Weight encryption

[kylemcdonald]

The weights are publicly available here on GitHub, so there is no danger of them "leaking".

And the connection between the user and the client is encrypted over SSL.

If the weights can be used on the client, they can be copied by the client. If this is an attempt at some kind of DRM you should know that this will not work.

What is the threat model that the weight encryption is solving?

[bauratynov]

Hey @kylemcdonald — you're right and the README oversells it. Let me lay out the actual threat model so we agree on what this does and doesn't do.

What weight encryption is not:

• It's not DRM. Anyone with a debugger and 30 minutes can dump the decrypted ONNX bytes out of the WebAssembly heap after the WebCrypto decrypt() call. Mentioned in the wiki page but should be louder in the README.
• It's not a cryptographic boundary against a motivated reverse-engineer.
• It's not a substitute for server-side inference if you genuinely cannot afford the weights to leak.

What it actually does:

1. Stops casual extraction via DevTools → Network → "Save as". The most common path for someone to walk away with a model is a one-click download of the .onnx URL. Serving .enc blocks that without any per-customer infra.
2. Decouples model distribution from key distribution. Models can be cached on a CDN (cheap, fast). Keys come from a tiny authed endpoint (/api/model-key) — that endpoint is the only thing you need to revoke/rate-limit/audit per customer.
3. Per-customer key wrapping for licensing. With AES-KEYWRAP under a master, you can wrap the same model key under each customer key and stop serving a specific customer's wrap when their subscription ends. They can still use what they cached, but they can't get the next model release.
4. Audit trail signal. Every /api/model-key call is one row in your log with a customer ID, timestamp, IP. If a key shows up scraped, you know which customer leaked it.

When to use it:

• Browser SaaS where you ship the same model to many tenants and want one of: (a) friction against casual scraping, (b) ability to cut off specific tenants, (c) audit of model access.

When NOT to use it:

• You genuinely cannot afford the model bytes to leave your servers → server-side inference is the only honest answer.
• You're shipping a single open-source release to anonymous users → just ship the plain ONNX, the encryption is theater.

The current demo is in the second bucket so the encryption there is mostly a demonstration. The real value of tools/encrypt_models.py + the WebCrypto handoff in the demo HTML is as a copy-paste recipe for customers who do have a multi-tenant SaaS — the wiki Encrypted Weights page has the Express / FastAPI examples for that path.

Will tone down the README to make this distinction explicit. Thanks for pushing on it.