feat: Add Data Flow Diagram support#125
Merged
Merged
Conversation
Adds DFDs as a first-class threat-modelling artifact on both surfaces: Web UI — new "Data Flow Diagram" tab that generates a DFD from the application description or parses one from an uploaded image, with an editable Mermaid editor + live preview. A "Use this DFD for the threat model" checkbox stores the diagram in session state; subsequent Threat Model and Attack Tree runs splice it into their prompts as the authoritative system model. CLI — agentic analysis now emits a system-level DFD after synthesis (architect tier, wrapped so failures don't fail the report). Rendered as a Mermaid block in the markdown report, carried through JSON, and shown in the HTML report via a CDN-loaded Mermaid runtime. Also: hoists provider API keys from session_state into module scope once after the sidebar runs, fixing a latent NameError that affected every tab on a fresh script run and was previously masked by Streamlit hot-reload stale-namespace behaviour. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds a Features bullet (positioned before attack trees — DFDs are upstream scaffolding) and a new "Unreleased" changelog section so the DFD work doesn't get mixed into the already-released 0.17 entries. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Removes `pytest` and `SubsystemFinding` imports — neither is referenced in the file. Clears CodeQL alerts #355 and #356 on PR #125. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
/analyzeagent now emits a system-level DFD after synthesis (architect tier, wrapped so a bad diagram never fails a good report). Rendered as a Mermaid block in the markdown report, carried in the JSONdata_flow_diagramfield, and shown in the HTML view via a CDN-loaded Mermaid runtime.Also fixes a latent
NameErrorin the web UI: provider API keys were assigned function-local inload_env_variables()and never hoisted to module scope, so every existing tab (Threat Model, Attack Tree, Mitigations, DREAD, Test Cases, image analysis) wouldNameErroron a fresh script run. Streamlit's hot-reload was masking this by leaking stale module locals. Now read fromst.session_stateinto module scope once, after the sidebar has run.Test plan
uv run pytest -q— full suite green (304 tests; 16 new DFD tests)streamlit run apps/web/main.py— generate a DFD, edit the Mermaid, confirm, run Threat Model, verify threats reference DFD components (usedCompassPaysample description during development)uv run stride-gpt analyze stride_gpt/agent --max-llm-calls 25 --yes— verify the markdown report contains## Data Flow Diagramwith amermaidfenced block-f json— verifydata_flow_diagramfield is non-null-f html— open in browser, confirm the diagram rendersCloses #56