Threat model

This document is a self-driven threat model of the two components this repository ships: Cullis Mastio (mcp_proxy/), the per-organisation agent gateway, and the Cullis Python SDK (cullis_sdk/), the library agents link against to authenticate, make LLM calls, and call MCP tools through the gateway. It is written for security reviewers (CISO, blue-team architects, customer security engineering) who need to convince themselves that the component they are about to install on their infrastructure has been reasoned about adversarially, that the mitigations claimed are present in code, and that the residual risks are stated honestly.

It is not a substitute for a third-party penetration test. We intend to commission one once the first paying customer engagement funds it. Until then, this document plus the public /security-review output on every merged PR, the supply-chain attestations on every released artefact, and the audit-log hash chain that ships in the bundle are the artefacts we expect a reviewer to inspect.

Every claim in the per-component sections below has been cross-checked against the codebase by a verification pass on 2026-05-23. Where a stated mitigation is partial, aspirational, or implemented differently from the design intent, we say so explicitly inline (“on the roadmap”, “today: …”, “we do not currently …”) and list the corresponding gap in the open-items table at the end of the document. We would rather call out a real gap here than have a reviewer discover it.

Scope

In scope:

• Cullis Mastio (mcp_proxy/): FastAPI process that handles agent enrollment, DPoP-bound token issuance, the policy decision point (PDP), the MCP reverse proxy, the embedded AI gateway, and the append-only audit chain. Shipped as a Docker bundle (packaging/mastio-bundle/) and a Helm chart (deploy/helm/cullis-mastio/).
• Cullis SDK (cullis_sdk/): Python client used by an agent process to authenticate (from_identity_dir, login_via_proxy, login_via_proxy_with_local_key), call LLMs through the gateway (chat_completion, chat_completion_stream), and call MCP tools through the proxy (list_mcp_tools, call_mcp_tool).

Out of scope (treated as trust assumptions, see below):

• The operating system and container runtime hosting the bundle.
• The TLS PKI used to terminate edge connections.
• The downstream LLM providers reached through the embedded AI gateway (Anthropic, OpenAI, Bedrock, Vertex, Ollama, …).
• Identity providers federated through SAML SSO or SPIRE.
• The HashiCorp Vault deployment used as KMS in production: we assume the operator has secured it per the vendor’s hardening guide.
• Any component that lives outside this repository (desktop clients, multi-org federation services, additional dashboards): not shipped here, not analysed here.

Audience

Two readers:

• A reviewing CISO or security architect evaluating whether the Cullis Mastio is fit to live next to their existing fleet, carrying identity and policy decisions for AI agents that touch internal data. This reader wants STRIDE coverage, explicit residual risks, and references to the code where mitigations live.
• An operator on the customer side running the bundle. This reader wants to know which trust assumptions they are inheriting, what they must configure correctly, and what failure modes they are expected to monitor.

If you fit either profile and a section reads as marketing rather than as analysis, that is a bug. File an issue against cullis-security/cullis.

Methodology

The model uses STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) per trust boundary. For each component we:

1. Describe the data flow that crosses the boundary.
2. Enumerate STRIDE threats relevant to that flow.
3. Reference the mitigation already in code, with the architectural decision record (ADR), pull request, or operational runbook that establishes it.
4. Call out residual risk: the part of the threat that the mitigation does not cover, and what compensating control we expect the operator to provide.

