CodeAtlas Extension
A VSIX that runs in any Code-OSS-based editor. It indexes your workspace, persists a SQLite snapshot under .codeatlas/state.db, and renders six diagram layers (Microservices, Features, API sequences, File dependencies, Function flowcharts, plus a Code Health dashboard) in a local browser tab — live-updated as you edit. Plus a Knowledge Map, Domain view, guided Tour, API Testing workbench, and AI Code Review built on the same six-layer model.
How it works
- On activation it scans the workspace and parses every source file — 11 languages (JS / TS, Python, Java, Kotlin, Go, Rust, Ruby, PHP, Swift, Dart, C#).
- A local web server starts on
localhost:7742. Diagrams render in your browser as you edit. - A file watcher rebuilds affected layers on save with a 500 ms debounce. When you change a function, the function flowchart updates first, then the file diagram, then the sequence diagram for any route that calls into it, then the feature cluster, then the system-design view — automatically.
- Clicking a node in the browser deep-links back into the editor via
vscode://codeatlaslive.codeatlas-live/…(or the equivalent custom scheme for Cursor / Windsurf / Antigravity).
What gets indexed
Routes (HTTP, gRPC, GraphQL, WebSocket, SSE, MCP), background jobs, message-queue consumers, CLI commands, ORM lifecycle hooks, migrations, deep-link intent filters, widget targets, and 40+ web frameworks plus the mobile stacks (Jetpack Compose, SwiftUI, Flutter, React Native, Expo Router, Xamarin / .NET MAUI) and infrastructure-as-code (AWS SAM, AWS CDK, Serverless Framework). The full list lives on the tools reference page.
Install
Pick your editor:
State & security
- Where state lives:
.codeatlas/state.dbin your workspace root. Delete it to reset all diagrams and the baseline. - Secret redaction: passwords and connection URIs are stripped before persisting to disk.
- Path-traversal guard: every file open validates the path stays inside the workspace root.
- Strict Content Security Policy on the welcome webview — no inline scripts, every script source signed with a fresh per-load nonce.
- LLM consent: cluster / service naming hits an LLM only after an explicit one-time prompt. Code snippets are redacted before sending.
AI code review
The extension reviews your code using the same six layers it draws. Click AI Review on the home page and every route, job, and background task gets reviewed individually. Findings appear on the diagram layer they belong to — auth issues on the API row, N+1 queries on the sequence diagram, dead code on the file view.
- Every finding quotes the actual source. If a model invents an issue, the quote won't match your file and it gets filtered out before you see it. A DEBUG toggle on the home page lets you compare what gets filtered vs. what the model first said.
- Smarter severity. Known-bad patterns —
JWT_SECRET ||fallbacks,eval(),dangerouslySetInnerHTML, N+1 queries — auto-bump to error severity regardless of what the model rated them. - False alarms get caught early. "Auth required on writes" no longer fires on GET routes; "webhook signature missing" no longer fires on non-webhook paths.
- Your own review rules. A Review Guidelines section on the home page lets your team write rules in plain text (up to 8 KB) — the AI reads them on every review run.
- Findings on every layer. Each diagram header shows a count chip color-coded by severity. Click it to open the review panel scoped to that view. Click any colored dot on a node, message, or function to read the full finding with Resolve / Ignore actions.
- Search in plain English. Type "what's wrong with auth?" or "anything fishy in the article create flow?" and you get the matching findings, ranked by relevance.
- Bring your own AI. OpenRouter, OpenAI, Anthropic, or Ollama (fully local — no API key needed). