diff --git a/CHANGELOG.md b/CHANGELOG.md
index ad94076..d0c0d66 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,23 @@
 # Changelog
 ---
+## [2.9.2] - 2026-04-30
+
+### Added 
+- Small HTML Docstring with project info
+
+### Changed
+- **CSV Formula Injection Mitigation**: Cells starting with formula characters are now prefixed with a tab character (\t) and wrapped in double quotes instead of just the single quote prefix that was used previously
+
+## [2.9.1] - 2026-02-28
+
+### Added
+- **Function index generator**: Added `scripts/generate-function-index.py` to auto-generate `docs/FUNCTION_INDEX.generated.md` from runtime source function declarations.
+- **Generated function inventory**: Added `docs/FUNCTION_INDEX.generated.md` as a machine-generated reference for maintainers.
+
+### Changed
+- **Updated Documentation**: `DOCUMENTATION.md` has been simplified & updated to v2.9.0.
+- **Documentation cross-linking**: Added references to curated and generated function indexes in `README.md` and `DOCUMENTATION.md`.
+- **Release regeneration workflow**: `scripts/regenerate-release.sh` now regenerates `docs/FUNCTION_INDEX.generated.md` before rebuilding `release/` artifacts.
 
 ## [2.9.0] - 2026-02-22
 
@@ -815,7 +833,7 @@ handleDrop(event, phaseKey)       // Performs assignment
 
 ---
 
-## Development Notes for AI Agents
+## Development Notes
 
 ### File Structure Understanding
 ```
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 3419966..219e8bd 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -26,6 +26,11 @@ Contributions are welcome. Please read the following guidelines before submittin
 - Follow existing code style and naming conventions
 - Keep functions focused and well-documented
 - Test drag-and-drop, import/export, and metadata editing
+- Keep docs in sync with shipped behavior:
+	- Update `CHANGELOG.md` for user-visible and security-relevant changes
+	- Update `README.md` when setup, usage, or feature surface changes
+	- Update `DOCUMENTATION.md` for architecture/runtime behavior changes
+	- Update `docs/FUNCTION_INDEX.md` and regenerate `docs/FUNCTION_INDEX.generated.md` when function surfaces change
 
 ## Data Updates
 
diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md
index 81a16fb..0192cf8 100644
--- a/DOCUMENTATION.md
+++ b/DOCUMENTATION.md
@@ -1,8 +1,8 @@
 # AttackFlow — Monolithic API Reference
 
-> **Version:** 2.7.0  
-> **Scope:** Documents the current inline JavaScript implementation in `index.html` and the companion `config.js` + `stix-config.js`.  
-> **Purpose:** Serve as the definitive reference for the v3.0 modular refactoring (see `DETACH.md`).
+> **Version:** 2.9.0  
+> **Scope:** Documents the current inline JavaScript implementation in `index.html` and companion `config.js` + `stix-config.js` (plus embedded iframe IPC surface used by `explorer.html` and `stix-builder.html`).  
+> **Purpose:** Definitive implementation reference for ongoing hardening and v3 modularization planning.
 
 ---
 
@@ -10,1587 +10,560 @@
 
 1. [Architecture Overview](#1-architecture-overview)
 2. [File Map](#2-file-map)
-3. [config.js — Configuration & Theme Engine](#3-configjs--configuration--theme-engine)
-4. [stix-config.js — STIX 2.1 Object Definitions](#4-stix-configjs--stix-21-object-definitions)
-5. [Inline JS Sections (index.html)](#5-inline-js-sections-indexhtml)
-   - 5.1 [VERSION](#51-version)
-   - 5.2 [INPUT SECURITY](#52-input-security)
-   - 5.3 [METADATA HELPERS](#53-metadata-helpers)
-   - 5.4 [TYPE MAPPING CONSTANTS](#54-type-mapping-constants)
-   - 5.5 [ASSIGNMENT & PHASE LOGIC](#55-assignment--phase-logic)
-   - 5.6 [GROUP MANAGEMENT](#56-group-management)
-   - 5.7 [CONSTANTS & STATE](#57-constants--state)
-   - 5.8 [DATA LOADING](#58-data-loading)
-   - 5.9 [NAVIGATOR IMPORT](#59-navigator-import)
-   - 5.10 [VIEW & LAYER CONTROLS](#510-view--layer-controls)
-   - 5.11 [THEME RUNTIME](#511-theme-runtime)
-   - 5.12 [COMPACT MODE](#512-compact-mode)
-   - 5.13 [TAB & FILTER CONTROLS](#513-tab--filter-controls)
-   - 5.14 [ENTITY LIST RENDERING](#514-entity-list-rendering)
-   - 5.15 [STIX ITEM MANAGEMENT](#515-stix-item-management)
-   - 5.16 [STIX EDITOR MODAL](#516-stix-editor-modal)
-   - 5.17 [SELECTION & DETAIL PANEL](#517-selection--detail-panel)
-   - 5.18 [DRAG & DROP](#518-drag--drop)
-   - 5.19 [KILL CHAIN RENDERING](#519-kill-chain-rendering)
-   - 5.20 [RELATIONSHIP VIEW](#520-relationship-view)
-   - 5.21 [STATS & UTILITIES](#521-stats--utilities)
-   - 5.22 [EXPORT (JSON / CSV / STIX Bundle)](#522-export-json--csv--stix-bundle)
-   - 5.23 [IMPORT (Kill Chain)](#523-import-kill-chain)
-   - 5.24 [DROPDOWN UTILS](#524-dropdown-utils)
-   - 5.25 [METADATA EDITOR](#525-metadata-editor)
-   - 5.26 [MODALS (Usage Guide / Changelog)](#526-modals-usage-guide--changelog)
-   - 5.27 [TOAST NOTIFICATIONS](#527-toast-notifications)
-   - 5.28 [INITIALIZATION](#528-initialization)
-6. [Data Types & Shapes](#6-data-types--shapes)
-7. [Global Event Listeners](#7-global-event-listeners)
+3. [What Changed Since v2.7.0](#3-what-changed-since-v270)
+4. [config.js — Configuration & Theme Engine](#4-configjs--configuration--theme-engine)
+5. [stix-config.js — STIX 2.1 Object Definitions](#5-stix-configjs--stix-21-object-definitions)
+6. [Inline JS Sections (index.html)](#6-inline-js-sections-indexhtml)
+   - 6.1 [VERSION + INPUT SECURITY](#61-version--input-security)
+   - 6.2 [METADATA + TYPE MAPPING + ASSIGNMENT/GROUP LOGIC](#62-metadata--type-mapping--assignmentgroup-logic)
+   - 6.3 [STATE + PHASE MODEL + CORE HELPERS](#63-state--phase-model--core-helpers)
+   - 6.4 [DATA LOADING (SHARED CACHE + OFFLINE MODE)](#64-data-loading-shared-cache--offline-mode)
+   - 6.5 [LOCAL IFRAME IPC BRIDGE](#65-local-iframe-ipc-bridge)
+   - 6.6 [NAVIGATOR / TECHNIQUE IMPORTS](#66-navigator--technique-imports)
+   - 6.7 [VIEWS + THEME + COMPACT + COMMENTS](#67-views--theme--compact--comments)
+   - 6.8 [GLOBAL SEARCH + TAB/FILTER CONTROLS](#68-global-search--tabfilter-controls)
+   - 6.9 [ENTITY LIST, STIX LIBRARY, STIX EDITOR](#69-entity-list-stix-library-stix-editor)
+   - 6.10 [DETAIL VIEWS, DND, KILL CHAIN, RELATIONSHIPS](#610-detail-views-dnd-kill-chain-relationships)
+   - 6.11 [PHASE DETAILS MODAL + STATS](#611-phase-details-modal--stats)
+   - 6.12 [EXPORT / IMPORT (JSON, CSV, STIX)](#612-export--import-json-csv-stix)
+   - 6.13 [METADATA EDITOR + MODALS + INIT](#613-metadata-editor--modals--init)
+7. [Data Types & Shapes](#7-data-types--shapes)
 8. [Security Model](#8-security-model)
-9. [Module Mapping (Current → v3.0)](#9-module-mapping-current--v30)
+9. [Global Event Listeners](#9-global-event-listeners)
+10. [Module Mapping (Current → v3.0)](#10-module-mapping-current--v30)
 
 ---
 
 ## 1. Architecture Overview
 
-AttackFlow is a **single-page application** with all JavaScript inlined inside `index.html` (≈ 4,800 lines, starting at line ~2625). Two companion scripts — `config.js` and `stix-config.js` — are loaded via `<script>` tags before the inline block. There is no build step, no bundler, and no module system — every function and variable lives in the global scope.
+AttackFlow is a zero-build browser SPA with all core runtime logic inside inline JavaScript in `index.html`.
 
-```
-┌────────────────────────────────────────────────────────┐
-│  Browser (index.html)                                  │
-│                                                        │
-│  <script src="config.js">                              │
-│    CONFIG, resolveTheme(), applyConfigColors()          │
-│                                                        │
-│  <script src="stix-config.js">                         │
-│    STIX_COMMON_PROPERTIES, STIX_VOCABULARIES,           │
-│    STIX_OBJECTS, STIX_RELATIONSHIP_DEFAULTS,            │
-│    getStixFieldsForType(), getStixTypeKeys(), etc.      │
-│                                                        │
-│  <script> (inline, lines ~2625-7415)                   │
-│    VERSION → SECURITY → METADATA → TYPE-MAPPING →      │
-│    ASSIGNMENTS → GROUPS → STATE → DATA →               │
-│    NAVIGATOR → VIEWS → THEME → COMPACT → TABS →        │
-│    ENTITIES → STIX-MANAGEMENT → STIX-EDITOR →          │
-│    DETAIL → DND → RENDERING → RELATIONSHIPS →          │
-│    STATS → EXPORT → IMPORT → DROPDOWN →                │
-│    META-EDITOR → MODALS → TOAST → INIT                 │
-│  </script>                                             │
-│                                                        │
-│  Static resources/ (6 JSON files)                      │
-│  Static frameworks/ (ATTCK JSON, CAPEC/CWE XML)        │
-└────────────────────────────────────────────────────────┘
-```
-
-**Key characteristics:**
-
-- All state is held in a single mutable `state` object.
-- All DOM manipulation uses `innerHTML` string building and direct `classList` toggling.
-- Security is enforced by a front-loaded `InputSecurity` object and event-level input guards.
-- Drag & drop uses HTML5 native API with a global `dragData` object.
-- Persistence is limited to `localStorage` for theme mode and compact mode.
-- STIX 2.1 SDO types and field definitions are externalized in `stix-config.js` (19 types, 20+ vocabularies).
-- Four entity types are supported: ATT&CK techniques, CAPEC patterns, CWE weaknesses, and STIX objects.
+- No bundler, no module system, global-scope runtime.
+- Mutable app state lives in a single `state` object.
+- Rendering is template-string + `innerHTML` driven, protected by strict sanitization and validator guards.
+- Companion scripts:
+  - `config.js` (theme/config/import behavior/debug toggles)
+  - `stix-config.js` (STIX SDO schemas + vocabularies + helpers)
+- Embedded views:
+  - `explorer.html`
+  - `stix-builder.html`
+- Local `file://` mode supports a hardened MessageChannel-based iframe bridge and shared-data broadcast path.
 
 ---
 
 ## 2. File Map
 
-| File | Role | Lines |
-|------|------|-------|
-| `config.js` | CONFIG object, `resolveTheme()`, `applyConfigColors()` | 254 |
-| `stix-config.js` | STIX 2.1 SDO definitions, vocabularies, helpers | 576 |
-| `index.html` | HTML structure (1–~2624), CSS (embedded), inline JS (~2625–7415) | 7,415 |
-| `resources/attack-techniques.json` | ATT&CK technique library | Fetched at runtime |
-| `resources/capec-full.json` | CAPEC pattern library | Fetched at runtime |
-| `resources/cwe-full.json` | CWE weakness library | Fetched at runtime |
-| `resources/technique-to-capec.json` | ATT&CK → CAPEC mapping | Fetched at runtime |
-| `resources/capec-to-technique.json` | CAPEC → ATT&CK mapping | Fetched at runtime |
-| `resources/cwe-to-capec.json` | CWE → CAPEC mapping | Fetched at runtime |
-| `resources/Nav_Layer_*.json` | ATT&CK Navigator layers (ENTERPRISE, ICS, MOBILE) | Loaded on demand |
-| `examples/stix-demo.json` | Full-featured STIX demo (all 19 SDO types) | Example |
-| `examples/Operation-Midnight-Eclipse-stix-bundle.json` | Exported STIX 2.1 bundle (25 SDOs + 18 SROs) | Example |
+| File | Role |
+|------|------|
+| `index.html` | Main UI, CSS, and inline runtime (monolith, ~10.5k lines total) |
+| `config.js` | App config, theme presets, feature flags, IPC debug/rate/bootstrap tuning |
+| `stix-config.js` | STIX common fields, vocabularies, 19 SDO type definitions, helper APIs |
+| `explorer.html` | Relationship Explorer iframe view |
+| `stix-builder.html` | STIX Composer iframe view (theme + local IPC aware) |
+| `resources/*.json` | Generated runtime datasets (ATT&CK/CAPEC/CWE + mappings + Navigator layers) |
 
 ---
 
-## 3. config.js — Configuration & Theme Engine
-
-**Source:** `config.js` (254 lines)
-
-### 3.1 `CONFIG` Object
-
-Top-level configuration constant. Properties:
-
-| Property | Type | Description |
-|----------|------|-------------|
-| `version` | `string` | Application version (`'2.7.0'`) |
-| `changelogUrl` | `string` | Path to CHANGELOG.md |
-| `sources.capec` | `{domains, mechanisms}` | Paths to CAPEC XML source files |
-| `sources.cwe` | `{hardware, software, all}` | Paths to CWE XML source files |
-| `sources.attack` | `{version, enterprise, mobile, ics}` | ATT&CK STIX bundle paths & version |
-| `sanitize.paths` | `string[]` | Glob patterns for JSON sanitization |
-| `stixTypes` | `Array<{value, label}>` | 19 STIX 2.1 SDO type definitions for UI dropdowns |
-| `phases` | `{in, through, out}` | Hex colors for kill chain super-phases |
-| `frameworks` | `{attack, capec, cwe}` | Hex colors for framework entity types |
-| `ui` | `object` | UI fallback colors (bg, text, border, accent) |
-| `metaIcons` | `object` | Metadata icon colors (CVE, observable, link, comment, confidence) |
-| `themes` | `{dark: {default: ...}, light: {default: ...}}` | Theme presets with ui + metaIcons overrides |
-| `themeDefaults` | `{mode, scheme}` | Default theme mode (`'light'`) and scheme (`'default'`) |
-| `themeMode` | `string` | Initial mode: `'light'`, `'dark'`, or `'auto'` |
-| `display` | `object` | Max lengths for names, descriptions, mitigations, references, custom items, kill chain description |
-| `navigation` | `{confirmOnLeave}` | Whether to show leave-site confirmation |
-
-#### `CONFIG.stixTypes`
-
-19 entries mapping STIX 2.1 SDO type names to human-readable labels:
-
-`attack-pattern`, `campaign`, `course-of-action`, `grouping`, `identity`, `indicator`, `infrastructure`, `intrusion-set`, `location`, `malware`, `malware-analysis`, `note`, `observed-data`, `opinion`, `report`, `threat-actor`, `tool`, `vulnerability`, `x-custom`.
-
-Used by `populateStixTypeDropdown()` and `VALID_STIX_TYPES` to constrain type selection.
-
-### 3.2 Functions
+## 3. What Changed Since v2.7.0
 
-#### `resolveTheme(mode?, scheme?) → ThemeObject`
+Major additions reflected in v2.9.0 runtime:
 
-**Line:** config.js:187  
-Merges the selected theme scheme's overrides with global CONFIG defaults.
-
-| Param | Type | Default | Description |
-|-------|------|---------|-------------|
-| `mode` | `string` | `CONFIG.themeDefaults.mode` | `'light'` or `'dark'` |
-| `scheme` | `string` | `CONFIG.themeDefaults.scheme` | Scheme name within the mode |
-
-**Returns:** `{ phases, frameworks, ui, metaIcons }` — fully resolved theme.
-
-#### `applyConfigColors(theme?) → void`
-
-**Line:** config.js:198  
-Sets CSS custom properties on `document.documentElement` from the resolved theme.
-
-| Param | Type | Default | Description |
-|-------|------|---------|-------------|
-| `theme` | `ThemeObject` | `resolveTheme()` | Pre-resolved theme, or auto-resolves |
-
-**Side effects:** Sets 20+ CSS custom properties (e.g. `--phase-in`, `--attack-color`, `--bg-dark`, `--meta-cve-bg`).
+1. **Local iframe IPC hardening**
+   - Channel-only bootstrap (`AF_IPC_PORT_INIT`) with per-frame nonce binding.
+   - Allowlisted message types and payload keys.
+   - Request rate-limiting (token bucket) and bounded bootstrap retry/backoff.
+2. **Shared dataset runtime cache**
+   - `window.getAttackFlowSharedData()` snapshot API with deep-frozen payload.
+   - Dataset shape + count + byte-size enforcement before cross-frame sharing.
+3. **Offline `file://` data path**
+   - Local folder/file selector flow for required `resources/*.json` files.
+   - Graceful bypass path if user continues without data.
+4. **Prototype pollution defenses expanded**
+   - `DANGEROUS_OBJECT_KEYS`, safe reviver parsing (`parseJsonSafe`), null-prototype object creation.
+5. **UI/runtime features**
+   - Global search subsystem with ranking and sticky/expanded modes.
+   - Kill-chain comment visibility controls (`showComments`, toggles).
+   - Rich phase details modal with averages/CVE rollups/mitigation aggregation.
+   - Optional STIX Builder navigation toggle (`CONFIG.navigation.showStixBuilder`).
+6. **STIX export evolution**
+   - Deterministic UUIDv5 IDs for ATT&CK techniques and mitigations in STIX bundle export.
 
 ---
 
-## 4. stix-config.js — STIX 2.1 Object Definitions
-
-**Source:** `stix-config.js` (576 lines)
-
-Externalizes all STIX 2.1 specification knowledge. Loaded via `<script src="stix-config.js">` before the inline block.
-
-### 4.1 `STIX_COMMON_PROPERTIES` — Object
-
-Defines fields present on **every** SDO per STIX 2.1 §3.1:
-
-**Required:** `type`, `spec_version`, `id`, `created`, `modified`  
-**Optional:** `created_by_ref`, `revoked`, `labels`, `confidence`, `lang`, `external_references`, `object_marking_refs`, `granular_markings`
-
-Each field is a descriptor: `{ key, label, type, description }`.
-
-### 4.2 `STIX_VOCABULARIES` — Object
+## 4. config.js — Configuration & Theme Engine
 
-20+ Open Vocabulary definitions from STIX 2.1 §10. Keys include:
+### 4.1 `CONFIG` Highlights (v2.9.0)
 
-| Vocabulary Key | Used By |
-|---------------|---------|
-| `attack-motivation-ov` | Threat Actor, Intrusion Set |
-| `attack-resource-level-ov` | Threat Actor, Intrusion Set |
-| `identity-class-ov` | Identity |
-| `indicator-type-ov` | Indicator |
-| `infrastructure-type-ov` | Infrastructure |
-| `malware-type-ov` | Malware |
-| `malware-capabilities-ov` | Malware |
-| `malware-result-ov` | Malware Analysis |
-| `opinion-enum` | Opinion |
-| `pattern-type-ov` | Indicator |
-| `report-type-ov` | Report |
-| `threat-actor-type-ov` | Threat Actor |
-| `threat-actor-role-ov` | Threat Actor |
-| `threat-actor-sophistication-ov` | Threat Actor |
-| `tool-type-ov` | Tool |
-| `region-ov` | Location |
-| `sectors-ov` | Identity |
-| `implementation-language-ov` | Malware |
-| `processor-architecture-ov` | Malware |
-| `grouping-context-ov` | Grouping |
+- `version: '2.9.0'`
+- `sources.attack.version: '18.1'`
+- `imports.clearStixOnBundleImport`, `imports.clearStixOnKillChainImport`
+- `navigation.confirmOnLeave`, `navigation.showStixBuilder`
+- `visualizer.enabled`
+- `ConfigIframeIPC.enableLocalIframeIPC`
+- `debugging.traceLocalIframeIPCLogs`
+- `debugging.localIframeIPCRateLimit.{enabled,refillPerSecond,burst}`
+- `debugging.localIframeIPCBootstrap.{timeoutMs,maxRetries,retryBaseDelayMs,retryBackoffMultiplier,maxRetryDelayMs,graceMs}`
 
-### 4.3 `STIX_OBJECTS` — Object
+### 4.2 Theme APIs
 
-19 SDO type definitions, each with:
-
-```js
-{
-  label: 'Human Name',
-  description: 'Short summary',
-  stixSpec: 'https://docs.oasis-open.org/cti/stix/v2.1/...',
-  required: [{ key, label, type, description, vocabulary?, placeholder? }],
-  optional: [{ key, label, type, description, vocabulary?, placeholder? }]
-}
-```
-
-**SDO types defined:** `attack-pattern`, `campaign`, `course-of-action`, `grouping`, `identity`, `indicator`, `infrastructure`, `intrusion-set`, `location`, `malware`, `malware-analysis`, `note`, `observed-data`, `opinion`, `report`, `threat-actor`, `tool`, `vulnerability`, `x-custom`.
-
-**Field types:** `string`, `text`, `identifier`, `timestamp`, `enum`, `open-vocab`, `list`, `list:open-vocab`, `integer`, `boolean`, `kill-chain-phases`, `external-references`, `dictionary`.
-
-### 4.4 `STIX_RELATIONSHIP_DEFAULTS` — Object
-
-Maps each SDO type to its default SRO relationship verb (e.g. `'malware' → 'uses'`, `'indicator' → 'indicates'`, `'course-of-action' → 'mitigates'`).
-
-### 4.5 Helper Functions
-
-| Function | Signature | Description |
-|----------|-----------|-------------|
-| `getStixFieldsForType(stixType)` | `string → { required, optional }` | Returns field descriptors for a type |
-| `getStixTypeKeys()` | `→ string[]` | Returns all SDO type keys |
-| `getStixTypeLabel(stixType)` | `string → string` | Returns human-readable label |
-| `getStixVocabulary(vocabKey)` | `string → string[]` | Returns vocabulary values |
+- `resolveTheme(mode?, scheme?)`
+  - Merges scheme overrides into configured defaults (`phases`, `frameworks`, `ui`, `metaIcons`).
