Threat Model (Lite)
Scope
- Services: apps/api (FastAPI) and apps/worker (RQ)
- Data stores: Postgres, Redis
- Interfaces: HTTP API, background jobs
Assets
- User data and project metadata
- API key and service credentials
- Source code integrity and CI secrets
Trust Boundaries
- Internet ↔ reverse proxy/API
- API ↔ database/Redis
- API ↔ worker queue
Threats (Examples)
- AuthN/Z bypass on protected routes
- Injection (SQL, command), deserialization
- Sensitive data exposure via logs or error messages
- SSRF via URL inputs; path traversal in file ops
- Queue poisoning or job execution abuse
- Denial of service (resource exhaustion)
Mitigations (Current/Planned)
- API key via x-api-key header; env‑based secrets
- Input validation with Pydantic; parameterized SQLAlchemy
- Least‑privilege DB roles; safe file ops in fs_guard
- Structured logging; avoid secrets in logs
- Health checks (/health, /status) and smoke tests
- Linting, tests, quality gates in CI
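Added example (not code from this project): one way the x-api-key check with an env-based secret and secret-free structured logging could look, using only the Python standard library. The variable name API_KEYS, its comma-separated rotation format and the function names are assumptions.

```python
import hashlib
import hmac
import json
import os

API_KEYS_ENV = "API_KEYS"  # assumed variable name; comma-separated to allow key rotation


def load_keys(environ=os.environ):
    """Read the accepted keys from the environment; an empty list means deny all."""
    raw = environ.get(API_KEYS_ENV, "")
    return [k.strip().encode() for k in raw.split(",") if k.strip()]


def fingerprint(value: bytes) -> str:
    """Short SHA-256 prefix that identifies a (random, high-entropy) key in logs."""
    return hashlib.sha256(value).hexdigest()[:12]


def check_api_key(headers, environ=os.environ):
    """Return (allowed, json_log_record) for one request's headers."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    normalised = {name.lower(): value for name, value in headers.items()}
    presented = normalised.get("x-api-key", "").encode()
    keys = load_keys(environ)
    allowed = False
    matched = None
    # Constant-time comparison against every configured key, with no early exit.
    for key in keys:
        if hmac.compare_digest(presented, key):
            allowed = True
            matched = fingerprint(key)
    if not keys:
        reason = "no_keys_configured"  # fail closed when the secret is missing
    elif not presented:
        reason = "missing_header"
    else:
        reason = "ok" if allowed else "bad_key"
    # Structured record: the presented key itself is never written to the log.
    record = {"event": "api_key_check", "allowed": allowed,
              "reason": reason, "key_fp": matched}
    return allowed, json.dumps(record, sort_keys=True)
```
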
Residual Risks / TODOs
- Rate limiting and abuse detection
- Security headers and TLS termination guidance
- SBOM and container scanning in CI (task scan)