Description
Many institutional pilots rely on TEEs for confidentiality or key management, but the assumptions and failure modes are rarely spelled out clearly. We should capture the main TEE-based patterns we see and make their trade-offs explicit.
Proposed scope:
- Identify common TEE patterns in institutional designs (for example: TEE-based matching engine, TEE relayer, TEE key manager, TEE price oracle, TEE bridge guardian).
- For each pattern, document:
  - What the TEE is protecting.
  - Who needs to be trusted (hardware vendor, cloud provider, operator, physical security).
  - Main attack and failure modes (supply-chain, firmware, side channels, rollback, censorship, key exfiltration).
- Write at least one pattern card that uses a TEE and clearly calls out when TEEs are acceptable, when they are a temporary crutch, and what an eventual non-TEE upgrade path could look like.