# Threat model + public launch prep

**Agent 5 of 9-agent wave, 2026-05-05.**

## Deliverable

Threat model written to `docs/THREAT-MODEL.md` (1492 words). Slots into `docs/ROADMAP.md` v0.7 line item "Threat model published — honest scope".

## Structure

1. **In-scope adversaries** (9 rows): lost laptop, browser RCE, USB attacks, SSH brute-force, forensics, supply chain, LPE, network surface, time MITM. Each maps to specific veilor mitigation (LUKS2 argon2id mem=1GB, SELinux + `veilor-systemd` policy, USBGuard, fail2ban+firewalld, auditd, NTS chrony, etc.).
2. **Out-of-scope adversaries** (9 rows): firmware implants, evil-maid on running system, hardware keylogger, session-level RCE (KDE not sandboxed), AES side-channels, TPM2 physical attacks, traffic correlation, TOFU MITM, sustained physical access. Each row points to right tool instead (Heads, Qubes, Tails).
3. **Hardening tradeoffs** (6 honest costs):
   - SELinux app-compat
   - Slow LUKS boot
   - USBGuard friction
   - Module lockdown breaking NVIDIA prop / VBox
   - Drop-zone breaking KDE Connect / mDNS
   - No PackageKit
4. **Like Tails/Whonix/Qubes:** published threat model, default-deny firewall, encrypted at rest.
5. **Differs from them:** daily-driver vs session-only; single-VM vs Qubes compartmentalisation; persistent identity vs Tails amnesia.
6. **Comparison matrix:** 10-axis × 6-distro grid (veilor-os / stock Fedora KDE / Kicksecure / Tails / Qubes / secureblue) covering encryption, MAC, firewall, USB, per-app isolation, anonymity, daily-driver fit, signed releases, threat-model publication, hardware compat.
7. **v0.7 launch checklist** (9 items):
   - Threat model finalised
   - GPG signing (v0.4 dep)
   - mkdocs-material on veilor.org
   - Comparison + benchmarks
   - Press kit
   - "What veilor-os is not" preempt page (covers "why not Qubes/Tails/Fedora?")
   - r/linux + r/Fedora + HN posts
   - GitHub Release with ISO+sha256+.asc
   - Repo flip-public + DNS + Mastodon/Matrix/SimpleX announce

## Tone

Matches repo voice — short paragraphs, no fluff, "honest scope" framing reused from roadmap. No emojis (per CLAUDE.md style).

## See also

- `docs/THREAT-MODEL.md` (full document)
- `docs/ROADMAP.md` v0.7 section