Skip to content

feat: Add threat-model-architect template#211

Open
Kushagra1122 wants to merge 1 commit into
Lamatic:mainfrom
Kushagra1122:threat-model-architect-kit
Open

feat: Add threat-model-architect template#211
Kushagra1122 wants to merge 1 commit into
Lamatic:mainfrom
Kushagra1122:threat-model-architect-kit

Conversation

@Kushagra1122

@Kushagra1122 Kushagra1122 commented Jul 10, 2026

Copy link
Copy Markdown

…files

PR Checklist

1. Select Contribution Type

  • Kit (kits/<category>/<kit-name>/)
  • Bundle (bundles/<bundle-name>/)
  • Template (templates/<template-name>/)

2. General Requirements

  • PR is for one project only (no unrelated changes)
  • No secrets, API keys, or real credentials are committed
  • Folder name uses kebab-case and matches the flow ID
  • All changes are documented in README.md (purpose, setup, usage)

3. File Structure (Check what applies)

  • config.json present with valid metadata (name, description, tags, steps, author, env keys)
  • All flows in flows/<flow-name>/ (where applicable) include:
    • config.json (Lamatic flow export)
    • inputs.json
    • meta.json
    • README.md
  • .env.example with placeholder values only (kits only)
  • No hand‑edited flow config.json node graphs (changes via Lamatic Studio export)

4. Validation

  • npm install && npm run dev works locally (kits: UI runs; bundles/templates: flows are valid)
  • PR title is clear (e.g., [kit] Add <name> for <use case>)
  • GitHub Actions workflows pass (all checks are green)
  • All CodeRabbit or other PR review comments are addressed and resolved
  • No unrelated files or projects are modified
  • Added the Threat Model Architect kit and Lamatic template configuration.
  • Added intake flow with:
    • API trigger node
    • Instructor/dynamic LLM generation node
    • Response node
    • Trigger → LLM → response wiring, including response mapping
  • Defined structured intake output for architecture context, including components, data assets, trust boundaries, roles, tech stack, compliance notes, completion status, and missing information.
  • Added system and user prompts for merging session state, extracting architecture details, asking clarifying questions, and requiring explicit completion confirmation.
  • Added constitution covering STRIDE, DREAD, honesty, mitigation quality, tone, and out-of-scope guidance.
  • Added README and agent documentation describing usage, API integration, testing, guardrails, and future extension flows.
  • Added .gitignore for environment files, dependencies, build output, and logs.
  • No flow.json file exists in the kit; flow behavior is defined in flows/intake.ts.

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Walkthrough

Changes

The Threat Model Architect kit adds an API-triggered intake flow that extracts architecture context into structured session state, applies prompt and constitution rules, and packages the flow with metadata and documentation.

Threat Model Architect intake

Layer / File(s) Summary
Intake contract and agent rules
kits/threat-model-architect/flows/intake.ts, kits/threat-model-architect/prompts/*, kits/threat-model-architect/constitutions/default.md
Defines structured session-state output fields, prompt-driven merging and completion behavior, missing-information handling, and STRIDE/DREAD boundaries.
Intake flow orchestration
kits/threat-model-architect/flows/intake.ts
Configures the model input and references, then connects the API trigger, structured LLM generation, and API response nodes.
Template packaging and documentation
kits/threat-model-architect/lamatic.config.ts, kits/threat-model-architect/agent.md, kits/threat-model-architect/README.md, kits/threat-model-architect/.gitignore
Adds template metadata, integration and behavior documentation, usage examples, and repository ignore patterns.

Suggested reviewers: amanintech, d-pamneja

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description is just an unfilled checklist template and lacks completed details about the contribution and validation. Fill in the checklist with the actual contribution type, documentation, validation results, and any required metadata.
✅ Passed checks (4 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title clearly states the PR adds the Threat Model Architect kit/template, matching the main change set.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

Copy link
Copy Markdown
Contributor

:robot_face: AgentKit Structural Validation

New Contributions Detected

  • Template: kits/threat-model-architect

Check Results

Check Status
No edits to existing kits ✅ Pass
Required root files present ✅ Pass
Flow .ts files present ✅ Pass
lamatic.config.ts valid ✅ Pass
No changes outside kits/ ✅ Pass

🎉 All checks passed! This contribution follows the AgentKit structure.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
kits/threat-model-architect/prompts/intake_user.md (1)

