App → "Request AgeOver18"
Vault → fetch birthdate leaf
Vault → build ZK circuit
Vault → compute proof
Vault → sign with control_key
Vault → deliver signed proof to app
App → verifies proof + signature + state_commitment
birthdate stays in vault
no database involved
no third-party sees anything
verifier only learns: “user is 18+”