Skip to content

Latest commit

 

History

History
3089 lines (2468 loc) · 204 KB

File metadata and controls

3089 lines (2468 loc) · 204 KB

Hack23 Logo

🎯 EU Parliament Monitor — Threat Model

🛡️ Proactive Security Through Structured Threat Analysis
🔍 STRIDE • MITRE ATT&CK • European Parliament Architecture • Democratic Transparency

Owner Version Effective Date Review Cycle OpenSSF Best Practices

📋 Document Owner: CEO | 📄 Version: 2.5 | 📅 Last Updated: 2026-06-02 (UTC)
🔄 Review Cycle: Quarterly | ⏰ Next Review: 2026-09-02
🏷️ Classification: Public (Open Source European Parliament Monitoring Platform)


📚 Architecture Documentation Map

Document Focus Description Documentation Link
Architecture 🏛️ Architecture C4 model showing current system structure View Source
Future Architecture 🏛️ Architecture C4 model showing future system structure View Source
Mindmaps 🧠 Concept Current system component relationships View Source
Future Mindmaps 🧠 Concept Future capability evolution View Source
SWOT Analysis 💼 Business Current strategic assessment View Source
Future SWOT Analysis 💼 Business Future strategic opportunities View Source
Data Model 📊 Data Current data structures and relationships View Source
Future Data Model 📊 Data Enhanced European Parliament data architecture View Source
Flowcharts 🔄 Process Current data processing workflows View Source
Future Flowcharts 🔄 Process Enhanced AI-driven workflows View Source
State Diagrams 🔄 Behavior Current system state transitions View Source
Future State Diagrams 🔄 Behavior Enhanced adaptive state transitions View Source
Security Architecture 🛡️ Security Current security implementation View Source
Future Security Architecture 🛡️ Security Security enhancement roadmap View Source
Threat Model 🎯 Security STRIDE threat analysis View Source
Classification 🏷️ Governance CIA classification & BCP View Source
CRA Assessment 🛡️ Compliance Cyber Resilience Act View Source
Workflows ⚙️ DevOps CI/CD documentation View Source
Future Workflows 🚀 DevOps Planned CI/CD enhancements View Source
Business Continuity Plan 🔄 Resilience Recovery planning View Source
Financial Security Plan 💰 Financial Cost & security analysis View Source
End-of-Life Strategy 📦 Lifecycle Technology EOL planning View Source
Unit Test Plan 🧪 Testing Unit testing strategy View Source
E2E Test Plan 🔍 Testing End-to-end testing View Source
Performance Testing ⚡ Performance Performance benchmarks View Source
Security Policy 🔒 Security Vulnerability reporting & security policy View Source

🎯 Purpose & Scope

Establish a comprehensive threat model for the EU Parliament Monitor multi-language transparency platform (European Parliament data, automated news generation, AWS S3 + CloudFront deployment). This systematic threat analysis integrates multiple threat modeling frameworks to ensure proactive security through structured analysis.

🌟 Transparency Commitment

This threat model demonstrates 🛡️ cybersecurity consulting expertise through public documentation of advanced threat assessment methodologies, showcasing our 🏆 competitive advantage via systematic risk management and 🤝 customer trust through transparent security practices.

— Based on Hack23 AB's commitment to security through transparency and excellence

📚 Framework Integration

  • 🎭 STRIDE per architecture element: Systematic threat categorization
  • 🎖️ MITRE ATT&CK mapping: Advanced threat intelligence integration
  • 🏗️ Asset-centric analysis: Critical resource protection focus
  • 🎯 Scenario-centric modeling: Real-world attack simulation
  • ⚖️ Risk-centric assessment: Business impact quantification

🏛️ NIST CSF 2.0 GV (Govern) Alignment: This threat model directly supports the GV.OC (Organizational Context) function by documenting how the EU Parliament Monitor's democratic transparency mission shapes risk tolerance, asset priorities, and threat actor motivations. The platform's public-interest mandate — providing open access to European Parliament activities — defines its unique threat landscape: integrity of parliamentary data is the primary security concern, not confidentiality. This GV.OC alignment drives the prioritization of Impact and Initial Access tactics in ATT&CK coverage, and informs the Low risk appetite for content manipulation threats across all 14 supported languages.

🎯 Multi-Strategy Threat Modeling Integration

Following Hack23 AB Multi-Strategy Approach:

mindmap
  root)🎯 EU Parliament Monitor<br/>Threat Modeling Strategies(
    (🎖️ Attacker-Centric)
      [MITRE ATT&CK Mapping]
      [Kill Chain Analysis]
      [Attack Trees]
      [Threat Agent Profiling]
    (🏗️ Asset-Centric)
      [Crown Jewel Analysis]
      [Asset Inventory]
      [Data Flow Threat Analysis]
      [EP Data Classification]
    (🏛️ Architecture-Centric)
      [STRIDE per Element]
      [Trust Boundaries]
      [DFD with Threat Annotations]
      [Defense-in-Depth Layers]
    (🎯 Scenario-Centric)
      [Misuse Cases]
      [What-If Analysis]
      [Persona-Based Threats]
      [Election Period Scenarios]
    (⚖️ Risk-Centric)
      [Quantitative Risk Assessment]
      [Business Impact Analysis]
      [Likelihood × Impact Matrix]
      [Risk Treatment Plans]
Loading

🔍 Scope Definition

Included Systems:

  • 🌐 Static HTML/CSS site (14 languages: en, sv, da, no, fi, de, fr, es, nl, ar, he, ja, ko, zh)
  • 🔄 News generation scripts (Node.js 26, European Parliament MCP integration)
  • 🤖 GitHub Actions CI/CD (daily automation, HTML validation, deployment)
  • 📄 AWS S3 + CloudFront hosting (primary static content delivery via OIDC deploy; GitHub Pages fallback mirror)
  • 🔌 European Parliament MCP Server integration (MEP data, committees, sessions)

Out of Scope:

  • Third-party downstream consumers of published open content (read-only usage)
  • External data source security (European Parliament official APIs)
  • GitHub infrastructure security (managed by GitHub)

🔗 Policy Alignment

Integrated with 🎯 Hack23 AB Threat Modeling Policy methodology and frameworks.


🌐 ENISA Threat Landscape 2024 Integration

Following Hack23 AB Threat Landscape Integration and aligned with ENISA Threat Landscape 2024:

📊 ENISA Priority Threat Mapping

# ENISA Priority Threat Relevance to EU Parliament Monitor Risk Level Key Mitigations ATT&CK Alignment
1 🔻 Ransomware Low — Static site architecture, no server-side persistence, no user data Low Static architecture, GitHub-managed infrastructure, no writable backend T1486
2 📡 Malware Low — No executable downloads, no user uploads, CDN-delivered static HTML Low CSP headers, Subresource Integrity, no dynamic content execution T1059
3 🎣 Social Engineering Medium — Contributor account targeting, maintainer impersonation Medium MFA enforcement, branch protection, required reviews, CODEOWNERS T1566
4 📊 Data Threats Medium — EP parliamentary data integrity, multi-language content accuracy Medium Schema validation, source verification, automated testing T1565
5 ⚡ Availability Threats Low — AWS CloudFront edge resilience, 24h RTO acceptable Low AWS CloudFront + S3 multi-AZ, static site caching, GitHub Pages fallback deployment T1499
6 📰 Information Manipulation High — Democratic transparency platform, political data integrity critical High Official EP API source, schema validation, multi-language consistency checks T1491
7 🔗 Supply Chain Attacks Medium — npm dependency chain, GitHub Actions supply chain Medium Minimal deps (0 prod), SHA-pinned actions, SBOM, Dependabot, package-lock T1195

🎯 ENISA Threat Relevance Assessment

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#e3f2fd',
      'primaryTextColor': '#0d47a1',
      'lineColor': '#1976d2'
    }
  }
}%%
quadrantChart
    title 🌐 ENISA 2024 Threat Relevance to EU Parliament Monitor
    x-axis Low Relevance --> High Relevance
    y-axis Low Impact --> High Impact
    quadrant-1 Monitor Closely
    quadrant-2 Critical Focus
    quadrant-3 Accept Risk
    quadrant-4 Active Mitigation

    "📰 Information Manipulation": [0.85, 0.80]
    "📊 Data Threats": [0.70, 0.65]
    "🔗 Supply Chain": [0.60, 0.70]
    "🎣 Social Engineering": [0.55, 0.55]
    "⚡ Availability": [0.40, 0.35]
    "📡 Malware": [0.25, 0.30]
    "🔻 Ransomware": [0.15, 0.25]
Loading

📌 Key Insight: Information Manipulation is the highest-relevance ENISA threat for the EU Parliament Monitor due to its democratic transparency mission. Data integrity attacks targeting parliamentary content across 14 languages represent the primary concern, outweighing traditional infrastructure threats that are mitigated by the static site architecture.


📊 System Classification & Operating Profile

🏷️ Security Classification Matrix

Dimension Level Rationale Business Impact
🔐 Confidentiality Low/Public European Parliament open data Trust Enhancement
🔒 Integrity Medium News accuracy critical for democratic transparency Operational Excellence
⚡ Availability Medium Daily updates expected, 24h outage acceptable Revenue Protection

⚖️ Regulatory & Compliance Profile

Compliance Area Classification Implementation Status
📋 Regulatory Exposure Low Mostly open data; no personal data collection
🇪🇺 GDPR Minimal No PII collection, HTTPS-only, data minimization
🇪🇺 NIS2 Directive Low baseline Risk management, incident handling procedures
🇪🇺 CRA (EU Cyber Resilience Act) Low baseline Non–safety-critical transparency platform; secure development controls
📊 SLA Targets (Internal) 99.5% AWS CloudFront + S3 infrastructure reliability
🔄 RPO / RTO RPO ≤ 24h / RTO ≤ 24h Acceptable for daily news updates

💎 Critical Assets & Protection Goals

🏗️ Asset-Centric Threat Analysis

Following Hack23 AB Asset-Centric Threat Modeling methodology:

Asset Category Why Valuable Threat Goals Key Controls Business Value
📰 News Content Integrity Democratic transparency trust Tampering, misinformation injection Schema validation, HTML validation, CSP Trust Enhancement
🧠 Source Code News generation algorithms, MCP integration IP theft, malicious injection Private repo controls, CodeQL SAST, Dependabot Competitive Advantage
🔄 EP MCP Data Pipeline Freshness & correctness of parliamentary data Poisoned input, data manipulation Input validation, schema checks, retry logic Operational Excellence
🌍 Multi-Language Content 14-language accessibility Mistranslation, cultural bias injection Language-specific validation, cultural review Customer Trust
🔑 Repository Access Deployment control Privilege escalation, unauthorized changes Branch protection, MFA, CODEOWNERS, required reviews Security Excellence
🤖 GitHub Actions Config CI/CD security baseline Supply chain manipulation, workflow tampering SHA-pinned actions, SBOM generation, provenance attestations Revenue Protection

🔐 Crown Jewel Analysis

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#e8f5e9',
      'primaryTextColor': '#2e7d32',
      'lineColor': '#4caf50',
      'secondaryColor': '#ffcdd2',
      'tertiaryColor': '#fff3e0'
    }
  }
}%%
flowchart TB
    subgraph CROWN_JEWELS["💎 Crown Jewels"]
        NEWS[📰 News Content Integrity<br/>14-Language Democratic Transparency]
        SOURCE[🧠 Source Code<br/>Generation Algorithms & MCP Client]
        PIPELINE[🔄 EP MCP Data Pipeline<br/>Parliamentary Data Accuracy]
    end

    subgraph ATTACK_VECTORS["⚔️ Primary Attack Vectors"]
        DATA_POISON[💉 EP Data Poisoning]
        CODE_INJECT[💻 XSS/Code Injection]
        SUPPLY_CHAIN[🔗 Supply Chain Attack]
        MULTI_LANG[🌍 Translation Manipulation]
    end

    subgraph THREAT_AGENTS["👥 Key Threat Agents"]
        NATION_STATE[🏛️ Nation-State Actors<br/>Political Interference]
        CYBER_CRIME[💰 Cybercriminals<br/>Reputation Damage]
        HACKTIVISTS[🎭 Hacktivists<br/>Political Agenda]
        INSIDER[👤 Malicious Insider<br/>Privileged Access]
    end

    DATA_POISON --> NEWS
    CODE_INJECT --> NEWS
    SUPPLY_CHAIN --> SOURCE
    MULTI_LANG --> PIPELINE

    NATION_STATE --> DATA_POISON
    CYBER_CRIME --> CODE_INJECT
    HACKTIVISTS --> MULTI_LANG
    INSIDER --> SUPPLY_CHAIN

    style NEWS fill:#ffcdd2,stroke:#d32f2f,color:#000
    style SOURCE fill:#ffcdd2,stroke:#d32f2f,color:#000
    style PIPELINE fill:#ffcdd2,stroke:#d32f2f,color:#000
Loading

Executive Summary

This threat model provides a comprehensive security analysis of the EU Parliament Monitor system following the Hack23 ISMS Threat Modeling Policy. The analysis applies the STRIDE framework, integrates MITRE ATT&CK tactics and techniques, and provides risk-based prioritization aligned with the system's classification (CLASSIFICATION.md: Public/Medium/Medium).

📊 Key Findings

  • Total Threats Identified: 30 (T-001 to T-030)
  • Risk Distribution:
    • Critical: 0
    • High: 1 (T-029 — shell expansion injection, P1)
    • Medium: 4 (T-003, T-007, T-013 P1; T-030 P2)
    • Low-Medium: 10 (Monitored with existing controls)
    • Low: 7 (Managed with existing controls)
  • Primary Security Focus: Data integrity, supply chain security, information manipulation, agentic workflow sandboxing, AI/LLM security governance
  • Defense Posture: Multi-layer defense-in-depth with 30+ security controls, gh-aw 3-layer architecture
  • ENISA Alignment: 7/7 ENISA TL 2024 threat categories mapped
  • ATT&CK Coverage: 18 techniques across 9 tactics
  • AI Security: OWASP LLM Top 10 mapped, gh-aw defense-in-depth (Substrate → Configuration → Plan layers)

System Classification Foundation (from CLASSIFICATION.md):

  • Confidentiality: Public (Level 1) - European Parliament open data
  • Integrity: Medium (Level 2) - News accuracy critical for democratic transparency
  • Availability: Medium (Level 2) - Daily updates expected, 24h outage acceptable
  • RTO/RPO: 24 hours / 1 day

🔒 Trust Boundaries

The platform's attack surface is decomposed into 8 trust boundaries (TB-1 through TB-8) reflecting the full supply chain from citizen reader to release distribution. Each boundary enforces a distinct protocol/control stack, and threats are mapped to the boundary they cross.

graph TB
    Citizen[👤 Citizen / Reader]
    CF[🌐 AWS CloudFront<br/>euparliamentmonitor.com]
    S3[🪣 AWS S3 Origin<br/>Versioned Private Bucket]
    GHA[⚙️ GitHub Actions Runner<br/>ubuntu-latest]
    AWF[🧱 AWF Squid Firewall<br/>Egress Allowlist]
    INET[🌍 Internet<br/>WB + IMF + GitHub + npm + AWS]
    GHAW[🤖 gh-aw Agentic Container<br/>Docker]
    MCPGW[🔌 MCP Gateway<br/>EP + IMF + WB stdio JSON-RPC]
    LLM[🧠 LLM API<br/>Copilot / Claude / Codex]
    Maint[👩‍💻 Maintainer]
    GH[🐙 GitHub Repository<br/>Hack23/euparliamentmonitor]
    Release[🚀 Release Pipeline]
    NPM[📦 npm Registry]
    AWS[☁️ AWS S3+CloudFront]

    Citizen -->|TB-1 HTTPS| CF
    CF -->|TB-2 OAC| S3
    GHA -->|TB-3 Allowlisted HTTPS| AWF
    AWF --> INET
    GHAW -->|TB-4 Docker bridge stdio| MCPGW
    GHAW -->|TB-5 HTTPS tenant-scoped| LLM
    Maint -->|TB-6 2FA + signed commits| GH
    Release -->|TB-7 OIDC + provenance| NPM
    Release -->|TB-8 OIDC role assumption| AWS

    GHA -.hosts.-> GHAW
    GH -.triggers.-> GHA
    Release -.runs in.-> GHA
    AWS -.serves.-> CF

    style Citizen fill:#e3f2fd,stroke:#1565c0,color:#000
    style CF fill:#fff3e0,stroke:#ef6c00,color:#000
    style S3 fill:#fff3e0,stroke:#ef6c00,color:#000
    style GHA fill:#f3e5f5,stroke:#6a1b9a,color:#000
    style AWF fill:#ffebee,stroke:#c62828,color:#000
    style GHAW fill:#e8f5e9,stroke:#2e7d32,color:#000
    style MCPGW fill:#e8f5e9,stroke:#2e7d32,color:#000
    style LLM fill:#fce4ec,stroke:#ad1457,color:#000
    style Maint fill:#e1f5fe,stroke:#0277bd,color:#000
    style GH fill:#f3e5f5,stroke:#6a1b9a,color:#000
    style Release fill:#fff9c4,stroke:#f57f17,color:#000
    style NPM fill:#fff9c4,stroke:#f57f17,color:#000
    style AWS fill:#fff3e0,stroke:#ef6c00,color:#000
Loading
ID Boundary Protocol / Control Key Risks
TB-1 Citizen/reader ↔ CloudFront HTTPS (TLS 1.2+/1.3), static content, no PII, HSTS + CSP DDoS, TLS downgrade
TB-2 CloudFront ↔ S3 origin Origin Access Control (OAC), versioned bucket, private S3, no public reads Origin bypass, S3 bucket misconfiguration
TB-3 GitHub Actions runner ↔ AWF Squid firewall ↔ Internet Allowlisted egress (WB, IMF, GitHub, npm, AWS); all other domains denied Allowlist drift, DNS rebinding, egress exfiltration
TB-4 gh-aw agentic container ↔ MCP gateway Docker bridge network, local stdio JSON-RPC only (no network exposure) Container escape, MCP tool-list drift
TB-5 gh-aw agentic container ↔ LLM API HTTPS to Copilot/Claude/Codex, tenant-scoped tokens, engine-switch Prompt injection, token leakage, data exfiltration
TB-6 Maintainer ↔ GitHub repository 2FA required, signed commits, required PR reviews, branch protection Credential theft, social engineering
TB-7 Release pipeline ↔ npm registry OIDC federation (no long-lived tokens), npm provenance statements, SLSA L3 attestations OIDC trust policy bypass, registry compromise
TB-8 Release pipeline ↔ AWS OIDC federation (no long-lived keys), S3+CloudFront-scoped IAM role, branch + repo subject claims OIDC trust policy drift, IAM over-permission

📋 STRIDE × Trust Boundary Matrix

Each row identifies the most-relevant threat IDs (current catalog T-001…T-030) for each STRIDE category at each trust boundary, with a one-line mitigation summary.

