Future work only. Deterministic, graph-native codebase intelligence for TypeScript & JavaScript. Read-first, agent-native, architecture-aware. No invented findings: every claim is graph-backed evidence a human or agent can inspect.
Last updated: 2026-07-01
Two tracks:
- Parity track — close the static-analysis gaps TS/JS teams expect from a serious code-quality CLI.
- Differentiation track — ship graph-native analysis no token-only tool can offer: Highways, content drift, scope maps, and agent-ready context packs.
Guiding constraints for all future work:
- Read-only analyzer. The tool reports and advises; source changes are applied by humans or agents.
- Deterministic evidence. Findings come from AST, type, graph, git, config, and filesystem facts. No LLM-derived findings.
- Agent-native outputs. Every finding needs stable IDs, JSON, evidence, and
actions[]hints. - Graph-first, visual-second. 2D/3D views are derived from queryable graph data, never the product source of truth.
- CLI help is a product surface. LLMs will use shell commands; help, examples, errors, and
--jsonmust stay predictable. - Open-source naming hygiene. Competitor/product names belong only in documentation comparison sections. Source, tests, CLI help, MCP output, fixtures, and generated agent instructions use generic capability labels unless naming a real dependency, standard, or integration.
2.5.0 is a multi-PR canary release train, not a single PR. Everything in this roadmap is allowed to land under 2.5.0-canary.*; stable 2.5.0 is published only after the whole train has soaked in canary mode and the release gates pass.
Release goal: ship the full codebase-intelligence direction as one cohesive 2.5.0 stable: cache identity cleanup, analyzer foundations, parity gaps, Highways, map/drift intelligence, agent-ready outputs, CI/dev ergonomics, and ecosystem hardening.
In scope for 2.5.0:
- P0 Stabilization.
- P1 Analysis Foundations.
- P2 Product Parity + Flagship Intelligence.
- P3 Depth + Ergonomics.
- P4 Ecosystem Hardening.
Out of scope for 2.5.0:
- Auto-fix or source mutation.
- Production-runtime tracing or hosted cloud analysis.
- Visual-only graph product without structured graph outputs.
- Per-agent analyzer forks.
- Universal framework plugin catalog beyond targeted/configurable awareness.
Implementation order:
- Stabilization first — cache migration, docs/help alignment, targeted entry fixes, deterministic tests.
- Operation registry second — reduce CLI/MCP duplication before adding more surfaces.
- Analysis foundations third — Type/Shape, duplication, dead-code expansion, suppression hygiene.
- Flagship intelligence fourth — Highways, scope graph/map, content drift, health, boundaries.
- Agent/CI surfaces fifth — CI wrapper, doctor, output formats,
actions[], context packs. - Editor/depth sixth — cognitive complexity, ownership/cohorting, LSP, architecture recommendations.
- Ecosystem hardening seventh — watch, monorepo scope, migration, hooks, local history, production mode.
- Release hardening last — canary soak, docs sync, real-repo verification, stable publish gates.
Per-item acceptance contracts:
| Item | Dev-ready contract |
|---|---|
| Cache migration | All cache states are covered by tests: only legacy, only canonical, both same signature, both different signature, neither. Scanner excludes both folders. Writes go only to .codebase-intelligence/. init --gitignore is idempotent. JSON surfaces expose cacheDir, legacyCacheDir, migrated, gitignoreUpdated, and warnings[]. |
| Docs/help alignment | README, CLI help, docs/cli-reference.md, docs/mcp-tools.md, docs/data-model.md, llms.txt, and llms-full.txt describe .codebase-intelligence/ as canonical and .code-visualizer/ as legacy migration input. |
| Test-runner determinism | pnpm test exits 0 locally after assertions pass; the Vitest worker onTaskUpdate timeout is gone or the runner configuration is made deterministic. |
| Targeted framework fixes | Any remaining framework/config false positive has a minimal fixture proving the bug and a focused fix. No broad plugin framework lands in 2.5.0. |
| Analysis foundations | Operation registry, Type/Shape, duplication, dead-code expansion, and suppression hygiene each ship with CLI/MCP parity or an explicit documented exception. |
| Flagship intelligence | Highways, map, drift, health, and boundaries produce deterministic JSON with evidence and stable IDs before any visual or prose-only surface is treated as complete. |
| Agent/CI surfaces | CI, doctor, output formats, actions[], and context packs are usable by LLM-driven CLI workflows without scraping human prose. |
| Ecosystem hardening | Watch/monorepo/migration/hooks/history/production mode are gated by fixtures or real-repo verification, not demo-only behavior. |
2.5.0 release gates:
pnpm lint
pnpm typecheck
pnpm build
pnpm test
pnpm verify:cli-realEvery material PR publishes or validates a 2.5.0-canary.* build before it is considered integrated. pnpm test must exit 0 before stable publish. The prior Vitest fork-pool onTaskUpdate timeout was reproduced and the release gate now uses the thread pool; any future runner-level timeout after passing assertions still blocks stable publish.
