Aliipou
diff --git a/‎.github/workflows/tcb-tests.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/tcb-tests.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎attack_harness/attack_tree_coverage.py‎
Lines changed: 48 additions & 17 deletions b/‎attack_harness/attack_tree_coverage.py‎
Lines changed: 48 additions & 17 deletions
diff --git a/‎freedom-kernel/src/tcb/dag.rs‎
Lines changed: 124 additions & 52 deletions b/‎freedom-kernel/src/tcb/dag.rs‎
Lines changed: 124 additions & 52 deletions
@@ -11,7 +11,7 @@ env:
 
 jobs:
   rust-tcb:
-    name: Rust TCB tests (45 tests)
+    name: Rust TCB tests (56 in tests.rs + dag/engine/sequence modules)
     runs-on: windows-latest
     steps:
       - uses: actions/checkout@v4
@@ -40,7 +40,7 @@ jobs:
         continue-on-error: true
 
   python-attack-harness:
-    name: Python attack harness (41 tests)
+    name: Python attack harness (42 tests — AT-5.1 and AT-3.1 fixed)
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
 
@@ -14,6 +14,9 @@
   AT-6: Crypto boundary (cross-context reuse, nonce uniqueness)
   AT-7: Integration boundary (adapter mutation, shadow execution — documented)
 
+AT-5.1 (delegation impersonation) and AT-3.1 (intermediate epoch) are now fixed.
+AT-7.5 (shadow execution) remains a KNOWN-GAP — requires architectural enforcement.
+
 Format: each test prints PASS / KNOWN-GAP / FAIL.
 """
 
@@ -139,6 +142,14 @@ def verify_action(actor_id, resource_hash, required_rights, min_epoch,
             return Decision(False, "capability epoch predates minimum required epoch")
         if not cap.get("sig_valid", True):
             return Decision(False, "root signature verification failed")
+        # AT-3.1 fix: intermediate (parent) node epoch must also meet min_epoch.
+        # parent_epoch defaults to the leaf's epoch — stale chains must set it explicitly.
+        parent_epoch = cap.get("parent_epoch", cap.get("epoch", 0))
+        if parent_epoch < min_epoch:
+            return Decision(False, "delegation chain node epoch predates minimum required epoch")
+        # AT-5.1 fix: issuer pubkey must bind to parent subject_id via SHA-256.
+        if not cap.get("issuer_binding_valid", True):
+            return Decision(False, "issuer pubkey does not correspond to parent subject identity")
         if cap.get("parent_rights") is not None:
             if (cap["rights"] & ~cap["parent_rights"]) != 0:
                 return Decision(False, "attenuation violation: child rights exceed parent")
@@ -173,7 +184,17 @@ def verify_action(actor_id, resource_hash, required_rights, min_epoch,
 
 
 def base_cap(actor=None, resource=None, rights=RIGHT_READ, expiry=EXPIRY,
-             epoch=EPOCH, sig_valid=True, parent_rights=None):
+             epoch=EPOCH, sig_valid=True, parent_rights=None,
+             issuer_binding_valid=True, parent_epoch=None):
+    """Build a capability proof descriptor.
+
+    issuer_binding_valid — simulates AT-5.1 check:
+        SHA-256(child.issuer_pubkey) == parent.subject_id.
+        False means the issuer's key does not correspond to the parent subject (impersonation).
+    parent_epoch — simulates AT-3.1 check: epoch of the parent (intermediate) node.
+        If parent_epoch < min_epoch, the chain is rejected even if the leaf is fresh.
+        Defaults to the leaf epoch (assumes parent is at least as fresh as the leaf).
+    """
     a = actor or ACTOR
     r = resource or RESOURCE
     ph = hashlib.sha256(a + r + struct.pack(">Q", rights)).digest()
@@ -185,6 +206,8 @@ def base_cap(actor=None, resource=None, rights=RIGHT_READ, expiry=EXPIRY,
         "epoch": epoch,
         "sig_valid": sig_valid,
         "parent_rights": parent_rights,
+        "issuer_binding_valid": issuer_binding_valid,
+        "parent_epoch": parent_epoch if parent_epoch is not None else epoch,
         "proof_hash": ph,
         "canonical_bytes": ph + a + r,
     }
@@ -428,23 +451,30 @@ def test_at4_stepwise_accumulation_detection():
 # AT-5: Identity binding
 # ---------------------------------------------------------------------------
 
