README
¶
codeiq
Deterministic code-knowledge-graph CLI + stdio MCP server
Map a polyglot codebase into a queryable graph. 100 detectors. 35+ languages. Zero AI in the pipeline.
Note on SonarQube: codeiq deliberately uses an in-house OSS-CLI security stack (CodeQL, Semgrep, OSV-Scanner, Trivy, Gitleaks, jscpd, govulncheck) instead of Sonar — see
docs/07-integrations.md & security.yml.
Table of contents
- Why codeiq
- How it works
- Install
- Quickstart
- MCP integration
- CLI cheatsheet
- Architecture at a glance
- Verification
- Documentation
- Project status
- Contributing
- License
Why codeiq
DeterministicSame input → same output, byte-for-byte. Detector emissions are confidence-tagged ( |
Agent-readyStdio MCP server with 10 read-only tools wired for Claude Code / Cursor / Cline. Mode-driven surface ( |
Supply-chain hardenedGoreleaser + Cosign keyless via GitHub OIDC + Sigstore Rekor transparency log + Syft SPDX SBOMs + SLSA build provenance attestation + OpenSSF Scorecard + 6 OSS-CLI security scanners in CI. |
Polyglot100 detectors across 35+ languages: Java, Kotlin, Scala, Python, TypeScript, JavaScript, Go, Rust, C#, C++, plus IaC (Terraform, Bicep, Helm, Kubernetes, Docker, CloudFormation), config (YAML/JSON/TOML/INI), SQL, protobuf, shell, and more. |
No AI in the pipelineIndex + enrich + every MCP query is pure static analysis. The only LLM touch is the opt-in |
Single static binary~25 MB. CGO embeds Kuzu (graph) + SQLite (cache) + tree-sitter (parser). No daemons. No external services. Works behind corporate firewalls / air-gapped after the initial install. |
How it works
source ┌─────────────┐
tree ─► index ──────► ┌──────────┐ ──► enrich ──────► │ Kuzu │
FileDiscovery │ SQLite │ linkers + │ graph │
tree-sitter │ cache │ layer classify │ (FTS-idx) │
100 detectors │ │ intelligence │ │
dedup + sort └──────────┘ ServiceDetector └──────┬──────┘
bulk COPY → Kuzu │
▼
┌───────────────────────────────────────────────┐
│ Read-only consumers (all powered by Kuzu): │
│ stats, find, query, cypher, flow, graph, │
│ topology, review (+ Ollama LLM) │
│ mcp (stdio JSON-RPC, 10 tools) │
└───────────────────────────────────────────────┘
Three commands cover the lifecycle:
| Step | Command | What lands |
|---|---|---|
| 1. Index | codeiq index <path> |
<path>/.codeiq/cache/codeiq.sqlite (content-hash keyed; resumable) |
| 2. Enrich | codeiq enrich <path> |
<path>/.codeiq/graph/codeiq.kuzu/ + BM25 FTS indexes |
| 3. Query | codeiq mcp | stats | find | query | cypher | ... |
Read-only consumers of the Kuzu store |
See docs/04-main-flows.md for per-flow entry points + failure modes.
Install
Pre-built binary (Linux amd64 / arm64, macOS arm64)
# Pick your platform; replace if needed
curl -L https://github.com/RandomCodeSpace/codeiq/releases/latest/download/codeiq_$(uname -s | tr A-Z a-z)_$(uname -m | sed s/x86_64/amd64/).tar.gz | tar xz
sudo install codeiq /usr/local/bin/
codeiq --version
go install
CGO_ENABLED=1 go install github.com/randomcodespace/codeiq/cmd/codeiq@latest
Requires Go 1.25.0+ and a C/C++ toolchain (Kuzu, SQLite, and tree-sitter all need CGO).
Build from source
git clone https://github.com/RandomCodeSpace/codeiq.git
cd codeiq
CGO_ENABLED=1 go build -o /usr/local/bin/codeiq ./cmd/codeiq
codeiq --version
Full setup checklist in docs/01-local-setup.md.
