add: threat model. docs: revision.

Author: Felipe Campos Penha

initiatives/genai_red_team_handbook/sandboxes/RAG_local/README.md

@@ -352,9 +352,12 @@ Opens at `http://localhost:7860` with a user-friendly chat UI.
 ```
 .
 ├── config/                   # Configuration files
+│   ├── client_config.toml   # Client settings
 │   ├── model.toml           # Model settings (default model, Ollama config)
 │   └── prompts.toml         # Test prompts for automated testing
-├── data/                     # Placeholder for document files
+├── data/                     # Data directory
+│   ├── chromadb/            # ChromaDB persistence
+│   └── documents/           # Document files
 ├── app/                      # FastAPI mock server package
 │   ├── __init__.py
 │   ├── main.py              # FastAPI entry point
@@ -363,14 +366,19 @@ Opens at `http://localhost:7860` with a user-friendly chat UI.
 │       ├── __init__.py
 │       ├── openai.py        # Mock OpenAI API using Ollama
 │       ├── pinecone.py      # Mock Pinecone API using ChromaDB
+│       ├── s3.py            # Mock S3 API
 │       └── README.md        # Guide for adding new mocks
 ├── client/                   # Client scripts
 │   ├── main.py              # Automated test runner
 │   └── gradio_app.py        # Web UI client
 ├── threat_model/            # Threat modeling artifacts
+│   ├── RAG_TM_diagram.json
+│   ├── RAG_TM_report.md
+│   └── RAG_TM_report.pdf
 ├── Containerfile            # Podman container definition
 ├── entrypoint.sh            # Container entrypoint script
 ├── Makefile                 # Developer commands
+├── packages.txt             # System packages
 ├── pyproject.toml           # uv project definition
 ├── uv.lock                  # Lock file generated by uv
 └── README.md                # This file

initiatives/genai_red_team_handbook/sandboxes/llm_local/README.md

@@ -89,6 +89,11 @@ graph LR
 - **Application Server** → Containerized mock API (instead of cloud deployment)
 - **External Services** → Local Ollama + model (instead of cloud LLM/VectorDB)
 
+## Threat Modeling
+The threat model for this RAG architecture is available in the `threat_model/` directory. It includes:
+- **Diagram**: `RAG_TM_diagram.json` (ThreatCanvas compatible)
+- **Report**: `RAG_TM_report.md` and `RAG_TM_report.pdf`
+
 ## Prerequisites
 - **Python 3.10** (or newer, but <3.11)
 - **uv** – Python package manager (`pip install uv` if not already installed)
@@ -247,6 +252,7 @@ Opens at `http://localhost:7860` with a user-friendly chat UI.
 ```
 .
 ├── config/                   # Configuration files
+│   ├── client_config.toml   # Client settings
 │   ├── model.toml           # Model settings (default model, Ollama config)
 │   └── prompts.toml         # Test prompts for automated testing
 ├── data/                     # Placeholder for document files
@@ -261,9 +267,13 @@ Opens at `http://localhost:7860` with a user-friendly chat UI.
 │   ├── main.py              # Automated test runner
 │   └── gradio_app.py        # Web UI client
 ├── threat_model/            # Threat modeling artifacts
+│   ├── LLM_TM_diagram.json
+│   ├── LLM_TM_report.md
+│   └── LLM_TM_report.pdf
 ├── Containerfile            # Podman container definition
 ├── entrypoint.sh            # Container entrypoint script
 ├── Makefile                 # Developer commands
+├── packages.txt             # System packages
 ├── pyproject.toml           # uv project definition
 ├── uv.lock                  # Lock file generated by uv
 └── README.md                # This file

initiatives/genai_red_team_handbook/sandboxes/llm_local/threat_model/LLM_TM_diagram.json

