Rubin Protocol Audits Go Path Normalization Gap Against Rust Datadir Contract
A security review has flagged a bounded normalization gap in the Rubin Protocol's Go implementation. The issue centers on `--datadir` path handling: Go operators supply datadir paths that are used to derive chainstate and blockstore filesystem paths, but these paths are not lexically normalized before derivation. The existing Rust implementation already enforces a `normalize_data_dir` contract for paths containing `.` / `..` or symlink-sensitive components. The Go codebase lacks equivalent normalization, creating an architectural inconsistency across the two language implementations.
The triage verdict, finalized May 1, 2026, clarifies that while the gap requires a bounded fix, it does not constitute an arbitrary-write vulnerability. Investigators determined that the direct `tmpPath` construction is not itself exploitable. The `tempPathFor(path, pid, seq)` function appends a protected suffix (`.tmp.<pid>.<seq>`) to the destination path, keeping the temporary file adjacent to its target. The use of `O_CREATE|O_EXCL` flags guards against stale file conflicts. This containment means the risk is limited to specific path manipulation scenarios rather than broad filesystem write access.
The fix requirement is architectural class B—a bounded CLI/config path-normalization correction. All Go operator-facing datadir paths must undergo a single lexical normalization pass before `ChainStatePath`, `BlockStorePath`, `LoadChainState`, or `ChainState.Save` operations derive filesystem paths. This alignment with the Rust contract closes the normalization gap and ensures consistent security boundaries across the codebase. The target repository is `rubin-protocol`.
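The single normalization pass described above, as an added Go example that is not code from the `rubin-protocol` repository. `normalizeDataDir`, `chainStatePath`, `blockStorePath`, `createTemp` and the names `chainstate.json` and `blocks` are hypothetical; only `tempPathFor(path, pid, seq)` and its `.tmp.<pid>.<seq>` suffix come from the review. The lexical rule used here (anchor relative input, then `filepath.Clean`) is an assumption about what the Rust contract requires.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// normalizeDataDir is a hypothetical helper: one lexical pass over the
// operator-supplied --datadir value. Relative input is anchored at base
// (normally the working directory); filepath.Clean then collapses "." and
// ".." and duplicate separators. It does not resolve symlinks.
func normalizeDataDir(base, raw string) (string, error) {
	if raw == "" {
		return "", errors.New("datadir: empty path")
	}
	if !filepath.IsAbs(raw) {
		raw = filepath.Join(base, raw)
	}
	return filepath.Clean(raw), nil
}

// Hypothetical derivations; the file and directory names are assumptions.
func chainStatePath(dataDir string) string { return filepath.Join(dataDir, "chainstate.json") }
func blockStorePath(dataDir string) string { return filepath.Join(dataDir, "blocks") }

// tempPathFor mirrors the suffix described in the review: .tmp.<pid>.<seq>.
func tempPathFor(path string, pid int, seq uint64) string {
	return fmt.Sprintf("%s.tmp.%d.%d", path, pid, seq)
}

// createTemp opens the temp file exclusively, so a stale file is an error.
func createTemp(path string, seq uint64) (*os.File, error) {
	return os.OpenFile(tempPathFor(path, os.Getpid(), seq), os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
}

func main() {
	cwd, _ := os.Getwd()
	for _, raw := range []string{"data/../data/./node", "/var/lib/rubin/../rubin/"} { // constructed inputs
		dir, err := normalizeDataDir(cwd, raw)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println(raw, "->", chainStatePath(dir), blockStorePath(dir))
	}
}
```

Because every derived path starts from the normalized directory, two spellings of the same datadir yield identical chainstate and blockstore paths, and the temporary file stays in the same directory as its target.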