code-review-graph
code-review-graph is an open-source Python project in the claude space with 18.4k GitHub stars. The repository is actively maintained, with recent commits.
Embed badge
[](https://opensources.dev/resource/code-review-graph)MITPermissive — free to use in commercial and proprietary software, with attribution.View license →
Production readiness
4/5- Actively maintainedCommits in the last 6 months
- No known vulnerabilitiesNot yet scanned
- Clear, usable licenseMIT (permissive)
- Proven adoptionWidely used
- Has documentationDocumentation indexed
pip install code-review-graphAI coding tools can end up re-reading large parts of your codebase on review tasks. code-review-graph fixes that. It builds a structural map of your code with Tree-sitter, tracks changes incrementally, and gives your AI assistant precise context via MCP so it reads only what matters.
Quick Start
pip install code-review-graph # or: pipx install code-review-graph
code-review-graph install # auto-detects and configures all supported platforms
code-review-graph build # parse your codebase
One command sets up everything. install detects which AI coding tools you have, writes the correct MCP configuration for each one, installs platform-native hooks/skills where supported, and injects graph-aware instructions into your platform rules. It auto-detects whether you installed via uvx or pip/pipx and generates the right config. Restart your editor/tool after installing.
To target a specific platform:
code-review-graph install --platform codex # configure only Codex
code-review-graph install --platform cursor # configure only Cursor
code-review-graph install --platform claude-code # configure only Claude Code
code-review-graph install --platform gemini-cli # configure only Gemini CLI
code-review-graph install --platform kiro # configure only Kiro
code-review-graph install --platform copilot # configure only GitHub Copilot (VS Code)
code-review-graph install --platform copilot-cli # configure only GitHub Copilot CLI
Requires Python 3.10+. For the best experience, install uv (the MCP config will use uvx if available, otherwise falls back to the code-review-graph command directly).
Then open your project and ask your AI assistant:
Build the code review graph for this project
The initial build takes ~10 seconds for a 500-file project. After that, watch mode and supported hooks can keep the graph updated automatically.
How It Works
Your repository is parsed into an AST with Tree-sitter, stored as a graph of nodes (functions, classes, imports) and edges (calls, inheritance, test coverage), then queried at review time to compute the minimal set of files your AI assistant needs to read.
Blast-radius analysis
When a file changes, the graph traces every caller, dependent, and test that could be affected. This is the "blast radius" of the change. Your AI reads only these files instead of scanning the whole project.
Incremental updates in < 2 seconds
When hooks or watch mode are enabled, file saves and supported commit hooks trigger incremental updates. The graph diffs changed files, finds their dependents via SHA-256 hash checks, and re-parses only what changed. A 2,900-file project re-indexes in under 2 seconds.
The monorepo problem, solved
Large monorepos are where token waste is most painful. The graph cuts through the noise — 27,700+ files excluded from review context, only ~15 files actually read.
Broad language coverage + Jupyter notebooks
Parser support covers functions, classes, imports, call sites, inheritance, and test detection across the current parser surface, using Tree-sitter where available and targeted fallbacks where needed. Current support includes Python, JavaScript/TypeScript/TSX, Go, Rust, Java, C/C++, C#, Ruby, Kotlin, Swift, PHP, Scala, Solidity, Dart, R, Perl, Lua/Luau, Objective-C, shell scripts, Elixir, Zig, PowerShell, Julia, ReScript, GDScript, Nix, Verilog/SystemVerilog, SQL, Vue/Svelte SFCs, Astro files parsed through the TypeScript parser, Jupyter/Databricks notebooks (.ipynb), and Perl XS files (.xs).
Add your own language (no fork needed)
If your repo uses a language the parser does not cover yet, drop a languages.toml into .code-review-graph/ mapping file extensions to any grammar bundled in tree_sitter_language_pack, plus the tree-sitter node types for functions, classes, imports, and calls:
[languages.erlang]
extensions = [".erl"]
grammar = "erlang"
function_node_types = ["function_clause"]
class_node_types = ["record_decl"]
import_node_types = ["import_attribute"]
call_node_types = ["call"]
The generic tree-sitter walker handles extraction from there — no code changes, and built-in languages can never be overridden. See docs/CUSTOM_LANGUAGES.md for the schema reference, validation rules, and a worked end-to-end example.
