diff --git a/generated/competitive/COMPETITIVE_ANALYSIS.md b/generated/competitive/COMPETITIVE_ANALYSIS.md index a103df1a..3b03e1b9 100644 --- a/generated/competitive/COMPETITIVE_ANALYSIS.md +++ b/generated/competitive/COMPETITIVE_ANALYSIS.md @@ -1,7 +1,7 @@ # Competitive Analysis — Code Graph / Code Intelligence Tools -**Date:** 2026-02-25 -**Scope:** 137+ code analysis tools evaluated, 82+ ranked against `@optave/codegraph` +**Date:** 2026-03-21 (updated from 2026-02-25) +**Scope:** 140+ code analysis tools evaluated, 85+ ranked against `@optave/codegraph` --- 
@@ -13,41 +13,41 @@ Ranked by weighted score across 6 dimensions (each 1–5): | # | Score | Project | Stars | Lang | License | Summary | |---|-------|---------|-------|------|---------|---------| -| 1 | 4.5 | [joernio/joern](https://github.com/joernio/joern) | 2,956 | Scala | Apache-2.0 | Full CPG analysis platform for vulnerability discovery, Scala query DSL, multi-language, daily releases | -| 2 | 4.5 | [postrv/narsil-mcp](https://github.com/postrv/narsil-mcp) | 101 | Rust | Apache-2.0 | 90 MCP tools, 32 languages, taint analysis, SBOM, dead code, neural semantic search, single ~30MB binary | -| 3 | 4.5 | [vitali87/code-graph-rag](https://github.com/vitali87/code-graph-rag) | 1,916 | Python | MIT | Graph RAG with Memgraph, multi-provider AI, code editing, semantic search, MCP | -| 4 | 4.2 | [Fraunhofer-AISEC/cpg](https://github.com/Fraunhofer-AISEC/cpg) | 411 | Kotlin | Apache-2.0 | CPG library for 8+ languages with MCP module, Neo4j visualization, formal specs, LLVM IR support | -| 5 | 4.2 | [seatedro/glimpse](https://github.com/seatedro/glimpse) | 349 | Rust | MIT | Clipboard-first codebase-to-LLM tool with call graphs, token counting, LSP resolution | -| 6 | 4.0 | [SimplyLiz/CodeMCP (CKB)](https://github.com/SimplyLiz/CodeMCP) | 59 | Go | Custom | SCIP-based indexing, compound operations (83% token savings), CODEOWNERS, secret scanning | -| 7 | 4.0 | [abhigyanpatwari/GitNexus](https://github.com/abhigyanpatwari/GitNexus) | — | TS/JS | PolyForm NC | Knowledge graph with precomputed structural intelligence, 7 MCP tools, hybrid BM25+semantic search, clustering, process tracing, KuzuDB. 
**Non-commercial only** | -| **8** | **4.0** | **[@optave/codegraph](https://github.com/optave/codegraph)** | — | **JS/Rust** | **Apache-2.0** | **Sub-second incremental rebuilds, dual engine (native Rust + WASM), 11 languages, 18-tool MCP, qualified call resolution, `context`/`explain`/`where` AI-optimized commands, structure/hotspot analysis, node role classification (entry/core/utility/adapter/dead/leaf), dead code detection, zero-cost core + optional LLM enhancement** | -| 9 | 3.9 | [harshkedia177/axon](https://github.com/harshkedia177/axon) | 421 | Python | MIT | 11-phase pipeline, KuzuDB, Leiden community detection, dead code, change coupling, 7 MCP tools | -| 10 | 3.8 | [anrgct/autodev-codebase](https://github.com/anrgct/autodev-codebase) | 111 | TypeScript | None | 40+ languages, 7 embedding providers, Cytoscape.js visualization, LLM reranking | -| 11 | 3.8 | [ShiftLeftSecurity/codepropertygraph](https://github.com/ShiftLeftSecurity/codepropertygraph) | 564 | Scala | Apache-2.0 | CPG specification + Tinkergraph library, Scala query DSL, protobuf serialization (Joern foundation) | -| 12 | 3.8 | [Jakedismo/codegraph-rust](https://github.com/Jakedismo/codegraph-rust) | 142 | Rust | None | 100% Rust GraphRAG, SurrealDB, LSP-powered dataflow analysis, architecture boundary enforcement | -| 13 | 3.7 | [Anandb71/arbor](https://github.com/Anandb71/arbor) | 85 | Rust | MIT | Native GUI, confidence scoring, architectural role classification, fuzzy search, MCP | +| 1 | 4.5 | [abhigyanpatwari/GitNexus](https://github.com/abhigyanpatwari/GitNexus) | 18,453 | TS/JS | PolyForm NC | Zero-server knowledge graph engine with Graph RAG Agent, CLI + MCP + Web UI, tree-sitter native + WASM, LadybugDB (custom graph DB), multi-editor support (Claude Code hooks, Cursor, Codex, Windsurf, OpenCode), auto-generated AGENTS.md/CLAUDE.md. **Non-commercial license. 
Viral growth (18k stars in ~8 months)** | +| 2 | 4.5 | [joernio/joern](https://github.com/joernio/joern) | 3,021 | Scala | Apache-2.0 | Full CPG analysis platform for vulnerability discovery, Scala query DSL, multi-language, daily releases (v4.0.508), 75 contributors | +| 3 | 4.5 | [postrv/narsil-mcp](https://github.com/postrv/narsil-mcp) | 129 | Rust | Apache-2.0 | 90 MCP tools, 32 languages, taint analysis, SBOM, dead code, neural semantic search, single ~30MB binary, SPA web frontend (added v1.6.0, current v1.6.1) | +| **4** | **4.5** | **[@optave/codegraph](https://github.com/optave/codegraph)** | **32** | **JS/Rust** | **Apache-2.0** | **Sub-second incremental rebuilds (3-tier change detection), dual engine (native Rust + WASM), 11 languages, 32-tool MCP, 41 CLI commands, qualified call resolution with receiver type tracking, `context`/`audit`/`where` AI-optimized commands, dataflow + CFG + stored AST across all languages, sequence diagrams, structure/hotspot analysis, node role classification, dead code/export detection, architecture boundary enforcement, unified graph model with qualified names/scope/visibility, zero-cost core + optional LLM enhancement** | +| 5 | 4.3 | [DeusData/codebase-memory-mcp](https://github.com/DeusData/codebase-memory-mcp) | 793 | C | MIT | Single static C binary, 64 languages (tree-sitter), 14 MCP tools, Cypher-like query language, persistent SQLite knowledge graph, 10-agent auto-installer, 3D graph visualization, HTTP route analysis. 
**25 days old — fastest-growing new entrant** | +| 6 | 4.2 | [vitali87/code-graph-rag](https://github.com/vitali87/code-graph-rag) | 2,168 | Python | MIT | Graph RAG with Memgraph, multi-provider AI, code editing, semantic search, MCP server (added 2026) | +| 7 | 4.2 | [Fraunhofer-AISEC/cpg](https://github.com/Fraunhofer-AISEC/cpg) | 424 | Kotlin | Apache-2.0 | CPG library for 8+ languages with MCP module, Neo4j visualization, formal specs, LLVM IR support | +| 8 | 4.2 | [Anandb71/arbor](https://github.com/Anandb71/arbor) | 85 | Rust | MIT | Native GUI, confidence scoring, architectural role classification, fuzzy search, MCP | +| 9 | 4.0 | [SimplyLiz/CodeMCP (CKB)](https://github.com/SimplyLiz/CodeMCP) | 77 | Go | Custom | SCIP-based indexing, compound operations (83% token savings), CODEOWNERS, secret scanning, impact analysis, architecture mapping (v8.1.0) | +| 10 | 3.8 | [harshkedia177/axon](https://github.com/harshkedia177/axon) | 577 | Python | MIT | 11-phase pipeline, KuzuDB, Leiden community detection, dead code, change coupling, MCP + CLI, hit v1.0 milestone | +| 11 | 3.8 | [seatedro/glimpse](https://github.com/seatedro/glimpse) | 349 | Rust | MIT | Clipboard-first codebase-to-LLM tool with call graphs, token counting, LSP resolution. 
**Stagnant since Jan 2026** | +| 12 | 3.8 | [ShiftLeftSecurity/codepropertygraph](https://github.com/ShiftLeftSecurity/codepropertygraph) | 564 | Scala | Apache-2.0 | CPG specification + Tinkergraph library, Scala query DSL, protobuf serialization (Joern foundation) | +| 13 | 3.8 | [Jakedismo/codegraph-rust](https://github.com/Jakedismo/codegraph-rust) | 142 | Rust | None | 100% Rust GraphRAG, SurrealDB, LSP-powered dataflow analysis, architecture boundary enforcement | | 14 | 3.7 | [JudiniLabs/mcp-code-graph](https://github.com/JudiniLabs/mcp-code-graph) | 380 | JavaScript | MIT | Cloud-hosted MCP server by CodeGPT, semantic search, dependency links (requires account) | -| 15 | 3.7 | [entrepeneur4lyf/code-graph-mcp](https://github.com/entrepeneur4lyf/code-graph-mcp) | 80 | Python | MIT | ast-grep for 25+ languages, complexity metrics, code smells, circular dependency detection | -| 16 | 3.7 | [cs-au-dk/jelly](https://github.com/cs-au-dk/jelly) | 417 | TypeScript | BSD-3 | Academic-grade JS/TS points-to analysis, call graphs, vulnerability exposure, 5 published papers | -| 17 | 3.5 | [er77/code-graph-rag-mcp](https://github.com/er77/code-graph-rag-mcp) | 89 | TypeScript | MIT | 26 MCP methods, 11 languages, tree-sitter, semantic search, hotspot analysis, clone detection | -| 18 | 3.5 | [MikeRecognex/mcp-codebase-index](https://github.com/MikeRecognex/mcp-codebase-index) | 25 | Python | AGPL-3.0 | 18 MCP tools, zero runtime deps, auto-incremental reindexing via git diff | -| 19 | 3.5 | [nahisaho/CodeGraphMCPServer](https://github.com/nahisaho/CodeGraphMCPServer) | 7 | Python | MIT | GraphRAG with Louvain community detection, 16 languages, 14 MCP tools, 334 tests | -| 20 | 3.5 | [colbymchenry/codegraph](https://github.com/colbymchenry/codegraph) | 165 | TypeScript | MIT | tree-sitter + SQLite + MCP, Claude Code token reduction benchmarks, npx installer | +| 15 | 3.7 | [entrepeneur4lyf/code-graph-mcp](https://github.com/entrepeneur4lyf/code-graph-mcp) | 83 | Python | 
MIT | ast-grep for 25+ languages, complexity metrics, code smells, circular dependency detection. **Stagnant since Jul 2025** | +| 16 | 3.7 | [cs-au-dk/jelly](https://github.com/cs-au-dk/jelly) | 423 | TypeScript | BSD-3 | Academic-grade JS/TS points-to analysis, call graphs, vulnerability exposure, 5 published papers | +| 17 | 3.7 | [colbymchenry/codegraph](https://github.com/colbymchenry/codegraph) | 308 | TypeScript | MIT | tree-sitter + SQLite + MCP, Claude Code token reduction benchmarks, npx installer. **Nearly doubled since Feb — naming competitor** | +| 18 | 3.5 | [er77/code-graph-rag-mcp](https://github.com/er77/code-graph-rag-mcp) | 89 | TypeScript | MIT | 26 MCP methods, 11 languages, tree-sitter, semantic search, hotspot analysis, clone detection | +| 19 | 3.5 | [MikeRecognex/mcp-codebase-index](https://github.com/MikeRecognex/mcp-codebase-index) | 25 | Python | AGPL-3.0 | 18 MCP tools, zero runtime deps, auto-incremental reindexing via git diff | +| 20 | 3.5 | [nahisaho/CodeGraphMCPServer](https://github.com/nahisaho/CodeGraphMCPServer) | 7 | Python | MIT | GraphRAG with Louvain community detection, 16 languages, 14 MCP tools, 334 tests | | 21 | 3.5 | [dundalek/stratify](https://github.com/dundalek/stratify) | 102 | Clojure | MIT | Multi-backend extraction (LSP/SCIP/Joern), 10 languages, DGML/CodeCharta output, architecture linting | | 22 | 3.5 | [kraklabs/cie](https://github.com/kraklabs/cie) | 9 | Go | AGPL-3.0 | Code Intelligence Engine: 20+ MCP tools, tree-sitter, semantic search (Ollama), Homebrew, single Go binary | -| 23 | 3.4 | [Durafen/Claude-code-memory](https://github.com/Durafen/Claude-code-memory) | 72 | Python | None | Memory Guard quality gate, persistent codebase memory, Voyage AI + Qdrant | -| 24 | 3.3 | [NeuralRays/codexray](https://github.com/NeuralRays/codexray) | 2 | TypeScript | MIT | 16 MCP tools, TF-IDF semantic search (~50MB), dead code, complexity, path finding | +| 23 | 3.5 | 
[NeuralRays/codexray](https://github.com/NeuralRays/codexray) | 2 | TypeScript | MIT | 16 MCP tools, TF-IDF semantic search (~50MB), dead code, complexity, path finding | +| 24 | 3.3 | [anrgct/autodev-codebase](https://github.com/anrgct/autodev-codebase) | 111 | TypeScript | None | 40+ languages, 7 embedding providers, Cytoscape.js visualization, LLM reranking. **Stagnant since Jan 2026** | | 25 | 3.3 | [DucPhamNgoc08/CodeVisualizer](https://github.com/DucPhamNgoc08/CodeVisualizer) | 475 | TypeScript | MIT | VS Code extension, tree-sitter WASM, flowcharts + dependency graphs, 5 AI providers, 9 themes | | 26 | 3.3 | [helabenkhalfallah/code-health-meter](https://github.com/helabenkhalfallah/code-health-meter) | 34 | JavaScript | MIT | Formal health metrics (MI, CC, Louvain modularity), published in ACM TOSEM 2025 | | 27 | 3.3 | [JohT/code-graph-analysis-pipeline](https://github.com/JohT/code-graph-analysis-pipeline) | 27 | Cypher | GPL-3.0 | 200+ CSV reports, ML anomaly detection, Leiden/HashGNN, jQAssistant + Neo4j for Java | | 28 | 3.3 | [Lekssays/codebadger](https://github.com/Lekssays/codebadger) | 43 | Python | GPL-3.0 | Containerized MCP server using Joern CPG, 12+ languages | -| 29 | 3.2 | [al1-nasir/codegraph-cli](https://github.com/al1-nasir/codegraph-cli) | 11 | Python | MIT | CrewAI multi-agent system, 6 LLM providers, browser explorer, DOCX export | -| 30 | 3.1 | [anasdayeh/claude-context-local](https://github.com/anasdayeh/claude-context-local) | 0 | Python | None | 100% local, Merkle DAG incremental indexing, sharded FAISS, hybrid BM25+vector, GPU accel | -| 31 | 3.0 | [Vasu014/loregrep](https://github.com/Vasu014/loregrep) | 12 | Rust | Apache-2.0 | In-memory index library, Rust + Python bindings, AI-tool-ready schemas | -| 32 | 3.0 | [xnuinside/codegraph](https://github.com/xnuinside/codegraph) | 438 | Python | MIT | Python-only interactive HTML dependency diagrams with zoom/pan/search | -| 33 | 3.0 | 
[Adrninistrator/java-all-call-graph](https://github.com/Adrninistrator/java-all-call-graph) | 551 | Java | Apache-2.0 | Complete Java bytecode call graphs, Spring/MyBatis-aware, SQL-queryable DB | -| 34 | 3.0 | [Technologicat/pyan](https://github.com/Technologicat/pyan) | 395 | Python | GPL-2.0 | Python 3 call graph generator, module import analysis, cycle detection, interactive HTML | -| 35 | 3.0 | [GaloisInc/MATE](https://github.com/GaloisInc/MATE) | 194 | Python | BSD-3 | DARPA-funded interactive CPG-based bug hunting for C/C++ via LLVM | +| 29 | 3.3 | [Vasu014/loregrep](https://github.com/Vasu014/loregrep) | 12 | Rust | Apache-2.0 | In-memory index library, Rust + Python bindings, AI-tool-ready schemas | +| 30 | 3.3 | [Durafen/Claude-code-memory](https://github.com/Durafen/Claude-code-memory) | 72 | Python | None | Memory Guard quality gate, persistent codebase memory, Voyage AI + Qdrant | +| 31 | 3.2 | [anasdayeh/claude-context-local](https://github.com/anasdayeh/claude-context-local) | 0 | Python | None | 100% local, Merkle DAG incremental indexing, sharded FAISS, hybrid BM25+vector, GPU accel | +| 32 | 3.0 | [al1-nasir/codegraph-cli](https://github.com/al1-nasir/codegraph-cli) | 11 | Python | MIT | CrewAI multi-agent system, 6 LLM providers, browser explorer, DOCX export | +| 33 | 3.0 | [xnuinside/codegraph](https://github.com/xnuinside/codegraph) | 438 | Python | MIT | Python-only interactive HTML dependency diagrams with zoom/pan/search | +| 34 | 3.0 | [Adrninistrator/java-all-call-graph](https://github.com/Adrninistrator/java-all-call-graph) | 551 | Java | Apache-2.0 | Complete Java bytecode call graphs, Spring/MyBatis-aware, SQL-queryable DB | +| 35 | 3.0 | [Technologicat/pyan](https://github.com/Technologicat/pyan) | 395 | Python | GPL-2.0 | Python 3 call graph generator, module import analysis, cycle detection, interactive HTML | | 36 | 3.0 | [clouditor/cloud-property-graph](https://github.com/clouditor/cloud-property-graph) | 28 | Kotlin | Apache-2.0 
| Connects code property graphs with cloud runtime security assessment | ### Tier 2: Niche & Single-Language Tools (score 2.0–2.9) 
@@ -55,53 +55,55 @@ Ranked by weighted score across 6 dimensions (each 1–5): | # | Score | Project | Stars | Lang | License | Summary | |---|-------|---------|-------|------|---------|---------| | 37 | 2.9 | [rahulvgmail/CodeInteliMCP](https://github.com/rahulvgmail/CodeInteliMCP) | 8 | Python | None | DuckDB + ChromaDB (zero Docker), multi-repo, lightweight embedded DBs | -| 38 | 2.8 | [paul-gauthier/aider](https://github.com/paul-gauthier/aider) | 41,664 | Python | Apache-2.0 | AI pair programming CLI; tree-sitter repo map with PageRank-style graph ranking for LLM context selection, 100+ languages, multi-provider LLM support, git-integrated auto-commits | +| 38 | 2.8 | [Aider-AI/aider](https://github.com/Aider-AI/aider) | 42,198 | Python | Apache-2.0 | AI pair programming CLI; tree-sitter repo map with PageRank-style graph ranking for LLM context selection, 100+ languages, multi-provider LLM support, git-integrated auto-commits. Moved to Aider-AI org | | 39 | 2.8 | [scottrogowski/code2flow](https://github.com/scottrogowski/code2flow) | 4,528 | Python | MIT | Call graphs for Python/JS/Ruby/PHP via AST, DOT output, 100% test coverage | | 40 | 2.8 | [ysk8hori/typescript-graph](https://github.com/ysk8hori/typescript-graph) | 200 | TypeScript | None | TypeScript file-level dependency Mermaid diagrams, code metrics (MI, CC), watch mode | | 41 | 2.8 | [nuanced-dev/nuanced-py](https://github.com/nuanced-dev/nuanced-py) | 126 | Python | MIT | Python call graph enrichment designed for AI agent consumption | -| 42 | 2.8 | [Bikach/codeGraph](https://github.com/Bikach/codeGraph) | 6 | TypeScript | MIT | Neo4j graph, Claude Code slash commands, Kotlin support, 40-50% cost reduction | -| 43 | 2.8 | [ChrisRoyse/CodeGraph](https://github.com/ChrisRoyse/CodeGraph) | 65 | TypeScript | None | Neo4j + MCP, multi-language, framework detection (React, Tailwind, Supabase) | -| 44 | 2.8 | [Symbolk/Code2Graph](https://github.com/Symbolk/Code2Graph) | 48 | Java | None | Multilingual code → 
language-agnostic graph representation | -| 45 | 2.7 | [yumeiriowl/repo-graphrag-mcp](https://github.com/yumeiriowl/repo-graphrag-mcp) | 3 | Python | MIT | LightRAG + tree-sitter, entity merge (code ↔ docs), implementation planning tool | -| 46 | 2.7 | [davidfraser/pyan](https://github.com/davidfraser/pyan) | 712 | Python | GPL-2.0 | Python call graph generator (stable fork), DOT/SVG/HTML output, Sphinx integration | -| 47 | 2.7 | [mamuz/PhpDependencyAnalysis](https://github.com/mamuz/PhpDependencyAnalysis) | 572 | PHP | MIT | PHP dependency graphs, cycle detection, architecture verification against defined layers | -| 48 | 2.7 | [faraazahmad/graphsense](https://github.com/faraazahmad/graphsense) | 35 | TypeScript | MIT | MCP server providing code intelligence via static analysis | -| 49 | 2.7 | [JonnoC/CodeRAG](https://github.com/JonnoC/CodeRAG) | 14 | TypeScript | MIT | Enterprise code intelligence with CK metrics, Neo4j, 23 analysis tools, MCP server | -| 50 | 2.6 | [0xjcf/MCP_CodeAnalysis](https://github.com/0xjcf/MCP_CodeAnalysis) | 7 | Python/TS | None | Stateful tools (XState), Redis sessions, socio-technical analysis, dual language impl | -| 51 | 2.5 | [koknat/callGraph](https://github.com/koknat/callGraph) | 325 | Perl | GPL-3.0 | Multi-language (22+) call graph generator via regex, GraphViz output | -| 52 | 2.5 | [RaheesAhmed/code-context-mcp](https://github.com/RaheesAhmed/code-context-mcp) | 0 | Python | MIT | Security pattern detection, auto architecture diagrams, code flow tracing | -| 53 | 2.5 | [league1991/CodeAtlasVsix](https://github.com/league1991/CodeAtlasVsix) | 265 | C# | GPL-2.0 | Visual Studio plugin, Doxygen-based call graph navigation (VS 2010-2015 era) | -| 54 | 2.5 | [beicause/call-graph](https://github.com/beicause/call-graph) | 105 | TypeScript | Apache-2.0 | VS Code extension generating call graphs via LSP call hierarchy API | -| 55 | 2.5 | 
[Thibault-Knobloch/codebase-intelligence](https://github.com/Thibault-Knobloch/codebase-intelligence) | 44 | Python | None | Code indexing + call graph + vector DB + natural language queries (requires OpenAI) | -| 56 | 2.5 | [darkmacheken/wasmati](https://github.com/darkmacheken/wasmati) | 31 | C++ | Apache-2.0 | CPG infrastructure for scanning vulnerabilities in WebAssembly | -| 57 | 2.5 | [sutragraph/sutracli](https://github.com/sutragraph/sutracli) | 28 | Python | GPL-3.0 | AI-powered cross-repo dependency graphs for coding agents | -| 58 | 2.5 | [julianjensen/ast-flow-graph](https://github.com/julianjensen/ast-flow-graph) | 69 | JavaScript | Other | JavaScript control flow graphs from AST analysis | -| 59 | 2.5 | [yoanbernabeu/grepai-skills](https://github.com/yoanbernabeu/grepai-skills) | 14 | — | MIT | 27 AI agent skills for semantic code search and call graph analysis | -| 60 | 2.4 | [shantham/codegraph](https://github.com/shantham/codegraph) | 0 | TypeScript | MIT | Polished `npx` one-command installer, sqlite-vss, 7 MCP tools | -| 61 | 2.3 | [ozyyshr/RepoGraph](https://github.com/ozyyshr/RepoGraph) | 251 | Python | Apache-2.0 | SWE-bench code graph research (ctags + networkx for LLM context) | -| 62 | 2.3 | [emad-elsaid/rubrowser](https://github.com/emad-elsaid/rubrowser) | 644 | Ruby | MIT | Ruby-only interactive D3 force-directed dependency graph | -| 63 | 2.3 | [Chentai-Kao/call-graph-plugin](https://github.com/Chentai-Kao/call-graph-plugin) | 87 | Kotlin | None | IntelliJ plugin for visualizing call graphs in IDE | -| 64 | 2.3 | [ehabterra/apispec](https://github.com/ehabterra/apispec) | 72 | Go | Apache-2.0 | OpenAPI 3.1 spec generator from Go code via call graph analysis | -| 65 | 2.3 | [huoyo/ko-time](https://github.com/huoyo/ko-time) | 61 | Java | LGPL-2.1 | Spring Boot call graph with runtime durations | -| 66 | 2.3 | [Fraunhofer-AISEC/codyze](https://github.com/Fraunhofer-AISEC/codyze) | 91 | Kotlin | None | CPG-based analyzer for cryptographic 
API misuse (archived, merged into cpg repo) | -| 67 | 2.3 | [CartographAI/mcp-server-codegraph](https://github.com/CartographAI/mcp-server-codegraph) | 17 | JavaScript | MIT | Lightweight MCP code graph (3 tools only, Python/JS/Rust) | -| 68 | 2.3 | [YounesBensafia/DevLens](https://github.com/YounesBensafia/DevLens) | 21 | Python | None | Repo scanner with AI summaries, dead code detection (dep graph not yet implemented) | -| 69 | 2.3 | [0xd219b/codegraph](https://github.com/0xd219b/codegraph) | 0 | Rust | None | Pure Rust, HTTP server mode, Java + Go support | -| 70 | 2.3 | [aryx/codegraph](https://github.com/aryx/codegraph) | 6 | OCaml | Other | Multi-language source code dependency visualizer (the original "codegraph" name) | -| 71 | 2.2 | [jmarkowski/codeviz](https://github.com/jmarkowski/codeviz) | 144 | Python | MIT | C/C++ `#include` header dependency graph visualization | -| 72 | 2.2 | [juanallo/vscode-dependency-cruiser](https://github.com/juanallo/vscode-dependency-cruiser) | 76 | JavaScript | MIT | VS Code wrapper for dependency-cruiser (JS/TS) | -| 73 | 2.2 | [hidva/as2cfg](https://github.com/hidva/as2cfg) | 63 | Rust | GPL-3.0 | Intel assembly → control flow graph | -| 74 | 2.2 | [microsoft/cmd-call-graph](https://github.com/microsoft/cmd-call-graph) | 55 | Python | MIT | Call graphs for Windows CMD batch files | -| 75 | 2.2 | [siggy/gographs](https://github.com/siggy/gographs) | 52 | Go | MIT | Go package dependency graph generator | -| 76 | 2.2 | [henryhale/depgraph](https://github.com/henryhale/depgraph) | 33 | Go | MIT | Go-focused codebase dependency analysis | -| 77 | 2.2 | [2015xli/clangd-graph-rag](https://github.com/2015xli/clangd-graph-rag) | 28 | Python | Apache-2.0 | C/C++ Neo4j GraphRAG via clangd (scales to Linux kernel) | -| 78 | 2.1 | [floydw1234/badger-graph](https://github.com/floydw1234/badger-graph) | 0 | Python | None | Dgraph backend (Docker), C struct field access tracking | -| 79 | 2.0 | 
[crubier/code-to-graph](https://github.com/crubier/code-to-graph) | 382 | JavaScript | None | JS code → Mermaid flowchart (single-function, web demo) | -| 80 | 2.0 | [khushil/code-graph-rag](https://github.com/khushil/code-graph-rag) | 0 | Python | MIT | Fork of vitali87/code-graph-rag with no modifications | -| 81 | 2.0 | [FalkorDB/code-graph-backend](https://github.com/FalkorDB/code-graph-backend) | 26 | Python | MIT | FalkorDB (Redis-based graph) code analysis demo | -| 82 | 2.0 | [jillesvangurp/spring-depend](https://github.com/jillesvangurp/spring-depend) | 46 | Java | MIT | Spring bean dependency graph extraction | -| 83 | 2.0 | [ivan-m/SourceGraph](https://github.com/ivan-m/SourceGraph) | 27 | Haskell | GPL-3.0 | Haskell graph-theoretic code analysis (last updated 2022) | -| 84 | 2.0 | [brutski/go-code-graph](https://github.com/brutski/go-code-graph) | 13 | Go | MIT | Go codebase analyzer with MCP integration | +| 42 | 2.8 | [sdsrss/code-graph-mcp](https://github.com/sdsrss/code-graph-mcp) | 16 | TypeScript | MIT | AST knowledge graph MCP server with tree-sitter, 10 languages. 
New entrant | +| 43 | 2.8 | [Bikach/codeGraph](https://github.com/Bikach/codeGraph) | 6 | TypeScript | MIT | Neo4j graph, Claude Code slash commands, Kotlin support, 40-50% cost reduction | +| 44 | 2.8 | [ChrisRoyse/CodeGraph](https://github.com/ChrisRoyse/CodeGraph) | 65 | TypeScript | None | Neo4j + MCP, multi-language, framework detection (React, Tailwind, Supabase) | +| 45 | 2.8 | [Symbolk/Code2Graph](https://github.com/Symbolk/Code2Graph) | 48 | Java | None | Multilingual code → language-agnostic graph representation | +| 46 | 2.7 | [yumeiriowl/repo-graphrag-mcp](https://github.com/yumeiriowl/repo-graphrag-mcp) | 3 | Python | MIT | LightRAG + tree-sitter, entity merge (code ↔ docs), implementation planning tool | +| 47 | 2.7 | [davidfraser/pyan](https://github.com/davidfraser/pyan) | 712 | Python | GPL-2.0 | Python call graph generator (stable fork), DOT/SVG/HTML output, Sphinx integration | +| 48 | 2.7 | [mamuz/PhpDependencyAnalysis](https://github.com/mamuz/PhpDependencyAnalysis) | 572 | PHP | MIT | PHP dependency graphs, cycle detection, architecture verification against defined layers | +| 49 | 2.7 | [faraazahmad/graphsense](https://github.com/faraazahmad/graphsense) | 35 | TypeScript | MIT | MCP server providing code intelligence via static analysis | +| 50 | 2.7 | [JonnoC/CodeRAG](https://github.com/JonnoC/CodeRAG) | 14 | TypeScript | MIT | Enterprise code intelligence with CK metrics, Neo4j, 23 analysis tools, MCP server | +| 51 | 2.6 | [0xjcf/MCP_CodeAnalysis](https://github.com/0xjcf/MCP_CodeAnalysis) | 7 | Python/TS | None | Stateful tools (XState), Redis sessions, socio-technical analysis, dual language impl | +| 52 | 2.5 | [koknat/callGraph](https://github.com/koknat/callGraph) | 325 | Perl | GPL-3.0 | Multi-language (22+) call graph generator via regex, GraphViz output | +| 53 | 2.5 | [RaheesAhmed/code-context-mcp](https://github.com/RaheesAhmed/code-context-mcp) | 0 | Python | MIT | Security pattern detection, auto architecture diagrams, code 
flow tracing | +| 54 | 2.5 | [league1991/CodeAtlasVsix](https://github.com/league1991/CodeAtlasVsix) | 265 | C# | GPL-2.0 | Visual Studio plugin, Doxygen-based call graph navigation (VS 2010-2015 era) | +| 55 | 2.5 | [beicause/call-graph](https://github.com/beicause/call-graph) | 105 | TypeScript | Apache-2.0 | VS Code extension generating call graphs via LSP call hierarchy API | +| 56 | 2.5 | [Thibault-Knobloch/codebase-intelligence](https://github.com/Thibault-Knobloch/codebase-intelligence) | 44 | Python | None | Code indexing + call graph + vector DB + natural language queries (requires OpenAI) | +| 57 | 2.5 | [darkmacheken/wasmati](https://github.com/darkmacheken/wasmati) | 31 | C++ | Apache-2.0 | CPG infrastructure for scanning vulnerabilities in WebAssembly | +| 58 | 2.5 | [sutragraph/sutracli](https://github.com/sutragraph/sutracli) | 28 | Python | GPL-3.0 | AI-powered cross-repo dependency graphs for coding agents | +| 59 | 2.5 | [julianjensen/ast-flow-graph](https://github.com/julianjensen/ast-flow-graph) | 69 | JavaScript | Other | JavaScript control flow graphs from AST analysis | +| 60 | 2.5 | [yoanbernabeu/grepai-skills](https://github.com/yoanbernabeu/grepai-skills) | 14 | — | MIT | 27 AI agent skills for semantic code search and call graph analysis | +| 61 | 2.5 | [GaloisInc/MATE](https://github.com/GaloisInc/MATE) | 194 | Python | BSD-3 | DARPA-funded interactive CPG-based bug hunting for C/C++ via LLVM | +| 62 | 2.4 | [shantham/codegraph](https://github.com/shantham/codegraph) | 0 | TypeScript | MIT | Polished `npx` one-command installer, sqlite-vss, 7 MCP tools | +| 63 | 2.3 | [ozyyshr/RepoGraph](https://github.com/ozyyshr/RepoGraph) | 251 | Python | Apache-2.0 | SWE-bench code graph research (ctags + networkx for LLM context) | +| 64 | 2.3 | [emad-elsaid/rubrowser](https://github.com/emad-elsaid/rubrowser) | 644 | Ruby | MIT | Ruby-only interactive D3 force-directed dependency graph | +| 65 | 2.3 | 
[Chentai-Kao/call-graph-plugin](https://github.com/Chentai-Kao/call-graph-plugin) | 87 | Kotlin | None | IntelliJ plugin for visualizing call graphs in IDE | +| 66 | 2.3 | [ehabterra/apispec](https://github.com/ehabterra/apispec) | 72 | Go | Apache-2.0 | OpenAPI 3.1 spec generator from Go code via call graph analysis | +| 67 | 2.3 | [huoyo/ko-time](https://github.com/huoyo/ko-time) | 61 | Java | LGPL-2.1 | Spring Boot call graph with runtime durations | +| 68 | 2.3 | [Fraunhofer-AISEC/codyze](https://github.com/Fraunhofer-AISEC/codyze) | 91 | Kotlin | None | CPG-based analyzer for cryptographic API misuse (archived, merged into cpg repo) | +| 69 | 2.3 | [CartographAI/mcp-server-codegraph](https://github.com/CartographAI/mcp-server-codegraph) | 17 | JavaScript | MIT | Lightweight MCP code graph (3 tools only, Python/JS/Rust) | +| 70 | 2.3 | [YounesBensafia/DevLens](https://github.com/YounesBensafia/DevLens) | 21 | Python | None | Repo scanner with AI summaries, dead code detection (dep graph not yet implemented) | +| 71 | 2.3 | [0xd219b/codegraph](https://github.com/0xd219b/codegraph) | 0 | Rust | None | Pure Rust, HTTP server mode, Java + Go support | +| 72 | 2.3 | [aryx/codegraph](https://github.com/aryx/codegraph) | 6 | OCaml | Other | Multi-language source code dependency visualizer (the original "codegraph" name) | +| 73 | 2.2 | [jmarkowski/codeviz](https://github.com/jmarkowski/codeviz) | 144 | Python | MIT | C/C++ `#include` header dependency graph visualization | +| 74 | 2.2 | [juanallo/vscode-dependency-cruiser](https://github.com/juanallo/vscode-dependency-cruiser) | 76 | JavaScript | MIT | VS Code wrapper for dependency-cruiser (JS/TS) | +| 75 | 2.2 | [hidva/as2cfg](https://github.com/hidva/as2cfg) | 63 | Rust | GPL-3.0 | Intel assembly → control flow graph | +| 76 | 2.2 | [microsoft/cmd-call-graph](https://github.com/microsoft/cmd-call-graph) | 55 | Python | MIT | Call graphs for Windows CMD batch files | +| 77 | 2.2 | 
[siggy/gographs](https://github.com/siggy/gographs) | 52 | Go | MIT | Go package dependency graph generator | +| 78 | 2.2 | [henryhale/depgraph](https://github.com/henryhale/depgraph) | 33 | Go | MIT | Go-focused codebase dependency analysis | +| 79 | 2.2 | [2015xli/clangd-graph-rag](https://github.com/2015xli/clangd-graph-rag) | 28 | Python | Apache-2.0 | C/C++ Neo4j GraphRAG via clangd (scales to Linux kernel) | +| 80 | 2.1 | [floydw1234/badger-graph](https://github.com/floydw1234/badger-graph) | 0 | Python | None | Dgraph backend (Docker), C struct field access tracking | +| 81 | 2.0 | [crubier/code-to-graph](https://github.com/crubier/code-to-graph) | 382 | JavaScript | None | JS code → Mermaid flowchart (single-function, web demo) | +| 82 | 2.0 | [khushil/code-graph-rag](https://github.com/khushil/code-graph-rag) | 0 | Python | MIT | Fork of vitali87/code-graph-rag with no modifications | +| 83 | 2.0 | [FalkorDB/code-graph-backend](https://github.com/FalkorDB/code-graph-backend) | 26 | Python | MIT | FalkorDB (Redis-based graph) code analysis demo | +| 84 | 2.0 | [jillesvangurp/spring-depend](https://github.com/jillesvangurp/spring-depend) | 46 | Java | MIT | Spring bean dependency graph extraction | +| 85 | 2.0 | [ivan-m/SourceGraph](https://github.com/ivan-m/SourceGraph) | 27 | Haskell | GPL-3.0 | Haskell graph-theoretic code analysis (last updated 2022) | +| 86 | 2.0 | [brutski/go-code-graph](https://github.com/brutski/go-code-graph) | 13 | Go | MIT | Go codebase analyzer with MCP integration | ### Tier 3: Minimal or Inactive (score < 2.0) 
@@ -130,41 +132,41 @@ Ranked by weighted score across 6 dimensions (each 1–5): | # | Project | Features | Analysis Depth | Deploy Simplicity | Lang Support | Code Quality | Community | |---|---------|----------|---------------|-------------------|-------------|-------------|-----------| -| 1 | joern | 5 | 5 | 3 | 4 | 5 | 5 | -| 2 | narsil-mcp | 5 | 5 | 5 | 5 | 4 | 3 | -| 3 | code-graph-rag | 5 | 4 | 3 | 4 | 4 | 5 | -| 4 | cpg | 5 | 5 | 2 | 5 | 5 | 3 | -| 5 | glimpse | 4 | 4 | 5 | 3 | 5 | 5 | -| 6 | CKB | 5 | 5 | 4 | 3 | 4 | 3 | -| 7 | GitNexus | 5 | 5 | 4 | 4 | 4 | 2 | -| **8** | **codegraph (us)** | **5** | **4** | **5** | **4** | **4** | **2** | -| 9 | axon | 5 | 5 | 4 | 2 | 4 | 2 | -| 10 | autodev-codebase | 5 | 3 | 3 | 5 | 3 | 4 | -| 11 | codepropertygraph | 4 | 5 | 2 | 4 | 5 | 3 | -| 12 | codegraph-rust | 5 | 5 | 2 | 4 | 4 | 3 | -| 13 | arbor | 4 | 4 | 5 | 4 | 5 | 3 | +| 1 | GitNexus | 5 | 5 | 4 | 4 | 4 | 5 | +| 2 | joern | 5 | 5 | 3 | 4 | 5 | 5 | +| 3 | narsil-mcp | 5 | 5 | 5 | 5 | 4 | 3 | +| **4** | **codegraph (us)** | **5** | **5** | **5** | **4** | **5** | **3** | +| 5 | codebase-memory-mcp | 4 | 4 | 5 | 5 | 4 | 4 | +| 6 | code-graph-rag | 5 | 4 | 3 | 4 | 4 | 5 | +| 7 | cpg | 5 | 5 | 2 | 5 | 5 | 3 | +| 8 | arbor | 4 | 4 | 5 | 4 | 5 | 3 | +| 9 | CKB | 5 | 5 | 4 | 3 | 4 | 3 | +| 10 | axon | 5 | 5 | 4 | 2 | 4 | 3 | +| 11 | glimpse | 4 | 4 | 5 | 3 | 5 | 2 | +| 12 | codepropertygraph | 4 | 5 | 2 | 4 | 5 | 3 | +| 13 | codegraph-rust | 5 | 5 | 2 | 4 | 4 | 3 | | 14 | mcp-code-graph | 4 | 3 | 4 | 4 | 3 | 4 | | 15 | code-graph-mcp | 4 | 4 | 4 | 5 | 3 | 2 | | 16 | jelly | 4 | 5 | 4 | 1 | 5 | 3 | -| 17 | code-graph-rag-mcp | 5 | 4 | 3 | 4 | 3 | 2 | -| 18 | mcp-codebase-index | 4 | 3 | 5 | 3 | 4 | 2 | -| 19 | CodeGraphMCPServer | 4 | 4 | 4 | 5 | 3 | 1 | -| 20 | colbymchenry/codegraph | 4 | 3 | 5 | 3 | 3 | 3 | +| 17 | colbymchenry/codegraph | 4 | 3 | 5 | 3 | 3 | 4 | +| 18 | code-graph-rag-mcp | 5 | 4 | 3 | 4 | 3 | 2 | +| 19 | mcp-codebase-index | 4 | 3 | 5 | 3 | 4 | 2 
| +| 20 | CodeGraphMCPServer | 4 | 4 | 4 | 5 | 3 | 1 | | 21 | stratify | 4 | 4 | 2 | 5 | 4 | 2 | | 22 | cie | 5 | 4 | 4 | 3 | 4 | 1 | -| 23 | Claude-code-memory | 4 | 3 | 3 | 3 | 4 | 3 | -| 24 | codexray | 5 | 4 | 4 | 4 | 3 | 1 | +| 23 | codexray | 5 | 4 | 4 | 4 | 3 | 1 | +| 24 | autodev-codebase | 5 | 3 | 3 | 5 | 3 | 1 | | 25 | CodeVisualizer | 4 | 3 | 5 | 3 | 3 | 2 | | 26 | code-health-meter | 3 | 5 | 5 | 1 | 4 | 2 | | 27 | code-graph-analysis-pipeline | 5 | 5 | 1 | 2 | 5 | 2 | | 28 | codebadger | 4 | 4 | 3 | 5 | 3 | 1 | -| 29 | codegraph-cli | 5 | 3 | 3 | 2 | 3 | 2 | -| 30 | claude-context-local | 4 | 3 | 3 | 4 | 4 | 1 | -| 31 | loregrep | 3 | 3 | 4 | 3 | 5 | 2 | -| 32 | xnuinside/codegraph | 3 | 2 | 5 | 1 | 3 | 4 | -| 33 | java-all-call-graph | 4 | 4 | 3 | 1 | 3 | 3 | -| 34 | pyan | 3 | 3 | 5 | 1 | 4 | 2 | -| 35 | MATE | 3 | 5 | 1 | 1 | 3 | 2 | +| 29 | loregrep | 3 | 3 | 4 | 3 | 5 | 2 | +| 30 | Claude-code-memory | 4 | 3 | 3 | 3 | 4 | 3 | +| 31 | claude-context-local | 4 | 3 | 3 | 4 | 4 | 1 | +| 32 | codegraph-cli | 5 | 3 | 3 | 2 | 3 | 2 | +| 33 | xnuinside/codegraph | 3 | 2 | 5 | 1 | 3 | 4 | +| 34 | java-all-call-graph | 4 | 4 | 3 | 1 | 3 | 3 | +| 35 | pyan | 3 | 3 | 5 | 1 | 4 | 2 | | 36 | cloud-property-graph | 4 | 4 | 2 | 2 | 4 | 2 | **Scoring criteria:** 
@@ -181,13 +183,13 @@ Ranked by weighted score across 6 dimensions (each 1–5): | Strength | Details | |----------|---------| -| **Always-fresh graph (incremental rebuilds)** | Three-tier change detection (journal → mtime+size → hash) means only changed files are re-parsed. Change 1 file in a 3,000-file project → rebuild in under a second. No other tool in this space offers this. Competitors re-index everything from scratch — making them unusable in commit hooks, watch mode, or agent-driven loops | +| **Always-fresh graph (incremental rebuilds)** | Three-tier change detection (journal → mtime+size → hash) means only changed files are re-parsed. Change 1 file in a 3,000-file project → rebuild in under a second. No other tool in this space offers true incremental rebuilds. Competitors re-index everything from scratch — making them unusable in commit hooks, watch mode, or agent-driven loops. Native Rust engine achieves ~4-6 ms/file on cold builds | | **Qualified call resolution** | Import-aware resolution distinguishes method calls (`obj.method()`) from standalone function calls, filters 28+ built-in receivers (`console`, `Math`, `JSON`, `Array`, `Promise`, etc.), deduplicates edges, and respects import scope. A call to `foo()` only resolves to functions actually imported or in-scope — eliminating the false positives that plague tree-sitter-based tools. Confidence scoring (1.0 → 0.5) on every edge lets agents trust the graph | | **AI-optimized compound commands** | `context` returns source + deps + callers + signature + related tests for a function in one call. `explain` gives structural summaries of files (public API, internals, data flow) or functions without reading the source. These save AI agents 50-80% of the token budget they'd otherwise spend navigating code. 
No competitor offers purpose-built compound context commands | | **Zero-cost core, LLM-enhanced when you choose** | The full graph pipeline (parse, resolve, query, impact analysis) runs with no API keys, no cloud, no cost. LLM features (richer embeddings, semantic search) are an optional layer on top — using whichever provider the user already works with. Competitors either require cloud APIs for core features (code-graph-rag, autodev-codebase, mcp-code-graph) or offer no AI enhancement at all (CKB, axon). Nobody else offers both modes in one tool | | **Data goes only where you send it** | Your code reaches exactly one place: the AI agent you already chose (via MCP). No additional third-party services, no surprise cloud calls. Competitors like code-graph-rag, autodev-codebase, mcp-code-graph, and Claude-code-memory send your code to additional AI providers beyond the agent you're using | -| **Dual engine architecture** | Only project with native Rust (napi-rs) + automatic WASM fallback. Others are pure Rust (narsil-mcp, codegraph-rust) OR pure JS/Python — never both | -| **Standalone CLI + MCP** | Full CLI experience (`context`, `explain`, `where`, `fn`, `diff-impact`, `map`, `deps`, `search`, `structure`, `hotspots`, `roles`) alongside 18-tool MCP server. Many competitors are MCP-only (narsil-mcp, code-graph-mcp, CodeGraphMCPServer) with no standalone query interface | +| **Dual engine architecture** | Only project with native Rust (napi-rs) + automatic WASM fallback. Others are pure Rust (narsil-mcp, codegraph-rust, codebase-memory-mcp) OR pure JS/Python — never both | +| **Standalone CLI + MCP** | Full 41-command CLI experience (`context`, `audit`, `where`, `fn-impact`, `diff-impact`, `map`, `deps`, `search`, `structure`, `sequence`, `roles`, `dataflow`, `cfg`, `ast`) alongside 32-tool MCP server. 
Many competitors are MCP-only (narsil-mcp, codebase-memory-mcp, code-graph-mcp, CodeGraphMCPServer) with no standalone query interface | | **Single-repo MCP isolation** | Security-conscious default: tools have no `repo` property unless `--multi-repo` is explicitly enabled. Most competitors default to exposing everything | | **Zero-dependency deployment** | `npm install` and done. No Docker, no external databases, no Python, no SCIP toolchains, no JVM. Published platform-specific binaries (`@optave/codegraph-{platform}-{arch}`) resolve automatically. Joern requires JDK 21, cpg requires Gradle + language-specific deps, codegraph-rust requires SurrealDB + LSP servers | | **Structure & quality analysis** | `structure` shows directory cohesion scores, `hotspots` finds files with extreme fan-in/fan-out/density, `stats` includes a graph quality score (0-100) with false-positive warnings. These give agents architectural awareness without requiring external tools | 
@@ -198,79 +200,99 @@ Ranked by weighted score across 6 dimensions (each 1–5): ## Where Codegraph Loses -### vs joern (#1, 2,956 stars) -- **Full Code Property Graph**: AST + CFG + PDG combined for deep vulnerability analysis; our tree-sitter extraction captures structure but not control/data flow -- **Scala query DSL**: purpose-built query language for arbitrary graph traversals vs our fixed SQL queries +### vs GitNexus (#1, 18,453 stars) +- **Viral growth**: 18,453 stars in ~8 months — orders of magnitude more traction. Discord community, TrendShift badge, npm package (`gitnexus`) +- **Multi-editor integration**: Auto-configures Claude Code (with hooks), Cursor, Codex, Windsurf, OpenCode via `gitnexus setup`. We only support Claude Code MCP config +- **Auto-generated context files**: Creates AGENTS.md/CLAUDE.md from the knowledge graph — agents get codebase context automatically +- **Web UI + CLI + MCP**: Three access modes including a hosted web explorer at gitnexus.vercel.app. We have CLI + MCP + interactive HTML viewer but no hosted web UI +- **Bridge mode**: `gitnexus serve` connects CLI-indexed repos to the web UI — seamless local-to-browser workflow +- **Where we win**: Non-commercial license (PolyForm NC) blocks enterprise adoption. No incremental rebuilds (full re-index). LadybugDB is custom/unproven vs our SQLite. We have deeper analysis (complexity, dataflow, CFG, architecture boundaries, manifesto rules, CI gates) and confidence-scored edges. 
Their graph is broader but shallower + +### vs joern (#2, 3,021 stars) +- **Full Code Property Graph**: AST + CFG + PDG combined for deep vulnerability analysis; our tree-sitter extraction captures structure but not interprocedural control/data flow +- **Scala query DSL**: purpose-built query language for arbitrary graph traversals vs our fixed CLI commands - **Binary analysis**: Ghidra frontend can analyze compiled binaries — we're source-only -- **Enterprise backing**: ShiftLeft/Fraunhofer support, daily automated releases, Discord community, professional documentation at joern.io -- **Community**: 2,956 stars, 389 forks — massive traction +- **Enterprise backing**: ShiftLeft/Fraunhofer support, daily automated releases (v4.0.508), 75 contributors, professional documentation at joern.io +- **Community**: 3,021 stars, 400 forks — massive traction. 4 community MCP wrappers now available -### vs narsil-mcp (#2, 101 stars) -- **Feature breadth**: 90 MCP tools vs our 17; covers taint analysis, SBOM, license compliance, control flow graphs, data flow analysis +### vs narsil-mcp (#3, 129 stars) +- **Feature breadth**: 90 MCP tools vs our 32; covers taint analysis, SBOM, license compliance, control flow graphs, data flow analysis - **Language count**: 32 languages (including Verilog, Fortran, PowerShell, Nix) vs our 11 -- **Security analysis**: vulnerability scanning with OWASP/CWE coverage — we have no security features -- **Dead code detection**: built-in — *(Gap closed: our `roles --role dead` now surfaces unreferenced non-exported symbols)* +- **Security analysis**: vulnerability scanning with OWASP/CWE coverage, 147+ rules (added 36 Rust/Elixir rules in v1.6.0) — we have no security features +- **SPA web frontend**: Full web UI with file tree sidebar, syntax-highlighted code viewer, dashboard, per-repo overview, CFG visualization (added v1.6.0) - **Single-binary deployment**: ~30MB Rust binary via brew/scoop/cargo/npm — as easy as ours - -### vs code-graph-rag (#3, 
1,916 stars) -- **Graph query expressiveness**: Memgraph + Cypher enables arbitrary graph traversals; our SQL queries are more rigid +- **Note**: No activity since Feb 25 (24+ day gap) — development may have paused + +### vs codebase-memory-mcp (#5, 793 stars — NEW) +- **Explosive growth**: 793 stars in 25 days — fastest-growing new entrant in the space. Single-developer C project +- **Zero-dependency binary**: Single static C binary (~30MB), no Node.js/JVM/runtime. Auto-installer configures 10 different AI agents in one command +- **64 languages**: 3x our language coverage via vendored tree-sitter grammars compiled into the binary +- **Cypher-like query language**: Hand-built Cypher subset in C for arbitrary graph traversals — we have no query DSL +- **HTTP route analysis**: First-class Route nodes and cross-service HTTP call linking with confidence scoring — unique capability +- **3D graph visualization**: Built-in web-based 3D graph viewer +- **Where we win**: MCP-only (no standalone CLI), no semantic search/embeddings, no complexity metrics, no cycle detection, no export formats (DOT/Mermaid/GraphML), no architecture boundaries, no CI gates, no programmatic API, limited Cypher subset (no WITH/COLLECT/OPTIONAL MATCH). Very immature (v0.5.x, 25 days old, solo developer). 
Our analysis depth is significantly greater + +### vs code-graph-rag (#6, 2,168 stars) +- **Graph query expressiveness**: Memgraph + Cypher enables arbitrary graph traversals; our CLI commands are more rigid - **AI-powered code editing**: they can surgically edit functions via AST targeting with visual diffs - **Provider flexibility**: they support Gemini/OpenAI/Claude/Ollama and can mix providers per task -- **Community**: 1,916 stars — orders of magnitude more traction +- **MCP server**: now added MCP support, expanding from pure RAG into the AI agent ecosystem +- **Community**: 2,168 stars — significant traction -### vs cpg (#4, 411 stars) +### vs cpg (#7, 424 stars) - **Formal CPG specification**: academic-grade graph representation (AST + CFG + PDG + DFG) with published specs - **MCP module**: built-in MCP support now, matching our integration - **LLVM IR support**: extends language coverage to any LLVM-compiled language (Rust, Swift, etc.) - **Type inference**: can analyze incomplete/partial code — our tree-sitter requires syntactically valid input -### vs glimpse (#5, 349 stars) +### vs arbor (#8, 85 stars) +- **Native Rust GUI**: Built-in desktop interface for interactive graph exploration — we have HTML viewer but no native GUI +- **Fuzzy symbol search**: Levenshtein-scored symbol matching tolerates typos and partial names — our search requires exact or substring matches +- **Built-in confidence scoring**: Graph edges carry confidence weights out of the box — we have confidence scoring on import resolution but not surfaced on all edge types +- **Architectural role classification**: Automatic labeling of nodes by architectural role (controller, service, repository, etc.) 
— *(Gap closed: our `roles` command now classifies nodes as entry, core, utility, adapter, dead, leaf)* + +### vs CKB (#9, 77 stars) +- **Indexing accuracy**: SCIP provides compiler-grade cross-file references (type-aware), fundamentally more accurate than tree-sitter for supported languages +- **Compound operations**: `explore`/`understand`/`prepareChange` batch multiple queries into one call — 83% token reduction. *(Gap closed: our `context`, `audit`, and `batch` commands now serve the same purpose)* +- **Now claims impact analysis and architecture mapping**: Feature convergence with v8.1.0 — they're moving into our territory +- **Secret scanning**: enterprise feature we lack + +### vs axon (#10, 577 stars) +- **Hit v1.0 milestone**: Now a stable release with tree-sitter + KuzuDB + CLI + MCP. Growing fast (+156 stars since Feb) +- **Leiden community detection**: More sophisticated clustering than our Louvain +- **KuzuDB with native Cypher**: More expressive for complex graph queries than our SQLite +- **Git change coupling**: Co-change analysis — *(Gap closed: we now have `co-change` command)* +- **Branch structural diff**: *(Gap closed: we now have `branch-compare`)* + +### vs glimpse (#11, 349 stars — stagnant) - **LLM workflow optimization**: clipboard-first output + token counting + XML output mode — purpose-built for "code → LLM context" - **LSP-based call resolution**: compiler-grade accuracy vs our tree-sitter heuristic approach - **Web content processing**: can fetch URLs and convert HTML to markdown for context -### vs CKB (#6, 59 stars) -- **Indexing accuracy**: SCIP provides compiler-grade cross-file references (type-aware), fundamentally more accurate than tree-sitter for supported languages -- **Compound operations**: `explore`/`understand`/`prepareChange` batch multiple queries into one call — 83% token reduction. 
*(Gap narrowed: our `context` and `explain` commands now serve the same purpose, returning full function context or file summaries in one call)* -- **CODEOWNERS + secret scanning**: enterprise features we lack entirely - -### vs GitNexus (#7) -- **Precomputed structural intelligence**: 6-phase pipeline (structure, parsing, resolution, clustering, processes, search) precomputes everything at index time — queries return complete context in a single call. Our queries traverse the graph at query time -- **Clustering and process tracing**: Leiden-style community detection groups related symbols into functional clusters; execution flow tracing from entry points. We have neither -- **Hybrid search**: BM25 + semantic + RRF with process-grouped results — our semantic search lacks the BM25/process grouping layer -- **Multi-file coordinated rename**: validated against graph structure and text — we have no refactoring tools -- **Auto-generated context files**: LLM-powered wiki and AGENTS.md/CLAUDE.md generation from the knowledge graph -- **Tradeoff**: Full pipeline re-run on changes (no incremental builds), KuzuDB graph DB (heavier than SQLite), browser mode limited to ~5,000 files - -### vs axon (#9, 29 stars) -- **Analysis depth**: their 11-phase pipeline includes community detection (Leiden), execution flow tracing, git change coupling, dead code detection — *(Gap narrowed: we now have dead code detection via node role classification)* -- **Graph database**: KuzuDB with native Cypher is more expressive for complex graph queries than our SQLite -- **Branch structural diff**: compares code structure between branches using git worktrees - -### vs codegraph-rust (#12, 142 stars) +### vs codegraph-rust (#13, 142 stars) - **LSP-powered analysis**: compiler-grade cross-file references via rust-analyzer, pyright, gopls vs our tree-sitter heuristics -- **Dataflow edges**: defines/uses/flows_to/returns/mutates relationships we don't capture -- **Architecture boundary enforcement**: 
configurable rules for detecting violations — we have no architectural awareness +- **Dataflow edges**: defines/uses/flows_to/returns/mutates relationships — *(Gap closed: we now have `flows_to`/`returns`/`mutates` across all 11 languages)* +- **Architecture boundary enforcement**: *(Gap closed: we now have `boundaries` command with onion/hexagonal/layered/clean presets)* - **Tiered indexing**: fast/balanced/full modes for different use cases — we have one mode -### vs jelly (#16, 417 stars) +### vs jelly (#16, 423 stars) - **Points-to analysis**: flow-insensitive analysis with access paths for JS/TS — fundamentally more precise than our tree-sitter-based call resolution - **Academic rigor**: 5 published papers backing the methodology (Aarhus University) - **Vulnerability exposure analysis**: library usage pattern matching specific to the JS/TS ecosystem -### vs aider (#38, 41,664 stars) +### vs aider (#38, 42,198 stars — now Aider-AI/aider) - **Different product category**: Aider is an AI pair programming CLI, not a code graph tool — but its tree-sitter repo map with PageRank-style graph ranking is a lightweight alternative to our full graph for LLM context selection -- **Massive community**: 41,664 stars, 3,984 forks — orders of magnitude more traction than any tool in this space. Aider *is* the category leader for AI-assisted coding in the terminal +- **Massive community**: 42,198 stars, 4,054 forks — orders of magnitude more traction than any tool in this space. Aider *is* the category leader for AI-assisted coding in the terminal. Moved to Aider-AI org - **100+ languages**: tree-sitter parsing covers far more languages than our 11, though only for identifier extraction (not full symbol/call resolution) - **Multi-provider LLM**: works with Claude, GPT-4, Gemini, DeepSeek, Ollama, and virtually any LLM out of the box - **Built-in code editing**: Aider's core loop is "understand code → edit code → commit." 
We provide the understanding layer but don't edit - **Where we win**: Aider's repo map is shallow — file-level dependency graph with identifier ranking, no function-level call resolution, no impact analysis, no dead code detection, no complexity metrics, no MCP server, no standalone queryable graph. It answers "what's relevant?" but not "what breaks if I change this?" Our graph is deeper and persistent; Aider rebuilds its map per-request -### vs colbymchenry/codegraph (#20, 165 stars) -- **No role classification**: they lack node role classification or dead code detection — we now have both -- **Naming competitor**: same name, same tech stack (tree-sitter + SQLite + MCP + Node.js) — marketplace confusion risk -- **Published benchmarks**: 67% fewer tool calls and measurable Claude Code token reduction — compelling marketing angle we lack. *(Gap narrowed: our `context` and `explain` compound commands now provide similar token savings by batching multiple queries into one call)* +### vs colbymchenry/codegraph (#17, 308 stars — nearly doubled) +- **Fastest-growing naming competitor**: 165 → 308 stars since Feb. Same name, same tech stack (tree-sitter + SQLite + MCP + Node.js) — marketplace confusion is increasing +- **Published benchmarks**: 67% fewer tool calls and measurable Claude Code token reduction — compelling marketing. *(Gap closed: our `context`, `audit`, and `batch` compound commands provide equivalent or better token savings)* - **One-liner setup**: `npx @colbymchenry/codegraph` with interactive installer auto-configures Claude Code +- **Where we win**: We have 41 CLI commands vs their MCP-only approach, confidence-scored edges, dataflow/CFG/AST analysis, complexity metrics, architecture boundaries, cycle detection, dead code/export detection, community detection, sequence diagrams, and CI gates. Their tool is a lightweight MCP wrapper; ours is a full code intelligence platform --- 
@@ -282,7 +304,7 @@ Ranked by weighted score across 6 dimensions (each 1–5): | ~~**Dead code detection**~~ | narsil-mcp, axon, codexray, CKB | ~~We have the graph — find nodes with zero incoming edges (minus entry points/exports). Agents constantly ask "is this used?"~~ | **DONE** — Delivered via node classification. `roles --role dead` lists all unreferenced, non-exported symbols | | ~~**Fuzzy symbol search**~~ | arbor | ~~Add Levenshtein/Jaro-Winkler to `fn` command. Currently requires exact match~~ | **DONE** — `fn` now has relevance scoring (exact > prefix > word-boundary > substring) with fan-in tiebreaker, plus `--file` and `--kind` filters | | ~~**Expose confidence scores**~~ | arbor | ~~Already computed internally in import resolution — just surface them~~ | **DONE** — confidence scores stored on every call edge, surfaced in `stats` graph quality score | -| **Shortest path A→B** | codexray, arbor | BFS on existing edges table. We have `fn` for single chains but no A→B pathfinding | TODO | +| ~~**Shortest path A→B**~~ | codexray, arbor | ~~BFS on existing edges table~~ | **DONE** — `codegraph path ` with BFS on call graph edges | ### Tier 2: High impact, medium effort | Feature | Inspired by | Why | Status | 
@@ -290,20 +312,20 @@ Ranked by weighted score across 6 dimensions (each 1–5): | **Optional LLM provider integration** | code-graph-rag, autodev-codebase | Bring-your-own provider (OpenAI, etc.) for richer embeddings and AI-powered search. Enhancement layer only — core graph never depends on it. No other tool offers both zero-cost local and LLM-enhanced modes in one package | TODO | | ~~**Compound MCP tools**~~ | CKB, colbymchenry/codegraph | ~~`explore`/`understand` meta-tools that batch deps + fn + map into single responses~~ | **DONE** — `context` returns source + deps + callers + signature + tests in one call; `explain` returns structural summaries of files or functions | | **Token counting on responses** | glimpse, arbor | tiktoken-based counts so agents know context budget consumed | TODO | -| ~~**Node classification**~~ | arbor | ~~Auto-tag Entry Point / Core / Utility / Adapter from in-degree/out-degree patterns~~ | **DONE** — `classifyNodeRoles()` tags every symbol as `entry`/`core`/`utility`/`adapter`/`dead`/`leaf`. New `roles` CLI command, `node_roles` MCP tool (18 tools), `--role`/`--file` filters. Roles surfaced in `where`/`explain`/`context`/`stats`/`list-functions` | +| ~~**Node classification**~~ | arbor | ~~Auto-tag Entry Point / Core / Utility / Adapter from in-degree/out-degree patterns~~ | **DONE** — `classifyNodeRoles()` tags every symbol as `entry`/`core`/`utility`/`adapter`/`dead`/`leaf`. New `roles` CLI command, `node_roles` MCP tool, `--role`/`--file` filters. 
Roles surfaced in `where`/`context`/`stats`/`list-functions` | | **TF-IDF lightweight search** | codexray | SQLite FTS5 + TF-IDF as a middle tier (~50MB) between "no search" and full transformers (~500MB) | TODO | | **OWASP/CWE pattern detection** | narsil-mcp, CKB | Security pattern scanning on the existing AST — hardcoded secrets, SQL injection patterns, XSS | TODO | -| **Formal code health metrics** | code-health-meter | Cyclomatic complexity, Maintainability Index, Halstead metrics per function — we already parse the AST | TODO | +| ~~**Formal code health metrics**~~ | code-health-meter | ~~Cyclomatic complexity, Maintainability Index, Halstead metrics per function~~ | **DONE** — `codegraph complexity` delivers cognitive, cyclomatic (CFG-derived), Halstead, MI, nesting depth per function across all 11 languages | ### Tier 3: High impact, high effort | Feature | Inspired by | Why | Status | |---------|------------|-----|--------| -| **Interactive HTML visualization** | autodev-codebase, CodeVisualizer | `codegraph viz` → opens interactive vis.js/Cytoscape.js graph in browser | TODO | -| **Git change coupling** | axon | Analyze git history for files that always change together — enhances `diff-impact` | TODO | -| **Community detection** | axon, GitNexus, CodeGraphMCPServer | Leiden/Louvain algorithm to discover natural module boundaries vs actual file organization | TODO | -| **Execution flow tracing** | axon, GitNexus, code-context-mcp | Framework-aware entry point detection + BFS flow tracing | TODO | -| **Dataflow analysis** | codegraph-rust | Define/use chains and flows_to/returns/mutates edges — major analysis depth increase | TODO | -| **Architecture boundary rules** | codegraph-rust, stratify | User-defined rules for allowed/forbidden dependencies between modules | TODO | +| ~~**Interactive HTML visualization**~~ | autodev-codebase, CodeVisualizer | ~~`codegraph viz` → opens interactive graph in browser~~ | **DONE** — `codegraph plot` opens interactive 
vis-network HTML viewer with physics, clustering, drill-down | +| ~~**Git change coupling**~~ | axon | ~~Analyze git history for files that always change together~~ | **DONE** — `codegraph co-change` analyzes git history for temporal file coupling | +| ~~**Community detection**~~ | axon, GitNexus, CodeGraphMCPServer | ~~Louvain algorithm to discover natural module boundaries~~ | **DONE** — `codegraph communities` with Louvain clustering and drift analysis | +| ~~**Execution flow tracing**~~ | axon, GitNexus, code-context-mcp | ~~Framework-aware entry point detection + BFS flow tracing~~ | **DONE** — `codegraph flow` traces from entry points (routes, commands, events) through callees to leaves | +| ~~**Dataflow analysis**~~ | codegraph-rust | ~~Define/use chains and flows_to/returns/mutates edges~~ | **DONE** — `codegraph dataflow` with `flows_to`/`returns`/`mutates` edges across all 11 languages | +| ~~**Architecture boundary rules**~~ | codegraph-rust, stratify | ~~User-defined rules for allowed/forbidden dependencies between modules~~ | **DONE** — `codegraph check` with configurable boundary rules and onion/hexagonal/layered/clean presets | ### Paid Solutions 
@@ -322,7 +344,7 @@ Ranked by weighted score across 6 dimensions (each 1–5): | **Code Ownership** | CODEOWNERS as a first-class search dimension: `file:has.owner()`, `select:file.owners`, owner-scoped queries. Resolves CODEOWNERS entries against user profiles | `codegraph owners` with `--owner`, `--boundary` filters. Integrated into `diff-impact` (affected owners + suggested reviewers). `code_owners` MCP tool | **No gap** — feature parity. We parse CODEOWNERS, match patterns, integrate into impact analysis, and expose via CLI + MCP. They have richer owner-as-search-filter syntax; our backlog ID 79 (advanced query language) would close this | | **Code Insights** | Track any search query as a time-series metric on dashboards. Automatic historical backfill from git history — years of data immediately. Migration progress, tech debt trends, codebase composition over time | `codegraph stats` (point-in-time), `codegraph snapshot` (manual checkpoints) | **Yes** — we have point-in-time metrics and manual snapshots but no automated historical trend tracking. Backlog ID 77 | | **Batch Changes** | Declarative YAML spec → automated code changes across hundreds of repos. Creates PRs on all affected repos, tracks merge status, CI checks, review approvals. Burndown charts for migration progress | None — codegraph is read-only by design (Foundation P8: we don't edit code or make decisions) | **By design** — we're a graph query tool, not a code modification tool. This is out of scope per Foundation principles | -| **CLI (`src`)** | Terminal search, batch change creation, SBOM generation, repo/user/team admin, code intelligence ops, CODEOWNERS management | `codegraph` CLI with 25+ commands, MCP server | **Partial** — our CLI is richer for graph queries; theirs is richer for admin/batch/SBOM operations. 
Different focus areas | +| **CLI (`src`)** | Terminal search, batch change creation, SBOM generation, repo/user/team admin, code intelligence ops, CODEOWNERS management | `codegraph` CLI with 41 commands, 32-tool MCP server | **Partial** — our CLI is richer for graph queries; theirs is richer for admin/batch/SBOM operations. Different focus areas | **Where Sourcegraph wins over codegraph:** 
@@ -345,17 +367,18 @@ Ranked by weighted score across 6 dimensions (each 1–5): | **Impact analysis** | `diff-impact`, `fn-impact`, `branch-compare` trace transitive blast radius through the call graph. Sourcegraph's `find-references` shows direct references but not transitive impact chains | | **Complexity & health metrics** | Cognitive, cyclomatic, Halstead, MI per function with CI gates. Sourcegraph has no built-in code health metrics | | **Community detection & drift** | Louvain clustering reveals architectural drift between directory structure and actual dependencies. Sourcegraph has no equivalent | -| **Dataflow analysis** | `flows_to`/`returns`/`mutates` edges track how data moves through functions. Sourcegraph doesn't do dataflow analysis | -| **Control flow graphs** | Per-function CFG with basic blocks stored in the graph. Sourcegraph doesn't build CFGs | +| **Dataflow analysis** | `flows_to`/`returns`/`mutates` edges track how data moves through functions across all 11 languages. Sourcegraph doesn't do dataflow analysis | +| **Control flow graphs** | Per-function CFG with basic blocks stored in the graph; cyclomatic complexity derived from CFG structure (E - N + 2). Sourcegraph doesn't build CFGs | +| **Sequence diagrams** | `sequence ` generates Mermaid sequence diagrams from call graph edges. Sourcegraph has no diagram generation | | **Node role classification** | Every symbol auto-tagged as entry/core/utility/adapter/dead/leaf. Sourcegraph has no architectural role concept | | **Cost** | Completely free and open source (Apache-2.0). Sourcegraph's paid plans start at $49/user/month for enterprise features | | **Privacy** | Your code never leaves your machine (unless you choose to connect an LLM). Sourcegraph Cloud processes your code on their infrastructure; self-hosted requires significant ops investment | -| **AI-optimized output** | `context`, `audit`, `triage`, `batch` commands are purpose-built for AI agent consumption with structured JSON. 
Sourcegraph's output is designed for human developers in a web UI | +| **AI-optimized output** | `context`, `audit`, `triage`, `batch`, `sequence` commands are purpose-built for AI agent consumption with structured JSON. Sourcegraph's output is designed for human developers in a web UI | ### Not worth copying | Feature | Why skip | |---------|----------| -| Memgraph/Neo4j/KuzuDB/SurrealDB | Our SQLite = zero Docker, simpler deployment. Query gap matters less than simplicity. codegraph-rust's SurrealDB requirement is its biggest weakness | +| Memgraph/Neo4j/KuzuDB/SurrealDB/LadybugDB | Our SQLite = zero Docker, simpler deployment. Query gap matters less than simplicity. codegraph-rust's SurrealDB requirement is its biggest weakness. GitNexus's LadybugDB is custom/unproven | | SCIP indexing | Would require maintaining SCIP toolchains per language. Tree-sitter + native Rust is the right bet | | Full CPG (AST+CFG+PDG) | Joern/cpg's approach requires fundamentally different parsing — we'd be rebuilding Joern. Tree-sitter gives us AST-level graphs; adding lightweight dataflow on top is the pragmatic path | | Points-to analysis | Academic-grade JS analysis (jelly) — overkill for our use case and limited to JS/TS | diff --git a/generated/competitive/joern.md b/generated/competitive/joern.md index 403cab75..fcd3f041 100644 --- a/generated/competitive/joern.md +++ b/generated/competitive/joern.md 
@@ -1,8 +1,8 @@ # Competitive Deep-Dive: Codegraph vs Joern -**Date:** 2026-03-02 -**Competitors:** `@optave/codegraph` v3.0.0 (Apache-2.0) vs `joernio/joern` v4.x (Apache-2.0) -**Context:** Both are Apache-2.0-licensed code analysis tools with CLI interfaces. Joern is ranked #1 in our [competitive analysis](./COMPETITIVE_ANALYSIS.md) with a score of 4.5 vs codegraph's 4.0 at #8. +**Date:** 2026-03-21 +**Competitors:** `@optave/codegraph` v3.2.0 (Apache-2.0) vs `joernio/joern` v4.x (Apache-2.0) +**Context:** Both are Apache-2.0-licensed code analysis tools with CLI interfaces. Joern is ranked #2 in our [competitive analysis](./COMPETITIVE_ANALYSIS.md) with a score of 4.5 vs codegraph's 4.5 at #4. --- @@ -14,7 +14,7 @@ Joern and codegraph solve fundamentally **different problems** using code graphs |-----------|-------|-----------| | **Primary mission** | Vulnerability discovery & security research | Always-current structural code intelligence for developers and AI agents | | **Target user** | Security researchers, pentesters, auditors | Developers, AI coding agents, CI pipelines | -| **Graph model** | Code Property Graph (AST + CFG + PDG + DDG) | Structural dependency graph (symbols + call/import/dataflow/CFG edges + stored AST) | +| **Graph model** | Code Property Graph (AST + CFG + PDG + DDG) | Structural dependency graph (symbols + call/import/dataflow/CFG edges + stored AST + qualified names/scope/visibility) | | **Core question answered** | "Can attacker-controlled data reach this dangerous sink?" | "What breaks if I change this function?" | | **Rebuild model** | Full re-import on every change (minutes) | Incremental sub-second rebuilds (milliseconds) | | **Runtime** | JVM (Scala) — 4-100 GB heap | Node.js — <100 MB typical | 
@@ -31,11 +31,11 @@ Codegraph's foundation document defines the problem as: *"Fast local analysis wi | # | Principle | Codegraph | Joern | Verdict | |---|-----------|-----------|-------|---------| -| 1 | **The graph is always current** — rebuild on every commit/save/agent loop | File-level MD5 hashing. Change 1 file in 3,000 → <500ms rebuild. Watch mode, commit hooks, agent loops all practical | Full re-import always. Small project: 19-30s. Linux kernel: 6+ hours. No incremental mode. Unusable in tight feedback loops | **Codegraph wins decisively.** This is the single most important differentiator. Joern cannot participate in commit hooks or agent-driven loops | +| 1 | **The graph is always current** — rebuild on every commit/save/agent loop | 3-tier change detection (journal → mtime+size → hash). Change 1 file in 3,000 → <500ms rebuild. Watch mode, commit hooks, agent loops all practical | Full re-import always. Small project: 19-30s. Linux kernel: 6+ hours. No incremental mode. Unusable in tight feedback loops | **Codegraph wins decisively.** This is the single most important differentiator. Joern cannot participate in commit hooks or agent-driven loops | | 2 | **Native speed, universal reach** — dual engine (Rust + WASM) | Native napi-rs with rayon parallelism + automatic WASM fallback. `npm install` on any platform | JVM/Scala. Requires JDK 19+. Pre-built binaries or Docker. No cross-platform auto-detection | **Codegraph wins.** Automatic platform detection with native performance + universal fallback vs. manual JVM setup | | 3 | **Confidence over noise** — scored results | 6-level import resolution with 0.0-1.0 confidence on every edge. False-positive filtering. Graph quality score | Overapproximation by default (assumes full taint propagation for unresolved methods). Requires manual semantic definitions to reduce false positives | **Codegraph wins.** Scored results by default vs. 
noise-by-default requiring manual tuning | | 4 | **Zero-cost core, LLM-enhanced when you choose** | Full pipeline local, zero API keys. Optional embeddings with user's LLM provider | Fully local, zero API keys. No LLM enhancement path | **Codegraph wins.** Both are local-first, but codegraph adds optional AI enhancement that Joern lacks entirely | -| 5 | **Functional CLI, embeddable API** | 39 CLI commands + 30-tool MCP server + full programmatic JS API | Interactive Scala REPL + server mode + script execution. No MCP. Python client library | **Codegraph wins.** Purpose-built MCP for AI agents + embeddable npm package vs. Scala REPL that requires JVM expertise | +| 5 | **Functional CLI, embeddable API** | 41 CLI commands + 32-tool MCP server + full programmatic JS API | Interactive Scala REPL + server mode + script execution. No MCP. Python client library | **Codegraph wins.** Purpose-built MCP for AI agents + embeddable npm package vs. Scala REPL that requires JVM expertise | | 6 | **One registry, one schema, no magic** | `LANGUAGE_REGISTRY` — add a language in <100 lines, 2 files | Each language has a separate frontend (Eclipse CDT, JavaParser, GraalVM, etc.) — fundamentally different parsers per language | **Codegraph wins.** Uniform tree-sitter extraction vs. heterogeneous parser zoo | | 7 | **Security-conscious defaults** — multi-repo opt-in | Single-repo MCP default. `apiKeyCommand` for secrets. `--multi-repo` opt-in | Server mode has no sandboxing (docs explicitly warn: "raw interpreter access"). No MCP isolation concept | **Codegraph wins.** Security-by-default vs. "trust the user" | | 8 | **Honest about what we're not** | Code intelligence engine. Not an app, not a coding tool, not an agent | Code analysis platform for security research. Not a CI tool, not a developer productivity tool | **Tie.** Both are honest about scope. Different scopes | 
@@ -70,7 +70,7 @@ Codegraph's foundation document defines the problem as: *"Fast local analysis wi | **Language count** | 11 source languages | 13 source + 3 binary/bytecode/IR | **Joern** (16 vs 11) | | **Adding a new language** | 1 registry entry + 1 extractor (<100 lines, 2 files) | New frontend module (thousands of lines, custom parser integration) | **Codegraph** — dramatically lower barrier | | **Incomplete/non-compilable code** | Requires syntactically valid input (tree-sitter) | Fuzzy parsing handles partial/broken code | **Joern** — critical for security audits of partial codebases | -| **Incremental parsing** | File-level hash tracking — only changed files re-parsed | Full re-import always | **Codegraph** — orders of magnitude faster for iterative work | +| **Incremental parsing** | 3-tier change detection (journal → mtime+size → hash) — only changed files re-parsed | Full re-import always | **Codegraph** — orders of magnitude faster for iterative work | **Summary:** Joern covers more languages and handles edge cases (binaries, bytecode, broken code) that codegraph cannot. Codegraph is faster, simpler to extend, and has better support for modern web languages (TSX, Terraform). For codegraph's target users (developers, AI agents), codegraph's coverage is sufficient. For security researchers auditing compiled artifacts, Joern is essential. 
@@ -81,11 +81,11 @@ Codegraph's foundation document defines the problem as: *"Fast local analysis wi | Feature | Codegraph | Joern | Best Approach | |---------|-----------|-------|---------------| | **Graph type** | Structural dependency graph (symbols + edges) | Code Property Graph (AST + CFG + PDG merged) | **Joern** for depth; **Codegraph** for speed | -| **Node types** | 13 kinds: `function`, `method`, `class`, `interface`, `type`, `struct`, `enum`, `trait`, `record`, `module`, `parameter`, `property`, `constant` | 45+ node types across 18 layers (METHOD, CALL, IDENTIFIER, LITERAL, CONTROL_STRUCTURE, BLOCK, LOCAL, etc.) | **Joern** — still more granular, but gap narrowed from 4x to ~3x | -| **Edge types** | `calls`, `imports`, `contains`, `parameter_of`, `receiver`, `flows_to`, `returns`, `mutates` (with confidence scores on call/import edges) | 20+ types: AST, CFG, CDG, REACHING_DEF, CALL, ARGUMENT, RECEIVER, CONTAINS, EVAL_TYPE, REF, BINDS, DOMINATE, POST_DOMINATE, etc. | **Joern** — still more edge types, but codegraph now covers structural containment, dataflow, and receiver relationships | +| **Node types** | 13 kinds: `function`, `method`, `class`, `interface`, `type`, `struct`, `enum`, `trait`, `record`, `module`, `parameter`, `property`, `constant` + `qualified_name`, `scope`, `visibility` metadata columns | 45+ node types across 18 layers (METHOD, CALL, IDENTIFIER, LITERAL, CONTROL_STRUCTURE, BLOCK, LOCAL, etc.) | **Joern** — still more granular, but gap narrowed from 4x to ~3x | +| **Edge types** | 10 structural: `calls`, `imports`, `imports-type`, `dynamic-imports`, `reexports`, `extends`, `implements`, `contains`, `parameter_of`, `receiver` + 3 dataflow: `flows_to`, `returns`, `mutates` (with confidence scores on call/import edges) | 20+ types: AST, CFG, CDG, REACHING_DEF, CALL, ARGUMENT, RECEIVER, CONTAINS, EVAL_TYPE, REF, BINDS, DOMINATE, POST_DOMINATE, etc. 
| **Joern** — still more edge types, but codegraph now covers structural containment, dataflow, and receiver relationships | | **Abstract Syntax Tree** | Stored AST nodes (calls, new, string, regex, throw, await) queryable via `ast` command/`ast_query` MCP tool | Full AST stored and queryable | **Joern** for completeness; **Codegraph** now has stored AST for the most useful node kinds | -| **Control Flow Graph** | Intraprocedural CFG for all 11 languages via `cfg` command/MCP tool. Basic blocks + branches. No dominator trees | Full CFG with dominator/post-dominator trees | **Joern** for depth (dominator trees); **Codegraph** now has basic CFG | -| **Data Dependence Graph** | Intraprocedural dataflow: `flows_to`, `returns`, `mutates` edges via `dataflow` command/MCP tool (JS/TS only) | Reaching definitions (def-use chains) across procedures | **Joern** — interprocedural vs. codegraph's intraprocedural. But codegraph now has lightweight dataflow | +| **Control Flow Graph** | Intraprocedural CFG for all 11 languages via `cfg` command/MCP tool. Basic blocks + branches. Cyclomatic complexity derived from CFG structure (E - N + 2). No dominator trees | Full CFG with dominator/post-dominator trees | **Joern** for depth (dominator trees); **Codegraph** now has basic CFG with complexity metrics | +| **Data Dependence Graph** | Intraprocedural dataflow: `flows_to`, `returns`, `mutates` edges via `dataflow` command/MCP tool (all 11 languages) | Reaching definitions (def-use chains) across procedures | **Joern** — interprocedural vs. codegraph's intraprocedural. 
But codegraph now has lightweight dataflow across all supported languages | | **Program Dependence Graph** | Not available | Combined control + data dependence | **Joern** | | **Taint analysis** | Not available | Full interprocedural taint tracking (sources → sinks) | **Joern** — Joern's killer feature | | **Call graph** | Import-aware resolution with 6-level confidence scoring, qualified call filtering | Pre-computed CALL edges, caller/callee traversal | **Codegraph** for precision (confidence scoring, false-positive filtering); **Joern** for completeness (type-aware resolution) | @@ -99,6 +99,7 @@ Codegraph's foundation document defines the problem as: *"Fast local analysis wi | **Custom data-flow semantics** | Not applicable | User-defined taint propagation rules for external methods | **Joern** | | **Binary analysis** | Not available | Ghidra frontend: disassembly → CPG | **Joern** | | **Execution flow tracing** | `flow` — traces from entry points (routes, commands, events) through callees to leaves | Achievable via CFG + call graph traversals | **Codegraph** — purpose-built command; **Joern** — more precise with CFG | +| **Sequence diagrams** | `sequence ` — Mermaid sequence diagram generation from call graph | Not purpose-built (achievable via manual CFG/call graph traversal) | **Codegraph** — built-in command for visualizing call sequences | **Summary:** Joern's CPG is fundamentally deeper — it captures control flow, data dependence, and taint propagation that codegraph's structural graph cannot represent. Codegraph compensates with purpose-built commands (impact analysis, complexity, roles, communities) that would require expert CPG query writing in Joern. For vulnerability discovery, Joern is irreplaceable. For developer productivity and AI agent consumption, codegraph's pre-built commands are more accessible. 
@@ -111,8 +112,8 @@ Codegraph's foundation document defines the problem as: *"Fast local analysis wi | **Query interface** | Fixed CLI commands with flags + SQL under the hood | Interactive Scala REPL with tab completion + arbitrary graph traversals | **Depends on user.** Codegraph for instant answers; Joern for exploratory research | | **Query language** | CLI flags (`--kind`, `--file`, `--role`, `--json`) | CPGQL (Scala-based DSL): `cpg.method.name("foo").callee.name.l` | **Joern** for expressiveness; **Codegraph** for accessibility | | **Learning curve** | Zero — standard CLI with `--help` | Steep — requires Scala/FP knowledge + graph theory | **Codegraph** | -| **AI agent interface** | 30-tool MCP server with structured JSON responses | Community MCP server (mcp-joern). REST/WebSocket server mode | **Codegraph** — first-party MCP vs. community add-on | -| **Compound queries** | `context` (source + deps + callers + tests in 1 call), `explain` (structural summary), `audit` (explain + impact + health) | Must compose via CPGQL chaining | **Codegraph** — purpose-built for agent token efficiency | +| **AI agent interface** | 32-tool MCP server with structured JSON responses | Community MCP server (mcp-joern). REST/WebSocket server mode | **Codegraph** — first-party MCP vs. community add-on | +| **Compound queries** | `context` (source + deps + callers + tests in 1 call), `explain` (structural summary), `audit` (explain + impact + health in one call) | Must compose via CPGQL chaining | **Codegraph** — purpose-built for agent token efficiency | | **Batch queries** | `batch` command for multi-target dispatch | Script mode (`--script`) for batch execution | **Tie** — different approaches, both work | | **JSON output** | `--json` flag on every command | `.toJsonPretty` method on query results | **Tie** | | **Syntax-highlighted output** | Colored terminal output | `.dump` for syntax-highlighted code display | **Tie** | 
@@ -172,8 +173,8 @@ Codegraph's foundation document defines the problem as: *"Fast local analysis wi | Feature | Codegraph | Joern | Best Approach | |---------|-----------|-------|---------------| -| **MCP server** | First-party, 30 tools, single-repo default, `--multi-repo` opt-in | Community-built (mcp-joern), Python wrapper around Joern | **Codegraph** — first-party, security-conscious, production-ready | -| **MCP tools count** | 30 purpose-built tools | ~10 tools (community MCP) | **Codegraph** | +| **MCP server** | First-party, 32 tools, single-repo default, `--multi-repo` opt-in | 4 community MCP wrappers (sfncat/mcp-joern, caohaotiantian/joern_mcp, BlockSecCA/joern-mcp, effortlessdevsec/joern-mcp-server). No first-party MCP | **Codegraph** — first-party, security-conscious, production-ready | +| **MCP tools count** | 32 purpose-built tools | ~10 tools (community MCP) | **Codegraph** | | **Token efficiency** | `context`/`explain`/`audit` compound commands reduce agent round-trips by 50-80% | Raw query results, no compound optimization | **Codegraph** | | **Structured JSON output** | Every command supports `--json` | `.toJsonPretty` on query results | **Tie** | | **Pagination** | Built-in pagination helpers with configurable limits | Not built-in | **Codegraph** | 
@@ -192,7 +193,7 @@ Codegraph's foundation document defines the problem as: *"Fast local analysis wi |---------|-----------|-------|---------------| | **Taint analysis** | Not available | Full interprocedural source-to-sink tracking | **Joern** — this is Joern's raison d'etre | | **Vulnerability scanning** | Not available | `joern-scan` with predefined query bundles, tag-based selection | **Joern** | -| **Data-flow tracking** | Intraprocedural dataflow (`flows_to`/`returns`/`mutates`), JS/TS only | Reaching definitions, def-use chains across procedures | **Joern** — interprocedural vs. intraprocedural | +| **Data-flow tracking** | Intraprocedural dataflow (`flows_to`/`returns`/`mutates`), all 11 languages | Reaching definitions, def-use chains across procedures | **Joern** — interprocedural vs. intraprocedural | | **Control-flow analysis** | Intraprocedural CFG (basic blocks + branches, all 11 languages) | Full CFG with dominator trees | **Joern** — dominator trees and post-dominators; codegraph has basic CFG | | **Custom security rules** | Not available | CPGQL-based custom queries + data-flow semantics | **Joern** | | **Binary vulnerability analysis** | Not available | Ghidra integration for x86/x64 | **Joern** | 
@@ -225,9 +226,11 @@ Codegraph's foundation document defines the problem as: *"Fast local analysis wi | **Execution flow tracing** | `flow` — traces from entry points through callees | Achievable via CFG traversals (more precise) | **Codegraph** for convenience; **Joern** for precision | | **Module overview** | `map` — high-level module map with most-connected nodes | Not purpose-built | **Codegraph** | | **Cycle detection** | `cycles` — circular dependency detection | Achievable via CPGQL | **Codegraph** — built-in command | -| **Export formats** | DOT, Mermaid, JSON, GraphML, GraphSON, Neo4j CSV + interactive HTML viewer | DOT, GraphML, GraphSON, Neo4j CSV | **Codegraph** — now matches Joern's formats plus Mermaid and interactive viewer | +| **Sequence diagrams** | `sequence ` — Mermaid sequence diagrams from call graph | Not purpose-built | **Codegraph** | +| **Dead export detection** | `exports --unused` — identifies unused exports across the codebase | Not purpose-built (achievable via CPGQL) | **Codegraph** — built-in flag | +| **Export formats** | DOT, Mermaid, Mermaid sequence diagrams, JSON, GraphML, GraphSON, Neo4j CSV + interactive HTML viewer | DOT, GraphML, GraphSON, Neo4j CSV | **Codegraph** — now matches Joern's formats plus Mermaid (flowchart + sequence) and interactive viewer | -**Summary:** Codegraph has 15+ purpose-built developer productivity commands that Joern either lacks entirely or requires expert CPGQL queries to achieve. This is where codegraph's value proposition is strongest for its target audience. +**Summary:** Codegraph has 17+ purpose-built developer productivity commands that Joern either lacks entirely or requires expert CPGQL queries to achieve. This is where codegraph's value proposition is strongest for its target audience. --- 
@@ -235,8 +238,8 @@ Codegraph's foundation document defines the problem as: *"Fast local analysis wi | Feature | Codegraph | Joern | Best Approach | |---------|-----------|-------|---------------| -| **GitHub stars** | New project (growing) | ~2,968 | **Joern** | -| **Contributors** | Small team | 64 | **Joern** | +| **GitHub stars** | Growing | ~3,021 | **Joern** | +| **Contributors** | Small team | 75 | **Joern** | | **Release cadence** | As needed | **Daily automated releases** | **Joern** — impressive automation | | **Academic backing** | None | IEEE S&P 2014 paper (Test-of-Time Award 2024), TU Braunschweig, Stellenbosch University | **Joern** | | **Commercial backing** | Optave AI Solutions Inc. | Qwiet AI (formerly ShiftLeft), Privado, Whirly Labs | **Joern** — multiple sponsors | @@ -327,11 +330,11 @@ Codegraph's foundation document defines the problem as: *"Fast local analysis wi | Install complexity | `npm install` | JDK + shell script | Codegraph | | Analysis depth (structural) | High | Very High | Joern | | Analysis depth (security) | None | Best in class | Joern | -| AI agent integration | 30-tool MCP (first-party) | Community MCP wrapper | Codegraph | -| Developer productivity commands | 39 built-in | ~5 built-in + custom CPGQL | Codegraph | +| AI agent integration | 32-tool MCP (first-party) | Community MCP wrappers (4) | Codegraph | +| Developer productivity commands | 41 built-in | ~5 built-in + custom CPGQL | Codegraph | | Language support | 11 | 16 (incl. binary/bytecode) | Joern | | Query expressiveness | Fixed commands | Arbitrary graph traversals | Joern | -| Community & maturity | New | 7 years, IEEE award, 2,968 stars | Joern | +| Community & maturity | Growing | 7 years, IEEE award, 3,021 stars, 75 contributors | Joern | | CI/CD readiness | Yes (`check --staged`) | Limited | Codegraph | **Final score against FOUNDATION.md principles: Codegraph 6, Joern 0, Tie 2.** 
@@ -350,7 +353,7 @@ Non-breaking, ordered by problem-fit: | ID | Title | Description | Category | Benefit | Zero-dep | Foundation-aligned | Problem-fit (1-5) | Breaking | |----|-------|-------------|----------|---------|----------|-------------------|-------------------|----------| | J1 | Lightweight call-chain slicing | Extract a bounded subgraph around a function (callers + callees to depth N) as standalone JSON/DOT/Mermaid. Not full PDG slicing — structural BFS on existing edges, exported as a self-contained artifact. Inspired by Joern's `joern-slice`. | Navigation | Agents get precisely-scoped subgraphs that fit context windows instead of full graph dumps — directly reduces token waste | ✓ | ✓ | 4 | No | -| J2 | Type-informed call resolution | Extract type annotations from tree-sitter AST (TypeScript types, Java types, Go types, Python type hints) and use them to disambiguate call targets during import resolution. Improves edge accuracy without full type inference. Inspired by Joern's type-aware language frontends. | Analysis | Call graphs become more precise — fewer false edges means less noise in `fn-impact` and agents don't chase phantom dependencies | ✓ | ✓ | 4 | No | +| J2 | Type-informed call resolution | **PARTIALLY DONE (v3.2.0):** `qualified_name`, `scope`, `visibility` metadata columns and receiver type tracking with graded confidence (Phase 4.2). Remaining: full type annotation extraction from tree-sitter AST (TypeScript types, Java types, Go types, Python type hints) to disambiguate call targets during import resolution. Inspired by Joern's type-aware language frontends. | Analysis | Call graphs become more precise — fewer false edges means less noise in `fn-impact` and agents don't chase phantom dependencies | ✓ | ✓ | 4 | No | | J3 | Error-tolerant partial parsing | Leverage tree-sitter's built-in error recovery to extract symbols from syntactically incomplete or broken files instead of skipping them entirely. 
Surface partial results with a quality indicator per file. Currently codegraph requires syntactically valid input; Joern's fuzzy parsing handles partial/broken code. | Parsing | Agents can analyze WIP branches, partial checkouts, and code mid-refactor — essential for real-world AI-agent loops where code is often in a broken state | ✓ | ✓ | 3 | No | | J4 | Kotlin language support | Add tree-sitter-kotlin to `LANGUAGE_REGISTRY`. 1 registry entry + 1 extractor function (<100 lines, 2 files). Covers functions, classes, interfaces, objects, data classes, companion objects, call sites. Kotlin is one of Joern's strongest languages (via IntelliJ PSI). | Parsing | Extends coverage to Android/KMP ecosystem — one of the most-requested missing languages and a gap vs. Joern | ✓ | ✓ | 2 | No | | J5 | Swift language support | Add tree-sitter-swift to `LANGUAGE_REGISTRY`. 1 registry entry + 1 extractor function (<100 lines, 2 files). Covers functions, classes, structs, protocols, enums, extensions, call sites. Joern supports Swift via SwiftSyntax. | Parsing | Extends coverage to Apple/iOS ecosystem — currently a gap vs. Joern. tree-sitter-swift is mature enough for production use | ✓ | ✓ | 2 | No | 
@@ -388,5 +391,5 @@ These Joern-inspired capabilities are already tracked in [BACKLOG.md](../../docs | BACKLOG ID | Title | Joern Equivalent | Relationship | |------------|-------|------------------|--------------| -| 14 | Dataflow analysis | Data Dependence Graph (def-use chains) | **DONE v3.0.0.** Lightweight intraprocedural dataflow with `flows_to`/`returns`/`mutates` edges. JS/TS only. CLI: `codegraph dataflow`. MCP: `dataflow` tool. | +| 14 | Dataflow analysis | Data Dependence Graph (def-use chains) | **DONE v3.0.0, expanded v3.2.0.** Lightweight intraprocedural dataflow with `flows_to`/`returns`/`mutates` edges. Now all 11 languages (was JS/TS only). CLI: `codegraph dataflow`. MCP: `dataflow` tool. | | 7 | OWASP/CWE pattern detection | Vulnerability scanning (`joern-scan`) | Lightweight AST-based security checks — the codegraph-appropriate alternative to Joern's taint-based vulnerability scanning. Still Tier 3. J9 (stored AST) is now complete — this is unblocked. | diff --git a/generated/competitive/narsil-mcp.md b/generated/competitive/narsil-mcp.md index ae47af0a..fa5e4526 100644 --- a/generated/competitive/narsil-mcp.md +++ b/generated/competitive/narsil-mcp.md @@ -1,8 +1,8 @@ # Competitive Deep-Dive: Codegraph vs Narsil-MCP -**Date:** 2026-03-02 -**Competitors:** `@optave/codegraph` v3.0.0 (Apache-2.0) vs `postrv/narsil-mcp` v1.6 (Apache-2.0 OR MIT) -**Context:** Both are Apache-2.0-licensed code analysis tools with MCP interfaces. Narsil-MCP is ranked #2 in our [competitive analysis](./COMPETITIVE_ANALYSIS.md) with a score of 4.5 vs codegraph's 4.0 at #8. +**Date:** 2026-03-21 +**Competitors:** `@optave/codegraph` v3.2.0 (Apache-2.0) vs `postrv/narsil-mcp` v1.6.1 (Apache-2.0 OR MIT) +**Context:** Both are Apache-2.0-licensed code analysis tools with MCP interfaces. Narsil-MCP is ranked #3 in our [competitive analysis](./COMPETITIVE_ANALYSIS.md) with a score of 4.5 vs codegraph's 4.5 at #4. --- 
@@ -12,14 +12,14 @@ Narsil-MCP and codegraph share more DNA than any other pair in the competitive l | Dimension | Narsil-MCP | Codegraph | |-----------|------------|-----------| -| **Primary mission** | Maximum-breadth code intelligence in a single binary | Always-current structural intelligence with sub-second rebuilds | +| **Primary mission** | Maximum-breadth code intelligence in a single binary | Always-current structural intelligence with qualified names/scope/visibility graph model and sub-second rebuilds | | **Target user** | AI agents needing comprehensive analysis (security, types, dataflow) | Developers, AI coding agents, CI pipelines needing fast feedback | | **Architecture** | MCP-first, no standalone CLI queries | Full CLI + MCP server + programmatic JS API | -| **Core question answered** | "Tell me everything about this code" (90 tools) | "What breaks if I change this function?" (39 commands, 30 MCP tools) | +| **Core question answered** | "Tell me everything about this code" (90 tools) | "What breaks if I change this function?" (41 commands, 32 MCP tools) | | **Rebuild model** | In-memory index, opt-in persistence, file watcher | SQLite-persisted, incremental hash-based rebuilds | | **Runtime** | Single Rust binary (~30 MB) | Node.js + optional native Rust addon | -**Bottom line:** Narsil-MCP is broader (90 tools, 32 languages, security scanning, taint analysis, SBOM, type inference). Codegraph is deeper on developer productivity (impact analysis, complexity metrics, community detection, architecture boundaries, manifesto rules) and faster for iterative workflows (incremental rebuilds, CI gates). Where they overlap (call graphs, dead code, search, MCP), narsil has more tools while codegraph has more purpose-built commands. They are the closest competitors in the landscape. +**Bottom line:** Narsil-MCP is broader (90 tools, 32 languages, security scanning, taint analysis, SBOM, type inference). 
Codegraph is deeper on developer productivity (impact analysis, complexity metrics, community detection, architecture boundaries, manifesto rules, sequence diagrams) and faster for iterative workflows (incremental rebuilds, CI gates). Where they overlap (call graphs, dead code, search, MCP), narsil has more tools while codegraph has more purpose-built commands. They are the closest competitors in the landscape. --- 
@@ -31,11 +31,11 @@ Codegraph's foundation document defines the problem as: *"Fast local analysis wi | # | Principle | Codegraph | Narsil-MCP | Verdict | |---|-----------|-----------|------------|---------| -| 1 | **The graph is always current** — rebuild on every commit/save/agent loop | File-level MD5 hashing, SQLite persistence. Change 1 file → <500ms rebuild. Watch mode, commit hooks, agent loops all practical | In-memory by default. `--watch` flag for auto-reindex. `--persist` for disk saves. Indexing is fast (2.1s for 50K symbols) but full re-index, not incremental | **Codegraph wins.** Narsil is fast but re-indexes everything. Codegraph only re-parses changed files — orders of magnitude faster for single-file changes in large repos | +| 1 | **The graph is always current** — rebuild on every commit/save/agent loop | 3-tier change detection (journal → mtime+size → hash), SQLite persistence. Change 1 file → <500ms rebuild. Watch mode, commit hooks, agent loops all practical | In-memory by default. `--watch` flag for auto-reindex. `--persist` for disk saves. Indexing is fast (2.1s for 50K symbols) but full re-index, not incremental | **Codegraph wins.** Narsil is fast but re-indexes everything. Codegraph only re-parses changed files — orders of magnitude faster for single-file changes in large repos | | 2 | **Native speed, universal reach** — dual engine (Rust + WASM) | Native napi-rs with rayon parallelism + automatic WASM fallback. `npm install` on any platform | Pure Rust binary. Prebuilt for macOS/Linux/Windows. Also has WASM build (~3 MB) for browsers | **Tie.** Different approaches, both effective. Narsil is a single binary; codegraph is an npm package with native addon. Both have WASM stories | | 3 | **Confidence over noise** — scored results | 6-level import resolution with 0.0-1.0 confidence on every edge. Graph quality score. Relevance-ranked search | BM25 ranking on search. No confidence scores on call graph edges. 
No graph quality metric | **Codegraph wins.** Every edge has a trust score; narsil's call graph edges are unscored | | 4 | **Zero-cost core, LLM-enhanced when you choose** | Full pipeline local, zero API keys. Optional embeddings with user's LLM provider | Core is local. Neural search requires `--neural` flag + API key (Voyage AI/OpenAI) or local ONNX model | **Tie.** Both are local-first with optional AI enhancement. Narsil offers more backend choices (Voyage AI, OpenAI, ONNX); codegraph uses HuggingFace Transformers locally | -| 5 | **Functional CLI, embeddable API** | 39 CLI commands + 30-tool MCP server + full programmatic JS API | MCP-first with 90 tools. `narsil-mcp config/tools` management commands but no standalone query CLI. No programmatic library API | **Codegraph wins.** Full CLI experience + embeddable API. Narsil is MCP-only for queries — useless without an MCP client | +| 5 | **Functional CLI, embeddable API** | 41 CLI commands + 32-tool MCP server + full programmatic JS API | MCP-first with 90 tools. `narsil-mcp config/tools` management commands but no standalone query CLI. No programmatic library API | **Codegraph wins.** Full CLI experience + embeddable API. Narsil is MCP-only for queries — useless without an MCP client | | 6 | **One registry, one schema, no magic** | `LANGUAGE_REGISTRY` — add a language in <100 lines, 2 files | Tree-sitter for all 32 languages. Unified parser, but extractors are in compiled Rust — harder to contribute | **Codegraph wins slightly.** Both use tree-sitter uniformly. Codegraph's JS extractors are more accessible to contributors than narsil's compiled Rust | | 7 | **Security-conscious defaults** — multi-repo opt-in | Single-repo MCP default. `apiKeyCommand` for secrets. `--multi-repo` opt-in | Multi-repo by default (`--repos` accepts multiple paths). `discover_repos` auto-finds repos. No sandboxing concept | **Codegraph wins.** Single-repo isolation by default vs. 
multi-repo by default | | 8 | **Honest about what we're not** | Code intelligence engine. Not an app, not a coding tool, not an agent | Code intelligence MCP server. Also not an agent — but the open-core model adds commercial cloud features (narsil-cloud) | **Tie.** Both are honest about scope. Narsil's commercial layer is a legitimate business model | @@ -75,7 +75,7 @@ Codegraph's foundation document defines the problem as: *"Fast local analysis wi | **Bash** | Not supported | tree-sitter | **Narsil** | | **Language count** | 11 | 32 | **Narsil** (3x more languages) | | **Adding a new language** | 1 registry entry + 1 JS extractor (<100 lines, 2 files) | Rust code + recompile binary | **Codegraph** — dramatically lower barrier for contributors | -| **Incremental parsing** | File-level hash tracking — only changed files re-parsed | Full re-index (fast but complete) | **Codegraph** — orders of magnitude faster for single-file changes | +| **Incremental parsing** | 3-tier change detection (journal → mtime+size → hash) — only changed files re-parsed | Full re-index (fast but complete) | **Codegraph** — orders of magnitude faster for single-file changes | | **Callback pattern extraction** | Commander `.command().action()`, Express routes, event handlers | Not documented | **Codegraph** — framework-aware symbol extraction | **Summary:** Narsil covers 3x more languages (32 vs 11) using the same parser technology (tree-sitter). Codegraph has better incremental parsing, easier extensibility, and unique framework callback extraction. For codegraph's target users (JS/TS/Python/Go developers), codegraph's coverage is sufficient. Narsil's breadth matters for polyglot enterprises. 
@@ -87,22 +87,23 @@ Codegraph's foundation document defines the problem as: *"Fast local analysis wi | Feature | Codegraph | Narsil-MCP | Best Approach | |---------|-----------|------------|---------------| | **Graph type** | Structural dependency graph (symbols + edges) in SQLite | In-memory symbol/file caches (DashMap) + optional RDF knowledge graph | **Codegraph** for persistence; **Narsil** for RDF expressiveness | -| **Node types** | 13 kinds: `function`, `method`, `class`, `interface`, `type`, `struct`, `enum`, `trait`, `record`, `module`, `parameter`, `property`, `constant` | Functions, classes, methods, variables, imports, exports + more | **Narsil** — still more granular, but gap narrowed | -| **Edge types** | `calls`, `imports`, `contains`, `parameter_of`, `receiver`, `flows_to`, `returns`, `mutates` (with confidence scores on call/import edges) | Calls, imports, data flow, control flow, type relationships | **Tie** — both now cover structural + dataflow relationships | +| **Node types** | 13 kinds: `function`, `method`, `class`, `interface`, `type`, `struct`, `enum`, `trait`, `record`, `module`, `parameter`, `property`, `constant` — each with `qualified_name`, `scope`, `visibility` metadata | Functions, classes, methods, variables, imports, exports + more | **Narsil** — still more granular, but gap narrowed with codegraph's richer per-node metadata | +| **Edge types** | 10 structural edge types (`calls`, `imports`, `contains`, `parameter_of`, `receiver`, `type_of`, `implements`, `decorates`, `overloads`, `exports`) + 3 dataflow edge types (`flows_to`, `returns`, `mutates`), with confidence scores on call/import edges | Calls, imports, data flow, control flow, type relationships | **Codegraph** — 13 total edge types with confidence scoring vs. 
narsil's unscored edges | | **Call graph** | Import-aware resolution with 6-level confidence scoring, qualified call filtering | `get_call_graph`, `get_callers`, `get_callees`, `find_call_path` | **Codegraph** for precision (confidence scoring); **Narsil** for completeness | | **Control flow graph** | Intraprocedural CFG for all 11 languages via `cfg` command / `cfg` MCP tool | `get_control_flow` — basic blocks + branch conditions | **Tie** — both have intraprocedural CFG | -| **Data flow analysis** | `flows_to`/`returns`/`mutates` edges via `dataflow` command / `dataflow` MCP tool (JS/TS only) | `get_data_flow`, `get_reaching_definitions`, `find_uninitialized`, `find_dead_stores` | **Narsil** — more mature with 4 dedicated tools; codegraph is JS/TS only | -| **Type inference** | Not available | `infer_types`, `check_type_errors` for Python/JS/TS | **Narsil** | +| **Data flow analysis** | `flows_to`/`returns`/`mutates` edges via `dataflow` command / `dataflow` MCP tool (all 11 languages) | `get_data_flow`, `get_reaching_definitions`, `find_uninitialized`, `find_dead_stores` | **Tie** — narsil has 4 dedicated tools (reaching defs, dead stores); codegraph covers all 11 languages with unified dataflow edges | +| **Type inference** | No full type inference, but `qualified_name`, `scope`, `visibility` metadata on all symbols + receiver type tracking with graded confidence | `infer_types`, `check_type_errors` for Python/JS/TS | **Narsil** — full type inference vs. codegraph's metadata-level type tracking. Gap narrowed | | **Dead code detection** | `roles --role dead` — unreferenced non-exported symbols | `find_dead_code` — unreachable code paths via CFG | **Both** — complementary approaches (structural vs. 
control-flow) | | **Complexity metrics** | Cognitive, cyclomatic, Halstead, MI, nesting depth per function | Cyclomatic complexity only | **Codegraph** — 5 metrics vs 1 | | **Node role classification** | Auto-tags: `entry`/`core`/`utility`/`adapter`/`dead`/`leaf` | Not available | **Codegraph** | | **Community detection** | Louvain algorithm with drift analysis | Not available | **Codegraph** | | **Impact analysis** | `fn-impact`, `diff-impact` (git-aware), `impact` (file-level) | Not purpose-built | **Codegraph** — first-class impact commands | +| **Sequence diagrams** | `sequence` command — generates Mermaid sequence diagrams from call chains | Not available | **Codegraph** | | **Shortest path** | `path ` — BFS between symbols | `find_call_path` — between functions | **Tie** | | **SPARQL / Knowledge graph** | Not available | RDF graph via Oxigraph, SPARQL queries, predefined templates | **Narsil** — unique capability | | **Code Context Graph (CCG)** | Not available | 4-layer hierarchical context (L0-L3) with JSON-LD/N-Quads export | **Narsil** — unique capability | -**Summary:** Narsil has broader analysis (CFG, dataflow, type inference, SPARQL, CCG). Codegraph is deeper on developer-facing metrics (5 complexity metrics, node roles, community detection, Louvain drift) and has unique impact analysis commands. Narsil's knowledge graph and CCG layering are genuinely novel features with no codegraph equivalent. +**Summary:** Narsil has broader analysis (type inference, SPARQL, CCG). Codegraph now matches on dataflow (all 11 languages) and is deeper on developer-facing metrics (5 complexity metrics, node roles, community detection, Louvain drift, sequence diagrams) with unique impact analysis commands and 13 edge types with confidence scoring. Narsil's knowledge graph and CCG layering are genuinely novel features with no codegraph equivalent. --- 
@@ -139,9 +140,9 @@ Codegraph's foundation document defines the problem as: *"Fast local analysis wi | **Vulnerability explanation** | Not available | `explain_vulnerability`, `suggest_fix` | **Narsil** | | **Crypto misuse detection** | Not available | Rules in `crypto.yaml` | **Narsil** | | **IaC security** | Not available | Rules in `iac.yaml` | **Narsil** | -| **Language-specific rules** | Not available | Rust, Elixir, Go, Java, C#, Kotlin, Bash rule files | **Narsil** | +| **Language-specific rules** | Not available | Rust, Elixir, Go, Java, C#, Kotlin, Bash rule files (+36 rules: 18 Rust + 18 Elixir) | **Narsil** | -**Summary:** Narsil dominates security analysis completely with 147 rules across 12+ rule files. Codegraph has zero security features today — by design (FOUNDATION.md P8). OWASP pattern detection is on the roadmap as lightweight AST-based checks (BACKLOG ID 7), not taint analysis. +**Summary:** Narsil dominates security analysis completely with 147+ rules across 12+ rule files (including +36 language-specific rules for Rust and Elixir). Codegraph has zero security features today — by design (FOUNDATION.md P8). OWASP pattern detection is on the roadmap as lightweight AST-based checks (BACKLOG ID 7), not taint analysis. --- 
@@ -149,20 +150,20 @@ Codegraph's foundation document defines the problem as: *"Fast local analysis wi | Feature | Codegraph | Narsil-MCP | Best Approach | |---------|-----------|------------|---------------| -| **Primary interface** | Full CLI with 39 commands + MCP server | MCP server (primary) + config management CLI | **Codegraph** — usable without MCP client | +| **Primary interface** | Full CLI with 41 commands + MCP server | MCP server (primary) + config management CLI | **Codegraph** — usable without MCP client | | **Standalone CLI queries** | `where`, `query`, `audit --quick`, `context`, `deps`, `exports`, `impact`, `map`, `dataflow`, `cfg`, `ast`, etc. | Not available — all queries via MCP tools | **Codegraph** — narsil requires an MCP client for any query | -| **MCP tools count** | 30 purpose-built tools | 90 tools across 14 categories | **Narsil** — 3x more tools | +| **MCP tools count** | 32 purpose-built tools | 90 tools across 14 categories | **Narsil** — ~3x more tools | | **Compound queries** | `context` (source + deps + callers + tests), `explain`, `audit` | No compound tools — each tool is atomic | **Codegraph** — purpose-built for agent token efficiency | | **Batch queries** | `batch` command for multi-target dispatch | No batch mechanism | **Codegraph** | | **JSON output** | `--json` flag on every command | MCP JSON responses | **Tie** | | **NDJSON streaming** | `--ndjson` with `--limit`/`--offset` on ~14 commands | `--streaming` flag for large results | **Tie** | -| **Pagination** | Universal `limit`/`offset` on all 30 MCP tools with per-tool defaults | Not documented | **Codegraph** | +| **Pagination** | Universal `limit`/`offset` on all 32 MCP tools with per-tool defaults | Not documented | **Codegraph** | | **SPARQL queries** | Not available | `sparql_query`, predefined templates | **Narsil** — unique expressiveness | | **Configuration presets** | Not available | Minimal (~26 tools), Balanced (~51), Full (75+), Security-focused | **Narsil** 
— manages token cost per preset | -| **Visualization** | DOT, Mermaid, JSON, GraphML, GraphSON, Neo4j CSV export + interactive HTML viewer (`codegraph plot`) | Built-in web UI (Cytoscape.js) with interactive graphs | **Tie** — both have interactive visualization and rich export formats | +| **Visualization** | DOT, Mermaid, JSON, GraphML, GraphSON, Neo4j CSV export + interactive HTML viewer (`codegraph plot`) | Built-in web UI (Cytoscape.js) with interactive graphs + full SPA frontend (v1.6.0): file tree sidebar, syntax-highlighted code viewer, dashboard, per-repo overview, CFG visualization | **Narsil** — SPA frontend with file browser and dashboard is significantly richer than codegraph's interactive HTML viewer | | **Programmatic API** | Full JS API: `import { buildGraph, queryNameData } from '@optave/codegraph'` | No library API | **Codegraph** — embeddable in JS/TS projects | -**Summary:** Codegraph is more accessible (full CLI + API + MCP). Narsil has more MCP tools (90 vs 21) but no standalone query interface — completely dependent on MCP clients. Codegraph's compound commands (`context`, `explain`, `audit`) reduce agent round-trips; narsil requires multiple atomic tool calls for equivalent context. Narsil's configuration presets are a smart approach to managing MCP tool token costs. +**Summary:** Codegraph is more accessible (full CLI + API + MCP). Narsil has more MCP tools (90 vs 32) but no standalone query interface — completely dependent on MCP clients. Narsil's new SPA frontend (v1.6.0) with file tree, syntax viewer, and dashboard is a significant UI advantage. Codegraph's compound commands (`context`, `explain`, `audit`) reduce agent round-trips; narsil requires multiple atomic tool calls for equivalent context. Narsil's configuration presets are a smart approach to managing MCP tool token costs. --- 
@@ -210,17 +211,17 @@ Codegraph's foundation document defines the problem as: *"Fast local analysis wi | Feature | Codegraph | Narsil-MCP | Best Approach | |---------|-----------|------------|---------------| -| **MCP tools** | 30 purpose-built tools | 90 tools across 14 categories | **Narsil** (3x more tools) | +| **MCP tools** | 32 purpose-built tools | 90 tools across 14 categories | **Narsil** (~3x more tools) | | **Token efficiency** | `context`/`explain`/`audit` compound commands reduce round-trips 50-80% | Atomic tools only. Forgemax integration collapses 90 → 2 tools (~1,000 vs ~12,000 tokens) | **Codegraph** natively; **Narsil** via Forgemax | -| **Tool token cost** | ~5,500 tokens for 30 tool definitions | ~12,000 tokens for full set. Presets: Minimal ~4,600, Balanced ~8,900 | **Codegraph** — lower base cost. Narsil presets help | -| **Pagination** | Universal `limit`/`offset` on all 30 tools with per-tool defaults, hard cap 1,000 | `--streaming` for large results | **Codegraph** — structured pagination metadata | +| **Tool token cost** | ~6,000 tokens for 32 tool definitions | ~12,000 tokens for full set. Presets: Minimal ~4,600, Balanced ~8,900 | **Codegraph** — lower base cost. 
Narsil presets help | +| **Pagination** | Universal `limit`/`offset` on all 32 tools with per-tool defaults, hard cap 1,000 | `--streaming` for large results | **Codegraph** — structured pagination metadata | | **Multi-repo support** | Registry-based, opt-in via `--multi-repo` or `--repos` | Multi-repo by default, `discover_repos` auto-detection | **Narsil** for convenience; **Codegraph** for security | | **Single-repo isolation** | Default — tools have no `repo` property unless `--multi-repo` | Not default — multi-repo access is always available | **Codegraph** — security-conscious default | | **Programmatic embedding** | Full JS API for VS Code extensions, CI pipelines, other MCP servers | No library API | **Codegraph** | | **CCG context layers** | Not available | L0-L3 hierarchical context for progressive disclosure | **Narsil** — novel approach to context management | | **Remote repo indexing** | Not available | `add_remote_repo` clones and indexes GitHub repos | **Narsil** | -**Summary:** Narsil has 4x more MCP tools but higher token overhead. Codegraph's compound commands are more token-efficient per query. Narsil's CCG layering and configuration presets are innovative approaches to managing AI agent context budgets. Codegraph's programmatic API enables embedding scenarios narsil cannot serve. +**Summary:** Narsil has ~3x more MCP tools but higher token overhead. Codegraph's compound commands are more token-efficient per query. Narsil's CCG layering and configuration presets are innovative approaches to managing AI agent context budgets. Codegraph's programmatic API enables embedding scenarios narsil cannot serve. --- 
@@ -246,12 +247,14 @@ Codegraph's foundation document defines the problem as: *"Fast local analysis wi | **Module overview** | `map` — high-level module map with most-connected nodes | Not purpose-built | **Codegraph** | | **Cycle detection** | `cycles` — circular dependency detection | `find_circular_imports` — circular import chains | **Tie** | | **Architecture boundaries** | Configurable rules with onion preset | Not available | **Codegraph** | +| **Sequence diagrams** | `sequence` command — Mermaid sequence diagrams from call chains | Not available | **Codegraph** | +| **Dead export detection** | `exports --unused` — finds exported symbols with no consumers | Not available | **Codegraph** | | **Node role classification** | `entry`/`core`/`utility`/`adapter`/`dead`/`leaf` per symbol | Not available | **Codegraph** | | **Audit command** | `audit` — explain + impact + health in one call | Not available | **Codegraph** | | **Git integration** | `diff-impact`, `co-change`, `branch-compare` | `get_blame`, `get_file_history`, `get_recent_changes`, `get_symbol_history`, `get_contributors`, `get_hotspots` | **Narsil** for git data breadth; **Codegraph** for git-aware analysis | | **Export formats** | DOT, Mermaid, JSON, GraphML, GraphSON, Neo4j CSV + interactive HTML viewer | Cytoscape.js interactive UI, JSON-LD, N-Quads, RDF | **Tie** — both have interactive visualization and rich export formats | -**Summary:** Codegraph has 15+ purpose-built developer productivity commands that narsil lacks (impact analysis, manifesto, triage, boundaries, co-change, branch-compare, audit, structure, CODEOWNERS). Narsil has richer git integration tools (blame, contributors, symbol history) and interactive visualization. For the "what breaks if I change this?" workflow, codegraph is the clear choice. 
+**Summary:** Codegraph has 17+ purpose-built developer productivity commands that narsil lacks (impact analysis, manifesto, triage, boundaries, co-change, branch-compare, audit, structure, CODEOWNERS). Narsil has richer git integration tools (blame, contributors, symbol history) and interactive visualization. For the "what breaks if I change this?" workflow, codegraph is the clear choice. --- 
@@ -259,17 +262,19 @@ Codegraph's foundation document defines the problem as: *"Fast local analysis wi | Feature | Codegraph | Narsil-MCP | Best Approach | |---------|-----------|------------|---------------| -| **GitHub stars** | Growing | 120 | **Narsil** (slightly) | +| **GitHub stars** | Growing | 129 | **Narsil** (slightly) | | **License** | Apache-2.0 | Apache-2.0 OR MIT (dual) | **Narsil** — dual license is more permissive | -| **Release cadence** | As needed | Regular (v1.6.1 latest, Feb 2026) | **Tie** | +| **Release cadence** | As needed | v1.6.1 (Feb 2026); no activity since Feb 25 (24+ day gap) | **Codegraph** — narsil's development appears stalled | | **Test suite** | Vitest | 1,763+ tests + criterion benchmarks | **Narsil** — more tests, published benchmarks | | **Documentation** | CLAUDE.md + CLI `--help` | narsilmcp.com + README + editor configs | **Narsil** — dedicated docs site | | **Commercial backing** | Optave AI Solutions Inc. | Open-core model (narsil-cloud private repo) | **Both** — different business models | | **Integration ecosystem** | MCP + programmatic API | Forgemax, Ralph, Claude Code plugin | **Narsil** — more third-party integrations | | **Browser story** | Not available | WASM package for browser-based analysis | **Narsil** | +| **SPA frontend** | Not available | Full SPA (v1.6.0): file tree sidebar, syntax-highlighted code viewer, dashboard, per-repo overview, CFG visualization | **Narsil** — full web application vs. codegraph's interactive HTML viewer | +| **Security rules** | Not available | 147+ built-in YAML rules including +36 language-specific rules (18 Rust + 18 Elixir) | **Narsil** | | **CCG standard** | Not available | Code Context Graph — a proposed standard for AI code context | **Narsil** — potential industry standard | -**Summary:** Narsil has a more developed ecosystem (docs site, editor configs, third-party integrations, browser build, CCG standard). Both are commercially backed. 
Narsil's open-core model (commercial cloud features in private repo) is a viable business approach. +**Summary:** Narsil has a more developed ecosystem (docs site, editor configs, third-party integrations, browser build, SPA frontend, CCG standard). Both are commercially backed. Narsil's open-core model (commercial cloud features in private repo) is a viable business approach. However, narsil has had no activity since Feb 25 (24+ day gap as of this writing), which raises questions about development momentum. --- @@ -290,7 +295,7 @@ Codegraph's foundation document defines the problem as: *"Fast local analysis wi 1. **You need security analysis** — taint tracking, OWASP/CWE compliance, SBOM, license scanning, 147 built-in rules. Codegraph has zero security features. 2. **You need broad language coverage** — 32 languages vs 11. Critical for polyglot enterprises. -3. **You need mature control flow or data flow analysis** — reaching definitions, dead stores, uninitialized variables. Codegraph now has basic CFG and intraprocedural dataflow (JS/TS), but narsil's analysis is more mature. +3. **You need advanced data flow analysis** — reaching definitions, dead stores, uninitialized variables. Codegraph now has dataflow across all 11 languages, but narsil has 4 specialized tools (reaching defs, dead stores, uninitialized, taint). 4. **You need type inference** — infer types for untyped Python/JS/TS code. Codegraph has no type analysis. 5. **You want richer interactive visualization** — built-in Cytoscape.js web UI with drill-down, overlays, and clustering. Codegraph now has `codegraph plot` with interactive HTML, but narsil's UI is more feature-rich. 6. **You need a single binary with no runtime deps** — `brew install narsil-mcp` and done. No Node.js required. 
@@ -317,12 +322,12 @@ Codegraph's foundation document defines the problem as: *"Fast local analysis wi | Install complexity | `npm install` (requires Node.js) | Single binary (brew/scoop/cargo) | Narsil | | Analysis depth (structural) | High (impact, complexity, roles, CFG, dataflow) | High (CFG, DFG, type inference) | Tie | | Analysis depth (security) | None | Best in class (147 rules, taint) | Narsil | -| AI agent integration | 30-tool MCP + compound commands | 90-tool MCP + presets + CCG | Narsil for breadth; Codegraph for efficiency | -| Developer productivity | 20+ purpose-built commands | Git tools only | Codegraph | +| AI agent integration | 32-tool MCP + compound commands | 90-tool MCP + presets + CCG | Narsil for breadth; Codegraph for efficiency | +| Developer productivity | 41+ commands | Git tools only | Codegraph | | Language support | 11 | 32 | Narsil | -| Standalone CLI | Full CLI experience | Config/tools management only | Codegraph | +| Standalone CLI | 41 commands | Config/tools management only | Codegraph | | Programmatic API | Full JS API | None | Codegraph | -| Community & maturity | New | Newer (Dec 2025), growing fast | Tie | +| Community & maturity | New | Newer (Dec 2025); no activity since Feb 25 | Codegraph | | CI/CD readiness | Yes (`check --staged`) | No CI tooling | Codegraph | | Visualization | DOT/Mermaid/JSON/GraphML/GraphSON/Neo4j CSV + interactive HTML | Interactive Cytoscape.js web UI | Tie | | Search backends | FTS5 + HuggingFace local | Tantivy + TF-IDF + Voyage/OpenAI/ONNX | Narsil | 
@@ -386,9 +391,9 @@ These narsil-mcp features were evaluated and deliberately excluded: | **SPARQL / RDF knowledge graph** | B, E | Requires Oxigraph dependency. SQLite + existing query commands serve our use case. RDF/SPARQL is overkill for structural code intelligence — powerful but orthogonal to our goals | | **Code Context Graph (CCG) standard** | B, H | Interesting concept but tightly coupled to narsil's architecture and commercial model. Our MCP pagination + compound commands solve the progressive-disclosure problem differently | | **In-memory-first architecture** | F | Violates P1 (graph must survive restarts to stay always-current). SQLite persistence is a deliberate choice — narsil's opt-in persistence means state loss on every restart by default | -| **90-tool MCP surface** | E, H | More tools = more token overhead per agent session. Our 30 purpose-built tools + compound commands are more token-efficient. Narsil compensates with presets; we compensate with fewer, smarter tools | +| **90-tool MCP surface** | E, H | More tools = more token overhead per agent session. Our 32 purpose-built tools + compound commands are more token-efficient. Narsil compensates with presets; we compensate with fewer, smarter tools | | **Browser WASM build** | G, J | Different product category. We're a CLI/MCP engine, not a browser tool (P8). Narsil's WASM build is a legitimate capability, but building a browser runtime is outside our scope | -| **Forgemax-style tool collapsing** | H | Collapses 90 tools to 2 (`search`/`execute`). We don't need this because we already have ~21 tools — small enough that collapsing adds complexity without meaningful savings | +| **Forgemax-style tool collapsing** | H | Collapses 90 tools to 2 (`search`/`execute`). We don't need this because we already have 32 tools — small enough that collapsing adds complexity without meaningful savings | | **LSP integration** | B | Requires running language servers alongside codegraph. 
Violates zero-dependency goal. Tree-sitter + confidence scoring is our approach; LSP is a different architectural bet | | **License compliance scanning** | D | Tangential to code intelligence. Better served by dedicated tools (FOSSA, Snyk, etc.) | @@ -401,7 +406,7 @@ These narsil-inspired capabilities are already tracked in [BACKLOG.md](../../doc | 7 | OWASP/CWE pattern detection | `scan_security` with 147 rules | Lightweight AST-based alternative to narsil's full rule engine. N14 above. Still Tier 3. Unblocked by stored AST (v3.0.0). | | 8 | Optional LLM provider integration | `--neural-backend api\|onnx` | Multiple embedding providers. N13 above. Still Tier 2. | | 10 | Interactive HTML visualization | Built-in Cytoscape.js frontend | **DONE v3.0.0.** `codegraph plot` opens interactive HTML viewer. N12 above. | -| 14 | Dataflow analysis | `get_data_flow`, `get_reaching_definitions` | **DONE v3.0.0.** Intraprocedural dataflow with `flows_to`/`returns`/`mutates` edges. JS/TS only. CLI: `codegraph dataflow`. MCP: `dataflow` tool. | +| 14 | Dataflow analysis | `get_data_flow`, `get_reaching_definitions` | **DONE v3.2.0.** Intraprocedural dataflow with `flows_to`/`returns`/`mutates` edges. All 11 languages. CLI: `codegraph dataflow`. MCP: `dataflow` tool. | ### Cross-references to Joern-inspired candidates
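Review bot: In the `@@ -75,7 +75,7 @@` hunk, the new Incremental parsing cell names three tiers (journal → mtime+size → hash) without defining "journal" or saying when a tier short-circuits the next one. Please state whether a file whose mtime and size are both unchanged is ever hashed, because an edit that preserves both would otherwise be skipped and leave the graph stale. A one-line definition or a link to the design note would also back the "orders of magnitude faster" verdict that this row keeps.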
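Review bot: In the `@@ -87,22 +87,23 @@` hunk, the Edge types verdict flips from Tie to Codegraph on the strength of "narsil's unscored edges", but the Narsil cell in that row says nothing about scoring either way. Other rows use "Not documented" when a Narsil capability is unknown, so either cite where the absence of scoring was confirmed or soften the verdict. The Narsil cell also lists control flow and type relationship edges that have no counterpart in the 13 codegraph edge types, which argues for keeping this a Tie on coverage.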
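Review bot: In the `@@ -139,9 +140,9 @@` hunk, "147+ rules ... (including +36 language-specific rules ...)" is ambiguous: "including" says the 36 are inside the total while the "+" prefix reads as an addition on top of 147. Pick one and give the resulting total. The unchanged lines in later hunks still say "147 built-in rules", "147 rules, taint" and "`scan_security` with 147 rules", so the document now carries two different counts. The Language-specific rules cell also lists seven languages but breaks the 36 down across Rust and Elixir only.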
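Review bot: In the `@@ -149,20 +150,20 @@` hunk, the Visualization row now awards Narsil for the v1.6.0 SPA frontend, but the unchanged Export formats row in the `@@ -246,12 +247,14 @@` hunk and the unchanged Visualization row in the `@@ -317,12 +322,12 @@` scorecard both still say Tie and describe Narsil as a Cytoscape.js UI only. Update those rows in the same change, or the three tables will give different answers to the same question.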
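Review bot: In the `@@ -210,17 +211,17 @@` hunk, the Tool token cost verdict "Codegraph, lower base cost" no longer reads cleanly next to the numbers in its own row: ~6,000 tokens for codegraph against Narsil's Minimal preset at ~4,600. The claim holds only against the Balanced preset and the full set, so say that explicitly. It would also help to note whether ~6,000 was measured for the 32 tool definitions or scaled up from the previous ~5,500 figure.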
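Review bot: In the `@@ -246,12 +247,14 @@` hunk, the summary count goes from 15+ to 17+ but the parenthetical list is unchanged and does not name the two capabilities that justify the bump (`sequence` and `exports --unused`). Add them to the list so the number can be checked against it. The new Sequence diagrams row also repeats the row added in the `@@ -87,22 +87,23 @@` hunk almost word for word; consider keeping it in one table and cross-referencing from the other.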
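Review bot: In the `@@ -259,17 +262,19 @@` hunk, the Release cadence verdict infers "development appears stalled" from a 24+ day gap, while the codegraph cell still reads "As needed", which is not evidence of a better cadence. Suggest reporting the observation without the inference, and replacing "as of this writing" in the summary with the absolute date the gap was measured on so the figure does not silently go stale. The added SPA frontend and Security rules rows restate facts already recorded in the interface and security tables and are not community or ecosystem attributes.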
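Review bot: In the `@@ -290,7 +295,7 @@` hunk, item 3 enumerates Narsil's four specialized tools as "reaching defs, dead stores, uninitialized, taint", but the Data flow analysis row lists them as `get_data_flow`, `get_reaching_definitions`, `find_uninitialized` and `find_dead_stores`; taint is not one of the four and is already covered by item 1. The unchanged item 4 ("Codegraph has no type analysis") now contradicts the reworded Type inference row, and item 5 still describes only the Cytoscape.js UI, so both need the same refresh.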
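Review bot: In the `@@ -317,12 +322,12 @@` hunk, the Developer productivity cell changes from "20+ purpose-built commands" to "41+ commands", which is the total CLI command count from the Primary interface row, not the number of productivity commands (the section summary says 17+). The same 41 is then reused in the Standalone CLI row, so one figure is scored twice. Use the productivity-specific count here. The Community & maturity verdict also flips to Codegraph while the codegraph cell still says only "New".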
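Review bot: In the `@@ -386,9 +391,9 @@` hunk, the Forgemax row swaps "~21 tools" for "32 tools" but keeps the rationale "small enough that collapsing adds complexity without meaningful savings" unchanged. With the tool definitions now costed at ~6,000 tokens elsewhere in this document against ~1,000 for the collapsed Forgemax surface, the justification needs a number or a threshold at which the decision would be revisited, rather than the same sentence with a larger count.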
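Review bot: In the `@@ -401,7 +406,7 @@` hunk, replacing "DONE v3.0.0" with "DONE v3.2.0" on backlog item 14 erases the record that dataflow first shipped in v3.0.0 for JS/TS. If v3.2.0 is the release that extended it to all 11 languages, say so, for example "DONE v3.0.0 (JS/TS); extended to all 11 languages in v3.2.0", so the row stays consistent with item 10 and with the v3.0.0 reference in item 7.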