davidmatousek
diff --git a/‎.claude/agents/tachi/report-assembler.md‎
Lines changed: 10 additions & 0 deletions b/‎.claude/agents/tachi/report-assembler.md‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎.claude/agents/tachi/threat-infographic.md‎
Lines changed: 42 additions & 3 deletions b/‎.claude/agents/tachi/threat-infographic.md‎
Lines changed: 42 additions & 3 deletions
diff --git a/‎.claude/commands/tachi.infographic.md‎
Lines changed: 11 additions & 5 deletions b/‎.claude/commands/tachi.infographic.md‎
Lines changed: 11 additions & 5 deletions
diff --git a/‎.claude/skills/tachi-infographics/SKILL.md‎
Lines changed: 11 additions & 6 deletions b/‎.claude/skills/tachi-infographics/SKILL.md‎
Lines changed: 11 additions & 6 deletions
@@ -229,3 +229,13 @@ When the extraction script detects baseline data in `threats.md` frontmatter, `r
 2. **Active findings table**: Annotate findings with `delta_status: "NEW"` using a visual indicator (e.g., bold or badge) to highlight newly discovered threats.
 3. **Resolved findings section**: When `resolved-findings` is non-empty, render a separate "Resolved Findings" section after the active findings table. This section lists remediated threats for audit trail.
 4. **No-baseline behavior**: When `has-baseline` is false, render findings as before (no separation, no annotations, no resolved section). All delta variables default to zero/empty.
+
+### Executive Threat Architecture Page
+
+When the extraction script detects a `threat-executive-architecture.jpg` image in the target directory, `report-data.typ` includes an additional image flag and path for the executive architecture infographic page:
+
+| Artifact | Typst flag | Presence rule | Consumed by |
+|----------|-----------|---------------|-------------|
+| `threat-executive-architecture.jpg` | `has-executive-architecture` (boolean) | File exists in target directory AND file size > 0 | `infographic-page()` call in `main.typ`, positioned immediately after the Executive Summary page and immediately before the Attack Path Analysis conditional block |
+
+The Executive Threat Architecture infographic, when present, is rendered on a full-bleed portrait page immediately after the Executive Summary and before any Attack Path Analysis pages, placing the visual threat narrative within an executive reader's normal attention window. When the image is absent (for example, because no Critical or High findings qualified for callouts), the `has-executive-architecture` conditional is false and the page is omitted entirely, preserving byte-identical output against pre-existing baselines.
@@ -68,11 +68,25 @@ You must not require any other input -- you run in a fresh context with only the
 | `baseball-card` | `threat-baseball-card-spec.md` + `threat-baseball-card.jpg` | Compact risk summary dashboard: donut chart, STRIDE+AI heat map, critical finding cards, architecture overlay strip |
 | `system-architecture` | `threat-system-architecture-spec.md` + `threat-system-architecture.jpg` | Annotated architecture diagram: trust zones, components with attack surface badges, data flow arrows colored by severity, finding IDs overlaid |
 | `risk-funnel` | `threat-risk-funnel-spec.md` + `threat-risk-funnel.jpg` | 4-tier vertical funnel showing progressive risk reduction: threats identified, inherent risk scored, controls applied, residual risk |
-| `all` | All three sets of files | Generate all three templates (default) |
+| `executive-architecture` | `threat-executive-architecture-spec.md` + `threat-executive-architecture.jpg` | Executive-audience layered architecture diagram with narrative threat callouts for Critical/High findings, rendered in portrait orientation for the security report's early pages |
+| `all` | All sets of files | Generate all templates (default) |
 
-**Alias**: `corporate-white` maps to `baseball-card`.
+**Aliases**: `corporate-white` maps to `baseball-card`; `exec` maps to `executive-architecture`.
 