Risk-scored PR reviews in CI (GitHub Action)
The same analysis runs as a composite GitHub Action — and it stays local-first: the knowledge graph is built and queried entirely on your CI runner, with no source code sent to any external service. On each pull request the action posts a single sticky comment with risk-scored functions, affected execution flows, and test gaps, updated in place on every push. An optional fail-on-risk input turns the review into a merge gate.
# .github/workflows/code-review-graph.yml
on:
pull_request:
permissions:
contents: read
pull-requests: write
jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: tirth8205/code-review-graph@v2.3.6
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
See docs/GITHUB_ACTION.md for inputs, risk levels, and caching details, or the dogfood workflow this repo runs on itself in .github/workflows/pr-review.yml.
Benchmarks
Headline number: the median per-question token reduction across the 6 repos is ~82x (whole-corpus baseline vs graph query). The frequently quoted 528x is the maximum — a single best-case repo (fastapi) — not the typical result.
All numbers come from the automated evaluation runner against 6 real open-source repositories (13 commits total). Every config pins an upstream SHA, the Leiden community detector runs with a fixed seed, and embeddings are deterministic on CPU — so two runs on different machines produce identical numbers. The full reproduction recipe with expected outputs is in docs/REPRODUCING.md. A weekly report-only run on the two smallest configs lives in .github/workflows/eval.yml.
For a typical agent question ("how does authentication work", "what is the main entry point", etc.), the graph returns ~2,000–3,500 tokens of targeted search hits + neighbor edges instead of forcing the agent to read every source file. The table below averages over the 5 sample questions defined in code_review_graph/token_benchmark.py.
RepoSnapshot SHAnaive_corpus_tokensavg graph_tokensReductionfastapi0227991a951,0712,169528.4xcode-review-graph84bde354208,8212,49593.0xgin5c00df8a166,8681,99091.8xflaska29f88ce125,0221,98671.4xexpressb4ab7d65135,9553,46540.6xhttpxb55d463589,4922,43838.0x
Median per-question reduction across the 6 repos: ~82x. The range is 38x – 528x, where 528x is the best case (fastapi, the largest corpus), not the headline.
The whole-corpus baseline above is an upper bound no real agent pays: a competent agent greps for identifiers and reads only the best-matching files. The agent_baseline eval benchmark measures that realistic baseline — a pure-python grep over the corpus, top-3 files by match count, token-counted and compared to the graph query cost (evaluate/results/<repo>_agent_baseline_*.csv).
The formal eval/benchmarks/token_efficiency.py benchmark measures a different scenario — full get_review_context() JSON versus just the changed-file content of a commit — and reports ratios below 1 for small commits, because the review-context response carries impact-radius edges plus source snippets that exceed a tiny single-file diff. That is not a bug; the two benchmarks answer different questions. See docs/REPRODUCING.md for the full methodology.
Since v2.3.4, review and impact tools attach a compact context_savings estimate so MCP clients can see the approximate context saved per call. In v2.3.5 the CLI surfaces this as the boxed Token Savings panel shown above (see "Token Savings panel" in the Usage section) and adds --verify to cross-check against OpenAI's cl100k_base tokenizer. Calibration data in docs/REPRODUCING.md shows the estimate is within ~1% of real GPT-4 tokens in aggregate across 222 sample files.
Blast-radius analysis recovers every file in the ground truth on all 13 evaluation commits — but read that as an upper bound, not as "100% recall": in this mode the ground truth (changed files + files with call/import edges into them) is derived from the same graph the predictor traverses, so it is circular by construction. The over-prediction visible in the precision column is a deliberate trade-off: better to flag too many files than miss a broken dependency.
