integrate threat-model.md into Phase 1 workflow

[pruiz]

Implements the plan at .project/security-threat-model-phase1-plan.md.

Summary

• Adds templates/threat-model.md — structured operational threat model produced by Phase 1b
• Creates tools/phases/artifact_checks.py — shared phase artifact validator with strict H1 heading checks
• Renames Phase 1b to "Detailed Reconnaissance" (was "CodeQL-assisted Reconnaissance")
• Wires threat-model.md into Phase 2 and Phase 3 prompts, gates, and auto-repair
• Updates all docs, templates, gate logic, and the Makefile

Acceptance criteria

All 17 acceptance criteria from the plan are met. See .project/security-threat-model-phase1-plan.md#acceptance-criteria.

Verification

• 609 tests pass (48 new)
• make frontmatter passes
• check-phase-artifacts --phase all --allow-missing-generated-artifacts passes
• make check passes

Deferred

Phase 4/5/6 consumption of threat-model.md tracked by #35, #36, #37.

Summary by CodeRabbit

• New Features

  • Phase 1 now produces a structured threat-model.md artifact during detailed reconnaissance, documenting system model, assets, attacker model, controls, and attack path themes.
  • Phase 2 and Phase 3 now explicitly consume the threat model to prioritize hypotheses and validate findings.
  • Added check-phase-artifacts command to validate phase-generated artifacts.

• Documentation

  • Updated Phase 1 documentation to clarify substeps (Phase 1a: profile, Phase 1b: detailed reconnaissance, Phase 1c: sandbox).
  • Added threat-model template and security control references for reconnaissance.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: ff204e8a-ba6a-4ed8-a120-888ade8e8e79

📥 Commits

Reviewing files that changed from the base of the PR and between bda1d0a and 95af337.

📒 Files selected for processing (4)

• .project/security-threat-model-phase1-plan.md
• docs/workflow.md
• tools/phases/artifact_checks.py
• tools/phases/completion.py

✅ Files skipped from review due to trivial changes (1)

• .project/security-threat-model-phase1-plan.md

🚧 Files skipped from review as they are similar to previous changes (2)

• tools/phases/completion.py
• tools/phases/artifact_checks.py

---

📝 Walkthrough

Walkthrough

This PR integrates a mandatory threat-model.md artifact into CodeCome Phase 1b reconnaissance, refactors Phase 1 prompts into three focused subphases (profile, detailed recon, sandbox), and introduces centralized post-generation artifact validation with auto-repair. Threat-model outputs are required downstream in Phase 2/3 decision-making.

Changes

Threat-Model Integration for Phase 1

Layer / File(s)	Summary
Planning Document and Reference Materials .project/security-threat-model-phase1-plan.md, .opencode/skills/source-recon/SKILL.md, .opencode/skills/source-recon/references/threat-model-checklist.md, .opencode/skills/source-recon/references/security-controls-and-assets.md	WIP planning document details architecture decisions, validation model, and artifact/prompt updates; source-recon SKILL.md adds threat-model creation guidance; new reference documents provide checklists and control/asset categories for Phase 1b.
Artifact Templates and Structured Output templates/threat-model.md, templates/run-summary.md, templates/target-recon.md	Introduces threat-model.md template with required H1 headings (scope, system model, assets, attacker model, trust boundaries, controls, themes, calibration, questions); extends run-summary.md with open-questions section; updates target-recon.md with attack-surface and trust-boundary checklists cross-referencing threat-model.md.
README and Workflow Documentation README.md, docs/development.md, docs/target-setup.md, docs/workflow.md, prompts/README.md, AGENTS.md	Updates documentation to reflect Phase 1 split into three subphases; revises manual invocation examples to use make phase-1; lists phase-1a-profile, phase-1b-recon, phase-1c-sandbox prompts; adds threat-model.md to Phase 1 outputs and Phase 2 gate requirements.
Phase 1 Prompt Refactoring and Downstream Integration prompts/phase-1a-profile.md, prompts/phase-1b-recon.md, prompts/phase-1c-sandbox.md, prompts/phase-2-audit.md, prompts/phase-3-review.md	Splits consolidated phase-1-recon.md into three prompts: Phase 1a profiles target, Phase 1b produces threat-model.md with scope/system/attacker/controls/themes, Phase 1c bootstraps sandbox; Phase 2 audit explicitly requires threat-model.md for hypothesis prioritization; Phase 3 review uses threat-model.md for counter-analysis and finding validation against documented attacker capabilities and existing controls.
Artifact Validation Framework and Phase Gates tools/phases/artifact_checks.py, tools/phases/gates.py, tools/phases/phase_1_gates.py	Introduces centralized post-generation artifact validator with strict H1 heading parsing, per-phase checkers (1a/1b/1c), threat-model.md heading validation, and optional allow-missing-generated flag; Phase 2 gate requires threat-model.md; Phase 1b gate requires threat-model.md and uses "Detailed Reconnaissance" messaging.
Phase 1 Orchestration, Auto-Repair, and CLI Integration tools/codecome.py, tools/codecome/phase_1.py, tools/codecome/harness.py, tools/phases/completion.py, Makefile	Adds threat-model.md to workspace validation; introduces check-phase-artifacts CLI subcommand with --phase and --allow-missing-generated-artifacts; Phase 1b execution validates artifacts and attempts up to 2 auto-repairs using build_artifact_repair_resume_prompt; Makefile runs check-phase-artifacts post-test; phase completion module requires threat-model.md with H1 heading checklist.
Comprehensive Test Suite for Threat-Model Integration tests/test_phase_1_gates_threat_model.py, tests/test_phase_1_prompts_threat_model.py, tests/test_phase_1_threat_model_templates.py, tests/test_phase_artifacts_cli.py, tests/test_phase_completion_threat_model.py	Five test modules validate threat-model integration: gates tests verify threat-model presence in Phase 1b/2; prompts tests validate Phase 1b content and Phase 2/3 consumption; template tests check H1 headings and structure; CLI tests exercise validation and heading requirements; completion tests validate required artifacts and auto-repair prompt generation.

