# Threat model — trust boundaries in a Laurel build

Laurel is a static site generator. Everything inside this document is about **what runs at build time** on the operator's machine (or in CI) and **what ends up in the static HTML/CSS/JS** that visitors see. There is no Laurel process at request time — see [hosting.md](./hosting.md) for the headers the host has to set on top of what Laurel emits.

This document exists because Laurel deliberately consumes three different kinds of input — Markdown content, a Ghost theme, and `laurel.toml` config — and the trust each one carries is wildly different. A blog operator who accepts outside contributions to `content/` is not necessarily extending the same trust to whoever wrote the theme, and the threat surface differs accordingly.

If you maintain a Laurel site and merge PRs from people other than yourself, read this end-to-end. Most issues here boil down to "review the diff" — but you have to know which lines in the diff matter.

## Trust levels

| Surface | Default trust | Effect if abused | Mitigation surface |
| -------------------- | --------------------- | ------------------------------------------------------------------------ | --------------------------------------------------------------- |
| `content/**/*.md` body | Untrusted by default | Markdown is sanitized; raw HTML stripped unless `unsafe_html: true` set per post | Markdown sanitizer + per-post `unsafe_html` opt-in |
| `content/**/*.md` frontmatter | Semi-trusted | Most fields land in `` / `