-When template is `all`, produce all three templates sequentially -- first Baseball Card, then System Architecture, then Risk Funnel. Each produces its own spec + image.
+When template is `all`, produce all templates sequentially -- Baseball Card, System Architecture, Risk Funnel, Executive Architecture. Each produces its own spec + image.
+
+### executive-architecture Template Specification
+
+The spec file `threat-executive-architecture-spec.md` is rendered from the JSON payload emitted by `scripts/extract-infographic-data.py --template executive-architecture`. The payload shape is defined in `specs/128-prd-128-executive/data-model.md` (`ExecutiveArchitecturePayload`).
+
+The spec MUST contain six sections matching the schema enumeration in `schemas/infographic.yaml`:
+
+1. **Metadata** -- Rendered from `metadata`: template_name, tier_source, source_file, generation_timestamp, qualifying_layer_count, total_filtered_count, skip_image, fallback_used.
+2. **Architecture Layers** -- Rendered from `layers[]`: each layer's name, position, components list, component_count, source_kind. Layers are already ordered with the most-exposed (untrusted or lowest-trust zone) at position 0 when `source_kind == "trust_zone"`.
+3. **Threat Callouts** -- Rendered from `callouts[]`: each callout's layer_name, finding_id, severity, raw_description, composite_score, affected_component. The raw_description is the unmodified source text; the Gemini prompt is responsible for rewriting it to ≤25 words of plain English.
+4. **Severity Distribution** -- Rendered from `severity_distribution`: Critical and High counts only (Medium/Low/Note are not shown in this template).
+5. **Visual Layout Directives** -- Portrait orientation, pastel layer bands untrusted-first, red dashed-border callouts. Derived from `visual_directives` in `schemas/infographic.yaml`.
+6. **Gemini Prompt Construction Notes** -- Embedded prompt text for the optional JPEG rendering step.
 
 ### Output
 
@@ -199,6 +213,31 @@ The output `threat-{template-name}-spec.md` contains YAML frontmatter and 6 requ
 
 ---
 
+## Executive-Architecture Gemini Prompt Construction
+
+When generating the `threat-executive-architecture.jpg` image via Gemini API, the prompt MUST instruct Gemini to:
+
+- **Render in portrait orientation** with an 8.5x11 aspect ratio suitable for embedding as a full-bleed page in the security report PDF.
+- **Arrange architectural layers as horizontal bands** stacked vertically, with the most exposed layer (position 0) at the TOP of the diagram and the most trusted layer at the BOTTOM. Untrusted zones and public-facing components belong at the top.
+- **Use pastel fills** for each layer band, cycling from the color palette defined in `schemas/infographic.yaml` under `visual_directives`: `#F0F4FF`, `#FFF4F0`, `#F0FFF4`, `#FFF0F8`, `#F8F0FF`. Cycle through the palette if there are more layers than colors.
+- **Place red dashed-border callout boxes** (2pt border weight, color `#DC2626`) with warning triangle icons next to each layer. Each callout box is connected to its associated `affected_component` within the layer via a leader line.
+- **Rewrite each callout's `raw_description`** to ≤25 words in plain English with no technical jargon. The goal is an executive audience who reads one sentence per callout in under 5 seconds. Avoid terms like "endpoint," "payload," "injection," "JWT," or "RBAC" without explanation. Prefer verbs like "attacker could steal," "system could leak," "user could impersonate."
+- **Use large readable typography** for layer names (24pt+) and callout text (14pt+); the infographic must be legible when printed on a letter-size page.
+- **Reference the `visual_directives` block** from `schemas/infographic.yaml` for the exact color palette, border weights, and orientation constraints.
+
+The prompt must be constructed from the JSON payload fields, not hardcoded. Layer names, component lists, and callout text all come from the emitted payload.
+
+### Skip Image Edge Case
+
+When the payload's `metadata.skip_image == True` (i.e., the threat model contains zero Critical and zero High severity findings), the agent MUST:
+
+1. **Render the spec file** with a clear explanatory note in the Threat Callouts section: "No Critical or High severity findings were identified in this threat model; the executive architecture diagram is omitted for this report run. Layer composition is preserved below for reference."
+2. **NOT invoke the Gemini API** for this run. No JPEG file is produced. Downstream PDF compilation will omit the executive architecture page entirely because the `threat-executive-architecture.jpg` file does not exist.
+
+This graceful degradation preserves the report structure while avoiding a misleading "no-threats" diagram.
+
+---
+
 ## Quality Standards
 
 ### Output Structural Validation Checklist
 
@@ -14,14 +14,15 @@ Consider user input before proceeding (if not empty).
 