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly Related PRs

• pruiz/CodeCome#29: Directly related Phase 1 orchestration changes updating phase_1.py to use phase-1b-recon.md and add Phase 1b artifact validation.

🐰 A threat model rises from the recon notes,
Phase 1b now captures what security's sought,
With templates, tests, and gates all aligned,
The validation loop keeps chaos confined. 🛡️

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 45.95% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and accurately summarizes the main change: integrating threat-model.md into the Phase 1 workflow, which is the primary objective.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch wip/security-threat-model-plan

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Coverage Report

Metric	Value
Line Coverage	73.0%
Lines Covered	0 / 0

Download detailed HTML coverage reports per OS/Python from the workflow artifacts.

Generated by pytest-cov on 2026-06-04T17:49:47.324Z

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

tools/phases/completion.py (1)

201-205: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Normalize Phase 1 subphase IDs before selecting checklist content.

At Line 205, the detailed Phase 1 checklist is gated by str(phase) == "1", but Phase 1b artifact auto-repair calls this path with phase="1b". That currently downgrades repair prompts to the generic fallback and omits the required threat-model heading checklist.

Proposed fix

 def phase_checklist_lines(phase: str, finding: str | None) -> list[str]:
-    if str(phase) == "1":
+    phase_key = str(phase)
+    if phase_key in ("1", "1a", "1b", "1c"):
         return [
             f"Ensure all required Phase 1 notes exist under {_ITEMDB_NOTES_DIR}.",
             f"Ensure {NOTES_ROOT.relative_to(ROOT)}/threat-model.md has all required H1 headings: # Threat Model Summary, # Scope, # System model, # Assets and security objectives, # Attacker model, # Trust boundary summary, # Existing controls, # Abuse-path themes for Phase 2, # Risk calibration for review focus, # Open questions for the user, # Re-run prompt hints.",
             f"Ensure {NOTES_ROOT.relative_to(ROOT)}/file-risk-index.yml is present and consistent with interesting-files.md.",
             f"Ensure {NOTES_ROOT.relative_to(ROOT)}/sandbox-plan.md documents the Phase 1b outcome.",
             "If sandbox bootstrap succeeded, ensure sandbox/CODECOME-GENERATED.md exists; otherwise document the halt clearly in sandbox-plan.md.",
         ]

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tools/phases/completion.py` around lines 201 - 205, The phase_checklist_lines
function currently checks phase with str(phase) == "1", which misses subphase
IDs like "1b"; update phase normalization inside phase_checklist_lines (or a
small helper called from it) to map any Phase 1 subphase (e.g., strings starting
with "1") to the base "1" before the selection logic so the detailed Phase 1
checklist (threat-model headings) is returned for "1", "1b", etc.; adjust the
comparison to use the normalized value (for example normalize_phase =
str(phase).strip().lower(); if normalize_phase.startswith("1"): normalize_phase
= "1") and then use normalize_phase in the existing checks.

🧹 Nitpick comments (1)

tools/phases/artifact_checks.py (1)

50-50: ⚡ Quick win

Remove unused regex constant.

_H1_RE is defined but never used in the code. Only _STRICT_H1_RE (line 53) is actually referenced.

♻️ Proposed cleanup

-_H1_RE = re.compile(r"^# (?!\s)", re.MULTILINE)
-
 # Equivalent strict H1 regex: starts with "# " and is NOT followed by whitespace
 _STRICT_H1_RE = re.compile(r"^# [^\s]", re.MULTILINE)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tools/phases/artifact_checks.py` at line 50, Remove the unused regex constant
_H1_RE from the module: delete the line defining _H1_RE = re.compile(r"^#
(?!\s)", re.MULTILINE) and verify no other code references it (only
_STRICT_H1_RE is used); keep imports intact and run tests/lint to ensure no
remaining references.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.project/security-threat-model-phase1-plan.md:
- Around line 3-5: The "Status" section is stale and contradicts the PR; update
the text under "## Status" to reflect that the plan has been implemented and
tests are passing instead of saying the PR intentionally does not implement
changes; remove or replace the sentence "This PR intentionally does not
implement the changes yet" with a concise status like "Implemented — PR includes
plan changes; 609 tests passing (48 new)" and ensure wording matches the PR
description.

