# Threat model (draft)

## Assets to protect

- host filesystem and secrets
- network access and credentials
- tool side effects (writes, API calls, deletes)
- user data and memory stores
- audit and provenance integrity

## Adversaries / failure modes

- prompt injection (from user input, retrieved content or tool output) leading to unsafe tool usage
- malicious or compromised tool plugins
- hallucinated or forged tool outputs (the model inventing a result, or a tool returning a fabricated one)
- data exfiltration via tool channels (e.g. file contents smuggled into a URL, API call or write)
- runaway cost due to repeated retries or loops

## Strategy

- least authority via capabilities: each tool call carries only the permissions it needs, scoped to specific resources
- isolation domains for tool execution, so a misused or compromised tool cannot reach outside its domain
- a policy gate in front of every side effect (write, API call, delete) that decides whether the effect may proceed
- provenance for every tool call and memory commit, so the audit trail can be verified and each memory traced to the tool output it came from
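As an added example of how the four strategy items fit together (this is illustrative code, not the project's own), the dispatcher below hands each agent session a set of capabilities (tool name plus a path or host scope), confines filesystem tools to a root directory, routes every side effect through a policy gate, and chains every tool call and memory commit into a hash-linked provenance log. It also applies a hard call budget so a denied-and-retried loop cannot run up cost. The tool names (`fs_read`, `fs_write`, `fs_delete`, `http_get`), the scopes, the allowlist and the in-memory fake filesystem are all assumptions made for the example.

```python
"""Capability-scoped tool dispatcher: capabilities for least authority, a lexically
confined filesystem domain, a policy gate in front of side effects, a hash-chained
provenance log over tool calls and memory commits, and a call budget against runaway
loops. Added example; tool names, scopes and policy are assumptions, not the project's."""
import hashlib, json, posixpath

SIDE_EFFECTS = {"write", "delete", "network"}
GENESIS = "0" * 64

def sha(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()

def covers(scope: str, resource: str) -> bool:
    # Exact match or component boundary only: plain startswith() would let
    # "/work" cover "/workspace" and "api.example.com" cover "api.example.com.evil".
    return resource == scope or resource.startswith(scope.rstrip("/") + "/")

def confine(root: str, path: str):
    # Isolation domain for filesystem tools: lexical normalisation defeats "..".
    # Symlinks and mounts are not checked here; a real sandbox must pin those too.
    norm = posixpath.normpath(path)
    return norm if covers(root, norm) else None

def gate(tool: str, effect: str, resource: str, caps, allowlist, approved: bool) -> str:
    # Policy gate: reads need a covering capability; side effects also need the
    # resource on an explicit allowlist; deletes always need an approval flag.
    if not any(t == tool and covers(scope, resource) for t, scope in caps):
        return "deny:no-capability"
    if effect in SIDE_EFFECTS and not any(covers(s, resource) for s in allowlist):
        return "deny:side-effect-not-allowlisted"
    if effect == "delete" and not approved:
        return "deny:needs-approval"
    return "allow"

class ProvenanceLog:
    def __init__(self):
        self.entries = []

    def record(self, **fields) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev": prev, **fields}
        self.entries.append({**body, "hash": sha(json.dumps(body, sort_keys=True))})
        return self.entries[-1]["hash"]

    def verify(self) -> bool:
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["seq"] != i or body["prev"] != prev or sha(json.dumps(body, sort_keys=True)) != e["hash"]:
                return False
            prev = e["hash"]
        return True

class Dispatcher:
    def __init__(self, tools, caps, allowlist, root, budget):
        # tools: name -> (effect, fn); caps: {(tool, scope)} held by this agent session
        self.tools, self.caps, self.allowlist, self.root = tools, caps, allowlist, root
        self.budget, self.calls, self.log, self.memory = budget, 0, ProvenanceLog(), {}

    def call(self, tool, resource, payload="", approved=False):
        """Returns (decision, output). Every call is logged, allowed or denied,
        and denied calls still consume budget: a retry loop of denials is the
        runaway case the budget exists for."""
        effect, fn = self.tools[tool]
        output = ""
        if self.calls >= self.budget:
            decision = "deny:budget-exhausted"
        else:
            self.calls += 1
            decision = gate(tool, effect, resource, self.caps, self.allowlist, approved)
            target = resource if effect == "network" else confine(self.root, resource)
            if decision == "allow" and target is None:
                decision = "deny:path-escapes-domain"  # capability passed, domain refused
            if decision == "allow":
                output = fn(target, payload)
        self.last_entry = self.log.record(kind="tool", tool=tool, resource=resource,
                                          payload=sha(payload), decision=decision, output=sha(output))
        return decision, output

    def commit_memory(self, key, value, derived_from) -> str:
        # A memory commit must cite the log entry of the tool call it derives from.
        if not any(e["hash"] == derived_from for e in self.log.entries):
            raise ValueError("unknown provenance")
        self.memory[key] = value
        return self.log.record(kind="memory", key=key, value=sha(value), derived_from=derived_from)

# Constructed in-memory stand-ins for the real tools; nothing touches disk or network.
FAKE_FS = {"/work/notes.txt": "meeting at 10", "/etc/passwd": "root:x:0:0"}
TOOLS = {"fs_read": ("read", lambda p, _: FAKE_FS.get(p, "")),
         "fs_write": ("write", lambda p, d: FAKE_FS.update({p: d}) or "ok"),
         "fs_delete": ("delete", lambda p, _: "ok" if FAKE_FS.pop(p, None) is not None else "missing"),
         "http_get": ("network", lambda h, _: f"<response from {h}>")}
CAPS = {("fs_read", "/work"), ("fs_write", "/work/out"), ("fs_delete", "/work/out"),
        ("http_get", "api.example.com")}

def demo() -> dict:
    d = Dispatcher(TOOLS, CAPS, allowlist={"/work/out", "api.example.com"}, root="/work", budget=7)
    out = {"read": d.call("fs_read", "/work/notes.txt")}
    out["memory"] = d.commit_memory("notes", out["read"][1], d.last_entry)
    out["traversal"] = d.call("fs_read", "/work/../etc/passwd")        # cap covers, domain refuses
    out["write"] = d.call("fs_write", "/work/out/report.txt", "done")
    out["write_outside"] = d.call("fs_write", "/work/notes.txt", "x")  # fs_write scope is /work/out
    out["delete"] = d.call("fs_delete", "/work/out/report.txt")
    out["delete_approved"] = d.call("fs_delete", "/work/out/report.txt", approved=True)
    out["http_lookalike"] = d.call("http_get", "api.example.com.evil")
    out["over_budget"] = d.call("fs_read", "/work/notes.txt")
    out["log_ok"] = d.log.verify()
    d.log.entries[2]["decision"] = "allow"  # tamper: make the traversal look approved
    out["log_tampered_ok"] = d.log.verify()
    return out
```

The traversal case is the one worth studying: the capability check passes, because `/work/../etc/passwd` lexically starts with the `/work` scope, and only the isolation domain catches it. That is why the design keeps capabilities, domain confinement and the policy gate as separate layers rather than one check. The log records denied calls as well as allowed ones, so an audit can see attempted exfiltration, and the tamper step shows that editing any entry breaks the chain from that point on.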