Threat Model

简体中文

Executive Summary

Codex Quota Monitor is a self-hosted operator dashboard that reads sensitive CLIProxyAPI management state and, when configured, local Codex OAuth auth files. The highest-risk outcomes are management key or OAuth token disclosure, exposing account and quota metadata beyond the intended operator audience, and over-broad deployment choices that turn a local dashboard into an unauthenticated LAN or public endpoint.

Scope And Assumptions

In scope:

Out of scope:

Assumptions:

Open questions that can change risk ranking:

System Model

Primary Components

Data Flows And Trust Boundaries

Diagram

flowchart LR
  Operator["Trusted operator"] --> CLI["Monitor CLI and config"]
  CLI --> Server["Monitor HTTP server"]
  Server --> CPA["CLIProxyAPI management"]
  Server --> Auth["Codex auth files"]
  Server --> Provider["Codex usage API"]
  Server --> DB["SQLite history"]
  Server --> Browser["Browser and agents"]
  Proxy["Authenticated proxy"] --> Server
  Benchmark["Benchmark runner"] --> Results["Benchmark outputs"]

Assets

Entry Points

Threats And Mitigations

Threat Risk Existing controls Gaps and recommendations
Management key or OAuth token appears in API, metrics, history, logs, or support output. High Tests cover public endpoints, metrics, doctor JSON, history, and quota sampling; print-config sanitizes URLs; redact creates sanitized copies. Keep adding regression tests for every new public field. Treat benchmark/history schema additions as privacy changes.
Dashboard is exposed to LAN/public users without authentication. High Python/NixOS default to 127.0.0.1; NixOS openFirewall defaults false; doctor warns on non-loopback and allowed-host exposure; docs require authenticated proxy/access layer. Do not treat Host/Origin checks as auth. Future hardening could add explicit confirmation flags for broad bind addresses.
Over-broad Docker/NixOS mounts expose unrelated secrets. Medium Docs require mounting only the management key file and auth directory; auth files stay read-only unless auth live plan sync is explicitly enabled. NixOS uses a dedicated user, hardened systemd settings, and a separate writable sync unit. Keep examples from mounting whole home or config directories.
SQLite history or benchmark output leaks operational metadata. Medium Security docs classify these artifacts as sensitive; redact supports JSON, JSONL, CSV, Markdown/text, SQLite copy redaction, and dry-run/apply batch redaction for staged support directories. Avoid sharing raw history DB or benchmark directories. Add format-specific redaction tests as new benchmark files appear.
Reverse proxy path or host mismatch weakens boundary expectations. Medium Allowed-host checks reject unexpected Host/Origin; docs state v1 expects root-path deployment on a dedicated hostname. Keep reverse proxy examples aligned with root-path assumptions and authenticated access.
CI/release artifact tampering. Medium Release images are built from tagged source, Docker base image is pinned by digest, Dependabot updates dependencies, GHCR images include SBOM/provenance and keyless cosign signatures. Verify release workflow status, image attestations, and tag integrity before announcement.

Manual Review Focus

Quality Check