient has received tokens before. Fixed costs eliminate that side channel.
+
+| Function | Gas Cost |
+|----------|----------|
+| `transfer(to, amount)` | 100,000 |
+| `transferFrom(from, to, amount)` | 100,000 |
+| `transferWithMemo(to, amount, memo)` | 100,000 |
+| `transferFromWithMemo(from, to, amount, memo)` | 100,000 |
+| `approve(spender, amount)` | 100,000 |
+
+System functions (`systemTransferFrom`, `transferFeePreTx`, `transferFeePostTx`) retain standard gas costs. Only restricted system callers can invoke them, so the gas side channel does not apply.
+
+## Contract Creation Disabled
+
+Tempo Zones currently disable the `CREATE` and `CREATE2` opcodes. Each Tempo Zone runs a fixed set of system contracts and predeploys. Any transaction that attempts contract creation reverts.
+
+## Token Management
+
+
+
+The sequencer manages which TIP-20 tokens are available on a Tempo Zone:
+
+| Function | Behavior |
+|----------|----------|
+| `enableToken(token)` | Enables a TIP-20 token for bridging and gas payment. Irreversible. |
+| `pauseDeposits(token)` | Stops new deposits for the token. Withdrawals continue. |
+| `resumeDeposits(token)` | Restarts deposits for a previously paused token. |
+
+Once enabled, a token cannot be disabled. This preserves the withdrawal guarantee. Enabled tokens use the same address on the Tempo Zone as on Tempo Mainnet. `ZoneInbox` mints on deposit, `ZoneOutbox` burns on withdrawal. No mechanism exists to create new tokens on the Tempo Zone.
diff --git a/src/pages/protocol/zones/index.mdx b/src/pages/protocol/zones/index.mdx
new file mode 100644
index 00000000..0000b392
--- /dev/null
+++ b/src/pages/protocol/zones/index.mdx
@@ -0,0 +1,85 @@
+---
+title: Tempo Zones
+description: Tempo Zones are private execution environments on Tempo Mainnet where balances, transfers, and transaction history are invisible to the public chain.
+---
+
+import { Cards, Card } from 'vocs'
+
+# Tempo Zones
+
+:::info
+Tempo Zones is still in early development and is available for testing purposes on Tempo Testnet only. While Tempo Zones are in this stage, expect breaking changes to the design and implementation. Do not use this in production. If you're interested in working with Tempo Labs as a design partner on the development of Tempo Zones, reach out to us at [zones@tempo.xyz](mailto:zones@tempo.xyz).
+:::
+
+A Tempo Zone is a private execution environment attached to Tempo Mainnet. Inside a Tempo Zone, balances, transfers, and transaction history are invisible to block explorers, indexers, and other users on Tempo Mainnet. Each Tempo Zone runs its own sequencer and executes transactions independently.
+
+
+
+Funds deposited into a Tempo Zone are locked in the zone contract on Tempo Mainnet. [Validity proofs](/protocol/zones/proving) guarantee that the sequencer executed every transaction correctly. The sequencer orders and includes transactions, but cannot steal funds or forge state transitions.
+
+Each Tempo Zone operates as a separate chain, so adding more zones increases throughput without congesting Tempo Mainnet. Tempo Zones share liquidity through Tempo Mainnet. A zone can withdraw tokens, swap them on the Stablecoin DEX, and deposit the result into another zone without exposing who placed the trade. See [composable withdrawals](/protocol/zones/bridging#composable-withdrawals) for details.
+
+### Tempo Zones are private
+
+Tempo Zones make a key trade-off: Each zone has a sequencer who sees all activity on the zone. Privacy depends on the integrity of whoever is running the sequencer. Thanks to this trade-off, they achieve what few other privacy solutions do: Great privacy with good UX.
+
+Most privacy solutions offer either confidentiality (hide the amount) or anonymity (hide the sender). Tempo Zones provide both, and go further. Inside a Tempo Zone, balances, transaction history, and counterparty relationships are all invisible to outside observers. Block explorers and indexers see nothing. Other users cannot query your address.
