mirror of
https://github.com/lucas-labs/claude-plugins.git
synced 2026-07-17 06:26:49 -03:00
Code/security:
- extract-rules.js: guard null agent() verdicts in the verify + P0 loops
(a skipped/dead referee made {rule,v:null} survive .filter(Boolean) and
then crashed on v.injectionSuspected / v.every) — sibling scripts already
had the guard.
- topology viewer XSS: the map injector embedded untrusted JSON (node names
from filenames, etc.) into a <script> island unescaped — a name containing
</script> executed on open. Escape < > & in the injected data and add a CSP
to the template.
- Second-order injection: citation/identifier fields (source / cwe /
source_site / correctedSource) were interpolated UNFENCED into the verifier
prompts that are supposed to be the trust anchor. Fence them in
extract-rules, harden-scan, uplift-deltas.
uplift design (audit of the new feature):
- Working-copy model: copy the WHOLE solution to modernized/ once and edit in
place (relative project refs survive; result is a reviewable git diff) —
the incremental per-project copy broke multi-project builds.
- Dual-run honesty: reframed as 'if both runtimes run here' (net48 needs
Windows; JUnit/pytest don't multi-target); dummy-test gate now binds a real
SUT under both targets; per-stack harness notes.
- Tooling honesty: present/runnable/actually-ran distinction; never fold in a
tool that couldn't run; apiport/2to3 demoted; py2->3 removed from 'preserve'
examples.
- Delta classes: name the high-blast-radius landmines (JPMS strong
encapsulation, .NET trimming/AOT, ICU globalization, hosting/runtime-config,
analyzer/nullable) in the finder briefs + agent.
- Rewrite-vs-uplift signal: weigh by touched sites (siteCount), not delta-card
count; judgment-share demoted to secondary.
Docs/consistency: brief reads topology.json (not TOPOLOGY.html); README
'five commands'; credential-masking claim split (analysts mask+cite vs
code-writers substitute fakes); read-only/write-scope claims softened to
match enforcement (Bash retained -> discipline, not tool-lock); reimagine
nested blockers/pendingRuleIds; status splits transform vs reimagine markers;
portfolio enumeration basenames; plugin.json description updated.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
57 lines
2.5 KiB
Markdown
57 lines
2.5 KiB
Markdown
---
|
|
description: Where am I in the modernization workflow — artifact inventory, staleness, secrets hygiene, next step
|
|
argument-hint: <system-dir>
|
|
---
|
|
|
|
Report where the modernization of `$1` stands, in one screen. This is a
|
|
read-only command — inspect, never modify.
|
|
|
|
## 1 — Artifact inventory
|
|
|
|
Check `analysis/$1/` and `modernized/$1*/` and build a table — one row per
|
|
workflow stage, with the artifact's presence and modification time:
|
|
|
|
| Stage | Artifacts |
|
|
|---|---|
|
|
| preflight | `PREFLIGHT.md` |
|
|
| assess | `ASSESSMENT.md`, `ARCHITECTURE.mmd` |
|
|
| map | `topology.json`, `TOPOLOGY.html`, `*.mmd`, `extract_topology.*` |
|
|
| extract-rules | `BUSINESS_RULES.md`, `DATA_OBJECTS.md` |
|
|
| brief | `MODERNIZATION_BRIEF.md` (note whether the approval block is signed) |
|
|
| harden | `SECURITY_FINDINGS.md`, `security_remediation.patch` |
|
|
| uplift | `DELTA_CATALOG.md`; `modernized/$1/UPLIFT_NOTES.md` (note per-project: builds on target? baseline reproduced?) |
|
|
| transform | each `modernized/$1/<module>/` dir — note test presence and whether `TRANSFORMATION_NOTES.md` exists |
|
|
| reimagine | `modernized/$1-reimagined/` — note per-service acceptance tests and the `CLAUDE.md` handoff (reimagine's completion markers; it does NOT write `TRANSFORMATION_NOTES.md`) |
|
|
|
|
## 2 — Staleness
|
|
|
|
Flag any artifact older than an upstream artifact it derives from:
|
|
|
|
- `MODERNIZATION_BRIEF.md` older than `ASSESSMENT.md`, `topology.json`,
|
|
or `BUSINESS_RULES.md` → the brief no longer reflects discovery;
|
|
recommend re-running `/modernize-brief`.
|
|
- `TOPOLOGY.html` older than `topology.json` → re-run the injection step
|
|
from `/modernize-map`.
|
|
- Any `TRANSFORMATION_NOTES.md` older than `BUSINESS_RULES.md` → the
|
|
module may not implement the latest rule set; list which.
|
|
|
|
## 3 — Secrets hygiene
|
|
|
|
- Does `analysis/.gitignore` exist and cover `SECRETS.local.md` /
|
|
`*.local.patch`? (`git check-ignore` when in a git repo.)
|
|
- If `SECRETS.local.md` exists: confirm it is NOT tracked
|
|
(`git ls-files --error-unmatch`, expect failure) and has never been
|
|
committed (`git log --all --oneline -- <path>`, expect empty). If
|
|
either check fails, say so prominently and recommend rotation plus
|
|
history scrubbing.
|
|
|
|
## 4 — Verdict
|
|
|
|
End with three lines:
|
|
- **Where you are** — the furthest completed stage and roughly how much
|
|
of the system it covers (e.g. "mapped 100%, 2 of 14 modules
|
|
transformed").
|
|
- **What's stale** — or "nothing".
|
|
- **Next command** — the single most useful next step, with a one-line
|
|
reason.
|