S005-external_dependencies.component.cspec
1 # S005: External Dependencies Security Audit 2 # Component spec for tracking and auditing external dependencies 3 # CASCADE: MANUAL ONLY (security changes require human review) 4 5 metadata: 6 id: S005 7 name: external_dependencies 8 version: 1.0.0 9 domain: security 10 stability: stable 11 updated: 2026-01-16 12 cascade_priority: 100 13 cascade_override: never_auto 14 roles: 15 primary: [Security, Arch] 16 review: [Ops] 17 expertise: 18 required: [security, supply_chain, dependency_management] 19 helpful: [cryptography, rust, typescript] 20 context_tags: [dependencies, supply_chain, audit, crates, npm, security] 21 22 description: | 23 Comprehensive inventory of external dependencies across Alpha/Delta core components. 24 Includes software libraries, services, and any third-party code that touches: 25 - Cryptographic operations 26 - Key management and wallet operations 27 - Network communication 28 - Data serialization/parsing 29 - Blockchain state and consensus 30 - User authentication and authorization 31 32 Dependencies are categorized by security relevance (CRITICAL, HIGH, MEDIUM, LOW) 33 based on their potential impact if compromised. 34 35 dependencies: 36 upstream: [S001, S003] # Threat model, audit requirements 37 downstream: [] 38 39 # === CRYPTOGRAPHIC LIBRARIES (CRITICAL/HIGH) === 40 crypto_dependencies: 41 description: | 42 Core cryptographic libraries. Compromise could lead to key theft, 43 invalid signatures, broken encryption, or consensus failures. 44 45 rust_crates: 46 # Random Number Generation - CRITICAL 47 rand: 48 version: "0.8" 49 repos: [alphavm, deltavm, alphaos, deltaos, adnet, wallet-core, adl, ac-dc] 50 category: rng 51 security_relevance: CRITICAL 52 risk: "RNG compromise breaks all cryptographic operations" 53 audit_frequency: quarterly 54 55 rand_chacha: 56 version: "0.3.1" 57 repos: [alphavm, deltavm, alphaos, deltaos, adl] 58 category: rng 59 security_relevance: CRITICAL 60 risk: "Deterministic RNG for reproducible proofs" 61 62 getrandom: 63 version: "0.2" 64 repos: [wallet-core] 65 category: entropy 66 security_relevance: CRITICAL 67 risk: "OS entropy source for key generation" 68 69 # Hash Functions - HIGH 70 sha2: 71 version: "0.10" 72 repos: [alphavm, deltavm, alphaos, deltaos, adl, ac-dc, wallet-core] 73 category: hash 74 security_relevance: HIGH 75 risk: "SHA-256 used for block hashing, merkle trees" 76 77 blake2: 78 version: "0.10" 79 repos: [alphavm, wallet-core] 80 category: hash 81 security_relevance: HIGH 82 risk: "ZK proof hashing, alternative hash function" 83 84 sha3: 85 version: "0.10" 86 repos: [wallet-core] 87 category: hash 88 security_relevance: HIGH 89 risk: "Keccak-256 for Ethereum compatibility" 90 91 # Digital Signatures - HIGH 92 ed25519-dalek: 93 version: "2.1" 94 repos: [wallet-core] 95 category: signatures 96 security_relevance: HIGH 97 risk: "EdDSA keypair generation and signing" 98 audit_notes: "Well-audited library, used by many projects" 99 100 k256: 101 version: "0.13" 102 repos: [alphavm, wallet-core] 103 category: signatures 104 security_relevance: HIGH 105 risk: "secp256k1 ECDSA for Delta chain addresses" 106 107 # Key Exchange - HIGH 108 x25519-dalek: 109 version: "2.0" 110 repos: [wallet-core] 111 category: key_exchange 112 security_relevance: HIGH 113 risk: "ECDH key derivation for encrypted channels" 114 115 # ZK Proof Curves - HIGH 116 ark-bls12-377: 117 version: "0.5" 118 repos: [wallet-core] 119 category: zk_curves 120 security_relevance: HIGH 121 risk: "BLS12-377 curve for Alpha chain ZK proofs" 122 123 ark-ec: 124 version: "0.5" 125 repos: [wallet-core] 126 category: elliptic_curves 127 security_relevance: HIGH 128 risk: "Core elliptic curve operations" 129 130 ark-ff: 131 version: "0.5" 132 repos: [wallet-core] 133 category: finite_fields 134 security_relevance: HIGH 135 risk: "Finite field