+- `applyConfigColors(theme?)`
+  - Applies resolved colors to CSS custom properties on `document.documentElement`.
 
 ---
 
-## 5. Inline JS Sections (index.html)
-
-All line numbers below refer to `index.html`.
+## 5. stix-config.js — STIX 2.1 Object Definitions
 
----
+### 5.1 Core exports
 
-### 5.1 VERSION
+- `STIX_COMMON_PROPERTIES`
+- `STIX_VOCABULARIES`
+- `STIX_OBJECTS` (19 SDO types)
+- `STIX_RELATIONSHIP_DEFAULTS`
 
-**Lines:** ~2625–2643
+### 5.2 Helper functions
 
-#### `APP_VERSION`
+- `getStixFieldsForType(stixType)`
+- `getStixTypeKeys()`
+- `getStixTypeLabel(stixType)`
+- `getStixVocabulary(vocabKey)`
 
-**Type:** `let string`  
-Fallback `'2.4.2'`. Overwritten by `loadVersion()`.
+### 5.3 Notes
 
-#### `loadVersion() → Promise<void>`
-
-Fetches `CHANGELOG.md`, extracts the first `## [x.y.z]` match via regex, and sets both `APP_VERSION` and the `#app-version` element's text.
+- Field descriptor model is used dynamically by the inline STIX editor.
+- Supported field kinds include primitive, list/open-vocab, timestamp/identifier, and complex JSON-backed structures (`kill-chain-phases`, `external-references`, `dictionary`).
 
 ---
 
-### 5.2 INPUT SECURITY
-
-**Lines:** ~2647–3430
-
-#### `InputSecurity` — Object
+## 6. Inline JS Sections (index.html)
 
-Central security module. All methods are pure functions (no side effects).
+### 6.1 VERSION + INPUT SECURITY
 
-| Method | Signature | Description |
-|--------|-----------|-------------|
-| `escapeHtml(str)` | `string → string` | Escapes `& < > " '` to HTML entities |
-| `encodeHtmlEntities(str)` | `string → string` | Encodes to `&#xHH;` for all non-alphanumeric chars |
-| `normalize(str, maxLen?)` | `string, number? → string` | Strips control chars, NUL bytes, trims, truncates to `maxLen` (default 10000) |
-| `sanitize(str, maxLen?)` | `string, number? → string` | `normalize()` + `escapeHtml()` |
-| `sanitizeAttr(str, maxLen?)` | `string, number? → string` | `normalize()` + `encodeHtmlEntities()` for safe attribute values |
+- `APP_VERSION` initialized fallback, updated by `loadVersion()` from `CHANGELOG.md`.
+- `InputSecurity` object provides:
+  - output encoding (`escapeHtml`, `sanitizeAttr`)
+  - normalization/sanitize helpers
+  - validators (CVE/CVSS/hash/IP/domain/url/filename)
+  - `validateObservable(type, value)` dispatch
+- Input guard stack (`applyInputGuards`) covers:
+  - `keydown`, `beforeinput`, `paste`, `drop`, `input`
+- Added sanitizer primitives:
+  - `normalizeUserInput(text, maxLength, allowNewlines)`
+  - `sanitizeUserInputText(text, allowNewlines)`
+  - `sanitizeForStorage(text, maxLength)`
+- Prototype pollution defenses:
+  - `DANGEROUS_OBJECT_KEYS`
+  - `isDangerousObjectKey`, `createSafeObject`, `hasOwn`, `parseJsonSafe`
+  - recursive loader sanitizer `stripAngleBracketsFromJson`
 
-#### `InputSecurity.validators` — Object
+### 6.2 METADATA + TYPE MAPPING + ASSIGNMENT/GROUP LOGIC
 
-Each validator returns `{ valid: boolean, error?: string }`.
+- Metadata normalization now handles `cveEntries`, legacy `cveId`/`cveIds`, and optional `cves` payloads.
+- Confidence buckets changed to:
+  - labels: `Unknown / Low / Medium / High`
+  - classes: `unknown / low / medium / high`
+- Assignment instance IDs now use `itm-...` format (`createAssignmentInstanceId`).
+- Type constants:
+  - `TYPE_KEYS`, `TAG_CLASSES`, `TYPE_LABELS`, `ALL_ENTITY_TYPES`
+  - `STIX_ID_PATTERN`, `VALID_STIX_TYPES`
+- STIX ID helpers:
+  - `generateUUID`, `generateStixId`
+  - deterministic UUIDv5 stack: `uuidv5`, `sha1Bytes`, `mitigationStixId`, `techniqueStixId`
+- Group/assignment utilities:
+  - `ensurePhaseLayout`, `extractAssignmentInstance`, `moveGroupBetweenPhases`, `findAssignment`, `updateAssignmentMetadata`
 
-| Validator | Pattern / Logic |
-|-----------|----------------|
-| `ipv4(v)` | `/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/` + octet 0–255 check |
-| `ipv6(v)` | `/^[0-9a-fA-F:]+$/` + length ≤ 45 |
-| `md5(v)` | `/^[a-fA-F0-9]{32}$/` |
-| `sha1(v)` | `/^[a-fA-F0-9]{40}$/` |
-| `sha256(v)` | `/^[a-fA-F0-9]{64}$/` |
-| `domain(v)` | `/^[a-zA-Z0-9][a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/` + length ≤ 253 |
-| `url(v)` | `/^https?:\/\//` + `new URL()` check |
-| `cveId(v)` | `/^CVE-\d{4}-\d{4,}$/` |
-| `cvssVector(v)` | CVSS 3.0/3.1 vector pattern |
-| `filename(v)` | `/^[a-zA-Z0-9._-]+$/` + no `..` |
-| `text(v)` | Always valid (passthrough) |
+### 6.3 STATE + PHASE MODEL + CORE HELPERS
 
-#### `validateObservable(type, value) → ValidationResult`
+`state` now includes:
 
-**Line:** ~2790  
-Dispatches to the correct validator based on observable type string. Maps `'ipv4-addr'` → `ipv4`, `'file-hash-md5'` → `md5`, etc. Falls back to `text` for `'threat-actor'`, `'other'`, and `'email-addr'`.
+- `showComments`
+- `relationshipExpanded: Set`
+- global search flags: `globalSearch`, `globalSearchOpen`, `globalSearchExpanded`, `globalSearchSticky`
 
-#### Helper Aliases
+Kill chain model updates:
 
-| Name | Line | Value |
-|------|------|-------|
-| `esc(str)` | 2795 | Alias for `InputSecurity.escapeHtml` |
-| `escAttr(str)` | 2796 | Alias for `InputSecurity.sanitizeAttr` |
-| `BLOCKED_INPUT_CHARS` | 2797 | `Set` of 10 chars: `< > { } [ ] ; \` " '` |
+- IN super-phase uses `resource-development` (not weaponization).
+- IN command phase key is `command-control`.
+- `KILL_CHAIN` totals remain 18 phases.
 
-#### Input Guard Functions
+Title/description helpers:
 
-| Function | Line | Description |
-|----------|------|-------------|
-| `isTextInputElement(el)` | 2799 | Returns `true` if `el` is `<input>`, `<textarea>`, or `contentEditable` |
-| `sanitizeUserInputText(str, maxLen?)` | 2801 | Strips blocked chars, trims, truncates |
-| `sanitizeForStorage(str, maxLen?)` | 2808 | `sanitizeUserInputText` + `InputSecurity.normalize` |
-| `truncateAtBoundary(str, maxLen)` | 2814 | Truncates at word boundary if possible |
-| `applyInputGuards()` | 2818 | Attaches 5 event listeners to `document` (keydown, beforeinput, paste, drop, input) |
+- `commitKillChainTitle`, `syncTitleToDOM`
+- `commitKillChainDescription`, `syncDescriptionToDOM`
+- `toggleDescriptionPanel`, `updateDescriptionHint`, `updateDescriptionCounter`
 
-#### `stripAngleBracketsFromJson(obj) → object`
-
-**Line:** 2908  
-Recursively walks a parsed JSON object and replaces `<` → `&lt;`, `>` → `&gt;` in all string values. Used on every external data load.
-
----
+### 6.4 DATA LOADING (SHARED CACHE + OFFLINE MODE)
 
-### 5.3 METADATA HELPERS
+Core datasets are centralized via `SHARED_DATA_ENDPOINTS` and `loadSharedLibraryData(forceReload?)`.
 
-**Lines:** ~3432–3545
+Key APIs:
 
-#### `createDefaultMetadata() → Metadata`
+- `getSharedDataCache()`
+- `fetchJsonResource(resourcePath)`
+- `promptOfflineResourceFiles(requiredFileNames)`
+- `enableOfflineResourceSelectionUI(message)`
+- `hideLoadingOverlay()`
+- `window.getAttackFlowSharedData(options)`
 
-**Line:** 2928  
-Returns a fresh metadata object:
+Behavior:
 
-```js
-{ score: 'unclassified', confidence: null, comments: '',
-  cveEntries: [], cveId: '', cveIds: [], hyperlinks: [], observables: [] }
-```
+- HTTP context: standard `fetch` path.
+- `file://` context: local file selection and cloned JSON store.
+- shared dataset validated for schema + limits before reuse/broadcast.
 
-#### `getCveEntries(metadata) → CveEntry[]`
+### 6.5 LOCAL IFRAME IPC BRIDGE
 
-**Line:** 2946  
-Returns `metadata.cveEntries` if present, otherwise builds entries from legacy `cveIds`/`cveId` fields.
+IPC constants and constraints:
 
-#### `getCveList(metadata) → string[]`
+- inbound request types: `AF_REQUEST_THEME`, `AF_REQUEST_SHARED_DATA`
+- bootstrap type: `AF_IPC_PORT_INIT`
+- response types: `AF_THEME_SYNC`, `AF_SHARED_DATA`
+- allowlisted payload keys and per-frame nonce checks
 
-**Line:** 2960  
-Convenience wrapper: `getCveEntries(metadata).map(e => e.id)`.
+Main bridge functions:
 
-#### `normalizeCveMetadata(metadata) → void`
+- enable/trace/config:
+  - `isLocalIframeIPCEnabled`, `isLocalIframeIPCTraceEnabled`
+  - `getLocalIframeIPCRateLimitConfig`, `getLocalIframeIPCBootstrapConfig`
+- channel management:
+  - `createLocalIPCNonce`, `setupIPCChannelForFrame`, `clearIPCFrameChannel`
+  - `scheduleIPCChannelBootstrapRetry`, `sendIPCMessageViaChannel`
+- data safety:
+  - `buildImmutableSharedDataPayload`, `validateSharedDatasetShape`
+  - `enforceSharedDatasetLimits`, `estimateJsonByteSize`, `deepFreeze`
+- broadcasting:
+  - `broadcastThemeToEmbeddedViews`
+  - `broadcastSharedDataToExplorer`
+  - `initEmbeddedMessageBridge`
 
-**Line:** 2964  
-Mutates metadata to ensure `cveEntries`, `cveIds`, and `cveId` are all in sync (idempotent).
+### 6.6 NAVIGATOR / TECHNIQUE IMPORTS
 
-#### `getConfidenceLabel(value) → string`
+- `IMPORT_LIMITS` (25MB max, max techniques, strict ATT&CK ID regex)
+- Manual list and CSV-like quick import path:
+  - `parseTechniqueIdInput`, `applyTechniqueList`, `submitCsvImport`
+  - modal helpers `openCsvImportModal`, `closeCsvImportModal`
+- Navigator file import:
+  - `importNavigator(event)` with schema/ID validation
+  - base-library restoration helpers: `ensureBaseTechniquesLoaded`, `resetAttackTechniques`
 
-**Line:** 2984  
-Maps a 0–100 integer to a label: `'Low'` (1–25), `'Medium'` (26–50), `'High'` (51–75), `'Very High'` (76–100), `'Unknown'` (0 or null).
+### 6.7 VIEWS + THEME + COMPACT + COMMENTS
 
-#### `getConfidenceClass(value) → string`
+- View switching supports: `killchain`, `relationship`, `explorer`, `stix-builder`
+- STIX Builder visibility is config-gated via `isStixBuilderEnabled` + `applyNavigationConfig`.
+- Theme runtime:
+  - `getPreferredThemeMode`, `normalizeThemeMode`, `normalizeThemeScheme`
+  - `applyTheme`, `updateThemeControls`, `toggleThemeMode`, `initThemeControls`, `syncThemeFromStorage`
+- Compact/runtime controls:
+  - `setCompactMode`, `toggleCompactMode`, `toggleHideEmpty`, `applyCompactLayout`
+- Comment controls:
+  - `updateCommentsControls`, `toggleItemComment`, `toggleAllComments`
 
-**Line:** 2992  
-Maps a 0–100 integer to a CSS class: `'confidence-low'`, `'confidence-medium'`, `'confidence-high'`, `'confidence-very-high'`, or `''`.
+### 6.8 GLOBAL SEARCH + TAB/FILTER CONTROLS
 
-#### `assignmentInstanceCounter`
+Global search subsystem:
 
-**Line:** 3000  
-`let` counter, starts at 0. Monotonically incrementing.
+- `setGlobalSearch`, `openGlobalSearch`, `closeGlobalSearch`
+- `toggleGlobalSearchExpanded`, `setGlobalSearchSticky`, `updateGlobalSearchUI`, `initGlobalSearch`
+- ranking and results:
+  - `rankGlobalEntity`, `buildGlobalSearchResults`, `renderGlobalSearchResults`
+  - `openGlobalSearchResult`, `matchesGlobalSearch`
 
-#### `createAssignmentInstanceId() → string`
+Tab/filter helpers:
 
-**Line:** 3001  
-Returns `'inst-' + Date.now() + '-' + (++counter)`.
+- `switchTab(tab)`
+- `setFilter(type, filter)`
+- `parseCommaIdList(raw, pattern, prefix)`
 
-#### `migrateAssignment(a) → Assignment`
+### 6.9 ENTITY LIST, STIX LIBRARY, STIX EDITOR
 
-**Line:** 3003  
-Normalizes legacy (bare-string) assignments to `{ id, metadata, instanceId }` objects. Idempotent.
+Entity listing:
 
----
+- `filterEntities(type)` now integrates local search + global search + ID-list parsing.
+- `isEntityAssigned(type, id)` scans grouped and ungrouped phase allocations.
 
-### 5.4 TYPE MAPPING CONSTANTS
+STIX bundle import/library:
 
-**Lines:** ~3547–3620
+- `STIX_BUNDLE_IMPORT_LIMITS`
+- `importStixBundle(event)`
+- `sanitizeStixBundleObject(obj, stixType, stixId)`
+- `clearStixLibrary()`
 
-#### `TYPE_KEYS` — Object
+STIX create/edit flows:
 
-Canonical mapping from entity type string to assignment array key:
+- `populateStixTypeDropdown`, `toggleCustomTypeName`
+- `openCreateCustomModal`, `closeCreateCustomModal`, `createCustomItem`, `deleteCustomItem`
+- editor modal:
+  - `openStixEditor`, `closeStixEditor`, `saveStixEditor`
+  - field builders: `buildStixReadonlyField`, `buildStixTextField`, `buildStixTextareaField`, `buildStixFieldFromSpec`
 
-```js
-{ attack: 'techniques', capec: 'capecs', cwe: 'cwes', custom: 'customItems' }
-```
+### 6.10 DETAIL VIEWS, DND, KILL CHAIN, RELATIONSHIPS
 
-#### `TAG_CLASSES` — Object
+Detail and explorer integration:
+
+- `renderDescriptionWithBadges` converts ATT&CK markdown links to explorer badges.
+- `selectEntity`, `buildEntityDetail`, `buildStixPropertySummary`, `buildMetadataSummary`
+- `openEntityModal`, `closeEntityModal`, `showDetail`, `closeDetail`
+- `openMitigationExplorer`, `openEntityExplorer`
 
-CSS class mapping: `{ attack: 'technique-tag', capec: 'capec-tag', cwe: 'cwe-tag', custom: 'custom-tag' }`.
+DND:
 
-#### `TYPE_LABELS` — Object
+- `dragData` tracks source/type/instance/group context.
+- `handleDragStart`, `handleDragEnd`, `handleDragOver`, `handleDragLeave`, `handleDrop`
+- `handleAssignmentDragStart`, `handleGroupDragStart`, `handleGroupDrop`
 
-Display labels: `{ attack: 'ATT&CK', capec: 'CAPEC', cwe: 'CWE', custom: 'STIX' }`.
+Kill chain renderer:
 
-#### `ALL_ENTITY_TYPES` — Array
+- `renderKillChain` uses `phaseData.layout` for stable ordering.
+- `renderEntityTag` includes score + metadata icon cluster + optional inline comments panel.
 
-Computed: `['attack', 'capec', 'cwe', 'custom']`.
+Relationship renderer:
 
-#### `STIX_ID_PATTERN` — RegExp
+- `renderRelationshipView` builds CAPEC↔CWE↔ATT&CK↔Phase↔Mitigation rows.
+- `expandRelationshipMitigations(chainId)` supports incremental expansion.
 
-`/^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/`
+### 6.11 PHASE DETAILS MODAL + STATS
 
-Validates STIX 2.1 identifier format: `{type}--{UUIDv4}`.
+Phase details pipeline:
 
-#### `VALID_STIX_TYPES` — Set
+- `buildPhaseDetails(phaseKey)`
+- `getPhaseItemRelationships(type, id)`
+- `getPhaseAverages(itemsByType)`
+- `buildPhaseCveEntries(itemsByType)`
+- `buildPhaseMitigations(itemsByType)`
+- rendering helpers:
+  - `renderPhaseMitigationSection`
+  - `renderPhaseCveSection`
+  - `renderPhaseDetailsSection`
+- modal controls:
+  - `openPhaseDetails(phaseKey)`
+  - `closePhaseDetails(event)`
 
-Built from `CONFIG.stixTypes`: `Set(['attack-pattern', 'campaign', ..., 'x-custom'])` (19 entries).
+Stats and utility:
 
-#### `STIX_RELATIONSHIP_MAP` — Object
+- `renderStats`
+- `togglePhase`
+- `removeAssignment`
+- `expandAll`, `collapseAll`, `clearAssignments`
 
-Maps SDO type → default SRO relationship verb. Used by `buildSTIXBundle()` for auto-generating SROs.
+### 6.12 EXPORT / IMPORT (JSON, CSV, STIX)
 
-#### `generateUUID() → string`
+Export:
 
-Returns a UUIDv4 string using `Math.random()`.
+- `exportJSON()` emits `killchain-export-lite` + embedded `stixBundle` when present.
+- `buildSTIXBundle()` now includes:
+  - custom SDOs
+  - deterministic ATT&CK `attack-pattern` SDOs
+  - deterministic mitigation `course-of-action` SDOs
+  - generated `relationship` SROs (`mitigates` + co-location relations)
+- `addRelationship(...)`
+- `exportSTIXBundle()`
+- `exportCSV()` with formula-injection hardening (`sanitizeForCsv` prefix guard)
 
-#### `generateStixId(stixType) → string`
+Import:
 
-Returns `"{stixType}--{uuid}"` — a spec-compliant STIX identifier.
+- `KILLCHAIN_IMPORT_LIMITS`
+- `validateKillChainImport(data)`
+- `sanitizeImportedString`, `sanitizeAssignmentMetadata`
+- `sanitizeImportedAssignment`, `sanitizeImportedCustomAssignment`
+- `sanitizeImportedData(data)`
+- `ensureAssignmentShape`, `ensureLibraryFallbacks`
+- `importKillChain(event)`
 
----
+### 6.13 METADATA EDITOR + MODALS + INIT
 
-### 5.5 ASSIGNMENT & PHASE LOGIC
+Metadata editor:
 
-**Lines:** ~3620–3830
+- `openMetadataEditor`, `closeMetadataEditor`
+- `selectScore`, `updateConfidenceLabel`
+- `addCveRow`, `addHyperlinkRow`, `addObservableRow`
+- `saveMetadata()` validates CVE/CVSS/URL/observable formats before update
 
-#### `getAssignmentId(a) → string`
+Modals + app shell:
 
-Returns `a.id || a.entityId || a` (supports both new-format objects and legacy string IDs).
+- usage/changelog: `showUsageGuide`, `closeUsageGuide`, `showChangelog`, `closeChangelog`
+- dropdown helpers: `toggleDropdown`, `closeDropdowns`
+- `showToast`, `renderAll`, `enableLeaveSiteConfirmation`
 
-#### `getAssignmentMetadata(a) → Metadata`
+Initialization order:
 
-Returns `a.metadata` if present, otherwise `createDefaultMetadata()`.
-
-#### `getAssignmentInstanceId(a) → string|null`
-
-Returns `a.instanceId` or `null`.
-
-#### Phase Item Accessors
-
-| Function | Description |
-|----------|-------------|
-| `getPhaseUngroupedItems(phaseData, type)` | Returns `phaseData[key]` array (techniques/capecs/cwes) |
-| `getPhaseGroupedItems(phaseData, type)` | Returns items from `phaseData.groups[*].items` matching `type` |
-| `getAllPhaseItemsByType(phaseData, type)` | Union of ungrouped + grouped items for the given type |
-
-#### `ensurePhaseLayout(phaseKey, phaseData) → void`
-
-**Line:** ~3060  
-Synchronizes `phaseData.layout` with the actual items and groups. Adds missing layout entries, removes orphaned ones. Layout entries are `{ kind: 'item', type, instanceId }` or `{ kind: 'group', groupId }`.
