-
Notifications
You must be signed in to change notification settings - Fork 0
Security Privacy and Reliability
James Daley edited this page Apr 25, 2026
·
3 revisions
Forsetti's security model is based on explicit capabilities, host-owned services, entitlement gates, and bounded module communication.
flowchart LR
Module["Module"] --> Context["ForsettiContext"]
Context --> Services["Host-owned services"]
Context --> EventBus["Event bus"]
Context --> Logger["Logger"]
Context --> Router["Overlay router"]
Host["Host app"] --> Policy["Capability and entitlement policy"]
Policy --> Runtime["Runtime activation"]
Runtime --> Module
Modules are not trusted with arbitrary host access. They receive the capabilities and services the host chooses to expose.
| Area | Practice |
|---|---|
| Capabilities | Request only the capabilities the module actually needs. |
| Entitlements | Treat iapProductID as activation policy, not display state. |
| Services | Resolve protocols from ForsettiContext; do not reach into host internals. |
| Secure storage | Replace InMemorySecureStorageService with a production secure store when persistence is required. |
| Events | Avoid sensitive payloads in broad framework events. |
| Logging | Do not log secrets, purchase tokens, or user-sensitive data. |
flowchart TD
Event["Module event or telemetry"] --> Review{"Contains user-sensitive data?"}
Review -- yes --> Minimize["Remove or minimize payload"]
Review -- no --> Policy{"Host telemetry policy allows it?"}
Minimize --> Policy
Policy -- yes --> Track["Track through TelemetryService"]
Policy -- no --> Drop["Do not emit"]
Telemetry is a host-owned decision. Modules should describe intent through service protocols and avoid embedding analytics vendors.
| Concern | Guidance |
|---|---|
| Cold start | Keep manifests small and module start(context:) fast. |
| Large module counts | Prefer service modules for shared background work and keep UI module discovery deterministic. |
| Offline entitlements | StoreKit can use local entitlement state; design paid modules to handle temporary refresh delays. |
| Activation failures | Fail before start(context:) when compatibility or entitlements are invalid. |
| Deactivation | Implement stop(context:) idempotently and release module-owned resources. |
| UI composition | Keep view injection slots stable and avoid expensive work during surface rebuilds. |
flowchart LR
Manifest["Manifest"] --> EarlyFail["Early compatibility failure"]
Entitlement["Entitlement"] --> EarlyFail
Registry["Registry"] --> Start["start(context)"]
Start --> Success["Active module"]
Start --> Failure["Rollback and log"]
Success --> EntitlementChange["Entitlement change"]
EntitlementChange --> Reconcile["Deactivate if no longer unlocked"]
- Capability list reviewed for each module.
- Entitlement provider is production-appropriate for the target platform.
- Debug unlock providers are not used in release builds.
- Sensitive services are host-owned and backed by production storage.
- Module
start(context:)andstop(context:)are idempotent. - Logs avoid user-sensitive payloads.
- Runtime failure paths have tests.