aethelred-foundation · ramtamilselvan · Apr 18, 2026 · Apr 15, 2026 · Apr 16, 2026 · Apr 16, 2026
diff --git a/.github/workflows/contracts-ci.yml b/.github/workflows/contracts-ci.yml
@@ -72,7 +72,7 @@ jobs:
           version: stable
       - name: Run Foundry unit and integration tests
         run: >
-          FOUNDRY_PROFILE=ci forge test -vv
+          FOUNDRY_PROFILE=ci forge test -vv --code-size-limit 1048576
           --no-match-path 'test/*Invariant.t.sol'
           --no-match-test '^(testFuzz_|test_Audit_|invariant_)'
 
@@ -98,8 +98,8 @@ jobs:
           version: stable
       - name: Run Foundry deep invariant and audit suites
         run: |
-          FOUNDRY_PROFILE=ci forge test -vv --match-path 'test/*Invariant.t.sol'
-          FOUNDRY_PROFILE=ci forge test -vv --match-test '^(testFuzz_|test_Audit_)'
+          FOUNDRY_PROFILE=ci forge test -vv --code-size-limit 1048576 --match-path 'test/*Invariant.t.sol'
+          FOUNDRY_PROFILE=ci forge test -vv --code-size-limit 1048576 --match-test '^(testFuzz_|test_Audit_)'
 
   contracts-required-gate:
     name: Contracts Required Gate

diff --git a/Aethelred Tokenomics.csv b/Aethelred Tokenomics.csv
@@ -319,7 +319,7 @@ Critical Path Timeline,April 1 2026,Enterprise,"Testnet infrastructure ready",,
 Critical Path Timeline,April 1 2026,Community,"Points begin accruing",,
 Critical Path Timeline,May-Jun 2026,Enterprise,"Strategic investor outreach",,
 Critical Path Timeline,May-Jun 2026,Community,"Echo round @ $150M (400M tokens)",,
-Critical Path Timeline,July 2026,Enterprise,"Trail of Bits audit complete",,
+Critical Path Timeline,July 2026,Enterprise,"External protocol audit complete",,
 Critical Path Timeline,July 2026,Community,"Points leaderboard visible",,
 Critical Path Timeline,August 2026,Enterprise,"Binance strategic allocation signed",,
 Critical Path Timeline,August 2026,Community,"5,000+ active point earners",,
@@ -350,4 +350,4 @@ Final Verification,Metric,"Strategic Bucket (500M) - Used",250,000,000,"Seed 100
 Final Verification,Metric,"Strategic Bucket (500M) - Remaining",250,000,000,,
 Final Verification,Metric,"Public Bucket (1,000M) - Used",575,000,000,"Echo 400M + Exchange 175M",
 Final Verification,Metric,"Public Bucket (1,000M) - Remaining",425,000,000,,
-Final Verification,Metric,"Airdrop Bucket (300M)",300,000,000,"Reserved within Public Sale",
+Final Verification,Metric,"Airdrop Bucket (300M)",300,000,000,"Reserved within Public Sale",
diff --git a/app/abci.go b/app/abci.go
@@ -1,6 +1,7 @@
 package app
 
 import (
+	"bytes"
 	cryptoRand "crypto/rand"
 	"fmt"
 	"time"
@@ -263,6 +264,22 @@ func (app *AethelredApp) VerifyVoteExtensionHandler() sdk.VerifyVoteExtensionHan
 			return reject(), nil
 		}
 