System boundaries

              ┌──────────────────────────────────────────────┐
              │                  Operator                    │
              │   (deploys + monitors + holds admin secret)  │
              └────────────────────┬─────────────────────────┘
                                   │ admin dashboard
                                   │ (HTTPS + CSRF + httponly cookie)
                                   ▼
┌────────────────────────────────────────────────────────────────────┐
│                          Cullis Mastio host                        │
│                                                                    │
│   ┌───────────┐    DPoP+JWT     ┌────────────────────────────┐     │
│   │   Agent   │  ◀──────────▶   │      Cullis Mastio         │     │
│   │  (SDK)    │   cert pinning  │  (mcp_proxy, FastAPI)      │     │
│   └───────────┘                 │                            │     │
│                                 │   ┌─────────────────┐      │     │
│                                 │   │   PDP + policy  │      │     │
│                                 │   │  (default-deny  │      │     │
│                                 │   │   session)      │      │     │
│                                 │   └─────────────────┘      │     │
│                                 │                            │     │
│   ┌───────────┐                 │   ┌─────────────────┐      │     │
│   │  MCP tool │  reverse proxy  │   │  AI gateway     │      │     │
│   │  upstream │  ◀───────────▶  │   │ (native:        │      │     │
│   │ (Slack…)  │                 │   │  Anthropic SDK, │      │     │
│   │           │                 │   │  OpenAI SDK,    │      │     │
│   │           │                 │   │  httpx→Ollama)  │      │     │
│   └───────────┘                 │   └─────────────────┘      │     │
│                                 │                            │     │
│                                 │   ┌─────────────────┐      │     │
│                                 │   │  Audit chain    │      │     │
│                                 │   │ (append-only,   │      │     │
│                                 │   │  hash-chained,  │      │     │
│                                 │   │  per-org)       │      │     │
│                                 │   └────────┬────────┘      │     │
│                                 │            │ KMS calls     │     │
│                                 │            ▼               │     │
│                                 │   ┌─────────────────┐      │     │
│                                 │   │ KMS backend     │      │     │
│                                 │   │ (Vault prod /   │      │     │
│                                 │   │  local dev)     │      │     │
│                                 │   └─────────────────┘      │     │
│                                 └────────────────────────────┘     │
└────────────────────────────────────────────────────────────────────┘

Each labelled arrow is a trust boundary; we enumerate STRIDE per arrow class in the per-component sections below.

Trust assumptions

The threat model is only meaningful relative to what we treat as trusted. The following are assumed correct and not analysed further in this document:

Anything below this line assumes the above hold.

Component: agent authentication

Data flow

• Agent enrollment via one of two paths supported in this repository: the dashboard-driven flow (POST /v1/admin/agents/... in mcp_proxy/admin/agents.py) which mints an agent cert under the Org CA, or BYOCA (the customer signs the cert from their own PKI and the Mastio pins the SHA-256 DER thumbprint at first contact, mcp_proxy/admin/enroll.py). SPIFFE / SPIRE SVIDs are a variant of BYOCA from the proxy’s point of view.
• Steady-state requests sign a DPoP proof (RFC 9449) bound to the per-agent keypair; the proxy validates htu (target URL), htm (HTTP method), iat (issued-at), and the ath claim binding to the access token, with cnf.jkt thumbprint matching enforced on the access token itself (mcp_proxy/auth/dpop.py).
• The proxy also supports client-cert pinning via a SHA-256 DER digest of the presented certificate (mcp_proxy/auth/client_cert.py). This is pinning, not formal RFC 8705 §3 cnf.x5t#S256 token-level binding; we treat it as defence in depth rather than a substitute for DPoP.

STRIDE

References

• mcp_proxy/auth/dpop.py, mcp_proxy/auth/client_cert.py, mcp_proxy/auth/dpop_jti_store.py
• mcp_proxy/admin/agents.py, mcp_proxy/admin/enroll.py, mcp_proxy/enrollment/router.py
• cullis_sdk/auth.py, cullis_sdk/dpop.py
• ADR-013 (layered defence)

Component: registry

Data flow

The registry is the SQLite (default) or Postgres (opt-in) database behind every PDP decision. It holds: agent enrollment records (public key, cert thumbprint, role, capabilities), local user principals (when the dashboard runs in multi-user mode), and configuration (proxy_config table).

