Depwire
<div align="center"> </div>Your AI doesn't know your architecture. Depwire does.
What makes Depwire different
<p align="center"> <img src="./assets/deterministic_vs_rag_diagram.svg" alt="Depwire deterministic graph vs RAG probabilistic approach" width="680" /> </p>Depwire builds a DETERMINISTIC, NOT PROBABILISTIC dependency graph of your codebase. This is not RAG. There are no embeddings, no similarity scores, no vector databases, no guesses. Depwire uses tree-sitter — the same parser powering GitHub's code intelligence — to extract exact symbol-level facts from every file: every function, every class, every interface, every import and export relationship, across 16 programming languages. When you ask "what breaks if I delete encodeToken in auth/token.ts?", Depwire does not search for similar-looking code and estimate an answer. It traverses the exact dependency graph and returns the precise list of 14 files that import that symbol, which import chains break, and what your health score drops by. This is compiler-level precision applied to AI-assisted development — not a language model's best guess about your code.
Not a build graph either. Tools like Nx, Turborepo, and Grapher track package-level dependencies for build caching. Depwire tracks symbol-level dependencies — every function, class, and import relationship — which is what makes What If simulation, graph-aware security scanning, and exact blast radius analysis possible.
Contents
- What makes Depwire different
- Start here
- The infrastructure layer
- What If simulation
- Security scanner
- Pre-action verification
- Structural diff between commits
- MCP server — AI integration
- Cross-language edge detection
- Architecture health score
- Language support
- SDK
- Cloud dashboard
- GitHub Action — PR Impact Analysis
- Depwire Action Token (DAT)
- Roadmap
Depwire is the infrastructure layer between your AI coding assistant and your codebase. Before your AI touches a single file, Depwire has already mapped every connection, scored every risk, and simulated every change.

⭐ If Depwire saves you from a broken build, star the repo — it helps this project grow.
The problem
AI coding tools are getting smarter. But they still have a fundamental blind spot: they don't know your architecture before they touch it.
You ask Claude to delete a utility file. It deletes it cleanly. Confident. No warnings.
Then you run the build. 30 files broken.
Claude had no idea. It saw one file. It didn't see the 30 downstream consumers.
This isn't a model problem. It's a context problem. The AI is flying blind.
The infrastructure layer
Depwire is the context and safety layer for AI-generated code.
Depwire sits between your AI and your codebase. It builds a complete dependency graph using tree-sitter — deterministic, not probabilistic — and serves it to your AI through 23 MCP tools.
Four guarantees:
- Local — everything runs on your machine. No cloud parsing. No data sent anywhere.
- Secure — your code never leaves your machine. The security scanner requires no API key.
- Token-efficient — Depwire serves pre-computed graph data. Your AI gets surgical answers, not file dumps. 40% fewer tool calls. 56% fewer file reads.
- Deterministic — tree-sitter parses your code the same way every time. 100% accurate. Not a guess.
Start here
npm install -g depwire-cliThree commands to understand any codebase:
depwire whatif # know what breaks before you change anything
depwire security # catch vulnerabilities before AI ships them
depwire viz # see your entire architecture instantlyTested on real-world projects
| Project | Language | Files | Symbols | Edges | Health |
|---|---|---|---|---|---|
| google/guice | Java (multi-module, 13 modules) | 647 | 30,592 | 10,081 | 31/100 |
| honojs/hono | TypeScript | 352 | 6,462 | 2,194 | 41/100 |
| apache/commons-lang | Java (single-module) | 624 | 29,723 | 9,037 | — |
| pallets/flask | Python | 79 | 2,005 | 851 | — |
| dart-lang/shelf | Dart | 108 | 1,639 | 219 | — |
| rstudio/plumber | R | 197 | 1,194 | 219 | — |
Numbers from real
depwire parseruns on public repositories. Last validated: v1.7.1 (June 2026).
