🔐 Security & Compliance Threat Report
v1.21.0 — Defensive Pressure Test
Live attack surface analysis, trust boundary verification, and regulatory exposure mapping
for the OPTKAS cryptographic training vault infrastructure.
—
0 checks passed
0 warnings
0 failures
Not yet scanned
⚠️
Attack Vector Analysis
5 Threat Surfaces
T1
CRITICAL
Client-Side Enforcement Bypass
Mode 1 (local vault) means a user can open DevTools, patch JS functions, flip localStorage flags,
or inject "certified" state. UI flags are untrusted — only signed attestations count.
Attack Vector
Set
Patch
Inject fake certification state.
examPassed=true in localStorage.Patch
checkSalesFreeze() to return false.Inject fake certification state.
Mitigation (v1.21.0)
OPTKAS_TRUST.verifyCertificationTrust()OPTKAS_TRUST.detectUnsignedCertClaim()Only signed ECDSA attestations are accepted as proof.
File References
optkas-trust-boundary.js — lines 46–170optkas-attestations.js — verifyAttestation()
Live Status
⚫ Not scanned
T2
HIGH
Key Handling & Passphrase Security
If private key material leaks to plaintext storage or PBKDF2 parameters are weak,
the "cryptographic" claim collapses. Private keys must only exist as encrypted bundles.
Attack Vector
Plaintext JWK in localStorage or IndexedDB.
Weak PBKDF2 iterations (<600k).
Missing salt or IV in encrypted bundles.
Weak PBKDF2 iterations (<600k).
Missing salt or IV in encrypted bundles.
Mitigation (v1.21.0)
OPTKAS_TRUST.scanForPlaintextKeys()Scans IndexedDB profiles + all localStorage keys.
Validates PBKDF2 bundle format (salt, IV, 600k iter).
Crypto Parameters
PBKDF2: 600,000 iterations (OWASP 2023)
AES-GCM-256 with random 12-byte IV
32-byte random salt per encryption
AES-GCM-256 with random 12-byte IV
32-byte random salt per encryption
Live Status
⚫ Not scanned
T3
CRITICAL
Attestation Replay / Spoof
An attacker copies an old or foreign signed attestation blob and reuses it.
Requires userId binding, public key binding, version binding, and freshness checks.
Attack Vector
Replay old "pass" attestation after version bump.
Copy another user's attestation blob.
Inject attestation with forged public key.
Copy another user's attestation blob.
Inject attestation with forged public key.
Mitigation (v1.21.0)
OPTKAS_TRUST.deepVerifyAttestation()5-layer check: signature → userId → key → version → freshness.
Audit chain head bound into attestation payload.
Anti-Replay Bindings
🔒 userId binding
🔑 Public key fingerprint match
📅 90-day freshness window
🔗 Audit chain head hash
🛠️ Platform version binding
🔑 Public key fingerprint match
📅 90-day freshness window
🔗 Audit chain head hash
🛠️ Platform version binding
Live Status
⚫ Not scanned
T4
MEDIUM
Document Locker URL Leakage
Templates are static files. In Mode 1, UI gating works but direct URL access bypasses it.
Documents are now classified as PUBLIC_REFERENCE or RESTRICTED_PRIVATE.
Attack Vector
Open template file URL directly in a fresh browser.
No registration required for static file access.
Mode 1 limitation: UI gating only.
No registration required for static file access.
Mode 1 limitation: UI gating only.
Mitigation
Mode 1: UI gating + audit logging on access.
Mode 2 (future): Server-side auth or encrypted file delivery.
Classification labels applied to all 11 documents.
Mode 2 (future): Server-side auth or encrypted file delivery.
Classification labels applied to all 11 documents.
Document Classification
Loading...
Risk Acceptance
PUBLIC_REFERENCE docs: ✅ acceptable in Mode 1
RESTRICTED_PRIVATE docs: ⚠️ requires Mode 2 for true control
RESTRICTED_PRIVATE docs: ⚠️ requires Mode 2 for true control
T5
CRITICAL
Hash-Chain Audit Trail Tamper
An attacker deletes, reorders, or inserts events in the IndexedDB audit chain.
Chain verification must run before sensitive operations and trigger freeze on failure.
Attack Vector
Delete a middle event → chain hash breaks.
Insert a fake event → hash mismatch.
Truncate chain → incomplete/missing events.
Insert a fake event → hash mismatch.
Truncate chain → incomplete/missing events.
Mitigation (v1.21.0)
OPTKAS_TRUST.enforceChainIntegrity()Auto-freeze on chain failure.
Chain verified before cert/template/vault access.
Chain Mechanics
Genesis:
Event hash:
14 event types, sequential indexing
SHA-256("OPTKAS_AUDIT_GENESIS|1.20.0")Event hash:
SHA-256(prevHash + "|" + JSON)14 event types, sequential indexing
Live Status
⚫ Not scanned
🔬
Live Trust Boundary Checks
Registration Active
⚫ —
Vault Store Accessible
⚫ —
Audit Chain Integrity
⚫ —
No Plaintext Keys
⚫ —
Certification Backed by Signature
⚫ —
PBKDF2 / AES-GCM Parameters
⚫ —
Trust Boundary Status
⚫ —
⚖️
Regulatory Exposure Map
5 Risk Categories
R1 — Solicitation & Distribution Risk
PARTIALLY COVERED
Triggers if: Someone is compensated for bringing investors, general solicitation occurs,
or discussions cross into offer/price/terms without proper framework.
✅ Your Controls: Sales Academy forbidden phrases (F-01–F-12),
solicitor disclosure + comp agreement, cooling-off notice, jurisdiction gating,
73+ capability register with allowed phrasing.
⚠️ Still Needs Counsel: What the compensation structure constitutes;
whether any activity crosses BD/financial promotion thresholds in each jurisdiction.
R2 — Securities Offering Classification
NEEDS COUNSEL
Risk depends on: What is being offered, to whom, in which jurisdictions,
and what exemptions are used (e.g., Reg D 506(b)/(c), Reg S).
✅ Your Controls: Document stack + signing order templates,
accredited investor checks, audit trail, training attestations,
PPM template, subscription agreement template.
⚠️ Still Needs Counsel: Actual offering structure per jurisdiction;
communications policy review; exemption election documentation.
R3 — Custody & Funds Flow
PARTIALLY COVERED
Anything involving: Holding client funds, directing settlement, custody representations.
✅ Your Controls: "Third-party custodian" explicit positioning,
Artifact Vault for custody proof documents, Operating Manual custody section,
Verification Domain E (Operational Control).
⚠️ Still Needs Counsel + Ops: Ensure all statements match operational reality;
custody agreement template should be reviewed by counsel.
R4 — Secondary Trading / Market Facilitation
NEEDS COUNSEL
If enabled: Secondary liquidity triggers new rules depending on jurisdiction.
✅ Your Controls: Explicit "not an exchange" positioning,
native XRPL DEX/AMM usage documentation, total loss risk disclosures,
liquidity disclaimers in library (L3-04).
⚠️ Still Needs Counsel: How secondary trading is allowed/limited per jurisdiction;
transfer restrictions; whitelisting, lockups, and legends implementation.
R5 — Privacy & Data Security
PARTIALLY COVERED
You're collecting: PII (name, email, role, jurisdictions) and generating cryptographic keys.
Even if encrypted, data governance rules apply.
✅ Your Controls: Encryption at rest (AES-GCM-256, PBKDF2 600k),
local-only Mode 1 (no server transmission), registration acknowledgments,
audit trail for access logging.
⚠️ Still Needs Policy: Privacy notice for registrants;
data retention/deletion process; breach response plan;
jurisdictional privacy compliance (GDPR if EU users, US state laws).
🔴
Red Team Checklist
Weekend Audit
Loading checklist...
📈
Architecture Maturity Assessment
Engineering Sophistication
████████▁▁ 8/10
Governance Maturity
████████▁▁ 8/10
Compliance Containment
███████▁▁▁ 7/10
Tamper Resistance
███████▁▁▁ 7/10
Institutional Readiness
████████▁▁ 8/10
External Verifiability
████▁▁▁▁▁▁ 4/10
🎯 Next Threshold:
External anchoring (XRPL hash) + DD Export Engine moves the system from ~8 to ~9.
Server-backed Mode 2 + third-party security audit reaches ~9.5.
Legal template review by counsel + SOC audit = 10.