Skip to content

Add tm7-threat-model skill for valid TM7 file generation#2280

Merged
aaronpowell merged 6 commits into
github:mainfrom
prasadgd9022:add-tm7-threat-model-skill
Jul 14, 2026
Merged

Add tm7-threat-model skill for valid TM7 file generation#2280
aaronpowell merged 6 commits into
github:mainfrom
prasadgd9022:add-tm7-threat-model-skill

Conversation

@prasadgd9022

Copy link
Copy Markdown
Contributor

Description

Adds a new tm7-threat-model skill that generates valid Microsoft Threat Modeling Tool (.tm7) files.

.tm7 files use the WCF DataContractSerializer format (not generic XML); the Threat Modeling Tool refuses to open files that use a plain-XML structure. This skill documents the exact root element, namespace prefixes, stencil/data-flow/threat serialization, and a checklist of common mistakes that corrupt .tm7 files. It bundles a validated example-minimal.tm7 reference (well-formed, no <?xml?> declaration).

This is a clean re-submission of #1660 (which was closed only because it targeted main and had a polluted, auto-regenerated diff). This PR targets staged and changes only the new skill folder plus its single generated row in docs/README.skills.md.

Type of Contribution

  • New skill file.

Additional Notes

  • npm run skill:validate✅ tm7-threat-model is valid.
  • npm run build regenerated docs/README.skills.md (single added row).
  • Targeting the staged branch as required.

Adds a skill that generates valid Microsoft Threat Modeling Tool (.tm7)
files using the correct WCF DataContractSerializer format, with a minimal
reference file. Includes STRIDE threat generation workflow and a checklist
of common serialization mistakes that corrupt .tm7 files.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 12, 2026 17:44
@github-actions github-actions Bot added new-submission PR adds at least one new contribution skills PR touches skills labels Jul 12, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a skill for generating Microsoft Threat Modeling Tool .tm7 files.

Changes:

  • Documents TM7 serialization and STRIDE modeling.
  • Adds a bundled TM7 reference model.
  • Registers the skill in generated documentation.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 4 comments.

File Description
skills/tm7-threat-model/SKILL.md Defines generation instructions and serialization examples.
skills/tm7-threat-model/example-minimal.tm7 Provides the reference TM7 model.
docs/README.skills.md Adds the skill catalog entry.

Comment thread skills/tm7-threat-model/SKILL.md Outdated
Comment thread skills/tm7-threat-model/SKILL.md Outdated
Comment thread skills/tm7-threat-model/example-minimal.tm7 Outdated
Comment thread skills/tm7-threat-model/example-minimal.tm7 Outdated

@aaronpowell aaronpowell left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor change to match required structure

Comment thread skills/tm7-threat-model/example-minimal.tm7 Outdated
…to assets

- Move example-minimal.tm7 into assets/ per repo convention (aaronpowell).
- Remove personal/corporate metadata from the reference model (Owner,
  Contributors, ChangedBy domain account, project names).
- Make the reference model self-contained: add a second stencil so the data
  flow and threat SourceGuid/TargetGuid/FlowGuid all resolve to real elements.
- Fix SKILL.md threat contract (KeyValueOfstringThreatpc_P0_PhOB with
  b:-prefixed KnowledgeBase fields) to match the bundled reference.
- Reconcile guidance: MetaInformation/Notes/KnowledgeBase are valid schema
  elements and must be preserved; only SecurityGaps/Mitigations are invalid.
- Regenerate docs/README.skills.md and normalize line endings to LF.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@prasadgd9022

Copy link
Copy Markdown
Contributor Author

Thanks for the review! Pushed 7a93150 addressing all comments:

@aaronpowell — Moved the reference model to skills/tm7-threat-model/assets/example-minimal.tm7 per the spec, and re-ran npm run build so the catalog entry points at the new path.

Copilot review comments:

  1. Threat contract mismatch (PhBB vs PhOB). Rewrote the Threat instances section to the exact contract the bundled file uses: a:KeyValueOfstringThreatpc_P0_PhOB with b:-prefixed KnowledgeBase fields and the TH<id>+Source+Flow+Target key format.
  2. MetaInformation contradiction. Reconciled the guidance: MetaInformation, Notes and KnowledgeBase are valid schema elements and must be preserved; only SecurityGaps/Mitigations are non-schema. Updated the "NEVER use" list, the file-structure section, and the common-mistakes list to match the asset.
  3. PII / source-model metadata. Sanitized the reference: removed owner/contributor names, the FAREAST\... domain account in ChangedBy, and project names — all replaced with synthetic/empty values.
  4. Dangling diagram/threat references. Made the model self-contained — added a second stencil (cloned from the validated one) so the data flow and the threat's SourceGuid/TargetGuid/FlowGuid now all resolve to included elements. Verified the file is well-formed XML and every reference resolves.

Also normalized line endings to LF. npm run skill:validate✅ tm7-threat-model is valid.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated 6 comments.

