Threat Model
Document Version: 1.0 Last Updated: January 6, 2026 Classification: Internal / Partner
Table of Contents
- Scope & Boundaries
- Threat Identification (STRIDE)
- Risk Assessment
- Mitigations
- Residual Risks
- References
Scope & Boundaries
The threat model covers the Fulcrum platform end‑to‑end, including: - Public API surface (gRPC & optional REST) - Dashboard UI (Next.js) and authentication via Clerk - Service‑to‑service communication (mTLS) - Data stores: PostgreSQL, TimescaleDB, Redis, NATS JetStream - Infrastructure components: Kubernetes/Docker, Prometheus, Grafana, Loki
Trust Zones
+-------------------+ +-------------------+ +-------------------+
| Internet | | Perimeter | | Internal Network |
| (Clients, Users) |-->| (TLS, Rate‑limit) |-->| (Docker/K8s) |
+-------------------+ +-------------------+ +-------------------+
Threat Identification (STRIDE)
| Category | Threat | Affected Component | Example |
|---|---|---|---|
| Spoofing | Credential theft | API keys, Clerk tokens | Stolen API key used to impersonate tenant |
| Tampering | Data manipulation | PostgreSQL, Redis | Unauthorized update of policy via missing RBAC |
| Repudiation | Lack of audit logs | All services | Missing trace for policy change |
| Information Disclosure | Sensitive data leak | Logs, Metrics | Logs expose secret keys in plaintext |
| Denial of Service | Resource exhaustion | NATS, Prometheus | Flood of events causing back‑pressure |
| Elevation of Privilege | Role escalation | RBAC enforcement | Tenant gains admin scope |
Risk Assessment
| Threat | Likelihood | Impact | Risk Rating |
|---|---|---|---|
| Stolen API key | Medium | High (data breach) | High |
| Unauthorized DB write | Low | High | Medium |
| Missing audit log | Low | Medium | Low |
| Log leakage | Low | Medium | Low |
| DDoS on NATS | Medium | Medium | Medium |
| RBAC bypass | Low | High | Medium |
Mitigations
- API Key Hashing – SHA‑256 stored, never plaintext (see
SECURITY_OVERVIEW). - Scope‑based RBAC – Enforced in middleware (
HasScope). - Row‑Level Security – PostgreSQL RLS isolates tenant data.
- Audit Logging – All policy evaluations logged with trace IDs.
- Rate Limiting – Redis‑backed token bucket per tenant.
- mTLS – Mutual TLS for internal services.
- Secret Management – Keys loaded from Vault/K8s secrets, not env files.
- Monitoring – Alerts for auth failures, rate‑limit violations.
Residual Risks
- Compromise of a privileged service account could bypass tenant isolation – mitigated by rotating service keys regularly.
- Zero‑day vulnerabilities in third‑party libraries – addressed by continuous scanning (see
SECURITY_OVERVIEW).
References
- OWASP Top 10 (2021)
- NIST SP 800‑53 controls
- Fulcrum
SECURITY_OVERVIEW.md - Fulcrum
ACCESS_CONTROL.md - Prometheus alerts for auth failures
Document version: 1.0 (January 6 2026)