7.7 KiB
Threat Intelligence — Admin Guide
All admin operations require the
risk_assessment_adminrole, separate from regular admin. All admin actions are audited. Never log or share plaintext identifiers.
Accessing the Admin Interface
The admin interface is available at /risk-assessment in the platform-admin dashboard (Phase 5). Until the frontend is built, all operations use the internal API at POST/GET/PATCH /internal/risk-assessment/admin/....
Core Concepts
Threat Profiles
A threat profile represents a known dangerous individual. Profiles are identified by an admin-assigned codename (label) — never a real name.
Fields:
- Label: Admin codename (e.g., "FOXHOUND-7", "BRAVO-12")
- Severity:
low|medium|high|critical - Source: How the profile was created (
admin_flag,community_report,cross_reference,external_intel) - Threat Score: Computed from community reports (see Scoring below)
- Active: Whether identifiers on this profile trigger shadow onboarding
Flagged Identifiers
SHA-256 hashed identifiers linked to threat profiles. When someone registers with a matching identifier, shadow onboarding activates.
PII-based identifier types: email, phone, legal_name, card_hash, device_fp, ip_address, username, payment_app_id
Browser fingerprint types: canvas_fp, webgl_fp, audio_fp, webrtc_local_ip, screen_geometry, timezone_locale, font_set, hardware_profile
Behavioral biometric types: typing_cadence, mouse_dynamics
Confidence score (0.00–1.00): Admin-entered identifiers default to 1.0. Shadow-collected identifiers default to 0.8. Browser fingerprint matches default to 0.8. Behavioral biometric matches may be lower (typically 0.6–0.7) due to natural variation in typing and movement patterns across sessions.
Browser Fingerprints
Browser fingerprints are collected passively during shadow onboarding steps. They provide VPN-resistant, identity-change-resistant signals that persist even when a user creates a new identity with different PII. Canvas, WebGL, and audio fingerprints are GPU/OS-bound. Font detection reveals installed software. Hardware profiles expose device characteristics. WebRTC can leak the true local IP behind a VPN.
Behavioral Biometrics
Typing cadence and mouse dynamics are unique to individuals. The system captures keystroke timing patterns (inter-key intervals, key dwell times) and mouse movement characteristics (speed, acceleration, path straightness, click precision). Values are quantized into bins before hashing so that similar behavioral samples across sessions produce the same fingerprint hash.
Community Reports
Incident reports submitted by liveness-verified providers. Reports include severity, category, description, and evidence notes.
Categories: violence, assault, stealthing, non_payment, coercion, harassment, trafficking, other
Common Operations
Flagging a New Individual (Admin-Initiated)
-
Create a threat profile with a codename and severity:
POST /internal/risk-assessment/admin/profiles { "label": "FOXHOUND-7", "severity": "high", "source": "admin_flag" } -
Add known identifiers to the profile:
POST /internal/risk-assessment/admin/profiles/{id}/identifiers { "type": "phone", "value": "+15551234567" }The server normalizes and hashes the value. The plaintext is never stored.
-
The profile is immediately active — any registration attempt using a matching identifier will trigger shadow onboarding.
Reviewing Community Reports
Providers submit reports through the marketplace safety UI. Reports appear in the admin queue:
GET /internal/risk-assessment/admin/reports?page=1&limit=20
To verify a report (confirms legitimacy, influences severity):
PATCH /internal/risk-assessment/admin/reports/{id}/verify
{ "adminNotes": "Verified with reporter via secure channel. Consistent with other reports." }
Monitoring Shadow Sessions
Active shadow sessions show flagged individuals currently progressing through the shadow onboarding flow:
GET /internal/risk-assessment/admin/sessions?status=active
View a session's collection events (what identifiers were captured at each step):
GET /internal/risk-assessment/admin/sessions/{id}
To close a session (stops collection):
PATCH /internal/risk-assessment/admin/sessions/{id}/close
Merging Profiles
When two profiles are discovered to represent the same individual (e.g., identifier overlap detected during shadow collection):
POST /internal/risk-assessment/admin/profiles/{keepId}/merge/{mergeIntoId}
All identifiers, reports, sessions, and notes from the merged profile are transferred to the kept profile. The merged profile is deactivated.
Viewing a Profile Timeline
GET /internal/risk-assessment/admin/profiles/{id}/timeline
Returns chronological events: profile creation, identifier additions, shadow sessions, community reports, admin actions.
Dashboard Statistics
GET /internal/risk-assessment/admin/stats
Returns:
- Active profiles count
- Total/active shadow sessions
- Total/verified community reports
- Identifier type distribution (how many of each type)
Threat Scoring
The threat score for a profile is computed from its community reports:
| Severity | Weight |
|---|---|
| Low | 1 |
| Medium | 3 |
| High | 7 |
| Critical | 15 |
Score = SUM of all report severity weights
Shadow onboarding triggers when the score crosses the configurable threshold (default: 7). This means:
- 1 CRITICAL report → triggers immediately (15 >= 7)
- 1 HIGH report → triggers immediately (7 >= 7)
- 3 MEDIUM reports → triggers (9 >= 7)
- 7 LOW reports → triggers (7 >= 7)
Admin-flagged identifiers always trigger shadow onboarding regardless of score.
Security Protocols
What Admins Must Never Do
- Never log plaintext identifiers. When discussing a profile, reference the codename or profile ID only.
- Never share shadow session details outside the risk assessment team. Shadow status is the most sensitive operational detail.
- Never reveal to a shadow user that they are in shadow onboarding. The "under review" message is permanent and intentional.
- Never delete threat profiles without consensus. Deactivate instead (
isActive: false).
What Admins Should Do
- Verify community reports promptly. Unverified reports still contribute to scoring, but verification adds credibility.
- Monitor for profile overlaps. When shadow collection discovers an identifier already linked to a different profile, investigate for potential merge.
- Review shadow sessions periodically. Check collection event timelines for behavioral anomalies.
- Document decisions in profile notes. Use structured notes with categories (
behavioral,intelligence,legal,safety).
Identifier Privacy
- Identifiers are stored as SHA-256 hashes with a platform-wide pepper
- The pepper is stored in
vault/threat-intelligence/pepper— access requires vault credentials - Admins can add identifiers (the plaintext is hashed server-side and discarded)
- Admins cannot retrieve the original value from a hash
- The
matchCountandlastMatchedAtfields on identifiers show how many times an identifier has been matched, without revealing whose registration triggered the match
Environment Configuration
| Variable | Purpose | Default |
|---|---|---|
THREAT_INTEL_PEPPER |
Required. Pepper for identifier hashing. | — |
THREAT_SCORE_THRESHOLD |
Score at which shadow onboarding activates | 7 |
The pepper must be identical across all instances of the service. If rotated, existing hashes become unmatchable — do not rotate without migrating all existing hashes.