Context
The Phase 1 threat-modeling integration plan adds itemdb/notes/threat-model.md as a required Phase 1b artifact. The initial implementation will explicitly wire this artifact into Phase 2 and Phase 3, but Phase 6 consumption is intentionally deferred.
Phase 6 reporting may benefit from a concise threat-model methodology/risk-context reference, especially when explaining scope, attacker assumptions, affected assets, and trust boundaries.
Proposal
Update Phase 6 reporting prompts/templates, where appropriate, so reports can use the threat model for:
- methodology and scope context,
- attacker model assumptions,
- affected assets and security objectives,
- trust-boundary explanations,
- limitations and assumptions that affect severity or exploitability.
Acceptance criteria
- Phase 6 prompt explicitly references itemdb/notes/threat-model.md when present.
- Reports may summarize relevant threat-model context without duplicating the whole artifact.
- Severity/context language remains tied to confirmed findings and evidence, not speculative abuse-path themes.
- Existing Phase 6 behavior remains compatible with projects that do not yet have threat-model artifacts.