Docs required before stable:
- README command list and examples.
docs/cli-reference.md.docs/mcp-tools.md.docs/data-model.mdfor cache migration output fields.llms.txtandllms-full.txt.- Migration note for
.code-visualizer/to.codebase-intelligence/. - New command docs for every shipped CLI/MCP surface.
- Upgrade notes for any JSON shape additions.
Blocked decisions for 2.5.0: open decisions below must be resolved before implementing the feature they affect; unresolved late-phase decisions do not block earlier canaries.
Purpose: prove the CLI, MCP server, library outputs, docs, CI behavior, and agent workflows work for every user type. Tests should exercise real code paths. Mock only true third-party edges; a mocked own-code seam is a gap.
Detected surfaces:
| Surface | Evidence | E2E meaning |
|---|---|---|
| CLI/tool | package.json bin, src/cli.ts, command docs |
Spawn the real built binary with real args, assert stdout/stderr/exit/files. |
| MCP server | src/mcp/, tool schemas, stdio lifecycle tests |
Start real stdio server, call tools with a real MCP client, assert schema/result/error envelopes. |
| Library/package surface | exports, types, bin, package-entrypoint metadata |
Import the built package from a tiny consumer fixture and assert public API/types. |
| CI/release | check, SARIF, canary publish flow, GitHub Actions |
Run the same commands CI runs and assert exit codes/artifacts. |
| Agent docs/instructions | llms.txt, llms-full.txt, generated agent instructions |
An AI-agent persona can discover commands, run them, and parse machine output without scraping prose. |
Personas:
| ID | Persona | Surface | Need |
|---|---|---|---|
| US-CLI-HUMAN | Human terminal user | CLI | Clear help, predictable commands, actionable errors. |
| US-CLI-CI | Script/CI runner | CLI/CI | Stable exit codes, non-interactive behavior, machine-readable output. |
| US-CLI-AGENT | AI coding agent | CLI/docs | Deterministic --json, small context, next-step hints, no noisy prose in JSON. |
| US-MCP-AGENT | MCP agent client | MCP | Valid tool schemas, stable envelopes, parity with CLI. |
| US-LIB-DEV | Consuming developer | Library/package | Public entrypoints, types, and docs match runtime behavior. |
| US-DOWNSTREAM | Downstream app/runtime | Library/package | Built package works when imported from outside the repo. |
| US-MAINTAINER | Maintainer/releaser | CI/release | Canary/stable gates fail only on real blockers and produce useful artifacts. |
| US-MIGRATOR | Existing user with legacy cache | CLI/filesystem | .code-visualizer/ migrates safely and never loses data silently. |
| US-ADVERSARY | Hostile input user | CLI/MCP/library | Bad paths, oversized args, malformed config, and hostile JSON fail safely. |
Surface x persona x layer matrix:
| Persona | Unit | Integration | E2E | UI | Chaining |
|---|---|---|---|---|---|
| US-CLI-HUMAN | Required | Required | Required | N/A - no TUI | Required |
| US-CLI-CI | Required | Required | Required | N/A - no TUI | Required |
| US-CLI-AGENT | Required | Required | Required | N/A - no TUI | Required |
| US-MCP-AGENT | Required | Required | Required | N/A - protocol surface | Required |
| US-LIB-DEV | Required | Required | Required consumer fixture | N/A - library | Required |
| US-DOWNSTREAM | Required | Required | Required consumer fixture | N/A - library | Required |
| US-MAINTAINER | Required | Required | Required CI command run | N/A - CI | Required |
| US-MIGRATOR | Required | Required filesystem fixture | Required CLI run | N/A - CLI | Required |
| US-ADVERSARY | Required | Required | Required negative CLI/MCP/library runs | N/A - no UI | Required |
Feature PR rule: every material PR must add or update at least one chained test below. A chain is complete only when it proves setup -> action -> machine output -> downstream use or recovery. Happy-path-only tests do not close a chain.