-def test_at5_delegation_impersonation_gap_documented():
-    """AT-5.1 KNOWN GAP: validate_chain does not check that the delegation chain
-    issuer key corresponds to the parent's subject_id. An attacker who knows the
-    parent proof can forge a child without the parent subject's private key.
-    Fix: SHA-256(child.issuer_pubkey) == parent.subject_id.
-    This test documents the current (exploitable) behavior."""
-    # Simulate: attacker creates a child claiming delegation from [0xAA;32]
-    # but signs it with their own key, not [0xAA;32]'s key.
-    # In the Python model, parent_rights represents the linked parent's rights.
-    # The Python model doesn't check issuer_pubkey -> parent.subject_id, mirroring the gap.
-    attacker_cap = base_cap(ACTOR, RESOURCE, rights=RIGHT_READ, parent_rights=RIGHT_READ)
-    # The attacker's cap passes attenuation (READ <= READ) and sig_valid=True.
+def test_at5_delegation_impersonation_blocked():
+    """AT-5.1: Delegation impersonation is now blocked (formerly a known gap, now fixed).
+    Attacker forges a child proof claiming delegation from a parent they don't control.
+    issuer_binding_valid=False simulates SHA-256(attacker.pubkey) != parent.subject_id."""
+    # Attacker's cap: valid sig, rights within parent, but issuer key doesn't match
+    # the parent's subject_id — the binding check (AT-5.1 fix) rejects it.
+    attacker_cap = base_cap(ACTOR, RESOURCE, rights=RIGHT_READ, parent_rights=RIGHT_READ,
+                            issuer_binding_valid=False)
     action = sealed_action(caps=[attacker_cap])
     d = check_action(action)
-    # KNOWN GAP: currently Permits (impersonation succeeds in Python model too)
-    assert d.permit, f"KNOWN GAP AT-5.1: expected Permit to document gap, got: {d}"
-    print("AT-5.1 KNOWN-GAP: delegation impersonation not blocked (fix: bind issuer_pubkey to parent.subject_id)")
+    assert not d.permit and "issuer" in d.reason, f"AT-5.1 FAILED: expected Deny(issuer...), got: {d}"
+    print("AT-5.1 PASS: delegation impersonation blocked (issuer_pubkey must bind to parent.subject_id)")
+
+
+def test_at3_1_intermediate_node_stale_epoch_rejected():
+    """AT-3.1: Stale epoch on intermediate (parent) delegation node is now rejected.
+    Leaf has epoch=EPOCH (fresh), parent has epoch=1 (stale, < min_epoch=EPOCH).
+    validate_chain must check every node, not just the leaf."""
+    # Cap with stale parent_epoch — simulates a chain whose delegator is from a revoked epoch.
+    cap = base_cap(ACTOR, RESOURCE, rights=RIGHT_READ, epoch=EPOCH, parent_epoch=1)
+    action = sealed_action(caps=[cap], min_epoch=EPOCH)
+    d = check_action(action)
+    assert not d.permit and "epoch" in d.reason, f"AT-3.1 FAILED: {d}"
+    print("AT-3.1 PASS: stale intermediate node epoch rejected (chain-wide epoch enforcement)")
 
 
 def test_at5_zero_actor_vs_nonzero_subject():
@@ -567,7 +597,8 @@ def test_at7_post_verification_mutation_blocked():
     test_at4_stepwise_accumulation_detection()
 
     print("\n--- AT-5: Identity Binding ---")
-    test_at5_delegation_impersonation_gap_documented()
+    test_at5_delegation_impersonation_blocked()
+    test_at3_1_intermediate_node_stale_epoch_rejected()
     test_at5_zero_actor_vs_nonzero_subject()
 
     print("\n--- AT-6: Crypto Boundary ---")
 
