{
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
"version": "2.1.0",
"runs": [
{
"tool": {
"driver": {
"name": "Tachi",
"semanticVersion": "1.1",
"informationUri": "https://github.com/tachi-org/tachi",
"supportedTaxonomies": [
{ "name": "OWASP", "index": 0 },
{ "name": "CWE", "index": 1 }
],
"rules": [
{
"id": "tachi/stride/spoofing",
"shortDescription": { "text": "Identity spoofing threats" },
"fullDescription": { "text": "Detects threats where an attacker assumes the identity of another entity - user, service, or system component. Spoofing undermines authentication guarantees, enabling adversarial actions under a trusted identity." },
"help": {
"text": "Review authentication mechanisms, token validation, mutual TLS configuration, and service identity verification for all entry points and inter-service communication channels.",
"markdown": "**Detection Guidance**\n\n- Review authentication mechanisms on all entry points\n- Verify mutual TLS for inter-service communication\n- Check token binding and session management\n\n**Framework References**\n- [OWASP A07:2021 - Identification and Authentication Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\n- [CWE-287: Improper Authentication](https://cwe.mitre.org/data/definitions/287.html)\n- MITRE ATT&CK T1078: Valid Accounts"
},
"properties": {
"tags": ["security", "stride", "spoofing", "authentication", "owasp", "cwe"],
"security-severity": "9.0"
},
"relationships": [
{
"target": { "id": "A07", "toolComponent": { "name": "OWASP" } },
"kinds": ["relevant"]
},
{
"target": { "id": "CWE-287", "toolComponent": { "name": "CWE" } },
"kinds": ["relevant"]
}
]
},
{
"id": "tachi/stride/tampering",
"shortDescription": { "text": "Data tampering threats" },
"fullDescription": { "text": "Detects threats where an attacker modifies data, code, or configuration without authorization. Tampering violates integrity guarantees, causing systems to operate on corrupted inputs or persist falsified records." },
"help": {
"text": "Review input validation, data integrity checks, HMAC signatures on inter-service messages, and write access controls on data stores.",
"markdown": "**Detection Guidance**\n\n- Review input validation on all write paths\n- Verify integrity checks (HMAC, signatures) on inter-service messages\n- Check write access controls on data stores\n\n**Framework References**\n- [OWASP A08:2021 - Software and Data Integrity Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/)\n- [CWE-345: Insufficient Verification of Data Authenticity](https://cwe.mitre.org/data/definitions/345.html)\n- MITRE ATT&CK T1565: Data Manipulation"
},
"properties": {
"tags": ["security", "stride", "tampering", "data-integrity", "owasp", "cwe"],
"security-severity": "9.0"
},
"relationships": [
{
"target": { "id": "A08", "toolComponent": { "name": "OWASP" } },
"kinds": ["relevant"]
},
{
"target": { "id": "CWE-345", "toolComponent": { "name": "CWE" } },
"kinds": ["relevant"]
}
]
},
{
"id": "tachi/stride/repudiation",
"shortDescription": { "text": "Repudiation threats" },
"fullDescription": { "text": "Detects threats where a user or system can deny having performed an action, and the system lacks sufficient evidence to prove otherwise. Repudiation failures undermine accountability and forensic investigation." },
"help": {
"text": "Review audit logging coverage, log integrity protection, non-repudiation controls, and timestamp synchronization across services.",
"markdown": "**Detection Guidance**\n\n- Review audit logging for security-sensitive operations\n- Verify log integrity protection (append-only, cryptographic chaining)\n- Check non-repudiation controls on critical actions\n\n**Framework References**\n- [OWASP A09:2021 - Security Logging and Monitoring Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/)\n- [CWE-778: Insufficient Logging](https://cwe.mitre.org/data/definitions/778.html)\n- MITRE ATT&CK T1070: Indicator Removal"
},
"properties": {
"tags": ["security", "stride", "repudiation", "logging", "accountability", "owasp", "cwe"],
"security-severity": "8.0"
},
"relationships": [
{
"target": { "id": "A09", "toolComponent": { "name": "OWASP" } },
"kinds": ["relevant"]
},
{
"target": { "id": "CWE-778", "toolComponent": { "name": "CWE" } },
"kinds": ["relevant"]
}
]
},
{
"id": "tachi/stride/information-disclosure",
"shortDescription": { "text": "Information disclosure threats" },
"fullDescription": { "text": "Detects threats where sensitive information is exposed to unauthorized parties through direct data leaks, verbose error messages, side-channel observations, or insufficient access controls on stored data." },
"help": {
"text": "Review error handling, API response schemas, data-at-rest encryption, field-level access controls, and log data classification.",
