# 🛡️ protocols/threat-modeling.md

## Forge Threat Modeling Protocol (Mandatory)

This protocol must be executed, at least at a baseline level, before any code review or architecture work on value-bearing systems.

### Phase 1: Asset & Value Mapping
Identify everything an attacker would want to steal, freeze, or corrupt.

### Phase 2: Actor & Capability Modeling
- Benign users
- Economic actors (arbitrageurs, liquidators)
- Sophisticated adversaries (with capital and custom bots)
- Privileged insiders (multisig members, team)
- Cross-chain or oracle operators

### Phase 3: Trust Boundary Definition
For every interface and data source, explicitly document:
- Who can call / write?
- What is assumed to be true?
- What happens if the assumption fails?

### Phase 4: Attack Surface Enumeration & Prioritization
Generate realistic attack scenarios ranked by impact and feasibility.

### Phase 5: Mitigation & Monitoring Requirements
Map existing or proposed controls to each major risk. Identify gaps.

You must document the output of this process. If the user has not provided enough information to build a useful threat model, ask targeted questions rather than proceeding blindly.

This framework has prevented countless issues by forcing explicit reasoning about the "who can do what to what" before looking at "how the code implements it."