+1. `initThemeControls()`
+2. `logLocalIframeIPCSplash('index')`
+3. `updateLoadingContextInfo()`
+4. storage listener for theme sync
+5. leave-site confirmation (config-gated)
+6. `initEmbeddedMessageBridge()`
+7. `applyNavigationConfig()`
+8. `initAssignments()`
+9. `initCompactMode()`
+10. resize listener for compact layout
+11. `applyInputGuards()`
+12. `initGlobalSearch()`
+13. `populateStixTypeDropdown()`
+14. `loadVersion()`
+15. `loadData()`
 
 ---
 
-### 5.6 GROUP MANAGEMENT
-
-**Lines:** ~3640–3830
+## 7. Data Types & Shapes
 
-| Function | Signature | Description |
-|----------|-----------|-------------|
-| `generateGroupId()` | `→ string` | Returns `'grp-' + Date.now() + '-' + random` |
-| `createGroup(phaseKey)` | `string → void` | Creates an empty group in the phase, adds to layout, re-renders |
-| `toggleGroupCollapse(phaseKey, groupId)` | `string, string → void` | Toggles `group.collapsed`, re-renders |
-| `startRenameGroup(phaseKey, groupId)` | `string, string → void` | Sets `group.editing = true`, re-renders, auto-focuses input |
-| `commitRenameGroup(phaseKey, groupId, newLabel, cancelled?)` | `string, string, string, boolean? → void` | Sanitizes label, sets `group.editing = false`, re-renders |
-| `removeGroup(phaseKey, groupId)` | `string, string → void` | Confirms via `window.confirm`, moves group items back to ungrouped, removes group, re-renders |
-| `extractAssignmentInstance(phaseKey, type, instanceId)` | `string, string, string → Assignment\|null` | Removes an assignment from ungrouped or grouped items, cleans layout, returns removed item |
-| `moveGroupBetweenPhases(fromPhase, toPhase, groupId)` | `string, string, string → void` | Moves an entire group from one phase to another, updates layout in both |
-
----
-
-### 5.7 CONSTANTS & STATE
-
-**Lines:** ~3830–3980
-
-#### `SCORE_LEVELS` — Object
+### 7.1 Assignment
 
 ```js
 {
-  unclassified: { label: 'Unclassified', color: '#71717a', bgColor: 'rgba(113,113,122,0.15)' },
-  low:          { label: 'Low',          color: '#22c55e', bgColor: 'rgba(34,197,94,0.15)' },
-  medium:       { label: 'Medium',       color: '#eab308', bgColor: 'rgba(234,179,8,0.15)' },
-  high:         { label: 'High',         color: '#f97316', bgColor: 'rgba(249,115,22,0.15)' },
-  critical:     { label: 'Critical',     color: '#ef4444', bgColor: 'rgba(239,68,68,0.15)' }
-}
-```
-
-#### `OBSERVABLE_TYPES` — Array
-
-10 entries with `{ value, label }`:
-`ipv4-addr`, `ipv6-addr`, `domain-name`, `url`, `file-hash-md5`, `file-hash-sha1`, `file-hash-sha256`, `file-name`, `email-addr`, `threat-actor`.
-
-#### `state` — Object (Mutable Global State)
-
-| Property | Type | Initial Value | Description |
-|----------|------|---------------|-------------|
-| `view` | `string` | `'killchain'` | Active view: `'killchain'`, `'relationship'`, `'explorer'` |
-| `layers` | `object` | `{attack:true, capec:true, cwe:true, custom:true}` | Visibility toggles per entity type |
-| `hideEmpty` | `boolean` | `false` | Whether to hide empty phases |
-| `compactMode` | `boolean` | `false` | Whether compact layout is active |
-| `activeTab` | `string` | `'attack'` | Active sidebar tab |
-| `filters` | `object` | `{attack:'all', capec:'all', cwe:'all', custom:'all'}` | Filter selections per tab |
-| `library` | `object` | `{techniques:{}, capecs:{}, cwes:{}, custom:{}}` | Loaded entity libraries (keyed by ID) |
-| `techniqueToCapec` | `object` | `{}` | `T1234 → ['CAPEC-123', ...]` mapping |
-| `cweToCapec` | `object` | `{}` | `CWE-79 → ['CAPEC-86', ...]` mapping |
-| `capecToTechnique` | `object` | `{}` | `CAPEC-123 → ['T1234', ...]` mapping |
-| `assignments` | `object` | `{}` | Phase → PhaseData mapping (18 phases) |
-| `title` | `string` | `''` | Editable kill chain title (max 200 chars) |
-| `description` | `string` | `''` | Editable kill chain description (max 2000 chars, configurable) |
-| `selection` | `object` | `{type:null, id:null}` | Currently selected entity |
-
-`state.library.custom` stores STIX objects keyed by their STIX ID (e.g. `malware--uuid`). Each value is a `StixLibraryEntry`.
-
-#### `KILL_CHAIN` — Object
-
-Defines the Unified Kill Chain structure with 3 super-phases and 18 phases:
-
-| Super-Phase | Phases (8 + 6 + 4) |
-|-------------|---------------------|
-| `IN` | reconnaissance, weaponization, delivery, social-engineering, exploitation, persistence, defense-evasion, command-and-control |
-| `THROUGH` | pivoting, discovery, privilege-escalation, execution, credential-access, lateral-movement |
-| `OUT` | collection, exfiltration, impact, objectives |
-
-#### `ALL_PHASES` — Array
-
-**Line:** ~3356  
-Computed: `['IN:reconnaissance', 'IN:weaponization', ..., 'OUT:objectives']` — 18 entries.
-
-#### `formatPhaseName(phaseId) → string`
-
-Converts `'social-engineering'` → `'Social Engineering'`.
-
-#### `initAssignments() → void`
-
-Initializes `state.assignments` with empty `PhaseData` for each of the 18 phases. Each phase gets `{ techniques: [], capecs: [], cwes: [], customItems: [], groups: [], layout: [] }`. Also resets `state.title` and `state.description` to `''` and syncs the DOM.
-
-#### `commitKillChainTitle(el) → void`
-
-Sanitizes the title input value via `sanitizeForStorage()`, caps at `CONFIG.display.maxTitleLength`, and stores in `state.title`.
-
-#### `syncTitleToDOM() → void`
-
-Sets the `#kill-chain-title` input's value from `state.title`.
-
-#### `commitKillChainDescription(el) → void`
-
-Sanitizes the description textarea value via `sanitizeForStorage()`, caps at `CONFIG.display.maxKillChainDescLength` (default 2000), stores in `state.description`, and updates the hint + counter.
-
-#### `syncDescriptionToDOM() → void`
-
-Sets the `#kc-desc-textarea` value from `state.description`, updates the collapsed hint text and character counter, and collapses the panel.
-
-#### `toggleDescriptionPanel() → void`
-
-Toggles the `.open` class on `#kc-desc-bar`, triggering the CSS `max-height` transition.
-
-#### `updateDescriptionHint() → void`
-
-Updates the `#kc-desc-hint` element with a truncated preview (first 80 chars + ellipsis) or "— none" when empty. Only visible when the panel is collapsed.
-
-#### `updateDescriptionCounter() → void`
-
-Updates the `#kc-desc-counter` element with `{current} / {max}` character count.
-
----
-
-### 5.8 DATA LOADING
-
-**Lines:** ~3980–4000
-
-#### `loadData() → Promise<void>`
-
-Fetches 6 JSON resources in parallel:
-1. `resources/attack-techniques.json` → `state.library.techniques`
-2. `resources/capec-full.json` → `state.library.capecs`
-3. `resources/cwe-full.json` → `state.library.cwes`
-4. `resources/technique-to-capec.json` → `state.techniqueToCapec`
-5. `resources/capec-to-technique.json` → `state.capecToTechnique`
-6. `resources/cwe-to-capec.json` → `state.cweToCapec`
-
-All responses are passed through `stripAngleBracketsFromJson()` before assignment. Calls `renderAll()` on success. Shows toast on error.
-
-#### `loadNavigator(domain) → Promise<void>`
-
-**Line:** ~3397  
-Fetches `resources/Nav_Layer_${DOMAIN}.json`, adds techniques not already in library. Shows toast with counts.
-
----
-
-### 5.9 NAVIGATOR IMPORT
-
-**Lines:** ~4055–4160
-
-#### `IMPORT_LIMITS` — Object
-
-```js
-{ maxFileSize: 25*1024*1024, maxTechniques: 5000,
-  maxStringLength: 500, techniqueIdPattern: /^T\d{4}(\.\d{3})?$/ }
-```
-
-#### `importNavigator(event) → void`
-
-File input handler. Validates file size, parses JSON, validates each technique ID, adds valid techniques to library. Shows toast with stats. Tagged `KCE-SEC-003`.
-
-#### `detectDomain(techId) → string`
-
-Returns `'ics'` if starts with `T0`, `'mobile'` if numeric part 1398–1665, else `'enterprise'`.
-
-#### `getTechniqueName(techId) → string`
-
-Looks up name in `state.library.techniques`, falls back to `'Technique Txxxx'`.
-
----
-
-### 5.10 VIEW & LAYER CONTROLS
-
-**Lines:** ~4162–4210
-
-#### `setView(view) → void`
-
-Switches between `'killchain'`, `'relationship'`, and `'explorer'` views. Toggles visibility of containers, buttons, stats bar, legend. Calls `renderRelationshipView()` if entering relationship view. Updates compact/hide-empty controls.
-
-#### `toggleSidebar() → void`
-
-Toggles `sidebar-collapsed` class on `.app`.
-
-#### `toggleLayer(layer) → void`
-
-Toggles `state.layers[layer]` from checkbox state, re-renders kill chain and relationship view. Supports four layers: `attack`, `capec`, `cwe`, `custom` (STIX).
-
----
-
-### 5.11 THEME RUNTIME
-
-**Lines:** ~4210–4300
-
-#### Storage Constants
-
-| Name | Value |
-|------|-------|
-| `THEME_STORAGE_KEYS.mode` | `'af-theme-mode'` |
-| `COMPACT_STORAGE_KEY` | `'af-compact-mode'` |
-
-#### `currentTheme` — Object
-
-`{ mode: string, scheme: string }` — tracks the active theme state.
-
-| Function | Signature | Description |
-|----------|-----------|-------------|
-| `getPreferredThemeMode()` | `→ string` | Returns configured mode, or OS preference if `'auto'` |
-| `normalizeThemeMode(mode)` | `string → string` | Clamps to `'light'` or `'dark'` |
-| `normalizeThemeScheme(mode, scheme)` | `string, string → string` | Falls back to `'default'` if scheme doesn't exist |
-| `applyTheme(mode, scheme, persist?)` | `string, string, boolean → void` | Resolves theme, calls `applyConfigColors()`, sets `data-theme`, persists to localStorage |
-| `updateThemeControls()` | `→ void` | Updates toggle button text |
-| `toggleThemeMode()` | `→ void` | Flips light ↔ dark |
-| `initThemeControls()` | `→ void` | Reads localStorage, applies initial theme |
-| `syncThemeFromStorage()` | `→ void` | Syncs theme if another tab changed localStorage |
-
----
-
-### 5.12 COMPACT MODE
-
-**Lines:** ~4300–4410
-
-| Function | Signature | Description |
-|----------|-----------|-------------|
-| `updateHideEmptyControl()` | `→ void` | Toggles `.active` on btn, disables if compact |
-| `updateCompactControls()` | `→ void` | Toggles `.active`, updates button text |
-| `setCompactMode(enabled, persist?)` | `boolean, boolean? → void` | Sets state, forces `hideEmpty`, toggles classes, persists, re-renders |
-| `toggleCompactMode()` | `→ void` | Inverts `state.compactMode` |
-| `initCompactMode()` | `→ void` | Reads localStorage, sets initial state |
-| `applyCompactLayout()` | `→ void` | Adds `compact-scroll` class if kill chain overflows |
-| `toggleHideEmpty()` | `→ void` | Blocked if compact mode, else toggles `state.hideEmpty` and re-renders |
-
----
-
-### 5.13 TAB & FILTER CONTROLS
-
-**Lines:** ~4412–4430
-
-#### `switchTab(tab) → void`
-
-Sets `state.activeTab`, toggles `.active` on sidebar tabs and panels. Supports tabs: `attack`, `capec`, `cwe`, `custom`.
-
-#### `setFilter(type, filter) → void`
-
-Sets `state.filters[type]`, toggles `.active` on filter buttons, calls `filterEntities(type)`.
-
----
-
-### 5.14 ENTITY LIST RENDERING
-
-**Lines:** ~4431–4573
-
-#### `filterEntities(type) → void`
-
-Reads search input and filter state, filters the entity library (`techniques`, `capecs`, `cwes`, or `custom`), builds HTML for up to 100 results, sets `listEl.innerHTML`. Each entity item is `draggable` with inline `ondragstart` / `ondragend` / `onclick` handlers.
-
-**Filters by type:**
-- `attack`: search by id/name, filter by domain
-- `capec`: search by id/name, filter by abstraction level
-- `cwe`: search by id/name, filter by abstraction level
-- `custom` (STIX): search by id/name, filter by STIX SDO type dropdown
-
-#### `isEntityAssigned(type, id) → boolean`
-
-Iterates all phases checking whether entity is assigned anywhere. Supports all four entity types.
-
----
-
-### 5.15 STIX ITEM MANAGEMENT
-
-**Lines:** ~4573–4890
-
-Manages STIX 2.1 Domain Object (SDO) lifecycle: creation, deletion, bundle import.
-
-#### `STIX_BUNDLE_IMPORT_LIMITS` — Object
-
-```js
-{ maxFileSize: 25*1024*1024, maxObjects: 5000,
-  maxStringLength: 5000, maxListItems: 100,
-  maxNameLength: 200, maxDescLength: 10000 }
-```
-
-#### `importStixBundle(event) → void`
-
-File input handler for STIX 2.1 bundle JSON. Pipeline:
-1. Validate file size (≤25 MB)
-2. Parse JSON, pass through `stripAngleBracketsFromJson()`
-3. Validate top-level bundle structure (`type: 'bundle'`, `objects` array)
-4. Enforce object count limit (5,000)
-5. For each object: validate type is SDO (skip `relationship`, `sighting`, `marking-definition`), validate STIX ID format, verify ID prefix matches type, check for duplicates
-6. Sanitize via `sanitizeStixBundleObject()`
-7. Store in `state.library.custom`, show toast with import stats
-
-#### `sanitizeStixBundleObject(obj, stixType, stixId) → StixLibraryEntry|null`
-
-Sanitizes a single STIX bundle object:
-- Sanitizes `name`, `description`, `labels` (core fields)
-- Imports spec-defined fields by consulting `STIX_OBJECTS[stixType]` from `stix-config.js`
-- Field-type-aware sanitization: booleans, integers, lists, strings/text/timestamps
-- All strings pass through `sanitizeImportedString()`
-
-#### `populateStixTypeDropdown() → void`
-
-Populates `#custom-stix-type` select and `#filter-custom-type` filter from `CONFIG.stixTypes`.
-
-#### `toggleCustomTypeName() → void`
-
-Shows/hides the custom type name input when `x-custom` type is selected.
-
-#### `openCreateCustomModal() → void`
-
-Opens the Create STIX Item modal, initializes all form fields.
-
-#### `closeCreateCustomModal(event?) → void`
-
-Closes the modal (only if click is on overlay itself).
-
-#### `createCustomItem() → void`
-
-Creates a new STIX object. Validates STIX type against `VALID_STIX_TYPES`, sanitizes name/description/labels via `sanitizeForStorage()`, generates a STIX ID via `generateStixId()`, stores in `state.library.custom`.
-
-#### `deleteCustomItem(id) → void`
-
-Confirms via `window.confirm`, removes from `state.library.custom` and all phase assignments (ungrouped `customItems` + group items), re-renders.
-
----
-
-### 5.16 STIX EDITOR MODAL
-
-**Lines:** ~4890–5165
-
-Full-featured modal editor for STIX object properties, driven by `stix-config.js` type definitions.
-
-#### `currentStixEdit` — Object (Mutable)
-
-`{ id, phaseKey, instanceId }` — tracks which STIX item is being edited.
-
-#### `openStixEditor(id, phaseKey?, instanceId?) → void`
-
-Opens the Edit STIX Item modal. Dynamically builds form fields:
-1. **Identity section** (read-only): ID, Type, Created, Modified
-2. **Core Properties**: Name, Description, Labels, Custom Type Name (x-custom only)
-3. **Required Fields**: From `STIX_OBJECTS[type].required` (excluding core)
-4. **Optional Fields**: From `STIX_OBJECTS[type].optional` (excluding core)
-
-Field rendering is delegated to `buildStixFieldFromSpec()` which handles all STIX field types.
-
-#### `closeStixEditor(event?) → void`
-
-Closes modal, clears `currentStixEdit`.
-
-#### `saveStixEditor() → void`
-
-Reads all form fields, validates name (required), sanitizes all values with `sanitizeForStorage()`, updates `item.modified` timestamp, re-renders.
-
-Field types are handled per spec:
-- `boolean` → checkbox state
-- `integer` → `parseInt`, `NaN` → `undefined`
-- `list` / `list:open-vocab` → comma-split, sanitize each entry
-- All others → `sanitizeForStorage(rawVal, 2000)`
-
-#### STIX Editor Field Builders
-
-| Function | Description |
-|----------|-------------|
-| `buildStixReadonlyField(label, value)` | Read-only input with label |
-| `buildStixTextField(id, label, value, required, maxLen, placeholder)` | Text input |
-| `buildStixTextareaField(id, label, value, required, maxLen, placeholder)` | Textarea |
-| `buildStixFieldFromSpec(field, item, required)` | Dynamic field builder — handles all STIX field types: `string`, `text`, `enum`, `open-vocab`, `list`, `list:open-vocab`, `integer`, `boolean`, `timestamp`, `identifier`, `kill-chain-phases`, `external-references`, `dictionary` |
-
-#### `getEntityName(type, id) → string`
-
-Returns display name for any entity type. For `custom`, returns `state.library.custom[id]?.name`.
-
-#### `buildStixPropertySummary(id) → string`
-
-Builds HTML summary of STIX spec-defined properties (non-core) that have values. Used in the entity detail modal to display STIX-specific fields below the standard metadata.
-
----
-
-### 5.17 SELECTION & DETAIL PANEL
-
-**Lines:** ~5166–5540
-
-#### `selectEntity(type, id) → void`
-
-Sets `state.selection`, refreshes entity list, shows detail panel.
-
-#### `buildEntityDetail(type, id) → { id, name, html }`
-
-Builds HTML detail view for ATT&CK technique, CAPEC pattern, CWE weakness, or STIX object. Includes:
-- Description, attributes, related entities
-- Mitigations (ATT&CK only, max 8 shown)
-- References with safe URL validation (`https?://`)
-- Cross-entity navigation (`onclick` → `selectEntity`)
-- External links to MITRE websites
-
-#### `buildMetadataSummary(type, id, phaseKey?, instanceId?) → string`
-
-Builds HTML for metadata display: score, confidence, CVE entries, comments, hyperlinks, observables. For STIX items, also calls `buildStixPropertySummary()` to display spec-defined fields. Used inside entity modal.
-
-#### `openEntityModal(type, id, phaseKey?, instanceId?) → void`
-
-Populates and shows the entity detail modal. Combines `buildEntityDetail` + `buildMetadataSummary`.
-
-#### `closeEntityModal(event?) → void`
-
-Hides modal. Only closes if click is on overlay itself (not children).
-
-#### `showDetail(type, id) → void`
-
-Shows the side detail panel (not modal) with entity detail HTML.
-
-#### `closeDetail() → void`
-
-Hides detail panel, clears selection.
-
-#### `findEntityPhase(type, id) → string|null`
-
-Searches all phases to find which phase an entity is assigned to. Returns the phase key or `null`.
-
-#### `openMitigationExplorer(mitigationId) → void`
-
-**Line:** ~3760  
-Validates mitigation ID format, loads `explorer.html?mitigation=...` in the explorer iframe, switches to explorer view.
-
-#### `openEntityExplorer(type, id) → void`
-
-**Line:** ~3773  
-Similar to above but for `entity=type:id`.
-
----
-
-### 5.18 DRAG & DROP
-
-**Lines:** ~5538–5690
-
-#### `dragData` — Object (Mutable)
-
-```js
-{ kind: null, type: null, id: null, fromPhase: null,
-  instanceId: null, groupId: null, sourceGroupId: null }
-```
-
-| Function | Signature | Description |
-|----------|-----------|-------------|
-| `handleDragStart(event, type, id)` | Sidebar entity drag start. Sets `dragData.kind='item'`, highlights phases. Works for all 4 types including `custom`. |
-| `handleDragEnd(event)` | Removes drag styling and clears `dragData`. |
-| `handleDragOver(event)` | Prevents default, sets drop effect, adds background highlight. |
-| `handleDragLeave(event)` | Removes background highlight. |
-| `handleDrop(event, phaseKey)` | Phase drop handler. Routes to `moveGroupBetweenPhases` for groups, else adds/moves assignment. Creates new assignment with `createDefaultMetadata()` or preserves metadata from source. Re-renders. |
-| `handleAssignmentDragStart(event, type, id, phaseKey, instanceId, sourceGroupId)` | Drag start for already-assigned entities. Sets `dragData.fromPhase`. |
-| `handleGroupDragStart(event, phaseKey, groupId)` | Group drag start. Sets `dragData.kind='group'`. |
-| `handleGroupDrop(event, phaseKey, groupId)` | Drop into a group. Extracts from source, adds to target group. |
-
----
-
-### 5.19 KILL CHAIN RENDERING
-
-**Lines:** ~5687–5915
-
-#### `renderKillChain() → void`
-
-The main rendering function. Iterates `KILL_CHAIN` → super-phases → phases, builds the full HTML string for the kill chain view. For each phase:
-
-1. Counts visible items per layer
-2. Applies hide-empty / compact logic
-3. Iterates `phaseData.layout` for ordered rendering
-4. Calls `renderEntityTag()` for ungrouped items
-5. Builds group containers with drag/rename/delete controls
-6. Calls `renderEntityTag()` for grouped items
-7. Sets `container.innerHTML`, then calls `renderStats()` and `applyCompactLayout()`
-
-#### `renderEntityTag(type, id, name, metadata, phaseKey, instanceId, sourceGroupId?) → string`
-
-**Line:** ~4558  
-Builds HTML for a single entity tag (technique, CAPEC, CWE, or STIX object). Features:
-- Score-based `data-score` attribute for CSS styling
-- STIX type badge for custom items (e.g. `malware`, `threat-actor`)
-- Domain badge (ENT/MOB/ICS) for ATT&CK techniques
-- Metadata icons: CVE, observables, links, comments, confidence
-- Compact mode: hides name, shows metadata icons in header
-- Action buttons: remove, explore, edit metadata (or edit STIX for custom items)
-- Drag handlers for reassignment
-
----
-
-### 5.20 RELATIONSHIP VIEW
-
-**Lines:** ~5915–6097
-
-#### `renderRelationshipView() → void`
-
-Builds relationship chains from assigned CAPECs. For each phase:
-1. Finds assigned CAPECs and their related CWEs + techniques
-2. Finds assigned techniques without CAPECs (partial chains)
-3. Renders 4-column rows: CAPEC → CWE → ATT&CK → Phase
-
----
-
-### 5.21 STATS & UTILITIES
-
-**Lines:** ~6097–6170
-
-#### `renderStats() → void`
-
-Counts unique techniques, CAPECs, CWEs, STIX items, and phases used across all assignments. Updates `#stats-bar` innerHTML.
-
-#### `togglePhase(header) → void`
-
-Toggles `.minimized` class on the phase element (collapse/expand).
