security_review/README.md

# SpaceCash Security Review Packet

This packet prepares an external security review. It is not an audit result.

- Chain: `spacecash-devnet-1`
- Source hash: `EDBB518F077F0B26281B2FB653E456AEDB268EC022522B021A57ACEB62ED45C6`
- Review status: `packet_only_not_audit`
- Genesis allocation template hash: `131ED3AD0536152AB3D6590D7804DCF614206617DEAE41D238905913E36944E1`
- Genesis allocation ready: `False`
- Manual gate evidence ready: `False`
- Public testnet evidence ready: `False`
- Security review evidence ready: `False`
- Legal/compliance evidence ready: `False`
- Wallet custody evidence ready: `False`
- Production deployment evidence ready: `False`
- Mainnet decision ready: `False`
- Symbolic value hash: `3CDE23ABCAF5383009C9B9A13467118AACCD3D97B4766FFEFEE91A999FC709DF`
- Files hashed: `88`

Reviewer order:

1. Verify `SHA256SUMS.txt`.
2. Review `source_manifest.json` and source hash.
3. Review `docs/spacecash/SECURITY_AUDIT_SCOPE.md` and `docs/spacecash/THREAT_MODEL.md`.
4. Review `consensus_spec.json` for the current devnet consensus envelope.
5. Review `monetary_policy.json` for supply, issuance, fee, and treasury boundaries.
6. Review `symbolic_value.json` for the non-monetary VORATH imaginary-value overlay.
7. Review `genesis_plan.json` for the devnet-to-mainnet allocation boundary.
8. Review `genesis_allocation_template.json` and `genesis_allocation_check.json` for allocation schema enforcement.
9. Review `manual_gate_evidence_template.json` and `manual_gate_evidence_check.json` for human signoff blockers.
10. Review `public_testnet_evidence_template.json` and `public_testnet_evidence_check.json` for public-testnet exit evidence.
11. Review `security_review_evidence_template.json` and `security_review_evidence_check.json` for audit closure criteria.
12. Review `legal_compliance_evidence_template.json` and `legal_compliance_evidence_check.json` for legal/compliance launch criteria.
13. Review `wallet_custody_evidence_template.json` and `wallet_custody_evidence_check.json` for recovery/custody launch criteria.
14. Review `production_deployment_evidence_template.json` and `production_deployment_evidence_check.json` for deployment launch criteria.
15. Review `mainnet_decision_template.json` and `mainnet_decision_check.json` for final launch decision criteria.
16. Review `wallet_policy.json` for recovery and custody boundaries.
17. Use `ATTACK_SURFACE.md` and `review_matrix.json` to drive testing.
18. Fill `audit/topics/*.md` workpapers for every required review topic.
19. Record findings in `FINDINGS_LOG.md`, `audit/findings/`, and `remediation_tracker.json`.
20. Use `security_review_evidence_workbench.json` as the path-connected draft evidence file.
21. Attach final auditor closure before changing the external security review gate.
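Step 1 and the `Files hashed` count above can be checked together. The script below is an added example, not part of the packet; it assumes GNU coreutils and that `SHA256SUMS.txt` sits in the packet root and lists every packet file except itself. It goes beyond a bare `sha256sum -c` by also failing on a wrong file count and on files the manifest does not cover.

```bash
#!/usr/bin/env bash
# Added example (not part of the packet): check SHA256SUMS.txt beyond a bare
# `sha256sum -c`. Assumptions: GNU coreutils; SHA256SUMS.txt is in the packet
# root and lists every file except itself, one "<hash>  <path>" line per file.
#
# verify_packet <packet_dir> <expected_file_count>
# Fails if any listed file is missing or altered, if the number of listed
# files differs from the packet's "Files hashed" value, or if the packet
# contains a file the manifest does not cover (a check `sha256sum -c` skips).
verify_packet() {
    dir=$1
    expected=$2
    sums="$dir/SHA256SUMS.txt"
    [ -f "$sums" ] || { echo "missing $sums" >&2; return 1; }

    # 1. Every listed file must exist and match its hash.
    (cd "$dir" && sha256sum --quiet --strict -c SHA256SUMS.txt) \
        || { echo "hash verification failed" >&2; return 1; }

    # 2. The manifest must list exactly the advertised number of files.
    listed=$(grep -c . "$sums" || true)
    [ "$listed" -eq "$expected" ] \
        || { echo "manifest lists $listed files, expected $expected" >&2; return 1; }

    # 3. No file in the packet may be absent from the manifest. Merge the
    #    on-disk file list with the manifest's path column; after step 1 the
    #    only unpaired entries left are files nobody hashed.
    unlisted=$(
        {
            (cd "$dir" && find . -type f ! -name SHA256SUMS.txt | sed 's|^\./||')
            sed 's/^[0-9a-fA-F]\{64\} [ *]//' "$sums"
        } | sort | uniq -u
    )
    [ -z "$unlisted" ] || { echo "files not covered by manifest: $unlisted" >&2; return 1; }
}

# make_demo_packet <dir> : build a constructed three-file packet with a valid
# manifest so the check can be exercised offline (fixture, not real packet data).
make_demo_packet() {
    mkdir -p "$1/docs"
    printf 'chain: spacecash-devnet-1\n' > "$1/consensus_spec.json"
    printf 'threat model\n' > "$1/docs/THREAT_MODEL.md"
    printf '{}\n' > "$1/genesis_plan.json"
    (cd "$1" && find . -type f ! -name SHA256SUMS.txt | sed 's|^\./||' | sort \
        | xargs sha256sum > SHA256SUMS.txt)
}
```

Against the real packet run `verify_packet <packet_dir> 88`; `make_demo_packet` only builds a constructed fixture.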