Security from simplicity
Most software-security disasters aren't sophisticated. They're the predictable consequence of having a lot of surface to defend. Every centralised app has the same shopping list: a public endpoint, a multi-tenant database, a session store, a password column, and an admin panel. Each one is something a well-meaning engineering team has to harden, monitor, and respond to. Each one has its own canonical attack class. Each one has produced major breaches.
The Wish architecture removes most of these by removing the thing that needs defending in the first place.
What disappears
Public endpoint. There isn't one. Your app code runs on the user's device, not on a server with port 443 facing the open internet. The entire OWASP Top Ten, in its public-API form, simply doesn't apply: no SQL injection target, no rate-limit-evasion vector, no DDoS surface, no exposed admin route.
Multi-tenant database. There isn't one. Each user's data lives on each user's device. The class of breach where one tenant's query accidentally returns another tenant's rows — the most common kind of "data leak between customers" — has no model in Wish.
Password store. There isn't one. Identity is an Ed25519 keypair the user holds. There is no column anywhere with hashed passwords for someone to dump.
Session store. There isn't one. Authentication is "did this message arrive signed by the right key," verified on the spot, not "is this token still in Redis." Session hijacking, fixation, and replay don't apply.
Admin panel. There isn't one to compromise. The Wish Dashboard runs on the user's own device, accessible only over a local Unix socket. A SolarWinds-style supply-chain attack against your admin tooling can't reach into other users' data because there is no central tool to compromise.
What's left
These don't go away. Naming them honestly:
- Sync poisoning — a peer you've trusted sends you a maliciously crafted document. The signature checks pass; the content is hostile. Same shape as any user-input validation problem.
- Key compromise — if someone steals an identity key, they are that identity until rotation. The mitigation is multi-signer identities, so revoking a stolen key doesn't lose the identity.
- Endpoint compromise — if the user's device is compromised, all bets are off. This is true everywhere.
- Social engineering — Wish makes phishing harder (identities are cryptographic, not strings) but doesn't make people impossible to fool.
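The sync-poisoning item above, as an added example that is not part of the Wish documentation or code base: a validator a receiving app could run on a synced document after the signature check has already passed. The JSON note schema, the limits and the function names are assumptions, and the Ed25519 verification itself is left to the caller.

```python
import json

# Assumed schema and limits for a synced "note" document (hypothetical;
# the page does not show Wish's real document format).
MAX_BYTES = 64 * 1024
FIELDS = {"id": 64, "title": 200, "body": 32_000}  # string field -> max chars
MAX_TAGS, MAX_TAG_LEN = 32, 40


class Rejected(ValueError):
    """A synced document failed a trust or content check."""


def _no_duplicate_keys(pairs):
    # json.loads silently keeps the last duplicate key; refuse instead.
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        raise Rejected("duplicate key")
    return dict(pairs)


def accept_synced_document(raw: bytes, signature_ok: bool) -> dict:
    """Return the parsed document, or raise Rejected.

    signature_ok is the result of the caller's Ed25519 check (not shown).
    """
    if not signature_ok:
        raise Rejected("bad signature")
    # Everything below runs even though the peer is trusted and the
    # signature is valid: authenticity says who sent it, not that it is safe.
    if len(raw) > MAX_BYTES:
        raise Rejected("document too large")
    try:
        doc = json.loads(raw.decode("utf-8"), object_pairs_hook=_no_duplicate_keys)
    except (UnicodeDecodeError, json.JSONDecodeError, RecursionError) as exc:
        raise Rejected(f"unparseable: {type(exc).__name__}") from exc
    if not isinstance(doc, dict):
        raise Rejected("top level must be an object")
    if set(doc) != set(FIELDS) | {"tags"}:
        raise Rejected("unexpected or missing fields")
    for name, limit in FIELDS.items():
        if not isinstance(doc[name], str) or len(doc[name]) > limit:
            raise Rejected(f"bad field: {name}")
    tags = doc["tags"]
    if not isinstance(tags, list) or len(tags) > MAX_TAGS:
        raise Rejected("bad field: tags")
    if not all(isinstance(t, str) and len(t) <= MAX_TAG_LEN for t in tags):
        raise Rejected("bad tag")
    return doc
```

Rejecting unknown fields and duplicate keys outright, rather than ignoring them, keeps two peers from interpreting the same signed bytes differently.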
The bet isn't "security is solved." The bet is that an architecture with a tenth the attack surface produces apps with a fraction of the breach reports. The hard problems that remain are bounded, well-known, and don't have a billion users' data behind them when something goes wrong.