RepoCommitsAvg F1Avg PrecisionRecall (graph-derived upper bound)httpx20.8640.7861.0fastapi20.8340.7501.0code-review-graph20.7340.5841.0express20.6670.5001.0flask20.6280.4811.0gin30.6090.4391.0Average130.7140.5781.000
The benchmark also runs an honest co-change mode: the predictor is seeded with a single changed file and graded against the other files the author actually touched in the same commit — independent-ish evidence from git history, not from the graph. Both modes appear side by side in the result CSVs (ground_truth_mode column). Co-change numbers will be added to the canonical stats once captured by the eval runner; we do not quote them before measuring.
RepoFilesNodesEdgesFlow DetectionSearch Latencyexpress1411,91017,553106ms0.7msfastapi1,1226,28527,117128ms1.5msflask831,4467,97495ms0.7msgin991,28616,762111ms0.5mshttpx601,2537,89696ms0.4ms
Limitations and known weaknesses
Impact "recall 1.0" is graph-derived and circular: the historical ground truth comes from the same graph edges the predictor walks, so it is an upper bound by construction. The honest co-change mode (grade against files actually co-changed in the same commit) is measured alongside it; expect those numbers to be substantially lower.
Small single-file changes: Graph context can exceed naive file reads for trivial edits (see express results above). The overhead is the structural metadata that enables multi-file analysis.
Search quality (MRR 0.35): Keyword search finds the right result in the top-4 for most queries, but ranking needs improvement. Express queries return 0 hits due to module-pattern naming.
Flow detection (33% recall): Only reliably detects entry points in Python repos (fastapi, httpx) where framework patterns are recognized. JavaScript and Go flow detection needs work.
Precision vs recall trade-off: Impact analysis is deliberately conservative. It flags files that might be affected, which means some false positives in large dependency graphs.
Features
FeatureDetailsIncremental updatesRe-parses only changed files. Subsequent updates complete in under 2 seconds.Broad language + notebook supportPython, JavaScript/TypeScript/TSX, Go, Rust, Java, C/C++, C#, Ruby, Kotlin, Swift, PHP, Scala, Solidity, Dart, R, Perl, Lua/Luau, Objective-C, shell scripts, Elixir, Zig, PowerShell, Julia, ReScript, GDScript, Nix, Verilog/SystemVerilog, SQL, Vue/Svelte SFCs, Astro files parsed through the TypeScript parser, Jupyter/Databricks (.ipynb), and Perl XS (.xs)Blast-radius analysisShows which functions, classes, and files are likely affected by a changeAuto-update hooksHooks and watch mode can update the graph on file saves and supported commit hooksSemantic searchOptional vector embeddings via sentence-transformers, Google Gemini, MiniMax, or any OpenAI-compatible endpoint (real OpenAI, Azure, new-api, LiteLLM, vLLM, LocalAI)Interactive visualisationD3.js force-directed graph with search, community legend toggles, and degree-scaled nodesHub & bridge detectionFind most-connected nodes and architectural chokepoints via betweenness centralitySurprise scoringDetect unexpected coupling: cross-community, cross-language, peripheral-to-hub edgesKnowledge gap analysisIdentify isolated nodes, untested hotspots, thin communities, and structural weaknessesSuggested questionsAuto-generated review questions from graph analysis (bridges, hubs, surprises)Edge confidenceThree-tier confidence scoring (EXTRACTED/INFERRED/AMBIGUOUS) with float scores on edgesGraph traversalFree-form BFS/DFS exploration from any node with configurable depth and token budgetExport formatsGraphML (Gephi/yEd), Neo4j Cypher, Obsidian vault with wikilinks, SVG static graphGraph diffCompare graph snapshots over time: new/removed nodes, edges, community changesToken benchmarkingMeasure naive full-corpus tokens vs graph query tokens with per-question ratiosEstimated context savingsCompact context_savings metadata on relevant MCP/CLI review outputs, labelled as estimated and kept to three small fieldsMemory loopPersist Q&A results as markdown for re-ingestion, so the graph grows from queriesCommunity auto-splitOversized communities (>25% of graph) are recursively split via LeidenExecution flowsTrace call chains from entry points, sorted by weighted criticalityCommunity detectionCluster related code via Leiden algorithm with resolution scaling