security(evidence): add #335 spending-policy execution evidence verifier

.github/workflows/ci.yml

@@ -182,6 +182,7 @@ jobs:
           node --test scripts/security/check-session-signature-parity.test.mjs
           node --test scripts/security/verify-secure-defi-claims.test.mjs
           node --test scripts/security/evidence-manifest.test.mjs
+          node --test scripts/security/spending-policy-evidence.test.mjs
 
       - name: Build packages
         run: pnpm run build

.github/workflows/strict-security-proof.yml

@@ -31,6 +31,7 @@ jobs:
           set -euo pipefail
           node --test scripts/security/verify-secure-defi-claims.test.mjs
           node --test scripts/security/evidence-manifest.test.mjs
+          node --test scripts/security/spending-policy-evidence.test.mjs
 
       - name: Verify strict claims artifact
         env:

docs/security/LAUNCH_READINESS_TRACKER.md

@@ -11,6 +11,7 @@ without ambiguous "done" claims.
 - Session-signature parity and conformance (`#256`)
 - SNIP-12 v2 tracker hygiene and closure evidence (`#255`)
 - Signer proxy auth hardening evidence linkage (`#219`)
+- Spending-policy E2E/load/sign-off closure evidence (`#335`)
 
 ## P0 Closure Rules
 
@@ -49,6 +50,15 @@ without ambiguous "done" claims.
 - Rotation and incident runbook:
   - `docs/security/SIGNER_PROXY_ROTATION_RUNBOOK.md`
 
+### `#335` spending policy E2E/load/sign-off closure
+
+- Checklist and owner mapping:
+  - `docs/security/SPENDING_POLICY_AUDIT.md`
+- Evidence schema + verifier:
+  - `scripts/security/spending-policy-evidence.mjs`
+  - `docs/security/evidence/spending-policy/README.md`
+  - `docs/security/evidence/spending-policy/execution-report.template.json`
+
 ## Required Sign-off Comment Format
 
 Post this in each issue before closing:

docs/security/SPENDING_POLICY_AUDIT.md

@@ -630,6 +630,29 @@ fn test_zero_policy_disables_enforcement() {
 - [ ] Transfer with amount = max_per_call exactly
 - [ ] Non-spending call (balanceOf) → should not affect counter
 
+### 7.5 No-Backend Launch Ownership Map (`#335`)
+
+Use the canonical evidence schema at:
+- `docs/security/evidence/spending-policy/execution-report.template.json`
+
+Validate any run bundle with:
+- `node scripts/security/spending-policy-evidence.mjs --report <run_dir>/execution-report.json --bundle-dir <run_dir>`
+
+Required launch-blocking checks:
+
+| Check ID | Checklist Scope | Owner Role |
+|----------|------------------|------------|
+| `SP-01` | Sepolia SessionAccount deployment + funding setup evidence | contracts-maintainer |
+| `SP-02` | Spending-policy baseline configuration evidence | contracts-maintainer |
+| `SP-03` | Happy-path transfer acceptance evidence | runtime-maintainer |
+| `SP-04` | Per-call rejection evidence | runtime-maintainer |
+| `SP-05` | Window-limit rejection evidence | runtime-maintainer |
+| `SP-06` | Session-key policy-mutation blocklist rejection evidence | runtime-maintainer |
+| `SP-07` | Window-boundary behavior evidence (`now > boundary`) | contracts-maintainer |
+| `SP-08` | Multicall cumulative enforcement evidence | runtime-maintainer |
+| `SP-09` | Non-spending selector counter-invariance evidence | runtime-maintainer |
+| `SP-10` | Load validation evidence (`100+ tx/hour`) | qa-maintainer |
+
 ---
 
 ## 8. Formal Verification Candidates
@@ -670,24 +693,37 @@ only_self_or_owner can call set_spending_policy ∧ remove_spending_policy
 
 **Testing:**
 - [x] 130/130 Cairo tests passing (123 original + 7 critical new)
-- [ ] E2E testnet validation complete
+- [ ] E2E testnet validation complete (`SP-01`..`SP-09`)
 - [x] Adversarial scenarios tested (window boundary, reentrancy, overflow)
-- [ ] Load testing (100+ tx/hour) - pending E2E
+- [ ] Load testing (100+ tx/hour) (`SP-10`)
 
