1338 Commits

Author SHA1 Message Date
github-actions[bot]
0bcd12a7d1
bump(ui5-typescript-conversion): 9b3d7d80 → 6d72751f (#2565)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 20:24:41 -05:00
github-actions[bot]
f2691c1439
bump(aws-amplify): d8243e5f → b13ce7f0 (#2547)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 20:24:13 -05:00
github-actions[bot]
330492c3d6
bump(aws-serverless): d8243e5f → b13ce7f0 (#2548)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 20:23:44 -05:00
github-actions[bot]
e7e1e791cb
bump(carta-crm): c39482a4 → 7b4e568d (#2550)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 20:23:14 -05:00
github-actions[bot]
0714e5b202
bump(carta-investors): c39482a4 → 7b4e568d (#2551)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 20:22:44 -05:00
github-actions[bot]
623b6704d3
bump(data-engineering): 7ce4a12d → 789b4544 (#2554)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 20:22:15 -05:00
github-actions[bot]
f5e552802c
bump(nvidia-skills): fd1e6fd1 → 24806dbd (#2559)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 20:21:46 -05:00
github-actions[bot]
e69b3a26ef
bump(quarkus-agent): 91c7986e → 9700cfee (#2561)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 20:21:15 -05:00
github-actions[bot]
475e5fe15f
bump(atlassian): 9b52fb18 → f4911dba (#2545)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 20:20:44 -05:00
github-actions[bot]
b61e11909c
bump(data): 7ce4a12d → 789b4544 (#2553)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 20:20:13 -05:00
github-actions[bot]
7eb80c4f5b
bump(sap-fiori-mcp-server): 604f2895 → b9127510 (#2531)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 20:20:05 -05:00
github-actions[bot]
1e0be923c5
bump(aws-startup-advisor): b3e5ee48 → 3c5d6a7d (#2512)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 20:02:11 -05:00
Morgan Westlee Lunt
8e61adb4c7
code-modernization: simplify README; give uplift its own modernized/ root
Adversarial re-audit of the current (post-uplift) state found the plugin
internally consistent (no blocker/high issues). Two follow-ups:

README rewrite for clarity (209 -> 122 lines, ~halved):
- Reorder so a newcomer goes what-it-is -> install -> quickstart -> command
  reference -> deeper notes, instead of hitting two dense design essays
  before the command list.
- Lead with what it produces; add a 3-command teaser.
- Collapse the 'Dynamic workflow orchestration' and 'Untrusted code &
  prompt injection' essays and the COCOMO note into short, plain sections at
  the bottom; drop the internal 'Bash isn't a tool-lock' hedging and
  per-defense enumeration (kept the load-bearing points: untrusted-code
  threat model, secrets quarantine, COCOMO-is-not-a-timeline).
- Remove cross-section redundancy (build methods, read-only caveat,
  scaffolder write-scope, dir convention each stated once now); gloss
  strangler-fig/JOBOL inline.

Path nit from the audit: uplift now writes to modernized/<system>-uplifted/
(mirroring reimagine's -reimagined/) so the three build paths occupy disjoint
roots and status can't mis-detect an uplift copy as transform modules.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-10 00:28:19 +00:00
Morgan Westlee Lunt
3b9df61600
code-modernization: fix findings from adversarial audit
Code/security:
- extract-rules.js: guard null agent() verdicts in the verify + P0 loops
  (a skipped/dead referee made {rule,v:null} survive .filter(Boolean) and
  then crashed on v.injectionSuspected / v.every) — sibling scripts already
  had the guard.
- topology viewer XSS: the map injector embedded untrusted JSON (node names
  from filenames, etc.) into a <script> island unescaped — a name containing
  </script> executed on open. Escape < > & in the injected data and add a CSP
  to the template.
- Second-order injection: citation/identifier fields (source / cwe /
  source_site / correctedSource) were interpolated UNFENCED into the verifier
  prompts that are supposed to be the trust anchor. Fence them in
  extract-rules, harden-scan, uplift-deltas.

uplift design (audit of the new feature):
- Working-copy model: copy the WHOLE solution to modernized/ once and edit in
  place (relative project refs survive; result is a reviewable git diff) —
  the incremental per-project copy broke multi-project builds.
- Dual-run honesty: reframed as 'if both runtimes run here' (net48 needs
  Windows; JUnit/pytest don't multi-target); dummy-test gate now binds a real
  SUT under both targets; per-stack harness notes.
- Tooling honesty: present/runnable/actually-ran distinction; never fold in a
  tool that couldn't run; apiport/2to3 demoted; py2->3 removed from 'preserve'
  examples.
- Delta classes: name the high-blast-radius landmines (JPMS strong
  encapsulation, .NET trimming/AOT, ICU globalization, hosting/runtime-config,
  analyzer/nullable) in the finder briefs + agent.
- Rewrite-vs-uplift signal: weigh by touched sites (siteCount), not delta-card
  count; judgment-share demoted to secondary.

