template: add Threat Model & Security Requirements section#45
Draft
fryorcraken wants to merge 4 commits intomasterfrom
Draft
template: add Threat Model & Security Requirements section#45fryorcraken wants to merge 4 commits intomasterfrom
fryorcraken wants to merge 4 commits intomasterfrom
Conversation
Add a top-level section to the RFP template listing common privacy/security scenarios grouped by adversary class (O, A, C, S, F, X), each with stable codes that protocol-specific scenarios extend. Add appendix/logos-stack-trust-assumptions.md as a dated snapshot (2026-04-28) of the five component FURPS at roadmap.logos.co, with verbatim citations and a distilled list of what RFPs can rely on vs must not assume. Retarget Supportability item 9 so the privacy and anonymisation document must address every Threat Model scenario. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Rework the Threat Model section so it covers any application built on any part of the Logos stack, not only LEZ programs. Adversary classes are stack-wide: - N (Network observer): any public surface the app touches - A (Active attacker): any layer - C (Malicious counterparty): any user-mediated exchange - P (Platform operator with elevated visibility): sequencer, Waku store/relay, Codex cache/provider, RPC, RLNaaS — replaces the prior LEZ-specific S - F (Malicious or buggy client): any client surface - X (External identity correlator): any cross-system linkage Common scenarios are component-agnostic. Component-specific scenarios move to dedicated subsections (Blockchain/LEZ, AnonComms, Logos Core, Messaging/Waku, Storage/Codex) that apply only when the RFP declares the component in a new "Stack components consumed" subsection. The deshield→interact→re-shield language and ephemeral-account hygiene now live under L-1..L-6 in the LEZ-specific section instead of in the common scenarios. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Use stack-level names "Messaging" and "Storage" throughout instead of the deprecated "Waku" and "Codex" codenames. Renumber the component-specific scenarios accordingly: - Messaging scenarios W-1..W-4 → M-1..M-4 - Storage scenarios CX-1..CX-3 → ST-1..ST-3 The one remaining "Waku" string in the appendix is inside a verbatim quote from the upstream FURPS source; it is annotated to indicate the current stack-level term. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Collaborator
Author
|
@kaiserd to provide feedback as this attempts to address his concerns. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
## 🛡️ Threat Model & Security Requirementssection toRFPs/RFP-000-template.mdlisting common privacy/security scenarios grouped by adversary class (Oon-chain observer,Aactive attacker,Cmalicious counterparty,Ssequencer,Fmalicious/buggy client,Xexternal identity correlator). Each scenario has a stable code so other documents can reference them, and protocol-specific scenarios extend the same numbering per RFP.appendix/logos-stack-trust-assumptions.mdas a dated snapshot (2026-04-28) of the five component FURPS published at roadmap.logos.co, pulled from logos-co/roadmap@v4. The appendix quotes each relevant FURPS item verbatim, then distils aStack-wide trust assumptions an RFP can rely onlist and aStack-wide non-guarantees an RFP must not assumelist. Notable non-guarantees: no anonymous transaction submission at the network layer, no mempool/pre-confirmation privacy, no anonymous indexer RPC queries, no off-chain LEZ-state privacy, no sequencer-level censorship resistance.Why draft
Open for discussion before applying the new section to the existing RFPs (001, 002, 003, 004, 008, 012, 015, 016). Each of those will get its own follow-up PR adding protocol-specific scenarios under the relevant adversary class.
Specific items worth feedback before merging:
S(sequencer) is included because the appendix found that LEZ FURPS does not commit to non-censorship or non-correlation against the sequencer. Reasonable, or fold into trust assumptions?O-5requires the SDK/mini-app not to issue RPC queries that re-link ephemeral accounts. This is non-trivial to implement and may be a meaningful new requirement on every RFP. Acceptable bar?Test plan
appendix/(current) or underRFPs/next to the template🤖 Generated with Claude Code