Back to MCP Servers

Depwire

Dependency graph + 15 MCP tools for AI coding assistants. Parses TypeScript, JavaScript, Python, Go, Rust, and C. Arc diagram visualization, health scoring, dead code detection, and temporal graph.

aggregatorspythontypescriptjavascriptrustgoai
By depwire
505Updated 2 days agoTypeScriptNOASSERTION

Installation

npx -y depwire

Configuration

{
  "mcpServers": {
    "depwire": {
      "command": "npx",
      "args": ["-y", "depwire"]
    }
  }
}

How to use

  1. Run the installation command above (if needed)
  2. Open your Claude Code settings file (~/.claude/settings.json)
  3. Add the configuration to the mcpServers section
  4. Restart Claude Code to apply changes

Depwire

<div align="center">

npm version npm downloads GitHub stars License MCP Compatible

Languages TypeScript Python Go Rust Java PHP Ruby Dart R +7 more

YouTube CLI Tutorial YouTube Cloud Tutorial Cloud

</div>

Your AI doesn't know your architecture. Depwire does.

What makes Depwire different

<p align="center"> <img src="./assets/deterministic_vs_rag_diagram.svg" alt="Depwire deterministic graph vs RAG probabilistic approach" width="680" /> </p>

Depwire builds a DETERMINISTIC, NOT PROBABILISTIC dependency graph of your codebase. This is not RAG. There are no embeddings, no similarity scores, no vector databases, no guesses. Depwire uses tree-sitter — the same parser powering GitHub's code intelligence — to extract exact symbol-level facts from every file: every function, every class, every interface, every import and export relationship, across 16 programming languages. When you ask "what breaks if I delete encodeToken in auth/token.ts?", Depwire does not search for similar-looking code and estimate an answer. It traverses the exact dependency graph and returns the precise list of 14 files that import that symbol, which import chains break, and what your health score drops by. This is compiler-level precision applied to AI-assisted development — not a language model's best guess about your code.

Not a build graph either. Tools like Nx, Turborepo, and Grapher track package-level dependencies for build caching. Depwire tracks symbol-level dependencies — every function, class, and import relationship — which is what makes What If simulation, graph-aware security scanning, and exact blast radius analysis possible.

Contents


Depwire is the infrastructure layer between your AI coding assistant and your codebase. Before your AI touches a single file, Depwire has already mapped every connection, scored every risk, and simulated every change.

Depwire CLI demo on honojs/hono

⭐ If Depwire saves you from a broken build, star the repo — it helps this project grow.


The problem

AI coding tools are getting smarter. But they still have a fundamental blind spot: they don't know your architecture before they touch it.

You ask Claude to delete a utility file. It deletes it cleanly. Confident. No warnings.

Then you run the build. 30 files broken.

Claude had no idea. It saw one file. It didn't see the 30 downstream consumers.

This isn't a model problem. It's a context problem. The AI is flying blind.


The infrastructure layer

Depwire infrastructure layer

Powered by DAT — open standard for AI agent action audit

Depwire is the context and safety layer for AI-generated code.

Depwire sits between your AI and your codebase. It builds a complete dependency graph using tree-sitter — deterministic, not probabilistic — and serves it to your AI through 23 MCP tools.

Four guarantees:

  • Local — everything runs on your machine. No cloud parsing. No data sent anywhere.
  • Secure — your code never leaves your machine. The security scanner requires no API key.
  • Token-efficient — Depwire serves pre-computed graph data. Your AI gets surgical answers, not file dumps. 40% fewer tool calls. 56% fewer file reads.
  • Deterministic — tree-sitter parses your code the same way every time. 100% accurate. Not a guess.

Start here

npm install -g depwire-cli

Three commands to understand any codebase:

depwire whatif     # know what breaks before you change anything
depwire security   # catch vulnerabilities before AI ships them
depwire viz        # see your entire architecture instantly

Tested on real-world projects

ProjectLanguageFilesSymbolsEdgesHealth
google/guiceJava (multi-module, 13 modules)64730,59210,08131/100
honojs/honoTypeScript3526,4622,19441/100
apache/commons-langJava (single-module)62429,7239,037
pallets/flaskPython792,005851
dart-lang/shelfDart1081,639219
rstudio/plumberR1971,194219

Numbers from real depwire parse runs on public repositories. Last validated: v1.7.1 (June 2026).


