docs: threat model and attack surface analysis (OSPS-SA-03.02) (#90)

paradoxbound · web-flow · commit bc22082d9ec6 · 2026-03-09T14:59:18.000Z
## Summary - Renames the \"Security Assessment\" section in `SECURITY.md` to \"Threat Model and Attack Surface Analysis\" - Adds an explicit **Attack Surface** subsection documenting trust boundaries, entry points, and critical code paths - Notes that the threat model is reviewed at each release - Satisfies OSPS-SA-03.02 ## Test plan - [ ] Review `SECURITY.md` changes for accuracy and completeness - [ ] Approve and merge 🤖 Generated with [Claude Code](https://claude.com/claude-code) Signed-off-by: paradoxbound <paradoxbound@users.noreply.github.com> Signed-off-by: Paradoxbound <paradoxbound@users.noreply.github.com> Co-authored-by: Paradoxbound <paradoxbound@users.noreply.github.com>
diff --git a/SECURITY.md b/SECURITY.md
@@ -35,9 +35,27 @@ This project uses no manually stored CI/CD secrets. The only secret in the pipel
 
 If you discover that credentials have been accidentally committed or exposed, rotate them immediately, then report the incident privately using the process in the [Reporting a Vulnerability](#reporting-a-vulnerability) section below.
 
-## Security Assessment
+## Threat Model and Attack Surface Analysis
 
-This section documents the most likely and impactful security risks for this project.
+This section documents the attack surface, trust boundaries, and identified threats for this project. It is reviewed and updated at each release.
+
+### Attack Surface
+
+**Trust boundaries:**
+- **MCP client → MCP server (stdio):** The server is spawned as a local subprocess by the MCP client (e.g. Claude Desktop, LibreChat). Communication is over stdio; no network socket is exposed. The client is considered trusted.
+- **MCP server → BookStack API (HTTPS):** All requests are authenticated with a Bearer token. The server enforces HTTPS and rejects plain-HTTP base URLs at startup.
+- **Operator → MCP server (environment variables):** `BOOKSTACK_BASE_URL`, `BOOKSTACK_TOKEN_ID`, `BOOKSTACK_TOKEN_SECRET`, and `BOOKSTACK_ENABLE_WRITE` are supplied at deployment time by the operator. They are not accepted from MCP clients or end users.
+
+**Entry points:**
+- MCP tool input parameters (validated by Zod schemas before use)
+- Environment variables (read once at startup; never re-read or logged)
+- BookStack API responses (relayed to the MCP client; not interpreted by the server)
+
+**Critical code paths:**
+- Credential loading and HTTP request construction (`packages/core/src/bookstack-client.ts`)
+- Write operation gating — `BOOKSTACK_ENABLE_WRITE` check before registering write tools (`packages/stdio/src/index.ts`)
+- HTTPS enforcement — URL validation at startup rejects non-HTTPS base URLs
+- Tool input validation — Zod schemas on all MCP tool parameters
 
 ### 1. API credential exposure (HIGH)
 
