Security Sprint: bridge proof verification, signed transfer nonce ledger, and safer trust boundaries

[Scottcjn]

Summary

This umbrella tracks the next security-hardening pass for RustChain’s money-moving and trust-sensitive surfaces.

Why This Matters

RustChain now has enough real user flow that soft trust assumptions are the biggest risk. The bridge, signed transfer path, and admin-controlled flows need stronger verification and replay resistance before more growth features sit on top of them.

Scope

• harden /bridge/lock so user-supplied claims are not accepted without verifiable proof
• persist nonce/idempotency state for /wallet/transfer/signed
• tighten proxy/IP trust assumptions where request metadata influences accounting or anti-abuse logic
• document the exact trust boundaries and failure behavior
• land tests for replay, duplicate processing, and invalid proof paths

Candidate Child Work

• bridge lock proof verification or signed lock receipt validation
• signed transfer nonce ledger and replay rejection
• trusted proxy enforcement and header handling review
• admin key reduction or service-signing follow-up

Acceptance Criteria

• bridge lock acceptance requires verifiable proof or signed receipt, not raw user claims
• signed transfer path rejects nonce replay across process restarts
• trust assumptions around request metadata are explicit and test-covered
• operator docs explain the security model and deployment expectations

Non-Goals

• Phase 2 fully trustless bridge architecture
• unrelated wallet UI work
• bounty queue cleanup

Routing

Use this umbrella to coordinate the hardening sprint. Implementation should land in child issues or PRs linked back here.

[Scottcjn]

Child issues opened for the first concrete security pass:

• #727 bridge lock proof verification / signed receipt enforcement
• #728 persisted nonce ledger and signed-transfer replay rejection

Use this parent for coordination and tradeoffs. Use the child issues for implementation.

[Scottcjn]

Shipped wallet review-hold flow on main in commit 6c10b80.

What changed:

• attestation now checks wallet_review_holds before hard blocks
• wallets in needs_review/held return a coaching review response instead of an immediate hard block
• admin endpoints now exist to create, list, release, dismiss, escalate, or hard-block wallet review holds
• legacy blocked_wallets entries still resolve as hard blocks for backward compatibility

Focused verification:

• python3 -m pytest -q /home/scott/Rustchain/tests/test_wallet_review_holds.py
• result: 3 passed

[Scottcjn]

Shipped the wallet review hold admin UI. Added GET/POST /admin/wallet-review-holds/ui as a small operator page over the existing hold registry, with create/release/dismiss/escalate/block actions and focused regression coverage in tests/test_wallet_review_holds.py. Verified with python3 -m pytest -q /home/scott/Rustchain/tests/test_wallet_review_holds.py (4 passed). Pushed on main as dccb098.

[Scottcjn]

Added a small operator landing page at GET /admin/ui and linked the wallet review UI from it. The wallet review page now links back to the admin index so operators have an actual HTML entrypoint instead of jumping straight into JSON endpoints. Verified with python3 -m pytest -q /home/scott/Rustchain/tests/test_wallet_review_holds.py (5 passed). Pushed on main as df24552.

[Scottcjn]

Added live wallet-review queue counts to GET /admin/ui, so operators can see open_total, needs_review, held, escalated, and blocked without clicking through to the review page. Verified with python3 -m pytest -q /home/scott/Rustchain/tests/test_wallet_review_holds.py (5 passed). Pushed on main as b6b407a.

[Scottcjn]

Closing the umbrella on main.

Final piece landed in 2a6521c:

• forwarded client-IP headers are now trusted only when REMOTE_ADDR matches RC_TRUSTED_PROXY_IPS (default loopback-only)
• direct peers can no longer spoof attestation/accounting IPs by sending X-Real-IP
• docs now spell out the reverse-proxy trust boundary and deployment expectation
• regression coverage now includes both untrusted-peer spoof rejection and trusted-proxy pass-through

Verification for the final piece:

• python3 -m pytest -q tests/test_rip201_fleet_bypass.py tests/test_signed_transfer_replay.py
• 7 passed
• python3 -m py_compile node/rustchain_v2_integrated_v2.2.1_rip200.py tests/test_rip201_fleet_bypass.py

This closes the remaining acceptance criteria on top of the earlier child work:

• #727 bridge lock proof / signed receipt enforcement
• #728 persisted signed-transfer nonce ledger and replay rejection
• network-security/trust-boundary docs and tests are now explicit on main