Air-gapped static analysis of Fabric configtx.yaml and Besu genesis.json. Validates endorsement policy completeness, MSP certificate expiry windows, Raft/QBFT quorum viability, PDC scoping, TLS/HSM flags, and chainId collision. Outputs a risk heatmap and permission topology summary.
Fabric rules (configtx.yaml): Endorsement policy completeness (at least 2 orgs referenced), MSP certificate path presence, Raft orderer detection, minimum 5-node quorum recommendation, PDC (Private Data Collection) scoping patterns, TLS enablement, FIPS HSM references, Travel Rule PDC presence (PDC_TR_ prefix).
Besu rules (genesis.json): QBFT validator set size (minimum 4 recommended for f=1 BFT tolerance), chainId presence and common collision values (1, 1337), Tessera endpoint references (deprecated June 2026), account permissioning flag, IBFT2 vs QBFT detection, alloc block structure.
Reference architecture: Fabric rules are derived from the 3-org MSP design documented in Post Oak Labs Fabric A2A (Org1MSP/Munich, Org2MSP/Paris, Org3MSP/Riyadh — 5-node Raft, PDC_TR_DE_SA for Travel Rule). Besu rules are derived from the QBFT 3-validator design (BankFR/Paris, BankES/Madrid, BankSA/Riyadh).
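As an added illustration (not the tool's own code), the sketch below applies three of the Besu rules to a parsed genesis.json: chainId presence and collision, IBFT2 vs QBFT detection, and validator set size against the f=1 threshold. The function names are hypothetical, the sample genesis is constructed, and the code assumes a qbft or ibft2 genesis whose validators are RLP-encoded in extraData (block-header validator selection).

```python
def rlp_decode(buf, pos=0):
    """Decode one RLP item starting at pos; return (item, next_pos)."""
    b = buf[pos]
    if b < 0x80:                      # a single low byte is its own encoding
        return buf[pos:pos + 1], pos + 1
    is_list = b >= 0xC0
    n, start = b - (0xC0 if is_list else 0x80), pos + 1
    if n > 55:                        # long form: n-55 bytes carry the length
        width = n - 55
        n, start = int.from_bytes(buf[start:start + width], "big"), start + width
    end = start + n
    if end > len(buf):
        raise ValueError("truncated RLP item")
    if not is_list:
        return buf[start:end], end
    items = []
    while start < end:
        item, start = rlp_decode(buf, start)
        items.append(item)
    return items, end

def check_genesis(genesis):
    """Apply the chainId, engine and validator-count rules to a parsed genesis."""
    cfg, findings = genesis.get("config", {}), []
    chain_id = cfg.get("chainId")
    if chain_id is None:
        findings.append("chainId missing")
    elif chain_id in (1, 1337):       # collision values named in the rule list
        findings.append(f"chainId {chain_id} is a common collision value")
    engine = next((k for k in ("qbft", "ibft2") if k in cfg), None)
    # Assumption: validators live in extraData (header mode, not a contract):
    # RLP([vanity, [validators], vote, round, seals])
    fields, _ = rlp_decode(bytes.fromhex(genesis["extraData"][2:]))
    n = len(fields[1])
    f = (n - 1) // 3                  # Byzantine faults tolerated by n validators
    if n < 4:
        findings.append(f"{n} validators give f={f}; 4 are needed for f=1")
    return {"engine": engine, "validators": n, "f": f, "findings": findings}

def sample_genesis(n, chain_id):
    """Constructed sample (made-up addresses), not a real network's genesis."""
    def rlp_list(p):
        if len(p) < 56:
            return bytes([0xC0 + len(p)]) + p
        width = (len(p).bit_length() + 7) // 8
        return bytes([0xF7 + width]) + len(p).to_bytes(width, "big") + p
    vals = b"".join(b"\x94" + bytes([i + 1]) * 20 for i in range(n))
    body = rlp_list(b"\xa0" + bytes(32) + rlp_list(vals) + b"\xc0\x80\xc0")
    return {"config": {"chainId": chain_id, "qbft": {}}, "extraData": "0x" + body.hex()}
```

Run against a constructed 3-validator genesis, the check reports f=0, which is why the rule recommends at least 4 validators.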