| Chain | User story | Required actions |
|---|---|---|
| CH-P0-01 cache migration | As US-MIGRATOR, I can upgrade without losing or duplicating cache state. | Create fixture with only .code-visualizer/ -> run real CLI command -> assert .codebase-intelligence/ exists -> assert JSON cache.migrated -> rerun command -> assert canonical cache is used -> run --status -> run --clean. |
| CH-P0-02 new cache gitignore | As US-CLI-HUMAN, I can initialize ignore rules safely. | Run init/gitignore command in temp repo -> assert .gitignore gets .codebase-intelligence/ once -> rerun -> assert idempotent -> assert legacy folder is documented as migration input only. |
| CH-P0-03 docs/help alignment | As US-CLI-AGENT, I can learn the canonical cache path from every surface. | Build CLI -> capture --help and command help -> scan README/docs/LLM docs -> assert .codebase-intelligence/ canonical wording -> assert .code-visualizer/ appears only in legacy migration context. |
| CH-P0-04 deterministic test runner | As US-MAINTAINER, I can trust release gates. | Run pnpm test -> assert exit 0 -> assert no Vitest onTaskUpdate timeout -> rerun focused long E2E suite -> assert no open-handle/worker timeout. |
| CH-P0-05 targeted entry fix | As US-LIB-DEV, I do not get false dead-code findings for supported entrypoints. | Add real fixture for proven false positive -> run dead-exports/check JSON -> assert entrypoint confidence/reason -> assert unsupported patterns remain configurable, not hardcoded magic. |
| Chain | User story | Required actions |
|---|---|---|
| CH-P1-01 operation parity | As US-MCP-AGENT and US-CLI-AGENT, I get equivalent facts from CLI and MCP. | Run one operation through descriptor registry -> invoke matching CLI command -> invoke matching MCP tool -> compare normalized JSON -> assert shared validation errors and hints. |
| CH-P1-02 graph-load pipeline | As US-MAINTAINER, new operations do not duplicate load/cache/error logic. | Trigger success, invalid input, parse failure, and cache reuse through registry adapter -> assert CLI/MCP adapters differ only in presentation envelope. |
| CH-P1-03 type/shape facts | As US-LIB-DEV, I can inspect producers/consumers of a type shape. | Parse fixture with aliases/generics/default exports/unresolved types -> assert symbol parameter/return facts -> query file/symbol/MCP surfaces -> assert additive JSON compatibility. |
| CH-P1-04 duplication families | As US-CLI-HUMAN, I can find duplicate logic with deterministic IDs. | Fixture exact clone + renamed clone + near-miss + below-threshold noise -> run CLI/MCP -> assert family IDs, thresholds, trace output, stable ordering, and no local-skip false positive. |
| CH-P1-05 dead code expansion | As US-CLI-CI, I can gate unused files/types/members/deps without framework false positives. | Fixture unused file/type/member/dependency plus supported entrypoint -> run check JSON/SARIF -> assert real findings, confidence, and ignored entrypoint evidence. |
| CH-P1-06 suppression hygiene | As US-MAINTAINER, suppressions do not hide stale debt forever. | Add active suppression -> assert finding suppressed and reported -> remove underlying finding -> assert stale suppression warning -> assert JSDoc @public/@internal/@expected-unused behavior. |
| CH-P1-07 workspace dependency policy | As US-MONOREPO-MAINTAINER, dependency findings point at the package that owns the import. | Multi-package fixture -> run check JSON -> assert root/package manifests are scoped separately -> assert unlisted workspace imports, test-only deps, type-only deps, runtime devDeps, and unused deps with package evidence. |
| Chain | User story | Required actions |
|---|---|---|
| CH-P2-01 highways reroute | As US-CLI-AGENT, I can identify divergent routes and get a safe reroute proposal. | Fixture with 3 entrypoints converging on one sink -> run highways --json -> assert cowpath/bypass findings, route chains, evidence, blast radius, proposed canonical node -> call MCP analyze_highways and compare. |
| CH-P2-02 highway synthesis | As US-CLI-HUMAN, I can understand the proposed canonical path before coding. | Fixture with no existing canonical node -> run highways --propose --trace -> assert synthesized name/location/signature/skeleton/reroute plan and cycle-safety check. |
| CH-P2-03 codebase map context pack | As US-MCP-AGENT, I can request only the files needed for one task. | Run map --focus <symbol> --context-budget <n> --json -> assert nodes/edges/evidence IDs -> request MCP context pack -> assert token-bounded ranked files/symbols/tests. |
| CH-P2-04 content drift | As US-MAINTAINER, I can find files whose names lie about behavior. | Fixture name/scope/side-effect/test mismatch -> run drift --json -> assert drift score, deterministic evidence, recommendation, baseline report-only first run. |
| CH-P2-05 health/boundaries | As US-CLI-CI, I can gate new architecture debt. | Health subchain: fixture complexity/churn hotspot -> run health + hotspots --metric risk -> assert score, maintainability, CRAP, coverage source, stable exit codes, and MCP parity. Boundary subchain: fixture boundary violation -> run boundary commands -> assert rule evidence, baseline/new-only behavior, and stable exit codes. |
