Fix inaccurate claims in SECURITY.md and THREAT_MODEL.md

jarrodwatts · claude · jarrodwatts · commit 348b736e4f5e · 2026-03-23T17:33:23.000+11:00
- SECURITY.md: replace "policy-registry preflight checks" with accurate
  description (execution-time validation). Remove stale SECURITY_EXCEPTIONS
  section (file was deleted).
- THREAT_MODEL.md: replace "on-chain state validation" with accurate
  description (Privy server-side enforcement).

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/SECURITY.md b/SECURITY.md
@@ -13,20 +13,8 @@ The AGW platform executes wallet actions via delegated session keys and companio
 - No secret or session material in logs. All logging goes to stderr only.
 - Clear separation between read-only and state-changing command behaviors.
 - Companion callback payloads are signed and verified before local session materialization.
-- Mainnet write paths pass policy-registry preflight checks before execution.
+- Write operations are validated against session policy at execution time.
 
 ## Reporting
 
 Please report vulnerabilities privately to the Abstract security channel before public disclosure.
-
-## Dependency Exceptions
-
-Some upstream transitive vulnerabilities may remain when no patched version exists yet. These are tracked in
-`SECURITY_EXCEPTIONS.md` with:
-
-- package/advisory details
-- impact assessment and scope
-- explicit acceptance rationale
-- review cadence and exit criteria
-
-As of February 23, 2026, no high/critical dependency exceptions are permitted for release.
diff --git a/THREAT_MODEL.md b/THREAT_MODEL.md
@@ -14,4 +14,4 @@
 | Over-broad policies allowing unsafe agent actions | Default-deny policy validation. Policy templates with explicit target, selector, and value limits. |
 | Prompt injection causing unintended state-changing calls | Structured input validation on all command handlers. Risky commands require explicit `execute: true` confirmation. |
 | Misleading tool responses that hide execution risk | Explicit risk/impact labeling on `preview_transaction`. Preview-by-default on `send_transaction`. |
-| Stale session used after revocation/expiry | Session status checked before every write call. On-chain state validation via `get_session_status`. |
+| Stale session used after revocation/expiry | Session status checked before every write call. Expiry enforced server-side by Privy policy rules. |
