AttackFlow 2.9.0

Added

• STIX Composer: New STIX 2.1 editor interface for creating & sharing STIX 2.1 objects and bundles. Uses interactive JSON validator reporting to inspect and resolve Object <-> STIX specification mismatches.
• STIX Visualizer: Composer-Integrated optional STIX visualizer module
• Visualizer kill-switch config: Added CONFIG.visualizer.enabled to fully disable STIX visualizer loading/execution paths.
• Mitigation Relationships: Mitigation column added to the relationship view, sourced from techniques in each chain.
• Phase Details Modal: New modal for phase rollups (click phase in relationship view or use the Phase Details button on phase headers). Designed as high level phase overview for contained items, attached metadata & CVEs, related mitigations and average severity/confidence scores.
• CSV Technique Import: Paste technique IDs via CSV or newline into a modal to replace the ATT&CK library; includes a Reset ATT&CK action to restore base data.
• Global Search: Expanded global search panel with ranked mixed-type results (ATT&CK/CAPEC/CWE), Sticky mode, and drag-and-drop from results.
• CSV ID Search: Comma-separated ID search for ATT&CK, CAPEC, and CWE (supports numeric-only CAPEC/CWE entries).
• Local iframe IPC bridge (local-mode only): Parent/iframe communication path between index.html, explorer.html, and stix-builder.html for theme sync and shared data handoff.
• IPC debug controls: Added CONFIG.debugging.traceLocalIframeIPCLogs and CONFIG.debugging.localIframeIPCRateLimit for traceability and request throttling.
• IPC API docs: Added dedicated short technical documentation in IPC_API-DOCS.md.

Changed

UI Improvements: Redesigned Navigation & other UI Elements, consolidated all Theme toggles into one

• Phase item Explore/Edit actions now reveal on hover like Delete.
• Resource loading behavior (visualizer disabled mode): STIX Composer and standalone STIX visualizer now avoid loading visualizer-owned and bundled third-party resources when CONFIG.visualizer.enabled is false.

Security

• Iframe containment: Embedded explorer/composer iframes now use sandbox containment (allow-scripts allow-same-origin allow-modals).
• Prototype pollution hardening: Import parsing/sanitization now blocks dangerous keys (__proto__, constructor, prototype), uses safe JSON reviver parsing, null-prototype object collectors, and own-property checks in dynamic import field mapping.

Shared Loader Hardening

• Pre-cache schema enforcement: Parent shared dataset now validates required top-level shape before writing to cache.data.
• Size/count guardrails: Shared dataset now enforces per-bucket entry limits and serialized size limits before cache write.
• IPC parity on limits: AF_SHARED_DATA payload building now enforces the same shared-data limits at send-time, not only at ingest-time.
• Immutable loader snapshots: window.getAttackFlowSharedData() now returns validated clone+freeze snapshots instead of exposing mutable cache references.
• Explorer fallback diagnostics: Direct parent shared-loader errors/invalid payloads now emit debug trace diagnostics and safely fall back to alternate data sources.

Local IPC Hardening

• Source pinning: IPC messages are accepted only from expected frame windows.
• Strict schema enforcement: IPC message types and keys are allowlisted; unknown keys/types are rejected and traced.
• Immutable shared payload: AF_SHARED_DATA is shape-validated, cloned, and deep-frozen before IPC send/use.
• Rate limiting: Token-bucket throttling (configurable) for incoming IPC requests per frame and request type.
• Data loading behavior: Explorer can consume validated shared data from parent in local iframe mode to reduce redundant fetch/load paths.
• IPC transport hardening: Channel-only MessageChannel transport with session nonce binding; legacy window request/response fallback path removed.
• Bootstrap resilience: Parent channel bootstrap now uses bounded timeout/retry/backoff; explorer and stix-builder expose explicit terminal bootstrap-failure recovery behavior without legacy transport.

v2.8.0

[2.8.0] - 2026-02-14

Added

1. Mitigation CSV Export: Mitigations linked to assigned ATT&CK techniques now appear as separate rows in CSV exports with Type: "Mitigation". Phase coverage is inherited from linked techniques. Comments column lists the technique IDs each mitigation covers for traceability. Mitigations are deduplicated — shared mitigations appear once regardless of how many techniques reference them.
2. Technique & Mitigation STIX Export: STIX bundle export now includes assigned ATT&CK techniques as attack-pattern SDOs with deterministic UUIDv5 IDs, external_references (MITRE source), and kill_chain_phases (UKC phase mapping). Mitigations from assigned techniques are emitted as course-of-action SDOs with mitigates relationship SROs linking to the correct attack-pattern. Techniques assigned to multiple phases aggregate all phases. Export now works with any assigned techniques, not just custom STIX objects.
3. Clear STIX Data: New "Clear STIX Data" button in the STIX sidebar tab removes all STIX items from the library and from all kill chain phase assignments, with a confirmation prompt showing the item count.
4. Auto-Clear STIX on Import: Two config flags in CONFIG.imports control whether existing STIX data is automatically cleared before importing: clearStixOnBundleImport (before STIX bundle import) and clearStixOnKillChainImport (before kill chain import). Both default to false.
5. Collapsible Inline Comments & Descriptions: Phase item cards in the kill chain now show a collapsible text area below the entity name (non-compact mode only). ATT&CK/CAPEC/CWE cards display metadata comments; STIX/custom cards display the item description. Chevron SVG toggle with smooth CSS height transition. Area is vertically resizable. Global "Comments" toolbar button toggles all collapsibles at once. Hidden automatically in compact mode.