| CH-P2-06 CI wrapper | As US-MAINTAINER, I can add one PR gate. | Run ci --base origin/main --new-only --format sarif in temp git repo -> assert exit code, SARIF artifact, PR markdown, compact summary, and no failure on pre-existing debt. |
| CH-P2-07 doctor onboarding | As US-CLI-AGENT, I can self-diagnose setup. | Run doctor --json in repo missing config/cache/agent docs -> assert checks, levels, exact fix commands, docs links, read-only behavior. |
| CH-P2-08 output actions | As US-CLI-AGENT, every finding gives safe next steps. | For each analyzer finding kind -> assert stable ID, evidence, actions[], no source mutation, and JSON schema compatibility. |
| Chain | User story | Required actions |
|---|---|---|
| CH-P3-01 cognitive complexity | As US-CLI-HUMAN, I can distinguish branchy code from simple long code. | Fixture nested branches + flat long function -> run metrics surfaces -> assert cognitive vs cyclomatic values and hotspot ranking. |
| CH-P3-02 ownership/cohorting | As US-MAINTAINER, I can see risky owner concentration. | Temp git history + CODEOWNERS fixture -> run owner grouping -> assert bus-factor, owner hotspots, and effort filters. |
| CH-P3-03 LSP diagnostics | As US-LIB-DEV, editor diagnostics match batch analysis. | Start LSP against fixture -> open file -> assert diagnostics/hover facts match CLI JSON for same graph -> assert code actions are advisory only. |
| CH-P3-04 architecture recommendations | As US-CLI-AGENT, I can act on extraction recommendations. | Fixture bridge/tension/seam -> run architecture recommendations -> assert effort, evidence, affected files, and context pack. |
| Chain | User story | Required actions |
|---|---|---|
| CH-P4-01 watch mode | As US-CLI-HUMAN, I can keep analysis fresh while editing. | Start watch on fixture -> change file -> assert incremental re-analysis -> assert debounce, cache update, and clean shutdown. |
| CH-P4-02 monorepo scope | As US-CLI-CI, I can analyze only changed workspaces. | Multi-package fixture -> change one package -> run --changed-workspaces -> assert scoped graph, cross-package cycle detection, stable summary. |
| CH-P4-03 config migration | As US-CLI-HUMAN, I can migrate analyzer config safely. | Fixture with supported external config -> run migrate dry-run -> assert generated config, warnings, no source mutation, idempotency. |
| CH-P4-04 hooks install | As US-MAINTAINER, local hooks run the same gate as CI. | Temp git repo -> install hooks -> stage bad file -> assert hook blocks with same finding ID as check -> uninstall/cleanup. |
| CH-P4-05 local finding history | As US-MAINTAINER, I can see trend changes without cloud. | Run analysis twice with changed findings -> assert local history file, trend summary, gitignored storage, no sensitive source capture. |
| CH-P4-06 production mode | As US-CLI-CI, I can exclude test/dev files from production risk. | Fixture with prod + test-only files -> run --production -> assert test/dev exclusions, prod findings retained, docs state behavior. |
Chain closeout rule: stable 2.5.0 cannot ship until every chain for shipped features is green in CI or explicitly marked deferred with reason, owner, and follow-up issue.
Rename the legacy index/cache folder from .code-visualizer/ to .codebase-intelligence/ without breaking existing users.
Status: Shipped across P0 canary PRs.
Shipped:
- Auto-migrate legacy-only
.code-visualizer/to.codebase-intelligence/when safe. - Prefer
.codebase-intelligence/when both folders exist, including same-signature and different-signature states. - Keep both folders excluded from scanning and cache fingerprints during the migration window.
- Write new cache files only to
.codebase-intelligence/. - Add
init --gitignoreto append.codebase-intelligence/idempotently. - Add
--cleanbehavior that removes canonical and legacy cache directories. - Update docs, README, CLI help, tests, and fixtures to mention legacy auto-migration.
- Expose migration facts in JSON on analysis commands and
init --json:cacheDir,legacyCacheDir,migrated,gitignoreUpdated,warnings[].
Make every user-facing instruction reflect the canonical cache name.
Status: Shipped in the P0 canary PR.
- Replace canonical
.code-visualizer/references with.codebase-intelligence/. - Mention
.code-visualizer/only as legacy migration input. - Update
--index,--status, and--cleanhelp text. - Update README, docs,
llms.txt, andllms-full.txt. - Keep competitor/product names out of runtime help and generated agent instructions.
Fix the repeated Vitest runner timeout so release gates are deterministic.
Status: Shipped in the P0 canary PR.
- Reproduce
Timeout calling "onTaskUpdate"after all tests pass. - Isolate the issue to the Vitest fork worker pool used by the release gate.
- Switch
pnpm testto--pool threads --no-file-parallelism. - Keep
429assertions passing and makepnpm testexit 0 locally. - Bound non-blocking CI coverage collection so coverage hangs cannot block the release gate.
- Bound
pnpm testto one Vitest worker and disabled Vitest duration cache so host-level memory pressure and stale file ordering do not terminate the release gate.
Package public entrypoints already have coverage. Only fix remaining framework/config false positives with proof.
