The codemod ran.Your app is still broken.
Official codemods handle the mechanical 70% of a framework migration, then leave TODO markers where they give up. This pack is built for the other 30% — six Codex skills that finish the upgrade and refactor the fallout, plus a real script that returns SHIP or HOLD with file-and-line proof.
Codemods stop where the real work starts.
Every official upgrade guide says the same quiet thing: run the codemod, and your app will likely be broken. The codemod rewrites the patterns it recognizes and inserts a TODO comment wherever it can’t reason about your code. Those TODOs are not a footnote — they are the part of the migration that ships bugs.
A sync cookies() call in Next.js 15 compiles fine and silently returns a Promise at runtime. A react@18 still pinned under next@15 passes install and breaks in production. “It compiles” doesn’t mean “it migrated.”
The codemod does the mechanical 70%, then drops a TODO marker wherever it gives up. The remainder — the branches it couldn't reason about — is exactly where migrations actually go wrong.
A leftover sync cookies() or headers() call type-checks clean and returns a Promise at runtime. Static checks miss it; it only surfaces once it's serving real traffic.
next@15 still pinned to react@18 installs without complaint and fails in production. The dependency half of a migration is the half nobody re-checks.
Clear about the lane. No inflated promises.
- Six production-grade SKILL.md skills with NEVER/ALWAYS guardrails and worked examples.
- A real, runnable migration-verifier.py — stdlib Python, SHIP/HOLD, non-zero exit on HOLD for CI.
- An AGENTS.md companion for repo-wide Codex migration discipline, every session.
- Next.js 15 + React 19 rule sets, plus framework-agnostic refactor skills for any JS/TS codebase.
- Cross-tool by the Agent Skills open standard: Codex, Claude Code, Cursor, Gemini CLI, Copilot.
- Not a replacement for tsc or your test suite — it's the fast first pass they assume you already did.
- Not a universal codemod — it runs the official ones and handles what they can't.
- No auto-deletion or unattended rewrites — every destructive step is staged and approved.
- No SaaS, no monthly fee, no RedHub server — your code never leaves your environment.
- No fake benchmarks or invented before/after numbers. None on this page, by design.
Six skills + a verifier that runs.
Finish the upgrade, refactor the fallout, prove it shipped. Every skill is single-purpose and composes with the others — tight skills beat one bloated mega-skill.
“upgrade to Next 15,” “migrate to React 19,” “bump the framework”
Plans and runs an incremental version jump: green baseline, official codemod for the mechanical 70%, then resolves every TODO the codemod left, deps included. Never the all-or-nothing upgrade.
“check our dependencies,” “what's deprecated,” “audit packages”
Classifies dependencies from real npm outdated / audit / view output — vulnerable, deprecated, abandoned, or stale-but-fine — and sequences replacements one at a time, highest-risk first.
“extract into a module,” “break up the monolith,” “decouple this”
Carves a cohesive domain out behind a narrow interface, slice by slice, tests green between each. Behavior-preserving by construction — adds coverage first if the code has none.
“add tests for this,” “backfill tests,” “safety net before refactor”
Writes characterization tests that pin what legacy code actually does — quirks included — so a migration can't silently change behavior. Captures reality, not the behavior you wish it had.
“remove dead code,” “find unused code,” “what can we delete”
Finds truly unused exports, files, and deps with tool evidence, then rules out dynamic references before deleting. Returns CONFIRMED DEAD vs. HOLD — never cuts on a guess.
“verify the migration,” “did the upgrade finish,” runs in CI
A real, runnable script that scans the repo and returns SHIP or HOLD with file-and-line proof. Exits non-zero on HOLD so it gates CI. The honesty spine made executable.
The verifier actually runs. Here’s real output.
This is migration-verifier.py against a half-finished Next.js 15 migration — not a screenshot of a promise. It found four blocking issues, exited non-zero, and refused to bless the upgrade. That’s the honesty spine, executable.
$ python scripts/migration-verifier.py . --target next15
HOLD target=next15 files=2 critical=4 warning=2
------------------------------------------------------------------------
BLOCKING (must fix before ship) (4)
• [sync-cookies] app/dashboard/page.tsx:5
cookies() used without await — Next.js 15 made it async.
› const token = cookies().get('token')
• [sync-headers] app/dashboard/page.tsx:6
headers() used without await — async in Next.js 15.
• [codemod-todo] app/dashboard/page.tsx:7
Codemod left a TODO/manual-review marker — could not finish here.
• [version-skew-next-react] package.json
next@15.x expects React 19 but react@18.x is pinned.
WARNINGS (review, non-blocking) (2)
• [params-not-awaited] app/dashboard/page.tsx:4
• [types-react-stale] package.json
Verdict: HOLD. Resolve the blocking items above, then re-run.
$ echo $?
1Stdlib-only Python, no install. Targets next15, react19, and generic. JSON mode for CI pipelines. Rules are documented and extensible.
Two formats Codex reads — skills and AGENTS.md.
Codex skill support has been GA since December 2025. This pack ships in both formats Codex reads, so the discipline applies whether you invoke a skill or just open the repo.
Drop the folders in your Codex skills directory. Codex discovers them by description and loads the full instructions on demand, or you invoke one explicitly with /skills. The verifier's scripts/ folder runs natively.
Drop the included AGENTS.md in your repo root and Codex follows migration discipline on every session — codemod-preview-first, verify-before-done, matched react/react-dom majors — with no re-prompting.
