legacy-squad 1.0.0 β†’ 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -1,431 +1,519 @@
1
- <p align="center">
2
- <h1 align="center">Legacy Squad Framework</h1>
3
- <p align="center"><strong>AI-Powered Legacy Modernization Platform</strong></p>
4
- <p align="center"><em>Understand. Plan. Modernize.</em></p>
5
- <p align="center">
6
- <a href="README.pt-br.md">πŸ‡§πŸ‡· PortuguΓͺs</a> Β· <strong>πŸ‡ΊπŸ‡Έ English</strong>
7
- </p>
8
- </p>
9
-
10
- ---
11
-
12
- Legacy Squad is an open-source framework that installs inside your legacy project with a single command, automatically analyzes the codebase, and provides specialized AI agents in your IDE to produce a complete diagnostic β€” without changing a single line of code.
13
-
14
- ```bash
15
- npx legacy-squad install
16
- ```
17
-
18
- ---
19
-
20
- ## The Problem
21
-
22
- Legacy systems support critical processes, but frequently suffer from:
23
-
24
- - Missing or outdated documentation
25
- - Hardcoded credentials in source code
26
- - Business rules buried in conditionals no one documented
27
- - Coupling that makes any change risky
28
- - Fear of modifying production code
29
- - Dependency on 1-2 developers who "know the system"
30
-
31
- Traditional approaches (full rewrites, unstructured refactoring) are expensive, slow, and risky.
32
-
33
- ## The Solution
34
-
35
- Legacy Squad combines **deterministic analysis** (scanner + compliance engine with OWASP/CWE rules) with **specialized AI agents** that run in your IDE (Claude Code, Codex, Cursor) to produce:
36
-
37
- | Artifact | What it does |
38
- |----------|-------------|
39
- | **Repo Index** | Full inventory: stack, modules, dependencies, integrations, hotspots |
40
- | **Findings** | Security findings with evidence, impact, OWASP reference and recommendation |
41
- | **Security Assessment** | Deep analysis of auth, secrets, LGPD/GDPR, API security |
42
- | **Architecture Assessment** | C4 diagrams, coupling analysis, structural risks, target architecture |
43
- | **Legacy Code Assessment** | Hotspots, JS→TS migration, duplication, test coverage |
44
- | **Business Rules Assessment** | 60+ rules extracted from code, preservation checklist |
45
- | **Modernization Plan** | Incremental phased roadmap with rollback and scores |
46
- | **PRS** | Product Refactor Specification β€” consolidated report for decision makers |
47
-
48
- ---
49
-
50
- ## Quick Start
51
-
52
- ### Prerequisites
53
-
54
- - Node.js β‰₯ 18
55
- - An AI-enabled IDE: [Claude Code](https://docs.anthropic.com/en/docs/claude-code), [Codex CLI](https://github.com/openai/codex), or [Cursor](https://cursor.sh)
56
-
57
- ### Installation
58
-
59
- ```bash
60
- cd your-legacy-project
61
- npx legacy-squad install
62
- ```
63
-
64
- The command:
65
- 1. Detects the stack (React Native, PHP, .NET, Java, Node β€” via manifest)
66
- 2. Scans the repository and generates the inventory
67
- 3. Runs the Compliance Engine (OWASP/CWE rules)
68
- 4. Generates Context Packs per module
69
- 5. Installs agents as slash commands in your IDE
70
- 6. Verifies the installation (8 checks)
71
-
72
- ### Usage with Claude Code
73
-
74
- ```bash
75
- claude # Open Claude Code in the project
76
- /legacy-squad-security # Run Security Agent
77
- /legacy-squad-architecture # Run Architecture Agent
78
- /legacy-squad-legacy-code # Run Legacy Code Agent
79
- /legacy-squad-business-rules # Run Business Rules Agent
80
- /legacy-squad-modernization # Run Modernization Agent
81
- /legacy-squad-generate-prs # Consolidate everything into the final PRS
82
- ```
83
-
84
- ### Usage with Codex CLI
85
-
86
- ```bash
87
- codex # Open Codex in the project
88
- # AGENTS.md at the root defines available agents
89
- @legacy-squad-security # Activate Security Agent
90
- ```
91
-
92
- ### Other Commands
93
-
94
- ```bash
95
- npx legacy-squad scan # Re-scan without reinstalling agents
96
- npx legacy-squad doctor # Verify installation health
97
- ```
98
-
99
- ---
100
-
101
- ## How It Works
102
-
103
- ```
104
- β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
105
- β”‚ npx legacy-squad β”‚
106
- β”‚ install β”‚
107
- β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
108
- β”‚
109
- β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
110
- β–Ό β–Ό β–Ό
111
- β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
112
- β”‚ Scanner β”‚ β”‚ Compliance β”‚ β”‚ Context β”‚
113
- β”‚ (stack, β”‚ β”‚ Engine β”‚ β”‚ Manager β”‚
114
- β”‚ modules) β”‚ β”‚ (OWASP) β”‚ β”‚ (packs) β”‚
115
- β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”˜
116
- β”‚ β”‚ β”‚
117
- β–Ό β–Ό β–Ό
118
- β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
119
- β”‚ .legacy-squad/memory/ β”‚
120
- β”‚ repo-index.json | findings.json | β”‚
121
- β”‚ context-packs.json β”‚
122
- β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
123
- β”‚
124
- β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
125
- β–Ό β–Ό β–Ό
126
- β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
127
- β”‚ .claude/ β”‚ β”‚ AGENTS.mdβ”‚ β”‚ .cursor/ β”‚
128
- β”‚ commands/β”‚ β”‚ (Codex) β”‚ β”‚ rules/ β”‚
129
- β”‚ (Claude) β”‚ β”‚ β”‚ β”‚ (Cursor) β”‚
130
- β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜
131
- β”‚ β”‚ β”‚
132
- β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
133
- β”‚
134
- β”Œβ”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”
135
- β”‚ IDE + AI β”‚
136
- β”‚ (Claude Codeβ”‚
137
- β”‚ Codex, β”‚
138
- β”‚ Cursor) β”‚
139
- β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”˜
140
- β”‚
141
- β”Œβ”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”
142
- β”‚ Assessments β”‚
143
- β”‚ + Final PRS β”‚
144
- β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
145
- ```
146
-
147
- **The framework prepares data and installs agents. AI runs in the dev's IDE.**
148
-
149
- Zero API keys required. Zero external server calls. Everything runs locally.
