potiuk opened a new pull request, #133: URL: https://github.com/apache/solr-sandbox/pull/133
**This is a proposal for the Solr PMC to review — please correct, reject, or discuss as needed.** The maintainers are the decision-makers; nothing here is a requirement. This adds a **v0 draft threat model** (`THREAT_MODEL.md`) for Solr Sandbox plus the conventional `AGENTS.md → SECURITY.md → THREAT_MODEL.md` discoverability chain, so an automated agentic security scanner can mechanically find the project's security model. **Context.** The ASF Security team is preparing Apache Solr's repositories for an automated agentic security scan. The Solr *search server* (`apache/solr`) already has its model merged, and we've opened equivalents for the operator (`apache/solr-operator#841`) and the MCP server (`apache/solr-mcp#160`). This PR completes the set for **solr-sandbox** — which is different again: unreleased, experimental modules that people build from source and run inside/alongside Solr. The model cross-references `apache/solr`'s `THREAT_MODEL.md` for the shared search-server posture rather than duplicating it. **This is a v0 draft — mostly `*(inferred)*`.** The Security team drafted it from the repo's own docs and code (`README.md`, `ENCRYPTION.md`, `CROSSDC.md`, the module sources) using the [`threat-model-producer`](https://gist.github.com/potiuk/da14a826283038ddfe38cc9fe6310573) rubric. Every claim carries a provenance tag; every `*(inferred)*` tag routes to a matching question in **§14 Open questions**. The fastest way to review is to **react** to §14 (a one-line confirm / correct / strike per question) rather than compose from scratch — we then fold your answers in and the tags become `*(maintainer)*`. The draft is built around what's actually in the repo today — the AES-CTR index-encryption module (including the `/admin/encrypt` handler whose `no_key_id` value decrypts the index to cleartext, and the "AES-CTR is confidentiality, not integrity" false friend) and the CrossDC Kafka replication modules (the Producer plugins, and the Consumer's `/threads` / `/metrics` HTTP port). The **headline open question (§14 Q-line)** is the one only the PMC can settle: where the line sits between "experimental, use at your own risk = out of model" and "a real, exploitable defect in a module you do anticipate people building and using = in model." We've proposed an answer for you to confirm or move. **Scope note:** solr-sandbox was one of the four repos in the Solr scan enrollment. If the PMC would rather **not** include it in scanning, just close the PR and we'll drop it. If you'd rather own the model yourselves, close it and we'll wait. Questions / pushback welcome — happy to adjust anything to match project conventions. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