+		if voteExt.Height != req.Height {
+			app.Logger().Error("Vote extension height mismatch",
+				"request_height", req.Height,
+				"extension_height", voteExt.Height,
+			)
+			return reject(), nil
+		}
+
+		if !bytes.Equal(voteExt.ValidatorAddress, req.ValidatorAddress) {
+			app.Logger().Error("Vote extension validator identity mismatch",
+				"request_validator_address", fmt.Sprintf("%X", req.ValidatorAddress),
+				"extension_validator_address", fmt.Sprintf("%X", voteExt.ValidatorAddress),
+			)
+			return reject(), nil
+		}
+
 		// Validate the vote extension using mode-appropriate validation.
 		// Strict mode rejects unsigned extensions, simulated TEE, missing hashes.
 		now, ok := app.lastBlockTime(ctx)
@@ -491,7 +508,7 @@ func (app *AethelredApp) ProcessProposalHandler() sdk.ProcessProposalHandler {
 		// to prevent a malicious proposer from flooding ProcessProposal with
 		// expensive-to-verify payloads.
 		const (
-			maxInjectedTxsPerBlock = 50  // PR-17: bound O(n) verification work
+			maxInjectedTxsPerBlock = 50              // PR-17: bound O(n) verification work
 			maxTotalProofBytes     = 5 * 1024 * 1024 // H-4: 5MB total proof budget per block
 		)
 		injectedCount := 0

diff --git a/app/abci_vote_extension_test.go b/app/abci_vote_extension_test.go
@@ -0,0 +1,69 @@
+package app
+
+import (
+	"testing"
+	"time"
+
+	abci "github.com/cometbft/cometbft/abci/types"
+	"github.com/stretchr/testify/require"
+
+	pouwtypes "github.com/aethelred/aethelred/x/pouw/types"
+)
+
+func makeStrictVoteExtensionForABCI(t *testing.T, height int64, validatorAddr []byte, ts time.Time) []byte {
+	t.Helper()
+
+	ve := NewVoteExtensionAtBlockTime(height, validatorAddr, ts)
+	ve.Signature = make([]byte, 64)
+
+	bz, err := ve.Marshal()
+	require.NoError(t, err)
+	return bz
+}
+
+func TestVerifyVoteExtensionHandlerRejectsMismatchedValidatorAddress(t *testing.T) {
+	t.Parallel()
+
+	app := newTestApp(t)
+	ctx := app.BaseApp.NewContext(true).
+		WithBlockHeight(42).
+		WithBlockTime(time.Unix(1_700_000_042, 0).UTC())
+
+	require.NoError(t, app.PouwKeeper.SetParams(ctx, pouwtypes.DefaultParams()))
+	app.persistLastBlockTime(ctx)
+
+	reqValidatorAddr := []byte("validator-consensus-addr")
+	embeddedValidatorAddr := []byte("different-validator-addr")
+	req := &abci.RequestVerifyVoteExtension{
+		Height:           42,
+		ValidatorAddress: reqValidatorAddr,
+		VoteExtension:    makeStrictVoteExtensionForABCI(t, 42, embeddedValidatorAddr, ctx.BlockTime()),
+	}
+
+	resp, err := app.VerifyVoteExtensionHandler()(ctx, req)
+	require.NoError(t, err)
+	require.Equal(t, abci.ResponseVerifyVoteExtension_REJECT, resp.Status)
+}
+
+func TestVerifyVoteExtensionHandlerRejectsMismatchedHeight(t *testing.T) {
+	t.Parallel()
+
+	app := newTestApp(t)
+	ctx := app.BaseApp.NewContext(true).
+		WithBlockHeight(42).
+		WithBlockTime(time.Unix(1_700_000_042, 0).UTC())
+
+	require.NoError(t, app.PouwKeeper.SetParams(ctx, pouwtypes.DefaultParams()))
+	app.persistLastBlockTime(ctx)
+
+	reqValidatorAddr := []byte("validator-consensus-addr")
+	req := &abci.RequestVerifyVoteExtension{
+		Height:           42,
+		ValidatorAddress: reqValidatorAddr,
+		VoteExtension:    makeStrictVoteExtensionForABCI(t, 41, reqValidatorAddr, ctx.BlockTime()),
+	}
+
+	resp, err := app.VerifyVoteExtensionHandler()(ctx, req)
+	require.NoError(t, err)
+	require.Equal(t, abci.ResponseVerifyVoteExtension_REJECT, resp.Status)
+}
diff --git a/app/consensus_evidence_handler.go b/app/consensus_evidence_handler.go
@@ -2,13 +2,22 @@ package app
 
 import (
 	"encoding/json"
+	"errors"
 	"net/http"
+	"strings"
 )
 
 type consensusEvidenceAuditErrorResponse struct {
 	Error string `json:"error"`
 }
 
