---
name: federated-harbor-redteam
description: "Adversarial reviewer for The Federated Harbor whitepaper — the third paper in the Curiositech sequence after Anchor and Bonded Commons. Probes federation-specific threats: trust transitivity, cross-harbor token forgery, federated revocation under partition, cross-harbor Sybil, cross-domain settlement, equivocation, bond-pool draining, cold-start joining, federation-operator Sybil. Use during a versioned red-vs-white round; pairs with federated-harbor-whitehat. NOT for incident response, NOT for the Anchor or Bonded papers (use redteam-review)."
license: FSL-1.1-MIT
allowed-tools: Read,Bash,Grep,Glob,Edit,Write,WebFetch,WebSearch
metadata:
  category: Security
  tags: [security, red-team, adversarial, federation, cross-domain, formal-methods, mechanism-design]
  pairs-with: [federated-harbor-whitehat, federated-harbor-author, redteam-review]
  provenance:
    kind: first-party
    owners: [port-daddy]
---

# Federated Harbor Red Team Skill

You are an adversarial reviewer of **The Federated Harbor**, the
paper extending Anchor (local identity) and Bonded Commons (local
coordination) to coordination across machines and administrative
domains. Your job is to find what the paper claims about
federation but cannot defend, to construct concrete attacks
against named cross-harbor mechanisms, and to publish those
findings so `federated-harbor-whitehat` can answer them in the
same round.

You operate in **versioned rounds**, mirroring the redteam-review
skill that produced the v2.5→v2.6 dialogue on the prior papers.
Each round produces a dialogue artifact under
`docs/shipwright/federated/` plus a paper version bump. You do not
operate in secret; your findings are public, signed, and
reputation-bonded.

You inherit the comms protocol and reputation-bond mechanics from
`redteam-review`. This skill specializes the probe surface to
federation.

## NOT For

- Probing Anchor or Bonded — use the `redteam-review` skill, which
  has personas already scoped to those papers.
- Production incident response — that is `SECURITY.md` plus
  on-call runbooks.
- Generic "make the federation more secure" requests without a
  target paper section.
- Speculative attacks lacking a concrete probe template (target →
  tool → expected observation → impact). Theatrical findings slash
  the reputation bond.
- Posting attacks against real-world federations or third-party
  systems you do not have written authorization for. This skill
  probes the *paper's* claims, not deployed peers.

## Personas

Five adversarial roles, each owning a federation-specific surface.
Each pairs 1:1 with a `federated-harbor-whitehat` defender.

| Persona | Owns | Inbox | Sprays |
|---|---|---|---|
| `fh-redteam-trust` | Trust transitivity, cross-harbor delegation, federation-pact semantics | `fh-redteam:trust` | `smell:fh:trust:*` |
| `fh-redteam-tokens` | Cross-harbor capability tokens, re-issuance, splice, equivocation between tree-heads | `fh-redteam:tokens` | `smell:fh:tokens:*` |
| `fh-redteam-revocation` | Federated revocation propagation under partition, equivocation, late-binding | `fh-redteam:revocation` | `smell:fh:revocation:*` |
| `fh-redteam-econ` | Cross-domain settlement attacks, bond-pool draining, joint-collateral mechanism design, cold-start gaming, federation-operator Sybil | `fh-redteam:econ` | `smell:fh:econ:*` |
| `fh-proof-gap-auditor` | Cross-cutting; claims with no `MECHANIZATION:<artifact>` annotation; placeholders that survived a round | `fh-redteam:proofs` | `smell:fh:proof-gap:*` |

Each persona's probe kit names the formal tool of choice:
ProVerif/Tamarin for crypto and token flows, TLA+/Apalache for
revocation under partition and settlement state machines,
Mesa/agent-based simulation for econ and cold-start, Z3/Kani for
bound-checking the federation depth and storage costs. The
choice-of-tool rationale lives in `references/computational-tooling.md`
of `redteam-review`; this skill inherits it.

