
Commit 5bd6d9c

davidmatousek and claude committed
feat(142): MAESTRO Phase 3 — Agentic Threat Pattern Expansion
Surface the six canonical MAESTRO cross-cutting agentic threat patterns (Agent Collusion, Emergent Behavior, Temporal Attack, Trust Exploitation, Communication Vulnerabilities, Resource Competition) as named, filterable finding categories. Phase 3.6 synthesis engine evaluates multi-agent gate predicate, applies classification rule table, and emits net-new AGP-NN findings for previously-uncovered patterns.

Highlights:

- Schema bump finding.yaml 1.3 to 1.4 (agentic_pattern enum + AGP-NN id regex)
- Orchestrator Phase 3.6 cross-pattern synthesis (after Phase 3.5)
- Threats.md Pattern column + Section 4b; threat-report Agentic Pattern Analysis section
- SARIF maestro-pattern:<name> tags matching maestro-layer: convention
- New shared reference maestro-agentic-patterns-shared.md (6 patterns, coverage map, rule table)
- New ADR-026 pattern classification mechanism (Option C selected)
- ADR-020 Revision History updated for Phase 3 canonical pattern scope
- 4 new test files, fixtures across synthesis/extraction/parser/rules
- agentic-app extended; 5 baselines byte-identical under SOURCE_DATE_EPOCH
- 33 tasks, PM + Architect + Team-Lead APPROVED

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent c27cd21 commit 5bd6d9c

59 files changed

Lines changed: 8332 additions & 189 deletions


.claude/agents/tachi/orchestrator.md

Lines changed: 134 additions & 1 deletion

.claude/agents/tachi/threat-report.md

Lines changed: 84 additions & 0 deletions
@@ -54,6 +54,7 @@ Load domain knowledge on-demand from the `tachi-threat-reporting` skill using th
5454
| Narrative Templates | `.claude/skills/tachi-threat-reporting/references/narrative-templates.md` | Generating Executive Summary (Section 1), Architecture Overview (Section 2), Threat Analysis (Section 3), Cross-Cutting Themes (Section 4), Section 5 delta annotations (from manifest `action` values), Remediation Roadmap (Section 7) |
5555
| Severity bands (shared) | `.claude/skills/tachi-shared/references/severity-bands-shared.md` | Executive summary / severity-based narrative ordering |
5656
| Attack chain patterns (shared) | `.claude/skills/tachi-shared/references/attack-chain-patterns-shared.md` | Generating Cross-Layer Attack Chains narrative (Section 6) — causal vocabulary, chain structure definitions |
57+
| Agentic patterns (shared) | `.claude/skills/tachi-shared/references/maestro-agentic-patterns-shared.md` | Generating Agentic Pattern Analysis narrative — six canonical CSA MAESTRO pattern definitions (Section 1 of the shared reference). Loaded on-demand only when `has-agentic-patterns` is true. |
5758

5859
---
5960

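Review bot: the new "Agentic patterns (shared)" row is the only row in this table that does not name the report section it feeds; the rows above it say "(Section 1)", "(Section 6)" and so on. Because the Agentic Pattern Analysis section number is grep-determined rather than fixed, say that in the row itself (something like "Generating Agentic Pattern Analysis narrative (section number grep-determined)") so a reader of the table can tell the omission is deliberate and not a gap. The load condition in the row (only when `has-agentic-patterns` is true) agrees with the conditional rule in the report body further down, so that part is consistent.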
@@ -141,6 +142,16 @@ Before finalizing the report, run the following checklist. Every check must pass
141142
- [ ] Each chain includes chain-breaking control recommendation with heuristic disclaimer
142143
- [ ] When `has-attack-chains` is false: Section 6 is entirely absent (no heading, no placeholder)
143144

145+
#### Agentic Pattern Analysis (Conditional)
146+
147+
- [ ] When `has-agentic-patterns` is true: the Agentic Pattern Analysis section is present with its section number grep-computed from the count of preceding sections (never hardcoded; never left as a `{grep-determined}` placeholder)
148+
- [ ] Each per-pattern subsection includes all four required elements in order: H3 heading with display name, 1-sentence definition sourced verbatim from `maestro-agentic-patterns-shared.md` Section 1, severity counts line (`Critical: N | High: N | Medium: N | Low: N`), 100-200 word architecture-specific narrative, and `Impacted findings:` line with comma-separated IDs
149+
- [ ] Zero-finding pattern subsections are omitted entirely (not rendered empty)
150+
- [ ] Per-pattern subsections are ordered by max severity desc → finding count desc → pattern enum order (agent_collusion < emergent_behavior < temporal_attack < trust_exploitation < communication_vulnerability < resource_competition)
151+
- [ ] If any finding carries `agentic_pattern: multiple`, a "Multi-Pattern Findings" subsection is rendered FIRST (before per-pattern subsections); multi-pattern findings ALSO appear under each matching per-pattern subsection
152+
- [ ] `attack-chains.md` is NOT modified by this section (FR-008 invariant); files under `examples/*/attack-trees/` are NOT modified; only prose cross-references to chain IDs are permitted in pattern narratives
153+
- [ ] When `has-agentic-patterns` is false: the Agentic Pattern Analysis section is entirely absent (no heading, no placeholder)
154+
144155
#### Attack Tree Completeness
145156

146157
- [ ] Every Critical finding has an attack tree with minimum 3 levels of decomposition
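Review bot: the second new checklist item says "all four required elements in order" and then enumerates five (H3 heading, definition sentence, severity counts line, narrative, `Impacted findings:` line); a validator written against this line will disagree with the body text depending on which count it trusts. Change "four" to "five" here, and fix the matching "four elements in this fixed order" in the per-pattern structure later in this file in the same commit so the two counts cannot drift. The severity-counts part of that item should also say that Note-severity findings are excluded from the counts line, as the body does; otherwise a checker that reconciles the counts line against the `Impacted findings:` IDs will flag any pattern whose findings are Note-severity.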
@@ -239,6 +250,79 @@ For each surfaced chain, generate:
239250

240251
**Word count enforcement**: Each chain narrative MUST be 150-300 words. Focus on specific causal relationships between findings — avoid padding with generic security language.
241252

253+
### Section {grep-determined}: Agentic Pattern Analysis
254+
255+
**Conditional**: Only generate this section when `has-agentic-patterns` is true (orchestrator Phase 3.6 sets this boolean when at least one finding carries a non-`none` `agentic_pattern`). When `has-agentic-patterns` is false, skip this section entirely — do not include the heading or any placeholder text. When the Cross-Layer Attack Chains section (Feature 141) is also absent, the report proceeds from Section 5 directly to the next populated section.
256+
257+
**Section number — grep-determined, NOT hardcoded (per FR-011)**: Do NOT hardcode this section number. At report-generation time, count the sections you have already written (starting from Section 1: Executive Summary) and assign the next sequential integer. In the common case where Section 6 Cross-Layer Attack Chains is also rendered, this section becomes Section 7 and Remediation Roadmap shifts to Section 8, Appendix to Section 9. In the case where Cross-Layer Attack Chains is absent but Agentic Pattern Analysis is present, this section becomes Section 6. Always emit the section with the computed integer — never a placeholder like `{grep-determined}`.
258+
259+
**Placement**: AFTER the Cross-Layer Attack Chains section (Feature 141 Section 6 when present) and BEFORE the Remediation Roadmap and Appendix (Finding Reference) sections.
260+
261+
**MANDATORY**: Read `.claude/skills/tachi-shared/references/maestro-agentic-patterns-shared.md` on-demand for the six canonical pattern definitions (Section 1 of the shared reference). Each subsection's 1-sentence definition is sourced verbatim from the matching subsection (1.1 Agent Collusion, 1.2 Emergent Behavior, 1.3 Temporal Attacks, 1.4 Trust Exploitation, 1.5 Communication Vulnerabilities, 1.6 Resource Competition).
262+
263+
**FR-008 Independence Invariant (CRITICAL)**: This section MUST NOT cause any modification to `attack-chains.md` (Feature 141 artifact) or any file under `examples/*/attack-trees/`. Only prose cross-references into those artifacts are permitted (e.g., mentioning a chain ID or attack tree finding ID in a narrative). Cross-Layer Attack Chains and Agentic Patterns are independent grouping mechanisms — a single finding MAY appear in both (consistent with ADR-026 and the Feature 141 / Section 4a independence invariant).
264+
265+
**Section boilerplate** (insert verbatim at section open, using your computed section number):
266+
267+
```markdown
268+
## Section {N}: Agentic Pattern Analysis
269+
270+
This section enumerates threats by CSA MAESTRO canonical agentic pattern. Patterns are assigned during Phase 3.6 (Pattern Synthesis Engine) per [ADR-026](../../../../docs/architecture/02_ADRs/ADR-026-pattern-classification-mechanism.md) and surface cross-cutting agentic risks that emerge from multi-agent coordination, persistent state, or inter-agent communication — distinct from per-component STRIDE threats. Canonical pattern definitions are sourced from [`maestro-agentic-patterns-shared.md`](../../../../.claude/skills/tachi-shared/references/maestro-agentic-patterns-shared.md).
271+
```
272+
273+
After the boilerplate, render subsections in this order:
274+
275+
1. **Multi-Pattern Findings subsection FIRST** — if and only if at least one finding carries `agentic_pattern: multiple`. See "Multi-Pattern Findings Subsection" below.
276+
2. **Per-pattern subsections** — one per pattern with non-zero finding count, ordered per FR-013.
277+
278+
#### Per-Pattern Subsection Structure
279+
280+
For each pattern with ≥1 finding, render an H3 subsection containing four elements in this fixed order:
281+
282+
1. **H3 heading**: `### {Pattern Display Name}` (e.g., `### Agent Collusion`, `### Emergent Behavior`, `### Temporal Attacks`, `### Trust Exploitation`, `### Communication Vulnerabilities`, `### Resource Competition`). Use the display name from Section 1 of the shared reference (title-cased form), NOT the enum value (which is lowercase snake_case).
283+
2. **Definition line (1 sentence)**: Verbatim 1-sentence canonical definition sourced from `maestro-agentic-patterns-shared.md` Section 1.{1-6}. Do NOT paraphrase — copy the first sentence of the pattern's Definition paragraph from the shared reference. This preserves the load-on-demand contract and keeps the canonical source authoritative.
284+
3. **Severity counts line**: Exactly this format: `Critical: N | High: N | Medium: N | Low: N` (four counts, pipe-separated, always all four severity levels shown even when a count is zero; Note-severity findings are excluded from this line per Feature 141 Section 6 precedent).
285+
4. **Narrative (100-200 words)**: Describe this pattern's manifestation in THIS architecture. SYNTHESIZE the concrete architectural situation using (a) the component names and types of impacted findings, (b) the architectural context from Section 2 (trust boundaries, data flows), and (c) the finding descriptions themselves. Do NOT paste a canned template — the narrative must be architecture-specific. You MAY cross-reference a Cross-Layer Attack Chain membership in prose when relevant (e.g., "**AG-1** (Agent Collusion) also participates in CHAIN-002, where it enables the subsequent tampering pivot on the Specialist Agent"), but this is PROSE ONLY — do NOT modify `attack-chains.md` or any attack tree file. When the narrative would otherwise exceed 200 words, prefer tightening the architectural description over dropping the finding IDs.
286+
5. **Impacted findings line**: Exactly this format: `Impacted findings: {ID1}, {ID2}, {ID3}` (comma-space-separated, in the order they appear in Sections 3 and 4 of `threats.md`). Finding IDs are the raw identifiers (e.g., `F-12`, `AG-1`, `AGP-01`) and act as inline anchors into the Appendix: Finding Reference.
287+
288+
#### Subsection Ordering (per FR-013)
289+
290+
Order per-pattern subsections by:
291+
292+
1. **Primary sort**: maximum severity descending (Critical > High > Medium > Low > Note). A subsection's max severity is the highest severity present among its tagged findings.
293+
2. **Secondary sort**: finding count descending (more findings render before fewer findings).
294+
3. **Tertiary sort**: pattern enum order (agent_collusion < emergent_behavior < temporal_attack < trust_exploitation < communication_vulnerability < resource_competition).
295+
296+
Note on the tertiary tiebreaker: this deliberately diverges from Feature 141 Section 6's alphabetic `chain_id` tertiary tiebreaker because pattern enum order carries semantic meaning (CSA canonical ordering) while `chain_id` is an arbitrary uniqueness token. See `.claude/skills/tachi-threat-reporting/references/narrative-templates.md` for the full rationale.
297+
298+
#### Zero-Finding Subsections Suppressed (FR-013)
299+
300+
If a pattern has zero findings in this architecture, its subsection is OMITTED entirely — do not render an empty subsection, a "no findings" placeholder, or a struck-through heading. Only populated subsections appear.
301+
302+
#### Multi-Pattern Findings Subsection
303+
304+
If ANY finding has `agentic_pattern: multiple`, render a dedicated subsection titled exactly:
305+
306+
```markdown
307+
### Multi-Pattern Findings
308+
309+
{1-2 sentence intro explaining that these findings exemplify two or more patterns equally, drawn from the multi-pattern semantics in ADR-026 and `maestro-agentic-patterns-shared.md`.}
310+
311+
{For each multi-pattern finding:}
312+
- **{FINDING-ID}** — {Brief 1-sentence description of the finding} Patterns: {Pattern A}, {Pattern B}{, Pattern C if applicable}.
313+
```
314+
315+
Render the Multi-Pattern Findings subsection FIRST (before any per-pattern subsection) because the compound-pattern case carries the most architectural significance (per plan.md Open Questions Resolution). Multi-pattern findings ALSO appear under EACH of their matching pattern subsections below — do NOT exclude a multi-pattern finding from a per-pattern subsection's `Impacted findings:` line.
316+
317+
#### Chain-Membership Cross-References (OPTIONAL)
318+
319+
When a pattern-tagged finding is also a member of a Cross-Layer Attack Chain (Feature 141 Section 6), you MAY cross-reference the chain membership in the pattern subsection's narrative. Example phrasings:
320+
321+
- "**AG-1** (Agent Collusion) participates in **CHAIN-002** — the collusion pattern here is the initial exploit that triggers the subsequent Privilege Escalation cascade."
322+
- "Two of the Emergent Behavior findings (**AGP-01**, **AGP-02**) are members of **CHAIN-001** and contribute the terminal impact."
323+
324+
Keep cross-references concise (one clause per chain) and prefer narrative integration over footnote-style notation. Cross-referencing is OPTIONAL — omit when it would force the narrative over the 200-word cap or when the chain membership does not add architectural insight. The reverse reference (from Section 6 Cross-Layer Attack Chains back to the pattern subsection) is not required — chains and patterns are independent groupings, and double-linking is not a guarantee.
325+
242326
### Section 7: Remediation Roadmap
243327

244328
**MANDATORY**: Read `.claude/skills/tachi-threat-reporting/references/narrative-templates.md` for priority ordering, roadmap item format, section introduction structure, and effort estimation heuristics.
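Review bot: the severity counts line excludes Note-severity findings, but the ordering rule treats Note as a valid max severity and the render rule is "each pattern with ≥1 finding"; a pattern whose only findings are Note-severity would therefore render as `Critical: 0 | High: 0 | Medium: 0 | Low: 0` followed by a populated `Impacted findings:` line, which reads like an error. State explicitly whether a Note-only pattern subsection is rendered with an all-zero counts line or suppressed under the zero-finding rule. Two smaller points in the same hunk: "four elements in this fixed order" is followed by five numbered items, so make it "five"; and the H3 display names use the plural "Temporal Attacks" (and the shared-reference heading is listed as "1.3 Temporal Attacks") while the enum is `temporal_attack` and the commit message says "Temporal Attack", so confirm the title-cased form in the shared reference matches what the heading check expects. Lastly, the boilerplate hard-codes a `../../../../` prefix for the ADR-026 and shared-reference links; if the report can be emitted at a different directory depth (the file already refers to `examples/*/attack-trees/`), those links break silently, so either fix the output depth or compute the prefix.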

.claude/skills/tachi-orchestration/references/dispatch-rules.md

Lines changed: 59 additions & 1 deletion
@@ -317,4 +317,62 @@ Signal 3 (layer adjacency) refines the transition type using the lookup table in
317317
- Patterns: `.claude/skills/tachi-shared/references/attack-chain-patterns-shared.md`
318318
- Layers: `.claude/skills/tachi-shared/references/maestro-layers-shared.md`
319319
320-
After Phase 3.5 completes (or is skipped when no cross-layer chains exist), proceed to Phase 4: Assess.
320+
After Phase 3.5 completes (or is skipped when no cross-layer chains exist), proceed to Phase 3.6: Pattern Synthesis Engine.
321+
322+
---
323+
324+
## Phase 3.6: Pattern Synthesis Engine (Feature 142)
325+
326+
Phase 3.6 runs after Phase 3.5 cross-layer chain correlation and before Phase 4 Assess. It synthesizes the `agentic_pattern` field on every deduplicated finding using a deterministic rule-based classification engine, and optionally emits net-new findings for previously-uncovered CSA MAESTRO patterns (Agent Collusion, Emergent Behavior, Temporal Attack). See [`ADR-026`](../../../docs/architecture/02_ADRs/ADR-026-pattern-classification-mechanism.md) for the authoritative mechanism decision and governance rule for future post-hoc synthesis phases.
327+
328+
### Placement
329+
330+
```
331+
Phase 3.5: Cross-Layer Attack Chain Correlation (Feature 141)
332+
└── Emits attack-chains.md (conditional aggregate artifact)
333+
Phase 3.6: Pattern Synthesis Engine <-- NEW (Feature 142)
334+
├── Evaluate multi-agent gate predicate (FR-006)
335+
├── Apply classification rule table to each finding
336+
├── Generate net-new findings for uncovered patterns (id prefix AGP-)
337+
└── Set has-agentic-patterns boolean
338+
Phase 4: Assess
339+
├── Coverage matrix
340+
├── Risk summary
341+
└── SARIF output (with maestro-pattern:<name> tags)
342+
```
343+
344+
### Input Contract
345+
346+
Phase 3.6 consumes:
347+
1. **Deduplicated finding IR** (post-Phase 3.5): each finding has `component`, `maestro_layer`, `category`, `severity`, `description`
348+
2. **Phase 1 component inventory**: component names, DFD types, MAESTRO layer assignments, and agentic/llm category classification from existing dispatch keywords
349+
3. **Data flow graph**: source → target component relationships (for inter-agent channel detection)
350+
4. **Architecture description** (free-text source): consumed by the multi-agent gate predicate substring search
351+
5. **Classification rule table + multi-agent gate predicate spec**: loaded from `.claude/skills/tachi-shared/references/maestro-agentic-patterns-shared.md`
352+
353+
### Output Contract
354+
355+
Phase 3.6 produces:
356+
1. **Finding IR with `agentic_pattern` populated on every finding** — one of six canonical patterns (`agent_collusion`, `emergent_behavior`, `temporal_attack`, `trust_exploitation`, `communication_vulnerability`, `resource_competition`), or `none`, or `multiple`. This is a **write-back** to the finding IR (per ADR-026 governance rule for finding-level metadata synthesis).
357+
2. **Optional net-new findings** with id prefix `AGP-` (e.g., `AGP-01`, `AGP-02`) for previously-uncovered patterns when the architectural context matches a rule marked `generates_finding_when_no_match: true` AND no existing finding already carries that pattern label.
358+
3. **`has-agentic-patterns` boolean** (derived: true iff at least one finding has non-`none` pattern) — consumed by Phase 5 (threat-report agent Agentic Pattern Analysis section) and by the PDF pipeline for conditional section inclusion.
359+
360+
### Independence Invariants
361+
362+
Phase 3.6 preserves three independence invariants:
363+
364+
1. **Does NOT modify or extend `attack-chains.md`** (FR-008) — the Phase 3.5 aggregate artifact is unchanged. Pattern data lives on the finding IR, not in the chain artifact. Pattern grouping and cross-layer chain grouping are independent mechanisms: a finding may participate in both without conflict.
365+
2. **Does NOT invoke or modify any of the 11 detection agents** (zero-edit invariant per ADR-026) — the 6 STRIDE agents and 5 AI agents remain byte-identical. Phase 3.6 reads the deduplicated finding IR but does not reopen the Feature 082 stabilization.
366+
3. **Independent from Phase 3 Section 4a intra-component correlation** — pattern field is finding-level metadata; Section 4a is a presentation-time grouping mechanism. They are orthogonal and a finding may appear in both without conflict.
367+
368+
### Determinism
369+
370+
Pattern classification is rule-based and deterministic per ADR-021: each rule's `match_conditions` is structurally evaluated (exact enum match, regex, boolean topology check, case-insensitive substring) with no LLM judgment. Same input (finding IR + architecture + rule table) → same output on every run. Matches Feature 141 Phase 3.5 transition lookup table determinism.
371+
372+
### Reference
373+
374+
- Decision: `docs/architecture/02_ADRs/ADR-026-pattern-classification-mechanism.md` (authoritative — records the write-back model governance rule and the four-option mechanism trade-off)
375+
- Patterns: `.claude/skills/tachi-shared/references/maestro-agentic-patterns-shared.md` (rule table, multi-agent gate predicate spec, six canonical pattern definitions, coverage mapping)
376+
- Schema: `schemas/finding.yaml` v1.4 (`agentic_pattern` enum field)
377+
378+
After Phase 3.6 completes, proceed to Phase 4: Assess.
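Review bot: the Placement diagram evaluates the multi-agent gate predicate before the rule table, but neither the Input Contract nor the Output Contract says what happens when the gate is false. Spell out whether classification is skipped entirely (every finding written back as `none`, `has-agentic-patterns` false, no `AGP-` findings) or whether the rule table still runs and only net-new finding generation is gated; a downstream consumer cannot tell from this text whether `agentic_pattern: none` means "evaluated and no match" or "not evaluated". Related: the introduction names exactly three patterns (Agent Collusion, Emergent Behavior, Temporal Attack) as eligible for net-new findings, while the Output Contract ties generation to any rule marked `generates_finding_when_no_match: true`; either say that those three are precisely the rules so marked, or drop the list and defer to the rule table, so the two statements cannot diverge. Since the gate is a case-insensitive substring search over free-text architecture description, it is deterministic but wording-sensitive: a reworded or renamed component in the description can flip the gate and silently change every write-back, which is worth a one-line caveat next to the Determinism paragraph. That paragraph also cites ADR-021, which the Reference list does not include; add it alongside ADR-026.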
