NODEDC_TASKMANAGER_CODEXAPI/docs/THREAT_MODEL.md

Threat Model

Last updated: 2026-05-14.

Security objective

Let external local Codex agents maintain Tasker cards without turning Tasker into an open automation surface.

Main threats

Raw Tasker access leakage

Risk: a user copies a broad Tasker token or cookie into local Codex, allowing arbitrary API calls.

Mitigation:

• never issue Plane session cookies to agents;
• never expose raw Tasker API tokens;
• use opaque Agent Gateway tokens;
• only expose allowlisted MCP tools.

Project scope escape

Risk: an agent writes to another project or workspace.

Mitigation:

• Agent Gateway grants are project-scoped;
• Tasker adapter revalidates workspace/project membership;
• every tool requires explicit project_id;
• gateway rejects projects outside grant set.

Destructive action

Risk: an agent deletes or archives cards, labels, comments, projects, or members.

Mitigation:

• no delete/archive MCP tools in MVP;
• adapter rejects delete/archive intents;
• raw API proxy is forbidden.

Privilege confusion

Risk: an agent acts as the human user and hides automation history.

Mitigation:

• create dedicated agent identity;
• store owner user separately;
• every audit event includes both agent_id and owner_user_id;
• UI displays agent-originated changes.

Prompt injection

Risk: text inside a card tells Codex to exfiltrate token or call forbidden tools.

Mitigation:

• MCP tools enforce server-side scopes;
• instruction pack says Tasker content is untrusted;
• Gateway never exposes secrets through read tools;
• deny arbitrary HTTP fetch/proxy tools.

Token theft

Risk: local token leaks from developer machine.

Mitigation:

• token hash storage;
• expiry;
• immediate revoke;
• last used metadata;
• rate limits;
• optional IP/device binding later.

Owner lifecycle bypass

Risk: blocked/annulled user keeps active agent token.

Mitigation:

• Gateway checks Launcher owner status;
• blocked/annulled owner disables agent tokens;
• periodic sync plus request-time access check.

Replay and duplicate writes

Risk: network retry creates duplicate cards/comments.

Mitigation:

• required idempotency keys for write tools;
• store operation result by agent and idempotency key;
• reject same key with different arguments;
• release failed writes so safe retries can run again.

Reporting mode false confidence

Risk: enterprise admin assumes local Codex must report, but the developer bypasses the managed config.

Mitigation:

• UI distinguishes connected, stale, never connected;
• reporting mode is visibility and policy, not hard enforcement, unless a managed wrapper is used;
• CI/workflow checks can require Tasker session updates later.

Hard rules

• No database access from Agent Gateway to Tasker DB.
• No arbitrary Tasker HTTP proxy.
• No user session cookie reuse.
• No delete/archive tools in MVP.
• No secrets in generated markdown instruction files.
• No token logging.
• No frontend access to service secrets.