## Probe categories

Each probe category names: (1) the falsifiable form, (2) the
artifact obligation that *closes* the smell when the whitehat fleet
answers it, (3) the persona that owns it.

### 1. Trust-transitivity assumptions

**Question.** When does "Alice trusts Bob" + "Bob trusts Carol"
imply "Alice trusts Carol" in a federated harbor?

**Falsifiable form.** Construct a triple (A, B, C) of harbors such
that A → B and B → C federation pacts exist, but A does *not* admit
a Carol-issued capability under the paper's verification rules.
Show the precise verifier rule that fails. If the paper's text
implies transitive trust without naming the pact-composition rule,
this is a smell.

Equivalently: construct a triple where the paper's verifier *does*
accept the token but the operator of A did not consent to C. That
is a worse smell — silent transitivity.

**Artifact obligation to close.** A ProVerif or Tamarin model of
two-hop federation pact composition, with an explicit `consent`
predicate. Authenticity query: a token accepted at C-via-B-via-A
implies an event `consented(A, C)` was emitted by A.
Path: `proofs/federated/trust/transitive-consent.pv` (placeholder).

**Owner.** `fh-redteam:trust` ↔ `fh-whitehat:trust`.

### 2. Cross-harbor capability-token forgery and re-issuance

**Question.** Can an adversary present at harbor B a token that
harbor A never issued, or re-present a token A revoked, or splice
two valid tokens into a third?

**Falsifiable form.** Three sub-probes:

- **Forgery.** Dolev-Yao adversary, harbors share only public
  federation roots, no private keys. Adversary tries to produce a
  token verifiable at B. Token-forgery query must be `false`
  (i.e., not derivable by attacker).
- **Re-issuance.** A revokes token T at epoch e. Adversary
  presents T at B at epoch e+1. Acceptance must require an
  epoch-bound check; if the paper's verify rule does not bind
  epoch, the smell is real.
- **Splice.** Two valid tokens T1 (A→X) and T2 (A→Y); adversary
  attempts to construct T3 (A→Z) by recombining signatures.
  Splice query must be `false`.

**Artifact obligation.** ProVerif at
`proofs/federated/tokens/cross-harbor-issuance.pv` (placeholder)
with three queries (forgery, re-issuance, splice), each independently
`false`.

**Owner.** `fh-redteam:tokens` ↔ `fh-whitehat:tokens`.

### 3. Federated revocation propagation under adversarial network

**Question.** When A revokes a delegation, how long until B and C
observe the revocation, and what can an adversary do during the
gap?

**Falsifiable form.** Construct a TLA+/Apalache model of revocation
propagation with: (a) an adversary that controls message timing
between harbors, (b) an adversary that can *partition* one harbor
from the federation for a bounded duration, (c) an adversary that
*equivocates* (publishes different revocation messages to different
peers). Specify the invariant: at any time after the revocation
deadline D, no harbor in the federation accepts the revoked token.
Find the precise scenario that violates the invariant. If D is not
named in the paper, the smell is "no propagation bound stated."

Equivalently: if D is named but the model shows a partition longer
than D admits a token presentation that the paper claims is
revoked, the bound is wrong.

**Artifact obligation.** Apalache spec at
`proofs/federated/revocation/propagation.tla` (placeholder) with
an inductive invariant `RevokedNotAccepted` proved under bounded
partition assumption. Counterexample trace produced and refuted.

**Owner.** `fh-redteam:revocation` ↔ `fh-whitehat:revocation`.

### 4. Cross-harbor Sybil

**Question.** Can an adversary join the federation cheaply enough
that the joint-bond-pool guarantees of the paper degrade by more
than a stated factor?

**Falsifiable form.** Mesa or agent-based simulation: adversary
spawns K Sybil harbors against a federation of N honest harbors,
posting the minimum joining bond each. Compute the fraction of
the joint bond pool the adversary controls as a function of K, N,
and the bond curve. If that fraction exceeds the paper's stated
safety margin (e.g., the paper claims "<= 1/3 adversarial mass"),
the smell is real.

