
docs(relay): threat-model.md per-process surface (#11) #14

Merged
ilmoniemi merged 3 commits into main from feature/11 on May 8, 2026

@ilmoniemi
Contributor

What

Adds docs/threat-model.md cataloguing the relay's operational attack surface — distinct from the wire-protocol threats already in the protocol spec's Security model. Seven sections, each with severity / v1 mitigation / residual risk / future hardening: deploy security, supply chain, DoS resistance, log hygiene, cert & key handling, TLS configuration, error response leakage. Closes with "Triggers for re-review" and an explicit out-of-scope list.

Updates docs/architecture.md's "Threat model" section from "to be written" to a one-paragraph pointer at the new doc.

Issue

Closes #11.

Testing

Documentation only; no Go changes. Verified:

  • go vet ./... — clean.
  • go test -race ./... — clean (internal/relay 1.4s).

Architecture compliance

Follows the spec at docs/specs/architecture/11-threat-model.md:

  • Opening paragraph distinguishes this doc from the protocol spec's Security model and links to it.
  • Seven threat sections rendered in the architect's preferred order (deploy → supply chain → DoS → logs → certs → TLS → errors), each with the four-field structure.
  • v1 mitigations cite file:line anchors (cmd/pyrycode-relay/main.go:53-95, internal/relay/tls.go:16-55, internal/relay/tls.go:80-88, etc.) — every code-grounded claim is anchored.
  • Frames v1-deferred work (per-IP rate limits, connection caps, SBOM, WS library) as deferred-with-trigger, not as missing controls.
  • Names 0700 in operator-facing prose; does not pre-pick a future WebSocket library.
  • "Triggers for re-review" lists the five triggers from the spec verbatim.
  • Out-of-scope items (pen-test, compliance frameworks, per-CVE runbook) explicitly preserved.

🤖 Generated with Claude Code

ilmoniemi and others added 2 commits May 8, 2026 20:23
Adds docs/threat-model.md cataloguing the operational attack surface
of the relay binary as a deployed process — deploy, supply chain, DoS,
log hygiene, cert handling, TLS config, error-leakage. Each entry
records severity, v1 mitigation (with file:line anchor), residual risk,
and future hardening, framing v1-deferred work as a first-class status.
Updates docs/architecture.md "Threat model" section to point at the new
doc instead of "to be written".

Closes #11

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@ilmoniemi
Contributor Author

Code Review: #11

Decision: PASS

Findings

  • [NIT] docs/threat-model.md: cmd/pyrycode-relay/main.go:39 is cited as the slog handler location, but slog.New(slog.NewTextHandler(...)) is actually at line 37 (line 39 is blank). Off-by-2. Inherited from the spec, low priority.
  • [NIT] docs/threat-model.md: cmd/pyrycode-relay/main.go:111-116 is cited for defaultCertCache; the function actually spans lines 112-117. Off-by-one. Also inherited from the spec.

Summary

Markdown-only deliverable; ticket is not security-sensitive so the architect security-review pass does not apply.

The doc matches the spec one-for-one: all seven threat domains are present (Deploy security, Supply chain, DoS resistance, Log hygiene, Cert & key handling, TLS configuration, Error response leakage), each with the four required fields (severity / v1 mitigation / residual risk / future hardening). The "Triggers for re-review" section is present and exhaustive. docs/architecture.md's "Threat model" section is replaced with a one-paragraph pointer per the spec, heading preserved.

Technical claims verified against the codebase:

  • http.Server timeouts (10s/60s/60s/120s) applied to all three listeners — the doc's "applied identically to the autocert HTTP listener and the TLS listener" framing is accurate.
  • mode&0o077 != 0 check in internal/relay/tls.go:46 matches the doc's 0700 framing; using 0700 in prose with the bitmask in code is the right call per architect's open question #2.
  • go.mod enumeration is exact: golang.org/x/crypto v0.50.0 + indirect x/net, x/text. WS library deliberately not named (architect's open question #3 honoured).
  • govulncheck is in make lint at Makefile:24, gating merge as claimed.
  • 421 with no body in EnforceHost matches internal/relay/tls.go:66-78.

Prose voice matches the protocol spec's Security model (short paragraphs, not bullet salad, code anchors on every grounded claim) per the spec's instruction. v1-deferred is consistently framed as a first-class status rather than a gap. The line-number nits above are the only blemishes and don't block merge.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
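
The review above checks two of the doc's claims against code: the `mode&0o077 != 0` test behind the 0700 wording, and the body-less 421 from EnforceHost. The following is an added sketch of both, not code from the pyrycode-relay repository; `checkCacheDirMode`, `enforceHost`, `probe` and `relay.example` are hypothetical names, and exact Host matching is an assumption.

```go
// Added sketch; not the relay's own code. All names here are hypothetical.
package main

import (
	"fmt"
	"io/fs"
	"net/http"
	"net/http/httptest"
)

// checkCacheDirMode rejects a cert cache directory whose mode grants any
// group or other bit. mode&0o077 != 0 is the bitmask form of "0700 or
// stricter": 0500 passes, 0750 and 0755 do not.
func checkCacheDirMode(mode fs.FileMode) error {
	if perm := mode.Perm(); perm&0o077 != 0 {
		return fmt.Errorf("cache dir mode %#o is too permissive", uint32(perm))
	}
	return nil
}

// enforceHost answers any other Host with 421 Misdirected Request and no
// body, so the rejection path carries no server detail (exact match assumed).
func enforceHost(want string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Host != want {
			w.WriteHeader(http.StatusMisdirectedRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends a constructed request through enforceHost and returns the
// status code and the response body length.
func probe(want, host string) (int, int) {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") })
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Host = host
	rec := httptest.NewRecorder()
	enforceHost(want, ok).ServeHTTP(rec, req)
	return rec.Code, rec.Body.Len()
}

func main() {
	for _, m := range []fs.FileMode{0o700, 0o750, 0o755, 0o500} {
		fmt.Printf("%#o -> %v\n", uint32(m), checkCacheDirMode(m))
	}
	fmt.Println(probe("relay.example", "relay.example"))
	fmt.Println(probe("relay.example", "other.example"))
}
```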
ilmoniemi merged commit 0c5a465 into main May 8, 2026
2 checks passed
ilmoniemi deleted the feature/11 branch May 8, 2026 17:29
Development

Successfully merging this pull request may close these issues.

relay: docs/threat-model.md — per-process surface concerns (deploy, supply chain, DoS, log hygiene)