Skip to main content
Flomisma

Documentation · Security

Threat model

Flomisma is infrastructure software. This model covers trust components — not payment processors. See also security hardening.

Relay

Assets
In-transit frames, API keys, room membership
Threats
Key leakage, room hijack, quota DoS, malicious large payloads
Controls
HMAC keys with rotation grace slot; hard session caps; zero disk for payloads; TLS; rate limits
Residual risk
In-memory rooms lost on restart; operators must reconnect clients

Obligation ledger

Assets
Contract metadata, proof digests, webhook delivery logs
Threats
Replay of settle instructions, tenant cross-talk, forged webhooks
Controls
Idempotency-Key; tenant-scoped keys; signed webhooks; audit hashes; no fund custody
Residual risk
Licensee must validate events before moving money on their rails

Credential vault

Assets
Encrypted secrets (not cash), DEK/KEK material, access logs
Threats
KEK compromise, memory dump of DEK cache, frequency analysis on blind index
Controls
AES-256-GCM; HKDF per-tenant DEK; hash-chained access log; anomaly rate limits; shred via kv
Residual risk
Prefer customer-managed KEK / HSM for Enterprise; document scrypt params

Public verifier

Assets
pipelineRootHash, stage chain, public reputation
Threats
Enumeration of contractIds, phishing fake verifier UIs, stale proofs
Controls
Read-only public API; hash-based lookup; no PII in stage digests; official flomisma.com host
Residual risk
Share root hashes carefully; prefer expiring share links (Enterprise)
Threat model · Flomisma