osprey-appraise

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

The Osprey 🦅

Osprey 🦅

The Osprey hovers above the river, wings outstretched, absolutely still. Below the surface, the fish — the work that needs doing. But the Osprey knows something most birds don't: the fish isn't where it appears to be. Light refracts through water, making everything look shallower than it is. Closer. Easier. The Osprey adjusts. It calculates the true position — the true scope — before it dives. That's why it has the highest success rate of any fishing raptor: 70-80%. It never over-promises. It never misses. Where the Raven investigates and produces the case file, the Osprey turns that case file into a contract. Technical findings become deliverables. Vulnerability counts become timelines. Severity grades become pricing. The bridge between "here's what's wrong" and "here's what it'll cost to fix it."

Osprey在河流上方盘旋，双翼展开，纹丝不动。水面之下的鱼，就是需要完成的工作。但Osprey知道大多数鸟类都不明白的道理：鱼的实际位置并不是它看起来的位置。光线穿过水面会发生折射，让所有东西看起来都比实际更浅、更近、更容易处理。Osprey会做出调整，在下潜前计算出真实位置——也就是真实的项目范围。这就是为什么它是所有捕鱼猛禽中成功率最高的：可达70-80%。它从不过度承诺，也从不会失手。 Raven负责调查并生成案例文件，而Osprey则负责将这些案例文件转化为合同：技术发现转化为交付物，漏洞数量转化为时间线，严重等级转化为定价。它是“问题说明”和“修复成本说明”之间的桥梁。

When to Activate

什么时候启用

Turning a Raven case file into a client proposal
Estimating scope and timeline for security remediation work
Producing a professional quote for code repair services
User says "quote this" or "how much would this cost" or "estimate the work"
User calls
```
/osprey-appraise
```
or mentions quoting, pricing, estimation, proposal
Scoping work for a new client engagement
Translating any technical assessment into business deliverables

IMPORTANT: The Osprey speaks in business language, not technical language. Clients receive deliverables, milestones, and investment figures — not CVE numbers and OWASP categories. The Osprey translates.

IMPORTANT: The 15% buffer is non-negotiable. It is applied to ALL time estimates. This is the light refraction adjustment — scope always looks shallower from above than it actually is.

Pair with:

raven-investigate

for the case file that feeds into estimation,

hawk-survey

for deep assessments that need pricing,

turtle-harden

raccoon-audit

for the actual remediation work being quoted

将Raven case file转化为客户提案
估算安全修复工作的范围和时间线
为代码修复服务生成专业报价
用户说出“报价”、“这个要花多少钱”或者“估算工作量”时
用户调用
```
/osprey-appraise
```
或者提及报价、定价、估算、提案时
为新客户合作做工作范围评估
将任意技术评估转化为商业交付物

重要提示： Osprey使用商务语言而非技术语言输出内容。客户收到的是交付物、里程碑和投入金额，而不是CVE编号和OWASP分类。Osprey会完成内容的转换。

重要提示： 15%的缓冲时间是硬性要求，所有时间估算都要加上这部分。这就是针对光线折射的调整——从上方看，工作范围永远比实际看起来更简单。

搭配使用： 用于输入估算数据源的

raven-investigate

案例文件，需要定价的深度评估使用

hawk-survey

，实际报价对应的修复工作使用

turtle-harden

raccoon-audit

The Appraisal

评估流程

HOVER → SIGHT → CALCULATE → DRAFT → DELIVER
  ↓        ↓         ↓          ↓        ↓
Intake   Catalog   Estimate   Write    Present
 Work    Items     Effort     Proposal  & Close

HOVER → SIGHT → CALCULATE → DRAFT → DELIVER
  ↓        ↓         ↓          ↓        ↓
Intake   Catalog   Estimate   Write    Present
 Work    Items     Effort     Proposal  & Close

Phase 1: HOVER

阶段1：HOVER（悬停）

The Osprey arrives at the river and rises to altitude. Wings spread, body still, eyes locked on the surface below. It reads the currents, maps the shallows, and identifies where the fish are hiding. Before anything else — observe.

Intake the work and understand the landscape.

1A. Ingest the Assessment

The Osprey works from an existing assessment whenever possible:

Source	How to Ingest
Raven case file	Read the security posture report directly — grades, findings, remediation priorities are already structured
Hawk survey report	Read the formal assessment — 14-domain findings with severity ratings
Client-provided audit	Read whatever format — PDF, markdown, email. Extract findings manually
No prior assessment	The Osprey can do a QUICK scope survey itself (see 1B)

If ingesting a Raven case file, extract:

Overall grade and narrative ("Bolted On", "Wishful Thinking", etc.)
The Security Scorecard (domain grades)
All CRITICAL and HIGH findings (these are the priority line items)
All MEDIUM findings (secondary line items)
LOW/INFO findings (nice-to-haves, bundle into "hardening pass")
Remediation Priority section (already ordered by urgency)

1B. Quick Scope Survey (No Prior Assessment)

If there's no existing case file, the Osprey does a lightweight assessment — NOT a full Raven investigation, just enough to scope the work:

Tech stack — What languages, frameworks, infrastructure?
Codebase size — Rough file/line count
Obvious gaps — Quick scan for: .gitignore health, pre-commit hooks, dependency lock files, security headers, auth patterns, secrets in code
Client's stated concerns — What do THEY think needs fixing?

This should take 5-10 minutes, not the Raven's full parallel investigation.

1C. Understand the Client Context

Before pricing, know who you're quoting:

Budget sensitivity — Startup vs enterprise vs indie dev?
Timeline pressure — "Fix this before launch" vs "whenever you can"?
Technical sophistication — Will they understand the deliverables or do they need hand-holding?
Ongoing relationship — One-time fix vs retainer potential?
Decision maker — Technical lead? CTO? Non-technical founder?

If unknown, note assumptions to state in the proposal.

Output: Complete understanding of the work, client context, and source assessment.