"markdown": "**Detection Guidance**\n\n- Review error messages for sensitive data exposure\n- Verify field-level projection on API responses\n- Check data-at-rest encryption and access controls\n\n**Framework References**\n- [OWASP A01:2021 - Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n- [CWE-200: Exposure of Sensitive Information](https://cwe.mitre.org/data/definitions/200.html)\n- MITRE ATT&CK T1005: Data from Local System"
},
"properties": {
"tags": ["security", "stride", "information-disclosure", "data-exposure", "owasp", "cwe"],
"security-severity": "8.0"
},
"relationships": [
{
"target": { "id": "A01", "toolComponent": { "name": "OWASP" } },
"kinds": ["relevant"]
},
{
"target": { "id": "CWE-200", "toolComponent": { "name": "CWE" } },
"kinds": ["relevant"]
}
]
},
{
"id": "tachi/stride/denial-of-service",
"shortDescription": { "text": "Denial of service threats" },
"fullDescription": { "text": "Detects threats where an attacker degrades or eliminates system availability through resource exhaustion, flooding, algorithmic complexity exploitation, or cascading dependency failures." },
"help": {
"text": "Review rate limiting, request size caps, timeout configurations, connection pool limits, and circuit breaker implementations.",
"markdown": "**Detection Guidance**\n\n- Review rate limiting on all public endpoints\n- Verify request size caps and timeout configurations\n- Check circuit breaker implementations for external dependencies\n\n**Framework References**\n- [OWASP A05:2021 - Security Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration/)\n- [CWE-400: Uncontrolled Resource Consumption](https://cwe.mitre.org/data/definitions/400.html)\n- MITRE ATT&CK T1499: Endpoint Denial of Service"
},
"properties": {
"tags": ["security", "stride", "denial-of-service", "availability", "owasp", "cwe"],
"security-severity": "9.0"
},
"relationships": [
{
"target": { "id": "A05", "toolComponent": { "name": "OWASP" } },
"kinds": ["relevant"]
},
{
"target": { "id": "CWE-400", "toolComponent": { "name": "CWE" } },
"kinds": ["relevant"]
}
]
},
{
"id": "tachi/stride/elevation-of-privilege",
"shortDescription": { "text": "Privilege escalation threats" },
"fullDescription": { "text": "Detects threats where an attacker gains higher privileges than authorized, performing actions reserved for administrators, accessing other users' resources, or bypassing access control boundaries." },
"help": {
"text": "Review authorization checks on all endpoints, RBAC enforcement, tool-level permission manifests, and network-level access restrictions.",
"markdown": "**Detection Guidance**\n\n- Review authorization checks on all API endpoints\n- Verify RBAC enforcement on tool dispatch\n- Check network policies restricting inter-service access\n\n**Framework References**\n- [OWASP A01:2021 - Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n- [CWE-269: Improper Privilege Management](https://cwe.mitre.org/data/definitions/269.html)\n- MITRE ATT&CK T1548: Abuse Elevation Control Mechanism"
},
"properties": {
"tags": ["security", "stride", "elevation-of-privilege", "access-control", "owasp", "cwe"],
"security-severity": "9.0"
},
"relationships": [
{
"target": { "id": "A01", "toolComponent": { "name": "OWASP" } },
"kinds": ["relevant"]
},
{
"target": { "id": "CWE-269", "toolComponent": { "name": "CWE" } },
"kinds": ["relevant"]
}
]
},
{
"id": "tachi/ai/agentic-threats",
"shortDescription": { "text": "AI agent autonomy and misuse threats" },
"fullDescription": { "text": "Detects threats from autonomous agent systems operating with insufficient constraints on decision-making, action scope, or operational boundaries, and from agentic tool invocation abuse including unauthorized access and capability escalation." },
"help": {
"text": "Review agent autonomy constraints, human-in-the-loop checkpoints, tool capability scoping, and cross-tool policy enforcement.",
"markdown": "**Detection Guidance**\n\n- Review agent termination constraints (iteration limits, timeouts, cost caps)\n- Verify human-in-the-loop checkpoints for consequential actions\n- Check per-agent tool capability scoping\n- Validate cross-tool policy evaluation for composite effects\n\n**Framework References**\n- [OWASP Agentic Security Initiative (ASI)](https://owasp.org/www-project-agentic-security-initiative/)\n- [MCP Security Advisories](https://modelcontextprotocol.io/security)\n- MITRE ATLAS: Abuse of AI Agent Capabilities"
},
"properties": {
"tags": ["security", "ai", "agentic", "autonomy", "tool-use", "mcp"],
"security-severity": "9.0"
},
"relationships": [
{
"target": { "id": "CWE-693", "toolComponent": { "name": "CWE" } },
"kinds": ["relevant"]
