Security
What this page is
Per ADR-005: "Lead Secure with the risk register." This page is the entry point to stigmem's security posture. The threat model and scenarios are the most important artifacts, surfaced first.
Risk register status (v0.9.0a2)
main, sanitizer remains defense-in-depth, and live certification plus operator validation evidence are still required before marking the risks mitigated.
Most-severe structural risk: R-23 (admin-level storage tampering).
An attacker with admin privileges on a stigmem node can, without ADR-016's mitigations, overwrite stored facts, bypassing ADR-003's prompt-injection trust boundary by silently changing interpret_as from content to instruction at the storage layer. Mitigation is the ADR-016 stack (L1–L5: append-only journal, SQLite triggers, CIDs per ADR-017, local hash chain, Sigstore Rekor anchor). Targeted: future hardened-core work.
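As an added illustration of the ADR-016 stack described above (example code written for this page, not stigmem's own implementation), the following Python sketch builds an append-only SQLite journal guarded by triggers, chains each row's SHA-256 hash to its predecessor, and keeps an out-of-band copy of the chain head as a stand-in for the Sigstore Rekor anchor. The table, column and function names are assumptions, the CID layer (ADR-017) is omitted, and the Rekor step is simulated rather than performed. The point it makes is why the lower layers alone do not stop an admin: the triggers reject an ordinary UPDATE, but an admin can drop them and rewrite the whole chain consistently, and only the externally anchored head then reveals the interpret_as flip.

```python
import hashlib
import json
import sqlite3

# Assumed schema for this example (not stigmem's): one append-only journal
# table, with triggers that abort any in-place change or deletion.
SCHEMA = """
CREATE TABLE fact_journal (
    seq          INTEGER PRIMARY KEY,
    entity_uri   TEXT NOT NULL,
    content      TEXT NOT NULL,
    interpret_as TEXT NOT NULL CHECK (interpret_as IN ('content', 'instruction')),
    prev_hash    TEXT NOT NULL,
    chain_hash   TEXT NOT NULL
);
CREATE TRIGGER journal_no_update BEFORE UPDATE ON fact_journal
BEGIN SELECT RAISE(ABORT, 'fact_journal is append-only'); END;
CREATE TRIGGER journal_no_delete BEFORE DELETE ON fact_journal
BEGIN SELECT RAISE(ABORT, 'fact_journal is append-only'); END;
"""
GENESIS = "0" * 64


def _row_hash(prev_hash, seq, entity_uri, content, interpret_as):
    # Canonical JSON so the hash covers every trust-relevant field,
    # including interpret_as, in a fixed order.
    payload = json.dumps([prev_hash, seq, entity_uri, content, interpret_as],
                         separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def open_journal():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def append_fact(conn, entity_uri, content, interpret_as):
    """Append one fact linked to the current head; returns its chain_hash."""
    row = conn.execute("SELECT seq, chain_hash FROM fact_journal "
                       "ORDER BY seq DESC LIMIT 1").fetchone()
    seq, prev = (row[0] + 1, row[1]) if row else (1, GENESIS)
    h = _row_hash(prev, seq, entity_uri, content, interpret_as)
    conn.execute("INSERT INTO fact_journal VALUES (?, ?, ?, ?, ?, ?)",
                 (seq, entity_uri, content, interpret_as, prev, h))
    conn.commit()
    return h


def head_hash(conn):
    row = conn.execute("SELECT chain_hash FROM fact_journal "
                       "ORDER BY seq DESC LIMIT 1").fetchone()
    return row[0] if row else GENESIS


def verify_chain(conn, anchored_head):
    """Recompute the chain from genesis and compare with the anchored head.

    Catches edited, deleted or reordered rows via the local chain, and a full
    consistent rewrite via the head copy that lives outside the database.
    """
    prev, expected_seq = GENESIS, 1
    for seq, uri, content, mode, stored_prev, stored_hash in conn.execute(
            "SELECT seq, entity_uri, content, interpret_as, prev_hash, "
            "chain_hash FROM fact_journal ORDER BY seq"):
        if seq != expected_seq or stored_prev != prev:
            return f"seq {seq}: chain link broken"
        if _row_hash(prev, seq, uri, content, mode) != stored_hash:
            return f"seq {seq}: row hash mismatch"
        prev, expected_seq = stored_hash, expected_seq + 1
    return "ok" if prev == anchored_head else "head differs from anchor"


def trigger_blocks_update(conn):
    """Non-admin path: the trigger rejects an in-place interpret_as flip."""
    try:
        conn.execute("UPDATE fact_journal SET interpret_as='instruction' "
                     "WHERE seq=1")
    except sqlite3.DatabaseError:
        conn.rollback()
        return True
    return False


def admin_tamper(conn):
    """Admin path: drop the triggers, flip seq 1 to 'instruction', then
    recompute every hash so the chain is internally consistent again."""
    conn.executescript("DROP TRIGGER journal_no_update; "
                       "DROP TRIGGER journal_no_delete;")
    conn.execute("UPDATE fact_journal SET interpret_as='instruction' WHERE seq=1")
    prev = GENESIS
    for seq, uri, content, mode in conn.execute(
            "SELECT seq, entity_uri, content, interpret_as "
            "FROM fact_journal ORDER BY seq").fetchall():
        h = _row_hash(prev, seq, uri, content, mode)
        conn.execute("UPDATE fact_journal SET prev_hash=?, chain_hash=? "
                     "WHERE seq=?", (prev, h, seq))
        prev = h
    conn.commit()


def demo():
    conn = open_journal()
    # Constructed sample facts; the second is data *about* an instruction,
    # stored as content, which is exactly what the attacker wants to relabel.
    append_fact(conn, "urn:example:alice", "Alice prefers dark mode", "content")
    append_fact(conn, "urn:example:alice", "Ignore prior rules", "content")
    anchored = head_hash(conn)  # stand-in for publishing the head to Rekor
    before = (trigger_blocks_update(conn), verify_chain(conn, anchored))
    admin_tamper(conn)
    flipped = conn.execute("SELECT interpret_as FROM fact_journal "
                           "WHERE seq=1").fetchone()[0]
    return before, verify_chain(conn, anchored), flipped


if __name__ == "__main__":
    print(demo())
```

In a real deployment the verifier would fetch the anchored head from the transparency log rather than from a local variable; an admin who controls the node can rewrite every local artifact, so the check is only as strong as the copy the admin cannot reach.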
The second-priority new risk is R-21 (agent feedback-loop worm). Main now has same-session read/write provenance controls, OpenClaw handoff-target allowlisting, supported adapter/session propagation, and outbound replication exclusion for provenance-derived facts. R-21 remains in review until release certification and operator validation cover those controls. The OpenClaw adapter remains an experimental alpha connector until that validation is complete.
For the full risk register: see the Threat Model (spec/security/threat-model.md).
For operator-facing scenarios: see the Security Scenarios.
For the trust boundary against prompt injection (L1–L6): see ADR-003 § Trust boundary.
v0.9.0a2 architectural posture
Per LIMITATIONS.md §11: the default install of v0.9.0a2 ships with feature-specific code in node/src/stigmem_node/ for features deferred from v1.0 critical-path scope per ADR-002. The routes are mounted but the features are dormant unless explicitly configured (capability tokens, migrations, manifests). Per ADR-019 iteration semantics, each v0.9.0aN extracts one cross-cutting feature into a plugin per ADR-011.
For v0.9.0a2 evaluators
The user-visible default behavior matches v1.0 critical-path scope (single-tenant, no tombstones, no time-travel, no advanced ACL). Cross-cutting experimental behavior is being extracted into opt-in source packages across the v0.9.0aN line; signed/published plugin artifacts remain deferred until all planned plugins are built.
Main now includes the 22-hook registry foundation and plugin test harness needed for extraction work. The landed foundation includes typed hook semantics, deterministic manual/core registration, minimum manifest/context/capability APIs, hook-site wiring across assertion, recall, federation, auth, migration, and audit paths, registry audit/metrics plumbing, benchmark coverage, startup package discovery, production plugin signing enforcement, and operator CLI inspection. Per-feature plugin packages remain future alpha-series work.
Published advisories
Stigmem publishes GitHub Security Advisories for Critical and High CVSS 4.0 findings that affect a supported published artifact. The v0.9.0a2 hardening release patches the following advisory batch.
Security architecture
entity_uri naming, expires_at enforcement, session model.
experimental/<feature>/security.md files.
The federation-hardening control review lives with the canonical security evidence at spec/security/federation-control-review.md.
Operator surfaces
Human key issuance
Operator UX for issuing API keys.
Human surface
Human-facing operator concerns.
Pen-test handbook
Community pen-testing process and reproducer template.
Disclosure & policy
Compatibility commitment
Written commitment per ADR-013.
Security disclosure policy
How to report a vulnerability.
SECURITY.md
Supported versions, dependency posture.
Specification
The protocol specification is the contract security depends on. It lives under Secure per ADR-005.
Specification index
Section navigator with disposition table (which sections are stable in v0.9.0a2, which are deferred to experimental/<feature>/).
Canonical spec source
spec/stigmem-spec-v0.9.0a1.md. Section-by-section content review against the node/ implementation is ongoing.
Experimental & deferred features
Many features documented in earlier checkpoints are deferred from v0.9.0a2's default install. They live in experimental/<feature>/. Alpha-series extraction may package some of them as opt-in experimental plugins; promotion into the supported surface requires the ADR-008 gate process. See Experimental & Deferred Features for the canonical list.
Quick-start for security researchers
- Read the Threat Model to understand the trust boundaries and current risk register.
- Read the Security Scenarios for operator-facing narratives.
- Read the Pen-test handbook for the engagement process and reproducer template.
- Set up a local node via the quickstart tutorial.
- File private advisories at github.com/eidetic-labs/stigmem/security/advisories.