rspace-online/backlog/tasks/task-high.5 - Link-External...

| id | title | status | assignee | created_date | updated_date | labels | dependencies | parent_task_id |
|---|---|---|---|---|---|---|---|---|
| TASK-HIGH.5 | Link External Wallets to EncryptID + Security Hardening | Done | | 2026-03-10 01:07 | 2026-03-10 01:08 | | | TASK-HIGH |

Description

Implemented EIP-6963 wallet discovery, SIWE ownership verification, server-side AES-256-GCM encrypted storage, and Safe owner addition flow. Full security audit addressed 16 findings across Critical, High, Medium, Low, and Informational categories.

Acceptance Criteria

  • #1 EIP-6963 provider discovery for browser wallets
  • #2 SIWE (Sign-In with Ethereum) ownership verification
  • #3 Server-side AES-256-GCM encryption at rest for linked wallet data
  • #4 Safe add-owner-proposal with threshold validation
  • #5 Security: real encryption replaces Base64 (C-1)
  • #6 Security: XSS-safe token name escaping (H-1)
  • #7 Security: salted address hashes (H-2)
  • #8 Security: rate limiting on nonce endpoint (H-3)
  • #9 Security: sender verified against JWT (H-4)
  • #10 Security: icon URI sanitization (M-1)
  • #11 Security: threshold bounds checking (M-2)
  • #12 Security: SSRF prevention via address validation (M-3)
  • #13 Security: no cleartext sessionStorage cache (M-4)
  • #14 Security: low-severity hardening (L-1 through L-7)
  • #15 Security: headers and EIP-712 fixes (I-1, I-9)

Implementation Notes

Implemented across 5 commits (c789481, d861c0a, 45f5cea, 92fde65, bc810d3). New files: eip6963.ts, external-signer.ts, linked-wallets.ts. Modified: server.ts, db.ts, session.ts, schema.sql, mod.ts, folk-wallet-viewer.ts. Full security audit: 16 findings (1C, 4H, 4M, 7L, 9I) — all actionable items resolved.