for large graphsArchitecture overviewAuto-generated architecture map with coupling warningsRisk-scored reviewsdetect_changes maps diffs to affected functions, flows, and test gapsCustom languagesAdd new languages via .code-review-graph/languages.toml — no fork or code changes neededGitHub ActionSticky risk-scored PR review comments in CI, with an optional fail-on-risk merge gateRefactoring toolsRename preview, framework-aware dead code detection, community-driven suggestionsWiki generationAuto-generate markdown wiki from community structureMulti-repo registryRegister multiple repos, search across all of themMulti-repo daemoncrg-daemon watches multiple repos as child processes, with health checks and auto-restartMCP prompts5 workflow templates: review, architecture, debug, onboard, pre-mergeFull-text searchFTS5-powered hybrid search combining keyword and vector similarityLocal storageSQLite file in .code-review-graph/. Core graph storage needs no external database or cloud service.Watch modeContinuous graph updates as you work
Usage
CommandDescription/code-review-graph:build-graphBuild or rebuild the code graph/code-review-graph:review-deltaReview changes since last commit/code-review-graph:review-prFull PR review with blast-radius analysis
code-review-graph install # Auto-detect and configure all platforms
code-review-graph install --platform <name> # Target a specific platform
code-review-graph build # Parse entire codebase
code-review-graph update # Incremental update (changed files only)
code-review-graph status # Graph statistics
code-review-graph watch # Auto-update on file changes
code-review-graph visualize # Generate interactive HTML graph
code-review-graph visualize --format graphml # Export as GraphML
code-review-graph visualize --format svg # Export as SVG
code-review-graph visualize --format obsidian # Export as Obsidian vault
code-review-graph visualize --format cypher # Export as Neo4j Cypher
code-review-graph wiki # Generate markdown wiki from communities
code-review-graph detect-changes --brief # Risk panel + token savings (read-only)
code-review-graph update --brief # Refresh graph + same panel
code-review-graph detect-changes --brief --verify # Cross-check vs tiktoken
code-review-graph register <path> # Register repo in multi-repo registry
code-review-graph unregister <id> # Remove repo from registry
code-review-graph repos # List registered repositories
code-review-graph daemon start # Start multi-repo watch daemon
code-review-graph daemon stop # Stop the daemon
code-review-graph daemon status # Show daemon status and repos
code-review-graph eval # Run evaluation benchmarks
code-review-graph serve # Start MCP server
Both commands print the same compact panel showing how many tokens the graph saved you compared to handing the changed files to an agent raw. They differ in one thing: whether the graph gets refreshed first.
┌─────────────────────── Token Savings ────────────────────────┐
│ Full context would be: 12,921 tokens │
│ Graph context used: 762 tokens │
│ Saved: 12,159 tokens (~94%) │
│ Breakdown: Functions 244 · Tests 191 · Risk 244 · Other 83 │
└──────────────────────────────────────────────────────────────┘
CommandWhat it doesWhen to usedetect-changes --briefRead-only. Looks at your current changes, queries the existing graph, prints the panel. ~1 sec.Most of the time — the hooks (or crg-daemon) keep the graph fresh in the background, so this is enough.update --briefRe-parses your changed files into the graph first, then prints the same panel. ~5 sec.After a rebase, a large change set, or any time you suspect the graph is stale.
Both end with the same panel because both call the same analyze_changes() step at the end. The difference is whether the graph itself got refreshed before that analysis ran.
Add --verify to either command to cross-check the displayed numbers against OpenAI's cl100k_base tokenizer (the GPT-4 family). Requires pip install tiktoken. The estimate stays within ~1% of real tokens on a typical change set — see docs/REPRODUCING.md for the calibration data.
The same context_savings metadata is also attached automatically to the JSON responses of get_impact_radius, get_review_context, detect_changes, and get_architecture_overview MCP tools, so AI agents can surface the savings to humans in chat without any extra prompting.
