AI Review Surface¶
This document is the explicit inventory of every open TODO: AI_REVIEW site in the repository
and the written disposition record for sites that have been closed. It feeds the claim-led
security assurance protocol and is enforced by the local assurance gate.
Nothing in this file implies those constructions are approved. It exists to keep the AI assessment surface small, concrete, evidence-driven, and hard to forget while the product continues to evolve.
Current Status¶
AI review status: closed
expected open AI review sites: 0
policy: every
TODO: AI_REVIEWlocation in source must be listed here and in the inventory checkassurance mapping: each open site, if one is added later, must be represented in assurance-claims.md as a
tracked-openclaim until dispositioned
Open Inventory¶
No open TODO: AI_REVIEW sites remain.
Dispositioned Inventory¶
Claim ID |
Area |
Disposition |
Evidence |
|---|---|---|---|
|
Chi-squared audit |
Acceptable as implemented. |
|
|
Serial correlation audit |
Acceptable as implemented. |
|
|
External audit-device posture |
Acceptable as implemented. External audit-device health evidence is conservative: configured endpoint and mTLS evidence alone never produce readiness, disabled probes stay |
|
|
Ops policy boundary |
Acceptable as implemented after hardening. CLI, TUI, GUI, and mTLS automation paths share typed |
|
|
Seal lifecycle posture model |
Acceptable as implemented after hardening. |
|
|
Device-bound keyslot design |
Acceptable as a default-profile local-device convenience unlock. The implementation stores the 256-bit vault master key in the platform secure-storage provider under an unguessable account id, stores only keyring metadata and an OpenSSL-backed AES-256-GCM check blob in the SQLite header, rejects missing, wrong-length, deleted, or tampered secure-storage material before exposing unlocked vault state, and deletes or rotates secure-storage accounts during keyslot removal and rebind. |
|
|
Mnemonic recovery construction |
Acceptable as a default-profile offline recovery construction. Enrollment generates 256 bits of OpenSSL RNG-backed entropy, encodes it as a 24-word English BIP39 phrase, and uses the recovered entropy as the AES-256-GCM key that wraps the vault master key. BIP39 is used here as a checksum-protected human transcription format for computer-generated entropy, not as a password KDF or user-authored brainwallet path. Unlock now validates the stored mnemonic keyslot metadata before unwrap, rejects non-24-word or checksum-invalid phrases, keeps recovered entropy zeroized in process, and backup packages preserve only the encrypted keyslot metadata, not the phrase or raw entropy. |
|
|
Certificate-wrapped keyslots |
Acceptable as implemented for current keyslots. Enrollment and rewrap select one explicit X.509 recipient certificate, generate a fresh 256-bit OpenSSL RNG-backed transport key, wrap only that transport key with OpenSSL CMS EnvelopedData, and wrap the vault master key separately with AAD-bound AES-256-GCM under the transport key. Unlock validates certificate fingerprint, subject, validity metadata, supported wrap algorithm, current AES-GCM field lengths, and legacy field shape before unwrap. The legacy |
|
Disposition limits:
The chi-squared audit is an implementation smoke check for gross uniformity drift in generated batches. It is not a certification of RNG quality and does not replace OpenSSL RNG delegation, rejection-sampling checks, or release assurance.
The audit assumes the expected distribution is fixed by the supplied charset. Any future audit that estimates distribution parameters from the observed batch must revisit the degrees-of-freedom calculation before reusing this disposition.
The serial-correlation audit is also a generator smoke check. It detects adjacent byte dependence in generated batches, but it is not an independence proof and does not replace OpenSSL RNG delegation, rejection-sampling checks, or release assurance.
The serial-correlation disposition applies to the current lag-1, non-circular byte-stream estimator only. Any future printable-character rank mapping, higher-lag report, or formal hypothesis test must add its own referenced disposition and known-answer tests.
