Legacy Code Audit with AI

Turn an opaque inherited codebase into a structured, prioritised improvement plan.

The problem with legacy codebases

Every engineering team eventually faces the same challenge: a codebase that has been growing for years, touched by dozens of developers, and carrying layers of decisions that nobody fully remembers. These legacy systems are often the most business-critical software an organisation runs, yet they are also the hardest to maintain, extend, and reason about.

The typical issues are well-known. Undocumented business logic is scattered across files with no clear ownership. Error handling is inconsistent - some modules swallow exceptions silently while others crash loudly. Security practices reflect the era the code was written in, not the threat landscape of today. Dead code accumulates because nobody is confident enough to remove it. Type safety is partial or absent. Logging is either excessive or missing entirely.

Manual audits of these codebases are expensive and slow. A senior developer reviewing a 200-file project might spend a full week just cataloguing issues, and their findings would still be shaped by their personal experience and the areas they happened to focus on. Important patterns get missed. Findings are often captured in spreadsheets or documents that quickly become stale.

How VibeRails approaches legacy code

VibeRails was designed for exactly this scenario. Rather than reviewing individual pull requests or running static analysis rules, it performs a full-codebase scan using frontier large language models. Every file in the project is analysed with AI that can reason about code semantics, not just match patterns.

The analysis covers 17 detection categories: security vulnerabilities, performance bottlenecks, bug risks, dead code, complexity hotspots, type safety gaps, error handling weaknesses, API design issues, accessibility problems, observability gaps, concurrency risks, data integrity concerns, internationalisation issues, dependency problems, documentation gaps, testing deficiencies, and maintainability smells.

Each finding is classified with a severity level (critical, high, medium, low), a specific category, the affected file and line range, and a clear description of the issue and its potential impact. This structured output turns an opaque codebase into an organised inventory of improvements.

VibeRails supports a dual-model approach. Claude Code can perform broad discovery across the entire codebase, identifying issues with its strong reasoning capabilities. Codex CLI can then run a verification pass, applying a different model architecture to confirm or challenge the initial findings. This cross-validation reduces false positives and increases confidence in the results.

Step-by-step: auditing a legacy codebase

The workflow for a legacy code audit in VibeRails follows five stages.

  1. Add the project. Point VibeRails at the local directory containing the codebase. The app reads the file tree and prepares a review scope. No code is uploaded to a VibeRails server, because there is no VibeRails cloud backend; analysis requests go directly to the AI provider configured in Claude Code or Codex CLI.
  2. Configure the review session. Select which detection categories matter most for your audit. For a legacy codebase, you might enable all 17 categories for a full sweep, or focus on security and bug risks if those are the immediate priority. Choose your AI backend (Claude Code, Codex CLI, or both in sequence).
  3. Run discovery. VibeRails orchestrates the AI to review every file in the project. The AI reads each file, reasons about its purpose, identifies issues, and classifies them according to the detection taxonomy. Progress is visible in real time as files are processed.
  4. Triage the findings. Once discovery completes, switch to triage mode. Findings are presented one at a time with full code context. Use keyboard shortcuts to accept, reject, or defer each finding. Accepted issues become candidates for automated fixes. Rejected issues are filtered out. This stage is where your engineering judgement shapes the remediation plan.
  5. Dispatch AI fixes. For accepted findings, VibeRails can create a fix session that dispatches AI agents to implement the changes. Each fix is applied in the local repository where you can review the diff, test the change, and commit or revert as needed. The AI operates with human oversight throughout.

What you get at the end

After running a legacy code audit with VibeRails, you have a structured set of findings organised by category and severity. Every issue includes the file path, line range, description, and suggested approach for remediation.

Findings can be exported in multiple formats for reporting or handoff. Use the JSON export for programmatic integration with your issue tracker, or the markdown export for human-readable reports that can be shared with stakeholders.

The triage history provides a record of what was reviewed, what was accepted, and what was intentionally deferred. This audit trail is useful for compliance purposes and for tracking remediation progress over time. When new team members join, the triage history helps them understand which technical debt has been acknowledged and which has been addressed.

For teams working through a large backlog of legacy issues, the session-based workflow lets you run repeated audits as improvements are made. Each session captures the state of the codebase at that point in time, giving you a measurable way to track progress toward a healthier codebase.

When to use VibeRails for legacy audits

  • Inheriting a codebase - joining a new team or acquiring a product and needing to understand what you are working with
  • Planning a modernisation - deciding where to invest refactoring effort based on structured, prioritised data
  • Due diligence - evaluating code quality before an acquisition, partnership, or major investment
  • Technical debt reduction - building a sprint-by-sprint plan for improving an existing system without rewriting it
  • Onboarding - giving new engineers a structured overview of the codebase's strengths and weaknesses
