M1: Complete all specification documents (kiro standards)

Completed comprehensive spec-driven documentation:
- SPEC.md (222 lines): Project scope, objectives, constraints
- ARCHITECTURE.md (290 lines): System design, components, data flow
- REQUIREMENTS.md (168 lines): Functional & non-functional requirements
- API_SPEC.md (556 lines): 15 API endpoints with schemas
- SECURITY.md (188 lines): STRIDE threat model, security controls
- ROADMAP.md (203 lines): 5 phases, 8 milestones, risk register

Total: 1,627 lines of specification documentation

Milestone M1 complete - Ready for Phase 0 (Rust scaffolding)

SECURITY.md

@@ -1,61 +1,189 @@
 # Linux_Patch_API - Security Specification Document
 
 ## Security Overview
-[Describe security philosophy and approach]
 
-## Threat Model
-### Identified Threats
-[List potential threats to the system]
+**Philosophy:** Defense in depth with zero-trust principles for internal network.
 
-### Attack Vectors
-[Describe potential attack vectors]
-
-## Authentication & Authorization
-### Authentication Requirements
-- Method: [TBD]
-- Multi-factor: [TBD]
-- Session Management: [TBD]
-
-### Authorization Model
-- RBAC/ABAC: [TBD]
-- Permission Levels: [TBD]
-
-## Data Security
-### Encryption at Rest
-[Encryption standards for stored data]
-
-### Encryption in Transit
-[TLS/SSL requirements]
-
-### Key Management
-[Key storage and rotation policies]
-
-## API Security
-### Input Validation
-[Input sanitization requirements]
-
-### Rate Limiting
-[DoS prevention measures]
-
-### CORS Policy
-[Cross-origin resource sharing rules]
-
-## Audit & Logging
-### Security Events to Log
-[List events requiring audit trails]
-
-### Log Protection
-[Log integrity and access controls]
-
-## Compliance Requirements
-[Regulatory compliance considerations]
-
-## Security Testing
-### Penetration Testing
-[Testing schedule and scope]
-
-### Vulnerability Management
-[Patch and update procedures]
+**Approach:** 
+- mTLS certificate-based authentication (required for all connections)
+- IP whitelist enforcement (deny by default, allow only listed)
+- Comprehensive audit logging for all operations
+- Systemd hardening and process isolation
+- Minimal attack surface (internal network only)
 
