STPA and STPA-Sec analysis¶
System-Theoretic Process Analysis (Leveson and Thomas, MIT) is the method by which this project derives its safety and security requirements. STPA-Sec extends it by treating an adversary as a cause that actively drives unsafe control actions.
This directory is the authoritative hazard analysis. The traceability chain is: security constraint -> the UCA it prevents -> the loss scenario it mitigates -> the loss it avoids. Every state-changing MCP tool must appear in the UCA table; every constraint must map to an enforcement mechanism (a code assertion, a policy rule, or a human-in-the-loop gate).
Artifacts (complete; BL-003)¶
01-losses.mdnumbered losses (L-1..L-6).02-hazards.mdhazards (H-1..H-10) mapped to losses.03-system-constraints.mdsystem-level constraints (SC-1..SC-10).04-control-structure.mdthe control-structure diagram and narrative (operator -> MCP server -> execution path -> fleet hosts, with feedback paths and trust boundaries).05-ucas.mdthe Unsafe Control Action table (every state-changing tool x the four modes: provided wrongly, not provided, wrong timing/order, wrong duration x hazard).06-loss-scenarios.mdcausal-factor scenarios per UCA, including adversary-driven paths (indirect prompt injection in collected host data).07-security-constraints.mdthe derived mitigations (SEC-1..SEC-10), each mapped to its enforcement mechanism and a proving test. This is the keystone traceability table.
The seed losses, hazards, and constraints that scaffolded this directory are now superseded by the numbered artifacts above; see those files for the authoritative, complete sets.