Assurance Claims

This file is the claim inventory used by the security assurance protocol. Claims are stable identifiers that pull request assessors, CI reports, and release notes can cite.

Claim states:

  • enforced: deterministic source checks, tests, or CI gates directly protect the claim

  • tracked-open: the implementation exists, but the repo deliberately keeps an open disposition marker until the construction is strengthened or formally accepted

  • process: the claim is about release, supply chain, or review workflow behavior

Core Generation and Audit Claims

Claim ID

State

Claim

Evidence

rng.openssl-delegation

enforced

Password generation RNG and SHA-256 remain delegated to paranoid-core OpenSSL-backed paths.

crates/paranoid-core/src/lib.rs; scripts/hallucination_check.sh; make verify-assurance

rng.rejection-sampling-boundary

enforced

Rejection sampling keeps the inclusive boundary (256/N)*N - 1; modulo reduction is not allowed.

crates/paranoid-core/src/lib.rs; scripts/hallucination_check.sh; core tests

audit.chi-squared-tail

enforced

The chi-squared audit uses statrs, degrees of freedom N - 1, upper-tail p-values, and pass logic p > 0.01; its AI review disposition is closed with NIST/Sematech references and threshold-bracketing known-answer tests.

crates/paranoid-core/src/lib.rs; scripts/hallucination_check.sh; docs/reference/ai-review.md; core tests

audit.serial-correlation-estimator

enforced

Serial-correlation reporting uses the NIST/Sematech lag-1 autocorrelation form over the generated byte stream, with adjacent non-circular windows, full-sample normalization, and exact known-answer tests.

crates/paranoid-core/src/lib.rs; docs/reference/ai-review.md; core tests

surface.no-browser-runtime

enforced

The product surface does not reintroduce the retired browser app, JavaScript secret-handling logic, DOM UI, webview wrappers, or retired C paths.

scripts/hallucination_check.sh; docs/reference/architecture.md; .github/copilot-instructions.md

surface.wasm-gated-compile-check

enforced

The paranoid-gui wasm32 target is compile-checked only: its runtime branch never links paranoid-core/paranoid-vault/paranoid-audit/paranoid-ops, every wired callback returns the explicit runtime-disabled gate message, and no secret generation, vault unlock, storage, recovery, backup, or clipboard operation executes on that target. Storage and crypto for the wasm32 surface remain unthreat-modeled and this posture is a compile-check, not a shipped runtime.

crates/paranoid-gui/src/lib.rs; crates/paranoid-gui/Cargo.toml; scripts/hallucination_check.sh; scripts/security_assurance_gate.py

Vault and Recovery Claims

Claim ID

State

Claim

Evidence

vault.device-bound-keyslot

enforced

Device-bound unlock is a default-profile local-device convenience path: the OS secure-storage value must be an exact 256-bit master-key candidate, the vault header stores only keyring metadata plus an AES-GCM check blob, tampered or missing provider material fails closed, backup packages do not export the device secure-storage secret, and removal/rebind lifecycle operations clean up provider accounts.

crates/paranoid-vault/src/lib.rs; vault tests; CLI vault TUI tests; docs/reference/ai-review.md; make verify-assurance

vault.mnemonic-recovery-keyslot

enforced

Mnemonic recovery is a default-profile offline recovery path: enrollment generates a 256-bit OpenSSL RNG-backed recovery key, encodes it as a 24-word English BIP39 phrase, validates mnemonic keyslot metadata before unlock, rejects malformed or wrong phrases fail-closed, and backup packages do not export the phrase or raw entropy.

crates/paranoid-vault/src/lib.rs; vault tests; docs/reference/ai-review.md; docs/reference/vault-format.md; docs/reference/federal-readiness.md; make verify-assurance

vault.certificate-wrapped-keyslot

enforced

Certificate-wrapped keyslots use a single explicit X.509 recipient certificate to CMS-wrap only a fresh 256-bit transport key; the vault master key is separately wrapped with AAD-bound AES-256-GCM, unlock validates certificate metadata and keyslot field shape before unwrap, legacy direct-CMS slots remain read-only compatibility, and backup packages do not export private keys or raw transport keys.

crates/paranoid-vault/src/lib.rs; vault tests; docs/reference/ai-review.md; docs/reference/vault-format.md; docs/reference/federal-readiness.md; make verify-assurance

ops.shared-policy-boundary

enforced

The shared ops evaluator gates adapter-initiated vault operations, consumes non-secret seal posture for unlock policy, emits paired request/response audit evidence, preserves adapter surface metadata, rejects caller-supplied profile/context mismatches, and is used by CLI, TUI, GUI, and mTLS automation paths.

crates/paranoid-ops/src/lib.rs; CLI vault tests; TUI vault tests; native GUI automation tests; durable GUI JSONL tests; mTLS process-boundary fixtures; docs/reference/ai-review.md; make verify-assurance

ops.vault-trace-fixtures

enforced

Stable CLI/TUI/GUI vault operation trace fixtures pin typed command envelopes, policy decisions, redacted request/response audit events, and JSONL rendering.

crates/paranoid-ops/tests/ops_trace_fixtures.rs; crates/paranoid-ops/tests/fixtures/; docs/reference/testing.md

ops.mtls-process-boundary-fixture

enforced

mTLS process-boundary command fixtures pin authenticated transport evidence, service-account actor context, and fail-closed policy when security-relevant commands lack authenticated transport evidence.

