legacy-squad 1.0.0 β 1.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -21
- package/README.md +519 -431
- package/README.pt-br.md +524 -431
- package/dist/cli.mjs +194 -73
- package/dist/templates/claude-commands/architecture.md +2 -1
- package/dist/templates/claude-commands/business-rules.md +52 -52
- package/dist/templates/claude-commands/generate-mmp.md +3 -1
- package/dist/templates/claude-commands/generate-prs.md +2 -1
- package/dist/templates/claude-commands/generate-sdd.md +3 -1
- package/dist/templates/claude-commands/generate-specs.md +1 -1
- package/dist/templates/claude-commands/legacy-code.md +2 -1
- package/dist/templates/claude-commands/modernization.md +2 -1
- package/dist/templates/claude-commands/scan.md +1 -1
- package/dist/templates/claude-commands/security.md +2 -1
- package/package.json +4 -3
package/README.md
CHANGED
|
@@ -1,431 +1,519 @@
|
|
|
1
|
-
<p align="center">
|
|
2
|
-
<h1 align="center">Legacy Squad Framework</h1>
|
|
3
|
-
<p align="center"><strong>AI-Powered Legacy Modernization Platform</strong></p>
|
|
4
|
-
<p align="center"><em>Understand. Plan. Modernize.</em></p>
|
|
5
|
-
<p align="center">
|
|
6
|
-
<a href="README.pt-br.md">π§π· PortuguΓͺs</a> Β· <strong>πΊπΈ English</strong>
|
|
7
|
-
</p>
|
|
8
|
-
</p>
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
|
45
|
-
|
|
46
|
-
| **
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
```bash
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
```
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
```
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
|
|
121
|
-
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
|
|
125
|
-
|
|
126
|
-
|
|
127
|
-
|
|
128
|
-
|
|
129
|
-
|
|
130
|
-
|
|
131
|
-
|
|
132
|
-
|
|
133
|
-
|
|
134
|
-
|
|
135
|
-
|
|
136
|
-
|
|
137
|
-
|
|
138
|
-
|
|
139
|
-
|
|
140
|
-
|
|
141
|
-
|
|
142
|
-
|
|
143
|
-
|
|
144
|
-
|
|
145
|
-
|
|
146
|
-
|
|
147
|
-
|
|
148
|
-
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
|
|
156
|
-
|
|
157
|
-
|
|
158
|
-
|
|
159
|
-
|
|
160
|
-
|
|
161
|
-
|
|
162
|
-
|
|
163
|
-
|
|
164
|
-
|
|
165
|
-
|
|
166
|
-
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
|
|
172
|
-
|
|
173
|
-
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
177
|
-
|
|
178
|
-
|
|
179
|
-
|
|
180
|
-
|
|
181
|
-
|
|
182
|
-
```
|
|
183
|
-
|
|
184
|
-
|
|
185
|
-
|
|
186
|
-
|
|
187
|
-
|
|
188
|
-
|
|
189
|
-
|
|
190
|
-
|
|
191
|
-
|
|
192
|
-
|
|
193
|
-
|
|
194
|
-
|
|
195
|
-
|
|
196
|
-
|
|
197
|
-
|
|
198
|
-
|
|
199
|
-
|
|
200
|
-
|
|
201
|
-
|
|
202
|
-
|
|
203
|
-
|
|
204
|
-
|
|
205
|
-
|
|
206
|
-
|
|
207
|
-
|
|
208
|
-
|
|
209
|
-
|
|
210
|
-
|
|
211
|
-
|
|
212
|
-
|
|
213
|
-
|
|
214
|
-
|
|
215
|
-
|
|
216
|
-
|
|
217
|
-
|
|
218
|
-
|
|
219
|
-
|
|
220
|
-
|
|
221
|
-
|
|
222
|
-
|
|
223
|
-
|
|
224
|
-
|
|
225
|
-
|
|
226
|
-
|
|
227
|
-
|
|
228
|
-
|
|
229
|
-
|
|
230
|
-
|
|
231
|
-
|
|
232
|
-
|
|
233
|
-
|
|
234
|
-
|
|
235
|
-
|
|
236
|
-
|
|
237
|
-
|
|
238
|
-
|
|
239
|
-
|
|
240
|
-
|
|
241
|
-
|
|
242
|
-
|
|
243
|
-
|
|
244
|
-
|
|
245
|
-
|
|
246
|
-
|
|
247
|
-
|
|
248
|
-
|
|
249
|
-
|
|
250
|
-
|
|
251
|
-
|
|
252
|
-
|
|
253
|
-
|
|
254
|
-
|
|
255
|
-
|
|
256
|
-
|
|
257
|
-
|
|
258
|
-
|
|
259
|
-
|
|
260
|
-
|
|
261
|
-
|
|
262
|
-
|
|
263
|
-
|
|
264
|
-
|
|
265
|
-
|
|
266
|
-
|
|
267
|
-
|
|
268
|
-
|
|
269
|
-
|
|
270
|
-
|
|
271
|
-
|
|
272
|
-
|
|
