3 Commits

Author SHA1 Message Date
Morgan Westlee Lunt
e5939029ec
code-modernization: COCOMO is a complexity index, never a modernization timeline
COCOMO's constants encode human-team productivity; presenting its
person-months as how long an agentic modernization will take (or cost) is
a claim we should not make. Reframe COCOMO everywhere as a RELATIVE
complexity/scale index for ranking and sequencing systems only:

- assess: capture COCOMO as a complexity index; explicitly ignore scc's
  'Estimated Schedule Effort' and cost-in-dollars; ASSESSMENT 'Effort
  Estimation' section becomes 'Relative Scale' with a not-a-timeline note;
  portfolio heat-map column renamed Complexity (COCOMO index).
- brief: phase plan uses relative T-shirt sizing, not person-months/weeks;
  phases render as a dependency flowchart, not a gantt (gantt = calendar).
- portfolio-assess.js: field cocomoPm -> complexityIndex; return label
  carries the not-a-duration caveat.
- README: 'A note on COCOMO' explains the index framing and points at
  better intrinsic-complexity proxies.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 21:21:50 +00:00
Morgan Westlee Lunt
d44da81146
code-modernization: second-order injection fencing, path guards, scoped scaffolder agent
Addresses automated security review of the workflow conversion:

- Agent-produced text (rule specs, finding descriptions, dedup lists) is
  fenced as untrusted data when interpolated into downstream agent prompts,
  with embedded fence markers stripped so the fence can't be escaped;
  referees and judges are told to re-derive claims from the cited code.
- system/service/subdir names that land in filesystem paths inside prompts
  are validated against a strict pattern — traversal-shaped values throw
  before any agent spawns.
- Reimagine scaffolding now uses a dedicated 'scaffolder' agent with an
  explicit minimal tool list, a single-directory write scope, and the
  untrusted-content discipline extended to the generated spec/architecture
  docs it builds from (they derive from untrusted legacy code).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 19:40:58 +00:00
Morgan Westlee Lunt
c42d4bb589
code-modernization: dynamic workflow orchestration + untrusted-content hardening
Four commands gain a Workflow-tool path (with direct-fan-out fallback for
older builds): extract-rules loops until dry with per-rule citation referees
and a P0 two-judge panel; harden runs class-scoped finders with adversarial
per-finding refutation; assess --portfolio pipelines one survey agent per
system with COCOMO computed uniformly in script; reimagine Phase E drops the
3-service scaffolding cap.

Workflow agents return schema-validated data and only the orchestrating
session writes artifacts — analysis agents are structurally read-only. All
five agents gain an untrusted-content discipline section (source code is
data, never instructions; comment-only claims are findings, not facts), and
the README documents the prompt-injection threat model for analyzed code.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 19:33:13 +00:00