potiuk opened a new pull request, #133:
URL: https://github.com/apache/solr-sandbox/pull/133

   **This is a proposal for the Solr PMC to review — please correct, reject, or 
discuss as needed.** The maintainers are the decision-makers; nothing here is a 
requirement.
   
   This adds a **v0 draft threat model** (`THREAT_MODEL.md`) for Solr Sandbox 
plus the conventional `AGENTS.md → SECURITY.md → THREAT_MODEL.md` 
discoverability chain, so an automated agentic security scanner can 
mechanically find the project's security model.
   
   **Context.** The ASF Security team is preparing Apache Solr's repositories 
for an automated agentic security scan. The Solr *search server* 
(`apache/solr`) already has its model merged, and we've opened equivalents for 
the operator (`apache/solr-operator#841`) and the MCP server 
(`apache/solr-mcp#160`). This PR completes the set for **solr-sandbox** — which 
is different again: unreleased, experimental modules that people build from 
source and run inside/alongside Solr. The model cross-references 
`apache/solr`'s `THREAT_MODEL.md` for the shared search-server posture rather 
than duplicating it.
   
   **This is a v0 draft — mostly `*(inferred)*`.** The Security team drafted it 
from the repo's own docs and code (`README.md`, `ENCRYPTION.md`, `CROSSDC.md`, 
the module sources) using the 
[`threat-model-producer`](https://gist.github.com/potiuk/da14a826283038ddfe38cc9fe6310573)
 rubric. Every claim carries a provenance tag; every `*(inferred)*` tag routes 
to a matching question in **§14 Open questions**. The fastest way to review is 
to **react** to §14 (a one-line confirm / correct / strike per question) rather 
than compose from scratch — we then fold your answers in and the tags become 
`*(maintainer)*`.
   
   The draft is built around what's actually in the repo today — the AES-CTR 
index-encryption module (including the `/admin/encrypt` handler whose 
`no_key_id` value decrypts the index to cleartext, and the "AES-CTR is 
confidentiality, not integrity" false friend) and the CrossDC Kafka replication 
modules (the Producer plugins, and the Consumer's `/threads` / `/metrics` HTTP 
port). The **headline open question (§14 Q-line)** is the one only the PMC can 
settle: where the line sits between "experimental, use at your own risk = out 
of model" and "a real, exploitable defect in a module you do anticipate people 
building and using = in model." We've proposed an answer for you to confirm or 
move.
   
   **Scope note:** solr-sandbox was one of the four repos in the Solr scan 
enrollment. If the PMC would rather **not** include it in scanning, just close 
the PR and we'll drop it. If you'd rather own the model yourselves, close it 
and we'll wait.
   
   Questions / pushback welcome — happy to adjust anything to match project 
conventions.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to