# Threat Model

## Trust Model v1

- **Keys**: generated or imported through vetted sources; the library attempts to zeroise secrets after use but assumes applications keep keys confidential.
- **Randomness**: relies on the operating system's CSPRNG; deployments must ensure sufficient entropy.
- **KDF parameters**: conservative defaults are provided; tuning is bounded by documented ranges.
- **Padding choices**: authenticated modes are preferred; explicit padding helpers validate lengths.
- **Configuration surface**: minimal knobs to reduce foot-guns; unsafe switches require explicit opt-in.

## Misuse-Resistance Principles

### Must

- Provide safe defaults for all cryptographic parameters.
- Fail closed on invalid or missing parameters.
- Emit clear warnings when leaving secure operating envelopes.

### Should

- Offer contextual documentation and hints.
- Encourage composition patterns that avoid nonce and key reuse.

## Abuser Stories

- **Developer reuses a nonce**: high-level APIs auto-generate nonces and track uniqueness.
- **Developer picks trivial KDF iterations**: recipes lock in conservative iteration counts; core validates minimums.
- **Developer encrypts with password only**: APIs require explicit opt-in for weak schemes and warn about low entropy.
- **Developer transmits unpadded data**: recipes default to authenticated modes; padding helpers in core verify lengths.