# ProofBridge Liner — Developer Onboarding Guide **Safety Kernel v1.1.1 | 14-Day Sandbox Integration** > Goal: Integrate the Safety Kernel into the Bank's Credit Switchboard sandbox. > No prior blockchain experience required. --- ## ⚡ 60-Second QuickStart ```bash git clone https://github.com/divhanimajokweni-ctrl/proofbridge-liner cd proofbridge-liner npm install cp .env.example .env # populate API keys — see credentials checklist below ./setup.sh # TEE init + PCR0 hash verification npm start # monitoring dashboard → http://localhost:5000 npm run audit # first ghost-risk audit run ``` --- ## Prerequisites | Requirement | Version | Notes | |---|---|---| | Node.js | >= 20.0 | Required | | Foundry | latest | For contract interaction only | | Docker | >= 24 | For TSS quorum (optional in sandbox) | | TEE | AWS Nitro or Azure Confidential | PCR0 hash must be recorded before first run | --- ## Phase 1 — Environment & Auth (Days 1–3) ### Day 1: Register Credentials **Standard Bank OneHub** (`developer.standardbank.co.za`) - [ ] Create App ID → `Create New App` → record API Key + Client Secret - [ ] Subscribe to `Property Deeds Office API` under CIB Marketplace - [ ] Whitelist your TEE enclave's static IP in the API Sandbox settings **Absa Access Developer Portal** (`developer.absa.africa`) - [ ] Create application container → record Client ID + Client Secret - [ ] Generate CSR → upload to portal for mTLS certificate issuance - [ ] Request a "Sandbox User" for customer-authorized deed lookup tests **LexisNexis WinDeed** (`windeed.co.za`) - [ ] Confirm a Primary User exists in your org who can approve API access - [ ] Submit WinCredit Registration Form for ID/ownership verification data - [ ] Email `windeed.admin@lexisnexis.co.za` for sandbox REST API credentials **Deeds Office (e-DRS / DeedsWeb)** (`deeds.gov.za`) - [ ] Register on DeedsWeb portal for DRS credentials - [ ] For financial institutions: obtain Certificate of Confirmation for bi-directional e-DRS access ### Day 2: Initialise TEE Enclave ```bash ./setup.sh ``` This script: 1. Initialises the TEE environment 2. Generates and seals the enclave private key (never leaves hardware boundary) 3. Records the PCR0 hash to `config/pcr0.lock` 4. Runs attestation verification > ⚠️ Record the PCR0 hash. Any change to the proofbridge-liner image invalidates it. ### Day 3: Connectivity Check ```bash npm run test:health ``` Verifies all gateway endpoints are reachable from the enclave: - e-DRS portal - WinDeed sandbox - Standard Bank switchboard - Absa Access sandbox --- ## Phase 2 — Data Bridge (Days 4–7) ### Days 4–5: Configure Adapters Edit `adapters/deeds-registry.js`: ```javascript // Point to your bank's internal Property Deeds API const DEEDS_ENDPOINT = process.env.STANDARD_BANK_DEEDS_API_URL; const WINDEED_FALLBACK = process.env.WINDEED_API_URL; ``` Edit `config/scoring.json` for production thresholds: ```json { "jurisdiction": "South Africa", "deterministicOverride": true, "deterministicFloor": 0.8, "thresholdA": 0.60, "thresholdB": 0.355, "minMismatchesB": 2, "gamma": 20 } ``` ### Day 6: Verify Latency ```bash npm run test:load ``` Target: p95 < 50ms on the bank's internal switchboard. If latency exceeds 50ms, check gateway routing and enclave network configuration. ### Day 7: Schema Validation ```bash npm run test:schema ``` Runs Act 47 / 1937 deed structure checks against a sample of known-valid SA deed documents. All 6 regex integrity checks must pass at 100% on valid documents. --- ## Phase 3 — Compliance & Reporting (Days 8–14) ### Days 8–9: Red Team Simulation ```bash node scripts/simulate-red-team-attack.js ``` This simulates: - **Mirror Attack**: 5 gateways all returning a forged deed (TEE clamp must fire) - **Partial Collusion**: 3-of-5 gateways returning tampered data - **Class B Structural Fraud**: identity theft / unauthorized bond cancellation pattern Expected outputs: - SOC Slack alert - Email alert to configured CISO inbox - `INVALID_SLASH` decision logged in `prover-state.json` - Forensic bundle written to `docs/audit/` ### Days 10–11: goAML Export Test ```bash node scripts/goaml-export.js --test ``` Validates that flagged Class B events generate compliant goAML XML SAR reports. Check output against the FIC schema validator before submitting to compliance. ### Days 12–13: Audit Review ```bash npm run audit:review ``` Confirms that all red-team logs in `docs/audit/` are: - PII-sanitized (no raw identity data) - Compliant with FSCA JS2 Section 12 requirements - Timestamped and hash-chained ### Day 14: Steering Committee Readout Present results to the bank's risk/CISO team. Provide: - Pass/fail summary per compliance checkpoint - Sample Forensic Evidence Bundle (sealed, anonymised) - Latency and detection accuracy metrics - Recommendation: proceed to live shadow pilot or extend sandbox --- ## Shadow Pilot Mode (Days 1–7) During Phase 2, ProofBridge operates in **shadow mode**: - Flags and logs all anomalies - Does **not** block live transactions - Generates alerts and reports as if in production Blocking activates only in Phase 3 (Days 8–14) after joint review with the bank's risk team. --- ## Environment Variables Reference ``` # Standard Bank STANDARD_BANK_DEEDS_API_URL= STANDARD_BANK_API_KEY= STANDARD_BANK_CLIENT_SECRET= # Absa Access ABSA_CLIENT_ID= ABSA_CLIENT_SECRET= ABSA_MTLS_CERT_PATH= ABSA_MTLS_KEY_PATH= # LexisNexis WinDeed WINDEED_API_KEY= WINDEED_API_URL=https://api.windeed.co.za/v1 # Deeds Office EDRS_API_URL= EDRS_CERTIFICATE_PATH= # TEE ENCLAVE_PCR0_HASH= TEE_PROVIDER=aws_nitro # or azure_confidential # Alerting SOC_SLACK_WEBHOOK= CISO_EMAIL= GOAML_OUTPUT_DIR=./docs/audit/goaml # Blockchain (Polygon) PRIVATE_KEY= RPC_URL=https://rpc-amoy.polygon.technology CIRCUIT_BREAKER_ADDRESS=0x770342c49e1F4710E0Eed605dCe41e7f3F7600Eb ``` --- ## Key Non-Negotiables 1. The TEE enclave's private key **never leaves the hardware boundary**. 2. PII sanitization in audit logs is **hardware-enforced**. Exported logs contain no raw identity data. 3. Circuit trip decisions are **off-chain** (scorer + validator). The on-chain contract enforces only. 4. The bank's existing AML system remains the **authoritative compliance record**. ProofBridge augments it. --- ## Contact **Technical questions**: divhanimajokweni@gmail.com **Repository**: https://github.com/divhanimajokweni-ctrl/proofbridge-liner **Live demo**: Polygon Amoy testnet — operational **Jurisdiction**: South Africa | Act 47 of 1937 | FSCA JS2 | Cybercrimes Act 19/2020