273
|
-
|
|
274
|
-
|
|
275
|
-
|
|
276
|
-
|
|
277
|
-
|
|
278
|
-
|
|
279
|
-
|
|
280
|
-
|
|
281
|
-
|
|
282
|
-
|
|
283
|
-
|
|
284
|
-
|
|
285
|
-
|
|
286
|
-
|
|
287
|
-
|
|
288
|
-
|
|
289
|
-
**
|
|
290
|
-
|
|
291
|
-
|
|
292
|
-
|
|
293
|
-
|
|
294
|
-
|
|
295
|
-
**
|
|
296
|
-
|
|
297
|
-
|
|
298
|
-
|
|
299
|
-
|
|
300
|
-
|
|
301
|
-
|
|
302
|
-
|
|
303
|
-
|
|
304
|
-
|
|
305
|
-
|
|
306
|
-
|
|
307
|
-
|
|
308
|
-
|
|
309
|
-
|
|
310
|
-
|
|
311
|
-
|
|
312
|
-
|
|
313
|
-
|
|
314
|
-
|
|
315
|
-
|
|
316
|
-
|
|
317
|
-
|
|
318
|
-
|
|
319
|
-
|
|
320
|
-
|
|
321
|
-
|
|
322
|
-
|
|
323
|
-
|
|
324
|
-
|
|
325
|
-
|
|
326
|
-
|
|
327
|
-
|
|
328
|
-
|
|
329
|
-
|
|
330
|
-
|
|
331
|
-
|
|
332
|
-
|
|
333
|
-
|
|
334
|
-
|
|
335
|
-
|
|
336
|
-
|
|
337
|
-
|
|
338
|
-
|
|
339
|
-
|
|
340
|
-
|
|
341
|
-
|
|
342
|
-
|
|
343
|
-
|
|
344
|
-
|
|
345
|
-
|
|
346
|
-
|
|
347
|
-
|
|
348
|
-
|
|
349
|
-
|
|
350
|
-
-
|
|
351
|
-
|
|
352
|
-
|
|
353
|
-
|
|
354
|
-
|
|
355
|
-
|
|
356
|
-
|
|
357
|
-
|
|
358
|
-
|
|
359
|
-
|
|
360
|
-
|
|
361
|
-
|
|
362
|
-
|
|
363
|
-
|
|
364
|
-
|
|
365
|
-
|
|
366
|
-
|
|
367
|
-
|
|
368
|
-
|
|
369
|
-
|
|
370
|
-
|
|
371
|
-
|
|
372
|
-
|
|
373
|
-
|
|
374
|
-
|
|
375
|
-
|
|
376
|
-
|
|
377
|
-
|
|
378
|
-
|
|
379
|
-
|
|
380
|
-
|
|
381
|
-
|
|
382
|
-
|
|
383
|
-
|
|
384
|
-
|
|
385
|
-
|
|
386
|
-
|
|
387
|
-
|
|
388
|
-
|
|
389
|
-
|
|
390
|
-
|
|
391
|
-
|
|
392
|
-
|
|
393
|
-
|
|
394
|
-
|
|
395
|
-
|
|
396
|
-
|
|
397
|
-
|
|
398
|
-
|
|
399
|
-
|
|
400
|
-
|
|
401
|
-
|
|
402
|
-
|
|
403
|
-
|
|
404
|
-
|
|
405
|
-
|
|
406
|
-
|
|
407
|
-
|
|
408
|
-
|
|
409
|
-
|
|
410
|
-
|
|
411
|
-
|
|
412
|
-
|
|
413
|
-
|
|
414
|
-
-
|
|
415
|
-
-
|
|
416
|
-
-
|
|
417
|
-
-
|
|
418
|
-
|
|
419
|
-
|
|
420
|
-
|
|
421
|
-
|
|
422
|
-
|
|
423
|
-
|
|
424
|
-
|
|
425
|
-
|
|
426
|
-
|
|
427
|
-
|
|
428
|
-
|
|
429
|
-
|
|
430
|
-
|
|
431
|
-
|
|
1
|
+
<p align="center">
|
|
2
|
+
<h1 align="center">Legacy Squad Framework</h1>
|
|
3
|
+
<p align="center"><strong>AI-Powered Legacy Modernization Platform</strong></p>
|
|
4
|
+
<p align="center"><em>Understand. Plan. Modernize.</em></p>
|
|
5
|
+
<p align="center">
|
|
6
|
+
<a href="README.pt-br.md">π§π· PortuguΓͺs</a> Β· <strong>πΊπΈ English</strong>
|
|
7
|
+
</p>
|
|
8
|
+
</p>
|
|
9
|
+
|
|
10
|
+
<p align="center">
|
|
11
|
+
<a href="https://www.npmjs.com/package/legacy-squad"><img src="https://img.shields.io/npm/v/legacy-squad?color=cb3837&label=npm" alt="npm version"></a>
|
|
12
|
+
<a href="https://www.npmjs.com/package/legacy-squad"><img src="https://img.shields.io/npm/dm/legacy-squad?color=blue" alt="downloads"></a>
|
|
13
|
+
<a href="https://github.com/hrpimenta/legacy-squad/blob/main/LICENSE"><img src="https://img.shields.io/badge/license-MIT-green.svg" alt="license"></a>
|
|
14
|
+
<a href="https://github.com/hrpimenta/legacy-squad/stargazers"><img src="https://img.shields.io/github/stars/hrpimenta/legacy-squad?style=social" alt="stars"></a>
|
|
15
|
+
<img src="https://img.shields.io/badge/status-beta-orange" alt="beta">
|
|
16
|
+
<img src="https://img.shields.io/badge/node-%E2%89%A518-brightgreen" alt="node">
|
|
17
|
+
</p>
|
|
18
|
+
|
|
19
|
+
---
|
|
20
|
+
|
|
21
|
+
> **One command. Five AI agents in your IDE.**
|
|
22
|
+
> **50 findings, 4 engineering documents, and 37 execution specs** β without changing a single line of your code.
