tachi-control-analysis
Domain knowledge for compensating controls analysis — control category definitions with detection patterns, evidence criteria with effectiveness classification, and residual risk calculation with recommendation generation. Loaded on-demand by the control-analyzer agent during codebase scanning and risk assessment phases.
Best use case
tachi-control-analysis is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Domain knowledge for compensating controls analysis — control category definitions with detection patterns, evidence criteria with effectiveness classification, and residual risk calculation with recommendation generation. Loaded on-demand by the control-analyzer agent during codebase scanning and risk assessment phases.
Teams using tachi-control-analysis should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/tachi-control-analysis/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How tachi-control-analysis Compares
| Feature / Agent | tachi-control-analysis | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Domain knowledge for compensating controls analysis — control category definitions with detection patterns, evidence criteria with effectiveness classification, and residual risk calculation with recommendation generation. Loaded on-demand by the control-analyzer agent during codebase scanning and risk assessment phases.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Tachi Control Analysis Skill
This skill contains the domain knowledge extracted from the tachi control-analyzer agent. It provides the reference data needed to detect compensating controls in a target codebase, classify their effectiveness, calculate residual risk, and generate remediation recommendations.
## Domain Overview
The control analysis domain covers three areas:
1. **Control Categories and Detection Patterns** -- Definitions for the 8 compensating control categories (authentication, input-validation, rate-limiting, encryption, logging-audit, csrf-protection, csp-security-headers, access-control), their STRIDE-to-control mapping, pattern indicators for Phase A scanning, and common library/framework references.
2. **Evidence Criteria and Effectiveness Classification** -- Phase B semantic analysis criteria (context checks, enforcement checks, strength assessments), evidence collection rules (snippet selection, deduplication, file path format), confidence level definitions (High/Medium/Low), and Phase 4 classification rules (found/partial/missing with multi-control resolution and cross-component handling).
3. **Residual Risk Calculation and Recommendations** -- Recommendation generation rules for missing and partial controls (templates, effort calibration), residual score computation formula with the P0 binary reduction model (reduction factors by control status), severity band mapping for residual scores, and summary statistics calculations.
## NIST AI RMF Relationship
Tachi's compensating-controls analyzer operates in a STRIDE+AI idiom, not a NIST idiom. The NIST AI Risk Management Framework (AI RMF 1.0, NIST AI 100-1) and its companion Generative AI Profile (NIST AI 600-1) are the U.S. federal reference vocabulary for managing AI system risk — Functions (Govern, Map, Measure, Manage), Subcategories, and 12 GAI risk categories. Tachi's posture toward both documents is **documentation-only mapping** per [ADR-025](../../../docs/architecture/02_ADRs/ADR-025-nist-ai-rmf-evaluation.md): no schema field, no agent, no pipeline phase, and no SARIF tag emits NIST-keyed output. The strongest direct semantic overlap is MEASURE 2.7 ("AI system security and resilience are evaluated and documented") — essentially what `compensating-controls.md` already produces without NIST labeling. Adopters who must cite NIST mappings during procurement, audit, or examination workflows should consult the companion reference `.claude/skills/tachi-shared/references/nist-ai-rmf-mapping.md` and ADR-025 for the three-surface comparison (Functions × phases, Subcategories × control categories, GAI risks × STRIDE+AI), the full re-evaluation triggers, and the structural-fit rationale for choosing mapping over wired integration.
## Baseline-Aware Control Analysis Rules
### Carry-Forward Conditions
Control status is carried forward from baseline when ALL of the following are true:
1. Finding `delta_status` is `UNCHANGED`
2. Baseline `compensating-controls.md` exists and is parseable
3. Finding ID matches a baseline controlled finding (exact `findingId/v1` match)
### Carry-Forward Fields
For UNCHANGED findings, copy these fields verbatim from baseline:
| Field | Treatment |
|-------|-----------|
| `control_status` | Copy (found/partial/missing) |
| `control_evidence` | Copy all evidence entries |
| `control_category` | Copy |
| `control_effectiveness` | Copy |
| `reduction_factor` | Copy |
| `residual_score` | Copy |
| `residual_severity_band` | Copy |
| `recommendation` | Copy (if any) |
| `effort_estimate` | Copy (if any) |
Set `control_carry_forward: true` and `rescan_scope: "incremental"`.
### Incremental Re-Scan Scope
When baseline controls are available:
| Scenario | Re-Scan Scope | Rationale |
|----------|---------------|-----------|
| All findings UNCHANGED | `incremental` (nothing to scan) | Full inheritance |
| Mix of UNCHANGED + NEW/UPDATED | `incremental` (scan only changed) | Partial inheritance |
| All findings NEW (first run or no baseline controls) | `full` | No inheritance possible |
### Evidence Preservation
Carried-forward evidence entries retain their original file paths, line numbers, and snippets from the baseline run. These represent the control state as of the baseline — they are **not** re-validated against the current codebase for UNCHANGED findings.
### First Run Behavior
When no baseline `compensating-controls.md` exists, all findings are scanned with `rescan_scope: "full"` and `control_carry_forward: false`. No behavioral change from pre-baseline pipeline.
## Reference Loading Table
Load reference files on-demand using the Read tool at the workflow phase where they are needed. Do not load all references at pipeline start.
| Reference File | Load When | Content |
|----------------|-----------|---------|
| `references/control-categories.md` | Phase 3 (Detect Controls) | 8 control category definitions, STRIDE-to-control mapping, pattern indicators, common libraries |
| `references/evidence-criteria.md` | Phase 3 (Detect Controls), Phase 4 (Map & Classify) | Evidence collection rules, confidence levels, classification rules (found/partial/missing), multi-control resolution |
| `references/residual-risk.md` | Phase 5 (Recommend & Calculate Residual Risk) | Recommendation templates, effort calibration, residual score formula, reduction factors, severity band mapping, summary statistics |Related Skills
tachi-threat-reporting
Domain knowledge for narrative threat report generation — executive summary structure, architecture overview patterns, per-category narrative templates, attack tree construction rules with Mermaid syntax, and reference attack tree examples. Consumed by the threat-report agent during report generation.
tachi-shared
Shared reference files consumed by multiple tachi agents. Contains canonical definitions for severity bands, STRIDE+AI categories, and finding format that serve as the single source of truth across the pipeline. Agents Read individual reference files on-demand rather than maintaining inline copies.
tachi-risk-scoring
Domain knowledge for quantitative risk scoring — four-dimensional scoring model (CVSS 3.1, exploitability, scalability, reachability), CVSS base vector mappings, composite score formulas, severity band thresholds, and governance field derivation rules. Consumed by the risk-scorer agent during scoring pipeline execution.
tachi-report-assembly
Domain knowledge for PDF security report assembly — artifact detection patterns with tier selection rules, Typst data variable contract with type specifications and image path resolution, and brand asset handling with logo location and fallback rules. Consumed by the report-assembler agent during report generation.
tachi-orchestration
Domain knowledge for the tachi orchestrator agent: input format detection, DFD classification, trust boundary notation, STRIDE-per-Element dispatch rules, coverage requirements per component type, coverage matrix model, SARIF 2.1.0 generation specification, output schema tables for threats.md, baseline correlation, structural validation checklist, and error handling templates. Loaded on-demand by the orchestrator during specific pipeline phases.
tachi-infographics
Domain knowledge for threat infographic generation — infographic specification formats, template-specific section layouts (Baseball Card, System Architecture, Risk Funnel), Gemini API prompt construction rules, and visual design system tokens. Consumed by the threat-infographic agent during specification and image generation.
~aod-status
On-demand backlog snapshot and lifecycle stage summary. Regenerates BACKLOG.md from GitHub Issues and displays item counts per stage. Use this skill when you need to check backlog status, view stage counts, regenerate BACKLOG.md, or get a lifecycle overview.
~aod-spec
Validates specification completeness and quality by checking for mandatory sections, [NEEDS CLARIFICATION] markers, testable criteria, and clear scope boundaries. Use this skill when you need to check if spec is complete, validate specifications, review spec.md, or check specification quality. Ensures specifications are ready for architecture and implementation phases.
~aod-score
Re-score an existing idea's ICE rating when circumstances change. Use this skill when you need to re-evaluate ideas, update ICE scores, change idea priority, or re-assess deferred ideas.
~aod-run
Full lifecycle orchestrator that chains all 6 AOD stages (Discover, Define, Plan, Build, Deliver, Document) with disk-persisted state for session resilience and governance gates at every boundary. Use this skill when you need to run the full lifecycle, orchestrate stages, resume orchestration, or check orchestration status.
~aod-project-plan
Validates architecture documentation completeness by checking for technology stack, API specifications, database schema, security architecture, and alignment with feature specification. Use this skill when you need to check if plan.md is complete before implementation, validate architecture documentation, or review technical plans for completeness.
~aod-plan
Plan stage orchestrator that runs all three Plan sub-steps (spec → project-plan → tasks) in sequence with governance gates. Stops on rejection, continues through approvals. Use this skill when you need to run the full Plan stage, navigate planning sub-steps, or resume after a rejection.