feat(remittance_split): add snapshot export integrity verification (#251) #404
Merged
Baskarayelu merged 3 commits into Remitwise-Org:main, Mar 28, 2026
Conversation
131a57f to b092aa5

…emitwise-Org#251)

Implements FNV-1a checksum-based tamper detection for split config snapshots and adds version gating, ownership binding, timestamp sanity checks, and replay protection via nonce to prevent malicious or corrupted payloads from being restored.

Changes:
- Add `exported_at` field to `ExportSnapshot` struct (snapshot format v2)
- Replace trivial checksum with FNV-1a 64-bit hash over all config fields
- Add SNAPSHOT_VERSION / MIN_SNAPSHOT_VERSION constants for version gating
- Rewrite `import_snapshot` with 8 ordered integrity checks:
  1. Version boundary (UnsupportedVersion)
  2. FNV-1a checksum (ChecksumMismatch)
  3. Initialized flag (SnapshotNotInitialized)
  4. Per-field percentage range <= 100 (InvalidPercentageRange)
  5. Sum == 100 (InvalidPercentages)
  6. Timestamp sanity - no future timestamps (FutureTimestamp)
  7. Caller is current owner (Unauthorized)
  8. Snapshot owner matches caller (OwnerMismatch)
- Add `verify_snapshot` read-only pre-flight function
- Add new error variants: OwnerMismatch, SnapshotNotInitialized, FutureTimestamp, InvalidPercentageRange
- Add SnapshotExported / SnapshotImported to SplitEvent enum
- Rename PercentagesDoNotSumTo100 to InvalidPercentages throughout
- Add 30+ snapshot integrity tests; fix 3 pre-existing test failures
- Update remittance_split/README.md with full snapshot API docs
- Resolve workspace ed25519-dalek conflict by excluding sdk-v20 crates
b092aa5 to c390f0f

…artial move, and gas baseline

- orchestrator: add Copy derive to ExecutionState enum (E0277)
- orchestrator: implement missing validate_remittance_flow_addresses helper (E0599)
- savings_goals: fix partial move bug in upgrade_admin matcher (E0382)
- benchmarks: update gas baseline to match current remittance_split implementation
FNV-1a Checksum-Based Tamper Detection for Split Config Snapshots
Implements FNV-1a checksum-based tamper detection for split config snapshots and adds version gating, ownership binding, timestamp sanity checks, and replay protection via nonce to prevent malicious or corrupted payloads from being restored.
Changes

Snapshot Format
- Add `exported_at` field to `ExportSnapshot` struct (snapshot format v2)
- Add `SNAPSHOT_VERSION` / `MIN_SNAPSHOT_VERSION` constants for version gating

`import_snapshot` — 8 Ordered Integrity Checks
Rewrote `import_snapshot` with the following ordered checks:
1. Version boundary (`UnsupportedVersion`)
2. FNV-1a checksum (`ChecksumMismatch`)
3. Initialized flag (`SnapshotNotInitialized`)
4. Per-field percentage range <= 100 (`InvalidPercentageRange`)
5. Sum == 100 (`InvalidPercentages`)
6. Timestamp sanity, no future timestamps (`FutureTimestamp`)
7. Caller is current owner (`Unauthorized`)
8. Snapshot owner matches caller (`OwnerMismatch`)

New Additions
- `verify_snapshot` read-only pre-flight function
- New error variants: `OwnerMismatch`, `SnapshotNotInitialized`, `FutureTimestamp`, `InvalidPercentageRange`
- `SnapshotExported` / `SnapshotImported` added to `SplitEvent` enum

Renames & Fixes
- `PercentagesDoNotSumTo100` → `InvalidPercentages` throughout

Docs & Workspace
- Update `remittance_split/README.md` with full snapshot API docs
- Resolve `ed25519-dalek` conflict by excluding `sdk-v20` crates

Closes #251
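The checksum and the eight ordered checks described above, as an added Rust example that is not the project's own code. It reuses the names the PR mentions (`ExportSnapshot`, `exported_at`, `SNAPSHOT_VERSION`, `MIN_SNAPSHOT_VERSION`, `verify_snapshot`, `import_snapshot` and the error variants); the remaining field layout, the `String` stand-in for the contract's address type, the three-share percentage array and the little-endian field serialization are assumptions made for the illustration, and the owner strings are constructed placeholders. The order of the checks is the security-relevant part: the checksum is verified before any field is trusted, and the per-field range check runs before the sum so that out-of-range values cannot make the sum overflow.

```rust
// Added example, not the remittance_split project's code. Names other than
// those quoted from the PR description are assumptions.

pub const SNAPSHOT_VERSION: u32 = 2;
pub const MIN_SNAPSHOT_VERSION: u32 = 2;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SplitError {
    UnsupportedVersion,
    ChecksumMismatch,
    SnapshotNotInitialized,
    InvalidPercentageRange,
    InvalidPercentages,
    FutureTimestamp,
    Unauthorized,
    OwnerMismatch,
}

/// Snapshot format v2. Only `exported_at` is named by the PR; the other
/// fields are assumed for this example.
#[derive(Debug, Clone)]
pub struct ExportSnapshot {
    pub version: u32,
    pub owner: String,         // assumption: String stands in for the contract Address type
    pub percentages: [u32; 3], // assumption: three recipient shares
    pub initialized: bool,
    pub exported_at: u64,      // ledger timestamp at export time
    pub checksum: u64,         // FNV-1a 64 over every field above
}

/// FNV-1a 64-bit: XOR the byte in, then multiply by the prime (mod 2^64).
pub fn fnv1a_64(bytes: &[u8]) -> u64 {
    const OFFSET_BASIS: u64 = 0xcbf2_9ce4_8422_2325;
    const PRIME: u64 = 0x0000_0100_0000_01b3;
    bytes
        .iter()
        .fold(OFFSET_BASIS, |h, &b| (h ^ u64::from(b)).wrapping_mul(PRIME))
}

/// Serialize the config fields in a fixed order (little-endian, length-prefixed
/// owner) so exporter and importer hash exactly the same byte string.
pub fn snapshot_checksum(s: &ExportSnapshot) -> u64 {
    let mut buf = Vec::new();
    buf.extend_from_slice(&s.version.to_le_bytes());
    buf.extend_from_slice(&(s.owner.len() as u32).to_le_bytes());
    buf.extend_from_slice(s.owner.as_bytes());
    for p in &s.percentages {
        buf.extend_from_slice(&p.to_le_bytes());
    }
    buf.push(u8::from(s.initialized));
    buf.extend_from_slice(&s.exported_at.to_le_bytes());
    fnv1a_64(&buf)
}

/// Build a v2 snapshot and seal it with its checksum.
pub fn export_snapshot(owner: &str, percentages: [u32; 3], initialized: bool, now: u64) -> ExportSnapshot {
    let mut s = ExportSnapshot {
        version: SNAPSHOT_VERSION,
        owner: owner.to_string(),
        percentages,
        initialized,
        exported_at: now,
        checksum: 0,
    };
    s.checksum = snapshot_checksum(&s);
    s
}

/// Read-only pre-flight: the eight checks in the order the PR lists them.
/// The first failing check is reported; nothing is mutated.
pub fn verify_snapshot(s: &ExportSnapshot, caller: &str, current_owner: &str, now: u64) -> Result<(), SplitError> {
    // 1. Version boundary: reject formats older than the minimum or newer than we know.
    if s.version < MIN_SNAPSHOT_VERSION || s.version > SNAPSHOT_VERSION {
        return Err(SplitError::UnsupportedVersion);
    }
    // 2. Checksum: no other field is trusted until the payload is known to be intact.
    if snapshot_checksum(s) != s.checksum {
        return Err(SplitError::ChecksumMismatch);
    }
    // 3. Initialized flag.
    if !s.initialized {
        return Err(SplitError::SnapshotNotInitialized);
    }
    // 4. Per-field range first, so the sum in step 5 cannot overflow on hostile input.
    if s.percentages.iter().any(|&p| p > 100) {
        return Err(SplitError::InvalidPercentageRange);
    }
    // 5. Shares must sum to exactly 100.
    if s.percentages.iter().sum::<u32>() != 100 {
        return Err(SplitError::InvalidPercentages);
    }
    // 6. Timestamp sanity: a snapshot cannot come from the future.
    if s.exported_at > now {
        return Err(SplitError::FutureTimestamp);
    }
    // 7. Caller must be the current owner.
    if caller != current_owner {
        return Err(SplitError::Unauthorized);
    }
    // 8. Snapshot must have been exported by that same owner (binding survives ownership transfer).
    if s.owner != caller {
        return Err(SplitError::OwnerMismatch);
    }
    Ok(())
}

/// Import applies the verified percentages; callers get the same errors as the pre-flight.
pub fn import_snapshot(s: &ExportSnapshot, caller: &str, current_owner: &str, now: u64) -> Result<[u32; 3], SplitError> {
    verify_snapshot(s, caller, current_owner, now)?;
    Ok(s.percentages)
}
```

Running `verify_snapshot` before `import_snapshot` lets a client learn which check a payload would fail without spending the write; because both share one function, a snapshot that passes the pre-flight cannot be rejected by the import for a different reason.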