You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Capture the security audit's STRIDE reasoning as a written threat-model document. The audit passes under #178 applied STRIDE per entry point, but the result was never recorded as a durable artifact.
Scope
Produce docs/security/threat-model.md (or an ADR) covering, per entry point — management API, web UI, agent enroll/poll, OIDC, CLI, config:
Assets at stake (CA private keys, master KEK, operator credentials, enrollment tokens, signing authority).
STRIDE categories per entry point (Spoofing, Tampering, Repudiation, Information disclosure, DoS, Elevation of privilege).
A written model lets future changes be checked against a baseline and makes the "verified safe" conclusions reproducible instead of living only in issue comments.
Summary
Capture the security audit's STRIDE reasoning as a written threat-model document. The audit passes under #178 applied STRIDE per entry point, but the result was never recorded as a durable artifact.
Scope
Produce
docs/security/threat-model.md(or an ADR) covering, per entry point — management API, web UI, agent enroll/poll, OIDC, CLI, config:Why
A written model lets future changes be checked against a baseline and makes the "verified safe" conclusions reproducible instead of living only in issue comments.
Part of #178 (checklist: Threat model document).