npm - depwire-cli - Versions diffs - 0.9.28 → 0.9.30 - Mend

depwire-cli 0.9.28 → 0.9.30

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md +225 -668
package/dist/{chunk-VJLBOFCD.js → chunk-FUIZQCYB.js} +1 -1
package/dist/{chunk-ITEGMPF7.js → chunk-WUSXCZXA.js} +2 -4
package/dist/index.js +2 -2
package/dist/mcpb-entry.js +2 -2
package/dist/sdk.js +1 -1
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -1,183 +1,93 @@
 # Depwire
+<div align="center">
 [![npm version](https://img.shields.io/npm/v/depwire-cli.svg?style=flat-square)](https://www.npmjs.com/package/depwire-cli)
 [![npm downloads](https://img.shields.io/npm/dm/depwire-cli.svg?style=flat-square)](https://www.npmjs.com/package/depwire-cli)
-[![depwire MCP server](https://glama.ai/mcp/servers/depwire/depwire/badges/score.svg)](https://glama.ai/mcp/servers/depwire/depwire)
-[![License](https://img.shields.io/badge/license-BUSL--1.1-blue.svg?style=flat-square)](LICENSE)
+[![MCP Registry](https://img.shields.io/badge/MCP-registry-blue?style=flat-square)](https://registry.modelcontextprotocol.io/servers/io.github.atef-ataya/depwire)
+[![Glama](https://glama.ai/mcp/servers/depwire/depwire/badges/score.svg)](https://glama.ai/mcp/servers/depwire/depwire)
+[![License](https://img.shields.io/badge/license-BUSL--1.1-orange.svg?style=flat-square)](LICENSE)
 [![GitHub stars](https://img.shields.io/github/stars/depwire/depwire.svg?style=flat-square)](https://github.com/depwire/depwire/stargazers)
-[![GitHub forks](https://img.shields.io/github/forks/depwire/depwire.svg?style=flat-square)](https://github.com/depwire/depwire/network/members)
-![Depwire - Arc diagram visualization of the Hono framework](./assets/depwire-hero.png)
-**The missing context layer for AI coding assistants.**
-Deterministic dependency graph. 17 MCP tools. Architecture health. What If simulation. Security scanner.
-The context layer that turns vibe coding into software engineering.
-⭐ **If Depwire helps you, please [star the repo](https://github.com/depwire/depwire)** — it helps this open-source project grow into an enterprise tool.
-Depwire analyzes codebases to build a cross-reference graph showing how every file, function, and import connects. It provides:
-- 🎨 **Beautiful arc diagram visualization** — Interactive Harrison Bible-style graphic
-- 🤖 **MCP server for AI tools** — Cursor, Claude Desktop get full dependency context
-- 📊 **Dependency health score** — 0-100 score across 6 dimensions (coupling, cohesion, circular deps, god files, orphans & dead code, depth)
-- 📄 **Auto-generated documentation** — 13 comprehensive documents: architecture, conventions, dependencies, onboarding, file catalog, API surface, error patterns, test coverage, git history, full snapshot, TODO/FIXME inventory, health report, and dead code analysis
-- 🔍 **Impact analysis** — "What breaks if I rename this function?" answered precisely
-- 🧹 **Dead code detection** — Find symbols that are defined but never referenced, categorized by confidence level
-- 👀 **Live updates** — Graph stays current as you edit code
-- 🌍 **Multi-language** — TypeScript, JavaScript, Python, Go, Rust, and C
-## Installation
-![Installation](./assets/installation.gif)
-```bash
-npm install -g depwire-cli
-```
+</div>
-Or use directly with `npx`:
-```bash
-npx depwire-cli --help
-```
+**Your AI doesn't know your architecture. Depwire does.**
-## Telemetry
+Depwire is the infrastructure layer between your AI coding assistant and your codebase. Before your AI touches a single file, Depwire has already mapped every connection, scored every risk, and simulated every change.
-Depwire collects **anonymous usage data** to help prioritize development.
+![Depwire CLI demo on honojs/hono](./assets/depwire-demo-cli.gif)
-**What we collect:** Command name, Depwire version, OS, Node.js version
+⭐ If Depwire saves you from a broken build, [star the repo](https://github.com/depwire/depwire) — it helps this project grow.
-**What we never collect:** File paths, code content, repo names, usernames, emails, or any personal data.
+---
-**To opt out:**
-```bash
-export DEPWIRE_NO_TELEMETRY=1
-```
+## The problem
-We also respect `DO_NOT_TRACK=1`. [Privacy Policy](https://depwire.dev/privacy)
+AI coding tools are getting smarter. But they still have a fundamental blind spot: they don't know your architecture before they touch it.
-## Quick Start
+You ask Claude to delete a utility file. It deletes it cleanly. Confident. No warnings.
-### CLI Usage
+Then you run the build. 30 files broken.
-```bash
-# Auto-detects project root from current directory
-depwire viz
-depwire parse
-depwire docs
-depwire health
-depwire dead-code
-depwire temporal
-depwire whatif
-depwire security
+Claude had no idea. It saw one file. It didn't see the 30 downstream consumers.
-# Or specify a directory explicitly
-npx depwire-cli viz ./my-project
-npx depwire-cli parse ./my-project
-npx depwire-cli dead-code ./my-project
-npx depwire-cli temporal ./my-project
+This isn't a model problem. It's a context problem. The AI is flying blind.