Status: No verified remaining false positive is open for the current 2.5.0 canary train.
Guardrail:
- Add minimal fixtures only if a remaining false positive is reproduced.
- Prefer config-driven entrypoint declarations over hardcoded broad framework plugins.
- Do not ship a universal framework plugin system in
2.5.0.
Collapse CLI + MCP operation duplication into one descriptor registry before adding more analyzers.
Foundation slice:
- Add
Operation<TInput, TResult>descriptors per analysis operation. - Add typed operation names, CLI command names, MCP tool names, and input schemas.
- Add
runOperation(...)discriminated result/error wrapper for descriptor-level tests. - Type MCP next-step hint keys against the operation-name union.
- Add CH-P1-01 coverage for registry -> CLI JSON -> MCP JSON overview parity.
- Reuse registry descriptors and input shapes in MCP tool registration.
- Route MCP operation success/error envelopes through
runOperation(...)while preserving existingnextStepsandisErrorcontracts. - Add MCP registry parity coverage for representative operation descriptor runs.
- Reuse registry schemas in CLI coercion.
- Move CLI failures over descriptor-level validation errors.
- Add CLI registry parity coverage for representative descriptor runs and invalid input.
- Expand CH-P1-01 coverage from overview/representative CLI/MCP operations to every operation.
- Expand CH-P1-02 coverage for descriptor validation, CLI parse failure, and cache reuse through registry-adapted commands.
- Use one graph-load pipeline with progress callbacks.
- Extend CH-P1-02 coverage to MCP/stdio graph-load behavior.
- Move operation text formatting over result objects into descriptor-backed formatters.
Status:
- None for the operation-registry foundation. Future non-text output variants remain tracked under P2 Output Formats + Actionability.
Capture resolved parameter and return types per symbol.
Foundation slice:
- Store compact type signatures on parsed symbols.
- Carry type facts into graph
SymbolNodedata. - Expose additive
typeFactsinfile,symbol, andsearchJSON. - Index consumed/produced type names in search so shape queries find producer/consumer symbols.
- Add CH-P1-03 coverage for aliases, generics, default exports, unresolved types, file/symbol/search JSON, CLI, and MCP parity.
Status: Shipped into downstream analyzers.
Integrated:
- Type facts feed Highways shape filters.
- Type facts feed synthesized highway proposal signatures.
- Type facts remain additive in JSON to preserve backward compatibility.
Add deterministic clone detection on the existing parser path.
Foundation slice:
- Implement
strict,mild, andweakclone modes. - Emit clone families, not isolated pair findings.
- Support
--min-tokens,--skip-local,--trace <id>, and--json. - Add CH-P1-04 coverage for exact clones, renamed clones, near-miss clones, below-threshold noise, trace output, stable IDs/order, CLI/MCP parity, and local-only skipping.
- Expose deterministic similarity scores for later Highways routing.
Status: Shipped into Highways H2 support.
Integrated:
- Highways synthesis reports duplicated intermediate callees when repeated routes share implementation steps.
- Semantic/shape-based duplication remains post-2.5.0 research because current
2.5.0scope is deterministic AST/type/graph evidence only.
Extend deletion intelligence beyond exported symbols.
Foundation slice:
- Add opt-in
checkrules:no-dead-files,no-unused-types,no-unused-members,no-unused-deps. - Detect unimported non-entrypoint files with confidence/evidence.
- Detect local unused type/interface declarations and exported dead types outside supported entrypoints.
- Detect unused private class members and non-exported enum members.
- Detect unused, unlisted, type-only, and test-only package dependencies.
- Scope dependency hygiene to the nearest
package.json/ workspace manifest. - Detect runtime imports declared only in
devDependencies. - Emit
kind,confidence, andevidence[]in JSON and SARIF findings. - Add CH-P1-05 coverage for JSON/SARIF, supported package entrypoint ignore, and all four dead-code categories.
- Add CH-P1-07 coverage for root/package manifest scoping, unlisted package imports, test-only deps, type-only deps, runtime devDeps, and package evidence.
Status: Deferred beyond 2.5.0.
Reason: doctor now reports supported setup surfaces, but broad CSS/template/framework plugin coverage is intentionally out of scope for 2.5.0.
Finish suppression management without hiding stale debt.
Already exists: ci-ignore-next-line and ci-ignore-file.
Foundation slice:
- Report active and stale
ci-ignore-file,ci-ignore-next-line, and JSDoc@expected-unusedsuppressions in JSON. - Add
no-stale-suppressionswarnings so stale suppressions can fail CI with--fail-on warn. - Include
suppressedandstaleSuppressionsin check summaries and--summaryoutput when relevant. - Add JSDoc
@publicand@internalsemantics for cleanup declarations: public exported types are protected, internal exported types remain checkable. - Add CH-P1-06 coverage for active suppression, stale suppression drift, JSDoc cleanup semantics, JSON summary, CLI summary, and SARIF properties.
