bureau — agentic threat model
Bureau acts as a governance and auditing layer for Claude Code, reducing risk through append-only logging and trust-gated dossier promotion. However, its security relies heavily on the integrity of its local storage and the robustness of its consistency-checking mechanisms against adversarial session inputs.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.30 |
| Goal-Driven Planning | 0.20 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.20 |
| Persistent Memory | 0.80 |
| Contextual Awareness | 0.50 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.40 |
| Non-Determinism | 0.30 |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — The plugin runs on top of Claude (via Claude Code). Threats include model poisoning or indirect prompt injection, where adversarial session content bypasses the consistency checker or tricks the promotion logic.
Layer 2 (Data Operations): Manages session logbooks and cabinet dossiers. Threats include data poisoning of the logbooks, unauthorized promotion of dossiers, and lineage gaps if the append-only integrity is bypassed or the files are tampered with directly on disk.
Layer 3 (Agent Frameworks): Integrates directly as a Claude Code plugin. Threats include framework-level vulnerabilities where Claude Code might be manipulated to bypass the plugin's governance workflow entirely or write directly to dossiers.
Layer 4 (Deployment and Infrastructure): Not certain from the listing — Likely runs locally within the user's CLI environment. Threats include local file system compromise, allowing unauthorized modification of the 'append-only' log files or dossiers.
Layer 5 (Evaluation and Observability): Serves as an observability and guardrail tool. Threats include evasion of consistency checks, blind spots in session capture, and the potential for sophisticated adversarial inputs to game the automated consistency verification.
Layer 6 (Security and Compliance): Enforces a review/trust workflow (proposed to verified). Threats include weak authorization controls for dossier promotion and the lack of cryptographic signatures to verify the identity of the reviewer.
Layer 7 (Agent Ecosystem): Governs the output of Claude Code (an agentic CLI). Threats include A2A trust abuse if other plugins or agents can write directly to the dossiers without going through Bureau's verification workflow.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
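The two mitigations the layer-2, layer-4 and layer-6 threats point at (detecting direct edits to an "append-only" log, and binding a promotion to an authenticated reviewer) can be shown together. This is an added example, not Bureau's own code: a hash-chained logbook whose verifier reports the first entry that no longer matches the chain, and a promotion step that only moves a dossier from proposed to verified when the chain is intact and the reviewer's MAC over the dossier id and the current logbook head checks out. The record layout, field names, the HMAC standing in for a per-reviewer signature, and the key handling are all assumptions.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for an empty logbook (assumed convention)

def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash of a logbook entry bound to the hash of the entry before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()

def append_entry(logbook: list, record: dict) -> dict:
    """Append-only write: each new entry commits to the previous entry's hash."""
    prev = logbook[-1]["hash"] if logbook else GENESIS
    entry = {"record": record, "prev": prev, "hash": entry_hash(prev, record)}
    logbook.append(entry)
    return entry

def verify_logbook(logbook: list) -> tuple:
    """Walk the chain; return (ok, index of first bad entry or -1).
    An in-place edit, deletion or reordering of an earlier entry breaks the chain
    at that index, so direct on-disk tampering is caught at the next check."""
    prev = GENESIS
    for i, entry in enumerate(logbook):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    return True, -1

def sign_promotion(key: bytes, dossier_id: str, head: str, reviewer: str) -> str:
    """Reviewer's MAC over the dossier id, the logbook head it was reviewed at and
    the reviewer name. HMAC stands in for a per-reviewer signature (assumption)."""
    msg = f"{dossier_id}|{head}|{reviewer}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def promote(key: bytes, dossier: dict, logbook: list, reviewer: str, tag: str) -> bool:
    """Trust-gated promotion: proposed -> verified only if the chain is intact and the
    tag matches the current head, so a forged or stale approval is refused."""
    ok, _ = verify_logbook(logbook)
    if not ok:
        return False
    head = logbook[-1]["hash"] if logbook else GENESIS
    expected = sign_promotion(key, dossier["id"], head, reviewer)
    if not hmac.compare_digest(expected, tag):
        return False
    dossier.update(status="verified", verified_by=reviewer, verified_at_head=head)
    return True
```

Because the tag commits to the logbook head, an approval issued before further session entries were appended no longer promotes, which forces re-review after new evidence lands.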