-# Temporal visualization options
-npx depwire-cli temporal --commits 20 --strategy monthly --verbose --stats
+---
-# Exclude test files and node_modules
-npx depwire-cli parse --exclude "**/*.test.*" "**/node_modules/**"
+## The infrastructure layer
-# Show detailed parsing progress
-npx depwire-cli parse --verbose
+![Depwire architecture](./assets/architecture.svg)
-# Export with pretty-printed JSON and statistics
-npx depwire-cli parse --pretty --stats
+Depwire sits between your AI and your codebase. It builds a complete dependency graph using tree-sitter — deterministic, not probabilistic — and serves it to your AI through 17 MCP tools.
-# Generate codebase documentation
-npx depwire-cli docs --verbose --stats
+Four guarantees:
-# Custom output file
-npx depwire-cli parse -o my-graph.json
-```
+- **Local** — everything runs on your machine. No cloud parsing. No data sent anywhere.
+- **Secure** — your code never leaves your machine. The security scanner requires no API key.
+- **Token-efficient** — Depwire serves pre-computed graph data. Your AI gets surgical answers, not file dumps. 40% fewer tool calls. 56% fewer file reads.
+- **Deterministic** — tree-sitter parses your code the same way every time. 100% accurate. Not a guess.
-### Claude Desktop
+---
-Add to your Claude Desktop config (`~/Library/Application Support/Claude/claude_desktop_config.json` on macOS):
+## Start here
-```json
-{
-  "mcpServers": {
-    "depwire": {
-      "command": "npx",
-      "args": ["-y", "depwire-cli", "mcp"]
-    }
-  }
-}
+```bash
+npm install -g depwire-cli
 ```
-**Depwire auto-detects your project root. No path configuration needed.**
+Three commands to understand any codebase:
-Then in chat:
-```
-Show me the architecture.
+```bash
+depwire viz        # open interactive arc diagram in browser
+depwire whatif     # simulate changes before touching code
+depwire security   # scan for vulnerabilities
 ```
-### Cursor
-Settings → Features → Experimental → Enable MCP → Add Server:
-- Command: `npx`
-- Args: `-y depwire-cli mcp`
-**Depwire auto-detects your project root from the current working directory.**
+---
-## Available MCP Tools
+## What If simulation
-| Tool | What It Does |
-|------|-------------|
-| `connect_repo` | Connect to any local project or GitHub repo |
-| `impact_analysis` | What breaks if you change a symbol? |
-| `get_file_context` | Full context — imports, exports, dependents |
-| `get_dependencies` | What does a symbol depend on? |
-| `get_dependents` | What depends on this symbol? |
-| `search_symbols` | Find symbols by name |
-| `get_architecture_summary` | High-level project overview |
-| `list_files` | List all files with stats |
-| `get_symbol_info` | Look up any symbol's details |
-| `visualize_graph` | Generate interactive arc diagram visualization |
-| `get_project_docs` | Retrieve auto-generated codebase documentation |
-| `update_project_docs` | Regenerate documentation on demand |
-| `get_health_score` | Get 0-100 dependency health score with recommendations |
-| `find_dead_code` | Find dead code — symbols defined but never referenced |
-| `get_temporal_graph` | Show how the graph evolved over git history |
-| `simulate_change` | Simulate a move/delete/rename/split/merge before touching code. Returns health score delta, broken imports, and affected nodes. Zero file I/O. |
-| `security_scan` | Scan for security vulnerabilities with graph-aware severity elevation. No API key required. |
-## SDK
-depwire-cli exposes a public SDK for programmatic use:
+Know the blast radius before you touch anything.
 ```bash
-npm install depwire-cli
+depwire whatif . --simulate delete --target src/utils/encode.ts
 ```
-```typescript
-import {
-  parseProject,
-  buildGraph,
-  calculateHealthScore,
-  analyzeDeadCode,
-  generateDocs,
-  scanSecurity,
-  SimulationEngine,
-  searchSymbols,
-  getImpact,
-  getArchitectureSummary,
-  DepwireSDKVersion
-} from 'depwire-cli/sdk';
-```
+Real output on [honojs/hono](https://github.com/honojs/hono) — 352 files, 6,245 symbols:
-The SDK is the stable public API surface. All cloud and tooling integrations
-should import from `depwire-cli/sdk` — never from internal paths.
+    Health Score:    41 → 41  (+0 → unchanged)
+    Affected Nodes:  29
+    Broken Imports:  30
+    • src/utils/jwt/jwt.ts imports decodeBase64Url
+    • src/adapter/aws-lambda/handler.ts imports encodeBase64
+    • src/utils/basic-auth.ts imports decodeBase64
+    [27 more...]
+    Removed Edges:   32
-## What If Simulation
+Before touching a single file. Zero file I/O. Pure in-memory simulation.
-Simulate architectural changes before touching any code:
+Five operations:
 ```bash
 depwire whatif . --simulate delete --target src/utils/encode.ts
@@ -187,633 +97,280 @@ depwire whatif . --simulate split --target src/services/auth.ts --symbols "valid
 depwire whatif . --simulate merge --target src/utils/helpers.ts --merge-target src/utils/formatters.ts
 ```
-Returns: health score delta, broken imports, affected nodes, circular deps introduced/resolved.
-Also available as MCP tool `simulate_change` for AI coding assistants.
+Run without `--simulate` to open the browser UI — side-by-side arc diagrams showing current vs simulated state.
+---
-## Security Scanner
+## Security scanner
-Scan your codebase for security vulnerabilities before AI-generated code ships to production:
+AI-generated code ships vulnerabilities. Depwire catches them before they reach production.
