tachi-shared
Shared reference files consumed by multiple tachi agents. Contains canonical definitions for severity bands, STRIDE+AI categories, and finding format that serve as the single source of truth across the pipeline. Agents Read individual reference files on-demand rather than maintaining inline copies.
Best use case
tachi-shared is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Shared reference files consumed by multiple tachi agents. Contains canonical definitions for severity bands, STRIDE+AI categories, and finding format that serve as the single source of truth across the pipeline. Agents Read individual reference files on-demand rather than maintaining inline copies.
Teams using tachi-shared should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/tachi-shared/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How tachi-shared Compares
| Feature / Agent | tachi-shared | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Shared reference files consumed by multiple tachi agents. Contains canonical definitions for severity bands, STRIDE+AI categories, and finding format that serve as the single source of truth across the pipeline. Agents Read individual reference files on-demand rather than maintaining inline copies.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Tachi Shared References Cross-cutting domain knowledge consumed by multiple tachi agents. These reference files are the canonical source of truth for definitions that appear across the pipeline -- severity bands, STRIDE+AI threat categories, and finding format conventions. Individual agents load specific references on-demand using the Read tool rather than duplicating definitions inline. ## Domain Coverage This skill contains four shared reference files: 1. **Severity Bands** -- Composite score thresholds, severity band boundaries, color codes, SLA mappings, disposition defaults, and review date calculations. Used everywhere severity classification drives decisions. 2. **STRIDE+AI Categories** -- All 11 threat categories (6 STRIDE + 5 AI) with descriptions, ID prefixes, OWASP references, and the DFD element-to-category applicability matrix that determines which categories apply to which component types. 3. **Finding Format** -- The finding intermediate representation (IR) specification: required fields, optional fields, ID format conventions, validation rules, and table output format. Defines the contract between threat agents (producers) and downstream consumers. 4. **MAESTRO Layers** -- CSA MAESTRO seven-layer taxonomy definitions for agentic AI architectures: layer identifiers (L1-L7), descriptions, keyword-to-layer mappings, and the classification algorithm (first-match-wins, "Unclassified" default). Used during Phase 1 to classify components by architectural layer. ## Loading Table | Reference File | Consumers | Load When | |----------------|-----------|-----------| | `references/severity-bands-shared.md` | orchestrator, risk-scorer, control-analyzer, threat-report, threat-infographic, report-assembler | When severity classification, SLA computation, governance field derivation, or severity-based formatting is needed | | `references/stride-categories-shared.md` | orchestrator, spoofing, tampering, repudiation, info-disclosure, denial-of-service, privilege-escalation, prompt-injection, data-poisoning, model-theft, agent-autonomy, tool-abuse | When category definitions, DFD applicability rules, or category-to-agent mapping is needed | | `references/finding-format-shared.md` | orchestrator, spoofing, tampering, repudiation, info-disclosure, denial-of-service, privilege-escalation, prompt-injection, data-poisoning, model-theft, agent-autonomy, tool-abuse, risk-scorer | When producing or consuming finding records, validating finding structure, or assembling output tables | | `references/maestro-layers-shared.md` | orchestrator, risk-scorer, control-analyzer, threat-report | When classifying components by MAESTRO layer (Phase 1), propagating layer tags through findings, or including layer metadata in output | ## Loading Mechanism Agents use the Read tool to load individual reference files on-demand at the workflow phase where the content is needed. Each reference file is self-contained and can be loaded independently. Content is evictable from context after the relevant phase completes. ```markdown # Example loading instruction in an agent body: Read `.claude/skills/tachi-shared/references/severity-bands-shared.md` when entering severity classification or governance field generation. ```
Related Skills
tachi-threat-reporting
Domain knowledge for narrative threat report generation — executive summary structure, architecture overview patterns, per-category narrative templates, attack tree construction rules with Mermaid syntax, and reference attack tree examples. Consumed by the threat-report agent during report generation.
tachi-risk-scoring
Domain knowledge for quantitative risk scoring — four-dimensional scoring model (CVSS 3.1, exploitability, scalability, reachability), CVSS base vector mappings, composite score formulas, severity band thresholds, and governance field derivation rules. Consumed by the risk-scorer agent during scoring pipeline execution.
tachi-report-assembly
Domain knowledge for PDF security report assembly — artifact detection patterns with tier selection rules, Typst data variable contract with type specifications and image path resolution, and brand asset handling with logo location and fallback rules. Consumed by the report-assembler agent during report generation.
tachi-orchestration
Domain knowledge for the tachi orchestrator agent: input format detection, DFD classification, trust boundary notation, STRIDE-per-Element dispatch rules, coverage requirements per component type, coverage matrix model, SARIF 2.1.0 generation specification, output schema tables for threats.md, baseline correlation, structural validation checklist, and error handling templates. Loaded on-demand by the orchestrator during specific pipeline phases.
tachi-infographics
Domain knowledge for threat infographic generation — infographic specification formats, template-specific section layouts (Baseball Card, System Architecture, Risk Funnel), Gemini API prompt construction rules, and visual design system tokens. Consumed by the threat-infographic agent during specification and image generation.
tachi-control-analysis
Domain knowledge for compensating controls analysis — control category definitions with detection patterns, evidence criteria with effectiveness classification, and residual risk calculation with recommendation generation. Loaded on-demand by the control-analyzer agent during codebase scanning and risk assessment phases.
~aod-status
On-demand backlog snapshot and lifecycle stage summary. Regenerates BACKLOG.md from GitHub Issues and displays item counts per stage. Use this skill when you need to check backlog status, view stage counts, regenerate BACKLOG.md, or get a lifecycle overview.
~aod-spec
Validates specification completeness and quality by checking for mandatory sections, [NEEDS CLARIFICATION] markers, testable criteria, and clear scope boundaries. Use this skill when you need to check if spec is complete, validate specifications, review spec.md, or check specification quality. Ensures specifications are ready for architecture and implementation phases.
~aod-score
Re-score an existing idea's ICE rating when circumstances change. Use this skill when you need to re-evaluate ideas, update ICE scores, change idea priority, or re-assess deferred ideas.
~aod-run
Full lifecycle orchestrator that chains all 6 AOD stages (Discover, Define, Plan, Build, Deliver, Document) with disk-persisted state for session resilience and governance gates at every boundary. Use this skill when you need to run the full lifecycle, orchestrate stages, resume orchestration, or check orchestration status.
~aod-project-plan
Validates architecture documentation completeness by checking for technology stack, API specifications, database schema, security architecture, and alignment with feature specification. Use this skill when you need to check if plan.md is complete before implementation, validate architecture documentation, or review technical plans for completeness.
~aod-plan
Plan stage orchestrator that runs all three Plan sub-steps (spec → project-plan → tasks) in sequence with governance gates. Stops on rejection, continues through approvals. Use this skill when you need to run the full Plan stage, navigate planning sub-steps, or resume after a rejection.