# Security Threat Model (Baseline)

## Method
STRIDE-aligned baseline for the public-facing GPUaaS control plane.

## Assets
- User identity and access tokens
- Node access credentials and SSH materials
- Billing ledger and payment events
- Allocation and usage records
- Admin operations and audit trails

## Key Threats and Mitigations
### Spoofing
- Threat: token theft/session replay
- Controls: short-lived tokens, rotation, device/session anomaly checks

### Tampering
- Threat: modification of billing/ledger records
- Controls: immutable ledger entries, transactional writes, audit logs

### Repudiation
- Threat: admin action denial
- Controls: signed/immutable audit logs with actor and correlation IDs
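
The tamper-evident log named in the Tampering and Repudiation controls can be sketched as an HMAC hash chain. This is an added example, not code from this project. The field names, `SIGNING_KEY`, the `anchored_head` parameter and the sample entries are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumption: in production the key comes from the secret manager, never from source.
SIGNING_KEY = b"constructed-demo-key"
GENESIS = "0" * 64
FIELDS = ("seq", "ts", "actor", "action", "correlation_id")

def entry_mac(prev_mac, body):
    # Canonical JSON so the same entry always serializes to the same bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, prev_mac.encode() + data, hashlib.sha256).hexdigest()

def append_entry(log, actor, action, correlation_id, ts):
    """Append an entry whose MAC covers its body and the previous entry's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    body = {"seq": len(log), "ts": ts, "actor": actor,
            "action": action, "correlation_id": correlation_id}
    log.append(dict(body, prev=prev, mac=entry_mac(prev, body)))
    return log[-1]

def verify_chain(log, anchored_head=None):
    """Return (ok, index of the first bad entry or None).

    anchored_head is the last MAC stored outside the log (for example in a
    separate write-once store); without it, removing entries from the tail
    cannot be detected.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: entry[k] for k in FIELDS}
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i  # entry removed, reordered or spliced in
        if not hmac.compare_digest(entry["mac"], entry_mac(prev, body)):
            return False, i  # entry content was edited after the fact
        prev = entry["mac"]
    if anchored_head is not None and prev != anchored_head:
        return False, len(log)  # tail truncated
    return True, None

def build_sample_log():
    # Constructed sample data: three admin actions sharing correlation IDs.
    log = []
    append_entry(log, "admin:alice", "node.deprovision", "corr-001", "2024-01-01T10:00:00Z")
    append_entry(log, "admin:bob", "ledger.adjust", "corr-002", "2024-01-01T10:05:00Z")
    append_entry(log, "admin:alice", "role.grant", "corr-003", "2024-01-01T10:09:00Z")
    return log
```

Verification reports the first index at which the chain breaks, so an edited actor field, a deleted entry and a truncated tail each surface as a distinct failure position.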

### Information Disclosure
- Threat: secret leakage, over-broad API response
- Controls: secret manager, least-privilege data access, response minimization

### Denial of Service
- Threat: API abuse/websocket floods
- Controls: WAF, rate limits, backpressure, autoscaling thresholds

### Elevation of Privilege
- Threat: bypassing tenant/role checks
- Controls: centralized authorization policy enforcement + service-side checks

## Priority Threat Areas (MVP)
1. Payment/webhook replay and tampering
2. Provisioning privilege abuse
3. Multi-tenant data boundary leakage
4. Secret exfiltration via logs/config

