Parent epic: #155
Deliver docs/security/threat-model.md per E19's (#155) outline. Cross-linked from SECURITY.md (S19.03).
Content
- Library scope: what it does (RFC 5424/5426/6587/5425 formatting + transport) and does not (aggregation, storage, analysis, PII handling).
- Trust boundaries: inside (library, caller, host process) vs outside (network, receiver, log storage); where attacker control starts.
- Caller obligations: pre-resolved IPs for UDP; mTLS cert provisioning/validation per RFC 5425; log-content correctness; buffer sizing via the MAX_SIZE tunables; lifecycle management.
- Protected against: malformed caller inputs (MISRA posture, no overflow by construction); network tampering (TLS); replay/eavesdropping (mTLS).
- Not protected against: compromised calling process; side channels (timing/cache); crypto attacks on the underlying TLS impl; network DoS; log-content confidentiality.
- Residual risks: non-constant-time formatting; library does not enforce max message size against the caller.
- Threat actors: in scope — network MITM, passive eavesdroppers, malicious calling code (defends invariants where feasible); out of scope — physical attackers, nation-state exploitation of underlying TLS/OS.
- Review policy: living document; reviewed when architecture changes (new transport, field type, platform).
Acceptance
docs/security/threat-model.md present and linked from SECURITY.md.
Parent epic: #155
Deliver
docs/security/threat-model.mdper E19's (#155) outline. Cross-linked fromSECURITY.md(S19.03).Content
Acceptance
docs/security/threat-model.mdpresent and linked from SECURITY.md.