# Regulator-grade threat and evidence model

This summary captures the regulator-facing threat and evidence model for the platform without project-specific schedules or delivery notes.

## Threat model goals

- Preserve decision integrity, evidence integrity, confidentiality, and availability across online and air-gapped deployments.
- Ensure non-repudiation for approvals and decisions.
- Keep evidence replayable and deterministic.

## Evidence principles

- Integrity: content-addressed and immutable storage.
- Authenticity: signed artifacts and verified trust roots.
- Traceability: every decision links to all of its inputs and transformations.
- Reproducibility: decisions are replayable with frozen inputs.
- Confidentiality: redaction profiles and scoped access.
- Known unknowns are captured explicitly rather than silently dropped.

## Evidence taxonomy (high level)

- Input artifacts: SBOM, VEX, provenance, scan outputs.
- Normalization artifacts: identity resolution and mapping logs.
- Analysis artifacts: reachability, diffs, scoring traces.
- Governance artifacts: policies, approvals, exceptions.
- Decision artifacts: verdicts, explanations, signatures.

## Controls and audit expectations

- Strong authentication and scoped tokens for ingestion and admin flows.
- Signed manifests and optional transparency anchors.
- Rate limiting and payload size guards on ingestion endpoints to resist denial of service.
- Least privilege and separation of duties for policy changes.
- Audit packages carry artifact hashes, signatures, and policy versions.

## Offline and export

- Offline bundles carry signed manifests and dataset snapshots.
- Exports include redaction profiles and integrity metadata.

## Related references

- docs/28_LEGAL_COMPLIANCE.md
- docs/security-and-governance.md
- docs2/architecture/evidence-and-trust.md
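The evidence principles (content addressing, signed artifacts, a pinned trust root, deterministic manifests) and the offline bundle described above fit together in one small verifier. The following is an added example written for this page, not the project's own code: the manifest schema name `evidence-bundle/1`, the function names, the bundle layout, and the CycloneDX-style sample artifacts are assumptions chosen for illustration. It builds a bundle from artifacts, stores each under its SHA-256 address, signs the canonical manifest with Ed25519, and then verifies authenticity before integrity so that a tampered artifact, an unlisted artifact, an edited manifest, or a signature under the wrong root are all rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Entry binds a logical artifact name to its content address.
type Entry struct {
	Name   string `json:"name"`
	SHA256 string `json:"sha256"`
}

// Manifest describes an offline bundle. It carries no timestamps or random
// identifiers, so identical inputs always produce identical bytes; that is
// what makes a decision replayable from a frozen bundle.
type Manifest struct {
	Schema        string  `json:"schema"` // assumed schema name, not the project's
	PolicyVersion string  `json:"policy_version"`
	Entries       []Entry `json:"entries"`
}

// Bundle is what an air-gapped verifier receives: a content-addressed store,
// the canonical manifest bytes and a detached signature over them.
type Bundle struct {
	Manifest  []byte
	Signature []byte
	Store     map[string][]byte // digest -> content (immutable by construction)
}

// Digest returns the hex SHA-256 content address of b.
func Digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildBundle stores each artifact under its digest, lists it in a manifest
// sorted by name (so field order and entry order are both fixed), and signs
// the canonical manifest bytes. Ed25519 is deterministic, so the signature
// is reproducible as well.
func BuildBundle(artifacts map[string][]byte, policyVersion string, priv ed25519.PrivateKey) (Bundle, error) {
	m := Manifest{Schema: "evidence-bundle/1", PolicyVersion: policyVersion}
	store := make(map[string][]byte, len(artifacts))
	for name, content := range artifacts {
		d := Digest(content)
		store[d] = append([]byte(nil), content...)
		m.Entries = append(m.Entries, Entry{Name: name, SHA256: d})
	}
	sort.Slice(m.Entries, func(i, j int) bool { return m.Entries[i].Name < m.Entries[j].Name })
	canon, err := json.Marshal(m)
	if err != nil {
		return Bundle{}, err
	}
	return Bundle{Manifest: canon, Signature: ed25519.Sign(priv, canon), Store: store}, nil
}

// VerifyBundle checks authenticity first (signature under the pinned trust
// root), then integrity: every listed artifact is present and matches its
// address, and the store holds nothing the manifest does not list. Any
// failure is fatal; a partially trusted bundle is not usable as evidence.
func VerifyBundle(b Bundle, root ed25519.PublicKey) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(root, b.Manifest, b.Signature) {
		return m, errors.New("manifest signature does not verify under trust root")
	}
	if err := json.Unmarshal(b.Manifest, &m); err != nil {
		return m, err
	}
	if m.Schema != "evidence-bundle/1" {
		return m, fmt.Errorf("unsupported manifest schema %q", m.Schema)
	}
	listed := make(map[string]bool, len(m.Entries))
	for _, e := range m.Entries {
		content, ok := b.Store[e.SHA256]
		if !ok {
			return m, fmt.Errorf("%s: artifact %s missing from store", e.Name, e.SHA256)
		}
		if Digest(content) != e.SHA256 {
			return m, fmt.Errorf("%s: content does not match its address", e.Name)
		}
		listed[e.SHA256] = true
	}
	for d := range b.Store {
		if !listed[d] {
			return m, fmt.Errorf("unlisted artifact %s present in store", d)
		}
	}
	return m, nil
}

func main() {
	// A freshly generated key stands in for the pinned trust root.
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample artifacts, not real project data.
	artifacts := map[string][]byte{
		"sbom.cdx.json": []byte(`{"bomFormat":"CycloneDX","components":[]}`),
		"vex.json":      []byte(`{"statements":[]}`),
	}
	b, err := BuildBundle(artifacts, "policy-v3", rootPriv)
	if err != nil {
		panic(err)
	}
	if _, err := VerifyBundle(b, rootPub); err != nil {
		panic(err)
	}
	fmt.Println("bundle verified; manifest digest:", Digest(b.Manifest))
	// Tampering with a stored artifact breaks its content address.
	for d := range b.Store {
		b.Store[d] = append(b.Store[d], '\n')
		break
	}
	_, err = VerifyBundle(b, rootPub)
	fmt.Println("after tampering:", err)
}
```

The digest of the canonical manifest bytes (printed by `main`) is the natural value to record in an external transparency log when the optional transparency anchor is used; the verifier then only has to compare one hash. Redaction is deliberately not shown here: a redacted export would be a second bundle whose manifest lists the redacted artifacts under their own addresses, signed the same way.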