Threat Model
Sovereign Edge & Security Assumptions
> [!CAUTION] SECURITY OBJECTIVE
> Preserve the integrity of the local economic ledger under adversarial request conditions, and fail closed whenever client identity is ambiguous.
"Evolution from Project Discovery to Sovereign Infrastructure."
Data Flow & Trust Boundaries
User / Attacker → Cloudflare Tunnel → Sentry Perimeter → Brain (FastAPI) → Vault (SQLite WAL)
Enforcing Fail-Closed Logic at Sentry
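The fail-closed identity resolution that the Sentry step in the flow above stands for, written out as an added example in Python (the Brain's language); this is not the project's own Sentry code. It assumes the tunnel connector runs on the same host and reaches the Brain over loopback, so the peer address is checked before any header is read, and it treats CF-Connecting-IP and CF-Ray (headers Cloudflare adds to proxied requests) as the required routing headers; the header names are a real Cloudflare convention, requiring both is this example's policy. Anything short of exactly one well-formed value per required header, or an X-Forwarded-For that disagrees with CF-Connecting-IP, is rejected rather than guessed. The caveat a reviewer would add: a header check on its own is not proof of tunnel origin, because anyone who can reach the port can also send the headers, so the peer-address check (or binding the listener to loopback) is what actually closes the direct-hit case.

```python
"""Fail-closed identity resolution at the Sentry perimeter (added example, not project code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the tunnel connector (cloudflared) runs on the same host and reaches the
# Brain over loopback, so any other peer address means the tunnel was bypassed.
TUNNEL_PEERS = (ip_network("127.0.0.0/8"), ip_network("::1/128"))

# Routing headers the tunnel is expected to set. CF-Connecting-IP and CF-Ray are headers
# Cloudflare adds to proxied requests; requiring both is this example's policy.
REQUIRED_HEADERS = ("cf-connecting-ip", "cf-ray")


class Rejected(Exception):
    """Every outcome other than one unambiguous client identity ends here."""


@dataclass(frozen=True)
class Identity:
    client_ip: str
    ray_id: str


def resolve_identity(headers, peer_ip: str) -> Identity:
    """headers: iterable of (name, value) pairs exactly as received, duplicates included
    (for ASGI, decode scope["headers"]). Missing, duplicated, empty, malformed or
    mutually inconsistent routing headers are all rejected; nothing is guessed."""
    try:
        peer = ip_address(peer_ip)
    except ValueError:
        raise Rejected("unparseable peer address") from None
    if not any(peer in net for net in TUNNEL_PEERS):
        raise Rejected(f"peer {peer} is not the tunnel connector")

    seen: dict[str, list[str]] = {}
    for name, value in headers:
        seen.setdefault(name.lower(), []).append(value.strip())

    for name in REQUIRED_HEADERS:
        values = seen.get(name, [])
        if len(values) != 1 or not values[0]:
            raise Rejected(f"{name}: expected exactly one non-empty value, got {len(values)}")

    try:
        client_ip = ip_address(seen["cf-connecting-ip"][0])
    except ValueError:
        raise Rejected("cf-connecting-ip is not an IP address") from None

    # If X-Forwarded-For is present as well, its first hop must agree with
    # CF-Connecting-IP. A disagreement is identity ambiguity: reject rather than pick one.
    for xff in seen.get("x-forwarded-for", []):
        first_hop = xff.split(",")[0].strip()
        if first_hop != str(client_ip):
            raise Rejected("x-forwarded-for disagrees with cf-connecting-ip")

    return Identity(client_ip=str(client_ip), ray_id=seen["cf-ray"][0])


def gate(headers, peer_ip: str):
    """Wrapper for a middleware: returns (True, Identity) or (False, reason)."""
    try:
        return True, resolve_identity(headers, peer_ip)
    except Rejected as exc:
        return False, str(exc)


# Constructed requests (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
GOOD_REQUEST = [("CF-Connecting-IP", "203.0.113.7"), ("CF-Ray", "8a1b2c3d4e5f0000-SEA")]
DIRECT_HIT = GOOD_REQUEST            # same headers, but sent straight to the local port
DUPLICATED = GOOD_REQUEST + [("cf-connecting-ip", "198.51.100.9")]
CONFLICTING = GOOD_REQUEST + [("X-Forwarded-For", "198.51.100.9, 203.0.113.7")]
```

`gate(headers, peer_ip)` is the call a FastAPI/ASGI middleware would make before handing the request to the Brain; on `(False, reason)` it should answer with a rejection and log the reason, never fall through to a default identity.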
Identified Threats
- T-01: Economic Tampering
  - Threat: A client attempts to alter the 60/30/10 split by injecting split parameters into the request.
  - Mitigation: Split logic is enforced Brain-side only; the Vault ignores any split parameters supplied by the client.
- T-02: Ingress Spoofing
  - Threat: An attacker bypasses the tunnel and hits the local port directly.
  - Mitigation: The Sentry Perimeter is configured to fail closed: requests without the expected routing headers are rejected.
- T-03: Database Integrity
  - Threat: Concurrent writes or power loss corrupt the ledger.
  - Mitigation: SQLite WAL mode and atomic integer-based math. Validated via the 1M Stress Test.
- T-04: Ingress Reliance
  - Threat: Outage or censorship by the ingress provider (Cloudflare).
  - Mitigation: Accepted risk. Ingress is agnostic; operators may swap to Nginx or wait for P2P.
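T-01 and T-03 together describe one write path: the split is computed Brain-side in integer arithmetic and lands in the Vault as a single atomic transaction, with whatever the client sent for the split ignored. The example below is added here to show that path end to end in Python; it is not the project's Vault code. It assumes amounts are integers in minor units, expresses 60/30/10 in basis points so no floating point is involved, gives the truncation remainder (at most two units) to the first bucket so the parts always sum to the input, and relies on a table CHECK constraint plus a PRIMARY KEY on the request id so that a malformed or replayed write is refused inside the transaction rather than partially applied. Bucket names and the schema are hypothetical.

```python
"""Brain-side 60/30/10 split and an atomic SQLite WAL ledger write (added example, not project code)."""
import os
import sqlite3
import tempfile

# Split expressed in basis points so every step stays in integer arithmetic.
SPLIT_BPS = (6000, 3000, 1000)          # 60 / 30 / 10
BUCKETS = ("a", "b", "c")               # hypothetical bucket names


def split_amount(amount_minor: int) -> tuple[int, int, int]:
    """Brain-side split of an integer amount in minor units. No floats anywhere."""
    if isinstance(amount_minor, bool) or not isinstance(amount_minor, int) or amount_minor < 0:
        raise ValueError("amount must be a non-negative integer in minor units")
    parts = [amount_minor * bps // 10_000 for bps in SPLIT_BPS]
    parts[0] += amount_minor - sum(parts)   # truncation remainder (<= 2 units) to the first bucket
    return tuple(parts)


def open_ledger(path: str) -> sqlite3.Connection:
    """Open the Vault in WAL mode with explicit transactions (isolation_level=None)."""
    conn = sqlite3.connect(path, isolation_level=None, timeout=10)
    conn.execute("PRAGMA journal_mode=WAL")
    conn.execute("PRAGMA synchronous=FULL")  # fsync at commit: an acknowledged write survives power loss
    conn.execute("""CREATE TABLE IF NOT EXISTS ledger (
        request_id TEXT PRIMARY KEY,
        amount INTEGER NOT NULL CHECK (amount >= 0),
        a INTEGER NOT NULL, b INTEGER NOT NULL, c INTEGER NOT NULL,
        CHECK (a + b + c = amount))""")
    conn.execute("""CREATE TABLE IF NOT EXISTS balances (
        bucket TEXT PRIMARY KEY, minor INTEGER NOT NULL CHECK (minor >= 0))""")
    conn.executemany("INSERT OR IGNORE INTO balances VALUES (?, 0)", [(b,) for b in BUCKETS])
    return conn


def record_payment(conn: sqlite3.Connection, request_id: str, amount_minor: int,
                   client_split=None) -> tuple[int, int, int]:
    """Record one payment. client_split is accepted only to make the point that it is ignored."""
    parts = split_amount(amount_minor)      # computed here, never taken from the request
    conn.execute("BEGIN IMMEDIATE")         # take the write lock now; WAL lets readers continue
    try:
        conn.execute("INSERT INTO ledger VALUES (?, ?, ?, ?, ?)", (request_id, amount_minor, *parts))
        for bucket, part in zip(BUCKETS, parts):
            conn.execute("UPDATE balances SET minor = minor + ? WHERE bucket = ?", (part, bucket))
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")            # nothing from this request reaches the ledger
        raise
    return parts


def balances(conn: sqlite3.Connection) -> dict:
    return dict(conn.execute("SELECT bucket, minor FROM balances ORDER BY bucket"))


def demo() -> dict:
    """Constructed walk-through: one payment with a hostile client split, then a replay."""
    workdir = tempfile.mkdtemp(prefix="vault-")
    conn = open_ledger(os.path.join(workdir, "vault.sqlite"))
    out = {"journal_mode": conn.execute("PRAGMA journal_mode").fetchone()[0]}
    out["parts"] = record_payment(conn, "req-0001", 1001, client_split=(0, 0, 10_000))
    try:
        record_payment(conn, "req-0001", 1001)   # replay of the same request id
        out["replay_rejected"] = False
    except sqlite3.IntegrityError:
        out["replay_rejected"] = True
    out["balances"] = balances(conn)
    conn.close()
    return out
```

`BEGIN IMMEDIATE` is what serialises concurrent writers: a second process that tries to write waits on the lock (up to `timeout`) instead of interleaving with a half-applied transaction, while WAL keeps readers off the writer's lock. The CHECK (a + b + c = amount) constraint is a cheap invariant that turns any future arithmetic bug into a refused write rather than a silently drifting ledger.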
Boundary Conditions
- The Insider Threat: Malicious node operators are out of scope. The operator is the "Root of Trust" for their own local data.
- Adversarial Anonymity: Phase 1.4.0 focuses on state correctness, not on hiding the node's IP address from state-level actors.
Security Properties Verification
| Property | Mechanism | Status |
|---|---|---|
| Ledger Integrity | 1M Stress Test / WAL | ✅ Verified |
| Crash Resilience | ACID Transactions | ✅ Verified |
| Fail-Closed | Sentry Identity Resolution | ✅ Verified |
| Crypto-Identity | peaq/IoTeX Adapters | 🚧 In Progress |