{
"mode": "spacecash-security-review-matrix-v1",
"topics": [
{
"expected_controls": [
"canonical JSON",
"chain_id binding",
"payload version",
"address-derived public key"
],
"id": "signature_payload_binding",
"questions": [
"Can a valid signature be replayed on another chain id, action, amount, recipient, or product id?",
"Can malformed, non-canonical, or malleable JWK or signature encodings bypass verification, or yield a second distinct signature that verifies for the same payload?"
],
"severity_if_failed": "critical"
},
{
"expected_controls": [
"UNIQUE(sender, nonce)",
"nonces table",
"pending balance reservation"
],
"id": "nonce_and_mempool_replay",
"questions": [
"Can a queued nonce be reused before mining?",
"Can a mined nonce be resubmitted with a different payload hash?",
"Can pending spends exceed available balance when combined?"
],
"severity_if_failed": "critical"
},
{
"expected_controls": [
"audit recomputation",
"versioned block hashes",
"candidate readiness gates"
],
"id": "ledger_supply_and_blocks",
"questions": [
"Can balances diverge from transaction history?",
"Can block hashes, Merkle roots, or inclusion proofs be forged?",
"Can legacy unsigned spends enter a mainnet candidate?"
],
"severity_if_failed": "critical"
},
{
"expected_controls": [
"snapshot verification",
"producer allowlist",
"append-only fork choice",
"pre-import backup"
],
"id": "snapshot_sync_import",
"questions": [
"Can a snapshot from a producer outside the allowlist, or one that is not an append-only extension of the local chain, be imported?",
"Does the pre-import backup restore local state after a failed or rejected import?"
],
"severity_if_failed": "high"
},
{
"expected_controls": [
"consensus_spec_hash",
"release manifest check",
"bundle consensus_spec.json",
"daemon /consensus/spec"
],
"id": "consensus_spec_integrity",
"questions": [
"Does the published consensus spec accurately describe runtime fork-choice, producer, checkpoint, and sync behavior?",
"Can a release bundle be reviewed against the same consensus spec hash exposed by the node API?"
],
"severity_if_failed": "high"
},
{
"expected_controls": [
"monetary_policy_hash",
"total supply invariant",
"no mint route",
"manual legal/compliance gate"
],
"id": "monetary_policy_integrity",
"questions": [
"Does the published monetary policy match runtime supply, treasury, faucet, and fee behavior?",
"Can any route mint beyond genesis supply or bypass treasury accounting?",
"Are tokenomics, treasury controls, and market disclosures adequate before production use?"
],
"severity_if_failed": "high"
},
{
"expected_controls": [
"genesis_plan_hash",
"fresh reviewed genesis boundary",
"candidate key exclusion",
"allocation total review"
],
"id": "genesis_allocation_boundary",
"questions": [
"Can historical devnet balances, legacy claim tokens, or candidate private keys leak into a mainnet allocation?",
"Does the genesis plan clearly require a fresh reviewed allocation file before launch?",
"Can allocation totals exceed or differ from the approved supply cap?"
],
"severity_if_failed": "high"
},
{
"expected_controls": [
"genesis_allocation_template.json",
"genesis_allocation_check.json",
"tools/spacecash_genesis_allocation.py",
"allocation_hash"
],
"id": "genesis_allocation_schema",
"questions": [
"Does the verifier reject invalid addresses, duplicate allocations, non-positive amounts, missing basis fields, and supply mismatches?",
"Does require-approved mode fail unless approval fields, manual legal/compliance gate, allocation hash, and supply totals are complete?",
"Can reviewers reproduce the allocation hash from the canonical JSON body?"
],
"severity_if_failed": "high"
},
{
"expected_controls": [
"wallet_policy_hash",
"encrypted backup envelope",
"no default private key bundle",
"manual custody gate"
],
"id": "wallet_recovery_custody_boundary",
"questions": [
"Does the published wallet policy accurately describe encrypted backup, address versioning, recovery gaps, and custody limits?",
"Can private keys leak through server routes, logs, release bundles, or candidate artifacts by default?",
"Are lost-key and compromised-key procedures adequate before production use?"
],
"severity_if_failed": "high"
},
{
"expected_controls": [
"registered validator wallets",
"tip-bound signed payload",
"vote audit"
],
"id": "checkpoint_quorum",
"questions": [
"Can non-validator wallets vote?",
"Can votes for stale or altered tips, or duplicate votes from a single validator, count toward quorum?"
],
"severity_if_failed": "high"
},
{
"expected_controls": [
"production deployment runbook",
"external hardening review"
],
"id": "daemon_exposure",
"questions": [
"Which routes require authentication before public deployment, and is the default deny for any route not explicitly listed as public?",
"What rate limits, CORS policy, TLS, and monitoring are required?"
],
"severity_if_failed": "high"
}
]
}