---
id: TASK-HIGH.5
title: Link External Wallets to EncryptID + Security Hardening
status: Done
assignee: []
created_date: '2026-03-10 01:07'
updated_date: '2026-03-10 01:08'
labels: []
dependencies: []
parent_task_id: TASK-HIGH
---
## Description
<!-- SECTION:DESCRIPTION:BEGIN -->
Implemented EIP-6963 wallet discovery, SIWE ownership verification, server-side AES-256-GCM encrypted storage, and Safe owner addition flow. Full security audit addressed 16 findings across Critical, High, Medium, Low, and Informational categories.
<!-- SECTION:DESCRIPTION:END -->
## Acceptance Criteria
<!-- AC:BEGIN -->
- [x] #1 EIP-6963 provider discovery for browser wallets
- [x] #2 SIWE (Sign-In with Ethereum) ownership verification
- [x] #3 Server-side AES-256-GCM encryption at rest for linked wallet data
- [x] #4 Safe add-owner-proposal with threshold validation
- [x] #5 Security: real encryption replaces Base64 (C-1)
- [x] #6 Security: XSS-safe token name escaping (H-1)
- [x] #7 Security: salted address hashes (H-2)
- [x] #8 Security: rate limiting on nonce endpoint (H-3)
- [x] #9 Security: sender verified against JWT (H-4)
- [x] #10 Security: icon URI sanitization (M-1)
- [x] #11 Security: threshold bounds checking (M-2)
- [x] #12 Security: SSRF prevention via address validation (M-3)
- [x] #13 Security: no cleartext sessionStorage cache (M-4)
- [x] #14 Security: low-severity hardening (L-1 through L-7)
- [x] #15 Security: headers and EIP-712 fixes (I-1, I-9)
<!-- AC:END -->
## Implementation Notes
<!-- SECTION:NOTES:BEGIN -->
Implemented across 5 commits (c789481, d861c0a, 45f5cea, 92fde65, bc810d3). New files: eip6963.ts, external-signer.ts, linked-wallets.ts. Modified: server.ts, db.ts, session.ts, schema.sql, mod.ts, folk-wallet-viewer.ts. Full security audit: 16 findings (1C, 4H, 4M, 7L, 9I) — all actionable items resolved.
<!-- SECTION:NOTES:END -->