chore: sync ABI proof modifications + audit docs

Staged Idris2 ABI modifications (SafeCORS, SafeHTTP,
SafePromptInjection, SafeWebSocket) + new SafetyLemmas.idr
from prior proof session. Added PROOF-NEEDS.md.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: hyperpolymath

PROOF-NEEDS.md

@@ -0,0 +1,27 @@
+# Proof Requirements
+
+## Current state
+- `src/abi/Boj/Protocol.idr` (77 lines) — MCP protocol types
+- `src/abi/Boj/Domain.idr` (118 lines) — Domain types
+- `src/abi/Boj/Catalogue.idr` (220 lines) — Cartridge catalogue types
+- `src/abi/Boj/Menu.idr` (130 lines) — Menu system types
+- `src/abi/Boj/Federation.idr` (164 lines) — Federation types
+- `src/abi/Boj/Guardian.idr` — Guardian safety types
+- `src/abi/Boj/Safety.idr` — General safety types
+- `src/abi/Boj/SafeHTTP.idr`, `SafePromptInjection.idr`, `SafeCORS.idr`, `SafeAPIKey.idr`, `SafeWebSocket.idr` — Security-specific ABI definitions
+- No dangerous patterns (`believe_me`, `sorry`, etc.) found in ABI layer
+
+## What needs proving
+- **Prompt injection safety**: Prove that `SafePromptInjection` filtering is complete (no bypass possible for known injection patterns)
+- **CORS policy correctness**: Prove `SafeCORS` origin validation admits only explicitly allowed origins
+- **API key non-leakage**: Prove that API keys in `SafeAPIKey` never appear in response bodies or logs
+- **WebSocket frame safety**: Prove `SafeWebSocket` rejects malformed frames and enforces message size limits
+- **HTTP request validation**: Prove `SafeHTTP` correctly validates all request components before forwarding
+- **Cartridge isolation**: Prove cartridges cannot access resources outside their declared capability set
+- **Federation trust chain**: Prove federation handshakes establish authentic, non-replayable trust
+
+## Recommended prover
+- **Idris2** — Already used for ABI definitions; dependent types are ideal for proving security properties over protocol types
+
+## Priority
+- **HIGH** — BoJ is an MCP server that handles API keys, HTTP requests, and WebSocket connections. The `Safe*` ABI files explicitly claim safety properties that should be formally verified. Security-critical code with explicit safety claims demands proofs.