 1. If `$ARGUMENTS` contains `--template <value>`:
    - Set `template` to the specified value
-   - Valid values: `baseball-card`, `system-architecture`, `risk-funnel`, `maestro-stack`, `maestro-heatmap`, `all`, `maestro`, `corporate-white`
+   - Valid values: `baseball-card`, `system-architecture`, `risk-funnel`, `maestro-stack`, `maestro-heatmap`, `executive-architecture`, `all`, `maestro`, `corporate-white`, `exec`
    - If value is `corporate-white`: resolve alias to `baseball-card`
+   - If value is `exec`: resolve alias to `executive-architecture`
    - If value is `maestro`: expand shorthand to `["maestro-stack", "maestro-heatmap"]` — generate both sequentially
    - If value is not in the valid list, display:
      ```
      INVALID TEMPLATE: {value}
-     Valid templates: baseball-card, system-architecture, risk-funnel, maestro-stack, maestro-heatmap, all, maestro
-     Aliases: corporate-white → baseball-card, maestro → maestro-stack + maestro-heatmap
+     Valid templates: baseball-card, system-architecture, risk-funnel, maestro-stack, maestro-heatmap, executive-architecture, all, maestro
+     Aliases: corporate-white → baseball-card, exec → executive-architecture, maestro → maestro-stack + maestro-heatmap
      ```
    - Halt if invalid.
    - Strip `--template <value>` from `$ARGUMENTS` (trim extra whitespace)
@@ -160,9 +161,10 @@ Single-command entry point for tachi threat infographic generation — the visua
        --output /tmp/infographic-{template_name}.json
 
    Template expansion:
-   - "all" expands to: baseball-card, system-architecture, risk-funnel. Then check if data source contains MAESTRO layer data (grep for "MAESTRO Layer" or "maestro_layer" in the data source file) — if present, also append maestro-stack and maestro-heatmap (up to 5 runs total).
+   - "all" expands to: baseball-card, system-architecture, risk-funnel, executive-architecture. Then check if data source contains MAESTRO layer data (grep for "MAESTRO Layer" or "maestro_layer" in the data source file) — if present, also append maestro-stack and maestro-heatmap (up to 6 runs total).
    - "maestro" expands to: maestro-stack, maestro-heatmap (2 runs, sequential)
-   - Individual templates (baseball-card, system-architecture, risk-funnel, maestro-stack, maestro-heatmap): 1 run
+   - "exec" resolves to: executive-architecture (alias, 1 run)
+   - Individual templates (baseball-card, system-architecture, risk-funnel, maestro-stack, maestro-heatmap, executive-architecture): 1 run
 
    Step 2: Read the JSON output and generate the spec file per your methodology.
      - If the JSON contains a "delta" object (has_baseline: true), include delta context
@@ -235,6 +237,10 @@ Where:
 /infographic --template baseball-card
 /infographic --template system-architecture
 
+# Executive architecture template (Feature 128 — placed after Executive Summary in PDF)
+/infographic --template executive-architecture
+/infographic --template exec              # alias: resolves to executive-architecture
+
 # MAESTRO templates (require MAESTRO layer data from Feature 084)
 /infographic --template maestro-stack
 /infographic --template maestro-heatmap
 
@@ -14,7 +14,7 @@ The infographic generation pipeline transforms structured threat model output in
 1. **Infographic Specification** (`threat-{template-name}-spec.md`) -- A 6-section structured document containing all data points, color coding, layout instructions, and text content needed to render a presentation-ready infographic. This is the primary deliverable.
 2. **Infographic Image** (`threat-{template-name}.jpg`) -- A JPEG image rendered from the specification via Gemini API. This is a best-effort deliverable, conditional on API key availability.
 
