STRIDE analysis of Crawdad's zero-knowledge sidecar architecture.
Crawdad is a local sidecar process that sits between AI agents and AI APIs as a transparent proxy. Content is processed in memory and never transmitted. Trust boundaries: the user's machine (trusted), the network (untrusted), external AI APIs (untrusted), retrieved documents and tool outputs (untrusted).
Threat: An attacker impersonates an authorized agent or spoofs the identity of the Crawdad sidecar itself.
Control: Agent identity via Ed25519 key pairs. Each agent registers with a unique ID and public key. API keys are SHA-256 hashed before storage; raw keys are never stored on the server. Device identity is bound to an Ed25519 certificate renewed every 24 hours.
Residual risk: If the host machine is compromised, the attacker can read the local Ed25519 key. Crawdad trusts the host it runs on.
Threat: An attacker modifies the audit log, memory entries, or detection results after the fact.
Control: SHA-256 Merkle-chained audit log. Each entry's hash includes the previous entry's hash, forming a tamper-evident chain. Ed25519 signatures on each entry provide non-repudiation. Memory entries use the same Merkle chain.
Residual risk: An attacker with root access on the host could replace the entire audit database. The chain detects modification of existing entries but not wholesale replacement.
Threat: An agent or user denies that a security-relevant action occurred.
Control: Every firewall decision, policy evaluation, and PII detection is recorded in the immutable audit log with Ed25519 signatures. The /v1/verify endpoint returns a cryptographic attestation of chain integrity. Signed compliance reports can be generated for auditors.
Residual risk: The audit log stores hashes of content, not the content itself (by design). An investigator can verify that a decision was made but cannot reconstruct the original input from the hash alone.
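One way to realise the chained, signed audit log behind the tampering and repudiation controls above, written as an added example for this page rather than taken from Crawdad's code (the entry layout and the Append/Verify names are assumptions). Each entry keeps only the SHA-256 of the inspected content, commits to the previous entry's hash and carries an Ed25519 signature; Verify is the check a /v1/verify-style endpoint would run, and it shows why a modified entry is caught while a whole chain re-created with the host's key is not.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// AuditEntry stores only the SHA-256 of the inspected content, never the content itself.
type AuditEntry struct {
	ContentHash [32]byte // SHA-256 of the request or response text
	Decision    string   // firewall verdict, e.g. "allow", "block", "redact"
	PrevHash    [32]byte // Hash of the previous entry; all zero for the first entry
	Hash        [32]byte // SHA-256 over ContentHash | Decision | PrevHash
	Signature   []byte   // Ed25519 signature over Hash (non-repudiation)
}

// entryHash commits to the predecessor by hashing PrevHash in with this entry's own fields.
func entryHash(e AuditEntry) [32]byte {
	buf := append([]byte{}, e.ContentHash[:]...)
	buf = append(buf, e.Decision...)
	buf = append(buf, e.PrevHash[:]...)
	return sha256.Sum256(buf)
}

// Append hashes the content, links the new entry to the chain tail and signs it.
func Append(chain []AuditEntry, priv ed25519.PrivateKey, content, decision string) []AuditEntry {
	e := AuditEntry{ContentHash: sha256.Sum256([]byte(content)), Decision: decision}
	if n := len(chain); n > 0 {
		e.PrevHash = chain[n-1].Hash
	}
	e.Hash = entryHash(e)
	e.Signature = ed25519.Sign(priv, e.Hash[:])
	return append(chain, e)
}

// Verify recomputes every hash, link and signature. It catches edits to existing
// entries, but a replacement chain signed with the same key passes (residual risk).
func Verify(chain []AuditEntry, pub ed25519.PublicKey) error {
	var prev [32]byte
	for i, e := range chain {
		if e.PrevHash != prev || e.Hash != entryHash(e) {
			return fmt.Errorf("entry %d: chain broken", i)
		}
		if !ed25519.Verify(pub, e.Hash[:], e.Signature) {
			return fmt.Errorf("entry %d: bad signature", i)
		}
		prev = e.Hash
	}
	return nil
}
```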
Threat: Sensitive data (PII, credentials, internal URLs) leaks through agent responses.
Control: Layer 5 PII exfiltration detector scans every outbound response. Detects 15 PII categories and 10 credential types (AWS, GitHub, Stripe, OpenAI, Anthropic, JWT, SSH keys, database URLs). Automatic redaction before response reaches the client.
Control: Zero-knowledge architecture: content never leaves the local process. Only signed operation counts are transmitted to the cloud. Verified via /v1/verify.
Residual risk: Novel PII formats not in the detector's pattern set may pass undetected. Signature updates every 4 hours mitigate but do not eliminate this.
Threat: An attacker overwhelms the proxy, preventing legitimate agent traffic.
Control: Proxy has a 10MB request body limit. Detection pipeline runs in <1ms (no network calls). Fail-open design: if the sidecar crashes, traffic can be routed directly to the API.
Residual risk: The sidecar currently has no per-client rate limiting. A local process sending high-volume requests could consume CPU.
Threat: Prompt injection causes the agent to execute unauthorized actions with elevated permissions.
Control: Multi-layer detection pipeline: Layer 1 (pattern matching), Layer 2 (semantic heuristics — boundary dissolution, role hijacking, authority impersonation), Layer 3 (indirect injection from documents), Layer 4 (session context — escalation tracking), Layer 5 (data exfiltration), Layer 6 (content analysis), and optional Layer 7 (LLM Judge). Policy engine restricts actions by trust level.
Residual risk: Novel injection techniques not yet in the pattern set may bypass detection. The 4-hour signature update cycle means there is a window between a new technique being published and Crawdad adding detection.