Osprey抵达河流上方，升至合适高度，双翼展开，身体平稳，双眼锁定下方水面。它读取水流，绘制浅滩地图，确定鱼的藏身之处。在采取任何行动之前，先观察。

接收工作并了解整体情况。

1A. 摄入评估结果

Osprey会尽可能基于已有的评估结果开展工作：

来源	摄入方式
Raven case file	直接读取安全状态报告——等级、发现、修复优先级都已经结构化整理完毕
Hawk survey report	读取正式评估报告——包含14个领域的发现及严重等级评分
Client-provided audit	读取任意格式内容：PDF、markdown、邮件，手动提取发现结果
No prior assessment	Osprey可以自行完成快速范围调查（见1B）

如果摄入Raven case file，提取以下内容：

整体等级和说明（如"Bolted On"、"Wishful Thinking"等）
安全评分卡（各领域等级）
所有CRITICAL和HIGH级别的发现（这些是优先级最高的条目）
所有MEDIUM级别的发现（次要条目）
LOW/INFO级别的发现（锦上添花的内容，打包到“安全加固环节”）
修复优先级部分（已经按紧急程度排序）

1B. 快速范围调查（无前置评估时）

如果没有现成的案例文件，Osprey会做一个轻量级评估——不是完整的Raven调查，只是刚好够做工作范围估算的程度：

技术栈 — 使用什么语言、框架、基础设施？
代码库规模 — 大致的文件/行数
明显的缺口 — 快速扫描：.gitignore健康度、pre-commit钩子、依赖锁文件、安全头、认证模式、代码中的密钥
客户明确提出的担忧 — 他们认为哪些地方需要修复？

这个步骤应该耗时5-10分钟，而不是Raven那样的完整并行调查。

1C. 了解客户背景

在定价之前，先明确你报价的对象：

预算敏感度 — 初创公司、企业还是独立开发者？
时间线压力 — “上线前必须修复”还是“有空的时候再修”？
技术成熟度 — 他们能理解交付物，还是需要手把手引导？
长期合作可能性 — 一次性修复还是有可能签长期服务？
决策人 — 技术负责人？CTO？非技术创始人？

如果信息不明确，在提案中注明假设条件。

输出： 对工作内容、客户背景、源评估的完整理解。

Phase 2: SIGHT

阶段2：SIGHT（观测）

The Osprey's eyes lock on. Through the water's surface, shapes move — some large, some small, some clustered together. The Osprey catalogs each one, noting its depth, its speed, its true position beneath the refraction. Nothing is as shallow as it appears.

Break down all findings into discrete, estimable work items.

2A. Categorize by Complexity Tier

Every remediation task falls into one of four tiers:

Tier	Label	Agent Hours (Raw)	Character	Examples
S	Quick Fix	0.5 – 2h	Configuration, single-file changes	Security headers, .gitignore fixes, pre-commit hooks, env var externalization, single dependency update
M	Targeted Fix	2 – 6h	Multi-file, focused changes	CSRF implementation, input validation on specific endpoints, CORS configuration, secrets rotation, error handling overhaul
L	System Change	6 – 16h	Cross-cutting, architectural	Auth system rebuild, rate limiting infrastructure, CI/CD security pipeline, multi-tenant isolation fixes, comprehensive dependency audit + updates
XL	Architecture	16 – 40h	Fundamental restructuring	Complete auth from scratch, defense-in-depth hardening pass, security-first rewrite of data layer, full OWASP compliance retrofit

2B. Map Findings to Work Items

For each finding from the assessment:

markdown

| #   | Finding                             | Severity | Tier | Raw Hours | Description                                                     |
| --- | ----------------------------------- | -------- | ---- | --------- | --------------------------------------------------------------- |
| 1   | Exposed AWS keys in git history     | CRITICAL | M    | 3h        | Rotate keys, clean git history (BFG), update env var loading    |
| 2   | SQL injection in reporting endpoint | CRITICAL | M    | 4h        | Parameterize query, add input validation, write regression test |
| 3   | CORS wildcard with credentials      | HIGH     | S    | 1h        | Configure explicit origin allowlist                             |
| 4   | No rate limiting on auth            | HIGH     | M    | 3h        | Add rate limiting middleware to auth endpoints                  |
| 5   | Missing CSP headers                 | MEDIUM   | S    | 1.5h      | Configure CSP with nonce-based approach                         |
| ... | ...                                 | ...      | ...  | ...       | ...                                                             |

2C. Identify Bundles

Some items are more efficient when done together:

"Security Headers Bundle" — CSP + HSTS + X-Frame + Referrer-Policy (faster as one task than four)
"Auth Hardening Bundle" — Session config + CSRF + cookie security + rate limiting
"CI/CD Security Bundle" — Pre-commit hooks + secrets scanning + dependency audit in CI + branch protection
"Input Validation Pass" — All injection fixes across endpoints (economies of scale)

Bundling reduces total hours vs individual fixes. Apply a bundling discount of 10-20% when items share context.

2D. Adjust for Refraction

This is the Osprey's signature move. For each work item, check for hidden depth:

Refraction Factor	Adjustment	When to Apply
Legacy code	+25-50%	Codebase has no tests, poor documentation, spaghetti architecture
No type safety	+15-25%	Plain JS (no TS), Python without type hints
Unfamiliar framework	+20-30%	Niche framework, poor docs, custom abstractions
Multi-tenant	+20-40%	Changes must be tenant-safe, require isolation testing
Client review cycles	+10-20%	Client wants to review/approve each change (adds communication overhead)
Deployment complexity	+10-25%	Multiple environments, complex CI/CD, manual deploy steps
No test infrastructure	+25-40%	Need to SET UP testing before writing security tests

Apply relevant factors to raw hour estimates.

Output: Complete work item catalog with tier, raw hours, and refraction adjustments.

