Add draft project security threat-model document #1293
Adds a v0 THREAT_MODEL.md for Apache Knox drafted by the ASF Security team for the Knox PMC to review, adjust, and own (path 3 of the Frontier Model Preparation pre-flight, per the Knox PMC's 2026-07-02 go-ahead), plus the discoverability wiring: AGENTS.md -> SECURITY.md -> THREAT_MODEL.md. Generated-by: Claude (Opus 4.8, 1M context)
Test Results
32 tests 32 ✅ 3s ⏱️
Results for commit 7f2caa4. ♻️ This comment has been updated with latest results.
…nore apache-rat 0.13 (this repo's version) does not recognise the short SPDX identifier, so it flagged THREAT_MODEL.md / SECURITY.md / AGENTS.md. Switching to the full AL-2.0 header (HTML comment) makes them pass the license check on every RAT version, so the .ratignore exemption is no longer needed. Generated-by: Claude Code
Quick note on the CI: the red was One alternative worth flagging: No strong preference from our side; the header fix already gets you green, so the bump is purely optional cleanup.
What
Adds a v0 THREAT_MODEL.md for Apache Knox, plus the discoverability wiring (SECURITY.md and AGENTS.md), drafted by the ASF Security team for the Knox PMC to review, adjust, and own.

This is path 3 of the Frontier Model Preparation pre-flight — the Knox PMC (Larry McCay, chair) asked on 2026-07-02 for a v0 draft to react to. The document follows the Security team's threat-model rubric: it describes the assumptions Knox makes about its environment and callers, the security properties it upholds and the ones it explicitly disclaims, the operator's responsibilities, and a triage-disposition table for routing a security report.

THREAT_MODEL.md — the v0 draft (provenance-tagged (documented) / (maintainer) / (inferred); §14 collects the open questions for the PMC, prioritized in waves).
SECURITY.md — a reporting policy (Knox had none) that links the threat model.
AGENTS.md — points to SECURITY.md → THREAT_MODEL.md so the model is mechanically discoverable.

For the PMC — highest-leverage open questions
HeaderPreAuth (trusting an identity header without an mTLS/IP gate) a supported posture, or a misconfiguration the operator must avoid?

The (inferred) claims are the ones needing PMC confirmation; promoting them to (maintainer) as you answer §14 is the fastest path to a ratified model.

🤖 Generated with Claude Code