After 50+ engagements I’ve settled on a pretty consistent week-one process for legacy Rails apps. Start with stakeholder interviews (not the code), read three files before running any tools, then use SimpleCov zero-coverage files as a “fear map” for where the real risk lives. The post walks through the full sequence: Gemfile/schema/routes review, security scans, complexity analysis, and how to deliver a triage that actually gets acted on instead of filed away.