1-10: 🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift

Treat interpolated request fields as untrusted data.

message and session_state are user-controlled and are inserted directly into the prompt. An attacker can include instructions that attempt to override the system rules, skip confirmation, or inject fabricated architecture into the returned state. Delimit each value and add a system-level instruction that these blocks are data, not instructions.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kits/threat-model-architect/prompts/intake_user.md` around lines 1 - 10,
Update the intake prompt to treat the interpolated
`triggerNode_1.output.message` and `triggerNode_1.output.session_state` values
as untrusted data: clearly delimit each block and add an explicit instruction
that their contents are data only, not instructions, and must not override
system rules or confirmation requirements. Preserve the existing
merge-and-respond behavior while ensuring fabricated instructions inside either
value are not followed.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@kits/threat-model-architect/flows/intake.ts`:
- Around line 56-116: Add required arrays to outputSchema for assistant_message,
is_complete, session_state, and missing_info at the top level, and for the
expected session_state fields. Keep the existing property definitions unchanged
so validation rejects responses missing any required intake contract fields.

In `@kits/threat-model-architect/prompts/intake_system.md`:
- Line 1: Add a top-level Markdown heading at the beginning of the intake
prompt, and ensure blank lines appear immediately before and after the fenced
JSON block referenced in the document (including lines 44–49), resolving MD041
and MD031 without changing the prompt’s content.
- Around line 21-35: The deployment context required by the completion gate is
missing from the documented session state and output schema. Add a
deployment_context field to the session_state fields and outputSchema, defining
its expected value and default cloud SaaS assumption, so consumers can verify
the is_complete requirement.

In `@kits/threat-model-architect/prompts/intake_user.md`:
- Line 1: Add a top-level Markdown heading before the existing “Today's date”
content in the intake prompt so the file begins with an H1 and satisfies MD041.

In `@kits/threat-model-architect/README.md`:
- Around line 37-54: Correct the sample JSON so the captured stack is
represented consistently: populate session_state.components and tech_stack with
the Next.js frontend, Node API, Postgres, Stripe billing, Clerk auth, and S3
file storage referenced by assistant_message, following the system-prompt
example.

---

Outside diff comments:
In `@kits/threat-model-architect/prompts/intake_user.md`:
- Around line 1-10: Update the intake prompt to treat the interpolated
`triggerNode_1.output.message` and `triggerNode_1.output.session_state` values
as untrusted data: clearly delimit each block and add an explicit instruction
that their contents are data only, not instructions, and must not override
system rules or confirmation requirements. Preserve the existing
merge-and-respond behavior while ensuring fabricated instructions inside either
value are not followed.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: 31703ff5-c2c6-4972-b167-45979058c1ac

📥 Commits

Reviewing files that changed from the base of the PR and between dafde4c and 36444e7.

📒 Files selected for processing (8)
  • kits/threat-model-architect/.gitignore
  • kits/threat-model-architect/README.md
  • kits/threat-model-architect/agent.md
  • kits/threat-model-architect/constitutions/default.md
  • kits/threat-model-architect/flows/intake.ts
  • kits/threat-model-architect/lamatic.config.ts
  • kits/threat-model-architect/prompts/intake_system.md
  • kits/threat-model-architect/prompts/intake_user.md

Comment on lines +56 to +116
const outputSchema = {
type: "object",
properties: {
language: { type: "string" },
assistant_message: { type: "string" },
is_complete: { type: "boolean" },
session_state: {
type: "object",
properties: {
system_name: { type: "string" },
purpose: { type: "string" },
components: {
type: "array",
items: {
type: "object",
properties: {
id: { type: "string" },
name: { type: "string" },
type: { type: "string" },
description: { type: "string" },
technologies: { type: "array", items: { type: "string" } },
},
additionalProperties: true,
},
},
data_assets: {
type: "array",
items: {
type: "object",
properties: {
id: { type: "string" },
name: { type: "string" },
sensitivity: { type: "string" },
description: { type: "string" },
},
additionalProperties: true,
},
},
trust_boundaries: {
type: "array",
items: {
type: "object",
properties: {
id: { type: "string" },
from_component_id: { type: "string" },
to_component_id: { type: "string" },
data_flows: { type: "array", items: { type: "string" } },
protocol: { type: "string" },
},
additionalProperties: true,
},
},
user_roles: { type: "array", items: { type: "string" } },
compliance_notes: { type: "array", items: { type: "string" } },
tech_stack: { type: "array", items: { type: "string" } },
},
additionalProperties: true,
},
missing_info: { type: "array", items: { type: "string" } },
},
};

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Make the intake output contract required.

