tachi-control-analysis

Domain knowledge for compensating controls analysis — control category definitions with detection patterns, evidence criteria with effectiveness classification, and residual risk calculation with recommendation generation. Loaded on-demand by the control-analyzer agent during codebase scanning and risk assessment phases.

9 stars

Best use case

tachi-control-analysis is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Domain knowledge for compensating controls analysis — control category definitions with detection patterns, evidence criteria with effectiveness classification, and residual risk calculation with recommendation generation. Loaded on-demand by the control-analyzer agent during codebase scanning and risk assessment phases.

Teams using tachi-control-analysis should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/tachi-control-analysis/SKILL.md --create-dirs "https://raw.githubusercontent.com/davidmatousek/tachi/main/.claude/skills/tachi-control-analysis/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/tachi-control-analysis/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How tachi-control-analysis Compares

Feature / Agenttachi-control-analysisStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Domain knowledge for compensating controls analysis — control category definitions with detection patterns, evidence criteria with effectiveness classification, and residual risk calculation with recommendation generation. Loaded on-demand by the control-analyzer agent during codebase scanning and risk assessment phases.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Tachi Control Analysis Skill

This skill contains the domain knowledge extracted from the tachi control-analyzer agent. It provides the reference data needed to detect compensating controls in a target codebase, classify their effectiveness, calculate residual risk, and generate remediation recommendations.

## Domain Overview

The control analysis domain covers three areas:

1. **Control Categories and Detection Patterns** -- Definitions for the 8 compensating control categories (authentication, input-validation, rate-limiting, encryption, logging-audit, csrf-protection, csp-security-headers, access-control), their STRIDE-to-control mapping, pattern indicators for Phase A scanning, and common library/framework references.

2. **Evidence Criteria and Effectiveness Classification** -- Phase B semantic analysis criteria (context checks, enforcement checks, strength assessments), evidence collection rules (snippet selection, deduplication, file path format), confidence level definitions (High/Medium/Low), and Phase 4 classification rules (found/partial/missing with multi-control resolution and cross-component handling).

3. **Residual Risk Calculation and Recommendations** -- Recommendation generation rules for missing and partial controls (templates, effort calibration), residual score computation formula with the P0 binary reduction model (reduction factors by control status), severity band mapping for residual scores, and summary statistics calculations.

## NIST AI RMF Relationship

Tachi's compensating-controls analyzer operates in a STRIDE+AI idiom, not a NIST idiom. The NIST AI Risk Management Framework (AI RMF 1.0, NIST AI 100-1) and its companion Generative AI Profile (NIST AI 600-1) are the U.S. federal reference vocabulary for managing AI system risk — Functions (Govern, Map, Measure, Manage), Subcategories, and 12 GAI risk categories. Tachi's posture toward both documents is **documentation-only mapping** per [ADR-025](../../../docs/architecture/02_ADRs/ADR-025-nist-ai-rmf-evaluation.md): no schema field, no agent, no pipeline phase, and no SARIF tag emits NIST-keyed output. The strongest direct semantic overlap is MEASURE 2.7 ("AI system security and resilience are evaluated and documented") — essentially what `compensating-controls.md` already produces without NIST labeling. Adopters who must cite NIST mappings during procurement, audit, or examination workflows should consult the companion reference `.claude/skills/tachi-shared/references/nist-ai-rmf-mapping.md` and ADR-025 for the three-surface comparison (Functions × phases, Subcategories × control categories, GAI risks × STRIDE+AI), the full re-evaluation triggers, and the structural-fit rationale for choosing mapping over wired integration.

## Baseline-Aware Control Analysis Rules

### Carry-Forward Conditions

Control status is carried forward from baseline when ALL of the following are true:

1. Finding `delta_status` is `UNCHANGED`
2. Baseline `compensating-controls.md` exists and is parseable
3. Finding ID matches a baseline controlled finding (exact `findingId/v1` match)

### Carry-Forward Fields

For UNCHANGED findings, copy these fields verbatim from baseline:

| Field | Treatment |
|-------|-----------|
| `control_status` | Copy (found/partial/missing) |
| `control_evidence` | Copy all evidence entries |
| `control_category` | Copy |
| `control_effectiveness` | Copy |
| `reduction_factor` | Copy |
| `residual_score` | Copy |
| `residual_severity_band` | Copy |
| `recommendation` | Copy (if any) |
| `effort_estimate` | Copy (if any) |

Set `control_carry_forward: true` and `rescan_scope: "incremental"`.

### Incremental Re-Scan Scope

When baseline controls are available:

| Scenario | Re-Scan Scope | Rationale |
|----------|---------------|-----------|
| All findings UNCHANGED | `incremental` (nothing to scan) | Full inheritance |
| Mix of UNCHANGED + NEW/UPDATED | `incremental` (scan only changed) | Partial inheritance |
| All findings NEW (first run or no baseline controls) | `full` | No inheritance possible |

### Evidence Preservation

Carried-forward evidence entries retain their original file paths, line numbers, and snippets from the baseline run. These represent the control state as of the baseline — they are **not** re-validated against the current codebase for UNCHANGED findings.

