BaseframeLabs

ProjScan

Agent-first code intelligence.

Platform: Node.js 18+, macOS, Linux, Windows
Pricing: Free (MIT)
$ npx projscan
Screenshot: ProjScan running on a repository: banner, scan progress, and project report

Overview

Built: 2026
Version: 3.0.9
Category: Developer Tools / MCP server
Platform: Node.js 18+ (20+ for watch)
Languages: 11
MCP tools: 40
Price: Free (MIT)

When you ask your agent which files implement auth, or what breaks if you bump React from 18 to 19, it should not be guessing from filenames or shelling out to grep.

ProjScan answers from a stable v3 semantic graph of file, function, package, and symbol nodes, plus a dataflow engine that tracks direct, propagated, and bridge source-to-sink risk, all served over MCP. Forty tools span graph traversal, bug-hunt queues, PR evidence, trust gates, and release readiness. It runs offline, with no source upload, no telemetry, and no API key.

Features

What it does well.

01. Deep graph platform

A stable v3 semantic graph with file, function, package, and symbol nodes, a dataflow engine that tracks direct, propagated, and bridge source-to-sink risk, and graph traversal and coupling analysis. The foundation every other 3.x surface reads from. (4 tools)

02. Adoption layer

One MCP tool returns ready-to-paste client configs, workflow recipes, or first-run diagnostics. The first run checks Node.js, Git, package metadata, config, Tree-sitter runtime, plugins, and MCP startup. The entry path a new agent or human follows on day one. (5 tools)

03. Agent mission control

Workplans, agent briefs, quality scorecards, function explanations, and file-level analysis that keep long-running agent work coordinated. Each tool returns ordered tasks, evidence, suggested tools, and verification commands. (5 tools)

04. Autonomous bug hunt

Bug-hunt queues ranked by risk, hotspot analysis that ranks high-churn and high-complexity files, and semantic search across the codebase. A prioritized starting point before the first edit. (3 tools)

05. Readiness evidence

Evidence packs, regression matrices, coverage analysis, and transitive impact scoring. Composes preflight, bug-hunt, and product risk into one auditable view an agent or reviewer can act on. (4 tools)

06. Agent trust

One MCP tool answers whether an agent can safely proceed before edits, commits, and merges. Returns proceed, caution, or block with evidence, including dataflow risk findings, and a suggested next call. (1 tool)

07. Multi-agent coordination

Monorepo package intelligence, cross-repo sibling awareness, durable session and feedback memory, and per-call cost budgeting. State management for multi-agent and long-running workflows. (5 tools)

08. Deeper review intelligence

Structural diffs, one-call verdicts with intent labelling and contract-change detection, taint flows that force a block, and bridge-helper dataflow risks that block automatically. Structured fix suggestions and a mechanical apply layer with rollback. (7 tools)

09. Plugin platform

The stable analyzer and reporter plugin contract with projscan plugin init, projscan plugin test, and gallery examples. Author, test, and publish local plugins that extend the analysis surface. (1 tool)

10. Release trust

Product-line release plans that understand 3.0.x and 3.1.x, remote version-tag validation, declared-versus-installed drift, npm audit wrapped to SARIF, and a blast-radius preview before any package bump lands. (5 tools)

See it in action

A closer look.

Screenshot: AI coding agent calling ProjScan tools over MCP in a macOS-style terminal

Built for agents first

Plug ProjScan into any MCP-aware client and the agent reads the repo through a typed, context-budget-aware surface. Forty tools cover graph traversal, dataflow, PR evidence, and trust gates, all running locally.

Screenshot: Hotspot analysis ranking high-risk files

Hotspots, ranked by risk

High-churn, high-complexity files rise to the top, each with a risk score and the signals behind it. An agent knows where to look before it touches a line.

Screenshot: Semantic search returning ranked symbols

Semantic search, not grep

Ask for the code that handles auth or talks to the database and get ranked symbols straight from the graph. The local ONNX model runs on your machine, so nothing about the repo leaves it.

Screenshot: Custom markdown report produced by a reporter plugin

Shape the output with plugins

The reporter plugin contract turns a scan into whatever your team needs. This custom markdown report was scaffolded with projscan plugin init and verified with projscan plugin test.

How it works in practice

Practical workflows.

From first clone to a gated production merge.

First PR magic
projscan review --format markdown writes a PR evidence comment with a verdict, top risks, CODEOWNERS hints, exact next commands, and what changed since the local baseline. It blocks on real semantic risk; scale-only concerns show as caution, not fake defects.
Team bootstrap
projscan init team generates a starter policy file, a GitHub Action config, CODEOWNERS hints, and first-run setup. One command wires a new repo, and the generated config ships with onboarding docs.
Baseline and trend memory
After each scan, projscan writes a local baseline snapshot. Later runs show deltas: risk up or down from main, new hotspots, quality-score trend, and noisy recurring rules you can suppress. No external store; the baseline lives in the repo.
MCP setup that works
projscan mcp doctor --client claude|cursor|codex checks your config against the installed version and outputs a corrected, paste-ready snippet. One-shot wiring with npx projscan init mcp --client all. Registry id: io.github.abhiyoheswaran1/projscan.
Ownership routing
PR comments and workplans carry CODEOWNERS-derived routing: which team owns the changed files, who to flag for security review, and which packages cross ownership boundaries. It handles monorepos with per-package CODEOWNERS files.
Trust calibration
Blocks are rare and reserved for real semantic risk: new bridge-helper dataflow paths, dependency-audit findings above the configured threshold, or preflight gates that fail with evidence. Scale-only release concerns return caution with a manual-review note.

Stable surface

What 3.x means.

A versioned contract your agents and CI can depend on.

Semver covers
MCP tool names and input schemas, CLI command names and documented flags, exit codes, the CLI JSON envelope (schemaVersion 2), the analyzer and reporter plugin contract (schemaVersion 1), and the new API exports (buildSemanticGraph, computeDataflow, and the graph, dataflow, and review risk types).
New in 3.0
projscan_semantic_graph, projscan_dataflow, projscan_adoption, and (in 3.0.4) projscan_start. projscan_review blocks bridge-helper dataflow risks, and projscan_preflight carries dataflow findings. Every 2.x surface (Mission Control, Readiness Evidence, MCP resources) stays.
Language coverage
Eleven languages. JavaScript and TypeScript via Babel; Python, Go, Java, Ruby, Rust, PHP, C#, Kotlin, and Swift via Tree-sitter. LanguageId stays open for plugin languages, while BuiltinLanguageId pins the bundled set.
Supply chain
npm provenance on every release and a CycloneDX SBOM published as a GitHub asset. projscan verify-release checks both against the installed tarball, and any drift fails the check. The same validators run locally as npm run release:check.
Runtime
Node.js 18+ for the core CLI, Node.js 20+ for recursive Linux file watching. Runs on macOS, Linux, and Windows.
Privacy
Fully offline. No source upload, no telemetry, no API key. Semantic search uses a local ONNX model that downloads once on first use. Your repo, and the graph projscan builds from it, never leaves the machine.

Pick the entry point.

Four commands cover most first-session needs.

Orient your agent in 60 seconds

Wire MCP into your client

Generate PR evidence

Check repo health