Security Review

Implemented controls, known limitations, and recommended reviewer questions.

Security posture summary
Not yet third-party reviewed
status: not_yet_third_party_reviewed
CerbaSeal is currently a deterministic enforcement library and demo with no external API calls, no database, and no authentication layer. Security review should focus on enforcement integrity, bypass resistance, evidence integrity, replay correctness, and deployment assumptions. The in-memory audit log, caller-supplied fields, and absence of cryptographic signing are known limitations documented below.
Implemented controls
Control Invariant / Fix Tested
AI non-authority invariant — AI actor + AI proposal → always REJECTINV-05✓ yes
Approval artifact binding — forRequestId must match request.requestId exactlyINV-03 / Fix 1✓ yes
Workflow-level approval enforcement — fraud_triage always requires approvalFix 2✓ yes
Gate issuance registry — WeakSet prevents forged GateResults entering evidence layerINV-06 / Fix 3✓ yes
Fail-closed catch-all — all unexpected exceptions produce controlled REJECTFix 6✓ yes
Known action class validation — proposedActionClass must be a valid memberINV-11✓ yes
Proposal/request action match — proposedActionClass must equal requestedActionClassINV-12✓ yes
Policy pack required — no execution without policyPackRefINV-01✓ yes
Provenance required — modelVersion, ruleSetVersion, sourceHash all non-emptyINV-02✓ yes
Logging readiness required — loggingReady must be trueINV-04✓ yes
Trust state required — trustState.trusted must be trueINV-09✓ yes
Stale controls block sensitive release — criticalControlsValid + not staleINV-08✓ yes
Prohibited use immediate reject — prohibitedUse:true → REJECT before other checksINV-10✓ yes
Immutable decision envelope — immutable literal true on every code pathINV-07✓ yes
Evidence bundle deep cloning — no shared mutable references in bundlesEvidenceBundleService✓ yes
Append-only audit log with SHA-256 hash chaining (entryHash over previousHash)AppendOnlyLogService✓ yes
Export hash verification by index — not just countFix 5✓ yes
requestId non-empty validationINV-11 / Fix 7✓ yes
Threats covered
ThreatControlTested
AI attempts to authorize its own actionINV-05✓ yes
Caller bypasses gate by constructing GateResult directlyINV-06 WeakSet✓ yes
Caller reuses approval artifact from another requestINV-03 forRequestId binding✓ yes
Caller omits approvalRequired flag for gated workflowFix 2✓ yes
Caller supplies forged GateResult to evidence layerassertIsGateIssued✓ yes
Caller mutates evidence bundle after creationdeep clone✓ yes
Caller omits provenanceINV-02✓ yes
Caller provides stale controls on sensitive requestINV-08✓ yes
Caller provides malformed or unknown action classINV-11✓ yes
Caller mismatches proposed and requested action classINV-12✓ yes
Caller attempts prohibited useINV-10✓ yes
Unexpected exception produces silent ALLOWFix 6✓ yes
Known limitations — clearly stated
Known Limitations / Not Yet Solved

Listed without softening. These are real boundaries of the current build.

What Would Need To Change For Production

These items are required before production deployment with real client data.

Claim discipline
ClaimStatus
AI cannot produce authority-bearing actionsCode Tests
Approval artifacts are request-boundCode Tests
All errors fail closedCode Tests
Evidence bundles are immutable after creationCode Tests
Replay matches original outcomesCode Tests
Evidence is cryptographically signedNot implemented
Identity of callers is independently verifiedNot implemented
Third-party security review completeRequires review
Production-ready for client deploymentFuture deployment requirement
Recommended reviewer questions
Current limitation notice: This is a review-ready core demo, not a production client deployment. No third-party security review has been completed. The limitations listed above are accurate and documented.