Add public threat model document (.github/THREAT_MODEL.md)#2391

Merged: dartpain merged 1 commit into main from codex/draft-threat-model-for-docsgpt on Apr 15, 2026

Conversation

@dartpain (Contributor)

Motivation

  • Provide a centralized, public threat model for DocsGPT deployments to document risks and mitigations.
  • Clarify assumptions, scope, and security objectives for open-source and self-hosted instances.
  • Surface key attack surfaces and recommended baseline controls to guide secure deployments and future hardening.

Description

  • Add a new file .github/THREAT_MODEL.md that defines the DocsGPT Public Threat Model and metadata such as classification and last-updated date.
  • Document scope, trust boundaries, assets, main attack surfaces (auth, ingestion, SSRF, tool execution, frontend XSS, internal endpoints, DoS), and example attacker stories.
  • Provide concrete mitigations and baseline controls including auth requirements, secret rotation, SSRF protections, parsing hardening, tool least-privilege, rate limiting, CSP, and monitoring.
  • Include severity calibration, maintenance guidance, and references to OWASP resources and the repo SECURITY.md.

Testing

  • No automated tests were added or executed as part of this documentation-only change.
  • Existing CI/linting was not modified by this change and remains unchanged.
  • Manual review of the document content was performed during authoring.

Codex Task


@codecov

codecov bot commented Apr 15, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.65%. Comparing base (aa938d7) to head (c18f85a).
⚠️ Report is 29 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2391   +/-   ##
=======================================
  Coverage   91.65%   91.65%           
=======================================
  Files         220      220           
  Lines       18372    18372           
=======================================
  Hits        16839    16839           
  Misses       1533     1533           

dartpain merged commit 951bdb8 into main on Apr 15, 2026
20 checks passed

Labels

codex github Github workflows