Osprey的双眼锁定目标。透过水面，各种形状在移动：有的大，有的小，有的聚集在一起。Osprey将每个目标分类，记录它的深度、速度、折射下的真实位置。没有什么会像表面看起来那么简单。

将所有发现拆分为可独立估算的工作项。

2A. 按复杂度层级分类

每个修复任务都属于以下四个层级之一：

层级	标签	所需Agent时长（原始）	特征	示例
S	快速修复	0.5 – 2h	配置修改、单文件变化	安全头配置、.gitignore修复、pre-commit钩子配置、环境变量外置、单个依赖更新
M	定向修复	2 – 6h	多文件、聚焦修改	CSRF实现、特定接口的输入校验、CORS配置、密钥轮换、错误处理 overhaul
L	系统变更	6 – 16h	跨模块、架构级调整	认证系统重构、限流基础设施搭建、CI/CD安全流水线搭建、多租户隔离修复、全量依赖审计+更新
XL	架构改造	16 – 40h	基础架构重构	从零搭建完整认证体系、深度防御安全加固、数据层安全优先重写、全量OWASP合规改造

2B. 将发现映射到工作项

对评估中的每个发现：

markdown

| #   | Finding                             | Severity | Tier | Raw Hours | Description                                                     |
| --- | ----------------------------------- | -------- | ---- | --------- | --------------------------------------------------------------- |
| 1   | Exposed AWS keys in git history     | CRITICAL | M    | 3h        | Rotate keys, clean git history (BFG), update env var loading    |
| 2   | SQL injection in reporting endpoint | CRITICAL | M    | 4h        | Parameterize query, add input validation, write regression test |
| 3   | CORS wildcard with credentials      | HIGH     | S    | 1h        | Configure explicit origin allowlist                             |
| 4   | No rate limiting on auth            | HIGH     | M    | 3h        | Add rate limiting middleware to auth endpoints                  |
| 5   | Missing CSP headers                 | MEDIUM   | S    | 1.5h      | Configure CSP with nonce-based approach                         |
| ... | ...                                 | ...      | ...  | ...       | ...                                                             |

2C. 识别可打包任务

有些任务一起完成效率更高：

"安全头打包任务" — CSP + HSTS + X-Frame + Referrer-Policy（作为一个任务比四个分开做更快）
"认证加固打包任务" — Session配置 + CSRF + Cookie安全 + 限流
"CI/CD安全打包任务" — Pre-commit钩子 + 密钥扫描 + CI中依赖审计 + 分支保护
"输入校验批次处理" — 所有接口的注入漏洞修复（规模效应）

打包处理相比单独修复会减少总耗时，当任务上下文相关时可应用10-20%的打包折扣。

2D. 折射调整

这是Osprey的标志性功能。对每个工作项，检查是否存在隐藏复杂度：

折射因素	调整幅度	适用场景
遗留代码	+25-50%	代码库没有测试、文档缺失、架构混乱
无类型安全	+15-25%	原生JS（无TS）、Python没有类型提示
不熟悉的框架	+20-30%	小众框架、文档差、自定义抽象层
多租户	+20-40%	变更必须保证租户安全，需要隔离测试
客户审核周期	+10-20%	客户需要审核/批准每个变更（增加沟通成本）
部署复杂度	+10-25%	多环境、复杂CI/CD、手动部署步骤
无测试基础设施	+25-40%	需要先搭建测试环境才能编写安全测试

将相关调整系数应用到原始时长估算中。

输出： 完整的工作项目录，包含层级、原始时长和折射调整。

Phase 3: CALCULATE

阶段3：CALCULATE（计算）

The Osprey locks in the angle. Every variable accounted for: wind speed, water current, the refraction, the fish's trajectory. The math resolves. The number crystallizes. The Osprey knows exactly where to dive.

Turn the work catalog into final numbers.

3A. Apply Agent Acceleration

Agent-assisted development is substantially faster than traditional development. These are realistic multipliers based on actual agent workflow performance:

Task Type	Traditional Dev	Agent-Accelerated	Speed Factor
Configuration changes	2-4h	0.5-1h	3-4x faster
Targeted code fixes	4-8h	1.5-3h	2.5-3x faster
System-level changes	16-32h	6-14h	2-2.5x faster
Architecture work	40-80h	16-35h	2-2.5x faster
Test writing	4-8h per suite	1-3h per suite	3-4x faster
Documentation	4-8h	1-2h	4-5x faster

IMPORTANT: The raw hours in Phase 2 are ALREADY agent-accelerated estimates. The table above is for reference when a client asks "why is this so fast?" or when estimating from traditional benchmarks.

3B. Apply the 15% Buffer

This is non-negotiable. Every estimate gets a 15% margin:

Final Hours = Raw Hours × 1.15

This accounts for:

Unexpected edge cases (they ALWAYS exist)
Client communication overhead
Environment setup and context switching
Testing surprises
"One more thing" requests during remediation
The natural optimism bias in estimation

NEVER quote raw hours to a client. Always quote buffered hours. If you finish early, that's a delight. If you hit the buffer, that's professionalism.

3C. Sum and Structure

Calculate totals by phase and overall:

markdown

undefined

Osprey锁定下潜角度。所有变量都已考虑在内：风速、水流、折射、鱼的移动轨迹。计算完成，数字确定。Osprey精准知道下潜的目标位置。

将工作目录转化为最终数值。

3A. 应用Agent加速系数

Agent辅助开发比传统开发快得多。以下是基于实际Agent工作流性能的真实乘数：

任务类型	传统开发耗时	Agent加速后耗时	加速系数
配置变更	2-4h	0.5-1h	3-4x faster
定向代码修复	4-8h	1.5-3h	2.5-3x faster
系统级变更	16-32h	6-14h	2-2.5x faster
架构工作	40-80h	16-35h	2-2.5x faster
测试编写	4-8h per suite	1-3h per suite	3-4x faster
文档编写	4-8h	1-2h	4-5x faster