What If simulation
Know the blast radius before you touch anything.
depwire whatif . --simulate delete --target src/utils/encode.tsReal output on honojs/hono — 352 files, 6,245 symbols:
Health Score: 41 → 41 (+0 → unchanged)
Affected Nodes: 29
Broken Imports: 30
• src/utils/jwt/jwt.ts imports decodeBase64Url
• src/adapter/aws-lambda/handler.ts imports encodeBase64
• src/utils/basic-auth.ts imports decodeBase64
[27 more...]
Removed Edges: 32Before touching a single file. Zero file I/O. Pure in-memory simulation.
Five operations:
depwire whatif . --simulate delete --target src/utils/encode.ts
depwire whatif . --simulate move --target src/utils/encode.ts --destination src/core/encode.ts
depwire whatif . --simulate rename --target src/utils/encode.ts --destination src/utils/encoder.ts
depwire whatif . --simulate split --target src/services/auth.ts --symbols "validateToken,refreshToken"
depwire whatif . --simulate merge --target src/utils/helpers.ts --merge-target src/utils/formatters.tsRun without --simulate to open the browser UI — side-by-side arc diagrams showing current vs simulated state.
Cross-module dependency intelligence
For multi-module Maven and Gradle projects, Depwire resolves imports across module boundaries — not just within a single module.
Example: simulating deletion of Injector.java in google/guice (a 13-module Java DI framework):
$ depwire whatif . --simulate delete --target core/src/com/google/inject/Injector.java
Action: DELETE core/src/com/google/inject/Injector.java
Affected Nodes: 128
Broken Imports: 124 (cross-module: 106 across 10 extension modules)Without this, your AI agent has no visibility into cross-module blast radius. With it, dangerous changes are caught before they happen.
Supported build systems:
- Maven (
pom.xmlwith<modules>declarations, recursive nested modules) - Gradle (
settings.gradle/settings.gradle.ktswithinclude()declarations)
Both standard (src/main/java) and non-standard (src/) source layouts are supported.
Security scanner
AI will confidently ship vulnerable code. Depwire stops it before production.
depwire security . # full repo scan
depwire security . --target src/auth.ts # single file
depwire security . --format sarif # GitHub Security tab integration
depwire security . --fail-on high # CI gate — exit 1 if HIGH or above
depwire security . --class secrets # specific check onlyReal output on honojs/hono:
6 Critical 19 High 14 Medium 1 Low10 check categories — dependency CVEs, process safety, credential management, path safety, authentication safety, input validation, information disclosure, cryptography weaknesses, output encoding safety, and architecture-level risks.
Graph-aware severity: a medium-severity finding reachable from an MCP tool or HTTP route is automatically elevated to critical. This is what no generic SAST tool can replicate — Depwire knows your architecture, so it knows what's actually reachable.
Available as MCP tool security_scan and via depwire-cli/sdk.
Pre-action verification
Verify a proposed change is safe before applying it. Checks broken imports, new circular dependencies, health score regression, and security findings in one pass.
depwire verify-change --file src/auth.ts --content-from new-auth.ts
depwire verify-change --diff changes.patch
depwire verify-change --file src/auth.ts --content-from new-auth.ts --json
cat new-auth.ts | depwire verify-change --file src/auth.tsExample output:
Verify Change Report
──────────────────────────────────────────────────
✗ UNSAFE — risk: high
──────────────────────────────────────────────────
Health Score: 62 → 59 (-3)
Broken Imports: 2
• src/index.ts — missing trackCommand
• src/server.ts — missing handleAuth
New Circular Deps: 0
Security Findings: 1
• [HIGH] Hardcoded secret detected (src/auth.ts:14)
Blast Radius: 8 files affected
──────────────────────────────────────────────────CI integration:
depwire verify-change --diff pr.patch --fail-on-warnings --quiet
# exits 1 for medium risk, 2 for high riskAvailable as MCP tool verify_change
…