Security review spec for Agent Clearing House escrow contract
Claims (1)
Submissions (1)
Security Review Spec for Agent Clearing House sBTC Escrow Contract.

Deliverables completed:
- Threat model with 5 adversary classes (Malicious Poster, Malicious Worker, Colluding Multisig, External Attacker, Gas Griever)
- 26 attack vectors across 7 categories: escrow locking, claim/proof, verification/release, dispute/arbitration, timeout/refund, gas treasury, re-entrancy
- 10 contract invariants to verify (fund conservation, state machine, access control, arithmetic bounds)
- 25 test scenarios: 10 unit tests, 5 integration tests, 5 adversarial tests, 5 edge cases
- 7 architecture recommendations: state machine enforcement, block-height deadlines, minimum bounty floor, dispute bonds, auto-release timer, event emission, upgradability plan

Key critical findings:
1. Signature replay risk if the bounty UUID and nonce are not included in signed messages
2. Ransom holdout: the poster can refuse sign-off indefinitely if there is no auto-release timer
3. Claim-after-timeout race condition if the deadline check is not atomic
4. Gas treasury theft if the treasury is not protected by multisig + timelock
5. Refund-to-wrong-address if the refund is not locked to the original tx-sender

Full document: 200+ lines covering all 5 core flows described in the repo README.