 ```bash
-depwire security .                          # Full repo scan
-depwire security . --target src/auth.ts    # Single file
-depwire security . --format sarif          # GitHub Security tab
-depwire security . --fail-on high          # CI gate — exit 1 if HIGH+
-depwire security . --class injection       # Specific check only
+depwire security .                        # full repo scan
+depwire security . --target src/auth.ts   # single file
+depwire security . --format sarif         # GitHub Security tab integration
+depwire security . --fail-on high         # CI gate — exit 1 if HIGH or above
+depwire security . --class injection      # specific check only
 ```
-10 vulnerability categories:
-- Dependency CVEs (npm/pip/cargo/go audit)
-- Shell injection + code injection
-- Hardcoded secrets (API keys, passwords, private keys)
-- Path traversal
-- Auth bypass patterns
-- Input validation gaps
-- Information disclosure
-- Cryptography weaknesses
-- Frontend XSS (dangerouslySetInnerHTML, localStorage tokens)
-- Architecture-level risks (graph-powered severity elevation)
-Graph-aware severity: vulnerabilities reachable from MCP tools or HTTP routes are automatically elevated. Available as MCP tool `security_scan` and via `depwire-cli/sdk`.
+Real output on honojs/hono:
-## Why Depwire
+    6 Critical  19 High  14 Medium  1 Low
-| Feature | Depwire | Standard RAG (Fuzzy Search) | LLM Native Scanning |
-|---------|---------|----------------------------|---------------------|
-| Logic | Deterministic Graph | Probabilistic Match | Brute Force Reading |
-| Precision | 100% (Tree-sitter AST) | ~70% (Embedding match) | Varies — hallucination prone |
-| Refactor Safety | High — traces full call chains | Low — misses indirect refs | Zero — blind edits |
-| Token Cost | Ultra-low — surgical reads | High — context stuffing | Extreme — scans everything |
-| Circular Detection | Built-in | Not possible | Occasional |
-| What If Simulation | Before touching code | Not possible | Not possible |
-| Architecture Health Score | 0-100 with dimensions | Not possible | Not possible |
-## GitHub Action — PR Impact Analysis
-Depwire integrates directly into your CI/CD pipeline via the [depwire-action](https://github.com/depwire/depwire-action) GitHub Action.
-On every pull request, it automatically:
-- Analyzes which symbols and files are affected by the changes
-- Posts a dependency impact report as a PR comment
-- Shows added, removed, and changed dependencies
-- Helps reviewers understand the architectural blast radius before merging
-### Usage
-Add this to `.github/workflows/depwire.yml`:
-```yaml
-name: Depwire PR Impact
-on:
-  pull_request:
-    branches: [main]
-jobs:
-  impact:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - uses: depwire/depwire-action@v1
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-```
+10 check categories — dependency CVEs, shell injection, hardcoded secrets, path traversal, auth bypass, input validation, information disclosure, cryptography weaknesses, frontend XSS, and architecture-level risks.
-### Links
-- [GitHub Marketplace](https://github.com/marketplace/actions/depwire-pr-impact)
-- [depwire-action repository](https://github.com/depwire/depwire-action)
+Graph-aware severity: a medium shell injection reachable from an MCP tool or HTTP route is automatically elevated to critical. This is what no generic SAST tool can replicate — Depwire knows your architecture, so it knows what's actually reachable.
-## Supported Languages
+Available as MCP tool `security_scan` and via `depwire-cli/sdk`.
-| Language | Extensions | Features |
-|----------|-----------|----------|
-| TypeScript | `.ts`, `.tsx` | Full support — imports, classes, interfaces, types |
-| JavaScript | `.js`, `.jsx`, `.mjs`, `.cjs` | ES modules, CommonJS require(), JSX components |
-| Python | `.py` | Imports, classes, decorators, inheritance |
-| Go | `.go` | go.mod resolution, structs, interfaces, methods |
-| Rust | `.rs` | Functions, structs, enums, traits, impl blocks, use declarations |
-| C | `.c`, `.h` | Functions, structs, enums, typedefs, macros, #include directives |
+---
 ## Visualization
-![Depwire CLI](./assets/viz-command.gif)
-![Interactive Arc Diagram](./assets/graph.gif)
+![Depwire arc diagram visualization](./assets/depwire-demo-viz.gif)
 ```bash
-# Auto-detects project root (run from anywhere in your project)
 depwire viz
-# Or specify a directory explicitly
-depwire viz ./my-project
-# Custom port
-depwire viz --port 8080
-# Exclude test files from visualization
-depwire viz --exclude "**/*.test.*"
-# Verbose mode with detailed parsing logs
-depwire viz --verbose
-# Don't auto-open browser
-depwire viz --no-open
 ```
-Opens an interactive arc diagram in your browser:
-- Rainbow-colored arcs showing cross-file dependencies
-- Hover to explore connections
-- Click to filter by file
-- Search by filename
-- **Live refresh when files change** — Edit code and see the graph update in real-time
-- Export as SVG or PNG
-- **Port collision handling** — Automatically finds an available port if default is in use
+Interactive arc diagram of your entire codebase. Every file, every connection, every dependency visible at once. Hover to inspect. Click to filter. Export as PNG or SVG.
-## Temporal Graph
+---
-Visualize how your codebase architecture evolved over git history. Scrub through time with an interactive timeline slider.
