chore(security): add draft threat model and SECURITY.md for security-model discoverability#3509
Open
potiuk wants to merge 1 commit into
Open
chore(security): add draft threat model and SECURITY.md for security-model discoverability#3509potiuk wants to merge 1 commit into
potiuk wants to merge 1 commit into
Conversation
…ecurity-model discoverability Adds a draft (v0) project threat model plus a SECURITY.md, and links both from AGENTS.md so an automated scan agent can mechanically discover the model via AGENTS.md -> SECURITY.md -> THREAT_MODEL.md. The threat model is a proposal for the PMC to review; most claims are (inferred) and route to open questions in its section 14. Generated-by: Claude Code (Claude Opus 4.8)
PragmaTwice
reviewed
May 31, 2026
Comment on lines
+289
to
+293
| 1. Is running **without `requirepass`** a supported production posture (relying on `bind`/network controls), | ||
| or must operators set it before exposing the port — i.e. is an unauth-access report `BY-DESIGN` or `VALID`? | ||
| *Proposed:* operator must set it before non-localhost exposure; default no-auth is dev-only. | ||
| 2. Same question for **TLS-off** on an untrusted network — operator responsibility (§10) or a claimed gap? | ||
| *Proposed:* operator responsibility; plaintext is documented and opt-out. |
Member
There was a problem hiding this comment.
If requirepass is not set, operators are responsible for restricting access to trusted personnel only. The same applies to TLS.
Comment on lines
+294
to
+295
| 3. Are **replication / cluster peers trusted** (out of §7) or should a malicious peer holding valid topology | ||
| credentials be in the adversary model? *Proposed:* peers trusted; out of scope. |
Comment on lines
+304
to
+305
| 6. Is **RocksDB data-at-rest** considered out of model for confidentiality (operator-trusted disk), i.e. no | ||
| per-namespace encryption is claimed? *Proposed:* yes, at-rest is operator's domain. |
Member
There was a problem hiding this comment.
Yes, no per-namespace encryption is claimed.
Comment on lines
+301
to
+303
| 5. May **non-admin (namespace) clients run `EVAL`/`FUNCTION`**, and what is the Lua sandbox's scope — is host | ||
| I/O denied and is a script confined to its caller's namespace? *Proposed:* scripting confined to namespace; | ||
| no host access; `luajit_bytecode_dos` already treated as a bug. |
Member
There was a problem hiding this comment.
scripting confined to namespace; no host access.
Comment on lines
+298
to
+300
| 4. How is **namespace isolation** enforced at the command layer, and which commands (if any) can observe data | ||
| or metadata across namespaces (e.g. `INFO`, `CLIENT`, keyspace scans, `__namespace`)? *Proposed:* strict | ||
| per-namespace keyspace confinement; admin-only metadata. |
Member
There was a problem hiding this comment.
Strict per-namespace keyspace confinement; admin-only metadata. Known limit: pub/sub doesn't respect namespaces currently.
Comment on lines
+311
to
+312
| 8. Is `AUTH` **throttled / constant-time**, and is brute-force of the token in the model? *Proposed:* network | ||
| controls expected; constant-time compare desirable — confirm. |
Member
There was a problem hiding this comment.
network controls expected; constant-time compare desirable.
Comment on lines
+308
to
+310
| 7. Where is the **resource line** (§8.6)? Are super-linear commands / Lua run-time / deep pipelines bugs, or | ||
| is the only contract "configure `maxclients` and size limits"? *Proposed:* no intrinsic guarantee beyond | ||
| configured limits, except sandbox-DoS which is a bug. |
Member
There was a problem hiding this comment.
no intrinsic guarantee beyond configured limits.
PragmaTwice
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is a draft proposal for the Kvrocks PMC to review — please correct, reject, or discuss as needed. Nothing here is a requirement; the maintainers are the decision-makers, and this document describes Kvrocks as the PMC says it is.
This PR adds
THREAT_MODEL.md+SECURITY.mdand a Security section inAGENTS.md, so an automated scan agent can mechanically find the model viaAGENTS.md → SECURITY.md → THREAT_MODEL.md.It is draft-first and mostly inferred (~16 documented / 0 maintainer / ~50 inferred). Every
*(inferred)*claim routes to a numbered question in §14 Open questions — the fastest review is to walk §14 (three short waves) and answer in-thread; we then promote the tags to*(maintainer)*.The wave-1 rulings are load-bearing:
requirepass(the default) a supported posture relying onbind/network controls, or must operators set it before exposing the port — i.e. is an unauthenticated-access reportBY-DESIGNorVALID?apache/kvrocks-controlleris in scope for the scan too; per §14 q10 it will get its own model (its trust surface — the cluster control plane — differs), which we'll open as a separate PR.Context: the ASF Security team is preparing the project for an automated agentic security scan we're piloting; a complete, discoverable threat model keeps that scan's output signal-rich. We drafted this via the threat-model-producer rubric. If you'd rather author it yourselves, close this PR and we'll regroup.