What fd0 defends. What it leaves to you.

Each threat T## is catalogued with status, mitigation, and a code reference. A representative slice below; the full catalogue lives in docs/THREATS.md.

| ID | Threat | Mitigation | Status |
|---|---|---|---|
| T03 | Server reads secret plaintext | Every secret is AEAD-sealed under the per-scope OEK before it reaches the server. Server-side decryption is impossible: there is no decryption code path. | mitigated |
| T07 | Removed member decrypts post-removal writes | The OEK rotates atomically on scope.remove-member. Subsequent secret.set events are sealed under the new OEK, which the removed card cannot unwrap. | mitigated |
| T12 | Server forges a chain event | Every event is signed by the author's super_priv over fd0-event-v1. The server has no signing capability for member identities. | mitigated |
| T15 | YubiKey slot 9d compromise | X25519 ECDH happens on-card; the slot private key is never exposed. Touch and PIN policies are enforced per unwrap. Recovering the key from a lost physical card would require firmware-level extraction, which is not in scope. | mitigated |
| T22 | Vault file stolen at rest | The vault body is AEAD-sealed under a payload key that is wrapped to each auth method's key. Offline brute-force resistance depends on the strongest enrolled method (passphrase entropy or YubiKey PIN+touch). | mitigated |
| T35 | Server equivocates (forks the log) | Independent witness cosignature plus first-contact pinning. Detected by any client that compares STHs with peers or with the witness archive. | mitigated |
| T41 | Witness host compromised | A single-witness deployment provides single-point detection. A group-managed witness consortium is on the roadmap. A silently compromised witness reduces detection but does not enable decryption. | accepted |
| T46 | Vault and chain files rolled back together | Coordinated client-side rollback of both vault.enc and ~/.fd0/chains/ is explicitly out of scope; documented in docs/PROTOCOL.md §6.4. | accepted |
| T52 | Operator coerces a client to publish | Outside the cryptographic threat model. Physical security, jurisdiction, and operational controls are left to the deploying organisation. | accepted |

The threat-coverage tool (go run ./tools/threat-coverage) cross-references every T## with a code annotation; CI fails if a mitigated threat loses its code reference.
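A minimal coverage check of the kind described above, added here as an illustration and not fd0's own tools/threat-coverage. The catalogue row format (`T03 | title | status`) and the source annotation marker (`// threat: T03`) are assumed placeholders, since the page does not show fd0's real syntax.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Assumed formats (placeholders, not fd0's real syntax): a catalogue row looks like
// "T03 | title | mitigated" and a code annotation is a comment "// threat: T03".
var rowRe = regexp.MustCompile(`^(T\d{2})\s*\|.*\|\s*(mitigated|accepted)\s*$`)
var annotRe = regexp.MustCompile(`//\s*threat:\s*(T\d{2})\b`)
// ParseCatalogue maps each T## to its status, skipping lines that are not rows.
func ParseCatalogue(text string) map[string]string {
	status := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		if m := rowRe.FindStringSubmatch(strings.TrimSpace(line)); m != nil {
			status[m[1]] = m[2]
		}
	}
	return status
}
// CollectAnnotations maps each annotated T## to the source files that reference it.
func CollectAnnotations(sources map[string]string) map[string][]string {
	refs := map[string][]string{}
	for path, src := range sources {
		for _, m := range annotRe.FindAllStringSubmatch(src, -1) {
			refs[m[1]] = append(refs[m[1]], path)
		}
	}
	return refs
}
// UncoveredMitigated returns, sorted, every mitigated threat with no code reference
// (accepted threats need none); a non-empty result is what should fail CI.
func UncoveredMitigated(status map[string]string, refs map[string][]string) []string {
	var missing []string
	for id, s := range status {
		if s == "mitigated" && len(refs[id]) == 0 {
			missing = append(missing, id)
		}
	}
	sort.Strings(missing)
	return missing
}
func main() {
	// Constructed inputs: T07 is mitigated but no source file references it.
	catalogue := "T03 | Server reads secret plaintext | mitigated\nT07 | Removed member decrypts post-removal writes | mitigated\nT41 | Witness host compromised | accepted\n"
	sources := map[string]string{"seal.go": "// threat: T03\nfunc seal() {}\n"}
	fmt.Println("mitigated threats without a code reference:", UncoveredMitigated(ParseCatalogue(catalogue), CollectAnnotations(sources)))
}
```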