150
-
151
- ---
152
-
153
- ## Installed Structure
154
-
155
- After `npx legacy-squad install`:
156
-
157
- ```
158
- your-project/
159
- β”œβ”€β”€ .legacy-squad/
160
- β”‚ β”œβ”€β”€ config/
161
- β”‚ β”‚ └── project.yaml # Detected configuration
162
- β”‚ β”œβ”€β”€ memory/
163
- β”‚ β”‚ β”œβ”€β”€ repo-index.json # Repository inventory
164
- β”‚ β”‚ β”œβ”€β”€ findings.json # Compliance engine findings
165
- β”‚ β”‚ └── context-packs.json # Context per module
166
- β”‚ β”œβ”€β”€ outputs/
167
- β”‚ β”‚ β”œβ”€β”€ assessments/ # Agent assessments
168
- β”‚ β”‚ └── reports/ # Consolidated PRS
169
- β”‚ └── logs/
170
- β”‚ └── install.log
171
- β”œβ”€β”€ .claude/
172
- β”‚ └── commands/
173
- β”‚ └── legacy-squad/
174
- β”‚ β”œβ”€β”€ security.md # /legacy-squad-security
175
- β”‚ β”œβ”€β”€ architecture.md # /legacy-squad-architecture
176
- β”‚ β”œβ”€β”€ legacy-code.md # /legacy-squad-legacy-code
177
- β”‚ β”œβ”€β”€ business-rules.md # /legacy-squad-business-rules
178
- β”‚ β”œβ”€β”€ modernization.md # /legacy-squad-modernization
179
- β”‚ β”œβ”€β”€ generate-prs.md # /legacy-squad-generate-prs
180
- β”‚ └── scan.md # /legacy-squad-scan
181
- └── AGENTS.md # Codex compatibility
182
- ```
183
-
184
- ---
185
-
186
- ## Agents
187
-
188
- ### Security Agent (`/legacy-squad-security`)
189
-
190
- Analyzes authentication, secrets, insecure storage, PII exposure, and privacy compliance (LGPD, GDPR).
191
-
192
- **References:** OWASP MASVS V2, OWASP ASVS, CWE Top 25, LGPD, GDPR, NIST SSDF
193
-
194
- ### Architecture Agent (`/legacy-squad-architecture`)
195
-
196
- Maps current architecture with C4 diagrams, identifies coupling, structural risks, and proposes incremental target architecture.
197
-
198
- **References:** C4 Model, Clean Architecture, arc42, ADR
199
-
200
- ### Legacy Code Agent (`/legacy-squad-legacy-code`)
201
-
202
- Identifies hotspots, duplication, JS→TS migration progress, test coverage, and refactoring priorities.
203
-
204
- **References:** Clean Code, Sonar Rules, Cognitive Complexity
205
-
206
- ### Business Rules Agent (`/legacy-squad-business-rules`)
207
-
208
- Extracts business rules hidden in code β€” validations, permissions, flows, magic numbers, implicit rules in catch blocks.
209
-
210
- **References:** DDD, Event Storming
211
-
212
- ### Modernization Agent (`/legacy-squad-modernization`)
213
-
214
- Synthesizes all assessments into an incremental plan with phases, rollback, Deployability Score (1-10), and Execution Readiness Score (0-100).
215
-
216
- **References:** Strangler Fig, Branch by Abstraction, Progressive Delivery
217
-
218
- ### PRS Generator (`/legacy-squad-generate-prs`)
219
-
220
- Consolidates all assessments into the PRS (Product Refactor Specification) β€” the final document for decision makers.
221
-
222
- ---
223
-
224
- ## Supported Stacks
225
-
226
- ### Manifest Detection (Layer 1 β€” deterministic)
227
-
228
- | Manifest | Stack |
229
- |----------|-------|
230
- | `package.json` | Node.js, React, React Native, Expo, Next.js |
231
- | `composer.json` | PHP, Laravel |
232
- | `.csproj` | C#, .NET |
233
- | `pom.xml` | Java, Spring Boot |
234
-
235
- ### Extension Detection (Layer 2 β€” heuristic)
236
-
237
- TypeScript, JavaScript, PHP, C#, Java, Python, Dart
238
-
239
- ---
240
-
241
- ## Compliance Engine
242
-
243
- The scanner automatically runs deterministic rules based on OWASP and CWE:
244
-
245
- | Rule | Detects | Reference |
246
- |------|---------|-----------|
247
- | SEC-CRED-001 | Hardcoded credentials | OWASP MASVS, CWE-798 |
248
- | SEC-CRED-002 | Keystores/certificates in repository | OWASP MASVS, CWE-312 |
249
- | SEC-LOG-001 | Active console.log in production | CWE-532 |
250
- | SEC-LOG-002 | PII (CPF, SSN, IDs) in logs/external services | CWE-532, LGPD/GDPR |
251
- | SEC-ERR-001 | Empty catch blocks | CWE-390 |
252
- | SEC-STORE-001 | Token in AsyncStorage | OWASP MASVS |
253
- | CQ-MIX-001 | Mixed JS and TS files | Clean Code |
254
- | CQ-DEP-001 | Transitive dependencies | Clean Code |
255
-
256
- Every finding includes: evidence (file, line, snippet), impact, technical reference, and recommendation.