arithmetic for ZK proofs" 136 137 ark-serialize: 138 version: "0.5" 139 repos: [wallet-core] 140 category: serialization 141 security_relevance: HIGH 142 risk: "Proof serialization format" 143 144 ark-std: 145 version: "0.5" 146 repos: [wallet-core] 147 category: stdlib 148 security_relevance: HIGH 149 risk: "ARKworks standard library" 150 151 # Symmetric Encryption - HIGH 152 aes-gcm: 153 version: "0.10" 154 repos: [wallet-core] 155 category: encryption 156 security_relevance: HIGH 157 risk: "AES-GCM authenticated encryption for wallet data" 158 159 # Key Derivation - HIGH 160 hmac: 161 version: "0.12" 162 repos: [wallet-core] 163 category: kdf 164 security_relevance: HIGH 165 risk: "HMAC for BIP32 key derivation" 166 167 hkdf: 168 version: "0.12" 169 repos: [wallet-core] 170 category: kdf 171 security_relevance: HIGH 172 risk: "HKDF for symmetric key derivation" 173 174 argon2: 175 version: "0.5" 176 repos: [wallet-core] 177 category: password_hash 178 security_relevance: HIGH 179 risk: "Password-based key derivation for wallet encryption" 180 181 pbkdf2: 182 version: "0.12" 183 repos: [wallet-core] 184 category: password_hash 185 security_relevance: HIGH 186 risk: "BIP39 mnemonic to seed derivation" 187 188 # Memory Safety - HIGH 189 zeroize: 190 version: "1.0+" 191 repos: [alphavm, wallet-core] 192 category: memory_safety 193 security_relevance: HIGH 194 risk: "Secret zeroization to prevent memory leaks" 195 196 javascript_packages: 197 "@scure/base": 198 version: "^2.0.0" 199 repos: [sdk] 200 category: encoding 201 security_relevance: HIGH 202 risk: "Base58/Base16/Base32 encoding for keys" 203 204 # === KEY MANAGEMENT & AUTHENTICATION (CRITICAL) === 205 key_management_dependencies: 206 description: | 207 Libraries handling key generation, storage, derivation, and authentication. 208 Direct access to user funds and identity. 209 210 rust_crates: 211 jsonwebtoken: 212 version: "9.2" 213 repos: [alphaos] 214 category: authentication 215 security_relevance: HIGH 216 risk: "JWT handling for REST API authentication" 217 location: "alphaos/node/rest" 218 219 encoding_crates: 220 bech32: 221 version: "0.11" 222 repos: [wallet-core] 223 category: address_encoding 224 security_relevance: HIGH 225 risk: "Address format encoding (ax1/dx1 prefixes)" 226 227 bs58: 228 version: "0.5" 229 repos: [wallet-core] 230 category: encoding 231 security_relevance: MEDIUM 232 risk: "Base58 encoding for legacy compatibility" 233 234 base64: 235 version: "0.22" 236 repos: [alphaos, deltaos, sdk, wallet-core] 237 category: encoding 238 security_relevance: LOW 239 risk: "Standard base64 encoding" 240 241 hex: 242 version: "0.4.3" 243 repos: [alphavm, deltavm, alphaos, deltaos, adl, wallet-core] 244 category: encoding 245 security_relevance: LOW 246 risk: "Hex encoding for display" 247 248 # === NETWORK & COMMUNICATION (HIGH) === 249 network_dependencies: 250 description: | 251 Networking libraries handling P2P communication, API servers, and external requests. 252 Compromise could enable MITM, DoS, or data exfiltration. 253 254 rust_crates: 255 tokio: 256 version: "1.42+" 257 repos: [alphaos, deltaos, adnet, ac-dc] 258 category: async_runtime 259 security_relevance: HIGH 260 risk: "Core async runtime, foundation for all networking" 261 audit_frequency: quarterly 262 263 axum: 264 version: "0.7-0.8" 265 repos: [alphaos, deltaos, adnet, ac-dc] 266 category: web_framework 267 security_relevance: HIGH 268 risk: "HTTP API server framework" 269 270 tower-http: 271 version: "0.6" 272 repos: [alphaos, deltaos, adnet, ac-dc] 273 category: http_middleware 274 security_relevance: HIGH 275 risk: "CORS, tracing, security headers middleware" 276 277 tower_governor: 278 version: "0.7" 279 repos: [alphaos] 280 category: rate_limiting 281 security_relevance: MEDIUM 282 risk: "DoS protection via rate limiting" 283 location: "alphaos/node/rest" 284 285 reqwest: 