-The pipeline supports five templates:
+The pipeline supports six templates:
 
 | Template | Purpose | Audience |
 |----------|---------|----------|
@@ -23,19 +23,23 @@ The pipeline supports five templates:
 | Risk Funnel | 4-tier vertical funnel showing progressive risk reduction through the pipeline | Risk management |
 | MAESTRO Stack | Vertical seven-layer stack diagram showing finding counts and highest severities per MAESTRO layer (L1-L7) | CISO / security management |
 | MAESTRO Heatmap | Component-by-layer grid with severity coloring at each intersection | Security engineers |
+| Executive Architecture | Portrait layered architecture diagram with Critical/High threat callouts, positioned immediately after the Executive Summary in the compiled PDF | CISO / board / executive sponsors |
 
-Each template shares the same Sections 1-4 format (metadata, risk distribution, coverage heat map, top findings) but has a unique Section 5 (Architecture Threat Overlay) layout.
+The first five templates share the same Sections 1-4 format (metadata, risk distribution, coverage heat map, top findings) but have a unique Section 5 (Architecture Threat Overlay) layout. Executive Architecture uses a distinct six-section structure (Metadata, Architecture Layers, Threat Callouts, Severity Distribution, Visual Layout Directives, Gemini Prompt Construction Notes) and is the only template rendered in portrait orientation — see `references/executive-architecture.md` for the full specification.
 
 ### Template Shorthands
 
 | Shorthand | Expands To | Description |
 |-----------|-----------|-------------|
-| `all` | `baseball-card`, `system-architecture`, `risk-funnel` | Generate all three core templates |
+| `all` | `baseball-card`, `system-architecture`, `risk-funnel`, `executive-architecture` | Generate all four core templates (conditionally extends with MAESTRO templates when MAESTRO data is present) |
 | `maestro` | `maestro-stack`, `maestro-heatmap` | Generate both MAESTRO templates sequentially |
+| `exec` | `executive-architecture` | Single-template alias (not a compound expansion) |
 | `corporate-white` | `baseball-card` | Legacy alias |
 
 When the infographic command receives `maestro` as the template value, it expands to `["maestro-stack", "maestro-heatmap"]` and generates both sequentially. The MAESTRO templates require MAESTRO layer data in threats.md (Feature 084); when MAESTRO data is absent, a graceful empty state is rendered.
 
+The `executive-architecture` template (and its `exec` alias) is distinct from the other templates in two ways: it is rendered in portrait orientation rather than 16:9 landscape, and it uses a six-section structure instead of the shared Sections 1-5 format. When no Critical or High severity findings exist in the threat model, the spec file is still produced but the image is not — see `references/executive-architecture.md` for the full skip behavior specification.
+
 ## Data Source Types
 
 The infographic agent consumes one of three data source types, auto-detected by richness:
@@ -52,7 +56,8 @@ Reference files are loaded on-demand by the threat-infographic agent at specific
 
 | Reference | File | Load When |
 |-----------|------|-----------|
-| Infographic Specifications | `references/infographic-specifications.md` | Generating Sections 1-4 of any template specification |
-| Template-Specific Formats | `references/template-specific-formats.md` | Generating Section 5 for any template (Baseball Card, System Architecture, or Risk Funnel) |
+| Infographic Specifications | `references/infographic-specifications.md` | Generating Sections 1-4 of any shared-format template (Baseball Card, System Architecture, Risk Funnel, MAESTRO Stack, MAESTRO Heatmap) |
+| Template-Specific Formats | `references/template-specific-formats.md` | Generating Section 5 for any shared-format template |
+| Executive Architecture | `references/executive-architecture.md` | Generating the full six-section spec for the `executive-architecture` template (or its `exec` alias) — distinct section structure, portrait orientation, and PDF positioning rules |
 | Gemini Prompt Construction | `references/gemini-prompt-construction.md` | Constructing the Gemini API image generation prompt after specification is complete |
-| Visual Design System | `references/visual-design-system.md` | Generating Section 6 (Visual Design Directives) and populating template styling |
+| Visual Design System | `references/visual-design-system.md` | Generating Section 6 (Visual Design Directives) and populating template styling for the shared-format templates |