257
-
258
- ---
259
-
260
- ## Principles
261
-
262
- | Principle | Description |
263
- |-----------|-------------|
264
- | **Install-First** | One command installs everything. No manual setup. |
265
- | **IDE-Native** | Agents are IDE slash commands. AI comes from the dev's environment. |
266
- | **Evidence-Driven** | Every finding has concrete evidence (file, line, snippet). |
267
- | **Context-First** | No LLM receives the entire repository β€” only context packs. |
268
- | **Read-Only** | The framework does not modify code. It only reads and generates reports. |
269
- | **Production-First** | Every recommendation assumes the system is in production. |
270
- | **Incremental** | Every modernization step is incremental, reversible, and deployable. |
271
-
272
- ---
273
-
274
- ## Validated in Production
275
-
276
- The framework was validated against a **production mobile app** (~18k lines of code, 98 dependencies, real financial transactions):
277
-
278
- **Compliance Engine (deterministic):** 7 findings via pattern matching
279
-
280
- **AI Agents (via Claude Code):** +43 additional findings, including:
281
- - Service account credentials decoded from Base64 in source code
282
- - Remote config flag capable of bypassing all authentication in production
283
- - User passwords logged in plaintext to a cloud database
284
- - PII used as primary key in a cloud database (enumerable)
285
- - Session recording capturing sensitive data without user consent
286
- - 63 business rules extracted from code (11 implicit, never documented)
287
- - Potential bug in a date calculation affecting core business logic
288
-
289
- **Generated artifacts (4 official deliverables of V1):**
290
- - **PRS** β€” Product Refactor Specification consolidating the diagnostic
291
- - **SDD** β€” Software Design Document with current/target architecture and 8 ADRs
292
- - **MMP** β€” Modernization Master Plan with 4-phase roadmap (Emergency β†’ Foundation β†’ Core β†’ Evolution), Execution Readiness Score 38β†’88/100, Deployability scores per phase, and concrete rollback strategies
293
- - **37 Execution Specs** β€” atomic, individually deployable units of work with binary acceptance criteria, mandatory rollback, evidence traceability, and dependency graph
294
-
295
- **Total:** 50 findings + 4 consolidated artifacts + 37 executable specs from a single `npx legacy-squad install` followed by 9 slash command activations.
296
-
297
- ---
298
-
299
- ## Open Core
300
-
301
- ### Community Edition (V1) β€” Open Source
302
-
303
- Focus: **Understand + Plan**
304
-
305
- - Scanner with multi-stack detection (PHP/Laravel/Symfony, .NET/ASP.NET, Java/Spring, Node, React Native/Expo)
306
- - Compliance Engine with 14 deterministic rules (OWASP MASVS, ASVS, CWE Top 25)
307
- - Context Manager (basic)
308
- - **5 analysis agents** as slash commands: security, architecture, legacy-code, business-rules, modernization
309
- - **4 artifact generators** as slash commands: PRS, SDD, MMP, Execution Specs
310
- - Claude Code, Codex CLI support (Cursor / Gemini CLI on the roadmap)
311
-
312
- ### Enterprise Edition (V2) β€” In development
313
-
314
- Focus: **Modernize**
315
-
316
- - Execution Engine (AI-assisted refactoring)
317
- - Pull Request Engine
318
- - QA Gates
319
- - CI/CD Integration
320
- - Custom Rule Packs
321
- - Dashboard + Team Collaboration
322
-
323
- ---
324
-
325
- ## Roadmap
326
-
327
- ### V1 β€” Discovery Platform (Community Edition) βœ…
328
-
329
- - [x] Scanner + Compliance Engine
330
- - [x] Install command + IDE integration
331
- - [x] Context Manager (basic)
332
- - [x] End-to-end validation with real project (mobile, ~18k LoC)
333
- - [x] Multi-stack rule catalog (PHP, .NET, Java, Node, mobile)
334
- - [x] Language-agnostic agent templates (stack-aware analysis)
335
- - [x] 4 official artifacts (PRS, SDD, MMP, Execution Specs)
336
-
337
- ### V1 β€” Continuous improvements
338
-
339
- - [ ] Cursor + Gemini CLI support
340
- - [ ] Framework-specific rule packs (Eloquent raw queries, EF Core, Hibernate HQL)
341
- - [ ] AST-based scanner (current is regex-based)
342
-
343
- ### V2 β€” Execution Platform (Enterprise Edition) β€” In development
344
-
345
- - [ ] Execution Engine (AI-assisted refactoring from Execution Specs)
346
- - [ ] Pull Request Engine
347
- - [ ] QA Gates
348
- - [ ] CI/CD Integration
349
- - [ ] Custom Rule Packs
350
- - [ ] Dashboard + Team Collaboration
351
-
352
- ---
353
-
354
- ## Development
355
-
356
- ```bash
357
- git clone https://github.com/hrpimenta/legacy-squad.git
358
- cd legacy-squad
359
- pnpm install
360
- pnpm approve-builds esbuild
361
-
362
- # Tests
363
- npx vitest run
364
-
365
- # Dev mode (no build)
366
- npx tsx apps/cli/src/index.ts install -p /path/to/project
367
-
368
- # Build
369
- node build.mjs
370
-
371
- # Test bundled version
372
- node dist/cli.mjs install -p /path/to/project
373
- ```
374
-
375
- ### Monorepo Structure
376
-
377
- ```
378
- legacy-squad/
379
- β”œβ”€β”€ packages/
380
- β”‚ β”œβ”€β”€ core/ # Domain types, ports (Clean Architecture)
381
- β”‚ β”œβ”€β”€ scanner/ # Stack detection, repo index generation
382
- β”‚ β”œβ”€β”€ context/ # Context packs builder
383
- β”‚ β”œβ”€β”€ rules/ # Compliance engine, rule catalog
384
- β”‚ β”œβ”€β”€ agents/ # Agent definitions, installer, doctor
385
- β”‚ └── output/ # PRS generator
386
- β”œβ”€β”€ apps/
387
- β”‚ └── cli/ # CLI entry point (Commander.js)
388
- β”œβ”€β”€ templates/
389
- β”‚ └── claude-commands/ # Slash command templates
390
- └── docs/
391
- └── plans/ # Architecture decisions, plans
392
- ```
393
-
394
- ### Tests
395
-
396
- ```bash
397
- npx vitest run # 28 tests (domain, scanner, compliance, agents)
398
- npx vitest --watch # Watch mode
399
- ```
400
-
401
- ---
402
-
403
- ## Contributing
404
-
405
- 1. Fork the repository
406
- 2. Create a branch (`git checkout -b feature/my-feature`)
407
- 3. Follow the standards: TDD (Red→Green→Refactor), SOLID, Clean Architecture
408
- 4. Run tests (`npx vitest run`)
409
- 5. Open a PR
410
-
411
- ### Ways to contribute
412
-
413
- - New rules for the Compliance Engine (PHP, .NET, Java)
414
- - Agent template improvements
415
- - New IDE support
416
- - Documentation and translation
417
- - Tests and fixtures for other stacks
418
-
419
- ---
420
-
421
- ## License
422
-
423
- MIT β€” see [LICENSE](LICENSE) for details.