+const (
+	adminAuditAuthTokenEnv = "AETHELRED_ADMIN_API_TOKEN"
+	adminAuditMaxBodyBytes = 4 << 20
+)
+
+var errConsensusAuditUnauthorized = errors.New("admin consensus audit endpoint requires loopback access or a valid bearer token")
+
 // ConsensusEvidenceAuditHandler exposes deterministic consensus evidence
 // auditing for proposal preflight checks.
 func (app *AethelredApp) ConsensusEvidenceAuditHandler() http.Handler {
@@ -18,10 +27,26 @@ func (app *AethelredApp) ConsensusEvidenceAuditHandler() http.Handler {
 			return
 		}
 
+		if err := authorizeLoopbackOrBearer(r, adminAuditAuthTokenEnv, errConsensusAuditUnauthorized.Error()); err != nil {
+			writeConsensusAuditError(w, http.StatusForbidden, err.Error())
+			return
+		}
+
+		if r.ContentLength > adminAuditMaxBodyBytes {
+			writeConsensusAuditError(w, http.StatusRequestEntityTooLarge, "request body exceeds admin audit size limit")
+			return
+		}
+
+		r.Body = http.MaxBytesReader(w, r.Body, adminAuditMaxBodyBytes)
+
 		var req ConsensusEvidenceAuditRequest
 		dec := json.NewDecoder(r.Body)
 		dec.DisallowUnknownFields()
 		if err := dec.Decode(&req); err != nil {
+			if strings.Contains(err.Error(), "http: request body too large") {
+				writeConsensusAuditError(w, http.StatusRequestEntityTooLarge, "request body exceeds admin audit size limit")
+				return
+			}
 			writeConsensusAuditError(w, http.StatusBadRequest, "invalid request body: "+err.Error())
 			return
 		}

diff --git a/app/consensus_evidence_handler_test.go b/app/consensus_evidence_handler_test.go
@@ -43,6 +43,7 @@ func TestConsensusEvidenceAuditHandler_Post(t *testing.T) {
 
 	handler := (&AethelredApp{}).ConsensusEvidenceAuditHandler()
 	req := httptest.NewRequest(http.MethodPost, "/admin/consensus/evidence/audit", bytes.NewReader(body))
+	req.RemoteAddr = "127.0.0.1:26657"
 	rec := httptest.NewRecorder()
 
 	handler.ServeHTTP(rec, req)
@@ -62,6 +63,7 @@ func TestConsensusEvidenceAuditHandler_Post(t *testing.T) {
 func TestConsensusEvidenceAuditHandler_InvalidRequestBody(t *testing.T) {
 	handler := (&AethelredApp{}).ConsensusEvidenceAuditHandler()
 	req := httptest.NewRequest(http.MethodPost, "/admin/consensus/evidence/audit", strings.NewReader("{"))
+	req.RemoteAddr = "127.0.0.1:26657"
 	rec := httptest.NewRecorder()
 
 	handler.ServeHTTP(rec, req)
@@ -79,10 +81,142 @@ func TestConsensusEvidenceAuditHandler_InvalidTxPayload(t *testing.T) {
 
 	handler := (&AethelredApp{}).ConsensusEvidenceAuditHandler()
 	req := httptest.NewRequest(http.MethodPost, "/admin/consensus/evidence/audit", strings.NewReader(body))
+	req.RemoteAddr = "127.0.0.1:26657"
 	rec := httptest.NewRecorder()
 
