11.19

[rachellerathbone]

What

One-sentence summary of this PR.

Why

What problem this solves.

How

Brief technical approach.

Testing

What you tested and how to verify locally.

Checklist

• Follows the 7.04 open-source readiness checklist in project instructions
• No hardcoded secrets or internal-only references in user-facing content
• Lint, typecheck, and build pass locally
• Internal links and changed pages verified

What

Brief description of changes

Why

Why this change was needed

Testing

How to verify the changes

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
multicorn-learn	Ready	Preview, Comment	Apr 14, 2026 5:03am

[github-actions]

multicorn-ops review

Persona	Role	Primary	Status	Summary
Jordan	Security Auditor	yes	Concern	Threat model page makes strong security claims (tamper-evident hash-linked chain) with no verifiable evidence in the diff, and the coverage table could create a false sense of security.
Priya	Open Source Contributor	yes	Passed	New page and tests are well-structured, self-contained, and easy to follow; the existing test file is cleanly extended.
Marcus	Design-Conscious Developer	yes	Concern	The CTA button layout fix is good, but the new secondary button's visual style needs review for dark-mode and hover contrast.
Sarah	Non-Technical Decision-Maker	yes	Concern	The threat model page is well-intentioned but contains technical jargon that will confuse a non-technical decision-maker evaluating the product.
The Team	Acquisition Due Diligence	yes	Concern	Hardcoded production URLs, unverifiable security claims, and no evidence of environment-aware config are the main acquisition-risk signals in this diff.
Alex	Accessibility Advocate	yes	Concern	Coverage cells use aria-label correctly but the table lacks a caption and the color-only green/grey distinction is a potential accessibility gap.
Yuki	International User	yes	Concern	The threat model prose is mostly clear but contains a few idiomatic English phrases and ambiguous sentences that may confuse non-native readers.

Concerns

Jordan (Security Auditor)

• app/shield/threat-model/page.tsx:272 - The page asserts 'entries are chained so a forged past record does not match the chain' as a factual guarantee, but no cryptographic implementation is visible in this diff. If this claim is inaccurate or incomplete, it constitutes a material misrepresentation to security-conscious buyers in regulated environments.
• app/shield/threat-model/page.tsx:90 - THREAT_ROWS marks 'Credential replay against recorded activity' as covered for hosted-proxy mode, but the prose later clarifies coverage only applies to actions Shield actually logged. The table icon alone (a checkmark) does not convey this critical nuance — a reader skimming the table will conclude full replay protection exists in proxy mode.
• app/shield/threat-model/page.tsx:1 - The page is entirely static marketing copy with no link to technical documentation, SDK source, or audit report to substantiate the security claims. For enterprise/regulated evaluation this is a trust gap — claims should be backed by verifiable artifacts.
• app/shield/threat-model/page.tsx:32 - OG_IMAGE_URL and CANONICAL_URL are hardcoded production strings. If this codebase is ever deployed to staging or preview environments, canonical tags and social sharing will point to production, which is a minor but real SEO/metadata integrity issue and signals lack of environment-aware config.

Marcus (Design-Conscious Developer)

• app/shield/page.tsx:688 - The secondary CTA uses 'border-border bg-surface hover:bg-surface-secondary' — in dark mode these token values may produce very low contrast between the button border and background, making it look invisible or broken. The primary CTA's solid fill avoids this; the secondary needs a check against all theme variants.
• app/shield/threat-model/page.tsx:160 - The coverage table uses 'text-green' for covered cells. If 'text-green' is a raw Tailwind color rather than a semantic design token, it may not adapt to dark mode and could appear harsh or inconsistent with the rest of the UI palette.

Sarah (Non-Technical Decision-Maker)

• app/shield/threat-model/page.tsx:198 - 'Hosted MCP proxy mode', 'MCP-shaped traffic', and 'hash-linked chain' are developer terms with no plain-language explanation. A CEO or procurement lead reading this page to assess trust will not understand what they are buying.
• app/shield/threat-model/page.tsx:120 - The table scenario 'Native shell, file, or system access outside MCP' uses abbreviations and architecture jargon. A non-technical buyer cannot assess whether this gap affects their team.
• app/shield/threat-model/page.tsx:145 - The intro paragraph ('Where it sits in your stack decides what it can govern') is abstract. There is no one-sentence plain-English summary of what Shield actually does before the technical content begins.

The Team (Acquisition Due Diligence)

• app/shield/threat-model/page.tsx:7 - CANONICAL_URL and OG_IMAGE_URL are hardcoded strings ('https://multicorn.ai/...'). A healthy codebase would derive these from a shared site config constant or environment variable, enabling preview deployments and reducing drift. This pattern repeated across pages is a maintainability debt signal.
• app/shield/threat-model/page.tsx:265 - The tamper-evident hash-linked audit trail is described as a shipped feature, but no corresponding implementation, test, or SDK reference is visible in this diff or linked from the page. If this is aspirational or partially implemented, it is a material misrepresentation that would surface in technical due diligence.
• __tests__/shield-threat-model-page.test.tsx:1 - Tests cover rendering and static content checks but there are no tests for the coverage data correctness (e.g. asserting the number of 'covered' vs 'not-covered' rows matches documented claims). As the threat model evolves, the table could silently diverge from reality with no test catching it.