If your editor doesn't support hooks (e.g. Cursor, OpenCode), or you just want your
graph to stay fresh in the background without any editor integration, the daemon is
for you. It watches your repos for file changes and automatically rebuilds the graph
— no manual build or update commands needed.
The daemon is included with code-review-graph — no separate install required.
Quick setup:
# 1. Register the repos you want to watch
crg-daemon add ~/project-a --alias proj-a
crg-daemon add ~/project-b
# 2. Start the daemon (runs in the background)
crg-daemon start
# 3. That's it — graphs stay up to date automatically
crg-daemon status # check daemon and per-repo watcher status
crg-daemon logs --repo proj-a -f # tail logs for a specific repo
crg-daemon stop # stop daemon and all watcher processes
Also available as code-review-graph daemon start|stop|status|....
Under the hood, crg-daemon add writes to a TOML config file at
~/.code-review-graph/watch.toml. You can also edit this file directly:
[[repos]]
path = "/home/user/project-a"
alias = "proj-a"
[[repos]]
path = "/home/user/project-b"
alias = "project-b"
The daemon monitors this config file for changes and automatically starts/stops watcher processes as repos are added or removed. Health checks every 30 seconds restart dead watchers. No external dependencies required.
See docs/COMMANDS.md for the full config reference and all available options.
Your AI assistant uses these automatically once the graph is built.
ToolDescriptionbuild_or_update_graph_toolBuild or incrementally update the graphrun_postprocess_toolRe-run flow detection, community detection, and FTS indexingget_minimal_context_toolUltra-compact context (~100 tokens) — call this firstget_impact_radius_toolBlast radius of changed filesget_review_context_toolToken-optimised review context with structural summaryquery_graph_toolCallers, callees, tests, imports, inheritance queriestraverse_graph_toolBFS/DFS traversal from any node with token budgetsemantic_search_nodes_toolSearch code entities by name or meaningembed_graph_toolCompute vector embeddings for semantic searchlist_graph_stats_toolGraph size and healthget_docs_section_toolRetrieve documentation sectionsfind_large_functions_toolFind functions/classes exceeding a line-count thresholdlist_flows_toolList execution flows sorted by criticalityget_flow_toolGet details of a single execution flowget_affected_flows_toolFind flows affected by changed fileslist_communities_toolList detected code communitiesget_community_toolGet details of a single communityget_architecture_overview_toolArchitecture overview from community structuredetect_changes_toolRisk-scored change impact analysis for code reviewget_hub_nodes_toolFind most-connected nodes (architectural hotspots)get_bridge_nodes_toolFind chokepoints via betweenness centralityget_knowledge_gaps_toolIdentify structural weaknesses and untested hotspotsget_surprising_connections_toolDetect unexpected cross-community couplingget_suggested_questions_toolAuto-generated review questions from analysisrefactor_toolRename preview, dead code detection, suggestionsapply_refactor_toolApply a previously previewed refactoringgenerate_wiki_toolGenerate markdown wiki from communitiesget_wiki_page_toolRetrieve a specific wiki pagelist_repos_toolList registered repositoriescross_repo_search_toolSearch across all registered repositories
MCP Prompts (5 workflow templates):
review_changes, architecture_map, debug_issue, onboard_developer, pre_merge_check
To exclude paths from indexing, create a .code-review-graphignore file in your repository root:
generated/**
*.generated.ts
vendor/**
node_modules/**
Note: in git repos, only tracked files are indexed (git ls-files), so gitignored files are skipped automatically. Use .code-review-graphignore to exclude tracked files or when git isn't available.
