Security
The threat model and the mechanisms that defend against it. Read the threat model first — the other pages are the moving parts that implement it.
Pages
| Page | What it covers |
|---|---|
| Threat model | Who we defend against, what guarantees we make, what is explicitly out of scope |
| Host-key trust | The plugin’s own known-hosts store (separate from ~/.ssh/known_hosts), the trust dialog, and host-key rotation |
| Token handling | The 32-byte daemon session token: generation, on-disk lifecycle, what happens on a leak |
| Cosign verify | Sigstore keyless verification of the daemon binary you downloaded — what the workflow signs, how to check it |
Reading order
- Threat model — every other page assumes you’ve read this.
- Host-key trust — the most user-facing part of the security surface.
- Token handling + Cosign verify — operator-facing details that complete the picture.
See also
- API → Authentication — the wire-level auth handshake (uses the token from Token handling)
- Release pipeline — how the daemon binary gets signed in CI
- Privacy & data handling — adjacent topic; what data flows where, separate from “what the system defends against”
Reporting a vulnerability
GitHub Security Advisories: obsidian-remote-ssh/security/advisories/new. Coordinated disclosure preferred.