A SaaS platform that automates the creation, updating, and management of customized threat models for SaaS, self-hosted, and SDK applications, integrating attack vector analysis and mitigation recommendations.

Repository: traceroot-ai/traceroot Author: XinweiHe Goal Document a threat model covering TraceRoot's attack surface across SaaS, self-hosted, and SDK surfaces. Why We handle sensitive customer data: LLM provider API keys (encrypted at rest), GitHub OAuth tokens, agent traces, and billing info. A threat model makes our trust boundaries explicit, helps prioritize future security work, and is a prerequisite for enterprise customer trust reviews. Scope to cover - Trust boundaries: browser client / Next.js / FastAPI / Celery worker / ClickHouse / S3 - Data assets at risk: LLM keys, session tokens, trace payloads, Stripe data - Threat actors: external attacker, malicious OSS contributor, compromised dependency - Key attack vectors: SSRF, prompt injection via trace payloads, supply chain, credential exfiltration - Mitigations already in place vs. gaps Deliverable THREAT_MODEL.md in repo root, following STRIDE or a simplified 4-question model (What are we building? What can go wrong? What do we do about it? Did we do a good job?) References - Existing: SECURITY.md, INCIDENT_RESPONSE.md - OWASP Threat Modeling: https://owasp.org/www-community/Threat_Modeling