Quickstart
# 1. Scan files → SQLite cache
codeiq index /path/to/repo
# 2. Load cache → Kuzu graph + FTS indexes
codeiq enrich /path/to/repo
# 3. Ask questions
codeiq stats /path/to/repo
codeiq find endpoints /path/to/repo
codeiq query consumers <node-id> /path/to/repo
codeiq topology /path/to/repo
codeiq flow overview /path/to/repo --format mermaid
# 4. Wire into your AI agent (Claude Code / Cursor / Cline)
codeiq mcp /path/to/repo
# 5. Get an LLM-driven PR review (local Ollama by default)
codeiq review /path/to/repo --base origin/main --head HEAD
MCP integration
Add to your MCP client config (.mcp.json at the repo root, or your editor's MCP settings):
{
"mcpServers": {
"codeiq": {
"command": "codeiq",
"args": ["mcp", "/path/to/repo"]
}
}
}
Ten user-facing tools
| Tool | Modes |
|---|---|
graph_summary |
overview / categories / capabilities / provenance |
find_in_graph |
nodes / edges / text / fuzzy / by_file / by_endpoint |
inspect_node |
neighbors / ego / evidence / source |
trace_relationships |
callers / consumers / producers / dependencies / dependents / shortest_path |
analyze_impact |
blast_radius / trace / cycles / circular_deps / dead_code / dead_services / bottlenecks |
topology_view |
summary / service / service_deps / service_dependents / flow |
run_cypher |
Read-only Cypher escape hatch; mutation gate enforced |
read_file |
Path-sandboxed source reader (full file or line range) |
generate_flow |
Architecture flow diagrams (mermaid / dot / yaml) — 5 views |
review_changes |
LLM-driven git-diff review against the graph (Ollama) |
CLI cheatsheet
Click to expand
| Command | Purpose |
|---|---|
index [path] |
Scan files → SQLite analysis cache |
enrich [path] |
Load cache → Kuzu graph + build FTS indexes |
mcp [path] |
Stdio MCP server for Claude Code / Cursor |
stats [path] |
Categorized statistics (graph / languages / frameworks / infra / connections / auth / architecture) |
query <kind> <id> [path] |
consumers / producers / callers / dependencies / dependents |
find <preset> [path] |
endpoints / guards / entities / topics / queues / services / databases / components |
cypher <query> [path] |
Read-only Cypher against Kuzu |
flow <view> [path] |
Architecture diagrams — overview / ci / deploy / runtime / auth |
graph [path] |
Export full graph as json / yaml / mermaid / dot |
topology <sub> [path] |
Service topology + service-detail / blast-radius / bottlenecks / circular / dead / path |
review [path] |
LLM-driven PR review (Ollama local by default; cloud via OLLAMA_API_KEY) |
cache <action> |
Inspect / list / inspect-row / clear the SQLite cache |
plugins <action> |
List + inspect registered detectors |
version |
Build info (version, commit, date, Go toolchain, platform, features) |
Run codeiq <cmd> --help for full flag listings. Full reference in docs/05-configuration.md.
Architecture at a glance
codeiq/
├── cmd/codeiq/main.go ── 5-line entry shim
├── internal/
│ ├── analyzer/ ── index + enrich pipelines + GraphBuilder + ServiceDetector
│ ├── cache/ ── SQLite cache (WAL, content-hash keyed, 5 tables)
│ ├── cli/ ── cobra subcommands + detectors_register.go (choke point)
│ ├── detector/ ── 100 detectors organized by family
│ │ ├── jvm/{java,kotlin,scala}/ python/ typescript/ golang/
│ │ ├── frontend/ csharp/ systems/{cpp,rust}/ iac/ structured/
│ │ ├── auth/ proto/ sql/ markup/ script/shell/ generic/
│ │ └── base/ ── shared helpers (NOT detectors)
│ ├── flow/ ── architecture-flow diagram engine
│ ├── graph/ ── Kuzu facade + FTS + mutation gate
│ ├── intelligence/ ── Lexical enricher + per-language extractors
│ ├── mcp/ ── 10 MCP tools (stdio JSON-RPC)
│ ├── model/ ── CodeNode / CodeEdge / NodeKind (34) / EdgeKind (28) / Confidence / Layer
│ ├── parser/ ── tree-sitter + structured parsers
│ ├── query/ ── service / topology / stats / dead-code Cypher templates
│ └── review/ ── PR-review pipeline (diff + Ollama)
├── parity/ ── parity harness (build tag `parity`)
├── testdata/ ── fixture-minimal + fixture-multi-lang
├── .github/workflows/ ── go-ci, perf-gate, release-go, release-darwin, security, scorecard
└── .goreleaser.yml ── Goreleaser v2 (CGO multi-arch + Cosign + Syft)
Deep dive in docs/02-architecture.md and docs/03-code-map.md.