The skills chain into complete jobs.
A generic AI tool is a one-shot. A skill is a step in a workflow. Here’s how the six run together across the three migrations dev teams actually do.
Navigator runs the codemod and resolves the manual remainder; verifier scans and returns SHIP/HOLD. You don't merge until the scan is green — the two skills are the whole upgrade, start to proof.
Establishes a green baseline, runs the official codemod for the mechanical 70%, then resolves every TODO it left behind — async request APIs, dependency bumps, the branches it couldn't reason about.
Scans the repo and returns SHIP or HOLD with file-and-line proof, exiting non-zero on HOLD. The merge gate: no green scan, no merge.
Behavior preserved because it's observable — pin reality first, then carve.
Writes characterization tests that pin what the legacy code actually does — quirks and all — so any change that alters behavior shows up red.
Carves the module out behind a narrow interface with those tests as the safety net, slice by slice, staying green between each step.
A leaner, current, shippable repo — with a green scan to prove it.
Triages the dependency tree from real npm output and sequences replacements highest-risk-first, one at a time.
Prunes the proven-dead exports, files, and deps — ruling out dynamic references before any deletion, HOLDing on anything ambiguous.
Final scan confirms nothing migration-related slipped through the cleanup. Green, and proven green.
This pack moves the codebase forward. Two siblings cover the rest.
Exactly what you get for $99, and what you don’t: six skills and a verifier that finish migrations and prove it — not a tool that hardens what you shipped or designs your agent patterns. Those are the jobs of the two products below.
Vibe-Coded App Hardening Kit
$79Secures an app that AI helped you build — auth, secrets, input validation, the LLM-API cost-ceiling blast radius. Harden what you shipped, then use this pack to keep it current without breaking it.
Agent Orchestration Cookbook
$79Five verified multi-agent patterns in Python + TypeScript for the systems you build next. Where this pack keeps your app current, the Cookbook is the reference for the agent workflows you add to it.
The questions developers actually ask before installing.
Codemods do the mechanical 70% — they rewrite the obvious patterns and then insert TODO comments or typecasts wherever they give up. The official Next.js and React guides say it plainly: after the codemod runs, your app is usually still broken. This pack is built for that remaining 30%: the sync cookies() call the codemod missed, the dependency it never bumped, the branch it couldn't reason about. The framework-upgrade-navigator runs the codemod for you, then resolves what it left behind, and the migration-verifier proves the job is actually finished.
A dependency-free Python script (stdlib only, no install) that scans your repo after a migration and returns SHIP or HOLD with file-and-line locations for every issue. It catches leftover sync cookies()/headers()/draftMode() calls, codemod TODO markers, removed React 19 APIs (ReactDOM.render, string refs, createFactory), and package.json version skew (next@15 still pinned to react@18). It exits non-zero on HOLD, so it drops straight into CI as a migration gate. It is genuinely executable — not a prompt that pretends to check.
Each skill is a standard SKILL.md folder. Codex loads skills from your skills directory (commonly ~/.agents/skills/ or ~/.codex/skills/) and discovers them automatically when your task matches the description — or you invoke one explicitly with /skills. The migration-verifier skill ships a scripts/ folder, which Codex runs natively. The pack also includes an AGENTS.md companion you drop in your repo root so Codex follows migration discipline on every session. Codex skill support has been GA since December 2025.
The skills follow the Agent Skills open standard, so the SKILL.md files also work in Claude Code, Cursor, Gemini CLI, and Copilot's agent mode. The AGENTS.md companion is Codex-and-Cursor-native. The verifier script is plain Python and runs anywhere — in a skill, in CI, or from your terminal. We built and named it for Codex because that's where its terminal-first, repo-editing workflow fits best, but nothing is locked to one tool.
No. The skills propose and explain; you approve. The dead-code-eliminator in particular refuses to delete on a static 'unused' signal alone — it actively rules out dynamic references (string-based access, framework conventions, public API surface) and returns HOLD on anything ambiguous rather than cutting it. The verifier only reads; it never writes. Every destructive step is staged in small, reviewable, revertible commits by design.
The framework-upgrade-navigator and verifier ship specialized rules for the two migrations dev teams hit most right now: Next.js 14→15 (async request APIs, caching changes, the React 19 dependency) and React 18→19 (removed APIs, string refs, types codemod). The dependency, extraction, test-backfill, and dead-code skills are framework-agnostic and work on any JS/TS codebase. The verifier's rules are documented and extensible — add your own stack's deprecations to the rule map.
Different stage of the same codebase's life. The Hardening Kit ($79) secures an app that AI helped you build — auth, secrets, input validation, the cost-ceiling blast radius. This pack moves an existing codebase forward — framework version jumps, dependency rot, monolith seams, dead code — and proves the move landed. Many teams want both: harden what you shipped, then keep it current without breaking it. They're cross-linked at the bottom of each page.
Thirty days, no questions. If the pack doesn't save your team real migration time or catch a single issue your codemod missed in the first 30 days, email us and we refund in full. Run the verifier against a repo you've already 'finished' migrating — if it comes back clean, you lost nothing; if it finds something, the pack just paid for itself.
Finish the migration.
Then prove it.
Run the verifier against a repo you’ve already “finished” upgrading. If it’s clean, you lost nothing. If it finds something, the pack just paid for itself. Thirty-day refund either way.
Sold by RedHub AI LLC · Secured by Stripe · redhub.ai