Addresses automated security review of the workflow conversion:
- Agent-produced text (rule specs, finding descriptions, dedup lists) is
fenced as untrusted data when interpolated into downstream agent prompts,
with embedded fence markers stripped so the fence can't be escaped;
referees and judges are told to re-derive claims from the cited code.
- system/service/subdir names that land in filesystem paths inside prompts
are validated against a strict pattern — traversal-shaped values throw
before any agent spawns.
- Reimagine scaffolding now uses a dedicated 'scaffolder' agent with an
explicit minimal tool list, a single-directory write scope, and the
untrusted-content discipline extended to the generated spec/architecture
docs it builds from (they derive from untrusted legacy code).
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>