+## Temporal graph
-![Depwire Temporal Graph](assets/depwire-temporal-hono.gif)
+![Depwire temporal graph on honojs/hono](./assets/depwire-temporal-hono.gif)
 ```bash
-# Auto-detects project root
 depwire temporal
-# Sample 20 commits with monthly snapshots
-depwire temporal --commits 20 --strategy monthly
-# Verbose mode with detailed progress
-depwire temporal --verbose --stats
-# Custom port
-depwire temporal --port 3335
-```
-**Options:**
-- `--commits <number>` — Number of commits to sample (default: 20)
-- `--strategy <type>` — Sampling strategy: `even`, `weekly`, `monthly` (default: `even`)
-- `-p, --port <number>` — Server port (default: 3334)
-- `--output <path>` — Save snapshots to custom path (default: `.depwire/temporal/`)
-- `--verbose` — Show progress for each commit being parsed
-- `--stats` — Show summary statistics at end
-Opens an interactive temporal visualization in your browser:
-- Timeline slider showing all sampled commits
-- Arc diagram morphing between snapshots
-- Play/pause animation with speed controls (0.5×, 1×, 2×)
-- Statistics panel with growth deltas
-- Evolution chart tracking files/symbols/edges over time
-- Auto-zoom to fit all arcs on snapshot change
-- Search to highlight specific files across time
-## 🪦 Dead Code Detection
-Find unused symbols across your codebase before they become technical debt.
-- Detects symbols with zero incoming references (never called, never imported)
-- Confidence scoring: **high** (definitely dead), **medium** (probably dead), **low** (might be dead)
-- Smart exclusion rules — ignores entry points, test files, barrel files, and config files to reduce false positives
-- Filter by confidence level, export as JSON for CI pipelines
-- Integrated into the health score (orphans dimension)
-- New MCP tool: `find_dead_code` — AI assistants can query dead code directly
-- New document generator: `DEAD_CODE.md` — auto-generated dead code report
-```bash
-depwire dead-code
-depwire dead-code --confidence high
-depwire dead-code --stats
-depwire dead-code --json
-```
-**Confidence Levels:**
-- 🔴 **High confidence (definitely dead)**: Not exported with zero references, or exported but never used
-- 🟡 **Medium confidence (probably dead)**: Exported from barrel files with zero dependents, or only used in test files
-- ⚪ **Low confidence (might be dead)**: Exported from package entry points, types with zero dependents, or in dynamic-use directories (routes, middleware, etc.)
-The dead code detector automatically excludes:
-- Entry point files (index.ts, main.ts, server.ts, etc.)
-- Test files (*.test.*, *.spec.*, __tests__/)
-- Config files (*.config.*)
-- Type declarations (*.d.ts)
-- Framework auto-loaded directories (pages/, routes/, middleware/, commands/)
-## How It Works
-1. **Parser** — tree-sitter extracts every symbol and reference
-2. **Graph** — graphology builds an in-memory dependency graph
-3. **MCP** — AI tools query the graph for context-aware answers
-4. **Viz** — D3.js renders the graph as an interactive arc diagram
-## CLI Reference
-### `depwire parse [directory]`
-Parse a project and export the dependency graph as JSON.
-**Directory argument is optional** — Depwire auto-detects your project root by looking for `package.json`, `tsconfig.json`, `go.mod`, `pyproject.toml`, `setup.py`, or `.git`.
-**Options:**
-- `-o, --output <path>` — Output file path (default: `depwire-output.json`)
-- `--exclude <patterns...>` — Glob patterns to exclude (e.g., `"**/*.test.*" "dist/**"`)
-- `--verbose` — Show detailed parsing progress (logs each file as it's parsed)
-- `--pretty` — Pretty-print JSON output with indentation
-- `--stats` — Print summary statistics (file count, symbol count, edges, timing)
-**Examples:**
-```bash
-# Auto-detect project root
-depwire parse
-# Explicit directory
-depwire parse ./src
-# Exclude test files and build outputs
-depwire parse --exclude "**/*.test.*" "**/*.spec.*" "dist/**" "build/**"
-# Full verbosity with stats
-depwire parse --verbose --stats --pretty -o graph.json
 ```
-### `depwire viz [directory]`
-Start visualization server and open arc diagram in browser.
-**Directory argument is optional** — Auto-detects project root.
+Watch your architecture evolve over git history. Timeline slider scrubs through commits — the arc diagram morphs as your codebase grew, coupled, and refactored. Nobody else does this.
-**Options:**
-- `--port <number>` — Port number (default: 3456, auto-increments if in use)
-- `--exclude <patterns...>` — Glob patterns to exclude
-- `--verbose` — Show detailed parsing progress
-- `--no-open` — Don't automatically open browser
-**Examples:**
-```bash
-# Auto-detect and visualize
-depwire viz
+---
-# Explicit directory
-depwire viz ./src
+## All commands
-# Custom port without auto-open
-depwire viz --port 8080 --no-open
+| Command | Description |
+|---------|-------------|
+| `depwire viz` | Interactive arc diagram in browser |
+| `depwire whatif` | Simulate changes before touching code |
+| `depwire security` | Scan for vulnerabilities — graph-aware severity |
+| `depwire health` | 0-100 architecture health score across 6 dimensions |
+| `depwire dead-code` | Find unused symbols with confidence scoring |
+| `depwire docs` | Generate 13 architecture documents |
+| `depwire temporal` | Visualize architecture evolution over git history |
+| `depwire parse` | Parse and export dependency graph as JSON |
+| `depwire mcp` | Start MCP server for AI coding assistants |
-# Exclude test files with verbose logging
-depwire viz --exclude "**/*.test.*" --verbose
-```
+All commands auto-detect your project root. No path configuration needed.
-### `depwire mcp [directory]`
+---
-Start MCP server for AI tool integration (Cursor, Claude Desktop).
+## MCP server — AI integration
-**Directory argument is optional** — Auto-detects project root and connects automatically.
+Connect Depwire to any MCP-compatible AI tool. Your AI gets 17 tools it can call autonomously.
