# ProofBridge Liner: Developer Onboarding Guide
**Safety Kernel v1.1.1 | 14-Day Sandbox Integration**
> Goal: Integrate the Safety Kernel into the Bank's Credit Switchboard sandbox.
> No prior blockchain experience required.
---
## 60-Second QuickStart
```bash
git clone https://github.com/divhanimajokweni-ctrl/proofbridge-liner
cd proofbridge-liner
npm install
cp .env.example .env   # populate API keys (see credentials checklist below)
./setup.sh             # TEE init + PCR0 hash verification
npm start              # monitoring dashboard at http://localhost:5000
npm run audit # first ghost-risk audit run
```
---
## Prerequisites
| Requirement | Version | Notes |
|---|---|---|
| Node.js | >= 20.0 | Required |
| Foundry | latest | For contract interaction only |
| Docker | >= 24 | For TSS quorum (optional in sandbox) |
| TEE | AWS Nitro or Azure Confidential | PCR0 hash must be recorded before first run |
---
## Phase 1: Environment & Auth (Days 1-3)
### Day 1: Register Credentials
**Standard Bank OneHub** (`developer.standardbank.co.za`)
- [ ] Create App ID -> `Create New App` -> record API Key + Client Secret
- [ ] Subscribe to `Property Deeds Office API` under CIB Marketplace
- [ ] Whitelist your TEE enclave's static IP in the API Sandbox settings
**Absa Access Developer Portal** (`developer.absa.africa`)
- [ ] Create application container -> record Client ID + Client Secret
- [ ] Generate CSR -> upload to portal for mTLS certificate issuance
- [ ] Request a "Sandbox User" for customer-authorized deed lookup tests
**LexisNexis WinDeed** (`windeed.co.za`)
- [ ] Confirm a Primary User exists in your org who can approve API access
- [ ] Submit WinCredit Registration Form for ID/ownership verification data
- [ ] Email `windeed.admin@lexisnexis.co.za` for sandbox REST API credentials
**Deeds Office (e-DRS / DeedsWeb)** (`deeds.gov.za`)
- [ ] Register on DeedsWeb portal for DRS credentials
- [ ] For financial institutions: obtain Certificate of Confirmation for bi-directional e-DRS access
### Day 2: Initialise TEE Enclave
```bash
./setup.sh
```
This script:
1. Initialises the TEE environment
2. Generates and seals the enclave private key (never leaves hardware boundary)
3. Records the PCR0 hash to `config/pcr0.lock`
4. Runs attestation verification
> Warning: Record the PCR0 hash. Any change to the proofbridge-liner image invalidates it.
### Day 3: Connectivity Check
```bash
npm run test:health
```
Verifies all gateway endpoints are reachable from the enclave:
- e-DRS portal
- WinDeed sandbox
- Standard Bank switchboard
- Absa Access sandbox
---
## Phase 2: Data Bridge (Days 4-7)
### Days 4-5: Configure Adapters
Edit `adapters/deeds-registry.js`:
```javascript
// Point to your bank's internal Property Deeds API
const DEEDS_ENDPOINT = process.env.STANDARD_BANK_DEEDS_API_URL;
const WINDEED_FALLBACK = process.env.WINDEED_API_URL;
```
Edit `config/scoring.json` for production thresholds:
```json
{
"jurisdiction": "South Africa",
"deterministicOverride": true,
"deterministicFloor": 0.8,
"thresholdA": 0.60,
"thresholdB": 0.355,
"minMismatchesB": 2,
"gamma": 20
}
```
### Day 6: Verify Latency
```bash
npm run test:load
```
Target: p95 < 50ms on the bank's internal switchboard.
If latency exceeds 50ms, check gateway routing and enclave network configuration.
### Day 7: Schema Validation
```bash
npm run test:schema
```
Runs Act 47 of 1937 deed structure checks against a sample of known-valid SA deed documents.
All 6 regex integrity checks must pass at 100% on valid documents.
---
## Phase 3: Compliance & Reporting (Days 8-14)
### Days 8-9: Red Team Simulation
```bash
node scripts/simulate-red-team-attack.js
```
This simulates:
- **Mirror Attack**: 5 gateways all returning a forged deed (TEE clamp must fire)
- **Partial Collusion**: 3-of-5 gateways returning tampered data
- **Class B Structural Fraud**: identity theft / unauthorized bond cancellation pattern
Expected outputs:
- SOC Slack alert
- Email alert to configured CISO inbox
- `INVALID_SLASH` decision logged in `prover-state.json`
- Forensic bundle written to `docs/audit/`
### Days 10-11: goAML Export Test
```bash
node scripts/goaml-export.js --test
```
Validates that flagged Class B events generate compliant goAML XML SAR reports.
Check output against the FIC schema validator before submitting to compliance.
### Days 12-13: Audit Review
```bash
npm run audit:review
```
Confirms that all red-team logs in `docs/audit/` are:
- PII-sanitized (no raw identity data)
- Compliant with FSCA JS2 Section 12 requirements
- Timestamped and hash-chained
### Day 14: Steering Committee Readout
Present results to the bank's risk/CISO team. Provide:
- Pass/fail summary per compliance checkpoint
- Sample Forensic Evidence Bundle (sealed, anonymised)
- Latency and detection accuracy metrics
- Recommendation: proceed to live shadow pilot or extend sandbox
---
## Shadow Pilot Mode (Days 1-7)
During Phase 2, ProofBridge operates in **shadow mode**:
- Flags and logs all anomalies
- Does **not** block live transactions
- Generates alerts and reports as if in production
Blocking activates only in Phase 3 (Days 8-14) after joint review with the bank's risk team.
---
## Environment Variables Reference
```
# Standard Bank
STANDARD_BANK_DEEDS_API_URL=
STANDARD_BANK_API_KEY=
STANDARD_BANK_CLIENT_SECRET=
# Absa Access
ABSA_CLIENT_ID=
ABSA_CLIENT_SECRET=
ABSA_MTLS_CERT_PATH=
ABSA_MTLS_KEY_PATH=
# LexisNexis WinDeed
WINDEED_API_KEY=
WINDEED_API_URL=https://api.windeed.co.za/v1
# Deeds Office
EDRS_API_URL=
EDRS_CERTIFICATE_PATH=
# TEE
ENCLAVE_PCR0_HASH=
TEE_PROVIDER=aws_nitro # or azure_confidential
# Alerting
SOC_SLACK_WEBHOOK=
CISO_EMAIL=
GOAML_OUTPUT_DIR=./docs/audit/goaml
# Blockchain (Polygon)
PRIVATE_KEY=
RPC_URL=https://rpc-amoy.polygon.technology
CIRCUIT_BREAKER_ADDRESS=0x770342c49e1F4710E0Eed605dCe41e7f3F7600Eb
```
---
## Key Non-Negotiables
1. The TEE enclave's private key **never leaves the hardware boundary**.
2. PII sanitization in audit logs is **hardware-enforced**. Exported logs contain no raw identity data.
3. Circuit trip decisions are **off-chain** (scorer + validator). The on-chain contract only enforces those decisions.
4. The bank's existing AML system remains the **authoritative compliance record**. ProofBridge augments it.
---
## Contact
**Technical questions**: divhanimajokweni@gmail.com
**Repository**: https://github.com/divhanimajokweni-ctrl/proofbridge-liner
**Live demo**: Polygon Amoy testnet (operational)
**Jurisdiction**: South Africa | Act 47 of 1937 | FSCA JS2 | Cybercrimes Act 19/2020