Every property is currently optional, so the model can omit assistant_message, is_complete, session_state, or missing_info. The downstream intake contract expects these fields on every response; add top-level and session-state required arrays so incomplete generations fail validation instead of silently producing partial state.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kits/threat-model-architect/flows/intake.ts` around lines 56 - 116, Add
required arrays to outputSchema for assistant_message, is_complete,
session_state, and missing_info at the top level, and for the expected
session_state fields. Keep the existing property definitions unchanged so
validation rejects responses missing any required intake contract fields.

@@ -0,0 +1,75 @@
You are **Threat Model Architect**, an AI security agent. You help users threat-model **their software system** — NOT yourself.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Fix the reported Markdown lint violations.

Add a top-level heading and blank lines around the fenced JSON block so this file passes the reported MD041 and MD031 checks.

Also applies to: 44-49

🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 1-1: First line in a file should be a top-level heading

(MD041, first-line-heading, first-line-h1)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kits/threat-model-architect/prompts/intake_system.md` at line 1, Add a
top-level Markdown heading at the beginning of the intake prompt, and ensure
blank lines appear immediately before and after the fenced JSON block referenced
in the document (including lines 44–49), resolving MD041 and MD031 without
changing the prompt’s content.

Source: Linters/SAST tools

Comment on lines +21 to +35
## Required before is_complete: true

- System purpose (what the user's product does)
- At least 2 components extracted from their message
- Data sensitivity (ask if not stated)
- Deployment context (default to "cloud SaaS" if unstated, mention the assumption)

## session_state fields

- `system_name` — user's product name or short label (e.g. "B2B SaaS")
- `purpose` — what the user's product does (from their words)
- `components[]` — `{ id, name, type, description, technologies[] }`
- Types: frontend, backend, database, auth, storage, third_party
- `data_assets[]` — `{ id, name, sensitivity, description }`
- `trust_boundaries[]`, `user_roles[]`, `compliance_notes[]`, `tech_stack[]`

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Add deployment context to the session-state contract.

The prompt requires deployment context before is_complete: true, but deployment_context is absent from the documented fields and outputSchema. Add it to both contracts, or remove it from the completion gate; otherwise consumers cannot reliably determine whether the gate was satisfied.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kits/threat-model-architect/prompts/intake_system.md` around lines 21 - 35,
The deployment context required by the completion gate is missing from the
documented session state and output schema. Add a deployment_context field to
the session_state fields and outputSchema, defining its expected value and
default cloud SaaS assumption, so consumers can verify the is_complete
requirement.

@@ -0,0 +1,9 @@
Today's date: {{triggerNode_1.output.today}}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Add the required top-level Markdown heading.

This file currently starts with prose, triggering the reported MD041 lint violation.

🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 1-1: First line in a file should be a top-level heading

(MD041, first-line-heading, first-line-h1)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kits/threat-model-architect/prompts/intake_user.md` at line 1, Add a
top-level Markdown heading before the existing “Today's date” content in the
intake prompt so the file begins with an H1 and satisfies MD041.

Source: Linters/SAST tools

Comment on lines +37 to +54
```json
{
"language": "English",
"assistant_message": "I captured your stack: Next.js frontend, Node API, Postgres, Stripe billing, Clerk auth, and S3 file storage. What sensitive data does your app handle?",
"is_complete": false,
"session_state": {
"system_name": "B2B SaaS",
"purpose": "B2B SaaS application",
"components": [],
"data_assets": [],
"trust_boundaries": [],
"user_roles": [],
"compliance_notes": [],
"tech_stack": []
},
"missing_info": ["data sensitivity"]
}
```

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟡 Minor | ⚡ Quick win

Correct the contradictory sample output.

The response says the stack was captured, but components and tech_stack are empty. Populate those arrays as shown in the system-prompt example, or change the assistant message; the current example misdocuments the flow contract.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kits/threat-model-architect/README.md` around lines 37 - 54, Correct the
sample JSON so the captured stack is represented consistently: populate
session_state.components and tech_stack with the Next.js frontend, Node API,
Postgres, Stripe billing, Clerk auth, and S3 file storage referenced by
assistant_message, following the system-prompt example.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant