feat(141): MAESTRO Phase 2 — Cross-Layer Attack Chain Analysis #159

Merged: davidmatousek merged 11 commits into main from 141-maestro-phase-2 (Apr 12, 2026)

@davidmatousek
Owner

Summary

  • Implements cross-layer attack chain correlation engine that identifies multi-layer MAESTRO attack paths from threat findings
  • Adds attack-chains.md artifact with chain detection, impact amplification scoring, and mitigation sequencing
  • Extends threat report with Section 6 narrative for cross-layer attack chains
  • Adds attack chain diagram pages to PDF security report via new Typst template
  • Schema bump: finding.yaml gains chain_id, chain_role, amplification_factor fields
  • New shared parser parse_attack_chains() in tachi_parsers.py; 800+ lines of new test coverage
  • All 6 examples regenerated; 5 PDF baselines byte-identical (backward compatible)

Commits

  • feat(141): add Section 6 Cross-Layer Attack Chains to threat report agent
  • feat(141): expand threat-report input contract for attack-chains.md
  • feat(141): validate threat report narrative against agentic-app (T015)
  • feat(141): implement Waves 1-4 — schema, parser, correlation engine, threat report narrative
  • feat(141): implement Wave 5 — PDF attack chain diagram pages (T016-T021)
  • feat(141): implement Wave 6 — example regeneration and chain artifact (T022-T028)
  • feat(141): implement Wave 7 — ADR, README, final validation (T029-T033)
  • fix(141): address P2 architect review MEDIUM concerns
  • security(141): run security scan

Governance

  • 34/34 tasks complete across 7 waves
  • Checkpoints: P0 APPROVED, P1 APPROVED, P2 APPROVED (all concerns addressed)
  • Final Validation: Architect APPROVED, Security PASSED
  • SAST: PASSED (4 files scanned), SCA: SKIPPED (no dependency changes)

Test plan

  • Verify pytest tests/scripts/test_attack_chain*.py passes
  • Verify pytest tests/scripts/test_backward_compatibility.py passes (5 baselines byte-identical)
  • Verify agentic-app example contains attack-chains.md with valid chain data
  • Verify PDF report includes attack chain diagram pages when chains are present

🤖 Generated with Claude Code

davidmatousek and others added 11 commits April 12, 2026 14:29
…gent

Insert conditional Section 6 after Attack Trees (Section 5) in the
threat-report agent workflow. Renumber Remediation Roadmap (6→7),
Appendix (7→8), Delta Summary (8→9) across agent, template, and
schema. Add Attack Chain quality validation checklist items.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Update frontmatter description, Core Mission, Metadata, Skill
References, Input Contract, and Input Validation to document
attack-chains.md as conditional input consumed by Section 6.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Design validation confirms Section 6 instructions produce valid output
for the agentic-app example: 6/7 MAESTRO layers covered, at least one
3-layer chain (L2→L1→L3) structurally possible, all causal vocabulary
referenced, 150-300 word constraint specified, CSA canonical structure
(initial exploit → intermediate cascades → business impact) aligned.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…threat report narrative

Wave 1: Create attack-chain.yaml schema, correlation pattern lookup table,
and orchestration documentation (T001-T004).
Wave 2: Add parse_attack_chains() to tachi_parsers.py with detect_artifacts
support, insert Phase 3.5 skeleton into orchestrator (T005-T006).
Wave 3: Full correlation engine — cross-layer detection, chain assembly,
chain-breaking heuristic, artifact generation, 26 unit tests (T007-T012).
Wave 4: Threat report Section 6 with conditional chain narratives using
canonical CSA MAESTRO vocabulary (T013-T015).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Add cross-layer attack chain rendering to the PDF security report:
- Chain parsing + Mermaid flowchart TD generation in extract-report-data.py
  with vertical MAESTRO layer stack (L1 top → L7 bottom), colored nodes,
  and causal edge labels (T016, T016a)
- New attack-chain.typ Typst template with severity badge, layer progression
  tag, diagram section, narrative, and finding IDs footer (T017)
- main.typ: import + has-attack-chains default + conditional page sequencing
  after Attack Path Analysis section (T018)
- mmdc preflight gate extended for attack-chains.md (T019)
- 27 integration tests: parser, Mermaid syntax, Typst data, conditional gate (T020)
- Validated: template compiles, 5/5 backward compat PDFs byte-identical (T021)

100/100 tests pass (27 new + 73 existing, zero regressions).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Waves 1-5 complete (22/34 tasks, 65%). P0+P1 checkpoints passed.
Next: Wave 6 example regeneration (pipeline execution).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

… (T022-T028)

- T022: Architecture assessment — 6 MAESTRO layers sufficient for 3+ layer chains
- T023: Created attack-chains.md with 5 chains (4 surfaced), updated threat-report.md
  with Section 6 (Attack Chains), regenerated PDF with chain diagram pages
- T023 fix: Normalize long-form MAESTRO layer values (e.g., "L1 — Foundation Model")
  to short-form codes (L1) in generate_chain_mermaid() for valid Mermaid node IDs
- T024-T028: 5 non-chain examples verified byte-identical (5/5 backward compat pass)
- Full test suite: 100/100 pass

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- T029: ADR-020 updated with Phase 2 cross-layer correlation section
  documenting pipeline placement, correlation algorithm, chain schema, and
  downstream propagation
- T030: Backward-compat baselines verified (5/5 byte-identical)
- T031: Full pytest suite 100/100 pass
- T032: README.md updated with attack-chains.md artifact, chain diagram
  pages, and mmdc prerequisite clarification
- T033: All 7 success criteria (SC-001 through SC-007) validated

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- MEDIUM-001: Normalize MAESTRO layer names in Mermaid diagram labels
  from "&" shorthand to canonical "and" (L5 "Evaluation and Observability",
  L6 "Security and Compliance") matching Feature 136 canonical CSA names
- MEDIUM-002: Replace branded "OWASP 3x3" reference in attack-chain.yaml
  with "risk matrix in severity-bands-shared.md" per Feature 082 SC-004

100/100 pytest pass after fixes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

SAST: 4 files scanned, 0 findings (PASSED)
SCA: skipped (no manifests changed)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@davidmatousek davidmatousek merged commit 5a108e9 into main Apr 12, 2026
@davidmatousek davidmatousek deleted the 141-maestro-phase-2 branch April 12, 2026 19:40
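
The layer normalization from the T023 fix and the "&" to "and" label fix from MEDIUM-001, shown as an added example that is not the project's code. The function names, step dictionary keys and sample chain are assumptions; the L2, L3, L4 and L7 layer names come from the CSA MAESTRO framework rather than from this page.

```python
import re

# Short code -> label. L1, L5 and L6 are spelled as in the commit messages above.
MAESTRO_LAYERS = {
    "L1": "Foundation Model",
    "L2": "Data Operations",
    "L3": "Agent Frameworks",
    "L4": "Deployment and Infrastructure",
    "L5": "Evaluation and Observability",
    "L6": "Security and Compliance",
    "L7": "Agent Ecosystem",
}
_LAYER_CODE = re.compile(r"^\s*(L[1-7])\b")


def layer_code(value):
    """Reduce 'L1 — Foundation Model' (or plain 'L1') to the short code 'L1'.

    A long-form value contains spaces and a dash, so it cannot be used as a
    Mermaid node ID; anything that is not L1..L7 is rejected, not guessed at.
    """
    match = _LAYER_CODE.match(value)
    if not match:
        raise ValueError(f"not a MAESTRO layer value: {value!r}")
    return match.group(1)


def mermaid_label(text):
    """Make free text safe inside a double-quoted Mermaid label."""
    return text.replace('"', "#quot;").replace("&", "and")


def chain_to_mermaid(steps):
    """steps: ordered dicts with 'layer' and 'causes' (edge label to the next step)."""
    lines = ["flowchart TD"]
    for code in sorted({layer_code(s["layer"]) for s in steps}):  # one node per layer
        lines.append(f'    {code}["{code}: {mermaid_label(MAESTRO_LAYERS[code])}"]')
    for src, dst in zip(steps, steps[1:]):
        a, b = layer_code(src["layer"]), layer_code(dst["layer"])
        lines.append(f'    {a} -->|"{mermaid_label(src["causes"])}"| {b}')
    return "\n".join(lines)


# Constructed sample: the L2 -> L1 -> L3 chain shape mentioned in the T015 commit.
SAMPLE_CHAIN = [
    {"layer": "L2 — Data Operations", "causes": "poisons context & prompts"},
    {"layer": "L1 — Foundation Model", "causes": "enables"},
    {"layer": "L3", "causes": ""},
]
```
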