# Security Model

## What ZDrive cannot see

| Data                | Reason                                                               |
| ------------------- | -------------------------------------------------------------------- |
| Plaintext inputs    | AES-256-GCM encrypted in browser before transmission                 |
| Plaintext outputs   | TEE-enforced hardware isolation; operator cannot read enclave memory |
| Vault contents      | Encrypted client-side; worker only receives ciphertext               |
| Your encryption key | Derived from wallet signature; never leaves browser context          |
| Inference semantics | TEE operator cannot inspect model inputs/outputs at hardware level   |

## What ZDrive can see

| Data                             | Notes                                            |
| -------------------------------- | ------------------------------------------------ |
| Wallet address                   | Public by design                                 |
| Query frequency and model choice | Request metadata for billing and abuse detection |
| Credit balance                   | On-chain, visible to anyone                      |
| Arweave TX IDs                   | Immutable upload receipts                        |
| Encrypted ciphertext             | Useless without the decryption key               |
| IP address / ASN                 | Used for datacenter blocking; not persisted      |

> If you use the same wallet across sessions, your query pattern is linkable on-chain. For correlation resistance, use a dedicated wallet or Tor.

## Trust boundaries

```mermaid
graph TD
    subgraph "You control"
        KEY["Encryption key\n(wallet-derived)"]
        WALLET["Wallet private key"]
        ARWEAVETX["Arweave TX ID\n(retrieve from any gateway)"]
    end

    subgraph "Verified on-chain"
        CREDITS["Credit balance\n(Base contract)"]
        ATT["TEE attestation\n(TDX quote + model hash)"]
    end

    subgraph "Trust: Chutes.ai hardware"
        TEE["Intel TDX isolation\n(hardware-enforced)"]
    end

    subgraph "Trust: Arweave network"
        PERM["Data permanence\n(consensus-backed)"]
    end

    subgraph "Trust: ZDrive operator"
        ROUTING["Request routing\ncorrectness"]
        IRYSSIGN["Irys DataItem signing\n(operator key)"]
    end

    KEY --> ATT
    WALLET --> KEY
    CREDITS --> TEE
    TEE --> PERM
```

## Threat model

**Compromised CF Worker:** An attacker with worker access can see request metadata (wallet address, timestamps, model choice) and cause denial of service. They cannot decrypt vault contents (no key), cannot read inference inputs/outputs (TEE isolation), and cannot forge credits (on-chain). Impact: metadata leak, service disruption.

**Compromised Chutes.ai TEE provider:** A global TEE provider compromise (e.g., stolen Intel key material) could allow an attacker to create fake attestations. This would affect all TEE customers globally, not just ZDrive. Mitigated by: multiple attestation nonces per request, on-chain attestation records for audit.

**Compromised Irys/Arweave upload path:** An attacker who intercepts the Irys upload sees ciphertext only. They cannot modify the DataItem without invalidating the operator signature, and they cannot decrypt the contents. Worst case: the upload fails or is delayed, and the user retries.

**Wallet private key stolen:** If your wallet key is compromised, an attacker can derive your encryption key (and decrypt your vault), sign new auth sessions, and spend your credits. This is equivalent to losing your password with no recovery mechanism — protect your wallet key accordingly.

**Session token replay:** An attacker who intercepts a session token + wallet signature can replay it within the session window. The UUID binding limits this to the current session only. Mitigation: use HTTPS (enforced), rotate sessions regularly, use a hardware wallet.

## What is not guaranteed

* Worker operator honesty about log retention policies
* Uptime or availability of free tiers
* Correctness of inference outputs (a TEE guarantees isolation, not accuracy)
* Future contract upgrades (UUPS proxy means the contract logic can change — monitor upgrade events on-chain)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.zdrive.io/security/model.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