|
|
23
|
+
|
|
24
|
+
```bash
|
|
25
|
+
npx legacy-squad install
|
|
26
|
+
```
|
|
27
|
+
|
|
28
|
+
<p align="center">
|
|
29
|
+
<img src="docs/assets/demo.svg" alt="Legacy Squad install output" width="780">
|
|
30
|
+
</p>
|
|
31
|
+
|
|
32
|
+
<p align="center">
|
|
33
|
+
π <strong>Zero API keys</strong> Β·
|
|
34
|
+
βοΈ <strong>Zero external servers</strong> Β·
|
|
35
|
+
π» <strong>Runs in your own IDE</strong> (Claude Code, Codex, Cursor)
|
|
36
|
+
</p>
|
|
37
|
+
|
|
38
|
+
---
|
|
39
|
+
|
|
40
|
+
## π Validated in Production
|
|
41
|
+
|
|
42
|
+
Real production mobile app β **~18,000 LoC**, **98 dependencies**, real financial transactions:
|
|
43
|
+
|
|
44
|
+
| | |
|
|
45
|
+
|---|---|
|
|
46
|
+
| π **50 findings** (7 deterministic + 43 from AI agents) | π **63 business rules** extracted from code (11 implicit) |
|
|
47
|
+
| π **4 official documents** (PRS Β· SDD Β· MMP Β· Specs) | π― **37 execution specs**, atomic and deployable |
|
|
48
|
+
| π **Execution Readiness:** 38 β 88 / 100 | π **Deployability:** scored per phase |
|
|
49
|
+
|
|
50
|
+
From a single `npx legacy-squad install` followed by 9 slash commands in the IDE.
|
|
51
|
+
|
|
52
|
+
[**β Read the full case study**](docs/CASE_STUDY.md)
|
|
53
|
+
|
|
54
|
+
---
|
|
55
|
+
## π Quick Start
|
|
56
|
+
|
|
57
|
+
> From zero to your first AI-generated finding in minutes.
|
|
58
|
+
|
|
59
|
+
### Prerequisites
|
|
60
|
+
|
|
61
|
+
- **Node.js β₯ 18**
|
|
62
|
+
- **An AI-enabled IDE:** [Claude Code](https://docs.anthropic.com/en/docs/claude-code), [Codex CLI](https://github.com/openai/codex), or [Cursor](https://cursor.sh)
|
|
63
|
+
|
|
64
|
+
### 1. Install in your legacy project
|
|
65
|
+
|
|
66
|
+
```bash
|
|
67
|
+
cd your-legacy-project
|
|
68
|
+
npx legacy-squad install
|
|
69
|
+
```
|
|
70
|
+
|
|
71
|
+
Immediately after, you'll see the framework artifacts in `.legacy-squad/memory/`:
|
|
72
|
+
|
|
73
|
+
- `repo-index.json` β full inventory (stack, modules, dependencies, integrations)
|
|
74
|
+
- `findings.json` β deterministic security findings (OWASP / CWE)
|
|
75
|
+
- `context-packs.json` β context per module, prepared for the AI agents
|
|
76
|
+
|
|
77
|
+
<details>
|
|
78
|
+
<summary><strong>What the install command does internally</strong></summary>
|
|
79
|
+
|
|
80
|
+
1. Detects the stack via manifest (`package.json`, `composer.json`, `.csproj`, `pom.xml`)
|
|
81
|
+
2. Scans the repository and builds the inventory
|
|
82
|
+
3. Runs the Compliance Engine with OWASP / CWE rules
|
|
83
|
+
4. Generates Context Packs per module (token-efficient)
|
|
84
|
+
5. Installs the 9 agents as slash commands in your IDE
|
|
85
|
+
6. Verifies the installation (8 health checks)
|
|
86
|
+
|
|
87
|
+
</details>
|
|
88
|
+
|
|
89
|
+
### 2. Run your first AI agent
|
|
90
|
+
|
|
91
|
+
Open your IDE in the project and trigger the Security Agent.
|
|
92
|
+
|
|
93
|
+
**Claude Code**
|
|
94
|
+
```bash
|
|
95
|
+
claude
|
|
96
|
+
/legacy-squad-security
|
|
97
|
+
```
|
|
98
|
+
|
|
99
|
+
**Codex CLI**
|
|
100
|
+
```bash
|
|
101
|
+
codex
|
|
102
|
+
@legacy-squad-security
|
|
103
|
+
```
|
|
104
|
+
|
|
105
|
+
The assessment is written to:
|
|
106
|
+
|
|
107
|
+
```
|
|
108
|
+
.legacy-squad/outputs/assessments/security.md
|
|
109
|
+
```
|
|
110
|
+
|
|
111
|
+
Evidence-driven: every finding includes file:line references, OWASP / CWE mapping, impact, and recommendation β generated by AI running entirely inside your IDE.
|
|
112
|
+
|
|
113
|
+
### 3. Run the full diagnostic
|
|
114
|
+
|
|
115
|
+
Once you're satisfied with the first agent, run the remaining four and the four artifact generators.