Verification (supply chain)
Every release artifact is keyless-signed via Cosign + GitHub OIDC and recorded in the Sigstore Rekor transparency log. SLSA build provenance attestations land in GitHub's attestations store.
Verify the checksum manifest signature
cosign verify-blob \
--bundle checksums.sha256.cosign.bundle \
--certificate-identity-regexp 'https://github.com/RandomCodeSpace/codeiq/.github/workflows/release-go.yml@.*' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
checksums.sha256
Verify the darwin tarball (signed separately)
cosign verify-blob \
--bundle codeiq_0.4.1_darwin_arm64.tar.gz.cosign.bundle \
--certificate-identity-regexp 'https://github.com/RandomCodeSpace/codeiq/.github/workflows/release-darwin.yml@.*' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
codeiq_0.4.1_darwin_arm64.tar.gz
Verify the SLSA build provenance
gh attestation verify codeiq_0.4.1_linux_amd64.tar.gz --owner RandomCodeSpace
Documentation
| Starter pack | Reference | Operate |
|---|---|---|
|
Testing |
Architectural decisions: docs/adr/. Repo-specific Claude Code instructions: CLAUDE.md.
Project status
| Surface | State |
|---|---|
CLI core (index / enrich / stats / find / query / cypher) |
Production |
| MCP stdio server (10 tools) | Production |
| Kuzu 0.11.3 + native FTS (BM25) | Production |
| Goreleaser pipeline + Cosign keyless | Production |
| 884+ tests passing (race + vet + staticcheck + gosec + govulncheck on every PR) | Production |
codeiq review (LLM PR review) |
Beta — works end-to-end against local Ollama |
parity/ harness |
Idle (Java→Go port artifact; build-tag gated) |
Currently on v0.4.1. Release history was reset at v0.4.0 — see docs/00-project-overview.md for context.
Contributing
- Branch off
main. Conventional-commit subjects (feat:,fix:,chore:,refactor:,test:,docs:,perf:). - One logical change per commit. Squash-merge only.
- Tests + race + vet must pass.
CGO_ENABLED=1 go test ./... -race -count=1. - Determinism is non-negotiable. Every new detector ships positive / negative / determinism tests.
- Read-only MCP. Tool calls never mutate the graph. Index/enrich happen via the CLI.
- New detector? Don't forget to blank-import it in
internal/cli/detectors_register.go— seeCLAUDE.mdfor the full how-to.
Security: please report privately via GitHub Security Advisories.
License
Copyright © codeiq contributors. See LICENSE.
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
codeiq
command
Binary codeiq is the codeiq CLI entry point.
|
Binary codeiq is the codeiq CLI entry point. |
|
extcheck
command
|
|
|
go
module
|
|
|
internal
|
|
|
analyzer/linker
Package linker contains cross-file enrichers that run after detectors during `codeiq enrich`.
|
Package linker contains cross-file enrichers that run after detectors during `codeiq enrich`. |
|
buildinfo
Package buildinfo exposes version/commit/date/dirty strings that the release pipeline injects via -ldflags -X. When ldflags are not set, an init() fallback reads `runtime/debug.BuildInfo` so `go install ...@v0.3.0` and local `go build` from a git checkout still produce a binary that reports its origin.
|
Package buildinfo exposes version/commit/date/dirty strings that the release pipeline injects via -ldflags -X. When ldflags are not set, an init() fallback reads `runtime/debug.BuildInfo` so `go install ...@v0.3.0` and local `go build` from a git checkout still produce a binary that reports its origin. |
|
cli
Package cli wires Cobra commands.
|
Package cli wires Cobra commands. |
|
detector/auth
Package auth holds cross-cutting authentication-related detectors.
|
Package auth holds cross-cutting authentication-related detectors. |
|
detector/base
Package base frontend.go provides shared helpers for frontend component detectors (Angular, React, Vue).
|
Package base frontend.go provides shared helpers for frontend component detectors (Angular, React, Vue). |
|
detector/csharp
Package csharp holds C#/.NET detectors.
