Our current threat model requires the database acting properly, and not changing data beneath us.

We rely on database joins to compute ACLs. This means a malicious database could mis-compute those joins, and return a list of secrets a client shouldn't have access to.

While the database can't directly steal secrets (they're encrypted), we shouldn't rely on its correct behaviour.

We should explore signing database objects, and verifying those signatures on every retrieval.

👍

🎉