-**Examples:**
-```bash
-# Auto-detect and connect (recommended)
-depwire mcp
+**Claude Desktop** — add to `~/Library/Application Support/Claude/claude_desktop_config.json`:
-# Explicit directory
-depwire mcp /path/to/project
+```json
+{
+  "mcpServers": {
+    "depwire": {
+      "command": "npx",
+      "args": ["-y", "depwire-cli", "mcp"]
+    }
+  }
+}
 ```
-### `depwire docs [directory]`
-Generate comprehensive codebase documentation from your dependency graph.
-**Directory argument is optional** — Auto-detects project root.
-**Options:**
-- `--output <path>` — Output directory (default: `.depwire/` inside project)
-- `--format <type>` — Output format: `markdown` or `json` (default: `markdown`)
-- `--include <docs...>` — Comma-separated list of docs to generate (default: `all`)
-  - Values: `architecture`, `conventions`, `dependencies`, `onboarding`, `files`, `api_surface`, `errors`, `tests`, `history`, `current`, `status`, `health`, `all`
-- `--update` — Regenerate existing documentation
-- `--only <docs...>` — Used with `--update`, regenerate only specific docs
-- `--verbose` — Show generation progress
-- `--stats` — Show generation statistics
-- `--gitignore` — Add `.depwire/` to `.gitignore` automatically
-- `--no-gitignore` — Don't modify `.gitignore`
-**Examples:**
-```bash
-# Auto-detect and generate all docs
-depwire docs
-# Explicit directory
-depwire docs ./my-project
-# Show generation progress and stats
-depwire docs --verbose --stats
-# Regenerate existing docs
-depwire docs --update
-# Generate specific docs only
-depwire docs --include architecture,dependencies
-# Custom output directory
-depwire docs --output ./docs
-# Regenerate only conventions doc
-depwire docs --update --only conventions
-```
+**Cursor** — Settings → Features → Experimental → Enable MCP → Add Server:
+- Command: `npx`
+- Args: `-y depwire-cli mcp`
-**Generated Documents (13 total):**
-| Document | What It Contains |
-|----------|------------------|
-| `ARCHITECTURE.md` | Module structure, entry points, hub files, layer analysis, circular dependencies |
-| `CONVENTIONS.md` | Naming patterns, import/export style, detected design patterns |
-| `DEPENDENCIES.md` | Module dependency matrix, high-impact symbols, longest dependency chains |
-| `ONBOARDING.md` | Reading order (Foundation/Core/Entry Points), module map, key concepts, high-impact file warnings |
-| `FILES.md` | Complete file catalog with stats, orphan files, hub files |
-| `API_SURFACE.md` | All exported symbols (public API), most-used exports, unused exports |
-| `ERRORS.md` | Error handling patterns, error-prone files, custom error classes |
-| `TESTS.md` | Test file inventory, test-to-source mapping, untested files |
-| `HISTORY.md` | Git history + graph analysis, file churn, feature timeline |
-| `CURRENT.md` | Complete codebase snapshot (every file, symbol, connection) |
-| `STATUS.md` | TODO/FIXME/HACK inventory with priority matrix |
-| `HEALTH.md` | Dependency health score (0-100) across 6 dimensions with recommendations |
-| `DEAD_CODE.md` | Unused symbols by confidence level (high/medium/low) with smart exclusions |
-Documents are stored in `.depwire/` with `metadata.json` tracking generation timestamps for staleness detection.
-### `depwire health [directory]`
-Analyze dependency architecture health and get a 0-100 score across 6 quality dimensions.
-**Directory argument is optional** — Auto-detects project root.
-**Options:**
-- `--json` — Output as JSON (for CI/automation)
-- `--verbose` — Show detailed per-dimension breakdown
-**Dimensions Measured:**
-1. **Coupling (25%)** — How tightly connected are modules? Lower coupling = easier changes
-2. **Cohesion (20%)** — Do files in the same directory relate? Higher cohesion = better organization
-3. **Circular Dependencies (20%)** — Files depending on each other in cycles
-4. **God Files (15%)** — Files with abnormally high connection counts
-5. **Orphan Files (10%)** — Files with zero connections (dead code?)
-6. **Dependency Depth (10%)** — How deep are the dependency chains?
-**Examples:**
-```bash
-# Auto-detect and analyze
-depwire health
+![Claude Desktop with Depwire MCP](./assets/claude.gif)
-# Explicit directory
-depwire health ./my-project
+### 17 MCP tools
-# Detailed breakdown
-depwire health --verbose
+| Tool | Description |
+|------|-------------|
+| `connect_repo` | Connect to any local project or GitHub repo |
+| `get_architecture_summary` | High-level project overview |
+| `get_file_context` | Full context — imports, exports, dependents. Includes cross-language connections. |
+| `get_dependencies` | What does a symbol depend on? |
+| `get_dependents` | What depends on this symbol? |
+| `get_symbol_info` | Look up any symbol's details |
+| `search_symbols` | Find symbols by name across the codebase |
+| `list_files` | List all files with stats |
+| `impact_analysis` | What breaks if you change a symbol? Cross-language edges included. |
+| `visualize_graph` | Generate interactive arc diagram |
+| `get_health_score` | 0-100 health score with recommendations |
+| `find_dead_code` | Symbols defined but never referenced |
+| `get_project_docs` | Retrieve auto-generated codebase documentation |
+| `update_project_docs` | Regenerate documentation on demand |
+| `get_temporal_graph` | Architecture evolution over git history |
+| `simulate_change` | Simulate move/delete/rename/split/merge before touching code. Returns health delta, broken imports, affected nodes. Cross-language edges included. |
+| `security_scan` | Scan for vulnerabilities with graph-aware severity elevation. No API key required. |
-# JSON output for CI
-depwire health --json
-```
+---
-**Output:**
-- Overall score (0-100) with letter grade (A-F)
-- Per-dimension scores and grades
-- Actionable recommendations
-- Trend indicator (↑/↓ from last check)
+## Cross-language edge detection
-Health history is stored in `.depwire/health-history.json` (last 50 checks).