|
|
116
|
+
|
|
117
|
+
<details>
|
|
118
|
+
<summary><strong>Full workflow β 5 agents + 4 generators</strong></summary>
|
|
119
|
+
|
|
120
|
+
**Step 1 β Analysis (run in order)**
|
|
121
|
+
|
|
122
|
+
```bash
|
|
123
|
+
/legacy-squad-security # Security Agent
|
|
124
|
+
/legacy-squad-architecture # Architecture Agent
|
|
125
|
+
/legacy-squad-legacy-code # Legacy Code Agent
|
|
126
|
+
/legacy-squad-business-rules # Business Rules Agent
|
|
127
|
+
/legacy-squad-modernization # Modernization Agent
|
|
128
|
+
```
|
|
129
|
+
|
|
130
|
+
**Step 2 β Consolidated artifacts (run after analysis)**
|
|
131
|
+
|
|
132
|
+
```bash
|
|
133
|
+
/legacy-squad-generate-prs # Product Refactor Specification
|
|
134
|
+
/legacy-squad-generate-sdd # Software Design Document
|
|
135
|
+
/legacy-squad-generate-mmp # Modernization Master Plan
|
|
136
|
+
/legacy-squad-generate-specs # Execution Specs (one YAML per unit of work)
|
|
137
|
+
```
|
|
138
|
+
|
|
139
|
+
</details>
|
|
140
|
+
|
|
141
|
+
### Other commands
|
|
142
|
+
|
|
143
|
+
```bash
|
|
144
|
+
npx legacy-squad scan # Re-scan without reinstalling agents
|
|
145
|
+
npx legacy-squad doctor # Verify installation health
|
|
146
|
+
```
|
|
147
|
+
## Why Legacy Squad
|
|
148
|
+
|
|
149
|
+
Most existing tools cover one dimension of legacy modernization. Legacy Squad covers the full lifecycle β from inventory to executable plan β and treats AI agents as **methodology-bound contributors**, not free-form chat.
|
|
150
|
+
|
|
151
|
+
| Capability | Static Analyzers<br>(SonarQube) | SAST / SCA<br>(Snyk, Checkmarx) | AI Coding Assistants<br>(Copilot, Cursor) | **Legacy Squad** |
|
|
152
|
+
|---|:---:|:---:|:---:|:---:|
|
|
153
|
+
| Deterministic security rules (OWASP / CWE) | β
| β
| β | β
|
|
|
154
|
+
| CVE / dependency vulnerabilities | β | β
| β | β |
|
|
155
|
+
| Code smells & cognitive complexity | β
| partial | β | β
|
|
|
156
|
+
| Architecture mapping (C4, coupling) | β | β | β | β
|
|
|
157
|
+
| Business rules extraction from code | β | β | β | β
|
|
|
158
|
+
| Phased modernization plan (MMP) | β | β | β | β
|
|
|
159
|
+
| Atomic, deployable execution specs | β | β | β | β
|
|
|
160
|
+
| AI agents with evidence-bound output | β | β | free-form | β
|
|
|
161
|
+
| Runs in your own IDE (no server, no API key) | β | β | β
| β
|
|
|
162
|
+
| Repository never sent in full to an LLM | n/a | n/a | β | β
|
|
|
163
|
+
|
|
164
|
+
In one sentence: Legacy Squad pairs **deterministic scanning** with **methodology-bound AI agents** that produce **structured engineering artifacts** (PRS, SDD, MMP, Execution Specs) β not chat history.
|
|
165
|
+
|
|
166
|
+
### When Legacy Squad fits
|
|
167
|
+
|
|
168
|
+
- You have a legacy system in production and need a **structured diagnostic** before deciding what to modernize.
|
|
169
|
+
- You want every finding to carry **evidence, framework reference, impact, and recommendation** β not unjustified suggestions.
|
|
170
|
+
- You need a **phased modernization plan** that is reversible, deployable, and approvable by humans before execution.
|
|
171
|
+
- You want AI assistance **without sending your codebase to an external server** or paying for another seat.
|
|
172
|
+
|
|
173
|
+
### When it doesn't
|
|
174
|
+
|
|
175
|
+
- For pure CVE / dependency vulnerability scanning, use [Snyk](https://snyk.io), [Dependabot](https://github.com/dependabot), or equivalents β they specialize in this and Legacy Squad does not replace them.
|
|
176
|
+
- For continuous CI/CD code-quality gates, use [SonarQube](https://www.sonarsource.com/products/sonarqube/) β Legacy Squad is a **diagnostic and planning** framework, not a continuous quality monitor.
|
|
177
|
+
- For in-editor autocomplete or general coding chat, [GitHub Copilot](https://github.com/features/copilot) and [Cursor](https://cursor.sh) already serve that purpose β Legacy Squad starts where those stop.
