Agent skill

security/threat-model

Threat Modeling security skill


Install this agent skill to your Project

npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/security/securitythreat-model

SKILL.md

Threat Modeling

Identify the attack surface, enumerate threats, and prioritize mitigations before writing code.

Process for Planned Work

1. Identify assets:

  • What are we protecting? (API keys, conversation history, user data)
  • What would an attacker want? (credentials, code execution, data exfiltration)

2. Enumerate entry points:

  • User input (terminal, config, environment)
  • Network (LLM API responses)
  • Filesystem (config files, database)

3. Apply STRIDE per entry point:

  • Spoofing: Can an attacker impersonate a trusted party?
  • Tampering: Can an attacker modify data?
  • Repudiation: Can actions be denied?
  • Information disclosure: Can secrets leak?
  • Denial of service: Can availability be impacted?
  • Elevation of privilege: Can an attacker gain capabilities?

4. Prioritize:

  • Likelihood × Impact = Risk
  • Address high-risk items first
  • Document accepted risks
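
The four steps above expressed as a small threat register. This is an added example, not part of the skill itself: it checks that every entry point has been reviewed against every STRIDE category, scores each threat as Likelihood × Impact, and keeps accepted risks with their rationale. The 1 to 5 scoring scale, the `high=12` cutoff, the function names and the sample threats are assumptions.

```python
from dataclasses import dataclass
from itertools import product

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")
ENTRY_POINTS = ("User input", "Network", "Filesystem")  # from step 2

@dataclass
class Threat:
    entry_point: str
    category: str               # one of STRIDE
    description: str
    likelihood: int             # 1 (rare) .. 5 (expected); assumed scale
    impact: int                 # 1 (minor) .. 5 (severe); assumed scale
    accepted_because: str = ""  # non-empty = documented accepted risk

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact

def validate(threats):
    for t in threats:
        if t.entry_point not in ENTRY_POINTS or t.category not in STRIDE:
            raise ValueError(f"unknown cell: {t.entry_point}/{t.category}")
        if not (1 <= t.likelihood <= 5 and 1 <= t.impact <= 5):
            raise ValueError(f"score out of range: {t.description}")

def unreviewed_cells(threats, not_applicable=()):
    """(entry point, STRIDE category) pairs nobody has examined yet."""
    seen = {(t.entry_point, t.category) for t in threats} | set(not_applicable)
    return [c for c in product(ENTRY_POINTS, STRIDE) if c not in seen]

def work_queue(threats, high=12):
    """Return (high-risk, remaining, accepted); open items sorted by risk."""
    validate(threats)
    open_ = sorted((t for t in threats if not t.accepted_because),
                   key=lambda t: (-t.risk, -t.impact))
    return ([t for t in open_ if t.risk >= high],
            [t for t in open_ if t.risk < high],
            [t for t in threats if t.accepted_because])

# Constructed sample register for a terminal tool that calls an LLM API.
SAMPLE = [
    Threat("Network", "Tampering", "LLM API response leads to code execution", 3, 5),
    Threat("Filesystem", "Information disclosure", "API key readable in config file", 4, 4),
    Threat("User input", "Denial of service", "Unbounded terminal input exhausts memory", 2, 2),
    Threat("Filesystem", "Repudiation", "No record of who changed the database", 3, 2,
           accepted_because="single-user local tool; revisit if multi-user"),
]
```

A non-empty result from `unreviewed_cells` means the STRIDE pass in step 3 is incomplete; cells that genuinely do not apply are passed in `not_applicable` so the decision is explicit.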

For new features ask:

  • What new entry points does this create?
  • What can go wrong if input is malicious?
  • What's the blast radius if this component is compromised?