重要提示： 阶段2中的原始时长已经是Agent加速后的估算值。当客户询问“为什么这么快？”或者需要从传统基准估算时，可参考上表。

3B. 应用15%缓冲

这是硬性要求。 所有估算都要加上15%的余量：

Final Hours = Raw Hours × 1.15

这部分用于覆盖：

意料之外的边界情况（永远存在）
客户沟通 overhead
环境搭建和上下文切换
测试中的意外问题
修复过程中“再加一个小功能”的需求
估算中天然的乐观偏差

永远不要向客户报原始时长。 总是报加了缓冲的时长。如果提前完成，会给客户带来惊喜；如果刚好到缓冲时长，也是专业的体现。

3C. 汇总和结构化

按阶段和整体计算总耗时：

markdown

undefined

Effort Summary

Phase	Items	Raw Hours	Buffered Hours
Phase 1: Critical Fixes	3	8h	9.2h
Phase 2: High Priority	5	14h	16.1h
Phase 3: Medium Priority	7	11h	12.7h
Phase 4: Hardening Pass	bundle	6h	6.9h
Total	15+	39h	44.9h


Round buffered hours to the nearest half-hour for clean presentation.

**3D. Apply Pricing**

The Osprey does NOT hardcode rates — those are the user's business decision. Instead, structure pricing flexibly:

**Option A: Hourly Rate Model**

Total Investment = Buffered Hours × Hourly Rate


**Option B: Phased Fixed Price**

Phase 1 (Critical): [hours] × rate = $X Phase 2 (High): [hours] × rate = $X Phase 3 (Medium): [hours] × rate = $X Phase 4 (Harden): [hours] × rate = $X Total: $X,XXX


**Option C: Tiered Packages**

Essential (Critical + High only): $X,XXX Complete (All findings): $X,XXX Premium (All + ongoing retainer): $X,XXX/mo


**Ask the user which pricing model they prefer** if not specified. Default to Option B (Phased Fixed Price) — it's the most transparent and client-friendly.

**3E. Define Milestones**

Break the timeline into clear delivery checkpoints:

| Milestone                 | Deliverables                                 | Timeline | Payment          |
| ------------------------- | -------------------------------------------- | -------- | ---------------- |
| Kickoff                   | Scope confirmation, environment access       | Day 0    | Deposit (25-50%) |
| Critical Fixes Complete   | All CRITICAL findings resolved, verified     | Day 2-3  | —                |
| High Priority Complete    | All HIGH findings resolved, verified         | Week 1   | Midpoint (25%)   |
| Full Remediation Complete | All findings resolved, final verification    | Week 2-3 | —                |
| Report & Handoff          | Final report, documentation, recommendations | Week 3-4 | Final (25-50%)   |

Adjust timeline based on total buffered hours and assumed availability.

**Output:** Complete pricing, timeline, and milestone structure.

---

Phase	Items	Raw Hours	Buffered Hours
Phase 1: Critical Fixes	3	8h	9.2h
Phase 2: High Priority	5	14h	16.1h
Phase 3: Medium Priority	7	11h	12.7h
Phase 4: Hardening Pass	bundle	6h	6.9h
Total	15+	39h	44.9h


将缓冲后的时长四舍五入到最近的半小时，方便展示。

**3D. 应用定价**

Osprey不会硬编码费率——这是用户的商业决策。相反，提供灵活的定价结构：

**选项A：小时费率模式**

Total Investment = Buffered Hours × Hourly Rate


**选项B：分阶段固定定价**

Phase 1 (Critical): [hours] × rate = $X Phase 2 (High): [hours] × rate = $X Phase 3 (Medium): [hours] × rate = $X Phase 4 (Harden): [hours] × rate = $X Total: $X,XXX


**选项C：分层套餐**

Essential (仅Critical + High修复): $X,XXX Complete (所有发现修复): $X,XXX Premium (全量修复+长期服务): $X,XXX/mo


**如果没有指定，询问用户偏好的定价模式。** 默认使用选项B（分阶段固定定价）——这是最透明、对客户最友好的模式。

**3E. 定义里程碑**

将时间线拆分为清晰的交付 checkpoint：

| 里程碑                 | 交付物                                 | 时间线 | 付款方式          |
| ------------------------- | -------------------------------------------- | -------- | ---------------- |
| 项目启动                   | 范围确认、环境访问权限       | Day 0    | 预付款(25-50%) |
| Critical问题修复完成   | 所有CRITICAL级发现已解决、验证通过     | Day 2-3  | —                |
| HIGH优先级修复完成    | 所有HIGH级发现已解决、验证通过         | Week 1   | 中期款(25%)   |
| 全量修复完成 | 所有发现已解决、最终验证通过    | Week 2-3 | —                |
| 报告和交接          | 最终报告、文档、建议 | Week 3-4 | 尾款(25-50%)   |

根据总缓冲时长和假设的可用时间调整时间线。

**输出：** 完整的定价、时间线和里程碑结构。

---

Phase 4: DRAFT

阶段4：DRAFT（起草）

The Osprey tucks its wings and begins the descent. Every calculation done. Every angle locked. The proposal takes shape — clean, precise, professional. No wasted words. No ambiguity.

Write the professional proposal document.

4A. Proposal Structure

Write a markdown document with this structure:

markdown

undefined

Osprey收拢双翼开始下降。所有计算已完成，所有角度已锁定。提案逐渐成型：清晰、精准、专业。没有废话，没有歧义。

编写专业的提案文档。

4A. 提案结构

编写包含以下结构的markdown文档：

markdown

undefined

Security Remediation Proposal


Prepared for	[Client name / organization]
Prepared by	[Your name / organization]
Date	[YYYY-MM-DD]
Valid until	[Date + 30 days]
Reference	[Raven case file or assessment source]


Prepared for	[Client name / organization]
Prepared by	[Your name / organization]
Date	[YYYY-MM-DD]
Valid until	[Date + 30 days]
Reference	[Raven case file or assessment source]

Executive Summary

[2-3 sentences maximum. What was found, what we'll do about it, and what the client gets at the end. Write for a non-technical decision maker.]