Status:
- No open CH-P1-06 work on the current TypeScript cleanup surface.
Detect repeated data routes that should converge on one canonical path.
Mental model:
synapse = one edge
highway = reusable multi-step route
entry ─► transform ─► validate ─► sink
▲ canonical node agents should reuse
Vocabulary:
| Term | Meaning |
|---|---|
route |
Ordered call chain from an entry point toward a sink |
sink |
Terminal side effect or canonical boundary: DB write, API call, queue publish, store mutation, file write |
shape |
Type/DTO/domain object moving through the route |
canonical node |
Shared function/module most routes should pass through for one operation |
cowpath |
Ad-hoc route that recreates a canonical operation outside the shared path |
bypass |
Route that reaches a sink while skipping an existing canonical node |
highway |
Approved canonical route for one (operation, shape, sink) inside a bounded scope |
H1 slice:
- H1 shipped: classify operation verbs, enumerate entry-to-sink routes, detect cowpaths and bypasses.
- H1 shipped: propose reroutes to existing canonical nodes with route chains, blast radius, evidence, and context packs.
- MCP shipped: add
analyze_highways. - CLI shipped: add
highways <path>with--operation,--shape,--min-routes,--propose,--trace,--json. - H1 shipped: every opportunity emits a token-budgeted context pack: summary, affected routes, evidence, blast radius, proposed canonical node, next safe command.
Status: H1/H2 shipped in the canary train.
Shipped:
- Add type-shape grouping and
--shapefilters backed by symbol type facts. - Synthesize new highway proposals: name, location, signature, skeleton, and cycle-safe reroute plan.
- Detect near-duplicate intermediate steps as shared duplicated callees inside route groups.
Deferred beyond stable 2.5.0:
- Reuse hotspot metrics cross-linked into
forces/hotspots.
Represent the codebase as a compound graph agents can query, not just a folder tree or screenshot.
codebase graph
├─ files
├─ symbols
├─ types
├─ scopes
├─ routes
├─ sinks
├─ tests
└─ owners
Organization concepts to integrate:
| Concept | Finding/query it unlocks |
|---|---|
| Bounded contexts | "Who owns this shape, and which files bypass that context?" |
| Canonical data model | shape-drift, unsafe DTO leakage |
| Anti-corruption layer | External type crossing an internal boundary |
| Ports & adapters | Route reaches side effect without gateway |
| Dependency direction | Boundary violation, layering inversion |
| Public vs internal API | Forbidden deep import, bypass route |
| Scope cohesion | Junk-drawer module, extraction candidate |
| Escape velocity | File/module pulled by too many scopes |
| Ownership/bus factor | Orphaned critical path |
| Test proximity | Important route has no proof nearby |
| Runtime surface | User-facing entrypoint route maps |
Status: CH-P2-03 shipped in the canary train.
Shipped:
- CLI: add
map <path>with--focus,--scope,--depth,--format json|dot|graphml|markdown,--context-budget,--json. - MCP: add
get_codebase_map,get_scope_graph,get_context_pack. - Emit deterministic
overview,focus,nodes,edges,contextPack,evidence, and stable evidence/edge IDs. - Add chained CLI + real stdio MCP coverage for focused symbol maps and token-bounded ranked files/symbols/tests.
Status: Structured graph output is shipped; visual-first products remain derived surfaces.
Shipped:
- Focused map/context-pack output includes stable file, symbol, scope, and test graph nodes.
- Ownership and route analyzers now expose structured facts separately, so future viewers can compose them without scraping prose.
Deferred beyond stable 2.5.0:
- Optional first-party 2D/3D viewer.
Detect mismatch between file/folder labels and actual behavior.
declared intent = path + filename + exports + docs
actual behavior = imports + calls + types + side effects + tests + churn
drift score = mismatch(declared intent, actual behavior)
Status: CH-P2-04 shipped in the canary train.
Shipped:
- Emit
name-drift,scope-drift,mixed-responsibility,hidden-side-effect,shape-drift,orphan-scope, andmisplaced-test. - CLI: add
drift <path>with--focus,--scope,--min-score,--json. - MCP: add
detect_content_drift. - Make first run report-only with baseline status in JSON.
- Keep implementation deterministic: tokenized names, resolved symbols/types, imports/calls, side-effect signals, tests, stable finding IDs, and stable evidence IDs.
- Add CH-P2-04 chained CLI + real stdio MCP coverage for drift score, deterministic evidence, recommendations, and report-only baseline behavior.
Status: Report-only drift shipped for 2.5.0.
Deferred beyond stable 2.5.0:
- Drift baselines and CI gating after teams have canary data.
Provide one CI-gateable quality score plus file-level risk metrics.
Status: Health foundation shipped in the canary train.