STRIDE

References

• mcp_proxy/db.py, mcp_proxy/db_models.py
• Append-only triggers: migration mcp_proxy/alembic/versions/0031_audit_append_only_v2.py
• Hash chain: mcp_proxy/audit_chain.py, migration 0023_audit_hash_chain.py
• DPoP-on-row: migration 0033_audit_dpop_jkt.py

Component: MCP proxy (reverse proxy + DPoP gateway)

Data flow

Agents call MCP tool endpoints through Cullis Mastio rather than directly. The proxy:

1. Validates the DPoP proof and the access token against the registry.
2. Consults the PDP (mcp_proxy/policy/) for (agent, session, tool, model, server) allow/deny decisions.
3. Reverse-proxies to the upstream MCP server (mcp_proxy/reverse_proxy/forwarder.py, mcp_proxy/tools/mcp_resource_forwarder.py), stripping or rewriting headers as policy dictates.
4. Writes the call + result hash to the audit chain.

STRIDE

References

• mcp_proxy/reverse_proxy/, mcp_proxy/tools/, mcp_proxy/middleware/
• ADR-029 (tool-level PDP)
• mcp_proxy/audit_chain.py (per-org chain, retry path _AUDIT_CHAIN_MAX_RETRIES = 5)

Component: AI gateway (native per-provider dispatch)

Data flow

ADR-039 (supersedes ADR-017 on the dispatch layer): Mastio dispatches outbound LLM calls (/v1/llm/..., /v1/chat/completions, /v1/messages) through a per-provider native adapter. The selection is driven by settings.ai_gateway_backend (mcp_proxy/config.py); the default cullis_native routes Anthropic through anthropic.AsyncAnthropic, OpenAI through openai.AsyncOpenAI, and Ollama through raw httpx against /api/chat. No third-party AI gateway library is in the critical path. The legacy litellm_embedded backend remains in tree as an opt-in fallback for providers not yet wired natively (Gemini, Bedrock, Vertex); operators pinning it see a deprecation warning at startup. The gateway terminates an OpenAI-shaped or Anthropic-shaped client request, applies per-agent rate limits and key selection, and forwards to the configured upstream provider.

STRIDE

References

• ADR-017 (original embedded gateway)
• ADR-039 (native per-provider adapters, drop LiteLLM critical path)
• mcp_proxy/egress/ai_gateway.py (dispatcher), mcp_proxy/egress/adapters/{anthropic,openai,ollama}.py (native providers), mcp_proxy/egress/adapters/{litellm,portkey}.py (legacy backends), mcp_proxy/egress/llm_chat_router.py, mcp_proxy/egress/provider_catalog.py
• mcp_proxy/tools/secret_encrypt.py

Component: policy bridge (OPA Data API + CloudEvents sink)

Data flow

PR #907: Mastio exposes its policy + audit surface via two standards-shaped endpoints so external data planes (any gateway that speaks OPA + CloudEvents) can use Cullis as control plane without writing glue. POST /v1/data/cullis/policy/{path} accepts an OPA Data API request ({"input": {...}}) and returns {"result": {"decision": ...}}. POST /v1/integrations/cloudevents accepts a CloudEvents HTTP-binding event and persists it as one row on the hash-chained audit_log. Both endpoints share a single HMAC-SHA256 guard via X-Cullis-Integration-Signature keyed on MCP_PROXY_INTEGRATIONS_HMAC_SECRET.

STRIDE

References

• mcp_proxy/integrations/policy_bridge.py, mcp_proxy/integrations/__init__.py
• mcp_proxy/main.py route registration
• mcp_proxy/middleware/strip_x_cullis_headers.py allowlist entry for x-cullis-integration-signature
• operate/policy-bridge.md or integrations/policy-bridge.md for the operator-side deploy

Component: Rego policy engine (embedded WASM)

Data flow

PR #908 + #909: the operator authors Rego in the dashboard Policies → Rego tab. The backend compiles via the bundled opa build -t wasm (OPA v1.16.2, SHA-256-pinned in scripts/opa-sha256.txt) and persists both the source and the base64-encoded WASM bundle inside the existing proxy_config.policy_rules JSON document. At decision time, try_rego_decision (in mcp_proxy.policy.__init__) reads the WASM, instantiates OPAPolicy via opa-wasmtime (process-wide cached on SHA-256), evaluates against the OPA-shaped input, and returns {"decision": ..., "reason"?}. The legacy allowlist (blocked_agents, allowed_orgs, tool_rules) backs up the Rego path: empty Rego → allowlist; Rego runtime eval error → allowlist + warning log.

