4 Commits

Author SHA1 Message Date
Morgan Westlee Lunt
4a8250babf
code-modernization: add /modernize-uplift for same-stack version migrations
Adds a third build method alongside transform (cross-stack rewrite) and
reimagine (greenfield): uplift, for same-stack version bumps (.NET Framework
4.8 -> .NET 8, Spring Boot 2->3, Python 2->3) where the right move is to
PRESERVE the code and fix only the version deltas, not extract intent and
rewrite.

- commands/modernize-uplift.md: delta-catalog-driven, dual-target test harness
  (one suite on both runtimes; baseline-on-old is the oracle), leaf-first build
  graph ordering, minimal-diff discipline (architecture-critic flags gratuitous
  divergence), and a 'this is a rewrite, use transform' escape hatch.
- agents/version-delta-analyst.md: finds the source->target breaking changes
  that THIS code hits; drives the ecosystem migration tool (upgrade-assistant /
  OpenRewrite / pyupgrade / ng update) and owns the residue; read-only.
- workflows/uplift-deltas.js: parallel finder per delta category, each verified
  against the cited code so deltas that don't apply here are dropped.
- Wired into assess (recommended-pattern routing), brief (per-phase command +
  leaf-first ordering), preflight (dual-run + tool readiness), status, README.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 23:12:16 +00:00
Morgan Westlee Lunt
e5939029ec
code-modernization: COCOMO is a complexity index, never a modernization timeline
COCOMO's constants encode human-team productivity; presenting its
person-months as how long an agentic modernization will take (or cost) is
a claim we should not make. Reframe COCOMO everywhere as a RELATIVE
complexity/scale index for ranking and sequencing systems only:

- assess: capture COCOMO as a complexity index; explicitly ignore scc's
  'Estimated Schedule Effort' and cost-in-dollars; ASSESSMENT 'Effort
  Estimation' section becomes 'Relative Scale' with a not-a-timeline note;
  portfolio heat-map column renamed Complexity (COCOMO index).
- brief: phase plan uses relative T-shirt sizing, not person-months/weeks;
  phases render as a dependency flowchart, not a gantt (gantt = calendar).
- portfolio-assess.js: field cocomoPm -> complexityIndex; return label
  carries the not-a-duration caveat.
- README: 'A note on COCOMO' explains the index framing and points at
  better intrinsic-complexity proxies.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 21:21:50 +00:00
Morgan Westlee Lunt
d44da81146
code-modernization: second-order injection fencing, path guards, scoped scaffolder agent
Addresses automated security review of the workflow conversion:

- Agent-produced text (rule specs, finding descriptions, dedup lists) is
  fenced as untrusted data when interpolated into downstream agent prompts,
  with embedded fence markers stripped so the fence can't be escaped;
  referees and judges are told to re-derive claims from the cited code.
- system/service/subdir names that land in filesystem paths inside prompts
  are validated against a strict pattern — traversal-shaped values throw
  before any agent spawns.
- Reimagine scaffolding now uses a dedicated 'scaffolder' agent with an
  explicit minimal tool list, a single-directory write scope, and the
  untrusted-content discipline extended to the generated spec/architecture
  docs it builds from (they derive from untrusted legacy code).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 19:40:58 +00:00
Morgan Westlee Lunt
c42d4bb589
code-modernization: dynamic workflow orchestration + untrusted-content hardening
Four commands gain a Workflow-tool path (with direct-fan-out fallback for
older builds): extract-rules loops until dry with per-rule citation referees
and a P0 two-judge panel; harden runs class-scoped finders with adversarial
per-finding refutation; assess --portfolio pipelines one survey agent per
system with COCOMO computed uniformly in script; reimagine Phase E drops the
3-service scaffolding cap.

Workflow agents return schema-validated data and only the orchestrating
session writes artifacts — analysis agents are structurally read-only. All
five agents gain an untrusted-content discipline section (source code is
data, never instructions; comment-only claims are findings, not facts), and
the README documents the prompt-injection threat model for analyzed code.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 19:33:13 +00:00