git.stella-ops.org/docs/security/authority-threat-model.md
master 75c2bcafce
Add LDAP Distinguished Name Helper and Credential Audit Context
- Implemented LdapDistinguishedNameHelper for escaping RDN and filter values.
- Created AuthorityCredentialAuditContext and IAuthorityCredentialAuditContextAccessor for managing credential audit context.
- Developed StandardCredentialAuditLogger with tests for success, failure, and lockout events.
- Introduced AuthorityAuditSink for persisting audit records with structured logging.
- Added CryptoPro related classes for certificate resolution and signing operations.
2025-11-09 12:21:38 +02:00


Authority Threat Model (STRIDE)

Prepared by Security Guild — 2025-10-12. Scope covers Authority host, Standard plug-in, CLI, bootstrap workflow, and offline revocation distribution.

1. Scope & Method

  • Methodology: STRIDE applied to primary Authority surfaces (token issuance, bootstrap, revocation, operator tooling, plug-in extensibility).
  • Assets in scope: identity credentials, OAuth tokens (access/refresh), bootstrap invites, revocation manifests, signing keys, audit telemetry.
  • Out of scope: Third-party IdPs federated via OpenIddict (tracked separately in SEC6 backlog).

2. Assets & Entry Points

| Asset / Surface | Description | Primary Actors |
| --- | --- | --- |
| Token issuance APIs (/token, /authorize) | OAuth/OIDC endpoints mediated by OpenIddict | CLI, UI, automation agents |
| Bootstrap channel | Initial admin invite + bootstrap CLI workflow | Platform operators |
| Revocation bundle | Offline JSON + detached JWS consumed by agents | Concelier, Agents, Zastava |
| Plug-in manifests | Standard plug-in configuration and password policy overrides | Operators, DevOps |
| Signing keys | ES256 signing keys backing tokens and revocation manifests | Security Guild, HSM/KeyOps |
| Audit telemetry | Structured login/audit stream persisted to Mongo/observability stack | SOC, SecOps |

3. Trust Boundaries

| Boundary | Rationale | Controls |
| --- | --- | --- |
| TB1 — Public network ↔️ Authority ingress | Internet/extranet exposure for /token, /authorize, /bootstrap | TLS 1.3, reverse proxy ACLs, rate limiting (SEC3.A / CORE8.RL) |
| TB2 — Authority host ↔️ Mongo storage | Credential store, revocation state, audit log persistence | Authenticated Mongo, network segmentation, deterministic serializers |
| TB3 — Authority host ↔️ Plug-in sandbox | Plug-ins may override password policy and bootstrap flows | Code signing, manifest validation, restart-time loading only |
| TB4 — Operator workstation ↔️ CLI | CLI holds bootstrap secrets and revocation bundles | OS keychain storage, MFA on workstations, offline kit checksum |
| TB5 — Authority ↔️ Downstream agents | Revocation bundle consumption, token validation | Mutual TLS (planned), detached JWS signatures, bundle freshness checks |

4. Data Flow Diagrams

4.1 Runtime token issuance

```mermaid
flowchart LR
    subgraph Client Tier
        CLI[StellaOps CLI]
        UI[UI / Automation]
    end
    subgraph Perimeter
        RP[Reverse Proxy / WAF]
    end
    subgraph Authority
        AUTH[Authority Host]
        PLGIN[Standard Plug-in]
        STORE[(Mongo Credential Store)]
    end
    CLI -->|OAuth password / client creds| RP --> AUTH
    UI -->|OAuth flows| RP
    AUTH -->|PasswordHashOptions + Secrets| PLGIN
    AUTH -->|Verify / Persist hashes| STORE
    STORE -->|Rehash needed| AUTH
    AUTH -->|Access / refresh token| RP --> Client Tier
```

4.2 Bootstrap & revocation

```mermaid
flowchart LR
    subgraph Operator
        OPS[Operator Workstation]
    end
    subgraph Authority
        AUTH[Authority Host]
        STORE[(Mongo)]
    end
    subgraph Distribution
        OFFKIT[Offline Kit Bundle]
        AGENT[Authorized Agent / Concelier]
    end
    OPS -->|Bootstrap CLI (`stellaops auth bootstrap`)| AUTH
    AUTH -->|One-time invite + Argon2 hash| STORE
    AUTH -->|Revocation export (`stellaops auth revoke export`)| OFFKIT
    OFFKIT -->|Signed JSON + .jws| AGENT
    AGENT -->|Revocation ACK / telemetry| AUTH
```

5. STRIDE Analysis

| Threat | STRIDE Vector | Surface | Risk (L×I) | Existing Controls | Gaps / Actions | Owner |
| --- | --- | --- | --- | --- | --- | --- |
| Spoofed revocation bundle | Spoofing | TB5 — Authority ↔️ Agents | Med×High | Detached JWS signature (planned), offline kit checksums | Finalise signing key registry & verification script (SEC4.B/SEC4.HOST); add bundle freshness requirement | Security Guild (follow-up: SEC5.B) |
| Parameter tampering on /token | Tampering | TB1 — Public ingress | Med×High | ASP.NET model validation, OpenIddict, rate limiter (CORE8.RL) | Tampered requests emit authority.token.tamper audit events (request.tampered, unexpected parameter names) correlating with /token outcomes (SEC5.C) | Security Guild + Authority Core (follow-up: SEC5.C) |
| Bootstrap invite replay | Repudiation | TB4 — Operator CLI ↔️ Authority | Low×High | One-time bootstrap tokens, Argon2id hashing on creation | Invites expire automatically and emit audit events on consumption/expiration (SEC5.D) | Security Guild |
| Token replay by stolen agent | Information Disclosure | TB5 | Med×High | Signed revocation bundles, device fingerprint heuristics, optional mTLS | Monitor revocation acknowledgement latency via Zastava and tune replay alerting thresholds | Security Guild + Zastava (follow-up: SEC5.E) |
| Privilege escalation via plug-in override | Elevation of Privilege | TB3 — Plug-in sandbox | Med×High | Signed plug-ins, restart-only loading, configuration validation | Add static analysis on manifest overrides + runtime warning when policy weaker than host | Security Guild + DevOps (follow-up: SEC5.F) |
| Offline bundle tampering | Tampering | Distribution | Low×High | SHA256 manifest, signed bundles (planned) | Add supply-chain attestation for Offline Kit, publish verification CLI in docs | Security Guild + Ops (follow-up: SEC5.G) |
| Failure to log denied tokens | Repudiation | TB2 — Authority ↔️ Mongo | Med×Med | Serilog structured events (partial), Mongo persistence path (planned), Standard plug-in credential telemetry (authority.plugin.standard.password_verification) | Finalise audit schema (SEC2.A), require the same audit contract for third-party plug-ins, and ensure /token denies include subject/client/IP fields | Security Guild + Authority Core (follow-up: SEC5.H) |

Risk scoring uses a qualitative scale (Low/Med/High) for likelihood × impact; mitigation priority follows High > Med > Low.
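The "Parameter tampering on /token" row can be sketched as detection logic. This is an added example, not Authority's own code: it flags unexpected and repeated parameter names on a form-encoded /token body and builds an authority.token.tamper event. The per-grant allow-list, the `correlation_id` field and the two `request.*_parameters` property names are assumptions.

```python
from collections import Counter
from typing import Optional
from urllib.parse import parse_qsl

# Parameter names come from RFC 6749 and RFC 7636. The allow-list per grant
# type is an assumption, not Authority's actual configuration.
COMMON = {"grant_type", "scope", "client_id", "client_secret"}
ALLOWED = {
    "password": COMMON | {"username", "password"},
    "client_credentials": COMMON,
    "refresh_token": COMMON | {"refresh_token"},
    "authorization_code": COMMON | {"code", "redirect_uri", "code_verifier"},
}


def inspect_token_request(body: str, correlation_id: str) -> Optional[dict]:
    """Return an authority.token.tamper audit event, or None for a clean request."""
    pairs = parse_qsl(body, keep_blank_values=True)
    counts = Counter(name for name, _ in pairs)
    grant = next((value for name, value in pairs if name == "grant_type"), "")
    allowed = ALLOWED.get(grant, COMMON)
    unexpected = sorted(name for name in counts if name not in allowed)
    # RFC 6749 section 3.2: parameters must not be included more than once.
    duplicated = sorted(name for name, n in counts.items() if n > 1)
    if not unexpected and not duplicated:
        return None
    return {
        "event": "authority.token.tamper",
        "correlation_id": correlation_id,
        "request.tampered": True,
        # Names only: values can carry credentials and must stay out of the log.
        "request.unexpected_parameters": unexpected,  # hypothetical property name
        "request.duplicated_parameters": duplicated,  # hypothetical property name
    }


# Constructed sample request bodies.
CLEAN = "grant_type=password&username=alice&password=example&scope=openid"
TAMPERED = "grant_type=client_credentials&client_id=agent-7&role=admin&scope=a&scope=b"

if __name__ == "__main__":
    for cid, body in (("req-1", CLEAN), ("req-2", TAMPERED)):
        print(cid, inspect_token_request(body, cid))
```

Carrying the same correlation ID on the tamper event and on the /token outcome record is what lets the two be joined, as the table row requires.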

6. Follow-up Backlog Hooks

| Backlog ID | Linked Threat | Summary | Target Owners |
| --- | --- | --- | --- |
| SEC5.PLG | TB3 — Plug-in sandbox | Standard plug-in mitigations documented: Argon2 bootstrap enforcement, password-policy warnings, and credential audit telemetry (plugin.retry_after_seconds, plugin.lockout_until) wired into SOC pipelines. | Security Guild + BE-Auth Plugin |
| SEC5.B | Spoofed revocation bundle | Complete libsodium/Core signing integration and ship revocation verification script. | Security Guild + Authority Core |
| SEC5.C | Parameter tampering on /token | Finalise audit contract (SEC2.A) and add request tamper logging. | Security Guild + Authority Core |
| SEC5.D | Bootstrap invite replay | Implement expiry enforcement + audit coverage for unused bootstrap invites. | Security Guild |
| SEC5.E | Token replay by stolen agent | Coordinate Zastava alerting with the new device fingerprint heuristics and surface stale revocation acknowledgements. | Security Guild + Zastava |
| SEC5.F | Plug-in override escalation | Static analysis of plug-in manifests; warn on weaker password policy overrides. | Security Guild + DevOps |
| SEC5.G | Offline bundle tampering | Extend Offline Kit build to include attested manifest + verification CLI sample. | Security Guild + Ops |
| SEC5.H | Failure to log denied tokens | Ensure audit persistence for all /token denials with correlation IDs. | Security Guild + Authority Core |

Update src/__Libraries/StellaOps.Cryptography/TASKS.md (Security Guild board) with the above backlog entries to satisfy SEC5.A exit criteria.
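One way to approach the SEC5.F check, shown as an added example rather than the project's own analyser: compare a plug-in's overrides with the host baseline and return a warning for every setting that ends up weaker. The setting names, the baseline values and the inclusion of lockout settings are assumptions, since the manifest schema is not shown here.

```python
# Constructed host baseline: setting -> (host value, direction).
# "min": larger is stronger, "max": smaller is stronger, "flag": True is stronger.
# All setting names are hypothetical.
HOST_BASELINE = {
    "minimumLength": (12, "min"),
    "requireUppercase": (True, "flag"),
    "requireDigit": (True, "flag"),
    "requireSymbol": (True, "flag"),
    "lockoutMaxAttempts": (5, "max"),
    "lockoutSeconds": (300, "min"),
}


def policy_warnings(override: dict, baseline: dict = HOST_BASELINE) -> list:
    """Return one warning per override that is weaker than the host baseline."""
    warnings = []
    for key, value in sorted(override.items()):
        if key not in baseline:
            # Fail closed: a setting the host does not know cannot be proven safe.
            warnings.append(f"{key}: unknown setting, not comparable with host")
            continue
        host, direction = baseline[key]
        if type(value) is not type(host):
            # A string such as "60" would raise on comparison; report it instead.
            warnings.append(
                f"{key}: expected {type(host).__name__}, got {type(value).__name__}")
        elif direction == "flag" and host and not value:
            warnings.append(f"{key}: requirement disabled (host enforces it)")
        elif direction == "min" and value < host:
            warnings.append(f"{key}: {value} is below host minimum {host}")
        elif direction == "max" and value > host:
            warnings.append(f"{key}: {value} exceeds host maximum {host}")
    return warnings


# Constructed plug-in manifest override.
OVERRIDE = {"minimumLength": 8, "requireSymbol": False, "requireDigit": True,
            "lockoutMaxAttempts": 10, "lockoutSeconds": "60"}

if __name__ == "__main__":
    for line in policy_warnings(OVERRIDE):
        print("WARN", line)
```

The same function serves both halves of the action item: run over manifests in CI it is the static check, and called at plug-in load it produces the runtime warning.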

5.1 Plugin telemetry status (SEC5.PLG — 2025-11-09)

  • Standard plug-in password verification now emits authority.plugin.standard.password_verification with caller correlation IDs, client metadata, tenant IDs, and full network context sourced from AuthorityCredentialAuditContext. Events classify outcomes via the extended AuthEventOutcome set (LockedOut, RequiresFreshAuth, RequiresMfa) so SOC tooling can distinguish lockouts from MFA prompts.
  • Audit properties were standardised: plugin.failed_attempts, plugin.lockout_until, plugin.retry_after_seconds, plugin.rehashed, and plugin.failure_code are present on both the plug-in event and the host-level /token record. plugin.retry_after_seconds is derived deterministically from the retry window, ensuring consistent rate-limit responses for air-gapped tenants.
  • Bootstrap mitigations were documented in docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md: Argon2id hashing, enforced password policies, default RequirePasswordReset, and registrar warnings when an operator weakens the baseline policy. These measures close the SEC5.PLG action item and provide auditors with evidence hooks for Offline Kit reviews.
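A SOC-side consistency check for the telemetry described in the first two bullets, as an added example that is not part of the project. It joins plug-in events to host-level /token records by correlation ID and reports missing host records, lockouts without timing fields, and `plugin.*` values that differ between the two. The record layout, the `correlation_id` and `outcome` field names and the host event name `authority.token` are assumptions.

```python
PLUGIN_EVENT = "authority.plugin.standard.password_verification"
HOST_EVENT = "authority.token"  # hypothetical name for the host-level /token record
LOCKOUT_FIELDS = ("plugin.lockout_until", "plugin.retry_after_seconds")

# Constructed sample records; the layout is an assumption.
SAMPLE = [
    {"event": PLUGIN_EVENT, "correlation_id": "c-1", "outcome": "LockedOut",
     "plugin.failed_attempts": 5, "plugin.lockout_until": "2025-11-09T10:05:00Z",
     "plugin.retry_after_seconds": 300},
    {"event": HOST_EVENT, "correlation_id": "c-1", "outcome": "LockedOut",
     "plugin.failed_attempts": 5, "plugin.lockout_until": "2025-11-09T10:05:00Z",
     "plugin.retry_after_seconds": 300},
    {"event": PLUGIN_EVENT, "correlation_id": "c-2", "outcome": "RequiresMfa",
     "plugin.failed_attempts": 0},
    {"event": PLUGIN_EVENT, "correlation_id": "c-3", "outcome": "LockedOut",
     "plugin.failed_attempts": 5, "plugin.lockout_until": "2025-11-09T10:07:00Z"},
    {"event": HOST_EVENT, "correlation_id": "c-3", "outcome": "LockedOut",
     "plugin.failed_attempts": 5},
]


def audit_gaps(records):
    """Return (correlation_id, problem) pairs for plug-in events that break the contract."""
    plugin, host = {}, {}
    for rec in records:
        if rec["event"] == PLUGIN_EVENT:
            plugin[rec["correlation_id"]] = rec
        elif rec["event"] == HOST_EVENT:
            host[rec["correlation_id"]] = rec
    findings = []
    for cid, ev in sorted(plugin.items()):
        if ev["outcome"] == "LockedOut":
            missing = [f for f in LOCKOUT_FIELDS if f not in ev]
            if missing:
                findings.append((cid, "lockout without " + ", ".join(missing)))
        rec = host.get(cid)
        if rec is None:
            # A verification with no /token record is the repudiation gap (SEC5.H).
            findings.append((cid, "no host /token record"))
            continue
        drift = sorted(k for k in ev if k.startswith("plugin.") and rec.get(k) != ev[k])
        if drift:
            findings.append((cid, "host record differs: " + ", ".join(drift)))
    return findings


if __name__ == "__main__":
    for finding in audit_gaps(SAMPLE):
        print(finding)
```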