Skip to content

feat: Add Data Flow Diagram support#125

Merged
mrwadams merged 3 commits into
masterfrom
feature/dfd-issue-56
Jun 15, 2026
Merged

feat: Add Data Flow Diagram support#125
mrwadams merged 3 commits into
masterfrom
feature/dfd-issue-56

Conversation

@mrwadams

Copy link
Copy Markdown
Owner

Summary

  • New Data Flow Diagram tab in the Streamlit web UI: generate DFDs from the application description or parse an uploaded DFD image (vision-capable models only), edit the Mermaid source live, preview it inline, and confirm with a checkbox to feed the diagram into subsequent Threat Model and Attack Tree runs as the authoritative system model.
  • CLI /analyze agent now emits a system-level DFD after synthesis (architect tier, wrapped so a bad diagram never fails a good report). Rendered as a Mermaid block in the markdown report, carried in the JSON data_flow_diagram field, and shown in the HTML view via a CDN-loaded Mermaid runtime.
  • Closes the description → DFD → review → refined threat model loop the issue describes.

Also fixes a latent NameError in the web UI: provider API keys were assigned function-local in load_env_variables() and never hoisted to module scope, so every existing tab (Threat Model, Attack Tree, Mitigations, DREAD, Test Cases, image analysis) would NameError on a fresh script run. Streamlit's hot-reload was masking this by leaking stale module locals. Now read from st.session_state into module scope once, after the sidebar has run.

Test plan

  • uv run pytest -q — full suite green (304 tests; 16 new DFD tests)
  • streamlit run apps/web/main.py — generate a DFD, edit the Mermaid, confirm, run Threat Model, verify threats reference DFD components (used CompassPay sample description during development)
  • Upload a DFD image (PNG/JPEG) on a vision-capable provider — confirm the editor populates from the parse
  • uv run stride-gpt analyze stride_gpt/agent --max-llm-calls 25 --yes — verify the markdown report contains ## Data Flow Diagram with a mermaid fenced block
  • Same run with -f json — verify data_flow_diagram field is non-null
  • Same run with -f html — open in browser, confirm the diagram renders

Closes #56

mrwadams and others added 2 commits June 15, 2026 19:32
Adds DFDs as a first-class threat-modelling artifact on both surfaces:

Web UI — new "Data Flow Diagram" tab that generates a DFD from the
application description or parses one from an uploaded image, with an
editable Mermaid editor + live preview. A "Use this DFD for the threat
model" checkbox stores the diagram in session state; subsequent Threat
Model and Attack Tree runs splice it into their prompts as the
authoritative system model.

CLI — agentic analysis now emits a system-level DFD after synthesis
(architect tier, wrapped so failures don't fail the report). Rendered
as a Mermaid block in the markdown report, carried through JSON, and
shown in the HTML report via a CDN-loaded Mermaid runtime.

Also: hoists provider API keys from session_state into module scope
once after the sidebar runs, fixing a latent NameError that affected
every tab on a fresh script run and was previously masked by Streamlit
hot-reload stale-namespace behaviour.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds a Features bullet (positioned before attack trees — DFDs are
upstream scaffolding) and a new "Unreleased" changelog section so the
DFD work doesn't get mixed into the already-released 0.17 entries.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Comment thread tests/test_dfd.py Fixed
Comment thread tests/test_dfd.py Fixed
Removes `pytest` and `SubsystemFinding` imports — neither is referenced
in the file. Clears CodeQL alerts #355 and #356 on PR #125.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@mrwadams mrwadams merged commit 43b1b8b into master Jun 15, 2026
8 checks passed
@mrwadams mrwadams deleted the feature/dfd-issue-56 branch June 15, 2026 19:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Feature request: Data Flow Diagrams

2 participants