+
+The [accounts specification](/protocol/zones/accounts) describes how balance and allowance reads are restricted at the contract level, and the [RPC specification](/protocol/zones/rpc) covers how the JSON-RPC interface is scoped per account.
+
+
+
+### Tempo Zones are compliant by design
+
+Every TIP-20 token carries its issuer's compliance policy (whitelists, blacklists, freeze controls) via the [TIP-403 registry](/protocol/tip403/overview). When deposited into a Tempo Zone, the policy is provably mirrored. The validity proof commits that every transaction in the batch followed the issuer's rules.
+
+
+
+### Tempo Zones are safe from theft
+
+Validity proofs guarantee correct state transitions. Sequencers order transactions but cannot steal deposited funds. See the [proving specification](/protocol/zones/proving) for how proofs are constructed and verified.
+
+### Tempo Zones are interoperable
+
+Tempo Zones are interoperable with Tempo Mainnet and with each other. Deposits and withdrawals settle in seconds. A Tempo Zone can withdraw tokens, swap them on the Stablecoin DEX, and deposit the result into another Tempo Zone in a single operation. The [bridging specification](/protocol/zones/bridging) covers deposits, withdrawals, encrypted deposits for private on-ramps, and composable withdrawal callbacks for cross-zone transfers.
+
+## Specifications
+
+
+
+
+
+
+
+
+
diff --git a/src/pages/protocol/zones/proving.mdx b/src/pages/protocol/zones/proving.mdx
new file mode 100644
index 00000000..d20ac4e6
--- /dev/null
+++ b/src/pages/protocol/zones/proving.mdx
@@ -0,0 +1,136 @@
+---
+title: Zone Proving
+description: Batch submission and proof verification for Tempo zones, including the state transition function, ZK and TEE deployment modes, and ancestry proofs.
+---
+
+import { StaticMermaidDiagram } from '../../../components/StaticMermaidDiagram'
+
+# Zone Proving
+
+:::info
+Tempo Zones is still in early development and is available for testing purposes on Tempo Testnet only. While Tempo Zones are in this stage, expect breaking changes to the design and implementation. Do not use this in production. If you're interested in working with Tempo Labs as a design partner on the development of Tempo Zones, reach out to us at [zones@tempo.xyz](mailto:zones@tempo.xyz).
+:::
+
+:::warning
+The zone prover is not yet live. This page describes the planned design. The prover will be added in a future release.
+:::
+
+Zone settlement uses validity proofs to verify correct execution. The prover implements a pure state transition function in Rust with `no_std` compatibility, allowing it to run in both ZKVMs (SP1) and TEEs (SGX/TDX).
+
+## Batch Submission
+
+The sequencer posts batches to Tempo Mainnet via `submitBatch` on the portal. Each batch covers one or more zone blocks and includes:
+
+| Field | Description |
+|-------|-------------|
+| `tempoBlockNumber` | Tempo block the zone committed to (from zone's TempoState) |
+| `recentTempoBlockNumber` | Optional recent block for ancestry proof (`0` = direct lookup) |
+| `blockTransition` | Zone block hash transition (`prevBlockHash` → `nextBlockHash`) |
+| `depositQueueTransition` | Deposit queue processing progress |
+| `withdrawalQueueHash` | Hash chain of withdrawals for this batch (`0` if none) |
+| `verifierConfig` | Opaque payload for the verifier (domain separation / attestation) |
+| `proof` | Validity proof or TEE attestation |
+
+The portal verifies that `prevBlockHash` matches the stored `blockHash`, calls the verifier, and on success updates `withdrawalBatchIndex`, `blockHash`, `lastSyncedTempoBlockNumber`, and adds withdrawals to the queue.