TEST-NEEDS.md

@@ -0,0 +1,72 @@
+# Test & Benchmark Requirements
+
+## Current State
+- Unit tests: 1 Rust test file + 1 aspect_tests.sh script — effectively NONE for the main codebase
+- Integration tests: NONE
+- E2E tests: NONE
+- Benchmarks: 63 benchmark files exist (likely V-lang ecosystem benchmarks)
+- panic-attack scan: 1 report found (panic-attack-report.json)
+
+## What's Missing
+### Point-to-Point (P2P)
+This is a major MCP server with 228 Zig + 108 Idris2 + 29 JS + 128 V + 8 Rust + 5 ReScript source files. The test coverage is catastrophically low:
+
+- **src/** (entire MCP bridge implementation) — ZERO tests
+- **cartridges/** (all cartridge implementations) — no tests
+- **adapter/** — no tests
+- **mcp-bridge/** — no tests
+- **ffi/** (Zig) — no tests
+- **tools/** — no tests
+- **tray/** — no tests
+- All 228 Zig source files — ZERO tests
+- All 108 Idris2 ABI definitions — ZERO verification tests
+- All 128 V source files — ZERO tests
+- All 29 JS source files — ZERO tests
+
+### End-to-End (E2E)
+- MCP server startup and health check
+- Cartridge loading and invocation
+- Browser cartridge: navigate, click, type, read_page
+- GitHub cartridge: CRUD on repos, issues, PRs
+- GitLab cartridge: project management, CI pipeline interaction
+- Cloud cartridges (Cloudflare, Vercel, Verpex) — CRUD operations
+- Gmail/Calendar cartridge operations
+- Research cartridge: search and retrieval
+- Cartridge discovery and listing
+- Error handling for unavailable services
+- Authentication flow for each cartridge
+
+### Aspect Tests
+- [ ] Security (MCP protocol injection, cartridge sandboxing, credential handling, SSRF via browser cartridge)
+- [ ] Performance (concurrent cartridge invocations, large response handling, connection pooling)
+- [ ] Concurrency (parallel MCP requests, cartridge state isolation, browser session management)
+- [ ] Error handling (network failures, API rate limits, invalid tool calls, timeout handling)
+- [ ] Accessibility (N/A — server)
+
+### Build & Execution
+- [ ] zig build — not verified
+- [ ] npm/deno run — not verified
+- [ ] MCP server starts and responds to health check — not verified
+- [ ] CLI --help works — not verified
+- [ ] Self-diagnostic — aspect_tests.sh exists but unclear if comprehensive
+
+### Benchmarks Needed
+- MCP request/response latency per cartridge
+- Concurrent request throughput
+- Browser cartridge page load and interaction speed
+- Memory usage under sustained load
+- Cartridge hot-loading performance
+- Connection pool efficiency
+
+### Self-Tests
+- [x] panic-attack assail — report exists (verify findings)
+- [ ] Built-in health check (boj_health exists — verify coverage)
+
+## Priority
+- **HIGH** — This is THE central MCP server for the entire ecosystem. 228 Zig + 108 Idris2 + 128 V + 29 JS + 8 Rust + 5 ReScript source files with effectively ZERO functional tests. The 63 benchmark files appear to be from V-lang ecosystem rather than boj-server itself. A single test script (aspect_tests.sh) is not adequate for a server handling browser automation, GitHub/GitLab operations, cloud infrastructure management, and email. Security testing is especially critical given the privileged operations this server performs.
+
+## FAKE-FUZZ ALERT
+
+- `tests/fuzz/placeholder.txt` is a scorecard placeholder inherited from rsr-template-repo — it does NOT provide real fuzz testing
+- Replace with an actual fuzz harness (see rsr-template-repo/tests/fuzz/README.adoc) or remove the file
+- Priority: P2 — creates false impression of fuzz coverage

src/abi/Boj/SafeCORS.idr

@@ -11,11 +11,14 @@
 ||| - Origin reflection without validation
 ||| - Overly permissive method/header lists
 ||| - Missing Vary: Origin header
+|||
+||| All proofs are constructive. Zero believe_me. Zero postulates.
 module Boj.SafeCORS
 
 import Data.List
 import Data.Nat
 import Data.String
+import Boj.SafetyLemmas
 
 %default total
 
@@ -30,6 +33,14 @@ isOriginChar c =
   isAlphaNum c || c == '-' || c == '.' || c == ':' || c == '/' ||
   c == '[' || c == ']'
 
+||| Predicate: an origin character list contains only valid characters.
+public export
+data OriginCharsValid : List Char -> Type where
+  MkOriginCharsValid : (cs : List Char) ->
+                       {auto nonEmpty : NonEmpty cs} ->
+                       {auto prf : all isOriginChar cs = True} ->
+                       OriginCharsValid cs
+
 ||| Predicate: an origin string contains only valid characters.
 public export
 data OriginValid : String -> Type where
@@ -50,6 +61,30 @@ data NotWildcard : String -> Type where
                   {auto prf : (s == wildcardOrigin) = False} ->
                   NotWildcard s
 