Docs/consistency: brief reads topology.json (not TOPOLOGY.html); README
'five commands'; credential-masking claim split (analysts mask+cite vs
code-writers substitute fakes); read-only/write-scope claims softened to
match enforcement (Bash retained -> discipline, not tool-lock); reimagine
nested blockers/pendingRuleIds; status splits transform vs reimagine markers;
portfolio enumeration basenames; plugin.json description updated.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 23:31:52 +00:00
Morgan Westlee Lunt
4a8250babf
code-modernization: add /modernize-uplift for same-stack version migrations
Adds a third build method alongside transform (cross-stack rewrite) and
reimagine (greenfield): uplift, for same-stack version bumps (.NET Framework
4.8 -> .NET 8, Spring Boot 2->3, Python 2->3) where the right move is to
PRESERVE the code and fix only the version deltas, not extract intent and
rewrite.

- commands/modernize-uplift.md: delta-catalog-driven, dual-target test harness
  (one suite on both runtimes; baseline-on-old is the oracle), leaf-first build
  graph ordering, minimal-diff discipline (architecture-critic flags gratuitous
  divergence), and a 'this is a rewrite, use transform' escape hatch.
- agents/version-delta-analyst.md: finds the source->target breaking changes
  that THIS code hits; drives the ecosystem migration tool (upgrade-assistant /
  OpenRewrite / pyupgrade / ng update) and owns the residue; read-only.
- workflows/uplift-deltas.js: parallel finder per delta category, each verified
  against the cited code so deltas that don't apply here are dropped.
- Wired into assess (recommended-pattern routing), brief (per-phase command +
  leaf-first ordering), preflight (dual-run + tool readiness), status, README.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 23:12:16 +00:00
Morgan Westlee Lunt
e5939029ec
code-modernization: COCOMO is a complexity index, never a modernization timeline
COCOMO's constants encode human-team productivity; presenting its
person-months as how long an agentic modernization will take (or cost) is
a claim we should not make. Reframe COCOMO everywhere as a RELATIVE
complexity/scale index for ranking and sequencing systems only:

- assess: capture COCOMO as a complexity index; explicitly ignore scc's
  'Estimated Schedule Effort' and cost-in-dollars; ASSESSMENT 'Effort
  Estimation' section becomes 'Relative Scale' with a not-a-timeline note;
  portfolio heat-map column renamed Complexity (COCOMO index).
- brief: phase plan uses relative T-shirt sizing, not person-months/weeks;
  phases render as a dependency flowchart, not a gantt (gantt = calendar).
- portfolio-assess.js: field cocomoPm -> complexityIndex; return label
  carries the not-a-duration caveat.
- README: 'A note on COCOMO' explains the index framing and points at
  better intrinsic-complexity proxies.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 21:21:50 +00:00
Morgan Westlee Lunt
d44da81146
code-modernization: second-order injection fencing, path guards, scoped scaffolder agent
Addresses automated security review of the workflow conversion:

- Agent-produced text (rule specs, finding descriptions, dedup lists) is
  fenced as untrusted data when interpolated into downstream agent prompts,
  with embedded fence markers stripped so the fence can't be escaped;
  referees and judges are told to re-derive claims from the cited code.
- system/service/subdir names that land in filesystem paths inside prompts
  are validated against a strict pattern — traversal-shaped values throw
  before any agent spawns.
- Reimagine scaffolding now uses a dedicated 'scaffolder' agent with an
  explicit minimal tool list, a single-directory write scope, and the
  untrusted-content discipline extended to the generated spec/architecture
  docs it builds from (they derive from untrusted legacy code).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 19:40:58 +00:00
Morgan Westlee Lunt
c42d4bb589
code-modernization: dynamic workflow orchestration + untrusted-content hardening
Four commands gain a Workflow-tool path (with direct-fan-out fallback for
older builds): extract-rules loops until dry with per-rule citation referees
and a P0 two-judge panel; harden runs class-scoped finders with adversarial
per-finding refutation; assess --portfolio pipelines one survey agent per
system with COCOMO computed uniformly in script; reimagine Phase E drops the
3-service scaffolding cap.