+Depwire detects connections between files written in different languages.
-### `depwire dead-code [directory]`
+A TypeScript `fetch('/api/users')` call matched to a Python `@app.get('/api/users')` route definition — that's a cross-language edge. Delete the Python route and Depwire shows the TypeScript callers as broken.
-Detect unused symbols across your codebase with confidence-based classification.
+Supported patterns:
+- REST API edges — fetch/axios calls matched to Express, FastAPI, Flask, Gin route definitions
+- Subprocess edges — execSync/subprocess.run calls matched to target files in the graph
-**Directory argument is optional** — Auto-detects project root.
+These edges flow through every existing feature: What If simulation, impact analysis, security scanner, and arc diagram visualization.
-**Options:**
-- `--confidence <level>` — Minimum confidence level to show: `high`, `medium`, `low` (default: `medium`)
-- `--include-low` — Shortcut for `--confidence low`
-- `--verbose` — Show detailed info for each dead symbol (file, line, kind, reason)
-- `--stats` — Show summary statistics
-- `--include-tests` — Include test files in analysis (excluded by default)
-- `--json` — Output as JSON for CI/automation
+---
-**Confidence Levels:**
-- 🔴 **High confidence (definitely dead)**: Not exported with zero references, or exported but never used
-- 🟡 **Medium confidence (probably dead)**: Exported from barrel files with zero dependents, or only used in test files
-- ⚪ **Low confidence (might be dead)**: Exported from package entry points, types with zero dependents, or in dynamic-use directories (routes, middleware, etc.)
+## Architecture health score
-**Examples:**
 ```bash
-# Analyze dead code (default: medium confidence and above)
-depwire dead-code
-# Show only high-confidence dead code
-depwire dead-code --confidence high
-# Show all potential dead code (including low confidence)
-depwire dead-code --confidence low
-# Or use shortcut
-depwire dead-code --include-low
-# Detailed analysis with reasons and statistics
-depwire dead-code --verbose --stats
-# Include test files in analysis (excluded by default)
-depwire dead-code --include-tests
-# JSON output for CI/automation
-depwire dead-code --json
+depwire health .
 ```
-**Automatic Exclusions:**
-The dead code detector automatically excludes:
-- Entry point files (index.ts, main.ts, server.ts, etc.)
-- Test files (*.test.*, *.spec.*, __tests__/)
-- Config files (*.config.*)
-- Type declarations (*.d.ts)
-- Framework auto-loaded directories (pages/, routes/, middleware/, commands/)
+    Overall: 68/100 (Grade: D)
+    Coupling              70   C
+    Cohesion              80   B
+    Circular Dependencies 100  A
+    God Files             40   F
+    Orphans & Dead Code   20   F
+    Dependency Depth      60   D
-### `depwire temporal [directory]`
+6 dimensions. Letter grades. Actionable recommendations. Trend tracking across runs.
-Visualize how the dependency graph evolved over git history.
+---
-**Directory argument is optional** — Auto-detects project root.
+## SDK
-**Options:**
-- `--commits <number>` — Number of commits to sample (default: 20)
-- `--strategy <type>` — Sampling strategy: `even` (every Nth), `weekly`, `monthly` (default: `even`)
-- `-p, --port <number>` — Server port (default: 3334)
-- `--output <path>` — Save snapshots to custom path (default: `.depwire/temporal/`)
-- `--verbose` — Show progress for each commit being parsed
-- `--stats` — Show summary statistics at end
+Depwire exposes a stable public API for programmatic use and CI pipelines:
-**Examples:**
 ```bash
-# Auto-detect and analyze 20 commits
-depwire temporal
-# Sample 50 commits with monthly snapshots
-depwire temporal --commits 50 --strategy monthly
-# Verbose mode with stats
-depwire temporal --verbose --stats
-# Custom output directory
-depwire temporal --output ./temp-snapshots
+npm install depwire-cli
 ```
-**Output:**
-- Interactive browser visualization at `http://127.0.0.1:3334`
-- Timeline slider to scrub through git history
-- Arc diagram morphing between snapshots
-- Growth statistics showing files/symbols/edges evolution
-- Auto-zoom to fit full diagram on each snapshot change
-Snapshots are cached in `.depwire/temporal/` for fast re-rendering.
-### `depwire whatif [directory]`
-Simulate architectural changes before touching code.
-**Directory argument is optional** — Auto-detects project root.
-**Options:**
-- `--simulate <action>` — Action to simulate: `move`, `delete`, `rename`, `split`, `merge`
-- `--target <file>` — File to apply the action to
-- `--destination <file>` — Destination path (for move action)
-- `--new-name <name>` — New name (for rename action)
-- `--source <file>` — Source file (for merge action)
-- `--new-file <file>` — New file path (for split action)
-- `--symbols <symbols>` — Comma-separated symbol names (for split action)
-**Examples:**
-```bash
-# What breaks if I delete this file?
-depwire whatif --simulate delete --target src/auth/service.ts
-# What happens if I move this module?
