Depwire MCP Server

Depwire

Your AI doesn't know your architecture. Depwire does.

What makes Depwire different

Depwire builds a DETERMINISTIC, NOT PROBABILISTIC dependency graph of your codebase. This is not RAG. There are no embeddings, no similarity scores, no vector databases, no guesses. Depwire uses tree-sitter — the same parser powering GitHub's code intelligence — to extract exact symbol-level facts from every file: every function, every class, every interface, every import and export relationship, across 11 programming languages. When you ask "what breaks if I delete encodeToken in auth/token.ts?", Depwire does not search for similar-looking code and estimate an answer. It traverses the exact dependency graph and returns the precise list of 14 files that import that symbol, which import chains break, and what your health score drops by. This is compiler-level precision applied to AI-assisted development — not a language model's best guess about your code.

Not a build graph either. Tools like Nx, Turborepo, and Grapher track package-level dependencies for build caching. Depwire tracks symbol-level dependencies — every function, class, and import relationship — which is what makes What If simulation, graph-aware security scanning, and exact blast radius analysis possible.

---

Depwire is the infrastructure layer between your AI coding assistant and your codebase. Before your AI touches a single file, Depwire has already mapped every connection, scored every risk, and simulated every change.

⭐ If Depwire saves you from a broken build, star the repo — it helps this project grow.

---

The problem

AI coding tools are getting smarter. But they still have a fundamental blind spot: they don't know your architecture before they touch it.

You ask Claude to delete a utility file. It deletes it cleanly. Confident. No warnings.

Then you run the build. 30 files broken.

Claude had no idea. It saw one file. It didn't see the 30 downstream consumers.

This isn't a model problem. It's a context problem. The AI is flying blind.

---

The infrastructure layer

Depwire is the context and safety layer for AI-generated code.

Depwire sits between your AI and your codebase. It builds a complete dependency graph using tree-sitter — deterministic, not probabilistic — and serves it to your AI through 17 MCP tools.

Four guarantees:

• Local — everything runs on your machine. No cloud parsing. No data sent anywhere.
• Secure — your code never leaves your machine. The security scanner requires no API key.
• Token-efficient — Depwire serves pre-computed graph data. Your AI gets surgical answers, not file dumps. 40% fewer tool calls. 56% fewer file reads.
• Deterministic — tree-sitter parses your code the same way every time. 100% accurate. Not a guess.

---

Start here

npm install -g depwire-cli

Three commands to understand any codebase:

depwire whatif     # know what breaks before you change anything
depwire security   # catch vulnerabilities before AI ships them
depwire viz        # see your entire architecture instantly

---

What If simulation

Know the blast radius before you touch anything.

depwire whatif . --simulate delete --target src/utils/encode.ts

Real output on honojs/hono — 352 files, 6,245 symbols:

Health Score:    41 → 41  (+0 → unchanged)
Affected Nodes:  29
Broken Imports:  30
• src/utils/jwt/jwt.ts imports decodeBase64Url
• src/adapter/aws-lambda/handler.ts imports encodeBase64
• src/utils/basic-auth.ts imports decodeBase64
[27 more...]
Removed Edges:   32

Before touching a single file. Zero file I/O. Pure in-memory simulation.

Five operations:

depwire whatif . --simulate delete --target src/utils/encode.ts
depwire whatif . --simulate move --target src/utils/encode.ts --destination src/core/encode.ts
depwire whatif . --simulate rename --target src/utils/encode.ts --destination src/utils/encoder.ts
depwire whatif . --simulate split --target src/services/auth.ts --symbols "validateToken,refreshToken"
depwire whatif . --simulate merge --target src/utils/helpers.ts --merge-target src/utils/formatters.ts

Run without --simulate to open the browser UI — side-by-side arc diagrams showing current vs simulated state.

