You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As a contributor or operator of the relay, I want a threat-model doc that catalogues the per-process attack surface (distinct from the wire-protocol threats already in the protocol spec) along with current mitigations and residual risk, so that future security work has a concrete document to update and the security-review agent has structured input.
Context
The protocol spec's Security model covers wire-protocol-level threats (prompt injection, server-id race, MITM, token leak, replay, DoS). This doc covers operational threats specific to the relay binary as a deployed process — concerns that don't appear in the protocol but matter for a real-world deployed service.
Independent of other tickets; the protocol spec is on main. WS upgrade and connection-registry work are not yet built (see docs/PROJECT-MEMORY.md), so threats around the WS library and connection limits are framed in this doc as v1-deferred or prospective rather than referencing a chosen library.
Acceptance Criteria
New file docs/threat-model.md exists, ~1–2 pages of markdown.
First paragraph (or front-matter) explicitly distinguishes this doc from the wire-protocol threats in the protocol spec, and links to the spec's Security model section.
The doc covers each of the following operational-threat domains, and for each gives: severity (low/medium/high), v1 mitigation (or "deferred"), residual risk, future hardening:
Deploy security. SSH key management for the VPS, who has access, OS update cadence, intrusion detection. What happens if the VPS is rooted (every byte through the relay is exposed; same threat as the protocol spec's "relay operator MITM" but framed from the operator's side).
Supply chain. Go dependencies (go.mod); govulncheck in CI; checksum verification (go.sum); SBOM as future work. Risk and mitigation for current deps (golang.org/x/crypto/acme/autocert) and the not-yet-chosen WebSocket library being compromised.
DoS resistance. Connection-count limits (none in v1); per-IP rate limiting (none in v1); slow-loris (mitigated by ReadHeaderTimeout); bandwidth amplification (relay forwards only; no amplification factor); accidental fork-bomb via runaway client retry (no protection in v1).
Log hygiene. What MUST NOT be logged (payload bodies, tokens, full headers); what IS logged (server-id, conn-id, device-name, remote host, event types). Log rotation policy; log retention.
Cert & key handling. Autocert cache dir at 0700 (enforced via ErrCacheDirInsecure); what happens if it becomes world/group-readable; key rotation (autocert handles it).
TLS configuration. Cipher suite policy (Go's secure defaults); pinned MinVersion: tls.VersionTLS12 (already in internal/relay/tls.go).
Error response leakage. Don't leak internal errors via 500 bodies; use generic messages to public paths.
The doc has a "Triggers for re-review" section listing when to update it (new dependency added, deploy target changed, new public endpoint exposed, security incident).
docs/architecture.md "Threat model" section is updated to link to the new doc instead of saying "to be written".
Technical Notes
This is documentation, not code. Use the protocol spec's "Security model" section as the structural template (severity / mitigation / residual / deferred per threat). The architect should produce the threat list before the documentation agent drafts; the architect understands the architecture.
nhooyr.io/websocket is not currently a dependency — supply-chain coverage should describe the deps that exist today and note that the WS library will be added to this list when chosen.
Out of scope:
Pen-test write-up (we haven't done one).
Compliance frameworks (no GDPR/SOC2 obligations in v1; user-data flows are minimal).
Per-CVE response runbook (premature; revisit when there are users).
Size Estimate
S — ~150 lines of markdown, single-doc deliverable.
User Story
As a contributor or operator of the relay, I want a threat-model doc that catalogues the per-process attack surface (distinct from the wire-protocol threats already in the protocol spec) along with current mitigations and residual risk, so that future security work has a concrete document to update and the security-review agent has structured input.
Context
The protocol spec's Security model covers wire-protocol-level threats (prompt injection, server-id race, MITM, token leak, replay, DoS). This doc covers operational threats specific to the relay binary as a deployed process — concerns that don't appear in the protocol but matter for a real-world deployed service.
Independent of other tickets; the protocol spec is on
main. WS upgrade and connection-registry work are not yet built (seedocs/PROJECT-MEMORY.md), so threats around the WS library and connection limits are framed in this doc as v1-deferred or prospective rather than referencing a chosen library.Acceptance Criteria
docs/threat-model.mdexists, ~1–2 pages of markdown.go.mod);govulncheckin CI; checksum verification (go.sum); SBOM as future work. Risk and mitigation for current deps (golang.org/x/crypto/acme/autocert) and the not-yet-chosen WebSocket library being compromised.ReadHeaderTimeout); bandwidth amplification (relay forwards only; no amplification factor); accidental fork-bomb via runaway client retry (no protection in v1).0700(enforced viaErrCacheDirInsecure); what happens if it becomes world/group-readable; key rotation (autocert handles it).MinVersion: tls.VersionTLS12(already ininternal/relay/tls.go).docs/architecture.md"Threat model" section is updated to link to the new doc instead of saying "to be written".Technical Notes
nhooyr.io/websocketis not currently a dependency — supply-chain coverage should describe the deps that exist today and note that the WS library will be added to this list when chosen.Size Estimate
S — ~150 lines of markdown, single-doc deliverable.