Security Model
What this page is
Stigmem's security model rests on five primitives that compose into the full trust story: scopes, signing, federation trust, source attestation, and capability tokens. Each is a small, well-defined piece — the strength of the model is in how they fit together.
Scopes — the visibility boundary
Every fact is written with one of four scopes.
localteamcompanyPeerDeclaration explicitly includes "company" in allowed_scopes.publicScope enforcement is read- AND write-time.
A misconfigured peer cannot escalate team facts to
public because the scope is checked before the fact is
admitted to the federation pipeline. See Spec-02-Scopes-and-ACL for
the normative spec.
Signing — Ed25519 over every cross-node payload
Every node publishes a federation_pubkey at /.well-known/stigmem.
Cross-node primitives are signed with the corresponding private key.
Key rotation uses a dual-trust window — the previous and current keys are both accepted for a configurable overlap, then the previous key is revoked via the transparency log.
Federation trust — quarantine and source-trust scoring
Each cross-org write is admitted via a source-trust score
t ∈ [0,1] derived from identity strength, peer history, scope
authority, and attestation mode. Effective confidence at recall time
is confidence × t.
Low-trust facts land in a quarantine garden.
Itself a Memory Garden (Spec-02-Scopes-and-ACL) with admin-only ACL
— operators triage, accept, or reject quarantined writes from a
single dashboard. Facts also accumulate
derived_from: [fact_hash...] and
attestation_chain: [signature...] for tamper-evident
audit.
See Federation Trust for the operator runbook.
Source attestation — binding writes to identities
Source Attestation (Spec-X6-Source-Attestation) binds an entity_uri
to an API key so every fact written by that key carries a verifiable
attested field.
enforcewarnoffAttestation is the trust anchor for the connector ecosystem: third-party integrations write under their own attested identity, and the curator dashboard can filter or quarantine by attestation.
Capability tokens — explicit, short-lived authority
Writing scope S on a peer node requires a short-lived capability
token signed by the scope owner. Each capability carries an
explicit subject + verb + object plus an expiry. Capabilities are
revocable via the transparency log, and the receiving node verifies
the chain at admission time.
Cross-org writes are authorized, not just authenticated.
A leaked capability has a bounded blast radius (the verb/object pair) and a bounded lifetime (the expiry).
How it fits together
A typical write path under the full security model.
- The agent obtains a capability token from the scope owner (e.g.
subject: agent:writer-bot,verb: assert,object: scope:public:project:loom,exp: now+5m). - The agent signs the request with its API key.
- The receiving node verifies (a) the API-key signature, (b) the capability chain, (c) the source-trust score against the current threshold, and (d) the scope rules.
- If trust ≥ threshold, the fact enters the canonical store with an
attestedchain. - If trust < threshold, the fact lands in the quarantine garden for admin review.
- At recall time, effective confidence is
confidence × tso low-trust facts are de-ranked even after admission.