ops-jrz1/docs/security-blast-radius.md
2025-12-08 16:31:40 -08:00

Security Blast Radius Assessment

Matrix Homeserver (conduwuit)

  • Exposure: Full read/write access to all Matrix rooms, including those bridged to Slack. Attackers can impersonate any bridged or bot user and inject content that propagates back into Slack.
  • Secrets at Risk: Secrets decrypted by sops-nix (registration tokens, admin credentials), if they are read from process memory or leaked via logs.
  • Recovery Actions: Rotate Matrix registration shared secrets and bot credentials, rebuild the homeserver from a known-good state, purge compromised accounts, revoke Slack tokens, audit room history.

Maubot Host & Plugins

  • Exposure: Remote code execution via malicious plugin or compromised management UI enables takeover of Maubot service, access to SQLite plugin state, and control of Matrix bot accounts. Impact extends to every bot-enabled room and associated Slack channels.
  • Secrets at Risk: Maubot admin credentials, plugin-specific API keys, Matrix access tokens stored in sops-nix.
  • Recovery Actions: Disable Maubot service, remove untrusted plugins, rotate admin password and Matrix tokens, redeploy trusted builds, review logs for malicious activity.

Go Bot Services (matrix-bot-sdk-go)

  • Exposure: Compromise of the Go bot binary or config lets attackers act as that Matrix user, echoing into Slack rooms via the bridge. Depending on service permissions, it may allow a host-level pivot if the binary runs with elevated rights.
  • Secrets at Risk: Matrix access tokens and third-party API keys stored in sops-nix.
  • Recovery Actions: Stop service, rotate affected tokens, reissue signed binaries, inspect journald logs for exploit traces, redeploy with least-privilege systemd unit.

mautrix-slack Bridge

  • Exposure: Leaked Slack bot/app tokens grant broad Slack API control—impersonating users, reading channels, manipulating integrations. Matrix rooms mirrored into Slack may also be poisoned with fake messages.
  • Secrets at Risk: Slack bot token, app-level token, database contents (ghost user mappings) if storage is compromised.
  • Recovery Actions: Revoke Slack tokens, reauthorize bridge, rotate Matrix appservice secrets, audit Slack workspace activity, redeploy bridge service.

Host-Level Compromise (ops-jrz1 VPS)

  • Exposure: Attackers with root own the entire stack: homeserver, Maubot, Go bots, secrets, deployment tooling. They can exfiltrate age keys, tamper with Nix closures, or install persistence.
  • Secrets at Risk: All sops-encrypted secrets (Slack tokens, registration secrets, admin creds), SSH keys, age private keys.
  • Recovery Actions: Reprovision VPS from clean image, rotate every downstream secret, regenerate age key pair, re-encrypt sops files, re-run deployment, audit Git/worklogs for evidence of tampering.

Secrets Management (sops-nix)

  • Exposure: Loss of age private key or accidental commit of decrypted files reveals all managed secrets, cascading to every service.
  • Recovery Actions: Generate new age key pair, re-encrypt secrets, rotate dependent credentials across Matrix, Slack, and bot services.

Mitigation Summary

  • Keep Maubot management UI bound to localhost with SSH tunneling; enforce strong passwords in sops-nix.
  • Run each service under dedicated, least-privilege systemd users; apply firewall rules to limit network exposure.
  • Monitor journald for WARN/ERROR across Maubot, Go bot, and bridge services; push critical alerts into the Matrix admin room.
  • Enforce git status/validation scripts to ensure decrypted secrets never persist; educate contributors on incident response procedures.
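
One way to implement the "decrypted secrets never persist" check from the last bullet, as an added example (not a script from this repository). It assumes secrets are YAML/JSON files under a hypothetical secrets/ directory and that .git/hooks/pre-commit invokes the script with --staged.

```shell
#!/bin/sh
# Added example: pre-commit guard against committing decrypted sops secrets.
# Assumptions (not from the original doc): YAML/JSON secrets live under
# secrets/, and .git/hooks/pre-commit runs this script with --staged.

SECRETS_DIR="${SECRETS_DIR:-secrets}"   # hypothetical repo layout

# check_blob PATH   (file content on stdin)
# Prints a reason to stderr and returns 1 if the content must not be committed.
check_blob() {
    blob_path=$1
    content=$(cat)
    # An age private key must never be committed, wherever it lives.
    if printf '%s\n' "$content" | grep -q 'AGE-SECRET-KEY-1'; then
        echo "BLOCK $blob_path: contains an age private key" >&2
        return 1
    fi
    case "$blob_path" in
        "$SECRETS_DIR"/*)
            # sops-encrypted YAML/JSON carries a top-level sops metadata key
            # and ENC[...] ciphertext values; a decrypted file has neither.
            if ! printf '%s\n' "$content" | grep -Eq '^sops:|^[[:space:]]*"sops":'; then
                echo "BLOCK $blob_path: no sops metadata (decrypted file?)" >&2
                return 1
            fi
            if ! printf '%s\n' "$content" | grep -q 'ENC\[AES256_GCM,'; then
                echo "BLOCK $blob_path: no ENC[...] values (decrypted file?)" >&2
                return 1
            fi
            ;;
    esac
    return 0
}

# scan_staged: check the staged (index) version of each added, copied or
# modified file, so unstaged edits cannot mask a leak.
scan_staged() {
    git diff --cached --name-only --diff-filter=ACM |
    ( rc=0
      while IFS= read -r f; do
          git show ":$f" | check_blob "$f" || rc=1
      done
      exit "$rc" )
}

# Entry point for the hook wrapper; skipped when the file is only sourced.
if [ "${1:-}" = "--staged" ]; then
    scan_staged
fi
```

A non-zero exit from the hook aborts the commit; the same check_blob function can be reused in CI against the full tree.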

Slack Workspace Immediate Response (Manager)

  • Cut Access: From the Slack admin console, immediately suspend or revoke the bridge app and Matrix bot users (Settings & administration → Manage apps → [App] → Revoke access).
  • Notify Users: Post in the designated incident channel (e.g., #general or #ops-alerts) that the bot has been disabled while the team investigates.
  • Contact Ops: Ping the ops/security on-call via the documented channel so token rotation and investigation can begin.

(Full remediation and recovery steps are handled by the ops team in coordination with the manager.)