+||| Theorem: origin char validity implies no spaces (prevents header injection).
+export
+originCharsNoSpace : OriginCharsValid cs -> Not (Elem ' ' cs)
+originCharsNoSpace (MkOriginCharsValid cs {prf}) elemPrf =
+  let charFails : isOriginChar ' ' = True
+      charFails = allTrueElem prf elemPrf
+  in absurd charFails
+
+||| Theorem: origin char validity implies no newlines (prevents response splitting).
+export
+originCharsNoNewline : OriginCharsValid cs -> Not (Elem '\n' cs)
+originCharsNoNewline (MkOriginCharsValid cs {prf}) elemPrf =
+  let charFails : isOriginChar '\n' = True
+      charFails = allTrueElem prf elemPrf
+  in absurd charFails
+
+||| Theorem: origin char validity implies no carriage returns.
+export
+originCharsNoCR : OriginCharsValid cs -> Not (Elem '\r' cs)
+originCharsNoCR (MkOriginCharsValid cs {prf}) elemPrf =
+  let charFails : isOriginChar '\r' = True
+      charFails = allTrueElem prf elemPrf
+  in absurd charFails
+
 --------------------------------------------------------------------------------
 -- CORS Policy Types
 --------------------------------------------------------------------------------
@@ -74,18 +109,22 @@ data CORSHeader : Type where
 public export
 record SafeCORSPolicy where
   constructor MkSafeCORSPolicy
-  allowedOrigins  : List String
-  allowedMethods  : List CORSMethod
-  allowedHeaders  : List CORSHeader
+  allowedOrigins   : List String
+  allowedMethods   : List CORSMethod
+  allowedHeaders   : List CORSHeader
   allowCredentials : Bool
-  maxAge          : Nat  -- Preflight cache seconds
+  maxAge           : Nat  -- Preflight cache seconds
 
 --------------------------------------------------------------------------------
 -- Safety Predicates
 --------------------------------------------------------------------------------
 
 ||| Predicate: a CORS policy does not combine wildcard origin with credentials.
 ||| This is the most critical CORS misconfiguration to prevent.
+|||
+||| Constructors encode the two safe cases:
+||| - NoCredentials: credentials is False, so wildcard is harmless
+||| - NoWildcard: wildcard is not in origins, so credentials are safe
 public export
 data CORSCredentialSafe : SafeCORSPolicy -> Type where
   NoCredentials : (p : SafeCORSPolicy) ->
@@ -95,7 +134,7 @@ data CORSCredentialSafe : SafeCORSPolicy -> Type where
                   {auto prf : not (elem wildcardOrigin p.allowedOrigins) = True} ->
                   CORSCredentialSafe p
 
-||| Predicate: all origins in the policy are valid (no wildcards with credentials).
+||| Predicate: all origins in the policy are valid character-wise.
 public export
 data AllOriginsValid : List String -> Type where
   NilOrigins  : AllOriginsValid []
@@ -106,23 +145,65 @@ public export
 data ReasonableMaxAge : Nat -> Type where
   MkReasonableMaxAge : (n : Nat) -> {auto prf : LTE n 86400} -> ReasonableMaxAge n
 
+||| A fully validated CORS policy: credential-safe, valid origins, bounded max-age.
+public export
+record ValidatedCORSPolicy where
+  constructor MkValidatedCORSPolicy
+  policy          : SafeCORSPolicy
+  0 credSafe      : CORSCredentialSafe policy
+  0 originsValid  : AllOriginsValid policy.allowedOrigins
+  0 maxAgeBounded : ReasonableMaxAge policy.maxAge
+
 --------------------------------------------------------------------------------
 -- Core Theorems
 --------------------------------------------------------------------------------
 
 ||| Theorem: a policy with credentials=False is always credential-safe,
 ||| regardless of origin list contents.
+||| Proof: directly construct NoCredentials with the Refl witness.
 export
 noCredsAlwaysSafe : (p : SafeCORSPolicy) ->
                     {auto prf : p.allowCredentials = False} ->
                     CORSCredentialSafe p
 noCredsAlwaysSafe p = NoCredentials p
 
 ||| Theorem: the empty origin list is valid.
+||| Proof: NilOrigins constructor directly.
 export
 emptyOriginsValid : AllOriginsValid []
 emptyOriginsValid = NilOrigins
 
