A runtime toggle named paper=true is reversible and therefore weak. Make paper-only scope irreversible within this product: omit authenticated dependencies, reject trading credential names, allow no write methods, use fictional points, and make build checks fail if prohibited capability appears.
Create a safety manifest listing allowed outbound hosts, HTTP methods, imported packages, environment names, database tables, and command entry points. The production research worker may fetch public GET data; the paper worker has no network. Neither includes an authenticated venue library.
Add static checks across source, lockfile, configuration, and documentation for forbidden patterns. Avoid relying only on words, because names can vary; also inspect dependency graphs and exercise runtime network policy. The CI job should create an environment containing fake suspicious keys and prove startup rejects them.
Use fictional paper_points as an integer unit. The schema prohibits currency codes, account balances, deposit references, addresses, signatures, and provider order IDs. Reports display “simulation points” and a banner that points cannot be redeemed or mapped to PKR.
Safety events are append-only: forbidden setting seen, network denied, unknown dependency, and schema violation. A failed gate stops the run before data processing. No admin override exists inside the application; changing scope would require a different reviewed product, which this course neither designs nor promises.
Make the manifest reviewable in continuous integration. Generate a software bill of materials, compare outbound-host and dependency lists with the approved baseline, scan source and compiled artifacts, and run network-denial tests. A checksum-approved release is promoted only when all gates refer to the same commit. Document false positives explicitly; never add a broad exclusion merely to make the scan green.
Review transitive dependencies as well as direct packages. A harmless-looking reporting library can add a network client or telemetry component. The build fails when the dependency graph changes until the new graph is assessed and the approved checksum baseline is deliberately updated. Runtime file permissions prevent the paper worker from loading undeclared plugins.
🇵🇰 Pakistan Angle
The project avoids payment workarounds, venue eligibility, and account setup entirely. Pakistani regulatory guidance may evolve; a codebase with zero execution capability keeps the educational lab clearly focused on software testing and forecast evaluation.
Hands-On Exercise
Write safety-manifest.json and CI checks. Add a fake package named trade-client, a fake EXCHANGE_SECRET, a POST attempt, and a currency field in separate negative tests. Each must fail before a run starts and append a sanitized safety event.
Completion Rubric
- Paper-only scope cannot be changed by config or environment.
- Dependency, method, host, credential, and schema allowlists are enforced.
- Fictional points have no monetary mapping.
- Negative tests prove every prohibited capability fails closed.
- No override or “real later” pathway is documented.
Sources
- OWASP Secure Product Design Cheat Sheet
- NIST Secure Software Development Framework
- PVARA regulations
Key takeaway: Paper-only safety is credible when execution capabilities are absent, prohibited by schema, and continuously tested.