Spanda

Phase 18 — Security, stability, and performance hardening

Follow-up to the post–Phase 17 audit (security B, stability A−, performance B). This plan closes P0–P3 gaps without undoing the lean-core crate layout.

Goals

Track Outcome
Security Registry integrity, safe extraction, agent auth defaults, bridge timeouts
Stability Fewer production panics, shim sunset plan, tests in owning crates
Performance Optional slim CLI, pipeline benchmarks, faster incremental builds preserved

P0 — Security (this phase)

ID Item Implementation
P0.1 Registry tarball SHA-256 Complete — sidecar + version_checksums in index
P0.2 Safe tar extraction Completetar_extract.rs rejects path traversal
P0.3 Agent auth defaults Complete — non-loopback bind requires --token

P1 — Stability

ID Item Implementation
P1.1 Shim sunset Complete (Phase 19) — removed remaining transport* shims
P1.2 Panic audit Complete — replaced .unwrap() on twin state in runtime_twin.rs; audited CLI hot paths
P1.3 Test distribution Complete (Phase 20) — package security tests in spanda-package; agent auth tests in spanda-ota / spanda-fleet

P2 — Performance

ID Item Implementation
P2.1 Slim CLI Completespanda-cli feature slim omits spanda-llvm (default keeps full binary)
P2.2 Bridge timeouts CompleteSPANDA_BRIDGE_TIMEOUT_SECS (default 30) in spanda-bridge::protocol
P2.3 Dependency audit CI Completecargo audit job in GitHub Actions

P3 — Observability

ID Item Implementation
P3.1 Pipeline benchmark Completecargo test -p spanda-driver pipeline_bench -- --ignored

Phase 18b — Signed registry (complete)

ID Item Status
B1 Ed25519 signatures on publish (SPANDA_REGISTRY_SIGN_KEY) Complete
B2 Verify on install (SPANDA_REGISTRY_TRUST_KEY, SPANDA_REGISTRY_REQUIRE_SIGNATURE) Complete
B3 version_signatures in registry index Complete
B4 Production deploy gate (official_provenance, registry_signatures) Completespanda deploy gate --policy production; see deployment-gates.md

Phase 21 — Complete ✓ (hosted registry signing + embedder slimming)

Goal: sign curated hosted registry tarballs in CI and make certification / FFI shims optional on spanda-core.

Step Status
registry-index-maintain binary refreshes checksums + Ed25519 version_signatures Complete
CI verifies hosted registry signatures (registry/TRUST_KEY) Complete
Optional certify / bridge features on spanda-core (default-features = false omits FFI + certify shims) Complete

Hosted packages are signed with material spanda-hosted-registry-v1 unless SPANDA_REGISTRY_SIGN_KEY is set. Trust key: registry/TRUST_KEY.

Deferred (post–Phase 21)

Tier 3 product items now have experimental foundations in Phase 22 — see tier-3-experimental.md. LLVM-as-primary, production blockchain, and full self-hosting remain future work.

Verification

cargo test -p spanda-package
cargo test -p spanda-ota
cargo test -p spanda-deploy-http
cargo test -p spanda-bridge
cargo test --workspace
cargo clippy --workspace -- -D warnings
python3 scripts/update_registry_checksums.py   # refresh hosted index checksums + signatures
cargo run -p spanda-package --bin registry-index-maintain -- --verify