From 2d82c75f0b3eca5aff8f7dfd77554d5d61551625 Mon Sep 17 00:00:00 2001 From: Ilia Denisov Date: Wed, 3 Jun 2026 19:51:58 +0200 Subject: [PATCH] =?UTF-8?q?Stage=208:=20document=20the=20friend-code=20bru?= =?UTF-8?q?te-force=20mitigation=20(ARCHITECTURE=20=C2=A712)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/ARCHITECTURE.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/ARCHITECTURE.md b/docs/ARCHITECTURE.md index e9998c5..6152aaf 100644 --- a/docs/ARCHITECTURE.md +++ b/docs/ARCHITECTURE.md @@ -423,6 +423,15 @@ This is an explicit, accepted MVP risk: compromise of the gateway↔backend network segment defeats backend authentication. Mitigated by network isolation; mutual auth is a future hardening step. +**Short numeric codes** (email confirm-codes and Stage 8 friend codes) are stored +only as SHA-256 hashes and are short-lived and single-use. The unauthenticated +email path carries a tight per-IP sub-limit (5 / 10 min); the **friend-code redeem** +is authenticated, so it rides the per-user limit (120 / min) and is further bounded +by the code's 12 h TTL, single use, and **one live code per issuer** (which caps the +valid-code population). Brute-forcing a 6-digit friend code within these limits is an +accepted MVP risk with low blast radius (an unwanted friendship is removable/blockable); +a dedicated redeem sub-limit or a longer code is the hardening step if abuse appears. + ## 13. Deployment (informational) Single public origin, path-routed: the UI, the gateway public surface and the
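Review bot: the new paragraph in docs/ARCHITECTURE.md should state the attempt budget it is accepting rather than leave it implicit: at the per-user limit of 120 / min over a code's 12 h TTL, one authenticated account can submit 120 × 60 × 12 = 86,400 redeem attempts, i.e. roughly 8.6 % of the 6-digit space per code lifetime, and the "one live code per issuer" cap bounds the codes per issuer, not the total number of live codes across all issuers, which is what a blind guess actually hits. Suggest rewording "which caps the valid-code population" to make that distinction explicit and adding the 86,400 figure so the risk acceptance is reviewable. The closing sentence defers hardening until "abuse appears" but the section names no signal by which abuse would be noticed; add one line on the detection side (e.g. failed-redeem counts per user surfaced as a metric or alert), since the risk acceptance depends on it. Finally, "stored only as SHA-256 hashes" gives little protection for a 6-digit value, since the full space can be hashed in a million operations if the store leaks; either note that the hash is a defence against casual exposure only, or state that a server-side keyed hash (HMAC with a secret not stored beside the codes) is used.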