}
]
},
{
"id": "tachi/ai/llm-threats",
"shortDescription": { "text": "LLM-specific threats" },
"fullDescription": { "text": "Detects prompt injection vulnerabilities, data poisoning risks, and model theft threats in LLM-integrated components, covering direct and indirect injection, RAG pipeline manipulation, and model extraction." },
"help": {
"text": "Review prompt template structure, input classifiers, RAG pipeline content validation, model API output restrictions, and query monitoring.",
"markdown": "**Detection Guidance**\n\n- Review prompt template boundary enforcement\n- Verify input classifiers for adversarial prompt detection\n- Check RAG pipeline content sanitization\n- Validate model API output restrictions and query monitoring\n\n**Framework References**\n- [OWASP LLM Top 10 v2025](https://genai.owasp.org/)\n- [OWASP LLM01:2025 - Prompt Injection](https://genai.owasp.org/llmrisk/llm01-prompt-injection/)\n- [OWASP LLM03:2025 - Supply Chain Vulnerabilities](https://genai.owasp.org/llmrisk/llm03-supply-chain-vulnerabilities/)\n- MITRE ATLAS: LLM Prompt Injection (AML.T0051)"
},
"properties": {
"tags": ["security", "ai", "llm", "prompt-injection", "data-poisoning", "model-theft"],
"security-severity": "9.0"
},
"relationships": [
{
"target": { "id": "CWE-74", "toolComponent": { "name": "CWE" } },
"kinds": ["relevant"]
}
]
}
]
}
},
"taxonomies": [
{
"name": "OWASP",
"version": "2021",
"informationUri": "https://owasp.org/Top10/",
"organization": "OWASP Foundation",
"shortDescription": { "text": "OWASP Top 10 Web Application Security Risks" }
},
{
"name": "CWE",
"version": "4.13",
"informationUri": "https://cwe.mitre.org/",
"organization": "MITRE",
"shortDescription": { "text": "Common Weakness Enumeration" }
}
],
"results": [
{
"ruleId": "tachi/stride/spoofing",
"message": {
"text": "Attacker may impersonate a legitimate user by replaying or forging authentication credentials when submitting prompts to the Guardrails Service, because user identity verification relies solely on bearer tokens without binding to client context.",
"markdown": "Implement token binding using DPoP (Demonstrating Proof-of-Possession) or certificate-bound access tokens; enforce session binding to client fingerprint (IP range, user-agent, TLS session); require MFA for sensitive operations; set short token lifetimes (15 minutes) with rotation."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "User", "fullyQualifiedName": "User Zone/User", "kind": "external-entity" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "cf294989f8e17183",
"findingId/v1": "S-1"
}
},
{
"ruleId": "tachi/stride/spoofing",
"message": {
"text": "Attacker may bypass the Guardrails Service by directly accessing the LLM Agent Orchestrator endpoint, impersonating the Guardrails Service identity, because inter-service authentication is not enforced.",
"markdown": "Enforce mutual TLS (mTLS) between Guardrails Service and LLM Agent Orchestrator; validate service identity claims using signed JWTs with audience restriction; reject requests to the Orchestrator that do not originate from an authenticated Guardrails Service instance."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "Guardrails Service", "fullyQualifiedName": "Application Zone/Guardrails Service", "kind": "process" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "3bab618930c304c5",
"findingId/v1": "S-2"
}
},
{
"ruleId": "tachi/stride/spoofing",
"message": {
"text": "Attacker may forge tool call requests to the MCP Tool Server by impersonating the LLM Agent Orchestrator, because the JSON-RPC channel lacks mutual authentication.",
"markdown": "Implement mutual TLS (mTLS) with certificate pinning between the LLM Agent Orchestrator and MCP Tool Server; sign all JSON-RPC requests with a per-session HMAC key; validate caller identity on every tool call before dispatch."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "LLM Agent Orchestrator", "fullyQualifiedName": "Application Zone/LLM Agent Orchestrator", "kind": "process" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "86044d702033aaaa",
"findingId/v1": "S-3"
}
},
{
"ruleId": "tachi/stride/spoofing",
"message": {
"text": "Attacker may redirect MCP Tool Server outbound API requests to an attacker-controlled endpoint by spoofing DNS responses, because certificate pinning is not enforced on outbound HTTPS connections.",
"markdown": "Implement TLS certificate pinning for all outbound connections to the External API; validate DNS responses using DNSSEC; configure strict certificate chain verification; monitor for unexpected certificate changes."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "MCP Tool Server", "fullyQualifiedName": "Application Zone/MCP Tool Server", "kind": "process" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "a5e9eb30090af448",