What If simulation

Know the blast radius before you touch anything.

depwire whatif . --simulate delete --target src/utils/encode.ts

Real output on honojs/hono — 352 files, 6,245 symbols:

Health Score:    41 → 41  (+0 → unchanged)
Affected Nodes:  29
Broken Imports:  30
• src/utils/jwt/jwt.ts imports decodeBase64Url
• src/adapter/aws-lambda/handler.ts imports encodeBase64
• src/utils/basic-auth.ts imports decodeBase64
[27 more...]
Removed Edges:   32

Before touching a single file. Zero file I/O. Pure in-memory simulation.

Five operations:

depwire whatif . --simulate delete --target src/utils/encode.ts
depwire whatif . --simulate move --target src/utils/encode.ts --destination src/core/encode.ts
depwire whatif . --simulate rename --target src/utils/encode.ts --destination src/utils/encoder.ts
depwire whatif . --simulate split --target src/services/auth.ts --symbols "validateToken,refreshToken"
depwire whatif . --simulate merge --target src/utils/helpers.ts --merge-target src/utils/formatters.ts

Run without --simulate to open the browser UI — side-by-side arc diagrams showing current vs simulated state.


Cross-module dependency intelligence

For multi-module Maven and Gradle projects, Depwire resolves imports across module boundaries — not just within a single module.

Example: simulating deletion of Injector.java in google/guice (a 13-module Java DI framework):

$ depwire whatif . --simulate delete --target core/src/com/google/inject/Injector.java

Action:          DELETE core/src/com/google/inject/Injector.java
Affected Nodes:  128
Broken Imports:  124  (cross-module: 106 across 10 extension modules)

Without this, your AI agent has no visibility into cross-module blast radius. With it, dangerous changes are caught before they happen.

Supported build systems:

  • Maven (pom.xml with <modules> declarations, recursive nested modules)
  • Gradle (settings.gradle / settings.gradle.kts with include() declarations)

Both standard (src/main/java) and non-standard (src/) source layouts are supported.


Security scanner

AI will confidently ship vulnerable code. Depwire stops it before production.

depwire security .                        # full repo scan
depwire security . --target src/auth.ts   # single file
depwire security . --format sarif         # GitHub Security tab integration
depwire security . --fail-on high         # CI gate — exit 1 if HIGH or above
depwire security . --class secrets         # specific check only

Real output on honojs/hono:

6 Critical  19 High  14 Medium  1 Low

10 check categories — dependency CVEs, process safety, credential management, path safety, authentication safety, input validation, information disclosure, cryptography weaknesses, output encoding safety, and architecture-level risks.

Graph-aware severity: a medium-severity finding reachable from an MCP tool or HTTP route is automatically elevated to critical. This is what no generic SAST tool can replicate — Depwire knows your architecture, so it knows what's actually reachable.

Available as MCP tool security_scan and via depwire-cli/sdk.


Pre-action verification

Verify a proposed change is safe before applying it. Checks broken imports, new circular dependencies, health score regression, and security findings in one pass.

depwire verify-change --file src/auth.ts --content-from new-auth.ts
depwire verify-change --diff changes.patch
depwire verify-change --file src/auth.ts --content-from new-auth.ts --json
cat new-auth.ts | depwire verify-change --file src/auth.ts

Example output:

Verify Change Report
──────────────────────────────────────────────────
✗ UNSAFE — risk: high
──────────────────────────────────────────────────
Health Score:  62 → 59  (-3)
Broken Imports: 2
  • src/index.ts — missing trackCommand
  • src/server.ts — missing handleAuth
New Circular Deps: 0
Security Findings: 1
  • [HIGH] Hardcoded secret detected (src/auth.ts:14)
Blast Radius:    8 files affected
──────────────────────────────────────────────────

CI integration:

depwire verify-change --diff pr.patch --fail-on-warnings --quiet
# exits 1 for medium risk, 2 for high risk

Available as MCP tool verify_change

View source on GitHub