c/quicproquo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(fapp): add security model + profile_url for verification

Browse Source 
docs/specs/fapp-security.md:
- Full threat model for patient protection
- 3-level verification roadmap (transparency → endorsements → registry)
- UI warning mockups
- Technical implementation plan
- Honest assessment of limitations

SlotAnnounce changes:
- Added profile_url field for therapist verification
- New with_profile() constructor
- profile_url included in signature

docs/specs/fapp-protocol.md:
- Added Security & Anti-Fraud section
- Link to full security spec
This commit is contained in:
Christian Nennemann
2026-04-01 07:56:19 +02:00
parent 12846bd2a0
commit 56331632fd
3 changed files with 291 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
docs/specs/fapp-protocol.md
View File

@@ -136,14 +136,39 @@ Therapist confirms or rejects a reservation.
- `duration_minutes: u16` — Duration (typically 50 or 25 minutes)
- `slot_type: SlotType` — Type of appointment
## Anti-Spam
## Security & Anti-Fraud
1. **Approbation hash binding.** The `approbation_hash` field contains SHA-256 of the therapist's Approbation number. While mesh nodes cannot verify this against a registry, it creates accountability — a therapist's identity is tied to a real credential.
> **See [fapp-security.md](fapp-security.md) for the full security model.**
### Patient Protection
Patients are vulnerable. FAPP must protect against fraudulent "therapists":
| Threat | Mitigation |
|--------|------------|
| Fake Therapist | `profile_url` for cross-verification, UI warnings |
| Impersonation | Ed25519 signatures, endorsement system (planned) |
| Data Harvesting | Anonymous queries, no patient identity in protocol |
| Financial Fraud | "Never pay upfront" warnings, reputation (planned) |
### Verification Levels
| Level | Mechanism | Trust |
|-------|-----------|-------|
| 0 | None — only mesh signature | Low |
| 1 | Endorsement by trusted relay | Medium |
| 2 | Registry verification (KBV) | High |
**Current implementation:** Level 0 with `profile_url` for transparency.
### Anti-Spam
1. **Approbation hash binding.** The `approbation_hash` field contains SHA-256 of the therapist's Approbation number. Creates accountability — therapist identity tied to real credential.
2. **Signature verification.** All SlotAnnounces are Ed25519-signed. Relay nodes reject unsigned or invalid announcements.
3. **Rate limiting.** Relay nodes enforce a maximum announcement rate per therapist address (e.g., max 10 SlotAnnounces per hour per therapist_address).
4. **Sequence-based dedup.** Each therapist maintains a monotonic sequence counter. Relay nodes only accept announces with sequence >= last seen for that therapist.
5. **TTL enforcement.** Expired announcements are garbage collected. Default TTL is 7 days.
6. **Hop limit.** SlotAnnounces have a max_hops field (default 8) to prevent infinite propagation.
3. **Rate limiting.** Relay nodes enforce max 10 SlotAnnounces per hour per therapist_address.
4. **Sequence-based dedup.** Monotonic counter; relays only accept sequence >= last seen.
5. **TTL enforcement.** Expired announcements are garbage collected. Default 7 days.
6. **Hop limit.** max_hops field (default 8) prevents infinite propagation.
## Wire Format