model_coherence_report
Detects coherence gaps in threat models: unknown components, mismatched repo bindings, and unreachable control-object paths, enabling resolution before audit.
Instructions
Static-analysis report on coherence between the model's component declarations, the code-binding strings on its controls and assertions, and the structural reachability of every CO.
Pass co_id to scope the report to findings carrying that CO id
(the co_* reachability findings + the attestation cross-link
findings). Component- and assertion-level findings without a CO
binding are excluded in single-CO mode. 404 if the CO doesn't
exist on the model.
The report carries up to twelve finding types, grouped below by
concern. Each finding includes the entity IDs it concerns
(co_id, asset_id, attacker_id, component_id, etc.)
so the agent can dispatch the resolution tool directly without
re-fetching the model.
Component / assertion bindings:
control_component_unknown— control references a component ID that no longer exists. Resolve:assign_control_to_components.asset_component_unknown— asset references a missing component. Resolve:edit_asset(with correctedcomponent_ids).assertion_repo_mismatch— an assertion'srepodoes not match therepo_urlof any component scoping its control. Resolve: rebind the assertion or rescope the control.assertion_repo_orphan— an assertion has arepobut its control is unscoped. Resolve:assign_control_to_componentsto scope the control, or correct the assertion's repo.control_unscoped_with_scoped_assertions— control is unscoped, but its assertions all carry a single component'srepo. Resolve:assign_control_to_componentsto that component.component_unbound— a component has norepo_url(speculative; LLM-proposed during generation, or operator- added without a binding yet). Resolve:edit_componentwith the real repo URL once the codebase exists. Speculative is a valid lifecycle state, not an error — surfaced so the gap is visible to auditors.
Reachability findings (deterministic composer; indeterminate verdicts surface as findings, never auto-decided by an LLM):
co_attacker_unpositioned— the CO's attacker has no positioned trust boundaries. Resolve:edit_attacker(settrust_boundary_ids), oradd_assumptionwith a structured exclusion predicate.co_asset_unbounded— the CO's asset has no component-derived trust boundaries. Resolve:assign_asset_to_components,edit_asset(withcomponent_ids), oradd_assumptionwith a structured exclusion.co_no_shared_boundary— attacker and asset boundaries do not intersect. Resolve: re-position the attacker viaedit_attacker, scope the asset to a shared component viaassign_asset_to_components, oradd_assumptionwith a structured exclusion.co_missing_entity— the CO references a missing asset/attacker; model state inconsistent. Resolve: restore the entity (restore_asset/restore_attacker) or remove the orphaned CO viarefine_threat_model.
Use this before relying on component-scoped control discovery,
when assertion verification fails for path/repo reasons, or to
enumerate structural-completeness gaps the operator should
address before treating the model as audit-ready. get_reachability_verdicts
exposes the underlying composer verdicts directly when the
finding-shape summary isn't enough.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| co_id | No | Optional CO id to scope the report to a single CO. | |
| model_id | Yes | ID of the threat model. | |
| server_version | Yes |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
No arguments | |||