-
-#### `removeAssignment(type, id, phaseKey, instanceId) → void`
-
-Confirms via `window.confirm`, removes from ungrouped array or group items, cleans layout, re-renders.
-
-#### `expandAll() / collapseAll() → void`
-
-Expands/collapses all `.phase` elements.
-
-#### `clearAssignments() → void`
-
-Calls `initAssignments()`, re-renders everything.
-
----
-
-### 5.22 EXPORT (JSON / CSV / STIX Bundle)
-
-**Lines:** ~6110–6260 (JSON/STIX), ~6790–6980 (CSV)
-
-#### `exportJSON() → void`
-
-Creates a JSON blob with: `version`, `schema: 'killchain-export-lite'`, `exportedAt`, `title`, `view`, `activeTab`, `filters`, `layers`, `hideEmpty`, `assignments`, `selection`, `customLibrary`. If STIX items exist, also embeds a `stixBundle` via `buildSTIXBundle()`. Downloads as `{title}-slug.json`.
-
-#### `buildSTIXBundle() → StixBundle`
-
-Generates a STIX 2.1 bundle object from the current state:
-1. Adds SDOs from `state.library.custom` (type, spec_version, id, created, modified, name, description, labels)
-2. Generates SRO relationships for co-located STIX items in the same phase or group
-3. Uses `STIX_RELATIONSHIP_MAP` for relationship type selection
-4. Deduplicates relationships via Set
-
-Returns: `{ type: 'bundle', id: 'bundle--uuid', spec_version: '2.1', objects: [...] }`
-
-#### `addRelationship(objects, seen, sourceId, targetId, phaseKey, timestamp) → void`
-
-Helper for `buildSTIXBundle()`. Creates an SRO relationship object between two SDOs, with deduplication.
-
-#### `exportSTIXBundle() → void`
-
-Standalone STIX bundle export (no kill chain state). Calls `buildSTIXBundle()`, downloads as `{title}-stix-bundle.json`.
-
-#### `exportCSV() → void`
-
-Builds a CSV with columns: Type, ID, Name, Score, Confidence, CVE(s), Comments, + one column per phase (X/blank). Includes STIX items. Applies CSV formula injection protection (prefixes `=+-@\t\r` with `'`). Downloads as `attack-chain-export.csv`.
-
----
-
-### 5.23 IMPORT (Kill Chain)
-
-**Lines:** ~6260–6980
-
-#### `triggerImportKillChain() → void`
-
-Clicks the hidden `#import-killchain-input` file input.
-
-#### `ensureAssignmentShape(assignments) → void`
-
-Post-import normalization. Ensures all phases have `groups`, `layout`, `customItems`, and migrated assignments. Calls `migrateAssignment()`, `ensurePhaseLayout()` for each phase.
-
-#### `ensureLibraryFallbacks(assignments) → void`
-
-For all assigned entity IDs not in the library, creates placeholder entries. Covers techniques, CAPECs, CWEs, and STIX custom items (creates `StixLibraryEntry` placeholders with type inferred from STIX ID prefix).
-
-#### `KILLCHAIN_IMPORT_LIMITS` — Object
-
-```js
-{ maxFileSize: 5*1024*1024, maxAssignmentsPerPhase: 500,
-  maxHyperlinks: 50, maxObservables: 100, maxStringLength: 5000 }
-```
-
-#### `validateKillChainImport(data) → { valid, error? }`
-
-Structural validation: checks object shape, `assignments` object, schema version format, phase key format, array types, count limits.
-
-#### `sanitizeImportedString(str, maxLength?) → string`
-
-Strips control chars, `<script>` tags, event handlers (`onX=`), blocked chars, SQL comments. Encodes angle brackets. Truncates.
-
-#### `sanitizeImportedAssignment(assignment) → Assignment|null`
-
-Deep sanitization of a single assignment. Validates ID format (`T\d{4}`, `CAPEC-\d+`, `CWE-\d+`). Sanitizes score (enum), confidence (0–100), CVE entries (format + CVSS vector validation), comments, hyperlinks (URL protocol check), observables (type whitelist). Returns `null` for invalid.
-
-#### `sanitizeImportedCustomAssignment(assignment) → Assignment|null`
-
-Deep sanitization of a STIX custom item assignment. Validates STIX ID format via `STIX_ID_PATTERN`, verifies STIX type prefix against `VALID_STIX_TYPES`. Sanitizes metadata via shared `sanitizeAssignmentMetadata()`. Returns `null` for invalid.
-
-#### `sanitizeAssignmentMetadata(assignment) → Metadata`
-
-Shared metadata sanitization for both standard and STIX assignments. Validates score enum, confidence range, CVE entries (format + CVSS vectors), comments, hyperlinks (URL protocol), observables (type whitelist).
-
-#### `sanitizeImportedData(data) → SanitizedData`
-
-Orchestrates full sanitization of imported JSON. Processes assignments (techniques, capecs, cwes, customItems), groups, custom library, and optional view state (layers including `custom`, hideEmpty, view, activeTab including `custom`).
-
-For `customLibrary`, validates each entry:
-- STIX ID format validation
-- STIX type against `VALID_STIX_TYPES`
-- Name, description, labels sanitized
-- Spec-defined properties preserved from `STIX_OBJECTS` definitions (boolean, integer, list, string types)
-- Max 500 custom items
-
-#### `importKillChain(event) → void`
-
-File input handler. Pipeline: parse JSON → `stripAngleBracketsFromJson` → `validateKillChainImport` → `sanitizeImportedData` → `initAssignments` → merge → restore custom library → `ensureAssignmentShape` → `ensureLibraryFallbacks` → restore UI state → `renderAll`.
-
----
-
-### 5.24 DROPDOWN UTILS
-
-**Lines:** ~6981–7003
-
-#### `toggleDropdown(id) → void`
-
-Closes all dropdowns, then opens the targeted one (toggle).
-
-#### `closeDropdowns() → void`
-
-Removes `.open` from all `.dropdown` elements.
-
-**Global listener:** `document.addEventListener('click', ...)` — closes dropdowns on outside click.
-
----
-
-### 5.25 METADATA EDITOR
-
-**Lines:** ~7004–7313
-
-#### `currentMetadataEdit` — Object (Mutable)
-
-`{ type, id, phaseKey, instanceId }` — tracks which assignment is being edited.
-
-| Function | Signature | Description |
-|----------|-----------|-------------|
-| `openMetadataEditor(type, id, phaseKey, instanceId)` | Opens the metadata editor modal, populates all fields from current metadata |
-| `closeMetadataEditor(event?)` | Hides modal, clears `currentMetadataEdit` |
-| `selectScore(value)` | Toggles `.selected` on score option buttons |
-| `updateConfidenceLabel(value)` | Updates confidence slider label text and CSS class |
-| `addCveRow(id?, score?, vector?)` | Appends a CVE input row to `#cve-list` |
-| `addHyperlinkRow(label?, url?)` | Appends a hyperlink input row to `#hyperlink-list` |
-| `addObservableRow(type?, value?)` | Appends an observable input row with type dropdown to `#observable-list` |
-| `saveMetadata()` | Reads all form fields, validates (CVEs, observables), calls `updateAssignmentMetadata()`, re-renders |
-
-**Validation in `saveMetadata()`:**
-- CVE IDs: validated via `InputSecurity.validators.cveId`
-- CVSS scores: 0–10 range check
-- CVSS vectors: validated via `InputSecurity.validators.cvssVector`
-- URLs: validated via `InputSecurity.validators.url`
-- Observables: validated via `InputSecurity.validateObservable`
-- All text fields sanitized via `sanitizeForStorage()`
-
----
-
-### 5.26 MODALS (Usage Guide / Changelog)
-
-**Lines:** ~7313–7374
-
-| Function | Description |
-|----------|-------------|
-| `showUsageGuide()` | Shows `#usage-guide-modal` |
-| `closeUsageGuide(event?)` | Hides if click is on overlay |
-| `showChangelog()` | Fetches `CHANGELOG.md`, shows content in `#changelog-modal` |
-| `closeChangelog(event?)` | Hides if click is on overlay |
-
-**Global listener:** `document.addEventListener('keydown', ...)` — Escape closes all modals.
-
----
-
-### 5.27 TOAST NOTIFICATIONS
-
-**Line:** ~7365
-
-#### `showToast(message) → void`
-
-Sets `#toast` text, adds `.show` class, removes after 2500ms via `setTimeout`.
-
----
-
-### 5.28 INITIALIZATION
-
-**Lines:** ~7385–7415
-
-Executed immediately (no DOMContentLoaded wrapper — script is at end of `<body>`):
-
-1. `initThemeControls()` — apply saved/default theme
-2. `window.addEventListener('storage', ...)` — cross-tab theme sync
-3. `enableLeaveSiteConfirmation()` — unless `CONFIG.navigation.confirmOnLeave === false`
-4. `initAssignments()` — create empty phase data for all 18 phases
-5. `initCompactMode()` — restore compact mode from localStorage
-6. `window.addEventListener('resize', ...)` — reapply compact layout on resize
-7. `applyInputGuards()` — attach security event listeners
-8. `populateStixTypeDropdown()` — populate STIX type selects from CONFIG
-9. `loadVersion()` — fetch version from CHANGELOG.md
-10. `loadData()` — fetch all 6 JSON resources, render UI
-
----
-
-## 6. Data Types & Shapes
-
-### Assignment (new format)
-
-```js
-{
-  id: 'T1566',                    // Entity ID
-  metadata: Metadata,             // See below
-  instanceId: 'inst-1706...-1'    // Unique per-assignment instance
+  id: 'T1566',
+  metadata: Metadata,
+  instanceId: 'itm-lk5u0h-12'
 }
 ```
 
-### Assignment (legacy format — handled by migrateAssignment)
-
-```js
-'T1566'   // Bare string, auto-migrated on load
-```
-
-### Metadata
+### 7.2 Metadata
 
 ```js
 {
-  score: 'unclassified',          // 'unclassified' | 'low' | 'medium' | 'high' | 'critical'
-  confidence: null,               // null | 0-100
-  comments: '',                   // Free text
-  cveEntries: [                   // Primary CVE storage (v2.5+)
-    { id: 'CVE-2024-12345', score: 7.8, vector: 'CVSS:3.1/...' }
-  ],
-  cveId: 'CVE-2024-12345',       // Legacy: first CVE ID
-  cveIds: ['CVE-2024-12345'],    // Legacy: all CVE IDs
-  hyperlinks: [                   // External links
-    { label: 'Advisory', url: 'https://...' }
-  ],
-  observables: [                  // IOCs / observables
-    { type: 'ipv4-addr', value: '10.0.0.1' }
-  ]
+  score: 'unclassified',            // unclassified|low|medium|high|critical
+  confidence: null,                 // null or 1..100
+  comments: '',
+  cveEntries: [{ id, score, vector }],
+  cveId: '',
+  cveIds: [],
+  hyperlinks: [{ label, url }],
+  observables: [{ type, value }]
 }
 ```
 
-### PhaseData
+### 7.3 PhaseData
 
 ```js
 {
-  techniques: [Assignment, ...],  // ATT&CK assignments
-  capecs: [Assignment, ...],      // CAPEC assignments
-  cwes: [Assignment, ...],        // CWE assignments
-  customItems: [Assignment, ...], // STIX object assignments
-  groups: [Group, ...],           // Named groups
-  layout: [LayoutEntry, ...]      // Render order
+  techniques: Assignment[],
+  capecs: Assignment[],
+  cwes: Assignment[],
+  customItems: Assignment[],
+  groups: Group[],
+  layout: LayoutEntry[]
 }
 ```
 
-### Group
+### 7.4 Group / GroupItem / LayoutEntry
 
 ```js
 {
-  groupId: 'grp-1706...-abc',
+  groupId: 'grp-lk5u0h-abc12',
   label: 'Initial Access',
   collapsed: false,
-  editing: false,                 // Transient: true during rename
-  items: [GroupItem, ...]         // Assignments with type
+  items: GroupItem[]
 }
-```
 
-### GroupItem (extends Assignment)
+// GroupItem = Assignment + type
+{ id, metadata, instanceId, type: 'attack'|'capec'|'cwe'|'custom' }
 
-```js
-{
-  id: 'T1566',
-  metadata: Metadata,
-  instanceId: 'inst-...',
-  type: 'attack'                  // 'attack' | 'capec' | 'cwe' | 'custom'
-}
-```
-
-### LayoutEntry
-
-```js
-// Item entry
-{ kind: 'item', type: 'attack', instanceId: 'inst-...' }
-
-// Group entry
+// Layout entries
+{ kind: 'item', type: 'attack', instanceId: 'itm-...' }
 { kind: 'group', groupId: 'grp-...' }
 ```
 
-### CveEntry
-
-```js
-{ id: 'CVE-2024-12345', score: 7.8, vector: 'CVSS:3.1/AV:N/AC:L/...' }
-```
-
-### Library Entities
-
-```js
-// ATT&CK Technique
-{
-  id: 'T1566', name: 'Phishing', domain: 'enterprise',
-  description: '...', tactics: ['initial-access'],
-  platforms: ['Windows', 'macOS'], isSubtechnique: false,
-  parentTechnique: null, version: '1.0',
-  mitigations: [{ id: 'M1054', name: '...', description: '...' }],
-  references: [{ name: '...', url: '...' }],
-  detection: '...'
-}
-
-// CAPEC Pattern
-{
-  id: 'CAPEC-98', name: 'Phishing', description: '...',
-  severity: 'High', likelihood: 'Medium', abstraction: 'Meta',
-  techniques: ['T1566'], cwes: ['CWE-451']
-}
-
-// CWE Weakness
-{
-  id: 'CWE-79', name: 'Cross-site Scripting', description: '...',
-  abstraction: 'Base', capecs: ['CAPEC-86']
-}
-```
-
-### StixLibraryEntry (STIX Domain Object)
+### 7.5 Shared Data Payload (IPC)
 
 ```js
 {
-  id: 'malware--a1b2c3d4-...',       // STIX 2.1 ID
-  stixType: 'malware',                // SDO type
-  name: 'Emotet',                     // Display name
-  description: 'Banking trojan...',   // Optional description
-  labels: ['trojan', 'botnet'],       // Optional labels
-  customTypeName: '',                 // Only for x-custom type
-  created: '2026-01-15T12:00:00Z',   // ISO 8601
-  modified: '2026-02-09T10:30:00Z',  // ISO 8601
-  // ... additional spec-defined fields per STIX_OBJECTS[stixType]
-  is_family: true,                    // Example: malware-specific field
-  malware_types: ['trojan'],          // Example: list:open-vocab field
-  first_seen: '2014-01-01T00:00:00Z' // Example: timestamp field
+  attack: { [techId]: Technique },
+  capecPatterns: { [capecId]: Capec },
+  cweWeaknesses: { [cweId]: Cwe },
+  techniqueToCapec: { [techId]: string[] },
+  capecToTechnique: { [capecId]: string[] },
+  cweToCapec: { [cweId]: string[] }
 }
 ```
 
-Spec-defined fields are dynamic — the set depends on `stixType` and is determined by `STIX_OBJECTS` in `stix-config.js`.
-
-### STIX Bundle (Export)
+### 7.6 Export Schema (`killchain-export-lite`)
 
 ```js
 {
-  type: 'bundle',
-  id: 'bundle--uuid',
-  spec_version: '2.1',
-  objects: [
-    { type: 'malware', spec_version: '2.1', id: 'malware--...', ... },
-    { type: 'threat-actor', spec_version: '2.1', id: 'threat-actor--...', ... },
-    { type: 'relationship', spec_version: '2.1', id: 'relationship--...',
-      relationship_type: 'uses', source_ref: '...', target_ref: '...',
-      description: 'Co-located in phase IN:exploitation' }
-  ]
-}
-```
-
-### Export Schema (`killchain-export-lite`)
-
-```js
-{
-  version: '2.7.0',
+  version: '2.9.0',
   schema: 'killchain-export-lite',
-  exportedAt: '2026-02-09T12:00:00.000Z',
-  title: 'APT29 Analysis',
-  description: 'Analysis of APT29 intrusion...',  // Optional, defaults to ''
-  view: 'killchain',
-  activeTab: 'attack',
-  filters: { attack: 'all', capec: 'all', cwe: 'all', custom: 'all' },
-  layers: { attack: true, capec: true, cwe: true, custom: true },
-  hideEmpty: false,
-  assignments: { 'IN:reconnaissance': PhaseData, ... },
-  selection: { type: null, id: null },
-  customLibrary: { 'malware--uuid': StixLibraryEntry, ... },
-  stixBundle: { type: 'bundle', id: 'bundle--...', ... }  // Embedded if custom items exist
+  exportedAt: 'ISO-8601',
+  title: '',
+  description: '',
+  view: 'killchain'|'relationship'|'explorer'|'stix-builder',
+  activeTab: 'attack'|'capec'|'cwe'|'custom',
+  filters: { attack, capec, cwe, custom },
+  layers: { attack, capec, cwe, custom },
+  hideEmpty: boolean,
+  assignments: { [phaseKey]: PhaseData },
+  selection: { type, id },
+  customLibrary: { [stixId]: StixLibraryEntry },
+  stixBundle?: StixBundle
 }
 ```
 
 ---
 
-## 7. Global Event Listeners
-
-| Event | Target | Handler | Description |
-|-------|--------|---------|-------------|
-| `click` | `document` | Inline closure | Closes dropdowns when clicking outside |
-| `keydown` | `document` | Inline closure | Escape key closes all modals (including STIX editor, create-custom) |
-| `storage` | `window` | Inline closure | Syncs theme from localStorage across tabs |
-| `resize` | `window` | Inline closure | Reapplies compact layout |
-| `beforeunload` | `window` | `enableLeaveSiteConfirmation` inner | Leave-site confirmation |
-| `keydown` | `document` | `applyInputGuards` inner | Blocks chars in `BLOCKED_INPUT_CHARS` for text inputs |
-| `beforeinput` | `document` | `applyInputGuards` inner | Secondary blocker for `insertText` events |
-| `paste` | `document` | `applyInputGuards` inner | Sanitizes pasted text, replacing blocked chars |
-| `drop` | `document` | `applyInputGuards` inner | Sanitizes dropped text |
-| `input` | `document` | `applyInputGuards` inner | Post-hoc enforcement, strips blocked chars from value |
-
-**Inline HTML event handlers** (used in rendered HTML strings):
-- `onclick` — entity selection, modal open, group toggle, score select, STIX editor open, custom item create/delete, etc.
-- `ondragstart` / `ondragend` / `ondragover` / `ondragleave` / `ondrop` — drag & drop (all 4 entity types)
-- `onblur` / `onkeydown` — group rename input
-- `oninput` — confidence slider
-- `onchange` — STIX type dropdown, custom type toggle
-
----
-
 ## 8. Security Model
 
-### Defense-in-Depth Layers
-
-1. **Output Encoding** (`InputSecurity.escapeHtml`, `InputSecurity.sanitizeAttr`)  
-   All dynamic values rendered into HTML pass through `esc()` or `escAttr()` before insertion into `innerHTML` strings. This includes STIX object names, descriptions, labels, and all spec-defined fields.
+Defense-in-depth implementation in v2.9.0:
 
-2. **Input Guards** (`applyInputGuards`)  
-   5 document-level event listeners block dangerous characters at keystroke, paste, and drop time for all text inputs, including STIX editor fields.
+1. **Input blocking + normalization** on all text-entry paths.
+2. **Output encoding** before template insertion (`esc`, `escAttr`, entity encoding).
+3. **Safe JSON parsing** using reviver to strip `__proto__` / `constructor` / `prototype`.
+4. **Null-prototype object construction** for untrusted accumulator objects.
+5. **Import validation + limit enforcement** (file size/count/shape/ID formats).
+6. **IPC allowlisting + nonce checks + channel-only messaging + throttling**.
+7. **Shared payload immutability** via deep clone + deep freeze before iframe handoff.
+8. **URL protocol allowlist** (`http`/`https`) for rendered external links.
+9. **CSV formula injection prevention** by prefixing risky leading characters.
 
-3. **Storage Sanitization** (`sanitizeForStorage`, `sanitizeUserInputText`)  
-   Text entering metadata is stripped of blocked chars and normalized before being stored in `state`.
-
-4. **Import Sanitization** (`sanitizeImportedAssignment`, `sanitizeImportedData`, `sanitizeImportedString`)  
-   All imported JSON data is recursively sanitized: ID format validation, score enum validation, URL protocol checks, string sanitization, count limits.
+---
 
-5. **STIX Bundle Import Sanitization** (`sanitizeStixBundleObject`, `importStixBundle`)  
-   Dedicated defense layer for STIX 2.1 bundle imports:
-   - `STIX_BUNDLE_IMPORT_LIMITS`: max 500 objects per bundle, max 50 000 char string length.
-   - STIX ID format validation via `STIX_ID_PATTERN` regex.
-   - Type validation against `VALID_STIX_TYPES` (19 SDO types).
-   - Per-object sanitization: all string values escaped, nested objects recursively cleaned.
-   - Relationship objects are silently skipped (only SDOs accepted).
-   - Custom assignment metadata (`sanitizeImportedCustomAssignment`) validates score, confidence, and sub-arrays.
+## 9. Global Event Listeners
 
-6. **Data Load Sanitization** (`stripAngleBracketsFromJson`)  
-   All fetched JSON resources have `<>` replaced with entities recursively.
+Primary listeners include:
 
-7. **File Size Limits** (`IMPORT_LIMITS`, `KILLCHAIN_IMPORT_LIMITS`)  
-   Navigator imports: 25 MB max. Kill chain imports: 5 MB max.
+- `window.storage` (theme sync)
+- `window.beforeunload` (optional leave confirmation)
+- `window.message` (channel bootstrap guard)
+- `window.resize` (compact layout)
+- `document.click` (dropdown close + global search close)
+- `document.keydown` (escape handling + input guard)
+- `document.beforeinput` / `paste` / `drop` / `input` (input hardening)
+- iframe `load` handlers for explorer and STIX builder channel setup
 
-8. **URL Validation**  
-   External links only render if they match `^https?:\/\/`. No `javascript:` or `data:` URLs.
+---
 
-9. **CSV Formula Injection** (`sanitizeForCsv` in `exportCSV`)  
-   Cells starting with `=+-@\t\r` are prefixed with `'`.
+## 10. Module Mapping (Current → v3.0)
 
-### Security Tags
+Suggested split of current monolith:
 
-Functions tagged with `KCE-SEC-XXX` comments:
-- `KCE-SEC-003` — Navigator import validation
-- `KCE-SEC-004` — CSV formula injection prevention
+- **`af-security.js`**
+  - InputSecurity validators/sanitizers, parse-safe JSON, import sanitizer helpers.
