> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cloak.ag/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

> Trust boundaries and security controls implemented in Cloak runtime surfaces

This page covers runtime trust boundaries for integrators. For the user-facing security
story — audit status, threat model, and what Cloak cannot do — see [Security](/guide/security).

## Trust boundaries

* **Program**: verifies proofs, enforces nullifier uniqueness, validates roots, and applies transfer invariants.
* **Client SDK**: derives keys, builds witness/proof inputs, and enforces registration paths by default.

## Key controls

* Viewing-key registration uses one-time nonce challenge + Ed25519 signature.
* Identifier canonicalization prevents mismatched key mapping.

## On-chain protections

* Root membership checks against ring-buffered root history.
* Nullifier PDA checks prevent double spend.
* Mint-scoped PDA checks for pool/treasury/merkle isolation.
* Swap state timeout + close paths for stuck settlement handling.

## Compliance and privacy posture

* Chain-note scanner flow is chain-native — history is reconstructed directly from on-chain data using the viewing key.
* Registered viewing keys enable compliance export for authorized admin paths.
* Client apps should never log raw keys, seed material, or decrypted note payloads.
* Transaction signatures are public, but only log them when needed for support/debugging.

## Recommended operational practice

* Rotate admin credentials and encryption keys under change control.
* Monitor swap timeout/close frequency and root-staleness retries.