Example: "Our security assessment identified [N] findings across your [framework] application, including [N] critical issues requiring immediate attention. This proposal covers complete remediation of all findings, delivering a hardened codebase with verified security controls and a clean assessment report within [timeline]."

[2-3 sentences maximum. What was found, what we'll do about it, and what the client gets at the end. Write for a non-technical decision maker.]

Current State

Security Posture: [Grade] — "[Narrative]"

[1-2 sentence summary of the assessment findings. Reference the Raven case file or source assessment.]

Domain	Grade	Findings
[Domain 1]	[A-F]	[N critical, N high, N medium]
[Domain 2]	[A-F]	[N critical, N high, N medium]
...	...	...

Security Posture: [Grade] — "[Narrative]"

[1-2 sentence summary of the assessment findings. Reference the Raven case file or source assessment.]

Domain	Grade	Findings
[Domain 1]	[A-F]	[N critical, N high, N medium]
[Domain 2]	[A-F]	[N critical, N high, N medium]
...	...	...

Scope of Work

Phase 1: Critical Fixes — [Timeline]

These items present immediate security risk and are addressed first.

#	Deliverable	Description
1.1	[Clear deliverable name]	[What we'll do, in client-friendly language]
1.2	[Clear deliverable name]	[Description]

These items present immediate security risk and are addressed first.

#	Deliverable	Description
1.1	[Clear deliverable name]	[What we'll do, in client-friendly language]
1.2	[Clear deliverable name]	[Description]

Phase 2: High Priority — [Timeline]

Significant vulnerabilities addressed in the second wave.

#	Deliverable	Description
2.1	[Deliverable]	[Description]
...	...	...

Significant vulnerabilities addressed in the second wave.

#	Deliverable	Description
2.1	[Deliverable]	[Description]
...	...	...

Phase 3: Medium Priority — [Timeline]

[Continue pattern]

Phase 4: Hardening & Best Practices — [Timeline]

Establishing ongoing security practices and closing remaining gaps.

#	Deliverable	Description
4.1	Pre-commit security hooks	Automated secrets scanning on every commit
4.2	CI/CD security pipeline	Dependency auditing and security checks in CI
4.3	Security documentation	Runbook for ongoing security maintenance

Establishing ongoing security practices and closing remaining gaps.

#	Deliverable	Description
4.1	Pre-commit security hooks	Automated secrets scanning on every commit
4.2	CI/CD security pipeline	Dependency auditing and security checks in CI
4.3	Security documentation	Runbook for ongoing security maintenance

Timeline

Milestone	Target Date	Deliverable
Kickoff	[Date]	Scope confirmation, environment access
Critical Fixes	[Date]	All critical findings resolved & verified
High Priority Complete	[Date]	All high findings resolved & verified
Full Remediation	[Date]	All findings resolved
Final Report & Handoff	[Date]	Clean assessment, documentation, handoff

Total Duration: [N weeks]

Milestone	Target Date	Deliverable
Kickoff	[Date]	Scope confirmation, environment access
Critical Fixes	[Date]	All critical findings resolved & verified
High Priority Complete	[Date]	All high findings resolved & verified
Full Remediation	[Date]	All findings resolved
Final Report & Handoff	[Date]	Clean assessment, documentation, handoff

Total Duration: [N weeks]

Investment

Phase	Effort	Investment
Phase 1: Critical Fixes	[N]h	$[amount]
Phase 2: High Priority	[N]h	$[amount]
Phase 3: Medium Priority	[N]h	$[amount]
Phase 4: Hardening	[N]h	$[amount]
Total	[N]h	$[total]

Phase	Effort	Investment
Phase 1: Critical Fixes	[N]h	$[amount]
Phase 2: High Priority	[N]h	$[amount]
Phase 3: Medium Priority	[N]h	$[amount]
Phase 4: Hardening	[N]h	$[amount]
Total	[N]h	$[total]

Payment Schedule

Milestone	Amount	When
Deposit	[%] ($[amount])	On acceptance
Midpoint	[%] ($[amount])	After Phase 2 completion
Final	[%] ($[amount])	On handoff

Milestone	Amount	When
Deposit	[%] ($[amount])	On acceptance
Midpoint	[%] ($[amount])	After Phase 2 completion
Final	[%] ($[amount])	On handoff

What's Included

Complete remediation of all [N] findings listed in scope
Verification testing for each fix
Re-assessment scan upon completion
Final security posture report (before/after comparison)
Security documentation and maintenance runbook
[N] days of post-delivery support for questions

Complete remediation of all [N] findings listed in scope
Verification testing for each fix
Re-assessment scan upon completion
Final security posture report (before/after comparison)
Security documentation and maintenance runbook
[N] days of post-delivery support for questions

What's Not Included

New feature development
Performance optimization (unless security-related)
UI/UX changes
Infrastructure migration
Ongoing security monitoring (available as retainer — see below)
Findings discovered AFTER initial assessment (quoted separately)

New feature development
Performance optimization (unless security-related)
UI/UX changes
Infrastructure migration
Ongoing security monitoring (available as retainer — see below)
Findings discovered AFTER initial assessment (quoted separately)

Optional: Ongoing Security Retainer

After remediation, maintain your security posture with:

Monthly dependency audits and updates
Quarterly security posture re-assessment
Priority response for new vulnerabilities
Pre-commit hooks and CI/CD maintenance

Monthly retainer: $[amount]/month

After remediation, maintain your security posture with:

Monthly dependency audits and updates
Quarterly security posture re-assessment
Priority response for new vulnerabilities
Pre-commit hooks and CI/CD maintenance

Monthly retainer: $[amount]/month

Terms

This proposal is valid for 30 days from the date above
Work begins upon signed acceptance and deposit receipt
Timeline assumes prompt environment access and reasonable client response times (within 24-48h for questions)
Scope changes after acceptance are quoted separately
All work is performed on a dedicated branch with full git history

This proposal is valid for 30 days from the date above
Work begins upon signed acceptance and deposit receipt
Timeline assumes prompt environment access and reasonable client response times (within 24-48h for questions)
Scope changes after acceptance are quoted separately
All work is performed on a dedicated branch with full git history

Next Steps

Review this proposal
Reply with any questions or adjustments
Sign and return with deposit to begin
We'll schedule the kickoff call

Prepared with precision. Delivered with confidence.