"findingId/v1": "S-4"
}
},
{
"ruleId": "tachi/stride/tampering",
"message": {
"text": "Attacker may modify Guardrails Service validation rules at runtime, because configuration files are stored in a location writable by the application process without integrity verification.",
"markdown": "Store Guardrails validation rules in an immutable configuration store with cryptographic integrity verification (SHA-256 checksums); enforce read-only filesystem mounts for configuration; implement change detection alerts."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "Guardrails Service", "fullyQualifiedName": "Application Zone/Guardrails Service", "kind": "process" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "e6bc538cbd3fe085",
"findingId/v1": "T-1"
}
},
{
"ruleId": "tachi/stride/tampering",
"message": {
"text": "Attacker may inject malicious content into the prompt context by tampering with the data flow between the Guardrails Service and the Orchestrator, because the validated prompt is not integrity-protected in transit.",
"markdown": "Sign validated prompts with an HMAC before forwarding from Guardrails Service to Orchestrator; verify signature on receipt; reject prompts with invalid or missing signatures; encrypt the inter-service channel with TLS."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "LLM Agent Orchestrator", "fullyQualifiedName": "Application Zone/LLM Agent Orchestrator", "kind": "process" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "b622281d4ca868aa",
"findingId/v1": "T-2"
}
},
{
"ruleId": "tachi/stride/tampering",
"message": {
"text": "Attacker may manipulate JSON-RPC tool call parameters in transit, injecting malicious payloads such as SQL fragments or shell commands into tool arguments, because parameter integrity is not verified at the tool server boundary.",
"markdown": "Implement strict JSON schema validation on all incoming tool call parameters at the MCP Tool Server; enforce parameterized queries and command sanitization; sign JSON-RPC payloads with HMAC at the Orchestrator and verify at the Tool Server."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "MCP Tool Server", "fullyQualifiedName": "Application Zone/MCP Tool Server", "kind": "process" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "e4c35caf60102681",
"findingId/v1": "T-3"
}
},
{
"ruleId": "tachi/stride/tampering",
"message": {
"text": "Attacker may inject malicious content into the Knowledge Base via the orchestrator's data ingestion path, because input sanitization is not enforced before persisting data to the vector store.",
"markdown": "Implement content validation and sanitization on all write operations to the Knowledge Base; enforce allowlist-based content filtering; apply integrity checksums (SHA-256) on stored records; restrict write access to an authorized ingestion pipeline."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "Knowledge Base", "fullyQualifiedName": "Application Zone/Knowledge Base", "kind": "data-store" }
]
}
],
"relatedLocations": [
{
"id": 0,
"message": { "text": "LLM-2: Indirect prompt injection via adversarial content in Knowledge Base during RAG retrieval" },
"logicalLocations": [
{ "name": "LLM Agent Orchestrator", "fullyQualifiedName": "Application Zone/LLM Agent Orchestrator", "kind": "process" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "4f934bf44aadfb00",
"findingId/v1": "T-4",
"correlationGroup": "CG-1"
}
},
{
"ruleId": "tachi/stride/tampering",
"message": {
"text": "Attacker may modify or delete audit log entries to cover tracks after a security incident, because the Audit Logger stores logs in a location writable by application processes.",
"markdown": "Deploy the Audit Logger as an append-only, immutable log store; separate write permissions from read/admin permissions; forward logs to an external SIEM within 60 seconds; implement cryptographic chaining to detect tampering."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "Audit Logger", "fullyQualifiedName": "Application Zone/Audit Logger", "kind": "data-store" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "dc56897bffa6a276",
"findingId/v1": "T-5"
}
},
{
"ruleId": "tachi/stride/repudiation",
"message": {
"text": "User may deny having submitted a specific prompt that triggered a harmful response, because the system does not capture non-repudiable evidence linking authenticated identity to the submission.",
"markdown": "Implement non-repudiation controls: capture authenticated user ID, session ID, client IP, timestamp (UTC, sub-second precision), and cryptographic hash of the submitted prompt in an immutable audit record."
