boma/docs/security/accepted-risks.md
sjat f338bccd46 Expand ADR-002 into a security baseline + strategy
Add a managerial security frame on top of the host baseline: explicit threat
model (opportunistic external, lateral movement/blast radius, operator/agent
error; supply chain accepted-lower-priority), security principles, and four
governance mechanisms that ADR-002 establishes and links out to:

- docs/security/service-checklist.md — per-service security bar (referenced
  from the new-role runbook)
- docs/security/accepted-risks.md — living accepted-risk register (R1-R4)
- planned /security-review skill (TODO 8.5)
- agent guardrails in CLAUDE.md "what Claude must not do"

STATUS.md records the frame as present (manual enforcement) and /security-review
as planned-not-built.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-04 14:39:51 +02:00


Accepted security risks

Conscious security trade-offs we are choosing to live with — recorded so "what we are not doing" is explicit and revisitable, not forgotten. This register is a living document and is expected to change; it is deliberately kept out of ADR-002 (which records durable decisions) so the ADR stays stable.

Owned by ADR-002 (Security baseline and strategy). Re-challenged during the periodic security review (planned /security-review; see docs/TODO.md).

Each entry: the risk · why we accept it (rationale) · what would make us revisit (trigger).

| # | Accepted risk | Rationale | Revisit trigger |
|---|---------------|-----------|-----------------|
| R1 | Supply chain not actively defended — third-party container/base images, dependencies, and Ansible collections are trusted as pulled | Out of proportion to a homelab's effort budget; the realistic threat is opportunistic, not a targeted supply-chain attack. gitleaks + version pinning (ADR-011) give partial cover | Hosting high-value data/finances for others; a relevant upstream compromise; appetite for image signing / SBOM / pinned digests |
| R2 | No full CIS benchmark hardening | Significant complexity for marginal gain at this scale | A compliance need, or hosting third-party data with obligations |
| R3 | No SELinux / AppArmor mandatory access control | Operational overhead exceeds benefit for the current threat model | Threat model shifts toward targeted attackers; a service with a poor security history |
| R4 | No intrusion detection system (IDS) | Detection is only useful with the capacity to triage it; alerts no one reads are noise | Monitoring/alerting stack (Prometheus/Loki/Grafana) is in place and someone will act on alerts |

Last reviewed: 2026-06-04 (seeded — pending a first re-challenge pass).