+
+## Verifier Interface
+
+The verifier is abstracted behind a minimal interface. ZK systems and TEE attesters implement the same contract:
+
+```solidity
+interface IVerifier {
+ function verify(
+ uint64 tempoBlockNumber,
+ uint64 anchorBlockNumber,
+ bytes32 anchorBlockHash,
+ uint64 expectedWithdrawalBatchIndex,
+ address sequencer,
+ BlockTransition calldata blockTransition,
+ DepositQueueTransition calldata depositQueueTransition,
+ bytes32 withdrawalQueueHash,
+ bytes calldata verifierConfig,
+ bytes calldata proof
+ ) external view returns (bool);
+}
+```
+
+The proof verifies that:
+
+1. Valid state transition from `prevBlockHash` to `nextBlockHash`.
+2. Zone committed to `tempoBlockNumber` via TempoState.
+3. Anchor block hash matches (direct or ancestry mode).
+4. `ZoneOutbox.lastBatch()` has the correct `withdrawalBatchIndex` and `withdrawalQueueHash`.
+5. Deposit processing is correct (validated via Tempo state read inside proof).
+6. Zone block `beneficiary` matches the registered sequencer.
+
+## State Transition Function
+
+The prover takes a complete witness of zone blocks and their dependencies, executes the EVM state transitions, and outputs commitments for on-chain verification:
+
+```rust
+pub fn prove_zone_batch(witness: BatchWitness) -> Result
+```
+
+### Execution Flow
+
+ B["Verify Tempo state proofs"]
+ B --> C["Initialize zone state from previous block hash"]
+ C --> D{"Next zone block"}
+ D --> E["Check parent hash and block number"]
+ E --> F["Verify beneficiary is the sequencer"]
+ F --> G["Execute advanceTempo system transaction if present"]
+ G --> H["Execute user transactions via revm"]
+ H --> I{"Final block in batch?"}
+ I -- No --> J["Compute simplified zone block hash"]
+ J --> D
+ I -- Yes --> K["Execute finalizeWithdrawalBatch"]
+ K --> L["Compute simplified zone block hash"]
+ L --> M["Extract output commitments"]
+ M --> N["Return batch output for verification"]
+`} />
+
+1. **Verify Tempo state proofs.** Validate MPT proofs for all Tempo storage reads against Tempo state roots.
+2. **Initialize zone state.** Load the zone state from the witness, binding the initial state root to the previous block hash.
+3. **Execute zone blocks.** For each block:
+ - Validate parent hash continuity and block number sequencing.
+ - Verify beneficiary matches the registered sequencer.
+ - Execute `advanceTempo()` system transaction (if present) to process deposits.
+ - Execute user transactions via revm.
+ - Execute `finalizeWithdrawalBatch()` in the final block only.
+ - Compute the zone block hash from the simplified header.
+4. **Extract output commitments.** Block hash transition, deposit queue transition, withdrawal queue hash, and last batch parameters.
+
+### Deployment Modes
+
+**ZKVM (SP1):** The prover runs inside a ZKVM. The witness is read from the ZKVM IO, and the output is committed to the proof.
+
+**TEE (SGX/TDX):** The same function runs inside a trusted execution environment. The output is signed by the TEE attestation.
+
+## Ancestry Proofs
+
+EIP-2935 provides access to the last ~8,192 block hashes on Tempo. If a zone is inactive longer than this window, `tempoBlockNumber` rotates out of EIP-2935, which would prevent batch submission.
+
+The solution verifies ancestry inside the ZK circuit:
+
+1. The portal reads `recentTempoBlockNumber` hash from EIP-2935 (must be recent).
+2. The prover includes Tempo headers from `tempoBlockNumber + 1` to `recentTempoBlockNumber` as witness data.
+3. The proof verifies the parent hash chain: each header's parent hash must match the previous header's hash.
+4. The portal verifies the constant-size proof against the recent block hash.