@@ -0,0 +1 @@
+{"version":5,"meta":{"description":"","generalNotes":"","projectType":"web","riskTemplates":["OWASP Top 10"],"selectedRiskTemplates":{"OWASP Top 10":true},"riskModifiers":{"paymentData":false,"personalData":false,"healthData":false,"missionCritical":false,"internetFacing":false}},"nodes":[{"id":"n1","label":"Client Application","notes":"","outOfScope":false,"componentId":3,"trustBoundary":"t1","threats":[{"id":4259,"notes":"","status":"Open","rationale":"","riskRating":2,"controls":[{"id":4197,"notes":"","implemented":false,"rationale":""},{"id":4313,"notes":"","implemented":false,"rationale":""},{"id":3467,"notes":"","implemented":false,"rationale":""}]},{"id":3431,"notes":"","status":"Open","rationale":"","riskRating":2,"controls":[{"id":3477,"notes":"","implemented":false,"rationale":""}]},{"id":4233,"notes":"","status":"Open","rationale":"","riskRating":2,"controls":[{"id":4273,"notes":"","implemented":false,"rationale":""},{"id":4312,"notes":"","implemented":false,"rationale":""},{"id":4281,"notes":"","implemented":false,"rationale":""}]},{"id":4237,"notes":"","status":"Open","rationale":"","riskRating":3,"controls":[{"id":4276,"notes":"","implemented":false,"rationale":""},{"id":4269,"notes":"","implemented":false,"rationale":""}]},{"id":4243,"notes":"","status":"Open","rationale":"","riskRating":2,"controls":[{"id":4270,"notes":"","implemented":false,"rationale":""},{"id":4287,"notes":"","implemented":false,"rationale":""}]},{"id":3418,"notes":"","status":"Open","rationale":"","riskRating":2,"controls":[{"id":3452,"notes":"","implemented":false,"rationale":""},{"id":3459,"notes":"","implemented":false,"rationale":""},{"id":4057,"notes":"","implemented":false,"rationale":""}]}],"position":[86.733347577279,-262.81003707553236]},{"id":"n2","label":"LLM API Gateway","notes":"","outOfScope":false,"componentId":3,"trustBoundary":"t2","threats":[{"id":4233,"notes":"","status":"Open","rationale":"","riskRating":2,"controls":[{"id":4273,"notes":"","implemented":false,"rationale":""},{"id":4312,"notes":"","implemented":false,"rationale":""},{"id":4281,"notes":"","implemented":false,"rationale":""}]},{"id":4237,"notes":"","status":"Open","rationale":"","riskRating":3,"controls":[{"id":4276,"notes":"","implemented":false,"rationale":""},{"id":4269,"notes":"","implemented":false,"rationale":""}]},{"id":4243,"notes":"","status":"Open","rationale":"","riskRating":2,"controls":[{"id":4270,"notes":"","implemented":false,"rationale":""},{"id":4287,"notes":"","implemented":false,"rationale":""}]},{"id":4245,"notes":"","status":"Open","rationale":"","riskRating":3,"controls":[{"id":4021,"notes":"","implemented":false,"rationale":""},{"id":3468,"notes":"","implemented":false,"rationale":""},{"id":3451,"notes":"","implemented":false,"rationale":""},{"id":3473,"notes":"","implemented":false,"rationale":""},{"id":4291,"notes":"","implemented":false,"rationale":""}]},{"id":4249,"notes":"","status":"Open","rationale":"","riskRating":3,"controls":[{"id":3471,"notes":"","implemented":false,"rationale":""},{"id":3460,"notes":"","implemented":false,"rationale":""}]},{"id":3418,"notes":"","status":"Open","rationale":"","riskRating":2,"controls":[{"id":3452,"notes":"","implemented":false,"rationale":""},{"id":3459,"notes":"","implemented":false,"rationale":""},{"id":4057,"notes":"","implemented":false,"rationale":""}]},{"id":4254,"notes":"","status":"Open","rationale":"","riskRating":3,"controls":[{"id":4058,"notes":"","implemented":false,"rationale":""},{"id":4056,"notes":"","implemented":false,"rationale":""},{"id":3465,"notes":"","implemented":false,"rationale":""},{"id":4272,"notes":"","implemented":false,"rationale":""}]},{"id":4259,"notes":"","status":"Open","rationale":"","riskRating":2,"controls":[{"id":4197,"notes":"","implemented":false,"rationale":""},{"id":4313,"notes":"","implemented":false,"rationale":""},{"id":3467,"notes":"","implemented":false,"rationale":""}]},{"id":3428,"notes":"","status":"Open","rationale":"","riskRating":1,"controls":[{"id":3479,"notes":"","implemented":false,"rationale":""}]},{"id":3431,"notes":"","status":"Open","rationale":"","riskRating":2,"controls":[{"id":3477,"notes":"","implemented":false,"rationale":""}]},{"id":3443,"notes":"","status":"Open","rationale":"","riskRating":2,"controls":[{"id":3460,"notes":"","implemented":false,"rationale":""}]}],"position":[-5.5227265793002545,-36.5197770143488]},{"id":"n3","label":"Application