potiuk opened a new pull request, #61: URL: https://github.com/apache/tapestry-5/pull/61
**This is a draft proposal for the Tapestry PMC to review — please correct, reject, or discuss as needed.** Nothing here is a requirement; the maintainers are the decision-makers.

This PR adds `THREAT_MODEL.md` + `SECURITY.md` + `AGENTS.md`, wiring `AGENTS.md -> SECURITY.md -> THREAT_MODEL.md`.

Framing: Tapestry is a *framework* — the application developer's pages/components/handlers and the operator's config are **trusted**, while the **web client is the adversary**. The most load-bearing mechanism is the **HMAC-protected serialized client state**: Tapestry round-trips serialized objects through the browser and deserializes them on return, gated by `tapestry.hmac-passphrase` (the post-CVE-2021-27850 protection).

Draft-first, mostly inferred (~12 documented / 0 maintainer / ~46 inferred); every `*(inferred)*` claim routes to a numbered **§14** question. The **wave-1** rulings:

- Is a configured **`tapestry.hmac-passphrase`** effectively required (fail-closed) so the serialized-state deserialization is always HMAC-gated — and what happens if it is unset?
- Is framework-rendered output **HTML-escaped by default** (raw output opt-in)?
- Are **assets** protected against path traversal / arbitrary classpath read by default?

I also tried to fold in the component categorization shared earlier — please confirm the §2 family table and the §11a "deserialization is HMAC-gated" non-finding.

Context: the ASF Security team is preparing the project for an automated agentic security scan we're piloting. Drafted via the [threat-model-producer](https://gist.github.com/potiuk/da14a826283038ddfe38cc9fe6310573) rubric. If you'd rather author it yourselves, close this PR and we'll regroup.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
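The PR description hinges on one mechanism: serialized state is only deserialized after an HMAC over it verifies, and the first wave-1 question asks whether the gate fails closed when the passphrase is unset. The following is an added, language-independent illustration of that pattern in Python (it is not Tapestry's Java implementation and not part of the PR); `encode_client_state`, `decode_client_state`, `ClientStateError` and the `pickle`-based payload are all illustrative choices, and `rejects` plus `tamper` exist only to exercise the gate on constructed input.

```python
import base64
import hashlib
import hmac
import pickle

MAC_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag prefixed to the payload


class ClientStateError(Exception):
    """Raised when client state cannot be trusted or when the gate is unconfigured."""


def _mac(passphrase: str, payload: bytes) -> bytes:
    return hmac.new(passphrase.encode("utf-8"), payload, hashlib.sha256).digest()


def encode_client_state(obj, passphrase: str) -> str:
    """Serialize obj and prefix an HMAC tag. Illustrative: no tag, no round trip."""
    if not passphrase:
        raise ClientStateError("HMAC passphrase not configured: refusing to emit client state")
    payload = pickle.dumps(obj)
    return base64.urlsafe_b64encode(_mac(passphrase, payload) + payload).decode("ascii")


def decode_client_state(token: str, passphrase: str):
    """Verify the tag first; bytes from the client never reach the deserializer otherwise."""
    if not passphrase:
        # Fail closed: with no passphrase there is no gate, so every token is rejected.
        raise ClientStateError("HMAC passphrase not configured: refusing to deserialize")
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except (ValueError, UnicodeEncodeError) as exc:
        raise ClientStateError("malformed client state") from exc
    if len(raw) < MAC_LEN:
        raise ClientStateError("malformed client state")
    tag, payload = raw[:MAC_LEN], raw[MAC_LEN:]
    if not hmac.compare_digest(tag, _mac(passphrase, payload)):  # constant-time compare
        raise ClientStateError("client state HMAC mismatch: modified payload or wrong key")
    return pickle.loads(payload)  # only reached for bytes this server produced itself


def tamper(token: str) -> str:
    """Constructed test input: flip one bit of the serialized payload, keep the original tag."""
    raw = bytearray(base64.urlsafe_b64decode(token.encode("ascii")))
    raw[-1] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode("ascii")


def rejects(token: str, passphrase: str) -> bool:
    """True if the gate refuses the token, i.e. deserialization never happens."""
    try:
        decode_client_state(token, passphrase)
    except ClientStateError:
        return True
    return False
```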