+- **`af-core.js`**
+  - State model, phase model, assignment/group helpers, metadata helpers.
+- **`af-data.js`**
+  - Shared-data loader/cache, offline file-mode loader, dataset limit enforcement.
+- **`af-ipc.js`**
+  - Local iframe bridge, channel bootstrap, nonce/rate-limit logic, broadcast helpers.
+- **`af-ui.js`**
+  - Rendering pipelines (killchain/relationships/details), DnD, global search, modals.
+- **`af-io.js`**
+  - JSON/CSV/STIX export+import, schema migration and sanitization.
 
 ---
 
-## 9. Module Mapping (Current → v3.0)
+## 11. Function Index Reference
 
-This table maps the current monolithic code to the planned 5-module structure defined in `DETACH.md`. Includes STIX additions.
+For a comprehensive, maintainable function inventory (grouped by file and subsystem), see:
 
-| Planned Module | Current Code (index.html lines) | Key Functions |
-|----------------|--------------------------------|---------------|
-| **stix-config.js** | Standalone file (576 lines) | `STIX_COMMON_PROPERTIES`, `STIX_VOCABULARIES`, `STIX_OBJECTS`, `STIX_RELATIONSHIP_DEFAULTS`, `getStixFieldsForType()`, `getStixTypeKeys()`, `getStixTypeLabel()`, `getStixVocabulary()` |
-| **af-security.js** | ~2647–2924 | `InputSecurity`, `esc()`, `escAttr()`, `BLOCKED_INPUT_CHARS`, `isTextInputElement()`, `sanitizeUserInputText()`, `sanitizeForStorage()`, `truncateAtBoundary()`, `applyInputGuards()`, `stripAngleBracketsFromJson()` |
-| **af-core.js** | ~2624–2643, ~2928–3620 | `APP_VERSION`, `loadVersion()`, `createDefaultMetadata()`, `getCveEntries()`, `getCveList()`, `normalizeCveMetadata()`, `getConfidenceLabel()`, `getConfidenceClass()`, `createAssignmentInstanceId()`, `migrateAssignment()`, `getAssignmentId()`, `getAssignmentMetadata()`, `getAssignmentInstanceId()`, phase item accessors, `ensurePhaseLayout()`, group management, `findAssignment()`, `updateAssignmentMetadata()`, `SCORE_LEVELS`, `OBSERVABLE_TYPES`, `state`, `KILL_CHAIN`, `ALL_PHASES`, `formatPhaseName()`, `initAssignments()`, `loadData()`, `loadNavigator()`, `detectDomain()`, `getTechniqueName()`, `TYPE_KEYS`, `TAG_CLASSES`, `TYPE_LABELS`, `ALL_ENTITY_TYPES`, `STIX_ID_PATTERN`, `VALID_STIX_TYPES`, `STIX_RELATIONSHIP_MAP`, `generateUUID()`, `generateStixId()` |
-| **af-ui.js** | ~3625–5165 | `setView()`, `toggleSidebar()`, `toggleLayer()`, theme functions, compact mode functions, `switchTab()`, `setFilter()`, `filterEntities()`, `selectEntity()`, `buildEntityDetail()`, `buildMetadataSummary()`, `buildStixPropertySummary()`, `openEntityModal()`, `showDetail()`, `closeDetail()`, `findEntityPhase()`, `openMitigationExplorer()`, `openEntityExplorer()`, all drag handlers, `renderKillChain()`, `renderEntityTag()`, `renderRelationshipView()`, `renderStats()`, `togglePhase()`, `removeAssignment()`, `expandAll()`, `collapseAll()`, `clearAssignments()`, `openStixEditor()`, `closeStixEditor()`, `saveStixEditor()`, `buildStixFieldFromSpec()`, `buildStixTextField()`, `buildStixTextareaField()`, `buildStixReadonlyField()`, `getEntityName()`, `populateStixTypeDropdown()`, `toggleCustomTypeName()`, `openCreateCustomModal()`, `closeCreateCustomModal()`, `createCustomItem()`, `deleteCustomItem()` |
-| **af-io.js** | ~5165–5600 | `exportJSON()`, `exportCSV()`, `buildSTIXBundle()`, `addRelationship()`, `exportSTIXBundle()`, `triggerImportKillChain()`, `ensureAssignmentShape()`, `ensureLibraryFallbacks()`, `KILLCHAIN_IMPORT_LIMITS`, `validateKillChainImport()`, `sanitizeImportedString()`, `sanitizeImportedAssignment()`, `sanitizeImportedCustomAssignment()`, `sanitizeAssignmentMetadata()`, `sanitizeImportedData()`, `importKillChain()`, `importStixBundle()`, `sanitizeStixBundleObject()`, `STIX_BUNDLE_IMPORT_LIMITS`, `IMPORT_LIMITS`, `importNavigator()` |
-| **af-app.js** | ~5600–7415 | `toggleDropdown()`, `closeDropdowns()`, `currentMetadataEdit`, `currentStixEdit`, `openMetadataEditor()`, `closeMetadataEditor()`, `selectScore()`, `updateConfidenceLabel()`, `addCveRow()`, `addHyperlinkRow()`, `addObservableRow()`, `saveMetadata()`, `showUsageGuide()`, `closeUsageGuide()`, `showChangelog()`, `closeChangelog()`, `showToast()`, `renderAll()`, `enableLeaveSiteConfirmation()`, initialization block |
+- **`docs/FUNCTION_INDEX.md`**
+- **`docs/FUNCTION_INDEX.generated.md`** (auto-generated inventory)
 
----
+This index is intentionally line-agnostic to reduce churn while remaining onboarding-friendly for maintainers.
+
+Refresh generated index with:
 
-## Function Index (Alphabetical)
-
-| Function | Section | Line (approx.) |
-|----------|---------|-----------------|
-| `addCveRow` | Metadata Editor | ~5465 |
-| `addHyperlinkRow` | Metadata Editor | ~5500 |
-| `addObservableRow` | Metadata Editor | ~5520 |
-| `addRelationship` | Export (STIX Bundle) | ~5250 |
-| `applyCompactLayout` | Compact Mode | ~3740 |
-| `applyConfigColors` | config.js | 198 |
-| `applyInputGuards` | Input Security | ~2818 |
-| `applyTheme` | Theme Runtime | ~3570 |
-| `buildEntityDetail` | Selection & Detail | ~3955 |
-| `buildMetadataSummary` | Selection & Detail | ~4100 |
-| `buildSTIXBundle` | Export (STIX Bundle) | ~5200 |
-| `buildStixFieldFromSpec` | STIX Editor Modal | ~4950 |
-| `buildStixPropertySummary` | STIX Editor Modal | ~5140 |
-| `buildStixReadonlyField` | STIX Editor Modal | ~5020 |
-| `buildStixTextareaField` | STIX Editor Modal | ~5000 |
-| `buildStixTextField` | STIX Editor Modal | ~4980 |
-| `clearAssignments` | Utilities | ~4780 |
-| `closeChangelog` | Modals | ~5738 |
-| `closeCreateCustomModal` | STIX Item Management | ~4650 |
-| `closeDetail` | Selection & Detail | ~4185 |
-| `closeDropdowns` | Dropdown Utils | ~5400 |
-| `closeEntityModal` | Selection & Detail | ~4150 |
-| `closeMetadataEditor` | Metadata Editor | ~5435 |
-| `closeStixEditor` | STIX Editor Modal | ~4920 |
-| `closeUsageGuide` | Modals | ~5715 |
-| `collapseAll` | Utilities | ~4776 |
-| `commitKillChainDescription` | State | ~4100 |
-| `commitKillChainTitle` | State | ~3985 |
-| `commitRenameGroup` | Group Management | ~3155 |
-| `createAssignmentInstanceId` | Metadata Helpers | ~3001 |
-| `createCustomItem` | STIX Item Management | ~4670 |
-| `createDefaultMetadata` | Metadata Helpers | ~2928 |
-| `createGroup` | Group Management | ~3110 |
-| `deleteCustomItem` | STIX Item Management | ~4850 |
-| `detectDomain` | Navigator | ~3518 |
-| `enableLeaveSiteConfirmation` | Initialization | ~5753 |
-| `ensureAssignmentShape` | Import | ~4820 |
-| `ensureLibraryFallbacks` | Import | ~4850 |
-| `ensurePhaseLayout` | Assignment Logic | ~3060 |
-| `esc` | Helper Alias | ~2795 |
-| `escAttr` | Helper Alias | ~2796 |
-| `expandAll` | Utilities | ~4772 |
-| `exportCSV` | Export | ~5350 |
-| `exportJSON` | Export | ~5165 |
-| `exportSTIXBundle` | Export (STIX Bundle) | ~5300 |
-| `extractAssignmentInstance` | Group Management | ~3185 |
-| `filterEntities` | Entity Rendering | ~3800 |
-| `findAssignment` | Assignment Logic | ~3210 |
-| `findEntityPhase` | Selection & Detail | ~4190 |
-| `formatPhaseName` | State | ~3370 |
-| `generateGroupId` | Group Management | ~3100 |
-| `generateStixId` | Type Mapping Constants | ~3610 |
-| `generateUUID` | Type Mapping Constants | ~3600 |
-| `getAllPhaseItemsByType` | Assignment Logic | ~3050 |
-| `getAssignmentId` | Assignment Logic | ~3010 |
-| `getAssignmentInstanceId` | Assignment Logic | ~3030 |
-| `getAssignmentMetadata` | Assignment Logic | ~3020 |
-| `getConfidenceClass` | Metadata Helpers | ~2992 |
-| `getConfidenceLabel` | Metadata Helpers | ~2984 |
-| `getCveEntries` | Metadata Helpers | ~2946 |
-| `getCveList` | Metadata Helpers | ~2960 |
-| `getEntityName` | STIX Editor Modal | ~5110 |
-| `getPhaseGroupedItems` | Assignment Logic | ~3045 |
-| `getPhaseUngroupedItems` | Assignment Logic | ~3040 |
-| `getPreferredThemeMode` | Theme Runtime | ~3548 |
-| `getStixFieldsForType` | stix-config.js | — |
-| `getStixTypeKeys` | stix-config.js | — |
-| `getStixTypeLabel` | stix-config.js | — |
-| `getStixVocabulary` | stix-config.js | — |
-| `getTechniqueName` | Navigator | ~3525 |
-| `handleAssignmentDragStart` | Drag & Drop | ~4310 |
-| `handleDragEnd` | Drag & Drop | ~4225 |
-| `handleDragLeave` | Drag & Drop | ~4238 |
-| `handleDragOver` | Drag & Drop | ~4233 |
-| `handleDragStart` | Drag & Drop | ~4210 |
-| `handleDrop` | Drag & Drop | ~4242 |
-| `handleGroupDragStart` | Drag & Drop | ~4325 |
-| `handleGroupDrop` | Drag & Drop | ~4340 |
-| `importKillChain` | Import | ~5155 |
-| `importNavigator` | Navigator | ~3440 |
-| `importStixBundle` | STIX Item Management | ~4580 |
-| `initAssignments` | State | ~3375 |
-| `initCompactMode` | Compact Mode | ~3720 |
-| `initThemeControls` | Theme Runtime | ~3598 |
-| `isEntityAssigned` | Entity Rendering | ~3920 |
-| `isTextInputElement` | Input Security | ~2799 |
-| `loadData` | Data Loading | ~3380 |
-| `loadNavigator` | Data Loading | ~3397 |
-| `loadVersion` | Version | ~2630 |
-| `migrateAssignment` | Metadata Helpers | ~3003 |
-| `moveGroupBetweenPhases` | Group Management | ~3200 |
-| `normalizeCveMetadata` | Metadata Helpers | ~2964 |
-| `normalizeThemeMode` | Theme Runtime | ~3558 |
-| `normalizeThemeScheme` | Theme Runtime | ~3563 |
-| `openCreateCustomModal` | STIX Item Management | ~4640 |
-| `openEntityExplorer` | Selection & Detail | ~3773 |
-| `openEntityModal` | Selection & Detail | ~4140 |
-| `openMetadataEditor` | Metadata Editor | ~5420 |
-| `openMitigationExplorer` | Selection & Detail | ~3760 |
-| `openStixEditor` | STIX Editor Modal | ~4895 |
-| `populateStixTypeDropdown` | STIX Item Management | ~4610 |
-| `removeAssignment` | Utilities | ~4745 |
-| `removeGroup` | Group Management | ~3170 |
-| `renderAll` | Initialization | ~5750 |
-| `renderEntityTag` | Kill Chain Rendering | ~4558 |
-| `renderKillChain` | Kill Chain Rendering | ~4383 |
-| `renderRelationshipView` | Relationship View | ~4590 |
-| `renderStats` | Stats | ~4720 |
-| `resolveTheme` | config.js | 187 |
-| `sanitizeAssignmentMetadata` | Import | ~5050 |
-| `sanitizeForCsv` | Export (inline) | ~5370 |
-| `sanitizeForStorage` | Input Security | ~2808 |
-| `sanitizeImportedAssignment` | Import | ~4920 |
-| `sanitizeImportedCustomAssignment` | Import | ~5030 |
-| `sanitizeImportedData` | Import | ~5065 |
-| `sanitizeImportedString` | Import | ~4895 |
-| `sanitizeStixBundleObject` | STIX Item Management | ~4590 |
-| `sanitizeUserInputText` | Input Security | ~2801 |
-| `saveMetadata` | Metadata Editor | ~5555 |
-| `saveStixEditor` | STIX Editor Modal | ~4935 |
-| `selectEntity` | Selection & Detail | ~3935 |
-| `selectScore` | Metadata Editor | ~5440 |
-| `setCompactMode` | Compact Mode | ~3690 |
-| `setFilter` | Tab & Filter | ~3795 |
-| `setView` | View Controls | ~3625 |
-| `showChangelog` | Modals | ~5725 |
-| `showDetail` | Selection & Detail | ~4160 |
-| `showToast` | Toast | ~5748 |
-| `showUsageGuide` | Modals | ~5710 |
-| `startRenameGroup` | Group Management | ~3145 |
-| `syncDescriptionToDOM` | State | ~4110 |
-| `syncTitleToDOM` | State | ~3995 |
-| `toggleCustomTypeName` | STIX Item Management | ~4625 |
-| `toggleDescriptionPanel` | State | ~4128 |
-| `toggleDropdown` | Dropdown Utils | ~5395 |
-| `toggleLayer` | Layer Toggle | ~3660 |
-| `togglePhase` | Kill Chain Rendering | ~4500 |
-| `toggleSidebar` | View Controls | ~3640 |
-| `stripAngleBracketsFromJson` | Input Security | 2908 |
-| `switchTab` | Tab & Filter | 3785 |
-| `syncThemeFromStorage` | Theme Runtime | 3610 |
-| `toggleCompactMode` | Compact Mode | 3715 |
-| `toggleDropdown` | Dropdown Utils | 5395 |
-| `toggleGroupCollapse` | Group Management | 3135 |
-| `toggleHideEmpty` | Compact Mode | 3755 |
-| `toggleLayer` | View Controls | 3660 |
-| `togglePhase` | Utilities | 4740 |
-| `toggleSidebar` | View Controls | 3650 |
-| `toggleThemeMode` | Theme Runtime | 3593 |
-| `triggerImportKillChain` | Import | 4815 |
-| `truncateAtBoundary` | Input Security | 2814 |
-| `updateAssignmentMetadata` | Assignment Logic | 3240 |
-| `updateCompactControls` | Compact Mode | 3680 |
-| `updateConfidenceLabel` | Metadata Editor | 5450 |
-| `updateDescriptionCounter` | State | ~4148 |
-| `updateDescriptionHint` | State | ~4135 |
-| `updateHideEmptyControl` | Compact Mode | 3670 |
-| `updateThemeControls` | Theme Runtime | 3588 |
-| `validateKillChainImport` | Import | 4880 |
-| `validateObservable` | Input Security | 2790 |
+```bash
+python3 scripts/generate-function-index.py
+```
 
 ---
 
-*Generated for AttackFlow v2.7.0. This document describes the monolithic implementation as it exists today, including STIX 2.1 support. For the planned v3.0 modular architecture, see [DETACH.md](DETACH.md), [API_DOCS.md](API_DOCS.md), and [tests/TEST_PLAN.md](tests/TEST_PLAN.md).*
+*Generated for AttackFlow v2.9.0 from current workspace sources (`index.html`, `config.js`, `stix-config.js`, `docs/IPC_API-DOCS.md`).*
diff --git a/README.md b/README.md
index 53dc9c1..c07051c 100644
--- a/README.md
+++ b/README.md
@@ -1,10 +1,10 @@
 # ![](favicon.ico) AttackFlow - Kill Chain Editor & Visualizer
 
-An editor for creating enriched Cyber Kill Chain assessments by mapping MITRE ATT&CK, CAPEC, CWE & STIX 2.1 objects to the Unified Kill Chain framework and enriching phase parts with additional data. Visualize and assess complex attack scenarios easily by combining flexible TTPs with atomic IOCs and forensic data.
+An editor for creating enriched Cyber Kill Chain assessments by mapping MITRE ATT&CK, CAPEC, CWE, and STIX 2.1 objects to the Unified Kill Chain framework, and enriching phase entries with additional metadata. Visualize and assess complex attack scenarios by combining flexible TTP mappings with atomic observables, CVE/CVSS context, and STIX intelligence objects.
 
 ### Work in progress 
 
-![Version](https://img.shields.io/badge/version-2.9.0-blue)
+![Version](https://img.shields.io/badge/version-2.9.2-blue)
 [![MITRE ATT&CK® 18](https://img.shields.io/badge/MITRE%20ATT%26CK®-v18-red)](https://attack.mitre.org/versions/v18/)
 ![License](https://img.shields.io/badge/license-Apache%202.0-green)
 ![Dependencies](https://img.shields.io/badge/dependencies-none-brightgreen)
@@ -18,8 +18,8 @@ An editor for creating enriched Cyber Kill Chain assessments by mapping MITRE AT
 - **Offline Operation** 
     - No CDN or remote runtime requests; module dependencies are vendored locally and modules can be disabled.
     - Can be used offline in a browser by opening the `index.html` file. 
-    - Offline module communication is achieved via hardened IPC channels only allowed in `file://` protocol context. Disabled by default in `config.js`. See [Local iframe IPC](#Local-iframe-IPC) for detailed information.
-    - In case the IPC Bridge is disabled or fails to initialise the application falls back to manual import of the `resources` directory
+    - Offline module communication uses a hardened iframe IPC bridge (`MessageChannel`, nonce binding, allowlisted payloads) in `file://` mode. Disabled by default in `config.js`. See [Local iframe IPC](#local-iframe-ipc).
+    - If the IPC bridge is disabled or unavailable, AttackFlow falls back to local resource selection for required JSON datasets.
 - **STIX Visualizer Module** — Modular Visualization of STIX Bundles
     - Visualizer Module can be disabled via `config.js` flag. See [STIX Visualizer Toggle](#STIX-Visualizer-Toggle)
     - For a list of bundled runtime dependencies used by the visualizer see: [STIX Visualizer Dependencies](#Bundled-STIX-Visualizer-Dependencies)
@@ -30,7 +30,7 @@ An editor for creating enriched Cyber Kill Chain assessments by mapping MITRE AT
 - **Unified Kill Chain** — Map entities to IN → THROUGH → OUT phases
 - **Multi-Domain ATT&CK** — 898 techniques across Enterprise, Mobile, and ICS
 - **CAPEC/CWE Integration** — Link attack patterns and weaknesses
-- **STIX 2.1 Objects** — Create and manage all 18 SDO types plus custom objects
+- **STIX 2.1 Objects** — Create and manage all 19 configured SDO types (including `x-custom`)
 
 ### Import & Sharing
 - **Import/Export** — JSON sharing, CSV exports (with mitigation rows), and STIX 2.1 bundle exports (with mitigations and relationships)
@@ -54,7 +54,7 @@ An editor for creating enriched Cyber Kill Chain assessments by mapping MITRE AT
 ![Relations View](/docs/images/relations.png)
 
 ### Relationship Explorer 
-- **Integrated Resource Corpus Explorer** Explore & search the complete corpus of related ATT&CK ↔ CAPEC ↔ CWE ↔ Mitigations patterns
+- **Integrated Resource Corpus Explorer** — Explore and search the complete ATT&CK ↔ CAPEC ↔ CWE ↔ Mitigation corpus
 - **Technique Cross-References** — Item relationships & techniques referenced by ID in descriptions link to the Relationship Explorer
 
 ![Explorer View](/docs/images/explorer.png)
@@ -79,7 +79,13 @@ The Relationship Explorer is a second main view that lets you investigate ATT&CK
 10. Enable compact mode for dense layouts when needed
 11. Export your attack chain as JSON, CSV, or STIX Bundle
 
-## Usecases
+### Quick Start (Local `file://` mode)
+
+1. Optionally enable local iframe IPC via `CONFIG.ConfigIframeIPC.enableLocalIframeIPC = true`.
+2. Open `index.html` directly in a browser.
+3. If prompted, select your local `resources/*.json` files (or the full resources directory) to populate the corpus.
+
+## Use Cases
 
 See the usecases [README](docs/Usecases/README.md) for details.
 
@@ -180,7 +186,7 @@ Please do not hesitate to create an issue / pull request or contact me directly
 
 - **Input Blocking** — Dangerous characters (`` < > [ ] { } " ' ; -- ` ``) blocked at input level
 - **Output Encoding** — All user-supplied values HTML-encoded before rendering
-- **DOM-Safe Rendering** — Uses `textContent` and DOM APIs instead of `innerHTML`
+- **Defensive Rendering** — Dynamic template rendering is output-encoded and sanitized before insertion
 - **Import Validation** — File size, item count, and pattern validation on imports
 - **Sanitized Data** — Source data cleaned of embedded markup during extraction
 - **XXE Protection** — Secure XML parsing with entity expansion disabled
@@ -227,6 +233,10 @@ Configuration in `config.js`:
 
 See [IPC API DOCS](docs/IPC_API-DOCS.md) for concise architecture and threat-model documentation.
 
+For a complete maintainer-oriented function inventory across runtime files, see [Function Index](docs/FUNCTION_INDEX.md).
+
+For the auto-generated declaration inventory, see [Generated Function Index](docs/FUNCTION_INDEX.generated.md).
+
 ### STIX Visualizer Toggle
 
 The integrated STIX visualizer can be fully disabled via config:
@@ -280,8 +290,8 @@ python3 scripts/extract-data.py      # Parse CAPEC/CWE
 - Just drop the files on a webserver, (optionally) set CSP headers and navigate to index.html.
