Document threat model and privilege boundaries #27

Description

@Pectics

Context

Roadmap item imported from PLAN_REQUEST.md and PLAN_RESPONSE.md for v1.0.0 — Stabilization.

Upstream references

Upstream decision

  • Ported
  • Reimplemented
  • Deferred
  • Rejected

Reason: Reimplemented as Mihoto documentation for service, TUN, controller, and secret boundaries.

Scope

  • Document assets, attackers, unsafe overrides, user/system boundaries, secret storage, redaction, rollback, and recovery.
  • Cover local user, LAN, compromised subscription, and failed TUN scenarios.

Acceptance criteria

  • The scope above is implemented or documented in issue-linked PRs.
  • Relevant upstream references are reviewed before implementation starts.
  • Tests are added, or the PR explicitly explains why this is documentation-only.
  • Documentation is updated, or the PR explicitly explains why no docs changed.
  • Migration impact, security impact, and rollback behavior are evaluated.

Out of scope

  • Work explicitly listed outside v1.0 in the roadmap remains deferred unless this issue is in v1.1+ — Post-v1 Backlog.
  • No GitHub Project board, branch protection change, local commit, or repository file edit is part of this import pass.

Dependencies

Security and rollback considerations

Apply Mihoto's safety rule for this issue: updates, migrations, service changes, TUN/DNS changes, and credential handling must be explicit, validated, auditable, and recoverable. Secrets and subscription URLs must be redacted from logs and issue artifacts.

Metadata

Assignees

No one assigned

    Labels

    • area/security: Permissions, secrets, controller exposure, hardening, and audits.
    • area/service: Service backends, systemd units, deployment scope, and migration.
    • area/tun: TUN mode, capability checks, routing preflight, and recovery.
    • priority/P1-v1: Required for the v1.0 roadmap.
    • type/docs: Documentation, guides, tracking, or decision records.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests