Security Threat Model

1---
2name: "security-threat-model"
3description: "Repository-grounded threat modeling that enumerates trust boundaries, assets, attacker capabilities, abuse paths, and mitigations, and writes a concise Markdown threat model. Trigger only when the user explicitly asks to threat model a codebase or path, enumerate threats/abuse paths, or perform AppSec threat modeling. Do not trigger for general architecture summaries, code review, or non-security design work."
4---
5 
6# Threat Model Source Code Repo
7 
8Deliver an actionable AppSec-grade threat model that is specific to the repository or a project path, not a generic checklist. Anchor every architectural claim to evidence in the repo and keep assumptions explicit. Prioritizing realistic attacker goals and concrete impacts over generic checklists.
9 
10## Quick start
11 
121) Collect (or infer) inputs:
13- Repo root path and any in-scope paths.
14- Intended usage, deployment model, internet exposure, and auth expectations (if known).
15- Any existing repository summary or architecture spec.
16- Use prompts in `references/prompt-template.md` to generate a repository summary.
17- Follow the required output contract in `references/prompt-template.md`. Use it verbatim when possible.
18 
19## Workflow
20 
21### 1) Scope and extract the system model
22- Identify primary components, data stores, and external integrations from the repo summary.
23- Identify how the system runs (server, CLI, library, worker) and its entrypoints.
24- Separate runtime behavior from CI/build/dev tooling and from tests/examples.
25- Map the in-scope locations to those components and exclude out-of-scope items explicitly.
26- Do not claim components, flows, or controls without evidence.
27 
28### 2) Derive boundaries, assets, and entry points
29- Enumerate trust boundaries as concrete edges between components, noting protocol, auth, encryption, validation, and rate limiting.
30- List assets that drive risk (data, credentials, models, config, compute resources, audit logs).
31- Identify entry points (endpoints, upload surfaces, parsers/decoders, job triggers, admin tooling, logging/error sinks).
32 
33### 3) Calibrate assets and attacker capabilities
34- List the assets that drive risk (credentials, PII, integrity-critical state, availability-critical components, build artifacts).
35- Describe realistic attacker capabilities based on exposure and intended usage.
36- Explicitly note non-capabilities to avoid inflated severity.
37 
38 
39### 4) Enumerate threats as abuse paths
40- Prefer attacker goals that map to assets and boundaries (exfiltration, privilege escalation, integrity compromise, denial of service).
41- Classify each threat and tie it to impacted assets.
42- Keep the number of threats small but high quality.
43 
44### 5) Prioritize with explicit likelihood and impact reasoning
45- Use qualitative likelihood and impact (low/medium/high) with short justifications.
46- Set overall priority (critical/high/medium/low) using likelihood x impact, adjusted for existing controls.
47- State which assumptions most influence the ranking.
48 
49### 6) Validate service context and assumptions with the user
50- Summarize key assumptions that materially affect threat ranking or scope, then ask the user to confirm or correct them.
51- Ask 1–3 targeted questions to resolve missing context (service owner and environment, scale/users, deployment model, authn/authz, internet exposure, data sensitivity, multi-tenancy).
52- Pause and wait for user feedback before producing the final report.
53- If the user declines or can’t answer, state which assumptions remain and how they influence priority.
54 
55### 7) Recommend mitigations and focus paths
56- Distinguish existing mitigations (with evidence) from recommended mitigations.
57- Tie mitigations to concrete locations (component, boundary, or entry point) and control types (authZ checks, input validation, schema enforcement, sandboxing, rate limits, secrets isolation, audit logging).
58- Prefer specific implementation hints over generic advice (e.g., "enforce schema at gateway for upload payloads" vs "validate inputs").
59- Base recommendations on validated user context; if assumptions remain unresolved, mark recommendations as conditional.
60 
61### 8) Run a quality check before finalizing
62- Confirm all discovered entrypoints are covered.
63- Confirm each trust boundary is represented in threats.
64- Confirm runtime vs CI/dev separation.
65- Confirm user clarifications (or explicit non-responses) are reflected.
66- Confirm assumptions and open questions are explicit.
67- Confirm that the format of the report matches closely the required output format defined in prompt template: `references/prompt-template.md`
68- Write the final Markdown to a file named `<repo-or-dir-name>-threat-model.md` (use the basename of the repo root, or the in-scope directory if you were asked to model a subpath).
69 
70 
71## Risk prioritization guidance (illustrative, not exhaustive)
72- High: pre-auth RCE, auth bypass, cross-tenant access, sensitive data exfiltration, key or token theft, model or config integrity compromise, sandbox escape.
73- Medium: targeted DoS of critical components, partial data exposure, rate-limit bypass with measurable impact, log/metrics poisoning that affects detection.
74- Low: low-sensitivity info leaks, noisy DoS with easy mitigation, issues requiring unlikely preconditions.
75 
76## References
77 
78- Output contract and full prompt template: `references/prompt-template.md`
79- Optional controls/asset list: `references/security-controls-and-assets.md`
80 
81Only load the reference files you need. Keep the final result concise, grounded, and reviewable.
82