424
-
425
- ---
426
-
427
- <p align="center">
428
- <strong>Understand. Plan. Modernize.</strong>
429
- <br>
430
- <em>Legacy Squad Framework</em>
431
- </p>
1
+ <p align="center">
2
+ <h1 align="center">Legacy Squad Framework</h1>
3
+ <p align="center"><strong>AI-Powered Legacy Modernization Platform</strong></p>
4
+ <p align="center"><em>Understand. Plan. Modernize.</em></p>
5
+ <p align="center">
6
+ <a href="README.pt-br.md">πŸ‡§πŸ‡· PortuguΓͺs</a> Β· <strong>πŸ‡ΊπŸ‡Έ English</strong>
7
+ </p>
8
+ </p>
9
+
10
+ <p align="center">
11
+ <a href="https://www.npmjs.com/package/legacy-squad"><img src="https://img.shields.io/npm/v/legacy-squad?color=cb3837&label=npm" alt="npm version"></a>
12
+ <a href="https://www.npmjs.com/package/legacy-squad"><img src="https://img.shields.io/npm/dm/legacy-squad?color=blue" alt="downloads"></a>
13
+ <a href="https://github.com/hrpimenta/legacy-squad/blob/main/LICENSE"><img src="https://img.shields.io/badge/license-MIT-green.svg" alt="license"></a>
14
+ <a href="https://github.com/hrpimenta/legacy-squad/stargazers"><img src="https://img.shields.io/github/stars/hrpimenta/legacy-squad?style=social" alt="stars"></a>
15
+ <img src="https://img.shields.io/badge/status-beta-orange" alt="beta">
16
+ <img src="https://img.shields.io/badge/node-%E2%89%A518-brightgreen" alt="node">
17
+ </p>
18
+
19
+ ---
20
+
21
+ > **One command. Five AI agents in your IDE.**
22
+ > **50 findings, 4 engineering documents, and 37 execution specs** β€” without changing a single line of your code.
23
+
24
+ ```bash
25
+ npx legacy-squad install
26
+ ```
27
+
28
+ <p align="center">
29
+ <img src="docs/assets/demo.svg" alt="Legacy Squad install output" width="780">
30
+ </p>
31
+
32
+ <p align="center">
33
+ πŸ”‘ <strong>Zero API keys</strong> &nbsp;Β·&nbsp;
34
+ ☁️ <strong>Zero external servers</strong> &nbsp;·&nbsp;
35
+ πŸ’» <strong>Runs in your own IDE</strong> (Claude Code, Codex, Cursor)
36
+ </p>
37
+
38
+ ---
39
+
40
+ ## πŸ“Š Validated in Production
41
+
42
+ Real production mobile app β€” **~18,000 LoC**, **98 dependencies**, real financial transactions:
43
+
44
+ | | |
45
+ |---|---|
46
+ | πŸ” **50 findings** (7 deterministic + 43 from AI agents) | πŸ“ **63 business rules** extracted from code (11 implicit) |
47
+ | πŸ“„ **4 official documents** (PRS Β· SDD Β· MMP Β· Specs) | 🎯 **37 execution specs**, atomic and deployable |
48
+ | πŸ“ˆ **Execution Readiness:** 38 β†’ 88 / 100 | πŸš€ **Deployability:** scored per phase |
49
+
50
+ From a single `npx legacy-squad install` followed by 9 slash commands in the IDE.
51
+
52
+ [**β†’ Read the full case study**](docs/CASE_STUDY.md)
53
+
54
+ ---
55
+ ## πŸš€ Quick Start
56
+
57
+ > From zero to your first AI-generated finding in minutes.
58
+
59
+ ### Prerequisites
60
+
61
+ - **Node.js β‰₯ 18**
62
+ - **An AI-enabled IDE:** [Claude Code](https://docs.anthropic.com/en/docs/claude-code), [Codex CLI](https://github.com/openai/codex), or [Cursor](https://cursor.sh)
63
+
64
+ ### 1. Install in your legacy project
65
+
66
+ ```bash
67
+ cd your-legacy-project
68
+ npx legacy-squad install
69
+ ```
70
+
71
+ Immediately after, you'll see the framework artifacts in `.legacy-squad/memory/`:
72
+
73
+ - `repo-index.json` β€” full inventory (stack, modules, dependencies, integrations)
74
+ - `findings.json` β€” deterministic security findings (OWASP / CWE)
75
+ - `context-packs.json` β€” context per module, prepared for the AI agents
76
+
77
+ <details>
78
+ <summary><strong>What the install command does internally</strong></summary>
79
+
80
+ 1. Detects the stack via manifest (`package.json`, `composer.json`, `.csproj`, `pom.xml`)
81
+ 2. Scans the repository and builds the inventory
82
+ 3. Runs the Compliance Engine with OWASP / CWE rules
83
+ 4. Generates Context Packs per module (token-efficient)
84
+ 5. Installs the 9 agents as slash commands in your IDE
85
+ 6. Verifies the installation (8 health checks)
86
+
87
+ </details>
88
+
89
+ ### 2. Run your first AI agent
90
+
91
+ Open your IDE in the project and trigger the Security Agent.
92
+
93
+ **Claude Code**
94
+ ```bash
95
+ claude
96
+ /legacy-squad-security
97
+ ```
98
+
99
+ **Codex CLI**
100
+ ```bash
101
+ codex
102
+ @legacy-squad-security
103
+ ```
104
+
105
+ The assessment is written to:
106
+
107
+ ```
108
+ .legacy-squad/outputs/assessments/security.md
109
+ ```
110
+
111
+ Evidence-driven: every finding includes file:line references, OWASP / CWE mapping, impact, and recommendation β€” generated by AI running entirely inside your IDE.
112
+
113
+ ### 3. Run the full diagnostic
114
+
115
+ Once you're satisfied with the first agent, run the remaining four and the four artifact generators.
116
+
117
+ <details>
118
+ <summary><strong>Full workflow β€” 5 agents + 4 generators</strong></summary>
119
+
120
+ **Step 1 β€” Analysis (run in order)**
121
+
122
+ ```bash
123
+ /legacy-squad-security # Security Agent
124
+ /legacy-squad-architecture # Architecture Agent
125
+ /legacy-squad-legacy-code # Legacy Code Agent
126
+ /legacy-squad-business-rules # Business Rules Agent
127
+ /legacy-squad-modernization # Modernization Agent
128
+ ```
129
+
130
+ **Step 2 β€” Consolidated artifacts (run after analysis)**
131
+
132
+ ```bash
133
+ /legacy-squad-generate-prs # Product Refactor Specification
134
+ /legacy-squad-generate-sdd # Software Design Document
135
+ /legacy-squad-generate-mmp # Modernization Master Plan
136
+ /legacy-squad-generate-specs # Execution Specs (one YAML per unit of work)
137
+ ```
138
+
139
+ </details>
140
+
141
+ ### Other commands
142
+
143
+ ```bash
144
+ npx legacy-squad scan # Re-scan without reinstalling agents
145
+ npx legacy-squad doctor # Verify installation health
146
+ ```
147
+ ## Why Legacy Squad
148
+
149
+ Most existing tools cover one dimension of legacy modernization. Legacy Squad covers the full lifecycle β€” from inventory to executable plan β€” and treats AI agents as **methodology-bound contributors**, not free-form chat.
150
+
151
+ | Capability | Static Analyzers<br>(SonarQube) | SAST / SCA<br>(Snyk, Checkmarx) | AI Coding Assistants<br>(Copilot, Cursor) | **Legacy Squad** |
152
+ |---|:---:|:---:|:---:|:---:|
153
+ | Deterministic security rules (OWASP / CWE) | βœ… | βœ… | β€” | βœ… |
154
+ | CVE / dependency vulnerabilities | β€” | βœ… | β€” | β€” |
155
+ | Code smells & cognitive complexity | βœ… | partial | β€” | βœ… |
156
+ | Architecture mapping (C4, coupling) | β€” | β€” | β€” | βœ… |
157
+ | Business rules extraction from code | β€” | β€” | β€” | βœ… |
158
+ | Phased modernization plan (MMP) | β€” | β€” | β€” | βœ… |
159
+ | Atomic, deployable execution specs | β€” | β€” | β€” | βœ… |
160
+ | AI agents with evidence-bound output | β€” | β€” | free-form | βœ… |
161
+ | Runs in your own IDE (no server, no API key) | β€” | β€” | βœ… | βœ… |
162
+ | Repository never sent in full to an LLM | n/a | n/a | β€” | βœ… |
163
+
164
+ In one sentence: Legacy Squad pairs **deterministic scanning** with **methodology-bound AI agents** that produce **structured engineering artifacts** (PRS, SDD, MMP, Execution Specs) β€” not chat history.
165
+
166
+ ### When Legacy Squad fits
167
+
168
+ - You have a legacy system in production and need a **structured diagnostic** before deciding what to modernize.
169
+ - You want every finding to carry **evidence, framework reference, impact, and recommendation** β€” not unjustified suggestions.
170
+ - You need a **phased modernization plan** that is reversible, deployable, and approvable by humans before execution.
171
+ - You want AI assistance **without sending your codebase to an external server** or paying for another seat.
172
+
173
+ ### When it doesn't
174
+
175
+ - For pure CVE / dependency vulnerability scanning, use [Snyk](https://snyk.io), [Dependabot](https://github.com/dependabot), or equivalents β€” they specialize in this and Legacy Squad does not replace them.
176
+ - For continuous CI/CD code-quality gates, use [SonarQube](https://www.sonarsource.com/products/sonarqube/) β€” Legacy Squad is a **diagnostic and planning** framework, not a continuous quality monitor.
177
+ - For in-editor autocomplete or general coding chat, [GitHub Copilot](https://github.com/features/copilot) and [Cursor](https://cursor.sh) already serve that purpose β€” Legacy Squad starts where those stop.
178
+
179
+ ---
180
+ ## How It Works
181
+
182
+ ```
183
+ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
184
+ β”‚ npx legacy-squad β”‚
185
+ β”‚ install β”‚
186
+ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
187
+ β”‚
188
+ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
189
+ β–Ό β–Ό β–Ό
190
+ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
191
+ β”‚ Scanner β”‚ β”‚ Compliance β”‚ β”‚ Context β”‚
192
+ β”‚ (stack, β”‚ β”‚ Engine β”‚ β”‚ Manager β”‚
193
+ β”‚ modules) β”‚ β”‚ (OWASP) β”‚ β”‚ (packs) β”‚
194
+ β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”˜
195
+ β”‚ β”‚ β”‚
196
+ β–Ό β–Ό β–Ό
197
+ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
198
+ β”‚ .legacy-squad/memory/ β”‚
199
+ β”‚ repo-index.json | findings.json | β”‚
200
+ β”‚ context-packs.json β”‚
201
+ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
202
+ β”‚
203
+ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
204
+ β–Ό β–Ό β–Ό
205
+ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
206
+ β”‚ .claude/ β”‚ β”‚ AGENTS.mdβ”‚ β”‚ .cursor/ β”‚
207
+ β”‚ commands/β”‚ β”‚ (Codex) β”‚ β”‚ rules/ β”‚
208
+ β”‚ (Claude) β”‚ β”‚ β”‚ β”‚ (Cursor) β”‚
209
+ β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜
210
+ β”‚ β”‚ β”‚
211
+ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
212
+ β”‚
213
+ β”Œβ”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”
214
+ β”‚ IDE + AI β”‚
215
+ β”‚ (Claude Codeβ”‚
216
+ β”‚ Codex, β”‚
217
+ β”‚ Cursor) β”‚
218
+ β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”˜
219
+ β”‚
220
+ β”Œβ”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”
221
+ β”‚ Assessments β”‚
222
+ β”‚ + Final PRS β”‚
223
+ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
224
+ ```
225
+
226
+ **The framework prepares data and installs agents. AI runs in the dev's IDE.**
227
+
228
+ Zero API keys required. Zero external server calls. Everything runs locally.
229
+
230
+ ---
231
+
232
+ ## Installed Structure
233
+
234
+ After `npx legacy-squad install`:
235
+
236
+ ```
237
+ your-project/
238
+ β”œβ”€β”€ .legacy-squad/
239
+ β”‚ β”œβ”€β”€ config/
240
+ β”‚ β”‚ └── project.yaml # Detected configuration
241
+ β”‚ β”œβ”€β”€ memory/
242
+ β”‚ β”‚ β”œβ”€β”€ repo-index.json # Repository inventory
243
+ β”‚ β”‚ β”œβ”€β”€ findings.json # Compliance engine findings
244
+ β”‚ β”‚ └── context-packs.json # Context per module
245
+ β”‚ β”œβ”€β”€ outputs/
246
+ β”‚ β”‚ β”œβ”€β”€ assessments/ # Agent assessments (5 .md files)
247
+ β”‚ β”‚ β”œβ”€β”€ reports/ # PRS.md + PRS.json
248
+ β”‚ β”‚ β”œβ”€β”€ sdd/ # SDD.md + SDD.json
249
+ β”‚ β”‚ β”œβ”€β”€ mmp/ # MMP.md + MMP.json
250
+ β”‚ β”‚ └── specs/ # SPEC-*.yaml + INDEX.md
251
+ β”‚ └── logs/
252
+ β”‚ └── install.log
253
+ β”œβ”€β”€ .claude/
254
+ β”‚ └── commands/
255
+ β”‚ └── legacy-squad/
256
+ β”‚ β”œβ”€β”€ security.md # /legacy-squad-security
257
+ β”‚ β”œβ”€β”€ architecture.md # /legacy-squad-architecture
258
+ β”‚ β”œβ”€β”€ legacy-code.md # /legacy-squad-legacy-code
259
+ β”‚ β”œβ”€β”€ business-rules.md # /legacy-squad-business-rules
260
+ β”‚ β”œβ”€β”€ modernization.md # /legacy-squad-modernization
261
+ β”‚ β”œβ”€β”€ generate-prs.md # /legacy-squad-generate-prs
262
+ β”‚ β”œβ”€β”€ generate-sdd.md # /legacy-squad-generate-sdd
263
+ β”‚ β”œβ”€β”€ generate-mmp.md # /legacy-squad-generate-mmp
264
+ β”‚ β”œβ”€β”€ generate-specs.md # /legacy-squad-generate-specs
265
+ β”‚ └── scan.md # /legacy-squad-scan
266
+ └── AGENTS.md # Codex compatibility
267
+ ```
268
+
269
+ ---
270
+
271
+ ## Agents
272
+
273
+ ### Security Agent (`/legacy-squad-security`)
274
+
275
+ Analyzes authentication, secrets, insecure storage, PII exposure, and privacy compliance (LGPD, GDPR).
276
+
277
+ **References:** OWASP MASVS V2, OWASP ASVS, CWE Top 25, LGPD, GDPR, NIST SSDF
278
+
279
+ ### Architecture Agent (`/legacy-squad-architecture`)
280
+
281
+ Maps current architecture with C4 diagrams, identifies coupling, structural risks, and proposes incremental target architecture.
282
+
283
+ **References:** C4 Model, Clean Architecture, arc42, ADR
284
+
285
+ ### Legacy Code Agent (`/legacy-squad-legacy-code`)
286
+
287
+ Identifies hotspots, duplication, JS→TS migration progress, test coverage, and refactoring priorities.
288
+
289
+ **References:** Clean Code, Sonar Rules, Cognitive Complexity
290
+
291
+ ### Business Rules Agent (`/legacy-squad-business-rules`)
292
+
293
+ Extracts business rules hidden in code β€” validations, permissions, flows, magic numbers, implicit rules in catch blocks.
294
+
295
+ **References:** DDD, Event Storming
296
+
297
+ ### Modernization Agent (`/legacy-squad-modernization`)
298
+
299
+ Synthesizes all assessments into an incremental plan with phases, rollback, Deployability Score (1-10), and Execution Readiness Score (0-100).
300
+
301
+ **References:** Strangler Fig, Branch by Abstraction, Progressive Delivery
302
+
303
+ ### PRS Generator (`/legacy-squad-generate-prs`)
304
+
305
+ Consolidates all assessments into the PRS (Product Refactor Specification) β€” the diagnostic report for decision makers.
306
+
307
+ ### SDD Generator (`/legacy-squad-generate-sdd`)
308
+
309
+ Produces the Software Design Document with current and target architecture (Mermaid C4 diagrams), component inventory, integrations, cross-cutting concerns (security, observability, error handling, configuration), constraints, and Architecture Decision Records (ADRs) with alternatives considered.
310
+
311
+ **References:** C4 Model, arc42, ADR, Clean Architecture
312
+
313
+ ### MMP Generator (`/legacy-squad-generate-mmp`)
314
+
315
+ Produces the Modernization Master Plan with phase roadmap (Foundation β†’ Core β†’ Evolution, with optional Emergency phase when critical findings exist), stack upgrade plan, risk matrix, rollback strategy per phase, Execution Readiness Score (0-100) justified dimension by dimension, Deployability Score per phase, and success metrics across security, code quality, test coverage, and architecture.
316
+
317
+ **References:** Strangler Fig, Branch by Abstraction, Progressive Delivery
318
+
319
+ ### Execution Specs Generator (`/legacy-squad-generate-specs`)
320
+
321
+ Decomposes the MMP into atomic Execution Specs β€” one YAML file per unit of work, each individually deployable, with binary acceptance criteria, mandatory rollback strategy, evidence traceability (compliance finding IDs + assessment references), dependency graph between specs, and explicit `human_approval_required` flag for high-risk changes.
322
+
323
+ **References:** FRAMEWORK_SPECIFICATION Section 8 (Execution Spec schema)
324
+
325
+ ---
326
+
327
+ ## Supported Stacks
328
+
329
+ ### Manifest Detection (Layer 1 β€” deterministic)
330
+
331
+ | Manifest | Stack |
332
+ |----------|-------|
333
+ | `package.json` | Node.js, React, React Native, Expo, Next.js |
334
+ | `composer.json` | PHP, Laravel |
335
+ | `.csproj` | C#, .NET |
336
+ | `pom.xml` | Java, Spring Boot |
337
+
338
+ ### Extension Detection (Layer 2 β€” heuristic)
339
+
340
+ TypeScript, JavaScript, PHP, C#, Java, Python, Dart
341
+
342
+ ---
343
+
344
+ ## Compliance Engine
345
+
346
+ The scanner automatically runs deterministic rules based on OWASP and CWE:
347
+
348
+ | Rule | Detects | Stacks | Reference |
349
+ |------|---------|--------|-----------|
350
+ | SEC-CRED-001 | Hardcoded credentials (passwords, API keys, tokens) | all | OWASP MASVS, CWE-798 |
351
+ | SEC-CRED-002 | Keystores/certificates committed to repository | mobile, all | OWASP MASVS, CWE-312 |
352
+ | SEC-SQL-001 | SQL injection (string concatenation in queries) | PHP, .NET, Java, Node | OWASP A03, CWE-89 |
353
+ | SEC-CRYPTO-001 | Weak cryptography (MD5, SHA1) | PHP, .NET, Java, Node | OWASP A02, CWE-327 |
354
+ | SEC-DESER-001 | Insecure deserialization (BinaryFormatter, `unserialize`, `readObject`) | .NET, PHP, Java | OWASP A08, CWE-502 |
355
+ | SEC-CMD-001 | Command injection (`exec`, `Runtime.exec`, `shell_exec` with user input) | PHP, .NET, Java, Node | OWASP A03, CWE-78 |
356
+ | SEC-PATH-001 | Path traversal (unvalidated file paths) | PHP, .NET, Java, Node | OWASP A01, CWE-22 |
357
+ | SEC-XSS-001 | XSS via unescaped output (`echo $_GET`, `Html.Raw`) | PHP, .NET | OWASP A03, CWE-79 |
358
+ | SEC-LOG-001 | Active `console.log` in production | JS/TS, mobile | CWE-532 |
359
+ | SEC-LOG-002 | PII (CPF, SSN, IDs) in logs/external services | all | CWE-532, LGPD/GDPR |
360
+ | SEC-ERR-001 | Empty catch blocks | all | CWE-390 |
361
+ | SEC-STORE-001 | Token in AsyncStorage (insecure storage) | mobile | OWASP MASVS |
362
+ | CQ-MIX-001 | Mixed JS and TS files (incomplete TS migration) | JS/TS | Clean Code |
363
+ | CQ-DEPRECATED-001 | Deprecated APIs (`mysql_*`, `ereg`, `Vector`) | PHP, Java | CVE-classified |
364
+
365
+ Every finding includes: evidence (file, line, snippet), impact, technical reference, and recommendation.
366
+
367
+ ---
368
+
369
+ ## Principles
370
+
371
+ | Principle | Description |
372
+ |-----------|-------------|
373
+ | **Install-First** | One command installs everything. No manual setup. |
374
+ | **IDE-Native** | Agents are IDE slash commands. AI comes from the dev's environment. |
375
+ | **Evidence-Driven** | Every finding has concrete evidence (file, line, snippet). |
376
+ | **Context-First** | No LLM receives the entire repository β€” only context packs. |
377
+ | **Read-Only** | The framework does not modify code. It only reads and generates reports. |
378
+ | **Production-First** | Every recommendation assumes the system is in production. |
379
+ | **Incremental** | Every modernization step is incremental, reversible, and deployable. |
380
+
381
+ ---
382
+
383
+ ## Validated in Production
384
+
385
+ The framework was validated against a **production mobile app** (~18k lines of code, 98 dependencies, real financial transactions):
386
+
387
+ **Compliance Engine (deterministic):** 7 findings via pattern matching
388
+
389
+ **AI Agents (via Claude Code):** +43 additional findings, including:
390
+ - Service account credentials decoded from Base64 in source code
391
+ - Remote config flag capable of bypassing all authentication in production
392
+ - User passwords logged in plaintext to a cloud database
393
+ - PII used as primary key in a cloud database (enumerable)
394
+ - Session recording capturing sensitive data without user consent
395
+ - 63 business rules extracted from code (11 implicit, never documented)
396
+ - Potential bug in a date calculation affecting core business logic
397
+
398
+ **Generated artifacts (4 official deliverables of V1):**
399
+ - **PRS** β€” Product Refactor Specification consolidating the diagnostic
400
+ - **SDD** β€” Software Design Document with current/target architecture and 8 ADRs
401
+ - **MMP** β€” Modernization Master Plan with 4-phase roadmap (Emergency β†’ Foundation β†’ Core β†’ Evolution), Execution Readiness Score 38β†’88/100, Deployability scores per phase, and concrete rollback strategies
402
+ - **37 Execution Specs** β€” atomic, individually deployable units of work with binary acceptance criteria, mandatory rollback, evidence traceability, and dependency graph
403
+
404
+ **Total:** 50 findings + 4 consolidated artifacts + 37 executable specs from a single `npx legacy-squad install` followed by 9 slash command activations.
405
+
406
+ ---
407
+
408
+ ## Open Core
409
+
410
+ ### Community Edition (V1) β€” Open Source
411
+
412
+ Focus: **Understand + Plan**
413
+
414
+ - Scanner with multi-stack detection (PHP/Laravel/Symfony, .NET/ASP.NET, Java/Spring, Node, React Native/Expo)
415
+ - Compliance Engine with 14 deterministic rules (OWASP MASVS, ASVS, CWE Top 25)
416
+ - Context Manager (basic)
417
+ - **5 analysis agents** as slash commands: security, architecture, legacy-code, business-rules, modernization
418
+ - **4 artifact generators** as slash commands: PRS, SDD, MMP, Execution Specs
419
+ - Claude Code, Codex CLI support (Cursor / Gemini CLI on the roadmap)
420
+
421
+ ### Enterprise Edition (V2) β€” In development
422
+
423
+ Focus: **Modernize**
424
+
425
+ - Execution Engine (AI-assisted refactoring)
426
+ - Pull Request Engine
427
+ - QA Gates
428
+ - CI/CD Integration
429
+ - Custom Rule Packs
430
+ - Dashboard + Team Collaboration
431
+
432
+ ---
433
+
434
+ ## Roadmap
435
+
436
+ | Horizon | Phase | Status |
437
+ |---|---|---|
438
+ | **Now** | V1 Community β€” continuous improvements | πŸ”΅ Active |
439
+ | **Next** | V2 Enterprise β€” execution, refactoring, PRs | 🟑 In design |
440
+ | **Later** | V3 Autonomous β€” continuous modernization | βšͺ Vision |
441
+
442
+ [**β†’ Full roadmap**](ROADMAP.md)
443
+
444
+ ---
445
+
446
+ ## Development
447
+
448
+ ```bash
449
+ git clone https://github.com/hrpimenta/legacy-squad.git
450
+ cd legacy-squad
451
+ pnpm install
452
+ pnpm approve-builds esbuild
453
+
454
+ # Tests
455
+ npx vitest run
456
+
457
+ # Dev mode (no build)
458
+ npx tsx apps/cli/src/index.ts install -p /path/to/project
459
+
460
+ # Build
461
+ node build.mjs
462
+
463
+ # Test bundled version
464
+ node dist/cli.mjs install -p /path/to/project
465
+ ```
466
+
467
+ ### Monorepo Structure
468
+
469
+ ```
470
+ legacy-squad/
471
+ β”œβ”€β”€ packages/
472
+ β”‚ β”œβ”€β”€ core/ # Domain types, ports (Clean Architecture)
473
+ β”‚ β”œβ”€β”€ scanner/ # Stack detection, repo index generation
474
+ β”‚ β”œβ”€β”€ context/ # Context packs builder
475
+ β”‚ β”œβ”€β”€ rules/ # Compliance engine, rule catalog
476
+ β”‚ β”œβ”€β”€ agents/ # Agent definitions, installer, doctor
477
+ β”‚ └── output/ # PRS generator
478
+ β”œβ”€β”€ apps/
479
+ β”‚ └── cli/ # CLI entry point (Commander.js)
480
+ β”œβ”€β”€ templates/
481
+ β”‚ └── claude-commands/ # Slash command templates
482
+ └── docs/
483
+ └── plans/ # Architecture decisions, plans
484
+ ```
485
+
486
+ ### Tests
487
+
488
+ ```bash
489
+ npx vitest run # 93 tests (domain, scanner, compliance, agents, installer)
490
+ npx vitest --watch # Watch mode
491
+ ```
492
+
493
+ ---
494
+
495
+ ## Contributing
496
+
497
+ We welcome contributions. See [CONTRIBUTING.md](CONTRIBUTING.md) for:
498
+
499
+ - How to add a Compliance Engine rule
500
+ - How to improve agent templates
501
+ - How to add IDE support
502
+ - Engineering standards (TDD, SOLID, security)
503
+ - Commit conventions and PR process
504
+
505
+ For questions and proposals, [open a discussion](https://github.com/hrpimenta/legacy-squad/discussions).
506
+
507
+ ---
508
+
509
+ ## License
510
+
511
+ MIT β€” see [LICENSE](LICENSE) for details.
512
+
513
+ ---
514
+
515
+ <p align="center">
516
+ <strong>Understand. Plan. Modernize.</strong>
517
+ <br>
518
+ <em>Legacy Squad Framework</em>
519
+ </p>