Your agent reads 40 files out of 4,000, edits something load-bearing, and you find out in prod. X-Ray extracts the real architecture of any repo — every route with auth status, entities, blast radius, boundary risks — and gives it to you and your agent. Deterministic. No LLM. Your code never leaves your machine.
Run on a 7,000-file production codebase: 1,991 routes, 210 entities, and 121 background tasks mapped in seconds — including 510 routes with no detectable auth guard. On the official FastAPI template it flagged a real auth-token-in-localStorage bug. The map pays for itself on day one.
The human map: module dependency graph (Mermaid), domain model, every route with its auth status, blast-radius hotspots, and risk findings. Rendered natively by GitHub.
Drop it into your CLAUDE.md or Cursor rules. Your agent learns the layers, entities, danger zones, and observed invariants of your codebase — today, with zero workflow change.
The machine-readable repo genome: routes, entities, relations, tasks, dependency edges, findings. Feed it to CI, dashboards, or your own tooling.
X-Ray ships as an MCP server for Claude Code, Cursor, and Windsurf. Four tools, queried live, no LLM behind any of them:
- blast_radius: Who depends on this file? What breaks if the agent edits it?
- arch_summary: Where routes, entities, and services actually live — ground truth before searching.
- boundary_findings: Hardcoded secrets, raw SQL bypassing the ORM, tokens in localStorage, routes without auth guards.
- xray_scan: Re-scan after structural changes. Deterministic — same repo, same map.

| Tool | What you get | Uses an LLM? | Local-first? |
|---|---|---|---|
| Archiet X-Ray | Web-architecture semantics: routes + auth coverage, entities, boundary/security findings, agent context pack | No — deterministic, every fact traces to file:line | Yes — stdlib-only, zero network |
| Function-level graph MCPs (Codegraph, dependency-mcp) | Call graphs and import edges — no auth coverage, no security boundary findings, no agent context file | No | Varies |
| CLAUDE.md generators (ClaudeForge, web tools) | Conventions and instructions for the agent — opinions, not extracted architecture facts | Usually LLM-written | Varies |
| CodeScene / code-health analytics | Statistical hotspots from git history for engineering managers — descriptive, not agent-facing | No | Cloud |
Archiet X-Ray is a free, open-source tool that deterministically extracts the real architecture of a codebase — routes with auth-guard status, ORM entities and relations, async tasks, the module dependency graph with blast-radius hotspots, and boundary risks — and delivers it as a human-readable map, an AI-agent context file, and a machine-readable JSON model. It also runs as an MCP server so coding agents can query the architecture before editing.
Dependency-graph tools show call and import edges. X-Ray extracts web-architecture semantics on top of the graph: which routes exist, which carry auth guards, where the domain entities and their relations live, and where the security boundaries leak (hardcoded secrets, raw SQL, tokens in localStorage). No graph tool reports that 510 of your routes have no detectable auth guard.
No and no. The pipeline is pure static extraction (Python ast + structured parsers), stdlib-only, with zero network calls and zero telemetry. The same repo always produces the same map, and anything that cannot be extracted with confidence is labelled unknown — never guessed.
Python (Flask, FastAPI, Django, SQLAlchemy, Celery) via ast — including FastAPI Annotated/Depends auth detection — plus Next.js app and pages routers, Express, and Prisma schemas. Go, Java, Rails, and .NET extractors are on the roadmap; the extractor pattern is one class per language and PRs are welcome.
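An added example, not X-Ray's own code: a stdlib-only illustration of the kind of `ast`-based extraction described above, listing FastAPI route decorators and classifying each as `guarded`, `no_guard` or `unknown`. The `AUTH_HINTS` name list, the status labels and the sample source are assumptions made for this example.

```python
import ast

HTTP_METHODS = {"get", "post", "put", "patch", "delete"}
# Assumption: which dependency names count as auth guards is project policy.
AUTH_HINTS = ("user", "auth", "admin", "token")
# Constructed sample input, parsed only (never executed).
SAMPLE = '''
from typing import Annotated
from fastapi import Depends, FastAPI
app = FastAPI()
@app.get("/health")
def health(): ...
@app.get("/me")
def me(user: Annotated[dict, Depends(get_current_user)]): ...
@app.post("/items", dependencies=[Depends(require_admin)])
def create_item(payload: dict): ...
@app.delete("/items/{item_id}")
def delete_item(item_id: int, db=Depends(get_db)): ...
@app.get("/report")
def report(svc: Annotated[Service, Depends()]): ...
'''

def depends_targets(node):
    """Names passed to Depends()/Security() under node; None if not a plain name."""
    found = []
    for n in ast.walk(node):
        if (isinstance(n, ast.Call) and getattr(n.func, "id", getattr(n.func, "attr", None))
                in ("Depends", "Security")):
            arg = n.args[0] if n.args else None
            found.append(getattr(arg, "id", None) or getattr(arg, "attr", None))
    return found

def scan(source):
    """Return (METHOD, path, status, line) per route; unnameable guards are 'unknown'."""
    routes = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for dec in fn.decorator_list:
            if not (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute)
                    and dec.func.attr in HTTP_METHODS):
                continue
            first = dec.args[0] if dec.args else None
            path = first.value if isinstance(first, ast.Constant) else "unknown"
            deps = depends_targets(dec) + depends_targets(fn.args)
            guarded = any(d and any(h in d.lower() for h in AUTH_HINTS) for d in deps)
            status = "guarded" if guarded else "unknown" if None in deps else "no_guard"
            routes.append((dec.func.attr.upper(), path, status, dec.lineno))
    return sorted(routes, key=lambda r: r[3])
```

Guards attached at router level (for example through `APIRouter(dependencies=...)`) or in middleware are not visible to this per-function pass, so `no_guard` means none was detected on the route itself. Note that `/items/{item_id}` is reported as `no_guard` even though it uses `Depends`, because a database-session dependency is not an auth check.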
Two ways: commit the generated AGENT_CONTEXT.md and reference it from your CLAUDE.md or rules file, or register the MCP server (one command) so the agent can query blast_radius and boundary_findings live before it edits.
The map X-Ray extracts is the same formal model Archiet uses to generate production-ready applications and enforce architecture with consulting-grade gates. When X-Ray finds 510 unguarded routes, Archiet is how they stay fixed.