Shipped:
- CLI: add
health <path>with--score,--min-score,--json, and stable exit1when score falls below the threshold. - MCP: add
get_health_score. - Add per-file
maintainabilityIndex,crapScore,riskScore, evidence, hotspots, and actions. - Use static test reachability by default and root-local Istanbul
coverage/coverage-final.jsonorcoverage/coverage.jsonwhen present. - Extend
hotspotswith--metric riskusing complexity x churn x coupling x size x blast radius/test reachability. - Add CH-P2-05 health subchain coverage for CLI JSON/text, exit codes, risk hotspots, Istanbul coverage, and real stdio MCP parity.
Status: Shipped in the ci wrapper.
Integrated:
cicomputes health and gates on--min-score.- Badge output exists for machine-readable PR/status surfaces.
Evaluate repo dependency boundaries using the existing graph.
Status: CH-P2-05 boundary subchain shipped in the canary train.
Shipped:
- CLI: add
boundaries <path>with--preset,--list,--config,--json, and stable exit1when violations exist. - MCP: add
check_boundaries. - Add presets: bulletproof, layered, hexagonal, feature-sliced.
- Add custom
boundaries.zones[]withpatterns[]andautoDiscover. - Add directed
boundaries.rules[]withfrom -> allow/forbid. - Emit stable boundary violation IDs with
forbidden-edge,disallowed-edge, andrisky-re-export-chainkinds. - Add
no-boundary-violationstocheck, includingnew-onlybaseline behavior for PR gates. - Add CH-P2-05 boundary subchain coverage for CLI JSON/text, exit codes, custom config, preset override, real stdio MCP parity, and
check --gate new-only.
Status: Shipped through check + ci.
Integrated:
cirunscheck, so configuredno-boundary-violationsparticipates in PR gates.- PR annotation/markdown formats are available through
checkandci.
Make PR enforcement easy and local-first.
Status: Shipped in the 2.5.0 completion canary PR.
Commands:
codebase-intelligence ci .
codebase-intelligence ci . --base origin/main --new-only
codebase-intelligence ci . --format sarif --output codebase-intelligence.sarif
codebase-intelligence ci . --comment markdown --summary
codebase-intelligence ci . --baseline .codebase-intelligence/baseline.jsonShipped:
- Add first-class
ciwrapper aroundcheck,changes, health, baselines, local history, and changed workspace facts. - Default to new findings only on PRs.
- Support
--fail-on error|warn|never,--min-score <n>,--max-new <n>, and--baseline <path>. - Keep SARIF output and add annotations, PR markdown, JSON, badge, CodeClimate, and compact terminal summaries.
- Stable exit codes:
0 pass,1 gate failed,2 invalid config/runtime,3 analyzer error. - Add
doctor --profile cichecks for workflow wiring and setup visibility.
Deferred beyond stable 2.5.0:
- Generated external CI template scaffolding. The repo already ships real CI/publish workflows, and
doctornow reports workflow wiring.
Add a read-only setup auditor for humans, CI, MCP, and coding agents.
Status: Shipped in the 2.5.0 completion canary PR.
codebase-intelligence doctor
codebase-intelligence doctor --agent codex
codebase-intelligence doctor --agent claude
codebase-intelligence doctor --profile ci
codebase-intelligence doctor --json- Check runtime, package manager, project roots, config schema, graph build, cache path, CLI help, MCP registry, CI workflow, and agent instructions.
- Emit JSON with
status,checks[],fix, anddocs. - Support local, CI, agent, and MCP profiles plus Codex, Claude, Cursor, and generic agent modes.
- Keep doctor read-only: exact commands, no automatic mutation.
Make findings portable across CI, review, and agents.
Status: Shipped in the 2.5.0 completion canary PR.
- Add missing formatters: CodeClimate, PR-comment, inline review envelopes, CI annotations, badge, markdown, compact.
- Add line-level filtering via
--diff-file <path>/--changed-since <ref>. - Add typed
actions[]to every finding. - Keep
actions[]advisory only.
Status: Shipped in the 2.5.0 completion canary PR.
- Add cognitive complexity alongside cyclomatic complexity.
- Expose it in
hotspots,file,health, and CI outputs.
Status: Shipped in the 2.5.0 completion canary PR.
- Add
owners <path>with--group-by owner|package|directory. - Use CODEOWNERS + git history for ownership and bus-factor signals.
- Add static coverage-gap detection.
- Add refactor target filtering with
--effort.
Status: Shipped as an advisory foundation in the 2.5.0 completion canary PR.
- Ship
lsp <path>for stdio LSP mode andlsp --diagnostics --jsonfor batch snapshots. - Surface diagnostics for risk hotspots, dead exports, and circular dependencies.
- Add hover facts: blast radius, fan-in/out, PageRank, dead export count, and duplicate status.