},
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "User", "fullyQualifiedName": "User Zone/User", "kind": "external-entity" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "5a808890b239b615",
"findingId/v1": "R-1"
}
},
{
"ruleId": "tachi/stride/repudiation",
"message": {
"text": "Guardrails Service may fail to log rejected prompts with sufficient detail to reconstruct filtering decisions, enabling disputes about legitimate prompts being incorrectly blocked.",
"markdown": "Instrument the Guardrails Service to emit structured audit events for every filtering decision: include request correlation ID, authenticated user ID, original prompt hash, matched filter rule ID, confidence score, action taken, and UTC timestamp."
},
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "Guardrails Service", "fullyQualifiedName": "Application Zone/Guardrails Service", "kind": "process" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "ada85cea3b936bf4",
"findingId/v1": "R-2"
}
},
{
"ruleId": "tachi/stride/repudiation",
"message": {
"text": "LLM Agent Orchestrator may execute tool calls and generate responses without logging the full decision chain, enabling denial of specific actions.",
"markdown": "Instrument the Orchestrator to emit structured decision audit events: record authenticated user ID, session ID, input prompt hash, model reasoning trace, the details of each tool call, final response hash, and UTC timestamp."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "LLM Agent Orchestrator", "fullyQualifiedName": "Application Zone/LLM Agent Orchestrator", "kind": "process" }
]
}
],
"relatedLocations": [
{
"id": 0,
"message": { "text": "AG-2: Orchestrator operates in unbounded reasoning loop without termination constraints" },
"logicalLocations": [
{ "name": "LLM Agent Orchestrator", "fullyQualifiedName": "Application Zone/LLM Agent Orchestrator", "kind": "process" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "1bad83b9f1d04f2f",
"findingId/v1": "R-3",
"correlationGroup": "CG-3"
}
},
{
"ruleId": "tachi/stride/repudiation",
"message": {
"text": "MCP Tool Server may execute tool operations without recording the requesting orchestrator context, preventing forensic attribution to specific user requests.",
"markdown": "Log every tool execution with: requesting orchestrator session ID, originating user ID, tool name, input parameters, execution duration, response status, External API endpoint called, and UTC timestamp."
},
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "MCP Tool Server", "fullyQualifiedName": "Application Zone/MCP Tool Server", "kind": "process" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "c3bdb0ccc5a46449",
"findingId/v1": "R-4"
}
},
{
"ruleId": "tachi/stride/repudiation",
"message": {
"text": "External API interactions may lack correlation identifiers that link API calls back to the originating user request, creating accountability gaps.",
"markdown": "Include a unique request correlation ID in all External API calls (via HTTP header); log the correlation ID alongside the originating user request ID."