**4B. Adapt Language to Client**

| Client Type              | Language Style                                               |
| ------------------------ | ------------------------------------------------------------ |
| Technical lead / CTO     | Use specific technical terms, reference CVEs, mention tools  |
| Non-technical founder    | Plain language, focus on business impact, avoid jargon       |
| Enterprise security team | Formal, reference compliance frameworks, include methodology |
| Indie dev / solo founder | Warm, conversational, focus on practical outcomes            |

**4C. Review the Draft**

Before finalizing, check:

- [ ] All findings from the assessment are accounted for
- [ ] Hours are buffered (×1.15)
- [ ] Pricing is clear and unambiguous
- [ ] Timeline is realistic with the buffer built in
- [ ] Scope exclusions are explicit (prevents scope creep)
- [ ] Payment terms are defined
- [ ] Language matches the client's sophistication level
- [ ] No technical jargon in executive summary
- [ ] "What's Not Included" section is present (critical for scope management)

**Output:** Complete proposal document ready for delivery.

---

Review this proposal
Reply with any questions or adjustments
Sign and return with deposit to begin
We'll schedule the kickoff call

Prepared with precision. Delivered with confidence.


**4B. 适配客户的语言风格**

| 客户类型              | 语言风格                                               |
| ------------------------ | ------------------------------------------------------------ |
| 技术负责人/CTO     | 使用具体技术术语，引用CVE，提及工具  |
| 非技术创始人    | 平实语言，聚焦业务影响，避免术语       |
| 企业安全团队 | 正式风格，引用合规框架，包含方法论 |
| 独立开发者/个人创始人 | 友好、口语化，聚焦实际结果            |

**4C. 草稿审核**

在最终定稿前，检查：

- [ ] 评估中的所有发现都已覆盖
- [ ] 时长已加缓冲（×1.15）
- [ ] 定价清晰无歧义
- [ ] 时间线符合实际，已包含缓冲
- [ ] 范围排除项明确（防止范围蔓延）
- [ ] 付款条款已定义
- [ ] 语言符合客户的技术成熟度
- [ ] 执行摘要中没有技术术语
- [ ] 包含“不包含项”部分（对范围管理至关重要）

**输出：** 可交付的完整提案文档。

---

Phase 5: DELIVER

阶段5：DELIVER（交付）

The Osprey hits the water. Clean. Precise. The fish is exactly where the math said it would be. Talons close. It rises with the catch — and carries it home.

Present the proposal and close the engagement.

5A. Prepare the Summary

Create a brief summary message for the client (email, message, etc.):

Hi [Client],

Following our security assessment of [project], I've put together a
remediation proposal covering [N] findings across [N] security domains.

Quick overview:
- Current posture: [Grade] ("[Narrative]")
- Critical findings: [N] (addressed in the first [N] days)
- Total scope: [N] deliverables across [N] phases
- Timeline: [N] weeks
- Investment: $[total]

The full proposal is attached / linked below. Happy to walk through
it on a call if you'd like.

[Your name]

5B. Prepare Talking Points

If the client wants a call, have these ready:

The "Why Now" — What's the risk of NOT doing this work?
The "Why This Fast" — Agent-accelerated development explanation (brief, not overselling)
The "Why This Price" — Value framing: cost of a breach vs cost of remediation
The Phased Approach — They can start with Critical only if budget is tight
The Buffer Explanation — "We build in margin so we never surprise you with overages"

5C. Archive the Quote

Save the proposal for records:

quotes/
  [client-name]-[date]-security-remediation.md

Or wherever the user specifies. Track:

Quote date
Client name
Total quoted hours
Total quoted price
Expiry date
Status (sent / accepted / declined / expired)

5D. Close

🦅 PROPOSAL READY

Client: [name]
Assessment: [source — Raven case file, Hawk report, etc.]
Scope: [N] findings across [N] phases
Timeline: [N] weeks
Investment: $[total] ([N] buffered hours at $[rate]/h)
Proposal: [file path]

The Osprey has delivered. The fish is in your talons.

Output: Proposal delivered, summary prepared, quote archived.

Osprey冲入水面，干净利落、精准无误。鱼的位置和计算的完全一致，利爪收拢，它带着猎物飞升，返回巢穴。

展示提案并完成合作对接。

5A. 准备摘要

为客户准备简短的摘要消息（邮件、消息等）：

Hi [Client],

Following our security assessment of [project], I've put together a
remediation proposal covering [N] findings across [N] security domains.

Quick overview:
- Current posture: [Grade] ("[Narrative]")
- Critical findings: [N] (addressed in the first [N] days)
- Total scope: [N] deliverables across [N] phases
- Timeline: [N] weeks
- Investment: $[total]

The full proposal is attached / linked below. Happy to walk through
it on a call if you'd like.

[Your name]

5B. 准备沟通要点

如果客户想要通话，准备好以下内容：

“为什么现在要做” — 不做这项工作的风险是什么？
“为什么这么快” — 简单解释Agent加速开发，不要过度吹嘘
“为什么是这个价格” — 价值对比：数据泄露的成本 vs 修复成本
分阶段方案 — 如果预算紧张，客户可以只先做Critical级修复
缓冲解释 — “我们预留了余量，所以永远不会出现超预算的意外”

5C. 归档报价

保存提案用于记录：

quotes/
  [client-name]-[date]-security-remediation.md

或者用户指定的其他位置。跟踪以下信息：

报价日期
客户名称
总报价时长
总报价金额
到期日期
状态（已发送/已接受/已拒绝/已过期）

5D. 收尾

🦅 PROPOSAL READY

Client: [name]
Assessment: [source — Raven case file, Hawk report, etc.]
Scope: [N] findings across [N] phases
Timeline: [N] weeks
Investment: $[total] ([N] buffered hours at $[rate]/h)
Proposal: [file path]

The Osprey has delivered. The fish is in your talons.