286 version: "0.12" 287 repos: [ac-dc] 288 category: http_client 289 security_relevance: MEDIUM 290 risk: "External HTTP requests" 291 292 russh: 293 version: "0.44" 294 repos: [ac-dc] 295 category: ssh 296 security_relevance: MEDIUM 297 risk: "SSH protocol for remote operations" 298 299 russh-keys: 300 version: "0.44" 301 repos: [ac-dc] 302 category: ssh 303 security_relevance: MEDIUM 304 risk: "SSH key handling" 305 306 trust-dns-resolver: 307 version: "0.23" 308 repos: [ac-dc] 309 category: dns 310 security_relevance: MEDIUM 311 risk: "DNS resolution for service discovery" 312 313 javascript_packages: 314 xmlhttprequest-ssl: 315 version: "^3.1.0" 316 repos: [sdk] 317 category: http 318 security_relevance: MEDIUM 319 risk: "HTTP transport for browser environments" 320 321 sync-request: 322 version: "^6.1.0" 323 repos: [sdk] 324 category: http 325 security_relevance: MEDIUM 326 risk: "Synchronous HTTP for simple scripts" 327 328 # === DATA PERSISTENCE (HIGH) === 329 storage_dependencies: 330 description: | 331 Database and storage libraries. Corruption or unauthorized access 332 could compromise blockchain state or user data. 333 334 rust_crates: 335 rocksdb: 336 version: "0.21" 337 repos: [adnet, alphavm, deltavm] 338 category: database 339 security_relevance: HIGH 340 risk: "Blockchain state persistence" 341 locations: 342 - "alphavm/ledger/store" 343 - "deltavm/ledger/store" 344 - "adnet/crates/adnet-storage" 345 audit_notes: "Critical for consensus - data integrity essential" 346 347 # === SERIALIZATION (MEDIUM) === 348 serialization_dependencies: 349 description: | 350 Data serialization libraries. Parsing vulnerabilities could enable 351 DoS or remote code execution. 352 353 rust_crates: 354 serde: 355 version: "1.0.188+" 356 repos: [alphavm, deltavm, alphaos, deltaos, adnet, adl, ac-dc, wallet-core] 357 category: serialization 358 security_relevance: MEDIUM 359 risk: "Core serialization framework" 360 audit_frequency: quarterly 361 362 serde_json: 363 version: "1.0" 364 repos: [alphavm, deltavm, alphaos, deltaos, adnet, adl, ac-dc, wallet-core] 365 category: json 366 security_relevance: MEDIUM 367 risk: "JSON parsing - potential DoS via large payloads" 368 369 bincode: 370 version: "1.3.3" 371 repos: [alphavm, deltavm, alphaos, deltaos] 372 category: binary 373 security_relevance: MEDIUM 374 risk: "Binary protocol encoding" 375 376 toml: 377 version: "0.8+" 378 repos: [adnet, ac-dc] 379 category: config 380 security_relevance: LOW 381 risk: "Configuration file parsing" 382 383 nom: 384 version: "7.1" 385 repos: [alphavm] 386 category: parsing 387 security_relevance: MEDIUM 388 risk: "Parser combinators - input validation critical" 389 390 javascript_packages: 391 comlink: 392 version: "^4.4.2" 393 repos: [sdk] 394 category: messaging 395 security_relevance: LOW 396 risk: "Worker thread messaging" 397 398 core-js: 399 version: "^3.40.0" 400 repos: [sdk] 401 category: polyfills 402 security_relevance: MEDIUM 403 risk: "JavaScript compatibility layer - supply chain target" 404 405 # === ENCRYPTION AT REST (HIGH) === 406 encryption_dependencies: 407 description: | 408 File and data encryption libraries for sensitive data protection. 409 410 rust_crates: 411 age: 412 version: "0.10" 413 repos: [ac-dc] 414 category: file_encryption 415 security_relevance: HIGH 416 risk: "Backup encryption, sensitive file protection" 417 418 rcgen: 419 version: "0.13" 420 repos: [ac-dc] 421 category: certificates 422 security_relevance: HIGH 423 risk: "TLS certificate generation" 424 425 x509-parser: 426 version: "0.16" 427 repos: [ac-dc] 428 category: certificates 429 security_relevance: HIGH 430 risk: "X.509 certificate validation" 431 432 # === UPDATE & DISTRIBUTION (MEDIUM) === 433 distribution_dependencies: 434 description: | 435 Self-update and binary distribution. Supply chain attack vector. 