Optional dependency groups:
pip install code-review-graph[embeddings] # Local vector embeddings (sentence-transformers)
pip install code-review-graph[google-embeddings] # Google Gemini embeddings
pip install code-review-graph[communities] # Community detection (igraph)
pip install code-review-graph[enrichment] # Python call-resolution enrichment (Jedi)
pip install code-review-graph[eval] # Evaluation benchmarks (matplotlib)
pip install code-review-graph[wiki] # Wiki generation with LLM summaries (ollama)
pip install code-review-graph[all] # All optional dependencies
Environment Variables
VariableDescriptionDefaultCRG_GIT_TIMEOUTTimeout in seconds for Git operations30CRG_DATA_DIROverride directory for graph databases and generated graph artefacts-CRG_EMBEDDING_MODELDefault model for vector embeddingsall-MiniLM-L6-v2CRG_ACCEPT_CLOUD_EMBEDDINGSSuppress the cloud embedding egress warning after explicit acknowledgement-CRG_ALLOW_REMOTE_CODEAllow HuggingFace models that require trust_remote_code=True0CRG_MAX_IMPACT_NODESMaximum nodes to include in impact analysis500CRG_MAX_IMPACT_DEPTHSearch depth for blast-radius analysis2CRG_MAX_BFS_DEPTHMaximum depth for graph traversal15CRG_MAX_CHANGED_FUNCSMaximum changed functions analysed in one change report500CRG_MAX_TRANSITIVE_FRONTIERMaximum frontier size for transitive caller/callee expansion50CRG_TOOL_TIMEOUTOptional timeout in seconds for bounded MCP tools (0 disables timeout)0CRG_RECURSE_SUBMODULESInclude git submodules in file collection when set to 1, true, or yes-CRG_TOOLSComma-separated allowlist of MCP tools to expose when serving-GOOGLE_API_KEYAPI key for Google Gemini embeddings-MINIMAX_API_KEYAPI key for MiniMax embeddings-CRG_OPENAI_BASE_URLOpenAI-compatible embeddings endpoint-CRG_OPENAI_API_KEYAPI key for OpenAI-compatible embeddings-CRG_OPENAI_MODELModel name for OpenAI-compatible embeddings-CRG_OPENAI_DIMENSIONPin embedding dimension (v3 models support reduction)-NO_COLORIf set, disables ANSI colors in terminal-CRG_SERIAL_PARSEIf 1, disables parallel parsing (use for debugging)-
OpenAI-compatible embeddings (real OpenAI, Azure, or any self-hosted gateway like
new-api / LiteLLM / vLLM / LocalAI / Ollama in openai mode) need no extra install —
just set the environment variables and pass provider="openai" to embed_graph:
export CRG_OPENAI_BASE_URL=http://127.0.0.1:3000/v1 # or https://api.openai.com/v1
export CRG_OPENAI_API_KEY=sk-...
export CRG_OPENAI_MODEL=text-embedding-3-small # whatever your gateway serves
# optional:
export CRG_OPENAI_DIMENSION=1536 # pin dim (v3 models support reduction)
export CRG_OPENAI_BATCH_SIZE=100 # lower for gateways with tight limits
# (e.g. Qwen text-embedding-v4 caps at 10)
The cloud-egress warning is auto-skipped when the base URL points to localhost
(127.0.0.1, localhost, 0.0.0.0, ::1).
Model selection tip. Avoid
-preview/-beta/-expmodel IDs (e.g.google/gemini-embedding-2-preview) for anything you plan to keep long-term — preview models can change weights (different dimension → full re-embed required) or be deprecated without notice. Prefer stable GA releases such astext-embedding-3-small/text-embedding-3-large(OpenAI),Qwen/Qwen3-Embedding-8B(via self-hosted vLLM / LocalAI), orgemini-embedding-001(via the native Gemini provider, which requiresGOOGLE_API_KEYinstead of the OpenAI-compatible path).Also note:
code-review-graphcurrently embeds function signatures only (~10 tokens per node, e.g."parse_file function (path: str) returns Tree"). Models whose headline quality comes from long-context body understanding (such as Gemini 2 or Qwen3-8B at their MTEB-code SOTA scores) will see a much narrower quality gap against smaller models at this input length. Body/docstring embedding is tracked as a follow-up enhancement.