crates/paranoid-ops/src/lib.rs; crates/paranoid-ops/tests/ops_trace_fixtures.rs; crates/paranoid-ops/tests/fixtures/ops_trace_mtls_process_boundary_allowed.json; docs/reference/testing.md

audit.external-device-health

enforced

External audit-device configuration and TCP reachability are reported as evidence only; the mTLS JSONL write-ack probe reports ready only after a matching protocol/version/probe/challenge acknowledgement. Unverified or unavailable external devices do not satisfy required audit policy, and the closed disposition documents that this is startup readiness evidence rather than federal authorization or durable ingestion proof.

crates/paranoid-audit/src/lib.rs; crates/paranoid-ops/src/lib.rs; audit probe tests; stable federal startup fixtures; CLI evidence tests; docs/reference/ai-review.md; make verify-assurance

federal.recovery-disposition-evidence

process

Federal startup evidence reports that Argon2id password recovery, BIP39 mnemonic recovery, and device-bound unlock are default-profile features disabled by strict federal-ready policy, while CLI/TUI vault unlocks must pass the typed unlock policy before loading plaintext state.

crates/paranoid-ops/src/lib.rs; crates/paranoid-cli/src/vault_cli.rs; crates/paranoid-cli/src/vault_tui.rs; federal startup fixtures; tests/test_vault_cli.sh; docs/reference/federal-readiness.md; docs/reference/control-mapping.md

seal.lifecycle-boundary

enforced

Seal state and non-secret provider posture are owned by paranoid-seal, consumed by method-specific ops unlock policy, re-exported by ops for adapter stability, and emitted by vault seal-status; explicit provider probes can confirm device-bound availability without decrypting item payloads, while generic auto-unseal availability cannot satisfy a device-bound unlock.

crates/paranoid-seal/src/lib.rs; crates/paranoid-ops/src/lib.rs; CLI vault tests; tests/test_vault_cli.sh; docs/reference/ai-review.md; docs/reference/architecture.md; make verify-assurance

federal.control-mapping-evidence

process

Federal-ready evidence is mapped to NIST SP 800-53 Rev5 families without claiming FedRAMP authorization, DoD IL5 authorization, or product FIPS validation.

docs/reference/control-mapping.md; docs/reference/federal-readiness.md; scripts/security_assurance_gate.py

Supply Chain and Release Claims

Claim ID

State

Claim

Evidence

supply-chain.locked-offline-cargo

process

Cargo commands used by CI and release verification stay locked, frozen, offline, and backed by the vendored dependency tree.

.cargo/config.toml; Cargo.lock; vendor/; scripts/supply_chain_verify.sh

supply-chain.sha-pinned-actions

process

External GitHub Actions remain pinned to full commit SHAs, and scanner/tooling updates are tracked through the manifest-backed supply-chain verifier plus the Wolfi builder-owned quality-emulation path.

.github/workflows/*.yml; .github/actions/builder/Dockerfile; Makefile; supply-chain/scanner-toolchain.env; scripts/supply_chain_verify.sh

release.payload-verification

process

Release artifacts are built, inspected, smoke-tested, checksummed, and verified by repo-owned scripts.

scripts/build_release_artifact.sh; scripts/release_validate.sh; scripts/verify_published_release.sh

release.installer-signing-boundary

process

Platform installer and signing status is explicit: current artifacts are checksummed and attested, not platform-signed by default; macOS signed mode is credential-gated through Developer ID Application signing and notarization, Windows GUI MSI packaging is built through pinned WiX tooling, Windows signed mode uses an imported certificate thumbprint without PFX password argv exposure, and additional Linux desktop packaging remains deferred unless justified.

docs/reference/platform-installers.md; scripts/verify_platform_signing.sh; scripts/macos_sign_notarize.sh; scripts/windows_sign_artifact.sh; scripts/build_release_artifact.sh; tests/test_platform_signing_verify.sh; scripts/validate-docs.sh; docs/reference/remaining-work-prd.md

release.recovery-operations-runbook

process

Recovery maintenance has an operator runbook that distinguishes encrypted backup/restore, selected-item transfer, daily passwordless unlock, disaster recovery, mnemonic rotation, certificate rollover, and device rebind flows.

docs/guides/recovery-operations.md; scripts/validate-docs.sh; tests/test_vault_cli.sh; make verify-assurance

assurance.pr-neutral-ai-assessor

process

PR review has a neutral AI security-assessor profile, path-scoped Copilot instructions, and a deterministic CI gate.

.github/agents/paranoid-security-auditor.md; .github/instructions/security-assurance.instructions.md; .github/workflows/security-assurance.yml; scripts/security_assurance_gate.py

assurance.gui-screenshot-evidence

process

UI-sensitive PR review requires the GUI e2e harness and desktop, tablet, and narrow/mobile-class screenshot artifacts.

Makefile; tests/test_gui_e2e.sh; docs/reference/ai-review.md; .github/agents/paranoid-security-auditor.md

Release Interpretation

If a future claim is marked tracked-open, that state will not mean approved. It will mean the implementation is explicit, tested, and covered by a stable claim identifier while the repo carries the source-level TODO: AI_REVIEW marker and inventory check. A stable release may say such areas are tracked and gate-protected, but it must not say they have external cryptographic or statistical approval until a written disposition exists.

When a pull request changes an enforced or process claim, it must update the relevant gate or documentation in the same PR. When it changes a tracked-open claim, it must update this file, ai-review.md, and the corresponding source comments or tests.