3 Commits

Author SHA1 Message Date
Morgan Westlee Lunt
8e61adb4c7
code-modernization: simplify README; give uplift its own modernized/ root
Adversarial re-audit of the current (post-uplift) state found the plugin
internally consistent (no blocker/high issues). Two follow-ups:

README rewrite for clarity (209 -> 122 lines, ~halved):
- Reorder so a newcomer goes what-it-is -> install -> quickstart -> command
  reference -> deeper notes, instead of hitting two dense design essays
  before the command list.
- Lead with what it produces; add a 3-command teaser.
- Collapse the 'Dynamic workflow orchestration' and 'Untrusted code &
  prompt injection' essays and the COCOMO note into short, plain sections at
  the bottom; drop the internal 'Bash isn't a tool-lock' hedging and
  per-defense enumeration (kept the load-bearing points: untrusted-code
  threat model, secrets quarantine, COCOMO-is-not-a-timeline).
- Remove cross-section redundancy (build methods, read-only caveat,
  scaffolder write-scope, dir convention each stated once now); gloss
  strangler-fig/JOBOL inline.

Path nit from the audit: uplift now writes to modernized/<system>-uplifted/
(mirroring reimagine's -reimagined/) so the three build paths occupy disjoint
roots and status can't mis-detect an uplift copy as transform modules.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-10 00:28:19 +00:00
Morgan Westlee Lunt
3b9df61600
code-modernization: fix findings from adversarial audit
Code/security:
- extract-rules.js: guard null agent() verdicts in the verify + P0 loops
  (a skipped/dead referee made {rule,v:null} survive .filter(Boolean) and
  then crashed on v.injectionSuspected / v.every) — sibling scripts already
  had the guard.
- topology viewer XSS: the map injector embedded untrusted JSON (node names
  from filenames, etc.) into a <script> island unescaped — a name containing
  </script> executed on open. Escape < > & in the injected data and add a CSP
  to the template.
- Second-order injection: citation/identifier fields (source / cwe /
  source_site / correctedSource) were interpolated UNFENCED into the verifier
  prompts that are supposed to be the trust anchor. Fence them in
  extract-rules, harden-scan, uplift-deltas.

uplift design (audit of the new feature):
- Working-copy model: copy the WHOLE solution to modernized/ once and edit in
  place (relative project refs survive; result is a reviewable git diff) —
  the incremental per-project copy broke multi-project builds.
- Dual-run honesty: reframed as 'if both runtimes run here' (net48 needs
  Windows; JUnit/pytest don't multi-target); dummy-test gate now binds a real
  SUT under both targets; per-stack harness notes.
- Tooling honesty: present/runnable/actually-ran distinction; never fold in a
  tool that couldn't run; apiport/2to3 demoted; py2->3 removed from 'preserve'
  examples.
- Delta classes: name the high-blast-radius landmines (JPMS strong
  encapsulation, .NET trimming/AOT, ICU globalization, hosting/runtime-config,
  analyzer/nullable) in the finder briefs + agent.
- Rewrite-vs-uplift signal: weigh by touched sites (siteCount), not delta-card
  count; judgment-share demoted to secondary.

Docs/consistency: brief reads topology.json (not TOPOLOGY.html); README
'five commands'; credential-masking claim split (analysts mask+cite vs
code-writers substitute fakes); read-only/write-scope claims softened to
match enforcement (Bash retained -> discipline, not tool-lock); reimagine
nested blockers/pendingRuleIds; status splits transform vs reimagine markers;
portfolio enumeration basenames; plugin.json description updated.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 23:31:52 +00:00
Morgan Westlee Lunt
4a8250babf
code-modernization: add /modernize-uplift for same-stack version migrations
Adds a third build method alongside transform (cross-stack rewrite) and
reimagine (greenfield): uplift, for same-stack version bumps (.NET Framework
4.8 -> .NET 8, Spring Boot 2->3, Python 2->3) where the right move is to
PRESERVE the code and fix only the version deltas, not extract intent and
rewrite.

- commands/modernize-uplift.md: delta-catalog-driven, dual-target test harness
  (one suite on both runtimes; baseline-on-old is the oracle), leaf-first build
  graph ordering, minimal-diff discipline (architecture-critic flags gratuitous
  divergence), and a 'this is a rewrite, use transform' escape hatch.
- agents/version-delta-analyst.md: finds the source->target breaking changes
  that THIS code hits; drives the ecosystem migration tool (upgrade-assistant /
  OpenRewrite / pyupgrade / ng update) and owns the residue; read-only.
- workflows/uplift-deltas.js: parallel finder per delta category, each verified
  against the cited code so deltas that don't apply here are dropped.
- Wired into assess (recommended-pattern routing), brief (per-phase command +
  leaf-first ordering), preflight (dual-run + tool readiness), status, README.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 23:12:16 +00:00