Assurance Claims¶
This file is the claim inventory used by the security assurance protocol. Claims are stable identifiers that pull request assessors, CI reports, and release notes can cite.
Claim states:
enforced: deterministic source checks, tests, or CI gates directly protect the claimtracked-open: the implementation exists, but the repo deliberately keeps an open disposition marker until the construction is strengthened or formally acceptedprocess: the claim is about release, supply chain, or review workflow behavior
Core Generation and Audit Claims¶
Claim ID |
State |
Claim |
Evidence |
|---|---|---|---|
|
|
Password generation RNG and SHA-256 remain delegated to |
|
|
|
Rejection sampling keeps the inclusive boundary |
|
|
|
The chi-squared audit uses |
|
|
|
Serial-correlation reporting uses the NIST/Sematech lag-1 autocorrelation form over the generated byte stream, with adjacent non-circular windows, full-sample normalization, and exact known-answer tests. |
|
|
|
The product surface does not reintroduce the retired browser app, JavaScript secret-handling logic, DOM UI, webview wrappers, or retired C paths. |
|
|
|
The |
|
Vault and Recovery Claims¶
Claim ID |
State |
Claim |
Evidence |
|---|---|---|---|
|
|
Device-bound unlock is a default-profile local-device convenience path: the OS secure-storage value must be an exact 256-bit master-key candidate, the vault header stores only keyring metadata plus an AES-GCM check blob, tampered or missing provider material fails closed, backup packages do not export the device secure-storage secret, and removal/rebind lifecycle operations clean up provider accounts. |
|
|
|
Mnemonic recovery is a default-profile offline recovery path: enrollment generates a 256-bit OpenSSL RNG-backed recovery key, encodes it as a 24-word English BIP39 phrase, validates mnemonic keyslot metadata before unlock, rejects malformed or wrong phrases fail-closed, and backup packages do not export the phrase or raw entropy. |
|
|
|
Certificate-wrapped keyslots use a single explicit X.509 recipient certificate to CMS-wrap only a fresh 256-bit transport key; the vault master key is separately wrapped with AAD-bound AES-256-GCM, unlock validates certificate metadata and keyslot field shape before unwrap, legacy direct-CMS slots remain read-only compatibility, and backup packages do not export private keys or raw transport keys. |
|
|
|
The shared ops evaluator gates adapter-initiated vault operations, consumes non-secret seal posture for unlock policy, emits paired request/response audit evidence, preserves adapter surface metadata, rejects caller-supplied profile/context mismatches, and is used by CLI, TUI, GUI, and mTLS automation paths. |
|
|
|
Stable CLI/TUI/GUI vault operation trace fixtures pin typed command envelopes, policy decisions, redacted request/response audit events, and JSONL rendering. |
|
|
|
mTLS process-boundary command fixtures pin authenticated transport evidence, service-account actor context, and fail-closed policy when security-relevant commands lack authenticated transport evidence. |
|
|
|
External audit-device configuration and TCP reachability are reported as evidence only; the mTLS JSONL write-ack probe reports ready only after a matching protocol/version/probe/challenge acknowledgement. Unverified or unavailable external devices do not satisfy required audit policy, and the closed disposition documents that this is startup readiness evidence rather than federal authorization or durable ingestion proof. |
|
|
|
Federal startup evidence reports that Argon2id password recovery, BIP39 mnemonic recovery, and device-bound unlock are default-profile features disabled by strict federal-ready policy, while CLI/TUI vault unlocks must pass the typed unlock policy before loading plaintext state. |
|
|
|
Seal state and non-secret provider posture are owned by |
|
|
|
Federal-ready evidence is mapped to NIST SP 800-53 Rev5 families without claiming FedRAMP authorization, DoD IL5 authorization, or product FIPS validation. |
|
Supply Chain and Release Claims¶
Claim ID |
State |
Claim |
Evidence |
|---|---|---|---|
|
|
Cargo commands used by CI and release verification stay locked, frozen, offline, and backed by the vendored dependency tree. |
|
|
|
External GitHub Actions remain pinned to full commit SHAs, and scanner/tooling updates are tracked through the manifest-backed supply-chain verifier plus the Wolfi builder-owned quality-emulation path. |
|
|
|
Release artifacts are built, inspected, smoke-tested, checksummed, and verified by repo-owned scripts. |
|
|
|
Platform installer and signing status is explicit: current artifacts are checksummed and attested, not platform-signed by default; macOS signed mode is credential-gated through Developer ID Application signing and notarization, Windows GUI MSI packaging is built through pinned WiX tooling, Windows signed mode uses an imported certificate thumbprint without PFX password argv exposure, and additional Linux desktop packaging remains deferred unless justified. |
|
|
|
Recovery maintenance has an operator runbook that distinguishes encrypted backup/restore, selected-item transfer, daily passwordless unlock, disaster recovery, mnemonic rotation, certificate rollover, and device rebind flows. |
|
|
|
PR review has a neutral AI security-assessor profile, path-scoped Copilot instructions, and a deterministic CI gate. |
|
|
|
UI-sensitive PR review requires the GUI e2e harness and desktop, tablet, and narrow/mobile-class screenshot artifacts. |
|
Release Interpretation¶
If a future claim is marked tracked-open, that state will not mean approved. It will mean the
implementation is explicit, tested, and covered by a stable claim identifier while the repo carries
the source-level TODO: AI_REVIEW marker and inventory check. A stable release may say such areas
are tracked and gate-protected, but it must not say they have external cryptographic or statistical
approval until a written disposition exists.
When a pull request changes an enforced or process claim, it must update the relevant gate or documentation in the same PR. When it changes a tracked-open claim, it must update this file, ai-review.md, and the corresponding source comments or tests.