 
 ### For local use (in a browser):
-1. Set `CONFIG.ConfigIframeIPC.enableLocalIframeIPC` to `true` and open the `index.html` file in a web browser.
-2. Upload the `resources/` directory as instructed to populate the framework database and use all application features.
+1. Optionally set `CONFIG.ConfigIframeIPC.enableLocalIframeIPC` to `true` and open `index.html` in a browser.
+2. When prompted in `file://` mode, select local `resources/*.json` files (or the full resources directory) to populate the framework dataset.
 
 ## Contributing & Reporting Issues
 
diff --git a/config.js b/config.js
index fd32371..86e7c4f 100644
--- a/config.js
+++ b/config.js
@@ -7,7 +7,7 @@
 
 const CONFIG = {
     // Application info
-    version: '2.9.0',
+    version: '2.9.2',
     changelogUrl: 'CHANGELOG.md',
     
     // Framework source files (for extraction scripts)
diff --git a/docs/FUNCTION_INDEX.generated.md b/docs/FUNCTION_INDEX.generated.md
new file mode 100644
index 0000000..dd38f17
--- /dev/null
+++ b/docs/FUNCTION_INDEX.generated.md
@@ -0,0 +1,441 @@
+# AttackFlow — Generated Function Index
+
+This file is auto-generated by `scripts/generate-function-index.py`. Do not edit manually.
+
+Generated: 2026-02-28 00:24:47 UTC
+
+## Coverage
+
+- `index.html`: 247 functions
+- `explorer.html`: 63 functions
+- `stix-builder.html`: 94 functions
+- `config.js`: 2 functions
+- `stix-config.js`: 4 functions
+- **Total**: 410 functions
+
+---
+
+## `index.html`
+
+- `L4057` `loadVersion` (async-declaration) — `async function loadVersion() {`
+- `L4200` `esc` (arrow-function) — `const esc = (str) => InputSecurity.escapeHtml(str);`
+- `L4201` `escAttr` (arrow-function) — `const escAttr = (str) => InputSecurity.sanitizeAttr(str);`
+- `L4205` `isTextInputElement` (declaration) — `function isTextInputElement(el) {`
+- `L4209` `normalizeUserInput` (declaration) — `function normalizeUserInput(text, maxLength = 10000, allowNewlines = false) {`
+- `L4219` `sanitizeUserInputText` (declaration) — `function sanitizeUserInputText(text, allowNewlines = false) {`
+- `L4226` `sanitizeForStorage` (declaration) — `function sanitizeForStorage(text, maxLength = 1000) {`
+- `L4233` `truncateAtBoundary` (declaration) — `function truncateAtBoundary(text, maxLen = 500) {`
+- `L4246` `applyInputGuards` (declaration) — `function applyInputGuards() {`
+- `L4344` `isDangerousObjectKey` (declaration) — `function isDangerousObjectKey(key) {`
+- `L4348` `createSafeObject` (declaration) — `function createSafeObject() {`
+- `L4352` `hasOwn` (declaration) — `function hasOwn(obj, key) {`
+- `L4356` `parseJsonSafe` (declaration) — `function parseJsonSafe(text) {`
+- `L4363` `stripAngleBracketsFromJson` (declaration) — `function stripAngleBracketsFromJson(value) {`
+- `L4385` `createDefaultMetadata` (declaration) — `function createDefaultMetadata() {`
+- `L4398` `getCveEntries` (declaration) — `function getCveEntries(metadata) {`
+- `L4400` `pushEntry` (arrow-function) — `const pushEntry = (entry) => {`
+- `L4433` `getCveList` (declaration) — `function getCveList(metadata) {`
+- `L4439` `normalizeCveMetadata` (declaration) — `function normalizeCveMetadata(metadata) {`
+- `L4449` `getConfidenceLabel` (declaration) — `function getConfidenceLabel(value) {`
+- `L4457` `getConfidenceClass` (declaration) — `function getConfidenceClass(value) {`
+- `L4466` `createAssignmentInstanceId` (declaration) — `function createAssignmentInstanceId() {`
+- `L4472` `migrateAssignment` (declaration) — `function migrateAssignment(idOrObj) {`
+- `L4488` `getAssignmentId` (declaration) — `function getAssignmentId(assignment) {`
+- `L4493` `getAssignmentMetadata` (declaration) — `function getAssignmentMetadata(assignment) {`
+- `L4498` `getAssignmentInstanceId` (declaration) — `function getAssignmentInstanceId(assignment) {`
+- `L4562` `generateUUID` (declaration) — `function generateUUID() {`
+- `L4570` `generateStixId` (declaration) — `function generateStixId(stixType) {`
+- `L4579` `uuidv5` (declaration) — `function uuidv5(namespace, name) {`
+- `L4594` `sha1Bytes` (declaration) — `function sha1Bytes(msgBytes) {`
+- `L4625` `mitigationStixId` (declaration) — `function mitigationStixId(mitreId) {`
+- `L4629` `techniqueStixId` (declaration) — `function techniqueStixId(techId) {`
+- `L4633` `getPhaseUngroupedItems` (declaration) — `function getPhaseUngroupedItems(phaseData, type) {`
+- `L4639` `getPhaseGroupedItems` (declaration) — `function getPhaseGroupedItems(phaseData, type) {`
+- `L4644` `getAllPhaseItemsByType` (declaration) — `function getAllPhaseItemsByType(phaseData, type) {`
+- `L4648` `ensurePhaseLayout` (declaration) — `function ensurePhaseLayout(phaseKey, phaseData) {`
+- `L4691` `generateGroupId` (declaration) — `function generateGroupId() {`
+- `L4695` `createGroup` (declaration) — `function createGroup(phaseKey) {`
+- `L4711` `toggleGroupCollapse` (declaration) — `function toggleGroupCollapse(phaseKey, groupId) {`
+- `L4726` `startRenameGroup` (declaration) — `function startRenameGroup(phaseKey, groupId) {`
+- `L4742` `commitRenameGroup` (declaration) — `function commitRenameGroup(phaseKey, groupId, value, cancel = false) {`
+- `L4755` `removeGroup` (declaration) — `function removeGroup(phaseKey, groupId) {`
+- `L4780` `extractAssignmentInstance` (declaration) — `function extractAssignmentInstance(phaseKey, type, instanceId) {`
+- `L4805` `moveGroupBetweenPhases` (declaration) — `function moveGroupBetweenPhases(fromPhase, toPhase, groupId) {`
+- `L4822` `findAssignment` (declaration) — `function findAssignment(phaseKey, entityType, id, instanceId = null) {`
+- `L4847` `updateAssignmentMetadata` (declaration) — `function updateAssignmentMetadata(phaseKey, entityType, id, newMetadata, instanceId = null) {`
+- `L4966` `formatPhaseName` (declaration) — `function formatPhaseName(id) {`
+- `L4971` `initAssignments` (declaration) — `function initAssignments() {`
+- `L4989` `commitKillChainTitle` (declaration) — `function commitKillChainTitle(el) {`
+- `L4997` `syncTitleToDOM` (declaration) — `function syncTitleToDOM() {`
+- `L5003` `commitKillChainDescription` (declaration) — `function commitKillChainDescription(el) {`
+- `L5013` `syncDescriptionToDOM` (declaration) — `function syncDescriptionToDOM() {`
+- `L5023` `toggleDescriptionPanel` (declaration) — `function toggleDescriptionPanel() {`
+- `L5028` `updateDescriptionHint` (declaration) — `function updateDescriptionHint() {`
+- `L5040` `updateDescriptionCounter` (declaration) — `function updateDescriptionCounter() {`
+- `L5067` `isFileProtocolRuntime` (declaration) — `function isFileProtocolRuntime() {`
+- `L5071` `getFileNameFromPath` (declaration) — `function getFileNameFromPath(path) {`
+- `L5077` `cloneJsonData` (declaration) — `function cloneJsonData(data) {`
+- `L5084` `readLocalFileText` (declaration) — `function readLocalFileText(file) {`
+- `L5093` `promptOfflineResourceFiles` (async-declaration) — `async function promptOfflineResourceFiles(requiredFileNames = []) {`
+- `L5108` `cleanup` (arrow-function) — `const cleanup = () => {`
+- `L5154` `fetchJsonResource` (async-declaration) — `async function fetchJsonResource(resourcePath) {`
+- `L5176` `enableOfflineResourceSelectionUI` (declaration) — `function enableOfflineResourceSelectionUI(message) {`
+- `L5214` `hideLoadingOverlay` (declaration) — `function hideLoadingOverlay() {`
+- `L5220` `getSharedDataCache` (declaration) — `function getSharedDataCache() {`
+- `L5231` `isLocalIframeIPCEnabled` (declaration) — `function isLocalIframeIPCEnabled() {`
+- `L5236` `updateLoadingContextInfo` (declaration) — `function updateLoadingContextInfo() {`
+- `L5251` `isLocalIframeIPCTraceEnabled` (declaration) — `function isLocalIframeIPCTraceEnabled() {`
+- `L5308` `logLocalIframeIPCSplash` (declaration) — `function logLocalIframeIPCSplash(context) {`
+- `L5321` `logLocalIframeIPCTrace` (declaration) — `function logLocalIframeIPCTrace(context, message, details) {`
+- `L5330` `getLocalIframeIPCRateLimitConfig` (declaration) — `function getLocalIframeIPCRateLimitConfig() {`
+- `L5348` `getLocalIframeIPCBootstrapConfig` (declaration) — `function getLocalIframeIPCBootstrapConfig() {`
+- `L5376` `isIPCRequestRateAllowed` (declaration) — `function isIPCRequestRateAllowed(frameKey, messageType, transport) {`
+- `L5422` `isPlainObject` (declaration) — `function isPlainObject(value) {`
+- `L5426` `hasOnlyAllowedKeys` (declaration) — `function hasOnlyAllowedKeys(value, allowedKeys, contextLabel) {`
+- `L5441` `deepFreeze` (declaration) — `function deepFreeze(value) {`
+- `L5450` `createLocalIPCNonce` (declaration) — `function createLocalIPCNonce() {`
+- `L5455` `randomPart` (arrow-function) — `const randomPart = (() => {`
+- `L5474` `isKnownIPCSourceWindow` (declaration) — `function isKnownIPCSourceWindow(sourceWindow) {`
+- `L5481` `getIPCFrameState` (declaration) — `function getIPCFrameState(frameKey) {`
+- `L5485` `clearIPCFrameBootstrapTimer` (declaration) — `function clearIPCFrameBootstrapTimer(frameState) {`
+- `L5491` `clearIPCFrameChannel` (declaration) — `function clearIPCFrameChannel(frameKey, options = {}) {`
+- `L5513` `scheduleIPCChannelBootstrapRetry` (declaration) — `function scheduleIPCChannelBootstrapRetry(frameKey, reason) {`
+- `L5548` `sendIPCMessageViaChannel` (declaration) — `function sendIPCMessageViaChannel(frameKey, message) {`
+- `L5561` `setupIPCChannelForFrame` (declaration) — `function setupIPCChannelForFrame(frameKey, options = {}) {`
+- `L5687` `buildImmutableSharedDataPayload` (declaration) — `function buildImmutableSharedDataPayload(rawData) {`
+- `L5710` `validateSharedDatasetShape` (declaration) — `function validateSharedDatasetShape(rawData) {`
+- `L5727` `estimateJsonByteSize` (declaration) — `function estimateJsonByteSize(value) {`
+- `L5741` `enforceSharedDatasetLimits` (declaration) — `function enforceSharedDatasetLimits(rawData) {`
+- `L5785` `getExplorerFrameEl` (declaration) — `function getExplorerFrameEl() {`
+- `L5789` `getStixBuilderFrameEl` (declaration) — `function getStixBuilderFrameEl() {`
+- `L5793` `broadcastSharedDataToExplorer` (declaration) — `function broadcastSharedDataToExplorer() {`
+- `L5818` `broadcastThemeToEmbeddedViews` (declaration) — `function broadcastThemeToEmbeddedViews() {`
+- `L5838` `initEmbeddedMessageBridge` (declaration) — `function initEmbeddedMessageBridge() {`
+- `L5877` `loadSharedLibraryData` (async-declaration) — `async function loadSharedLibraryData(forceReload = false) {`
+- `L5946` `loadData` (async-declaration) — `async function loadData() {`
+- `L5995` `loadNavigator` (async-declaration) — `async function loadNavigator(domain) {`
+- `L6033` `ensureBaseTechniquesLoaded` (async-declaration) — `async function ensureBaseTechniquesLoaded() {`
+- `L6042` `parseTechniqueIdInput` (declaration) — `function parseTechniqueIdInput(raw) {`
+- `L6058` `applyTechniqueList` (async-declaration) — `async function applyTechniqueList(ids) {`
+- `L6075` `openCsvImportModal` (declaration) — `function openCsvImportModal() {`
+- `L6083` `closeCsvImportModal` (declaration) — `function closeCsvImportModal(event) {`
+- `L6088` `submitCsvImport` (async-declaration) — `async function submitCsvImport() {`
+- `L6111` `resetAttackTechniques` (async-declaration) — `async function resetAttackTechniques() {`
+- `L6123` `importNavigator` (declaration) — `function importNavigator(event) {`
+- `L6200` `detectDomain` (declaration) — `function detectDomain(techId) {`
+- `L6208` `getTechniqueName` (declaration) — `function getTechniqueName(techId) {`
+- `L6231` `getPreferredThemeMode` (declaration) — `function getPreferredThemeMode() {`
+- `L6241` `normalizeThemeMode` (declaration) — `function normalizeThemeMode(mode) {`
+- `L6245` `normalizeThemeScheme` (declaration) — `function normalizeThemeScheme(mode, scheme) {`
+- `L6253` `applyTheme` (declaration) — `function applyTheme(mode, scheme, persist = true) {`
+- `L6275` `updateThemeControls` (declaration) — `function updateThemeControls() {`
+- `L6284` `toggleThemeMode` (declaration) — `function toggleThemeMode() {`
+- `L6290` `initThemeControls` (declaration) — `function initThemeControls() {`
+- `L6302` `syncThemeFromStorage` (declaration) — `function syncThemeFromStorage() {`
+- `L6316` `isStixBuilderEnabled` (declaration) — `function isStixBuilderEnabled() {`
+- `L6320` `setView` (declaration) — `function setView(view) {`
+- `L6374` `applyNavigationConfig` (declaration) — `function applyNavigationConfig() {`
+- `L6399` `toggleSidebar` (declaration) — `function toggleSidebar() {`
+- `L6406` `toggleLayer` (declaration) — `function toggleLayer(layer) {`
+- `L6414` `updateHideEmptyControl` (declaration) — `function updateHideEmptyControl() {`
+- `L6421` `updateCompactControls` (declaration) — `function updateCompactControls() {`
+- `L6428` `setCompactMode` (declaration) — `function setCompactMode(enabled, persist = true) {`
+- `L6457` `toggleCompactMode` (declaration) — `function toggleCompactMode() {`
+- `L6461` `updateCommentsControls` (declaration) — `function updateCommentsControls() {`
+- `L6468` `toggleItemComment` (declaration) — `function toggleItemComment(el) {`
+- `L6474` `toggleAllComments` (declaration) — `function toggleAllComments() {`
+- `L6487` `initCompactMode` (declaration) — `function initCompactMode() {`
+- `L6505` `applyCompactLayout` (declaration) — `function applyCompactLayout() {`
+- `L6520` `toggleHideEmpty` (declaration) — `function toggleHideEmpty() {`
+- `L6530` `openMitigationExplorer` (declaration) — `function openMitigationExplorer(mitigationId) {`
+- `L6546` `openEntityExplorer` (declaration) — `function openEntityExplorer(type, id) {`
+- `L6560` `switchTab` (declaration) — `function switchTab(tab) {`
+- `L6568` `setFilter` (declaration) — `function setFilter(type, filter) {`
+- `L6576` `setGlobalSearch` (declaration) — `function setGlobalSearch(value) {`
+- `L6587` `openGlobalSearch` (declaration) — `function openGlobalSearch() {`
+- `L6593` `closeGlobalSearch` (declaration) — `function closeGlobalSearch(force = false) {`
+- `L6602` `toggleGlobalSearchExpanded` (declaration) — `function toggleGlobalSearchExpanded(event) {`
+- `L6617` `setGlobalSearchSticky` (declaration) — `function setGlobalSearchSticky(enabled) {`
+- `L6622` `updateGlobalSearchUI` (declaration) — `function updateGlobalSearchUI() {`
+- `L6638` `initGlobalSearch` (declaration) — `function initGlobalSearch() {`
+- `L6659` `rankGlobalEntity` (declaration) — `function rankGlobalEntity(entity, type, term, tokens) {`
+- `L6693` `buildGlobalSearchResults` (declaration) — `function buildGlobalSearchResults(term) {`
+- `L6715` `renderGlobalSearchResults` (declaration) — `function renderGlobalSearchResults() {`
+- `L6751` `openGlobalSearchResult` (declaration) — `function openGlobalSearchResult(type, id) {`
+- `L6760` `matchesGlobalSearch` (declaration) — `function matchesGlobalSearch(entity, type, term) {`
+- `L6771` `parseCommaIdList` (declaration) — `function parseCommaIdList(raw, pattern, prefix = '') {`
+- `L6794` `filterEntities` (declaration) — `function filterEntities(type) {`
+- `L6946` `isEntityAssigned` (declaration) — `function isEntityAssigned(type, id) {`
+- `L6968` `importStixBundle` (declaration) — `function importStixBundle(event) {`
+- `L7088` `clearStixLibrary` (declaration) — `function clearStixLibrary() {`
+- `L7114` `sanitizeStixBundleObject` (declaration) — `function sanitizeStixBundleObject(obj, stixType, stixId) {`
+- `L7185` `populateStixTypeDropdown` (declaration) — `function populateStixTypeDropdown() {`
+- `L7206` `toggleCustomTypeName` (declaration) — `function toggleCustomTypeName() {`
+- `L7212` `openCreateCustomModal` (declaration) — `function openCreateCustomModal() {`
+- `L7223` `closeCreateCustomModal` (declaration) — `function closeCreateCustomModal(event) {`
+- `L7228` `createCustomItem` (declaration) — `function createCustomItem() {`
+- `L7291` `deleteCustomItem` (declaration) — `function deleteCustomItem(id) {`
+- `L7317` `openStixEditor` (declaration) — `function openStixEditor(id, phaseKey, instanceId) {`
+- `L7378` `closeStixEditor` (declaration) — `function closeStixEditor(event) {`
+- `L7384` `saveStixEditor` (declaration) — `function saveStixEditor() {`
+- `L7451` `buildStixReadonlyField` (declaration) — `function buildStixReadonlyField(label, value) {`
+- `L7458` `buildStixTextField` (declaration) — `function buildStixTextField(id, label, value, required, maxLen, placeholder) {`
+- `L7466` `buildStixTextareaField` (declaration) — `function buildStixTextareaField(id, label, value, required, maxLen, placeholder) {`
+- `L7474` `buildStixFieldFromSpec` (declaration) — `function buildStixFieldFromSpec(field, item, required) {`
+- `L7580` `getEntityName` (declaration) — `function getEntityName(type, id) {`
+- `L7598` `renderDescriptionWithBadges` (declaration) — `function renderDescriptionWithBadges(escapedText) {`
+- `L7611` `selectEntity` (declaration) — `function selectEntity(type, id) {`
+- `L7621` `isSafeHttpUrl` (declaration) — `function isSafeHttpUrl(url) {`
+- `L7634` `isValidEntityId` (declaration) — `function isValidEntityId(type, id) {`
+- `L7647` `buildEntityDetail` (declaration) — `function buildEntityDetail(type, id) {`
+- `L7862` `buildStixPropertySummary` (declaration) — `function buildStixPropertySummary(id) {`
+- `L7903` `buildMetadataSummary` (declaration) — `function buildMetadataSummary(type, id, phaseKey, instanceId) {`
+- `L7972` `openEntityModal` (declaration) — `function openEntityModal(type, id, phaseKey, instanceId) {`
+- `L7990` `closeEntityModal` (declaration) — `function closeEntityModal(event) {`
+- `L7995` `showDetail` (declaration) — `function showDetail(type, id) {`
+- `L8012` `closeDetail` (declaration) — `function closeDetail() {`
+- `L8018` `findEntityPhase` (declaration) — `function findEntityPhase(type, id) {`
+- `L8031` `handleDragStart` (declaration) — `function handleDragStart(event, type, id) {`
+- `L8043` `handleDragEnd` (declaration) — `function handleDragEnd(event) {`
+- `L8053` `handleDragOver` (declaration) — `function handleDragOver(event) {`
+- `L8059` `handleDragLeave` (declaration) — `function handleDragLeave(event) {`
+- `L8063` `handleDrop` (declaration) — `function handleDrop(event, phaseKey) {`
+- `L8116` `handleAssignmentDragStart` (declaration) — `function handleAssignmentDragStart(event, type, id, phaseKey, instanceId, sourceGroupId) {`
+- `L8127` `handleGroupDragStart` (declaration) — `function handleGroupDragStart(event, phaseKey, groupId) {`
+- `L8138` `handleGroupDrop` (declaration) — `function handleGroupDrop(event, phaseKey, groupId) {`
+- `L8178` `renderKillChain` (declaration) — `function renderKillChain() {`
+- `L8309` `renderEntityTag` (declaration) — `function renderEntityTag(type, id, name, metadata, phaseKey, instanceId, sourceGroupId = null) {`
+- `L8450` `getRelationshipChainId` (declaration) — `function getRelationshipChainId(chain) {`
+- `L8457` `renderRelationshipView` (declaration) — `function renderRelationshipView() {`
+- `L8463` `collectMitigations` (arrow-function) — `const collectMitigations = (techIds) => {`
+- `L8605` `expandRelationshipMitigations` (declaration) — `function expandRelationshipMitigations(chainId) {`
+- `L8619` `getAverageScoreLabel` (declaration) — `function getAverageScoreLabel(avg) {`
+- `L8627` `buildPhaseDetails` (declaration) — `function buildPhaseDetails(phaseKey) {`
+- `L8639` `collectItems` (arrow-function) — `const collectItems = (type) => getAllPhaseItemsByType(phaseData, type).map((assignment) => {`
+- `L8663` `getPhaseItemRelationships` (declaration) — `function getPhaseItemRelationships(type, id) {`
+- `L8696` `getPhaseAverages` (declaration) — `function getPhaseAverages(itemsByType) {`
+- `L8726` `buildPhaseCveEntries` (declaration) — `function buildPhaseCveEntries(itemsByType) {`