+||| Theorem: credential safety is decidable for any policy.
+||| Proof: case split on allowCredentials; if False, NoCredentials;
+||| if True, check for wildcard in origins.
+export
+decideCredentialSafe : (p : SafeCORSPolicy) ->
+                       Either (CORSCredentialSafe p)
+                              (p.allowCredentials = True, elem wildcardOrigin p.allowedOrigins = True)
+decideCredentialSafe p with (p.allowCredentials) proof credPrf
+  decideCredentialSafe p | False = Left (NoCredentials p {prf = credPrf})
+  decideCredentialSafe p | True with (elem wildcardOrigin p.allowedOrigins) proof elemPrf
+    decideCredentialSafe p | True | False =
+      Left (NoWildcard p {prf = rewrite elemPrf in Refl})
+    decideCredentialSafe p | True | True =
+      Right (credPrf, elemPrf)
+
+||| Theorem: adding a valid origin to valid origins preserves validity.
+||| Proof: ConsOrigins constructor.
+export
+consOriginsValid : OriginValid o -> AllOriginsValid os -> AllOriginsValid (o :: os)
+consOriginsValid = ConsOrigins
+
+||| Theorem: max-age of 0 is always reasonable.
+export
+zeroMaxAgeReasonable : ReasonableMaxAge 0
+zeroMaxAgeReasonable = MkReasonableMaxAge 0
+
+||| Theorem: max-age of 3600 (1 hour) is reasonable.
+export
+oneHourMaxAgeReasonable : ReasonableMaxAge 3600
+oneHourMaxAgeReasonable = MkReasonableMaxAge 3600
+
 --------------------------------------------------------------------------------
 -- Default Policies
 --------------------------------------------------------------------------------
@@ -139,6 +220,12 @@ bojDefaultCORS = MkSafeCORSPolicy
   , maxAge          = 3600
   }
 
+||| Theorem: the default CORS policy is credential-safe.
+||| Proof: credentials is False, so NoCredentials applies.
+export
+bojDefaultCORSIsSafe : CORSCredentialSafe SafeCORS.bojDefaultCORS
+bojDefaultCORSIsSafe = NoCredentials bojDefaultCORS
+
 ||| The BoJ production CORS policy: specific origins, with credentials.
 public export
 bojProductionCORS : SafeCORSPolicy
@@ -150,6 +237,12 @@ bojProductionCORS = MkSafeCORSPolicy
   , maxAge          = 7200
   }
 
+||| Theorem: the production CORS policy is credential-safe.
+||| Proof: allowedOrigins is empty, so wildcard cannot be an element.
+export
+bojProductionCORSIsSafe : CORSCredentialSafe SafeCORS.bojProductionCORS
+bojProductionCORSIsSafe = NoWildcard bojProductionCORS
+
 --------------------------------------------------------------------------------
 -- FFI Bridge Declarations
 --------------------------------------------------------------------------------
@@ -173,19 +266,24 @@ boj_safety_check_cors_policy : (originsPtr : AnyPtr) -> (methodsPtr : AnyPtr) ->
 ||| Summary of CORS safety properties proven in this module:
 |||
 ||| 1. **Credential/Wildcard Exclusion**: Credentials=True and Origin=* are
-|||    mutually exclusive. Proof: CORSCredentialSafe is a sum type requiring
-|||    either credentials=False OR wildcard not in origins.
+|||    mutually exclusive. Proof: CORSCredentialSafe sum type; decideCredentialSafe
+|||    provides a decision procedure that returns evidence for either case.
 |||
 ||| 2. **Origin Validation**: All origin strings validated against character set.
-|||    Proof: OriginValid requires all chars pass isOriginChar.
+|||    Proofs: originCharsNoSpace, originCharsNoNewline, originCharsNoCR use
+|||    allTrueElem to derive contradiction from isOriginChar.
 |||
 ||| 3. **Method Restriction**: Only GET/POST/OPTIONS allowed — no PUT/DELETE
-|||    from cross-origin contexts by default.
+|||    from cross-origin contexts by default. Proof: CORSMethod ADT.
 |||
 ||| 4. **Max-Age Bounds**: Preflight cache capped at 24 hours to limit
-|||    stale policy window.
+|||    stale policy window. Proof: ReasonableMaxAge carries LTE witness.
 |||
 ||| 5. **Default Policies**: Pre-built safe policies for dev and production.
+|||    Proofs: bojDefaultCORSIsSafe and bojProductionCORSIsSafe are witnesses.
+|||
+||| 6. **Composition**: ValidatedCORSPolicy bundles all safety properties
+|||    into a single record with erased proofs.
 public export
 corsSafetyGuarantees : String
-corsSafetyGuarantees = "BoJ SafeCORS: 5 proven properties preventing CORS misconfiguration"
+corsSafetyGuarantees = "BoJ SafeCORS: 6 proven properties preventing CORS misconfiguration"