Umbrella issue for the June 2026 review of [SPEC.md](./SPEC.md) v0.2. All findings carry the `spec-review` label; severity is on each issue.

## Critical (implementation blockers / security)

- [x] #4 — §6.1/§6.3: Signature input and hash coverage of `proof[]` undefined (incl. `memorandum`↔§8.3 contradiction)
- [x] #5 — §7.4: N-party `accept`s conflict with the linear hash chain
- [x] #6 — §6.2.1/§13: Uncontested enforcement needs contract-readable anchor state (missing §13.1 requirement; Hedera/HCS inconsistency)
- [x] #7 — §6.5: PQC-gated status mutation impractical to enforce on-chain
- [x] #8 — §5.3: Mandate revocation TOCTOU via mutable status list
- [x] #9 — §8.3/§9.2: VRF witness/arbiter selection grindable
- [x] #10 — §9.4: No evidence window / ruling deadline (escrow stranded in CHALLENGED)

## High

- [x] #11 — §7.2/§7.4: `execute` and escrow funding not atomic
- [x] #12 — §9.4/§6.2.1: Asserter bond SHOULD-only; sections contradict each other
- [x] #13 — §9.3/§7.4: Permissionless anchoring → thread pollution & dispute-freeze griefing
- [x] #14 — §7.4/§10: No mutual-settlement fast path (challenge window on every happy path)
- [x] #15 — §7: No amendment or mutual rescission after ACCEPTED/EXECUTED
- [x] #16 — §7.3/App. A: Schema & trust-list references not hash-pinned

## Medium

- [x] #17 — §12: GDPR "hash is not personal data" overstated (EDPB 02/2025)
- [x] #18 — §5.3: Mandate verification leaks negotiation-sensitive caps
- [x] #19 — §7.3/§10: Penalties lack collateral (no performance bond)
- [x] #20 — §6.5: Quantum security numbers imprecise

## Opportunities

- [x] #21 — §10: Small-claims process profile
- [x] #22 — §7: Milestone / partial-performance support

## Suggested order of attack

1. **#4, #5** — pure spec-text fixes, unblock any implementation work.
2. **#6, #7** — architectural decisions that shape the settlement-interface design; resolve before Phase-2 PoC.
3. **#8, #9, #10, #12, #13** — security/liveness; mostly additive normative rules.
4. Rest in severity order; #14/#15/#22 fit naturally together (they all touch mutual co-signed Objects and the `basis: "mutual_settlement"` directive).