Alex (Accessibility Advocate)

• app/shield/threat-model/page.tsx:155 - The coverage table has no element or aria-labelledby pointing to its section heading. Screen readers will announce the table without context about what it represents.
• app/shield/threat-model/page.tsx:160 - 'text-green' for covered and 'text-text-tertiary' for not-covered conveys status partially through color. The aria-label ('Covered' / 'Not covered') on the span is good, but if a screen reader user's browser ignores the aria-label on a non-interactive inline element, the icon's aria-hidden='true' means the cell content is fully invisible to them. Consider placing the aria-label on a visually-hidden sibling instead of on the icon wrapper.
• app/shield/page.tsx:688 - The new secondary CTA button uses focus:ring-primary/20 — a 20% opacity ring may fail WCAG 2.1 focus indicator contrast requirements (minimum 3:1 against adjacent colors). The primary button has the same issue but it is pre-existing; the new button introduces another instance.

Yuki (International User)

• app/shield/threat-model/page.tsx:198 - 'so you are not surprised after you connect a host' — the idiom 'not surprised' is informal and unclear in this context. A direct phrasing like 'so you understand the boundary before connecting a host application' is easier to parse.
• app/shield/threat-model/page.tsx:270 - 'An attacker who wants to pretend an action already happened, or to substitute a different past, breaks that chain.' — 'substitute a different past' is a figurative phrase that may be confusing. Prefer: 'An attacker who modifies or replaces a past activity record will cause a chain verification failure.'
• app/about/page.tsx:57 - 'compliance theatre' changed to 'compliance theater' — the American spelling is now consistent, which is good. No issue here, just confirming the spelling unification is the right direction.

Open-Source Readiness Checklist

Code Quality

• All functions have clear, descriptive names — Components and functions like CoverageCell, ShieldThreatModelPage, and constants like THREAT_ROWS are clearly named.
• No hardcoded secrets, API keys, internal URLs, or employee names in code or comments — Only public-facing URLs (multicorn.ai) are present; no secrets or internal URLs detected.
• No // TODO without a public issue reference — Test explicitly checks for absence of 'TODO' strings in rendered output; no TODO comments visible in the diff.
• No commented-out code blocks — No commented-out code blocks observed in the diff.
• No debug logging (console.log, println) left in — No debug logging statements found in the diff.
• All any types eliminated (TypeScript) — Types used are explicit: Coverage union type, Metadata, readonly typed arrays. No 'any' types visible.
• [~] Error handling is complete — no swallowed exceptions, no empty catch blocks — This is a static rendering page with no async operations or try/catch in the visible diff.
• No Atlassian-internal references, no proprietary patterns or terminology — No Atlassian-internal references found.

Testing

• All new code has tests — New threat-model page has a dedicated test file covering heading, table columns, links, roadmap text, and metadata.
• [~] Coverage meets or exceeds repo minimum — Cannot verify coverage thresholds from the diff alone; requires CI report.
• [~] Tests pass locally and in CI — Cannot verify CI status from the diff alone.
• Edge cases and error paths are tested — Tests cover happy-path rendering scenarios but no edge cases (e.g. missing props, SSR hydration, broken links) are tested.
• [~] No flaky tests — Cannot determine flakiness from the diff alone; requires CI run history.

Security

• No secrets in code, comments, config files, or git history — No secrets detected in the diff.
• [~] All user input is validated — The new page is purely static/read-only with no user input fields.
• [~] Dependencies audited — no known vulnerabilities — No dependency changes in this diff.
• HTTPS enforced for all external communication — Canonical and OG image URLs use https://multicorn.ai.
• [~] API keys/tokens never logged — No API calls or logging in the visible diff.

Documentation

• [~] README.md is accurate and up to date — No README changes in the diff; cannot confirm accuracy.
• [~] CONTRIBUTING.md is accurate and up to date — Not touched in this diff.
• CHANGELOG.md updated with this change — No CHANGELOG update is visible in the diff for the new /shield/threat-model page addition.
• [~] New public APIs have JSDoc/KDoc with examples — No new public APIs; this is a UI page addition.
• [~] Any new config options are documented — No new config options introduced.
• [~] Architecture decisions documented in ADR if significant — The change adds a content page; no architectural decisions requiring an ADR are apparent.

Open Source Hygiene

• [~] Licence header present in source files (if required by licence) — Cannot determine licence header requirements from this diff alone; none of the existing files in the diff show headers, suggesting they may not be required.
• [~] CODE_OF_CONDUCT.md present — Not verifiable from the diff alone.
• [~] Issue templates are current — Not touched in this diff.
• [~] PR template is current — Not touched in this diff.
• No internal company references or links — Only public multicorn.ai references present.
• [~] Package name and description are correct in package.json — package.json not modified in this diff.
• [~] Repository topics/tags are set on GitHub — Cannot verify GitHub repository settings from the diff.

UX & Accessibility

• Works at 375px viewport width (mobile) — Responsive classes used throughout: sm: breakpoints, overflow-x-auto on table, min-w on table for scroll. Layout appears mobile-considerate.
• Keyboard navigable — Links use standard anchor elements via Next.js Link and TrackedCtaLink with visible focus:ring styles applied.
• [~] Colour contrast meets WCAG AA — Cannot verify actual colour values of CSS variables (text-text-primary, text-green, etc.) from the diff alone.
• [~] Loading states for async operations — Page is statically rendered; no async operations visible.
• [~] Error states are user-friendly (not raw error messages) — No error states introduced in this static page.
• Animations respect prefers-reduced-motion — transition-colors classes are used on CTA links but no prefers-reduced-motion media query or Tailwind motion-safe/motion-reduce utilities are applied.

---

Advisory only. Does not block merge. Actions logged to Shield as pr_review and oss_check.