Skip to content

[codex] add system workflow diagrams#265

Open
anupsv wants to merge 2 commits into
masterfrom
codex/system-workflows
Open

[codex] add system workflow diagrams#265
anupsv wants to merge 2 commits into
masterfrom
codex/system-workflows

Conversation

@anupsv

@anupsv anupsv commented Jun 1, 2026
edited by blacksmith-sh Bot
Loading

Copy link
Copy Markdown
Contributor

Summary

  • Add docs/system-workflows.md with Mermaid flows for MDM enrollment, provider trust upgrade, ACME trust, provider auth tokens, key binding, inference encryption, and sender-to-coordinator sealing.
  • Link the new workflow reference from docs/ARCHITECTURE.md.

Validation

  • Verified the workflows against coordinator and Swift provider code paths.
  • Checked Mermaid fence balance manually.
  • Not run: code tests (docs-only).

View with Codesmith Autofix with Codesmith
Need help on this PR? Tag @codesmith with what you need. Autofix is disabled.

@vercel

vercel Bot commented Jun 1, 2026
edited
Loading

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
d-inference Ready Ready Preview Jun 5, 2026 4:26pm
d-inference-console-ui-dev Ready Ready Preview Jun 5, 2026 4:26pm
d-inference-landing Ready Ready Preview Jun 5, 2026 4:26pm

Request Review

@anupsv anupsv force-pushed the codex/system-workflows branch from e7d752a to 5e9fb96 Compare June 2, 2026 19:41
@github-actions

github-actions Bot commented Jun 2, 2026
edited
Loading

Copy link
Copy Markdown

No security-relevant code was changed in this PR — both modified files are documentation only.

Neither docs/ARCHITECTURE.md nor docs/system-workflows.md appears in any affected_files list in the threat model, and neither file introduces executable code, configuration, or data-handling logic.

One concern worth a quick check: documentation that describes trust boundaries, authentication flows, or internal API shapes can itself become a security liability if it is more detailed or more accurate than what an adversary could learn by probing the live system. Before merging, confirm that neither document:

  • Exposes non-public internal endpoint paths, secret naming conventions, or key material formats beyond what is already public.
  • Describes bypass conditions, known weaknesses, or open findings (e.g. the SEC-0xx series) in a way that provides a meaningful "attack recipe" to an external reader with no prior access.

If the documents are intended to be public-facing (e.g. linked from a README or hosted on a docs site), the threat model's affected_files lists for TB-001 through TB-009 should be reviewed to determine whether the newly documented workflows reveal attack surface that warrants adding these files as covered paths — particularly if system-workflows.md describes the attestation chain (TB-005, TB-009), device auth (TB-006), or the coordinator→provider WebSocket flow (TB-002).

No existing threats are weakened, strengthened, or resolved by this PR. No SEC-* findings are closed.

🔐 Threat model: docs/threat-model.yaml · Updates on each push to this PR

@anupsv anupsv marked this pull request as ready for review June 5, 2026 16:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@anupsv