-depwire whatif --simulate move --target src/utils.ts --destination src/core/utils.ts
-# Rename a file
-depwire whatif --simulate rename --target src/router.ts --new-name routes.ts
-# Split symbols into a new file
-depwire whatif --simulate split --target src/utils.ts --new-file src/helpers.ts --symbols "formatDate,parseUrl"
-# Merge two files
-depwire whatif --simulate merge --target src/auth.ts --source src/login.ts
+```typescript
+import {
+  parseProject,
+  buildGraph,
+  calculateHealthScore,
+  analyzeDeadCode,
+  generateDocs,
+  scanSecurity,
+  SimulationEngine,
+  detectCrossLanguageEdges,
+  searchSymbols,
+  getImpact,
+  getArchitectureSummary,
+  DepwireSDKVersion
+} from 'depwire-cli/sdk';
 ```
-**Output:**
-- Health score delta (before/after with improvement indicator)
-- Broken imports with file and symbol details
-- Affected nodes count
-- Circular dependencies introduced or resolved
-- Added and removed edge counts
-### Error Handling
+The SDK is the stable public API surface. All integrations should import from `depwire-cli/sdk` — never from internal paths.
-Depwire gracefully handles parse errors:
-- **Malformed files** — Skipped with warning, parsing continues
-- **Large files** — Files over 1MB are automatically skipped
-- **Port collisions** — Auto-increments to next available port (3456 → 3457 → 3458...)
-- **Protected paths** — Blocks access to sensitive directories (.ssh, .aws, /etc)
+---
+## Why Depwire
-## Example Workflows
+| | Depwire | RAG-based tools | LLM scanning |
+|--|---------|-----------------|--------------|
+| Approach | Deterministic graph | Probabilistic match | Brute force |
+| Accuracy | 100% — tree-sitter AST | ~70% — embedding match | Varies |
+| Refactor safety | Full call chain tracing | Misses indirect refs | Blind edits |
+| Token cost | Ultra-low — surgical reads | High — context stuffing | Extreme |
+| Cross-language | REST + subprocess edges | None | None |
+| Security scanner | Graph-aware severity | None | None |
+| What If simulation | Before touching code | None | None |
+| Runs locally | Always | Varies | Never |
-### Refactoring with AI
+---
-![Claude Desktop with Depwire MCP](./assets/claude.gif)
+## Language support
-```
-# In Claude Desktop or Cursor with Depwire MCP:
+TypeScript, JavaScript, Python, Go, Rust, C — with cross-language edge detection between all supported languages.
-"Analyze the impact of renaming UserService to UserRepository"
+C# / .NET support coming in v1.1.
-# Depwire responds with:
-# - All files that import UserService
-# - All call sites
-# - All type references
-# - Suggested find-and-replace strategy
-```
+---
-### Understanding a New Codebase
+## Cloud dashboard
-```
-"Show me the architecture summary"
+[app.depwire.dev](https://app.depwire.dev) — full dependency graph, health score, dead code report, and AI codebase chat in the browser. No local setup required.
-# Depwire responds with:
-# - Language breakdown
-# - Module/package structure
-# - Most-connected files (architectural hubs)
-# - Entry points
-```
+- Free for public repos
+- Pro ($19/month) — unlimited repos, private repo support, AI codebase chat
-### Pre-Commit Impact Check
+---
-```bash
-# Check what your changes affect before committing
-depwire viz
-# Review the arc diagram — red arcs show files you touched
-```
-## Security
-Depwire is **read-only** — it never writes to, modifies, or executes your code.
+## Roadmap
-- Parses source files with tree-sitter (the same parser used by VS Code and Zed)
+**Shipped**
+- Arc diagram visualization
+- 17 MCP tools
+- Multi-language support (TypeScript, JavaScript, Python, Go, Rust, C)
+- Architecture health score
+- Dead code detection
+- Temporal graph
+- What If simulation — CLI + browser UI
+- Security scanner — graph-aware severity elevation
+- Cross-language edge detection — REST API + subprocess
+- Public SDK — `depwire-cli/sdk`
+- Cloud dashboard — app.depwire.dev
+- PR Impact GitHub Action
+**Coming next**
+- C# / .NET language support
+- AI-suggested refactors
+- VSCode extension
+- Natural language architecture queries
+---
+## Security posture
+Depwire is read-only. It never writes to, modifies, or executes your code.
+- Parses with tree-sitter — the same parser used by VS Code and Zed
 - Visualization server binds to localhost only
-- No data leaves your machine — everything runs locally
-- Blocks access to sensitive system directories (.ssh, .aws, /etc)
+- No data leaves your machine
+- Blocks access to sensitive system directories
 - npm packages published with provenance verification
 See [SECURITY.md](SECURITY.md) for full details.
-## Roadmap
-### ✅ Shipped
-- [x] Arc diagram visualization
-- [x] MCP server (17 tools)
-- [x] Multi-language support (TypeScript, JavaScript, Python, Go, Rust, C)
-- [x] File watching + live refresh
-- [x] Auto-generated documentation (13 documents)
-- [x] Dependency health score (0-100)
-- [x] Dead code detection with confidence scoring
-- [x] Temporal graph — watch your architecture evolve over git history
-- [x] PR Impact GitHub Action (depwire-action v1.0.0)
-- [x] Auto-detect project root (no path needed)
-- [x] WASM migration (Windows support)
-- [x] Cloud dashboard — [app.depwire.dev](https://app.depwire.dev)
-- [x] What If simulation — simulate refactors before touching code
-- [x] Security scanner — deterministic vulnerability detection with graph-aware severity
-### Coming Next
-- [ ] New language support (Java, C++, Ruby — community requested)
-- [ ] Cross-language edge detection (API routes ↔ frontend calls)
-- [ ] AI-suggested refactors
-- [ ] Natural language architecture queries
-- [ ] VSCode extension
-## Cloud Dashboard
-Prefer a browser interface? [app.depwire.dev](https://app.depwire.dev) gives you the full dependency graph, health score, dead code report, and AI codebase chat — without any local setup. Free tier available.
