tendr.bid
Live on Solana devnet

Procurement,
sealed.

Private sealed-bid procurement on Solana - built for humans today, ready for AI agents tomorrow. Bids sit encrypted on a MagicBlock’s TEE-backed rollup - sealed from everyone, including the buyer, until the bid window closes. Switch on private bidding and a per-RFP ephemeral wallet commits your bid, funded through Cloak’s shielded UTXO pool. Winners surface on-chain at award reveal; losers stay anonymous forever.

Sealed

X25519 ECDH + XChaCha20-Poly1305 envelopes, encrypted to buyer AND provider. Plaintext never persists anywhere.

Time-locked

Envelopes live on a MagicBlock Private Ephemeral Rollup. The TEE blocks buyer reads until bid_close_at flips the permission set.

Unlinkable

Private mode uses a per-RFP ephemeral wallet, funded via Cloak’s shielded UTXO pool. Losers’ main wallets stay forever private.

Revealed

Permission flips at close. Buyer fetches from the rollup, decrypts in-browser, picks a winner. Reveal proves the winner’s main wallet without exposing losers’.

The flow

Privacy is the mechanism, not a feature.

Four steps, every one cryptographically enforced. Every claim below maps to a real on-chain instruction shipping on devnet today.

  1. 01

    Post an RFP

    Buyer creates a request with scope, budget range, and a reveal window. Picks public or private bidder list per RFP. The RFP-specific X25519 pubkey is derived from a single wallet signature.

    rfp_create
  2. 02

    Providers commit

    Each bid is XChaCha20-Poly1305 encrypted to buyer + provider, then chunked onto a delegated BidCommit account on MagicBlock's Private Ephemeral Rollup. Even the buyer can't read it yet.

    commit_bid_init → delegate_bid → write_bid_chunk → finalize_bid
  3. 03

    Reveal opens

    Past bid_close_at, anyone can call open_reveal_window. The on-chain time gate flips the TEE permission set to add the buyer; the validator starts serving envelope reads to the buyer's wallet.

    rfp_close_bidding → open_reveal_window
  4. 04

    Select & pay

    Buyer decrypts every bid in-browser, picks a winner, and locks USDC into per-milestone escrow. Each release fires on-chain when the buyer accepts the deliverable, with a 14-day dispute cool-off.

    select_bid → fund_project → accept_milestone
Powered by
Time-locked storageMagicBlock PER · TEE
Bidder unlinkabilityCloak shielded UTXO
CryptographyX25519 + XChaCha20

See it run on devnet.

Connect a wallet, browse an open RFP, and submit a sealed bid. Plaintext stays in your browser; the commit goes on-chain.

Browse RFPsSource