# Security Model

- Canonical URL: https://docs.fairvisor.com/docs/reference/security-model/
- Section: docs
- Last updated: n/a
> Trust boundaries, assets, and security checklist for Fairvisor Edge.
## Trust boundaries

1. Gateway/client to Fairvisor Edge
2. Edge runtime to policy bundle source
3. Decision output to downstream services

## Primary assets

- Policy bundle integrity
- Correct allow/reject decisions
- Descriptor extraction correctness
- Shared-dict counter correctness
- Metrics/log integrity

## Threats considered

- Policy bypass via malformed header/query values
- Descriptor confusion across naming variants
- Retry synchronization storms
- Misconfiguration causing broad fail-open exposure
- Resource exhaustion in hot path

## Defensive principles

- Deterministic decisioning for equivalent inputs
- Kill switch evaluation before normal rules
- Explicit fail-open semantics only in defined paths
- No request-path network/disk I/O for decisioning
- Structured rejection metadata
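
The following is an added illustration, not Fairvisor's own code (none appears on this page), of how these principles address the descriptor-confusion and malformed-value threats listed above: naming variants fold to one canonical descriptor, conflicting or malformed values reject closed, the kill switch is checked before any rule, and fail-open applies only to one declared path. The alias table, header names and rule interface are assumptions.

```python
import re
from dataclasses import dataclass

# Hypothetical alias table: each naming variant (lower-cased, "_" folded to "-")
# resolves to one canonical descriptor, so variants cannot be read differently.
DESCRIPTOR_ALIASES = {"x-api-key": "api_key", "apikey": "api_key",
                      "x-tenant-id": "tenant", "tenant": "tenant"}
VALUE_RE = re.compile(r"[\x21-\x7e]{1,256}")  # printable ASCII, bounded length

def extract_descriptors(headers: dict[str, str]) -> dict[str, str]:
    """Fold naming variants to canonical descriptors; ValueError on malformed or conflicting values."""
    out: dict[str, str] = {}
    for raw_name, raw_value in headers.items():
        canon = DESCRIPTOR_ALIASES.get(raw_name.strip().lower().replace("_", "-"))
        if canon is None:
            continue
        value = raw_value.strip()
        if not VALUE_RE.fullmatch(value):
            raise ValueError(f"malformed:{canon}")
        if out.get(canon, value) != value:  # two variants, different values: reject, don't guess
            raise ValueError(f"conflict:{canon}")
        out[canon] = value
    return out

@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str  # structured rejection metadata, stable for logs and metrics

def decide(headers: dict[str, str], kill_switch: bool,
           rules: list,  # callables over canonical descriptors -> reject reason or None
           fail_open: bool) -> Decision:
    if kill_switch:  # evaluated before any normal rule
        return Decision(False, "kill_switch")
    try:  # malformed or ambiguous input rejects closed; it is not a fail-open path
        desc = extract_descriptors(headers)
    except ValueError as exc:
        return Decision(False, str(exc))
    # Fixed rule order over canonical descriptors: equivalent inputs, same outcome.
    for rule in rules:
        try:
            reason = rule(desc)
        except RuntimeError as exc:
            # The only defined fail-open path: a rule's own evaluation error, and only if policy allows it.
            if fail_open:
                continue
            return Decision(False, f"rule_error:{exc}")
        if reason:
            return Decision(False, reason)
    return Decision(True, "allowed")
```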

## Sensitive data handling

- Avoid logging raw credentials
- Redact/hash identifiers where feasible
- Keep JWT/claim processing minimal

## Security review checklist

- Does the change alter request context parsing?
- Does it change fail-open/fail-closed behavior?
- Does it add dynamic I/O in hot path?
- Does it affect kill-switch ordering or shadow semantics?
- Are new headers/claims normalized consistently?