+- `L8743` `buildPhaseMitigations` (declaration) — `function buildPhaseMitigations(itemsByType) {`
+- `L8779` `renderPhaseMitigationSection` (declaration) — `function renderPhaseMitigationSection(itemsByType) {`
+- `L8819` `renderPhaseCveSection` (declaration) — `function renderPhaseCveSection(itemsByType) {`
+- `L8851` `renderPhaseDetailsSection` (declaration) — `function renderPhaseDetailsSection(title, items, phaseKey) {`
+- `L8878` `addRelation` (arrow-function) — `const addRelation = (label, values) => {`
+- `L8891` `encodeInlineJsArg` (arrow-function) — `const encodeInlineJsArg = (value) => InputSecurity.encodeHtmlEntities(JSON.stringify(String(value ?? '')));`
+- `L8920` `openPhaseDetails` (declaration) — `function openPhaseDetails(phaseKey) {`
+- `L8958` `closePhaseDetails` (declaration) — `function closePhaseDetails(event) {`
+- `L8963` `renderStats` (declaration) — `function renderStats() {`
+- `L8991` `togglePhase` (declaration) — `function togglePhase(header) {`
+- `L8995` `removeAssignment` (declaration) — `function removeAssignment(type, id, phaseKey, instanceId) {`
+- `L9035` `expandAll` (declaration) — `function expandAll() {`
+- `L9039` `collapseAll` (declaration) — `function collapseAll() {`
+- `L9043` `clearAssignments` (declaration) — `function clearAssignments() {`
+- `L9054` `exportJSON` (declaration) — `function exportJSON() {`
+- `L9089` `buildSTIXBundle` (declaration) — `function buildSTIXBundle() {`
+- `L9239` `addRelationship` (declaration) — `function addRelationship(objects, seen, sourceId, targetId, phaseKey, timestamp) {`
+- `L9264` `exportSTIXBundle` (declaration) — `function exportSTIXBundle() {`
+- `L9285` `triggerImportKillChain` (declaration) — `function triggerImportKillChain() {`
+- `L9290` `ensureAssignmentShape` (declaration) — `function ensureAssignmentShape(assignments) {`
+- `L9319` `ensureLibraryFallbacks` (declaration) — `function ensureLibraryFallbacks(assignments) {`
+- `L9374` `validateKillChainImport` (declaration) — `function validateKillChainImport(data) {`
+- `L9427` `sanitizeImportedString` (declaration) — `function sanitizeImportedString(str, maxLength = KILLCHAIN_IMPORT_LIMITS.maxStringLength) {`
+- `L9440` `sanitizeImportedAssignment` (declaration) — `function sanitizeImportedAssignment(assignment) {`
+- `L9458` `sanitizeImportedCustomAssignment` (declaration) — `function sanitizeImportedCustomAssignment(assignment) {`
+- `L9477` `sanitizeAssignmentMetadata` (declaration) — `function sanitizeAssignmentMetadata(assignment) {`
+- `L9595` `sanitizeImportedData` (declaration) — `function sanitizeImportedData(data) {`
+- `L9760` `importKillChain` (declaration) — `function importKillChain(event) {`
+- `L9846` `exportCSV` (declaration) — `function exportCSV() {`
+- `L9899` `formatConfidence` (arrow-function) — `const formatConfidence = (meta) => {`
+- `L9904` `formatCveList` (arrow-function) — `const formatCveList = (meta) => {`
+- `L10027` `sanitizeForCsv` (arrow-function) — `const sanitizeForCsv = (value) => {`
+- `L10061` `toggleDropdown` (declaration) — `function toggleDropdown(id) {`
+- `L10070` `closeDropdowns` (declaration) — `function closeDropdowns() {`
+- `L10096` `openMetadataEditor` (declaration) — `function openMetadataEditor(type, id, phaseKey, instanceId) {`
+- `L10149` `closeMetadataEditor` (declaration) — `function closeMetadataEditor(event) {`
+- `L10155` `selectScore` (declaration) — `function selectScore(value) {`
+- `L10161` `updateConfidenceLabel` (declaration) — `function updateConfidenceLabel(value) {`
+- `L10169` `addCveRow` (declaration) — `function addCveRow(id = '', score = '', vector = '') {`
+- `L10204` `addHyperlinkRow` (declaration) — `function addHyperlinkRow(label = '', url = '') {`
+- `L10231` `addObservableRow` (declaration) — `function addObservableRow(type = 'ipv4-addr', value = '') {`
+- `L10262` `saveMetadata` (declaration) — `function saveMetadata() {`
+- `L10403` `showUsageGuide` (declaration) — `function showUsageGuide() {`
+- `L10407` `closeUsageGuide` (declaration) — `function closeUsageGuide(event) {`
+- `L10416` `showChangelog` (async-declaration) — `async function showChangelog() {`
+- `L10434` `closeChangelog` (declaration) — `function closeChangelog(event) {`
+- `L10449` `showToast` (declaration) — `function showToast(message) {`
+- `L10456` `renderAll` (declaration) — `function renderAll() {`
+- `L10469` `enableLeaveSiteConfirmation` (declaration) — `function enableLeaveSiteConfirmation() {`
+
+## `explorer.html`
+
+- `L499` `getPreferredThemeMode` (declaration) — `function getPreferredThemeMode() {`
+- `L509` `normalizeThemeMode` (declaration) — `function normalizeThemeMode(mode) {`
+- `L513` `normalizeThemeScheme` (declaration) — `function normalizeThemeScheme(mode, scheme) {`
+- `L521` `applyTheme` (declaration) — `function applyTheme(mode, scheme, persist = true) {`
+- `L542` `updateThemeControls` (declaration) — `function updateThemeControls() {`
+- `L551` `toggleThemeMode` (declaration) — `function toggleThemeMode() {`
+- `L557` `initThemeControls` (declaration) — `function initThemeControls() {`
+- `L569` `syncThemeFromStorage` (declaration) — `function syncThemeFromStorage() {`
+- `L583` `isLocalIframeIPCEnabled` (declaration) — `function isLocalIframeIPCEnabled() {`
+- `L588` `isLocalIframeIPCTraceEnabled` (declaration) — `function isLocalIframeIPCTraceEnabled() {`
+- `L613` `logLocalIframeIPCSplash` (declaration) — `function logLocalIframeIPCSplash(context) {`
+- `L625` `logLocalIframeIPCTrace` (declaration) — `function logLocalIframeIPCTrace(context, message, details) {`
+- `L634` `isPlainObject` (declaration) — `function isPlainObject(value) {`
+- `L638` `hasOnlyAllowedKeys` (declaration) — `function hasOnlyAllowedKeys(value, allowedKeys, contextLabel) {`
+- `L653` `deepFreeze` (declaration) — `function deepFreeze(value) {`
+- `L669` `hasActiveParentIPCChannel` (declaration) — `function hasActiveParentIPCChannel() {`
+- `L673` `setParentIPCChannel` (declaration) — `function setParentIPCChannel(port, nonce) {`
+- `L686` `clearParentIPCWaitTimer` (declaration) — `function clearParentIPCWaitTimer() {`
+- `L692` `getLocalIframeIPCBootstrapConfig` (declaration) — `function getLocalIframeIPCBootstrapConfig() {`
+- `L724` `estimateBootstrapFailureWindowMs` (declaration) — `function estimateBootstrapFailureWindowMs() {`
+- `L735` `scheduleParentIPCBootstrapFailureWatch` (declaration) — `function scheduleParentIPCBootstrapFailureWatch() {`
+- `L755` `sendParentIPCRequest` (declaration) — `function sendParentIPCRequest(type) {`
+- `L769` `validateAndFreezeSharedDataPayload` (declaration) — `function validateAndFreezeSharedDataPayload(rawData) {`
+- `L789` `requestParentBridgeData` (declaration) — `function requestParentBridgeData() {`
+- `L804` `initParentBridgeHandlers` (declaration) — `function initParentBridgeHandlers() {`
+- `L811` `handleChannelMessage` (arrow-function) — `const handleChannelMessage = (event) => {`
+- `L920` `isFileProtocolRuntime` (declaration) — `function isFileProtocolRuntime() {`
+- `L924` `cloneJsonData` (declaration) — `function cloneJsonData(data) {`
+- `L931` `parseJsonSafe` (declaration) — `function parseJsonSafe(text) {`
+- `L938` `readLocalFileText` (declaration) — `function readLocalFileText(file) {`
+- `L947` `promptOfflineResourceFiles` (async-declaration) — `async function promptOfflineResourceFiles(requiredFileNames = OFFLINE_RESOURCE_FILES) {`
+- `L962` `cleanup` (arrow-function) — `const cleanup = () => {`
+- `L1001` `enableOfflineSelectionUI` (declaration) — `function enableOfflineSelectionUI() {`
+- `L1031` `setStatus` (declaration) — `function setStatus(text) {`
+- `L1035` `normalize` (declaration) — `function normalize(text) {`
+- `L1047` `escapeHtml` (declaration) — `function escapeHtml(str) {`
+- `L1053` `escapeAttr` (declaration) — `function escapeAttr(str) {`
+- `L1058` `isSafeHttpUrl` (declaration) — `function isSafeHttpUrl(url) {`
+- `L1076` `renderDescriptionWithBadges` (declaration) — `function renderDescriptionWithBadges(escapedText) {`
+- `L1090` `unique` (declaration) — `function unique(arr) {`
+- `L1094` `buildSearchIndex` (declaration) — `function buildSearchIndex() {`
+- `L1139` `getBadgeClass` (declaration) — `function getBadgeClass(type) {`
+- `L1143` `renderSuggestions` (declaration) — `function renderSuggestions(query) {`
+- `L1192` `buildIndices` (declaration) — `function buildIndices() {`
+- `L1242` `createTabs` (declaration) — `function createTabs() {`
+- `L1258` `renderTabs` (declaration) — `function renderTabs() {`
+- `L1262` `renderList` (declaration) — `function renderList() {`
+- `L1307` `selectEntity` (declaration) — `function selectEntity(type, id) {`
+- `L1314` `getMitreTechniqueUrl` (declaration) — `function getMitreTechniqueUrl(tech) {`
+- `L1324` `getCapecUrl` (declaration) — `function getCapecUrl(id) {`
+- `L1330` `getCweUrl` (declaration) — `function getCweUrl(id) {`
+- `L1336` `getMitigationUrl` (declaration) — `function getMitigationUrl(id) {`
+- `L1341` `buildRelatedForAttack` (declaration) — `function buildRelatedForAttack(techId) {`
+- `L1348` `buildRelatedForCapec` (declaration) — `function buildRelatedForCapec(capecId) {`
+- `L1356` `buildRelatedForCwe` (declaration) — `function buildRelatedForCwe(cweId) {`
+- `L1363` `buildRelatedForMitigation` (declaration) — `function buildRelatedForMitigation(mitId) {`
+- `L1370` `renderGraphColumn` (declaration) — `function renderGraphColumn(title, items, type) {`
+- `L1412` `renderGraph` (declaration) — `function renderGraph() {`
+- `L1447` `renderDetails` (declaration) — `function renderDetails() {`
+- `L1603` `initEvents` (declaration) — `function initEvents() {`
+- `L1641` `getParentSharedDataLoader` (declaration) — `function getParentSharedDataLoader() {`
+- `L1647` `enableLeaveSiteConfirmation` (declaration) — `function enableLeaveSiteConfirmation() {`
+- `L1655` `loadData` (async-declaration) — `async function loadData() {`
+
+## `stix-builder.html`
+
+- `L931` `esc` (arrow-function) — `const esc = (str) => InputSecurity.escapeHtml(str);`
+- `L932` `escAttr` (arrow-function) — `const escAttr = (str) => InputSecurity.sanitizeAttr(str);`
+- `L936` `showToast` (declaration) — `function showToast(message) {`
+- `L943` `getPreferredThemeMode` (declaration) — `function getPreferredThemeMode() {`
+- `L951` `normalizeThemeMode` (declaration) — `function normalizeThemeMode(mode) {`
+- `L955` `normalizeThemeScheme` (declaration) — `function normalizeThemeScheme(mode, scheme) {`
+- `L963` `applyTheme` (declaration) — `function applyTheme(mode, scheme, persist = true) {`
+- `L979` `updateThemeControls` (declaration) — `function updateThemeControls() {`
+- `L988` `toggleThemeMode` (declaration) — `function toggleThemeMode() {`
+- `L994` `initThemeControls` (declaration) — `function initThemeControls() {`
+- `L1001` `syncThemeFromStorage` (declaration) — `function syncThemeFromStorage() {`
+- `L1010` `isLocalIframeIPCEnabled` (declaration) — `function isLocalIframeIPCEnabled() {`
+- `L1015` `isLocalIframeIPCTraceEnabled` (declaration) — `function isLocalIframeIPCTraceEnabled() {`
+- `L1034` `logLocalIframeIPCSplash` (declaration) — `function logLocalIframeIPCSplash(context) {`
+- `L1046` `logLocalIframeIPCTrace` (declaration) — `function logLocalIframeIPCTrace(context, message, details) {`
+- `L1055` `isPlainObject` (declaration) — `function isPlainObject(value) {`
+- `L1059` `hasOnlyAllowedKeys` (declaration) — `function hasOnlyAllowedKeys(value, allowedKeys, contextLabel) {`
+- `L1080` `hasActiveParentIPCChannel` (declaration) — `function hasActiveParentIPCChannel() {`
+- `L1084` `setParentIPCChannel` (declaration) — `function setParentIPCChannel(port, nonce) {`
+- `L1097` `clearParentIPCWaitTimer` (declaration) — `function clearParentIPCWaitTimer() {`
+- `L1103` `getLocalIframeIPCBootstrapConfig` (declaration) — `function getLocalIframeIPCBootstrapConfig() {`
+- `L1135` `estimateBootstrapFailureWindowMs` (declaration) — `function estimateBootstrapFailureWindowMs() {`
+- `L1146` `scheduleParentIPCBootstrapFailureWatch` (declaration) — `function scheduleParentIPCBootstrapFailureWatch() {`
+- `L1159` `requestParentTheme` (declaration) — `function requestParentTheme() {`
+- `L1178` `initParentThemeBridge` (declaration) — `function initParentThemeBridge() {`
+- `L1185` `handleChannelMessage` (arrow-function) — `const handleChannelMessage = (event) => {`
+- `L1248` `generateUUID` (declaration) — `function generateUUID() {`
+- `L1258` `isDangerousObjectKey` (declaration) — `function isDangerousObjectKey(key) {`
+- `L1262` `createSafeObject` (declaration) — `function createSafeObject() {`
+- `L1266` `hasOwn` (declaration) — `function hasOwn(obj, key) {`
+- `L1270` `parseJsonSafe` (declaration) — `function parseJsonSafe(text) {`
+- `L1277` `stripAngleBracketsFromJson` (declaration) — `function stripAngleBracketsFromJson(obj) {`
+- `L1291` `sanitizeUserInputText` (declaration) — `function sanitizeUserInputText(text) {`
+- `L1297` `sanitizeImportedString` (declaration) — `function sanitizeImportedString(str, maxLength = INPUT_LIMITS.maxStringLength) {`
+- `L1308` `applyInputGuards` (declaration) — `function applyInputGuards() {`
+- `L1334` `isTextInputElement` (declaration) — `function isTextInputElement(el) {`
+- `L1338` `isSafeHttpUrl` (declaration) — `function isSafeHttpUrl(url) {`
+- `L1425` `getObjectCategory` (declaration) — `function getObjectCategory(type) {`
+- `L1430` `getObjectDisplayName` (declaration) — `function getObjectDisplayName(obj) {`
+- `L1434` `buildAddTypeOptions` (declaration) — `function buildAddTypeOptions() {`
+- `L1446` `setActiveTab` (declaration) — `function setActiveTab(tabKey) {`
+- `L1452` `renderTabs` (declaration) — `function renderTabs() {`
+- `L1464` `renderObjectList` (declaration) — `function renderObjectList() {`
+- `L1511` `selectObject` (declaration) — `function selectObject(id) {`
+- `L1520` `getActiveObject` (declaration) — `function getActiveObject() {`
+- `L1524` `createDefaultObject` (declaration) — `function createDefaultObject(type) {`
+- `L1545` `getDefaultForField` (declaration) — `function getDefaultForField(field) {`
+- `L1569` `addObject` (declaration) — `function addObject(type) {`
+- `L1587` `deleteActiveObject` (declaration) — `function deleteActiveObject() {`
+- `L1599` `renderEditor` (declaration) — `function renderEditor() {`
+- `L1630` `setCenterMode` (declaration) — `function setCenterMode(mode) {`
+- `L1641` `renderCenterMode` (declaration) — `function renderCenterMode() {`
+- `L1666` `isRequiredField` (declaration) — `function isRequiredField(field, def, isCommon) {`
+- `L1671` `renderField` (declaration) — `function renderField(obj, field, required) {`
+- `L1686` `renderFieldInput` (declaration) — `function renderFieldInput(obj, field, value) {`
+- `L1735` `renderEnumField` (declaration) — `function renderEnumField(field, key, value) {`
+- `L1745` `renderOpenVocabField` (declaration) — `function renderOpenVocabField(field, key, value) {`
+- `L1756` `renderListField` (declaration) — `function renderListField(field, key, values) {`
+- `L1780` `renderObjectRefsField` (declaration) — `function renderObjectRefsField(field, key, values) {`
+- `L1800` `renderKillChainField` (declaration) — `function renderKillChainField(key, values) {`
+- `L1826` `renderExternalReferencesField` (declaration) — `function renderExternalReferencesField(key, values) {`
+- `L1847` `renderReferenceHashesField` (declaration) — `function renderReferenceHashesField(refKey, index, hashes) {`
+- `L1867` `renderGranularMarkingsField` (declaration) — `function renderGranularMarkingsField(key, values) {`
+- `L1890` `renderDictionaryField` (declaration) — `function renderDictionaryField(key, values, prefix = 'dict', meta = {}) {`
+- `L1909` `renderHashesField` (declaration) — `function renderHashesField(key, values, inline, prefix = 'hash') {`
+- `L1929` `renderExtensionsField` (declaration) — `function renderExtensionsField(key, values) {`
+- `L1948` `renderMarkingDefinitionField` (declaration) — `function renderMarkingDefinitionField(obj, key, value) {`
+- `L1965` `updateBundlePreview` (declaration) — `function updateBundlePreview() {`
+- `L1969` `renderBundleSummary` (declaration) — `function renderBundleSummary() {`
+- `L1978` `renderBundlePreview` (declaration) — `function renderBundlePreview() {`
+- `L1984` `setVisualizerButtonState` (declaration) — `function setVisualizerButtonState() {`
+- `L1991` `updateStatus` (declaration) — `function updateStatus(ok, message) {`
+- `L2006` `openBundleIssues` (declaration) — `function openBundleIssues() {`
+- `L2033` `closeBundleIssues` (declaration) — `function closeBundleIssues(event) {`
+- `L2038` `clearBundle` (declaration) — `function clearBundle() {`
+- `L2064` `sanitizeDictionary` (declaration) — `function sanitizeDictionary(raw, maxItems = INPUT_LIMITS.maxListItems) {`
+- `L2076` `sanitizeExtensions` (declaration) — `function sanitizeExtensions(raw, maxItems = INPUT_LIMITS.maxListItems) {`
+- `L2088` `sanitizeImportedFieldValue` (declaration) — `function sanitizeImportedFieldValue(field, raw) {`
+- `L2147` `sanitizeImportedObject` (declaration) — `function sanitizeImportedObject(obj) {`
+- `L2181` `sanitizeBundleForVisualizer` (declaration) — `function sanitizeBundleForVisualizer(bundle) {`
+- `L2196` `renderVisualizer` (declaration) — `function renderVisualizer() {`
+- `L2230` `validateBundle` (declaration) — `function validateBundle() {`
+- `L2275` `hasValue` (declaration) — `function hasValue(value, type) {`
+- `L2283` `validateObjectFields` (declaration) — `function validateObjectFields(obj, def, issues) {`
+- `L2354` `sanitizeValue` (declaration) — `function sanitizeValue(value) {`
+- `L2359` `handleEditorInput` (declaration) — `function handleEditorInput(event) {`
+- `L2477` `collectDictionary` (declaration) — `function collectDictionary(fieldKey, prefix) {`
+- `L2489` `collectExtensions` (declaration) — `function collectExtensions(fieldKey) {`
+- `L2501` `handleEditorClick` (declaration) — `function handleEditorClick(event) {`
+- `L2682` `exportBundle` (declaration) — `function exportBundle() {`
+- `L2696` `importBundle` (declaration) — `function importBundle(file) {`
+- `L2749` `copyActiveJson` (declaration) — `function copyActiveJson() {`
+- `L2756` `initEvents` (declaration) — `function initEvents() {`
+- `L2797` `enableLeaveSiteConfirmation` (declaration) — `function enableLeaveSiteConfirmation() {`
+
+## `config.js`
+
+- `L233` `resolveTheme` (declaration) — `function resolveTheme(mode = CONFIG.themeDefaults?.mode, scheme = CONFIG.themeDefaults?.scheme) {`
+- `L246` `applyConfigColors` (declaration) — `function applyConfigColors(theme) {`
+
+## `stix-config.js`
+
+- `L548` `getStixFieldsForType` (declaration) — `function getStixFieldsForType(stixType) {`
+- `L558` `getStixTypeKeys` (declaration) — `function getStixTypeKeys() {`
+- `L563` `getStixTypeLabel` (declaration) — `function getStixTypeLabel(stixType) {`
+- `L568` `getStixVocabulary` (declaration) — `function getStixVocabulary(vocabKey) {`
diff --git a/docs/FUNCTION_INDEX.md b/docs/FUNCTION_INDEX.md
new file mode 100644
index 0000000..1c385cb
--- /dev/null
+++ b/docs/FUNCTION_INDEX.md
@@ -0,0 +1,531 @@
+# AttackFlow — Function Index (Maintainer-Oriented)
+
+## Purpose
+
+This index is designed for fast onboarding by maintainers:
+
+- Comprehensive function inventory across primary runtime files.
+- Organized by file + subsystem
+
+---
+
+## Scope
+
+Indexed files:
+
+- `index.html`
+- `explorer.html`
+- `stix-builder.html`
+- `config.js`
+- `stix-config.js`
+
+Out of scope for this index:
+
+- Generated data in `resources/`
+- Legacy snapshots in `old/`
+- Python extraction scripts
+
+---
+
+## Fast Navigation Playbook
+
+When implementing changes, use this order:
+
+1. Read subsystem summary in `DOCUMENTATION.md`.
+2. Jump to the relevant file section in this index.
