
docs(architecture): Layer 7 — STRIDE threat model on the container DFD #196

Merged
Yambr merged 2 commits into next/v1 from docs/layer7-threat-model on May 30, 2026

Conversation

@Yambr Yambr commented May 30, 2026

Collaborator

What

Layer 7 of the next/v1 architecture: a STRIDE-per-element threat model over the Layer 6 container DFD.

  • docs/architecture/06-threat-model.md — the model.
  • docs/architecture/diagrams/06-threat-model.mmd — overlay marking the OPEN/residual threats on the DFD.

Method

STRIDE-per-element (Microsoft element-type mapping: process S/T/R/I/D/E; data-flow T/I/D + boundary S/E; data-store T/I/D, +R for the audit log; external entity S/R). Severity is a qualitative Likelihood × Impact → High/Med/Low. The in-sandbox process is the primary adversary holding in-sandbox root, so the high-value rows weight its outbound and host-facing edges, not the inbound caller edge.

Each threat row resolves to a canon NFR (with the per-zone framework cell from 02-trust-boundaries.md §11) or routes to a tracked open hole. The twenty OPEN/residual rows map to existing security issues (#149, #176, #181–#188); the snapshot-at-rest (#184) and guest-self-audit (#181) gaps surface as OPEN, not silently mitigated.

Deferred

Scope

No code, no NFR changes — a new analysis layer over the existing DFD. The DFD itself (05-c4-container.md, c4-container.mmd) is referenced, not redrawn.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Documentation
    • Added a comprehensive threat model draft with scope, dataflow references, STRIDE mappings, qualitative Likelihood×Impact ratings, a detailed threat table (threats, ratings, mitigations, residuals, status) and tracked open risks linked to follow-up items.
    • Added accompanying architecture diagrams that visualize components, threat overlays, residual exposures, and styling to highlight open/affected elements.

Review Change Stack

STRIDE-per-element over the Layer 6 DFD (7 containers, 2 data stores,
4 external actors, 11 boundary flows). The in-sandbox process is the
primary adversary, so the high-value rows weight the sandbox's outbound
and host-facing edges. Each threat resolves to a canon NFR or routes to
a tracked open hole; severity is qualitative Likelihood x Impact.

The twenty OPEN/residual rows map to existing security issues
(#149, #176, #181-188); the snapshot-at-rest and guest-self-audit gaps
surface as OPEN, not silently mitigated. The machine-checkable Threagile
layer is deferred to #194; a LINDDUN privacy pass to #195.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
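
As a worked illustration of the STRIDE-per-element method and rating scheme described in the PR description above (an added example, not code from this PR or the project), the script below applies the Microsoft element-type mapping, the document's boundary-flow S/E and audit-log R additions, and a qualitative Likelihood × Impact band to a constructed element inventory, then reports element/category pairs that have no row and rows that are neither resolved to an NFR nor routed to a tracked issue. The element names, row IDs (P6, P6-E1, ...), the NFR-EXAMPLE identifier and the severity band thresholds are assumptions; the issue number reused is one the PR cites.

```python
"""STRIDE-per-element enumeration over a container DFD inventory.
Added example (not project code). Element names, row IDs, NFR-EXAMPLE-1 and
the severity thresholds are constructed/assumed; "#181" is cited by the PR.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Microsoft STRIDE-per-element applicability by DFD element type.
STRIDE_BY_TYPE = {
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TID",
    "external_entity": "SR",
}

# Ordinal scale for the qualitative Likelihood x Impact rating.
LEVEL = {"Low": 1, "Med": 2, "High": 3}


@dataclass
class Element:
    id: str
    kind: str
    name: str
    crosses_boundary: bool = False  # data flows only
    audit_log: bool = False         # data stores only


def applicable_stride(e: Element) -> str:
    """STRIDE letters that apply to one element, in S-T-R-I-D-E order."""
    letters = STRIDE_BY_TYPE[e.kind]
    if e.kind == "data_flow" and e.crosses_boundary:
        letters += "SE"  # document's convention: boundary-crossing flows add S/E
    if e.kind == "data_store" and e.audit_log:
        letters += "R"   # the audit log must also resist repudiation
    return "".join(c for c in "STRIDE" if c in letters)


def rate(likelihood: str, impact: str) -> str:
    """Band the product of the two ordinals (band thresholds are an assumption)."""
    score = LEVEL[likelihood] * LEVEL[impact]
    if score >= 6:
        return "High"
    if score >= 3:
        return "Med"
    return "Low"


@dataclass
class Threat:
    id: str
    element: str
    category: str  # one STRIDE letter
    description: str
    likelihood: str
    impact: str
    mitigation: str = ""
    nfr: Optional[str] = None    # canon NFR that resolves the row
    issue: Optional[str] = None  # tracked open hole, e.g. "#184"

    @property
    def severity(self) -> str:
        return rate(self.likelihood, self.impact)

    @property
    def status(self) -> str:
        if self.nfr:
            return "MITIGATED"
        if self.issue:
            return "OPEN"
        return "UNTRACKED"  # neither resolved nor routed: a silently "mitigated" row


def skeleton_rows(inventory: List[Element]) -> List[str]:
    """Row IDs a complete STRIDE-per-element table needs (one per element/letter)."""
    return [f"{e.id}-{c}1" for e in inventory for c in applicable_stride(e)]


def coverage_gaps(inventory: List[Element], rows: List[Threat]) -> Tuple[List[str], List[str]]:
    """Return (element/letter pairs with no row at all, rows with neither NFR nor issue)."""
    covered = {(t.element, t.category) for t in rows}
    missing = [f"{e.id}-{c}" for e in inventory for c in applicable_stride(e)
               if (e.id, c) not in covered]
    untracked = [t.id for t in rows if t.status == "UNTRACKED"]
    return missing, untracked


# Constructed sample inventory: one element of each type.
SAMPLE_INVENTORY = [
    Element("P6", "process", "session sandbox"),
    Element("F9", "data_flow", "sandbox -> egress proxy", crosses_boundary=True),
    Element("D2", "data_store", "audit log", audit_log=True),
    Element("X1", "external_entity", "operator"),
]

# Constructed sample rows: one resolved, one routed, one forgotten.
SAMPLE_ROWS = [
    Threat("P6-E1", "P6", "E", "sandbox root reaches a host outside the allow-list",
           "Med", "High", "deny-by-default allow-list; no alternate route", nfr="NFR-EXAMPLE-1"),
    Threat("D2-R1", "D2", "R", "guest rewrites or drops its own audit entries",
           "Med", "High", issue="#181"),
    Threat("F9-I1", "F9", "I", "flow metadata readable by a co-tenant", "Low", "High"),
]
```

Running `coverage_gaps(SAMPLE_INVENTORY, SAMPLE_ROWS)` on the sample lists the 14 element/letter pairs still lacking a row and flags `F9-I1` as untracked; the same check over the real table is what keeps an unresolved row from reading as mitigated by omission.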
@coderabbitai

coderabbitai Bot commented May 30, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: bf7fcf5d-846e-423d-a05d-c5e9f3e1dfac

📥 Commits

Reviewing files that changed from the base of the PR and between 1cd8efe and 61e6be0.

📒 Files selected for processing (1)
  • docs/architecture/06-threat-model.md
✅ Files skipped from review due to trivial changes (1)
  • docs/architecture/06-threat-model.md

Walkthrough

Adds a draft STRIDE-per-element threat model for the Layer 6 container DFD and an accompanying Mermaid diagram. The doc records scope, STRIDE applicability, Likelihood×Impact ratings, a per-element threat table with mitigations and residuals, an OPEN risk tracker, deferred automation notes, and open questions.

Changes

Threat Model Documentation and Visualization

  • Threat model scope and element inventory (docs/architecture/06-threat-model.md, lines 1–34): document front-matter, STRIDE-per-element narrative, scope, rating scheme, and inventory of processes/data stores/flows/external actors with trust-boundary notes.
  • STRIDE threat table and residual risks (docs/architecture/06-threat-model.md, lines 35–146): core STRIDE table listing threats, Likelihood/Impact ratings, mitigations, NFR/zone anchors, residual exposure notes, per-threat status, and an aggregated residual-risk tracking table linking OPEN items to issues.
  • Deferred work and open questions (docs/architecture/06-threat-model.md, lines 147–157): defers threat-model-as-code automation and enumerates unresolved items (per-tool/per-action auth, cross-tenant side-channels, trusted-time/clock-rollback, out-of-band evidence, LINDDUN).
  • Threat model visualization (docs/architecture/diagrams/06-threat-model.mmd): Mermaid flowchart overlaying Layer 7 STRIDE elements on the Layer 6 container DFD with node/edge wiring, OPEN/residual annotations, and styling for external vs. residual elements.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • Wide-Moat/open-computer-use#173: Introduced the Layer 6 container structure (gateway, control API, credential custody, storage broker, session sandbox, egress proxy, audit pipeline) that this threat model annotates.
  • Wide-Moat/open-computer-use#189: Related trust-boundary and diagram updates informing the threat model's Operator/control-plane and storage-broker analysis.
🚥 Pre-merge checks: ✅ 5 passed

  • Description Check: ✅ Passed. Check skipped because CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and specifically describes the main change: adding a STRIDE threat model documentation at Layer 7 to the container DFD, which aligns with the pull request's core objective of introducing threat modeling analysis.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/architecture/06-threat-model.md`:
- Line 104: In the P6-E1 row update the clause "Deny-by-default allow-list is
the only outbound path; sandbox has no route out except the edge" to remove the
superlative—reword to state the same constraint without "only" (e.g., "Outbound
traffic is restricted by a deny-by-default allow-list; the sandbox is configured
with no alternate route and must egress via the edge") so the technical claim is
preserved while avoiding the AI-slop trigger.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 6c175bb9-e428-494b-8697-7b87cc18e691

📥 Commits

Reviewing files that changed from the base of the PR and between 7c15d6a and 1cd8efe.

📒 Files selected for processing (2)
  • docs/architecture/06-threat-model.md
  • docs/architecture/diagrams/06-threat-model.mmd

Comment thread docs/architecture/06-threat-model.md Outdated
…open-question routing

- Rephrase two "is the only" superlatives the slop detector flagged (P6-T1, P6-E1).
- P5-D1: credit NFR-SEC-14 for the per-container PID ceiling it already mandates; narrow the #188 residual to disk quota + deterministic OOM scoping.
- Route four edge-integrity open questions to issues: edge binary/config attestation, no-credential-in-response, MITM-plaintext zeroization (#197), and transparent-mode SNI/Host consistency (#198).
- P3-I1: drop the out-of-scope NFR-SEC-32 citation (it disclaims guest-VM memory, not host custody-process memory).
- P2-S2: name the gateway's generic internal token class (NFR-SEC-23).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>