@@ -2,12 +2,22 @@
 ///
 /// `validate_chain` walks from a leaf capability proof back to the root, verifying:
 ///   1. Every node's ed25519 signature is cryptographically valid.
-///   2. Every intermediate node's signature is by the key it claims as issuer.
-///   3. Child rights ⊆ parent rights (attenuation invariant, Bug 5 fix).
+///   2. Every node's epoch >= min_epoch (AT-3.1 fix: intermediate delegation nodes
+///      issued in a compromised epoch cannot serve as valid chain links).
+///   3. Every intermediate node's issuer_pubkey binds to the parent's subject_id
+///      via SHA-256 (AT-5.1 fix: closes delegation impersonation gap).
+///   4. Child rights ⊆ parent rights (attenuation invariant).
 ///
 /// The root is identified by `IssuerRef::Root` — its signature is verified
 /// against the root key passed into verify(). No other node is implicitly trusted.
+///
+/// Identity model: subject_id = SHA-256(pubkey). This is the invariant that
+/// AT-5.1 relies on. All capability issuers must have their pubkey enrolled
+/// as SHA-256(pubkey) = subject_id in the granting proof.
+#![forbid(unsafe_code)]
+
 use ed25519_dalek::{Signature, VerifyingKey, Verifier};
+use sha2::{Digest, Sha256};
 use crate::tcb::types::{CapabilityProof, IssuerRef};
 
 const MAX_CHAIN_DEPTH: usize = 16;
@@ -17,11 +27,15 @@ const MAX_CHAIN_DEPTH: usize = 16;
 /// `all_proofs` is the full bundle from `CanonicalAction` — intermediate nodes
 /// must be present here. Proofs absent from the bundle cannot be trusted.
 ///
+/// `min_epoch` is the caller's minimum required epoch. Every node in the chain
+/// must have `epoch >= min_epoch` (AT-3.1 fix).
+///
 /// Returns `Ok(())` if the chain is valid; `Err(reason)` otherwise.
 pub fn validate_chain(
     leaf: &CapabilityProof,
     all_proofs: &[CapabilityProof],
     root_key: &VerifyingKey,
+    min_epoch: u64,
 ) -> Result<(), &'static str> {
     let mut current = leaf;
     let mut depth = 0usize;
@@ -32,50 +46,50 @@ pub fn validate_chain(
         }
         depth += 1;
 
-        let msg = current.signing_message();
+        // AT-3.1 fix: epoch check on every chain node, not just the leaf.
+        // A delegator whose key was compromised in epoch N cannot serve as a
+        // valid chain link even if the leaf was reissued in a later epoch.
+        if current.epoch < min_epoch {
+            return Err("delegation chain node epoch predates minimum required epoch");
+        }
 
+        let msg = current.signing_message();
         let sig = Signature::from_bytes(&current.signature)
             .map_err(|_| "malformed signature encoding")?;
 
         match &current.issuer {
             IssuerRef::Root => {
-                // This node claims to be root-signed — verify against root_key.
                 root_key
                     .verify(&msg, &sig)
                     .map_err(|_| "root signature verification failed")?;
-                // Reached root without violation — chain is valid.
                 return Ok(());
             }
 
             IssuerRef::Delegated { parent_hash } => {
-                // Verify this node's signature with the issuer's own key.
-                // We cannot trust self-reported issuer_pubkey blindly —
-                // it will be validated when we traverse up to the parent.
                 let issuer_key = VerifyingKey::from_bytes(&current.issuer_pubkey)
                     .map_err(|_| "malformed issuer pubkey in proof")?;
                 issuer_key
                     .verify(&msg, &sig)
                     .map_err(|_| "intermediate signature verification failed")?;
 
-                // Locate parent in the bundle — reject if absent.
                 let parent = all_proofs
                     .iter()
                     .find(|p| p.proof_hash == *parent_hash)
                     .ok_or("parent proof not found in bundle")?;
 
-                // Verify that `issuer_pubkey` in this node matches what the parent
-                // was issued to. This closes the impersonation gap:
-                // a proof claiming a different issuer's key would fail here.
-                if current.issuer_pubkey != parent.issuer_pubkey
-                    && matches!(parent.issuer, IssuerRef::Root)
-                {
-                    // At root level, the "issuer pubkey" of children must come from
-                    // what root actually granted — checked via signature above.
-                    // No additional check needed here; root_key verify in next iteration.
+                // AT-5.1 fix: the principal this node claims as issuer must be
+                // the same principal the parent capability was issued to.
+                // Identity model: subject_id = SHA-256(pubkey).
+                // Without this, an attacker who knows the parent proof can sign a
+                // child with their own key and set parent_hash to the real parent —
+                // the chain would traverse correctly despite no key from the parent's
+                // subject ever being used.
+                let claimed_issuer_id: [u8; 32] = Sha256::digest(&current.issuer_pubkey).into();
+                if claimed_issuer_id != parent.subject_id {
+                    return Err("issuer pubkey does not correspond to parent subject identity");
                 }
 
