# Threat Model — STRIDE + MAESTRO

---

## Header

| Field | Value |
|-------|-------|
| **Report type** | threat-model |
| **Target** | DFT data-platform RAG-system |
| **System** | rag-platform v3.2.0 |
| **Date** | 2026-05-05 |
| **Framework** | STRIDE + MAESTRO |
| **Version** | llm-security v7.4.0 |
| **Triggered by** | /security threat-model |

---

## Risk Dashboard

| Metric | Value |
|--------|-------|
| **Risk Score** | 52/100 |
| **Risk Band** | High |
| **Grade** | C |
| **Verdict** | WARNING |

| Severity | Count |
|----------|------:|
| Critical | 1 |
| High | 3 |
| Medium | 4 |
| Low | 2 |
| Info | 0 |
| **Total** | **10** |

**Verdict rationale:** 1 CRITICAL on token theft via cross-tenant context bleed (M5/MAESTRO authorization). 3 HIGH on prompt-injection chains and source-document tampering. Threat model produced; mitigations pending architectural sign-off.

---

## Risk Matrix (5×5)

| Threat | Likelihood | Impact | Score |
|--------|-----------:|-------:|------:|
| TM-001 — Cross-tenant context bleed via index sharing | 4 | 5 | 20 |
| TM-002 — Prompt injection via source documents | 4 | 4 | 16 |
| TM-003 — Source document tampering (pre-ingest) | 3 | 4 | 12 |
| TM-004 — Embedding inversion attack | 2 | 5 | 10 |
| TM-005 — RAG output exfil via tool call | 3 | 3 | 9 |
| TM-006 — DoS via expensive query patterns | 4 | 2 | 8 |
| TM-007 — Authorization bypass on retrieval | 2 | 4 | 8 |
| TM-008 — Logging gap for prompt history | 3 | 2 | 6 |
| TM-009 — Side-channel via response timing | 2 | 3 | 6 |
| TM-010 — Stale embeddings post-rotation | 2 | 2 | 4 |

---

## Threats

| ID | Description | Severity | Mitigation |
|----|-------------|----------|------------|
| TM-001 | Cross-tenant context bleed via index sharing — single Azure AI Search index shared across all tenants | critical | Tenant-isolated indexes OR row-level security with tenant_id filter |
| TM-002 | Prompt injection via source documents — adversarial PDF in corpus | high | Trust-Bus wrapper + Constrained Markdown parser + pre-ingest scanning |
| TM-003 | Source document tampering pre-ingest — supply chain attack on the document pipeline | high | Signed manifests + SHA-256 verification at ingest |
| TM-004 | Embedding inversion attack — recover source text from stored embeddings | medium | Use a private embedding model OR add noise to stored embeddings |
| TM-005 | RAG output exfil via tool call (Bash, WebFetch chained from RAG output) | high | Hook-level data-flow tracking (post-session-guard.mjs trifecta) |
| TM-006 | DoS via expensive query patterns | medium | Query budget + per-tenant rate limit |
| TM-007 | Authorization bypass on retrieval | medium | Validate tenant_id from the auth claim, not from the request payload |
| TM-008 | Logging gap for prompt history | medium | Append-only audit log, retained 90 days |
| TM-009 | Side-channel via response timing | low | Constant-time response shaping for sensitive paths |
| TM-010 | Stale embeddings post-rotation | low | Embedding version tag + rotation playbook |

---

## STRIDE Coverage

| Category | Count | Notes |
|----------|------:|-------|
| Spoofing | 1 | TM-007 |
| Tampering | 2 | TM-003, TM-010 |
| Repudiation | 1 | TM-008 |
| Information Disclosure | 3 | TM-001, TM-004, TM-009 |
| Denial of Service | 1 | TM-006 |
| Elevation of Privilege | 2 | TM-002, TM-005 |

---

## MAESTRO Coverage

| Layer | Count | Notes |
|-------|------:|-------|
| L1 Foundation Models | 0 | Out of scope for this assessment |
| L2 Data Operations | 4 | TM-001, TM-003, TM-004, TM-010 |
| L3 Agentic Frameworks | 0 | RAG only, no agents in this layer |
| L4 Deployment & Infra | 1 | TM-006 |
| L5 Evaluation & Observability | 1 | TM-008 |
| L6 Security & Compliance | 1 | TM-009 |
| L7 Agent Ecosystem | 3 | TM-002, TM-005, TM-007 |

---

## Mitigation Roadmap

| Priority | Threat | Mitigation | Owner | ETA |
|----------|--------|------------|-------|-----|
| P0 | TM-001 | Tenant-isolated indexes | platform-eng | 2026-05-15 |
| P0 | TM-002 | Trust-Bus + Constrained Markdown | ai-platform | 2026-05-22 |
| P1 | TM-003 | Signed manifests + ingest verification | data-eng | 2026-05-29 |
| P1 | TM-005 | Hook-level data-flow tracking | security-eng | 2026-05-22 |
| P2 | TM-006, TM-007, TM-008 | Rate limit + auth fix + audit log | platform-eng | 2026-06-15 |
| P3 | TM-004, TM-009, TM-010 | Embedding hardening | research | 2026-Q3 |

---

## Recommendations

1. **Immediate (P0):** Tenant-isolated indexes — TM-001 is THE critical risk for this multi-tenant RAG.
2. **Immediate (P0):** Trust-Bus wrapper and Constrained Markdown parser — TM-002 closes the highest-volume injection vector.
3. **High (P1):** Signed-manifest pipeline (TM-003) and hook-level data-flow tracking (TM-005).
4. **Medium (P2):** Rate limit + auth fix + audit log — bundled together for one platform-eng sprint.

---

*Threat model complete. 10 threats across the STRIDE + MAESTRO frameworks. 2 P0, 2 P1.*