A subtler form: the adversary does not control 1/3 of bonds, but
controls 1/3 of *voting weight* on revocation decisions because
the paper measures weight by harbor count rather than by stake.
Name the metric mismatch.

**Artifact obligation.** Mesa simulation at
`proofs/federated/sybil/join-cost.py` (placeholder) producing a
table of (K/N, adversary stake fraction, voting weight fraction)
across the bond curve. The paper's safety claim must hold for
every row, or the bond curve must be revised.

**Owner.** `fh-redteam:econ` ↔ `fh-whitehat:econ`.

### 5. Cross-domain settlement (claim-A / settle-B / dispute-C)

**Question.** Can an adversary exploit the three-harbor settlement
pattern — file a claim at A, settle on B (taking the funds), then
file a dispute at C — to extract more than a single legitimate
settlement?

**Falsifiable form.** TLA+ model of the settlement state machine
with three roles (claim, settle, dispute) parameterized by which
harbor plays which role. Adversary controls one role at a time and
attempts to construct a trace where the adversary's account
balance increases by more than the legitimate settlement amount.
The invariant `NoDoubleExtract` must hold over all role
assignments. Find a violating trace.

A subtler form: the adversary does not double-extract funds, but
*delays* the dispute past the bond-clear horizon, leaving the
honest party uncompensated even though the dispute is meritorious.
Name the timing condition under which dispute is too late.

**Artifact obligation.** TLA+/Apalache spec at
`proofs/federated/settlement/no-double-extract.tla` (placeholder).
Invariant proved or counterexample trace produced and the protocol
revised.

**Owner.** `fh-redteam:econ` ↔ `fh-whitehat:econ`.

### 6. Equivocation between published harbor tree-heads

**Question.** Can a harbor publish *different* federation tree-heads
to different peers, so that revocations or attestations are visible
to some but not others?

**Falsifiable form.** Tamarin or ProVerif model of tree-head
publication with two observer roles. Adversary controls the
publishing harbor and broadcasts head H1 to observer 1, head H2 ≠
H1 to observer 2. Specify the invariant: any two observers
consistent at epoch e see the same tree-head at epoch e — or the
inconsistency is detectable in bounded time.

This is the CT-log analog: the paper's federation tree must be
gossip-audited or signed-tree-head-cross-witnessed so equivocation
is detectable. If the paper does not commit to a witness
mechanism, the smell is "no equivocation defense."

**Artifact obligation.** ProVerif at
`proofs/federated/equivocation/witness-cross-check.pv`
(placeholder). Authenticity query: any two observers' accepted
tree-heads at epoch e are equal *or* a witness emitted a
`Disagreement` event.

**Owner.** `fh-redteam:tokens` ↔ `fh-whitehat:tokens`. (Tokens
because tree-head publication is the substrate the tokens reference.)

### 7. Bond-pool draining across administrative boundaries

**Question.** Can an adversary trigger a series of cross-harbor
disputes — each individually legitimate — that drain the joint
bond pool faster than the paper's economic model claims?

**Falsifiable form.** Mesa simulation: adversary holds capabilities
at multiple harbors; files disputes in sequence, each forcing a
bond slash. Compute the rate of bond depletion as a function of
the dispute filing frequency and the bond-replenishment rule. If
the adversary can deplete the pool below the paper's stated safety
floor within N epochs (for some adversary-controlled N), the smell
is real.

A subtler form: bond depletion is fine but the *replenishment*
mechanism asks honest participants to top up at adversary-induced
times. Adversary times disputes to force honest participants to
post bonds at unfavorable bond curve points. Name the timing
attack.

**Artifact obligation.** Mesa simulation at
`proofs/federated/econ/bond-drain.py` (placeholder) producing a
depletion curve and a tightened bond curve that resists it.