STRIDE

References

• mcp_proxy/policy/rego_engine.py (compile + cache + eval)
• mcp_proxy/policy/__init__.py (try_rego_decision two-layer dispatcher)
• mcp_proxy/dashboard/rego_rules.py + templates/rego_rules.html (authoring surface)
• scripts/opa-sha256.txt (binary pin)
• mcp_proxy/Dockerfile (opa-build stage)
• scripts/bench-rego-eval.py (perf bench)
• operate/rego-policies.md for the operator workflow

Component: license verifier

Data flow

The Mastio carries an offline RS256 license verifier (mcp_proxy/license.py) that gates paid feature dispatch. In the public repository the bundled public key is a placeholder; a real deployment overrides it via CULLIS_LICENSE_PUBKEY_PATH. The token itself is read from CULLIS_LICENSE_KEY (raw JWT) or CULLIS_LICENSE_PATH (file). Missing or invalid token = community tier, no paid features.

STRIDE

References

• mcp_proxy/license.py
• mcp_proxy/admin/approval_hook.py (ACTION_LICENSE_IMPORT)

Component: KMS backend

Data flow

The Org CA private key (used to sign agent certificates) can live in two places in this repository, chosen at deploy time via MCP_PROXY_KMS_BACKEND (mcp_proxy/kms/factory.py):

• local (development default): the key is stored in the proxy_config table of the Mastio’s own SQLite or Postgres database. The row is wrapped in a Fernet envelope keyed by MCP_PROXY_DB_ENCRYPTION_KEY (pki_key_store table, migration 0038_pki_key_store.py).
• vault (production): HashiCorp Vault KV v2 path (ADR-031, mcp_proxy/kms/vault.py).

The production-mode startup validator (mcp_proxy/config.py:1007) refuses MCP_PROXY_KMS_BACKEND=local and exits with SystemExit(1): running production requires the Vault backend (or an enterprise cloud-KMS plugin loaded out-of-tree). It additionally refuses an empty MCP_PROXY_DB_ENCRYPTION_KEY, so even local mode in dev will not silently fall back to an unencrypted key store.

A separate env var, MCP_PROXY_SECRET_BACKEND, governs how short-lived agent credentials are encrypted (env vs Vault). The production-mode startup validator also refuses MCP_PROXY_SECRET_BACKEND=env in production.

STRIDE

References

• ADR-031 (Vault as Org CA private key store)
• mcp_proxy/kms/factory.py, mcp_proxy/kms/vault.py, mcp_proxy/kms/local.py, mcp_proxy/kms/pki_at_rest.py
• mcp_proxy/cli/ (migrate-org-ca-to-vault)
• operate/vault-org-ca.md

Component: Cullis SDK (client-side)

Data flow

The SDK runs in the agent’s process and holds the agent’s private key on disk. It uses from_identity_dir to load the cert + key, calls login_via_proxy to obtain a short-lived bearer + DPoP nonce, and uses _authed_request to attach a DPoP proof to every subsequent call. It re-logs in on 401 (token expiry, _relogin_callable).

STRIDE

References

• cullis_sdk/auth.py, cullis_sdk/client.py, cullis_sdk/dpop.py
• cullis_sdk/README.md

Cross-cutting threats

Supply chain

Every released image and bundle ships with:

• A cosign signature generated by GitHub Actions OIDC keyless signing; the certificate identity is verifiable against the release workflow path on cullis-security/cullis.
• A CycloneDX SBOM generated by Syft, attached to the GitHub Release.
• A Trivy scan that gates HIGH/CRITICAL vulnerabilities with ignore-unfixed=true: vulnerabilities without an upstream fix are documented as residual rather than blocking the release. The base image typically carries a small number of HIGH unfixed CVEs that we list explicitly in each release’s SBOM rather than blocking on.

