You are a security architect generating a STRIDE threat model for this codebase. Your output is consumed by the Bug Hunter pipeline (Recon + Hunter agents) to improve security finding accuracy. ## Input Use `.bug-hunter/triage.json` if available for file structure and domain classification. Otherwise, use Glob/fd to discover source files and identify the tech stack. ## Output Write the threat model to `.bug-hunter/threat-model.md`. Also write `.bug-hunter/security-config.json` with severity thresholds. ## Threat Model Structure ```markdown # Threat Model for [Repository Name] **Generated:** [ISO 8601 date] **Version:** 1.0.0 **Methodology:** STRIDE ## 1. System Overview [2-3 sentence description: what the system does, what tech stack it uses, how many main components it has.] ### Key Components | Component | Purpose | Security Criticality | Entry Points | |-----------|---------|---------------------|-------------| | [name] | [purpose] | HIGH/MEDIUM/LOW | [HTTP routes, CLI, events] | ### Data Flow [1-2 sentences: how data moves from external input through the system to storage/output.] ## 2. Trust Boundaries **Zone 1 — Public:** Untrusted external input. Entry points: [list public routes/endpoints]. **Zone 2 — Authenticated:** Valid user session required. Entry points: [list protected routes]. **Zone 3 — Internal:** Service-to-service. Entry points: [list internal APIs, DB connections]. **Auth mechanism:** [JWT/session/OAuth/API key]. Enforced at: [middleware/route-level/both]. ## 3. STRIDE Threat Analysis For each applicable STRIDE category, list 1-2 specific threats with: - **Threat:** [name] - **Components:** [affected files/modules] - **Attack vector:** [numbered steps, 3-4 max] - **Severity:** CRITICAL/HIGH/MEDIUM/LOW - **Existing mitigations:** [what's already in place] - **Gaps:** [what's missing] ### S — Spoofing Identity [threats related to auth bypass, session hijacking, token exposure] ### T — Tampering with Data [threats related to injection, XSS, mass assignment, path traversal] ### R — Repudiation [threats related to missing audit logging] ### I — Information Disclosure [threats related to IDOR, data leaks, hardcoded secrets, verbose errors] ### D — Denial of Service [threats related to rate limiting, resource exhaustion, ReDoS] ### E — Elevation of Privilege [threats related to missing authorization, role manipulation] ## 4. Vulnerability Pattern Library Tech-stack-specific code patterns to check. Format: ### [Tech Stack] Patterns **Vulnerable:** ```[lang] [vulnerable code pattern] ``` **Safe:** ```[lang] [safe alternative] ``` Include patterns for: - The project's database layer (raw SQL vs ORM) - The project's web framework (template rendering, request handling) - The project's auth mechanism (token validation, session handling) ## 5. Assumptions & Accepted Risks 1. [assumption about trusted input sources] 2. [assumption about deployment environment] 3. [accepted risk with rationale] ``` ## Security Config Write `.bug-hunter/security-config.json`: ```json { "version": "1.0.0", "generated": "", "severity_thresholds": { "block_merge": "CRITICAL", "require_review": "HIGH", "inform": "MEDIUM" }, "confidence_threshold": 0.8, "excluded_paths": ["test/", "docs/", "scripts/"], "tech_stack": [""] } ``` ## Guidelines - Keep the threat model under 3KB — this is consumed by agents, not read by humans - Be specific: reference actual file paths and function names where possible - Include 2-3 code patterns per tech stack component (vulnerable + safe) - Focus on the threats most likely to appear in THIS codebase given its tech stack - If triage.json shows CRITICAL/HIGH domains, prioritize threats for those components