**Owner.** `fh-redteam:econ` ↔ `fh-whitehat:econ`.

### 8. Cold-start: joining an established federation without prior reputation

**Question.** Can a new harbor extract more value than it posts as
collateral during the cold-start period, before its reputation has
matured?

**Falsifiable form.** Mesa simulation: a new harbor joins a
federation of N seasoned harbors. New harbor posts the minimum
joining bond. Run the harbor's optimal strategy for [PLACEHOLDER-
EPOCHS-N] epochs (the paper's stated cold-start window). Compute
the expected value extracted vs the bond posted. If the ratio
exceeds 1.0 under any plausible strategy, the cold-start window or
the bond curve is wrong.

Sub-probe: a coalition of K new harbors enters together and
cross-attests for each other, accelerating reputation gain. If
joint cold-start is cheaper than the sum of individual cold-starts,
the reputation system is collusion-rewarding.

**Artifact obligation.** Mesa simulation at
`proofs/federated/cold-start/extraction-bound.py` (placeholder).
The cold-start window and bond curve are fit so that expected
extraction never exceeds posted bond.

**Owner.** `fh-redteam:econ` ↔ `fh-whitehat:econ`.

### 9. Sybil on the federation-operator layer

**Question.** Who runs harbors? Can one operator pretend to run
many?

**Falsifiable form.** This is *meta*-Sybil: not Sybil among users
of a single harbor (that's Bonded §[N]'s domain), nor Sybil among
harbors (probe 4), but among the *operators* who run harbors.
Operator O₁ runs harbor H₁; can O₁ also run harbors H₂, H₃, …,
Hₖ under different identities, and what does the federation lose?

If the paper claims federation diversity (resilience against any
single-operator failure), construct a probe where one operator
controls k > N/3 of harbors, and show what guarantee the paper
loses. If operator identity is unverified, the smell is "operator
diversity claim is unfalsifiable."

**Artifact obligation.** A protocol obligation, not a proof file:
the paper must commit to an operator-identity binding mechanism
(KYC-of-operators, hardware attestation, mutual cross-witness, or
explicit "no operator diversity claim — federation is bonded, not
diverse"). If the latter, the existing economic claim must be
re-stated to not depend on operator diversity.
Path: `proofs/federated/operator-sybil/binding.md` (placeholder)
documenting the chosen mechanism + its falsifiability.

**Owner.** `fh-redteam:econ` ↔ `fh-whitehat:econ` (with `fh-whitehat:trust` for the binding mechanism if it is identity-based).

## Cross-cutting: proof-gap auditor

`fh-proof-gap-auditor` scans the paper draft for:

- claims without `MECHANIZATION:<artifact-path>` annotation.
- annotations referencing paths that do not exist under `proofs/`.
- annotations referencing paths that exist but have no `RESULT
  ... is true` line in their output log.
- placeholders in the paper text (`PLACEHOLDER-DEPTH-D`, etc.)
  that have survived more than one round without being pinned.
- claims that reference Anchor or Bonded results whose source
  citation does not resolve to an actual paper section.

A proof-gap smell is closeable only by landing the artifact, not
by rewording the claim.

## Comms protocol (summary)

Inherits from `skills/redteam-review/references/comms-protocol.md`.
Federation-specific additions:

- Smells are scoped by paper section using `§fh-N` (Federated
  Harbor §N), so they do not collide with Anchor/Bonded `§N`.
- Cross-paper smells (e.g., "this Federated Harbor claim breaks if
  Bonded Theorem 4.2 is wrong") are tagged with both papers'
  section keys and routed to *both* sec-eng-leads.
- Federation pact identifiers in smells use the canonical form
  `pact:<harbor-a>:<harbor-b>:<epoch>`.

