
Add STRIDE threat model and flag insecure default recovery-email secret#1

Merged
dlukt merged 4 commits into main from copilot/generate-threat-model-and-security-sweep
Mar 29, 2026

Conversation

Contributor

Copilot AI commented Mar 29, 2026

This PR adds a full STRIDE-based threat model and OWASP-style security sweep for the Discool codebase, covering assets, trust boundaries, attack surfaces, abuse paths, and ranked findings. It also addresses the lowest-priority finding by surfacing insecure use of the example recovery-email server secret at startup.

  • Threat model + security sweep

    • Added a repository security artifact at _bmad-output/implementation-artifacts/stride-threat-model-2026-03-29.md
    • Documents:
      • key assets and trust boundaries
      • REST, WebSocket, file upload, metrics, P2P, and WebRTC attack surfaces
      • STRIDE threats across app/API/service boundaries
      • abuse paths and OWASP-style findings ranked by severity
      • recommended mitigations for each finding
  • Low-priority remediation

    • Added Config::uses_insecure_default_email_server_secret() to detect when email.server_secret is still set to the public example value
    • Emits a startup warning before normal server initialization continues
    • Clarified config.example.toml so the example secret is explicitly called out as warning-triggering and unsafe for production use
  • Targeted safeguards

    • Added focused config tests for:
      • default config reporting the insecure example secret
      • custom secrets not being flagged

Example of the new guard:

if config.uses_insecure_default_email_server_secret() {
    tracing::warn!(
        "email.server_secret is using the example default; change it before enabling recovery email in production"
    );
}

The ranked findings in the new report call out the main residual risks still worth follow-up: transport security depending on external TLS termination, the current localStorage session model, public /metrics exposure when enabled, the admin auth stub, and the existing frontend dependency advisory.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • stun.l.google.com (dns block)
    • Triggering command: /home/REDACTED/work/discool/discool/server/target/debug/deps/discool_server-e99f972a8d89f01a …
    • Triggering command: /home/REDACTED/work/discool/discool/server/target/debug/discool-server …
    • Triggering command: /home/REDACTED/work/discool/discool/server/target/debug/discool-server …

If you need me to access, download, or install something from one of these locations, you can either:
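
The startup guard this PR describes, modelled as a self-contained Rust example. This is added illustration, not the discool project's code: the `Config`/`EmailConfig` structs, the `enabled` flag, the `EXAMPLE_EMAIL_SERVER_SECRET` placeholder value, the `[email]` key names and the minimal TOML-subset parser are all assumptions made for the example. It goes one step beyond the PR's warn-only behaviour by refusing to start when recovery email is actually enabled with the example secret, which is the check a practitioner would want because a single warn line is easy to miss in production logs.

```rust
// Added example (not the discool project's own code). All identifiers and
// the placeholder secret value below are assumptions for illustration.

/// The public placeholder shipped in the example config (assumed value).
/// Because it is public, a plain equality check is the right test here;
/// constant-time comparison only matters for secrets that are themselves secret.
pub const EXAMPLE_EMAIL_SERVER_SECRET: &str = "change-me-example-secret";

#[derive(Debug, Clone, PartialEq)]
pub struct EmailConfig {
    /// Whether recovery email is switched on (assumed key: email.enabled).
    pub enabled: bool,
    /// Secret used to protect recovery-email material (key: email.server_secret).
    pub server_secret: String,
}

#[derive(Debug, Clone, PartialEq)]
pub struct Config {
    pub email: EmailConfig,
}

/// Outcome of the startup policy: continue, continue with a warning, or stop.
#[derive(Debug, PartialEq)]
pub enum StartupCheck {
    Ok,
    Warn(String),
    Refuse(String),
}

impl Config {
    /// Parse the tiny TOML subset this example needs: an `[email]` table with
    /// `enabled = true|false` and `server_secret = "..."`. Lines starting with
    /// `#` (or trailing `# ...`) are comments; `#` inside a quoted value is not
    /// supported by this toy parser.
    pub fn parse(text: &str) -> Result<Config, String> {
        let mut section = String::new();
        let mut enabled = false;
        let mut server_secret: Option<String> = None;

        for raw in text.lines() {
            let line = raw.split('#').next().unwrap_or("").trim();
            if line.is_empty() {
                continue;
            }
            if line.starts_with('[') && line.ends_with(']') {
                section = line[1..line.len() - 1].trim().to_string();
                continue;
            }
            let (key, value) = line
                .split_once('=')
                .ok_or_else(|| format!("malformed line: {raw}"))?;
            if section != "email" {
                continue; // other tables are ignored by this example
            }
            match key.trim() {
                "enabled" => enabled = value.trim() == "true",
                "server_secret" => {
                    server_secret = Some(value.trim().trim_matches('"').to_string())
                }
                _ => {}
            }
        }

        let server_secret = server_secret.ok_or("email.server_secret is required")?;
        Ok(Config { email: EmailConfig { enabled, server_secret } })
    }

    /// True when the operator never replaced the example placeholder.
    pub fn uses_insecure_default_email_server_secret(&self) -> bool {
        self.email.server_secret == EXAMPLE_EMAIL_SERVER_SECRET
    }

    /// Startup policy. Warn when the placeholder is present but the feature is
    /// off; refuse to start (fail closed) when recovery email is enabled with it.
    pub fn startup_check(&self) -> StartupCheck {
        if !self.uses_insecure_default_email_server_secret() {
            return StartupCheck::Ok;
        }
        let msg = "email.server_secret is using the example default; \
                   change it before enabling recovery email in production"
            .to_string();
        if self.email.enabled {
            StartupCheck::Refuse(msg)
        } else {
            StartupCheck::Warn(msg)
        }
    }
}

fn main() {
    // Constructed sample config for the demo, not taken from the repository.
    let sample = "[email]\nenabled = true\nserver_secret = \"change-me-example-secret\" # placeholder\n";
    let cfg = Config::parse(sample).expect("config should parse");
    match cfg.startup_check() {
        StartupCheck::Ok => eprintln!("email secret ok"),
        StartupCheck::Warn(m) => eprintln!("WARN: {m}"),
        StartupCheck::Refuse(m) => {
            eprintln!("ERROR: {m}");
            std::process::exit(1);
        }
    }
}
```

Running the block as written exits non-zero, because the constructed sample both enables recovery email and keeps the placeholder; change either line and it proceeds with a warning or silently.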



@dlukt dlukt marked this pull request as ready for review March 29, 2026 10:23
Copilot AI review requested due to automatic review settings March 29, 2026 10:23
Contributor

Copilot AI left a comment


Pull request overview

Adds a small runtime safeguard and supporting documentation to help operators avoid deploying with a known-default recovery-email encryption secret, alongside a STRIDE/OWASP security write-up.

Changes:

  • Emit a startup warning when email.server_secret is still set to the example default.
  • Centralize the default secret string in config settings and add unit tests for the detection helper.
  • Clarify the example config comment and add a STRIDE threat model / OWASP sweep artifact.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

Files reviewed:

  • server/src/main.rs: logs a warning at startup when the email server secret is left at the example default.
  • server/src/config/settings.rs: adds a helper + constant for detecting the example default secret and tests it.
  • config.example.toml: documents that leaving the example secret triggers a startup warning.
  • _bmad-output/implementation-artifacts/stride-threat-model-2026-03-29.md: adds STRIDE threat model + OWASP-style findings and mitigations summary.

Agent-Logs-Url: https://github.com/dlukt/discool/sessions/31860015-a9ca-4c61-968d-ebd0bb908190

Co-authored-by: dlukt <201112286+dlukt@users.noreply.github.com>
Copilot AI changed the title [WIP] Generate threat model with OWASP security findings Add STRIDE threat model and flag insecure default recovery-email secret Mar 29, 2026
Copilot AI requested a review from dlukt March 29, 2026 10:26
…-03-29.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@dlukt dlukt merged commit 32e0f21 into main Mar 29, 2026
2 checks passed
3 participants