CodeAtlas Extension
A VSIX that runs in any Code-OSS-based editor. It indexes your workspace, persists a SQLite snapshot under .codeatlas/state.db, and renders six diagram layers (Microservices, Features, API sequences, File deps, Function flowcharts, Health) in a local browser tab — live-updated as you edit.
How it works
- On activation it scans the workspace, parses every source file with Babel (JS/TS) or tree-sitter (Python, Java, Kotlin, Go, Rust, Ruby, PHP, Swift, Dart, C#) and writes the resulting graphs to .codeatlas/state.db.
- A local web server starts on localhost:7742. Diagrams render there as React Flow / custom SVG. The extension itself only ships a small welcome view — the diagrams are not in a webview.
- A file watcher rebuilds affected layers on save with a 500 ms debounce. Cascade rules push changes from L5 (function flow) up through L4 (file), L3 (sequence), L2 (features) to L1 (microservices).
- Clicking a node in the browser deep-links back into the editor via vscode://codeatlaslive.codeatlas-live/… (or the equivalent custom scheme for Cursor / Windsurf / Antigravity).
What gets indexed
Routes (HTTP, gRPC, GraphQL, WebSocket, SSE, MCP), background jobs, message-queue consumers, CLI commands, ORM lifecycle hooks, migrations, deep-link intent filters, widget targets, and 30+ web frameworks plus the mobile stacks. The full list lives on the tools reference page.
Install
Pick your editor:
State & security
- Where state lives: .codeatlas/state.db in your workspace root. Delete it to reset all diagrams and the baseline.
- Secret redaction: passwords and connection URIs are stripped before persisting to disk.
- Path-traversal guard: every file open validates the path stays inside the workspace root.
- CSP: the welcome webview uses script-src 'nonce-{crypto}' 'strict-dynamic' — no unsafe-inline.
- LLM consent: cluster / service naming hits an LLM only after an explicit one-time prompt. Code snippets are redacted before sending.
AI code review
The extension reviews your code using the same six layers it draws. Click AI Review on the home page and every route, job, and background task gets reviewed individually. Findings appear on the diagram layer they belong to — auth issues on the API row, N+1 queries on the sequence diagram, dead code on the file view.
- Every finding quotes the actual source. If a model invents an issue, the quote won't match your file and it gets filtered out before you see it. A DEBUG toggle on the home page lets you compare what gets filtered vs. what the model first said.
- Smarter severity. Known-bad patterns — JWT_SECRET || fallbacks, eval(), dangerouslySetInnerHTML, N+1 queries — auto-bump to error severity regardless of what the model rated them.
- False alarms get caught early. "Auth required on writes" no longer fires on GET routes; "webhook signature missing" no longer fires on non-webhook paths.
- Your own review rules. A Review Guidelines section on the home page lets your team write rules in plain text (up to 8 KB) — the AI reads them on every review run.
- Findings on every layer. Each diagram header shows a count chip color-coded by severity. Click it to open the review panel scoped to that view. Click any colored dot on a node, message, or function to read the full finding with Resolve / Ignore actions.
- Search in plain English. Type "what's wrong with auth?" or "anything fishy in the article create flow?" and you get the matching findings, ranked by relevance.
- Bring your own AI. OpenRouter, OpenAI, Anthropic, or Ollama (fully local — no API key needed). Configure once from the home page.
Want to drive review from your AI coding assistant instead of the panel? The MCP server exposes 15 review tools — see /docs/mcp/tools.
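The quote check and severity bump from the list above, sketched as an added example (not CodeAtlas's own code). The finding shape, function names and sample data are assumptions, and N+1 detection is left out because it is not a textual pattern.

```javascript
// Added example, not CodeAtlas source. The finding shape {file, quote, severity}
// and all names below are assumptions made for illustration.
const KNOWN_BAD = [
  /JWT_SECRET\s*\|\|/,        // fallback to a hard-coded signing secret
  /\beval\s*\(/,              // dynamic code execution
  /dangerouslySetInnerHTML/,  // raw HTML injection point in React
];
const MIN_QUOTE_LEN = 8; // very short quotes match almost any file

// Collapse whitespace so a quote the model re-wrapped still matches the source.
const normalize = (s) => s.replace(/\s+/g, ' ').trim();

function verifyFindings(findings, files) {
  const kept = [];
  const dropped = [];
  for (const f of findings) {
    const src = files.get(f.file);
    const quote = normalize(String(f.quote ?? ''));
    const grounded =
      typeof src === 'string' &&
      quote.length >= MIN_QUOTE_LEN &&
      normalize(src).includes(quote);
    if (!grounded) {
      dropped.push(f); // invented quote, unknown file, or too short to trust
      continue;
    }
    // The bump is decided from the verified quote, so the model's own rating
    // cannot downgrade a known-bad pattern.
    const bump = KNOWN_BAD.some((re) => re.test(quote));
    kept.push({ ...f, severity: bump ? 'error' : f.severity });
  }
  return { kept, dropped };
}

// Constructed sample input: one file and four model findings.
const SAMPLE_FILES = new Map([
  ['src/auth.js',
    "const secret = process.env.JWT_SECRET || 'dev-secret';\n" +
    'function sign(p) { return jwt.sign(p, secret); }\n'],
]);
const SAMPLE_FINDINGS = [
  { file: 'src/auth.js', severity: 'warning', quote: "process.env.JWT_SECRET  ||\n  'dev-secret'" },
  { file: 'src/auth.js', severity: 'error', quote: 'const out = eval(req.body.code);' },
  { file: 'src/auth.js', severity: 'info', quote: 'return jwt.sign(p, secret);' },
  { file: 'src/missing.js', severity: 'error', quote: 'eval(userInput)' },
];
const { kept, dropped } = verifyFindings(SAMPLE_FINDINGS, SAMPLE_FILES);
console.log(kept.map((f) => f.severity), dropped.length);
```

The second and fourth findings are dropped even though they mention eval(), because neither quote exists in a file the workspace actually contains.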
Running alongside the MCP server
The extension and the standalone MCP server can both attach to the same workspace. They coordinate via an atomic lock file at .codeatlas/.mcp-owner. The MCP server is preferred — when it starts it writes .codeatlas/.mcp-preempt; the extension watches that file and yields by disabling auto-update and dropping the lock. Symmetric on the way back.
http://localhost:7742 in your browser. Diagrams update as you save.
Uninstall / reset
# Stop the editor first, then:
rm -rf .codeatlas/
# Reopen — it re-indexes from scratch.