---

Security scanner

AI will confidently ship vulnerable code. Depwire stops it before production.

depwire security .                        # full repo scan
depwire security . --target src/auth.ts   # single file
depwire security . --format sarif         # GitHub Security tab integration
depwire security . --fail-on high         # CI gate — exit 1 if HIGH or above
depwire security . --class injection      # specific check only

Real output on honojs/hono:

6 Critical  19 High  14 Medium  1 Low

10 check categories — dependency CVEs, shell injection, hardcoded secrets, path traversal, auth bypass, input validation, information disclosure, cryptography weaknesses, frontend XSS, and architecture-level risks.

Graph-aware severity: a medium shell injection reachable from an MCP tool or HTTP route is automatically elevated to critical. This is what no generic SAST tool can replicate — Depwire knows your architecture, so it knows what's actually reachable.

Available as MCP tool security_scan and via depwire-cli/sdk.

---

Visualization

depwire viz

Interactive arc diagram of your entire codebase. Every file, every connection, every dependency visible at once. Hover to inspect. Click to filter. Export as PNG or SVG.

---

Temporal graph

depwire temporal

Watch your architecture evolve over git history. Timeline slider scrubs through commits — the arc diagram morphs as your codebase grew, coupled, and refactored. Nobody else does this.

---

All commands

All commands auto-detect your project root. No path configuration needed.

---

MCP server — AI integration

Connect Depwire to any MCP-compatible AI tool. Your AI gets 17 tools it can call autonomously.

Claude Desktop — add to ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "depwire": {
      "command": "npx",
      "args": ["-y", "depwire-cli", "mcp"]
    }
  }
}

Cursor — Settings → Features → Experimental → Enable MCP → Add Server:

• Command: npx
• Args: -y depwire-cli mcp

17 MCP tools

---

Cross-language edge detection

Depwire detects connections between files written in different languages.

A TypeScript fetch('/api/users') call matched to a Python @app.get('/api/users') route definition — that's a cross-language edge. Delete the Python route and Depwire shows the TypeScript callers as broken.

Supported patterns:

• REST API edges — fetch/axios calls matched to Express, FastAPI, Flask, Gin route definitions
• Subprocess edges — execSync/subprocess.run calls matched to target files in the graph

These edges flow through every existing feature: What If simulation, impact analysis, security scanner, and arc diagram visualization.

---

Architecture health score

depwire health .

Overall: 68/100 (Grade: D)
Coupling              70   C
Cohesion              80   B
Circular Dependencies 100  A
God Files             40   F
Orphans & Dead Code   20   F
Dependency Depth      60   D

6 dimensions. Letter grades. Actionable recommendations. Trend tracking across runs.

---

SDK

Depwire exposes a stable public API for programmatic use and CI pipelines:

npm install depwire-cli

import {
  parseProject,
  buildGraph,
  calculateHealthScore,
  analyzeDeadCode,
  generateDocs,
  scanSecurity,
  SimulationEngine,
  detectCrossLanguageEdges,
  searchSymbols,
  getImpact,
  getArchitectureSummary,
  DepwireSDKVersion
} from 'depwire-cli/sdk';

The SDK is the stable public API surface. All integrations should import from depwire-cli/sdk — never from internal paths.

---

Why Depwire

---

Language support

TypeScript, JavaScript, Python, Go, Rust, C, C#, Java, C++, Kotlin, PHP — with cross-language edge detection between all supported languages.

Java / JVM — classes, interfaces, enums, records, annotations, inner classes, anonymous classes, lambda expressions, Maven pom.xml and Gradle build file dependency edges, Spring Boot cross-language edges (@GetMapping, @PostMapping, @RequestMapping), JAX-RS / Jakarta EE route detection, Spring WebFlux RouterFunction support.

C# / .NET — classes, interfaces, records, structs, enums, delegates, file-scoped namespaces, primary constructors, global usings, .csproj ProjectReference and PackageReference edges, ASP.NET Core cross-language edges (attribute routing + Minimal API).

C++ / Systems — classes, structs, unions, enums, namespaces, concepts, coroutines, C++20 modules, template support with parameter stripping. CMakeLists.txt, Conan, and vcpkg dependency edge parsing. Crow, Drogon, Pistache, and cpp-httplib cross-language route detection. Dead code detection with vtable and template exclusions. Health score checks: circular includes, missing header guards, god classes, raw pointer fields, missing virtual destructors. Security scanner: buffer overflow, format string vulnerability, use-after-free, command injection.

