0006-security.md
# SPEC-0006 — Security

Status: Draft

## Threat model

The browser is not trusted. Every client-originated frame may be malformed, replayed, delayed, reordered, oversized, or intentionally hostile.

## Requirements

Lightspeed MUST provide or require hooks for:

- session authentication
- CSRF/session binding
- origin validation
- event target validation
- payload size limits
- reconnect throttling
- transport close reasons
- rate limiting
- audit logging

## Server-side state

Application state SHOULD remain server-side. The client may receive rendered projections of state, never a privileged state snapshot, unless application code explicitly chooses otherwise.

## Patches

The server MUST NOT trust client acknowledgements without checking references.

The client MUST NOT execute arbitrary JavaScript embedded in patch instructions.

## Hooks

Client hooks are useful but dangerous. Hook APIs should distinguish:

- local DOM-only behaviour
- event push to server
- privileged transport operations

## Open questions

- Should signed event targets be mandatory?
- Should patch frames be encrypted beyond transport TLS?
- Should rate limiting live in the core or in the adapter layer?