R006-genesis_security.component.cspec
# R006-genesis_security.component.cspec
#
# Requirement spec: users on Alpha and Delta may only move credits through
# private transfers; the public transfer entry points of credits.alpha and
# credits.delta are reserved for an allow-list of system programs that is
# populated at genesis (see genesis_initialization) and enforced by a caller
# check at function entry (see enforcement).

metadata:
  id: R006
  name: genesis_security
  version: 1.0.0
  domain: runtime
  stability: foundational
  updated: 2026-01-15
  # cascade_priority semantics are defined outside this file — see _registry.
  cascade_priority: 10
  roles:
    primary: [Security, Dev]
    review: [Security]
  expertise:
    required: [security, access_control]
    helpful: [rust, smart_contracts]
  context_tags: [genesis, security, access_control, transfer_restrictions]

dependencies:
  # Upstream/downstream ids refer to other cspec components; their contents
  # are not reproduced here.
  upstream: [R001, T001, T002]
  downstream: [A003, D003]

interface:
  types_ref: _registry/types.cspec
  types:
    # Registry of program_id -> bool. Absent keys are treated as false by the
    # enforcement snippet below (unwrap_or(false)), so the registry is
    # deny-by-default. genesis_initialized presumably marks whether the
    # genesis population has run — confirm against _registry/types.cspec.
    SYS_CALLER: system_caller_registry, program_id -> bool, genesis_initialized
  functions:
    is_system_caller: (caller: Address) -> bool
    # Asserts, not returns: an unauthorized caller aborts the call.
    gate_public_transfer: assert is_system_caller(caller)
  events:
    # NOTE(review): system_caller_registered implies the allow-list can be
    # extended after genesis, but this spec does not state who may register
    # a new system caller. Confirm that registration is itself gated (or is
    # genesis-only); an ungated registration path would bypass the invariant.
    - system_caller_registered
    # Emitted on a blocked call; useful as a detection signal for attempted
    # direct public transfers by users.
    - unauthorized_public_transfer_blocked

spec:
  purpose: |
    Enforce private-only transfers for users on both Alpha and Delta chains.
    Public transfer functions exist for internal system operations only.

  invariant: |
    Users CANNOT call public transfer functions directly.
    Only authorized system programs may invoke public transfers.

  alpha_chain:
    program: credits.alpha
    # Every function that touches a public balance is gated, including
    # transfer_public_as_signer (the gate is on the caller, not the signer).
    restricted_functions:
      - transfer_public
      - transfer_public_as_signer
      - transfer_private_to_public
      - transfer_public_to_private
    # Must match genesis_initialization.alpha.system_callers exactly.
    authorized_callers:
      - rewards.alpha
      - fees.alpha
      - governance.alpha
      - clp.alpha
    # Not gated. fee_public is intentionally reachable by users; confirm it
    # only pays fees and cannot move a balance between two user accounts.
    user_accessible:
      - transfer_private
      - join
      - split
      - fee_private
      - fee_public

  delta_chain:
    program: credits.delta
    restricted_functions:
      - transfer_public
      - transfer_public_as_signer
      - transfer_private_to_public
      - transfer_public_to_private
    # Must match genesis_initialization.delta.system_callers exactly.
    authorized_callers:
      - dividends.delta
      - fees.delta
      - spot_engine.delta
      - perpetuals.delta
      - governance.delta
    # Deliberately omits transfer_private (see note below).
    user_accessible:
      - join
      - split
      - fee_private
      - fee_public
    note: |
      Delta users do NOT have transfer_private access.
      DX can only be traded on Delta chain, not transferred between users.
      Internal distributions (dividends, fees) use system-authorized transfers.

  # Initial contents of the system_callers registry on each chain. Any
  # program_id not listed resolves to `default` (false).
  genesis_initialization:
    alpha:
      system_callers:
        rewards.alpha: true
        fees.alpha: true
        governance.alpha: true
        clp.alpha: true
      default: false
    delta:
      system_callers:
        dividends.delta: true
        fees.delta: true
        spot_engine.delta: true
        perpetuals.delta: true
        governance.delta: true
      default: false

  enforcement:
    method: caller_check_at_function_entry
    # Pseudo-code only. The check reads self.caller — presumably the
    # immediate calling program, not the transaction signer — so an
    # authorized program acting on behalf of a user passes, which is the
    # intended design. Confirm that the check precedes any state write and
    # is present in all four restricted functions, not only transfer_public.
    implementation: |
      // In credits.alpha and credits.delta:
      //
      // mapping system_callers: address => bool;
      //
      // function transfer_public(...) {
      //   assert(system_callers.get(self.caller).unwrap_or(false));
      //   // ... existing logic
      // }

  security_rationale:
    - User privacy is non-negotiable; all user transfers are private
    - Public balances exist only for system accounting
    - Trading on Delta uses shielded orders, not balance transfers
    - Prevents accidental privacy leaks through public function calls

changelog:
  - version: 1.0.0
    date: 2026-01-15
    type: initial
    description: "Genesis security requirements for transfer restrictions"
    breaking: false