|
|
178
|
+
|
|
179
|
+
---
|
|
180
|
+
## How It Works
|
|
181
|
+
|
|
182
|
+
```
|
|
183
|
+
βββββββββββββββββββββββ
|
|
184
|
+
β npx legacy-squad β
|
|
185
|
+
β install β
|
|
186
|
+
βββββββββββ¬ββββββββββββ
|
|
187
|
+
β
|
|
188
|
+
βββββββββββββββββΌββββββββββββββββ
|
|
189
|
+
βΌ βΌ βΌ
|
|
190
|
+
ββββββββββββ ββββββββββββββ ββββββββββββββ
|
|
191
|
+
β Scanner β β Compliance β β Context β
|
|
192
|
+
β (stack, β β Engine β β Manager β
|
|
193
|
+
β modules) β β (OWASP) β β (packs) β
|
|
194
|
+
ββββββ¬ββββββ βββββββ¬βββββββ βββββββ¬βββββββ
|
|
195
|
+
β β β
|
|
196
|
+
βΌ βΌ βΌ
|
|
197
|
+
ββββββββββββββββββββββββββββββββββββββββββββ
|
|
198
|
+
β .legacy-squad/memory/ β
|
|
199
|
+
β repo-index.json | findings.json | β
|
|
200
|
+
β context-packs.json β
|
|
201
|
+
ββββββββββββββββββββ¬ββββββββββββββββββββββββ
|
|
202
|
+
β
|
|
203
|
+
ββββββββββββββΌβββββββββββββ
|
|
204
|
+
βΌ βΌ βΌ
|
|
205
|
+
ββββββββββββ ββββββββββββ ββββββββββββ
|
|
206
|
+
β .claude/ β β AGENTS.mdβ β .cursor/ β
|
|
207
|
+
β commands/β β (Codex) β β rules/ β
|
|
208
|
+
β (Claude) β β β β (Cursor) β
|
|
209
|
+
ββββββ¬ββββββ ββββββ¬ββββββ ββββββ¬ββββββ
|
|
210
|
+
β β β
|
|
211
|
+
βββββββββββββββΌββββββββββββββ
|
|
212
|
+
β
|
|
213
|
+
ββββββββΌβββββββ
|
|
214
|
+
β IDE + AI β
|
|
215
|
+
β (Claude Codeβ
|
|
216
|
+
β Codex, β
|
|
217
|
+
β Cursor) β
|
|
218
|
+
ββββββββ¬βββββββ
|
|
219
|
+
β
|
|
220
|
+
ββββββββΌβββββββ
|
|
221
|
+
β Assessments β
|
|
222
|
+
β + Final PRS β
|
|
223
|
+
βββββββββββββββ
|
|
224
|
+
```
|
|
225
|
+
|
|
226
|
+
**The framework prepares data and installs agents. AI runs in the dev's IDE.**
|
|
227
|
+
|
|
228
|
+
Zero API keys required. Zero external server calls. Everything runs locally.
|
|
229
|
+
|
|
230
|
+
---
|
|
231
|
+
|
|
232
|
+
## Installed Structure
|
|
233
|
+
|
|
234
|
+
After `npx legacy-squad install`:
|
|
235
|
+
|
|
236
|
+
```
|
|
237
|
+
your-project/
|
|
238
|
+
βββ .legacy-squad/
|
|
239
|
+
β βββ config/
|
|
240
|
+
β β βββ project.yaml # Detected configuration
|
|
241
|
+
β βββ memory/
|
|
242
|
+
β β βββ repo-index.json # Repository inventory
|
|
243
|
+
β β βββ findings.json # Compliance engine findings
|
|
244
|
+
β β βββ context-packs.json # Context per module
|
|
245
|
+
β βββ outputs/
|
|
246
|
+
β β βββ assessments/ # Agent assessments (5 .md files)
|
|
247
|
+
β β βββ reports/ # PRS.md + PRS.json
|
|
248
|
+
β β βββ sdd/ # SDD.md + SDD.json
|
|
249
|
+
β β βββ mmp/ # MMP.md + MMP.json
|
|
250
|
+
β β βββ specs/ # SPEC-*.yaml + INDEX.md
|
|
251
|
+
β βββ logs/
|
|
252
|
+
β βββ install.log
|
|
253
|
+
βββ .claude/
|
|
254
|
+
β βββ commands/
|
|
255
|
+
β βββ legacy-squad/
|
|
256
|
+
β βββ security.md # /legacy-squad-security
|
|
257
|
+
β βββ architecture.md # /legacy-squad-architecture
|
|
258
|
+
β βββ legacy-code.md # /legacy-squad-legacy-code
|
|
259
|
+
β βββ business-rules.md # /legacy-squad-business-rules
|
|
260
|
+
β βββ modernization.md # /legacy-squad-modernization
|
|
261
|
+
β βββ generate-prs.md # /legacy-squad-generate-prs
|
|
262
|
+
β βββ generate-sdd.md # /legacy-squad-generate-sdd
|
|
263
|
+
β βββ generate-mmp.md # /legacy-squad-generate-mmp
|
|
264
|
+
β βββ generate-specs.md # /legacy-squad-generate-specs
|
|
265
|
+
β βββ scan.md # /legacy-squad-scan
|
|
266
|
+
βββ AGENTS.md # Codex compatibility
|
|
267
|
+
```
|
|
268
|
+
|
|
269
|
+
---
|
|
270
|
+
|
|
271
|
+
## Agents
|
|
272
|
+
|
|
273
|
+
### Security Agent (`/legacy-squad-security`)
|
|
274
|
+
|
|
275
|
+
Analyzes authentication, secrets, insecure storage, PII exposure, and privacy compliance (LGPD, GDPR).