-                // Bug 5: Attenuation enforcement.
-                // A delegator cannot grant rights they don't possess.
+                // Attenuation: a delegator cannot grant rights they don't possess.
                 if (current.rights & !parent.rights) != 0 {
                     return Err("attenuation violation: child rights exceed parent");
                 }
@@ -94,6 +108,10 @@ mod tests {
     use rand_core::OsRng;
     use sha2::{Digest, Sha256};
 
+    fn subject_id_of(sk: &SigningKey) -> [u8; 32] {
+        Sha256::digest(sk.verifying_key().to_bytes()).into()
+    }
+
     fn make_root_proof(
         root_sk: &SigningKey,
         subject_id: [u8; 32],
@@ -116,60 +134,114 @@ mod tests {
         };
         let msg = p.signing_message();
         p.signature = root_sk.sign(&msg).to_bytes();
-        let hash: [u8; 32] = Sha256::digest(p.to_canonical_bytes()).into();
-        p.proof_hash = hash;
+        p.proof_hash = Sha256::digest(p.to_canonical_bytes()).into();
+        p
+    }
+
+    fn make_delegated_proof(
+        delegator_sk: &SigningKey,
+        parent: &CapabilityProof,
+        subject_id: [u8; 32],
+        resource_hash: [u8; 32],
+        rights: u64,
+        expiry: u64,
+        epoch: u64,
+    ) -> CapabilityProof {
+        let issuer_pubkey = delegator_sk.verifying_key().to_bytes();
+        let mut p = CapabilityProof {
+            proof_hash: [0u8; 32],
+            subject_id,
+            resource_hash,
+            rights,
+            expiry,
+            epoch,
+            issuer: IssuerRef::Delegated { parent_hash: parent.proof_hash },
+            signature: [0u8; 64],
+            issuer_pubkey,
+        };
+        let msg = p.signing_message();
+        p.signature = delegator_sk.sign(&msg).to_bytes();
+        p.proof_hash = Sha256::digest(p.to_canonical_bytes()).into();
         p
     }
 
+    const RESOURCE: [u8; 32] = [0x02; 32];
+    const MIN_EPOCH: u64 = 1;
+
     #[test]
     fn valid_root_proof_passes() {
         let root_sk = SigningKey::generate(&mut OsRng);
         let root_vk = root_sk.verifying_key();
-        let proof = make_root_proof(
-            &root_sk,
-            [1u8; 32],
-            [2u8; 32],
-            RIGHT_READ,
-            u64::MAX,
-            1,
-        );
-        assert!(validate_chain(&proof, &[proof.clone()], &root_vk).is_ok());
+        let proof = make_root_proof(&root_sk, [1u8; 32], RESOURCE, RIGHT_READ, u64::MAX, 1);
+        assert!(validate_chain(&proof, &[proof.clone()], &root_vk, MIN_EPOCH).is_ok());
     }
 
     #[test]
     fn wrong_root_key_fails() {
         let root_sk = SigningKey::generate(&mut OsRng);
         let other_sk = SigningKey::generate(&mut OsRng);
         let other_vk = other_sk.verifying_key();
-        let proof = make_root_proof(&root_sk, [1u8; 32], [2u8; 32], RIGHT_READ, u64::MAX, 1);
-        assert!(validate_chain(&proof, &[proof.clone()], &other_vk).is_err());
+        let proof = make_root_proof(&root_sk, [1u8; 32], RESOURCE, RIGHT_READ, u64::MAX, 1);
+        assert!(validate_chain(&proof, &[proof.clone()], &other_vk, MIN_EPOCH).is_err());
     }
 