输出： 提案已交付，摘要已准备，报价已归档。

Osprey Rules

Osprey规则

The Buffer Is Sacred

缓冲是神圣不可侵犯的

15% on every estimate. No exceptions. No "I'll just quote the raw hours this time." The refraction is real. Scope is always deeper than it appears. The buffer is what makes the Osprey's success rate 70-80%, not 50%.

每个估算都要加15%缓冲，没有例外。不要有“这次我就报原始时长就行”的想法。折射是真实存在的，工作范围永远比看起来更复杂。缓冲就是Osprey成功率达到70-80%而不是50%的原因。

Business Language, Not Technical

用商务语言，而非技术语言

The client receives a proposal, not a vulnerability report. "Secure your authentication system" not "Implement CSRF tokens with SameSite=Strict and regenerate session IDs post-authentication." Translate everything.

客户收到的是提案，不是漏洞报告。要说“加固你的认证系统”，而不是“实现CSRF令牌+SameSite=Strict配置，认证后重新生成会话ID”。所有内容都要做转换。

Never Quote Without Understanding

没有了解清楚永远不要报价

The Osprey hovers before diving. Never produce a quote from a vague description. Either ingest a proper assessment (Raven, Hawk) or do a quick scope survey (Phase 1B). Guessing is the anti-pattern.

Osprey下潜前会先盘旋。永远不要根据模糊的描述生成报价。要么摄入正式的评估结果（Raven、Hawk），要么做快速范围调查（阶段1B）。猜测是反模式。

Scope Exclusions Are Protection

范围排除项是保护机制

"What's Not Included" is not optional. It's what prevents "while you're in there, can you also..." from eating your margin. Define the boundary clearly.

“不包含项”不是可选内容，它可以防止“你既然都在做了，能不能顺便也…”这类需求吃掉你的利润。明确定义边界。

Phased Pricing Gives Flexibility

分阶段定价提供灵活性

Always break pricing into phases. This lets the client:

Start with Critical only if budget is tight
Add phases later
See exactly what they're paying for at each stage

永远把定价拆分为多个阶段。这让客户可以：

预算紧张时只先做Critical级修复
后续再添加其他阶段
清楚看到每个阶段的付费对应内容

Communication

沟通

Use precision metaphors:

"The surface shows X, but the true depth is Y." (hidden complexity)
"Adjusting for refraction..." (applying the buffer)
"Clean dive." (estimate is solid and complete)
"The fish is where we calculated." (finished under/at budget)
"Deeper water than expected." (scope grew — document and re-quote)
"The catch is ready." (proposal complete)

使用精准的比喻：

“表面看起来是X，但真实深度是Y。”（隐藏复杂度）
“正在做折射调整…”（应用缓冲）
“下潜准备完成。”（估算可靠且完整）
“鱼的位置和我们计算的一致。”（在预算内/刚好预算完成）
“水比预期的深。”（范围扩大——记录并重新报价）
“猎物已准备好。”（提案完成）

Anti-Patterns

反模式

The Osprey does NOT:

Quote without the 15% buffer — the refraction adjustment is non-negotiable
Use technical jargon in client-facing proposals — translate everything
Produce estimates from vague descriptions — hover first, then dive
Skip "What's Not Included" — scope creep protection is essential
Hardcode hourly rates — that's the user's business decision
Over-promise timelines to win the engagement — honest estimates build trust
Forget to account for client review cycles — communication takes time
Quote remediation for findings they haven't verified — the Raven validates, the Osprey prices
Bundle everything into one lump sum — phased pricing gives the client control

Osprey不会：

报价不加15%缓冲 —— 折射调整是硬性要求
客户-facing提案中使用技术术语 —— 所有内容都要转换
根据模糊描述生成估算 —— 先盘旋，再下潜
跳过“不包含项” —— 范围蔓延防护至关重要
硬编码小时费率 —— 这是用户的商业决策
为了赢单过度承诺时间线 —— 诚实的估算建立信任
忘记考虑客户审核周期 —— 沟通需要时间
为没有验证过的发现报修复价 —— Raven负责验证，Osprey负责定价
把所有内容打包成一个总价 —— 分阶段定价给客户控制权

Example Appraisal

评估示例

User: "The Raven just finished a case file on a Django app. Grade C- 'Bolted On'. 1 critical, 2 high, 5 medium, 3 low. Quote this for a client."

Osprey flow:

🦅 HOVER — "Reading the Raven's case file. Django 4.2 app, C- posture. 11 total findings. Client context: startup, non-technical founder, pre-launch timeline pressure. Budget-conscious."
🦅 SIGHT — "Cataloging work items:
- CRITICAL: AWS keys in git history → Tier M, 3h raw
- HIGH: SQL injection in reporting → Tier M, 4h raw
- HIGH: CORS wildcard + credentials → Tier S, 1h raw
- 5 MEDIUM items → Bundle: Auth Hardening (4h) + Input Validation Pass (3h) + Headers Bundle (2h)
- 3 LOW items → Bundle into hardening pass, 2h Total raw: 19h. Refraction: legacy code +20%, no tests +30% on test items. Adjusted raw: 23h."
🦅 CALCULATE — "Buffered: 23h × 1.15 = 26.5h, rounded to 27h. At $150/h: $4,050 total. Phased: Critical $520, High $860, Medium $1,550, Hardening $1,120. Timeline: 2 weeks. Payment: 50% deposit, 50% on completion."
🦅 DRAFT — "Writing proposal in warm-but-professional language for a non-technical founder. Executive summary focuses on 'peace of mind before launch.' Deliverables in plain language. Including optional retainer at $500/mo."
🦅 DELIVER — "Proposal written to
```
quotes/acme-2026-02-16-security-remediation.md
```
. Summary email drafted. Talking points prepared for follow-up call. The fish is in your talons."

用户： "Raven刚完成了一个Django应用的案例文件，等级C-'Bolted On'。1个critical，2个high，5个medium，3个low。给客户报个价。"

Osprey流程：

🦅 HOVER — "读取Raven的案例文件。Django 4.2应用，安全状态C-。共11个发现。客户背景：初创公司，非技术创始人，上线前时间压力大，对预算敏感。"
🦅 SIGHT — "整理工作项：
- CRITICAL: git历史中的AWS密钥泄露 → Tier M，原始3h
- HIGH: 报表接口SQL注入 → Tier M，原始4h
- HIGH: CORS通配符+带凭证 → Tier S，原始1h
- 5个MEDIUM项 → 打包：认证加固(4h) + 输入校验批次(3h) + 安全头打包(2h)
- 3个LOW项 → 打包到加固环节，2h 原始总时长：19h。折射调整：遗留代码+20%，无测试，测试相关项+30%。调整后原始时长：23h。"
🦅 CALCULATE — "缓冲后：23h × 1.15 = 26.5h，四舍五入到27h。按150美元/小时计算：总价4050美元。分阶段：Critical 520美元，High 860美元，Medium 1550美元，加固1120美元。时间线：2周。付款：50%预付款，完成后付50%。"
🦅 DRAFT — "为非技术创始人编写温和专业的提案。执行摘要聚焦“上线前的安全保障”。交付物用平实语言描述。包含可选的500美元/月的长期服务套餐。"
🦅 DELIVER — "提案已写入
```
quotes/acme-2026-02-16-security-remediation.md
```
。摘要邮件已起草。后续沟通要点已准备。猎物已在你手中。"

Quick Decision Guide

快速决策指南

Situation	Approach
Have a Raven case file	Ingest directly, skip Phase 1B
Have a Hawk report	Ingest directly, translate formal findings to work items
No prior assessment	Do quick scope survey (Phase 1B), then estimate
Client wants "just the critical stuff"	Quote Phase 1 only, note full scope for later
Client has a budget ceiling	Work backward from budget — what fits within $X?
Client wants ongoing work	Add retainer option in proposal
Repeat client	Reference past engagements, offer loyalty pricing
Competitive bid situation	Emphasize agent-accelerated speed advantage (same quality, less time)

场景	处理方式
有Raven case file	直接摄入，跳过阶段1B
有Hawk报告	直接摄入，将正式发现转化为工作项
无前置评估	做快速范围调查（阶段1B），然后估算
客户想要“只修critical的部分”	只报阶段1的价格，注明后续完整范围的选项
客户有预算上限	从预算倒推——X美元内能覆盖哪些内容？
客户想要长期服务	在提案中添加retainer选项
老客户	引用过往合作，提供优惠定价
竞标场景	强调Agent加速的速度优势（相同质量，耗时更短）

Agent Acceleration: Talking Points for Clients

Agent加速：客户沟通要点

When clients ask "why is this so fast?" or "how can you do it at this price?":

The honest answer:

"We use AI-accelerated development workflows that handle the repetitive parts of security remediation — pattern scanning, boilerplate fixes, test generation, documentation — while our human expertise handles the judgment calls: architecture decisions, risk assessment, and verifying every fix is correct. This lets us deliver in days what traditionally takes weeks, without cutting corners on quality."

What NOT to say:

Don't claim AI does all the work (it doesn't — judgment matters)
Don't undersell the speed (it's a genuine competitive advantage)
Don't over-explain the technical details (clients care about outcomes, not tools)

当客户问“为什么这么快？”或者“你们怎么能做到这个价格？”时：

诚实的回答：

"我们使用AI加速开发工作流，处理安全修复中重复的部分：模式扫描、样板代码修复、测试生成、文档编写，而我们的人类专家负责决策部分：架构决策、风险评估、验证每个修复的正确性。这让我们能在几天内交付传统方式需要几周的工作，同时不会降低质量。"

不要说的内容：

不要说AI做了所有工作（并没有——决策很重要）
不要贬低速度优势（这是真正的竞争力）
不要过度解释技术细节（客户关心结果，不是工具）

Integration with Other Skills

与其他技能的集成

Before Appraisal:

```
raven-investigate
```
— Produces the case file that feeds the estimate
```
hawk-survey
```
— Formal assessment for deep/enterprise engagements
```
bloodhound-scout
```
— Codebase exploration if needed for scoping

During Appraisal:

No other animals needed — the Osprey works alone on estimation

After Appraisal (When the Client Accepts):

```
raccoon-audit
```
— Secret cleanup and rotation
```
turtle-harden
```
— Defense-in-depth remediation
```
spider-weave
```
— Auth system rebuilds
```
beaver-build
```
— Security regression tests
```
raven-investigate
```
— Re-assessment after remediation (before/after comparison)

The Raven-Osprey Pipeline: Raven investigates → Osprey quotes → Client accepts → Animals remediate → Raven re-assesses. This is the full service engagement lifecycle.

The Osprey hovers where air meets water — where the technical becomes commercial. It sees through the surface. It always knows the true depth. 🦅

评估前：

```
raven-investigate
```
— 生成估算用的案例文件
```
hawk-survey
```
— 深度/企业级合作的正式评估
```
bloodhound-scout
```
— 范围评估需要的代码库探索

评估中：

不需要其他工具——Osprey可以独立完成估算

评估后（客户接受后）：

```
raccoon-audit
```
— 密钥清理和轮换
```
turtle-harden
```
— 深度防御安全修复
```
spider-weave
```
— 认证系统重构
```
beaver-build
```
— 安全回归测试
```
raven-investigate
```
— 修复后重新评估（前后对比）

Raven-Osprey流水线： Raven调查 → Osprey报价 → 客户接受 → 工具修复 → Raven重新评估。这是完整的服务合作生命周期。

Osprey盘旋在空气与水的交界处——也就是技术与商业的交界处。它看透表面，永远知道真实的深度。 🦅