Context
PR #88 hardens the current `local-file` signer posture: Mainnet requires `MAINNET=true`, inline Mainnet keys are rejected by default, credential files must be restrictive, `local-file` Mainnet signing requires `CARDANO402_ALLOW_MAINNET_LOCAL_FILE_SIGNER=true`, and `/health` exposes non-secret signer posture.
That is an acceptable interim low-value/hot-wallet posture, but it is not the final posture for high-value Mainnet operation. The remaining security target is documented in `docs/mainnet-signer-isolation.md` and `docs/security-review-2026-05-25.md`.
Required work
Implement a signer boundary so the HTTP facilitator process and signing key live in different trust domains.
Minimum shape:
- Define a `SignerProvider` interface for root facilitator signing operations.
- Keep `local-file` for Preview, Preprod, and explicitly acknowledged low-value Mainnet deployments.
- Add at least one policy signer mode, for example `remote-policy` or `unix-socket`.
- The signer request schema must be narrow and typed: network, intent, unsigned tx CBOR, bounded expiry, request ID, and policy.
- The signer must independently enforce network, expiry, replay/freshness, allowed outputs, per-request ceilings, rolling spend ceilings, and audit logging before key material is touched.
- Signer RPC must not be exposed unauthenticated on LAN/WAN.
`/health` should report the non-secret signer mode/posture so monitors can fail unsafe deployments.
Acceptance criteria
- Mainnet high-value deployment docs no longer rely on `local-file` as the recommended signer mode.
- Config validation accepts the new signer mode and rejects unsafe/incomplete remote signer config.
- Unit/integration tests prove policy-violating signer requests are rejected.
- Release readiness checks assert that the signer boundary docs and config invariants stay present.
- The protocol monitor or a companion operational check can distinguish `local-file` hot-wallet mode from the new policy signer mode.
- Documentation explains migration from current `local-file` mode to the signer boundary.