- Keep code actions navigational/advisory only.
Status: Shipped in the 2.5.0 completion canary PR.
- Add ranked extraction/consolidation recommendations.
- Add effort estimates.
- Add locality/tension recommendations from graph force analysis.
- Add seam proposals tied to fan-in/fan-out evidence.
Status: Shipped in the 2.5.0 completion canary PR.
- Watch mode.
- Monorepo workspace scoping.
- Cross-package circular dependency checks.
--changed-workspaces.- Config migration from common analyzer configs.
explain <rule>.- Opt-in secret-leak scan.
hooks install.- Local finding history for trends.
--productionmode that excludes test/dev files.
Competitor names stay in docs only. This section exists to preserve comparison context without leaking names into runtime surfaces.
| Tool | Strong surface | Gap/opportunity for us |
|---|---|---|
| Knip | Unused files, dependencies, exports, monorepo/workspace awareness | Match unused/dependency parity, then beat it with graph evidence, context packs, and route/scope ownership. |
| dependency-cruiser | Dependency rule validation, circular dependency checks, visualization, baselines | Match declarative boundaries and baselines; beat it with symbol/type graph, Highways, and prescriptive reroute proposals. |
| Madge | Quick dependency graphs and circular dependency discovery | Make graph export/view UX easy; keep graph richer than file imports. |
| jscpd | Copy/paste and duplicate-code thresholds | Match strict/near clone detection; beat it with semantic shape/route duplication via Highways. |
| Biome | ci command ergonomics and fast terminal UX |
Add first-class ci; keep help/examples predictable for agents. |
| SonarQube/SonarCloud | Quality gates, PR analysis, new-code policy, hosted dashboards | Add local-first gates, baseline/new-only PR behavior, SARIF/annotations, no hosted dependency. |
| ESLint boundaries plugin | Import boundary enforcement in lint pipelines | Offer repo-level graph rules beyond imports: symbols, types, scopes, routes, sinks. |
| Expo/React Native/npm doctor | Setup diagnostics | Make doctor product-grade, read-only, JSON-capable, and agent-aware. |
| publint / Are The Types Wrong | Package public-surface validation | Add package-entrypoint/public API health checks for libraries. |
- Commit to CSS / utility-class unused analysis, or leave deferred?
- Commit to template-aware dead code for Vue/Svelte/Angular, or leave deferred?
- Expose a stable Node.js programmatic API, or stay CLI + MCP?
- Generate
schema.jsonfrom zod or hand-maintain it with a drift test? - Keep
codebase-intelligence.json, or choose a shorter config name? - Rank context packs by graph metrics first, or by task intent?
- Generate agent docs only, or publish first-party Codex/Claude Code skills/plugins from this repo?
- Keep
.code-visualizer/ignored forever, or remove it from generated.gitignoreafter one stable release?
- 2026-07-01: Content drift ships as
drift/detect_content_drift; first run is report-only, and CI gating waits for a baseline feature. - 2026-07-01: Highways name stays; H2 emits proposal metadata plus a code skeleton.
- 2026-07-01: Deterministic semantic duplication is deferred beyond stable
2.5.0;2.5.0ships strict/mild/weak clone families plus Highways shared-callee evidence. - 2026-07-01:
mapships JSON plus DOT/GraphML/markdown export; first-party 2D/3D viewer is deferred until structured graph output has canary usage. - 2026-07-01: Doctor profiles ship as
local,ci,agent, andmcp. - 2026-07-01: CI ships as first-class
ci, notcheck --ci. - 2026-07-01: PR output ships as generated markdown/annotations, not direct hosting-platform API mutation.
- 2026-07-01: Baselines use an explicit configurable path, with
.codebase-intelligence/baseline.jsonas the documented convention. - 2026-07-01: Quality scoring ships as one global health score first; per-scope scores remain future work.
- Parity: dead-code, duplication, circular-dependency, boundary, and PR-gate behavior meets expected TS/JS analyzer baseline with fewer framework false positives.
- Highways: the tool finds at least one accepted consolidation opportunity on a mature repo and proposes a canonical path a team can build.
- Map: an agent can answer "what owns this shape?", "what routes reach this sink?", and "what files do I need for this task?" from structured graph output.
- Drift: the tool flags real file/folder/content mismatch with evidence from names, imports, calls, types, side effects, tests, and churn.
- Doctor: a fresh repo gets a complete read-only setup report with exact fix commands for config, graph build, MCP, CI, and agent instructions.
- Migration:
.code-visualizer/migrates to.codebase-intelligence/without data loss; new repos can add.codebase-intelligence/to.gitignore. - CI: maintainers can run one local/CI command and fail PRs only on new severe findings, with SARIF/annotations/summary and stable exit codes.
- Determinism: identical inputs produce identical outputs; every finding traces to graph evidence.