Whenever an app needs to verify something (age, residency, ownership, etc.):

1. The app sends a request for a proof template.
2. The vault generates a zero-knowledge proof.
3. The user signs it with their control key.

The verifier checks:

• signature from a valid current control key
• that the proof matches the state_commitment
• that the state_commitment references a valid identity_root

Result:

Apps trust the claim, without seeing any personal data.