feat: agent-friendly threat-model authoring end to end#19
Merged
Conversation
This was referenced Jul 8, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
feat: agent-friendly threat-model authoring end to end
What & why
TMForge could author
.tm7models verb-by-verb, but only by GUID and everyaddreturned afresh GUID that changed on every rebuild, so any non-trivial model had to be authored as a
GUID-capturing shell script, and no companion doc or report could cite a stable id. Authoring was
also imperative-only: the diagram diffed poorly and there was no reviewable source of truth. This
threads ergonomic, reviewable authoring through the CLI stable references, a declarative manifest,
logical boundaries, auto-layout, and better discoverability driven by real agent-authoring feedback.
Highlights
add --alias P1gives an element a durable handle and a deterministicid (the same alias → the same GUID across rebuilds, so docs/reports can cite it).
connect/set/remove/rename/shownow resolve GUID, alias, or unique name.tmforge apply <manifest.json>builds a whole model in memory and writesit atomically (all-or-nothing,
--dry-run, idempotent re-runs);tmforge exportemits adiffable JSON manifest from any model. A model becomes reviewable model-as-code in a PR.
add --boundary <ref>records trust-boundary membership and placesthe element inside it (so crossings are computed and membership round-trips through
export); newtmforge layoutapplies a deterministic layered auto-layout so authors never hand-place coordinates.AuthenticationSchemeproperty; TM1023 clearswhen an external declares a scheme (e.g. a token or public key), so the finding is resolvable in-model.
properties --explainmaps each property value → the rule + severity ittriggers (predict lint before running it); new
tmforge schemadocuments the--jsonenvelope andevery command's
datashape, so automation isn't written against probed output.report --format svgwrites a standalone diagram (all pages stacked) for PR review,distinct from the HTML report.
--help, andschemaare now generated from a singleCommandCatalog, so adding a verb updates all three at once and can't drift out of sync (test-guarded).