codebase-intelligence
mcp
Fail
Health Warn
- License — License: MIT
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Low visibility — Only 5 GitHub stars
Code Fail
- rm -rf — Recursive force deletion command in package.json
- execSync — Synchronous shell command execution in src/cli.ts
- fs.rmSync — Destructive file system operation in src/cli.ts
- execSync — Synchronous shell command execution in src/core/index.ts
Permissions Pass
- Permissions — No dangerous permissions requested
Purpose
This tool provides CLI-first TypeScript codebase analysis, computing architectural metrics, dependency impacts, and dead-export detection. It also includes an optional MCP server to expose these analytics to AI agents.
Security Assessment
Overall risk is rated as High. The scan flagged multiple severe operational concerns, including hardcoded `rm -rf` recursive deletion commands in the package configuration and direct `fs.rmSync` operations in the CLI script. Additionally, the tool utilizes synchronous shell command execution (`execSync`) in multiple core files. While no hardcoded secrets or explicit dangerous network permissions were found, the combination of arbitrary command execution and destructive file system operations poses a significant threat. If connected to an MCP interface or used in a CI pipeline, a malicious actor or compromised agent could leverage these capabilities to permanently delete critical project files or execute unintended system commands.
Quality Assessment
The project is actively maintained, with its most recent push happening today. It utilizes strict TypeScript practices and is properly licensed under the standard MIT license, making it legally clear for integration. However, community trust is minimal right now. The repository has only 5 GitHub stars, indicating that the codebase has not been broadly tested or reviewed by the wider developer community. Because of this low visibility, hidden vulnerabilities or unstable behaviors are much more likely to go unnoticed.
Verdict
Not recommended due to the presence of highly destructive file system commands and unsanitized shell execution capabilities.
This tool provides CLI-first TypeScript codebase analysis, computing architectural metrics, dependency impacts, and dead-export detection. It also includes an optional MCP server to expose these analytics to AI agents.
Security Assessment
Overall risk is rated as High. The scan flagged multiple severe operational concerns, including hardcoded `rm -rf` recursive deletion commands in the package configuration and direct `fs.rmSync` operations in the CLI script. Additionally, the tool utilizes synchronous shell command execution (`execSync`) in multiple core files. While no hardcoded secrets or explicit dangerous network permissions were found, the combination of arbitrary command execution and destructive file system operations poses a significant threat. If connected to an MCP interface or used in a CI pipeline, a malicious actor or compromised agent could leverage these capabilities to permanently delete critical project files or execute unintended system commands.
Quality Assessment
The project is actively maintained, with its most recent push happening today. It utilizes strict TypeScript practices and is properly licensed under the standard MIT license, making it legally clear for integration. However, community trust is minimal right now. The repository has only 5 GitHub stars, indicating that the codebase has not been broadly tested or reviewed by the wider developer community. Because of this low visibility, hidden vulnerabilities or unstable behaviors are much more likely to go unnoticed.
Verdict
Not recommended due to the presence of highly destructive file system commands and unsanitized shell execution capabilities.
CLI-first TypeScript codebase analysis with hotspots, impact, dead-export detection, and architecture metrics. Includes optional MCP server for AI agents.
README.md
codebase-intelligence
CLI-first codebase analysis for TypeScript projects.
Parse your codebase, build a dependency graph, compute architectural metrics, and query everything from your terminal/CI. MCP support is included as an optional secondary interface.
Quick Start
CLI (recommended)
npx codebase-intelligence overview ./src
Common workflows:
npx codebase-intelligence hotspots ./src --metric complexity --limit 10
npx codebase-intelligence impact ./src parseCodebase
npx codebase-intelligence dead-exports ./src --limit 20
npx codebase-intelligence changes ./src --json
MCP (optional)
claude mcp add -s user -t stdio codebase-intelligence -- npx -y codebase-intelligence@latest .
Table of Contents
- Features
- Installation
- CLI Usage
- MCP Integration (Secondary)
- Metrics
- Architecture
- Requirements
- Limitations
- Release
- Contributing
- License
Features
- 15 CLI commands for architecture analysis, dependency impact, dead code detection, and search
- Machine-readable JSON output (
--json) for automation and CI pipelines - Auto-cached index in
.code-visualizer/for fast repeat queries - 11 architectural metrics — PageRank, betweenness, coupling, cohesion, tension, churn, complexity, blast radius, dead exports, test coverage, escape velocity
- Symbol-level analysis — callers/callees, symbol importance, impact blast radius
- BM25 search — ranked keyword search across files and symbols
- Process tracing — detect entry points and execution flows through the call graph
- Community detection — Louvain clustering for natural file groupings
- MCP parity (secondary) — same analysis available as 15 MCP tools, 2 prompts, and 3 resources
Installation
Run directly with npx (no install):
npx codebase-intelligence overview ./src
Or install globally:
npm install -g codebase-intelligence
codebase-intelligence overview ./src
CLI Usage
codebase-intelligence <command> <path> [options]
Commands
| Command | What it does |
|---|---|
overview |
High-level codebase snapshot |
hotspots |
Rank files by metric (coupling, churn, complexity, blast radius, coverage, etc.) |
file |
Full context for one file |
search |
BM25 keyword search |
changes |
Git diff analysis with risk metrics |
dependents |
File-level blast radius |
modules |
Module architecture + cross-dependencies |
forces |
Cohesion/tension/escape-velocity analysis |
dead-exports |
Unused export detection |
groups |
Top-level directory groups + aggregate metrics |
symbol |
Callers/callees and symbol metrics |
impact |
Symbol-level blast radius |
rename |
Reference discovery for rename planning |
processes |
Entry-point execution flow tracing |
clusters |
Community-detected file clusters |
Useful flags
| Flag | Description |
|---|---|
--json |
Stable JSON output |
--force |
Rebuild index even if cache is valid |
--limit <n> |
Limit results on supported commands |
--metric <m> |
Select ranking metric for hotspots |
For full command details, see docs/cli-reference.md.
MCP Integration (Secondary)
Running without a subcommand starts the MCP stdio server (backward compatible):
npx codebase-intelligence ./src
Claude Code (manual)
Add to .mcp.json:
{
"mcpServers": {
"codebase-intelligence": {
"type": "stdio",
"command": "npx",
"args": ["-y", "codebase-intelligence@latest", "./src"],
"env": {}
}
}
}
Cursor / VS Code
Add to .cursor/mcp.json or .vscode/mcp.json:
{
"servers": {
"codebase-intelligence": {
"command": "npx",
"args": ["-y", "codebase-intelligence@latest", "./src"]
}
}
}
For MCP tool details, see docs/mcp-tools.md.
Metrics
| Metric | What it reveals |
|---|---|
| PageRank | Most-referenced files (importance) |
| Betweenness | Bridge files between disconnected modules |
| Coupling | How tangled a file is (fan-out / total connections) |
| Cohesion | Does a module belong together? (internal / total deps) |
| Tension | Is a file torn between modules? (entropy of cross-module pulls) |
| Escape Velocity | Should this module be its own package? |
| Churn | Git commit frequency |
| Complexity | Average cyclomatic complexity of exports |
| Blast Radius | Transitive dependents affected by a change |
| Dead Exports | Unused exports (safe to remove) |
| Test Coverage | Whether a test file exists for each source file |
Architecture
codebase-intelligence <command> <path>
|
v
+---------+ +---------+ +----------+
| Parser | --> | Graph | --> | Analyzer |
| TS AST | | grapho- | | metrics |
| | | logy | | |
+---------+ +---------+ +----------+
|
+--> CLI output (default)
+--> MCP stdio (optional mode)
- Parser — extracts files, functions, and imports via TypeScript Compiler API.
- Graph — builds dependency/call graphs with graphology.
- Analyzer — computes file/module/symbol metrics.
- Interfaces — CLI is primary; MCP is available for agent integrations.
Requirements
- Node.js >= 18
- TypeScript codebase (
.ts/.tsxfiles)
Limitations
- TypeScript-focused analysis
- Static analysis only (no runtime tracing)
- Call graph confidence varies by symbol resolution quality
Release
Publishing is automated through GitHub Actions.
Normal CI (before release)
CIworkflow runs on every PR and push tomain:- lint → typecheck → build → test
Canary publish
- Pushes to
maintrigger a canary publish. - The package is published to npm with the
canarytag. - Canary versions are derived from the current package version plus the short commit SHA.
Create a release
- Bump
package.jsonversion in a normal PR. - Merge that PR to
main. - Run the
Publishworkflow manually from GitHub Actions. - The workflow will:
- verify the tag does not already exist
- create and push
vX.Y.Z - publish to npm with provenance via OIDC
- create a GitHub Release with generated notes
No PAT is required for npm publish. The workflow uses GitHub repository permissions for tagging and OIDC for npm publishing.
Contributing
Contributions are welcome. Please open an issue first to discuss what you'd like to change.
git clone https://github.com/bntvllnt/codebase-intelligence.git
cd codebase-intelligence
pnpm install
pnpm dev # tsx watch mode
pnpm test # vitest
pnpm lint # eslint
pnpm typecheck # tsc --noEmit
pnpm build # production build
License
Reviews (0)
Sign in to leave a review.
Leave a reviewNo results found