{"ok":true,"checkedAt":"2026-07-17T20:52:55.330Z","contractVersion":"moral-trade-account-security-v0.1-2026-06","purpose":"Require frozen account-security policies and non-blocking account-security events before real-money, reliance-bearing, privacy-disclosing, or exposure-increasing actions.","validation":{"status":"pass","validatorName":"moral-trade-account-security-contract","validatorVersion":"moral-trade-account-security-validator-v0.1","contractVersion":"moral-trade-account-security-v0.1-2026-06","checks":[{"id":"first-class-record-tables","label":"Account-security policy and event tables are first-class records.","status":"pass","evidence":"moral_trade_account_security_policies, moral_trade_account_security_events"},{"id":"policy-snapshot-subject","label":"Account security resolves through an immutable policy snapshot subject.","status":"pass","evidence":"account_security"},{"id":"high-risk-actions","label":"The contract covers confirmations, payment methods, capture, payout, privacy grants, identity changes, contact introductions, account recovery, MFA/email changes, exposure increases, and reliance-bearing agreements.","status":"pass","evidence":"payment_method_change, participant_confirmation, payment_authorization, payment_capture, payout_release, privacy_grant, identity_artifact_change, contact_introduction, account_recovery, email_change, mfa_change, exposure_increase, reliance_bearing_agreement"},{"id":"event-types","label":"The event taxonomy includes new devices, session anomalies, payment-method changes, email/MFA changes, recovery, identity artifacts, and step-up outcomes.","status":"pass","evidence":"login, password_change, new_device, session_anomaly, payment_method_change, email_change, mfa_change, account_recovery, identity_artifact_change, participant_identity_change, step_up_passed, step_up_failed, manual_review"},{"id":"fail-closed-statuses","label":"High-risk, stale, missing, step-up, notice, cooldown, trusted-device, manual-review, and account-recovery blockers are explicit.","status":"pass","evidence":"policy_missing, policy_mutable, policy_stale, policy_superseded, event_missing, event_stale, high_risk_event_open, blocked_risk_state, step_up_required, step_up_failed, notice_missing, cooldown_active, manual_review_required, trusted_device_required, invalid_event_hash, invalid_participant_hash, account_recovery_block"},{"id":"browser-session-not-sufficient","label":"The contract explicitly rejects browser-session-only trust for high-risk actions.","status":"pass","evidence":"A browser session alone is not trusted for confirmations, captures, payout releases, privacy grants, contact introductions, identity changes, or exposure increases. Missing, stale, mutable, high-risk, unresolved, or silently waived account-security evidence fails closed until step-up, notice, cooldown, or manual review satisfies the frozen account-security policy."},{"id":"privacy-boundary","label":"The public contract excludes raw device, session, recovery, provider, and security-signal details.","status":"pass","evidence":"Account-security events are private, participant-scoped records. Public contract responses expose only policy/action keys and validation summaries, never device fingerprints, session anomalies, recovery details, provider payloads, or raw security signals."},{"id":"sample-evaluations","label":"The public contract exposes passing confirmation and privacy-grant samples plus a blocked payment-capture sample.","status":"pass","evidence":"participant_confirmation:pass, payment_capture:blocked, privacy_grant:pass"},{"id":"contract-tests","label":"Account-security contract test hooks are published.","status":"pass","evidence":"account_security_contract_validator, account_security_missing_or_mutable_policy_fails_closed, account_security_high_risk_events_require_step_up_notice_cooldown_or_review, account_security_browser_session_only_never_authorizes_high_risk_actions, account_security_route_health_spec_and_schema_wiring"}],"blockers":[]},"publicContract":{"privacyRule":"Account-security events are private, participant-scoped records. Public contract responses expose only policy/action keys and validation summaries, never device fingerprints, session anomalies, recovery details, provider payloads, or