Create THREAT_MODEL.md

THREAT_MODEL.md

@@ -0,0 +1,79 @@
+# Threat Model Appendix
+
+## Threat Modeling Framework
+
+This application follows a **STRIDE-informed but scope-limited** threat model,
+focused on misuse prevention rather than adversarial exploitation.
+
+---
+
+## Identified Threats & Mitigations
+
+### 1. Unauthorized Data Collection
+**Threat:** Automated scraping or bulk harvesting  
+**Mitigation:**  
+- Link-out only architecture  
+- No crawlers or schedulers  
+- No background tasks  
+
+---
+
+### 2. AI Hallucination or Misuse
+**Threat:** AI outputs mistaken for evidence  
+**Mitigation:**  
+- AI disabled by default  
+- Mandatory disclosure footer  
+- Citation-anchored prompts  
+- Integrity hashing  
+
+---
+
+### 3. Surveillance or Profiling
+**Threat:** Use for tracking individuals  
+**Mitigation:**  
+- Public records only  
+- No personal data ingestion  
+- No identity resolution features  
+
+---
+
+### 4. Data Persistence Risk
+**Threat:** Long-term storage of sensitive material  
+**Mitigation:**  
+- In-memory session state only  
+- No databases required  
+- No logs of user queries  
+
+---
+
+### 5. Agency Policy Circumvention
+**Threat:** Bypassing FOIA site controls  
+**Mitigation:**  
+- No automated access  
+- No authentication bypass  
+- User-initiated navigation only  
+
+---
+
+## Out-of-Scope Threats
+
+- Nation-state cyber attacks
+- FOIA content authenticity disputes
+- Agency data completeness or redaction
+
+---
+
+## Residual Risk Assessment
+
+Overall residual risk is **LOW**, given:
+- Public data only
+- No automation
+- No persistence
+- No privileged access
+
+---
+
+## Conclusion
+
+This tool presents materially lower risk than traditional search engines
+or document crawlers due to its intentionally constrained design.