claude-plugins-official/plugins/code-modernization/commands/modernize-extract-rules.md
Morgan Lunt 9d49c4b135 code-modernization: close remaining credential-leak paths
A red-team pass found four ways credential values still reached
shareable artifacts after the initial redaction:

- the remediation patch: a diff removing a hardcoded secret carries the
  raw value on its '-' lines by construction. harden now splits output:
  non-credential hunks in the shareable security_remediation.patch,
  credential hunks in a gitignored security_remediation.local.patch
  with comment-only placeholders in the shareable file
- the other four agents had no secret-handling rules. legacy-analyst
  (hardcoded-config evidence in tech-debt findings),
  business-rules-extractor (credentials recorded as rule parameters),
  test-engineer (legacy literals becoming committed test fixtures), and
  architecture-critic (quoted code in notes files) now all mask values
  and cite file:line; assess's tech-debt prompt and ASSESSMENT.md
  masking now cover every section, not just Security Findings
- non-git projects: a .gitignore protects nothing under SVN/Mercurial.
  Both commands now refuse --show-secrets without git and write the
  quarantine file to ~/.modernize/<system>/ outside the project tree
- the patch-apply instruction was wrong in both documented layouts
  (symlinked legacy/ broke relative paths). Patches are now written
  with project-root-relative paths and applied from the project root

Also: --show-secrets is now position-independent in both commands, and
the README documents the full model.
2026-06-09 08:47:34 -07:00

---
description: Mine business logic from legacy code into testable, human-readable rule specifications
argument-hint: <system-dir> [module-pattern]
---

Extract the business rules embedded in legacy/$1 into a structured, testable specification — the institutional knowledge that's currently locked in code and in the heads of engineers who are about to retire.

Scope: if a module pattern was given ($2), focus there; otherwise cover the entire system. Either way, prioritize calculation, validation, eligibility, and state-transition logic over plumbing.

## Method

Spawn three business-rules-extractor subagents in parallel, each assigned a different lens. If $2 is non-empty, include "focusing on files matching $2" in each prompt.

  1. Calculations — "Find every formula, rate, threshold, and computed value in legacy/$1. For each: what does it compute, what are the inputs, what is the exact formula/algorithm, where is it implemented (file:line), and what edge cases does the code handle?"

  2. Validations & eligibility — "Find every business validation, eligibility check, and guard condition in legacy/$1. For each: what is being checked, what happens on pass/fail, where is it (file:line)?"

  3. State & lifecycle — "Find every status field, state machine, and lifecycle transition in legacy/$1. For each entity: what states exist, what triggers transitions, what side-effects fire?"

## Synthesize

Merge the three result sets. Deduplicate. For each distinct rule, write a Rule Card in this exact format:

```markdown
### RULE-NNN: <plain-English name>
**Category:** Calculation | Validation | Lifecycle | Policy
**Priority:** P0 | P1 | P2
**Source:** `path/to/file.ext:line-line`
**Plain English:** One sentence a business analyst would recognize.
**Specification:**
  Given <precondition>
  When  <trigger>
  Then  <outcome>
  [And  <additional outcome>]
**Parameters:** <constants, rates, thresholds with their current values — credentials masked: `<credential — masked, see file:line>`>
**Edge cases handled:** <list>
**Suspected defect:** <optional — legacy behavior that looks wrong; decide preserve-vs-fix during transform>
**Confidence:** High | Medium | Low — <why; if < High, state the exact SME question>
```

Priority heuristic — default to P1. Assign P0 if the rule moves money, enforces a regulatory/compliance requirement, or guards data integrity (and flag any P0 rule below High confidence as SME-required). Assign P2 for display/formatting/convenience rules. The downstream /modernize-brief behavior contract is built from the P0 rules, so assign deliberately.
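The masking rule for the Parameters field, as an added worked example in Python that is not part of this command file or the plugin: it scans constructed legacy source lines for constant assignments, keeps ordinary constants verbatim, and replaces any value whose name or content marks it as a credential with the page's masked placeholder plus its file:line citation, so the secret itself never reaches BUSINESS_RULES.md. The sample sources, the name and URL patterns, and the helper names are assumptions; the placeholder text is the page's own format.

```python
import re
from dataclasses import dataclass

# Constructed legacy source (not from any real system), keyed by path so the
# helper can cite file:line the way the Rule Card's Parameters field requires.
LEGACY_SOURCES = {
    "legacy/billing/rates.py": [
        "LATE_FEE_RATE = 0.015",
        "GRACE_DAYS = 10",
        "SMTP_PASSWORD = 'hunter2'",                           # constructed value
        'API_KEY = "sk-live-0123456789"',                      # constructed value
        'DB_URL = "postgres://app:pa55w0rd@db.internal/prod"',  # constructed value
        "MAX_RETRIES = 3",
    ],
}

# `NAME = value` with a single `=`, capturing the name and the raw right-hand side.
ASSIGNMENT = re.compile(r"^\s*([A-Za-z_]\w*)\s*=(?!=)\s*(.+?)\s*$")
# Identifier names that mark a value as a credential (assumed heuristic).
SECRET_NAME = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key|credential", re.I)
# Values that embed a credential under an innocuous name (user:pass@ inside a URL).
SECRET_VALUE = re.compile(r"://[^/\s:@]+:[^@\s]+@")


@dataclass
class Parameter:
    name: str
    display: str   # text that may be written to BUSINESS_RULES.md
    location: str  # file:line, always recorded so an SME can look it up
    masked: bool


def extract_parameters(sources):
    """Collect constants from legacy sources; credential values are replaced by
    the masked placeholder and only their location is recorded."""
    params = []
    for path, lines in sources.items():
        for lineno, line in enumerate(lines, start=1):
            m = ASSIGNMENT.match(line)
            if not m:
                continue
            name, value = m.group(1), m.group(2)
            loc = f"{path}:{lineno}"
            if SECRET_NAME.search(name) or SECRET_VALUE.search(value):
                params.append(Parameter(name, f"<credential — masked, see {loc}>", loc, True))
            else:
                params.append(Parameter(name, value, loc, False))
    return params


def parameters_line(params):
    """Render the Rule Card's **Parameters:** field from the extracted parameters."""
    return "**Parameters:** " + ", ".join(f"{p.name} = {p.display}" for p in params)
```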

Write all rule cards to analysis/$1/BUSINESS_RULES.md with:

  - A summary table at top (ID, name, category, priority, source, confidence)
  - Rule cards grouped by category
  - A final "Rules requiring SME confirmation" section listing every Medium/Low confidence rule with the specific question a human needs to answer

## Generate the DTO catalog

As a companion, create analysis/$1/DATA_OBJECTS.md cataloging the core data transfer objects / records / entities: name, fields with types, which rules consume/produce them, source location.

## Present

Report: total rules found, breakdown by category, count needing SME review. Suggest: `glow -p analysis/$1/BUSINESS_RULES.md`