# Threat Model

This document defines what SilverMetal defends against, what it does not, and how those choices flow through the rest of our design. We state this honestly so users can judge whether SilverMetal fits their situation.

## Who we defend

The primary user we design for is someone whose threat surface includes **one or more** of:

- **Pervasive commercial surveillance** — telemetry, advertising graphs, data brokers, behavioural tracking
- **Targeted commercial spyware** — stalkerware, off-the-shelf monitoring tools, opportunistic malware
- **Capable adversaries with lawful access** — search warrants, border seizures, civil discovery
- **Capable adversaries without lawful access (within reason)** — sophisticated criminal operations, opportunistic state-actor campaigns, supply-chain compromise
- **Coercion / duress** — physical compromise of the user (border crossing, mugging, kidnap)

We **do not** claim to defend against:

- A **dedicated, well-resourced state actor** specifically targeting one user (this is essentially undefendable on commodity hardware; if that's your threat model, talk to a specialist directly)
- **Endpoint compromise the user invites** — installing arbitrary software, sharing passwords, social engineering
- **Hardware implants installed before the user takes possession** — we mitigate via reproducible builds and hardware verification but cannot eliminate

## Adversary capabilities we assume

| Capability | Assumed? | Mitigation |
|---|---|---|
| Network observation (ISP, transit, Wi-Fi sniffing) | Yes | TLS everywhere; SilverVPN default-on; encrypted DNS |
| Subpoena to an upstream service (Google, Apple, ISP) | Yes | We don't depend on those services for sync, comms, or identity |
| Subpoena to SilverLABS itself | Yes | Minimum-data architecture: account numbers not emails; client-side encryption; no log retention beyond what's operationally required |
| Physical seizure of device, powered off | Yes | LUKS2 + Argon2id, TPM2-bound, BitLocker enforced, FileVault enforced |
| Physical seizure of device, powered on / unlocked | Partial | Lockdown Mode (Apple), screen lock policies, SilverDuress (v1.1) |
| Coerced unlock at border / by adversary | Partial | SilverDuress (v1.1) provides duress password / panic-wipe; iOS limited to OS primitives |
| Sophisticated remote exploitation (NSO-class) | No (honest) | Lockdown Mode where available, hardened kernels where we control them, but commodity-platform exploit chains exist for every OS |
| Supply-chain compromise of upstream packages | Partial | Reproducible builds, signed packages, SBOM published; cannot fully eliminate |
| Hardware implant / interdiction | Partial | Coreboot on supported laptops, sealed packaging, TPM measured boot; not a solved problem |

## What "hardened" means per platform

We ship the strongest hardening each platform physically allows. This varies and we are honest about it:

- **Linux**: full kernel-level hardening (KSPP, hardened_malloc, AppArmor strict, verified boot we control)
- **Android (Pixel)**: GrapheneOS-tier hardening (verified boot, hardened kernel, full app sandboxing)
- **Android (other)**: variable — see [`platform-matrix.md`](platform-matrix.md)
- **Windows**: configuration-layer hardening only — closed kernel, no developer-controlled verified boot, no extensible MAC framework. We turn every dial Microsoft exposes; we cannot turn dials they don't expose
- **macOS**: configuration-layer hardening + Lockdown Mode + FileVault enforcement; we cannot modify XNU
- **iOS**: profile-layer only; weakest tier in the family, labelled as such

The buyer-facing pros/cons table in [`platform-matrix.md`](platform-matrix.md) makes this explicit so users choose with eyes open.

## Trust roots

A SilverMetal user trusts:

1. **SilverLABS** — to ship what we say we ship. Mitigated by reproducible builds, published signing keys, open source clients, and SBOMs
2. **The platform vendor** of any closed platform (Microsoft / Apple) — we cannot escape this on Windows / macOS / iOS, and we say so
3. **Their hardware** — Coreboot SKUs reduce this; commodity hardware does not eliminate it
4. **Themselves** — to not negate the protections (installing arbitrary software, disabling SilverVPN, sharing devices)

If you cannot trust SilverLABS, our open source code + reproducible builds let you verify what we ship matches what we publish.

## Out-of-scope by design

- **Anonymity** is not the default goal — that's a Tor / Whonix-class product. SilverMetal targets *privacy*, *integrity*, and *confidentiality*. A Tor-by-default sibling product may follow.
- **Disposable / amnesic-by-default** is not the v1 default — Linux v1 has an optional amnesic session mode, but the product assumes a persistent device.
- **Offline-only / air-gapped operation** is not a target — SilverSync and SilverVPN both depend on network connectivity, with graceful offline degradation.

## Living document

This threat model is updated when the product scope changes or when new attacker capabilities become broadly relevant. Version history lives in git; substantive changes are called out in release notes.