436 437 rust_crates: 438 self_update: 439 version: "0.41-0.42" 440 repos: [adl, ac-dc] 441 category: updates 442 security_relevance: MEDIUM 443 risk: "Binary self-update mechanism" 444 audit_notes: "Verify signed releases before update" 445 mitigation: "Signature verification required" 446 447 # === INFRASTRUCTURE (MEDIUM) === 448 infrastructure_dependencies: 449 description: | 450 Logging, synchronization, and operational support libraries. 451 452 rust_crates: 453 tracing: 454 version: "0.1" 455 repos: [alphavm, deltavm, alphaos, deltaos, adnet, adl, ac-dc] 456 category: logging 457 security_relevance: MEDIUM 458 risk: "Structured logging - ensure no secret leakage" 459 460 tracing-subscriber: 461 version: "0.3.19" 462 repos: [alphaos, deltaos, adl, ac-dc] 463 category: logging 464 security_relevance: MEDIUM 465 risk: "Log filtering and output" 466 467 parking_lot: 468 version: "0.12" 469 repos: [alphavm, deltavm, alphaos, deltaos, adnet] 470 category: synchronization 471 security_relevance: MEDIUM 472 risk: "Mutex/lock implementation - deadlock potential" 473 474 chrono: 475 version: "0.4" 476 repos: [ac-dc] 477 category: time 478 security_relevance: LOW 479 risk: "Timestamp handling" 480 481 regex: 482 version: "1.11+" 483 repos: [adl, ac-dc] 484 category: parsing 485 security_relevance: MEDIUM 486 risk: "ReDoS potential on untrusted input" 487 488 dirs: 489 version: "4.0-6.0" 490 repos: [acdc-core, ac-dc] 491 category: paths 492 security_relevance: LOW 493 risk: "Cross-platform path handling" 494 495 # === AUDIT SCHEDULE === 496 audit_schedule: 497 quarterly: 498 - rand 499 - tokio 500 - serde 501 - rocksdb 502 - ed25519-dalek 503 - k256 504 505 annually: 506 - all ARKworks crates (ark-*) 507 - aes-gcm 508 - age 509 - bincode 510 511 on_update: 512 - All cryptographic libraries 513 - self_update 514 - jsonwebtoken 515 516 ci_continuous: 517 tool: cargo-audit 518 frequency: every_build 519 action: fail_on_critical 520 521 # === SUPPLY CHAIN MITIGATIONS === 522 supply_chain_mitigations: 523 cargo: 524 - Use cargo-deny for license and advisory checks 525 - Pin exact versions in Cargo.lock 526 - Verify crate checksums 527 - Review changelogs before major updates 528 529 npm: 530 - Use package-lock.json 531 - Run npm audit in CI 532 - Avoid postinstall scripts from untrusted packages 533 - Consider vendoring critical dependencies 534 535 general: 536 - Reproducible builds 537 - Signed releases 538 - Monitor security advisories (RustSec, npm advisories) 539 - Maintain fork capability for critical dependencies 540 541 # === KNOWN EXCLUSIONS === 542 excluded_from_audit: 543 description: "Dependencies excluded from security audit scope" 544 545 dev_only: 546 - criterion (benchmarking) 547 - proptest (property testing) 548 - pretty_assertions (test output) 549 550 build_only: 551 - proc-macro2 552 - quote 553 - syn 554 555 rationale: "These never run in production and don't handle user data" 556 557 # === EXTERNAL SERVICES === 558 external_services: 559 description: | 560 External services the system depends on. Not code dependencies 561 but operational dependencies that could affect security. 562 563 infrastructure: 564 forgejo: 565 url: source.ac-dc.network 566 purpose: Source code hosting, CI/CD 567 security_relevance: HIGH 568 risk: "Supply chain - code injection via compromised CI" 569 mitigation: "Signed commits, branch protection" 570 571 radicle: 572 purpose: Decentralized code backup 573 security_relevance: MEDIUM 574 risk: "Availability of code mirrors" 575 576 network: 577 dns: 578 providers: [system_resolver] 579 purpose: Domain resolution 580 security_relevance: MEDIUM 581 risk: "DNS poisoning could redirect traffic" 582 mitigation: "DNSSEC where supported" 583 584 changelog: 585 - version: 1.0.0 586 date: 2026-01-16 587 type: initial 588 description: "Initial external dependencies security audit" 589 breaking: false 590 author: orchestrator