archy/docs/security-audit-prep.md

# Security Audit Preparation

## Scope for External Audit

### Priority 1: Critical Path
- Authentication (bcrypt, session management, CSRF, rate limiting)
- Cryptography (Ed25519 signing, ChaCha20-Poly1305 backup encryption, Argon2 KDF)
- Container isolation (Podman security, cap-drop, no-new-privileges)
- Network security (Tor integration, federation over hidden services)
- Input validation (RPC endpoints, path traversal prevention)

### Priority 2: Data Security
- Secrets management (identity keys, wallet credentials)
- Backup encryption (key derivation, storage format)
- DWN message integrity (peer sync, deduplication)
- Verifiable Credentials (W3C VC issuance, verification)

### Priority 3: Infrastructure
- Nginx configuration (headers, proxy settings, CSP)
- Systemd service hardening (watchdog, capabilities)
- UFW firewall rules (Podman subnet access)
- Log sanitization (no secrets in logs)

## Completed Internal Audits
- SEC-01: RPC endpoint input validation audit (100+ endpoints)
- SEC-02: Rate limiting on federation endpoints
- SEC-03: CSRF validation on all state-changing endpoints
- SEC-04: Container security profiles (cap-drop ALL, no-new-privileges)
- SEC-05: Log rotation configured
- SEC-06: Security headers verified (X-Frame-Options, CSP, etc.)

## Recommended Audit Firms
- Trail of Bits (Rust + cryptography expertise)
- NCC Group (infrastructure + application security)
- Cure53 (web application + browser security)
- Doyensec (Rust + WebSocket + API security)

## Budget Estimate
- Comprehensive audit (2-4 weeks): $50,000 - $150,000
- Focused crypto + auth audit (1-2 weeks): $25,000 - $60,000
- Penetration test only (1 week): $15,000 - $30,000
feat: hardware compatibility, TPM attestation, security audit prep - Y2-01: docs/hardware-compatibility.md — 2 certified platforms, 4 planned, minimum requirements, known quirks - Y3-04: tpm.rs — TPM 2.0 attestation types (TpmStatus, TpmAttestation, detect_tpm), ready for tss-esapi integration - Y5-03: docs/security-audit-prep.md — audit scope, completed internal audits, recommended firms, budget estimates Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-14 05:57:32 +00:00			`# Security Audit Preparation`

			`## Scope for External Audit`

			`### Priority 1: Critical Path`
			`- Authentication (bcrypt, session management, CSRF, rate limiting)`
			`- Cryptography (Ed25519 signing, ChaCha20-Poly1305 backup encryption, Argon2 KDF)`
			`- Container isolation (Podman security, cap-drop, no-new-privileges)`
			`- Network security (Tor integration, federation over hidden services)`
			`- Input validation (RPC endpoints, path traversal prevention)`

			`### Priority 2: Data Security`
			`- Secrets management (identity keys, wallet credentials)`
			`- Backup encryption (key derivation, storage format)`
			`- DWN message integrity (peer sync, deduplication)`
			`- Verifiable Credentials (W3C VC issuance, verification)`

			`### Priority 3: Infrastructure`
			`- Nginx configuration (headers, proxy settings, CSP)`
			`- Systemd service hardening (watchdog, capabilities)`
			`- UFW firewall rules (Podman subnet access)`
			`- Log sanitization (no secrets in logs)`

			`## Completed Internal Audits`
			`- SEC-01: RPC endpoint input validation audit (100+ endpoints)`
			`- SEC-02: Rate limiting on federation endpoints`
			`- SEC-03: CSRF validation on all state-changing endpoints`
			`- SEC-04: Container security profiles (cap-drop ALL, no-new-privileges)`
			`- SEC-05: Log rotation configured`
			`- SEC-06: Security headers verified (X-Frame-Options, CSP, etc.)`

			`## Recommended Audit Firms`
			`- Trail of Bits (Rust + cryptography expertise)`
			`- NCC Group (infrastructure + application security)`
			`- Cure53 (web application + browser security)`
			`- Doyensec (Rust + WebSocket + API security)`

			`## Budget Estimate`
			`- Comprehensive audit (2-4 weeks): $50,000 - $150,000`
			`- Focused crypto + auth audit (1-2 weeks): $25,000 - $60,000`
			`- Penetration test only (1 week): $15,000 - $30,000`