},
"level": "note",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "External API", "fullyQualifiedName": "External Services/External API", "kind": "external-entity" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "af01fd610f22994d",
"findingId/v1": "R-5"
}
},
{
"ruleId": "tachi/stride/information-disclosure",
"message": {
"text": "Guardrails Service may return detailed rejection reasons revealing internal filtering rules, enabling attackers to craft prompts that evade detection.",
"markdown": "Return generic rejection messages to users without exposing filter rule details; log detailed rejection reasons only to the internal Audit Logger; implement separate user-facing and internal-facing error response schemas."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "Guardrails Service", "fullyQualifiedName": "Application Zone/Guardrails Service", "kind": "process" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "2b7cc5858485093d",
"findingId/v1": "I-1"
}
},
{
"ruleId": "tachi/stride/information-disclosure",
"message": {
"text": "LLM Agent Orchestrator may leak sensitive internal state through verbose error messages, exposing service topology, Knowledge Base schema, or model configuration.",
"markdown": "Implement standardized error responses that strip internal details; return generic error codes to users; route detailed error information to internal monitoring only."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "LLM Agent Orchestrator", "fullyQualifiedName": "Application Zone/LLM Agent Orchestrator", "kind": "process" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "cda734dd6fbe58e9",
"findingId/v1": "I-2"
}
},
{
"ruleId": "tachi/stride/information-disclosure",
"message": {
"text": "MCP Tool Server may forward raw External API error responses without sanitization, potentially exposing third-party API keys or internal endpoint URLs.",
"markdown": "Sanitize all External API responses before returning to the Orchestrator; strip authentication headers, internal URLs, and API keys from error payloads; implement an error response allowlist."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "MCP Tool Server", "fullyQualifiedName": "Application Zone/MCP Tool Server", "kind": "process" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "6c078f5b90987fc2",
"findingId/v1": "I-3"
}
},
{
"ruleId": "tachi/stride/information-disclosure",
"message": {
"text": "Knowledge Base may return full document contents including internal metadata, embedding vectors, and storage schema details, because field-level projection is not enforced.",
"markdown": "Implement field-level projection on Knowledge Base query responses to return only content fields required by the Orchestrator; strip internal metadata, embedding vectors, and storage identifiers."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "Knowledge Base", "fullyQualifiedName": "Application Zone/Knowledge Base", "kind": "data-store" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "8a5dd9d4db40eaaf",
"findingId/v1": "I-4"
}
},
{
"ruleId": "tachi/stride/information-disclosure",
"message": {
"text": "Audit log entries may contain sensitive data including full prompt content, user PII, and API credentials, accessible to operations staff beyond the security team.",
"markdown": "Implement log data classification: redact API credentials and other secrets at the logging call site so they are never written to any log tier; separate the remaining sensitive fields (full prompt content, user PII) into a restricted log tier with strict access controls; apply PII masking or tokenization; enforce role-based access to audit logs."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "Audit Logger", "fullyQualifiedName": "Application Zone/Audit Logger", "kind": "data-store" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "bc274bb03ddf8fb7",
"findingId/v1": "I-5"
}
},
{
"ruleId": "tachi/stride/denial-of-service",
"message": {
"text": "Attacker may flood the Guardrails Service with high-volume prompt submissions to exhaust CPU on regex-based filtering, because no rate limiting or request size caps are enforced.",
"markdown": "Enforce per-client rate limiting at the API gateway layer; cap prompt input size at 4096 characters; implement request timeout at 10 seconds; use a linear-time (backtracking-free) regex engine or audit every filter pattern for catastrophic backtracking, since merely compiling a pattern does not make it ReDoS-safe; deploy auto-scaling with circuit breaker."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "Guardrails Service", "fullyQualifiedName": "Application Zone/Guardrails Service", "kind": "process" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "15c3f25289888c15",
"findingId/v1": "D-1"
}
},
{
"ruleId": "tachi/stride/denial-of-service",
"message": {
"text": "Attacker may send concurrent maximum-length prompts to exhaust LLM inference compute and memory, blocking legitimate requests.",
