Security Model
Core controls
- Stake-gated registration for sybil friction.
- Authorized scorers + EIP-712 signatures.
- Score range enforcement (0..200 per dimension).
- Dispute and slashing for score integrity.
Governance controls
- Parameter updates only through timelocked governance.
- Lambda, decay table, min stake, scorer authorization, and dispute parameters are governable.
API auth controls
- Challenge/verify signature flow for paid access.
- Single-use nonce with TTL (default 5 minutes).
- Nonce invalidation after verify.
- Optional/required on-chain `AresApiAccess.accessExpiry` verification before session token mint.
- Session expiry is clamped to on-chain access expiry when paid access is enabled.
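The challenge/verify flow listed above, as an added sketch that is not the project's own code. `createAuth`, `verifySig`, `getAccessExpiry`, the message text and the millisecond timestamps are assumptions; signature checking and the on-chain `accessExpiry` read are injected as callbacks.

```javascript
const { randomBytes } = require('crypto');

const NONCE_TTL_MS = 5 * 60 * 1000; // default nonce TTL from the list above: 5 minutes

// Hypothetical in-memory auth service. verifySig(address, message, signature)
// stands in for wallet signature verification; getAccessExpiry(address) stands
// in for the on-chain accessExpiry read (assumed here to return ms since epoch).
function createAuth({ verifySig, getAccessExpiry, paidAccess, sessionTtlMs, now = Date.now }) {
  const nonces = new Map(); // nonce -> { address, message, expiresAt }

  function challenge(address) {
    const nonce = randomBytes(16).toString('hex');
    const message = `Sign in\naddress: ${address}\nnonce: ${nonce}`; // constructed format
    nonces.set(nonce, { address, message, expiresAt: now() + NONCE_TTL_MS });
    return { nonce, message };
  }

  function verify(address, nonce, signature) {
    const entry = nonces.get(nonce);
    // Single use: the nonce is dropped on the first verify attempt, pass or fail.
    nonces.delete(nonce);
    if (!entry || entry.address !== address) return { ok: false, reason: 'unknown_nonce' };
    if (now() > entry.expiresAt) return { ok: false, reason: 'expired_nonce' };
    if (!verifySig(address, entry.message, signature)) return { ok: false, reason: 'bad_signature' };

    let expiresAt = now() + sessionTtlMs;
    if (paidAccess) {
      const accessExpiry = getAccessExpiry(address);
      if (accessExpiry <= now()) return { ok: false, reason: 'access_expired' };
      expiresAt = Math.min(expiresAt, accessExpiry); // session never outlives paid access
    }
    return { ok: true, expiresAt }; // caller mints the session token with this expiry
  }

  return { challenge, verify };
}
```

A multi-instance deployment would need the nonce map in a shared store with an atomic get-and-delete, otherwise the same nonce could be accepted once per instance.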
Dispute correction controls
- Action-level invalidation with deterministic correction.
- `validActionsCount` separated from `totalActionsCount` to prevent replayed inflation.
Known Open Items
- External audit round-1 is completed; independent closure attestation on deployment target is still open.
- Production anti-bot/captcha policy tuning remains open.
- Wallet-AgentID binding verification requirement documented in the integration guide and known-risks pack. On-chain enforcement exists via `operatorOf()`. Off-chain integrator responsibility is explicitly stated.
- Production webhook ingress now enforces `hmac` mode. `dual` remains only for non-production transition/testing environments.
- Historical test private key literal found in legacy commit history is attested as non-operational and forbidden for reuse in any environment; CI banned-literal guard is active.