Add draft threat model + SECURITY.md + AGENTS.md for security-model discoverability #397
…l discoverability
Adds a draft (v0) threat model for the control plane plus the SECURITY.md and AGENTS.md scaffold so an automated scan agent can mechanically discover the model via AGENTS.md -> SECURITY.md -> THREAT_MODEL.md. The model is a proposal for the PMC to review; most claims are (inferred) and route to open questions in section 14.
Generated-by: Claude Code (Claude Opus 4.8)
Codecov Report
✅ All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
## unstable #397 +/- ##
============================================
+ Coverage 43.38% 49.67% +6.28%
============================================
Files 37 45 +8
Lines 2971 4103 +1132
============================================
+ Hits 1289 2038 +749
- Misses 1544 1839 +295
- Partials 138 226 +88
|
Generated-by: Claude Code
|
Thanks @git-hulk — pushed a revision folding your answers in: no built-in authn/authz today, so the unauthenticated API is expected behavior (with auth tracked in #390); TLS via a fronting proxy (Nginx) rather than built-in; credentials stored in the backing store; node addresses validated as real Kvrocks nodes; the metadata store + peer nodes trusted as honest (trusted-environment requirement); and split-brain handling deferred to the store engine (majority-win with Raft/ETCD/ZK). Residual items kept as §14 questions for the PMC. Ready when you are. |
Thanks for your revision and follow-up questions. I have confirmed them; please take a look again when you get time. |
|
Thanks @git-hulk — your remaining answers are folded in, and §14 is now fully resolved:
Replied on and resolved the threads. The model is the PMC's to merge whenever — thanks for the thorough review. |
|
@potiuk Great thanks for your revision and help. |
This is a draft proposal for the Kvrocks PMC to review — please correct, reject, or discuss as needed. Nothing here is a requirement; the maintainers are the decision-makers.
This is the companion to the `apache/kvrocks` threat-model PR, covering the control plane (its trust surface differs from the data node). It adds `THREAT_MODEL.md` + `SECURITY.md` + `AGENTS.md` so a scan agent can follow `AGENTS.md → SECURITY.md → THREAT_MODEL.md`.
Draft-first, mostly inferred (~12 documented / 0 maintainer / ~40 inferred); every *(inferred)* claim routes to a numbered §14 question.
The wave-1 question is the whole ballgame for a control plane:
`config.yaml` shows no API-auth knob and default `addr` is `127.0.0.1:9379`)? If network-trust-only, is fronting it with an operator auth proxy the supported posture — so an "unauthenticated admin API" report is `BY-DESIGN` rather than `VALID`?
Also flagged: TLS posture, SSRF via node registration, and how managed-node admin credentials are stored.
Context: the ASF Security team is preparing the project for an automated agentic security scan we're piloting; a discoverable threat model keeps that scan's output signal-rich. Drafted via the threat-model-producer rubric. If you'd rather author it yourselves, close this PR and we'll regroup.