Handbook
Threat model (LCDL)
This document is engineering-oriented, not a formal certification artifact. Use it to align security reviews with how LCDL actually behaves.
Updated
Assets worth protecting
| Asset | Notes |
|---|---|
| Prompts + task inputs | May contain PII, proprietary text, retrieval snippets |
| Model outputs | May leak training biases or echo secrets from prompts |
| JSON schemas + contracts | Define validation surface—tampering changes safety posture |
| Environment variables / profiles | Gateway URLs, bearer tokens, model IDs |
| Logs + traces | Often easier to exfiltrate than raw DB dumps |
| Handbook + CI artifacts | Describe capabilities—helps attackers pick abuse paths |
Trust boundaries
| Boundary | Inside | Outside |
|---|---|---|
| Core library | forge_lcdl tasks, operators, verification primitives |
Consumer apps, browsers, databases |
| Transport | Callable injected into TaskRunner |
Corporate gateways, vendor APIs |
| MCP / Cursor | Tool manifests + policy docs | Host IDE policies, stdio bridges |
| Static handbook | Published docs | CDN/hosting account compromise |
LCDL trust boundary flow
How governed task calls cross from consumer hosts through MCP transport into LCDL core and out to gateways.
- Consumer / IDE hostsHost applications and IDE integrations that invoke LCDL workloads.
- MCP tools + callable chat transportTool manifests and injectable transport bridge hosts to TaskRunner.
- LCDL TaskRunner (core library zone)Governed tasks, operators, and verification run inside the library.
- model gateways (outside LCDL)Corporate or vendor APIs that receive outbound model traffic.
Consumer / IDE hosts
|
v
MCP tools + callable chat transport
|
v
LCDL TaskRunner (core library zone)
|
v
model gateways (outside LCDL)Threats (representative)
| Threat | Example | Mitigations |
|---|---|---|
| Prompt injection via task input | User text steers model to ignore policy | Schema validation, output verification, allowlists |
| Schema bypass | Crafted JSON avoids validation | Strict schemas, tests, audit_contract_docs.py |
| Secret leakage via logs | Logging raw HTTP bodies | Redaction, structured logging policies in consumer |
| Stale or poisoned contracts | Wrong schema shipped | CI audits, semver + compatibility doc |
| Retrieval poisoning | Bad evidence text in RAG flows | Evidence governance in consumer, citations review |
| Live gateway instability | Timeouts treated as silent success | Time-boxed retries, explicit Err, benchmarks |
Controls shipped or documented in-repo
- Fake transport defaults for learning and CI (
pytest -m not granitepattern). - ContractSpec + audits (ContractSpec,
audit_contract_docs.py). - Responsible use framing (Security and responsible use).
Residual risks
- LCDL cannot enforce organizational IAM, network egress, or data retention—consumers must layer controls.
- LLM nondeterminism remains even with schemas; treat outputs as untrusted until verified.