Kotlin / JVM — classes, data classes, sealed classes, objects, companion objects, value classes, type aliases, extension functions, enum classes, annotation classes. Coroutine awareness: suspend functions, GlobalScope detection, structured concurrency checks. build.gradle.kts, build.gradle, and settings.gradle.kts dependency parsing. Spring Boot, Ktor, Http4k, and Ktor Resources cross-language route detection. Android Retrofit outgoing edge detection. Dead code detection with Android lifecycle and Spring annotation exclusions. Security scanner: SQL injection via string templates, hardcoded credentials, insecure random, not-null assertion abuse, Ktor missing auth blocks.

PHP / Web — functions, classes, methods, interfaces, traits, enums, namespaces, use statements, require/include dependency edges. Both procedural and OOP styles. Laravel (Route::get/post/put/delete/patch, middleware), Symfony (#[Route(...)]), Slim Framework, and WordPress REST API (register_rest_route) cross-language route detection. Guzzle and file_get_contents HTTP client edge detection. Dead code detection with WordPress hooks, Laravel service providers, Symfony controllers, and magic method exclusions (__construct, __get, __set, _call). Security scanner: $wpdb->query SQL injection, eval(), system/exec/shell_exec/passthru command injection, preg_replace /e modifier, unserialize on user input, extract on superglobals, md5/sha1 for passwords, deprecated mcrypt*, rand/mt_rand in security contexts, hardcoded credentials.

---

GitHub Action — PR Impact Analysis

Depwire integrates into your CI/CD pipeline via the depwire-action GitHub Action.

On every pull request it automatically posts a dependency impact report — which symbols changed, what breaks, health score before and after. Code reviewers see the architectural blast radius before merging.

Add to .github/workflows/depwire.yml:

name: Depwire PR Impact
on:
  pull_request:
    branches: [main]

permissions:
  contents: read
  pull-requests: write

jobs:
  depwire:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - uses: depwire/depwire-action@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

Block PRs that hurt your architecture:

- uses: depwire/depwire-action@v1
  with:
    github-token: ${{ secrets.GITHUB_TOKEN }}
    fail-on-score-drop: 5

GitHub Marketplace — depwire-action repo

---

Cloud dashboard

app.depwire.dev — full dependency graph, health score, dead code report, and AI codebase chat in the browser. No local setup required.

• Free for public repos
• Pro ($19/month) — unlimited repos, private repo support, AI codebase chat

---

Roadmap

Shipped

• Arc diagram visualization
• 17 MCP tools
• Multi-language support (TypeScript, JavaScript, Python, Go, Rust, C, C#, Java, C++, Kotlin, PHP)
• Architecture health score
• Dead code detection
• Temporal graph
• What If simulation — CLI + browser UI
• Security scanner — graph-aware severity elevation
• Cross-language edge detection — REST API + subprocess
• Public SDK — depwire-cli/sdk
• Cloud dashboard — app.depwire.dev
• PR Impact GitHub Action

Coming next

• AI-suggested refactors
• VSCode extension
• Natural language architecture queries

---

Security posture

Depwire is read-only. It never writes to, modifies, or executes your code.

• Parses with tree-sitter — the same parser used by VS Code and Zed
• Visualization server binds to localhost only
• No data leaves your machine
• Blocks access to sensitive system directories
• npm packages published with provenance verification

See SECURITY.md for full details.

---

Contributing

1. Fork the repository
2. Create a feature branch
3. Add tests for new functionality
4. Submit a pull request
5. Sign the CLA (handled automatically on your first PR)

---

Author

Atef Ataya — AI architect, author, and creator of Depwire.

• YouTube — 600K+ subscribers covering AI agents, MCP, and LLMs
• The Architect's Playbook: 5 Pillars
• LinkedIn

---

License

Business Source License 1.1 — free for personal and internal company use. Converts to Apache 2.0 on February 25, 2029.

Commercial licensing: atef@depwire.dev

---

Built with tree-sitter, graphology, D3.js, and the Model Context Protocol.