Security
Threat Model
MeshKit trust boundaries and major risks.
Use this page to reason about what MeshKit protects, what it detects, and what your application or operator still owns.
Trust Boundaries
| Boundary | Trusted for | Not trusted for |
|---|---|---|
| MeshKit Core | Envelope encryption, key wrapping, fail-closed checks | Protecting plaintext after app code receives it |
| Provider byte store | Storing encrypted bytes | Plaintext confidentiality |
| Metadata service | Proofs, capsules, mailboxes, sync records, logs | Hiding all relationship metadata |
| Gateway | Returning bytes for a CID | Authorization or plaintext integrity without CID verification |
| Identity directory | Resolving public keys | Proving user intent unless your app verifies it |
| Policy provider | External authorization decisions | Decrypting when unavailable or denied |
| Runtime key vault | Local identity protection | Stronger guarantees than the actual platform bridge provides |
Main Risks
| Risk | MeshKit behavior | Application/operator responsibility |
|---|---|---|
| Wrong bytes from provider or gateway | Verify CID before decrypting | Use trusted providers and monitor failures |
| Provider sees sensitive metadata | Encrypt content, but metadata may remain visible | Keep secrets out of metadata and design retention policy |
| Recipient key mismatch | Fail when key unwrap fails | Verify contacts and identity bindings |
| Stale or revoked share | Fail closed on future opens | Communicate revocation limits |
| Policy provider unavailable | Fail closed for policy-backed opens | Operate policy service reliably |
| Token leakage | Avoid returning secrets | Redact logs, CI, support bundles, and config dumps |
| Mobile bridge missing | Fall back or report weaker capabilities | Test production builds and document guarantees |
Share Open Flow
What To Test
- Wrong CID or gateway bytes are rejected before plaintext.
- Missing metadata prevents unsafe opens.
- Missing recipient key fails.
- Expired and revoked shares fail.
- Policy-denied shares fail closed.
- Telemetry and support output redact secrets.
- Runtime bridge absence changes reported capabilities.