 	handler.ServeHTTP(rec, req)
 	if rec.Code != http.StatusBadRequest {
 		t.Fatalf("expected 400, got %d body=%s", rec.Code, rec.Body.String())
 	}
 }
+
+func TestConsensusEvidenceAuditHandler_RejectsNonLoopbackWithoutToken(t *testing.T) {
+	t.Setenv(adminAuditAuthTokenEnv, "")
+
+	handler := (&AethelredApp{}).ConsensusEvidenceAuditHandler()
+	req := httptest.NewRequest(http.MethodPost, "/admin/consensus/evidence/audit", strings.NewReader(`{}`))
+	req.RemoteAddr = "203.0.113.10:8443"
+	rec := httptest.NewRecorder()
+
+	handler.ServeHTTP(rec, req)
+	if rec.Code != http.StatusForbidden {
+		t.Fatalf("expected 403, got %d body=%s", rec.Code, rec.Body.String())
+	}
+}
+
+func TestConsensusEvidenceAuditHandler_AllowsBearerTokenOffLoopback(t *testing.T) {
+	t.Setenv(adminAuditAuthTokenEnv, "test-admin-token")
+
+	reqPayload := ConsensusEvidenceAuditRequest{
+		ConsensusThreshold: 67,
+		ProposedLastCommit: testConsensusAuditCommit(),
+		Txs: []json.RawMessage{
+			mustMarshalRawJSON(t, map[string]interface{}{
+				"type":            "create_seal_from_consensus",
+				"job_id":          "job-handler-token",
+				"output_hash":     make32Bytes(),
+				"validator_count": 2,
+				"total_votes":     2,
+				"agreement_power": 2,
+				"total_power":     2,
+			}),
+		},
+	}
+	body, err := json.Marshal(reqPayload)
+	if err != nil {
+		t.Fatalf("marshal request: %v", err)
+	}
+
+	handler := (&AethelredApp{}).ConsensusEvidenceAuditHandler()
+	req := httptest.NewRequest(http.MethodPost, "/admin/consensus/evidence/audit", bytes.NewReader(body))
+	req.RemoteAddr = "203.0.113.10:8443"
+	req.Header.Set("Authorization", "Bearer test-admin-token")
+	rec := httptest.NewRecorder()
+
+	handler.ServeHTTP(rec, req)
+	if rec.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d body=%s", rec.Code, rec.Body.String())
+	}
+}
+
+func TestConsensusEvidenceAuditHandler_RejectsForwardedLoopbackWithoutToken(t *testing.T) {
+	t.Setenv(adminAuditAuthTokenEnv, "")
+
+	handler := (&AethelredApp{}).ConsensusEvidenceAuditHandler()
+	req := httptest.NewRequest(http.MethodPost, "/admin/consensus/evidence/audit", strings.NewReader(`{}`))
+	req.RemoteAddr = "127.0.0.1:26657"
+	req.Header.Set("X-Forwarded-For", "203.0.113.10")
+	rec := httptest.NewRecorder()
+
+	handler.ServeHTTP(rec, req)
+	if rec.Code != http.StatusForbidden {
+		t.Fatalf("expected 403, got %d body=%s", rec.Code, rec.Body.String())
+	}
+}
+
+func TestConsensusEvidenceAuditHandler_AllowsBearerTokenOnForwardedLoopback(t *testing.T) {
+	t.Setenv(adminAuditAuthTokenEnv, "test-admin-token")
+
+	reqPayload := ConsensusEvidenceAuditRequest{
+		ConsensusThreshold: 67,
+		ProposedLastCommit: testConsensusAuditCommit(),
+		Txs: []json.RawMessage{
+			mustMarshalRawJSON(t, map[string]interface{}{
+				"type":            "create_seal_from_consensus",
+				"job_id":          "job-handler-forwarded-token",
+				"output_hash":     make32Bytes(),
+				"validator_count": 2,
+				"total_votes":     2,
