3.7 KiB
DBIS Rail — Control Mapping v1
Network: DBIS Mainnet (ChainID 138)
Document type: Mapping of controls to checklist, Spec, Rulebook, and Threat Model
Companion: Audit Readiness Checklist v1, Audit Readiness Results v1
Purpose: Lightweight control mapping for internal audit and future SOC 2 / ISO 27001 alignment. Each control is traceable to a checklist section and to the governing document(s).
Control summary
| ID | Control | Checklist | Spec | Rulebook | Threat Model |
|---|---|---|---|---|---|
| C1 | Mint path restricted to SettlementRouter | 1 | 6.5, 2.2 | 4, 5 | 3.D |
| C2 | Owner / direct mint revoked for GRU/c* | 1 | 6.5, 11 | 4 | 3.D |
| C3 | EIP-712 domain separation (chainId, verifyingContract) | 2 | 4.2, 7 | - | 3.A |
| C4 | messageId replay protection (one-time use) | 2 | 6.4 | 9 | 3.A |
| C5 | Time window (notBefore, expiresAt) enforced | 2 | 4.2, 6.4 | 4.6 | 3.A |
| C6 | Quorum and category (3-of-5, COMPLIANCE) enforced | 2, 3 | 6.3, 6.4 | 4.5, 6 | 3.A, 3.F |
| C7 | Signer allowlist and revocation | 3 | 6.3 | 6 | 3.A, 3.F |
| C8 | Deterministic accountingRef | 4 | - | 3.2 | 3.B |
| C9 | Evidence bundle hashed (isoHash) | 4 | 4.2, 5 | 4.4 | 3.B |
| C10 | One-to-one messageId / accountingRef / mint | 4 | 6.4 | 3.3, 8 | 3.B |
| C11 | ReentrancyGuard and CEI on Router | 5 | 6.4 | - | 3.C |
| C12 | Caps enforced before mint | 5 | 6.4 | - | 3.C |
| C13 | Router and Mint Controller pause | 5, 7 | 6.4, 6.5, 8 | 7 | 3.C, 3.D |
| C14 | Corridor limits enforced | 5, 7 | 6.4 | - | 3.C |
| C15 | Participant suspension (no mint to suspended) | 7 | 6.2, 6.4 | 7 | 3.F |
| C16 | Validator segregation and monitoring | 6 | 3 | - | 3.E |
| C17 | Good funds and finality (Rulebook) | 4 | 1, 4 | 2, 4 | 3.B, 5 |
| C18 | Documentation versioning and review | 8 | - | 9 | 6 |
Section numbers refer to the respective document sections (e.g. Spec 6.5 = DBIS_GRU_MintController, Rulebook 3.2 = deterministic accountingRef).
Jurisdiction matrices and policy profiles
Obligations in per-jurisdiction compliance matrices map to these control IDs where the Rail is in scope. Full obligation → control → policyProfileId → URA field mapping lives in DBIS_RAIL_JURISDICTION_TRACEABILITY.md.
| Artifact | Role |
|---|---|
| compliance-matrices/README.md | Index of jurisdiction folders (ID, stubs, drafts). |
| policy-profiles.json | Machine-readable policyProfileId registry with minimumGruGovernanceLevel. |
| POLICY_PROFILES_REGISTRY.md | Doc control and legal sign-off table for profile versions. |
When a jurisdiction adds local controls (prefix e.g. J-ID-AML-001), document them in that jurisdiction’s matrix and extend the traceability doc; they do not replace C1–C18 for on-chain Rail behavior.
References
- Spec: DBIS_RAIL_TECHNICAL_SPEC_V1.md
- Rulebook: DBIS_RAIL_RULEBOOK_V1.md
- Threat Model: DBIS_RAIL_SECURITY_THREAT_MODEL_V1.md
- Checklist: DBIS_RAIL_AUDIT_READINESS_CHECKLIST_V1.md
- Results: DBIS_RAIL_AUDIT_READINESS_RESULTS_V1.md
Document control
| Field | Value |
|---|---|
| Title | DBIS Rail — Control Mapping v1 |
| Network | DBIS Mainnet (ChainID 138) |
| Version | 1 |
| Status | Active |