From 6adde912089b186906fdd3dee9f66d54eabe4649 Mon Sep 17 00:00:00 2001 From: ddidderr Date: Thu, 21 May 2026 21:23:01 +0200 Subject: [PATCH] docs: document relay trust boundary The plan explicitly calls out that the MVP relay sees plaintext Ethernet frames because it terminates QUIC for every peer connection. Document that boundary in the README so operators and future security work do not infer end-to-end payload privacy from QUIC alone. Also state the intended future direction: room-key payload encryption should keep the relay routing header visible while encrypting Ethernet payload bytes between clients and the LAN gateway. Test Plan: - git diff --check Refs: PLAN.md --- README.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/README.md b/README.md index 3986cf9..dcf22df 100644 --- a/README.md +++ b/README.md @@ -123,6 +123,18 @@ When a peer joins or leaves, the relay sends a reliable lifecycle control event to peers that are still present in the room. Newly joined peers also receive `PeerJoined` events for peers that were already present. +### MVP Trust Model + +The MVP relay terminates QUIC for every client and gateway connection. QUIC +protects traffic on the public network path, but the relay process sees +plaintext Ethernet frames while forwarding them between peers in a room. That is +acceptable for the first LAN-party proof, where the relay is an operator-trusted +component, but it is not end-to-end encrypted. + +Future room-key payload encryption should keep the relay-visible routing header +small and leave only Ethernet payload bytes encrypted end-to-end between clients +and the LAN gateway. + ## Gateway ```bash
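Review bot: the new "MVP Trust Model" section (the `+` lines after the `PeerJoined` context) describes only the confidentiality gap and not the matching integrity one; since the relay terminates QUIC and forwards plaintext frames, anyone controlling the relay process can also alter or inject Ethernet frames, so I would add a sentence stating that frames are not end-to-end authenticated either, and phrase the future direction as authenticated encryption of the payload rather than encryption alone. The last paragraph also reads ambiguously: "leave only Ethernet payload bytes encrypted end-to-end" can be parsed as a limitation rather than a design goal; the commit message's wording ("keep the relay routing header visible while encrypting Ethernet payload bytes between clients and the LAN gateway") is clearer, e.g. "Future room-key payload encryption should keep the relay-visible routing header small and encrypt the Ethernet payload bytes end-to-end between clients and the LAN gateway." Finally, "operator-trusted component" deserves one clarifying clause for operators, such as that the relay host and anyone with access to it are inside the trust boundary for all LAN traffic in a room, which is the practical consequence the commit message says this section exists to prevent readers from missing.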