
Bureau Threat Model

The Pluck Bureau is a constellation of 11 transparency-log programs (Dragnet / Tripwire / Oath / Fingerprint / Nuclei / SBOM-AI / Rotate / Mole / Whistle / Bounty / Custody) that together publish signed observations about AI vendors to the public Sigstore Rekor log. The threat model below covers the program-class attacks an external researcher should be aware of when reviewing or running a Bureau deployment.

For a per-program operator runbook (compromise response, daily/weekly duties), see Operator Duties. The canonical copy of the threat model lives at pluck/SECURITY.md → "Pluck Bureau threat model".


Identity binding

  • Every Bureau artifact is signed with an operator Ed25519 key – no shared secrets, no central CA. The fingerprint is the lowercase hex SHA-256 of the key's SPKI DER encoding (64 hex characters).
  • Cassettes / dossiers / probe-packs / oaths / canaries / verdicts all carry the signer's full fingerprint inline so verifiers can cross-check against the Rekor entry's publicKey without a directory lookup.
  • Custody ties operator key + WebAuthn so an operator key compromise alone is not sufficient to forge chain-of-custody bundles for court-admissible AI conversation evidence. Bundles produced before WebAuthn binding lands emit fre902Compliant: false.

Rekor permanence + redaction obligation

  • Every Bureau-emitted Rekor entry is PUBLIC and PERMANENT. The log cannot be redacted. Operators acknowledge this with the acceptPublic: true gate at every notarize* call site.
  • The redactor runs on every program's emit step before Rekor – see redactBureauPayload() in Bureau Foundations. Default policy: secret-pattern scrub + JSON-key-name scrub. --strict-redact adds PII regex (email/phone/SSN). HIPAA / GDPR-class data MUST NOT ride a Bureau cassette unless the operator has independently confirmed the redactor catches every leak vector for their payload.

Probe-pack supply chain

  • Every probe-pack referenced by a Bureau verdict (Dragnet / Nuclei / Mole / Fingerprint) is signed by its publisher. Verifiers REJECT unsigned packs.
  • SBOM-AI's roster ties every Bureau program's runtime npm dependency surface to a signed fingerprint. A typosquat / dependency-confusion attack on a Bureau program is detectable via pluck bureau sbom-ai verify against the published SBOM at the program's release tag.

Sybil defense

  • Quorum verifiers (buildQuorumVote / verifyQuorumVote in Bureau Foundations) require N-of-M signatures from distinct operator fingerprints. A single attacker controlling N+1 keys can still forge consensus, so operators MUST deploy quorum-node identities across distinct trust boundaries – different orgs / clouds / human signers.
  • Quorum dedup happens by fingerprint string AND by SPKI public-key DER bytes. Two distinct fingerprints registered against the same Ed25519 public key are rejected by verifyQuorumVote (and by buildQuorumVote when an identities registry is supplied) – closing the Sybil-with-renamed-fingerprint attack.

Key compromise + race-window

  • Rotate publishes KeyRevocation/v1 for compromised keys. The revocation does NOT remove signed Rekor entries (impossible against a public Merkle tree); verifiers MUST consult the compromise ledger before trusting any historical signature from a revoked fingerprint.
  • Two-phase revoke. Between operator-detected compromise and the multi-second revocation publish, an attacker holding the same key can publish anything. Rotate's two-phase revoke closes the race: any quorum-node may publish a fast KeyFreeze/v1 immediately, then the operator publishes the slow KeyRevocation/v1. Verifiers use classifyCompromiseWithFreeze to classify entries whose integratedTime falls between the freeze and the revocation's since as during-freeze, and treat them as untrusted.
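An added illustration of the freeze/revoke classification (not Rotate's code): the ledger event shapes, the `at` and `since` fields and the status names are assumptions, and all times are Unix seconds like Rekor's integratedTime.

```javascript
// Assumed ledger shapes: { type: "KeyFreeze/v1", fingerprint, at } published fast by
// any quorum-node, and { type: "KeyRevocation/v1", fingerprint, since } published
// later by the operator. `entry` is { fingerprint, integratedTime, uuid }.
function classifyCompromiseWithFreeze(entry, ledger) {
  const mine = ledger.filter((e) => e.fingerprint === entry.fingerprint);
  const freeze = mine.find((e) => e.type === "KeyFreeze/v1");
  const revoke = mine.find((e) => e.type === "KeyRevocation/v1");
  if (!freeze && !revoke) return { status: "no-ledger-event", trusted: true };
  const since = revoke ? revoke.since : Infinity;   // slow revocation may still be pending
  const freezeAt = freeze ? freeze.at : since;      // no freeze: window starts at `since`
  const t = entry.integratedTime;
  if (t >= since) return { status: "revoked", trusted: false };
  if (t >= freezeAt) return { status: "during-freeze", trusted: false };
  // Signed before the fast freeze: historical. The ledger says the key is now bad,
  // so this example hands it to operator review instead of trusting it blindly.
  return { status: "pre-freeze", trusted: false, review: true };
}

// Convenience: bucket a batch of entries by status, keyed to their Rekor uuids.
function classifyAll(entries, ledger) {
  const out = {};
  for (const e of entries) {
    const { status } = classifyCompromiseWithFreeze(e, ledger);
    (out[status] = out[status] || []).push(e.uuid);
  }
  return out;
}
```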

Mole Rekor-clock gate

  • Mole canary sealedAt is operator-controlled. An attacker could backdate it to fake "memorization predates training cutoff." verifyCanaryAgainstRekor rejects a canary whose sealedAt is in the future relative to Rekor's integratedTime (physically impossible) and surfaces daysAheadOfRekor so journalists can spot suspicious legitimate gaps too.
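An added example of the Rekor-clock gate (not Mole's code): it rejects a sealedAt later than Rekor's integratedTime and otherwise surfaces daysAheadOfRekor. The canary and entry shapes and the suspicious-gap threshold are assumptions.

```javascript
// sealedAt is the operator-chosen ISO-8601 seal time; integratedTime is the Rekor
// entry's Unix-seconds inclusion time, which the operator cannot set.
// SUSPICIOUS_GAP_DAYS is this example's review threshold, not a Mole constant.
const SUSPICIOUS_GAP_DAYS = 1;
const MS_PER_DAY = 86400000;

function verifyCanaryAgainstRekor(canary, rekorEntry) {
  const sealedMs = Date.parse(canary.sealedAt);
  if (Number.isNaN(sealedMs)) return { ok: false, reason: "unparseable-sealedAt" };
  const daysAheadOfRekor = (rekorEntry.integratedTime * 1000 - sealedMs) / MS_PER_DAY;
  if (daysAheadOfRekor < 0) {
    // Sealed "after" Rekor already included it: physically impossible, reject.
    return { ok: false, reason: "sealedAt-after-integratedTime", daysAheadOfRekor };
  }
  // A long gap between seal and inclusion is legal; it is surfaced, not rejected.
  return { ok: true, daysAheadOfRekor, suspicious: daysAheadOfRekor > SUSPICIOUS_GAP_DAYS };
}
```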

Oath retraction protocol

  • A vendor that drops a claim from oath v2 (relative to v1) MUST publish an OathRetraction/v1 signed by the same fingerprint as the prior oath. Without a retraction, verifyOathHistory flags the silent removal AND contradictAgainstOath(..., {priorClaims}) keeps evaluating the dropped claim – the vendor cannot quietly escape a prior commitment. See Oath.
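An added example (not Oath's own code) of the retraction rule: a claim dropped between oath versions is flagged unless a retraction signed by the prior oath's fingerprint exists, and the dropped claim keeps being evaluated through priorClaims. The oath, retraction and observation shapes are assumptions.

```javascript
// Assumed shapes: an oath is { version, fingerprint, claims } with claims as a map of
// claim id -> asserted boolean; a retraction is
// { type: "OathRetraction/v1", fingerprint, claim, fromVersion }.
function verifyOathHistory(oaths, retractions) {
  const sorted = [...oaths].sort((a, b) => a.version - b.version);
  const silentDrops = [];
  const priorClaims = {};
  for (let i = 1; i < sorted.length; i++) {
    const prev = sorted[i - 1];
    const cur = sorted[i];
    for (const claim of Object.keys(prev.claims)) {
      if (claim in cur.claims) continue;
      // A drop is legitimate only with a retraction signed by the prior oath's fingerprint.
      const retracted = retractions.some((r) =>
        r.type === "OathRetraction/v1" && r.fingerprint === prev.fingerprint &&
        r.claim === claim && r.fromVersion === prev.version);
      if (retracted) continue;
      silentDrops.push({ claim, fromVersion: prev.version, toVersion: cur.version });
      priorClaims[claim] = prev.claims[claim]; // keep holding the vendor to this claim
    }
  }
  return { silentDrops, priorClaims };
}

// Compare an observation (claim id -> observed boolean) against the live claims plus
// any silently dropped prior claims; a live claim wins if both define the same id.
function contradictAgainstOath(oath, observation, { priorClaims = {} } = {}) {
  const effective = { ...priorClaims, ...oath.claims };
  return Object.keys(effective)
    .filter((claim) => claim in observation && observation[claim] !== effective[claim])
    .map((claim) => ({
      claim,
      promised: effective[claim],
      observed: observation[claim],
      fromPriorOath: !(claim in oath.claims),
    }));
}
```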

Kill-switch sentinel

A compromised probe-pack mid-hunt can be halted across every long-running Bureau daemon via:

```shell
pluck bureau pause            # writes ~/.pluck/bureau-paused
pluck bureau pause --program=dragnet
pluck bureau resume           # remove the sentinel
```

Programs poll isBureauPaused() once per iteration. This is the first verb operators reach for in a compromise-response runbook – see Operator Duties → Compromise response.


Operator key threat model

  • Operator keys are stored at ~/.pluck/operator.key with 0600 mode. Bureau verbs refuse to load a key with looser permissions.
  • A stolen operator key allows an attacker to publish ANYTHING under the operator's identity. Defense: Rotate + freeze + pause buy hours of containment; the Rekor record of the attacker's payloads remains permanent (transparency log integrity).
  • Operators publishing to the Sigstore public-good log MUST acknowledge acceptPublic: true on every Bureau notarize verb. Private deployments can override via --rekor-url.

Failure-mode summary

| Attack class | Defense | Residual risk |
|---|---|---|
| Stolen operator key | Rotate freeze + revoke + re-witness; pause sentinel for sub-second daemon halt | Rekor entries signed during the compromise window remain public + permanent – trust is invalidated, data is not |
| Sybil quorum forge | verifyQuorumVote dedup by fingerprint string AND SPKI public-key DER bytes; cross-trust-boundary deployment | A single attacker controlling N+1 keys across distinct identities can forge consensus |
| Probe-pack supply-chain (typosquat / dependency confusion) | SBOM-AI roster + trustTier === "verified" gate at every consumer | TOFU on first-use; operators must obtain author keys out-of-band |
| Backdated Mole canary | Rekor-clock gate; daysAheadOfRekor surfaced for journalist review | Multi-day gap between seal + Rekor inclusion is legal but suspicious |
| Oath silent claim drop | Retraction protocol; verifyOathHistory flags drops without OathRetraction/v1 | Vendors who never published v1 escape the protocol entirely |
| Compromised probe-pack mid-hunt | Pause sentinel; pluck bureau pause halts every daemon sub-second | Daemons that ignore signal.aborted (third-party plugins) require a second Ctrl-C |
| Rekor outage | notarizeWithRetry + per-process circuit breaker; 409 idempotent recovery | Sustained outage halts notarisation but local dossier append continues |
| Cross-program output-dir corruption | acquireOutputDirLock filesystem mutex | Lock holder pid surfaced; cross-process safety is operator's responsibility |

Reporting a Bureau-class vulnerability

Use the same address as the rest of Pluck: security@pluck.run. Include the program name (Dragnet / Oath / etc.) and the Rekor uuid the bug exposes (when applicable) so we can scope the response.

For the canonical threat-model text and version history, see pluck/SECURITY.md.


See also

  • Operator Duties – the covenant operators accept by signing.
  • Bureau Foundations – primitives, key ceremony, kill-switch, redactor, retry/breaker.
  • Rotate – full compromise-response runbook with the two-phase freeze + revoke flow.
  • Pluck Security – non-Bureau threat model: browser-agent gate, halt codes, EU AI Act applicability.