| TM-001 | External attacker or low-privilege authenticated user | At least one public function or manual-auth path misses complete org/role enforcement. Service-role DB client is reachable in handler logic. | Invoke edge function path to read/mutate data for another tenant using crafted org IDs. | Cross-tenant confidentiality and integrity breach; potential PHI disclosure. | PHI/PII, tenant boundary state, audit trust. | RLS baseline + org checks exist (verifyOrgAccess, verifyOrgRole) and many handlers explicitly filter by organization_id (supabase/functions/_shared/auth.ts, supabase/functions/telehealth-create-session/index.ts). | verify_jwt = false is broad in config, and control correctness is distributed per function. Manual consistency risk is high. | Add centralized middleware enforcing org context + role checks for all non-webhook verify_jwt=false functions; add static policy audit that blocks deploy when required checks are absent. | Alert on denied-org access spikes and anomalous cross-org lookup attempts; log normalized caller org + requested org for all privileged handlers. | Medium | High | high |
| TM-002 | External attacker, replay attacker, or compromised webhook sender | Access to valid payload/signature pair or weak replay window controls. | Replay or forge webhook events to trigger duplicate or stale state transitions. | Financial/telephony/background-check workflow corruption and potential unauthorized processing. | Financial records, call/message records, HR screening states, audit logs. | Signature validation is implemented in multiple handlers (verifyWebhookSignature, computeCheckrSignature, verifySignature, verifyPlaidWebhook) with timing-safe comparisons in key paths. | Replay resistance is not uniformly explicit (nonce/timestamp cache not consistently evident across all webhook handlers). | Enforce per-provider replay controls (timestamp tolerance + event-id dedupe store + idempotency TTL) as shared library used by all webhook handlers. | Monitor duplicate provider event IDs and signature-fail rates by endpoint; alert on unusual re-delivery bursts. | Medium | High | high |
| TM-003 | External attacker with leaked secret | Service-role key compromise via environment leak, logging, or operational mistake. | Use service-role key as Bearer token where validateAuth allows internal service shortcut. | Broad authorization bypass at edge layer where additional checks are absent; high blast radius. | Service credentials, tenant boundaries, PHI/PII. | validateAuth verifies JWT and supports service-role internal mode; many handlers still perform explicit org lookups (supabase/functions/_shared/auth.ts, supabase/functions/ai-skill-execute/index.ts). | Service-role shortcut expands blast radius if key leaks; key use is binary and powerful. | Remove Bearer service-role shortcut for internet-facing routes; require mTLS/internal network assertion or dedicated signed internal token with narrow claims. | Alert on any request authenticated as service-role outside approved internal origins/functions; continuous secret scanning and rotation telemetry. | Low | High | high |
| TM-004 | Authenticated insider or compromised tenant account | Valid user access to AI skill endpoint and skill/tool availability. | Submit PHI-rich prompts or extraction prompts that pass to external provider/tool path, including fallback provider. | PHI confidentiality risk, policy/regulatory exposure, unintended data disclosure. | PHI-containing prompts, AI outputs, tool-accessible data sets. | Auth + org resolution + usage logging + PHI detection warning are present (validateAuth, detectPHI, logUsage) and fallback path is explicit (callOpenRouterFallback). | PHI detection appears advisory (warn/log) rather than hard block/redaction; provider fallback may expand data egress surface. | Add enforceable PHI policy gate (block/redact before external provider call), skill-level data classification controls, and explicit allow/deny matrix for tool categories by role. | Monitor PHI-detection hit rates, provider-fallback usage, and high-volume extraction-like prompt patterns per user/org. | Medium | High | high |
| TM-005 | Authenticated attacker with org foothold or header spoofing attempt | Access to a credential-brokerage endpoint and ability to manipulate request context. | Abuse an org-scoped credential/token brokerage path to mint or use credentials for unauthorized actions or data pulls. | Sensitive data exposure and integrity compromise for the brokered integration. | Integration tokens, brokered session tokens, HR data. | Org access checks and server-side credential handling exist for credential brokerage paths (checkr-session-token org access checks). | Trust in forwarded headers can be fragile if edge/network trust boundaries are misconfigured; token misuse detection unclear. | Enforce strict trusted-proxy CIDR validation + signed internal forwarding headers; add per-user action authorization checks before brokering. | Alert on anomalous IP/header patterns, repeated token-mint failures, and unusual brokered API call volume by org/user. | Medium | High | high |
| TM-006 | External attacker or message spoofing actor | Access to SMS callback routes and ability to craft provider-like payload patterns. | Trigger inbound/status processing to manipulate consent or communication records. | Compliance risk (TCPA/workflow), incorrect outreach state, data integrity loss. | SMS consent state, message delivery records, partner/contact linkage. | RingCentral subscription-token validation and opt-out keyword handling exist (sms-webhook). | Replay/idempotency not clearly universal across callback processing. | Require mandatory provider auth artifact per request; add idempotent message/event key enforcement. | Alert on opt-out spikes, unknown payload rates, and callback format anomalies. | Medium | Medium | medium |
| TM-007 | Supply-chain attacker or compromised dependency ecosystem | Ability to influence dependency source or CI execution path. | Introduce malicious package/action behavior to alter build outputs. | Platform-wide integrity compromise and downstream tenant impact. | Build artifacts, deployed SPA/function bundles, secrets in CI context. | CI enforces format/type/lint/tests/RLS/build smoke (.github/workflows/build.yml); dependency install uses lockfile (npm ci). | Workflow actions are pinned to version tags, not immutable SHAs; provenance/attestation checks are not explicit. | Pin GitHub Actions by commit SHA, enable dependency provenance verification, and require CODEOWNERS approval for workflow/lockfile changes. | Alert on workflow-file modifications, unexpected lockfile churn, and unusual CI network egress during install/build. | Medium | High | high |
| TM-008 | External botnet / opportunistic DoS actor | Public endpoint discoverability and no effective upstream rate limiting. | Flood public edge functions and expensive verification/API paths. | Reduced availability, delayed workflows, retry storms from providers. | Edge compute budget, queue throughput, operational SLAs. | Some functions fail fast on signature/auth errors and return early; CI and docs mention rate-limiting recommendations (docs/security/AUTOMATION_SECURITY.md). | Explicit global per-endpoint rate limiting and backpressure controls are not evident in repo-level runtime code. | Apply gateway-level rate limits + per-provider quotas + circuit breakers on downstream API calls; add bounded queues for webhook processing. | Monitor 4xx/5xx ratio, latency percentiles, and retry storm indicators per function/provider. | Medium | Medium | medium |