Logic","notes":"","outOfScope":false,"componentId":3,"trustBoundary":"t2","threats":[{"id":4233,"notes":"","status":"Open","rationale":"","riskRating":2,"controls":[{"id":4273,"notes":"","implemented":false,"rationale":""},{"id":4312,"notes":"","implemented":false,"rationale":""},{"id":4281,"notes":"","implemented":false,"rationale":""}]},{"id":4237,"notes":"","status":"Open","rationale":"","riskRating":3,"controls":[{"id":4276,"notes":"","implemented":false,"rationale":""},{"id":4269,"notes":"","implemented":false,"rationale":""}]},{"id":4243,"notes":"","status":"Open","rationale":"","riskRating":2,"controls":[{"id":4270,"notes":"","implemented":false,"rationale":""},{"id":4287,"notes":"","implemented":false,"rationale":""}]},{"id":4245,"notes":"","status":"Open","rationale":"","riskRating":3,"controls":[{"id":4021,"notes":"","implemented":false,"rationale":""},{"id":3468,"notes":"","implemented":false,"rationale":""},{"id":3451,"notes":"","implemented":false,"rationale":""},{"id":3473,"notes":"","implemented":false,"rationale":""},{"id":4291,"notes":"","implemented":false,"rationale":""}]},{"id":3418,"notes":"","status":"Open","rationale":"","riskRating":2,"controls":[{"id":3452,"notes":"","implemented":false,"rationale":""},{"id":3459,"notes":"","implemented":false,"rationale":""},{"id":4057,"notes":"","implemented":false,"rationale":""}]},{"id":4254,"notes":"","status":"Open","rationale":"","riskRating":3,"controls":[{"id":4058,"notes":"","implemented":false,"rationale":""},{"id":4056,"notes":"","implemented":false,"rationale":""},{"id":3465,"notes":"","implemented":false,"rationale":""},{"id":4272,"notes":"","implemented":false,"rationale":""}]},{"id":4259,"notes":"","status":"Open","rationale":"","riskRating":2,"controls":[{"id":4197,"notes":"","implemented":false,"rationale":""},{"id":4313,"notes":"","implemented":false,"rationale":""},{"id":3467,"notes":"","implemented":false,"rationale":""}]},{"id":3428,"notes":"","status":"Open","rationale":"","riskRating":1,"controls":[{"id":3479,"notes":"","implemented":false,"rationale":""}]},{"id":3431,"notes":"","status":"Open","rationale":"","riskRating":2,"controls":[{"id":3477,"notes":"","implemented":false,"rationale":""}]}],"position":[176.5574377861043,133.524939916715]},{"id":"n4","label":"Language Model Service","notes":"","outOfScope":false,"componentId":3,"trustBoundary":"t3","threats":[{"id":4233,"notes":"","status":"Open","rationale":"","riskRating":2,"controls":[{"id":4273,"notes":"","implemented":false,"rationale":""},{"id":4312,"notes":"","implemented":false,"rationale":""},{"id":4281,"notes":"","implemented":false,"rationale":""}]},{"id":4237,"notes":"","status":"Open","rationale":"","riskRating":3,"controls":[{"id":4276,"notes":"","implemented":false,"rationale":""},{"id":4269,"notes":"","implemented":false,"rationale":""}]},{"id":4243,"notes":"","status":"Open","rationale":"","riskRating":2,"controls":[{"id":4270,"notes":"","implemented":false,"rationale":""},{"id":4287,"notes":"","implemented":false,"rationale":""}]},{"id":4245,"notes":"","status":"Open","rationale":"","riskRating":3,"controls":[{"id":4021,"notes":"","implemented":false,"rationale":""},{"id":3468,"notes":"","implemented":false,"rationale":""},{"id":3451,"notes":"","implemented":false,"rationale":""},{"id":3473,"notes":"","implemented":false,"rationale":""},{"id":4291,"notes":"","implemented":false,"rationale":""}]},{"id":4249,"notes":"","status":"Open","rationale":"","riskRating":3,"controls":[{"id":3471,"notes":"","implemented":false,"rationale":""},{"id":3460,"notes":"","implemented":false,"rationale":""}]},{"id":3418,"notes":"","status":"Open","rationale":"","riskRating":2,"controls":[{"id":3452,"notes":"","implemented":false,"rationale":""},{"id":3459,"notes":"","implemented":false,"rationale":""},{"id":4057,"notes":"","implemented":false,"rationale":""}]},{"id":4254,"notes":"","status":"Open","rationale":"","riskRating":3,"controls":[{"id":4058,"notes":"","implemented":false,"rationale":""},{"id":4056,"notes":"","implemented":false,"rationale":""},{"id":3465,"notes":"","implemented":false,"rationale":""},{"id":4272,"notes":"","implemented":false,"rationale":""}]},{"id":4259,"notes":"","status":"Open","rationale":"","riskRating":2,"controls":[{"id":4197,"notes":"","implemented":false,"rationale":""},{"id":4313,"notes":"","implemented":false,"rationale":""},{"id":3467,"notes":"","implemented":false,"rationale":""}]},{"id":3428,"notes":"","status":"Open","rationale":"","riskRating":1,"controls":[{"id":3479,"notes":"","implemented":false,"rationale":""}]},{"id":3431,"notes":"","status":"Open","rationale":"","riskRating":2,"controls":[{"id":3477,"notes":"","implemented":false,"rationale":""}]},{"id":3443,"notes":"","status":"Open","rationale":"","riskRating":2,"controls":[{"id":3460,"notes":"","implemented":false,"rationale":""}]}],"position":[86.73334757727902,359.81522621078693]}],"links":[{"id":"l1","from":"n1","to":"n2","label":"HTTPS","twoWay":true},{"id":"l2","from":"n2","to":"n3","label":"","twoWay":true},{"id":"l3","from":"n3","to":"n4","label":"API Call","twoWay":true}],"trustBoundaries":[{"id":"t1","label":"Client Environment"},{"id":"t2","label":"Application Server"},{"id":"t3","label":"External Services"}]}