 **Documentation:**
-- [ ] Threat model published
-- [ ] User guide with examples
-- [ ] Known limitations documented
+- [x] Threat model published (Section 1)
+- [x] User guide with examples (`docs/E2E_TESTING_GUIDE.md`, `docs/QUICK_START_E2E.md`)
+- [x] Known limitations documented (Section 3 + Conclusion)
 - [ ] Audit report finalized
 
 **Sign-Off:**
-- [ ] Lead Developer: _______________
-- [ ] Security Reviewer: _______________
-- [ ] QA Engineer: _______________
+- [ ] Lead Developer approved (`signoff.leadDeveloper`)
+- [ ] Security Reviewer approved (`signoff.securityReviewer`)
+- [ ] QA Engineer approved (`signoff.qaEngineer`)
+
+---
+
+## 10. `#335` Closure Procedure (No-Backend Profile)
+
+1. Create run bundle:
+   - `node scripts/security/spending-policy-evidence.mjs --init --report docs/security/evidence/spending-policy/runs/<run_id>/execution-report.json --run-id <run_id> --network starknet-sepolia`
+2. Execute required Sepolia checks (`SP-01`..`SP-10`) and attach tx/log evidence in the same run directory.
+3. Validate structure:
+   - `node scripts/security/spending-policy-evidence.mjs --report docs/security/evidence/spending-policy/runs/<run_id>/execution-report.json --bundle-dir docs/security/evidence/spending-policy/runs/<run_id>`
+4. Validate closure readiness:
+   - `node scripts/security/spending-policy-evidence.mjs --report docs/security/evidence/spending-policy/runs/<run_id>/execution-report.json --bundle-dir docs/security/evidence/spending-policy/runs/<run_id> --require-closed`
+5. Post run-directory links in `#335` and reference them from `#273`.
 
 ---
 
-## 10. Conclusion
+## 11. Conclusion
 
 **Current Status**: 🟢 READY FOR E2E TESTING
 

docs/security/evidence/spending-policy/README.md

@@ -0,0 +1,72 @@
+# Spending Policy Execution Evidence (`#335`)
+
+This directory stores reproducible evidence for the no-backend launch gate item:
+
+- `#335` Close `SPENDING_POLICY_AUDIT.md` E2E/load/sign-off checklist items
+
+The source-of-truth schema is validated by:
+
+- `scripts/security/spending-policy-evidence.mjs`
+
+## Canonical flow
+
+1. Create a run bundle from the template:
+
+```bash
+RUN_ID="sp-$(date -u +%Y%m%d-%H%M%S)"
+RUN_DIR="docs/security/evidence/spending-policy/runs/${RUN_ID}"
+
+node scripts/security/spending-policy-evidence.mjs \
+  --init \
+  --report "${RUN_DIR}/execution-report.json" \
+  --run-id "${RUN_ID}" \
+  --network "starknet-sepolia"
+```
+
+2. Execute the Sepolia E2E/load scenarios and attach evidence for each `SP-xx` check:
+
+- Transaction hash evidence (`type: "tx"`, `txHash`, explorer URL)
+- Command logs (`type: "log"`, relative `path` inside the run directory)
+- Optional reports/screenshots for load-test summaries
+
+3. Validate report structure before posting links:
+
+```bash
+node scripts/security/spending-policy-evidence.mjs \
+  --report "${RUN_DIR}/execution-report.json" \
+  --bundle-dir "${RUN_DIR}"
+```
+
+4. Validate closure readiness (all required checks + all three sign-offs approved):
+
+```bash
+node scripts/security/spending-policy-evidence.mjs \
+  --report "${RUN_DIR}/execution-report.json" \
+  --bundle-dir "${RUN_DIR}" \
+  --require-closed
+```
+
+## Required check IDs (launch-blocking)
+
+- `SP-01` Deploy SessionAccount evidence
+- `SP-02` Spending policy baseline evidence
+- `SP-03` Happy-path transfer evidence
+- `SP-04` Per-call limit rejection evidence
+- `SP-05` Window-limit rejection evidence
+- `SP-06` Selector blocklist rejection evidence
+- `SP-07` Window-boundary behavior evidence
+- `SP-08` Multicall cumulative enforcement evidence
+- `SP-09` Non-spending selector behavior evidence
+- `SP-10` Load validation evidence (`100+ tx/hour`)
+
+## Sign-off keys (required for `--require-closed`)
+
+- `signoff.leadDeveloper`
+- `signoff.securityReviewer`
+- `signoff.qaEngineer`
+
+## Notes
+
+- Evidence `path` values must be safe relative paths inside the run directory.
+- `status: "pass"` checks must include at least one evidence entry.
+- This process is backend-free and self-custodial: maintainers execute with local tooling/accounts and publish the resulting report links in `#335` and `#273`.

