calybris-core 0.3.11

Deterministic proof-carrying decision core with replay verification, WAL, and fixed-point budget proofs
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76

# Security Policy


## Reporting a Vulnerability


Email: emirhuseyininci@gmail.com  
Subject: `[SECURITY] Calybris Core — <brief description>`

| Milestone | Target |
|-----------|--------|
| Acknowledgment | 48 hours |
| Severity assessment | 7 days |
| Fix or mitigation plan | 30 days (critical), 90 days (medium) |

Please include: affected version, reproduction steps, impact on invariants I1–I8 (see `docs/SECURITY_INVARIANTS.md`), and suggested fix if any.

**Do not** open public GitHub issues for undisclosed vulnerabilities.

## Scope


| Component | In scope | Notes |
|-----------|----------|-------|
| `calybris-core` on crates.io | Yes | This repository |
| Examples / benches | Yes | Same repo |
| Proprietary full engine | No | Separate disclosure channel |
| Your application integration | No | How you call `read_wal`, key storage, etc. |

## Supported Versions


| Version | Supported |
|---------|-----------|
| 0.3.5+  | Yes |
| 0.3.x   | Best effort |
| < 0.3   | No |

## Security Properties (OSS)


- `#![forbid(unsafe_code)]` in project code
- Integer-only kernel hot path (no `f64` in prescribe)
- Version-tagged canonical SHA-256 digests
- Hash-chained WAL with optional HMAC-SHA256 (`subtle` constant-time compare)
- CAS budget engine with conservation invariant
- Fail-closed audited WAL replay on digest or prescribe mismatch

## Audit Package


External reviewers should start with:

1. [docs/AUDIT_GUIDE.md](docs/AUDIT_GUIDE.md) — commands and module map
2. [docs/THREAT_MODEL.md](docs/THREAT_MODEL.md) — assets, trust boundaries, attackers
3. [docs/SECURITY_INVARIANTS.md](docs/SECURITY_INVARIANTS.md) — invariants I1–I8 and test mapping

```bash
cargo fmt --check
cargo clippy --locked --all-targets -- -D warnings
cargo test --locked --all-features
cargo test --locked --no-default-features
cargo test --locked --test audit_pipeline
PROPTEST_CASES=10000 cargo test --locked --all-features
```

## Known Limitations


- **Unkeyed WAL:** Detects accidental corruption; a filesystem attacker can recompute plain SHA-256 chain hashes. Use **keyed WAL** in production.
- **`read_wal`:** Does not verify chain — use `read_verified_wal*` only on trusted paths.
- **Caller responsibility:** `verify_decision` must be enforced by your control plane; the library does not block application logic on failure.
- **Formal concurrency proofs:** Loom/Miri in CI cover selected budget interleavings and UB paths; not exhaustive for all production schedules.

## Dependency Policy


- `Cargo.lock` committed; CI uses `--locked`
- Weekly `cargo audit` + `cargo deny` via `deny.toml` (see `.github/workflows/security.yml`)
- Dependabot for Cargo and GitHub Actions

## Full Engine Security


The proprietary engine adds API-plane separation, deployment hardening (read-only containers, no-new-privileges), provider credential isolation, and additional adversarial tests. Contact the maintainer for that scope.