|
| 1 | +# Agentic Sync Threat Model |
| 2 | + |
| 3 | +Status: draft |
| 4 | +Scope: SourceOS local-first graph, sync engines, SourceChannel, agent registry, memory mesh, policy fabric, shell, browser, terminal, and workspace surfaces. |
| 5 | + |
| 6 | +## Security thesis |
| 7 | + |
| 8 | +In an agentic operating environment, synced configuration can become execution control. A remote graph write that changes an agent instruction, shell profile, model route, tool grant, memory object, MCP endpoint, extension state, browser bridge, or policy bundle can directly alter what the system does. |
| 9 | + |
| 10 | +Therefore, agentic sync is a control-plane security boundary, not convenience replication. |
| 11 | + |
| 12 | +## Primary assets |
| 13 | + |
| 14 | +- User identity and device identity |
| 15 | +- Workspace graph state |
| 16 | +- Agent manifests and capability leases |
| 17 | +- Policy bundles and policy decisions |
| 18 | +- Memory objects and memory provenance |
| 19 | +- Shell profiles, aliases, environment templates, and command templates |
| 20 | +- Browser workspace sessions and extension metadata |
| 21 | +- Model/provider routing preferences |
| 22 | +- Secret references and vault leases |
| 23 | +- Audit events and provenance records |
| 24 | +- Relay peer identities |
| 25 | +- SourceChannel bridge envelopes |
| 26 | + |
| 27 | +## Threat actors |
| 28 | + |
| 29 | +- Malicious remote relay |
| 30 | +- Compromised user device |
| 31 | +- Compromised enterprise profile |
| 32 | +- Malicious browser extension |
| 33 | +- Malicious workspace web app |
| 34 | +- Malicious or confused agent |
| 35 | +- Poisoned memory source |
| 36 | +- Malicious repo dependency |
| 37 | +- Malicious MCP server |
| 38 | +- Network attacker |
| 39 | +- Insider with partial repo or policy access |
| 40 | +- Stale device replaying old graph writes |
| 41 | + |
| 42 | +## Threats and controls |
| 43 | + |
| 44 | +### Remote graph poisoning |
| 45 | + |
| 46 | +Threat: an attacker submits graph objects that alter agent, memory, policy, shell, browser, or model state. |
| 47 | + |
| 48 | +Controls: |
| 49 | + |
| 50 | +- Require signatures on graph writes. |
| 51 | +- Validate schema version and collection ownership. |
| 52 | +- Quarantine unknown schemas and unsigned writes. |
| 53 | +- Enforce per-engine policy classes. |
| 54 | +- Require manual review for dangerous merge classes. |
| 55 | +- Emit audit events for accepted, rejected, and quarantined writes. |
| 56 | + |
| 57 | +### Agent capability escalation |
| 58 | + |
| 59 | +Threat: an agent gains tool, model, memory, shell, network, or MCP access through synced configuration. |
| 60 | + |
| 61 | +Controls: |
| 62 | + |
| 63 | +- Represent every privilege as an expiring capability lease. |
| 64 | +- Bind leases to agent ID, workspace ID, tool scope, policy bundle hash, and grantor. |
| 65 | +- Deny leases without a valid policy decision and audit pointer. |
| 66 | +- Revoke leases through SourcePolicy and Agent Registry. |
| 67 | +- Never trust agent self-declared capabilities without registry validation. |
| 68 | + |
| 69 | +### Memory injection |
| 70 | + |
| 71 | +Threat: remote or agent-generated memory silently changes long-term behavior. |
| 72 | + |
| 73 | +Controls: |
| 74 | + |
| 75 | +- Use lifecycle states: observed, proposed, scoped, approved, promoted, synced, expired, revoked. |
| 76 | +- Require provenance, confidence, sensitivity, retention, mutability, and scope. |
| 77 | +- Default agent writes to proposed memory only. |
| 78 | +- Require review for global or cross-profile memory promotion. |
| 79 | +- Quarantine memory from untrusted agents, browser surfaces, and unknown relays. |
| 80 | + |
| 81 | +### Shell profile injection |
| 82 | + |
| 83 | +Threat: synced shell aliases, functions, PATH changes, env templates, or startup scripts execute attacker-controlled commands. |
| 84 | + |
| 85 | +Controls: |
| 86 | + |
| 87 | +- Treat shell profile sync as high-risk. |
| 88 | +- Block raw shell history sync by default. |
| 89 | +- Redact secret-bearing environment state. |
| 90 | +- Require policy review for executable shell profile changes. |
| 91 | +- Emit SourceAudit events for every profile change. |
| 92 | +- Make TurtleTerm and sourceos-shell request changes through SourceChannel. |
| 93 | + |
| 94 | +### Browser-to-local bridge abuse |
| 95 | + |
| 96 | +Threat: a web origin, browser extension, or workspace UI controls local agents or shell through a localhost bridge. |
| 97 | + |
| 98 | +Controls: |
| 99 | + |
| 100 | +- Use SourceChannel envelopes for every privileged bridge request. |
| 101 | +- Bind requests to origin, profile, workspace, capability, nonce, expiry, and policy bundle hash. |
| 102 | +- Deny raw localhost trust. |
| 103 | +- Require explicit capability grants for browser-to-agent and browser-to-shell paths. |
| 104 | +- Audit every accepted and denied bridge call. |
| 105 | + |
| 106 | +### Policy downgrade |
| 107 | + |
| 108 | +Threat: remote policy weakens local, enterprise, repo, or safety controls. |