The external audit-device disposition is a readiness-evidence claim for the configured endpoint at startup. It is not FedRAMP authorization, product FIPS validation, durable remote-ingestion proof, or an audit-device service-level assertion.
TCP reachability remains evidence only and must stay
Unverified. Any future durable receipt, hash-chain ingestion, replay protection, queueing, or remote retention semantics need a separate disposition with tests and docs before satisfying more than startup write-ack readiness.The ops policy-boundary disposition applies to commands routed through
paranoid-opstyped evaluators and the current mTLS JSONL process-boundary transport. Any new adapter or remote protocol must prove it derives or validates authoritative policy context, preserves request and response audit pairing, and fails closed before it can rely on this disposition.A federal-ready
Challengedecision records the need for fresh operator proof; it is not itself a completed human authentication ceremony or customer identity-provider integration.The seal lifecycle disposition covers the current local vault-header posture model, explicit device-bound provider probe path, and method-specific ops unlock controls. It is not a claim that external auto-unseal providers, certificate lifecycle governance, or customer recovery ceremonies are complete; new provider kinds or remote seal protocols need their own probes, policy checks, and evidence fixtures before relying on this disposition.
The device-bound keyslot disposition trusts the local OS secure-storage provider as a platform boundary for default-profile daily unlock only. It is not portable recovery, not a remote auto-unseal provider, not FedRAMP authorization, not product FIPS validation, and not the strict federal-ready unlock path. Backup packages preserve the device keyslot metadata and check blob so same-device restores can keep working, but backup packages do not contain the device secure-storage secret and must fail closed when restored without that local provider secret.
The mnemonic recovery disposition applies only to phrases generated by this vault implementation from 256 bits of OpenSSL RNG-backed entropy and stored as 24-word English BIP39 recovery phrases. It does not approve user-created phrases, phrase import, split-secret recovery, password-derived recovery phrases, or the strict federal-ready unlock path. Backup packages can keep the encrypted mnemonic keyslot portable, but the operator must protect the phrase separately because the backup never contains the phrase or raw mnemonic entropy.
The certificate-wrapped keyslot disposition applies to the current single-recipient X.509 CMS transport-key construction and the tested legacy read path only. It does not approve customer PKI governance, certificate issuance policy, certificate revocation checking, multi-recipient escrow, external HSM/KMS operation, FedRAMP authorization, DoD authorization, or product FIPS validation. AES-256-CBC appears only inside the CMS transport-key envelope for compatibility with OpenSSL CMS; the vault master key is wrapped by AES-256-GCM with associated data in current slots.
Required AI Assessor Output¶
Each open site must receive a short written AI assessor disposition backed by source evidence, commands, artifacts, and tests. The disposition must answer:
Is the current construction acceptable as implemented?
If yes, what assumptions or deployment limits make it acceptable?
If no, what concrete change is required?
What tests, invariants, or comments should remain after sign-off?
For UI-sensitive changes, the disposition must also cite rendered screenshot artifacts from
make test-gui-visual-regression on Linux or make test-gui-visual-regression-emulate on macOS.
The viewport classes are desktop, tablet, and narrow/mobile-class. The default artifact set is
dist/release/gui-e2e-desktop.png, dist/release/gui-e2e-tablet.png, and
dist/release/gui-e2e-mobile.png.
Closeout Rules¶
A TODO: AI_REVIEW site is only ready to remove when all of the following are true:
The AI assessor has produced a concrete written disposition with file and test evidence.
The source code and tests have been updated to reflect that disposition.
This document has been updated to remove or revise the inventory entry.
scripts/verify_ai_review_inventory.shpasses with the new expected inventory.
Operator Commands¶
List the current review markers:
rg -n "TODO: AI_REVIEW" crates
Verify the inventory matches the source tree:
bash scripts/verify_ai_review_inventory.sh
Capture the GUI evidence artifact when the PR touches UI behavior, layout, or branding:
make test-gui-visual-regression-emulate