Boundary Spoofing Tampering Repudiation Info Disclosure Denial of Service Elevation of Privilege
TB-1 Reader↔CloudFront — · TLS server cert T-009 · integrity via Git-backed deploy — · CloudFront + GitHub audit logs — · no PII, public content T-004 · CloudFront edge + failover — · static content, no auth
TB-2 CloudFront↔S3 T-011 · OAC signed requests T-020 · S3 versioning + object lock — · S3 access logs — · private bucket, no listing T-004 · S3 regional redundancy — · least-privilege IAM
TB-3 Runner↔AWF↔Internet T-007 · TLS pinning via allowlist T-013, T-023 · schema validation + sanitize — · JSONL stdio audit T-010 · no secrets in egress T-007, T-023 · OR-gate + fallback envelope T-023 · Docker sandbox
TB-4 Container↔MCP T-006 · localhost stdio only T-023 · tool-list drift tests (IMF+WB) — · JSONL stdio audit — · local-only, no network T-006 · MCP restart + fallback T-024, T-028 · compile-gate + v0.77.3 pin
TB-5 Container↔LLM — · tenant-scoped tokens T-021, T-022 · validator gate + 2-pass review — · JSONL prompt/response log T-010, T-021 · prompt-scrub + AWF T-028 · engine-switch fallback T-021, T-025 · safe-outputs + patch-size cap
TB-6 Maintainer↔GitHub T-015 · 2FA + signed commits T-005 · required reviews + branch protection — · GitHub audit log T-010 · GitHub secret scanning — · GitHub SOC 2 T-005, T-015 · CODEOWNERS
TB-7 Release↔npm T-011 · OIDC subject claims T-002, T-012 · provenance + gh-advisory gate — · npm audit log — · public package T-019 · npm registry redundancy T-026 · least-privilege publish scope
TB-8 Release↔AWS T-011 · OIDC subject claims T-020 · S3 object versioning — · CloudTrail — · no PII in buckets T-020 · multi-AZ S3+CF T-026 · scoped IAM role

🌐 Data Flow & Architecture Analysis

🏛️ Architecture-Centric STRIDE Analysis

Following Architecture-Centric Threat Modeling methodology:

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#e3f2fd',
      'primaryTextColor': '#01579b',
      'lineColor': '#0288d1',
      'secondaryColor': '#f1f8e9',
      'tertiaryColor': '#fff8e1'
    }
  }
}%%
flowchart TB
    subgraph TRUST_BOUNDARY_1["🌐 Internet/Public Trust Boundary"]
        EXT[(🌍 European Parliament APIs)]
        USER[👤 Public Users<br/>14 Languages]
    end

    subgraph TRUST_BOUNDARY_2["🛡️ Build & Delivery Infrastructure Boundary"]
        ACTIONS[🤖 GitHub Actions]
        PAGES[🌐 AWS CloudFront CDN]
    end

    subgraph TRUST_BOUNDARY_3["🔒 Application Trust Boundary"]
        MCP[🔌 EP MCP Server<br/>Localhost 127.0.0.1]
        GENERATOR[📰 News Generator]
        VALIDATOR[✅ HTML Validator]
    end

    subgraph TRUST_BOUNDARY_4["📦 Artifact Trust Boundary"]
        HTML[🌐 Static HTML Files<br/>14 Languages]
        CSS[🎨 Stylesheets]
        SITEMAP[🗺️ Sitemap XML]
    end

    EXT -->|🎯 T1: API Abuse| MCP
    ACTIONS -->|🎯 T2: Workflow Tampering| GENERATOR
    MCP -->|🎯 T3: Data Poisoning| GENERATOR
    GENERATOR -->|🎯 T4: Content Injection| HTML
    HTML -->|🎯 T5: XSS Injection| VALIDATOR
    VALIDATOR -->|🎯 T6: Bypass Validation| PAGES
    PAGES -->|HTTPS Only| USER

    style TRUST_BOUNDARY_1 fill:#ffebee,stroke:#f44336,stroke-width:3px,stroke-dasharray: 5 5
    style TRUST_BOUNDARY_2 fill:#fff3e0,stroke:#ff9800,stroke-width:3px,stroke-dasharray: 5 5
    style TRUST_BOUNDARY_3 fill:#e8f5e9,stroke:#4caf50,stroke-width:3px,stroke-dasharray: 5 5
    style TRUST_BOUNDARY_4 fill:#e3f2fd,stroke:#2196f3,stroke-width:3px,stroke-dasharray: 5 5
Loading

🎭 STRIDE per Element Analysis

Element S T R I D E Notable Mitigations
🌐 CloudFront CDN Entry DNS spoof Header tamper Limited TLS downgrade CDN DDoS TLS 1.3, AWS Shield + CloudFront protection
📄 Static HTML Script injection (XSS) DOM manipulation CSP headers, branded SafeHtmlString escaping
📰 News Generator Data tampering Log forging EP data corruption Process failure Code injection Input validation, schema checks
🔌 EP MCP Server Impersonation Response manipulation Request replay Data poisoning Connection failure Local exploit Localhost-only binding, ephemeral execution
🤖 GitHub Actions Actor spoof (PR) Workflow tamper Action denial Secret exposure Runner exhaustion Escalated perms SHA-pinned actions, branch protection
📦 Dependencies (npm) Package spoof Artifact tamper Malicious code Registry down Dependency confusion package-lock.json, SBOM, Dependabot
🔐 Repository Commit spoof Branch tamper Force push Secret commit Admin escalation MFA, branch protection, required reviews
🔍 CodeQL SAST Scan bypass False negative Config manipulation Analysis failure Policy bypass Required checks, automated scanning

🎖️ MITRE ATT&CK Framework Integration

🔍 Attacker-Centric Analysis

Following MITRE ATT&CK-Driven Analysis methodology:

Phase Technique ID EP Monitor Context Control Detection
🔍 Initial Access Exploit Public-Facing App T1190 Static site, no server-side code Static architecture, CSP headers CloudFront/CDN monitoring
🔍 Initial Access Supply Chain Compromise T1195 npm dependencies, GitHub Actions Minimal deps, SHA-pinned actions Dependabot, SBOM scanning
⚡ Execution Command/Script Interpreter T1059 Node.js news generation scripts ESLint security rules, code review CodeQL SAST scanning
🔄 Persistence Valid Accounts T1078 GitHub repository access MFA requirement, access review GitHub audit logs
🎭 Defense Evasion Obfuscated Files T1027 Malicious libraries in dependencies SCA scanning, code review Static analysis, artifact scanning
🔑 Credential Access Brute Force T1110 GitHub account attacks GitHub-managed security GitHub security alerts
🔍 Discovery Application Enumeration T1083 Public repository, open source Transparency by design Public documentation
💥 Impact Data Manipulation T1565 News content tampering Schema validation, HTML validation Automated testing, manual review
💥 Impact Defacement T1491 Website content alteration Branch protection, required reviews Visual diff review, monitoring
🔍 Initial Access External Remote Services T1133 Unauthorized EP API access attempts Allowlist-only MCP access, public API only EP API access logs, rate monitoring
🔍 Initial Access Implant Internal Image T1525 Dependency confusion in npm registry package-lock.json, SHA verification Dependabot, SBOM integrity checks
🔍 Discovery Network Service Discovery T1046 Port scanning, MCP service enumeration Localhost-only MCP binding, firewall rules Network connection monitoring
📦 Collection Data from Cloud Storage T1530 CloudFront/S3 content scraping/access Public by design, no secrets in delivery Traffic monitoring, rate limiting
📦 Collection Data from Configuration Repository T1602 package.json, workflow config access No secrets in config files, SBOM tracking Repository access auditing
🔄 Persistence Services File Permissions Weakness T1574.010 GitHub Actions workflow tampering SHA-pinned actions, branch protection rules Workflow change alerts, PR review required
📡 Command & Control Application Layer Protocol T1071 MCP HTTP/HTTPS communication to EP API TLS enforcement, strict hostname allowlist Outbound traffic monitoring
📡 Command & Control Web Protocols T1071.001 HTTPS requests to data.europarl.europa.eu TLS 1.3, certificate validation HTTP request logging, anomaly detection
🎭 Defense Evasion Code Signing T1553.002 SLSA attestation bypass attempts SLSA Level 3, artifact signatures Attestation verification in CI

📊 ATT&CK Coverage Analysis

ATT&CK Coverage Covered Techniques

Comprehensive Coverage Tracking: This threat model provides systematic coverage analysis of MITRE ATT&CK techniques, identifying which tactics and techniques are relevant to the EU Parliament Monitor's threat landscape.

🎯 Coverage Heat Map by Tactic

Tactic Covered Techniques Total Techniques Coverage % Status
🔍 Initial Access 4 22 18.2% High Priority
💥 Impact 2 33 6.1% High Priority
⚡ Execution 1 51 2.0% Medium Priority
🔄 Persistence 2 130 1.5% Low Priority
🎭 Defense Evasion 2 218 0.9% Low Priority
🔑 Credential Access 1 67 1.5% Low Priority
🔍 Discovery 2 49 4.1% Medium Priority
🔀 Lateral Movement 0 25 0.0% Not Applicable
📦 Collection 2 41 4.9% Medium Priority
📤 Exfiltration 0 19 0.0% Not Applicable
📡 Command and Control 2 47 4.3% Medium Priority

Coverage Rationale: The EU Parliament Monitor's 2.3% overall coverage reflects focused threat modeling for a static site with EP MCP Server integration. Higher coverage in Initial Access (18.2%), Collection (4.9%), Command & Control (4.3%), and Discovery (4.1%) aligns with primary threat vectors for public-facing platforms with external API dependencies. The 16 techniques mapped include 7 EP MCP Server-specific vectors added in v1.1.

🛡️ Security Control to ATT&CK Mitigation Mapping

Comprehensive security controls are mapped to specific ATT&CK mitigations and techniques:

Security Control ATT&CK Mitigation Techniques Mitigated Implementation Status
Content Security Policy M1021: Restrict Web Content T1190, T1059 Implemented
Dependabot Scanning M1016: Vulnerability Scanning T1195 Implemented
GitHub Branch Protection M1035: Limit Access T1078, T1565 Implemented
CodeQL SAST Scanning M1047: Audit T1059, T1027 Implemented
Input Validation M1021: Restrict Web Content T1190, T1565 Implemented
SBOM Generation M1016: Vulnerability Scanning T1195 Implemented
MFA Enforcement M1032: Multi-factor Authentication T1078, T1110 Implemented
npm Package Lock M1016: Vulnerability Scanning T1525, T1195 Implemented
Localhost-Only MCP Binding M1030: Network Segmentation T1046, T1071 Implemented
SLSA Level 3 Attestation M1045: Code Signing T1553.002, T1195 Implemented

🔌 EP MCP Server Attack Surface Analysis

The European Parliament MCP Server integration (european-parliament-mcp-server) introduces a specific attack surface that requires dedicated threat analysis. As an ephemeral, localhost-only process invoked during GitHub Actions builds, its exposure window is narrow — but its role in data ingestion makes integrity controls critical.

Attack Vector MITRE Technique Threat Description Likelihood Impact Mitigation
MCP Data Poisoning T1565.001 (Stored Data Manipulation) Malicious EP API responses injecting XSS/HTML into generated articles Low High Response sanitization, HTML entity encoding, schema validation
MCP Protocol Abuse T1071 (Application Layer Protocol) Manipulated JSON-RPC 2.0 requests exploiting parsing flaws Very Low Medium Input validation, request ID tracking, strict error handling
Dependency Confusion T1525 (Implant Internal Image) Malicious npm package named european-parliament-mcp-server Very Low Critical Package provenance checking, npm registry lock, SHA verification
API Rate Abuse T1499 (Endpoint DoS) Exhausting EP API rate limits through excessive MCP calls Low Medium Retry limits, timeout enforcement, exponential backoff
Credential Exposure T1078 (Valid Accounts) EP API tokens or secrets exposed in GitHub Actions logs Very Low High No API keys used (public API), secrets scanning in CI
SSRF via MCP T1190 (Exploit Public-Facing App) MCP client making unauthorized requests to internal GitHub resources Very Low Medium Strict hostname allowlisting, localhost-only MCP communication
Schema Injection T1059 (Command/Script Interpreter) Malformed EP data exploiting TypeScript parser vulnerabilities Very Low Low TypeScript strict mode, schema validation, error boundaries
%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#e3f2fd',
      'primaryTextColor': '#0d47a1',
      'lineColor': '#1976d2',
      'secondaryColor': '#fce4ec'
    }
  }
}%%
flowchart LR
    GHA[🤖 GitHub Actions Runner]
    MCP[🔌 EP MCP Server\nephemeral process]
    EPA[🇪🇺 EP Open Data API\ndata.europarl.europa.eu]
    NG[📰 News Generator\nNode.js scripts]
    GHP[🌐 AWS CloudFront\nStatic Site]

    GHA -->|"spawn localhost:stdio"| MCP
    MCP -->|"HTTPS / TLS 1.3"| EPA
    EPA -->|"JSON responses\n(schema-validated)"| MCP
    MCP -->|"Sanitized data"| NG
    NG -->|"HTML articles\n(SafeHtmlString escaped)"| GHP

    style GHA fill:#e8f5e9,stroke:#388e3c,color:#000
    style MCP fill:#fff3e0,stroke:#f57c00,color:#000
    style EPA fill:#e3f2fd,stroke:#1565c0,color:#000
    style NG fill:#f3e5f5,stroke:#7b1fa2,color:#000
    style GHP fill:#e8f5e9,stroke:#388e3c,color:#000
Loading

MCP Server Security Posture Summary:

Property Value Security Implication
Execution model Ephemeral (per-build, terminates after use) ✅ No persistent process to attack
Network binding Localhost stdio only (no TCP port) ✅ No remote attack surface
Authentication None required (EP public API) ✅ No credentials to steal or leak
Data direction Read-only inbound from EP API ✅ Cannot write back to EP systems
Output escaping Branded SafeHtmlString HTML-entity escaping (escapeHTML) + markdown-it rendering + CSP headers ✅ XSS injection from data poisoning blocked
Package provenance npm SHA lock + Dependabot monitoring ✅ Dependency confusion monitored
SLSA attestation SLSA Level 3 via GitHub Actions ✅ Build provenance verified end-to-end

🌳 Attack Tree Analysis

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#fff3e0',
      'primaryTextColor': '#e65100',
      'lineColor': '#ff9800',
      'secondaryColor': '#ffebee'
    }
  }
}%%
flowchart TD
    ROOT[🎯 Compromise EU Parliament Monitor]

    ROOT --> A1[💉 Inject Misinformation]
    ROOT --> A2[🔓 Gain Repository Access]
    ROOT --> A3[📦 Supply Chain Attack]
    ROOT --> A4[🌐 Deface Website]

    A1 --> B1[🔌 Compromise EP MCP Server]
    A1 --> B2[📰 Manipulate News Generator]
    A1 --> B3[🌍 Inject Translation Errors]

    A2 --> C1[🔑 Steal GitHub Credentials]
    A2 --> C2[⬆️ Escalate Repository Privileges]
    A2 --> C3[🎭 Social Engineer Maintainer]

    A3 --> D1[📦 Compromise npm Package]
    A3 --> D2[🤖 Tamper GitHub Actions]
    A3 --> D3[🔗 Dependency Confusion]

    A4 --> E1[💻 XSS Injection]
    A4 --> E2[📝 Direct HTML Modification]
    A4 --> E3[🎨 CSS Manipulation]

    style ROOT fill:#ffcdd2,stroke:#d32f2f,color:#000
    style A1 fill:#ffccbc,stroke:#e64a19,color:#000
    style A2 fill:#ffccbc,stroke:#e64a19,color:#000
    style A3 fill:#ffccbc,stroke:#e64a19,color:#000
    style A4 fill:#ffccbc,stroke:#e64a19,color:#000
Loading

🔗 Kill Chain Disruption Analysis

Following Hack23 AB Kill Chain Analysis methodology — mapping Cyber Kill Chain phases to EU Parliament Monitor defensive controls:

Kill Chain Phase EU Parliament Monitor Context Defensive Controls Detection Capability Disruption Effectiveness
1. Reconnaissance Public repository scanning, dependency enumeration, EP API discovery Transparency by design (public data), no sensitive endpoints exposed GitHub audit logs, repository traffic analytics High — Minimal attack surface
2. Weaponization Crafting malicious npm packages, preparing XSS payloads for EP data N/A (attacker-side phase) Threat intelligence feeds, npm advisory monitoring Medium — External phase
3. Delivery Malicious PR submission, dependency confusion, EP data poisoning Branch protection, required reviews, schema validation, package-lock.json CodeQL SAST on PRs, Dependabot alerts, EP data schema checks High — Multiple gates
4. Exploitation XSS via injected EP data, command injection in build scripts CSP headers, branded SafeHtmlString escaping, ESLint security rules, TypeScript strict mode CodeQL scanning, unit tests, HTML validation High — Defense-in-depth
5. Installation Persistent backdoor in codebase, modified GitHub Actions workflow SHA-pinned actions, CODEOWNERS enforcement, branch protection Workflow change alerts, PR diff review, SBOM integrity checks High — Strong access control
6. Command & Control Exfiltrating data via MCP channel, covert communication via build logs Localhost-only MCP binding, no outbound network from static site, TLS enforcement GitHub Actions log monitoring, network connection auditing High — Minimal C2 surface
7. Actions on Objectives Content manipulation, democratic process disruption, defacement Multi-layer validation, automated testing, schema checks, SLSA attestation Visual diff review, automated content verification, monitoring Medium — Detection gap for subtle manipulation
%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#e8f5e9',
      'primaryTextColor': '#1b5e20',
      'lineColor': '#388e3c'
    }
  }
}%%
flowchart LR
    R[🔍 Recon] --> W[⚙️ Weapon] --> D[📦 Deliver] --> X[💥 Exploit] --> I[📌 Install] --> C[📡 C2] --> A[🎯 Actions]

    R -.->|"Public by design<br/>Minimal attack surface"| DR[🛡️ Accept]
    D -.->|"Branch protection<br/>Schema validation<br/>Package lock"| DD[🛡️ Block]
    X -.->|"CSP + Auto-escape<br/>SAST + Type checking"| DX[🛡️ Block]
    I -.->|"SHA-pinned actions<br/>CODEOWNERS"| DI[🛡️ Block]
    C -.->|"Localhost MCP<br/>No outbound"| DC[🛡️ Block]
    A -.->|"Multi-layer validation<br/>SLSA attestation"| DA[🛡️ Detect]

    style DR fill:#c8e6c9,stroke:#388e3c
    style DD fill:#c8e6c9,stroke:#388e3c
    style DX fill:#c8e6c9,stroke:#388e3c
    style DI fill:#c8e6c9,stroke:#388e3c
    style DC fill:#c8e6c9,stroke:#388e3c
    style DA fill:#fff9c4,stroke:#f9a825
Loading

🎯 Priority Threat Scenarios

🔴 Critical Threat Scenarios

Following Risk-Centric Threat Modeling methodology:

# Scenario MITRE Tactic Impact Focus Likelihood Risk Key Mitigations Residual Action
1 📰 News Content Manipulation Impact Democratic transparency integrity Medium Medium Schema validation, HTML validation, CSP Add automated fact-checking pipeline
2 🔗 Supply Chain Dependency Attack Initial Access Build process compromise Low-Med Medium Minimal deps, SBOM, SHA-pinned actions Add provenance verification
3 🔑 Repository Credential Compromise Credential Access System-wide access Low Low MFA, branch protection, reviews Annual security review
4 🔌 EP MCP Server Data Poisoning Impact Parliamentary data integrity Low Low Localhost-only, ephemeral execution Monitor EP API changes
5 ⚡ GitHub Infrastructure Downtime Impact Service availability Low Low GitHub CDN, static architecture 24h RTO acceptable
6 💻 Cross-Site Scripting (XSS) Initial Access User trust damage Low Low CSP, SafeHtmlString escaping, validation Quarterly security review

⚖️ Risk Heat Matrix

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#fff',
      'primaryTextColor': '#000',
      'lineColor': '#333'
    }
  }
}%%
quadrantChart
    title 🎯 EU Parliament Monitor Risk Heat Matrix
    x-axis Low Likelihood --> High Likelihood
    y-axis Low Impact --> High Impact
    quadrant-1 Monitor & Prepare
    quadrant-2 Immediate Action Required
    quadrant-3 Accept Risk
    quadrant-4 Mitigate & Control

    "📰 News Manipulation": [0.6, 0.6]
    "🔗 Supply Chain Attack": [0.4, 0.7]
    "🔑 Credential Theft": [0.3, 0.6]
    "🔌 MCP Data Poison": [0.2, 0.5]
    "⚡ Infrastructure Down": [0.3, 0.4]
    "💻 XSS Injection": [0.2, 0.5]
    "🌍 Translation Error": [0.4, 0.4]
    "🤖 Workflow Tamper": [0.25, 0.55]
Loading

🎯 Scenario-Centric Threat Analysis

Following Hack23 AB Scenario-Centric Threat Modeling methodology:

🎭 Misuse Cases

# Misuse Case Threat Agent Attack Description Preconditions Impact Mitigation
MC-001 Nation-State Data Manipulation 🏛️ Nation-State Actor Compromises EP API upstream or MCP data pipeline to inject subtly biased MEP voting records, altering democratic perception across 14 languages Access to EP data pipeline or MCP server compromise Critical — Erosion of democratic transparency trust across EU EP official API verification, schema validation, cross-reference checks, content consistency monitoring
MC-002 Supply Chain Backdoor 💰 Cybercriminal Publishes malicious npm package mimicking european-parliament-mcp-server, injects code into build pipeline during GitHub Actions execution npm registry access, typosquatting opportunity High — Complete build process compromise, potential content manipulation Package provenance (SHA verification), Dependabot monitoring, SBOM generation, package-lock.json integrity
MC-003 Insider Bias Injection 👤 Malicious Insider Contributor with merge access introduces subtle political bias in news generation templates or translation strings for specific languages Trusted contributor access, code review gap High — Political bias in generated news, trust damage Required PR reviews, CODEOWNERS enforcement, automated bias detection, multi-language consistency checks
MC-004 Election Period Defacement 🎭 Hacktivist During European Parliament elections, defaces website content to spread political messaging or discredit specific MEPs/parties Repository access or XSS vulnerability High — Election integrity impact, voter confusion Enhanced monitoring during election periods, branch protection, CSP headers, rapid response procedures
MC-005 Translation Weaponization 🏛️ Nation-State Actor Targets specific language versions (e.g., AR, ZH) with deliberate mistranslations of parliamentary positions to serve geopolitical agenda Access to translation pipeline or template manipulation Medium — Language-specific democratic impact, regional trust damage Cross-language consistency validation, native speaker review, automated translation comparison
MC-006 CI/CD Pipeline Hijacking 💰 Cybercriminal Exploits GitHub Actions workflow to inject cryptocurrency miner or use compute resources, degrading news generation performance Workflow file modification or action compromise Medium — Service degradation, resource abuse SHA-pinned actions, workflow permissions review, resource monitoring, required status checks

🤔 What-If Analysis

# What-If Scenario Probability Impact Assessment Current Resilience Recommended Action
WI-001 What if the European Parliament changes its open data API format? Medium News generation fails until adaptation; stale content served Schema validation catches errors; cached content remains available Monitor EP API changelog; implement API version detection; maintain fallback templates
WI-002 What if a zero-day vulnerability is found in Node.js 26? Low Build pipeline compromised during news generation GitHub Actions auto-updates runners; Dependabot monitors dependencies Pin Node.js version; implement container-based builds; maintain rollback capability
WI-003 What if the AWS CloudFront/S3 delivery edge experiences a multi-day outage? Very Low Site unavailable; no news updates for > 24h RTO Static content cached by CDN; GitHub Pages fallback deployment possible Maintain GitHub Pages fallback target; document manual recovery; accept 24h RTO per classification
WI-004 What if a contributor's GitHub account is compromised? Low Potential unauthorized code changes or content manipulation MFA required; branch protection; required reviews; CODEOWNERS Quarterly access reviews; monitor for anomalous commits; incident response plan
WI-005 What if politically motivated content manipulation goes undetected? Low-Medium Gradual erosion of platform credibility and democratic trust Schema validation; automated testing; public source code Implement automated fact-checking pipeline (P1); add confidence scoring; cross-reference with official EP records
WI-006 What if the EP MCP Server package is deprecated or abandoned? Medium Loss of data integration capability; news generation stops Version pinning; local fallback data Monitor package health; maintain fork capability; implement direct EP API fallback

👥 Persona-Based Threat Scenarios

Persona 1: "Alexei" — State-Sponsored Information Operator

  • Profile: Advanced persistent threat operator working for a nation-state intelligence service
  • Motivation: Undermine EU parliamentary transparency and democratic processes
  • Capability: High (custom tooling, patient long-term operations, multiple attack vectors)
  • Attack Path: Targets EP data pipeline → injects subtle voting record modifications → affects 14 language versions → gradually erodes trust in parliamentary data
  • Countermeasures: Official EP API source verification, schema validation, cross-language consistency monitoring, anomaly detection

Persona 2: "Marco" — Disgruntled Political Activist

  • Profile: Technically skilled hacktivist with political agenda
  • Motivation: Promote specific political agenda or discredit EU institutions
  • Capability: Medium (public exploit tools, social engineering)
  • Attack Path: Social engineers a contributor → submits PR with biased translation strings → targets election-sensitive content
  • Countermeasures: Required PR reviews, CODEOWNERS, automated sentiment analysis, election period enhanced monitoring

Persona 3: "Chen" — Supply Chain Attacker

  • Profile: Organized cybercrime group specializing in supply chain attacks
  • Motivation: Financial gain through compute resource abuse or reputation extortion
  • Capability: Medium-High (registry manipulation, typosquatting infrastructure)
  • Attack Path: Publishes malicious npm package → dependency confusion during build → injects cryptominer or exfiltration code
  • Countermeasures: Zero production dependencies, package-lock.json, SHA verification, SBOM monitoring, Dependabot

⚖️ Quantitative Risk Assessment

Following Hack23 AB Risk-Centric Threat Modeling methodology:

📊 Risk Scoring Methodology

Risk Score = Likelihood × Impact

Score Likelihood Definition Impact Definition
1 — Very Low < 5% annual probability Minimal business impact, easily recoverable
2 — Low 5-15% annual probability Minor disruption, limited scope
3 — Medium 15-35% annual probability Moderate disruption, requires active response
4 — High 35-65% annual probability Significant disruption, affects core mission
5 — Critical > 65% annual probability Severe impact, existential or regulatory consequence

📈 Comprehensive Likelihood × Impact Matrix

Threat ID Threat Name Likelihood (L) Impact (I) Risk Score (L×I) Risk Level Treatment
T-001 XSS via EP Data Injection 1 3 3 🟢 Low Accept
T-002 Supply Chain npm Attack 1 4 4 🟡 Low-Medium Monitor
T-003 Incorrect News Generation 3 3 9 🟠 Medium Reduce
T-004 GitHub Actions Downtime 1 2 2 🟢 Low Accept
T-005 Repository Compromise 1 4 4 🟡 Low-Medium Monitor
T-006 MCP Server Compromise 1 3 3 🟢 Low Accept
T-007 EP API Format Change 3 3 9 🟠 Medium Reduce
T-008 Translation Manipulation 2 3 6 🟡 Low-Medium Monitor
T-009 Election Period Defacement 1 4 4 🟡 Low-Medium Monitor
T-010 GitHub Actions Secret Leak 1 3 3 🟢 Low Accept
T-011 SLSA Attestation Bypass 1 4 4 🟡 Low-Medium Monitor
T-012 Dependency Confusion 1 5 5 🟡 Low-Medium Monitor
T-013 MCP Data Poisoning via API 2 4 8 🟠 Medium Reduce
T-014 Cross-Language Inconsistency 2 2 4 🟡 Low-Medium Monitor
T-015 Contributor Account Compromise 1 4 4 🟡 Low-Medium Monitor
T-016 Automated Bot Abuse 2 1 2 🟢 Low Accept
T-017 MEP Data Integrity Failure 2 3 6 🟡 Low-Medium Monitor
T-018 Information Manipulation Campaign 1 5 5 🟡 Low-Medium Monitor
T-019 Node.js Runtime Vulnerability 1 3 3 🟢 Low Accept
T-020 CDN/Edge Delivery Compromise 1 3 3 🟢 Low Accept
T-021 Prompt Injection via EP Debate Content 2 3 6 🟡 Low-Medium Monitor
T-022 Reference Hallucination 2 3 6 🟡 Low-Medium Monitor
T-023 MCP Data Poisoning (EP/WB/IMF) 2 3 6 🟡 Low-Medium Monitor
T-024 Workflow Compile Drift 2 3 6 🟡 Low-Medium Monitor
T-025 Max-Patch-Size Bypass 1 3 3 🟢 Low Accept
T-026 AWS / npm OIDC Policy Bypass 1 4 4 🟡 Low-Medium Monitor
T-027 Translation Pipeline Weaponization 2 4 8 🟠 Medium Reduce
T-028 gh-aw Toolchain Break (v0.77.3 pin) 2 2 4 🟡 Low-Medium Monitor

🎯 Risk Distribution Summary

Risk Level Count Threats Treatment Strategy
🟠 Medium (6-9) 4 T-003, T-007, T-013, T-027 Active reduction — implement additional controls
🟡 Low-Medium (4-6) 16 T-002, T-005, T-008, T-009, T-011, T-012, T-014, T-015, T-017, T-018, T-021, T-022, T-023, T-024, T-026, T-028 Monitor — quarterly review and trending
🟢 Low (1-3) 8 T-001, T-004, T-006, T-010, T-016, T-019, T-020, T-025 Accept — existing controls sufficient

📊 Detailed Threat Analysis

Threat T-001: Cross-Site Scripting (XSS) via Parliamentary Data Injection

Attribute Value
Threat ID T-001
STRIDE Category Injection, Tampering
MITRE ATT&CK T1189 (Drive-by Compromise), T1059 (Command and Script Interpreter)
Threat Agent Malicious Insider, Nation-State Actor, Cybercriminal
Likelihood Low (1/5)
Impact Medium (3/5) - Integrity risk, user trust damage
Risk Score Low (3/25)
Priority P3

Existing Controls:

  • ✅ Content Security Policy (CSP) headers
  • ✅ Branded SafeHtmlString HTML-entity escaping (markdown-it renderer)
  • ✅ Input validation for EP data
  • ✅ ESLint security plugin
  • ✅ Code review required

Residual Risk: Low - Multiple defense layers

Risk Treatment: Accept - Existing controls sufficient


Threat T-002: Supply Chain Attack via npm Dependencies

Attribute Value
Threat ID T-002
STRIDE Category Elevation of Privilege, Tampering
MITRE ATT&CK T1195.002 (Compromise Software Supply Chain), T1608.001 (Upload Malware)
Threat Agent Cybercriminal, Nation-State Actor
Likelihood Low (1/5)
Impact High (4/5) - Could compromise build process
Risk Score Low (4/25)
Priority P2

Existing Controls:

  • ✅ Minimal dependencies (zero production, 17 dev-only)
  • ✅ Dependabot automated vulnerability scanning
  • ✅ SBOM generation (CycloneDX format)
  • ✅ SHA-pinned GitHub Actions
  • ✅ package-lock.json with integrity hashes

Residual Risk: Low - Minimal attack surface

Risk Treatment: Monitor and Review - Annual dependency audit


Threat T-003: Data Integrity - Incorrect News Generation ⚠️ P1

Attribute Value
Threat ID T-003
STRIDE Category Tampering, Information Disclosure
MITRE ATT&CK T1565.001 (Stored Data Manipulation), T1499 (Endpoint Denial of Service)
Threat Agent Accidental Insider, LLM Model Error, EP API Changes
Likelihood Medium (3/5)
Impact Medium (3/5) - News accuracy critical for democracy
Risk Score Medium (9/25)
Priority P1 (Requires Additional Controls)

Existing Controls:

  • ✅ Schema validation for EP data
  • ✅ Type checking (TypeScript with strict mode)
  • ✅ Error logging
  • ✅ Unit tests (82% line coverage, 70% branch)
  • ✅ Official European Parliament API source

Residual Risk: Medium - Automated content verification not yet implemented

Risk Treatment: Reduce Risk - Implement additional controls

Recommendations (Q3 2026):

  1. 🔄 Automated fact-checking pipeline
  2. 🔄 Confidence scoring (0.0-1.0) for each article
  3. 🔄 Human-in-the-loop review queue (<0.85 confidence)
  4. 🔄 Cross-reference generated content with source EP data

Target Residual Risk: Low (after Phase 1 implementation)


Threat T-004: Denial of Service - GitHub Actions Downtime

Attribute Value
Threat ID T-004
STRIDE Category Denial of Service
MITRE ATT&CK T1499 (Endpoint Denial of Service), T1498 (Network Denial of Service)
Threat Agent External Service Provider, Cyber Vandal, Hacktivist
Likelihood Low (1/5)
Impact Low (2/5) - 24h RTO acceptable per classification
Risk Score Low (2/25)
Priority P3

Existing Controls:

  • ✅ GitHub infrastructure (multi-region redundancy)
  • ✅ Manual workflow trigger available
  • ✅ Cached content remains online
  • ✅ RTO/RPO alignment (24h/1d)
  • ✅ Static site architecture (no real-time dependencies)

Residual Risk: Low - Within acceptable RTO/RPO

Risk Treatment: Accept - Availability Medium classification tolerates 24h outages


Threat T-005: Repository Compromise - Unauthorized Code Changes

Attribute Value
Threat ID T-005
STRIDE Category Tampering, Elevation of Privilege
MITRE ATT&CK T1078 (Valid Accounts), T1190 (Exploit Public-Facing Application)
Threat Agent Malicious Insider, Cybercriminal
Likelihood Low (1/5)
Impact High (4/5) - Could compromise entire site
Risk Score Low (4/25)
Priority P2

Existing Controls:

  • ✅ Branch protection (protected main branch)
  • ✅ Required pull request reviews
  • ✅ MFA requirement (GitHub organization)
  • ✅ CODEOWNERS enforcement
  • ✅ CodeQL automated SAST scanning
  • ✅ GitHub audit logging
  • ✅ Quarterly access review

Residual Risk: Low - Multiple access control layers

Risk Treatment: Monitor - Annual security review


Threat T-006: MCP Server Compromise

Attribute Value
Threat ID T-006
STRIDE Category Spoofing, Tampering
MITRE ATT&CK T1557 (Adversary-in-the-Middle), T1565 (Data Manipulation)
Threat Agent Nation-State Actor, Advanced Persistent Threat
Likelihood Very Low (0.5/5)
Impact Medium (3/5) - Could manipulate EP data
Risk Score Very Low (1.5/25)
Priority P4

Existing Controls:

  • ✅ Localhost-only binding (127.0.0.1)
  • ✅ Process isolation with limited permissions
  • ✅ Ephemeral execution (start/stop per run)
  • ✅ No persistent state (stateless operation)
  • ✅ GitHub Actions sandbox isolation

Residual Risk: Very Low - Local access required (GitHub Actions runner already secured)

Risk Treatment: Accept - Existing GitHub Actions isolation sufficient


Threat T-007: EP API Format Change / Breaking Change

Attribute Value
Threat ID T-007
STRIDE Category Denial of Service, Tampering
MITRE ATT&CK T1499 (Endpoint DoS), T1565 (Data Manipulation)
Threat Agent External Service Provider (EP API), Accidental Insider
Likelihood Medium (3/5)
Impact Medium (3/5) - News generation fails, stale content served
Risk Score Medium (9/25)
Priority P1 (Requires Additional Controls)

Existing Controls:

  • ✅ Schema validation for EP MCP responses
  • ✅ Error handling with graceful degradation
  • ✅ Cached content remains online during failures
  • ✅ Version-pinned EP MCP Server dependency

Residual Risk: Medium - API changes could break generation

Risk Treatment: Reduce Risk - Implement API version monitoring


Threat T-008: Translation Manipulation / Cultural Bias Injection

Attribute Value
Threat ID T-008
STRIDE Category Tampering, Information Disclosure
MITRE ATT&CK T1565 (Data Manipulation), T1491 (Defacement)
Threat Agent Nation-State Actor, Malicious Insider
Likelihood Low (2/5)
Impact Medium (3/5) - Language-specific democratic impact
Risk Score Low-Medium (6/25)
Priority P2

Existing Controls:

  • ✅ Template-based translation (consistent structure)
  • ✅ Code review for language file changes
  • ✅ Automated HTML validation per language
  • ✅ UTF-8 encoding enforcement

Residual Risk: Low-Medium - Subtle translation bias hard to detect

Risk Treatment: Monitor - Implement cross-language consistency checks


Threat T-009: Election Period Website Defacement

Attribute Value
Threat ID T-009
STRIDE Category Tampering, Elevation of Privilege
MITRE ATT&CK T1491 (Defacement), T1078 (Valid Accounts)
Threat Agent Hacktivist, Nation-State Actor
Likelihood Low (1/5)
Impact High (4/5) - Election integrity impact, voter confusion
Risk Score Low-Medium (4/25)
Priority P2

Existing Controls:

  • ✅ Branch protection with required reviews
  • ✅ MFA enforcement for all contributors
  • ✅ Automated deployment (no manual HTML changes)
  • ✅ AWS CloudFront CDN caching

Residual Risk: Low - Multiple access control layers

Risk Treatment: Monitor - Enhanced vigilance during election periods


Threat T-010: GitHub Actions Secret Exposure

Attribute Value
Threat ID T-010
STRIDE Category Information Disclosure
MITRE ATT&CK T1552 (Unsecured Credentials), T1078 (Valid Accounts)
Threat Agent Accidental Insider, Cybercriminal
Likelihood Low (1/5)
Impact Medium (3/5) - Potential workflow compromise
Risk Score Low (3/25)
Priority P3

Existing Controls:

  • ✅ GitHub secret scanning enabled
  • ✅ No API keys required (EP public API)
  • ✅ Environment-scoped secrets
  • ✅ Workflow permissions minimized (least privilege)