-- **Free** for public repos
-- **Pro** ($19/month) — unlimited repos + private repo support
+---
 ## Contributing
-Contributions welcome! Please note:
 1. Fork the repository
 2. Create a feature branch
 3. Add tests for new functionality
 4. Submit a pull request
 5. Sign the CLA (handled automatically on your first PR)
-All contributors must sign the Contributor License Agreement before their PR can be merged.
+---
 ## Author
 **Atef Ataya** — AI architect, author, and creator of Depwire.
-- 🎥 [YouTube](https://www.youtube.com/@atefataya) — 600K+ subscribers covering AI agents, MCP, and LLMs
-- 📖 [The Architect's Playbook: 5 Pillars](https://www.amazon.com/dp/B0GCHNW2W8) — Best practices for AI agent architecture
-- 💼 [LinkedIn](https://www.linkedin.com/in/atefataya/)
+- [YouTube](https://www.youtube.com/@atefataya) — 600K+ subscribers covering AI agents, MCP, and LLMs
+- [The Architect's Playbook: 5 Pillars](https://www.amazon.com/dp/B0GCHNW2W8)
+- [LinkedIn](https://www.linkedin.com/in/atefataya/)
-## License
+---
-Depwire is licensed under the [Business Source License 1.1](LICENSE).
-- **Use it freely** for personal projects, internal company use, and development
-- **Cannot** be offered as a hosted/managed service to third parties
-- **Converts** to Apache 2.0 on February 25, 2029
+## License
-For commercial licensing inquiries: atef@depwire.dev
+[Business Source License 1.1](LICENSE) — free for personal and internal company use. Converts to Apache 2.0 on February 25, 2029.
-## Credits
+Commercial licensing: atef@depwire.dev
-Built by [ATEF ATAYA LLC](https://depwire.dev)
+---
-Powered by:
-- [tree-sitter](https://tree-sitter.github.io/tree-sitter/) — Fast, reliable parsing
-- [graphology](https://graphology.github.io/) — Powerful graph data structure
-- [D3.js](https://d3js.org/) — Data visualization
-- [Model Context Protocol](https://modelcontextprotocol.io/) — AI tool integration
+Built with [tree-sitter](https://tree-sitter.github.io/tree-sitter/), [graphology](https://graphology.github.io/), [D3.js](https://d3js.org/), and the [Model Context Protocol](https://modelcontextprotocol.io/).

package/dist/{chunk-VJLBOFCD.js → chunk-FUIZQCYB.js} RENAMED Viewed

@@ -16,7 +16,7 @@ import {
   parseTypeScriptFile,
   scanSecurity,
   searchSymbols
-} from "./chunk-ITEGMPF7.js";
+} from "./chunk-WUSXCZXA.js";
 // src/viz/data.ts
 import { basename } from "path";

package/dist/{chunk-ITEGMPF7.js → chunk-WUSXCZXA.js} RENAMED Viewed

@@ -1,5 +1,5 @@
 // src/utils/files.ts
-import { readdirSync, statSync, existsSync, lstatSync } from "fs";
+import { readdirSync, statSync, existsSync, lstatSync, realpathSync } from "fs";
 import { join, relative } from "path";
 import os from "os";
 function scanDirectory(rootDir, baseDir = rootDir) {
@@ -50,6 +50,7 @@ function fileExists(filePath) {
   }
 }
 function findProjectRoot(startDir = process.cwd()) {
+  startDir = realpathSync(startDir);
   const projectMarkers = [
     "package.json",
     // Node.js
@@ -79,9 +80,6 @@ function findProjectRoot(startDir = process.cwd()) {
   let depth = 0;
   const home = os.homedir();
   while (currentDir !== rootDir && depth < maxDepth) {
-    if (currentDir === home || !currentDir.startsWith(home)) {
-      break;
-    }
     const dirName = currentDir.split("/").pop();
     if (dirName && blocklist.includes(dirName)) {
       console.warn(`\u26A0\uFE0F  Skipping blocked directory: ${dirName}`);

package/dist/index.js CHANGED Viewed

@@ -17,7 +17,7 @@ import {
   stashChanges,
   updateFileInGraph,
   watchProject
-} from "./chunk-VJLBOFCD.js";
+} from "./chunk-FUIZQCYB.js";
 import {
   SimulationEngine,
   analyzeDeadCode,
@@ -31,7 +31,7 @@ import {
   parseProject,
   scanSecurity,
   searchSymbols
-} from "./chunk-ITEGMPF7.js";
+} from "./chunk-WUSXCZXA.js";
 // src/index.ts
 import { Command } from "commander";

package/dist/mcpb-entry.js CHANGED Viewed

@@ -4,11 +4,11 @@ import {
   startMcpServer,
   updateFileInGraph,
   watchProject
-} from "./chunk-VJLBOFCD.js";
+} from "./chunk-FUIZQCYB.js";
 import {
   buildGraph,
   parseProject
-} from "./chunk-ITEGMPF7.js";
+} from "./chunk-WUSXCZXA.js";
 // src/mcpb-entry.ts
 import { resolve } from "path";

package/dist/sdk.js CHANGED Viewed

@@ -10,7 +10,7 @@ import {
   parseProject,
   scanSecurity,
   searchSymbols
-} from "./chunk-ITEGMPF7.js";
+} from "./chunk-WUSXCZXA.js";
 // src/sdk.ts
 import { readFileSync } from "fs";

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "depwire-cli",
-  "version": "0.9.28",
+  "version": "0.9.30",
   "description": "Dependency graph + 17 MCP tools for AI coding assistants. Impact analysis, health scoring, security scanner.",
   "type": "module",
   "bin": {