diff --git a/SECURITY.md b/SECURITY.md
index c905acca..b966cdab 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -92,7 +92,7 @@ This framework includes several built-in security features:
## Documented security deviations (accepted risks)
-The product intentionally departs from stricter baselines in a few places. Each item below is **accepted** with compensating measures and a **review cadence**. Expanded register entries (BSI / ISMS-style fields, operator summaries, and withdrawal paths) live in **[docs/agenstra/security/accepted-risks.md](./docs/agenstra/security/accepted-risks.md)**. Additional threat context and backlog items may appear in [`thread-analysis.md`](./thread-analysis.md) (internal analysis note).
+The product intentionally departs from stricter baselines in a few places. Each item below is **accepted** with compensating measures and a **review cadence**. Expanded register entries (BSI / ISMS-style fields, operator summaries, and withdrawal paths) live in **[docs/agenstra/security/accepted-risks.md](./docs/agenstra/security/accepted-risks.md)**. CRA-oriented **threat modeling** and **risk profiling** (per-service, probability × impact) are in **[docs/agenstra/security/threat-model.md](./docs/agenstra/security/threat-model.md)** and **[docs/agenstra/security/risk-profile.md](./docs/agenstra/security/risk-profile.md)**.
| ID | Area | What we accept | Mitigations (short) | Next review |
| ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------- |
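Review bot: the rewritten paragraph silently drops the pointer to `thread-analysis.md` (the "internal analysis note") while adding the threat-model and risk-profile links. If that file still exists in the repository, either keep the link or say where its threat context and backlog items now live (presumably the new threat model); if the file was removed, the deletion should be part of this change so the two stay in sync.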
@@ -127,7 +127,9 @@ Details: **[Software Bill of Materials (SBOM)](./docs/agenstra/security/vulnerab
### Documentation
- [Project overview and docs](./docs/agenstra/README.md) - Architecture, deployment, and setup
-- [Security documentation](./docs/agenstra/security/README.md) - CRA- and BSI-oriented transparency, accepted-risk register, hardening, SBOM, disclosure, and CI scanning (Trivy)
+- [Security documentation](./docs/agenstra/security/README.md) - CRA threat model and risk profile, accepted-risk register, hardening, SBOM, disclosure, and CI scanning (Trivy)
+- [Threat model](./docs/agenstra/security/threat-model.md) - Trust boundaries and per-service threats
+- [Risk profile](./docs/agenstra/security/risk-profile.md) - Probability × impact risk register
### External Resources
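Review bot: the "Security documentation" bullet now describes the section as "CRA threat model and risk profile, accepted-risk register, ..." and no longer mentions the BSI-oriented transparency material, yet `docs/agenstra/security/README.md` (the target of that link) still opens with the BSI IT-Grundschutz mapping. Suggest keeping "CRA- and BSI-oriented transparency" in the summary, e.g. "CRA- and BSI-oriented transparency (threat model, risk profile), accepted-risk register, hardening, SBOM, ...".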
diff --git a/apps/backend-agent-controller/README.md b/apps/backend-agent-controller/README.md
index a18b9daf..1554ffc4 100644
--- a/apps/backend-agent-controller/README.md
+++ b/apps/backend-agent-controller/README.md
@@ -105,7 +105,7 @@ For library testing information, see the [library documentation](../../libs/doma
## Security Considerations
-For security best practices and considerations, see the [library documentation](../../libs/domains/framework/backend/feature-agent-controller/README.md#security-considerations).
+For security best practices and considerations, see the [library documentation](../../libs/domains/framework/backend/feature-agent-controller/README.md#security-considerations). CRA-oriented **[threat model](../../docs/agenstra/security/threat-model.md#backend-agent-controller)** and **[risk profile](../../docs/agenstra/security/risk-profile.md#backend-agent-controller)** for this service are in the docs site.
## Rate Limiting
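Review bot: the new links use the fragments `#backend-agent-controller` on both `threat-model.md` and `risk-profile.md`; in `risk-profile.md` the corresponding heading is written as `## \`backend-agent-controller\`` (with backticks), so the generated anchor depends on the slugger of the docs site rather than on GitHub's. Please verify both anchors resolve on the rendered docs site, and consider using plain-text headings (no code span) for the per-service sections so the fragment is stable across renderers. The same applies to the agent-manager README hunk below.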
diff --git a/apps/backend-agent-manager/README.md b/apps/backend-agent-manager/README.md
index 638a092c..99a9d671 100644
--- a/apps/backend-agent-manager/README.md
+++ b/apps/backend-agent-manager/README.md
@@ -105,7 +105,7 @@ For library testing information, see the [library documentation](../../libs/doma
## Security Considerations
-For security best practices and considerations, see the [library documentation](../../libs/domains/framework/backend/feature-agent-manager/README.md#security-considerations).
+For security best practices and considerations, see the [library documentation](../../libs/domains/framework/backend/feature-agent-manager/README.md#security-considerations). CRA-oriented **[threat model](../../docs/agenstra/security/threat-model.md#backend-agent-manager)** and **[risk profile](../../docs/agenstra/security/risk-profile.md#backend-agent-manager)** for this service are in the docs site.
## Rate Limiting
diff --git a/docs/agenstra/README.md b/docs/agenstra/README.md
index ac17d9f1..b35f25b6 100644
--- a/docs/agenstra/README.md
+++ b/docs/agenstra/README.md
@@ -83,7 +83,9 @@ Deployment guides and configuration:
Public security and compliance-oriented documentation:
- [Compliance and standards](./security/compliance-and-standards.md) - EU CRA and BSI IT-Grundschutz documentation themes (informative)
-- [Accepted risks](./security/accepted-risks.md) - Register AR-001 through AR-005 with mitigations and review dates
+- [Threat model](./security/threat-model.md) - Per-service threats and trust boundaries (monorepo `apps/*`)
+- [Risk profile](./security/risk-profile.md) - Probability × impact scoring (LOW / MEDIUM / HIGH / CRITICAL)
+- [Accepted risks](./security/accepted-risks.md) - Register AR-001 through AR-006 with mitigations and review dates
- [Container image security](./security/container-images.md) - Non-root users, bind mounts, restricted sudo
- [Operational hardening](./security/operational-hardening.md) - Implemented controls (including container image hardening) and operator notes
- [Vulnerability reporting and artifacts](./security/vulnerability-reporting-and-artifacts.md) - Disclosure process, SBOM paths, desktop integrity
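Review bot: the "Accepted risks" bullet now reads "AR-001 through AR-006", but no hunk in this diff adds an AR-006 entry to `accepted-risks.md` (the only changes there are the intro paragraph and the related-docs list), while the new `risk-profile.md` already cites **AR-006** for unfixed CVEs (row R-AC-05). Either the AR-006 entry is missing from this change or it landed separately; please confirm it exists and, if it does, update the summary table in the root `SECURITY.md` as well, since hunk 1 of that file leaves the register table untouched.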
diff --git a/docs/agenstra/applications/README.md b/docs/agenstra/applications/README.md
index 505f47e3..90722880 100644
--- a/docs/agenstra/applications/README.md
+++ b/docs/agenstra/applications/README.md
@@ -90,6 +90,8 @@ graph TB
## Related Documentation
+- **[Security — Threat model](../security/threat-model.md)** - Per-application threats and trust boundaries
+- **[Security — Risk profile](../security/risk-profile.md)** - Scored risks per application
- **[Architecture Overview](../architecture/system-overview.md)** - System architecture
- **[Getting Started](../getting-started.md)** - Setup and configuration
- **[Deployment Guide](../deployment/README.md)** - Deployment documentation
diff --git a/docs/agenstra/architecture/README.md b/docs/agenstra/architecture/README.md
index 72a84892..3f5720c6 100644
--- a/docs/agenstra/architecture/README.md
+++ b/docs/agenstra/architecture/README.md
@@ -108,7 +108,7 @@ Agenstra uses a three-tier architecture:
- **Secure Communication** - HTTPS and WSS in production
- **Credential Management** - Secure storage and encryption
-See **[Security documentation](../security/README.md)** for the accepted-risk register, CRA- and BSI-oriented transparency notes, and operational controls.
+See **[Security documentation](../security/README.md)** for the **[threat model](../security/threat-model.md)**, **[risk profile](../security/risk-profile.md)**, accepted-risk register, CRA- and BSI-oriented transparency notes, and operational controls.
### Reliability
diff --git a/docs/agenstra/deployment/README.md b/docs/agenstra/deployment/README.md
index a2211036..6af317e8 100644
--- a/docs/agenstra/deployment/README.md
+++ b/docs/agenstra/deployment/README.md
@@ -116,7 +116,7 @@ nx serve frontend-agent-console
- **[Getting Started](../getting-started.md)** - Quick start guide
- **[Architecture](../architecture/README.md)** - System architecture
- **[Applications](../applications/README.md)** - Application details
-- **[Security](../security/README.md)** - Accepted risks, hardening, SBOM, and disclosure
+- **[Security](../security/README.md)** - Threat model, risk profile, accepted risks, hardening, SBOM, and disclosure
---
diff --git a/docs/agenstra/security/README.md b/docs/agenstra/security/README.md
index 99a1fc7a..b7e39b49 100644
--- a/docs/agenstra/security/README.md
+++ b/docs/agenstra/security/README.md
@@ -2,14 +2,22 @@
This section collects **security, compliance-oriented transparency, and hardening** information for Agenstra: mapping to **EU Cyber Resilience Act (CRA)** and **BSI IT-Grundschutz** documentation themes, a formal **accepted-risk register**, **vulnerability reporting**, **SBOM** and **desktop integrity** artifacts, and pointers to **environment variables** for production.
-For disclosure, supported versions, SBOM paths, and response-time commitments, see **[Vulnerability reporting and artifacts](./vulnerability-reporting-and-artifacts.md)**. A concise risk summary table is in **[Accepted risks](./accepted-risks.md)**. The same reporting policy is also published at the repository root as the file `SECURITY.md` (for example on GitHub’s Security tab).
+For disclosure, supported versions, SBOM paths, and response-time commitments, see **[Vulnerability reporting and artifacts](./vulnerability-reporting-and-artifacts.md)**. A concise risk summary table is in **[Accepted risks](./accepted-risks.md)**. CRA-oriented **threat modeling** and **risk profiling** (probability × impact) are in **[Threat model](./threat-model.md)** and **[Risk profile](./risk-profile.md)**. The same reporting policy is also published at the repository root as the file `SECURITY.md` (for example on GitHub’s Security tab).
## Overview
-Agenstra spans browsers, multiple NestJS backends, Express frontends, optional Electron distribution, and customer-controlled remote endpoints. Security is enforced through authentication modes, SSRF guardrails, sanitized logging, content security policy choices, **hardened container images** (non-root users, no default secrets in images, least-privilege Docker socket access), and **documented** residual risks where product or deployment constraints apply.
+Agenstra spans browsers, multiple NestJS backends, Express frontends, optional Electron distribution, and customer-controlled remote endpoints. Security is enforced through authentication modes, SSRF guardrails, sanitized logging, content security policy choices, **hardened container images** (non-root users, no default secrets in images, least-privilege Docker socket access), **documented threat models and risk registers** for monorepo services, and **documented** residual risks where product or deployment constraints apply.
## Documentation structure
+### [Threat model](./threat-model.md)
+
+Trust boundaries, threat actors, and per-service threats (STRIDE-style) for all `apps/*` deployables, including controller, manager, frontends, billing, MCP, and desktop shell.
+
+### [Risk profile](./risk-profile.md)
+
+Scored risks per service using **LOW / MEDIUM / HIGH / CRITICAL** for **probability** and **impact**, with an **accumulated** score (P × I) and overall severity.
+
### [Compliance and standards](./compliance-and-standards.md)
How public documentation relates to **CRA** (Regulation (EU) 2024/2847) and **BSI IT-Grundschutz** / typical **ISMS** practice: expected artifacts, transparency goals, and a high-level product mapping. **Informative only**; conformity and certification require your own legal and audit advisors.
@@ -40,6 +48,7 @@ For variable-by-variable deployment settings, including **`CLIENT_ENDPOINT_*`**,
## Related documentation
+- **[Threat model](./threat-model.md)** and **[Risk profile](./risk-profile.md)** — CRA Art. 13 evidence (informative)
- **[Architecture](../architecture/README.md)** — Trust boundaries and component roles
- **[Authentication feature](../features/authentication.md)** — User-facing authentication flows
- **[Deployment](../deployment/README.md)** — Docker and production guides
diff --git a/docs/agenstra/security/accepted-risks.md b/docs/agenstra/security/accepted-risks.md
index 0c937be0..a842bcd2 100644
--- a/docs/agenstra/security/accepted-risks.md
+++ b/docs/agenstra/security/accepted-risks.md
@@ -1,6 +1,6 @@
# Accepted risks (register)
-This register records **explicit risk acceptance** for product and deployment constraints that deviate from stricter security baselines. It supports **BSI / ISMS-style** traceability and **CRA-oriented** technical documentation (risk treatment and transparency). A compact summary table may also be published at the repository root in `SECURITY.md` for hosts that surface that file. For vulnerability reporting, SBOM paths, and desktop checksum verification, see **[Vulnerability reporting and artifacts](./vulnerability-reporting-and-artifacts.md)**.
+This register records **explicit risk acceptance** for product and deployment constraints that deviate from stricter security baselines. It supports **BSI / ISMS-style** traceability and **CRA-oriented** technical documentation (risk treatment and transparency). Scored risks and threats are documented in **[Risk profile](./risk-profile.md)** and **[Threat model](./threat-model.md)**. A compact summary table may also be published at the repository root in `SECURITY.md` for hosts that surface that file. For vulnerability reporting, SBOM paths, and desktop checksum verification, see **[Vulnerability reporting and artifacts](./vulnerability-reporting-and-artifacts.md)**.
**Review cadence:** entries use acceptance **2026-05-06** and next review **2027-05-06** unless a row states otherwise; trigger an early review if the relevant templates, packaging, CSP integration, authentication resolution, or Electron shell policy change materially.
@@ -151,6 +151,7 @@ New windows are **allowed** by design. Risk is **lower** than in a general-purpo
## Related documentation
+- **[Threat model](./threat-model.md)** and **[Risk profile](./risk-profile.md)**
- **[Compliance and standards](./compliance-and-standards.md)**
- **[Operational hardening](./operational-hardening.md)**
- **[Vulnerability reporting and artifacts](./vulnerability-reporting-and-artifacts.md)**
diff --git a/docs/agenstra/security/compliance-and-standards.md b/docs/agenstra/security/compliance-and-standards.md
index 3b59bef4..5431ebda 100644
--- a/docs/agenstra/security/compliance-and-standards.md
+++ b/docs/agenstra/security/compliance-and-standards.md
@@ -16,8 +16,8 @@ The following themes are recurring CRA expectations for **manufacturers** (exact
| Theme | What the regulation generally expects | Role of this repository’s documentation |
| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| **Risk assessment** | Identify and assess cybersecurity risks in light of the product’s intended and reasonably foreseeable use; use the assessment in design, development, delivery, and maintenance. | **[Operational hardening](./operational-hardening.md)** and **[Architecture](../architecture/README.md)** describe trust boundaries and controls. **[Accepted risks](./accepted-risks.md)** records deliberate residual risk and compensating measures. |
-| **Technical documentation** | Document the risk assessment and the means chosen to meet **essential cybersecurity requirements** (Annex I); keep it available for **market surveillance** authorities. | This security section, deployment and environment docs, and the risk register form the **public** technical narrative. Build pipelines and internal records may hold additional evidence. For **important products with digital elements** of class I that are **free and open-source software**, the CRA allows **self-assessment** only if **technical documentation is made available to the public**—this folder is part of that transparency intent. |
+| **Risk assessment** | Identify and assess cybersecurity risks in light of the product’s intended and reasonably foreseeable use; use the assessment in design, development, delivery, and maintenance. | **[Threat model](./threat-model.md)** and **[Risk profile](./risk-profile.md)** (probability × impact scoring). **[Operational hardening](./operational-hardening.md)** and **[Architecture](../architecture/README.md)** describe controls. **[Accepted risks](./accepted-risks.md)** records deliberate residual risk. |
+| **Technical documentation** | Document the risk assessment and the means chosen to meet **essential cybersecurity requirements** (Annex I); keep it available for **market surveillance** authorities. | This security section (including threat model and risk profile), deployment and environment docs, and the accepted-risk register form the **public** technical narrative. Build pipelines and internal records may hold additional evidence. For **important products with digital elements** of class I that are **free and open-source software**, the CRA allows **self-assessment** only if **technical documentation is made available to the public**—this folder is part of that transparency intent. |
| **Secure by design and default** | Implement Annex I requirements (e.g. no known exploitable vulnerabilities in the default configuration where feasible, hardening, confidentiality and integrity of data, limited attack surface). | **[Operational hardening](./operational-hardening.md)**, **[Container image security](./container-images.md)**, **[Production checklist](../deployment/production-checklist.md)**, and **[Environment configuration](../deployment/environment-configuration.md)** describe production-oriented controls and safe defaults where the product enforces them. |
| **Vulnerability handling** | Establish processes to identify and remediate vulnerabilities **without undue delay**; supply **security updates**; in scope cases, **report** actively exploited vulnerabilities and severe incidents via the CRA reporting framework. | **[Vulnerability reporting and artifacts](./vulnerability-reporting-and-artifacts.md)** describes coordinated disclosure, supported versions, and response commitments. |
| **Information for the user (Annex II)** | Provide instructions and information so users can **install, operate, and maintain** the product securely; include **support period** end date (month and year) where the regulation requires it for the economic operator placing the product on the market. | **[Getting started](../getting-started.md)**, **[Deployment](../deployment/README.md)**, **[Environment configuration](../deployment/environment-configuration.md)**, and **[Vulnerability reporting and artifacts](./vulnerability-reporting-and-artifacts.md)** (supported versions) support operator understanding. **Support period** for a **commercial** placement must be stated by the **manufacturer** or their documentation at the point of supply; this open documentation describes community-oriented support expectations in **[Vulnerability reporting and artifacts](./vulnerability-reporting-and-artifacts.md#supported-versions-and-security-updates)**. |
@@ -35,12 +35,12 @@ The CRA **entered into force** on 10 December 2024. **Full application** of many
BSI methodology and training material stress **consistent, traceable** documentation across the security process. Themes that map well to public product documentation include:
-| Theme | Typical expectation | How Agenstra documentation supports it |
-| --------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| **Security concept and scope** | Describe the target of protection, boundaries, and roles. | **[System overview](../architecture/system-overview.md)**, **[Components](../architecture/components.md)**, **[Data flow](../architecture/data-flow.md)**. |
-| **Protection needs and risk treatment** | Classify protection needs; treat risks (mitigate, transfer, avoid, **accept**) with rationale and owners. | **[Accepted risks](./accepted-risks.md)** gives **explicit acceptance**, **owners**, **dates**, **review cadence**, and **compensating controls** in a register form familiar to ISMS practice. |
-| **Requirement fulfillment** | In check-based workflows, record fulfillment (e.g. fulfilled / partially / not fulfilled / not applicable) and **justify** deviations; plan remediation where needed. | Accepted-risk entries document **deviations** from stricter baselines with **mitigations** and **review** dates. **[Operational hardening](./operational-hardening.md)** states implemented controls. |
-| **Operational measures** | Logging, configuration management, incident handling, and supplier relationships. | **[Operational hardening](./operational-hardening.md)**, **[Vulnerability reporting and artifacts](./vulnerability-reporting-and-artifacts.md)**, deployment guides. |
+| Theme | Typical expectation | How Agenstra documentation supports it |
+| --------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| **Security concept and scope** | Describe the target of protection, boundaries, and roles. | **[System overview](../architecture/system-overview.md)**, **[Components](../architecture/components.md)**, **[Data flow](../architecture/data-flow.md)**. |
+| **Protection needs and risk treatment** | Classify protection needs; treat risks (mitigate, transfer, avoid, **accept**) with rationale and owners. | **[Risk profile](./risk-profile.md)** scores risks per service; **[Accepted risks](./accepted-risks.md)** gives **explicit acceptance**, **owners**, **dates**, **review cadence**, and **compensating controls**. |
+| **Requirement fulfillment** | In check-based workflows, record fulfillment (e.g. fulfilled / partially / not fulfilled / not applicable) and **justify** deviations; plan remediation where needed. | Accepted-risk entries document **deviations** from stricter baselines with **mitigations** and **review** dates. **[Operational hardening](./operational-hardening.md)** states implemented controls. |
+| **Operational measures** | Logging, configuration management, incident handling, and supplier relationships. | **[Operational hardening](./operational-hardening.md)**, **[Vulnerability reporting and artifacts](./vulnerability-reporting-and-artifacts.md)**, deployment guides. |
Formal IT-Grundschutz certification or **ISMS** certification requires **organizational** processes and often **German-language** artifacts; this English **open** documentation is aimed at **global** transparency and **supplier** due diligence, not at replacing BSI audit evidence.
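Review bot: only the "Protection needs and risk treatment" row changes in substance here; the other four rows are re-emitted solely because the third column was re-padded to a new width, which makes the hunk read as a full-table rewrite. That is fine if the repository runs a Markdown formatter (e.g. Prettier) over these tables on commit, otherwise consider reverting the padding-only lines so the reviewable change is the single row.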
@@ -51,13 +51,15 @@ Understanding where data and credentials move supports both CRA-style technical
1. **Browser / Electron** to **Express frontend** to **backend APIs** (`/api`).
2. **Browser** to **Agent Controller WebSocket** to **remote agent-manager WebSocket** (`/agents`) using **client-stored** credentials toward the remote host (not the end-user’s controller JWT merged into HTTP proxy headers for those paths).
3. **Controller** to **customer `client.endpoint`** (SSRF and misconfiguration risk; mitigated by allowlists, TLS policy, DNS checks).
-4. **Provisioning** to **cloud APIs and SSH** to new hosts (see **AR-001** in **[Accepted risks](./accepted-risks.md)**).
+4. **Controller and billing-manager** to **cloud APIs, SSH, and cloud-init** on new hosts (see **AR-001** in **[Accepted risks](./accepted-risks.md)**; boundary **B4** in **[Threat model](./threat-model.md)**).
5. **Agent Manager** to **Docker / containers** (execution and file operations; non-root `agenstra` user, bind mounts under `/opt/agents`, restricted `sudo`).
-Detail: **[Container image security](./container-images.md)**, **[Operational hardening](./operational-hardening.md)**.
+Detail: **[Threat model](./threat-model.md)** (diagram and per-service tables), **[Container image security](./container-images.md)**, **[Operational hardening](./operational-hardening.md)**.
## Related documentation
+- **[Threat model](./threat-model.md)**
+- **[Risk profile](./risk-profile.md)**
- **[Accepted risks](./accepted-risks.md)**
- **[Operational hardening](./operational-hardening.md)**
- **[Container image security](./container-images.md)**
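Review bot: data-flow item 4 now refers to "boundary **B4** in **[Threat model](./threat-model.md)**", but `threat-model.md` is not among the files visible in this part of the diff, so the B4 identifier cannot be checked against the diagram. Please confirm the boundary label matches the one used in the threat model, and that the threat model attributes cloud-init and SSH provisioning to both the controller and the billing manager as this line now states (the risk profile files the root-SSH provisioning risk under `backend-billing-manager` only, as R-BM-01).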
diff --git a/docs/agenstra/security/risk-profile.md b/docs/agenstra/security/risk-profile.md
new file mode 100644
index 00000000..ce9a8f25
--- /dev/null
+++ b/docs/agenstra/security/risk-profile.md
@@ -0,0 +1,229 @@
+# Risk profile
+
+This register scores cybersecurity risks for **monorepo applications** (`apps/*`) and **cross-cutting** concerns. It supports **BSI / ISMS-style** traceability and **CRA-oriented** technical documentation ([Compliance and standards](./compliance-and-standards.md)). Threats are defined in **[Threat model](./threat-model.md)**. Treatment is **Mitigate** (controls listed), **Accept** (see **[Accepted risks](./accepted-risks.md)**), or **Monitor** (operator/deployer).
+
+**Review cadence:** service rows use last reviewed **2026-05-20** and next review **2027-05-06** unless a row or linked **AR-** entry states otherwise; trigger an early review when scores, architecture, or an accepted-risk entry changes materially.
+
+---
+
+## Scoring methodology
+
+Each risk uses two dimensions. Levels are **LOW**, **MEDIUM**, **HIGH**, or **CRITICAL** (ordinal, not CVSS).
+
+### Probability (P)
+
+Likelihood the threat materializes in **intended or reasonably foreseeable** deployment without additional compensating controls.
+
+| Level | Numeric | Meaning |
+| -------- | ------- | -------------------------------------------------------- |
+| LOW | 1 | Unlikely in typical hardened production |
+| MEDIUM | 2 | Possible with common misconfiguration or targeted attack |
+| HIGH | 3 | Likely without documented compensating controls |
+| CRITICAL | 4 | Expected in default or widely deployed weak posture |
+
+### Impact (I)
+
+Effect on **confidentiality, integrity, or availability** of the product or customer data (worst reasonable case).
+
+| Level | Numeric | Meaning |
+| -------- | ------- | ----------------------------------------------------------------------------- |
+| LOW | 1 | Limited annoyance or single-user scope |
+| MEDIUM | 2 | Data exposure or service degradation for one tenant/workspace |
+| HIGH | 3 | Multi-tenant or control-plane compromise |
+| CRITICAL | 4 | Full infrastructure takeover, widespread data breach, or safety-relevant harm |
+
+### Accumulated score and overall severity
+
+**Accumulated score** = **Pnumeric × Inumeric** (range **1–16**).
+
+| Accumulated score | Overall severity |
+| ----------------- | ---------------- |
+| 1–2 | **LOW** |
+| 3–6 | **MEDIUM** |
+| 8–9 | **HIGH** |
+| 10–16 | **CRITICAL** |
+
+Scores **7** map to **HIGH** (upper MEDIUM band). Document both **P**, **I**, and **accumulated** values for audit traceability.
+
+**Example:** P = HIGH (3), I = CRITICAL (4) → accumulated **12** → overall **CRITICAL**.
+
+---
+
+## Service risk summary
+
+| Service | Highest open severity | Primary drivers | Last reviewed | Next review date |
+| ----------------------------------- | --------------------- | ------------------------------------------------------------------------------------- | -------------- | ---------------- |
+| `backend-agent-controller` | **CRITICAL** | SSRF when allowlists weak (R-AC-01; mitigated if `CLIENT_ENDPOINT_ALLOWED_HOSTS` set) | **2026-05-20** | **2027-05-06** |
+| `backend-agent-manager` | **HIGH** | Docker socket abuse (R-AM-01) | **2026-05-20** | **2027-05-06** |
+| `frontend-agent-console` | **MEDIUM** | XSS under weak CSP (R-FE-01, **AR-003**) | **2026-05-20** | **2027-05-06** |
+| `backend-billing-manager` | **HIGH** | Provisioning root SSH (R-BM-01, **AR-001**) | **2026-05-20** | **2027-05-06** |
+| `native-agent-console` | **MEDIUM** | Unsigned updates / pop-ups (R-NA-01, **AR-002**, **AR-005**) | **2026-05-20** | **2027-05-06** |
+| `frontend-billing-console` | **LOW** | Billing data exposure (R-BC-01) | **2026-05-20** | **2027-05-06** |
+| `mcp-proxy` | **MEDIUM** | Over-privileged MCP bridge (R-MCP-01) | **2026-05-20** | **2027-05-06** |
+| `frontend-portal` / `frontend-docs` | **LOW** | Static content tampering (R-PO-01) | **2026-05-20** | **2027-05-06** |
+| `platform-authentication` | **MEDIUM** | Dev IdP defaults (R-PA-01) | **2026-05-20** | **2027-05-06** |
+| `mcp-devkit` | **LOW** | Dev-only misuse (R-MCP-02) | **2026-05-20** | **2027-05-06** |
+
+---
+
+## `backend-agent-controller`
+
+| Field | Recorded value |
+| ------------------------- | ---------------------- |
+| **Highest open severity** | **CRITICAL** (R-AC-01) |
+| **Last reviewed** | **2026-05-20** |
+| **Next review date** | **2027-05-06** |
+
+| Risk ID | Threat ref | Description | P | I | Accumulated | Overall | Treatment |
+| ------- | ---------- | ----------------------------------------------------------------------------------- | ---------- | ------------ | ----------- | ------------ | --------------------------------------------------------------------------------------------------------------- |
+| R-AC-01 | T-AC-03 | SSRF or DNS rebinding via misconfigured `client.endpoint` reaches internal services | HIGH (3) | CRITICAL (4) | 12 | **CRITICAL** | Mitigate: `CLIENT_ENDPOINT_*` allowlists, TLS, DNS checks — [Operational hardening](./operational-hardening.md) |
+| R-AC-02 | T-AC-04 | Credential confusion on HTTP proxy leaks user token to remote manager | LOW (1) | HIGH (3) | 3 | **MEDIUM** | Mitigate: header stripping (implemented) |
+| R-AC-03 | T-AC-01 | Compromise of `STATIC_API_KEY` grants full API access | MEDIUM (2) | CRITICAL (4) | 8 | **HIGH** | Mitigate + **AR-004**; prefer Keycloak |
+| R-AC-04 | T-AC-06 | Abuse of admin import/automation APIs | LOW (1) | HIGH (3) | 3 | **MEDIUM** | Mitigate: RBAC, admin routes |
+| R-AC-05 | T-X-01 | Unpatched dependency in controller image | MEDIUM (2) | HIGH (3) | 6 | **MEDIUM** | Mitigate: Trivy, SBOM; **AR-006** for unfixed CVEs |
+
+**R-AC-01:** **CRITICAL** overall severity assumes **missing or over-broad** production **`CLIENT_ENDPOINT_ALLOWED_HOSTS`** (controller exits on startup if unset in production). Narrow allowlists, TLS verification, and DNS checks per [Operational hardening](./operational-hardening.md) are the expected mitigation.
+
+---
+
+## `backend-agent-manager`
+
+| Field | Recorded value |
+| ------------------------- | ------------------ |
+| **Highest open severity** | **HIGH** (R-AM-01) |
+| **Last reviewed** | **2026-05-20** |
+| **Next review date** | **2027-05-06** |
+
+| Risk ID | Threat ref | Description | P | I | Accumulated | Overall | Treatment |
+| ------- | ---------- | ----------------------------------------------- | ---------- | ------------ | ----------- | ---------- | --------------------------------------------------------- |
+| R-AM-01 | T-AM-03 | Compromised API + Docker socket → host takeover | MEDIUM (2) | CRITICAL (4) | 8 | **HIGH** | Mitigate: non-root, restricted sudo, network segmentation |
+| R-AM-02 | T-AM-04 | Container escape from agent workspace | LOW (1) | CRITICAL (4) | 4 | **MEDIUM** | Mitigate: non-root `agenstra`, deployer seccomp/AppArmor |
+| R-AM-03 | T-AM-06 | Leakage of Git credentials from worker home | MEDIUM (2) | HIGH (3) | 6 | **MEDIUM** | Mitigate: mount permissions, secret rotation |
+| R-AM-04 | T-AM-07 | VNC/SSH brute force on exposed sidecars | MEDIUM (2) | MEDIUM (2) | 4 | **MEDIUM** | Mitigate: network ACLs, strong passwords |
+| R-AM-05 | T-AM-01 | Stolen agent password → workspace access | MEDIUM (2) | HIGH (3) | 6 | **MEDIUM** | Mitigate: TLS, credential storage on controller |
+
+---
+
+## `frontend-agent-console` (shared patterns for `frontend-*`)
+
+| Field | Recorded value |
+| ------------------------- | -------------------------------- |
+| **Highest open severity** | **MEDIUM** (R-FE-01; **AR-003**) |
+| **Last reviewed** | **2026-05-20** |
+| **Next review date** | **2027-05-06** |
+
+| Risk ID | Threat ref | Description | P | I | Accumulated | Overall | Treatment |
+| ------- | ---------- | -------------------------------------------- | ---------- | -------- | ----------- | ---------- | ----------------------------------------------------------- |
+| R-FE-01 | T-FE-04 | XSS with report-only CSP exfiltrates session | MEDIUM (2) | HIGH (3) | 6 | **MEDIUM** | Accept **AR-003**; mitigate: `CSP_ENFORCE`, patching, HTTPS |
+| R-FE-02 | T-FE-02 | Malicious remote `CONFIG` redirects users | LOW (1) | HIGH (3) | 3 | **MEDIUM** | Mitigate: `CONFIG_ALLOWED_HOSTS`, HTTPS |
+| R-FE-03 | T-FE-01 | Token theft from browser | MEDIUM (2) | HIGH (3) | 6 | **MEDIUM** | Mitigate: OIDC, secure cookies, short sessions |
+
+---
+
+## `backend-billing-manager` / `frontend-billing-console`
+
+| Field | Recorded value |
+| ------------------------- | ------------------------------ |
+| **Highest open severity** | **HIGH** (R-BM-01; **AR-001**) |
+| **Last reviewed** | **2026-05-20** |
+| **Next review date** | **2027-05-06** |
+
+| Risk ID | Threat ref | Description | P | I | Accumulated | Overall | Treatment |
+| ------- | ---------- | ------------------------------------------------- | ---------- | ------------ | ----------- | ---------- | ------------------------------------------------------ |
+| R-BM-01 | T-BM-02 | Provisioning key leak → **root** on new cloud VMs | MEDIUM (2) | CRITICAL (4) | 8 | **HIGH** | Accept **AR-001**; mitigate: key rotation, SG/firewall |
+| R-BM-02 | T-BM-01 | Cloud API token theft | LOW (1) | CRITICAL (4) | 4 | **MEDIUM** | Mitigate: vault, least-privilege cloud IAM |
+| R-BC-01 | T-BC-01 | Unauthorized access to billing console | LOW (1) | MEDIUM (2) | 2 | **LOW** | Mitigate: authN/Z, private network |
+
+---
+
+## `native-agent-console`
+
+| Field | Recorded value |
+| ------------------------- | -------------------------------------------- |
+| **Highest open severity** | **MEDIUM** (R-NA-01; **AR-002**, **AR-005**) |
+| **Last reviewed** | **2026-05-20** |
+| **Next review date** | **2027-05-06** |
+
+| Risk ID | Threat ref | Description | P | I | Accumulated | Overall | Treatment |
+| ------- | ---------- | ----------------------------------------------- | ---------- | ---------- | ----------- | ---------- | --------------------------------------------- |
+| R-NA-01 | T-NA-01 | Trojan installer without signature verification | MEDIUM (2) | HIGH (3) | 6 | **MEDIUM** | Accept **AR-002**; mitigate: SHA256 manifests |
+| R-NA-02 | T-NA-02 | Phishing via allowed `window.open` | LOW (1) | MEDIUM (2) | 2 | **LOW** | Accept **AR-005** |
+
+---
+
+## `frontend-portal` / `frontend-docs`
+
+| Field | Recorded value |
+| ------------------------- | ----------------- |
+| **Highest open severity** | **LOW** (R-PO-01) |
+| **Last reviewed** | **2026-05-20** |
+| **Next review date** | **2027-05-06** |
+
+| Risk ID | Threat ref | Description | P | I | Accumulated | Overall | Treatment |
+| ------- | ---------- | ---------------------------------------------------- | ------- | ---------- | ----------- | ------- | ------------------------------------------- |
+| R-PO-01 | T-PO-01 | Compromised CI or CDN serves malicious static assets | LOW (1) | MEDIUM (2) | 2 | **LOW** | Mitigate: signed releases, hosting controls |
+
+---
+
+## `mcp-proxy` / `mcp-devkit`
+
+| Field | Recorded value |
+| ------------------------- | --------------------- |
+| **Highest open severity** | **MEDIUM** (R-MCP-01) |
+| **Last reviewed** | **2026-05-20** |
+| **Next review date** | **2027-05-06** |
+
+| Risk ID | Threat ref | Description | P | I | Accumulated | Overall | Treatment |
+| -------- | ---------- | ------------------------------------------------ | ---------- | -------- | ----------- | ---------- | ---------------------------------------------- |
+| R-MCP-01 | T-MCP-01 | MCP client drives manager APIs with stolen creds | MEDIUM (2) | HIGH (3) | 6 | **MEDIUM** | Mitigate: bind localhost, same auth as manager |
+| R-MCP-02 | T-MCP-02 | Devkit misconfiguration in CI | LOW (1) | LOW (1) | 1 | **LOW** | Avoid production deployment |
+
+---
+
+## `platform-authentication`
+
+| Field | Recorded value |
+| ------------------------- | -------------------- |
+| **Highest open severity** | **MEDIUM** (R-PA-01) |
+| **Last reviewed** | **2026-05-20** |
+| **Next review date** | **2027-05-06** |
+
+| Risk ID | Threat ref | Description | P | I | Accumulated | Overall | Treatment |
+| ------- | ---------- | -------------------------------------------------------- | ------- | -------- | ----------- | ---------- | ------------------------------------------------- |
+| R-PA-01 | T-PA-01 | Default Keycloak credentials in dev compose used in prod | LOW (1) | HIGH (3) | 3 | **MEDIUM** | Mitigate: production IdP only; document dev scope |
+
+---
+
+## Cross-cutting risks
+
+| Field | Recorded value |
+| ------------------------- | ----------------------------- |
+| **Highest open severity** | **HIGH** (R-X-01; **AR-006**) |
+| **Last reviewed** | **2026-05-20** |
+| **Next review date** | **2027-05-06** |
+
+| Risk ID | Threat ref | Description | P | I | Accumulated | Overall | Treatment |
+| ------- | ---------- | --------------------------------------------- | -------- | ------------ | ----------- | ---------- | ----------------------------------------------------------------------- |
+| R-X-01 | T-X-01 | Critical CVE in dependency without vendor fix | HIGH (3) | HIGH (3) | 9 | **HIGH** | Accept **AR-006**; monitor SARIF/SBOM |
+| R-X-02 | T-X-02 | Cleartext HTTP/WSS in production | LOW (1) | HIGH (3) | 3 | **MEDIUM** | Mitigate: [Production checklist](../deployment/production-checklist.md) |
+| R-X-03 | T-X-03 | PostgreSQL credential leak | LOW (1) | CRITICAL (4) | 4 | **MEDIUM** | Mitigate: secrets management, network isolation |
+| R-X-04 | T-X-04 | Malicious insider uses admin APIs | LOW (1) | CRITICAL (4) | 4 | **MEDIUM** | Mitigate: RBAC, audit logs, least privilege |
+
+---
+
+## Risk treatment and traceability
+
+| Overall severity | Count (open, pre-acceptance) | Notes |
+| ---------------- | ---------------------------- | ------------------------------------------------------------------------------------- |
+| **CRITICAL** | 1 | R-AC-01 — if allowlists absent or `*`; mitigated when production hosts are restricted |
+| **HIGH** | 4 | R-AC-03, R-AM-01, R-BM-01, R-X-01 |
+| **MEDIUM** | 17 | Includes accepted-risk areas with compensating controls |
+| **LOW** | 4 | R-BC-01, R-NA-02, R-MCP-02, R-PO-01 |
+
+Accepted risks **AR-001** through **AR-006** correspond to elevated scores that remain **documented** after compensating controls; they do not remove the need for deployer diligence.
+
+## Related documentation
+
+- **[Threat model](./threat-model.md)**
+- **[Accepted risks](./accepted-risks.md)**
+- **[Compliance and standards](./compliance-and-standards.md)**
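Review bot: the R-X-02 description "Cleartext HTTP/WSS in production" names the wrong WebSocket scheme; WSS is the TLS-protected variant that the paired control in the threat model ("Enforce HTTPS/WSS") requires, so the row should read "Cleartext HTTP/WS in production" to keep the threat and its control from naming the same protocol. The R-AC-01 note also states that the controller exits on startup if `CLIENT_ENDPOINT_ALLOWED_HOSTS` is unset in production, which means only the over-broad (`*`) allowlist case can actually drive the HIGH (3) probability; spell out that rationale in the row, and since the summary counts are labelled "pre-acceptance" while no table records a residual severity, add a post-mitigation column so the "mitigated when production hosts are restricted" claim is traceable rather than implied. Finally, R-AC-05 and R-X-01 both reference T-X-01 with different scores; clarify which row owns the controller-image dependency exposure so it is not counted twice in the severity totals.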
diff --git a/docs/agenstra/security/threat-model.md b/docs/agenstra/security/threat-model.md
new file mode 100644
index 00000000..0376069b
--- /dev/null
+++ b/docs/agenstra/security/threat-model.md
@@ -0,0 +1,229 @@
+# Threat model
+
+This model covers **deployable applications** in the Agenstra monorepo (`apps/*`). It supports **BSI / ISMS-style** traceability and **CRA-oriented** technical documentation ([Compliance and standards](./compliance-and-standards.md), Art. 13 and Annex I) using **trust boundaries**, **data-flow review**, and **STRIDE**-style categories. It is not a penetration-test report. Scored risks are in **[Risk profile](./risk-profile.md)**; deliberate residuals are in **[Accepted risks](./accepted-risks.md)**.
+
+**Review cadence:** service rows use last reviewed **2026-05-20** and next review **2027-05-06** unless a row states otherwise; trigger an early review if trust boundaries, authentication, proxy behavior, container layout, or an application’s exposure model changes materially.
+
+---
+
+## Product scope and intended use
+
+**Intended use:** Operators run Agenstra to manage **remote agent-manager** instances, interact with **AI agents** in containers, edit workspace files, run Git operations, provision cloud hosts, and (where licensed) use billing and portal surfaces.
+
+**Reasonably foreseeable use:** Misconfigured `client.endpoint` or `CONFIG` URLs; shared `STATIC_API_KEY`; exposing manager Docker sockets to untrusted networks; using the desktop shell for general browsing; relying on report-only CSP in production without monitoring.
+
+## Trust boundaries
+
+```mermaid
+flowchart TB
+ subgraph external [External]
+ U[User browser / Electron]
+ IdP[Keycloak / customer IdP]
+ Cloud[Cloud APIs Hetzner DO]
+ RemoteAM[Customer agent-manager endpoints]
+ MCP[MCP clients / tools]
+ end
+
+ subgraph tier_fe [Frontend tier]
+ FAC[frontend-agent-console]
+ FBC[frontend-billing-console]
+ FP[frontend-portal]
+ FD[frontend-docs]
+ NAC[native-agent-console]
+ end
+
+ subgraph tier_ctrl [Controller tier]
+ BAC[backend-agent-controller]
+ DB1[(PostgreSQL)]
+ end
+
+ subgraph tier_mgr [Manager tier]
+ BAM[backend-agent-manager]
+ DB2[(PostgreSQL)]
+ DK[Docker / agent containers]
+ end
+
+ subgraph tier_bill [Billing / platform]
+ BBM[backend-billing-manager]
+ PA[platform-authentication Keycloak compose]
+ end
+
+ subgraph tier_mcp [MCP tooling]
+ MCPP[mcp-proxy]
+ end
+
+ U --> FAC
+ U --> FBC
+ U --> FP
+ U --> NAC
+ FAC --> BAC
+ FBC --> BBM
+ BAC --> DB1
+ BAC -->|"HTTP/WS via stored client.endpoint"| RemoteAM
+ BAC --> Cloud
+ BAC --> IdP
+ BAM --> DB2
+ BAM --> DK
+ RemoteAM -.-> BAM
+ BBM --> Cloud
+ MCP --> MCPP
+ MCPP --> BAM
+ FAC --> IdP
+ PA --> IdP
+```
+
+The controller reaches an agent-manager (**BAM** or another host) only through each client’s stored **`client.endpoint`** (**RemoteAM**). The dotted edge means that URL often resolves to a manager instance; it is not a separate bypass of **B3**.
+
+| Boundary | Crosses | Primary assets |
+| -------- | ------------------------------------------------------------------------------------------ | -------------------------------------------------------- |
+| B1 | Internet → frontend Express/Angular | Session tokens, runtime config, CSP surface |
+| B2 | Frontend → controller API/WS | User auth, client IDs, ticket data |
+| B3 | Controller → customer `client.endpoint` | Stored client credentials, SSRF target |
+| B4 | Controller and **billing-manager** → cloud provisioning APIs (SSH, cloud-init; **AR-001**) | API tokens, SSH keys, user-data |
+| B5 | Controller/manager → PostgreSQL | Clients, agents, credentials, tickets |
+| B6 | Manager → Docker socket | Container lifecycle, host filesystem under `/opt/agents` |
+| B7 | Manager → agent containers | Workspace files, Git creds, agent passwords, VNC/SSH |
+| B8 | MCP client → mcp-proxy → manager | Tool invocation, agent APIs |
+| B9 | Desktop shell → same as browser | Local storage, `window.open`, no code signing (AR-002) |
+
+Detail: [System overview](../architecture/system-overview.md), [Data flow](../architecture/data-flow.md), [Compliance — trust boundaries](./compliance-and-standards.md#trust-boundaries-summary).
+
+## Threat actors
+
+| Actor | Capability | Typical goal |
+| ----------------------------- | -------------------------------- | ----------------------------------------------------------- |
+| **Anonymous remote** | Network access to exposed APIs | Probe auth, abuse rate limits, fuzz endpoints |
+| **Authenticated user** | Valid portal/console session | Escalate to other clients/agents, exfiltrate workspace data |
+| **Compromised browser** | XSS, malicious extension (web) | Steal tokens, drive API calls, WebSocket abuse |
+| **Compromised controller** | DB + outbound proxy | Pivot to all connected managers, SSRF internal networks |
+| **Compromised manager** | Docker socket | Escape to host, mine crypto, lateral movement |
+| **Malicious agent/container** | Code in workspace | Steal mounted secrets, attack manager API |
+| **Cloud / supply chain** | Weak cloud-init, image tampering | Host takeover, credential theft |
+| **Insider operator** | Admin APIs, env secrets | Data theft, disable controls |
+
+## Service inventory
+
+| Application | Role | Default exposure | Last reviewed | Next review date |
+| -------------------------- | ------------------------------------ | --------------------------- | -------------- | ---------------- |
+| `frontend-agent-console` | Primary web IDE / chat | Public HTTPS | **2026-05-20** | **2027-05-06** |
+| `backend-agent-controller` | Control plane, proxy, provisioning | Internal or public API | **2026-05-20** | **2027-05-06** |
+| `backend-agent-manager` | Agents, Docker, WebSocket | Customer network / internal | **2026-05-20** | **2027-05-06** |
+| `frontend-billing-console` | Billing UI | Restricted / admin | **2026-05-20** | **2027-05-06** |
+| `backend-billing-manager` | Billing, provisioning templates | Restricted / admin | **2026-05-20** | **2027-05-06** |
+| `frontend-portal` | Marketing / landing | Public static | **2026-05-20** | **2027-05-06** |
+| `frontend-docs` | Documentation site | Public static | **2026-05-20** | **2027-05-06** |
+| `native-agent-console` | Electron wrapper | User desktop | **2026-05-20** | **2027-05-06** |
+| `mcp-proxy` | MCP bridge to manager APIs | Local or trusted network | **2026-05-20** | **2027-05-06** |
+| `mcp-devkit` | MCP development utilities | Dev machines only | **2026-05-20** | **2027-05-06** |
+| `platform-authentication` | Keycloak docker-compose for dev/demo | Local / private network | **2026-05-20** | **2027-05-06** |
+
+Worker, VNC, and SSH **images** are not separate Node apps but are in scope as **manager-spawned** attack surfaces (boundary B7). Review dates for those images follow **`backend-agent-manager`** unless spawn logic or sidecar images change materially.
+
+---
+
+## `frontend-agent-console` (and shared `frontend-*` Express)
+
+| ID | STRIDE | Threat | Mitigation / note |
+| ------- | ---------------------- | ----------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- |
+| T-FE-01 | Spoofing | Stolen session or API key reused from browser storage | HTTPS, HttpOnly cookies where used, Keycloak/OIDC; see [Authentication](../features/authentication.md) |
+| T-FE-02 | Tampering | Malicious runtime `CONFIG` JSON alters API endpoints | `CONFIG_*` allowlists, HTTPS, DNS checks — [Operational hardening](./operational-hardening.md#frontend-runtime-configuration-get-config) |
+| T-FE-03 | Repudiation | Insufficient client-side logging of security events | Server-side access logs with correlation IDs on backends |
+| T-FE-04 | Information disclosure | XSS exfiltrates tokens or workspace paths | CSP (report-only default); **AR-003**; Monaco requires `unsafe-eval` |
+| T-FE-05 | Denial of service | Large payloads to Express static/API | Rate limits on backends; CDN/size limits for static |
+| T-FE-06 | Elevation | Client-side route guard bypass only | Server-side authorization on all mutations |
+
+## `backend-agent-controller`
+
+| ID | STRIDE | Threat | Mitigation / note |
+| ------- | ---------------------- | -------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
+| T-AC-01 | Spoofing | Weak or shared `STATIC_API_KEY` | Prefer Keycloak; rotate keys; **AR-004** |
+| T-AC-02 | Tampering | Ticket/client record tampering via IDOR | Per-client permissions, repository checks |
+| T-AC-03 | Information disclosure | SSRF via `client.endpoint` to internal services | Allowlists, TLS, DNS rebinding checks — [Operational hardening](./operational-hardening.md#agent-controller--remote-client-endpoints-ssrf) |
+| T-AC-04 | Information disclosure | User JWT forwarded to remote manager on HTTP proxy | Stripped proxy headers; separate client credentials — [Operational hardening](./operational-hardening.md#http-proxy-to-remote-agent-manager--headers) |
+| T-AC-05 | Denial of service | WebSocket fan-out exhaustion | Rate limits; connection management |
+| T-AC-06 | Elevation | Admin automation/import APIs abused | Role guards; admin-only routes |
+| T-AC-07 | Information disclosure | Logs leak secrets | `redactSecretsInString`, `redactSensitive` |
+
+## `backend-agent-manager`
+
+| ID | STRIDE | Threat | Mitigation / note |
+| ------- | ---------------------- | ------------------------------------------- | --------------------------------------------------------------------------------------------------- |
+| T-AM-01 | Spoofing | Agent login with stolen password/API key | Per-agent credentials; WebSocket auth |
+| T-AM-02 | Tampering | Arbitrary file write in container workspace | Path validation; container isolation |
+| T-AM-03 | Information disclosure | Docker socket abuse from compromised API | Non-root `agenstra`, restricted `sudo`, socket GID sync — [Container images](./container-images.md) |
+| T-AM-04 | Elevation | Container escape to host | Non-root user, minimal caps; deployer hardening |
+| T-AM-05 | Denial of service | Runaway containers / log streams | Resource limits (deployer); manager controls |
+| T-AM-06 | Information disclosure | Git credentials in worker `$HOME` | Credentials under `/home/agenstra`; host mount permissions |
+| T-AM-07 | Spoofing | VNC/SSH sidecar password guessing | Runtime passwords; network isolation |
+
+## `backend-billing-manager` / `frontend-billing-console`
+
+| ID | STRIDE | Threat | Mitigation / note |
+| ------- | ---------------------- | -------------------------------------------------- | --------------------------------------------------- |
+| T-BM-01 | Information disclosure | Cloud provider API keys in env | Secrets via env/vault; not in images |
+| T-BM-02 | Elevation | Provisioning scripts yield **root SSH** on new VMs | **AR-001**; key-only SSH; deployer network controls |
+| T-BM-03 | Tampering | Billing or subscription data altered | DB authz; admin-only surfaces |
+| T-BC-01 | Information disclosure | Billing UI exposes PII | AuthN/Z on billing routes; HTTPS |
+
+## `frontend-portal` / `frontend-docs`
+
+| ID | STRIDE | Threat | Mitigation / note |
+| ------- | ---------------------- | ----------------------------------- | -------------------------------------------------- |
+| T-PO-01 | Tampering | Static site supply-chain defacement | Build integrity, hosting controls |
+| T-PO-02 | Information disclosure | Form or analytics data leakage | Minimal collection; cookie consent util where used |
+
+## `native-agent-console`
+
+| ID | STRIDE | Threat | Mitigation / note |
+| ------- | ---------------------- | ----------------------------------------------- | ------------------------------------------------------- |
+| T-NA-01 | Spoofing | Unsigned binary substituted in download | **AR-002**; SHA256 manifests |
+| T-NA-02 | Elevation | `window.open` opens attacker-controlled content | **AR-005**; sandbox, contextIsolation |
+| T-NA-03 | Information disclosure | Local Electron storage read by malware | OS disk encryption; prefer web client for untrusted use |
+
+## `mcp-proxy` / `mcp-devkit`
+
+| ID | STRIDE | Threat | Mitigation / note |
+| -------- | --------- | -------------------------------------------------- | ------------------------------------------------------------ |
+| T-MCP-01 | Elevation | MCP tool invokes manager APIs with excessive scope | Bind to localhost; same auth as manager; dev-only for devkit |
+| T-MCP-02 | Tampering | Malicious MCP server configuration | Operator-controlled config only |
+
+## `platform-authentication`
+
+| ID | STRIDE | Threat | Mitigation / note |
+| ------- | ---------------------- | ------------------------------------------------- | ------------------------------------------------ |
+| T-PA-01 | Spoofing | Default Keycloak admin credentials in dev compose | Not for production; production uses customer IdP |
+| T-PA-02 | Information disclosure | IdP misconfiguration exposes realms | Harden Keycloak per vendor guidance |
+
+---
+
+## Cross-cutting threats
+
+| Field | Recorded value |
+| -------------------- | --------------------------------------- |
+| **Scope** | All deployables and shared dependencies |
+| **Last reviewed** | **2026-05-20** |
+| **Next review date** | **2027-05-06** |
+
+| ID | Threat | Affected services | Controls |
+| ------ | ------------------------------ | ------------------- | --------------------------------------- |
+| T-X-01 | Dependency CVE | All | Trivy CI, SBOM, **AR-006** |
+| T-X-02 | Weak TLS or HTTP in production | All public tiers | Enforce HTTPS/WSS; production checklist |
+| T-X-03 | Database credential leak | Backends | Env secrets; least-privilege DB users |
+| T-X-04 | Insider admin abuse | Controller, billing | RBAC, audit features, logging |
+
+## Mitigation summary map
+
+| Control area | Documentation |
+| ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------- |
+| Authentication / authorization | [Authentication](../features/authentication.md), [Operational hardening](./operational-hardening.md) |
+| SSRF / config fetch | [Operational hardening](./operational-hardening.md), [Environment configuration](../deployment/environment-configuration.md) |
+| Containers | [Container images](./container-images.md), [Docker deployment](../deployment/docker-deployment.md) |
+| Vulnerabilities | [Vulnerability reporting](./vulnerability-reporting-and-artifacts.md), [CI scanning](./ci-security-scanning.md) |
+| Accepted residuals | [Accepted risks](./accepted-risks.md) |
+
+## Related documentation
+
+- **[Risk profile](./risk-profile.md)**
+- **[Accepted risks](./accepted-risks.md)**
+- **[Compliance and standards](./compliance-and-standards.md)**
+- **[Architecture components](../architecture/components.md)**
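Review bot: a number of threats defined here have no scored counterpart in risk-profile.md from this same patch, so the stated traceability is one-directional: T-FE-03, T-FE-05, T-FE-06, T-AC-02 (IDOR on ticket/client records), T-AC-05, T-AC-07, T-AM-02 (arbitrary file write in the workspace), T-AM-05, T-BM-03, T-PO-02, T-NA-03 and T-PA-02 never receive a P/I score; either add rows for them or mark in each table which threats are deliberately left unscored and why. In the `frontend-agent-console` table, T-FE-06's mitigation "Server-side authorization on all mutations" is narrower than the threat it answers, because a bypassed client-side route guard reaches read endpoints just as easily, so the control should state authorization on every route, reads included (compare T-AC-02, which already covers the IDOR case). For T-FE-04, since Monaco requires `unsafe-eval` and the CSP is report-only by default, say what an enforced policy still contributes against token exfiltration (for example, limiting outbound destinations with `connect-src`) so the row does not read as if CSP alone addresses the threat.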