Residual Risk: Low - Minimal secrets to expose

Risk Treatment: Accept - Secret scanning provides adequate coverage


Threat T-011: SLSA Build Provenance Bypass

Attribute Value
Threat ID T-011
STRIDE Category Tampering, Repudiation
MITRE ATT&CK T1553.002 (Code Signing), T1195 (Supply Chain Compromise)
Threat Agent Advanced Persistent Threat, Nation-State Actor
Likelihood Very Low (1/5)
Impact High (4/5) - Undermines build integrity guarantee
Risk Score Low-Medium (4/25)
Priority P3

Existing Controls:

  • ✅ SLSA Level 3 via GitHub Actions
  • ✅ Artifact signatures with provenance attestation
  • ✅ SHA-pinned actions in all workflows
  • ✅ SBOM generation (CycloneDX format)

Residual Risk: Very Low - SLSA Level 3 provides strong guarantees

Risk Treatment: Accept - Industry-standard provenance


Threat T-012: Dependency Confusion / Typosquatting

Attribute Value
Threat ID T-012
STRIDE Category Tampering, Elevation of Privilege
MITRE ATT&CK T1525 (Implant Internal Image), T1195.002 (Supply Chain)
Threat Agent Cybercriminal, Nation-State Actor
Likelihood Very Low (1/5)
Impact Critical (5/5) - Complete build compromise
Risk Score Low-Medium (5/25)
Priority P2

Existing Controls:

  • ✅ package-lock.json with SHA integrity hashes
  • ✅ Zero production dependencies
  • ✅ Dependabot automated scanning
  • ✅ npm provenance checking

Residual Risk: Very Low - Package lock prevents confusion

Risk Treatment: Monitor - Annual dependency audit


Threat T-013: EP MCP Data Poisoning via Upstream API Compromise

Attribute Value
Threat ID T-013
STRIDE Category Tampering, Information Disclosure
MITRE ATT&CK T1565.001 (Stored Data Manipulation), T1557 (Adversary-in-Middle)
Threat Agent Nation-State Actor, Advanced Persistent Threat
Likelihood Low (2/5)
Impact High (4/5) - Parliamentary data integrity compromised
Risk Score Medium (8/25)
Priority P1 (Requires Additional Controls)

Existing Controls:

  • ✅ Official EP API as single data source
  • ✅ MCP schema validation
  • ✅ TypeScript strict mode parsing
  • ✅ Ephemeral MCP execution (no persistent compromise)

Residual Risk: Medium - Upstream compromise difficult to detect

Risk Treatment: Reduce Risk - Implement cross-reference validation with multiple EP data sources


Threat T-014: Cross-Language Content Inconsistency

Attribute Value
Threat ID T-014
STRIDE Category Tampering
MITRE ATT&CK T1565 (Data Manipulation)
Threat Agent Accidental Insider, LLM Model Error
Likelihood Low (2/5)
Impact Low (2/5) - Content mismatch between language versions
Risk Score Low-Medium (4/25)
Priority P3

Existing Controls:

  • ✅ Template-based generation (consistent structure)
  • ✅ Same EP data source for all languages
  • ✅ Automated HTML validation per language
  • ✅ E2E tests for multi-language content

Residual Risk: Low - Template structure ensures consistency

Risk Treatment: Monitor - Quarterly cross-language audit


Threat T-015: Contributor Account Compromise

Attribute Value
Threat ID T-015
STRIDE Category Spoofing, Elevation of Privilege
MITRE ATT&CK T1078 (Valid Accounts), T1566 (Phishing)
Threat Agent Cybercriminal, Nation-State Actor
Likelihood Low (1/5)
Impact High (4/5) - Could push malicious code with trusted identity
Risk Score Low-Medium (4/25)
Priority P2

Existing Controls:

  • ✅ MFA required for organization members
  • ✅ Branch protection rules
  • ✅ Required PR reviews
  • ✅ GitHub audit logging of all access

Residual Risk: Low - MFA significantly reduces account compromise risk

Risk Treatment: Monitor - Quarterly access review


Threat T-016: Automated Bot Abuse

Attribute Value
Threat ID T-016
STRIDE Category Denial of Service
MITRE ATT&CK T1499 (Endpoint DoS)
Threat Agent Automated Bots, Script Kiddies
Likelihood Low (2/5)
Impact Very Low (1/5) - Static site resilient to bot traffic
Risk Score Low (2/25)
Priority P4

Existing Controls:

  • ✅ AWS CloudFront CDN (DDoS protection)
  • ✅ Static site architecture (no dynamic endpoints)
  • ✅ robots.txt configured
  • ✅ No authentication endpoints to brute-force

Residual Risk: Very Low - Static architecture inherently resilient

Risk Treatment: Accept - GitHub CDN provides adequate protection


Threat T-017: MEP Data Integrity Failure

Attribute Value
Threat ID T-017
STRIDE Category Tampering, Information Disclosure
MITRE ATT&CK T1565 (Data Manipulation)
Threat Agent EP API Error, Accidental Insider, LLM Model Error
Likelihood Low (2/5)
Impact Medium (3/5) - Incorrect MEP information published
Risk Score Low-Medium (6/25)
Priority P2

Existing Controls:

  • ✅ EP MCP Server schema validation
  • ✅ TypeScript type checking
  • ✅ Unit tests for data transformation
  • ✅ Official EP API as authoritative source

Residual Risk: Low-Medium - EP API data assumed accurate

Risk Treatment: Monitor - Implement MEP data cross-referencing


Threat T-018: Information Manipulation Campaign

Attribute Value
Threat ID T-018
STRIDE Category Tampering, Repudiation
MITRE ATT&CK T1491 (Defacement), T1565 (Data Manipulation)
Threat Agent Nation-State Actor, Organized Disinformation Group
Likelihood Very Low (1/5)
Impact Critical (5/5) - Democratic process manipulation
Risk Score Low-Medium (5/25)
Priority P2

Existing Controls:

  • ✅ Official EP data sources only
  • ✅ Transparent open-source methodology
  • ✅ Public audit trail (Git history)
  • ✅ Multi-layer validation pipeline

Residual Risk: Low - Multiple integrity controls

Risk Treatment: Monitor - Enhanced during election periods


Threat T-019: Node.js Runtime Vulnerability

Attribute Value
Threat ID T-019
STRIDE Category Elevation of Privilege, Execution
MITRE ATT&CK T1059 (Command/Script Interpreter)
Threat Agent Cybercriminal, Opportunistic Attacker
Likelihood Low (1/5)
Impact Medium (3/5) - Build pipeline compromise
Risk Score Low (3/25)
Priority P3

Existing Controls:

  • ✅ Pinned Node.js 26 version
  • ✅ GitHub Actions runner auto-updates
  • ✅ Build-time only execution (no runtime server)
  • ✅ Dependabot monitors Node.js advisories

Residual Risk: Low - Ephemeral build execution limits exposure

Risk Treatment: Accept - Automated patching via GitHub Actions


Threat T-020: CDN/Edge Delivery Compromise (CloudFront primary, GitHub Pages fallback)

Attribute Value
Threat ID T-020
STRIDE Category Tampering, Denial of Service
MITRE ATT&CK T1584 (Compromise Infrastructure)
Threat Agent Nation-State Actor, Advanced Persistent Threat
Likelihood Very Low (1/5)
Impact Medium (3/5) - Content served to users could be manipulated
Risk Score Low (3/25)
Priority P4

Existing Controls:

  • ✅ GitHub-managed infrastructure (SOC 2 compliant)
  • ✅ TLS 1.3 enforcement
  • ✅ HSTS headers
  • ✅ Content integrity via Git-backed deployment

Residual Risk: Very Low - GitHub infrastructure security

Risk Treatment: Accept - Risk transferred to GitHub infrastructure


Threat T-021: Prompt Injection via EP Debate Content

Attribute Value
Threat ID T-021
STRIDE Category Elevation of Privilege, Tampering
MITRE ATT&CK T1059 (Command/Script Interpreter), T1565 (Data Manipulation)
Threat Agent Nation-State Actor, Disinformation Campaign
Likelihood Low-Medium (2/5)
Impact Medium (3/5) — Generated content steered by adversarial text
Risk Score Low-Medium (6/25)
Priority P2

Description: Adversarial text embedded in MCP-fetched EP debates, plenary transcripts, or MEP-authored documents contains instructions intended to steer downstream LLM generation (bypass safety, rewrite facts, inject URLs, or exfiltrate system prompts) during the gh-aw agentic news pipeline.

Existing Controls:

  • scripts/utils/validate-analysis-completeness.js scans FALLBACK_TEMPLATE_PATTERNS and AI_MARKER sentinels
  • ✅ Reference thresholds enforced: mcp-reliability-audit ≥200 words (breaking ≥385) and reference-analysis-quality ≥140 (breaking ≥190)
  • ✅ Sandboxed Docker execution + AWF Squid firewall egress allowlist
  • ✅ gh-aw safe-outputs limits scope to PR-only (no direct push to main)
  • ✅ Mandatory 2-pass iterative AI review before safe-outputs emission
  • ✅ Human PR review required before merge

Residual Risk: Low-Medium — Validator gate + 2-pass review reduce but do not eliminate sophisticated injection

Risk Treatment: Monitor — Extend validator corpus when new attack patterns are observed


Threat T-022: Reference Hallucination

Attribute Value
Threat ID T-022
STRIDE Category Tampering, Information Disclosure
MITRE ATT&CK T1565.001 (Stored Data Manipulation)
Threat Agent LLM Stochasticity, Insufficient Grounding
Likelihood Low-Medium (2/5)
Impact Medium (3/5) — Fabricated citations erode credibility
Risk Score Low-Medium (6/25)
Priority P2

Description: The LLM fabricates citations (EP document references, MEP names, voting dates, procedure IDs) that do not exist, producing plausible-looking but false parliamentary references in generated articles.

Existing Controls:

  • analysis/methodologies/reference-analysis-quality.md word-count gate (≥140, breaking ≥190)
  • ✅ Cross-reference validation in src/utils/validate-analysis-completeness.ts (compiled to scripts/utils/validate-analysis-completeness.js)
  • ✅ Mandatory 2-pass AI review (Pass 2 re-verifies every citation against MCP-retrieved evidence)
  • ✅ Human PR review catches remaining fabrications before merge
  • ✅ MCP fetches return canonical IDs which can be grep-verified against source output

Residual Risk: Low-Medium — Automated validator + human review catches most, but not all, hallucinations

Risk Treatment: Monitor — Extend validate-analysis-completeness.ts with reference-existence checks against MCP cache


Threat T-023: MCP Data Poisoning (EP/WB/IMF Upstream)

Attribute Value
Threat ID T-023
STRIDE Category Tampering, Spoofing
MITRE ATT&CK T1584 (Compromise Infrastructure), T1565 (Data Manipulation)
Threat Agent Nation-State Actor, Advanced Persistent Threat
Likelihood Low-Medium (2/5)
Impact Medium (3/5) — Poisoned data propagates to all 14 languages
Risk Score Low-Medium (6/25)
Priority P2

Description: Compromise of an upstream MCP data source (EP Open Data Portal, World Bank MCP, or IMF REST/SDMX 3.0) causes poisoned MEP records, voting data, or economic indicators to flow into generated articles. Extends T-013 to cover the expanded MCP surface after the Wave-2 OR-gate / Wave-3 strict-gate introduction. Under Wave-3, IMF (dataservices.imf.org) is the primary economic source; a compromise of that single host has higher impact than under Wave-2 because no parallel WB economic citation is required.

Existing Controls:

  • ✅ TLS 1.2+/1.3 on all outbound HTTPS to WB and IMF
  • ✅ Local EP MCP via Docker bridge (trust boundary is Docker bridge, not public internet)
  • ✅ Tool-list drift tests: IMF_MCP_TOOLS and WORLD_BANK_MCP_TOOLS asserted in test/integration/mcp/*
  • ✅ Stage-C completeness review enforces IMF-or-WB economic-context citation per .github/prompts/03-analysis-completeness-gate.md — if one source fails, the other satisfies the editorial policy
  • {status:"unavailable"} envelope handling degrades gracefully when a source is unreachable
  • src/utils/html-sanitize.ts sanitizes every MCP string before rendering

Residual Gap: EP MCP client does NOT yet export a canonical EP_MCP_TOOLS list → no drift test parity with IMF+WB.

Residual Risk: Low-Medium — OR-gate + sanitization limits impact; EP tool-list drift test pending

Risk Treatment: Monitor — Close EP tool-list gap (tracked in CRA gap table)


Threat T-024: Workflow Compile Drift

Attribute Value
Threat ID T-024
STRIDE Category Tampering, Elevation of Privilege
MITRE ATT&CK T1195 (Supply Chain Compromise), T1554 (Compromise Client Binary)
Threat Agent Malicious Contributor, Compromised Maintainer
Likelihood Low-Medium (2/5)
Impact Medium (3/5) — Agent bypasses policy encoded in lock-file
Risk Score Low-Medium (6/25)
Priority P2

Description: An agent workflow bypasses its compiled .lock.yml by shipping only the .md source without recompiling, causing the runtime executor to load a stale lock file while maintainers believe the new policy is active.

Existing Controls:

  • .github/workflows/compile-agentic-workflows.yml validates GH_AW_VERSION=v0.77.3 pin (manual workflow_dispatch — run before merging agentic-workflow changes)
  • ✅ Branch protection prevents merge when compile check fails (when manually triggered)
  • .lock.yml MUST match {{#runtime-import}} directive in the source .md
  • ✅ Branch protection prevents merge when compile check fails
  • actions-lock.json tracked in VCS for supply-chain auditability

Residual Risk: Low-Medium — Compile gate is strong but depends on branch-protection enforcement

Risk Treatment: Monitor — Quarterly review of branch-protection settings


Threat T-025: Max-Patch-Size Bypass

Attribute Value
Threat ID T-025
STRIDE Category Elevation of Privilege, Tampering
MITRE ATT&CK T1566 (Phishing), T1195 (Supply Chain Compromise)
Threat Agent Malicious Agent, Compromised LLM Session
Likelihood Low (1/5)
Impact Medium (3/5) — Large unreviewable patch in safe-outputs
Risk Score Low (3/25)
Priority P3

Description: A malicious or runaway agent emits a very large patch via safe-outputs that overwhelms human review capacity, hiding malicious edits within bulk legitimate-looking content.

Existing Controls:

  • max-patch-size: 1024 KB default applied to all gh-aw workflows
  • ✅ Elevated cap of 10240 KB ONLY at the news-translate top level, with documented justification (13 languages × ~1 MB each = ~13 MB fan-out)
  • ✅ Safe-outputs schema validation during gh-aw compile
  • ✅ PR review required for merge (no direct push)
  • ✅ GitHub diff UI renders large PRs as "load diff" — reviewers are explicitly prompted

Residual Risk: Low — Caps + PR review are strong; news-translate exception is auditable

Risk Treatment: Accept — Revisit cap values quarterly


Threat T-026: AWS / npm OIDC Policy Bypass

Attribute Value
Threat ID T-026
STRIDE Category Elevation of Privilege, Spoofing
MITRE ATT&CK T1078 (Valid Accounts), T1550 (Use Alternate Authentication)
Threat Agent Nation-State Actor, Advanced Persistent Threat
Likelihood Low (1/5)
Impact High (4/5) — Unauthorized npm publish or S3 deploy
Risk Score Low-Medium (4/25)
Priority P2

Description: An overly broad OIDC trust policy on AWS IAM or npm allows a workflow from a different repository, branch, or environment to assume the release role and publish/deploy unauthorized artifacts.

Existing Controls:

  • ✅ OIDC trust policies scoped to branch + repo subject claims (repo:Hack23/euparliamentmonitor:ref:refs/heads/main)
  • ✅ Least-privilege IAM role: S3 PutObject + CloudFront CreateInvalidation only
  • ✅ Least-privilege npm publish scope limited to euparliamentmonitor package
  • ✅ CloudTrail audit of all role assumptions
  • ✅ npm audit logs for every publish

Residual Risk: Low-Medium — Trust-policy drift is the primary residual concern

Risk Treatment: Monitor — Quarterly IAM policy + npm publish scope review


Threat T-027: Translation Pipeline Weaponization

Attribute Value
Threat ID T-027
STRIDE Category Tampering, Elevation of Privilege
MITRE ATT&CK T1565 (Data Manipulation), T1204 (User Execution)
Threat Agent Nation-State Actor, Disinformation Campaign
Likelihood Low-Medium (2/5)
Impact High (4/5) — 13-language fan-out amplifies bad content
Risk Score Medium (8/25) ⚠️ P1
Priority P1

Description: A bad actor uses the 13-language translation fan-out to scale disinformation: contaminated English source → 13 translations → published across all locales simultaneously, amplifying reach beyond what single-language manipulation could achieve.

Existing Controls:

  • news-translate.md §"AI-First Pre-Translation Gate" blocks contaminated English sources before fan-out
  • ✅ Reference thresholds (mcp-reliability-audit ≥200/385, reference-analysis-quality ≥140/190) apply to source English before translation
  • ✅ Human PR review required for merge (catches translation of contaminated source)
  • news-translate-reconciler.yml sweeps orphaned translations (one locale without matching source)
  • ✅ Pre-translation validator gate documented and enforced in lock file

Residual Risk: Medium — Pre-translation gate is the single point that must hold; if bypassed, all 13 locales are impacted simultaneously

Risk Treatment: Reduce — Harden pre-translation validator with additional sentinels; add per-locale post-translation spot-check


Threat T-028: gh-aw Toolchain Break (v0.77.3 pin)

Attribute Value
Threat ID T-028
STRIDE Category Denial of Service, Tampering
MITRE ATT&CK T1195 (Supply Chain Compromise)
Threat Agent Upstream Project Breakage, Dependency Drift
Likelihood Low-Medium (2/5)
Impact Low-Medium (2/5) — Pipeline halts until recompile
Risk Score Low-Medium (4/25)
Priority P3

Description: An upstream breaking change to gh-aw renders the compiled .lock.yml artifacts unexecutable (e.g., schema change, runtime-import signature change, executor removal), halting the 15 agentic workflows (14 article + 1 translate) until recompile + manual bump.

Existing Controls:

  • GH_AW_VERSION: v0.77.3 pinned in .github/workflows/compile-agentic-workflows.yml
  • actions-lock.json tracked in VCS
  • ✅ BCP Scenario 11 documents git-revert rollback procedure if bump fails
  • ✅ Drift detection via CI compile job on every PR (catches incompatible bumps early)
  • ✅ 10 .lock.yml files centrally recompiled when pin is changed

Residual Risk: Low-Medium — Pin + rollback procedure limits outage window to <24h RTO

Risk Treatment: Monitor — Watch gh-aw release notes beyond the current v0.77.3 pin and test-bump in fork before production


Threat T-029: Shell Expansion Injection in Agentic Workflows

Attribute Value
Threat ID T-029
STRIDE Category Tampering, Elevation of Privilege
MITRE ATT&CK T1059.004 (Unix Shell), T1027 (Obfuscated Files/Information), T1546 (Event-Triggered Execution)
Threat Agent Prompt-injection attacker (via EP debate text, IMF metadata, contributor PRs)
Likelihood Medium (3/5) — AI agents emit bash on every news-generation run
Impact High (4/5) — Arbitrary code execution inside the agentic sandbox
Risk Score High (12/25)
Priority P1

Description: A prompt-injection payload embedded in untrusted upstream content (parliamentary debate text, IMF dataset descriptions, contributor PR diff content) coerces an AI agent (Copilot/Claude/Codex) into emitting bash that uses dangerous expansion patterns — ${var@P} (parameter transformation re-eval), ${!var} (indirect expansion), ${A:-${B:-$(cmd)}} (nested default with command substitution), eval "$str", or $(cmd < $(inner)) (nested substitution with redirection). If the gh-aw shell-safety filter does not catch the pattern at parse time, or if a developer commits a hand-written scripts/*.sh that contains such a pattern, an attacker can pivot from injected content to arbitrary command execution inside the GitHub Actions runner — exfiltrating ephemeral tokens, modifying analysis artefacts before PR creation, or persisting via lock-file manipulation.

