@bokelley
Contributor

Summary

Addresses #177 by adding explicit threat model documentation and clarifying which mitigations address which threats.

Key Changes

  1. Added Threat Model section - Explicit threat categories with primary mitigations
  2. Added Domain Trust Assumption section - Clearly explains why OAuth doesn't protect against domain hijacking
  3. Updated High-Risk Operations - Focus on actual controls (request signing, short-lived tokens, spending limits) rather than auth mechanism
  4. Rewrote Bearer Token Risks - Precise threat/mitigation mapping with reference to threat model

Key Insight

Authentication mechanism alone does not determine security level. A properly implemented bearer token system with short expiry, request signing, and spending limits provides stronger protection than a long-lived OAuth token without additional controls.

What OAuth Does vs Doesn't Provide

Provides:

  • Delegated access (user authorizes agent to act on their behalf)
  • Scoped permissions
  • Token revocation without rotating credentials

Does NOT provide:

  • Protection against compromised domains
  • Verification that the server is the intended recipient

Actual Mitigations for Domain Trust Threats

| Mitigation | How It Helps |
| --- | --- |
| TLS Certificate Pinning | Rejects connections even if attacker has valid cert |
| DNSSEC | Protects against DNS spoofing |
| Domain Monitoring | Alerts when registration changes/expires |
| ads.txt/sellers.json | Industry-standard publisher authorization |

Test plan

  • All existing tests pass
  • Documentation builds without broken links
  • Review threat model for completeness
  • Verify guidance is actionable for implementers

🤖 Generated with Claude Code

Addresses issue #177 by adding explicit threat model documentation
and clarifying which mitigations address which threats.

Key changes:
- Add Threat Model section with categorized threats and mitigations
- Add Domain Trust Assumption section explaining OAuth limitations
- Clarify that OAuth doesn't protect against domain hijacking
- Update high-risk operations to focus on actual controls (request
  signing, short-lived tokens, spending limits) rather than auth mechanism
- Rewrite Bearer Token Risks with precise threat/mitigation mapping

The key insight: authentication mechanism alone doesn't determine
security level. A well-implemented bearer token system with request
signing and spending limits is more secure than a long-lived OAuth
token without those controls.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
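The "key insight" above is that the controls around a token matter more than the token type. The following is an added example, not code from this PR or from the project it documents, showing what those three controls look like when enforced together on the server side: a short-lived HMAC-signed bearer token, a per-request signature bound to method, path, body and timestamp, and a per-agent spending ledger. The token format, the canonical-string layout, the 60-second skew window, the 100-unit limit and the secrets are all constructed for illustration and are not the project's wire format.

```python
"""Added example (not the PR's or the project's own code): verifier for
short-lived tokens, request signing and a spending limit, stdlib only.
Token layout, canonical string, skew window and limits are assumptions."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

CLOCK_SKEW_SECONDS = 60  # assumed tolerance between client and server clocks


def _sign(key: bytes, message: str) -> str:
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


def issue_token(token_secret: bytes, agent_id: str, ttl_seconds: int, now: int) -> str:
    """Compact bearer token: JSON claims + HMAC tag. The short TTL bounds
    how long a leaked token stays usable (constructed format)."""
    payload = json.dumps({"sub": agent_id, "exp": now + ttl_seconds}, sort_keys=True)
    return payload + "." + _sign(token_secret, payload)


def parse_token(token_secret: bytes, token: str, now: int):
    """Return (agent_id, reason); agent_id is None when the token is rejected."""
    payload, _, tag = token.rpartition(".")
    if not payload or not hmac.compare_digest(tag, _sign(token_secret, payload)):
        return None, "bad token signature"
    claims = json.loads(payload)
    if now > claims["exp"]:
        return None, "token expired"
    return claims["sub"], "ok"


def canonical_request(method: str, path: str, body: str, timestamp: int) -> str:
    """String the client signs. Binding method, path, body hash and time means a
    captured request cannot be altered, and cannot be replayed outside the skew window."""
    body_hash = hashlib.sha256(body.encode()).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash])


def sign_request(signing_key: bytes, method: str, path: str, body: str, timestamp: int) -> str:
    return _sign(signing_key, canonical_request(method, path, body, timestamp))


@dataclass
class SpendingLedger:
    """Per-agent running total against a fixed cap (assumed policy)."""
    limit_per_agent: float
    spent: dict = field(default_factory=dict)

    def try_spend(self, agent_id: str, amount: float) -> bool:
        new_total = self.spent.get(agent_id, 0.0) + amount
        if new_total > self.limit_per_agent:
            return False
        self.spent[agent_id] = new_total
        return True


def verify_request(token_secret, signing_key, ledger, *, token, method, path,
                   body, timestamp, signature, now):
    """Apply the controls in order: token validity and expiry, timestamp skew,
    request signature, then the spending cap. Returns (accepted, reason)."""
    agent_id, reason = parse_token(token_secret, token, now)
    if agent_id is None:
        return False, reason
    if abs(now - timestamp) > CLOCK_SKEW_SECONDS:
        return False, "request timestamp outside skew window"
    expected = sign_request(signing_key, method, path, body, timestamp)
    if not hmac.compare_digest(signature, expected):
        return False, "bad request signature"
    amount = float(json.loads(body).get("amount", 0.0))
    if not ledger.try_spend(agent_id, amount):
        return False, "spending limit exceeded"
    return True, "ok"


def demo() -> dict:
    """Walk one agent through accept / tamper / overspend / expiry (constructed data)."""
    token_secret = b"constructed-token-secret"
    signing_key = b"constructed-per-agent-signing-key"
    now = 1_700_000_000
    ledger = SpendingLedger(limit_per_agent=100.0)
    token = issue_token(token_secret, "agent-42", ttl_seconds=300, now=now)
    body = json.dumps({"amount": 60.0, "campaign": "demo"})
    sig = sign_request(signing_key, "POST", "/v1/buy", body, now)
    common = dict(token=token, method="POST", path="/v1/buy", timestamp=now, signature=sig)
    results = {}
    results["first_buy"] = verify_request(token_secret, signing_key, ledger, body=body, now=now, **common)[1]
    tampered = json.dumps({"amount": 5.0, "campaign": "demo"})  # body changed, signature not
    results["tampered_body"] = verify_request(token_secret, signing_key, ledger, body=tampered, now=now, **common)[1]
    results["second_buy"] = verify_request(token_secret, signing_key, ledger, body=body, now=now + 10, **common)[1]
    results["replay_later"] = verify_request(token_secret, signing_key, ledger, body=body, now=now + 600, **common)[1]
    return results


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {reason}")
```

Each step in `demo()` fails on a different control: the altered body fails the request signature, the replay inside the skew window is well-formed and freshly timestamped but trips the spending cap, and the replay ten minutes later is rejected by the token's expiry before any other check runs. None of this depends on whether the token came from OAuth or from a plain API-key issuance, which is the PR's point.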