tachi-control-analysislisted

# Tachi Control Analysis Skill This skill contains the domain knowledge extracted from the tachi control-analyzer agent. It provides the reference data needed to detect compensating controls in a target codebase, classify their effectiveness, calculate residual risk, and generate remediation recommendations. ## Domain Overview The control analysis domain covers three areas: 1. **Control Categories and Detection Patterns** -- Definitions for the 8 compensating control categories (authentication, input-validation, rate-limiting, encryption, logging-audit, csrf-protection, csp-security-headers, access-control), their STRIDE-to-control mapping, pattern indicators for Phase A scanning, and common library/framework references. 2. **Evidence Criteria and Effectiveness Classification** -- Phase B semantic analysis criteria (context checks, enforcement checks, strength assessments), evidence collection rules (snippet selection, deduplication, file path format), confidence level definitions (High/Medium/Low), and Phase 4 classification rules (found/partial/missing with multi-control resolution and cross-component handling). 3. **Residual Risk Calculation and Recommendations** -- Recommendation generation rules for missing and partial controls (templates, effort calibration), residual score computation formula with the P0 binary reduction model (reduction factors by control status), severity band mapping for residual scores, and summary statistics calculations. ## NIST AI RMF Rel