Existing Controls:

  • Drift-guard test (test/unit/shell-safety.test.js) — recursively scans every scripts/**.sh file against 9 forbidden-pattern regexes (nested parameter expansion, indirect expansion, parameter transformation @P/@Q/@E/@A/@K/@a, nested command substitution, default-with-command-substitution, redirection inside $(), adjacent ${RANDOM}${RANDOM}, eval). Runs in standard npm run test Vitest suite — gates every PR.
  • Prompt-level rules.github/prompts/00-scope-and-ground-rules.md §47 (short-form forbidden-pattern list, imported by every news-<type>.md workflow body) + .github/prompts/08-infrastructure.md §177-181 (long-form safe-replacement idioms) + .github/prompts/02-analysis-protocol.md §10 (mandates delegation to pre-audited scripts/*.sh helpers).
  • gh-aw shell-safety filter — sandbox-side parser rejects forbidden patterns at workflow execution time (defence-in-depth against patterns that escape the test suite).
  • AWF Squid egress firewall — even if RCE succeeds, outbound traffic is restricted to the upstream allowlist (no exfiltration to arbitrary hosts).
  • Ephemeral GITHUB_TOKEN — workflow-scoped, expires at job completion; least-privilege permissions: block per workflow.
  • Safe-outputs constraints — agent cannot push to protected branches; the only write path is safeoutputs___create_pull_request which lands a PR for review.

Attack Vectors:

  1. Prompt-injection via EP debate content — hostile MEP debate text crafted to coerce the agent into emitting ${VAR@P} or eval $(curl ...).
  2. Contributor PR with crafted scripts/*.sh — committed shell helper containing forbidden patterns; relies on test suite catching at PR-time.
  3. Workflow .md body editing — direct injection into .github/workflows/*.md bash blocks; must pass the gh-aw compile step + lint.

Residual Risk: Low-Medium — Three independent layers (test drift-guard + prompt rules + sandbox parser) + AWF egress containment. The dominant residual risk is a novel expansion pattern not covered by the regex set; mitigated by quarterly review of bash-injection literature and the gh-aw upstream filter rules.

Risk Treatment: Mitigate — Maintain the drift-guard test as part of the test/unit/ baseline; review prompt rules every release; subscribe to the gh-aw security advisory feed for new pattern disclosures.


Threat T-030: MCP Gateway Impersonation & Safe-Outputs Constraint Escape

Attribute Value
Threat ID T-030
STRIDE Category Spoofing, Elevation of Privilege, Information Disclosure
MITRE ATT&CK T1557 (Adversary-in-the-Middle), T1078 (Valid Accounts), T1199 (Trusted Relationship)
Threat Agent Compromised dependency, malicious MCP server registration, Docker bridge attacker
Likelihood Low (2/5) — Docker bridge is local-only, but supply-chain risk is real
Impact High (4/5) — Tampered analysis artefacts → flawed political-intelligence output
Risk Score Medium (8/25)
Priority P2

Description: Two related attack paths share the same trust-boundary surface:

  1. MCP Gateway Impersonation — a malicious process binds to host.docker.internal:8080 (or to a port advertised in /home/runner/.copilot/mcp-config.json) and serves crafted responses to the European Parliament MCP, IMF fetch-proxy, or World Bank MCP endpoints. The agentic workflow consumes the poisoned data and writes plausible-looking but factually false analysis artefacts. Because the agent is gradient-corrected toward Economist-quality prose, the resulting articles would still pass Stage-C completeness gates while encoding the attacker's narrative.
  2. Safe-Outputs Constraint Escape — the safe-outputs subsystem enforces that the only way an agent can mutate the repository is via a constrained create_pull_request call (no direct push, no branch deletion, no protected-ref edits). An attacker who finds a parser bug in the safe-outputs validator, or who tampers with the compiled .lock.yml between compile and execute, could inject extra mutations (e.g. modifying package-lock.json to introduce a typosquat).

Existing Controls:

  • Local-only MCP transportEP_MCP_GATEWAY_URL defaults to host.docker.internal:8080. The Docker bridge is not reachable from outside the runner; impersonation requires a co-located malicious container.
  • Auth-token extraction via scripts/mcp-setup.sh — uses node -e JSON parsing, not shell expansion of untrusted JSON values; eliminates the class of "API key injected via shell metacharacter" attacks.
  • 180s MCP timeout (MCP_CLIENT_TIMEOUT_MS=180000) — bounds the blast radius of a hung or slow-loris MCP impersonator.
  • Drift-proofing tool list assertionstest/integration/mcp/imf-mcp.test.js, worldbank-mcp.test.js, and ep-mcp.test.js assert that the tool catalogue exposed by each MCP server matches the canonical exports in src/mcp/*-mcp-client.ts. Any silent tool addition (a likely impersonation indicator) fails CI.
  • Cross-source triangulation — IMF + EP + World Bank are independent providers. Stage-C validators flag claims supported by only one source; the editorial IMF-primary policy means any economic claim must reconcile across IMF and the article narrative.
  • Lock-file compilation (compile-agentic-workflows.yml) — compiles .github/workflows/*.md to .lock.yml deterministically; PR diff review catches unexpected changes to the compiled artefact.
  • Safe-outputs schema validation — the agent's create_pull_request call payload is schema-validated; non-conforming mutations are rejected before reaching the GitHub API.
  • max-patch-size cap — limits how large a single safe-output PR can be, bounding the impact of a successful escape (T-025 covers the bypass attempt).
  • OIDC for AWS / npm — no long-lived deployment credentials accessible to a compromised MCP server.

Attack Vectors:

  1. Co-located malicious container binding host.docker.internal:8080 first (race condition with the legitimate MCP gateway). Mitigated by gh-aw startup sequencing + drift-proofing tool list checks.
  2. **Compromised european-parliament-mcp-server npm package (T-002 / T-012 coverage). Pinned to 1.3.12 with provenance verification.
  3. Parser bug in the safe-outputs validator allowing extra fields. Mitigated by gh-aw upstream test coverage + lock-file diff review.
  4. .lock.yml tampering between compile and execute (T-024 coverage).

Residual Risk: Low — Docker-bridge locality + drift-proofing + cross-source triangulation + safe-outputs schema together cap exploitability. Residual risk is dominated by undisclosed parser bugs in the gh-aw safe-outputs validator (out of repository control).

Risk Treatment: Mitigate — Maintain drift-proofing tool list assertions; subscribe to gh-aw security advisories; quarterly review of .lock.yml diff patterns for anomalies.


🤖 AI Security Analysis — OWASP LLM Top 10 Mapping

Per Hack23 AI Policy and OWASP LLM Security Policy

This section maps the OWASP Top 10 for LLM Applications 2025 to the EU Parliament Monitor's agentic workflow architecture, documenting implemented controls, residual risk, and planned mitigations.

🗺️ AI Threat Landscape Overview

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#e8eaf6',
      'primaryTextColor': '#1a237e',
      'lineColor': '#3f51b5',
      'secondaryColor': '#fff3e0',
      'tertiaryColor': '#e8f5e9'
    }
  }
}%%
flowchart TD
    subgraph INPUT_THREATS["🚨 Input Threats"]
        LLM01[🎯 LLM01 Prompt Injection]
        LLM07[🔓 LLM07 System Prompt Leakage]
    end

    subgraph DATA_THREATS["📂 Data Threats"]
        LLM02[📋 LLM02 Sensitive Info Disclosure]
        LLM04[☠️ LLM04 Data Poisoning]
        LLM08[📍 LLM08 Vector and Embedding Weaknesses]
    end

    subgraph INTEGRATION_THREATS["🔗 Integration Threats"]
        LLM03[📦 LLM03 Supply Chain Vulnerabilities]
        LLM05[⚠️ LLM05 Improper Output Handling]
        LLM06[🤖 LLM06 Excessive Agency]
    end

    subgraph OPERATIONAL_THREATS["⚡ Operational Threats"]
        LLM09[❌ LLM09 Misinformation]
        LLM10[🔌 LLM10 Unbounded Consumption]
    end

    subgraph GH_AW_CONTROLS["🛡️ gh-aw Defense Controls"]
        AWF[🔥 Agent Workflow Firewall]
        SAFE[📦 SafeOutputs Isolation]
        MCP[🔌 MCP Sandboxing]
        DETECT[🔍 Threat Detection Pipeline]
        COMPILE[⚙️ Compilation-Time Security]
        SANITIZE[🧹 Content Sanitization]
    end

    LLM01 -.->|mitigated by| AWF
    LLM01 -.->|mitigated by| COMPILE
    LLM05 -.->|mitigated by| SANITIZE
    LLM06 -.->|mitigated by| SAFE
    LLM06 -.->|mitigated by| MCP
    LLM03 -.->|mitigated by| COMPILE
    LLM09 -.->|mitigated by| DETECT
    LLM02 -.->|mitigated by| SAFE
    LLM10 -.->|mitigated by| AWF

    style LLM01 fill:#ffcdd2,stroke:#c62828,color:#000
    style LLM06 fill:#ffcdd2,stroke:#c62828,color:#000
    style LLM09 fill:#ffe0b2,stroke:#ef6c00,color:#000
    style LLM03 fill:#fff9c4,stroke:#f9a825,color:#000
    style LLM05 fill:#fff9c4,stroke:#f9a825,color:#000
    style AWF fill:#c8e6c9,stroke:#2e7d32,color:#000
    style SAFE fill:#c8e6c9,stroke:#2e7d32,color:#000
    style MCP fill:#c8e6c9,stroke:#2e7d32,color:#000
    style DETECT fill:#c8e6c9,stroke:#2e7d32,color:#000
    style COMPILE fill:#c8e6c9,stroke:#2e7d32,color:#000
    style SANITIZE fill:#c8e6c9,stroke:#2e7d32,color:#000
Loading

📋 OWASP LLM Top 10 — EU Parliament Monitor Control Matrix

# OWASP LLM Threat Risk to Platform Implemented Controls gh-aw Layer Status
🎯 LLM01 Prompt Injection Agent workflow manipulation via crafted EP data ✅ AWF egress control ✅ Compilation-time validation (actionlint, zizmor, poutine) ✅ Workflow prompt compilation (.lock.yml) ✅ Input schema validation Layer 2 + Layer 3 🟢 Strong
📋 LLM02 Sensitive Information Disclosure Leaking internal config, API keys in generated content ✅ SafeOutputs isolation (read-only agent) ✅ Secret scanning in CI ✅ No credentials in workflow outputs ✅ Content sanitization Layer 1 + Layer 3 🟢 Strong
📦 LLM03 Supply Chain Vulnerabilities Compromised model providers, malicious MCP servers ✅ Pinned gh-aw version (v0.77.3) ✅ SBOM generation ✅ Dependabot + CodeQL ✅ MCP server allowlisting ✅ zizmor + poutine static analysis Layer 2 🟢 Strong
☠️ LLM04 Data Poisoning Corrupted EP data causing biased news generation ✅ Official EP Open Data Portal only ✅ Multi-source triangulation ✅ Schema validation ✅ Data freshness checks ✅ Human review pipeline Layer 3 🟡 Moderate
⚠️ LLM05 Improper Output Handling Unsafe HTML/Markdown injection in generated articles SafeHtmlString branded types ✅ Content sanitization (XML/HTML conversion, URI filtering) ✅ @mention neutralization ✅ Bot trigger protection ✅ Control char removal Layer 3 🟢 Strong
🤖 LLM06 Excessive Agency Agent performing unauthorized actions (pushing malicious code) ✅ SafeOutputs (agent = read-only, writes buffered as artifacts) ✅ Separate safe-output jobs with scoped permissions ✅ MCP tool allowlisting ✅ No direct push capability Layer 1 + Layer 3 🟢 Strong
🔓 LLM07 System Prompt Leakage Workflow prompts exposed via generated content .lock.yml compilation separates prompts from runtime ✅ Prompt content not in output artifacts ✅ Error handling prevents prompt echo Layer 2 🟡 Moderate
📍 LLM08 Vector and Embedding Weaknesses N/A — no vector DB or RAG in current architecture ℹ️ Not applicable (static site, no embeddings) N/A
LLM09 Misinformation AI-generated parliamentary news containing hallucinations ✅ Multi-source EP data triangulation ✅ Threat detection pipeline (hallucination checks) ✅ Human review gates ✅ AI disclaimer labeling ✅ Source citation requirements Layer 3 🟡 Moderate
🔌 LLM10 Unbounded Consumption Runaway workflow costs, API exhaustion timeout-minutes: 60 cap per workflow ✅ AWF egress rate limiting ✅ Workflow concurrency limits ✅ Budget monitoring Layer 2 🟢 Strong

🎯 AI Security Risk Heatmap

Category LLM Threats Overall Risk Controls Active Residual
🚨 Input LLM01, LLM07 Medium AWF, Compilation, Lock files Low
📂 Data LLM02, LLM04, LLM08 Low-Medium SafeOutputs, Schema validation, N/A Low
🔗 Integration LLM03, LLM05, LLM06 Medium Pinning, Sanitization, SafeOutputs Low
Operational LLM09, LLM10 Medium Detection pipeline, Timeouts Low-Medium

🏛️ Democratic AI-Specific Threats

AI threats with particular relevance to democratic transparency and parliamentary monitoring:

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#e3f2fd',
      'primaryTextColor': '#0d47a1',
      'lineColor': '#1976d2',
      'secondaryColor': '#fce4ec',
      'tertiaryColor': '#f3e5f5'
    }
  }
}%%
flowchart TD
    subgraph AI_DEMOCRATIC_THREATS["🏛️ AI Threats to Democracy"]
        T_DEEPFAKE[🎭 AI-Generated Deepfakes of MEPs]
        T_DISINFO[📰 AI-Powered Disinformation Campaigns]
        T_BIAS[⚖️ Algorithmic Bias in Coverage]
        T_NARRATIVE[🗣️ LLM Manipulation of Political Narratives]
        T_ASTROTURF[🤖 AI-Powered Astroturfing]
        T_SUPPRESS[🔇 Algorithmic Suppression of Dissent]
    end

    subgraph DEMOCRATIC_IMPACTS["🗳️ Impacts on Democracy"]
        I_TRUST[💔 Erosion of Public Trust]
        I_PARTICIPATION[📉 Reduced Civic Participation]
        I_POLARIZATION[⚡ Political Polarization]
        I_ACCOUNTABILITY[🔍 Weakened Accountability]
        I_MANIPULATION[🎯 Electoral Manipulation]
    end

    subgraph EU_DEFENSES["🇪🇺 EU Parliament Monitor Defenses"]
        D_TRANSPARENCY[📖 Open Source Transparency]
        D_MULTISOURCE[🔗 Multi-Source Verification]
        D_MULTILANG[🌍 14-Language Cross-Check]
        D_HUMAN[👤 Human Editorial Review]
        D_AUDIT[📋 Full Audit Trail]
        D_DISCLAIMER[⚠️ AI Content Labeling]
    end

    T_DEEPFAKE --> I_TRUST
    T_DISINFO --> I_POLARIZATION
    T_BIAS --> I_ACCOUNTABILITY
    T_NARRATIVE --> I_MANIPULATION
    T_ASTROTURF --> I_PARTICIPATION
    T_SUPPRESS --> I_ACCOUNTABILITY

    D_TRANSPARENCY -.->|counters| T_DISINFO
    D_MULTISOURCE -.->|counters| T_DEEPFAKE
    D_MULTILANG -.->|counters| T_BIAS
    D_HUMAN -.->|counters| T_NARRATIVE
    D_AUDIT -.->|counters| T_ASTROTURF
    D_DISCLAIMER -.->|counters| T_SUPPRESS

    style T_DEEPFAKE fill:#ffcdd2,stroke:#c62828,color:#000
    style T_DISINFO fill:#ffcdd2,stroke:#c62828,color:#000
    style T_BIAS fill:#ffe0b2,stroke:#ef6c00,color:#000
    style T_NARRATIVE fill:#ffe0b2,stroke:#ef6c00,color:#000
    style T_ASTROTURF fill:#fff9c4,stroke:#f9a825,color:#000
    style T_SUPPRESS fill:#fff9c4,stroke:#f9a825,color:#000
    style D_TRANSPARENCY fill:#c8e6c9,stroke:#2e7d32,color:#000
    style D_MULTISOURCE fill:#c8e6c9,stroke:#2e7d32,color:#000
    style D_MULTILANG fill:#c8e6c9,stroke:#2e7d32,color:#000
    style D_HUMAN fill:#c8e6c9,stroke:#2e7d32,color:#000
    style D_AUDIT fill:#c8e6c9,stroke:#2e7d32,color:#000
    style D_DISCLAIMER fill:#c8e6c9,stroke:#2e7d32,color:#000
Loading
Democratic AI Threat OWASP LLM Attack Vector Impact on EU Democracy Mitigation
🎭 AI-Generated Deepfakes LLM09 Synthetic media impersonating MEPs to spread false statements Voter deception, institutional delegitimization Multi-source EP data verification, official source anchoring, AI provenance tracking
📰 AI Disinformation Campaigns LLM09, LLM01 Coordinated injection of false narratives about EP proceedings Political polarization, reduced trust in democratic institutions Multi-language cross-verification, temporal consistency checks, editorial review gates
⚖️ Algorithmic Bias LLM04, LLM09 Training data biases amplifying coverage of certain political groups Unfair representation, democratic imbalance EP-official data only, balanced coverage monitoring, multi-language parity checks
🗣️ Narrative Manipulation LLM01, LLM05 Prompt injection to alter editorial framing of parliamentary votes Public opinion manipulation, policy misunderstanding Compiled workflow prompts (.lock.yml), output content sanitization, threat detection
🤖 AI Astroturfing LLM06, LLM10 Using compromised agents to generate synthetic public commentary False consensus signals, democratic process subversion SafeOutputs isolation, no direct citizen interaction, output artifact review
🔇 Algorithmic Suppression LLM04, LLM06 Biasing LLM to systematically under-report certain MEP activities Selective transparency, accountability gaps Complete EP data coverage requirements, coverage balance monitoring, editorial oversight

🛡️ gh-aw Defense-in-Depth Architecture

GitHub Agentic Workflows (gh-aw) security architecture as implemented in EU Parliament Monitor (15 agentic workflows, pinned at v0.77.3)

The gh-aw platform provides a 3-layer defense-in-depth architecture that forms the security foundation for all AI-powered news generation workflows. This section documents the security controls per gh-aw architecture documentation.

🏗️ Three-Layer Security Architecture

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#e8eaf6',
      'primaryTextColor': '#1a237e',
      'lineColor': '#3f51b5',
      'secondaryColor': '#e8f5e9',
      'tertiaryColor': '#fff3e0'
    }
  }
}%%
flowchart TD
    subgraph LAYER1["🔒 Layer 1: Substrate-Level Trust"]
        direction LR
        L1_DOCKER[🐳 Docker Container Isolation]
        L1_NETWORK[🌐 Network Namespace Separation]
        L1_IPTABLES[🔥 iptables Egress Filtering]
        L1_READONLY[📖 Read-Only Repository Access]
        L1_NOPUSH[🚫 No Direct Push Capability]
    end

    subgraph LAYER2["⚙️ Layer 2: Configuration-Level Trust"]
        direction LR
        L2_LOCK[🔐 Workflow Lock File Compilation]
        L2_ALLOWLIST[📋 Domain Allowlisting via Squid]
        L2_TOOLS[🔧 MCP Tool Allowlisting]
        L2_TIMEOUT[⏰ Timeout Enforcement 60min]
        L2_PIN[📌 Version Pinning v0.77.3]
    end

    subgraph LAYER3["📋 Layer 3: Plan-Level Trust"]
        direction LR
        L3_SAFE[📦 SafeOutputs Artifact Buffering]
        L3_DETECT[🔍 Threat Detection Pipeline]
        L3_SANITIZE[🧹 Content Sanitization]
        L3_REVIEW[👤 Human Review Gates]
        L3_SCHEMA[📐 Output Schema Validation]
    end

    LAYER1 --> LAYER2
    LAYER2 --> LAYER3

    style LAYER1 fill:#e3f2fd,stroke:#1565c0,color:#000
    style LAYER2 fill:#e8f5e9,stroke:#2e7d32,color:#000
    style LAYER3 fill:#fff3e0,stroke:#e65100,color:#000
    style L1_DOCKER fill:#bbdefb,stroke:#1565c0,color:#000
    style L1_NETWORK fill:#bbdefb,stroke:#1565c0,color:#000
    style L1_IPTABLES fill:#bbdefb,stroke:#1565c0,color:#000
    style L1_READONLY fill:#bbdefb,stroke:#1565c0,color:#000
    style L1_NOPUSH fill:#bbdefb,stroke:#1565c0,color:#000
    style L2_LOCK fill:#c8e6c9,stroke:#2e7d32,color:#000
    style L2_ALLOWLIST fill:#c8e6c9,stroke:#2e7d32,color:#000
    style L2_TOOLS fill:#c8e6c9,stroke:#2e7d32,color:#000
    style L2_TIMEOUT fill:#c8e6c9,stroke:#2e7d32,color:#000
    style L2_PIN fill:#c8e6c9,stroke:#2e7d32,color:#000
    style L3_SAFE fill:#ffe0b2,stroke:#e65100,color:#000
    style L3_DETECT fill:#ffe0b2,stroke:#e65100,color:#000
    style L3_SANITIZE fill:#ffe0b2,stroke:#e65100,color:#000
    style L3_REVIEW fill:#ffe0b2,stroke:#e65100,color:#000
    style L3_SCHEMA fill:#ffe0b2,stroke:#e65100,color:#000
Loading

🔒 Layer 1: Substrate-Level Trust (Platform Enforcement)

Controls enforced by the gh-aw runtime platform — cannot be bypassed by workflow authors or agents:

Control Mechanism Security Property EU Parliament Monitor Application
🐳 Container Isolation Docker container per workflow run Process isolation, filesystem separation Each news-generation workflow runs in isolated container
🌐 Network Namespace Separate network namespace per container Network isolation from host and other containers Agent cannot access GitHub internal networks or other runners
🔥 iptables Egress Kernel-level packet filtering Prevent unauthorized outbound connections Only allowlisted EP API endpoints reachable
📖 Read-Only Clone Repository mounted read-only to agent Prevent source code tampering Agent reads prompts and templates but cannot modify them
🚫 No Push Git push disabled in agent context Prevent unauthorized code deployment All output goes through SafeOutputs artifact path
🔑 Token Scoping Minimal GitHub token permissions Least privilege access Agent token has contents: read only during generation

⚙️ Layer 2: Configuration-Level Trust (Repository Owner Controls)

Controls configured by the repository maintainer in workflow definitions:

Control Mechanism Security Property EU Parliament Monitor Application
🔐 Lock File Compilation .md.lock.yml compilation via actionlint + zizmor + poutine Prompt integrity, static analysis Prevents runtime prompt manipulation; 15 workflows compiled
📋 Domain Allowlist Squid proxy with explicit domain allowlist (AWF) Egress filtering, data exfiltration prevention Only data.europarl.europa.eu, europarl.europa.eu, api.imf.org allowed
🔧 MCP Tool Allowlist Explicit tool enumeration per MCP server Capability restriction Only EP MCP client tools enabled per workflow
Timeout Enforcement timeout-minutes: 60 hard cap Denial of service prevention Emergency flush at 40 min elapsed; prevents runaway costs
📌 Version Pinning GH_AW_VERSION=v0.77.3 explicit pin Supply chain integrity Prevents auto-upgrade to potentially vulnerable versions
📏 Patch Size Limit max-patch-size: 10240 KB Output size control Prevents exfiltration of large data blobs via patches

📋 Layer 3: Plan-Level Trust (Runtime Verification)

Controls applied during and after workflow execution to validate outputs:

Control Mechanism Security Property EU Parliament Monitor Application
📦 SafeOutputs Agent writes → artifact buffer → threat detection → separate safe-output job Permission isolation Generated articles reviewed before any write permission granted
🔍 Threat Detection Multi-stage pipeline scanning output artifacts Malicious content detection Detects prompt injection attempts, malicious links, script injection
🧹 Content Sanitization 7-layer sanitization pipeline Output safety @mention neutralization, bot trigger protection, XML/HTML conversion, URI filtering, special char handling, content limits, control char removal
👤 Human Review PAT PR fallback with manual review gates Human-in-the-loop Failed safe-outputs trigger PAT-based PR for human review
📐 Schema Validation Output structure validation against expected schema Data integrity Article metadata, frontmatter, and content structure validated

🔥 Agent Workflow Firewall (AWF) Detail

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#e8f5e9',
      'primaryTextColor': '#1b5e20',
      'lineColor': '#4caf50',
      'secondaryColor': '#fff3e0',
      'tertiaryColor': '#fce4ec'
    }
  }
}%%
flowchart LR
    subgraph AGENT["🤖 Agent Container"]
        CODE[📝 Generated Content]
        API_CALL[🌐 API Requests]
        TOOL_CALL[🔧 MCP Tool Calls]
    end

    subgraph AWF_LAYER["🔥 Agent Workflow Firewall"]
        SQUID[🦑 Squid Proxy]
        IPTABLES[🔥 iptables Rules]
        DNS[📡 DNS Filtering]
    end

    subgraph ALLOWED["✅ Allowed Destinations"]
        EP_API[🏛️ EP Open Data Portal]
        EP_DOCS[📄 europarl.europa.eu]
        IMF_API[💰 IMF SDMX API]
    end

    subgraph BLOCKED["🚫 Blocked"]
        MALICIOUS[☠️ C2 Servers]
        EXFIL[📤 Data Exfiltration]
        UNAUTH[🔒 Unauthorized APIs]
    end

    CODE --> SQUID
    API_CALL --> SQUID
    TOOL_CALL --> SQUID
    SQUID --> IPTABLES
    IPTABLES --> EP_API
    IPTABLES --> EP_DOCS
    IPTABLES --> IMF_API
    IPTABLES -.->|DENY| MALICIOUS
    IPTABLES -.->|DENY| EXFIL
    IPTABLES -.->|DENY| UNAUTH

    style SQUID fill:#a5d6a7,stroke:#2e7d32,color:#000
    style IPTABLES fill:#a5d6a7,stroke:#2e7d32,color:#000
    style DNS fill:#a5d6a7,stroke:#2e7d32,color:#000
    style EP_API fill:#c8e6c9,stroke:#2e7d32,color:#000
    style EP_DOCS fill:#c8e6c9,stroke:#2e7d32,color:#000
    style IMF_API fill:#c8e6c9,stroke:#2e7d32,color:#000
    style MALICIOUS fill:#ffcdd2,stroke:#c62828,color:#000
    style EXFIL fill:#ffcdd2,stroke:#c62828,color:#000
    style UNAUTH fill:#ffcdd2,stroke:#c62828,color:#000
Loading

🧹 Content Sanitization Pipeline

The 7-layer sanitization pipeline processes all agent-generated content before it reaches the repository:

Layer Sanitization Threat Mitigated Implementation
1️⃣ @Mention Neutralization Strip/escape GitHub @mentions Social engineering, unwanted notifications Regex replacement in output processing
2️⃣ Bot Trigger Protection Remove patterns that trigger GitHub bots Unauthorized automation, workflow recursion Pattern matching for bot command prefixes
3️⃣ XML/HTML Conversion Sanitize markup to safe subset XSS, HTML injection, script execution SafeHtmlString branded types, allowlisted tags
4️⃣ URI Filtering Validate and sanitize all URLs Phishing links, malicious redirects, data exfiltration URL scheme allowlisting (https only), domain validation
5️⃣ Special Character Handling Escape shell metacharacters, path traversal Command injection, path traversal Character class filtering, path canonicalization
6️⃣ Content Size Limits Enforce maximum content length Buffer overflow, resource exhaustion max-patch-size: 10240 KB enforcement
7️⃣ Control Character Removal Strip non-printable control characters Terminal injection, log manipulation Unicode category filtering

⚙️ Compilation-Time Security

Static analysis tools applied during workflow compilation (.md.lock.yml):

Tool Purpose Threats Detected
🔍 actionlint GitHub Actions workflow linting Syntax errors, undefined references, type mismatches
🛡️ zizmor Security-focused Actions analyzer Token exposure, injection vulnerabilities, permission escalation
🐻 poutine Supply chain security scanner Unpinned actions, known-vulnerable dependencies, artifact poisoning
📐 Schema Validation Workflow structure validation Invalid configurations, missing required fields

📊 gh-aw Security Effectiveness Matrix

Attack Scenario Layer 1 Layer 2 Layer 3 Overall
🎯 Prompt injection to exfiltrate secrets ✅ No secrets in agent scope ✅ Egress filtering blocks exfil ✅ Threat detection catches attempts 🟢 Blocked
📤 Agent pushes malicious code ✅ No push capability ✅ Lock file prevents flow change ✅ SafeOutputs buffers all writes 🟢 Blocked
🌐 Agent contacts C2 server ✅ Network namespace isolation ✅ AWF domain allowlist ✅ N/A (blocked before Layer 3) 🟢 Blocked
🔄 Workflow recursion bomb ✅ Container resource limits ✅ Timeout enforcement (60 min) ✅ Concurrency limits 🟢 Blocked
📝 Inject XSS in generated HTML ✅ N/A (output path) ✅ N/A (output path) ✅ 7-layer sanitization pipeline 🟢 Blocked
🤖 Agent impersonates maintainer ✅ Token scoping (read-only) ✅ No write permissions in agent ✅ PAT PR fallback requires human 🟢 Blocked
☠️ Poisoned MCP server response ✅ Container isolation limits blast ✅ MCP tool allowlisting ✅ Output schema validation 🟡 Mitigated
📊 Hallucinated parliamentary data ⚪ N/A ⚪ N/A ✅ Multi-source triangulation + detection 🟡 Mitigated

🏛️ European Parliament-Specific Threats

🇪🇺 Parliamentary Data Integrity Threats

Following democratic transparency requirements from CLASSIFICATION.md:

📊 Parliamentary Data Manipulation Scenarios

Parliamentary Element Threat Impact Mitigation Validation
👥 MEP Information Incorrect biographical data, voting records Democratic transparency, voter trust EP MCP schema validation, official source verification Cross-reference with official EP database
📋 Committee Data Misleading committee assignments, responsibilities Policy understanding, democratic accountability EP API validation, data freshness checks Committee membership verification
🗳️ Plenary Sessions Incorrect session data, voting outcomes Legislative transparency, public trust Session data schema validation, temporal checks Official EP session records
🌍 Multi-Language Content Translation errors, cultural bias injection 14-language accessibility, inclusivity Language-specific validation, cultural review Native speaker validation per language
📜 Legislative Documents Document reference errors, misattribution Policy accuracy, research integrity Document ID validation, cross-referencing Official EP document database

🗳️ Democratic Transparency Threats

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#e8eaf6',
      'primaryTextColor': '#1a237e',
      'lineColor': '#3f51b5',
      'secondaryColor': '#f3e5f5',
      'tertiaryColor': '#e8f5e9'
    }
  }
}%%
flowchart TD
    subgraph DEMOCRATIC_THREATS["🗳️ Democratic Transparency Threats"]
        BIAS[📰 News Bias Injection]
        MISINFO[💭 Misinformation Spread]
        MANIPULATION[🎭 Democratic Process Manipulation]
        TRUST_EROSION[🔍 Public Trust Erosion]
        AI_DISINFO[🤖 AI-Generated Disinformation]
        DEEPFAKE[🎬 Synthetic Media Attacks]
    end

    subgraph ATTACK_METHODS["⚔️ Attack Methods"]
        GRADUAL[🔄 Gradual Content Corruption]
        TIMING[⏰ Strategic Timing Exploitation]
        LANG_TARGET[🌍 Language-Specific Targeting]
        SELECTIVE[📊 Selective Data Presentation]
        PROMPT_INJECT[🎯 Prompt Injection via EP Data]
        TRAINING_BIAS[📐 Training Data Manipulation]
    end

    subgraph PARLIAMENTARY_IMPACTS["🏛️ Parliamentary Impacts"]
        VOTER_CONFUSION[🗳️ Voter Confusion]
        POLICY_MISUNDERSTANDING[📜 Policy Misunderstanding]
        MEP_REPUTATION[👥 MEP Reputation Damage]
        INSTITUTIONAL_HARM[🏛️ Institutional Trust Damage]
        ELECTORAL_INTERFERENCE[⚡ Electoral Process Interference]
        ACCOUNTABILITY_GAP[🔓 Democratic Accountability Gap]
    end

    BIAS --> GRADUAL
    MISINFO --> TIMING
    MANIPULATION --> LANG_TARGET
    TRUST_EROSION --> SELECTIVE
    AI_DISINFO --> PROMPT_INJECT
    DEEPFAKE --> TRAINING_BIAS

    GRADUAL --> VOTER_CONFUSION
    TIMING --> POLICY_MISUNDERSTANDING
    LANG_TARGET --> MEP_REPUTATION
    SELECTIVE --> INSTITUTIONAL_HARM
    PROMPT_INJECT --> ELECTORAL_INTERFERENCE
    TRAINING_BIAS --> ACCOUNTABILITY_GAP

    style BIAS fill:#ffcdd2,stroke:#c62828,color:#000
    style MISINFO fill:#ffe0b2,stroke:#ef6c00,color:#000
    style MANIPULATION fill:#f3e5f5,stroke:#6a1b9a,color:#000
    style TRUST_EROSION fill:#e3f2fd,stroke:#1565c0,color:#000
    style AI_DISINFO fill:#ffcdd2,stroke:#c62828,color:#000
    style DEEPFAKE fill:#ffcdd2,stroke:#c62828,color:#000
    style ELECTORAL_INTERFERENCE fill:#ffcdd2,stroke:#c62828,color:#000
    style ACCOUNTABILITY_GAP fill:#ffe0b2,stroke:#ef6c00,color:#000
Loading

🌍 Multi-Language Content Manipulation

🔤 Translation Integrity Threats

Language Threat Cultural Impact Mitigation Validation
🇩🇪 German (de) Formal/informal register manipulation Political tone misrepresentation Native speaker review, context validation German political discourse expert
🇫🇷 French (fr) Political terminology mistranslation Policy misinterpretation French parliamentary terminology expert EU French language service
🇪🇸 Spanish (es) Regional dialect bias (Spain vs. Latin America) Geographic inclusivity Neutral Spanish usage, expert review Spanish linguistic diversity expert
�🇪 Swedish (sv) Nordic political terminology Swedish political culture representation Swedish EU terminology expert Swedish EU correspondent
🇩🇰 Danish (da) Danish political nuance Danish democratic culture Danish political expert Danish EU journalist
🇳🇴 Norwegian (no) Norwegian political terminology Norwegian political culture representation Norwegian EU terminology expert Norwegian EU correspondent
🇫🇮 Finnish (fi) Finnish parliamentary terms Finnish political system understanding Finnish parliamentary glossary Finnish EU expert
🇳🇱 Dutch (nl) Parliamentary term accuracy Dutch parliamentary procedure understanding Official Dutch EP glossary Dutch parliamentary expert
🇸🇦 Arabic (ar) RTL layout and political sensitivity Arabic political discourse Arabic political expert, RTL validation Arabic EU analyst
🇮🇱 Hebrew (he) RTL layout and terminology accuracy Hebrew political culture Hebrew political expert, RTL validation Hebrew EU correspondent
🇯🇵 Japanese (ja) Honorific and formal register accuracy Japanese political culture representation Japanese EU terminology expert Japanese political analyst
🇰🇷 Korean (ko) Korean political terminology Korean political culture representation Korean EU terminology expert Korean political analyst
🇨🇳 Chinese (zh) Simplified vs. Traditional, political nuance Chinese political discourse representation Chinese EU specialist Chinese political analyst

🌐 Cultural Bias Detection Framework

Systematic Multi-Language Validation:

  • ✅ Native speaker review for each language (14 languages)
  • ✅ Cultural context preservation across translations
  • ✅ Political terminology accuracy verification
  • ✅ Gender-neutral language where culturally appropriate
  • ✅ Regional sensitivity (avoiding dialect bias)
  • ✅ Consistent political tone across all languages

Bias Detection Mechanisms:

  • 🔍 Automated sentiment analysis per language
  • 🔍 Comparative analysis across language versions
  • 🔍 Expert review for political terminology
  • 🔍 Community feedback integration
  • 🔍 Regular linguistic audits

📊 Comprehensive Threat Agent Analysis

👥 Threat Agent Classification

Following Threat Agent Analysis methodology:

🏛️ Agent Type 1: Nation-State Actors

Attribute Assessment
Motivation Political interference, election influence, undermining EU democratic institutions
Capability High — Advanced persistent threat (APT), custom tooling, patient long-term operations
Resources Unlimited — State-funded with dedicated cyber units and intelligence services
Tactics Subtle data manipulation, targeted language exploitation, supply chain infiltration
Preferred ATT&CK Techniques T1565 (Data Manipulation), T1195 (Supply Chain), T1566 (Phishing), T1078 (Valid Accounts)
Priority Targets News content integrity, MEP voting records, multi-language content accuracy
Threat Priority Critical

