Threat model

Status: stub. Day 5 deliverable.

WOS’s threat model is published in full so customers’ security teams don’t have to reverse-engineer it from the runtime behavior.

Categories addressed in this document (forthcoming):

  • Supply-chain. Sigstore-signed CLI, SBOM published per release, cosign verification recipe.
  • Edge. L−1 plane R1–R6 (rate-limit, body-size, anonymous-block, WAF, ASN reputation, geo).
  • Compiler bombs. §5.1 hard limits + 5,000 ms CPU budget.
  • Key compromise. Shamir 3-of-5 distributed across four jurisdictions and one cross-cloud HSM.
  • Audit log integrity. R2-First WAL + Merkle + OpenTimestamps — any tampering is detectable from the daily Bitcoin anchor alone.
  • Insider. L4 overrides are immutable, signed, and counted against a public budget. Excessive overrides trip a tenant-visible alarm.