
Threat Model (Baseline)

Reviewed on: 2026-01-21
Status: Draft (requires deployment-specific review)

This document provides a baseline threat model for the Primus Platform when deployed inside your infrastructure. It must be customized and reviewed for each production environment.

Scope

  • In-scope: Primus Platform libraries, configuration, and integration points used by your services.
  • Out-of-scope: Third-party services outside your control unless explicitly integrated (IdP, payment providers, SMS, AI).

Assumptions

  • Primus runs inside your network boundary.
  • Network egress is controlled by your deployment.
  • Secrets are provided via secure mechanisms (not committed to source).
  • Customer data classification is defined by your organization.

Assets to Protect

  • Customer data (PII, PHI, PCI) handled by your services.
  • Secrets and credentials (API keys, webhook secrets, tokens).
  • Audit logs and security telemetry.
  • Source code and CI/CD artifacts.

Trust Boundaries

  • Client to API boundary (TLS required).
  • API to external providers (IdP, payments, SMS, AI).
  • Build/CI pipelines (source, artifacts, dependency scanning).
  • Storage and database boundaries (tenant isolation).

Key Threats

  • Unauthorized access to APIs or data (auth bypass, weak ACLs).
  • Data exfiltration through misconfigured egress or logging.
  • Secrets exposure in code, logs, or CI.
  • Supply-chain risk from dependencies.
  • Payment webhook spoofing.
  • Prompt injection or data leakage through AI providers.

Baseline Mitigations (Platform Support)

  • Identity validation for OIDC/JWT issuers (if configured).
  • Webhook signature validation for Stripe and PayPal (if configured).
  • Secret detection and dependency scanning (local-first, if enabled).
  • PII masking in logging (if enabled).
  • Feature flags and kill switches (if configured).

Required Deployment Controls

  • Enforce TLS and strong authentication.
  • Restrict outbound network egress to approved providers.
  • Store secrets in vaults or secret managers.
  • Enforce least privilege for service accounts.
  • Configure logging, monitoring, and alerting.
  • Establish incident response and rollback procedures.

Open Items (Must Be Filled Per Deployment)

  • Data flow diagrams and egress approval
  • Accepted data types (PII/PHI/PCI)
  • Third-party vendor risk review
  • Security testing coverage (SAST/DAST/penetration tests)
  • Compliance requirements (US, India)

Review Log

  • 2026-01-21: Baseline document created. Deployment-specific review pending.