Harden the trust layer before stronger claims.
v6.4 defines the security and compliance hardening direction for SafeGate before any production API, broader pilot, or agent-ready claim.
The goal is simple: every receipt verification, access unlock, merchant record, and audit event must remain bounded, rate-limited, replay-aware, privacy-aware, and safe on failure.
30-Second v6.4 Summary
SafeGate hardening means: no secret exposure, no unsafe unlock, no unlogged verification, no stack trace leakage, no replay abuse, and no overclaim.
1. Hardening Checklist
Secret Management
Service role keys, wallet passphrases, access tokens, API keys, and database strings must never appear in public responses, frontend code, screenshots, or logs.
Secret Rotation Direction
Production design should include rotation playbooks for API keys, receipt signing secrets, service keys, webhook secrets, and compromised credentials.
Merchant/API Rate Limiting
Future rate limits should be scoped by merchant, API key, receipt ID, and suspicious behavior patterns, not only by IP address.
Replay Protection
Duplicate or replay-like verification attempts must preserve existing state, avoid new unlocks, and create audit-relevant events.
Safe Error Handling
500 errors must be generic and safe. No stack trace, Supabase/Postgres strings, env names, tokens, file paths, or provider payloads.
Audit Log Retention
Verification, mismatch, replay, rate limit, ambiguous state, and internal safe errors should become minimal audit events with retention policy direction.
Privacy Boundary
Public evidence should show enough for review but not expose unnecessary buyer, merchant, wallet, order, or internal metadata.
Role-Based Visibility
Future viewers should distinguish public, merchant, reviewer, operator, and admin visibility instead of exposing one universal evidence view.
Incident Response
Define what happens if a key leaks, payment provider is ambiguous, database writes fail, rate limits are abused, or a malicious actor probes receipt IDs.
2. Hardening Control Matrix
| Risk | Control | Safe Result | Audit Event |
|---|---|---|---|
| Secret exposure | Server-side only secrets + safe response filter | No secret in public artifact | SECURITY_RESPONSE_FILTERED |
| Replay attempt | Idempotency + existing state preservation | No new unlock | VERIFY_REPLAY_ATTEMPT |
| Ambiguous payment state | Fail-secure verification boundary | No unlock until confirmed | VERIFY_AMBIGUOUS_FAIL_SECURE |
| Rate-limit abuse | Merchant/key scoped throttling direction | Request throttled | VERIFY_RATE_LIMITED |
| Receipt ID probing | Bounded errors + no enumeration hints | No extra detail leak | VERIFY_RECEIPT_NOT_FOUND |
| Internal server error | Generic safe error | No stack trace | VERIFY_INTERNAL_ERROR_SAFE |
3. Public-Safe Error Response Pattern
{
"ok": false,
"statusCode": 500,
"code": "INTERNAL_ERROR_SAFE",
"message": "Verification could not be completed safely.",
"safeBehavior": "NO_UNLOCK",
"auditEvent": {
"eventType": "VERIFY_INTERNAL_ERROR_SAFE",
"result": "ERROR_SAFE",
"createdAt": "mock_timestamp"
},
"debug": null,
"backendSecretExposed": false,
"stackTraceExposed": false,
"databaseStringExposed": false,
"piMainnetSettlementClaim": false
}
4. Future Role-Based Visibility Direction
| Viewer Role | Can See | Must Not See |
|---|---|---|
| Public | Summary result, event names, bounded status, public boundary | Private buyer data, merchant private metadata, secrets, raw provider payload |
| Merchant | Own receipts, order mapping, access state, merchant evidence state | Other merchant records, service role keys, internal logs |
| Reviewer | Evidence summary, audit timeline, selected proof fields | Unnecessary PII, raw secrets, unrelated merchant data |
| Operator | Operational alerts, rate-limit events, safe error categories | Wallet passphrase, exposed tokens, avoidable raw sensitive data |
5. Pre-Production Hardening Gates
Gate 1: Secret Safety
No secret appears in frontend bundle, public page, JSON response, logs, screenshots, or GitHub public docs.
Gate 2: Verification Safety
Invalid, missing, ambiguous, replayed, mismatched, unauthorized, and rate-limited cases do not unlock access.
Gate 3: Audit Completeness
Every verification attempt produces a minimal audit event: event, time, result, boundary.
Gate 4: Privacy Boundary
Public/reviewer/merchant views expose only necessary information for their role.
Gate 5: Abuse Control
Rate-limit, replay, enumeration, and automated probing behaviors are blocked or throttled and logged.
Gate 6: Incident Readiness
There is a written response path for key leak, provider ambiguity, database failure, and malicious probing.
6. What v6.4 Does Not Claim
v6.4 is a security and compliance hardening direction page. It does not claim that all controls are production-implemented today.
It defines the control gates SafeGate should satisfy before stronger working-proof, public API, or production-readiness claims.
7. V6 Progression
v6.0 Audit Trail Planning
v6.1 Endpoint Direction
v6.2 Edge Case Plan
v6.3 Evidence Timeline
v6.4 Security Hardening
Current stage: controls, gates, and compliance boundary.
8. Public Boundary
SafeGate v6.4 is a public hardening direction page. It does not claim a production public API, does not issue real API keys, does not create production merchant accounts, does not expose backend secrets, and does not claim Pi Mainnet settlement proof.
Current evidence remains Pi Testnet controlled post-payment trust flow.