KYA — Technical Self-Review

of 33 passing

Daml Script tests

compiler warnings

Clean build

of 13 templates created

Template coverage

of 21 choices exercised

Choice coverage

01 — Build verification

Compiled and tested
against Daml SDK 3.4.10

Pass

daml build

Compiles to kya-0.1.0.dar with zero errors and zero warnings. All imports verified, no dead code.

Pass

daml test

33 Daml Script tests execute against the in-memory ledger. All pass. No flaky or skipped tests.

Verified

Dependencies

daml-prim, daml-stdlib, daml-script. No external packages. FeaturedAppStub used in place of splice DAR.

02 — Security review

Authorization, access control,
and input validation

Every Daml template, choice, and verification function was reviewed for authorization gaps, missing validations, and data integrity problems.

Findings requiring action

ID	Finding	Module	Status
SEC-001	rewardSplit had no validation — values >1.0 or negative would produce invalid reward weights Fixed: added `ensure rewardSplit >= 0.0 && rewardSplit <= 1.0` to KyaSettlementHook	Application.daml	Fixed
SEC-002	agentParty on verification request was not validated against agentCredential.holder Fixed: added assertMsg checking holder == agentParty in KyaVerificationRequest_Verify	Application.daml	Fixed
SEC-003	Settlement hook controller changed from integratingApp to kyaProvider for visibility correctness Fixed: kyaProvider must exercise settlement to have visibility on FeaturedAppRight. Authority flows correctly via bilateral signatory set.	Application.daml	Fixed
SEC-004	principalParty on proof is derived from agentCredential.issuer rather than principalCredential.holder Noted: correct for the two-hop delegation model where the principal issues the agent credential. Monitor if delegation model changes.	Application.daml	Noted

Passing checks

ID	Check	Module	Status
SEC-010	Credential signatory requires both issuer and holder	CredentialStub.daml	Pass
SEC-011	KyaVerificationRequest signatory is requester only; kyaProvider is observer	Application.daml	Pass
SEC-012	KyaVerificationRequest_Verify controlled by kyaProvider	Application.daml	Pass
SEC-013	KyaVerificationProof signatory is kyaProvider; verifier is observer	Application.daml	Pass
SEC-014	KyaVerificationProof_Consume checks expiry before archiving	Application.daml	Pass
SEC-015	Credential validFrom/validUntil checked during verification	Verifier.daml	Pass
SEC-016	Schema version validated (“1”) before any other checks	Verifier.daml	Pass
SEC-017	Transaction value checked against maxTransactionValue	Verifier.daml	Pass
SEC-018	Instrument ID checked against allowedInstruments list	Verifier.daml	Pass
SEC-019	Delegation chain validates issuer is in trusted issuers list	Verifier.daml	Pass
SEC-020	Settlement hook requires bilateral signatures (kyaProvider + integratingApp)	Application.daml	Pass
SEC-021	KyaSettlementHook_Execute is nonconsuming (reusable across transactions)	Application.daml	Pass
SEC-022	Revocation registry checks credential ID before issuing proof	Application.daml	Pass
SEC-023	Daily volume tracker checked and updated atomically in verify choice	Application.daml	Pass
SEC-024	KyaDailyVolumeTracker ensures usedVolume >= 0.0	Application.daml	Pass
SEC-025	Validation hook results fetched and all must pass before proof creation	Application.daml	Pass

Warnings — acceptable risk

ID	Warning	Status
SEC-030	proofValiditySeconds has no upper bound — KYA provider is trusted, and excessively long proofs are an operational concern not a security one	Warn
SEC-031	Claim values are all Text with no type enforcement at the Daml level — validation happens in verifier functions which return typed results	Warn
SEC-032	FeaturedAppRight is a stub — real Canton splice-api-featured-app DAR may have a different interface	Warn

03 — Test coverage

33 Daml Script tests
in a single test module

Verifier & Schema

Pure verification tests

Application layer

On-ledger flow tests

Hooks & profiles

Validation & discovery

What the tests cover

Verifier

Credential validation

Valid credential, expired, missing version, bad agent class, capability check, instrument filtering, tx limits, decimal parsing (3 tests), code hash extraction

Verifier

Delegation chains

Valid two-hop chain, broken chain (untrusted issuer), principal credential matching

Application

Verification flow

Full request-to-proof flow, verification failure, expired proof rejection, hook results wired into proof

Application

Settlement

Settlement hook exercise, activity marker creation with reward split, proof consumption on settlement

Application

Revocation & volume

Revoked credential blocked, clean registry passes, daily volume within limit, daily volume exceeds limit

Hooks & profiles

Validation & discovery

Sanctions hook (pass/fail), exposure limit hook (pass/fail), profile publish & disclose, attestation creation

04 — Code quality

Structure, naming,
and module design

Source modules

714

Source LOC

Test module

1,026

Test LOC

Naming Consistent kya: prefix for all claim properties. Template and choice names follow Daml conventions (PascalCase templates, underscore-separated choices).

Imports All imports are explicit with listed symbols. No wildcard imports. Zero unused import warnings after cleanup.

Layers Clean separation: CredentialStub / FeaturedAppStub (stubs) → Schema (constants) → Types (data) → Verifier (pure logic) → Application (on-ledger) → Profile, Attestation, Hooks (extensions).

Complexity No function exceeds 30 lines. Verification logic is pure (no ledger effects) and composed from small helpers. Application choices are sequential and readable.

Dead code None. Previously identified unused helpers (hasClaim, parseAgentClass) have been removed.

05 — Known limitations

What this review
does not cover

01 This is a self-review, not a third-party audit
The same team that wrote the code reviewed it. Independent verification is required before production use.
02 FeaturedAppStub is a placeholder
The real Canton Featured App API (splice-api-featured-app-v1.dar) may have a different interface. Integration testing on DevNet is required.
03 No multi-participant testing
All tests run on a single simulated ledger. Real deployments involve multiple Canton participant nodes with separate visibility domains.
04 No adversarial authorization tests
Tests verify the happy path and expected failures, but do not systematically test whether unauthorized parties are blocked from every choice.
05 42.9% choice exercise coverage
9 of 21 template choices are exercised in tests. The remaining 12 include nonconsuming read-only choices, profile management, and hook validate paths.
06 No load or concurrency testing
Performance under concurrent transaction submission has not been measured.

Self-Review

Compiled and tested
against Daml SDK 3.4.10

daml build

daml test

Dependencies

Authorization, access control,
and input validation

Findings requiring action

Passing checks

Warnings — acceptable risk

33 Daml Script tests
in a single test module

What the tests cover

Credential validation

Delegation chains

Verification flow

Settlement

Revocation & volume

Validation & discovery

Structure, naming,
and module design

What this review
does not cover

Path to production readiness

Review the code yourself

Self-Review

Compiled and testedagainst Daml SDK 3.4.10

daml build

daml test

Dependencies

Authorization, access control,and input validation

Findings requiring action

Passing checks

Warnings — acceptable risk

33 Daml Script testsin a single test module

What the tests cover

Credential validation

Delegation chains

Verification flow

Settlement

Revocation & volume

Validation & discovery

Structure, naming,and module design

What this reviewdoes not cover

Path to production readiness

Review the code yourself

Compiled and tested
against Daml SDK 3.4.10

Authorization, access control,
and input validation

33 Daml Script tests
in a single test module

Structure, naming,
and module design

What this review
does not cover