In `@docs/workflow.md`:
- Line 39: Update the parenthetical in docs/workflow.md to avoid calling `make
phase-1` "manually": rephrase to indicate `make phase-1` is the
automatic/recommended way to run Phase 1 and show the true manual alternative by
mentioning the individual opencode commands (e.g., `opencode run --agent recon
"$(cat prompts/phase-1a-profile.md)"`, `opencode run --agent recon "$(cat
prompts/phase-1b-recon.md)"`, `opencode run --agent recon "$(cat
prompts/phase-1c-sandbox.md)"`) and the prompt file names
(`prompts/phase-1a-profile.md`, `prompts/phase-1b-recon.md`,
`prompts/phase-1c-sandbox.md`) so readers clearly see which is automatic (`make
phase-1`) versus the manual invocation.

In `@tools/phases/artifact_checks.py`:
- Around line 301-349: check_phase_artifacts accepts phase_1a_start_time but
never forwards it to the per-phase checkers, so check_phase_1a_artifacts (and
its leak-detection cutoff) never receives the timestamp; update the dispatcher
loop that calls func = _CHECKERS[p] so it passes phase_1a_start_time through
(e.g., errors = func(allow_missing_generated=allow_missing_generated,
phase_1a_start_time=phase_1a_start_time)) and ensure the checker wrapper in
_CHECKERS and the target function check_phase_1a_artifacts accept that kwarg, or
if you prefer the alternate approach remove the unused phase_1a_start_time
parameter from check_phase_artifacts and document that check_phase_1a_artifacts
must be called directly when a cutoff is required.

---

Outside diff comments:
In `@tools/phases/completion.py`:
- Around line 201-205: The phase_checklist_lines function currently checks phase
with str(phase) == "1", which misses subphase IDs like "1b"; update phase
normalization inside phase_checklist_lines (or a small helper called from it) to
map any Phase 1 subphase (e.g., strings starting with "1") to the base "1"
before the selection logic so the detailed Phase 1 checklist (threat-model
headings) is returned for "1", "1b", etc.; adjust the comparison to use the
normalized value (for example normalize_phase = str(phase).strip().lower(); if
normalize_phase.startswith("1"): normalize_phase = "1") and then use
normalize_phase in the existing checks.

---

Nitpick comments:
In `@tools/phases/artifact_checks.py`:
- Line 50: Remove the unused regex constant _H1_RE from the module: delete the
line defining _H1_RE = re.compile(r"^# (?!\s)", re.MULTILINE) and verify no
other code references it (only _STRICT_H1_RE is used); keep imports intact and
run tests/lint to ensure no remaining references.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 01011bd5-d330-4581-88e3-125d7922b63f

📥 Commits

Reviewing files that changed from the base of the PR and between 2365428 and bda1d0a.

📒 Files selected for processing (32)

• .opencode/skills/source-recon/SKILL.md
• .opencode/skills/source-recon/references/security-controls-and-assets.md
• .opencode/skills/source-recon/references/threat-model-checklist.md
• .project/security-threat-model-phase1-plan.md
• AGENTS.md
• Makefile
• README.md
• docs/development.md
• docs/target-setup.md
• docs/workflow.md
• prompts/README.md
• prompts/phase-1-recon.md
• prompts/phase-1a-profile.md
• prompts/phase-1b-recon.md
• prompts/phase-1c-sandbox.md
• prompts/phase-2-audit.md
• prompts/phase-3-review.md
• templates/run-summary.md
• templates/target-recon.md
• templates/threat-model.md
• tests/test_phase_1_gates_threat_model.py
• tests/test_phase_1_prompts_threat_model.py
• tests/test_phase_1_threat_model_templates.py
• tests/test_phase_artifacts_cli.py
• tests/test_phase_completion_threat_model.py
• tools/codecome.py
• tools/codecome/harness.py
• tools/codecome/phase_1.py
• tools/phases/artifact_checks.py
• tools/phases/completion.py
• tools/phases/gates.py
• tools/phases/phase_1_gates.py

💤 Files with no reviewable changes (1)

• prompts/phase-1-recon.md

[pruiz]

[coderabbitai] Fixed all findings:

1. phase_checklist_lines subphase matching — Added normalization: "1a", "1b", "1c" now map to "1" before checklist selection, matching the existing pattern in check_phase_graceful_completion. Fix at tools/phases/completion.py:201-203.

2. Unused _H1_RE regex — Removed dead constant from tools/phases/artifact_checks.py.

3. phase_1a_start_time not forwarded — Updated _check_phase_1a_with_ct wrapper and dispatcher loop to pass phase_1a_start_time through so leak detection can receive timestamps.

4. Stale plan status — Updated .project/security-threat-model-phase1-plan.md from "WIP, not implemented" to "Implemented — 609 tests passing (48 new)".

5. docs/workflow.md phrasing — Rewrote to distinguish automatic make phase-1 from manual opencode subphase invocations.

609 tests pass.