+				"agreement_power": 2,
+				"total_power":     2,
+			}),
+		},
+	}
+	body, err := json.Marshal(reqPayload)
+	if err != nil {
+		t.Fatalf("marshal request: %v", err)
+	}
+
+	handler := (&AethelredApp{}).ConsensusEvidenceAuditHandler()
+	req := httptest.NewRequest(http.MethodPost, "/admin/consensus/evidence/audit", bytes.NewReader(body))
+	req.RemoteAddr = "127.0.0.1:26657"
+	req.Header.Set("Forwarded", "for=203.0.113.10;proto=https")
+	req.Header.Set("Authorization", "Bearer test-admin-token")
+	rec := httptest.NewRecorder()
+
+	handler.ServeHTTP(rec, req)
+	if rec.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d body=%s", rec.Code, rec.Body.String())
+	}
+}
+
+func TestConsensusEvidenceAuditHandler_RejectsInvalidBearerToken(t *testing.T) {
+	t.Setenv(adminAuditAuthTokenEnv, "expected-token")
+
+	handler := (&AethelredApp{}).ConsensusEvidenceAuditHandler()
+	req := httptest.NewRequest(http.MethodPost, "/admin/consensus/evidence/audit", strings.NewReader(`{}`))
+	req.RemoteAddr = "203.0.113.10:8443"
+	req.Header.Set("Authorization", "Bearer wrong-token")
+	rec := httptest.NewRecorder()
+
+	handler.ServeHTTP(rec, req)
+	if rec.Code != http.StatusForbidden {
+		t.Fatalf("expected 403, got %d body=%s", rec.Code, rec.Body.String())
+	}
+}
+
+func TestConsensusEvidenceAuditHandler_RejectsOversizedBody(t *testing.T) {
+	handler := (&AethelredApp{}).ConsensusEvidenceAuditHandler()
+	req := httptest.NewRequest(
+		http.MethodPost,
+		"/admin/consensus/evidence/audit",
+		strings.NewReader(strings.Repeat("x", adminAuditMaxBodyBytes+1)),
+	)
+	req.RemoteAddr = "127.0.0.1:26657"
+	rec := httptest.NewRecorder()
+
+	handler.ServeHTTP(rec, req)
+	if rec.Code != http.StatusRequestEntityTooLarge {
+		t.Fatalf("expected 413, got %d body=%s", rec.Code, rec.Body.String())
+	}
+}
diff --git a/app/coverage_helpers_test.go b/app/coverage_helpers_test.go
@@ -171,6 +171,26 @@ func TestTEEQuoteSchemaValidationCoverage(t *testing.T) {
 	nitro.Quote = []byte("{invalid-json")
 	require.ErrorContains(t, validateTEEQuoteSchema(nitro), "invalid nitro quote json")
 
+	simulatedPayload := quotePayload
+	simulatedPayload.SimulationSignature = []byte("sim-sig")
+	simulatedBytes, err := json.Marshal(simulatedPayload)
+	require.NoError(t, err)
+	require.NoError(t, validateTEEQuoteSchema(&TEEAttestationData{
+		Platform: "nitro-simulated",
+		Quote:    simulatedBytes,
+		UserData: []byte("user"),
+		Nonce:    []byte("nonce"),
+	}))
+	simulatedPayload.SimulationSignature = nil
+	simulatedBytes, err = json.Marshal(simulatedPayload)
+	require.NoError(t, err)
+	require.ErrorContains(t, validateTEEQuoteSchema(&TEEAttestationData{
+		Platform: "nitro-simulated",
+		Quote:    simulatedBytes,
+		UserData: []byte("user"),
+		Nonce:    []byte("nonce"),
+	}), "simulation_signature")
+
 	sgxQuote := make([]byte, sgxQuoteHeaderLen)
 	binary.LittleEndian.PutUint16(sgxQuote[0:2], 3)
 	require.NoError(t, validateTEEQuoteSchema(&TEEAttestationData{