
threat-model

Build a threat model for a target codebase. Three modes: "interview" walks an application owner through the four-question framework and produces a threat model from their answers; "bootstrap" derives a threat model from the code plus past vulnerabilities (CVEs, git history, pentest reports) when no owner is available; "bootstrap-then-interview" chains the two when both owner and codebase are present. All write THREAT_MODEL.md in a shared schema. Use when asked to "threat model", "build a threat model", "map the attack surface", or "what should we be worried about in this codebase".
air-gapped/skills · ★ 3 · AI & Automation · score 79
Install: claude install-skill air-gapped/skills
# threat-model

A threat model answers **"what could go wrong with this system, who would do it, and what should we do about it?"** independently of whether any specific bug has been found yet. It is the map; vulnerability discovery is the metal detector. A good threat model tells the pipeline where to look and tells triage which findings matter.

**Litmus test:** If patching one line of code makes an entry disappear, it was a vulnerability, not a threat. A threat ("attacker achieves RCE via untrusted media parsing") still stands after every known bug is fixed; a vulnerability ("`dr_wav.h:412` doesn't bounds-check `chunk_size`") does not.

This skill produces threats. Vulnerabilities appear only as **evidence** that raises a threat's likelihood score.

**Invocation:** `/threat-model [bootstrap-then-interview|bootstrap|interview] <target-dir> [flags]`

---

## Step 0 — Safety preamble (always runs first)

This skill performs **static analysis only**. It reads source, git history, and any vulnerability reports the user supplies, and writes a single output file (`<target-dir>/THREAT_MODEL.md`). It does not build, execute, fuzz, or modify the target, and does not make network requests against the target's infrastructure.

Before proceeding, confirm and state in your first response:

1. The target directory exists and is a readable local checkout.
2. You will not execute any code from the target directory.
3. If `--vulns` points at a URL or you are asked to "fetch CVEs", you will