     #[test]
     fn attenuation_violation_rejected() {
         let root_sk = SigningKey::generate(&mut OsRng);
         let root_vk = root_sk.verifying_key();
-        // Parent has READ only; child claims READ|WRITE — must be rejected.
-        let parent = make_root_proof(&root_sk, [1u8; 32], [2u8; 32], RIGHT_READ, u64::MAX, 1);
         let child_sk = SigningKey::generate(&mut OsRng);
-        let parent_hash = parent.proof_hash;
-        let issuer_pubkey = child_sk.verifying_key().to_bytes();
-        let mut child = CapabilityProof {
-            proof_hash: [0u8; 32],
-            subject_id: [3u8; 32],
-            resource_hash: [2u8; 32],
-            rights: RIGHT_READ | RIGHT_WRITE, // violation
-            expiry: u64::MAX,
-            epoch: 1,
-            issuer: IssuerRef::Delegated { parent_hash },
-            signature: [0u8; 64],
-            issuer_pubkey,
-        };
-        let msg = child.signing_message();
-        child.signature = child_sk.sign(&msg).to_bytes();
-        child.proof_hash = Sha256::digest(child.to_canonical_bytes()).into();
-        let result = validate_chain(&child, &[parent.clone(), child.clone()], &root_vk);
+        // Parent grants READ to child_sk's identity.
+        let parent = make_root_proof(&root_sk, subject_id_of(&child_sk), RESOURCE, RIGHT_READ, u64::MAX, 1);
+        // Child claims READ|WRITE — attenuation violation.
+        let child = make_delegated_proof(&child_sk, &parent, [3u8; 32], RESOURCE, RIGHT_READ | RIGHT_WRITE, u64::MAX, 1);
+        let result = validate_chain(&child, &[parent.clone(), child.clone()], &root_vk, MIN_EPOCH);
         assert!(result.is_err());
         assert!(result.unwrap_err().contains("attenuation"));
     }
+
+    // AT-5.1: attacker with a different key cannot forge delegation from [0xAA;32]
+    #[test]
+    fn at5_delegation_impersonation_rejected() {
+        let root_sk = SigningKey::generate(&mut OsRng);
+        let root_vk = root_sk.verifying_key();
+        let attacker_sk = SigningKey::generate(&mut OsRng);
+        // Parent issued to [0xAA;32] — NOT to attacker_sk's identity.
+        let parent = make_root_proof(&root_sk, [0xAA; 32], RESOURCE, RIGHT_READ, u64::MAX, 1);
+        // Attacker signs a child claiming delegation from that parent, using their own key.
+        let fake_child = make_delegated_proof(&attacker_sk, &parent, [0x01; 32], RESOURCE, RIGHT_READ, u64::MAX, 1);
+        let result = validate_chain(&fake_child, &[parent.clone(), fake_child.clone()], &root_vk, MIN_EPOCH);
+        assert!(result.is_err());
+        assert!(result.unwrap_err().contains("issuer pubkey"));
+    }
+
+    // AT-3.1: intermediate node with stale epoch fails even if leaf epoch is fresh
+    #[test]
+    fn at3_1_intermediate_stale_epoch_rejected() {
+        let root_sk = SigningKey::generate(&mut OsRng);
+        let root_vk = root_sk.verifying_key();
+        let delegator_sk = SigningKey::generate(&mut OsRng);
+        let next_sk = SigningKey::generate(&mut OsRng);
+        // Parent issued at epoch 0 (stale).
+        let parent = make_root_proof(&root_sk, subject_id_of(&delegator_sk), RESOURCE, RIGHT_READ, u64::MAX, 0);
+        // Child at fresh epoch — but its parent node is stale.
+        let child = make_delegated_proof(&delegator_sk, &parent, subject_id_of(&next_sk), RESOURCE, RIGHT_READ, u64::MAX, 5);
+        let result = validate_chain(&child, &[parent.clone(), child.clone()], &root_vk, 5);
+        assert!(result.is_err());
+        assert!(result.unwrap_err().contains("epoch"));
+    }
+
+    // Valid two-level chain with proper identity binding
+    #[test]
+    fn valid_two_level_chain() {
+        let root_sk = SigningKey::generate(&mut OsRng);
+        let root_vk = root_sk.verifying_key();
+        let delegator_sk = SigningKey::generate(&mut OsRng);
+        let actor = [0x01; 32];
+        // Parent granted to delegator_sk's identity.
+        let parent = make_root_proof(&root_sk, subject_id_of(&delegator_sk), RESOURCE, RIGHT_READ, u64::MAX, 1);
+        // delegator_sk issues to actor.
+        let child = make_delegated_proof(&delegator_sk, &parent, actor, RESOURCE, RIGHT_READ, u64::MAX, 1);
+        let result = validate_chain(&child, &[parent.clone(), child.clone()], &root_vk, MIN_EPOCH);
+        assert!(result.is_ok());
+    }
 }