Secrets vault threat model

On this page

  • 1. Scope
  • In Scope
  • Out of Scope
  • 2. Trust Boundaries
  • Process Boundary
  • Storage Boundary
  • Tool Boundary
  • Audit Boundary
  • 3. Asset Inventory
  • Asset 1: Stored Secrets
  • Asset 2: DataProtection Key Ring
  • Asset 3: Audit Log
  • Asset 4: In-Memory Secret Values
  • 4. Threat Actors
  • Actor 1: External Attacker with Code Execution in Gateway Process
  • Actor 2: Malicious or Hijacked Agent
  • Actor 3: Compromised Tool Author (Supply Chain)
  • Actor 4: Insider with Disk Access to SQLite + Key Ring
  • Actor 5: Backup/Snapshot Theft
  • 5. STRIDE Analysis Per Asset
  • Asset 1: Stored Secrets (Encrypted Ciphertext)
  • Asset 2: DataProtection Key Ring
  • Asset 3: Audit Log
  • Asset 4: In-Memory Secret Values
  • 6. Specific Concerns & Required Mitigations
  • Concern 1: Prompt Injection → Secret Exfiltration ⚠️ CRITICAL
  • Concern 2: Audit Log Evidentiary Value ⚠️ MEDIUM
  • Concern 3: Key Ring Disaster Recovery ⚠️ CRITICAL
  • Concern 4: Side-Channel via Audit Log (Naming Enumeration) ⚠️ MEDIUM
  • Concern 5: Cache Side-Channel via Memory Dump ⚠️ MEDIUM
  • Concern 6: Resolution-Time Exception Leakage ⚠️ CRITICAL
  • 7. Logging Guidance
  • REQUIRED Logging (Safe)
  • FORBIDDEN Logging (Dangerous)
  • Example Safe Log
  • Example Unsafe Log (Anti-Pattern)
  • 8. Acceptance Gates for Phase 1 Shipping
  • 9. Open Questions for Mark (Architecture Lead)
  • 10. Known Risks & Accepted Residuals
  • Risk 1: In-Memory Secrets Not Zeroed (Phase 4 hardening)
  • Risk 2: Audit Log Not Tamper-Evident (Phase 4 hardening)
  • Risk 3: No Per-Tool ACL in Phase 1 (Phase 2 work)
  • Risk 4: Key Ring ACL Not Enforced (Phase 2 hardening)
  • Risk 5: Cache Side-Channel (Phase 4 hardening)
  • 11. Integration with S5 (Google Workspace OAuth) Security Review
  • Finding 1: Potential Token Leak in Error Response Logging (Mitigated)
  • Finding 2: Disconnect Endpoint Lacks Authentication (Separate from vault)
  • 12. Glossary & References
  • Related Documents
  • Appendix A: Threat Model Change Log
  • Appendix B: Assumptions