💰 Agent Type 2: Cybercriminals

Attribute Assessment
Motivation Financial gain through compute resource abuse, reputation extortion, data resale
Capability Medium — Professional tooling, organized groups, exploit marketplace access
Resources Medium — Profit-driven with reinvested returns
Tactics Supply chain attacks, dependency confusion, CI/CD hijacking for cryptomining
Preferred ATT&CK Techniques T1195 (Supply Chain), T1525 (Implant Image), T1059 (Script Interpreter)
Priority Targets GitHub Actions compute, npm dependency chain, repository credentials
Threat Priority High

🎭 Agent Type 3: Hacktivists

Attribute Assessment
Motivation Political agenda promotion, EU institution discrediting, visibility and attention
Capability Medium — Motivated individuals, public exploit tools, social engineering skills
Resources Low-Medium — Volunteer-based, crowd-sourced
Tactics Website defacement, content manipulation during elections, social media amplification
Preferred ATT&CK Techniques T1491 (Defacement), T1078 (Valid Accounts), T1566 (Phishing)
Priority Targets Public-facing content, election-period news, high-visibility MEP pages
Threat Priority Medium

👤 Agent Type 4: Malicious Insiders

Attribute Assessment
Motivation Ideological bias, financial incentive, coercion by external actors
Capability High — Trusted access, deep system knowledge, ability to bypass external controls
Resources Low — Individual actor, but leverages existing legitimate access
Tactics Subtle bias injection in translation strings, gradual content manipulation, backdoor insertion
Preferred ATT&CK Techniques T1078 (Valid Accounts), T1565 (Data Manipulation), T1059 (Script Interpreter)
Priority Targets News generation templates, language files, source code
Threat Priority Medium

🔧 Agent Type 5: Accidental Insiders

Attribute Assessment
Motivation Unintentional errors, lack of training, misunderstanding of political context
Capability Low — No malicious intent, but errors can have significant impact
Resources N/A — Legitimate contributors making honest mistakes
Tactics Incorrect EP data mapping, translation errors, configuration mistakes
Preferred ATT&CK Techniques N/A — Not adversarial; impacts via T1565 (unintentional data manipulation)
Priority Targets News generation accuracy, multi-language translations, CI/CD configuration
Threat Priority Low

🔍 Threat Agent Summary Matrix

Threat Agent Motivation Capability Opportunity Impact Potential Likelihood Key Targets
🏛️ Nation-State Actors Political interference, election influence High (advanced persistent threat) Medium (public platform) Critical (democratic process) Low-Medium News content integrity, MEP data
💰 Cybercriminals Financial gain, reputation damage Medium (professional tools) Medium (public repository) Medium (service disruption) Low Repository access, supply chain
🎭 Hacktivists Political agenda, visibility Medium (motivated individuals) High (open source) Medium (temporary defacement) Low Website content, public messaging
👤 Malicious Insiders Ideological, financial High (trusted access) Low (vetted contributors) High (privileged access) Very Low Source code, news generation
🔧 Accidental Insiders Unintentional errors Low (no malice) Medium (contributors) Medium (data integrity) Medium News generation, translations
🤖 Automated Bots Mass exploitation Low (scripted attacks) High (public site) Low (minimal impact) Low XSS attempts, DoS attempts

🎯 Threat Agent Capability Matrix

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#fce4ec',
      'primaryTextColor': '#880e4f',
      'lineColor': '#c2185b'
    }
  }
}%%
quadrantChart
    title 🎯 EU Parliament Monitor Threat Agent Capability vs Motivation
    x-axis Low Capability --> High Capability
    y-axis Low Motivation --> High Motivation
    quadrant-1 Critical Concern
    quadrant-2 Strategic Focus
    quadrant-3 Monitor Only
    quadrant-4 Vigilant Watch

    "🏛️ Nation-State": [0.85, 0.75]
    "💰 Cybercriminals": [0.65, 0.55]
    "🎭 Hacktivists": [0.55, 0.70]
    "👤 Malicious Insider": [0.80, 0.40]
    "🔧 Accidental Insider": [0.30, 0.15]
    "🤖 Automated Bots": [0.25, 0.20]
Loading

🛡️ Comprehensive Security Control Framework

🔒 Defense-in-Depth Architecture

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#e0f2f1',
      'primaryTextColor': '#004d40',
      'lineColor': '#00695c',
      'secondaryColor': '#fce4ec',
      'tertiaryColor': '#fff3e0'
    }
  }
}%%
flowchart TB
    subgraph LAYER_1["🌐 Layer 1: Perimeter"]
        direction LR
        L1A[🌍 AWS CloudFront CDN]
        L1B[🔒 TLS 1.3 Enforcement]
        L1C[🛡️ DDoS Protection]
    end

    subgraph LAYER_2["📡 Layer 2: Network"]
        direction LR
        L2A[🔐 HTTPS-Only]
        L2B[🛡️ CSP Headers]
        L2C[🔒 HSTS]
    end

    subgraph LAYER_3["🖥️ Layer 3: Application"]
        direction LR
        L3A[✅ Input Validation]
        L3B[🎨 SafeHtmlString Escaping]
        L3C[📋 Schema Validation]
    end

    subgraph LAYER_4["📊 Layer 4: Data"]
        direction LR
        L4A[🔍 EP MCP Schema]
        L4B[🏷️ Type Checking]
        L4C[📝 Error Logging]
    end

    subgraph LAYER_5["🔎 Layer 5: Monitoring"]
        direction LR
        L5A[🤖 CodeQL SAST]
        L5B[🔄 Dependabot]
        L5C[📊 GitHub Audit Logs]
    end

    LAYER_1 --> LAYER_2
    LAYER_2 --> LAYER_3
    LAYER_3 --> LAYER_4
    LAYER_4 --> LAYER_5

    style LAYER_1 fill:#e3f2fd,stroke:#1976d2,stroke-width:2px
    style LAYER_2 fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px
    style LAYER_3 fill:#e8f5e9,stroke:#388e3c,stroke-width:2px
    style LAYER_4 fill:#fff3e0,stroke:#f57c00,stroke-width:2px
    style LAYER_5 fill:#fce4ec,stroke:#c2185b,stroke-width:2px
Loading

🎭 STRIDE → Control Mapping

STRIDE Category Primary Controls Secondary Controls Monitoring Controls Threats Addressed Status
S — Spoofing Localhost-only MCP binding, MFA enforcement, Git commit signing CODEOWNERS, required PR reviews, contributor identity verification GitHub audit logs, commit history verification, access alerts T-006, T-015 Implemented
T — Tampering Branch protection, required reviews, SHA-pinned actions, schema validation SLSA Level 3 attestation, package-lock.json integrity, CSP headers CodeQL SAST scanning, Dependabot alerts, automated testing, diff review T-001, T-002, T-003, T-007, T-008, T-013, T-014, T-020 Implemented
R — Repudiation GitHub audit logs, commit history, Git signed commits SLSA provenance attestation, SBOM tracking, workflow logging CodeQL logs, GitHub Actions run history, PR review trail T-005, T-011, T-018 Implemented
I — Information Disclosure Secret scanning, no PII collection, public data only, environment-scoped secrets Workflow permission minimization (least privilege), no secrets in config GitHub secret scanning alerts, repository traffic monitoring T-010 Implemented
D — Denial of Service AWS CloudFront CDN (AWS Shield DDoS protection), static site architecture, manual workflow triggers Retry logic with backoff, cached content persistence, 24h RTO alignment AWS + GitHub status monitoring, workflow failure alerts, deployment health checks T-004, T-016, T-020 Implemented
E — Elevation of Privilege MFA enforcement, CODEOWNERS, workflow permissions (least privilege) Branch protection rules, required status checks, role-based access Quarterly access reviews, workflow change alerts, PR approval audit T-005, T-009, T-012, T-015, T-019 Implemented

🔐 Comprehensive Control Catalog

Layer Control Threats Mitigated Status
1. Perimeter AWS CloudFront CDN T-004 (DoS) ✅ Implemented
1. Perimeter TLS 1.3 Enforcement T-006 (MITM) ✅ Implemented
2. Network HTTPS-Only T-001 (XSS), T-006 (MITM) ✅ Implemented
2. Network Content Security Policy (CSP) T-001 (XSS) ✅ Implemented
2. Network HSTS Headers T-006 (Protocol Downgrade) ✅ Implemented
3. Application Branded SafeHtmlString Escaping T-001 (XSS) ✅ Implemented
3. Application Input Validation T-001 (XSS), T-003 (Data Integrity) ✅ Implemented
3. Application HTML Validation T-001 (XSS), T-003 (Data Integrity) ✅ Implemented
3. Application ESLint Security Rules T-001 (Code Injection) ✅ Implemented
4. Data EP MCP Schema Validation T-003 (Data Integrity) ✅ Implemented
4. Data Type Checking (JSDoc) T-003 (Data Integrity) ✅ Implemented
4. Data Error Logging T-003 (Data Integrity) ✅ Implemented
4. Data Unit Testing (82% coverage) T-003 (Data Integrity) ✅ Implemented
5. Supply Chain Minimal Dependencies (0 prod) T-002 (Supply Chain) ✅ Implemented
5. Supply Chain Dependabot Scanning T-002 (Vulnerabilities) ✅ Implemented
5. Supply Chain SBOM Generation (CycloneDX) T-002 (Transparency) ✅ Implemented
5. Supply Chain SHA-Pinned Actions T-002 (Workflow Tampering) ✅ Implemented
5. Supply Chain package-lock.json T-002 (Integrity) ✅ Implemented
6. Access Control Branch Protection T-005 (Unauthorized Changes) ✅ Implemented
6. Access Control Required PR Reviews T-005 (Code Review) ✅ Implemented
6. Access Control MFA Requirement T-005 (Credential Theft) ✅ Implemented
6. Access Control CODEOWNERS Enforcement T-005 (Ownership) ✅ Implemented
7. Monitoring CodeQL SAST Scanning T-001 (Code Vulnerabilities) ✅ Implemented
7. Monitoring GitHub Audit Logs T-005 (Unauthorized Access) ✅ Implemented
7. Monitoring Quarterly Access Review T-005 (Access Management) ✅ Implemented
8. Isolation MCP Localhost-Only T-006 (Network Exposure) ✅ Implemented
8. Isolation Ephemeral Execution T-006 (Persistence) ✅ Implemented
8. Isolation GitHub Actions Sandbox T-006 (Environment Isolation) ✅ Implemented

📋 Compliance Framework Mapping

🏛️ ISO 27001:2022 Control Mapping

ISO 27001 Control Description EU Parliament Monitor Implementation Status
A.5.1 Policies for information security ISMS policies, SECURITY_ARCHITECTURE.md, THREAT_MODEL.md ✅ Implemented
A.8.3 Access restriction Branch protection, MFA, CODEOWNERS, required reviews ✅ Implemented
A.8.9 Configuration management package-lock.json, pinned dependencies, SHA-pinned actions ✅ Implemented
A.8.16 Monitoring activities CodeQL SAST, Dependabot, GitHub audit logs, workflow monitoring ✅ Implemented
A.8.25 Secure development lifecycle Automated CI/CD, code review, SAST, SCA, SBOM generation ✅ Implemented
A.8.26 Application security requirements CSP headers, input validation, schema validation, TypeScript strict ✅ Implemented
A.8.28 Secure coding ESLint security rules, CodeQL, branded SafeHtmlString escaping ✅ Implemented

🔒 NIST CSF 2.0 Function Mapping

NIST CSF 2.0 Function Sub-Category EU Parliament Monitor Implementation Threat Coverage
GV (Govern) GV.OC — Organizational Context Democratic transparency mission drives risk tolerance All threats
ID (Identify) ID.AM — Asset Management Asset inventory, Crown Jewel analysis, CLASSIFICATION.md T-003, T-013
ID (Identify) ID.RA — Risk Assessment Quantitative risk matrix, STRIDE per element, ATT&CK mapping All threats
PR (Protect) PR.AA — Identity & Access MFA, branch protection, CODEOWNERS, role-based access T-005, T-015
PR (Protect) PR.DS — Data Security Schema validation, CSP, input validation, TLS 1.3 T-001, T-003, T-013
PR (Protect) PR.PS — Platform Security SHA-pinned actions, SLSA Level 3, Dependabot T-002, T-011, T-012
DE (Detect) DE.CM — Continuous Monitoring CodeQL scanning, Dependabot alerts, secret scanning T-001, T-002, T-010
DE (Detect) DE.AE — Adverse Event Analysis GitHub audit logs, workflow monitoring, anomaly detection T-005, T-009
RS (Respond) RS.AN — Incident Analysis SECURITY.md disclosure policy, incident response procedures All high-impact threats
RC (Recover) RC.RP — Recovery Planning BCPPlan.md, 24h RTO/RPO, AWS CloudFront CDN caching T-004, T-007

🛡️ CIS Controls v8.1 Mapping

CIS Control Description EU Parliament Monitor Implementation Coverage
CIS 1 Inventory of Enterprise Assets Asset inventory table, CLASSIFICATION.md ✅ Full
CIS 2 Inventory of Software Assets package.json, SBOM (CycloneDX), Dependabot ✅ Full
CIS 3 Data Protection Public data classification, no PII, HTTPS-only, CSP ✅ Full
CIS 4 Secure Configuration ESLint, TypeScript strict mode, pinned versions ✅ Full
CIS 6 Access Control Management MFA, branch protection, CODEOWNERS, required reviews ✅ Full
CIS 7 Continuous Vulnerability Management Dependabot, CodeQL SAST, npm audit, SBOM tracking ✅ Full
CIS 8 Audit Log Management GitHub audit logs, commit history, workflow logs ✅ Full
CIS 16 Application Software Security Input validation, CSP, auto-escaping, SAST scanning ✅ Full

🔄 Continuous Validation & Assessment

🎪 European Parliament Monitor Threat Workshop

Following Hack23 AB Workshop Framework with parliamentary transparency adaptations:

🔄 Workshop Process (PRE → MONITOR)

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#e8f5e9',
      'primaryTextColor': '#1b5e20',
      'lineColor': '#388e3c'
    }
  }
}%%
flowchart LR
    PRE[📋 PRE<br/>Scope & Context] --> ENUM[🔍 ENUM<br/>Asset Enumeration]
    ENUM --> THREATS[⚔️ THREATS<br/>Threat Identification]
    THREATS --> MAP[🗺️ MAP<br/>ATT&CK Mapping]
    MAP --> PLAN[📝 PLAN<br/>Mitigation Planning]
    PLAN --> VALIDATE[✅ VALIDATE<br/>Control Testing]
    VALIDATE --> MONITOR[📡 MONITOR<br/>Continuous Monitoring]
    MONITOR -->|"Quarterly Review"| PRE

    style PRE fill:#e3f2fd,stroke:#1565c0,stroke-width:2px
    style ENUM fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px
    style THREATS fill:#ffebee,stroke:#c62828,stroke-width:2px
    style MAP fill:#fff3e0,stroke:#ef6c00,stroke-width:2px
    style PLAN fill:#e8f5e9,stroke:#2e7d32,stroke-width:2px
    style VALIDATE fill:#e0f7fa,stroke:#00695c,stroke-width:2px
    style MONITOR fill:#fce4ec,stroke:#ad1457,stroke-width:2px
Loading
Phase Activity EU Parliament Monitor Context Output
📋 PRE Scope definition, context gathering Review EP data sources, 14-language coverage, recent API changes, election calendar Updated scope document, stakeholder map
🔍 ENUM Asset enumeration, data flow mapping Inventory EP data types (MEPs, committees, sessions, votes, documents), trust boundaries Asset inventory, DFD updates
⚔️ THREATS STRIDE analysis, threat identification Apply STRIDE per element, identify new EP-specific threats, LLM-related risks Updated threat register (T-001 to T-020+)
🗺️ MAP ATT&CK technique mapping Map threats to MITRE ATT&CK techniques, update coverage heat map ATT&CK Navigator layer, technique updates
📝 PLAN Mitigation planning, control design Design controls for new threats, update risk treatment plan Prioritized mitigation backlog
✅ VALIDATE Control testing, effectiveness verification Run SAST/SCA scans, verify CSP effectiveness, test schema validation Test results, control effectiveness report
📡 MONITOR Continuous monitoring, trend analysis Monitor EP API changes, dependency advisories, access patterns Monitoring dashboard, quarterly metrics

🎯 EP Monitor-Specific Workshop Scope

  • 🏛️ Parliamentary Process Mapping: MEP activities, committee work, plenary sessions, legislative procedures
  • 📰 News Generation Integrity: Content accuracy, bias detection, source verification, multi-language consistency
  • 🌍 Multi-Language Considerations: 14-language translation accuracy, cultural sensitivity, terminology consistency
  • 👥 Democratic Stakeholder Impact: Citizens, MEPs, journalists, researchers, EU institutions

👥 Parliamentary Platform Team Assembly

  • 🏛️ European Parliament Expert: Parliamentary procedures, MEP activities, legislative processes
  • 📰 Political Journalism Specialist: News accuracy, democratic transparency, editorial standards
  • 🛡️ Static Site Security Expert: Frontend security, CSP, XSS prevention, GitHub Pages
  • 🌍 Multi-Language Coordinator: Translation accuracy, cultural sensitivity, linguistic diversity
  • ⚖️ EU Compliance Officer: GDPR, NIS2, EU Cyber Resilience Act, transparency regulations

📊 Parliamentary Context Analysis Framework

🏛️ Democratic Transparency Assessment:

  • How might different political actors attempt to manipulate parliamentary data?
  • What are the critical democratic periods requiring enhanced security (elections, major votes)?
  • How do we maintain neutrality while protecting against political manipulation?
  • What transparency measures prevent and detect bias injection?

📰 News Integrity Evaluation:

  • How could the news generation process introduce bias or misinformation?
  • What safeguards prevent misrepresentation of MEP activities or voting records?
  • How do we ensure accuracy across all 14 language versions?
  • What emergency procedures exist for critical errors or misinformation?

🌍 Multi-Language Security Analysis:

  • How do we prevent language-specific manipulation or targeted misinformation?
  • What validation ensures translation accuracy for parliamentary terminology?
  • How do we protect against cultural bias injection across language versions?
  • What monitoring detects inconsistencies between language versions?

