From greenfield
Provides a structured methodology for reverse engineering software via multi-source intelligence analysis, behavioral specification, and provenance tracking with a 7-layer pipeline and verification gates.
How this skill is triggered — by the user, by Claude, or both
Slash command
/greenfield:analysis-pipelineThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
You analyze targets from multiple perspectives. You output behavioral specifications with provenance.
You analyze targets from multiple perspectives. You output behavioral specifications with provenance.
Analyze deeply. Output behaviorally. Track provenance. Analyze COMPLETELY.
<!-- cite: --> annotations.You MUST read every single line of code. You MUST identify every single routine.
digraph pipeline {
rankdir=TB;
"Start analysis" [shape=doublecircle];
"Layer 1: Gather intelligence" [shape=box];
"Layer 2: Synthesize and map modules" [shape=box];
"Layer 3: Write deep behavioral specs" [shape=box];
"Gate 1: Verification passed?" [shape=diamond];
"Gate 1b: Source-to-spec completeness" [shape=diamond];
"Layer 4: Generate test vectors and acceptance criteria" [shape=box];
"Gate 2: Spec review passed?" [shape=diamond];
"Layer 5: Sanitize raw specs to output/" [shape=box];
"Layer 6: Second-pass review passed?" [shape=diamond];
"Layer 7: Fidelity validation passed?" [shape=diamond];
"Analysis complete" [shape=doublecircle];
"Remediate Gate 1 findings" [shape=box];
"Remediate Gate 2 findings" [shape=box];
"Remediate Layer 6 findings" [shape=box];
"Remediate Layer 7 findings" [shape=box];
"STOP: Gate 1 failed after 3 attempts" [shape=octagon, style=filled, fillcolor=red, fontcolor=white];
"STOP: Gate 2 failed after 3 attempts" [shape=octagon, style=filled, fillcolor=red, fontcolor=white];
"STOP: Layer 6 failed after 3 attempts" [shape=octagon, style=filled, fillcolor=red, fontcolor=white];
"STOP: Layer 7 failed after 3 attempts" [shape=octagon, style=filled, fillcolor=red, fontcolor=white];
"Start analysis" -> "Layer 1: Gather intelligence";
"Layer 1: Gather intelligence" -> "Layer 2: Synthesize and map modules";
"Layer 2: Synthesize and map modules" -> "Layer 3: Write deep behavioral specs";
"Layer 3: Write deep behavioral specs" -> "Gate 1: Verification passed?";
"Gate 1: Verification passed?" -> "Gate 1b: Source-to-spec completeness" [label="yes"];
"Gate 1: Verification passed?" -> "Remediate Gate 1 findings" [label="no"];
"Remediate Gate 1 findings" -> "Gate 1: Verification passed?" [label="attempt < 3"];
"Remediate Gate 1 findings" -> "STOP: Gate 1 failed after 3 attempts" [label="attempt >= 3"];
"Gate 1b: Source-to-spec completeness" -> "Layer 4: Generate test vectors and acceptance criteria" [label="pass"];
"Gate 1b: Source-to-spec completeness" -> "Remediate Gate 1 findings" [label="gaps found"];
"Layer 4: Generate test vectors and acceptance criteria" -> "Gate 2: Spec review passed?";
"Gate 2: Spec review passed?" -> "Layer 5: Sanitize raw specs to output/" [label="yes"];
"Gate 2: Spec review passed?" -> "Remediate Gate 2 findings" [label="no"];
"Remediate Gate 2 findings" -> "Gate 2: Spec review passed?" [label="attempt < 3"];
