UCCA Threat Model

Security Posture, Trust Boundaries, and Adversarial Analysis

Status: Working Document
Version: 1.1
Date: March 2026
Classification: INTERNAL
Authors: Tim Rignold, Claude (Anthropic)
Source document: UCCA_Threat_Model_v1.1.docx

Living Document

This is a living governance document. It must be updated when the architecture changes, new integrations are added, or gaps are closed. Sections 7 and 8 are deliberately honest about what is missing — this honesty is what gives the document credibility.

Governing Entities:

  • United Central Colleges of Australia Pty Ltd trading as RTOpacks — Australian entity, governed by Australian law.
  • United Community Colleges of America Inc DBA UCCA Inc — Delaware C-Corp, governed by US federal and state law.

Section 1 — What We Protect

Three assets. Everything in the threat model flows from these.

Engine Integrity

The deterministic processing engine must produce identical outputs given identical inputs, every time, without exception. If an adversary can alter how the engine processes a triumvirate — changing a compliance rule, modifying an outcome specification, tampering with a credential map — the entire value proposition collapses. A compliance engine that can be influenced is worse than no compliance engine at all, because it provides false assurance.

World Data Sovereignty

Each world's data is sovereign and contained. An RTO's compliance records in the AU VET world must be inaccessible from any other world. A defence client's data must be inaccessible to anyone outside their world, including other UCCA worlds. Cross-world data leakage is an existential threat — one breach means every client questions their containment.

Operational Provenance

Every action the engine takes is recorded — what was processed, when, by whom, against which version of which triumvirate, with what result. This audit trail is the evidence base for compliance claims. If provenance records can be altered, deleted, or fabricated, the engine's outputs are legally worthless. Provenance must be immutable and independently verifiable.

Data Residency Sovereignty

Each world's data must reside in a jurisdiction consistent with the governing legal entity and client contractual requirements. Data location is not just an operational decision — it is a legal and contractual obligation. The world control plane must surface data residency information transparently and the infrastructure must enforce residency constraints.

What We Are NOT Protecting (at this stage)

We do not hold payment card data, personal health records, classified government material, or biometric data. Our primary inputs are regulatory frameworks (public documents) and business registration data (publicly available from government registries). The sensitivity is in the processing logic and the compliance outputs, not in the raw source data.


Section 2 — Framework Alignment

UCCA does not claim certification against any of these frameworks today. What we claim is architectural awareness — our security posture is designed with these frameworks in mind, our controls map to their requirements, and our roadmap prioritises closing gaps against them. This section is a living self-assessment, not a compliance certificate.

Australian (Home Jurisdiction)

Essential Eight (ASD/ACSC) — The Australian Signals Directorate's baseline mitigation strategies. Current self-assessed maturity:

| Mitigation Strategy | Maturity | Notes |
|---|---|---|
| Application control | Level 1 | All compute on Cloudflare Workers, no user-installable code paths |
| Patch applications | Level 1 | Zero self-managed servers. npm dependencies manually reviewed |
| MS Office macros | N/A | No Office documents processed |
| User application hardening | Level 1 | CSP headers blocking inline scripts and external resources |
| Restrict admin privileges | Level 1 | Single admin account, scoped API tokens, Cloudflare Access OTP |
| Patch operating systems | N/A | No self-managed OS. Cloudflare manages compute layer |
| Multi-factor authentication | Level 1 | Google Workspace MFA, Cloudflare Access on internal surfaces |
| Regular backups | Level 1 | Daily D1/KV export to Google Drive via rclone. See Backup Strategy. |

ISM (Information Security Manual) — Referenced for data classification guidance. Our four-level system (PUBLIC, INTERNAL, RESTRICTED, CONTROLLED) is informed by ISM protective markings.

Privacy Act 1988 — Applicable to personal information collected through RTOpacks or future Australian worlds. Currently minimal personal data collection — RTO business data sourced from public government registries.

New Zealand

NZISM, Privacy Act 2020, and Protective Security Requirements (PSR). Noted for future alignment when NZ world is established. NZQA vocational standards are a candidate second world.

International

ISO 27001 — Our control structure maps to ISO 27001 domains without maintaining a formal ISMS. Key alignments: asset management (Terraform), access control (Cloudflare Access, scoped tokens), cryptography (TLS 1.3, post-quantum key exchange), operations security (ops console), communications security (Grade A headers).

SOC 2 Type II — Operational posture generates evidence against SOC 2 trust service criteria: Security (headers, access control), Availability (status page, health monitoring), Processing Integrity (deterministic engine, immutable provenance), Confidentiality (world data isolation). Formal audit targeted when first enterprise client is contracted.

United States

NIST Cybersecurity Framework — Architecture maps to five functions: Identify (Terraform), Protect (security headers, access control, TLS), Detect (health checks, monitoring, analytics), Respond (incident.io, status page), Recover (Terraform rebuild from declared state).

FedRAMP / CMMC — Noted for future alignment with US government or defence supply chain clients. Current architecture does not meet FedRAMP data residency requirements — compute runs on Cloudflare's global edge without region pinning.

European Union

GDPR — Applicable when EU data subjects interact with a UCCA world. Per-world database isolation supports data subject rights (access, deletion, portability) at the world level.

NIS2 Directive — Relevant if UCCA services organisations classified as essential or important entities. Our security posture becomes part of their supply chain risk assessment.

EU AI Act — The deterministic processing engine is not classified as AI under the Act. The future cross-LLM validation layer would fall under the Act's provisions. The architectural separation between deterministic engine and LLM analysis layer is a deliberate compliance design decision.

APAC

Singapore PDPA and China PIPL noted for awareness. No current operations in these jurisdictions.

Sector-Specific

  • Defence: ITAR (US), DISP (Australia), NATO standards
  • Healthcare: HIPAA (US), My Health Records Act (Australia)
  • Aviation: ICAO standards, CASA regulatory framework
  • Nuclear: ARPANSA, IAEA

Section 3 — Trust Boundaries

A trust boundary is where control or authority changes hands. Every trust boundary is a potential attack surface.

Boundary 1 — UCCA to Cloudflare

The most fundamental dependency. Cloudflare controls compute runtime, DNS resolution, SSL termination, database hosting, object storage, and edge network.

What we don't control: Cloudflare employee access to the Workers runtime, D1 data at rest and R2 objects, and certificate issuance.

Mitigation: Portability architecture. Workers are standard JavaScript, D1 is SQLite, R2 is S3-compatible. Terraform declares everything for rebuild on alternative infrastructure.

Risk acceptance: We accept this dependency as reasonable. Same dependency every AWS/GCP/Azure customer accepts.

Boundary 2 — UCCA to Third-Party Services

Each external integration is a trust boundary with a third party:

GitHub — Holds source code. Compromise means code exposure, malicious commits, deployment pipeline access. Mitigation: gh CLI OAuth token (no expiry, revocable), HTTPS only, macOS Keychain via osxkeychain credential helper. Personal account with 2FA enabled.

incident.io / Slack — Incident communication. Low sensitivity — no proprietary data flows through these. Compromise allows false status updates (reputational damage, not data loss).

Twilio (Communications Infrastructure) — Handles voice communications for UCCA Inc via US number +1-302-300-3336 (Delaware). Twilio Studio flow handles inbound voice (voicemail → email via Gmail OAuth2). Twilio Functions service hosts 3 serverless functions. Setup performed January 2026.

Compromise impact: Attacker can intercept business calls, send SMS as UCCA, access call logs and recordings, use the number for social engineering against clients, and run up charges. Medium-High sensitivity.

Current controls: Account audited 2026-03-05. Account SID and Auth Token documented in External Services registry. SMTP dead code removed. Personal caller ID removed. SMS webhook cleared. No API keys beyond master credentials. Single operator access. Remaining gap: Not in Terraform (provider is pilot-status, deferred).

training.gov.au / ABN Lookup — Public government data APIs for RTO enrichment. Read-only, no sensitive data sent. ABN Lookup authenticates via GUID (stored as Worker secret). Compromise impact: Low — attacker could exhaust API quota or return poisoned data. Mitigation: Data is supplementary enrichment, not authoritative for compliance decisions.

Google Workspace — CROWN JEWEL. admin@ucca.online is the identity root. Compromise cascades to: Cloudflare dashboard, Slack, incident.io, email (OTP interception), GitHub. Single highest-value credential in the organisation.

Boundary 3 — UCCA Ops to World Control Plane

UCCA ops has SU access into any world. World admin cannot see ops or other worlds. For external clients, SU access must be auditable — every access logged with timestamp, identity, action, and justification.

Boundary 4 — World Admin to Client

World admin manages their world and its clients. Clients see only their own records. Trust governed by world's terms of service and governing entity's privacy obligations. Architecture enforces client isolation within a world.

Boundary 5 — Deterministic Engine to LLM Layer

Critical boundary when cross-LLM validation is introduced. LLM outputs must never alter deterministic engine outputs. The LLM layer reads from the engine, never writes to it. This separation is both architectural and regulatory (EU AI Act).

Boundary 6 — Public Internet to UCCA Surfaces

  • ucca.online — Low impact. Marketing content, no data.
  • api.ucca.online — Low currently, critical when engine API is live.
  • rtopacks.com.au — Medium. Search accepts user input. Enrichment processes external data.
  • ops/docs/knowledge — Behind Cloudflare Access. Not publicly accessible.

Section 4 — Attack Surfaces

Public Endpoints (No Authentication)

| Surface | Exposure | Impact | Notes |
|---|---|---|---|
| ucca.online | High | Low | Marketing. CSP, Grade A headers. No user data. |
| rtopacks.com.au | High | Medium | Search accepts input. No rate limiting. No CAPTCHA. Database enumerable. |
| api.ucca.online | High | Low* | Static JSON now. *Critical when engine API is live. |
| status.ucca.online | High | None | Hosted by incident.io. Not our infrastructure. |

Authenticated Endpoints (Cloudflare Access)

| Surface | Exposure | Impact | Notes |
|---|---|---|---|
| ops.ucca.online | Low | Critical | Full platform visibility. No IP restriction. No session timeout documented. |
| docs/knowledge | Low | Medium | Architecture docs and threat model. Adversary gains understanding of controls. |

Infrastructure Credentials

| Credential | Impact | Current Controls & Gaps |
|---|---|---|
| admin@ucca.online | Critical | Crown jewel. Cascades to all services. MFA only, no hardware key, no break-glass. |
| Cloudflare dashboard | Critical | Via Google OAuth. No separate credentials. |
| ucca-terraform token | High | Scoped permissions, .tfvars (gitignored). On local filesystem. |
| GitHub OAuth token | High | gh CLI OAuth token (gho_ prefix). No expiry. Stored in macOS Keychain. Revocable via gh auth logout or GitHub dashboard. |
| Worker secrets | Medium-High | CF_API_TOKEN, GMAIL credentials, ENRICH_SECRET. In Worker secrets, not in code. |
| Twilio credentials | Medium-High | Account SID and Auth Token documented in External Services registry. Audited 2026-03-05. Voice number +1-302-300-3336. |
| Mac Mini | Critical | Contains ALL credentials, code, state. FileVault. No device security policy documented. |

Section 5 — Adversarial Scenarios

Scenario 1 — Opportunistic Scanner

Who: Automated bots, script kiddies, mass vulnerability scanners.

Likelihood: Certain. Happening now.

Approach: Port scanning, path enumeration, automated injection, credential stuffing.

Residual risk: Low. Architecture inherently resistant — no traditional server to compromise.

Scenario 2 — Data Scraper / Competitor

Who: Competitor wanting to replicate RTOpacks enriched RTO database.

Approach: Automated search queries to enumerate every RTO record.

Residual risk: Medium. No rate limiting. Raw data is public but enrichment adds commercial value.

Scenario 3 — Credential Compromise

Who: Targeted attacker, phishing campaign, or malware on development machine.

Approach: Phish admin@ucca.online. Compromise Mac Mini. Intercept Cloudflare Access OTP via email compromise.

Residual risk: High. Single identity root. MFA is the only barrier. No hardware key. Total compromise from one credential.

Scenario 4 — Supply Chain Attack

Who: Compromised npm package or malicious dependency.

Approach: Inject code via dependency that runs in Worker with access to D1, R2, KV, and secrets.

Residual risk: Medium. Dependencies not audited or pinned. Worker bindings limit blast radius per-Worker.

Scenario 5 — Insider Threat

Who: Alex, Jimmy, or future team member with legitimate access.

Residual risk: Low currently. Single operator. Increases with team expansion. No code review process, no branch protection.

Scenario 6 — Targeted Attack on World Client

Who: Adversary targeting a UCCA world client's data, not the platform.

Residual risk: Depends on world. Low for RTOpacks (public data). Critical for future defence/healthcare worlds.


Section 6 — Current Controls

Network and Transport

TLS 1.3 enforced. Post-quantum key exchange (X25519MLKEM768). HTTP to HTTPS redirect. HSTS with preload. Certificate management by Cloudflare with CAA records.

Assessment: Strong. Standardise HSTS duration across all surfaces.

Application Security

CSP with zero external origins on public surfaces. Self-hosted fonts. X-Frame-Options DENY. Permissions-Policy disabling 13 browser features. Full header suite.

Assessment: Strong on public surfaces. Internal surface gaps being closed.
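A header audit for the controls listed under Network and Transport and Application Security (CSP with no external origins, X-Frame-Options DENY, HSTS with preload, Permissions-Policy), written so it could run as an ops health check and catch the HSTS inconsistency the assessment flags. This is an added example, not UCCA's own code; the header sets are constructed, and the one-year HSTS floor is the preload list's requirement, not a UCCA-specific value.

```javascript
// Added example, not UCCA's own code: audits one surface's response headers
// against the controls above (CSP with no external origins, X-Frame-Options
// DENY, HSTS with preload, Permissions-Policy present) and returns findings,
// so it can run as an ops health check. Sample header sets are constructed;
// the one-year HSTS floor is what the preload list requires, not a UCCA value.
const ONE_YEAR = 31_536_000;

// Parse "directive src src; directive ..." into { directive: [sources] }.
function parseCsp(value) {
  const out = {};
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) out[name.toLowerCase()] = sources;
  }
  return out;
}

// Anything but 'self', 'none', a nonce, a hash or data: is flagged, which
// catches external hosts, wildcards and 'unsafe-inline' alike.
function disallowedSources(csp) {
  const ok = /^('self'|'none'|'nonce-[^']+'|'sha(256|384|512)-[^']+'|data:)$/;
  const found = [];
  for (const [directive, sources] of Object.entries(csp)) {
    for (const s of sources) if (!ok.test(s)) found.push(`${directive} ${s}`);
  }
  return found;
}

// headers: plain object keyed by lowercase header name. An empty list is a pass.
function auditHeaders(headers) {
  const get = name => headers[name.toLowerCase()];
  const findings = [];
  const csp = get('content-security-policy');
  if (!csp) findings.push('CSP missing');
  else for (const s of disallowedSources(parseCsp(csp))) findings.push(`CSP source outside allow-list: ${s}`);
  const hsts = get('strict-transport-security') ?? '';
  const maxAge = Number(/max-age=(\d+)/i.exec(hsts)?.[1] ?? 0);
  if (maxAge < ONE_YEAR) findings.push(`HSTS max-age ${maxAge} below one year`);
  if (!/\bincludeSubDomains\b/i.test(hsts)) findings.push('HSTS includeSubDomains missing');
  if (!/\bpreload\b/i.test(hsts)) findings.push('HSTS preload missing');
  if ((get('x-frame-options') ?? '').toUpperCase() !== 'DENY') findings.push('X-Frame-Options is not DENY');
  if ((get('x-content-type-options') ?? '').toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options missing');
  if (!get('permissions-policy')) findings.push('Permissions-Policy missing');
  return findings;
}

// Constructed samples: a hardened public surface and one that has regressed.
const HARDENED = {
  'content-security-policy': "default-src 'none'; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:; frame-ancestors 'none'; base-uri 'self'",
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'x-frame-options': 'DENY',
  'x-content-type-options': 'nosniff',
  'permissions-policy': 'camera=(), microphone=(), geolocation=()',
};
const REGRESSED = {
  ...HARDENED,
  'content-security-policy': "default-src 'self'; script-src 'self' https://cdn.example.net 'unsafe-inline'",
  'strict-transport-security': 'max-age=86400',
};
```

Running the same audit against every surface and comparing the HSTS values it extracts is the direct check for the "standardise HSTS duration" action.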

Authentication and Access Control

Cloudflare Access email OTP on internal surfaces. Google Workspace MFA. Scoped API tokens. Worker secrets for sensitive values.

Assessment: Functional but fragile. Single identity root. No hardware keys. No break-glass. Must harden before team expansion.

Infrastructure as Code

Terraform declares 120+ Cloudflare resources with zero drift. State tracked in git. Infrastructure rebuildable from declarations.

Assessment: Strong. Ahead of most organisations at this stage.

Monitoring and Observability

Ops console with live health checks. Cloudflare platform monitoring. Traffic analytics with historical storage. incident.io status page.

Assessment: Good detection, weak alerting. No automated notification. No after-hours monitoring.

Data Protection

Per-world database isolation. Data classification system (PUBLIC, INTERNAL, RESTRICTED, CONTROLLED). UCCA fingerprinting restricted to internal surfaces.

Assessment: Architecture sound. Independent backup implemented (D1/KV to Google Drive, daily). 90-day manual retention. No DSAR procedure yet.

Code and Deployment Security

Private GitHub repos. Deployment via wrangler from local machine. No CI/CD pipeline. No branch protection. No dependency auditing.

Assessment: Acceptable for single operator. Significant gaps when team expands.

Incident Response

incident.io with public status page. Security.txt with PGP key. Threat model (this document) in progress.

Assessment: Framework exists, not tested. No runbooks. No tabletop exercises. No regulatory notification procedure.

Communications Infrastructure

Twilio account with US voice number +1-302-300-3336 (Delaware area code, aligned with UCCA Inc jurisdiction). Twilio Studio flow configured for inbound voice handling with voicemail-to-email via Gmail OAuth2. Functions service hosts 3 serverless endpoints. Setup performed January 2026 with Alex.

Assessment: Audited 2026-03-05. Account renamed to "UCCA Inc", credentials documented in External Services registry, dead SMTP code removed, personal caller ID removed, SMS webhook cleared. Not yet in Terraform (provider pilot-status, deferred). Not yet monitored in ops. Remaining gap: add to ops health checks.


Section 7 — Known Gaps and Roadmap

Honest accounting of what is missing, prioritised by risk.

Priority 1 — Critical (30 days)

~~Backup Strategy~~ — ✅ CLOSED 2026-03-06. Daily backup implemented: D1 databases (ops-db, rtopacks-db) and KV namespace (LEADS) exported via wrangler, compressed, and uploaded to Google Drive via rclone. Automated via launchd at 03:00 AEST. Verification and restore scripts included. See Backup Strategy. Remaining: Migrate to AWS S3 when startup credits are approved. Add R2 backup when rtopacks-media bucket is in use.

Break-Glass Procedure — If admin@ucca.online is compromised or locked out, there is no recovery path. Action: Create secondary admin (security@ucca.online) with independent MFA. Document emergency procedures. Store recovery codes in physical safe.

~~GitHub Security Audit~~ — ✅ CLOSED 2026-03-05. Full audit completed. Corrected to personal account (not org), 2FA confirmed, Builder.io webhook removed, Dependabot enabled, unused PAT deleted. See GitHub Security Audit. Remaining: Migrate to GitHub organisation before adding collaborators.

~~Twilio Audit and Onboarding~~ — ✅ CLOSED 2026-03-05. Account audited, renamed to "UCCA Inc", credentials documented in External Services registry, SMTP dead code removed, personal caller ID removed, SMS webhook cleared. Terraform deferred (provider pilot-status). Remaining: Add Twilio health check to ops monitoring.

Priority 2 — High (90 days)

Rate Limiting on RTOpacks Search — Search interface can enumerate entire RTO database. Action: Rate limiting per IP, CAPTCHA for high-volume, API key for programmatic access.
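The per-IP part of that action, as an added example that is not RTOpacks code: a sliding-window limiter for the search endpoint, a Worker-style handler that answers 429 with Retry-After, and a run of the Scenario 2 enumeration burst against it. It assumes an in-memory Map standing in for a Durable Object; the 30-per-60-seconds limit and the 203.0.113.x client addresses are constructed placeholders.

```javascript
// Added example, not RTOpacks code: per-client sliding-window rate limiter
// for the search endpoint plus a Worker-style handler that answers 429.
// Assumptions: the Map stands in for a Durable Object (per-IP counters need
// strong consistency, which KV does not provide); the 30 searches per 60 s
// limit and the 203.0.113.x client addresses are constructed placeholders.
class SlidingWindowLimiter {
  constructor({ max = 30, windowMs = 60_000 } = {}, now = () => Date.now()) {
    this.max = max; this.windowMs = windowMs; this.now = now;
    this.hits = new Map();      // key -> request timestamps inside the window
  }
  // One request from `key` (e.g. client IP): allowed if fewer than `max`
  // requests fall inside the trailing window; otherwise report when to retry.
  check(key) {
    const t = this.now();
    const recent = (this.hits.get(key) ?? []).filter(ts => t - ts < this.windowMs);
    if (recent.length >= this.max) {
      this.hits.set(key, recent);
      return { allowed: false, retryAfterMs: recent[0] + this.windowMs - t };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, retryAfterMs: 0 };
  }
}

// Worker-style handler: key on CF-Connecting-IP (set by Cloudflare at the edge,
// not by the client) and reject excess with 429 plus a Retry-After hint.
function handleSearch(request, limiter, runSearch) {
  const ip = request.headers.get('CF-Connecting-IP') ?? 'unknown';
  const { allowed, retryAfterMs } = limiter.check(ip);
  if (!allowed) {
    return new Response('Too Many Requests', {
      status: 429, headers: { 'Retry-After': String(Math.ceil(retryAfterMs / 1000)) },
    });
  }
  return runSearch(request);
}

// Constructed Scenario 2 run: one client fires 100 enumeration queries 50 ms
// apart, a second client makes one query, then the first client returns after
// the oldest of its requests has aged out of the window.
function simulateEnumeration() {
  let clock = 0;
  const limiter = new SlidingWindowLimiter({ max: 30, windowMs: 60_000 }, () => clock);
  let allowed = 0, blocked = 0, firstRetryAfterMs = null;
  for (let i = 0; i < 100; i++) {
    clock = i * 50;
    const r = limiter.check('203.0.113.10');
    if (r.allowed) allowed++; else { blocked++; firstRetryAfterMs ??= r.retryAfterMs; }
  }
  const otherClient = limiter.check('203.0.113.11').allowed;   // unaffected by the burst
  clock = 60_000;                                              // the t=0 request has expired
  const afterWindow = limiter.check('203.0.113.10').allowed;
  return { allowed, blocked, firstRetryAfterMs, otherClient, afterWindow };
}
```

Worker isolates do not share memory, so in production the Map has to live in a Durable Object (or the per-IP limit be expressed as a Cloudflare rate limiting rule at the edge); the handler is where the API-key tier for programmatic access would be checked before the IP limit.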

Automated Alerting — No notification when surfaces go down outside business hours. Action: Connect health checks to alerting channel.

Dependency Auditing — npm dependencies never audited. Action: npm audit, dependabot or equivalent, pin critical dependencies.

Incident Response Runbooks — No documented procedures. Action: Write runbooks for credential compromise, surface outage, data breach notification (AU and US), DNS hijacking, supply chain compromise.

Priority 3 — Medium (180 days)

Hardware Security Keys — admin@ucca.online protected by software MFA only. Action: YubiKey or equivalent for admin and Cloudflare dashboard.

Service Account Separation — Single admin account for all services. Action: Purpose-specific service accounts to reduce blast radius.

Data Retention Policy — No defined retention periods. Action: Define aligned with legal entity obligations. Implement automated purging.

SOC 2 Preparation. Action: Engage auditor for gap assessment when first enterprise client is contracted.

Priority 4 — Lower (12 months)

  • Branch protection and PR reviews — before team expansion
  • Penetration testing — when engine API is live
  • ISO 27001 alignment — when scale justifies
  • FedRAMP / CMMC readiness — when US defence world is in discussion

Section 8 — Scope Exclusions

What we explicitly do not defend against and why.

  • Nation-state actors with Cloudflare-level access. If a state actor compromises Cloudflare infrastructure, our controls are ineffective. Same risk every cloud customer accepts.
  • Zero-day exploits in V8 JavaScript engine. Cloudflare Workers run on V8. Cloudflare's responsibility to patch. Portability to alternative runtime is our mitigation.
  • Physical theft with coerced unlock. FileVault protects against casual theft, not coercion. Physical security concern outside information security scope.
  • DDoS against Cloudflare's network. Cloudflare's entire business is DDoS mitigation. We inherit their protection.
  • Social engineering of Cloudflare support. Limited mitigation. Strong account authentication and monitoring for suspicious activity.

Version History

| Version | Date | Change | Author |
|---|---|---|---|
| 1.0 | 2026-03-03 | Initial creation — complete threat model | Tim Rignold / Claude |
| 1.1 | 2026-03-03 | Added Twilio communications infrastructure as unaudited asset | Tim Rignold / Claude |
| 1.2 | 2026-03-05 | Updated Twilio assessment — audit complete, gaps closed, Priority 1 item resolved | Claude Code |
| 1.3 | 2026-03-05 | GitHub auth corrected to gh OAuth token, unused PAT removed, GitHub audit finding closed | Claude Code |
| 1.4 | 2026-03-06 | Backup Strategy gap closed — D1/KV daily backup to Google Drive implemented | Claude Code |
| 1.5 | 2026-03-03 | Added training.gov.au and ABN Lookup as external data source trust boundaries | Claude Code |