Tool Filtering
CRG exposes 30 MCP tools by default. In token-constrained environments, you can
limit the server to a subset of tools using --tools or the CRG_TOOLS
environment variable:
# Via CLI flag
code-review-graph serve --tools query_graph_tool,semantic_search_nodes_tool,detect_changes_tool
# Via environment variable
CRG_TOOLS=query_graph_tool,semantic_search_nodes_tool code-review-graph serve
The CLI flag takes precedence over the environment variable. When neither is set, all tools are available. This is especially useful for MCP client configurations:
{
"mcpServers": {
"code-review-graph": {
"command": "code-review-graph",
"args": ["serve", "--tools", "query_graph_tool,semantic_search_nodes_tool,detect_changes_tool,get_review_context_tool"]
}
}
}
FAQ & how it compares
Short, honest answers in docs/FAQ.md:
vs LSP / language servers — one persistent cross-language graph instead of per-language daemons; LSP stays more precise per symbol.
vs RAG / embeddings — structural edges parsed from the AST, not similarity chunks; embeddings are optional and only assist search.
vs grep / agentic search — grep wins on one-hop lookups; the graph wins on multi-hop questions (impact radius, callers-of-callers, tests-for, affected flows).
vs Serena, codegraph, claude-context, repomix — factual comparison table.
When NOT to use it — small repos, trivial single-file diffs, one-off questions.
Does it phone home? — no; zero telemetry, cloud embeddings are opt-in.
How do I verify it is working? —
status,detect-changes --brief,/mcp.
Troubleshooting
pip / pipx cannot download hatchling (or Errno 9 / Bad file descriptor to PyPI)
Installing from a source tree (for example pipx install .) needs build dependencies from PyPI (for example hatchling). If you see Could not find a version that satisfies the requirement hatchling after connection warnings, the Python/pip in that terminal may not be able to open an HTTPS client to pypi.org (sometimes seen in an integrated editor terminal; less often system-wide with VPN, firewall, or proxy).
Options:
Run the same command from macOS Terminal.app (or iTerm) instead of the IDE’s terminal, then retry
pipx install .orpipx install "git+https://...".Use uv to install the CLI from a checkout (uses different download machinery than
pipin many cases):cd /path/to/code-review-graph uv tool install . --forceFor development in a clone without a global install, use
uv syncanduv run code-review-graph …(or activate.venvafteruv sync).
Diagnose (optional): python3 scripts/diagnose_pypi_connectivity.py — if it prints FAILED, the issue is environment/network, not a wrong package name in this repo.
Windows Configuration Issues (Invalid JSON / Connection Closed)
If you are using Windows and encounter Invalid JSON: EOF while parsing or MCP error -32000: Connection closed when connecting via Claude Code, do not use the cmd /c wrapper in your config.
Ensure fastmcp is updated to at least 3.2.4+. Then, configure your ~/.claude.json to execute the .exe directly and pass the UTF-8 environment variable via the config:
"code-review-graph": {
"command": "C:\\path\\to\\your\\venv\\Scripts\\code-review-graph.exe",
"args": ["serve", "--repo", "C:\\path\\to\\your\\project"],
"env": { "PYTHONUTF8": "1" }
}
Contributing
git clone https://github.com/tirth8205/code-review-graph.git
cd code-review-graph
python3 -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"
pytest
Edit code_review_graph/parser.py and add your extension to EXTENSION_TO_LANGUAGE along with node type mappings in _CLASS_TYPES, _FUNCTION_TYPES, _IMPORT_TYPES, and _CALL_TYPES. Include a test fixture and open a PR.
Licence
MIT. See LICENSE.
On this page
- Quick Start
- How It Works
- Blast-radius analysis
- Incremental updates in < 2 seconds
- The monorepo problem, solved
- Broad language coverage + Jupyter notebooks
- Add your own language (no fork needed)
- Risk-scored PR reviews in CI (GitHub Action)
- Benchmarks
- Limitations and known weaknesses
- Features
- Usage
- Environment Variables
- Tool Filtering
- FAQ & how it compares
- Troubleshooting
- pip / pipx cannot download hatchling (or Errno 9 / Bad file descriptor to PyPI)
- Windows Configuration Issues (Invalid JSON / Connection Closed)
- Contributing
- Licence