|
|
276
|
+
|
|
277
|
+
**References:** OWASP MASVS V2, OWASP ASVS, CWE Top 25, LGPD, GDPR, NIST SSDF
|
|
278
|
+
|
|
279
|
+
### Architecture Agent (`/legacy-squad-architecture`)
|
|
280
|
+
|
|
281
|
+
Maps current architecture with C4 diagrams, identifies coupling, structural risks, and proposes incremental target architecture.
|
|
282
|
+
|
|
283
|
+
**References:** C4 Model, Clean Architecture, arc42, ADR
|
|
284
|
+
|
|
285
|
+
### Legacy Code Agent (`/legacy-squad-legacy-code`)
|
|
286
|
+
|
|
287
|
+
Identifies hotspots, duplication, JSβTS migration progress, test coverage, and refactoring priorities.
|
|
288
|
+
|
|
289
|
+
**References:** Clean Code, Sonar Rules, Cognitive Complexity
|
|
290
|
+
|
|
291
|
+
### Business Rules Agent (`/legacy-squad-business-rules`)
|
|
292
|
+
|
|
293
|
+
Extracts business rules hidden in code β validations, permissions, flows, magic numbers, implicit rules in catch blocks.
|
|
294
|
+
|
|
295
|
+
**References:** DDD, Event Storming
|
|
296
|
+
|
|
297
|
+
### Modernization Agent (`/legacy-squad-modernization`)
|
|
298
|
+
|
|
299
|
+
Synthesizes all assessments into an incremental plan with phases, rollback, Deployability Score (1-10), and Execution Readiness Score (0-100).
|
|
300
|
+
|
|
301
|
+
**References:** Strangler Fig, Branch by Abstraction, Progressive Delivery
|
|
302
|
+
|
|
303
|
+
### PRS Generator (`/legacy-squad-generate-prs`)
|
|
304
|
+
|
|
305
|
+
Consolidates all assessments into the PRS (Product Refactor Specification) β the diagnostic report for decision makers.
|
|
306
|
+
|
|
307
|
+
### SDD Generator (`/legacy-squad-generate-sdd`)
|
|
308
|
+
|
|
309
|
+
Produces the Software Design Document with current and target architecture (Mermaid C4 diagrams), component inventory, integrations, cross-cutting concerns (security, observability, error handling, configuration), constraints, and Architecture Decision Records (ADRs) with alternatives considered.
|
|
310
|
+
|
|
311
|
+
**References:** C4 Model, arc42, ADR, Clean Architecture
|
|
312
|
+
|
|
313
|
+
### MMP Generator (`/legacy-squad-generate-mmp`)
|
|
314
|
+
|
|
315
|
+
Produces the Modernization Master Plan with phase roadmap (Foundation β Core β Evolution, with optional Emergency phase when critical findings exist), stack upgrade plan, risk matrix, rollback strategy per phase, Execution Readiness Score (0-100) justified dimension by dimension, Deployability Score per phase, and success metrics across security, code quality, test coverage, and architecture.
|
|
316
|
+
|
|
317
|
+
**References:** Strangler Fig, Branch by Abstraction, Progressive Delivery
|
|
318
|
+
|
|
319
|
+
### Execution Specs Generator (`/legacy-squad-generate-specs`)
|
|
320
|
+
|
|
321
|
+
Decomposes the MMP into atomic Execution Specs β one YAML file per unit of work, each individually deployable, with binary acceptance criteria, mandatory rollback strategy, evidence traceability (compliance finding IDs + assessment references), dependency graph between specs, and explicit `human_approval_required` flag for high-risk changes.
|
|
322
|
+
|
|
323
|
+
**References:** FRAMEWORK_SPECIFICATION Section 8 (Execution Spec schema)
|
|
324
|
+
|
|
325
|
+
---
|
|
326
|
+
|
|
327
|
+
## Supported Stacks
|
|
328
|
+
|
|
329
|
+
### Manifest Detection (Layer 1 β deterministic)
|
|
330
|
+
|
|
331
|
+
| Manifest | Stack |
|
|
332
|
+
|----------|-------|
|
|
333
|
+
| `package.json` | Node.js, React, React Native, Expo, Next.js |
|
|
334
|
+
| `composer.json` | PHP, Laravel |
|
|
335
|
+
| `.csproj` | C#, .NET |
|
|
336
|
+
| `pom.xml` | Java, Spring Boot |
|
|
337
|
+
|
|
338
|
+
### Extension Detection (Layer 2 β heuristic)
|
|
339
|
+
|
|
340
|
+
TypeScript, JavaScript, PHP, C#, Java, Python, Dart
|
|
341
|
+
|
|
342
|
+
---
|
|
343
|
+
|
|
344
|
+
## Compliance Engine
|
|
345
|
+
|
|
346
|
+
The scanner automatically runs deterministic rules based on OWASP and CWE:
|
|
347
|
+
|
|
348
|
+
| Rule | Detects | Stacks | Reference |
|
|
349
|
+
|------|---------|--------|-----------|
|
|
350
|
+
| SEC-CRED-001 | Hardcoded credentials (passwords, API keys, tokens) | all | OWASP MASVS, CWE-798 |
|
|
351
|
+