"markdown": "Enforce per-client rate limiting of 10 requests/minute; cap prompt input at 4096 tokens; configure request timeout at 30 seconds with circuit breaker; set memory limit at 1GB per worker."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "LLM Agent Orchestrator", "fullyQualifiedName": "Application Zone/LLM Agent Orchestrator", "kind": "process" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "76996bc32d9e361b",
"findingId/v1": "D-2"
}
},
{
"ruleId": "tachi/stride/denial-of-service",
"message": {
"text": "Attacker may trigger resource exhaustion on the MCP Tool Server through concurrent tool calls, because no concurrency cap is enforced.",
"markdown": "Enforce a maximum of 5 concurrent tool calls per user request; implement per-tool rate limiting; configure tool execution timeout at 15 seconds; deploy circuit breaker for external API calls."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "MCP Tool Server", "fullyQualifiedName": "Application Zone/MCP Tool Server", "kind": "process" }
]
}
],
"relatedLocations": [
{
"id": 0,
"message": { "text": "AG-4: Tool call chaining enables capability escalation beyond individual permissions" },
"logicalLocations": [
{ "name": "MCP Tool Server", "fullyQualifiedName": "Application Zone/MCP Tool Server", "kind": "process" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "ea4650776a79cded",
"findingId/v1": "D-3",
"correlationGroup": "CG-4"
}
},
{
"ruleId": "tachi/stride/denial-of-service",
"message": {
"text": "Attacker may exhaust Knowledge Base resources via unbounded vector search queries with adversarial high-dimensional inputs.",
"markdown": "Enforce maximum result count (top-k limit of 10) on all Knowledge Base queries; reject query vectors whose dimensionality does not match the index rather than accepting arbitrary sizes; implement query timeout at 5 seconds; deploy connection pool limits."
},
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "Knowledge Base", "fullyQualifiedName": "Application Zone/Knowledge Base", "kind": "data-store" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "0de917a8d1f81eec",
"findingId/v1": "D-4"
}
},
{
"ruleId": "tachi/stride/denial-of-service",
"message": {
"text": "Attacker may cause audit log storage exhaustion through rapid request submission, disrupting services that depend on log writing.",
"markdown": "Implement log volume throttling with per-source rate limits; set storage quotas with automatic rotation; deploy log sampling only for non-security telemetry during load spikes; security-relevant audit events must never be silently dropped, so apply backpressure or queueing and raise an alert when the quota is approached."
},
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "Audit Logger", "fullyQualifiedName": "Application Zone/Audit Logger", "kind": "data-store" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "53dcc0228ab127cd",
"findingId/v1": "D-5"
}
},
{
"ruleId": "tachi/stride/elevation-of-privilege",
"message": {
"text": "Attacker may bypass the Guardrails Service entirely via alternate route to the Orchestrator, because authorization is only enforced at the Guardrails layer.",
"markdown": "Implement defense-in-depth: enforce authorization checks at both the Guardrails Service and the Orchestrator; configure network policies so the Orchestrator accepts traffic only from the Guardrails Service; validate origin service identity (e.g. mTLS or signed service tokens) rather than trusting network position alone."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "Guardrails Service", "fullyQualifiedName": "Application Zone/Guardrails Service", "kind": "process" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "985d7f3b74246327",
"findingId/v1": "E-1"
}
},
{
"ruleId": "tachi/stride/elevation-of-privilege",
"message": {
"text": "Attacker may escalate from standard user to administrative capabilities by manipulating tool selection through prompt injection, because RBAC is not enforced on tool dispatch.",
"markdown": "Implement RBAC policy on tool dispatch: map each tool to required permissions; validate user role against tool permission manifest before dispatch; reject unauthorized invocations with 403; enforce least privilege."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "LLM Agent Orchestrator", "fullyQualifiedName": "Application Zone/LLM Agent Orchestrator", "kind": "process" }
]
}
],
"relatedLocations": [
{
"id": 0,
"message": { "text": "AG-1: Orchestrator executes consequential actions without human approval gates" },
"logicalLocations": [
{ "name": "LLM Agent Orchestrator", "fullyQualifiedName": "Application Zone/LLM Agent Orchestrator", "kind": "process" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "59650eea6f521b03",
"findingId/v1": "E-2",
"correlationGroup": "CG-2"
}
},
{
"ruleId": "tachi/stride/elevation-of-privilege",
"message": {
"text": "Authenticated user may invoke administrative tool endpoints by manipulating the tool_name parameter, because RBAC is not enforced on tool dispatch.",