 ---
+
+## Threat Model
+
+### Threat Actor Profile
+
+| Attribute | Description |
+|-----------|-------------|
+| **Origin** | Internal network only |
+| **Skill Level** | Moderate to High |
+| **Resources** | Limited (not nation-state) |
+| **Motivation** | Unauthorized system access, privilege escalation |
+| **Access** | Must bypass mTLS + IP whitelist |
+
+### STRIDE Threat Analysis
+
+| Threat Category | Potential Threat | Mitigation | Status |
+|-----------------|------------------|------------|--------|
+| **Spoofing** | Attacker impersonates valid client | mTLS certificate validation, unique certs per client | ✅ Mitigated |
+| **Spoofing** | Attacker uses expired/revoked cert | Certificate expiry validation (1-year max) | ✅ Mitigated |
+| **Tampering** | API requests modified in transit | TLS 1.3 encryption | ✅ Mitigated |
+| **Tampering** | Config files modified unauthorized | File permissions (600/644), config validation before reload | ✅ Mitigated |
+| **Repudiation** | Client denies making request | Audit logging with request_id, client cert ID | ✅ Mitigated |
+| **Repudiation** | Server denies response | Comprehensive audit trail (systemd journal) | ✅ Mitigated |
+| **Information Disclosure** | Package/data info leaked to unauthorized | Silent drop for non-mTLS, IP whitelist | ✅ Mitigated |
+| **Information Disclosure** | Error messages leak system info | Detailed errors only for authenticated clients | ✅ Mitigated |
+| **Denial of Service** | Resource exhaustion via many requests | Internal network only, IP whitelist limits exposure | ⚠️ Partial |
+| **Denial of Service** | Job queue flooding | Configurable concurrent job limit (default: 5) | ✅ Mitigated |
+| **Denial of Service** | Long-running job starvation | 30-minute job timeout enforcement | ✅ Mitigated |
+| **Elevation of Privilege** | Unauthorized package installation | Root required, but mTLS + IP whitelist required | ✅ Mitigated |
+| **Elevation of Privilege** | Subprocess escape | SystemCallFilter, ProtectSystem=strict | ✅ Mitigated |
+
+### Attack Vectors & Mitigations
+
+| Attack Vector | Likelihood | Impact | Mitigation |
+|---------------|------------|--------|------------|
+| Network interception | Low | Critical | TLS 1.3 only, mTLS required |
+| Certificate theft | Medium | Critical | Cert permissions (600), internal CA only |
+| IP spoofing | Low | High | IP whitelist + mTLS (both required) |
+| Config file tampering | Medium | High | File permissions, validation before reload |
+| Package manager injection | Low | Critical | Pluggable backend with input validation |
+| Job manipulation | Low | High | Job storage isolation, exclusive rollback mode |
+| Log tampering | Medium | High | systemd journal (immutable), optional remote syslog |
+
+---
+
+## Authentication & Authorization
+
+### Authentication Requirements
+
+- **Method:** mTLS certificate-based authentication
+- **Certificate Type:** Unique client certificate per client (1-year validity)
+- **CA:** Internal self-hosted Certificate Authority
+- **TLS Version:** TLS 1.3 only
+- **Multi-factor:** Certificate + IP whitelist (dual requirement)
+- **Session Management:** Stateless (no sessions)
+
+### Authorization Model
+
+- **Model:** Binary authorization (all-or-nothing)
+- **Permission Levels:** Single level (full access if authenticated)
+- **Requirements:**
+  - Valid mTLS certificate (not expired, signed by internal CA)
+  - Source IP in whitelist (YAML config, instant apply)
+- **No RBAC:** All authenticated clients have full API access
+
+---
+
+## Data Security
+
+### Encryption at Rest
+
+- **Certificates:** File permissions 600 for private keys
+- **Job Storage:** `/var/lib/linux_patch_api/jobs/` (cleared on restart)
+- **Config Files:** `/etc/linux_patch_api/` (644 for config, 600 for keys)
+- **Audit Logs:** systemd journal (immutable by default)
+
+### Encryption in Transit
+
+- **Protocol:** TLS 1.3 only
+- **Port:** 12443
+- **Cipher Suites:** TLS 1.3 default (no legacy cipher support)
+- **Certificate Validation:** Mutual TLS (server + client cert required)
+
+### Key Management
+
+- **CA Private Key:** Stored securely on CA host only
+- **Server Certificates:** `/etc/linux_patch_api/certs/server.key` (600)
+- **Client Certificates:** Distributed manually to authorized clients
+- **Rotation:** 1-year certificate expiry, manual renewal process
+- **Revocation:** Not implemented (rely on expiry + physical cert retrieval)
+
+---
+
+## API Security
+
+### Input Validation
+
+- **Package Names:** Alphanumeric + standard package chars only
+- **Versions:** Semantic versioning validation
+- **IP Addresses:** IPv4 + CIDR validation for whitelist
+- **JSON Schema:** Strict schema validation for all request bodies
+- **Path Traversal:** Blocked (no `..` in paths)
+
+### Rate Limiting
+
+- **Not Required:** Internal network only with strict IP whitelist
+- **Job Concurrency:** Configurable limit (default: 5 concurrent jobs)
+- **Job Timeout:** 30-minute maximum per job
+
+### CORS Policy
+
+- **Not Applicable:** API is not browser-accessible
+- **Origin:** mTLS clients only (no browser CORS concerns)
+
+---
+
+## Audit & Logging
+
+### Security Events to Log
+
+- All API requests (endpoint, method, timestamp, client cert ID, source IP)
+- Authentication events (success/failure, cert validation result)
+- Authorization events (IP whitelist match/failure)
+- Package operations (package name, version, action, result)
+- Configuration changes (config reload, whitelist updates)
+- Job lifecycle events (create, start, complete, fail, timeout, rollback)
+- Service events (start, stop, restart, config validation failures)
+
+### Log Protection
+
+- **Primary Storage:** systemd journal (immutable, access-controlled)
+- **Secondary Storage:** Optional remote syslog
+- **Fallback:** Local file `/var/log/linux_patch_api/audit.log` (640)
+- **Retention:** 30 days with daily rotation and compression
+- **Access:** Root only, audit group read access
+- **Integrity:** systemd journal provides tamper evidence
+
+---
+
+## Compliance Requirements
+
+- **Internal Standards:** Follows organizational security policies
+- **No External Compliance:** Not designed for PCI-DSS, HIPAA, SOC2 (can be extended)
+- **Audit Trail:** Comprehensive logging supports internal audit requirements
+- **Access Control:** mTLS + IP whitelist provides strong access control
+
+---
+
+## Security Testing
+
+### Penetration Testing
+
+- **Schedule:** Required before production deployment
+- **Scope:**
+  - mTLS authentication bypass attempts
+  - IP whitelist enforcement testing
+  - API endpoint fuzzing
+  - Certificate validation testing
+  - Config file tampering attempts
+  - Privilege escalation attempts
+- **Tester:** Internal security team or external contractor
+- **Frequency:** Annual or after major changes
+
+### Vulnerability Management
+
+- **Dependency Scanning:** Rust crate security advisories monitored
+- **System Patches:** Host system patched via API itself (dogfooding)
+- **Certificate Updates:** Annual renewal process
+- **Config Audits:** Quarterly review of whitelist and security settings
+- **Incident Response:** Log analysis for security event investigation
+
+---
+
+*Following kiro spec-driven development standards*
 *Following kiro spec-driven development standards*