|
Package csharp holds C#/.NET detectors. |
|
detector/golang
Package golang holds Go-language detectors.
|
Package golang holds Go-language detectors. |
|
detector/iac
Package iac holds Infrastructure-as-Code detectors (Terraform, Bicep, Dockerfile, ...).
|
Package iac holds Infrastructure-as-Code detectors (Terraform, Bicep, Dockerfile, ...). |
|
detector/jvm/jvmhelpers
Package jvmhelpers mirrors src/main/java/.../detector/StructuresDetectorHelper.java + AbstractJavaMessagingDetector helpers for JVM-family Go detectors.
|
Package jvmhelpers mirrors src/main/java/.../detector/StructuresDetectorHelper.java + AbstractJavaMessagingDetector helpers for JVM-family Go detectors. |
|
detector/markup
Package markup holds Markdown / other markup-language detectors.
|
Package markup holds Markdown / other markup-language detectors. |
|
detector/proto
Package proto holds Protocol Buffer detectors.
|
Package proto holds Protocol Buffer detectors. |
|
detector/script/shell
Package shell holds Bash and PowerShell detectors.
|
Package shell holds Bash and PowerShell detectors. |
|
detector/sql
Package sql holds raw-SQL and migration-file detectors.
|
Package sql holds raw-SQL and migration-file detectors. |
|
detector/systems/cpp
Package cpp holds C/C++ detectors.
|
Package cpp holds C/C++ detectors. |
|
detector/systems/rust
Package rust holds Rust-language detectors.
|
Package rust holds Rust-language detectors. |
|
detector/typescript
Package typescript ports the Java TypeScript detectors.
|
Package typescript ports the Java TypeScript detectors. |
|
flow
Package flow generates architecture flow diagrams from the codeiq graph.
|
Package flow generates architecture flow diagrams from the codeiq graph. |
|
graph
Package graph is the Go port's facade over Kuzu Embedded.
|
Package graph is the Go port's facade over Kuzu Embedded. |
|
intelligence/evidence
Package evidence ports the runtime-facing evidence pack and assembler from src/main/java/.../intelligence/evidence/.
|
Package evidence ports the runtime-facing evidence pack and assembler from src/main/java/.../intelligence/evidence/. |
|
intelligence/extractor
Package extractor defines the LanguageExtractor interface and the Enricher orchestrator that drives per-language extractors over a node list.
|
Package extractor defines the LanguageExtractor interface and the Enricher orchestrator that drives per-language extractors over a node list. |
|
intelligence/extractor/golang
Package golang implements the Go language extractor.
|
Package golang implements the Go language extractor. |
|
intelligence/extractor/java
Package java implements the Java language extractor.
|
Package java implements the Java language extractor. |
|
intelligence/extractor/python
Package python implements the Python language extractor.
|
Package python implements the Python language extractor. |
|
intelligence/extractor/typescript
Package typescript implements the TypeScript language extractor.
|
Package typescript implements the TypeScript language extractor. |
|
intelligence/lexical
Package lexical extracts doc comments and bounded source snippets from already-discovered files, populating CodeNode properties used by the lexical intelligence layer.
|
Package lexical extracts doc comments and bounded source snippets from already-discovered files, populating CodeNode properties used by the lexical intelligence layer. |
|
intelligence/query
Package query implements the intelligence-layer query planner.
|
Package query implements the intelligence-layer query planner. |
|
mcp
Package mcp implements the codeiq stdio MCP server.
|
Package mcp implements the codeiq stdio MCP server. |
|
query
Package query implements the codeiq Go port's query-side services.
|
Package query implements the codeiq Go port's query-side services. |
|
review
Package review implements the MR-review pipeline: git diff → graph evidence → LLM review.
|
Package review implements the MR-review pipeline: git diff → graph evidence → LLM review. |
|
Package parity contains the cross-binary diff harness.
|
Package parity contains the cross-binary diff harness. |
|
cmd/parity-normalize
command
Binary parity-normalize reads a codeiq SQLite cache and writes a normalized JSON dump to stdout.
|
Binary parity-normalize reads a codeiq SQLite cache and writes a normalized JSON dump to stdout. |
Click to show internal directories.
Click to hide internal directories.