"Remediate Gate 2 findings" -> "STOP: Gate 2 failed after 3 attempts" [label="attempt >= 3"];
"Layer 5: Sanitize raw specs to output/" -> "Layer 6: Second-pass review passed?";
"Layer 6: Second-pass review passed?" -> "Layer 7: Fidelity validation passed?" [label="yes"];
"Layer 6: Second-pass review passed?" -> "Remediate Layer 6 findings" [label="no"];
"Remediate Layer 6 findings" -> "Layer 6: Second-pass review passed?" [label="attempt < 3"];
"Remediate Layer 6 findings" -> "STOP: Layer 6 failed after 3 attempts" [label="attempt >= 3"];
"Layer 7: Fidelity validation passed?" -> "Analysis complete" [label="yes"];
"Layer 7: Fidelity validation passed?" -> "Remediate Layer 7 findings" [label="no"];
"Remediate Layer 7 findings" -> "Layer 7: Fidelity validation passed?" [label="attempt < 3"];
"Remediate Layer 7 findings" -> "STOP: Layer 7 failed after 3 attempts" [label="attempt >= 3"];
}
Layer 1 auto-discovers available intelligence sources and consumes all of them by default:
| Source Type | Agent Roles | Output Location | Origin |
|---|---|---|---|
| Source Code | bundle-splitter, chunk-analyzer, function-analyzer | workspace/raw/source/ | RAW |
| Decompiled Binaries | decompiler → chunk-analyzer | workspace/raw/source/decompiled/ | RAW |
| Public Docs | doc-researcher | workspace/public/docs/ | PUBLIC |
| SDK/Ecosystem | sdk-analyzer, integration-test-miner | workspace/public/ecosystem/ | PUBLIC |
| Community | community-analyst | workspace/public/community/ | PUBLIC |
| Runtime Observation | cli-explorer, web-ui-explorer, behavior-observer, ux-documenter | workspace/raw/runtime/ | RAW |
| Visual Exploration | visual-explorer | workspace/raw/runtime/visual/ | RAW |
| Binary Analysis | binary-surveyor, binary-deep-analyzer | workspace/raw/binary/ | RAW |
| Git History | git-archaeologist | workspace/raw/project-history/ | RAW |
| Test Suites | test-reader, test-runner | workspace/raw/test-evidence/ | RAW |
| Machine-Readable Contracts | contract-parser | workspace/public/contracts/ | PUBLIC |
Sources are auto-discovered. Use --exclude to skip specific source types.
Sources are excluded only by --exclude flag or user request during discovery negotiation.
More independent source types covering the same behaviors = higher-confidence specs.
Minimum for high-confidence: 2+ independent source types covering the same behaviors. When a behavioral claim is supported by only one source, it gets confidence=inferred at best. When 2+ independent sources agree, it gets confidence=confirmed.
Every behavioral claim MUST have a provenance citation:
Sessions expire after 30 minutes of inactivity.
<!-- cite: source=source-code, ref=workspace/raw/source/analysis/chunk-0046.md:23, confidence=confirmed, agent=deep-dive-analyzer, corroborated_by=runtime-observation -->
Confidence levels:
confirmed — 2+ independent sources agreeinferred — single source, direct evidenceassumed — reasoning from indirect evidenceReference the provenance-methodology skill for complete format details.
Layer 4 (test vector generation) is NOT optional. Test vectors are the bridge between "spec describes it" and "implementer actually builds it."
