Threat model (LCDL)

This document is engineering-oriented, not a formal certification artifact. Use it to align security reviews with how LCDL actually behaves.

Updated

Assets worth protecting

Asset Notes
Prompts + task inputs May contain PII, proprietary text, retrieval snippets
Model outputs May leak training biases or echo secrets from prompts
JSON schemas + contracts Define validation surface—tampering changes safety posture
Environment variables / profiles Gateway URLs, bearer tokens, model IDs
Logs + traces Often easier to exfiltrate than raw DB dumps
Handbook + CI artifacts Describe capabilities—helps attackers pick abuse paths

Trust boundaries

Boundary Inside Outside
Core library forge_lcdl tasks, operators, verification primitives Consumer apps, browsers, databases
Transport Callable injected into TaskRunner Corporate gateways, vendor APIs
MCP / Cursor Tool manifests + policy docs Host IDE policies, stdio bridges
Static handbook Published docs CDN/hosting account compromise

LCDL trust boundary flow

How governed task calls cross from consumer hosts through MCP transport into LCDL core and out to gateways.

  1. Consumer / IDE hostsHost applications and IDE integrations that invoke LCDL workloads.
  2. MCP tools + callable chat transportTool manifests and injectable transport bridge hosts to TaskRunner.
  3. LCDL TaskRunner (core library zone)Governed tasks, operators, and verification run inside the library.
  4. model gateways (outside LCDL)Corporate or vendor APIs that receive outbound model traffic.

Threats (representative)

Threat Example Mitigations
Prompt injection via task input User text steers model to ignore policy Schema validation, output verification, allowlists
Schema bypass Crafted JSON avoids validation Strict schemas, tests, audit_contract_docs.py
Secret leakage via logs Logging raw HTTP bodies Redaction, structured logging policies in consumer
Stale or poisoned contracts Wrong schema shipped CI audits, semver + compatibility doc
Retrieval poisoning Bad evidence text in RAG flows Evidence governance in consumer, citations review
Live gateway instability Timeouts treated as silent success Time-boxed retries, explicit Err, benchmarks

Controls shipped or documented in-repo

Residual risks

  • LCDL cannot enforce organizational IAM, network egress, or data retention—consumers must layer controls.
  • LLM nondeterminism remains even with schemas; treat outputs as untrusted until verified.