
Threat model

| Actor                  | Capability                                 | Trust                                        |
|------------------------|--------------------------------------------|----------------------------------------------|
| External attacker      | Internet traffic only                      | Untrusted                                    |
| Agent host (your app)  | Holds an agent token; can emit any events  | Partially trusted                            |
| Dashboard user         | Has a role on one or more projects         | Role-scoped trust                            |
| Brain operator         | Full DB + env access                       | Fully trusted                                |
| Postgres admin         | Direct SQL                                 | Fully trusted (breaks audit-log semantics)   |
Assumptions

  • TLS terminates in front of the brain. No plaintext HTTP in production.
  • Env vars are secret. Leaking Z4J_SECRET compromises sessions; leaking Z4J_AUDIT_SECRET compromises the audit chain (entries can be recomputed to look valid).
  • Postgres is on a private network. Direct access is the operator's responsibility.
  • Time is monotonic enough. Audit log ordering is by ID (sequence), not wall time, so clock skew cannot reorder entries.
Threats and mitigations

  1. Credential stuffing / brute force - defended by argon2id password hashing, rate limits, and a dummy hash so that a failed lookup costs the same as a failed verification.
  2. Session theft - HttpOnly + Secure + SameSite=Lax cookies; all sessions are invalidated on password change.
  3. Prompt injection via events - event payloads are data, never instructions. The brain never evals untrusted text or templates it into action pipelines.
  4. Token enumeration - tokens are stored HMAC-hashed; a login with an unknown token takes the same time as a known token with the wrong password (dummy hash), so timing does not reveal which tokens exist.
  5. Agent impersonation - tokens are per-agent and revocation is immediate. (project_id, name) uniqueness prevents duplicate-register races.
  6. Replay attacks - WebSocket frames carry a monotonic seq; frames with an already-seen seq are dropped when persisted.
  7. SSRF via public_url - Z4J_PUBLIC_URL is validated (no whitespace, no user:pass, http/https only).
  8. Audit tampering - the HMAC chain detects it. It is not prevented at the DB level - see "Out of scope" below.
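The login path behind items 1 and 4, as an added example (not the z4j brain's own code): tokens are stored only as HMAC(Z4J_SECRET, token), passwords under a memory-hard hash, an unknown token is verified against a fixed dummy record so both failure paths do the same hashing work, and a per-client failure counter rejects attempts before any hashing once the limit is hit. Assumptions: the page names argon2id, but this stand-alone version uses stdlib scrypt in its place; the lockout policy (5 failures per 60 s), the `hash_calls` instrumentation and the env-var fallback value are illustrative only.

```python
"""Login path: HMAC-hashed agent tokens, memory-hard password hashing, a
dummy-hash fallback so unknown tokens cost the same as known ones, and a
per-client rate limit. Added example, not the z4j brain's own code."""
import hashlib
import hmac
import os
import secrets
import time

# Assumed: the page names Z4J_SECRET but not how it is loaded.
Z4J_SECRET = os.environ.get("Z4J_SECRET", "example-only-do-not-use").encode()

MAX_FAILURES = 5        # assumed policy: failures per client before lockout
WINDOW_SECONDS = 60     # assumed policy: fixed window for the failure counter


def password_hash(password: str, salt: bytes) -> bytes:
    # Stand-in for argon2id using stdlib scrypt (also memory-hard). The page
    # specifies argon2id; use argon2-cffi's PasswordHasher in production.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def token_hmac(token: str) -> str:
    # Only HMAC(Z4J_SECRET, token) is stored: a DB dump yields no usable tokens.
    return hmac.new(Z4J_SECRET, token.encode(), hashlib.sha256).hexdigest()


# Fixed dummy credential, verified whenever the token is unknown so that the
# unknown-token path does the same hashing work as the wrong-password path.
_DUMMY_SALT = b"z4j-dummy-salt!!"
_DUMMY_HASH = password_hash("never-the-real-password", _DUMMY_SALT)


class RateLimited(Exception):
    pass


class AgentStore:
    def __init__(self):
        self.by_token = {}     # token_hmac -> {"name", "salt", "hash"}
        self.failures = {}     # client_ip -> [window_start, failure_count]
        self.hash_calls = 0    # instrumentation: password hashes run so far

    def register(self, name: str, token: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.by_token[token_hmac(token)] = {
            "name": name, "salt": salt, "hash": password_hash(password, salt)}

    def _check_rate(self, client_ip: str, now: float) -> None:
        start, count = self.failures.get(client_ip, (now, 0))
        if now - start >= WINDOW_SECONDS:      # window expired: start over
            start, count = now, 0
        self.failures[client_ip] = [start, count]
        if count >= MAX_FAILURES:
            raise RateLimited(client_ip)

    def login(self, token: str, password: str, client_ip: str, now=None):
        """Return the agent name on success, None on failure. Raise RateLimited
        (before any hashing) once the client has exceeded MAX_FAILURES."""
        now = time.monotonic() if now is None else now
        self._check_rate(client_ip, now)
        rec = self.by_token.get(token_hmac(token))
        self.hash_calls += 1
        if rec is None:
            # Unknown token: burn the same hash cost against the dummy record
            # and discard the result, so timing does not reveal token validity.
            hmac.compare_digest(password_hash(password, _DUMMY_SALT), _DUMMY_HASH)
            ok = False
        else:
            ok = hmac.compare_digest(password_hash(password, rec["salt"]), rec["hash"])
        if not ok:
            self.failures[client_ip][1] += 1
            return None
        self.failures.pop(client_ip, None)     # success clears the counter
        return rec["name"]
```

The counter is keyed on the client, not on the token, so an attacker cannot lock a legitimate agent out by spraying its token; the cost of that choice is that a distributed attacker needs the global rate limit the page mentions in addition to this per-client one.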
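A validator for the Z4J_PUBLIC_URL rules in item 7, as an added example (not the project's own validation code). It implements exactly the three checks the page lists plus a host-present check; the function names and the rejection messages are assumptions. Whitespace is checked before parsing because urlsplit silently strips some ASCII control characters, and the userinfo check looks at the raw netloc so an empty `@host` form is caught as well.

```python
"""Z4J_PUBLIC_URL validation: no whitespace, no user:pass, http/https only.
Added example, not the z4j brain's own code."""
from urllib.parse import urlsplit


def check_public_url(value: str):
    """Return None if value is acceptable, else a short rejection reason.
    Assumed helper; the page states the rules but not the API."""
    # Check raw characters first: urlsplit strips some control characters,
    # so a check after parsing could miss a value like "https://host\n".
    if value != value.strip() or any(ch.isspace() or ord(ch) < 0x20 for ch in value):
        return "whitespace or control characters"
    try:
        parts = urlsplit(value)
    except ValueError:          # e.g. unbalanced IPv6 brackets
        return "unparseable URL"
    if parts.scheme not in ("http", "https"):   # urlsplit lowercases the scheme
        return "scheme must be http or https"
    if "@" in parts.netloc:     # catches user:pass@host and the bare @host form
        return "userinfo (user:pass@) not allowed"
    if not parts.hostname:
        return "missing host"
    return None


def validate_public_url(value: str) -> str:
    """Raise ValueError on a bad value so startup fails loudly; return it otherwise."""
    reason = check_public_url(value)
    if reason is not None:
        raise ValueError(f"Z4J_PUBLIC_URL rejected: {reason}")
    return value
```

This is a syntactic check only: it does not resolve the host or reject private address ranges, which the page does not claim for Z4J_PUBLIC_URL either.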
Out of scope

  • Physical access to the brain host / Postgres - anyone with DB access can rewrite audit rows. The chain makes this detectable, not impossible.
  • MFA - planned post-v1.1.
  • SSO / OAuth2 - planned.
  • Compliance certifications (SOC 2 / HIPAA / ISO 27001) - not in v1, no plans for v1.
  • Browser fingerprinting / anti-automation - we're not that kind of product.
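An HMAC audit chain of the kind item 8 and the first bullet above describe, as an added example (not the z4j brain's own code): each row's MAC covers its id, its payload and the previous row's MAC, so an edit, deletion or reorder anywhere in the chain fails verification at the first affected id. The row layout, the genesis value, the canonical-JSON encoding and the `anchor` argument are assumptions; the sample rows are constructed.

```python
"""HMAC audit chain: detects (does not prevent) tampering by anyone with DB
access but without Z4J_AUDIT_SECRET. Added example, not the project's code."""
import hashlib
import hmac
import json
import os

# Assumed: the page names Z4J_AUDIT_SECRET but not how it is loaded.
Z4J_AUDIT_SECRET = os.environ.get("Z4J_AUDIT_SECRET", "example-only-do-not-use").encode()
GENESIS_MAC = "0" * 64    # assumed: the "previous MAC" of the first row


def entry_mac(prev_mac: str, entry_id: int, payload: dict) -> str:
    # Canonical JSON so the same payload always hashes to the same bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    msg = prev_mac.encode() + b"|" + str(entry_id).encode() + b"|" + body
    return hmac.new(Z4J_AUDIT_SECRET, msg, hashlib.sha256).hexdigest()


class AuditLog:
    """Rows are chained in id (sequence) order, never wall-time order,
    matching the page's assumption about audit ordering."""

    def __init__(self):
        self.rows = []    # each row: {"id": int, "payload": dict, "mac": str}

    def append(self, payload: dict) -> int:
        prev = self.rows[-1]["mac"] if self.rows else GENESIS_MAC
        entry_id = len(self.rows) + 1
        self.rows.append({"id": entry_id, "payload": payload,
                          "mac": entry_mac(prev, entry_id, payload)})
        return entry_id

    def head(self):
        """(id, mac) of the newest row. Record this outside Postgres now and
        then: a chain with its newest rows deleted still verifies on its own."""
        if not self.rows:
            return (0, GENESIS_MAC)
        return (self.rows[-1]["id"], self.rows[-1]["mac"])

    def verify(self, anchor=None):
        """Return (True, None) if intact, else (False, first_bad_id).
        A bad id is a gap/reorder (id != expected), a MAC mismatch, or, when
        an externally stored anchor is given, a head that no longer matches."""
        prev, expected_id = GENESIS_MAC, 1
        for row in self.rows:
            if row["id"] != expected_id:
                return (False, expected_id)
            if not hmac.compare_digest(entry_mac(prev, row["id"], row["payload"]), row["mac"]):
                return (False, row["id"])
            prev, expected_id = row["mac"], expected_id + 1
        if anchor is not None and self.head() != anchor:
            return (False, anchor[0])
        return (True, None)


def sample_log() -> AuditLog:
    # Constructed sample rows, not captured from a real deployment.
    log = AuditLog()
    log.append({"actor": "alice", "action": "login"})
    log.append({"actor": "alice", "action": "rotate_token", "agent": "agent-1"})
    log.append({"actor": "bob", "action": "login"})
    return log
```

Two limits are worth keeping in mind. A Postgres admin who also obtains Z4J_AUDIT_SECRET can recompute every MAC and the chain proves nothing, which is why the assumptions treat that env var as secret. And deleting rows from the tail leaves a shorter chain that still verifies; only an externally stored head (the `anchor` above) turns that into a detectable event.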
Audits

  • Two rounds of pre-release internal audits (see docs/SECURITY_AUDIT_PRERELEASE.md in the repo).
  • An external audit is planned before GA; the results will be published.

Reporting a vulnerability

Email security@z4j.com. Do not file a public issue for undisclosed vulnerabilities. See disclosure.