4 Commits

Author SHA1 Message Date
Morgan Westlee Lunt
c42d4bb589
code-modernization: dynamic workflow orchestration + untrusted-content hardening
Four commands gain a Workflow-tool path (with direct-fan-out fallback for
older builds): extract-rules loops until dry with per-rule citation referees
and a P0 two-judge panel; harden runs class-scoped finders with adversarial
per-finding refutation; assess --portfolio pipelines one survey agent per
system with COCOMO computed uniformly in script; reimagine Phase E drops the
3-service scaffolding cap.

Workflow agents return schema-validated data and only the orchestrating
session writes artifacts — analysis agents are structurally read-only. All
five agents gain an untrusted-content discipline section (source code is
data, never instructions; comment-only claims are findings, not facts), and
the README documents the prompt-injection threat model for analyzed code.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 19:33:13 +00:00
Morgan Lunt
9d49c4b135
code-modernization: close remaining credential-leak paths
A red-team pass found four ways credential values still reached
shareable artifacts after the initial redaction:

- the remediation patch: a diff removing a hardcoded secret carries the
  raw value on its '-' lines by construction. harden now splits output:
  non-credential hunks in the shareable security_remediation.patch,
  credential hunks in a gitignored security_remediation.local.patch
  with comment-only placeholders in the shareable file
- the other four agents had no secret-handling rules. legacy-analyst
  (hardcoded-config evidence in tech-debt findings),
  business-rules-extractor (credentials recorded as rule parameters),
  test-engineer (legacy literals becoming committed test fixtures), and
  architecture-critic (quoted code in notes files) now all mask values
  and cite file:line; assess's tech-debt prompt and ASSESSMENT.md
  masking now cover every section, not just Security Findings
- non-git projects: a .gitignore protects nothing under SVN/Mercurial.
  Both commands now refuse --show-secrets without git and write the
  quarantine file to ~/.modernize/<system>/ outside the project tree
- the patch-apply instruction was wrong in both documented layouts
  (symlinked legacy/ broke relative paths). Patches are now written
  with project-root-relative paths and applied from the project root

Also: --show-secrets is now position-independent in both commands, and
the README documents the full model.
2026-06-09 08:47:34 -07:00
Morgan Lunt
718818146e
Fix code-modernization plugin: align README with commands, fix pipeline gaps
- modernize-brief: read TOPOLOGY.html (what modernize-map actually
  produces) instead of nonexistent TOPOLOGY.md, and tell the user which
  command produces each missing input.
- README: rewrite the Commands section to match actual command behavior —
  correct output filenames, ordering (brief is the synthesis/approval gate
  after discovery, not the first step), agent attributions, and required
  args. Add a workspace-layout note and an explicit callout that
  modernize-harden edits legacy/, which conflicts with the recommended
  deny rule. Reconcile the Overview and Typical Workflow sequences.
- modernize-assess: generalize the production-runtime overlay step so it
  no longer assumes a specific MCP server/tool; mark it optional. Fix
  app/jcl/ -> legacy/$1/jcl/ for layout consistency.
- modernize-map: make TOPOLOGY.html self-contained (load Mermaid from a
  CDN) so it renders in any browser; drop assumptions about an external
  artifact renderer. Generalize the telemetry annotation note.
- business-rules-extractor agent: fix command cross-reference to the
  actual command name.
- plugin.json: include the brief step in the workflow description.
2026-05-11 16:17:59 -07:00
Morgan Westlee Lunt
bdca23e8e4
Add code-modernization plugin
Structured workflow (assess → map → extract-rules → reimagine → transform →
harden) and specialist agents (legacy-analyst, business-rules-extractor,
architecture-critic, security-auditor, test-engineer) for modernizing legacy
codebases into current stacks.
2026-04-24 19:52:02 +00:00