📅 Assessment Lifecycle

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#e8eaf6',
      'primaryTextColor': '#1a237e',
      'lineColor': '#3f51b5'
    }
  }
}%%
flowchart LR
    QUARTERLY[📅 Quarterly Reviews]
    ANNUAL[📊 Annual Comprehensive]
    INCIDENT[🚨 Incident-Triggered]
    MAJOR_CHANGE[🔄 Major Changes]

    QUARTERLY -->|Every 3 months| ASSESS[🔍 Assessment]
    ANNUAL -->|Yearly deep dive| ASSESS
    INCIDENT -->|Post-incident| ASSESS
    MAJOR_CHANGE -->|Feature/tech| ASSESS

    ASSESS --> WORKSHOP[🎪 Threat Workshop]
    WORKSHOP --> UPDATE[📝 Update Threats]
    UPDATE --> CONTROLS[🛡️ Review Controls]
    CONTROLS --> RISK[⚖️ Re-assess Risks]
    RISK --> APPROVE[✅ Approval]
    APPROVE --> IMPLEMENT[🔨 Implement Changes]
    IMPLEMENT --> QUARTERLY

    style ASSESS fill:#e3f2fd,stroke:#1976d2,stroke-width:2px
    style WORKSHOP fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px
    style APPROVE fill:#e8f5e9,stroke:#388e3c,stroke-width:2px
Loading

Review Schedule:

  • 📅 Quarterly Reviews: Every 3 months (threat landscape updates, new features)
  • 📊 Annual Comprehensive: Yearly deep dive (full workshop, control audit)
  • 🚨 Incident-Triggered: Post-incident analysis (lessons learned, control updates)
  • 🔄 Major Changes: Feature additions, technology updates, compliance changes

🎯 Threat Modeling Maturity Framework

📈 EU Parliament Monitor Maturity Levels

Following Hack23 AB Maturity Levels with parliamentary adaptations:

🟢 Level 1: Democratic Foundation

Current Status: ✅ Achieved

  • 🏛️ Basic Parliamentary Architecture: Core transparency documentation with EP data integration
  • 📰 News Generation Security: Basic input validation and HTML validation
  • 👥 Stakeholder Identification: Key democratic actors mapped (citizens, MEPs, journalists)
  • 📊 Transparency Baseline: Public methodology documentation and source attribution
  • 🛡️ Democratic Security Controls: Basic protections against data manipulation

Evidence:

  • ✅ THREAT_MODEL.md (this document)
  • ✅ CLASSIFICATION.md (system classification)
  • ✅ SECURITY_ARCHITECTURE.md (security controls)
  • ✅ 6 identified threats with mitigation strategies
  • ✅ 25+ security controls implemented

🟡 Level 2: Democratic Process Integration

Current Status: 🔄 In Progress

  • 📅 Electoral Cycle Integration: Threat assessment aligned with European Parliament calendar
  • 📝 Political Context Documentation: Enhanced threat models including political scenarios (this document)
  • 🔧 Democratic Tool Integration: EP MCP integration with schema validation
  • 🔄 Community Engagement Tracking: Public repository with transparent development

Planned:

  • 🔄 European election period security protocols
  • 🔄 Enhanced monitoring during critical parliamentary votes
  • 🔄 Automated EP calendar integration for threat prioritization

🟠 Level 3: Democratic Analysis Excellence

Target: Q3 2026

  • 🔍 Comprehensive Parliamentary STRIDE: Systematic threat categorization for all parliamentary processes
  • ⚖️ Democratic Risk Assessment: Political impact, citizen trust, and democratic integrity criteria
  • 🛡️ Political Mitigation Strategies: Comprehensive controls for democratic threats
  • 🎓 Civic Security Education: Public education on democratic platform security

Planned:

  • 🔄 Automated fact-checking pipeline (T-003 mitigation)
  • 🔄 Confidence scoring for news articles
  • 🔄 Human-in-the-loop review queue
  • 🔄 Cross-reference validation with EP sources

🔴 Level 4: Advanced Democratic Intelligence

Target: 2027

  • 🌐 Advanced Political Modeling: Real-world political attack simulations and democratic war gaming
  • 📊 Continuous Democratic Monitoring: Real-time political threat landscape integration
  • 📈 Democratic Health Metrics: Comprehensive civic engagement and trust measurement
  • 🔄 Public Validation Sessions: Community-driven threat identification and mitigation validation

Vision:

  • 🔮 Real-time monitoring of EP data integrity
  • 🔮 AI-enhanced bias detection across 14 languages
  • 🔮 Community-driven threat reporting
  • 🔮 International collaboration with democratic transparency organizations

🟣 Level 5: Democratic Innovation Leadership

Target: 2028+

  • 🔮 Proactive Democratic Protection: Emerging political threat anticipation and countermeasures
  • 🤖 AI-Enhanced Democratic Security: Machine learning for bias detection and political manipulation identification
  • 📊 Global Democratic Intelligence: International democratic security collaboration and best practice sharing
  • 🔬 Predictive Democratic Analytics: Advanced modeling for democratic health and threat prediction

Vision:

  • 🔮 Leading EU transparency platform security standards
  • 🔮 Open-source democratic security frameworks
  • 🔮 AI-powered misinformation detection
  • 🔮 Global democratic platform security consortium

🌟 Security Best Practices

🏛️ Parliamentary Platform Security Principles

🗳️ Democratic Integrity by Design

  • 🔍 Transparent Methodology: All news generation methodologies publicly documented and verifiable
  • ⚖️ Political Neutrality Enforcement: Systematic bias detection across 14 languages
  • 📊 Multi-Source Validation: Official European Parliament APIs as single source of truth
  • 🛡️ Election Period Protection: Enhanced monitoring during critical democratic periods

Implementation:

  • ✅ Official EP MCP Server integration (verified source)
  • ✅ Schema validation for all EP data
  • ✅ HTML validation for all generated content
  • ✅ Public source code (open-source transparency)

🌍 Multi-Language Security

  • 🤝 Cultural Sensitivity: Respect for 14 language cultures and political contexts
  • 📢 Translation Validation: Native speaker review for parliamentary terminology
  • 🔍 Consistency Verification: Cross-language comparison for content consistency
  • 📈 Linguistic Diversity: Equal treatment of all supported languages

Implementation:

  • ✅ 14 language versions (en, sv, da, no, fi, de, fr, es, nl, ar, he, ja, ko, zh)
  • ✅ Language-specific HTML files with proper encoding (UTF-8)
  • ✅ Cultural context preservation in translations
  • 🔄 Native speaker validation (planned for Level 3 maturity)

🔄 Continuous Democratic Improvement

  • ⚡ Proactive Threat Detection: Early identification of emerging democratic manipulation techniques
  • 📊 Evidence-Based Security: Data-driven democratic security decisions with public accountability
  • 🤝 European Cooperation: Collaboration with EU democratic transparency organizations
  • 💡 Innovation in Democratic Security: Leading development of new civic platform protection methods

Implementation:

  • ✅ Quarterly threat model reviews
  • ✅ GitHub issue tracking for security concerns
  • ✅ Public documentation of security practices
  • ✅ Open-source contribution model

📊 Risk Treatment Plan

Priority-Based Treatment

Threat ID Threat Name Risk Level Priority Treatment Timeline Owner
T-003 Data Integrity - Incorrect News Medium P1 Reduce Q3 2026 Product Team
T-007 EP API Format Change Medium P1 Reduce Q3 2026 Product Team
T-013 EP MCP Data Poisoning Medium P1 Reduce Q3 2026 Security Team
T-002 Supply Chain Attack Low-Medium P2 Monitor Annual Review Security Team
T-005 Repository Compromise Low-Medium P2 Monitor Annual Review Security Team
T-008 Translation Manipulation Low-Medium P2 Monitor Quarterly Review Product Team
T-009 Election Period Defacement Low-Medium P2 Monitor Election periods Security Team
T-012 Dependency Confusion Low-Medium P2 Monitor Annual Review Security Team
T-015 Contributor Account Compromise Low-Medium P2 Monitor Quarterly Review Security Team
T-017 MEP Data Integrity Failure Low-Medium P2 Monitor Quarterly Review Product Team
T-018 Information Manipulation Low-Medium P2 Monitor Election periods Security Team
T-001 XSS via Data Injection Low P3 Accept Quarterly Review Security Team
T-004 GitHub Actions Downtime Low P3 Accept Monitor DevOps Team
T-006 MCP Server Compromise Low P4 Accept Annual Review Security Team
T-016 Automated Bot Abuse Low P4 Accept Monitor DevOps Team

Risk Matrix (30 Threats)

      │ V.Low (1)  │  Low (2)       │  Med (3)       │  High (4)          │ Crit (5)
──────┼────────────┼────────────────┼────────────────┼────────────────────┼──────────
Crit  │            │                │                │                    │
(5)   │            │                │                │                    │
──────┼────────────┼────────────────┼────────────────┼────────────────────┼──────────
High  │            │ T-002,T-005    │                │                    │
(4)   │            │ T-009,T-011    │ T-013 ★ (P1)  │                    │
──────┼────────────┼────────────────┼────────────────┼────────────────────┼──────────
Med   │ T-006      │ T-001,T-004   │ T-003 ★ (P1)  │                    │
(3)   │ T-010,T-019│ T-008,T-014   │ T-007 ★ (P1)  │                    │
      │ T-020      │ T-017         │                │                    │
──────┼────────────┼────────────────┼────────────────┼────────────────────┼──────────
Low   │            │ T-016         │                │                    │
(2)   │            │               │                │                    │
──────┼────────────┼────────────────┼────────────────┼────────────────────┼──────────
V.Low │            │               │                │ T-015              │ T-012
(1)   │            │               │                │ T-018              │
──────┴────────────┴────────────────┴────────────────┴────────────────────┴──────────
      │ V.Low (1)  │  Low (2)       │  Med (3)       │  High (4)          │ Crit (5)
                                    Impact

Legend: ★ = Requires action (P1), Others = Monitor/Accept



📚 Related Documents

🏗️ Architecture Documentation

Document Description Link
CLASSIFICATION.md System classification (Public/Medium/Medium) CLASSIFICATION.md
SECURITY_ARCHITECTURE.md Security controls and compliance mapping SECURITY_ARCHITECTURE.md
ARCHITECTURE.md System architecture and design ARCHITECTURE.md
DATA_MODEL.md Data structures and EP MCP integration DATA_MODEL.md
FLOWCHART.md Process flows and workflows FLOWCHART.md
STATEDIAGRAM.md State transitions and lifecycle STATEDIAGRAM.md
MINDMAP.md Conceptual overview MINDMAP.md
SWOT.md Strengths, weaknesses, opportunities, threats SWOT.md

🔮 Future Architecture

Document Description Link
FUTURE_SECURITY_ARCHITECTURE.md Planned security enhancements FUTURE_SECURITY_ARCHITECTURE.md
FUTURE_THREAT_MODEL.md Future threat landscape evolution FUTURE_THREAT_MODEL.md
FUTURE_ARCHITECTURE.md Planned architectural improvements FUTURE_ARCHITECTURE.md
FUTURE_DATA_MODEL.md Enhanced data structures FUTURE_DATA_MODEL.md
FUTURE_FLOWCHART.md Enhanced workflows FUTURE_FLOWCHART.md
FUTURE_STATEDIAGRAM.md Enhanced state management FUTURE_STATEDIAGRAM.md
FUTURE_MINDMAP.md Vision and roadmap FUTURE_MINDMAP.md
FUTURE_SWOT.md Strategic analysis FUTURE_SWOT.md

📋 ISMS Policies (Hack23)

Policy Description Link
Threat Modeling Policy Threat modeling methodology and frameworks Hack23 ISMS - Threat Modeling
Classification Framework Information classification guidelines Hack23 ISMS - Classification
Secure Development Policy Secure SDLC practices Hack23 ISMS - Secure Development
Access Control Policy Access management and MFA requirements Hack23 ISMS - Access Control
Incident Response Policy Security incident handling Hack23 ISMS - Incident Response
Supply Chain Security Policy Third-party risk management Hack23 ISMS - Supply Chain Security
Change Management Policy Change control and approval Hack23 ISMS - Change Management
Vulnerability Management Vulnerability lifecycle management Hack23 ISMS - Vulnerability Management
Network Security Policy Network segmentation and TLS standards Hack23 ISMS - Network Security
Cryptography Policy Encryption and key management standards Hack23 ISMS - Cryptography

🛡️ Security & Compliance

Document Description Link
SECURITY.md Security disclosure and contact SECURITY.md
CRA-ASSESSMENT.md EU Cyber Resilience Act assessment CRA-ASSESSMENT.md
BCPPlan.md Business Continuity Plan BCPPlan.md

🔗 External Standards & Frameworks

Standard Description Link
STRIDE Threat categorization framework Microsoft STRIDE
MITRE ATT&CK Adversarial tactics and techniques MITRE ATT&CK
OWASP Top 10 Web application security risks OWASP
CIS Controls v8.1 Cybersecurity best practices CIS Controls
ISO 27001:2022 Information security management ISO/IEC 27001
NIST CSF 2.0 Cybersecurity Framework NIST CSF
GDPR EU data protection regulation GDPR
NIS2 Directive EU cybersecurity directive NIS2
EU Cyber Resilience Act EU product security regulation CRA

Approval and Review

Role Name Date Signature
Security Architect Security Team 2026-05-30 Approved
Product Owner Product Team 2026-05-30 Approved
CEO / CISO CEO 2026-05-30 Approved

🔄 Review Schedule

  • Current Review: 2026-05-30
  • Next Quarterly Review: 2026-08-30
  • Annual Comprehensive Review: 2027-05-30

📝 Version History

Version Date Author Changes
2.5 2026-06-02 Security Team AI security analysis: OWASP LLM Top 10 mapping, gh-aw 3-layer defense-in-depth architecture documentation (Substrate/Configuration/Plan layers, AWF, SafeOutputs, MCP sandboxing, content sanitization pipeline, compilation-time security), democratic AI threat scenarios (deepfakes, disinformation, algorithmic bias, narrative manipulation, astroturfing, suppression), enhanced Mermaid diagrams with security control visualization.
2.4 2026-05-30 Security Team Deep-review refresh: corrected templating reference (Handlebars → SafeHtmlString branded types), aligned delivery model (GitHub Pages → CloudFront/S3 with GitHub Pages fallback), catalogued threat T-030, realigned T-028 risk treatment to the current v0.77.3 gh-aw pin, and refreshed the approval/review cycle to the 2026-05-30 quarterly cadence.
2.3 2026-02-26 Security Team Quarterly review: STRIDE-per-element coverage, MITRE ATT&CK mapping, ENISA TL 2024 integration, and quantitative risk treatment plan.

📊 Review Criteria

Quarterly Reviews (Every 3 Months):

  • ✅ New threats identified in the landscape
  • ✅ Changes to European Parliament data sources
  • ✅ New features or technologies introduced
  • ✅ Compliance requirement updates
  • ✅ Incident learnings and control adjustments

Annual Comprehensive Reviews:

  • ✅ Full threat workshop with all stakeholders
  • ✅ Complete control audit and effectiveness assessment
  • ✅ Maturity level progression evaluation
  • ✅ Strategic alignment with Hack23 ISMS policies
  • ✅ European Parliament transparency requirements review

📊 Document Status

Document Status: ✅ Complete and Approved
ISMS Compliance: Full — Meets all Hack23 Threat Modeling Policy requirements (5-strategy integration, ENISA TL 2024, Kill Chain, Quantitative Risk)
Maturity Level: 🟡 Level 2 (Democratic Process Integration) - In Progress
Next Action: Implement P1 controls (T-003, T-007, T-013) by Q3 2026

📈 Threat Model Metrics

Metric Value Status
Total Threats Identified 30 ✅ Documented (T-001 to T-030)
OWASP LLM Top 10 9/10 mapped (LLM08 N/A) ✅ Full coverage for applicable threats
gh-aw Security Layers 3 layers, 16+ controls ✅ Defense-in-depth documented
MITRE ATT&CK Coverage 2.3% (18/793 techniques) ✅ Appropriate for static site
Security Controls 40+ ✅ Implemented (including gh-aw controls)
Defense Layers 8 (Perimeter to Isolation) ✅ Complete
Languages Supported 14 languages ✅ Multi-language security
ENISA TL 2024 Coverage 7/7 categories mapped ✅ Full alignment
Kill Chain Phases Mapped 7/7 phases ✅ Complete disruption analysis
Threat Agent Profiles 5 detailed + 1 summary ✅ Comprehensive classification
Misuse Cases 6 scenarios ✅ Scenario-Centric analysis
Compliance Frameworks 3 (ISO 27001, NIST, CIS) ✅ Full mapping
Democratic AI Threats 6 scenarios ✅ AI-specific democracy threats mapped
Document Lines 2900+ ✅ Comprehensive (matching Hack23 standards)
Maturity Level Level 2 (In Progress) 🔄 Advancing to Level 3
P1 Threats 4 (T-003, T-007, T-013, T-029) ⚠️ Requires action by Q3 2026
Risk Distribution 1 High, 4 Medium, 10 Low-Med, 7 Low ✅ Acceptable risk profile

🎯 Success Criteria

Threat Model Completeness (5-Strategy Integration):

  • ✅ 🎖️ Attacker-Centric: MITRE ATT&CK mapping (18 techniques), Kill Chain analysis, Attack Trees
  • ✅ 🏗️ Asset-Centric: Crown Jewel Analysis, Asset Inventory (6 categories), Data Flow Threats
  • ✅ 🏛️ Architecture-Centric: STRIDE per Element (8 elements), Trust Boundaries (4), DFD
  • ✅ 🎯 Scenario-Centric: 6 Misuse Cases, 6 What-If scenarios, 3 Persona-Based Threats
  • ✅ ⚖️ Risk-Centric: Quantitative Likelihood×Impact matrix, Risk Treatment Plan, Business Impact
  • ✅ 🌐 ENISA Threat Landscape 2024 Integration (7 priority categories)
  • ✅ 🔗 Kill Chain Disruption Analysis (7 phases mapped)
  • ✅ 👥 Comprehensive Threat Agent Classification (5 detailed profiles)
  • ✅ 📋 Compliance Framework Mapping (ISO 27001, NIST CSF 2.0, CIS Controls v8.1)
  • ✅ 🔄 Continuous Validation with PRE→ENUM→THREATS→MAP→PLAN→VALIDATE→MONITOR
  • ✅ 🎯 Multi-Strategy Integration Mindmap
  • ✅ 📚 Architecture Documentation Map (26+ documents)
  • ✅ 🔗 ISMS Policy Links (7 policies referenced)
  • ✅ 🤖 OWASP LLM Top 10 Mapping (9/10 applicable threats addressed)
  • ✅ 🛡️ gh-aw Defense-in-Depth Documentation (3 layers, 16+ controls)
  • ✅ 🏛️ Democratic AI Threat Scenarios (6 AI-specific democracy threats)

Democratic Transparency Goals:

  • ✅ Parliamentary data integrity protection
  • ✅ Multi-language content security (14 languages)
  • ✅ Democratic transparency threat mitigation
  • ✅ Public accountability through open documentation
  • ✅ EU compliance (GDPR, NIS2, CRA)
  • ✅ AI-specific democratic threat scenarios documented
  • ✅ Algorithmic bias and narrative manipulation addressed

Next Steps:

  1. Q3 2026: Implement T-003, T-007, T-013 mitigations (automated fact-checking, API monitoring, cross-reference validation)
  2. Q3 2026: Advance to Maturity Level 3 (Democratic Analysis Excellence)
  3. Q3 2026: Deploy confidence scoring and automated QA for LLM09 (Misinformation) mitigation
  4. 2026-09-02: Conduct next quarterly threat model review
  5. 2027-06-02: Annual comprehensive threat model update

🔗 Related ISMS-PUBLIC Policies


📋 Document Control:
✅ Approved by: James Pether Sörling, CEO - Hack23 AB
📤 Distribution: Public
🏷️ Classification: Confidentiality: Public Integrity: Medium Availability: Medium


This threat model demonstrates Hack23 AB's commitment to cybersecurity excellence through transparency, systematic risk management, and democratic accountability. For questions or feedback, contact: security@hack23.com