Workflow agents return schema-validated data and only the orchestrating
session writes artifacts — analysis agents are structurally read-only. All
five agents gain an untrusted-content discipline section (source code is
data, never instructions; comment-only claims are findings, not facts), and
the README documents the prompt-injection threat model for analyzed code.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 19:33:13 +00:00
github-actions[bot]
df5224ba07
bump(aws-data-analytics): 7a1422d5 → c0991f46 (#2511)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:30:10 -05:00
github-actions[bot]
e832e2bf0d
bump(carta-cap-table): 732981ca → c39482a4 (#2514)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:24:04 -05:00
github-actions[bot]
9895dfca58
bump(ai-plugins): 975f0ce4 → a6737fcf (#2507)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:23:54 -05:00
github-actions[bot]
83d32aefd5
bump(aws-core): 7a1422d5 → c0991f46 (#2510)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:23:28 -05:00
github-actions[bot]
2804bac441
bump(forge-skills): 02103cca → c7df9561 (#2522)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:23:02 -05:00
github-actions[bot]
a1936eee01
bump(nvidia-skills): d0e07bd3 → fd1e6fd1 (#2528)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:22:34 -05:00
github-actions[bot]
b8ecaf01a6
bump(pydantic-ai): e412b6d8 → ddc7d005 (#2530)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:22:07 -05:00
github-actions[bot]
d2bae5e20b
bump(firecrawl): 6768fb78 → b3344758 (#2521)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:21:38 -05:00
github-actions[bot]
e96f539e2d
bump(hunter): 494b0bd6 → 06bcb94a (#2523)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:21:10 -05:00
github-actions[bot]
77c424ab52
bump(hyperframes): 24279c8c → acd8e117 (#2524)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:20:41 -05:00
github-actions[bot]
a771b69148
bump(jfrog): 117febaa → 6788fe15 (#2525)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:20:11 -05:00
github-actions[bot]
301dfbc752
bump(logfire): e412b6d8 → ddc7d005 (#2526)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:19:41 -05:00
github-actions[bot]
6f5b19f93b
bump(outputai): fc6a93e6 → 65cd0871 (#2529)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:19:10 -05:00
github-actions[bot]
85d6e100e2
bump(42crunch-api-security-testing): a5172167 → b7e131e3 (#2506)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:18:23 -05:00
github-actions[bot]
6829c593c8
bump(chrome-devtools-mcp): 702d3734 → 6bd8c916 (#2517)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:18:15 -05:00
github-actions[bot]
0c33859bd9
bump(fastly-agent-toolkit): 6bd17d68 → 73af5b94 (#2520)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:17:42 -05:00
github-actions[bot]
1c5aba82fb
bump(migration-to-aws): b3e5ee48 → 3c5d6a7d (#2527)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:17:08 -05:00
github-actions[bot]
2092653e18
bump(snowflake-cortex-code): 2462e1ba → 7d2c7e7e (#2534)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:16:29 -05:00
github-actions[bot]
7ba21d89e2
bump(aws-agents): 7a1422d5 → c0991f46 (#2509)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:16:23 -05:00
github-actions[bot]
0445ef3cf4
bump(crowdstrike-falcon-foundry): c542c932 → 0a651a14 (#2518)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:15:50 -05:00
github-actions[bot]
190a64c2ed
bump(carta-crm): 732981ca → c39482a4 (#2515)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:15:41 -05:00
github-actions[bot]
f7ac27f10c
bump(togetherai-skills): fb94cc14 → 8aa08ca1 (#2535)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:15:36 -05:00
github-actions[bot]
488e71feb9
bump(carta-investors): 732981ca → c39482a4 (#2516)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:15:30 -05:00
github-actions[bot]
2e5bcca08e
bump(sentry-cli): dc99b4d1 → 18111b95 (#2533)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:15:15 -05:00
github-actions[bot]
8681d8d6d1
bump(airtable): 21d2fe52 → 295ab93b (#2508)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:14:55 -05:00
github-actions[bot]
0ec0005a3c
bump(azure): 02a614f6 → 966330ee (#2513)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:14:16 -05:00
github-actions[bot]
7f680b8500
bump(dataproc): 20eec06e → 80d126d2 (#2519)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:13:35 -05:00
github-actions[bot]
8f005f9b76
bump(sentry): 030b01fb → 87de81a1 (#2532)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-09 13:13:25 -05:00
Morgan Lunt
746c982737
Merge pull request #2467 from anthropics/morganl/code-mod-secrets-redaction
code-modernization: never write discovered credential values into findings
2026-06-09 08:49:47 -07:00
Morgan Lunt
88233b24ba
Merge pull request #2468 from anthropics/morganl/code-mod-interactive-map
code-modernization: interactive topology map, preflight command, persona flows
2026-06-09 08:49:38 -07:00
Morgan Lunt
ecc5139c30
code-modernization: legacy toolchain is advisory, not a transform blocker
Legacy code often cannot build locally by nature — CICS/IMS programs
have no local translator and the real runtime may be a mainframe the
user doesn't have. Stopping transform on a failed legacy smoke compile
would block exactly those systems.

- transform Step 0a: the target toolchain remains required (its tests
  cannot run without it); a failed or impossible legacy compile no
  longer stops the run — the equivalence strategy switches to recorded
  traces / golden-master fixtures, and that downgrade is stated in the
  plan and in TRANSFORMATION_NOTES.md so reviewers know the strength of
  the proof
- preflight: a red legacy toolchain now yields Ready-with-gaps for
  transform/reimagine instead of Not-ready
2026-06-09 08:48:05 -07:00
Morgan Lunt
a7e1f99070
code-modernization: limit marketplace.json change to the one description line
The previous commit round-tripped the catalog through a JSON serializer,
which escaped non-ASCII characters in every other plugin's description.
Restore the file from main and change only the code-modernization entry.
2026-06-09 08:48:04 -07:00