- Cross-layer attack chain correlation engine extending MAESTRO from passive taxonomy overlay to active cross-layer analysis. Orchestrator Phase 3.5 identifies attack chains spanning multiple MAESTRO layers using a deterministic transition lookup table, producing a conditional `attack-chains.md` artifact. Rule-based pattern matching maps (STRIDE category, MAESTRO layer) pairs to valid successor pairs, each carrying causal vocabulary. Chains require structural evidence (component lineage or data-flow dependency), are kept only when they span 2+ layers and contain at least one Critical/High finding, and the surfaced set is capped at the top 5.
- New schema: `schemas/attack-chain.yaml` v1.0 — cross-finding aggregates separate from the finding IR. Each chain contains chain_id, title, ordered layer progression, member findings with roles, causal narrative, chain-breaking controls, and surfaced flag.
- New shared reference: `.claude/skills/tachi-shared/references/attack-chain-patterns-shared.md` — deterministic transition lookup table consumed by orchestrator Phase 3.5 for chain assembly.
- New parser: `parse_attack_chains()` in `scripts/tachi_parsers.py` — parses `attack-chains.md` into structured chain objects.
- New Typst template: `templates/tachi/security-report/attack-chain.typ` — chain diagram pages with vertical MAESTRO layer stack (Mermaid flowchart TD), conditionally included via `has-attack-chains` flag.
- Threat report Section 6 (Cross-Layer Attack Chains): 150-300 word narratives per surfaced chain, conditional on `has-attack-chains` boolean from orchestrator Phase 3.5.
- `extract-report-data.py` extended with attack chain extraction: parses `attack-chains.md`, emits `has-attack-chains` boolean and structured chain array for PDF report rendering.
- ADR-020 updated with Phase 2 section documenting correlation algorithm, chain schema, downstream propagation, and scope boundary (STRIDE categories only; AG/LLM findings excluded from chain formation).
- 2 new test files: `tests/scripts/test_attack_chains.py` (chain correlation logic), `tests/scripts/test_attack_chain_extraction.py` (report data extraction). Full pytest suite green. Backward-compatibility baselines byte-identical under `SOURCE_DATE_EPOCH=1700000000`.
- **Independence invariant**: Phase 3.5 cross-layer chains and Phase 3 Section 4a intra-component correlation groups are independent grouping mechanisms — a finding may appear in both without conflict.
- **Governance**: PM + Architect + Team-Lead sign-off. 34 tasks completed across implementation waves. PR #159 squash-merged to main 2026-04-12.
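As an added illustration of the Phase 3.5 correlation described in this entry (example code written for this page, not the tachi implementation): findings carry assumed `parent` and `reads_from` fields standing in for component lineage and data-flow dependency, the transition pairs and causal verbs in `TRANSITIONS` are made up rather than taken from `attack-chain-patterns-shared.md`, and ranking by worst member severity then chain length is a choice of this example, since the entry does not say how the top 5 are ordered.

```python
"""Cross-layer chain correlation in the style of the Phase 3.5 engine.
Added illustration, not the tachi code: Finding fields, transition pairs,
evidence checks and ranking are assumptions made for this example."""
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}
SURFACE_CAP = 5  # only the top 5 chains are surfaced


@dataclass(frozen=True)
class Finding:
    fid: str
    stride: str                  # STRIDE category
    layer: str                   # MAESTRO layer tag, L1..L7
    severity: str
    component: str
    parent: Optional[str] = None # component lineage: parent component (assumed field)
    reads_from: tuple = ()       # data-flow dependency: components consumed (assumed field)


# Assumed transition lookup table: (STRIDE, layer) -> {successor pair: causal verb}.
TRANSITIONS = {
    ("Spoofing", "L7"): {("Tampering", "L2"): "lets an impersonated peer write into"},
    ("Tampering", "L2"): {("Information Disclosure", "L1"): "poisons inputs that leak via",
                          ("Denial of Service", "L1"): "degrades"},
    ("Information Disclosure", "L1"): {("Elevation of Privilege", "L3"): "yields secrets that drive"},
    ("Elevation of Privilege", "L3"): {("Tampering", "L4"): "reaches"},
}


def _lineage(component, parent_of):
    """The component itself plus every ancestor reachable through parent links."""
    seen = []
    while component and component not in seen:
        seen.append(component)
        component = parent_of.get(component)
    return set(seen)


def structurally_linked(a, b, parent_of):
    """A hop a -> b needs structural evidence: shared component lineage,
    or b's component consuming a's component (data-flow dependency)."""
    return bool(_lineage(a.component, parent_of) & _lineage(b.component, parent_of)) \
        or a.component in b.reads_from


def correlate(findings, transitions=TRANSITIONS, cap=SURFACE_CAP):
    parent_of = {f.component: f.parent for f in findings if f.parent}
    by_pair = {}
    for f in findings:
        by_pair.setdefault((f.stride, f.layer), []).append(f)
    raw_chains = []

    def extend(chain):
        """Depth-first walk of the transition table; one hop per layer, so no cycles."""
        last, used_layers, grew = chain[-1], {c.layer for c in chain}, False
        for succ in transitions.get((last.stride, last.layer), {}):
            for nxt in by_pair.get(succ, []):
                if nxt.layer not in used_layers and structurally_linked(last, nxt, parent_of):
                    grew = True
                    extend(chain + [nxt])
        if not grew:
            raw_chains.append(chain)

    for f in findings:
        extend([f])

    def qualifies(chain):
        # Filter: 2+ distinct layers and at least one Critical/High member.
        return len({c.layer for c in chain}) >= 2 and \
            any(SEVERITY_RANK[c.severity] >= SEVERITY_RANK["High"] for c in chain)

    def contained_in(small, big):
        # Walks started mid-chain produce sub-chains; keep only maximal ones.
        s, b = [f.fid for f in small], [f.fid for f in big]
        return len(s) < len(b) and any(b[i:i + len(s)] == s for i in range(len(b) - len(s) + 1))

    qualified = [c for c in raw_chains if qualifies(c)]
    maximal = [c for c in qualified if not any(contained_in(c, o) for o in qualified)]
    maximal.sort(key=lambda c: (-max(SEVERITY_RANK[f.severity] for f in c), -len(c), c[0].fid))

    chains = []
    for i, c in enumerate(maximal):
        hops = [f"{a.fid} ({a.stride} @ {a.layer}) {transitions[(a.stride, a.layer)][(b.stride, b.layer)]} "
                f"{b.fid} ({b.stride} @ {b.layer})" for a, b in zip(c, c[1:])]
        chains.append({"chain_id": f"CHAIN-{i + 1:03d}", "layers": [f.layer for f in c],
                       "members": [f.fid for f in c], "narrative": "; ".join(hops),
                       "surfaced": i < cap})  # cap: only the top `cap` chains are surfaced
    return chains


# Constructed sample findings (not real tachi output).
SAMPLE = [
    Finding("F-1", "Spoofing", "L7", "High", "partner-agent"),
    Finding("F-2", "Tampering", "L2", "Medium", "ingest-pipeline", reads_from=("partner-agent",)),
    Finding("F-3", "Information Disclosure", "L1", "Critical", "model-serving", reads_from=("ingest-pipeline",)),
    Finding("F-4", "Elevation of Privilege", "L3", "High", "orchestrator", reads_from=("model-serving",)),
    Finding("F-5", "Denial of Service", "L1", "Low", "model-serving", reads_from=("ingest-pipeline",)),
    Finding("F-6", "Tampering", "L4", "Medium", "orchestrator-runtime", parent="orchestrator"),
    Finding("F-7", "Tampering", "L2", "High", "isolated-batch"),  # no structural evidence: never chained
]

if __name__ == "__main__":
    for chain in correlate(SAMPLE):
        print(chain["chain_id"], " -> ".join(chain["layers"]), "surfaced" if chain["surfaced"] else "")
        print("   ", chain["narrative"])
```

Note that `F-7` has a valid (STRIDE, layer) successor in the table but never joins a chain, because the table alone is not enough: the structural-evidence check is what keeps the correlation from stitching unrelated findings together.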
- All 11 threat agents (6 STRIDE + 5 AI) migrated from self-contained inline shape to lean + skill references pattern, completing the lean-agent architecture for all 17 tachi agents. Pre-refactor: STRIDE 113-141 lines, AI 167-201 lines (3 AI agents over the 180-line hard cap). Post-refactor: STRIDE 50-54 lines, AI 78-114 lines — every agent within FR-10 tier caps (STRIDE ≤120, AI ≤150, hard cap ≤180).
- 11 new companion skill directories created at `.claude/skills/tachi-<name>/references/` (spoofing, tampering, repudiation, info-disclosure, denial-of-service, privilege-escalation, prompt-injection, data-poisoning, model-theft, tool-abuse, agent-autonomy). Each hosts a `detection-patterns.md` reference file that is byte-preserved from the pre-refactor agent content plus enriched categories. Agent files load via a single `**MANDATORY**: Read` directive at detection start — no phase-gated loads (unlike the methodology variant used by control-analyzer), making this a new "detection variant" of the lean pattern.
**Problem**: Feature 141 (MAESTRO Phase 2 — Cross-Layer Attack Chain Analysis) required inserting a new correlation phase (Phase 3.5) between existing orchestrator phases, adding a new artifact type (`attack-chains.md`), extending the threat report with a new section, and adding new PDF pages — touching 38 files across schema, parser, orchestrator, report agent, Typst templates, and examples. The team-lead estimated 10-12.5 days for the 34-task, 7-wave build.
**Root Cause**: N/A — this is a positive pattern observation, not a problem report.
**Solution**: The data-driven pipeline architecture (agents reading shared references, schemas defining contracts, conditional gates on boolean flags like `has-attack-chains`) enabled the new phase to be inserted without modifying adjacent phases. The parser module (`tachi_parsers.py`) accepted a new `parse_attack_chains()` function following the same pattern as `parse_attack_trees()`. The Typst template system accepted a new `attack-chain.typ` with conditional inclusion via the same `has-attack-chains` flag pattern used by `has-attack-trees`. The threat report agent accepted a new Section 6 with conditional emission. No existing Python scripts required structural changes — only additive functions.
**Result**: 34/34 tasks completed in a single session. 5 PDF baselines byte-identical (backward compatible). All governance checkpoints passed (P0, P1, P2 APPROVED). The phase-insertion pattern — adding a new orchestrator phase between existing phases with its own schema, parser, conditional gate, and downstream propagation — is now a validated extensibility mechanism for the tachi pipeline.
**When to Apply**: Any time a new pipeline phase or artifact type needs to be added to the tachi pipeline. Follow the pattern: (1) define schema, (2) add parser function to `tachi_parsers.py`, (3) insert orchestrator phase with input/output contracts, (4) add conditional gate boolean, (5) extend downstream consumers (threat report, PDF) with conditional sections. The conditional gate pattern (`has-X` boolean) is the key enabler — it ensures backward compatibility by making new output entirely opt-in based on input detection.
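Steps (1) through (5) above, as one added example (written for this page, not the tachi code): a hypothetical `attack-chains.md` layout, a `parse_attack_chains` that enforces two assumed schema invariants, an extraction step that emits the `has-attack-chains` gate, and a downstream consumer that emits nothing when the gate is false. The markdown layout, the field names, and the rule that only surfaced chains set the flag are assumptions of this example.

```python
"""Parser plus conditional gate for an attack-chains.md artifact.
Added example of the phase-insertion pattern, not the tachi parser: the
markdown layout, field names and surfaced-only gate rule are assumptions."""
import re
from typing import Optional

CHAIN_HEADER = re.compile(r"^## (?P<cid>CHAIN-\d{3}): (?P<title>.+)$")
FIELD = re.compile(r"^- (?P<key>Layers|Members|Controls|Surfaced): (?P<val>.+)$")
MEMBER = re.compile(r"(?P<fid>[A-Z]+-\d+) \((?P<role>[a-z]+)\)")


def validate_chain(chain):
    """Schema invariants a chain must satisfy (assumed stand-in for attack-chain.yaml)."""
    if len(set(chain["layers"])) < 2:
        raise ValueError(f"{chain['chain_id']}: a chain must span at least two layers")
    if not chain["members"]:
        raise ValueError(f"{chain['chain_id']}: a chain needs member findings")
    return chain


def parse_attack_chains(text):
    """Parse the markdown artifact into structured chain objects."""
    chains, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = CHAIN_HEADER.match(line)
        if header:
            cur = {"chain_id": header["cid"], "title": header["title"], "layers": [],
                   "members": [], "controls": [], "narrative": "", "surfaced": False}
            chains.append(cur)
            continue
        if cur is None:
            continue  # preamble before the first chain heading
        field = FIELD.match(line)
        if field:
            key, val = field["key"], field["val"]
            if key == "Layers":
                cur["layers"] = [p.strip() for p in val.split("->")]
            elif key == "Members":
                cur["members"] = [{"finding_id": m["fid"], "role": m["role"]} for m in MEMBER.finditer(val)]
            elif key == "Controls":
                cur["controls"] = [c.strip() for c in val.split(";")]
            else:
                cur["surfaced"] = val.strip().lower() == "true"
        elif line:
            cur["narrative"] = (cur["narrative"] + " " + line).strip()
    return [validate_chain(c) for c in chains]


def extract_report_data(attack_chains_md: Optional[str]):
    """The gate: no artifact, or no surfaced chain, means has-attack-chains is False,
    so downstream consumers emit nothing and existing baselines stay byte-identical."""
    chains = parse_attack_chains(attack_chains_md) if attack_chains_md else []
    surfaced = [c for c in chains if c["surfaced"]]
    return {"has-attack-chains": bool(surfaced), "attack-chains": surfaced}


def render_section6(report_data):
    """Downstream consumer keyed on the gate flag (stand-in for the report agent or Typst page)."""
    if not report_data["has-attack-chains"]:
        return ""
    out = ["## 6. Cross-Layer Attack Chains"]
    for c in report_data["attack-chains"]:
        out += [f"### {c['chain_id']}: {c['title']}", " -> ".join(c["layers"]), c["narrative"],
                "Chain-breaking controls: " + "; ".join(c["controls"])]
    return "\n".join(out)


# Constructed sample artifact in the assumed layout (not real tachi output).
SAMPLE_MD = """\
# Cross-Layer Attack Chains

## CHAIN-001: Impersonated partner agent to deployment tampering
- Layers: L7 -> L2 -> L1 -> L3
- Members: F-1 (entry), F-2 (pivot), F-3 (pivot), F-4 (impact)
- Controls: mTLS between agents; provenance checks on ingested data
- Surfaced: true

An impersonated partner agent writes poisoned records into the ingest
pipeline, which leak model secrets that let the orchestrator escalate.

## CHAIN-002: Poisoned ingest to model degradation
- Layers: L7 -> L2 -> L1
- Members: F-1 (entry), F-2 (pivot), F-5 (impact)
- Controls: input validation on the ingest pipeline
- Surfaced: false

Same entry point; the poisoned data degrades model serving instead.
"""

if __name__ == "__main__":
    print(render_section6(extract_report_data(SAMPLE_MD)) or "(section 6 omitted)")
    print(render_section6(extract_report_data(None)) or "(section 6 omitted)")
```

Running the same consumer with the artifact missing shows the backward-compatibility property the pattern relies on: the parser is never reached, the flag is false, and the section is absent rather than empty.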