This file is read by automated agents (security scanners, code analyzers, AI assistants) operating on this repository. It points them at the human-authored references they should consult before producing output.
Security model: SECURITY.md -> THREAT_MODEL.md
Agents that scan this repository should consult SECURITY.md and the linked THREAT_MODEL.md before reporting issues. Fediz is a WS-Federation / SAML-SSO system: the security pivot is SAML token validation at the Relying-Party plugin (signature against a trusted IdP cert, audience/wtrealm, Conditions/timestamps, replay, anti-signature-wrapping) and token issuance at the IdP (reply-URL allow-listing, login CSRF/throttling). The token travels through the untrusted browser, so most properties are about validating it.