docs/security/evidence/spending-policy/execution-report.template.json

@@ -0,0 +1,108 @@
+{
+  "schemaVersion": "1",
+  "issue": "#335",
+  "profile": "no-backend",
+  "network": "starknet-sepolia",
+  "runId": "sp-template",
+  "generatedAt": "2026-03-06T00:00:00.000Z",
+  "checks": [
+    {
+      "checkId": "SP-01",
+      "title": "Deploy SessionAccount to Sepolia and capture deploy tx evidence",
+      "owner": "contracts-maintainer",
+      "status": "pending",
+      "evidence": [],
+      "notes": ""
+    },
+    {
+      "checkId": "SP-02",
+      "title": "Set spending policy baseline and capture policy-state evidence",
+      "owner": "contracts-maintainer",
+      "status": "pending",
+      "evidence": [],
+      "notes": ""
+    },
+    {
+      "checkId": "SP-03",
+      "title": "Happy path transfers within limits validated on Sepolia",
+      "owner": "runtime-maintainer",
+      "status": "pending",
+      "evidence": [],
+      "notes": ""
+    },
+    {
+      "checkId": "SP-04",
+      "title": "Per-call limit rejection validated",
+      "owner": "runtime-maintainer",
+      "status": "pending",
+      "evidence": [],
+      "notes": ""
+    },
+    {
+      "checkId": "SP-05",
+      "title": "Window-limit rejection validated",
+      "owner": "runtime-maintainer",
+      "status": "pending",
+      "evidence": [],
+      "notes": ""
+    },
+    {
+      "checkId": "SP-06",
+      "title": "Session key blocked from policy mutation selectors",
+      "owner": "runtime-maintainer",
+      "status": "pending",
+      "evidence": [],
+      "notes": ""
+    },
+    {
+      "checkId": "SP-07",
+      "title": "Window-boundary behavior validated (reset only when now > boundary)",
+      "owner": "contracts-maintainer",
+      "status": "pending",
+      "evidence": [],
+      "notes": ""
+    },
+    {
+      "checkId": "SP-08",
+      "title": "Multicall cumulative enforcement validated",
+      "owner": "runtime-maintainer",
+      "status": "pending",
+      "evidence": [],
+      "notes": ""
+    },
+    {
+      "checkId": "SP-09",
+      "title": "Non-spending selector validation (counter unchanged)",
+      "owner": "runtime-maintainer",
+      "status": "pending",
+      "evidence": [],
+      "notes": ""
+    },
+    {
+      "checkId": "SP-10",
+      "title": "Load validation (100+ tx/hour) completed with consistency evidence",
+      "owner": "qa-maintainer",
+      "status": "pending",
+      "evidence": [],
+      "notes": ""
+    }
+  ],
+  "signoff": {
+    "leadDeveloper": {
+      "name": "",
+      "status": "pending",
+      "signedAt": null
+    },
+    "securityReviewer": {
+      "name": "",
+      "status": "pending",
+      "signedAt": null
+    },
+    "qaEngineer": {
+      "name": "",
+      "status": "pending",
+      "signedAt": null
+    }
+  },
+  "residualRisks": []
+}

package.json

@@ -19,6 +19,8 @@
     "test": "pnpm -r test",
     "lint": "pnpm -r lint",
     "verify:evidence": "node scripts/security/evidence-manifest.mjs --manifest examples/secure-defi-demo/artifacts/artifact-manifest.json --require-strict",
+    "spending:evidence:init": "node scripts/security/spending-policy-evidence.mjs --init --report docs/security/evidence/spending-policy/execution-report.template.json --run-id sp-template --generated-at 2026-03-06T00:00:00.000Z --network starknet-sepolia --force",
+    "spending:evidence:verify": "node scripts/security/spending-policy-evidence.mjs --report docs/security/evidence/spending-policy/execution-report.template.json --bundle-dir docs/security/evidence/spending-policy",
     "demo:hello-agent": "node examples/hello-agent/index.mjs",
     "ci:version": "changeset version",
     "ci:release": "pnpm build && changeset publish"
@@ -39,6 +41,7 @@
     "overrides": {
       "ajv@^6.0.0": "6.14.0",
       "ajv@^8.0.0": "8.18.0",
+      "express-rate-limit": "8.3.0",
       "hono": "4.12.2",
       "qs": "6.14.2",
       "minimatch": "10.2.3",