docs: close DESIGN.md gaps — layout, levels, process hardening, bridge, cache#66
Merged
jgowdy-godaddy merged 2 commits intomainfrom Apr 17, 2026
Merged
docs: close DESIGN.md gaps — layout, levels, process hardening, bridge, cache#66jgowdy-godaddy merged 2 commits intomainfrom
jgowdy-godaddy merged 2 commits intomainfrom
Conversation
…e, cache Sweep of DESIGN.md against the code on main: - Workspace layout diagram was missing enclaveapp-app-adapter, enclaveapp-cache, enclaveapp-tpm-bridge, enclaveapp-build-support. Added. - 'Three integration types' while the following paragraphs define four. Fixed; Type 4 (CredentialSource) was already described. - Level 5 'Linux musl plaintext' shown as a production backend on two security-level tables. Actually the only plaintext backend is enclaveapp-test-software (explicitly marked 'NOT for production'), and CLAUDE.md states musl is not supported. Tables now show Level 4 as the terminal glibc-keyring row and reference the test-only crate as an unnumbered out-of-band entry. - 'macOS signed vs. unsigned' section described an auto-detecting two-path runtime that doesn't exist. There is one code path; SE is always in it; Path 1 (entitled) is deferred per fix-macos.md. Rewrote as 'macOS path in practice (signed and unsigned)' framed around Keychain prompt UX. New sections documenting features that were in code but not in DESIGN: - Process hardening (harden_process, PR_SET_DUMPABLE, PR_SET_NO_NEW_PRIVS, RLIMIT_CORE=0, mlock_buffer). - Shared infrastructure crates (app-adapter, cache, tpm-bridge, build-support). - WSL bridge discovery (fixed paths only; PATH fallback was removed; 64 KB cap; ENCLAVEAPP_BRIDGE_TIMEOUT_SECS; BridgeSession::Drop). - Credential cache file tamper (consumer-layer max(header, config) mitigation; AAD binding deferred). Consumer mapping table expanded with shipped binary names, including gitenc and npxenc which were previously invisible.
# Conflicts: # DESIGN.md
jgowdy-godaddy
pushed a commit
that referenced
this pull request
Apr 17, 2026
Resolves conflicts where origin/main's #66/#67 docs PRs touched the same DESIGN.md/THREAT_MODEL.md regions I rewrote for the hardening pass. Our side supersedes — the new sections already include all of main's refinements plus the envelope, HMAC sidecar, Windows mitigations, SecretRead, env-scrub, bridge mutex, and Authenticode notes. fix-macos.md: accept main's deletion (#67 folded the findings into THREAT_MODEL.md).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Audit of DESIGN.md against the code on main identified several gaps and two stale claims:
Stale claims corrected
New sections documenting features that were in code but absent from DESIGN
Consumer mapping expanded
Now shows shipped binaries per consumer, so `gitenc` and `npxenc` are no longer invisible.
Test plan