raw security signals.","failClosedRule":"A browser session alone is not trusted for confirmations, captures, payout releases, privacy grants, contact introductions, identity changes, or exposure increases. Missing, stale, mutable, high-risk, unresolved, or silently waived account-security evidence fails closed until step-up, notice, cooldown, or manual review satisfies the frozen account-security policy.","firstClassRecordTables":["moral_trade_account_security_policies","moral_trade_account_security_events"],"policySnapshotSubjects":["account_security"],"highRiskActions":["payment_method_change","participant_confirmation","payment_authorization","payment_capture","payout_release","privacy_grant","identity_artifact_change","contact_introduction","account_recovery","email_change","mfa_change","exposure_increase","reliance_bearing_agreement"],"eventTypes":["login","password_change","new_device","session_anomaly","payment_method_change","email_change","mfa_change","account_recovery","identity_artifact_change","participant_identity_change","step_up_passed","step_up_failed","manual_review"],"failClosedStatuses":["policy_missing","policy_mutable","policy_stale","policy_superseded","event_missing","event_stale","high_risk_event_open","blocked_risk_state","step_up_required","step_up_failed","notice_missing","cooldown_active","manual_review_required","trusted_device_required","invalid_event_hash","invalid_participant_hash","account_recovery_block"],"actions":[{"key":"login","blocksRiskClasses":["blocked","manual_review"],"userFacingBlockerCategory":"Account access needs a security check"},{"key":"payment_method_change","blocksRiskClasses":["high","blocked","manual_review","stale"],"userFacingBlockerCategory":"Payment settings need a security check"},{"key":"participant_confirmation","blocksRiskClasses":["high","blocked","manual_review","stale"],"userFacingBlockerCategory":"Confirmation needs account-security review"},{"key":"payment_authorization","blocksRiskClasses":["high","blocked","manual_review","stale"],"userFacingBlockerCategory":"Payment authorization needs account-security review"},{"key":"payment_capture","blocksRiskClasses":["high","blocked","manual_review","stale"],"userFacingBlockerCategory":"Payment capture needs account-security review"},{"key":"payout_release","blocksRiskClasses":["high","blocked","manual_review","stale"],"userFacingBlockerCategory":"Payout release needs account-security review"},{"key":"privacy_grant","blocksRiskClasses":["high","blocked","manual_review","stale"],"userFacingBlockerCategory":"Private-data disclosure needs account-security review"},{"key":"identity_artifact_change","blocksRiskClasses":["high","blocked","manual_review","stale"],"userFacingBlockerCategory":"Identity changes need account-security review"},{"key":"contact_introduction","blocksRiskClasses":["high","blocked","manual_review","stale"],"userFacingBlockerCategory":"Contact introduction needs account-security review"},{"key":"account_recovery","blocksRiskClasses":["high","blocked","manual_review","stale"],"userFacingBlockerCategory":"Account recovery needs review before high-risk actions"},{"key":"email_change","blocksRiskClasses":["high","blocked","manual_review","stale"],"userFacingBlockerCategory":"Email changes need account-security review"},{"key":"mfa_change","blocksRiskClasses":["high","blocked","manual_review","stale"],"userFacingBlockerCategory":"MFA changes need account-security review"},{"key":"exposure_increase","blocksRiskClasses":["high","blocked","manual_review","stale"],"userFacingBlockerCategory":"Exposure increases need account-security review"},{"key":"reliance_bearing_agreement","blocksRiskClasses":["high","blocked","manual_review","stale"],"userFacingBlockerCategory":"Reliance-bearing agreements need account-security review"}],"accountSecuritySampleEvaluationStatuses":{"participant_confirmation":"pass","payment_capture":"blocked","privacy_grant":"pass"},"contractTests":["account_security_contract_validator","account_security_missing_or_mutable_policy_fails_closed","account_security_high_risk_events_require_step_up_notice_cooldown_or_review","account_security_browser_session_only_never_authorizes_high_risk_actions","account_security_route_health_spec_and_schema_wiring"]},"blockers":[]}