| 109 | + |
| 110 | +Controls: |
| 111 | + |
| 112 | +- Stronger policy wins. |
| 113 | +- Enterprise restrictions beat personal convenience inside enterprise profiles. |
| 114 | +- Local safety floor cannot be weakened remotely. |
| 115 | +- Repo policy beats agent preference. |
| 116 | +- Unsigned policy bundles are ignored or quarantined. |
| 117 | +- Policy downgrade requires signed authority and audit visibility. |
| 118 | + |
| 119 | +### Secret leakage |
| 120 | + |
| 121 | +Threat: secrets are synced as ordinary graph state or leaked through command history, environment snapshots, memory, logs, or browser state. |
| 122 | + |
| 123 | +Controls: |
| 124 | + |
| 125 | +- Never store raw tokens, private keys, or passwords as SourceGraph values. |
| 126 | +- Use SecretRef and vault-backed capability leases. |
| 127 | +- Redact secret-bearing environment state. |
| 128 | +- Block raw shell history sync by default. |
| 129 | +- Mark secret references as never_merge. |
| 130 | +- Audit secret lease issuance and revocation. |
| 131 | + |
| 132 | +### Relay compromise |
| 133 | + |
| 134 | +Threat: a sync relay observes, mutates, drops, replays, or reorders graph objects. |
| 135 | + |
| 136 | +Controls: |
| 137 | + |
| 138 | +- Encrypt payloads by profile, workspace, org, or device scope. |
| 139 | +- Sign all graph objects. |
| 140 | +- Use nonce, causal metadata, tombstones, and replay protection. |
| 141 | +- Treat relay identity as transport metadata, not authority. |
| 142 | +- Allow local-only operation when relay trust is insufficient. |
| 143 | + |
| 144 | +### Model/provider route manipulation |
| 145 | + |
| 146 | +Threat: synced model routing moves execution from local/private models to remote providers, or from approved providers to unapproved providers. |
| 147 | + |
| 148 | +Controls: |
| 149 | + |
| 150 | +- Treat model provider enablement as policy-controlled. |
| 151 | +- Bind model route changes to policy decisions. |
| 152 | +- Require approval for remote provider enablement in sensitive profiles. |
| 153 | +- Audit route changes and provider decisions. |
| 154 | +- Support local-only mode and enterprise firewall profiles. |
| 155 | + |
| 156 | +### Audit tampering |
| 157 | + |
| 158 | +Threat: attackers erase or rewrite audit records. |
| 159 | + |
| 160 | +Controls: |
| 161 | + |
| 162 | +- SourceAudit is append-only. |
| 163 | +- Deletion is handled through retention policy, not ordinary mutation. |
| 164 | +- Audit records should include hash-linked provenance where supported. |
| 165 | +- Sherlock/Holmes must surface gaps, invalid chains, and rejected audit writes. |
| 166 | + |
| 167 | +## Required security classifications |
| 168 | + |
| 169 | +Low risk: |
| 170 | + |
| 171 | +- View layout |
| 172 | +- Presence |
| 173 | +- Cursors |
| 174 | +- Non-executable UI preferences |
| 175 | + |
| 176 | +Medium risk: |
| 177 | + |
| 178 | +- Workspace graph references |
| 179 | +- Task metadata |
| 180 | +- Artifact metadata |
| 181 | +- Browser workspace sessions |
| 182 | + |
| 183 | +High risk: |
| 184 | + |
| 185 | +- Agent manifests |
| 186 | +- Memory objects |
| 187 | +- Shell profiles |
| 188 | +- Model routing |
| 189 | +- Extension enablement |
| 190 | +- MCP server definitions |
| 191 | + |
| 192 | +Critical risk: |
| 193 | + |
| 194 | +- Policy bundles |
| 195 | +- Capability leases |
| 196 | +- Secret references |
| 197 | +- Device keys |
| 198 | +- Org keys |
| 199 | +- Cross-device commands |
| 200 | +- Wipe or replace commands |
| 201 | + |
| 202 | +## Required audit events |
| 203 | + |
| 204 | +- graph.write.accepted |
| 205 | +- graph.write.rejected |
| 206 | +- graph.write.quarantined |
| 207 | +- sync.engine.started |
| 208 | +- sync.engine.completed |
| 209 | +- sync.conflict.detected |
| 210 | +- sync.conflict.resolved |
| 211 | +- policy.decision.allow |
| 212 | +- policy.decision.deny |
| 213 | +- policy.decision.require_review |
| 214 | +- agent.lease.granted |
| 215 | +- agent.lease.revoked |
| 216 | +- agent.execution.started |
| 217 | +- agent.execution.denied |
| 218 | +- memory.proposed |
| 219 | +- memory.promoted |
| 220 | +- memory.revoked |
| 221 | +- shell.profile.changed |
| 222 | +- browser.bridge.accepted |
| 223 | +- browser.bridge.denied |
| 224 | +- model.route.changed |
| 225 | +- secret.lease.issued |
| 226 | +- secret.lease.revoked |
| 227 | + |
| 228 | +## Acceptance criteria |
| 229 | + |
| 230 | +1. Every high-risk and critical-risk sync object has a policy class, merge rule, and audit event. |
| 231 | +2. Every privileged bridge path uses SourceChannel. |
| 232 | +3. Every agent privilege is represented as a capability lease. |
| 233 | +4. Every memory mutation has provenance and lifecycle state. |
| 234 | +5. Every policy decision has an explainable reason code. |
| 235 | +6. Every relay-originated write can be traced to identity, signature, policy, and audit. |
| 236 | +7. Every unsafe merge path has quarantine or review behavior. |
0 commit comments