### First Run Behavior

When no baseline `compensating-controls.md` exists, all findings are scanned with `rescan_scope: "full"` and `control_carry_forward: false`. No behavioral change from pre-baseline pipeline.

## Reference Loading Table

Load reference files on-demand using the Read tool at the workflow phase where they are needed. Do not load all references at pipeline start.

| Reference File | Load When | Content |
|----------------|-----------|---------|
| `references/control-categories.md` | Phase 3 (Detect Controls) | 8 control category definitions, STRIDE-to-control mapping, pattern indicators, common libraries |
| `references/evidence-criteria.md` | Phase 3 (Detect Controls), Phase 4 (Map & Classify) | Evidence collection rules, confidence levels, classification rules (found/partial/missing), multi-control resolution |
| `references/residual-risk.md` | Phase 5 (Recommend & Calculate Residual Risk) | Recommendation templates, effort calibration, residual score formula, reduction factors, severity band mapping, summary statistics |

Related Skills

tachi-threat-reporting

9
from davidmatousek/tachi

Domain knowledge for narrative threat report generation — executive summary structure, architecture overview patterns, per-category narrative templates, attack tree construction rules with Mermaid syntax, and reference attack tree examples. Consumed by the threat-report agent during report generation.

tachi-shared

9
from davidmatousek/tachi

Shared reference files consumed by multiple tachi agents. Contains canonical definitions for severity bands, STRIDE+AI categories, and finding format that serve as the single source of truth across the pipeline. Agents Read individual reference files on-demand rather than maintaining inline copies.

tachi-risk-scoring

9
from davidmatousek/tachi

Domain knowledge for quantitative risk scoring — four-dimensional scoring model (CVSS 3.1, exploitability, scalability, reachability), CVSS base vector mappings, composite score formulas, severity band thresholds, and governance field derivation rules. Consumed by the risk-scorer agent during scoring pipeline execution.

tachi-report-assembly

9
from davidmatousek/tachi

Domain knowledge for PDF security report assembly — artifact detection patterns with tier selection rules, Typst data variable contract with type specifications and image path resolution, and brand asset handling with logo location and fallback rules. Consumed by the report-assembler agent during report generation.

tachi-orchestration

9
from davidmatousek/tachi

Domain knowledge for the tachi orchestrator agent: input format detection, DFD classification, trust boundary notation, STRIDE-per-Element dispatch rules, coverage requirements per component type, coverage matrix model, SARIF 2.1.0 generation specification, output schema tables for threats.md, baseline correlation, structural validation checklist, and error handling templates. Loaded on-demand by the orchestrator during specific pipeline phases.

tachi-infographics

9
from davidmatousek/tachi

Domain knowledge for threat infographic generation — infographic specification formats, template-specific section layouts (Baseball Card, System Architecture, Risk Funnel), Gemini API prompt construction rules, and visual design system tokens. Consumed by the threat-infographic agent during specification and image generation.

~aod-status

9
from davidmatousek/tachi

On-demand backlog snapshot and lifecycle stage summary. Regenerates BACKLOG.md from GitHub Issues and displays item counts per stage. Use this skill when you need to check backlog status, view stage counts, regenerate BACKLOG.md, or get a lifecycle overview.

~aod-spec

9
from davidmatousek/tachi

Validates specification completeness and quality by checking for mandatory sections, [NEEDS CLARIFICATION] markers, testable criteria, and clear scope boundaries. Use this skill when you need to check if spec is complete, validate specifications, review spec.md, or check specification quality. Ensures specifications are ready for architecture and implementation phases.

~aod-score

9
from davidmatousek/tachi

Re-score an existing idea's ICE rating when circumstances change. Use this skill when you need to re-evaluate ideas, update ICE scores, change idea priority, or re-assess deferred ideas.

~aod-run

9
from davidmatousek/tachi

Full lifecycle orchestrator that chains all 6 AOD stages (Discover, Define, Plan, Build, Deliver, Document) with disk-persisted state for session resilience and governance gates at every boundary. Use this skill when you need to run the full lifecycle, orchestrate stages, resume orchestration, or check orchestration status.

~aod-project-plan

9
from davidmatousek/tachi

Validates architecture documentation completeness by checking for technology stack, API specifications, database schema, security architecture, and alignment with feature specification. Use this skill when you need to check if plan.md is complete before implementation, validate architecture documentation, or review technical plans for completeness.

~aod-plan

9
from davidmatousek/tachi

Plan stage orchestrator that runs all three Plan sub-steps (spec → project-plan → tasks) in sequence with governance gates. Stops on rejection, continues through approvals. Use this skill when you need to run the full Plan stage, navigate planning sub-steps, or resume after a rejection.