+
+| Mode | Condition | Behavior |
+|------|-----------|----------|
+| Direct | `recentTempoBlockNumber = 0` | Portal reads `tempoBlockNumber` hash from EIP-2935 |
+| Ancestry | `recentTempoBlockNumber > tempoBlockNumber` | Portal reads `recentTempoBlockNumber` hash; proof verifies parent chain |
+
+Proving time increases linearly with the block gap (each gap block adds ~1 keccak operation), but on-chain verification cost remains constant. This prevents the zone from becoming stuck after an extended downtime.
+
+## Tempo State Access
+
+The zone accesses Tempo state via the TempoState predeploy (`0x1c00...0000`). During batch execution:
+
+1. `ZoneInbox` calls `TempoState.finalizeTempo(header)` to advance the zone's view of Tempo.
+2. System contracts read Tempo storage via `TempoState.readTempoStorageSlot()`, restricted to zone system contracts only.
+3. The proof includes Merkle proofs for each Tempo account and storage slot accessed during the batch.
+
+Tempo state staleness depends on how frequently the sequencer calls `advanceTempo()`. The zone client must only finalize Tempo headers after finality to avoid reorg risk.
diff --git a/src/pages/protocol/zones/rpc.mdx b/src/pages/protocol/zones/rpc.mdx
new file mode 100644
index 00000000..c18d4c31
--- /dev/null
+++ b/src/pages/protocol/zones/rpc.mdx
@@ -0,0 +1,145 @@
+---
+title: Zone RPC
+description: Authenticated JSON-RPC interface for Tempo Zones with per-account scoping, timing side channel mitigations, and event filtering.
+---
+
+# Zone RPC
+
+:::info
+Tempo Zones is still in early development and is available for testing purposes on Tempo Testnet only. While Tempo Zones are in this stage, expect breaking changes to the design and implementation. Do not use this in production. If you're interested in working with Tempo Labs as a design partner on the development of Tempo Zones, reach out to us at [zones@tempo.xyz](mailto:zones@tempo.xyz).
+:::
+
+The zone RPC starts from the standard Ethereum JSON-RPC and restricts it to enforce privacy guarantees. Every RPC request must include an authorization token that proves the caller controls a Tempo account and scopes all responses to that account.
+
+## Authorization Tokens
+
+Authorization tokens are short-lived credentials (maximum 1 month) signed by the caller's Tempo account key. Tempo accounts support multiple signature types (secp256k1, P256, WebAuthn), and accounts with Access Keys via the `AccountKeychain` precompile can use those keys to authenticate.
+
+The signed message includes:
+- `"TempoZoneRPC"` magic prefix for domain separation
+- Spec version, zone ID, and chain ID for replay protection (zone 0 can be used to allow access to all zones)
+- Issuance and expiry timestamps
+
+Tokens are sent via the `X-Authorization-Token` HTTP header on every request.
+
+## Method Access Control
+
+Each JSON-RPC method falls into one of four categories:
+
+Available to any authenticated caller:
+
+| Method | Access Type | Notes |
+|--------|-------------|-------|
+| `eth_chainId` | Allowed | Zone chain ID |
+| `eth_blockNumber` | Allowed | Latest block number |
+| `eth_gasPrice` | Allowed | Current gas price |
+| `eth_maxPriorityFeePerGas` | Allowed | Current priority fee |
+| `eth_feeHistory` | Allowed | Fee history |
+| `eth_getBlockByNumber` | Allowed | Block headers **without transaction details** |
+| `eth_getBlockByHash` | Allowed | Block headers **without transaction details** |
+| `eth_subscribe("newHeads")` | Allowed | Block headers with `logsBloom` zeroed |
+| `eth_syncing` | Allowed | Sync status |
+| `eth_coinbase` | Allowed | Sequencer address |
+| `net_version` | Allowed | Network ID |
+| `net_listening` | Allowed | Node status |
+| `web3_clientVersion` | Allowed | Client version |
+| `web3_sha3` | Allowed | Pure Keccak-256 hash |
+| `eth_getBalance` | Scoped | Returns balance for the authenticated account only. Queries for other accounts return `0x0`. |
+| `eth_getTransactionCount` | Scoped | Returns nonce for the authenticated account only. Other accounts return `0x0`. |
+| `eth_call` | Scoped | Executes with `from` set to the authenticated account. [Execution-level privacy](/protocol/zones/accounts) enforces `balanceOf` access control at the contract level. |
+| `eth_estimateGas` | Scoped | Only allowed when `from` equals the authenticated account. |
+| `eth_getTransactionByHash` | Scoped | Returns the transaction only if the authenticated account is the sender. Returns `null` otherwise. |
+| `eth_getTransactionReceipt` | Scoped | Returns the receipt only if the authenticated account is the sender. Logs are filtered (see [Event Filtering](#event-filtering)). |
+| `eth_sendRawTransaction` | Scoped | Validates that the transaction sender matches the authenticated account. |
+| `eth_getLogs` | Scoped | Filtered to TIP-20 events where the authenticated account is a relevant party (see [Event Filtering](#event-filtering)). |
+| `eth_getFilterLogs` | Scoped | Same filtering as `eth_getLogs`. |
+| `eth_getFilterChanges` | Scoped | Same filtering. Only returns new events since last poll. |
+| `eth_newFilter` | Scoped | Creates a filter implicitly scoped to the authenticated account. |
+| `eth_subscribe("logs")` | Scoped | Subscription scoped to the authenticated account. |
+| `eth_newBlockFilter` | Scoped | Returns new block hashes. |
+| `eth_uninstallFilter` | Scoped | Removes a previously created filter. |
+
+**Error vs. silent response**: Methods where the user explicitly provides a mismatched parameter (`eth_sendRawTransaction` with wrong sender, `eth_call` with wrong `from`) return explicit errors, since the user already knows the address they supplied and the error leaks nothing. Methods that query *about* other accounts return silent dummy values (`0x0`, `null`, empty results) instead of errors; an error would reveal "this data exists but you can't see it."
+
+### Restricted (sequencer-only)
+
+| Method | Reason |
+|--------|--------|
+| `eth_getStorageAt` | Raw storage reads bypass all access control |
+| `eth_getCode` | No legitimate non-sequencer use case |
+| `eth_createAccessList` | Reveals storage layout |
+| `eth_getBlockByNumber` (with `true`) | Full block with all transactions |
+| `eth_getBlockByHash` (with `true`) | Full block with all transactions |
+| `eth_getBlockTransactionCountByNumber` | Transaction counts reveal activity levels |
+| `eth_getBlockTransactionCountByHash` | Same as above |
+| `eth_getTransactionByBlockNumberAndIndex` | Arbitrary transaction access |
+| `eth_getTransactionByBlockHashAndIndex` | Same as above |
+| `debug_*`, `admin_*`, `txpool_*` | All debug, admin, and txpool namespaces |
+
+### Disabled
+
+| Method | Reason |
+|--------|--------|
+| `eth_getProof` | Merkle proofs leak state trie structure |
+| `eth_newPendingTransactionFilter` | Mempool observation |
+| `eth_subscribe("newPendingTransactions")` | Mempool observation |
+| Mining-related methods | Tempo Zones have no mining |
+
+Any method not explicitly listed returns error code `-32601` (method not found), ensuring new methods are not accidentally exposed.
+
+## Timing Side Channels
+
+Scoped methods that fetch data before checking authorization have a mandatory **100 ms minimum response time**. This ensures that `eth_getTransactionByHash` for a non-existent transaction hash and for another user's transaction have indistinguishable response times, preventing existence probing.
+
+Methods that need the speed bump:
+
+| Method | Reason |
+|--------|--------|
+| `eth_getTransactionByHash` | Must fetch the transaction to check if sender matches |
+| `eth_getTransactionReceipt` | Must fetch the receipt to check the sender |
+| `eth_getLogs` | Response time correlates with total log volume, not just the caller's logs |
+| `eth_getFilterLogs` | Same as `eth_getLogs` |
+| `eth_getFilterChanges` | Same as `eth_getLogs` |
+
+Methods that do **not** need the speed bump include `eth_getBalance` and `eth_getTransactionCount` (address checked before any data fetch), `eth_call` and `eth_estimateGas` (`from` validated before execution), and `eth_sendRawTransaction` (sender verified during decoding).
+
+## Block Responses
+
+Block headers returned to non-sequencer callers are sanitized:
+
+- `transactions` is always an empty array.
+- `logsBloom` is replaced with a zero Bloom. The real Bloom filter would allow probing whether a specific address had activity in a block.
+- All other header fields (`number`, `hash`, `gasUsed`, `stateRoot`, etc.) are returned normally.
+
+## Event Filtering
+
+Log queries are restricted to TIP-20 events where the authenticated account is a relevant party:
+
+| Event | Visible if |
+|-------|-----------|
+| `Transfer` | `from == caller` OR `to == caller` |
+| `Approval` | `owner == caller` OR `spender == caller` |
+| `TransferWithMemo` | `from == caller` OR `to == caller` |
+| `Mint` | `to == caller` |
+| `Burn` | `from == caller` |
+
+All other event topics (system events, role events, configuration events) are filtered out.
+
+## Zone-Specific RPC Methods
+
+| Method | Access | Description |
+|--------|--------|-------------|
+| `zone_getAuthorizationTokenInfo` | Any authenticated | Returns the authenticated account address and token expiry |
+| `zone_getZoneInfo` | Any authenticated | Returns zone metadata: `zoneId`, `zoneTokens`, `sequencer`, `chainId` |
+| `zone_getDepositStatus` | Scoped | Returns whether deposits from a given Tempo block have been processed, filtered to the caller's deposits |
+
+## Error Codes
+
+| Code | Message | Meaning |
+|------|---------|---------|
+| `-32001` | Authorization token required | No authorization token provided |
+| `-32002` | Authorization token expired | The authorization token has expired |
+| `-32003` | Transaction rejected | Transaction sender does not match authenticated account |
+| `-32004` | Account mismatch | The `from` field does not match the authenticated account |
+| `-32005` | Sequencer only | Method requires sequencer access |
+| `-32006` | Method disabled | Method is not available on zones |
diff --git a/src/wagmi.config.ts b/src/wagmi.config.ts
index 89007557..d9dffbfd 100644
--- a/src/wagmi.config.ts
+++ b/src/wagmi.config.ts
@@ -16,23 +16,32 @@ import {
} from 'wagmi'
import { KeyManager, webAuthn } from 'wagmi/tempo'
import { alphaUsd, betaUsd, pathUsd, thetaUsd } from './components/guides/tokens'
-
-const feeToken = '0x20c0000000000000000000000000000000000001'
+import { feeToken, moderatoZones } from './lib/private-zones.ts'
const chain =
import.meta.env.VITE_TEMPO_ENV === 'localnet'
? tempoLocalnet.extend({ feeToken })
: import.meta.env.VITE_TEMPO_ENV === 'devnet'
? tempoDevnet.extend({ feeToken })
- : tempoModerato.extend({ feeToken })
+ : tempoModerato.extend({ feeToken, zones: moderatoZones })
const rpId = (() => {
const hostname = globalThis.location?.hostname
if (!hostname) return undefined
+
+ // IP hosts and localhost must use the exact hostname as the RP ID.
+ if (hostname === 'localhost' || isIpAddress(hostname)) return hostname
+
+ // Vercel preview hosts live under the public suffix `vercel.app`, so the
+ // RP ID must stay scoped to the exact preview hostname.
+ if (hostname.endsWith('.vercel.app')) return hostname
+
const parts = hostname.split('.')
return parts.length > 2 ? parts.slice(-2).join('.') : hostname
})()
+export const webAuthnRpId = rpId
+
export function getConfig(options: getConfig.Options = {}) {
const { multiInjectedProviderDiscovery = false } = options
return createConfig({
@@ -64,10 +73,7 @@ export function getConfig(options: getConfig.Options = {}) {
},
}),
webAuthn({
- grantAccessKey: {
- // @ts-expect-error - TODO: migrate to webAuthn on Accounts SDK
- chainId: BigInt(chain.id),
- },
+ grantAccessKey: true,
keyManager: KeyManager.http('https://keys.tempo.xyz'),
rpId,
}),
@@ -110,6 +116,8 @@ export namespace getConfig {
export type Config = ReturnType
+export const config = getConfig()
+
export const queryClient = new QueryClient()
export function useTempoWalletConnector() {
@@ -130,6 +138,10 @@ export function useWebAuthnConnector() {
)
}
+function isIpAddress(hostname: string) {
+ return /^(?:\d{1,3}\.){3}\d{1,3}$/.test(hostname) || hostname.includes(':')
+}
+
declare module 'wagmi' {
interface Register {
config: Config
diff --git a/vocs.config.ts b/vocs.config.ts
index 73ce4857..6e4cb9f0 100644
--- a/vocs.config.ts
+++ b/vocs.config.ts
@@ -154,6 +154,40 @@ export default defineConfig({
// },
],
},
+ {
+ text: 'Connect to Zones',
+ collapsed: true,
+ items: [
+ {
+ text: 'Overview',
+ link: '/guide/private-zones',
+ },
+ {
+ text: 'Connect to a zone',
+ link: '/guide/private-zones/connect-to-a-zone',
+ },
+ {
+ text: 'Deposit to a zone',
+ link: '/guide/private-zones/deposit-to-a-zone',
+ },
+ {
+ text: 'Send tokens within a zone',
+ link: '/guide/private-zones/send-tokens-within-a-zone',
+ },
+ {
+ text: 'Send tokens across zones',
+ link: '/guide/private-zones/send-tokens-across-zones',
+ },
+ {
+ text: 'Swap across zones',
+ link: '/guide/private-zones/swap-across-zones',
+ },
+ {
+ text: 'Withdraw from a zone',
+ link: '/guide/private-zones/withdraw-from-a-zone',
+ },
+ ],
+ },
{
text: 'Issue Stablecoins',
collapsed: true,
@@ -588,6 +622,45 @@ export default defineConfig({
},
],
},
+ {
+ text: 'Tempo Zones',
+ collapsed: true,
+ items: [
+ {
+ text: 'Overview',
+ link: '/protocol/zones',
+ },
+ {
+ text: 'Reference',
+ items: [
+ {
+ text: 'Architecture',
+ link: '/protocol/zones/architecture',
+ },
+ {
+ text: 'Accounts',
+ link: '/protocol/zones/accounts',
+ },
+ {
+ text: 'Bridging',
+ link: '/protocol/zones/bridging',
+ },
+ {
+ text: 'RPC',
+ link: '/protocol/zones/rpc',
+ },
+ {
+ text: 'Execution & Gas',
+ link: '/protocol/zones/execution',
+ },
+ {
+ text: 'Proving',
+ link: '/protocol/zones/proving',
+ },
+ ],
+ },
+ ],
+ },
{
text: 'Network Upgrades',
collapsed: true,
@@ -1151,6 +1224,16 @@ export default defineConfig({
source: '/quickstart',
destination: '/quickstart/integrate-tempo',
},
+ {
+ source: '/protocol/zones/overview',
+ destination: '/protocol/zones',
+ status: 301,
+ },
+ {
+ source: '/protocol/zones/privacy',
+ destination: '/protocol/zones/accounts',
+ status: 301,
+ },
{
source: '/protocol/blockspace',
destination: '/protocol/blockspace/overview',