Comment thread skills/tm7-threat-model/SKILL.md Outdated
Comment thread skills/tm7-threat-model/SKILL.md Outdated
Comment thread skills/tm7-threat-model/SKILL.md Outdated
Comment thread skills/tm7-threat-model/SKILL.md Outdated
Comment thread skills/tm7-threat-model/SKILL.md Outdated
Comment thread skills/tm7-threat-model/SKILL.md Outdated
…:Id uniqueness

- Document KnowledgeBase as a top-level sibling after ThreatMetaData (not embedded)
- Update skeleton to show <ThreatMetaData/>, sibling <KnowledgeBase>, and <Profile>
- Replace TypeIds absent from the bundled KB: AzureCosmosDB -> AzureSQLDB,
  HumanUser -> Mobile, GenericDataFlow -> Request
- Require z:Id uniqueness across the file in the common-mistakes checklist

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@prasadgd9022

Copy link
Copy Markdown
Contributor Author

@reply.txt

aaronpowell
aaronpowell previously approved these changes Jul 14, 2026
@aaronpowell aaronpowell changed the base branch from staged to main July 14, 2026 00:53
@aaronpowell aaronpowell dismissed their stale review July 14, 2026 00:53

The base branch was changed.

@aaronpowell aaronpowell enabled auto-merge (squash) July 14, 2026 00:54
@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

🔒 PR Risk Scan Results

Scanned 3 changed file(s).

Severity Count
🔴 High 0
🟠 Medium 1
ℹ️ Info 0
Severity Rule File Line Match
🟠 package-exec-command docs/README.skills.md 31 | [acreadiness-assess](../skills/acreadiness-assess/SKILL.md)&lt;br /&gt;`gh skills install github/awesome-copilot acreadiness-assess` | Run the AgentRC readiness assessment on the curre
Skipped non-text or missing files
  • skills/tm7-threat-model/assets/example-minimal.tm7 (skipped: file too large)

This is an automated soft-gate report. Findings indicate review targets and do not block merge by themselves.

@aaronpowell aaronpowell disabled auto-merge July 14, 2026 00:55
@github-actions

Copy link
Copy Markdown
Contributor

🔍 Vally Lint Results

✅ All checks passed

Scope Checked
Skills 1
Agents 0
Total 1
Severity Count
❌ Errors 0
⚠️ Warnings 0
ℹ️ Advisories 0

Summary

Level Finding
ℹ️ npm warn EBADENGINE Unsupported engine {
ℹ️ npm warn EBADENGINE package: 'commander@15.0.0',
ℹ️ npm warn EBADENGINE required: { node: '>=22.12.0' },
ℹ️ npm warn EBADENGINE current: { node: 'v20.20.2', npm: '10.8.2' }
ℹ️ npm warn EBADENGINE }
ℹ️ npm warn deprecated prebuild-install@7.1.3: No longer maintained. Please contact the author of the relevant native addon; alternatives are available.
ℹ️ ✅ tm7-threat-model (2/2 checks passed)
ℹ️ ✓ [spec-compliance] All 1 skill(s) are spec-compliant.
ℹ️ ✓ spec-compliance: All spec checks passed.
ℹ️ ✓ [valid-refs] All file references across 1 skill(s) are valid.
Full linter output
### Linting skills/tm7-threat-model
npm warn EBADENGINE Unsupported engine {
npm warn EBADENGINE   package: 'commander@15.0.0',
npm warn EBADENGINE   required: { node: '>=22.12.0' },
npm warn EBADENGINE   current: { node: 'v20.20.2', npm: '10.8.2' }
npm warn EBADENGINE }
npm warn deprecated prebuild-install@7.1.3: No longer maintained. Please contact the author of the relevant native addon; alternatives are available.
✅ tm7-threat-model (2/2 checks passed)
    ✓ [spec-compliance] All 1 skill(s) are spec-compliant.
        ✓ spec-compliance: All spec checks passed.
    ✓ [valid-refs] All file references across 1 skill(s) are valid.
        ✓ valid-refs: All file references resolve to existing files within the skill directory.

1 skill(s) linted, 1 passed

@aaronpowell

Copy link
Copy Markdown
Contributor

I think the tm7 file should be added to the exclude list for codespell - https://github.com/github/awesome-copilot/actions/runs/29297181766/job/86973147200?pr=2280

Copilot AI review requested due to automatic review settings July 14, 2026 16:33

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.

Comment thread skills/tm7-threat-model/SKILL.md
Comment thread skills/tm7-threat-model/SKILL.md
MTM DataContract .tm7 exports embed base64 icon blobs whose substrings
(oT, bu, wth, mKe, ...) trigger codespell false positives. Skip *.tm7,
matching the existing convention for binary/asset files.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 14, 2026 16:40
@prasadgd9022 prasadgd9022 requested a review from aaronpowell July 14, 2026 16:44

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 4 changed files in this pull request and generated 3 comments.

Comment thread skills/tm7-threat-model/assets/example-minimal.tm7
Comment thread skills/tm7-threat-model/SKILL.md
Comment thread skills/tm7-threat-model/SKILL.md
@aaronpowell aaronpowell merged commit 36b30eb into github:main Jul 14, 2026
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

new-submission PR adds at least one new contribution skills PR touches skills

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants