anthropics/claude-plugins-official
1
0
Fork 0
mirror of https://github.com/anthropics/claude-plugins-official.git synced 2026-06-14 06:36:18 -03:00
Code Issues Packages Projects Releases Wiki Activity
claude-plugins-official/plugins/code-modernization/commands/modernize-extract-rules.md
Morgan Lunt 9d49c4b135
code-modernization: close remaining credential-leak paths 
A red-team pass found four ways credential values still reached
shareable artifacts after the initial redaction:

- the remediation patch: a diff removing a hardcoded secret carries the
  raw value on its '-' lines by construction. harden now splits output:
  non-credential hunks in the shareable security_remediation.patch,
  credential hunks in a gitignored security_remediation.local.patch
  with comment-only placeholders in the shareable file
- the other four agents had no secret-handling rules. legacy-analyst
  (hardcoded-config evidence in tech-debt findings),
  business-rules-extractor (credentials recorded as rule parameters),
  test-engineer (legacy literals becoming committed test fixtures), and
  architecture-critic (quoted code in notes files) now all mask values
  and cite file:line; assess's tech-debt prompt and ASSESSMENT.md
  masking now cover every section, not just Security Findings
- non-git projects: a .gitignore protects nothing under SVN/Mercurial.
  Both commands now refuse --show-secrets without git and write the
  quarantine file to ~/.modernize/<system>/ outside the project tree
- the patch-apply instruction was wrong in both documented layouts
  (symlinked legacy/ broke relative paths). Patches are now written
  with project-root-relative paths and applied from the project root

Also: --show-secrets is now position-independent in both commands, and
the README documents the full model.
2026-06-09 08:47:34 -07:00

77 lines
3.3 KiB
Markdown
Raw Blame History

---
description: Mine business logic from legacy code into testable, human-readable rule specifications
argument-hint: <system-dir> [module-pattern]
---
Extract the **business rules** embedded in `legacy/$1` into a structured,
testable specification — the institutional knowledge that's currently locked
in code and in the heads of engineers who are about to retire.
Scope: if a module pattern was given (`$2`), focus there; otherwise cover the
entire system. Either way, prioritize calculation, validation, eligibility,
and state-transition logic over plumbing.
## Method
Spawn **three business-rules-extractor subagents in parallel**, each assigned
a different lens. If `$2` is non-empty, include "focusing on files matching
$2" in each prompt.
1. **Calculations** — "Find every formula, rate, threshold, and computed value
in legacy/$1. For each: what does it compute, what are the inputs, what is
the exact formula/algorithm, where is it implemented (file:line), and what
edge cases does the code handle?"
2. **Validations & eligibility** — "Find every business validation, eligibility
check, and guard condition in legacy/$1. For each: what is being checked,
what happens on pass/fail, where is it (file:line)?"
3. **State & lifecycle** — "Find every status field, state machine, and
lifecycle transition in legacy/$1. For each entity: what states exist,
what triggers transitions, what side-effects fire?"
## Synthesize
Merge the three result sets. Deduplicate. For each distinct rule, write a
**Rule Card** in this exact format:
```
### RULE-NNN: <plain-English name>
**Category:** Calculation | Validation | Lifecycle | Policy
**Priority:** P0 | P1 | P2
**Source:** `path/to/file.ext:line-line`
**Plain English:** One sentence a business analyst would recognize.
**Specification:**
Given <precondition>
When <trigger>
Then <outcome>
[And <additional outcome>]
**Parameters:** <constants, rates, thresholds with their current values — credentials masked: `<credential — masked, see file:line>`>
**Edge cases handled:** <list>
**Suspected defect:** <optional — legacy behavior that looks wrong; decide preserve-vs-fix during transform>
**Confidence:** High | Medium | Low — <why; if < High, state the exact SME question>
```
Priority heuristic — default to **P1**. Assign **P0** if the rule moves money,
enforces a regulatory/compliance requirement, or guards data integrity (and
flag P0 rules at <High confidence as SME-required). Assign **P2** for
display/formatting/convenience rules. The downstream `/modernize-brief`
behavior contract is built from the P0 rules, so assign deliberately.
Write all rule cards to `analysis/$1/BUSINESS_RULES.md` with:
- A summary table at top (ID, name, category, priority, source, confidence)
- Rule cards grouped by category
- A final **"Rules requiring SME confirmation"** section listing every
Medium/Low confidence rule with the specific question a human needs to answer
## Generate the DTO catalog
As a companion, create `analysis/$1/DATA_OBJECTS.md` cataloging the core
data transfer objects / records / entities: name, fields with types, which
rules consume/produce them, source location.
## Present
Report: total rules found, breakdown by category, count needing SME review.
Suggest: `glow -p analysis/$1/BUSINESS_RULES.md`
Reference in New Issue View Git Blame Copy Permalink