
[F-02] Dummy BLS/ECDSA verifiers in mint_command give false confidence for TAIL pre-check #18

@almogdepaz


Finding

Severity: MEDIUM
Source: Differential security review VEIL_DIFFERENTIAL_REVIEW_2026-03-15.md
File: src/cli.rs (~line 1281)
Blast radius: CLI sim mint command only (simulator path)

Description

The mint_command function defines dummy BLS and ECDSA verifiers that always return Ok(true):

```rust
// Stub used only for the CLI's local pre-check: accepts any (pk, msg, sig) triple.
fn dummy_bls(_pk: &[u8], _msg: &[u8], _sig: &[u8]) -> Result<bool, &'static str> {
    Ok(true)
}
// Same for ECDSA: never consults the key, message or signature.
fn dummy_ecdsa(_pk: &[u8], _msg: &[u8], _sig: &[u8]) -> Result<bool, &'static str> {
    Ok(true)
}
```

These are used for a local CLVM pre-execution of the TAIL program before sending it to the zkVM. If a TAIL uses signature verification (e.g. (mod (pk sig) (bls_verify pk "mint" sig))), the CLI pre-check passes with any signature, giving false confidence. The zkVM guest correctly rejects it on proof generation, but the user sees a confusing failure with no actionable error message.

Impact

  • Not exploitable in production — the zkVM guest runs real crypto, false positives in the CLI pre-check don't affect proof validity
  • Developer experience hazard — silent pre-check pass followed by cryptic zkVM failure makes signature-gated TAILs hard to debug during development

Options

A (recommended — minimal): Print a prominent warning when dummy verifiers are active:

⚠  TAIL pre-check uses stub BLS/ECDSA verifiers.
   Signature-gated TAILs will only be enforced by the zkVM.

B (thorough): Replace dummy verifiers with the real ones from clvm_zk_mock (already implemented: default_bls_verifier, default_ecdsa_verifier). Requires exposing them or pulling the mock crate as a non-test dependency of the CLI path.
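As an added illustration of both options (example code written for this issue, not code from the project): the stubs below still answer "valid" like dummy_bls/dummy_ecdsa, but they count how often they were consulted, so the pre-check can tell a genuine pass from one that leaned on stubbed signature checks and print the Option A warning only when it applies; the same runner also accepts caller-supplied verifiers in the Option B shape. The TAIL is modelled as a constructed list of verify operations rather than a CLVM program, and `Precheck`, `counting_stub`, `precheck_with_stubs`, `precheck_with_verifiers` and `demo_real_verifier` are hypothetical names; `demo_real_verifier` is a constructed stand-in for default_bls_verifier/default_ecdsa_verifier, not real cryptography.

```rust
// Added example, not code from the project in this issue. The TAIL is a constructed
// list of verify operations (not CLVM); Precheck, counting_stub and demo_real_verifier
// are hypothetical names.
use std::cell::Cell;

/// Same shape as the issue's dummy_bls / dummy_ecdsa: (pk, msg, sig) -> Result<bool, _>.
pub type Verifier<'a> = Box<dyn Fn(&[u8], &[u8], &[u8]) -> Result<bool, &'static str> + 'a>;

/// Constructed stand-in for the signature-checking steps of a TAIL program.
#[derive(Clone, Copy, Debug)]
pub enum Op<'a> {
    BlsVerify { pk: &'a [u8], msg: &'a [u8], sig: &'a [u8] },
    EcdsaVerify { pk: &'a [u8], msg: &'a [u8], sig: &'a [u8] },
}

/// Pre-check result that keeps "passed" and "passed only because of stubs" apart.
#[derive(Debug, PartialEq, Eq)]
pub enum Precheck {
    /// Every check the TAIL performed was actually verified.
    Pass,
    /// The TAIL ran, but `bypassed` signature checks were answered by stubs;
    /// only the zkVM guest will enforce them.
    PassUnverified { bypassed: usize },
    /// The TAIL failed locally; the message is actionable before any proving starts.
    Fail(&'static str),
}

/// Stub verifier that, like dummy_bls, always answers "valid", but records the call.
fn counting_stub<'a>(calls: &'a Cell<usize>) -> Verifier<'a> {
    Box::new(move |_pk, _msg, _sig| {
        calls.set(calls.get() + 1);
        Ok(true)
    })
}

/// Run the TAIL's signature steps through whatever verifiers the caller supplies.
fn run_tail(ops: &[Op<'_>], bls: &Verifier<'_>, ecdsa: &Verifier<'_>) -> Result<(), &'static str> {
    for op in ops {
        let ok = match *op {
            Op::BlsVerify { pk, msg, sig } => bls(pk, msg, sig)?,
            Op::EcdsaVerify { pk, msg, sig } => ecdsa(pk, msg, sig)?,
        };
        if !ok {
            return Err("signature verification failed in local pre-check");
        }
    }
    Ok(())
}

/// Option A, made precise: stubs are used, but the outcome records whether they mattered.
pub fn precheck_with_stubs(ops: &[Op<'_>]) -> Precheck {
    let calls = Cell::new(0usize);
    let bls = counting_stub(&calls);
    let ecdsa = counting_stub(&calls);
    match run_tail(ops, &bls, &ecdsa) {
        Err(e) => Precheck::Fail(e),
        Ok(()) if calls.get() == 0 => Precheck::Pass,
        Ok(()) => Precheck::PassUnverified { bypassed: calls.get() },
    }
}

/// Option B shape: same runner with caller-supplied real verifiers, so a pass means a pass.
pub fn precheck_with_verifiers(ops: &[Op<'_>], bls: &Verifier<'_>, ecdsa: &Verifier<'_>) -> Precheck {
    match run_tail(ops, bls, ecdsa) {
        Err(e) => Precheck::Fail(e),
        Ok(()) => Precheck::Pass,
    }
}

/// Constructed stand-in for a real verifier (e.g. default_bls_verifier): accepts exactly
/// one known (pk, msg, sig) triple and rejects everything else. Not real cryptography.
pub fn demo_real_verifier<'a>() -> Verifier<'a> {
    Box::new(|pk, msg, sig| Ok(pk == b"demo-pk" && msg == b"mint" && sig == b"demo-sig"))
}

/// What the CLI would print; the warning wording is the one proposed in the issue.
pub fn report(outcome: &Precheck) -> String {
    match outcome {
        Precheck::Pass => "TAIL pre-check passed.".to_string(),
        Precheck::PassUnverified { bypassed } => format!(
            "⚠  TAIL pre-check uses stub BLS/ECDSA verifiers ({bypassed} signature check(s) not verified).\n   Signature-gated TAILs will only be enforced by the zkVM."
        ),
        Precheck::Fail(e) => format!("TAIL pre-check failed: {e}"),
    }
}

fn main() {
    // Constructed signature-gated TAIL carrying a garbage signature.
    let tail = [Op::BlsVerify { pk: b"demo-pk", msg: b"mint", sig: b"garbage" }];
    println!("{}", report(&precheck_with_stubs(&tail)));
    let (bls, ecdsa) = (demo_real_verifier(), demo_real_verifier());
    println!("{}", report(&precheck_with_verifiers(&tail, &bls, &ecdsa)));
}
```

With the stubs, the garbage-signature TAIL comes back as `PassUnverified { bypassed: 1 }` and the warning is printed; a TAIL that performs no signature checks still reports a plain `Pass`, so the warning is not noise for every mint. Routed through the stand-in real verifier, the same TAIL fails locally with a readable message instead of inside the zkVM guest.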

Notes

This is a before-production item, not blocking merge of PR #17.