"markdown": "Implement RBAC policy on the MCP Tool Server mapping each tool endpoint to required permissions; treat the client-supplied tool_name as untrusted input and resolve it against a server-side tool registry; validate caller role before dispatch; reject unauthorized invocations with 403."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "MCP Tool Server", "fullyQualifiedName": "Application Zone/MCP Tool Server", "kind": "process" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "0e2d607fa0b581c8",
"findingId/v1": "E-3"
}
},
{
"ruleId": "tachi/ai/agentic-threats",
"message": {
"text": "LLM Agent Orchestrator may execute consequential actions without human approval gates, because no risk-tier classification distinguishes reversible from irreversible operations.",
"markdown": "Classify operations into risk tiers: Tier 1 (read-only, auto-approve), Tier 2 (reversible writes, require confirmation), Tier 3 (irreversible external actions, require human approval with mandatory wait period)."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "LLM Agent Orchestrator", "fullyQualifiedName": "Application Zone/LLM Agent Orchestrator", "kind": "process" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "ddbc56d7cbc35a3f",
"findingId/v1": "AG-1"
}
},
{
"ruleId": "tachi/ai/agentic-threats",
"message": {
"text": "LLM Agent Orchestrator may operate in an unbounded reasoning loop without termination constraints, enabling indefinite resource consumption through ambiguous prompts.",
"markdown": "Implement mandatory termination constraints: maximum iteration count (25 iterations), execution timeout (5 minutes), and cumulative cost cap ($10 per request); add circuit breaker for repeated action patterns."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "LLM Agent Orchestrator", "fullyQualifiedName": "Application Zone/LLM Agent Orchestrator", "kind": "process" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "ddbc56d7cbc35a3f",
"findingId/v1": "AG-2"
}
},
{
"ruleId": "tachi/ai/agentic-threats",
"message": {
"text": "MCP Tool Server may expose all registered tools to every connected client without per-agent capability scoping, violating the principle of least privilege for tool access.",
"markdown": "Implement per-agent tool allowlists at the MCP Tool Server; enforce capability scoping based on originating user role; log all tool invocations with agent identity."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "MCP Tool Server", "fullyQualifiedName": "Application Zone/MCP Tool Server", "kind": "process" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "720c1c38843a2fe5",
"findingId/v1": "AG-3"
}
},
{
"ruleId": "tachi/ai/agentic-threats",
"message": {
"text": "Attacker may manipulate the MCP Tool Server to chain individually authorized tool calls to achieve data exfiltration that no single authorization would permit.",
"markdown": "Implement a tool chain policy engine evaluating composite effects; define forbidden tool combinations; require human approval for cross-boundary chains; enforce max chain depth of 3."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "MCP Tool Server", "fullyQualifiedName": "Application Zone/MCP Tool Server", "kind": "process" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "720c1c38843a2fe5",
"findingId/v1": "AG-4"
}
},
{
"ruleId": "tachi/ai/llm-threats",
"message": {
"text": "Attacker may submit adversarial prompts that override the Orchestrator's system prompt, bypassing safety constraints, because user input lacks structured boundary enforcement.",
"markdown": "Implement structured prompt templates with explicit delimiter tokens; deploy an input classifier for adversarial patterns; apply output filtering; implement canary tokens in system prompts. Treat these prompt-level controls as probabilistic defense in depth, not as an authorization boundary: safety-critical restrictions must also be enforced outside the model (tool RBAC, per-agent allowlists)."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},
"logicalLocations": [
{ "name": "LLM Agent Orchestrator", "fullyQualifiedName": "Application Zone/LLM Agent Orchestrator", "kind": "process" }
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "bc8145867ba52dd5",
"findingId/v1": "LLM-1"
}
},
{
"ruleId": "tachi/ai/llm-threats",
"message": {
"text": "Attacker may exploit the RAG pipeline by injecting adversarial content into the Knowledge Base that overrides system behavior during context retrieval (indirect prompt injection).",
"markdown": "Treat retrieved document content as untrusted data: wrap it in explicit data delimiters and sanitize it before injection into the prompt context; implement provenance tracking; apply content integrity checks on documents before indexing; restrict write access to the Knowledge Base ingestion path so only trusted sources can add or modify documents."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": "docs/security/2026-03-25T19-49-23/threats.md" },
"region": { "startLine": 1 }
},