From 42df1a9991161edc72464688ecfb8d3e22aaf7cd Mon Sep 17 00:00:00 2001 From: Marcel Menk Date: Wed, 20 May 2026 17:46:17 +0200 Subject: [PATCH] docs: open threat model and risk assessment --- SECURITY.md | 6 +- apps/backend-agent-controller/README.md | 2 +- apps/backend-agent-manager/README.md | 2 +- docs/agenstra/README.md | 4 +- docs/agenstra/applications/README.md | 2 + docs/agenstra/architecture/README.md | 2 +- docs/agenstra/deployment/README.md | 2 +- docs/agenstra/security/README.md | 13 +- docs/agenstra/security/accepted-risks.md | 3 +- .../security/compliance-and-standards.md | 22 +- docs/agenstra/security/risk-profile.md | 229 ++++++++++++++++++ docs/agenstra/security/threat-model.md | 229 ++++++++++++++++++ 12 files changed, 496 insertions(+), 20 deletions(-) create mode 100644 docs/agenstra/security/risk-profile.md create mode 100644 docs/agenstra/security/threat-model.md diff --git a/SECURITY.md b/SECURITY.md index c905acca..b966cdab 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -92,7 +92,7 @@ This framework includes several built-in security features: ## Documented security deviations (accepted risks) -The product intentionally departs from stricter baselines in a few places. Each item below is **accepted** with compensating measures and a **review cadence**. Expanded register entries (BSI / ISMS-style fields, operator summaries, and withdrawal paths) live in **[docs/agenstra/security/accepted-risks.md](./docs/agenstra/security/accepted-risks.md)**. Additional threat context and backlog items may appear in [`thread-analysis.md`](./thread-analysis.md) (internal analysis note). +The product intentionally departs from stricter baselines in a few places. Each item below is **accepted** with compensating measures and a **review cadence**. Expanded register entries (BSI / ISMS-style fields, operator summaries, and withdrawal paths) live in **[docs/agenstra/security/accepted-risks.md](./docs/agenstra/security/accepted-risks.md)**. CRA-oriented **threat modeling** and **risk profiling** (per-service, probability × impact) are in **[docs/agenstra/security/threat-model.md](./docs/agenstra/security/threat-model.md)** and **[docs/agenstra/security/risk-profile.md](./docs/agenstra/security/risk-profile.md)**. 
| ID | Area | What we accept | Mitigations (short) | Next review | | ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------- | @@ -127,7 +127,9 @@ Details: **[Software Bill of Materials (SBOM)](./docs/agenstra/security/vulnerab ### Documentation - [Project overview and docs](./docs/agenstra/README.md) - Architecture, deployment, and setup -- [Security documentation](./docs/agenstra/security/README.md) - CRA- and BSI-oriented transparency, accepted-risk register, hardening, SBOM, disclosure, and CI scanning (Trivy) +- [Security documentation](./docs/agenstra/security/README.md) - CRA threat model and risk profile, accepted-risk register, hardening, SBOM, disclosure, and CI scanning (Trivy) +- [Threat model](./docs/agenstra/security/threat-model.md) - Trust boundaries and per-service threats +- [Risk profile](./docs/agenstra/security/risk-profile.md) - Probability × impact risk register ### External Resources diff --git a/apps/backend-agent-controller/README.md b/apps/backend-agent-controller/README.md index a18b9daf..1554ffc4 100644 --- a/apps/backend-agent-controller/README.md 
+++ b/apps/backend-agent-controller/README.md @@ -105,7 +105,7 @@ For library testing information, see the [library documentation](../../libs/doma ## Security Considerations -For security best practices and considerations, see the [library documentation](../../libs/domains/framework/backend/feature-agent-controller/README.md#security-considerations). +For security best practices and considerations, see the [library documentation](../../libs/domains/framework/backend/feature-agent-controller/README.md#security-considerations). CRA-oriented **[threat model](../../docs/agenstra/security/threat-model.md#backend-agent-controller)** and **[risk profile](../../docs/agenstra/security/risk-profile.md#backend-agent-controller)** for this service are in the docs site. ## Rate Limiting diff --git a/apps/backend-agent-manager/README.md b/apps/backend-agent-manager/README.md index 638a092c..99a9d671 100644 --- a/apps/backend-agent-manager/README.md +++ b/apps/backend-agent-manager/README.md @@ -105,7 +105,7 @@ For library testing information, see the [library documentation](../../libs/doma ## Security Considerations -For security best practices and considerations, see the [library documentation](../../libs/domains/framework/backend/feature-agent-manager/README.md#security-considerations). +For security best practices and considerations, see the [library documentation](../../libs/domains/framework/backend/feature-agent-manager/README.md#security-considerations). CRA-oriented **[threat model](../../docs/agenstra/security/threat-model.md#backend-agent-manager)** and **[risk profile](../../docs/agenstra/security/risk-profile.md#backend-agent-manager)** for this service are in the docs site. ## Rate Limiting diff --git a/docs/agenstra/README.md b/docs/agenstra/README.md index ac17d9f1..b35f25b6 100644 --- a/docs/agenstra/README.md +++ b/docs/agenstra/README.md 
@@ -83,7 +83,9 @@ Deployment guides and configuration: Public security and compliance-oriented documentation: - [Compliance and standards](./security/compliance-and-standards.md) - EU CRA and BSI IT-Grundschutz documentation themes (informative) -- [Accepted risks](./security/accepted-risks.md) - Register AR-001 through AR-005 with mitigations and review dates +- [Threat model](./security/threat-model.md) - Per-service threats and trust boundaries (monorepo `apps/*`) +- [Risk profile](./security/risk-profile.md) - Probability × impact scoring (LOW / MEDIUM / HIGH / CRITICAL) +- [Accepted risks](./security/accepted-risks.md) - Register AR-001 through AR-006 with mitigations and review dates - [Container image security](./security/container-images.md) - Non-root users, bind mounts, restricted sudo - [Operational hardening](./security/operational-hardening.md) - Implemented controls (including container image hardening) and operator notes - [Vulnerability reporting and artifacts](./security/vulnerability-reporting-and-artifacts.md) - Disclosure process, SBOM paths, desktop integrity diff --git a/docs/agenstra/applications/README.md b/docs/agenstra/applications/README.md index 505f47e3..90722880 100644 --- a/docs/agenstra/applications/README.md +++ b/docs/agenstra/applications/README.md @@ -90,6 +90,8 @@ graph TB ## Related Documentation +- **[Security — Threat model](../security/threat-model.md)** - Per-application threats and trust boundaries +- **[Security — Risk profile](../security/risk-profile.md)** - Scored risks per application - **[Architecture Overview](../architecture/system-overview.md)** - System architecture - **[Getting Started](../getting-started.md)** - Setup and configuration - **[Deployment Guide](../deployment/README.md)** - Deployment documentation diff --git a/docs/agenstra/architecture/README.md b/docs/agenstra/architecture/README.md index 72a84892..3f5720c6 100644 --- a/docs/agenstra/architecture/README.md 
+++ b/docs/agenstra/architecture/README.md @@ -108,7 +108,7 @@ Agenstra uses a three-tier architecture: - **Secure Communication** - HTTPS and WSS in production - **Credential Management** - Secure storage and encryption -See **[Security documentation](../security/README.md)** for the accepted-risk register, CRA- and BSI-oriented transparency notes, and operational controls. +See **[Security documentation](../security/README.md)** for the **[threat model](../security/threat-model.md)**, **[risk profile](../security/risk-profile.md)**, accepted-risk register, CRA- and BSI-oriented transparency notes, and operational controls. ### Reliability diff --git a/docs/agenstra/deployment/README.md b/docs/agenstra/deployment/README.md index a2211036..6af317e8 100644 --- a/docs/agenstra/deployment/README.md +++ b/docs/agenstra/deployment/README.md @@ -116,7 +116,7 @@ nx serve frontend-agent-console - **[Getting Started](../getting-started.md)** - Quick start guide - **[Architecture](../architecture/README.md)** - System architecture - **[Applications](../applications/README.md)** - Application details -- **[Security](../security/README.md)** - Accepted risks, hardening, SBOM, and disclosure +- **[Security](../security/README.md)** - Threat model, risk profile, accepted risks, hardening, SBOM, and disclosure --- diff --git a/docs/agenstra/security/README.md b/docs/agenstra/security/README.md index 99a1fc7a..b7e39b49 100644 --- a/docs/agenstra/security/README.md +++ b/docs/agenstra/security/README.md 
@@ -2,14 +2,22 @@ This section collects **security, compliance-oriented transparency, and hardening** information for Agenstra: mapping to **EU Cyber Resilience Act (CRA)** and **BSI IT-Grundschutz** documentation themes, a formal **accepted-risk register**, **vulnerability reporting**, **SBOM** and **desktop integrity** artifacts, and pointers to **environment variables** for production. -For disclosure, supported versions, SBOM paths, and response-time commitments, see **[Vulnerability reporting and artifacts](./vulnerability-reporting-and-artifacts.md)**. A concise risk summary table is in **[Accepted risks](./accepted-risks.md)**. The same reporting policy is also published at the repository root as the file `SECURITY.md` (for example on GitHub’s Security tab). +For disclosure, supported versions, SBOM paths, and response-time commitments, see **[Vulnerability reporting and artifacts](./vulnerability-reporting-and-artifacts.md)**. A concise risk summary table is in **[Accepted risks](./accepted-risks.md)**. CRA-oriented **threat modeling** and **risk profiling** (probability × impact) are in **[Threat model](./threat-model.md)** and **[Risk profile](./risk-profile.md)**. The same reporting policy is also published at the repository root as the file `SECURITY.md` (for example on GitHub’s Security tab). ## Overview -Agenstra spans browsers, multiple NestJS backends, Express frontends, optional Electron distribution, and customer-controlled remote endpoints. Security is enforced through authentication modes, SSRF guardrails, sanitized logging, content security policy choices, **hardened container images** (non-root users, no default secrets in images, least-privilege Docker socket access), and **documented** residual risks where product or deployment constraints apply. +Agenstra spans browsers, multiple NestJS backends, Express frontends, optional Electron distribution, and customer-controlled remote endpoints. 
Security is enforced through authentication modes, SSRF guardrails, sanitized logging, content security policy choices, **hardened container images** (non-root users, no default secrets in images, least-privilege Docker socket access), **documented threat models and risk registers** for monorepo services, and **documented** residual risks where product or deployment constraints apply. ## Documentation structure +### [Threat model](./threat-model.md) + +Trust boundaries, threat actors, and per-service threats (STRIDE-style) for all `apps/*` deployables, including controller, manager, frontends, billing, MCP, and desktop shell. + +### [Risk profile](./risk-profile.md) + +Scored risks per service using **LOW / MEDIUM / HIGH / CRITICAL** for **probability** and **impact**, with an **accumulated** score (P × I) and overall severity. + ### [Compliance and standards](./compliance-and-standards.md) How public documentation relates to **CRA** (Regulation (EU) 2024/2847) and **BSI IT-Grundschutz** / typical **ISMS** practice: expected artifacts, transparency goals, and a high-level product mapping. **Informative only**; conformity and certification require your own legal and audit advisors. @@ -40,6 +48,7 @@ For variable-by-variable deployment settings, including **`CLIENT_ENDPOINT_*`**, ## Related documentation +- **[Threat model](./threat-model.md)** and **[Risk profile](./risk-profile.md)** — CRA Art. 13 evidence (informative) - **[Architecture](../architecture/README.md)** — Trust boundaries and component roles - **[Authentication feature](../features/authentication.md)** — User-facing authentication flows - **[Deployment](../deployment/README.md)** — Docker and production guides diff --git a/docs/agenstra/security/accepted-risks.md b/docs/agenstra/security/accepted-risks.md index 0c937be0..a842bcd2 100644 --- a/docs/agenstra/security/accepted-risks.md +++ b/docs/agenstra/security/accepted-risks.md 
@@ -1,6 +1,6 @@ # Accepted risks (register) -This register records **explicit risk acceptance** for product and deployment constraints that deviate from stricter security baselines. It supports **BSI / ISMS-style** traceability and **CRA-oriented** technical documentation (risk treatment and transparency). A compact summary table may also be published at the repository root in `SECURITY.md` for hosts that surface that file. For vulnerability reporting, SBOM paths, and desktop checksum verification, see **[Vulnerability reporting and artifacts](./vulnerability-reporting-and-artifacts.md)**. +This register records **explicit risk acceptance** for product and deployment constraints that deviate from stricter security baselines. It supports **BSI / ISMS-style** traceability and **CRA-oriented** technical documentation (risk treatment and transparency). Scored risks and threats are documented in **[Risk profile](./risk-profile.md)** and **[Threat model](./threat-model.md)**. A compact summary table may also be published at the repository root in `SECURITY.md` for hosts that surface that file. For vulnerability reporting, SBOM paths, and desktop checksum verification, see **[Vulnerability reporting and artifacts](./vulnerability-reporting-and-artifacts.md)**. **Review cadence:** entries use acceptance **2026-05-06** and next review **2027-05-06** unless a row states otherwise; trigger an early review if the relevant templates, packaging, CSP integration, authentication resolution, or Electron shell policy change materially. @@ -151,6 +151,7 @@ New windows are **allowed** by design. Risk is **lower** than in a general-purpo ## Related documentation +- **[Threat model](./threat-model.md)** and **[Risk profile](./risk-profile.md)** - **[Compliance and standards](./compliance-and-standards.md)** - **[Operational hardening](./operational-hardening.md)** - **[Vulnerability reporting and artifacts](./vulnerability-reporting-and-artifacts.md)** 
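Review bot: AR-006 is cited twice in this patch but never defined in this register. `docs/agenstra/README.md` now advertises `Register AR-001 through AR-006` (previously AR-005), and `risk-profile.md` row R-AC-05 lists `**AR-006** for unfixed CVEs` as its treatment, yet the diffstat shows only 3 changed lines for `accepted-risks.md` and this hunk adds nothing but the cross-link line. Either add the AR-006 entry (acceptance date, owner, mitigations, next review, as the other rows have) in this patch, or, if it already exists on the target branch, say so in the commit message so the README count and the risk-register reference can be verified.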
diff --git a/docs/agenstra/security/compliance-and-standards.md b/docs/agenstra/security/compliance-and-standards.md index 3b59bef4..5431ebda 100644 --- a/docs/agenstra/security/compliance-and-standards.md +++ b/docs/agenstra/security/compliance-and-standards.md 
@@ -16,8 +16,8 @@ The following themes are recurring CRA expectations for **manufacturers** (exact | Theme | What the regulation generally expects | Role of this repository’s documentation | | --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| **Risk assessment** | Identify and assess cybersecurity risks in light of the product’s intended and reasonably foreseeable use; use the assessment in design, development, delivery, and maintenance. | **[Operational hardening](./operational-hardening.md)** and **[Architecture](../architecture/README.md)** describe trust boundaries and controls. **[Accepted risks](./accepted-risks.md)** records deliberate residual risk and compensating measures. | -| **Technical documentation** | Document the risk assessment and the means chosen to meet **essential cybersecurity requirements** (Annex I); keep it available for **market surveillance** authorities. | This security section, deployment and environment docs, and the risk register form the **public** technical narrative. Build pipelines and internal records may hold additional evidence. 
For **important products with digital elements** of class I that are **free and open-source software**, the CRA allows **self-assessment** only if **technical documentation is made available to the public**—this folder is part of that transparency intent. | +| **Risk assessment** | Identify and assess cybersecurity risks in light of the product’s intended and reasonably foreseeable use; use the assessment in design, development, delivery, and maintenance. | **[Threat model](./threat-model.md)** and **[Risk profile](./risk-profile.md)** (probability × impact scoring). **[Operational hardening](./operational-hardening.md)** and **[Architecture](../architecture/README.md)** describe controls. **[Accepted risks](./accepted-risks.md)** records deliberate residual risk. | +| **Technical documentation** | Document the risk assessment and the means chosen to meet **essential cybersecurity requirements** (Annex I); keep it available for **market surveillance** authorities. | This security section (including threat model and risk profile), deployment and environment docs, and the accepted-risk register form the **public** technical narrative. Build pipelines and internal records may hold additional evidence. For **important products with digital elements** of class I that are **free and open-source software**, the CRA allows **self-assessment** only if **technical documentation is made available to the public**—this folder is part of that transparency intent. | | **Secure by design and default** | Implement Annex I requirements (e.g. no known exploitable vulnerabilities in the default configuration where feasible, hardening, confidentiality and integrity of data, limited attack surface). 
| **[Operational hardening](./operational-hardening.md)**, **[Container image security](./container-images.md)**, **[Production checklist](../deployment/production-checklist.md)**, and **[Environment configuration](../deployment/environment-configuration.md)** describe production-oriented controls and safe defaults where the product enforces them. | | **Vulnerability handling** | Establish processes to identify and remediate vulnerabilities **without undue delay**; supply **security updates**; in scope cases, **report** actively exploited vulnerabilities and severe incidents via the CRA reporting framework. | **[Vulnerability reporting and artifacts](./vulnerability-reporting-and-artifacts.md)** describes coordinated disclosure, supported versions, and response commitments. | | **Information for the user (Annex II)** | Provide instructions and information so users can **install, operate, and maintain** the product securely; include **support period** end date (month and year) where the regulation requires it for the economic operator placing the product on the market. | **[Getting started](../getting-started.md)**, **[Deployment](../deployment/README.md)**, **[Environment configuration](../deployment/environment-configuration.md)**, and **[Vulnerability reporting and artifacts](./vulnerability-reporting-and-artifacts.md)** (supported versions) support operator understanding. **Support period** for a **commercial** placement must be stated by the **manufacturer** or their documentation at the point of supply; this open documentation describes community-oriented support expectations in **[Vulnerability reporting and artifacts](./vulnerability-reporting-and-artifacts.md#supported-versions-and-security-updates)**. | 
@@ -35,12 +35,12 @@ The CRA **entered into force** on 10 December 2024. **Full application** of many BSI methodology and training material stress **consistent, traceable** documentation across the security process. Themes that map well to public product documentation include: -| Theme | Typical expectation | How Agenstra documentation supports it | -| --------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| **Security concept and scope** | Describe the target of protection, boundaries, and roles. | **[System overview](../architecture/system-overview.md)**, **[Components](../architecture/components.md)**, **[Data flow](../architecture/data-flow.md)**. | -| **Protection needs and risk treatment** | Classify protection needs; treat risks (mitigate, transfer, avoid, **accept**) with rationale and owners. | **[Accepted risks](./accepted-risks.md)** gives **explicit acceptance**, **owners**, **dates**, **review cadence**, and **compensating controls** in a register form familiar to ISMS practice. | -| **Requirement fulfillment** | In check-based workflows, record fulfillment (e.g. fulfilled / partially / not fulfilled / not applicable) and **justify** deviations; plan remediation where needed. | Accepted-risk entries document **deviations** from stricter baselines with **mitigations** and **review** dates. **[Operational hardening](./operational-hardening.md)** states implemented controls. | -| **Operational measures** | Logging, configuration management, incident handling, and supplier relationships. 
| **[Operational hardening](./operational-hardening.md)**, **[Vulnerability reporting and artifacts](./vulnerability-reporting-and-artifacts.md)**, deployment guides. | +| Theme | Typical expectation | How Agenstra documentation supports it | +| --------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| **Security concept and scope** | Describe the target of protection, boundaries, and roles. | **[System overview](../architecture/system-overview.md)**, **[Components](../architecture/components.md)**, **[Data flow](../architecture/data-flow.md)**. | +| **Protection needs and risk treatment** | Classify protection needs; treat risks (mitigate, transfer, avoid, **accept**) with rationale and owners. | **[Risk profile](./risk-profile.md)** scores risks per service; **[Accepted risks](./accepted-risks.md)** gives **explicit acceptance**, **owners**, **dates**, **review cadence**, and **compensating controls**. | +| **Requirement fulfillment** | In check-based workflows, record fulfillment (e.g. fulfilled / partially / not fulfilled / not applicable) and **justify** deviations; plan remediation where needed. | Accepted-risk entries document **deviations** from stricter baselines with **mitigations** and **review** dates. **[Operational hardening](./operational-hardening.md)** states implemented controls. | +| **Operational measures** | Logging, configuration management, incident handling, and supplier relationships. | **[Operational hardening](./operational-hardening.md)**, **[Vulnerability reporting and artifacts](./vulnerability-reporting-and-artifacts.md)**, deployment guides. 
| Formal IT-Grundschutz certification or **ISMS** certification requires **organizational** processes and often **German-language** artifacts; this English **open** documentation is aimed at **global** transparency and **supplier** due diligence, not at replacing BSI audit evidence. @@ -51,13 +51,15 @@ Understanding where data and credentials move supports both CRA-style technical 1. **Browser / Electron** to **Express frontend** to **backend APIs** (`/api`). 2. **Browser** to **Agent Controller WebSocket** to **remote agent-manager WebSocket** (`/agents`) using **client-stored** credentials toward the remote host (not the end-user’s controller JWT merged into HTTP proxy headers for those paths). 3. **Controller** to **customer `client.endpoint`** (SSRF and misconfiguration risk; mitigated by allowlists, TLS policy, DNS checks). -4. **Provisioning** to **cloud APIs and SSH** to new hosts (see **AR-001** in **[Accepted risks](./accepted-risks.md)**). +4. **Controller and billing-manager** to **cloud APIs, SSH, and cloud-init** on new hosts (see **AR-001** in **[Accepted risks](./accepted-risks.md)**; boundary **B4** in **[Threat model](./threat-model.md)**). 5. **Agent Manager** to **Docker / containers** (execution and file operations; non-root `agenstra` user, bind mounts under `/opt/agents`, restricted `sudo`). -Detail: **[Container image security](./container-images.md)**, **[Operational hardening](./operational-hardening.md)**. +Detail: **[Threat model](./threat-model.md)** (diagram and per-service tables), **[Container image security](./container-images.md)**, **[Operational hardening](./operational-hardening.md)**. ## Related documentation +- **[Threat model](./threat-model.md)** +- **[Risk profile](./risk-profile.md)** - **[Accepted risks](./accepted-risks.md)** - **[Operational hardening](./operational-hardening.md)** - **[Container image security](./container-images.md)** 
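Review bot: the BSI table rewrite is almost entirely column re-padding: only the `Protection needs and risk treatment` row changes meaning (the added Risk profile pointer), but the header, separator, and the three other rows are removed and re-added with wider cells, which makes `git blame` and future reviews of this table noisier than needed. Prefer editing the one row, or land the reformat as a separate whitespace-only commit. One content question on data-flow item 4: the old line named `Provisioning` as the subject, the new one names `Controller and billing-manager` talking `cloud APIs, SSH, and cloud-init`. Please confirm the controller itself opens SSH or cloud-init channels to new hosts; if only billing-manager does, keep the narrower subject so this list agrees with boundary B4 in `threat-model.md`, which the same sentence cites.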
diff --git a/docs/agenstra/security/risk-profile.md b/docs/agenstra/security/risk-profile.md new file mode 100644 index 00000000..ce9a8f25 --- /dev/null +++ b/docs/agenstra/security/risk-profile.md 
@@ -0,0 +1,229 @@ +# Risk profile + +This register scores cybersecurity risks for **monorepo applications** (`apps/*`) and **cross-cutting** concerns. It supports **BSI / ISMS-style** traceability and **CRA-oriented** technical documentation ([Compliance and standards](./compliance-and-standards.md)). Threats are defined in **[Threat model](./threat-model.md)**. Treatment is **Mitigate** (controls listed), **Accept** (see **[Accepted risks](./accepted-risks.md)**), or **Monitor** (operator/deployer). + +**Review cadence:** service rows use last reviewed **2026-05-20** and next review **2027-05-06** unless a row or linked **AR-** entry states otherwise; trigger an early review when scores, architecture, or an accepted-risk entry changes materially. + +--- + +## Scoring methodology + +Each risk uses two dimensions. Levels are **LOW**, **MEDIUM**, **HIGH**, or **CRITICAL** (ordinal, not CVSS). + +### Probability (P) + +Likelihood the threat materializes in **intended or reasonably foreseeable** deployment without additional compensating controls. + +| Level | Numeric | Meaning | +| -------- | ------- | -------------------------------------------------------- | +| LOW | 1 | Unlikely in typical hardened production | +| MEDIUM | 2 | Possible with common misconfiguration or targeted attack | +| HIGH | 3 | Likely without documented compensating controls | +| CRITICAL | 4 | Expected in default or widely deployed weak posture | + +### Impact (I) + +Effect on **confidentiality, integrity, or availability** of the product or customer data (worst reasonable case). 
+ +| Level | Numeric | Meaning | +| -------- | ------- | ----------------------------------------------------------------------------- | +| LOW | 1 | Limited annoyance or single-user scope | +| MEDIUM | 2 | Data exposure or service degradation for one tenant/workspace | +| HIGH | 3 | Multi-tenant or control-plane compromise | +| CRITICAL | 4 | Full infrastructure takeover, widespread data breach, or safety-relevant harm | + +### Accumulated score and overall severity + +**Accumulated score** = **Pnumeric × Inumeric** (range **1–16**). + +| Accumulated score | Overall severity | +| ----------------- | ---------------- | +| 1–2 | **LOW** | +| 3–6 | **MEDIUM** | +| 8–9 | **HIGH** | +| 10–16 | **CRITICAL** | + +Scores **7** map to **HIGH** (upper MEDIUM band). Document both **P**, **I**, and **accumulated** values for audit traceability. + +**Example:** P = HIGH (3), I = CRITICAL (4) → accumulated **12** → overall **CRITICAL**. + +--- + +## Service risk summary + +| Service | Highest open severity | Primary drivers | Last reviewed | Next review date | +| ----------------------------------- | --------------------- | ------------------------------------------------------------------------------------- | -------------- | ---------------- | +| `backend-agent-controller` | **CRITICAL** | SSRF when allowlists weak (R-AC-01; mitigated if `CLIENT_ENDPOINT_ALLOWED_HOSTS` set) | **2026-05-20** | **2027-05-06** | +| `backend-agent-manager` | **HIGH** | Docker socket abuse (R-AM-01) | **2026-05-20** | **2027-05-06** | +| `frontend-agent-console` | **MEDIUM** | XSS under weak CSP (R-FE-01, **AR-003**) | **2026-05-20** | **2027-05-06** | +| `backend-billing-manager` | **HIGH** | Provisioning root SSH (R-BM-01, **AR-001**) | **2026-05-20** | **2027-05-06** | +| `native-agent-console` | **MEDIUM** | Unsigned updates / pop-ups (R-NA-01, **AR-002**, **AR-005**) | **2026-05-20** | **2027-05-06** | +| `frontend-billing-console` | **LOW** | Billing data exposure (R-BC-01) | **2026-05-20** 
| **2027-05-06** | +| `mcp-proxy` | **MEDIUM** | Over-privileged MCP bridge (R-MCP-01) | **2026-05-20** | **2027-05-06** | +| `frontend-portal` / `frontend-docs` | **LOW** | Static content tampering (R-PO-01) | **2026-05-20** | **2027-05-06** | +| `platform-authentication` | **MEDIUM** | Dev IdP defaults (R-PA-01) | **2026-05-20** | **2027-05-06** | +| `mcp-devkit` | **LOW** | Dev-only misuse (R-MCP-02) | **2026-05-20** | **2027-05-06** | + +--- + +## `backend-agent-controller` + +| Field | Recorded value | +| ------------------------- | ---------------------- | +| **Highest open severity** | **CRITICAL** (R-AC-01) | +| **Last reviewed** | **2026-05-20** | +| **Next review date** | **2027-05-06** | + +| Risk ID | Threat ref | Description | P | I | Accumulated | Overall | Treatment | +| ------- | ---------- | ----------------------------------------------------------------------------------- | ---------- | ------------ | ----------- | ------------ | --------------------------------------------------------------------------------------------------------------- | +| R-AC-01 | T-AC-03 | SSRF or DNS rebinding via misconfigured `client.endpoint` reaches internal services | HIGH (3) | CRITICAL (4) | 12 | **CRITICAL** | Mitigate: `CLIENT_ENDPOINT_*` allowlists, TLS, DNS checks — [Operational hardening](./operational-hardening.md) | +| R-AC-02 | T-AC-04 | Credential confusion on HTTP proxy leaks user token to remote manager | LOW (1) | HIGH (3) | 3 | **MEDIUM** | Mitigate: header stripping (implemented) | +| R-AC-03 | T-AC-01 | Compromise of `STATIC_API_KEY` grants full API access | MEDIUM (2) | CRITICAL (4) | 8 | **HIGH** | Mitigate + **AR-004**; prefer Keycloak | +| R-AC-04 | T-AC-06 | Abuse of admin import/automation APIs | LOW (1) | HIGH (3) | 3 | **MEDIUM** | Mitigate: RBAC, admin routes | +| R-AC-05 | T-X-01 | Unpatched dependency in controller image | MEDIUM (2) | HIGH (3) | 6 | **MEDIUM** | Mitigate: Trivy, SBOM; **AR-006** for unfixed CVEs | + +**R-AC-01:** 
**CRITICAL** overall severity assumes **missing or over-broad** production **`CLIENT_ENDPOINT_ALLOWED_HOSTS`** (controller exits on startup if unset in production). Narrow allowlists, TLS verification, and DNS checks per [Operational hardening](./operational-hardening.md) are the expected mitigation. + +--- + +## `backend-agent-manager` + +| Field | Recorded value | +| ------------------------- | ------------------ | +| **Highest open severity** | **HIGH** (R-AM-01) | +| **Last reviewed** | **2026-05-20** | +| **Next review date** | **2027-05-06** | + +| Risk ID | Threat ref | Description | P | I | Accumulated | Overall | Treatment | +| ------- | ---------- | ----------------------------------------------- | ---------- | ------------ | ----------- | ---------- | --------------------------------------------------------- | +| R-AM-01 | T-AM-03 | Compromised API + Docker socket → host takeover | MEDIUM (2) | CRITICAL (4) | 8 | **HIGH** | Mitigate: non-root, restricted sudo, network segmentation | +| R-AM-02 | T-AM-04 | Container escape from agent workspace | LOW (1) | CRITICAL (4) | 4 | **MEDIUM** | Mitigate: non-root `agenstra`, deployer seccomp/AppArmor | +| R-AM-03 | T-AM-06 | Leakage of Git credentials from worker home | MEDIUM (2) | HIGH (3) | 6 | **MEDIUM** | Mitigate: mount permissions, secret rotation | +| R-AM-04 | T-AM-07 | VNC/SSH brute force on exposed sidecars | MEDIUM (2) | MEDIUM (2) | 4 | **MEDIUM** | Mitigate: network ACLs, strong passwords | +| R-AM-05 | T-AM-01 | Stolen agent password → workspace access | MEDIUM (2) | HIGH (3) | 6 | **MEDIUM** | Mitigate: TLS, credential storage on controller | + +--- + +## `frontend-agent-console` (shared patterns for `frontend-*`) + +| Field | Recorded value | +| ------------------------- | -------------------------------- | +| **Highest open severity** | **MEDIUM** (R-FE-01; **AR-003**) | +| **Last reviewed** | **2026-05-20** | +| **Next review date** | **2027-05-06** | + +| Risk ID | Threat ref | Description | P 
| I | Accumulated | Overall | Treatment | +| ------- | ---------- | -------------------------------------------- | ---------- | -------- | ----------- | ---------- | ----------------------------------------------------------- | +| R-FE-01 | T-FE-04 | XSS with report-only CSP exfiltrates session | MEDIUM (2) | HIGH (3) | 6 | **MEDIUM** | Accept **AR-003**; mitigate: `CSP_ENFORCE`, patching, HTTPS | +| R-FE-02 | T-FE-02 | Malicious remote `CONFIG` redirects users | LOW (1) | HIGH (3) | 3 | **MEDIUM** | Mitigate: `CONFIG_ALLOWED_HOSTS`, HTTPS | +| R-FE-03 | T-FE-01 | Token theft from browser | MEDIUM (2) | HIGH (3) | 6 | **MEDIUM** | Mitigate: OIDC, secure cookies, short sessions | + +--- + +## `backend-billing-manager` / `frontend-billing-console` + +| Field | Recorded value | +| ------------------------- | ------------------------------ | +| **Highest open severity** | **HIGH** (R-BM-01; **AR-001**) | +| **Last reviewed** | **2026-05-20** | +| **Next review date** | **2027-05-06** | + +| Risk ID | Threat ref | Description | P | I | Accumulated | Overall | Treatment | +| ------- | ---------- | ------------------------------------------------- | ---------- | ------------ | ----------- | ---------- | ------------------------------------------------------ | +| R-BM-01 | T-BM-02 | Provisioning key leak → **root** on new cloud VMs | MEDIUM (2) | CRITICAL (4) | 8 | **HIGH** | Accept **AR-001**; mitigate: key rotation, SG/firewall | +| R-BM-02 | T-BM-01 | Cloud API token theft | LOW (1) | CRITICAL (4) | 4 | **MEDIUM** | Mitigate: vault, least-privilege cloud IAM | +| R-BC-01 | T-BC-01 | Unauthorized access to billing console | LOW (1) | MEDIUM (2) | 2 | **LOW** | Mitigate: authN/Z, private network | + +--- + +## `native-agent-console` + +| Field | Recorded value | +| ------------------------- | -------------------------------------------- | +| **Highest open severity** | **MEDIUM** (R-NA-01; **AR-002**, **AR-005**) | +| **Last reviewed** | **2026-05-20** | +| **Next review 
date** | **2027-05-06** | + +| Risk ID | Threat ref | Description | P | I | Accumulated | Overall | Treatment | +| ------- | ---------- | ----------------------------------------------- | ---------- | ---------- | ----------- | ---------- | --------------------------------------------- | +| R-NA-01 | T-NA-01 | Trojan installer without signature verification | MEDIUM (2) | HIGH (3) | 6 | **MEDIUM** | Accept **AR-002**; mitigate: SHA256 manifests | +| R-NA-02 | T-NA-02 | Phishing via allowed `window.open` | LOW (1) | MEDIUM (2) | 2 | **LOW** | Accept **AR-005** | + +--- + +## `frontend-portal` / `frontend-docs` + +| Field | Recorded value | +| ------------------------- | ----------------- | +| **Highest open severity** | **LOW** (R-PO-01) | +| **Last reviewed** | **2026-05-20** | +| **Next review date** | **2027-05-06** | + +| Risk ID | Threat ref | Description | P | I | Accumulated | Overall | Treatment | +| ------- | ---------- | ---------------------------------------------------- | ------- | ---------- | ----------- | ------- | ------------------------------------------- | +| R-PO-01 | T-PO-01 | Compromised CI or CDN serves malicious static assets | LOW (1) | MEDIUM (2) | 2 | **LOW** | Mitigate: signed releases, hosting controls | + +--- + +## `mcp-proxy` / `mcp-devkit` + +| Field | Recorded value | +| ------------------------- | --------------------- | +| **Highest open severity** | **MEDIUM** (R-MCP-01) | +| **Last reviewed** | **2026-05-20** | +| **Next review date** | **2027-05-06** | + +| Risk ID | Threat ref | Description | P | I | Accumulated | Overall | Treatment | +| -------- | ---------- | ------------------------------------------------ | ---------- | -------- | ----------- | ---------- | ---------------------------------------------- | +| R-MCP-01 | T-MCP-01 | MCP client drives manager APIs with stolen creds | MEDIUM (2) | HIGH (3) | 6 | **MEDIUM** | Mitigate: bind localhost, same auth as manager | +| R-MCP-02 | T-MCP-02 | Devkit misconfiguration in 
CI | LOW (1) | LOW (1) | 1 | **LOW** | Avoid production deployment | + +--- + +## `platform-authentication` + +| Field | Recorded value | +| ------------------------- | -------------------- | +| **Highest open severity** | **MEDIUM** (R-PA-01) | +| **Last reviewed** | **2026-05-20** | +| **Next review date** | **2027-05-06** | + +| Risk ID | Threat ref | Description | P | I | Accumulated | Overall | Treatment | +| ------- | ---------- | -------------------------------------------------------- | ------- | -------- | ----------- | ---------- | ------------------------------------------------- | +| R-PA-01 | T-PA-01 | Default Keycloak credentials in dev compose used in prod | LOW (1) | HIGH (3) | 3 | **MEDIUM** | Mitigate: production IdP only; document dev scope | + +--- + +## Cross-cutting risks + +| Field | Recorded value | +| ------------------------- | ----------------------------- | +| **Highest open severity** | **HIGH** (R-X-01; **AR-006**) | +| **Last reviewed** | **2026-05-20** | +| **Next review date** | **2027-05-06** | + +| Risk ID | Threat ref | Description | P | I | Accumulated | Overall | Treatment | +| ------- | ---------- | --------------------------------------------- | -------- | ------------ | ----------- | ---------- | ----------------------------------------------------------------------- | +| R-X-01 | T-X-01 | Critical CVE in dependency without vendor fix | HIGH (3) | HIGH (3) | 9 | **HIGH** | Accept **AR-006**; monitor SARIF/SBOM | +| R-X-02 | T-X-02 | Cleartext HTTP/WSS in production | LOW (1) | HIGH (3) | 3 | **MEDIUM** | Mitigate: [Production checklist](../deployment/production-checklist.md) | +| R-X-03 | T-X-03 | PostgreSQL credential leak | LOW (1) | CRITICAL (4) | 4 | **MEDIUM** | Mitigate: secrets management, network isolation | +| R-X-04 | T-X-04 | Malicious insider uses admin APIs | LOW (1) | CRITICAL (4) | 4 | **MEDIUM** | Mitigate: RBAC, audit logs, least privilege | + +--- + +## Risk treatment and traceability + +| Overall severity 
| Count (open, pre-acceptance) | Notes | +| ---------------- | ---------------------------- | ------------------------------------------------------------------------------------- | +| **CRITICAL** | 1 | R-AC-01 — if allowlists absent or `*`; mitigated when production hosts are restricted | +| **HIGH** | 4 | R-AC-03, R-AM-01, R-BM-01, R-X-01 | +| **MEDIUM** | 17 | Includes accepted-risk areas with compensating controls | +| **LOW** | 4 | R-BC-01, R-NA-02, R-MCP-02, R-PO-01 | + +Accepted risks **AR-001** through **AR-006** correspond to elevated scores that remain **documented** after compensating controls; they do not remove the need for deployer diligence. + +## Related documentation + +- **[Threat model](./threat-model.md)** +- **[Accepted risks](./accepted-risks.md)** +- **[Compliance and standards](./compliance-and-standards.md)** diff --git a/docs/agenstra/security/threat-model.md b/docs/agenstra/security/threat-model.md new file mode 100644 index 00000000..0376069b --- /dev/null +++ b/docs/agenstra/security/threat-model.md 
@@ -0,0 +1,229 @@ +# Threat model + +This model covers **deployable applications** in the Agenstra monorepo (`apps/*`). It supports **BSI / ISMS-style** traceability and **CRA-oriented** technical documentation ([Compliance and standards](./compliance-and-standards.md), Art. 13 and Annex I) using **trust boundaries**, **data-flow review**, and **STRIDE**-style categories. It is not a penetration-test report. Scored risks are in **[Risk profile](./risk-profile.md)**; deliberate residuals are in **[Accepted risks](./accepted-risks.md)**. + +**Review cadence:** service rows use last reviewed **2026-05-20** and next review **2027-05-06** unless a row states otherwise; trigger an early review if trust boundaries, authentication, proxy behavior, container layout, or an application’s exposure model changes materially. + +--- + +## Product scope and intended use + +**Intended use:** Operators run Agenstra to manage **remote agent-manager** instances, interact with **AI agents** in containers, edit workspace files, run Git operations, provision cloud hosts, and (where licensed) use billing and portal surfaces. + +**Reasonably foreseeable use:** Misconfigured `client.endpoint` or `CONFIG` URLs; shared `STATIC_API_KEY`; exposing manager Docker sockets to untrusted networks; using the desktop shell for general browsing; relying on report-only CSP in production without monitoring. 
+ +## Trust boundaries + +```mermaid +flowchart TB + subgraph external [External] + U[User browser / Electron] + IdP[Keycloak / customer IdP] + Cloud[Cloud APIs Hetzner DO] + RemoteAM[Customer agent-manager endpoints] + MCP[MCP clients / tools] + end + + subgraph tier_fe [Frontend tier] + FAC[frontend-agent-console] + FBC[frontend-billing-console] + FP[frontend-portal] + FD[frontend-docs] + NAC[native-agent-console] + end + + subgraph tier_ctrl [Controller tier] + BAC[backend-agent-controller] + DB1[(PostgreSQL)] + end + + subgraph tier_mgr [Manager tier] + BAM[backend-agent-manager] + DB2[(PostgreSQL)] + DK[Docker / agent containers] + end + + subgraph tier_bill [Billing / platform] + BBM[backend-billing-manager] + PA[platform-authentication Keycloak compose] + end + + subgraph tier_mcp [MCP tooling] + MCPP[mcp-proxy] + end + + U --> FAC + U --> FBC + U --> FP + U --> NAC + FAC --> BAC + FBC --> BBM + BAC --> DB1 + BAC -->|"HTTP/WS via stored client.endpoint"| RemoteAM + BAC --> Cloud + BAC --> IdP + BAM --> DB2 + BAM --> DK + RemoteAM -.-> BAM + BBM --> Cloud + MCP --> MCPP + MCPP --> BAM + FAC --> IdP + PA --> IdP +``` + +The controller reaches an agent-manager (**BAM** or another host) only through each client’s stored **`client.endpoint`** (**RemoteAM**). The dotted edge means that URL often resolves to a manager instance; it is not a separate bypass of **B3**. 
+ +| Boundary | Crosses | Primary assets | +| -------- | ------------------------------------------------------------------------------------------ | -------------------------------------------------------- | +| B1 | Internet → frontend Express/Angular | Session tokens, runtime config, CSP surface | +| B2 | Frontend → controller API/WS | User auth, client IDs, ticket data | +| B3 | Controller → customer `client.endpoint` | Stored client credentials, SSRF target | +| B4 | Controller and **billing-manager** → cloud provisioning APIs (SSH, cloud-init; **AR-001**) | API tokens, SSH keys, user-data | +| B5 | Controller/manager → PostgreSQL | Clients, agents, credentials, tickets | +| B6 | Manager → Docker socket | Container lifecycle, host filesystem under `/opt/agents` | +| B7 | Manager → agent containers | Workspace files, Git creds, agent passwords, VNC/SSH | +| B8 | MCP client → mcp-proxy → manager | Tool invocation, agent APIs | +| B9 | Desktop shell → same as browser | Local storage, `window.open`, no code signing (AR-002) | + +Detail: [System overview](../architecture/system-overview.md), [Data flow](../architecture/data-flow.md), [Compliance — trust boundaries](./compliance-and-standards.md#trust-boundaries-summary). 
+ +## Threat actors + +| Actor | Capability | Typical goal | +| ----------------------------- | -------------------------------- | ----------------------------------------------------------- | +| **Anonymous remote** | Network access to exposed APIs | Probe auth, abuse rate limits, fuzz endpoints | +| **Authenticated user** | Valid portal/console session | Escalate to other clients/agents, exfiltrate workspace data | +| **Compromised browser** | XSS, malicious extension (web) | Steal tokens, drive API calls, WebSocket abuse | +| **Compromised controller** | DB + outbound proxy | Pivot to all connected managers, SSRF internal networks | +| **Compromised manager** | Docker socket | Escape to host, mine crypto, lateral movement | +| **Malicious agent/container** | Code in workspace | Steal mounted secrets, attack manager API | +| **Cloud / supply chain** | Weak cloud-init, image tampering | Host takeover, credential theft | +| **Insider operator** | Admin APIs, env secrets | Data theft, disable controls | + +## Service inventory + +| Application | Role | Default exposure | Last reviewed | Next review date | +| -------------------------- | ------------------------------------ | --------------------------- | -------------- | ---------------- | +| `frontend-agent-console` | Primary web IDE / chat | Public HTTPS | **2026-05-20** | **2027-05-06** | +| `backend-agent-controller` | Control plane, proxy, provisioning | Internal or public API | **2026-05-20** | **2027-05-06** | +| `backend-agent-manager` | Agents, Docker, WebSocket | Customer network / internal | **2026-05-20** | **2027-05-06** | +| `frontend-billing-console` | Billing UI | Restricted / admin | **2026-05-20** | **2027-05-06** | +| `backend-billing-manager` | Billing, provisioning templates | Restricted / admin | **2026-05-20** | **2027-05-06** | +| `frontend-portal` | Marketing / landing | Public static | **2026-05-20** | **2027-05-06** | +| `frontend-docs` | Documentation site | Public static | **2026-05-20** 
| **2027-05-06** | +| `native-agent-console` | Electron wrapper | User desktop | **2026-05-20** | **2027-05-06** | +| `mcp-proxy` | MCP bridge to manager APIs | Local or trusted network | **2026-05-20** | **2027-05-06** | +| `mcp-devkit` | MCP development utilities | Dev machines only | **2026-05-20** | **2027-05-06** | +| `platform-authentication` | Keycloak docker-compose for dev/demo | Local / private network | **2026-05-20** | **2027-05-06** | + +Worker, VNC, and SSH **images** are not separate Node apps but are in scope as **manager-spawned** attack surfaces (boundary B7). Review dates for those images follow **`backend-agent-manager`** unless spawn logic or sidecar images change materially. + +--- + +## `frontend-agent-console` (and shared `frontend-*` Express) + +| ID | STRIDE | Threat | Mitigation / note | +| ------- | ---------------------- | ----------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | +| T-FE-01 | Spoofing | Stolen session or API key reused from browser storage | HTTPS, HttpOnly cookies where used, Keycloak/OIDC; see [Authentication](../features/authentication.md) | +| T-FE-02 | Tampering | Malicious runtime `CONFIG` JSON alters API endpoints | `CONFIG_*` allowlists, HTTPS, DNS checks — [Operational hardening](./operational-hardening.md#frontend-runtime-configuration-get-config) | +| T-FE-03 | Repudiation | Insufficient client-side logging of security events | Server-side access logs with correlation IDs on backends | +| T-FE-04 | Information disclosure | XSS exfiltrates tokens or workspace paths | CSP (report-only default); **AR-003**; Monaco requires `unsafe-eval` | +| T-FE-05 | Denial of service | Large payloads to Express static/API | Rate limits on backends; CDN/size limits for static | +| T-FE-06 | Elevation | Client-side route guard bypass only | Server-side authorization on all mutations | + +## 
`backend-agent-controller` + +| ID | STRIDE | Threat | Mitigation / note | +| ------- | ---------------------- | -------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | +| T-AC-01 | Spoofing | Weak or shared `STATIC_API_KEY` | Prefer Keycloak; rotate keys; **AR-004** | +| T-AC-02 | Tampering | Ticket/client record tampering via IDOR | Per-client permissions, repository checks | +| T-AC-03 | Information disclosure | SSRF via `client.endpoint` to internal services | Allowlists, TLS, DNS rebinding checks — [Operational hardening](./operational-hardening.md#agent-controller--remote-client-endpoints-ssrf) | +| T-AC-04 | Information disclosure | User JWT forwarded to remote manager on HTTP proxy | Stripped proxy headers; separate client credentials — [Operational hardening](./operational-hardening.md#http-proxy-to-remote-agent-manager--headers) | +| T-AC-05 | Denial of service | WebSocket fan-out exhaustion | Rate limits; connection management | +| T-AC-06 | Elevation | Admin automation/import APIs abused | Role guards; admin-only routes | +| T-AC-07 | Information disclosure | Logs leak secrets | `redactSecretsInString`, `redactSensitive` | + +## `backend-agent-manager` + +| ID | STRIDE | Threat | Mitigation / note | +| ------- | ---------------------- | ------------------------------------------- | --------------------------------------------------------------------------------------------------- | +| T-AM-01 | Spoofing | Agent login with stolen password/API key | Per-agent credentials; WebSocket auth | +| T-AM-02 | Tampering | Arbitrary file write in container workspace | Path validation; container isolation | +| T-AM-03 | Information disclosure | Docker socket abuse from compromised API | Non-root `agenstra`, restricted `sudo`, socket GID sync — [Container images](./container-images.md) | +| T-AM-04 | Elevation | 
Container escape to host | Non-root user, minimal caps; deployer hardening | +| T-AM-05 | Denial of service | Runaway containers / log streams | Resource limits (deployer); manager controls | +| T-AM-06 | Information disclosure | Git credentials in worker `$HOME` | Credentials under `/home/agenstra`; host mount permissions | +| T-AM-07 | Spoofing | VNC/SSH sidecar password guessing | Runtime passwords; network isolation | + +## `backend-billing-manager` / `frontend-billing-console` + +| ID | STRIDE | Threat | Mitigation / note | +| ------- | ---------------------- | -------------------------------------------------- | --------------------------------------------------- | +| T-BM-01 | Information disclosure | Cloud provider API keys in env | Secrets via env/vault; not in images | +| T-BM-02 | Elevation | Provisioning scripts yield **root SSH** on new VMs | **AR-001**; key-only SSH; deployer network controls | +| T-BM-03 | Tampering | Billing or subscription data altered | DB authz; admin-only surfaces | +| T-BC-01 | Information disclosure | Billing UI exposes PII | AuthN/Z on billing routes; HTTPS | + +## `frontend-portal` / `frontend-docs` + +| ID | STRIDE | Threat | Mitigation / note | +| ------- | ---------------------- | ----------------------------------- | -------------------------------------------------- | +| T-PO-01 | Tampering | Static site supply-chain defacement | Build integrity, hosting controls | +| T-PO-02 | Information disclosure | Form or analytics data leakage | Minimal collection; cookie consent util where used | + +## `native-agent-console` + +| ID | STRIDE | Threat | Mitigation / note | +| ------- | ---------------------- | ----------------------------------------------- | ------------------------------------------------------- | +| T-NA-01 | Spoofing | Unsigned binary substituted in download | **AR-002**; SHA256 manifests | +| T-NA-02 | Elevation | `window.open` opens attacker-controlled content | **AR-005**; sandbox, contextIsolation | +| 
T-NA-03 | Information disclosure | Local Electron storage read by malware | OS disk encryption; prefer web client for untrusted use | + +## `mcp-proxy` / `mcp-devkit` + +| ID | STRIDE | Threat | Mitigation / note | +| -------- | --------- | -------------------------------------------------- | ------------------------------------------------------------ | +| T-MCP-01 | Elevation | MCP tool invokes manager APIs with excessive scope | Bind to localhost; same auth as manager; dev-only for devkit | +| T-MCP-02 | Tampering | Malicious MCP server configuration | Operator-controlled config only | + +## `platform-authentication` + +| ID | STRIDE | Threat | Mitigation / note | +| ------- | ---------------------- | ------------------------------------------------- | ------------------------------------------------ | +| T-PA-01 | Spoofing | Default Keycloak admin credentials in dev compose | Not for production; production uses customer IdP | +| T-PA-02 | Information disclosure | IdP misconfiguration exposes realms | Harden Keycloak per vendor guidance | + +--- + +## Cross-cutting threats + +| Field | Recorded value | +| -------------------- | --------------------------------------- | +| **Scope** | All deployables and shared dependencies | +| **Last reviewed** | **2026-05-20** | +| **Next review date** | **2027-05-06** | + +| ID | Threat | Affected services | Controls | +| ------ | ------------------------------ | ------------------- | --------------------------------------- | +| T-X-01 | Dependency CVE | All | Trivy CI, SBOM, **AR-006** | +| T-X-02 | Weak TLS or HTTP in production | All public tiers | Enforce HTTPS/WSS; production checklist | +| T-X-03 | Database credential leak | Backends | Env secrets; least-privilege DB users | +| T-X-04 | Insider admin abuse | Controller, billing | RBAC, audit features, logging | + +## Mitigation summary map + +| Control area | Documentation | +| ------------------------------ | 
---------------------------------------------------------------------------------------------------------------------------- | +| Authentication / authorization | [Authentication](../features/authentication.md), [Operational hardening](./operational-hardening.md) | +| SSRF / config fetch | [Operational hardening](./operational-hardening.md), [Environment configuration](../deployment/environment-configuration.md) | +| Containers | [Container images](./container-images.md), [Docker deployment](../deployment/docker-deployment.md) | +| Vulnerabilities | [Vulnerability reporting](./vulnerability-reporting-and-artifacts.md), [CI scanning](./ci-security-scanning.md) | +| Accepted residuals | [Accepted risks](./accepted-risks.md) | + +## Related documentation + +- **[Risk profile](./risk-profile.md)** +- **[Accepted risks](./accepted-risks.md)** +- **[Compliance and standards](./compliance-and-standards.md)** +- **[Architecture components](../architecture/components.md)**
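Review bot: in `docs/agenstra/security/risk-profile.md`, the overall-severity bands (1–2 LOW, 3–6 MEDIUM, 8–9 HIGH, 10–16 CRITICAL) leave 7 unassigned, and the follow-up sentence "Scores **7** map to **HIGH** (upper MEDIUM band)" names two different bands for it; since P × I with values 1–4 can only produce 1, 2, 3, 4, 6, 8, 9, 12 or 16, drop that sentence and make the bands contiguous (e.g. `3–7` MEDIUM, `8–9` HIGH) so any product maps without a special case. Same file, the R-AC-01 note says the controller "exits on startup if unset in production", so the open CRITICAL case is an over-broad allowlist such as `*`, not an absent one; align the summary row ("mitigated if `CLIENT_ENDPOINT_ALLOWED_HOSTS` set") and the treatment-count row ("if allowlists absent or `*`") with that. Also R-X-02 reads "Cleartext HTTP/WSS in production", but WSS is the TLS-protected variant, so it should be HTTP/WS to match T-X-02 "Weak TLS or HTTP in production"; and "Document both **P**, **I**, and **accumulated**" lists three items, so "both" should be "all three" or dropped.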
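Review bot: in `docs/agenstra/security/threat-model.md`, T-AM-03 ("Docker socket abuse from compromised API") is filed under STRIDE "Information disclosure", yet the risk profile scores the same threat as R-AM-01 "host takeover" with CRITICAL impact; classify it as Elevation of privilege (T-AM-04 container escape already is) so the category matches the impact used for scoring. In the mermaid diagram, `PA --> IdP` draws the Keycloak compose pointing at the "Keycloak / customer IdP" node even though PA is the dev Keycloak itself; either label the edge (e.g. "dev/demo stand-in") or place PA in the External subgraph as an alternative IdP, and consider annotating the B1–B9 boundary IDs on the corresponding edges so the boundary table and the diagram can be cross-read. The "Review cadence" paragraph gives only the two dates; stating the interval (2026-05-20 to 2027-05-06 is short of a year, so say whether annual is intended) would let a reviewer derive the next date when a row is updated.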