Forums
Building an app that automates threat modeling
Hey guys,
I wanted to share my project - I hope this forum topic will be a correct one.
I built TMDD - an open source CLI that keeps a version-controlled threat model (YAML format) inside your repo and generates security-aware prompts for AI coding agents.
So what is a threat model? It is a simple document where you write down what you're building, how someone could abuse or break it, and how you'll stop that from happening. You usually also include a data flow diagram inside of it. Some argue that it's the most efficient method of detecting security issues in early phases of development.
When you vibe code with AI, it usually focuses on "does it work?", not on "Can someone exploit this?".
Have you ever felt like building is easier than being seen?
Being consistent with content is harder than building features. Hear me out.
Shipping a feature feels productive.
There's momentum. There's code.
There s progress you can measure.
Content? You show up. You write. You post.
And most days, nothing happens.
No clear feedback loop. No passing test case.
No deploy notification saying "success".
Just impressions. Maybe.
Building product rewards logic.
Content rewards patience.

