Security

Small trust boundary.
Explicit invariants.

Lattice is still early, but the sharp edges are concrete and understandable. The main rule is simple: keys sign ownership, and servers must enforce what the UI merely suggests.

Protocol-level guarantees

  • Name and app record updates are signature-checked.
  • Content integrity comes from hashes and signed manifests.
  • Outer signed wrappers prevent arbitrary payload injection into owned namespaces.

Privileged localhost surfaces

Anything that can sign arbitrary JSON or mutate local moderation state is privileged. Those endpoints should be localhost-only and, where possible, require signed requests bound to method and path.

Fray-specific hardening

  • Handle changes are not allowed through the normal claim endpoint.
  • Handle transfers use an explicit flow.
  • Post and comment signatures bind full context to prevent replay across frays or threads.
  • Admin request signatures bind method, path, and body.
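An added illustration of the last two points, not Lattice's or Fray's own code: context-bound signatures for posts and admin requests. It assumes Ed25519 keys and the hypothetical domain tags `fray-post-v0` and `fray-admin-v0`; the page does not state the real algorithm or message format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// canonical builds the exact bytes a signature covers: a domain tag plus every
// bound field, each length-prefixed so "ab"+"c" and "a"+"bc" cannot collide.
func canonical(domain string, fields ...string) []byte {
	msg := fmt.Sprintf("%d:%s\n", len(domain), domain)
	for _, f := range fields {
		msg += fmt.Sprintf("%d:%s\n", len(f), f)
	}
	return []byte(msg)
}

// Post signatures bind fray, thread and author, so a signature over a comment
// in one thread does not verify for the same text replayed anywhere else.
func SignPost(priv ed25519.PrivateKey, fray, thread, author, text string) []byte {
	return ed25519.Sign(priv, canonical("fray-post-v0", fray, thread, author, text))
}
func VerifyPost(pub ed25519.PublicKey, fray, thread, author, text string, sig []byte) bool {
	return ed25519.Verify(pub, canonical("fray-post-v0", fray, thread, author, text), sig)
}

// Admin signatures bind method, path and a body hash, so a captured signature
// cannot be replayed against another endpoint or with a modified body.
func adminMsg(method, path string, body []byte) []byte {
	return canonical("fray-admin-v0", method, path, fmt.Sprintf("%x", sha256.Sum256(body)))
}
func SignAdminRequest(priv ed25519.PrivateKey, method, path string, body []byte) []byte {
	return ed25519.Sign(priv, adminMsg(method, path, body))
}
func VerifyAdminRequest(pub ed25519.PublicKey, method, path string, body, sig []byte) bool {
	return ed25519.Verify(pub, adminMsg(method, path, body), sig)
}

// GenerateKeys makes a throwaway pair for the demo; a real node loads the owner's key.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

func main() {
	pub, priv := GenerateKeys()
	body := []byte(`{"reason":"spam"}`) // constructed sample body
	sig := SignAdminRequest(priv, "DELETE", "/admin/posts/42", body)
	fmt.Println("same request:", VerifyAdminRequest(pub, "DELETE", "/admin/posts/42", body, sig))
	fmt.Println("other path:  ", VerifyAdminRequest(pub, "DELETE", "/admin/posts/43", body, sig))
}
```

The server recomputes the canonical message from the request it actually received, never from fields the client claims to have signed.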

What still needs work

The biggest remaining rough edge in the product is moderation durability. Local deletions are useful, but they are not yet a durable, network-wide tombstone protocol.