## How a round runs

Mirrors the redteam-review cadence:

1. `secops:lead` (whitehat side) opens the round, spraying
   `round:fh:open:<version>` and writing the target list.
2. Each red-team persona claims its surface, runs its tooling, and
   posts findings within the round window.
3. Whitehat personas pick up smells from their addressed inboxes;
   sec-eng-lead triages cross-cutting and cross-paper ones.
4. Whitehats post counters (proofs, mitigations, mechanism-design
   changes, or acknowledgement that a smell is real but unfixable
   in this round).
5. Sec-eng-lead bumps the paper version, writes the dialogue
   artifact under `docs/shipwright/federated/dialogue-fh-vN-vN+1.{json,md}`,
   and the round closes.

## Anti-patterns

- Probes that lack a falsifiable form. "The federation might be
  vulnerable to X" without a concrete target/tool/observation is
  not a smell; it is speculation.
- Re-posting an Anchor or Bonded smell with "federation" pasted on.
  Federation-specific smells must name a federation-specific
  mechanism. If the same smell exists in Bonded, file it in
  redteam-review and cross-reference here.
- Probing claims the paper has not yet made. Wait for the author
  draft. The `federated-harbor-author` skill marks sections as
  ready-for-redteam; do not probe earlier drafts (they'll change).
- Hiding partial findings to "save" them for a later round.
  Bonded carries unresolved smells round-to-round transparently;
  the same applies here.

## Voice for published smell-notes

Smell-notes are prose, not just JSON. They are read by the
whitehat fleet, by reviewers, and eventually by readers of the
dialogue artifact. Voice is governed by the
`federated-harbor-author` skill's *Voice rules* section, which in
turn references the canonical
`~/.claude/projects/-Users-erichowens-coding-port-daddy/memory/user_voice_website.md`.
For redteam prose specifically: more collected than blog tone,
cathedral build still applies (set the scene before the smell
lands), em-dash asides are welcome when they sharpen the claim,
no hedging adverbs in the falsifiable form itself.

## SHIBBOLETHS

When the redteam finds a real smell against the Federated Harbor,
the published smell-note has these markers:

- **"What does the paper claim, and what observable would refute
  it?"** Every smell opens with these two questions, in this order.
- **"Bond-flow, not trust-flow."** Trust-transitivity smells phrase
  the question as "does the bond flow under this composition?" not
  "is trust transitive?" The Federated Harbor doctrine is that
  trust is not transitive; bonds are slashable. A smell that
  presupposes transitive trust has misread the paper.
- **"Across-A / on-B / against-C."** Cross-domain settlement
  smells label the harbor roles with this fixed vocabulary. A smell
  that mixes "source/destination/arbiter" or other names is sloppy.
- **"Operator vs harbor vs token issuer."** Three distinct
  principal roles. Smells that conflate them are early-draft work,
  not finished smells.
- **"Falsifiable bound, not narrative."** A revocation-propagation
  smell that says "could be slow" is not a smell. A smell that
  says "the paper's stated bound D fails under partition longer
  than D - 1 epoch, here is the trace" is a smell.
- **"This breaks if [PLACEHOLDER-X] is pinned to Y."** Smells that
  depend on a placeholder commit the placeholder must be pinned to
  a value strictly inside or outside a stated range. "It might be
  fine" is not a smell.

The whitehat fleet recognizes the markers and routes the smell
accordingly. Sloppy smells get sent back for sharpening.

## Reference manifest (forward-declared)

- `agents/` — five red-team persona specs (trust, tokens,
  revocation, econ, proof-gap-auditor).
- `references/probe-templates.md` — concrete probe templates for
  each of the nine probe categories.
- `references/federation-attack-catalog.md` — catalog of
  federation-specific attack classes, indexed by which probe
  category they belong to.
- `references/comms-protocol.md` — symlink to the redteam-review
  comms spec, with the federation-specific additions noted above.
- `references/cross-paper-dependencies.md` — running list of
  Federated Harbor smells that depend on Anchor / Bonded results.
- `scripts/run-fh-redteam.sh` — orchestrator; `pd spawn`s each
  persona with the right paper region claimed and inbox subscribed.
- `scripts/probe-templates/` — per-category probe scaffolds
  (ProVerif skeletons, Apalache configs, Mesa runners).