+3. Use function families (security, import/export, render, IPC) to scope edits.
+4. Validate side effects (`renderAll()`, `renderKillChain()`, cache/IPC broadcasts) before finalizing.
+
+---
+
+## Maintenance Model (Low Rewrite Overhead)
+
+This index intentionally avoids fixed line ranges. It is curated and should be kept in sync with the generated inventory.
+
+Generate the machine index:
+
+```bash
+python3 scripts/generate-function-index.py
+```
+
+Generated output:
+
+- `docs/FUNCTION_INDEX.generated.md`
+
+To refresh function discovery manually after major refactors:
+
+```bash
+grep -nE "^[[:space:]]*function[[:space:]]+[A-Za-z0-9_]+[[:space:]]*\(" index.html
+grep -nE "^[[:space:]]*function[[:space:]]+[A-Za-z0-9_]+[[:space:]]*\(" explorer.html
+grep -nE "^[[:space:]]*function[[:space:]]+[A-Za-z0-9_]+[[:space:]]*\(" stix-builder.html
+grep -nE "^[[:space:]]*function[[:space:]]+[A-Za-z0-9_]+[[:space:]]*\(" config.js
+grep -nE "^[[:space:]]*function[[:space:]]+[A-Za-z0-9_]+[[:space:]]*\(" stix-config.js
+```
+
+Update strategy:
+
+- Regenerate `docs/FUNCTION_INDEX.generated.md` first.
+- Add/remove only changed function names in the relevant subsection.
+- Keep subsystem grouping stable; avoid churn from small reordering.
+
+---
+
+## `config.js` Function Index
+
+- Theme resolution and application:
+  - `resolveTheme`, `applyConfigColors`
+
+## `stix-config.js` Function Index
+
+- STIX definition helpers:
+  - `getStixFieldsForType`, `getStixTypeKeys`, `getStixTypeLabel`, `getStixVocabulary`
+
+---
+
+## `index.html` Function Index
+
+### Version / Security / Sanitization
+
+- `isTextInputElement`
+- `normalizeUserInput`
+- `sanitizeUserInputText`
+- `sanitizeForStorage`
+- `truncateAtBoundary`
+- `applyInputGuards`
+- `isDangerousObjectKey`
+- `createSafeObject`
+- `hasOwn`
+- `parseJsonSafe`
+- `stripAngleBracketsFromJson`
+
+### Metadata / Assignment / Type Utilities
+
+- `createDefaultMetadata`
+- `getCveEntries`
+- `getCveList`
+- `normalizeCveMetadata`
+- `getConfidenceLabel`
+- `getConfidenceClass`
+- `createAssignmentInstanceId`
+- `migrateAssignment`
+- `getAssignmentId`
+- `getAssignmentMetadata`
+- `getAssignmentInstanceId`
+- `generateUUID`
+- `generateStixId`
+- `uuidv5`
+- `sha1Bytes`
+- `mitigationStixId`
+- `techniqueStixId`
+- `getPhaseUngroupedItems`
+- `getPhaseGroupedItems`
+- `getAllPhaseItemsByType`
+- `ensurePhaseLayout`
+
+### Group Management / Assignment Mutations
+
+- `generateGroupId`
+- `createGroup`
+- `toggleGroupCollapse`
+- `startRenameGroup`
+- `commitRenameGroup`
+- `removeGroup`
+- `extractAssignmentInstance`
+- `moveGroupBetweenPhases`
+- `findAssignment`
+- `updateAssignmentMetadata`
+
+### State / Kill Chain / Description Helpers
+
+- `formatPhaseName`
+- `initAssignments`
+- `commitKillChainTitle`
+- `syncTitleToDOM`
+- `commitKillChainDescription`
+- `syncDescriptionToDOM`
+- `toggleDescriptionPanel`
+- `updateDescriptionHint`
+- `updateDescriptionCounter`
+
+### Data Loading / Offline Resource Flow
+
+- `isFileProtocolRuntime`
+- `getFileNameFromPath`
+- `cloneJsonData`
+- `readLocalFileText`
+- `enableOfflineResourceSelectionUI`
+- `hideLoadingOverlay`
+- `getSharedDataCache`
+
+### Local Iframe IPC / Shared Data Controls
+
+- `isLocalIframeIPCEnabled`
+- `updateLoadingContextInfo`
+- `isLocalIframeIPCTraceEnabled`
+- `logLocalIframeIPCSplash`
+- `logLocalIframeIPCTrace`
+- `getLocalIframeIPCRateLimitConfig`
+- `getLocalIframeIPCBootstrapConfig`
+- `isIPCRequestRateAllowed`
+- `isPlainObject`
+- `hasOnlyAllowedKeys`
+- `deepFreeze`
+- `createLocalIPCNonce`
+- `isKnownIPCSourceWindow`
+- `getIPCFrameState`
+- `clearIPCFrameBootstrapTimer`
+- `clearIPCFrameChannel`
+- `scheduleIPCChannelBootstrapRetry`
+- `sendIPCMessageViaChannel`
+- `setupIPCChannelForFrame`
+- `buildImmutableSharedDataPayload`
+- `validateSharedDatasetShape`
+- `estimateJsonByteSize`
+- `enforceSharedDatasetLimits`
+- `getExplorerFrameEl`
+- `getStixBuilderFrameEl`
+- `broadcastSharedDataToExplorer`
+- `broadcastThemeToEmbeddedViews`
+- `initEmbeddedMessageBridge`
+
+### Navigator / Technique Import
+
+- `parseTechniqueIdInput`
+- `openCsvImportModal`
+- `closeCsvImportModal`
+- `importNavigator`
+- `detectDomain`
+- `getTechniqueName`
+
+### Theme / View / Layout / Sidebar Controls
+
+- `getPreferredThemeMode`
+- `normalizeThemeMode`
+- `normalizeThemeScheme`
+- `applyTheme`
+- `updateThemeControls`
+- `toggleThemeMode`
+- `initThemeControls`
+- `syncThemeFromStorage`
+- `isStixBuilderEnabled`
+- `setView`
+- `applyNavigationConfig`
+- `toggleSidebar`
+- `toggleLayer`
+- `updateHideEmptyControl`
+- `updateCompactControls`
+- `setCompactMode`
+- `toggleCompactMode`
+- `updateCommentsControls`
+- `toggleItemComment`
+- `toggleAllComments`
+- `initCompactMode`
+- `applyCompactLayout`
+- `toggleHideEmpty`
+- `openMitigationExplorer`
+- `openEntityExplorer`
+
+### Search / Tabs / Filters
+
+- `switchTab`
+- `setFilter`
+- `setGlobalSearch`
+- `openGlobalSearch`
+- `closeGlobalSearch`
+- `toggleGlobalSearchExpanded`
+- `setGlobalSearchSticky`
+- `updateGlobalSearchUI`
+- `initGlobalSearch`
+- `rankGlobalEntity`
+- `buildGlobalSearchResults`
+- `renderGlobalSearchResults`
+- `openGlobalSearchResult`
+- `matchesGlobalSearch`
+- `parseCommaIdList`
+- `filterEntities`
+- `isEntityAssigned`
+
+### STIX Library / STIX Editing
+
+- `importStixBundle`
+- `clearStixLibrary`
+- `sanitizeStixBundleObject`
+- `populateStixTypeDropdown`
+- `toggleCustomTypeName`
+- `openCreateCustomModal`
+- `closeCreateCustomModal`
+- `createCustomItem`
+- `deleteCustomItem`
+- `openStixEditor`
+- `closeStixEditor`
+- `saveStixEditor`
+- `buildStixReadonlyField`
+- `buildStixTextField`
+- `buildStixTextareaField`
+- `buildStixFieldFromSpec`
+- `getEntityName`
+
+### Detail Views / Modals / Entity Validation
+
+- `renderDescriptionWithBadges`
+- `selectEntity`
+- `isSafeHttpUrl`
+- `isValidEntityId`
+- `buildEntityDetail`
+- `buildStixPropertySummary`
+- `buildMetadataSummary`
+- `openEntityModal`
+- `closeEntityModal`
+- `showDetail`
+- `closeDetail`
+- `findEntityPhase`
+
+### Drag and Drop
+
+- `handleDragStart`
+- `handleDragEnd`
+- `handleDragOver`
+- `handleDragLeave`
+- `handleDrop`
+- `handleAssignmentDragStart`
+- `handleGroupDragStart`
+- `handleGroupDrop`
+
+### Rendering / Relationships / Phase Detail Analytics
+
+- `renderKillChain`
+- `renderEntityTag`
+- `getRelationshipChainId`
+- `renderRelationshipView`
+- `expandRelationshipMitigations`
+- `getAverageScoreLabel`
+- `buildPhaseDetails`
+- `getPhaseItemRelationships`
+- `getPhaseAverages`
+- `buildPhaseCveEntries`
+- `buildPhaseMitigations`
+- `renderPhaseMitigationSection`
+- `renderPhaseCveSection`
+- `renderPhaseDetailsSection`
+- `openPhaseDetails`
+- `closePhaseDetails`
+- `renderStats`
+- `togglePhase`
+- `removeAssignment`
+- `expandAll`
+- `collapseAll`
+- `clearAssignments`
+
+### Import / Export / Serialization / Validation
+
+- `exportJSON`
+- `buildSTIXBundle`
+- `addRelationship`
+- `exportSTIXBundle`
+- `triggerImportKillChain`
+- `ensureAssignmentShape`
+- `ensureLibraryFallbacks`
+- `validateKillChainImport`
+- `sanitizeImportedString`
+- `sanitizeImportedAssignment`
+- `sanitizeImportedCustomAssignment`
+- `sanitizeAssignmentMetadata`
+- `sanitizeImportedData`
+- `importKillChain`
+- `exportCSV`
+
+### Dropdowns / Metadata Editor / Utility Modals / Init
+
+- `toggleDropdown`
+- `closeDropdowns`
+- `openMetadataEditor`
+- `closeMetadataEditor`
+- `selectScore`
+- `updateConfidenceLabel`
+- `addCveRow`
+- `addHyperlinkRow`
+- `addObservableRow`
+- `saveMetadata`
+- `showUsageGuide`
+- `closeUsageGuide`
+- `closeChangelog`
+- `showToast`
+- `renderAll`
+- `enableLeaveSiteConfirmation`
+
+---
+
+## `explorer.html` Function Index
+
+### Theme / IPC / Bootstrapping
+
+- `getPreferredThemeMode`
+- `normalizeThemeMode`
+- `normalizeThemeScheme`
+- `applyTheme`
+- `updateThemeControls`
+- `toggleThemeMode`
+- `initThemeControls`
+- `syncThemeFromStorage`
+- `isLocalIframeIPCEnabled`
+- `isLocalIframeIPCTraceEnabled`
+- `logLocalIframeIPCSplash`
+- `logLocalIframeIPCTrace`
+- `isPlainObject`
+- `hasOnlyAllowedKeys`
+- `deepFreeze`
+- `hasActiveParentIPCChannel`
+- `setParentIPCChannel`
+- `clearParentIPCWaitTimer`
+- `getLocalIframeIPCBootstrapConfig`
+- `estimateBootstrapFailureWindowMs`
+- `scheduleParentIPCBootstrapFailureWatch`
+- `sendParentIPCRequest`
+- `validateAndFreezeSharedDataPayload`
+- `requestParentBridgeData`
+- `initParentBridgeHandlers`
+
+### Offline / Data / Rendering
+
+- `isFileProtocolRuntime`
+- `cloneJsonData`
+- `parseJsonSafe`
+- `readLocalFileText`
+- `enableOfflineSelectionUI`
+- `setStatus`
+- `normalize`
+- `escapeHtml`
+- `escapeAttr`
+- `isSafeHttpUrl`
+- `renderDescriptionWithBadges`
+- `unique`
+- `buildSearchIndex`
+- `getBadgeClass`
+- `renderSuggestions`
+- `buildIndices`
+- `createTabs`
+- `renderTabs`
+- `renderList`
+- `selectEntity`
+- `getMitreTechniqueUrl`
+- `getCapecUrl`
+- `getCweUrl`
+- `getMitigationUrl`
+- `buildRelatedForAttack`
+- `buildRelatedForCapec`
+- `buildRelatedForCwe`
+- `buildRelatedForMitigation`
+- `renderGraphColumn`
+- `renderGraph`
+- `renderDetails`
+- `initEvents`
+- `getParentSharedDataLoader`
+- `enableLeaveSiteConfirmation`
+
+---
+
+## `stix-builder.html` Function Index
+
+### Theme / IPC / Security Basics
+
+- `showToast`
+- `getPreferredThemeMode`
+- `normalizeThemeMode`
+- `normalizeThemeScheme`
+- `applyTheme`
+- `updateThemeControls`
+- `toggleThemeMode`
+- `initThemeControls`
+- `syncThemeFromStorage`
+- `isLocalIframeIPCEnabled`
+- `isLocalIframeIPCTraceEnabled`
+- `logLocalIframeIPCSplash`
+- `logLocalIframeIPCTrace`
+- `isPlainObject`
+- `hasOnlyAllowedKeys`
+- `hasActiveParentIPCChannel`
+- `setParentIPCChannel`
+- `clearParentIPCWaitTimer`
+- `getLocalIframeIPCBootstrapConfig`
+- `estimateBootstrapFailureWindowMs`
+- `scheduleParentIPCBootstrapFailureWatch`
+- `requestParentTheme`
+- `initParentThemeBridge`
+- `generateUUID`
+- `isDangerousObjectKey`
+- `createSafeObject`
+- `hasOwn`
+- `parseJsonSafe`
+- `stripAngleBracketsFromJson`
+- `sanitizeUserInputText`
+- `sanitizeImportedString`
+- `applyInputGuards`
+- `isTextInputElement`
+- `isSafeHttpUrl`
+
+### Object Model / Editor / Renderers
+
+- `getObjectCategory`
+- `getObjectDisplayName`
+- `buildAddTypeOptions`
+- `setActiveTab`
+- `renderTabs`
+- `renderObjectList`
+- `selectObject`
+- `getActiveObject`
+- `createDefaultObject`
+- `getDefaultForField`
+- `addObject`
+- `deleteActiveObject`
+- `renderEditor`
+- `setCenterMode`
+- `renderCenterMode`
+- `isRequiredField`
+- `renderField`
+- `renderFieldInput`
+- `renderEnumField`
+- `renderOpenVocabField`
+- `renderListField`
+- `renderObjectRefsField`
+- `renderKillChainField`
+- `renderExternalReferencesField`
+- `renderReferenceHashesField`
+- `renderGranularMarkingsField`
+- `renderDictionaryField`
+- `renderHashesField`
+- `renderExtensionsField`
+- `renderMarkingDefinitionField`
+
+### Bundle / Validation / Import-Export
+
+- `updateBundlePreview`
+- `renderBundleSummary`
+- `renderBundlePreview`
+- `setVisualizerButtonState`
+- `updateStatus`
+- `openBundleIssues`
+- `closeBundleIssues`
+- `clearBundle`
+- `sanitizeDictionary`
+- `sanitizeExtensions`
+- `sanitizeImportedFieldValue`
+- `sanitizeImportedObject`
+- `sanitizeBundleForVisualizer`
+- `renderVisualizer`
+- `validateBundle`
+- `hasValue`
+- `validateObjectFields`
+- `sanitizeValue`
+- `handleEditorInput`
+- `collectDictionary`
+- `collectExtensions`
+- `handleEditorClick`
+- `exportBundle`
+- `importBundle`
+- `copyActiveJson`
+- `initEvents`
+- `enableLeaveSiteConfirmation`
+
+---
+
+*Last refreshed for v2.9.0 code layout. This file is intentionally line-agnostic to reduce churn while preserving maintainability.*
\ No newline at end of file
diff --git a/index.html b/index.html
index 3bafa4d..0b7dccd 100644
--- a/index.html
+++ b/index.html
@@ -1,5 +1,8 @@
 <!DOCTYPE html>
 <html lang="en">
+    <!-- AttackFlow - An editor for creating enriched Cyber Kill Chain assessments
+        Project Page: https://github.com/Pr0cella/AttackFlow
+    -->
 <head>
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
@@ -4052,7 +4055,7 @@ <h4>Tips</h4>
         // ============================================================
         // VERSION - Loaded dynamically from changelog
         // ============================================================
-        let APP_VERSION = '2.9.0';  // Fallback version
+        let APP_VERSION = '2.9.2';  // Fallback version
         
         async function loadVersion() {
             try {
@@ -10023,12 +10026,12 @@ <h4>Observables</h4>
             }
             
             // Convert to CSV string
-            // KCE-SEC-004: Prefix cells starting with formula characters to prevent injection
+            // Prefix cells containing formula characters with a tab character and wraps the cell content in double quotes
             const sanitizeForCsv = (value) => {
                 const str = String(value);
-                // Prefix with single quote if starts with formula characters
+                // prefix with tab and wrap in quotes
                 if (/^[=+\-@\t\r]/.test(str)) {
-                    return "'" + str;
+                    return '"' + "\t" + str + '"';
                 }
                 return str;
             };
diff --git a/scripts/generate-function-index.py b/scripts/generate-function-index.py
new file mode 100644
index 0000000..3631eda
--- /dev/null
+++ b/scripts/generate-function-index.py
@@ -0,0 +1,147 @@
+#!/usr/bin/env python3
+"""
+Generate docs/FUNCTION_INDEX.generated.md from runtime source files.
+
+Usage:
+  python3 scripts/generate-function-index.py
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from datetime import datetime, timezone
+from pathlib import Path
+import re
+
+
+@dataclass
+class FunctionHit:
+    name: str
+    line: int
+    signature: str
+    kind: str
+
+
+PROJECT_ROOT = Path(__file__).resolve().parent.parent
+OUTPUT_FILE = PROJECT_ROOT / "docs" / "FUNCTION_INDEX.generated.md"
+
+TARGET_FILES = [
+    "index.html",
+    "explorer.html",
+    "stix-builder.html",
+    "config.js",
+    "stix-config.js",
+]
+
+DECLARATION_PATTERNS = [
+    ("declaration", re.compile(r"^\s*function\s+([A-Za-z_][A-Za-z0-9_]*)\s*\(")),
+    ("async-declaration", re.compile(r"^\s*async\s+function\s+([A-Za-z_][A-Za-z0-9_]*)\s*\(")),
+    (
+        "const-function",
+        re.compile(
+            r"^\s*(?:const|let|var)\s+([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?:async\s+)?function\s*\("
+        ),
+    ),
+    (
+        "arrow-function",
+        re.compile(
+            r"^\s*(?:const|let|var)\s+([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?:async\s+)?(?:\([^\)]*\)|[A-Za-z_][A-Za-z0-9_]*)\s*=>"
+        ),
+    ),
+]
+
+
+def extract_functions(file_path: Path) -> list[FunctionHit]:
+    lines = file_path.read_text(encoding="utf-8", errors="replace").splitlines()
+    seen: set[tuple[str, int]] = set()
+    hits: list[FunctionHit] = []
+
+    for index, line in enumerate(lines, start=1):
+        for kind, pattern in DECLARATION_PATTERNS:
+            match = pattern.match(line)
+            if not match:
+                continue
+
+            name = match.group(1)
+            key = (name, index)
+            if key in seen:
+                break
+
+            seen.add(key)
+            hits.append(
+                FunctionHit(
+                    name=name,
+                    line=index,
+                    signature=line.strip(),
+                    kind=kind,
+                )
+            )
+            break
+
+    hits.sort(key=lambda item: (item.line, item.name.lower()))
+    return hits
+
+
+def render_markdown(function_map: dict[str, list[FunctionHit]]) -> str:
+    timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
+
+    lines: list[str] = []
+    lines.append("# AttackFlow — Generated Function Index")
+    lines.append("")
+    lines.append(
+        "This file is auto-generated by `scripts/generate-function-index.py`. Do not edit manually."
+    )
+    lines.append("")
+    lines.append(f"Generated: {timestamp}")
+    lines.append("")
+    lines.append("## Coverage")
+    lines.append("")
+
+    total = 0
+    for rel_path in TARGET_FILES:
+        count = len(function_map.get(rel_path, []))
+        total += count
+        lines.append(f"- `{rel_path}`: {count} functions")
+
+    lines.append(f"- **Total**: {total} functions")
+    lines.append("")
+    lines.append("---")
+    lines.append("")
+
+    for rel_path in TARGET_FILES:
+        functions = function_map.get(rel_path, [])
+        lines.append(f"## `{rel_path}`")
+        lines.append("")
+
+        if not functions:
+            lines.append("_No function declarations detected._")
+            lines.append("")
+            continue
+
+        for hit in functions:
+            lines.append(
+                f"- `L{hit.line}` `{hit.name}` ({hit.kind}) — `{hit.signature}`"
+            )
+
+        lines.append("")
+
+    return "\n".join(lines)
+
+
+def main() -> None:
+    function_map: dict[str, list[FunctionHit]] = {}
+
+    for rel_path in TARGET_FILES:
+        abs_path = PROJECT_ROOT / rel_path
+        if not abs_path.exists():
+            function_map[rel_path] = []
+            continue
+
+        function_map[rel_path] = extract_functions(abs_path)
+
+    OUTPUT_FILE.write_text(render_markdown(function_map), encoding="utf-8")
+    print(f"Generated {OUTPUT_FILE.relative_to(PROJECT_ROOT)}")
+
+
+if __name__ == "__main__":
+    main()
diff --git a/scripts/regenerate-release.sh b/scripts/regenerate-release.sh
index 1ff5831..3e31d64 100755
--- a/scripts/regenerate-release.sh
+++ b/scripts/regenerate-release.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 # Rebuild release artifacts in release/
-# Copies root-level .html and .js files, plus resources/ and stix-visualization/
+# Regenerates documentation artifacts, then copies root-level .html and .js files,
+# plus resources/ and stix-visualization/
 
 set -euo pipefail
 
@@ -33,6 +34,16 @@ echo ""
 echo "Clearing release directory..."
 find "$RELEASE_DIR" -mindepth 1 -maxdepth 1 -exec rm -rf {} +
 
+echo "Regenerating generated function index..."
+PYTHON_BIN="${PYTHON_BIN:-python3}"
+if ! command -v "$PYTHON_BIN" >/dev/null 2>&1; then
+    echo "Error: $PYTHON_BIN not found. Set PYTHON_BIN or install python3."
+    exit 1
+fi
+
+"$PYTHON_BIN" "$SRC/scripts/generate-function-index.py"
+echo "  docs/FUNCTION_INDEX.generated.md"
+
 echo "Copying root HTML/JS files..."
 found_root_files=false
 while IFS= read -r file; do