| SEC-CRED-002 | Keystores/certificates committed to repository | mobile, all | OWASP MASVS, CWE-312 |
|
|
352
|
+
| SEC-SQL-001 | SQL injection (string concatenation in queries) | PHP, .NET, Java, Node | OWASP A03, CWE-89 |
|
|
353
|
+
| SEC-CRYPTO-001 | Weak cryptography (MD5, SHA1) | PHP, .NET, Java, Node | OWASP A02, CWE-327 |
|
|
354
|
+
| SEC-DESER-001 | Insecure deserialization (BinaryFormatter, `unserialize`, `readObject`) | .NET, PHP, Java | OWASP A08, CWE-502 |
|
|
355
|
+
| SEC-CMD-001 | Command injection (`exec`, `Runtime.exec`, `shell_exec` with user input) | PHP, .NET, Java, Node | OWASP A03, CWE-78 |
|
|
356
|
+
| SEC-PATH-001 | Path traversal (unvalidated file paths) | PHP, .NET, Java, Node | OWASP A01, CWE-22 |
|
|
357
|
+
| SEC-XSS-001 | XSS via unescaped output (`echo $_GET`, `Html.Raw`) | PHP, .NET | OWASP A03, CWE-79 |
|
|
358
|
+
| SEC-LOG-001 | Active `console.log` in production | JS/TS, mobile | CWE-532 |
|
|
359
|
+
| SEC-LOG-002 | PII (CPF, SSN, IDs) in logs/external services | all | CWE-532, LGPD/GDPR |
|
|
360
|
+
| SEC-ERR-001 | Empty catch blocks | all | CWE-390 |
|
|
361
|
+
| SEC-STORE-001 | Token in AsyncStorage (insecure storage) | mobile | OWASP MASVS |
|
|
362
|
+
| CQ-MIX-001 | Mixed JS and TS files (incomplete TS migration) | JS/TS | Clean Code |
|
|
363
|
+
| CQ-DEPRECATED-001 | Deprecated APIs (`mysql_*`, `ereg`, `Vector`) | PHP, Java | CVE-classified |
|
|
364
|
+
|
|
365
|
+
Every finding includes: evidence (file, line, snippet), impact, technical reference, and recommendation.
|
|
366
|
+
|
|
367
|
+
---
|
|
368
|
+
|
|
369
|
+
## Principles
|
|
370
|
+
|
|
371
|
+
| Principle | Description |
|
|
372
|
+
|-----------|-------------|
|
|
373
|
+
| **Install-First** | One command installs everything. No manual setup. |
|
|
374
|
+
| **IDE-Native** | Agents are IDE slash commands. AI comes from the dev's environment. |
|
|
375
|
+
| **Evidence-Driven** | Every finding has concrete evidence (file, line, snippet). |
|
|
376
|
+
| **Context-First** | No LLM receives the entire repository β only context packs. |
|
|
377
|
+
| **Read-Only** | The framework does not modify code. It only reads and generates reports. |
|
|
378
|
+
| **Production-First** | Every recommendation assumes the system is in production. |
|
|
379
|
+
| **Incremental** | Every modernization step is incremental, reversible, and deployable. |
|
|
380
|
+
|
|
381
|
+
---
|
|
382
|
+
|
|
383
|
+
## Validated in Production
|
|
384
|
+
|
|
385
|
+
The framework was validated against a **production mobile app** (~18k lines of code, 98 dependencies, real financial transactions):
|
|
386
|
+
|
|
387
|
+
**Compliance Engine (deterministic):** 7 findings via pattern matching
|
|
388
|
+
|
|
389
|
+
**AI Agents (via Claude Code):** +43 additional findings, including:
|
|
390
|
+
- Service account credentials decoded from Base64 in source code
|
|
391
|
+
- Remote config flag capable of bypassing all authentication in production
|
|
392
|
+
- User passwords logged in plaintext to a cloud database
|
|
393
|
+
- PII used as primary key in a cloud database (enumerable)
|
|
394
|
+
- Session recording capturing sensitive data without user consent
|
|
395
|
+
- 63 business rules extracted from code (11 implicit, never documented)
|
|
396
|
+
- Potential bug in a date calculation affecting core business logic
|
|
397
|
+
|
|
398
|
+
**Generated artifacts (4 official deliverables of V1):**
|
|
399
|
+
- **PRS** β Product Refactor Specification consolidating the diagnostic
|
|
400
|
+
- **SDD** β Software Design Document with current/target architecture and 8 ADRs
|
|
401
|
+
- **MMP** β Modernization Master Plan with 4-phase roadmap (Emergency β Foundation β Core β Evolution), Execution Readiness Score 38β88/100, Deployability scores per phase, and concrete rollback strategies
|
|
402
|
+
- **37 Execution Specs** β atomic, individually deployable units of work with binary acceptance criteria, mandatory rollback, evidence traceability, and dependency graph
|
|
403
|
+
|
|
404
|
+
**Total:** 50 findings + 4 consolidated artifacts + 37 executable specs from a single `npx legacy-squad install` followed by 9 slash command activations.
|
|
405
|
+
|
|
406
|
+
---
|
|
407
|
+
|
|
408
|
+
## Open Core
|
|
409
|
+
|
|
410
|
+
### Community Edition (V1) β Open Source
|
|
411
|
+
|
|
412
|
+
Focus: **Understand + Plan**
|
|
413
|
+
|
|
414
|
+
- Scanner with multi-stack detection (PHP/Laravel/Symfony, .NET/ASP.NET, Java/Spring, Node, React Native/Expo)
|
|
415
|
+
- Compliance Engine with 14 deterministic rules (OWASP MASVS, ASVS, CWE Top 25)
|
|
416
|
+
- Context Manager (basic)
|
|
417
|
+
- **5 analysis agents** as slash commands: security, architecture, legacy-code, business-rules, modernization
|
|
418
|
+
- **4 artifact generators** as slash commands: PRS, SDD, MMP, Execution Specs
|
|
419
|
+
- Claude Code, Codex CLI support (Cursor / Gemini CLI on the roadmap)
|
|
420
|
+
|
|
421
|
+
### Enterprise Edition (V2) β In development
|
|
422
|
+
|
|
423
|
+
Focus: **Modernize**
|
|
424
|
+
|
|
425
|
+
- Execution Engine (AI-assisted refactoring)
|
|
426
|
+
- Pull Request Engine
|
|
427
|
+
- QA Gates
|
|
428
|
+
- CI/CD Integration
|
|
429
|
+
- Custom Rule Packs
|
|
430
|
+
- Dashboard + Team Collaboration
|
|
431
|
+
|
|
432
|
+
---
|
|
433
|
+
|
|
434
|
+
## Roadmap
|
|
435
|
+
|
|
436
|
+
| Horizon | Phase | Status |
|
|
437
|
+
|---|---|---|
|
|
438
|
+
| **Now** | V1 Community β continuous improvements | π΅ Active |
|
|
439
|
+
| **Next** | V2 Enterprise β execution, refactoring, PRs | π‘ In design |
|
|
440
|
+
| **Later** | V3 Autonomous β continuous modernization | βͺ Vision |
|
|
441
|
+
|
|
442
|
+
[**β Full roadmap**](ROADMAP.md)
|
|
443
|
+
|
|
444
|
+
---
|
|
445
|
+
|
|
446
|
+
## Development
|
|
447
|
+
|
|
448
|
+
```bash
|
|
449
|
+
git clone https://github.com/hrpimenta/legacy-squad.git
|
|
450
|
+
cd legacy-squad
|
|
451
|
+
pnpm install
|
|
452
|
+
pnpm approve-builds esbuild
|
|
453
|
+
|
|
454
|
+
# Tests
|
|
455
|
+
npx vitest run
|
|
456
|
+
|
|
457
|
+
# Dev mode (no build)
|
|
458
|
+
npx tsx apps/cli/src/index.ts install -p /path/to/project
|
|
459
|
+
|
|
460
|
+
# Build
|
|
461
|
+
node build.mjs
|
|
462
|
+
|
|
463
|
+
# Test bundled version
|
|
464
|
+
node dist/cli.mjs install -p /path/to/project
|
|
465
|
+
```
|
|
466
|
+
|
|
467
|
+
### Monorepo Structure
|
|
468
|
+
|
|
469
|
+
```
|
|
470
|
+
legacy-squad/
|
|
471
|
+
βββ packages/
|
|
472
|
+
β βββ core/ # Domain types, ports (Clean Architecture)
|
|
473
|
+
β βββ scanner/ # Stack detection, repo index generation
|
|
474
|
+
β βββ context/ # Context packs builder
|
|
475
|
+
β βββ rules/ # Compliance engine, rule catalog
|
|
476
|
+
β βββ agents/ # Agent definitions, installer, doctor
|
|
477
|
+
β βββ output/ # PRS generator
|
|
478
|
+
βββ apps/
|
|
479
|
+
β βββ cli/ # CLI entry point (Commander.js)
|
|
480
|
+
βββ templates/
|
|
481
|
+
β βββ claude-commands/ # Slash command templates
|
|
482
|
+
βββ docs/
|
|
483
|
+
βββ plans/ # Architecture decisions, plans
|
|
484
|
+
```
|
|
485
|
+
|
|
486
|
+
### Tests
|
|
487
|
+
|
|
488
|
+
```bash
|
|
489
|
+
npx vitest run # 93 tests (domain, scanner, compliance, agents, installer)
|
|
490
|
+
npx vitest --watch # Watch mode
|
|
491
|
+
```
|
|
492
|
+
|
|
493
|
+
---
|
|
494
|
+
|
|
495
|
+
## Contributing
|
|
496
|
+
|
|
497
|
+
We welcome contributions. See [CONTRIBUTING.md](CONTRIBUTING.md) for:
|
|
498
|
+
|
|
499
|
+
- How to add a Compliance Engine rule
|
|
500
|
+
- How to improve agent templates
|
|
501
|
+
- How to add IDE support
|
|
502
|
+
- Engineering standards (TDD, SOLID, security)
|
|
503
|
+
- Commit conventions and PR process
|
|
504
|
+
|
|
505
|
+
For questions and proposals, [open a discussion](https://github.com/hrpimenta/legacy-squad/discussions).
|
|
506
|
+
|
|
507
|
+
---
|
|
508
|
+
|
|
509
|
+
## License
|
|
510
|
+
|
|
511
|
+
MIT β see [LICENSE](LICENSE) for details.
|
|
512
|
+
|
|
513
|
+
---
|
|
514
|
+
|
|
515
|
+
<p align="center">
|
|
516
|
+
<strong>Understand. Plan. Modernize.</strong>
|
|
517
|
+
<br>
|
|
518
|
+
<em>Legacy Squad Framework</em>
|
|
519
|
+
</p>
|