digraph test_vectors {
rankdir=TB;
"Layer 3 specs complete" [shape=doublecircle];
"Generate test vectors for P0 claims" [shape=box];
"Generate edge case vectors" [shape=box];
"Generate dependency contract vectors" [shape=box];
"All P0 behaviors have vectors?" [shape=diamond];
"Gate 1.5 PASS" [shape=doublecircle];
"STOP: Add missing vectors" [shape=octagon, style=filled, fillcolor=red, fontcolor=white];
"Layer 3 specs complete" -> "Generate test vectors for P0 claims";
"Generate test vectors for P0 claims" -> "Generate edge case vectors";
"Generate edge case vectors" -> "Generate dependency contract vectors";
"Generate dependency contract vectors" -> "All P0 behaviors have vectors?";
"All P0 behaviors have vectors?" -> "Gate 1.5 PASS" [label="yes"];
"All P0 behaviors have vectors?" -> "STOP: Add missing vectors" [label="no"];
}
Each vector follows Given/When/Then:
### TV-LOADER-001: TypeScript file execution
GIVEN: A file `test.ts` containing `interface Foo { x: number }; console.log("ok")`
WHEN: Run through tsx
THEN: Output is "ok", exit code 0
### TV-LOADER-002: JSON import without explicit attribute
GIVEN: A file importing `./data.json` without `with { type: 'json' }`
WHEN: Run through tsx on Node >= 18.19
THEN: Import succeeds (hook auto-adds the attribute)
### TV-LOADER-003: Invalid custom tsconfig
GIVEN: `--tsconfig nonexistent.json` flag specified
WHEN: Run through tsx
THEN: Error reported, non-zero exit code
workspace/
├── public/ # Public origin
│ ├── docs/ # doc-researcher output
│ ├── ecosystem/ # sdk-analyzer output
│ └── contracts/ # contract-parser output
├── raw/ # RAW - requires sanitization
│ ├── source/ # Source code analysis
│ │ ├── chunks/
│ │ ├── analysis/
│ │ ├── functions/
│ │ ├── manifests/
│ │ └── exploration/
│ ├── runtime/ # Runtime observation
│ │ ├── cli/
│ │ ├── web/
│ │ ├── behaviors/
│ │ ├── ux-flows/
│ │ └── visual/ # visual-explorer output
│ ├── binary/ # Binary analysis
│ ├── project-history/ # git-archaeologist output
│ ├── test-evidence/ # test-reader, test-runner output
│ ├── synthesis/ # Layer 2 output
│ │ ├── features/
│ │ ├── architecture/
│ │ ├── api/
│ │ ├── behavioral-summaries/
│ │ └── module-map.md
│ └── specs/ # Layer 3/4 output
│ ├── modules/
│ ├── journeys/
│ ├── contracts/
│ ├── test-vectors/
│ └── validation/
├── output/ # Sanitized specs
│ └── specs/
├── provenance/ # Session logs
│ └── sessions/
└── workspace.json # Metadata
| Type | Examples | Why |
|---|---|---|
| Environment variables | DATABASE_URL, DEBUG | External API |
| CLI flags | --format, --workers | External API |
| Config keys | upstreams, log_level | External API |
| API fields | request_id, batch_size | Protocol spec |
| User-facing paths | ~/.app/config.toml | Behavioral contract |
| Protocol names | SSE, gRPC, OAuth | Behavioral contract |
| Error messages | Exact text | UX contract |
| Type | Examples | Why |
|---|---|---|
| Function names | parseArgs(), handleRequest() | Internal code |
| Variable names | requestId, configMap | Internal code |
| Minified identifiers | sp, r0, Ab2() | Internal code |
| Line numbers | "Line 1234" | Internal code |
| Source file paths | "in src/cli.ts" | Internal code |
| Code structure | "calls X then Y" | Internal code |
/analyze [path] # Discover and consume everything
/analyze [path] --exclude source # Black-box analysis
/analyze [path] --exclude git-history # Skip commit mining
/sanitize workspace/ to produce output specsThe output specs in workspace/output/ are the input for implementation. Greenfield stops here. The implementation team reads:
workspace/output/specs/ — per-domain behavioral specsworkspace/output/test-vectors/ — concrete input/output pairs to drive TDDworkspace/output/validation/acceptance-criteria/ — Given/When/Then acceptance criteriaThe test vectors and acceptance criteria give the implementation pipeline a head start on proof obligations. How the implementation is carried out — walking skeletons, iteration planning, TDD cadence, review protocols — is outside Greenfield's scope.
Greenfield's job is to produce specs good enough to implement from. Implementation is a separate concern with its own methodology.
2plugins reuse this skill
First indexed Jul 8, 2026
npx claudepluginhub earchibald/prime-radiant-marketplace --plugin greenfieldMerges findings from source code, docs, SDK, runtime, binary, and community intelligence into structured synthesis documents with explicit conflict resolution and citation.
Reverse-engineers authorized repos, binaries, or products into a verifiable feature inventory, spec set, and actionable steal-map for adoption or build-native decisions.
Reverse-engineers legacy or undocumented codebases: scopes boundaries, explores with Glob/Grep/Read/Bash, traces data flows, documents in EARS format, flags uncertainties. For archaeology, onboarding, requirements extraction.