Residual: customers who require a zero-unfixed posture should rebuild from source with their own base image; the recipe is documented in the bundle README.

Insider threat

We treat the bundle operator as semi-trusted: they can deploy, take backups, and rotate keys. They can also read the data bind mount and the SQLite file. The defences against an insider with operator credentials are:

• Audit chain: every state-changing action goes into the append-only log, which hash-chains under SHA-256. An insider who tampers with the log breaks the chain; the dashboard’s Verify chain action and the standalone CLI catch it.
• 4-eyes approval hook: at configurable depth, a set of state-changing actions requires a second admin’s signoff before they take effect. The currently wired set is policies.save, pki.rotate_ca, mastio_key.rotate, vault.migrate_keys, users.delete, agents.delete, agent.enroll, license.import. Federation peer changes (federation.peer) are defined but not yet wired in this repository’s open-core surface.
• Append-only triggers: the local_audit table has SQLite (and Postgres) triggers that raise on UPDATE / DELETE (mcp_proxy/alembic/versions/0031_audit_append_only_v2.py). Even admin DB access cannot rewrite history without dropping the triggers (an act that itself leaves an audit trail elsewhere).

Residual: a colluding pair of admins defeats 4-eyes. A single admin with all roles has full control by design.

Key lifecycle

Audit log integrity

• Append-only schema: triggers on local_audit (and the legacy audit_log table) reject UPDATE / DELETE on SQLite and Postgres alike (mcp_proxy/alembic/versions/ 0031_audit_append_only_v2.py).
• Each entry has an entry_hash (SHA-256 of canonical representation) and a previous_hash linking to the prior entry (mcp_proxy/alembic/versions/0023_audit_hash_chain.py, mcp_proxy/audit_chain.py). The DPoP jkt thumbprint is denormalised onto the row (0033_audit_dpop_jkt.py) so a forensic query does not have to re-derive trust state from a separate request log.
• Multi-worker safety: writes go through a bounded retry path (mcp_proxy.db._AUDIT_CHAIN_MAX_RETRIES = 5) that resolves UNIQUE(chain_seq) contention from concurrent uvicorn workers. Validated under sustained 4-worker writes (≈ 472k rows / 30 min, 0 IntegrityError) in the 2026-05-18 stress run.
• Online verify: POST /proxy/audit/verify (dashboard) runs the same per-org chain check as the standalone CLI (scripts/cullis-audit-verify.py) and reports first-broken-seq + expected vs actual hash.

Residual: this repository does not ship a cross-org anchor. An operator who needs an external append-only witness should pipe audit exports into a SIEM or external timestamp service. The Cullis Audit Envelope export format (per-org NDJSON with the chain head + verify metadata) is the offline ship format; see operate/audit-export.md.

Residual risk summary

The threats this model does not mitigate:

• Host compromise: root on the Mastio host reads everything on the data bind mount. KMS (Vault) raises the bar for the Org CA key; everything else is in scope.
• Compromised license signing key: a single Cullis-side key custody failure affects every customer of that build. Annual rotation is the commitment; HSM-backed signing is a P2 item once funded.
• Colluding admins: 4-eyes assumes the two admins are not the same person and not colluding.
• Upstream LLM provider behaviour: Cullis is not a content classifier. Prompt-injection defence at the upstream is the upstream’s responsibility.
• Quantum-resistant cryptography: not in scope yet. RSA-4096, ECDSA P-256, and RSA-OAEP-SHA256 are the current primitives.
• Side-channels on bcrypt: cost factor 12; we treat this as meeting OWASP 2024 guidance but not as eliminating offline attacks on a leaked hash.

Open items (planned hardening)

References

• SECURITY.md (responsible disclosure, severity-tier SLA)
• operate/runbook.md (incident response)
• operate/disaster-recovery.md (backup + restore)
• operate/rotate-keys.md (agent cert + Org CA rotation)
• operate/audit-export.md (chain viewer + verify + offline export)
• operate/vault-org-ca.md (KMS migration to Vault)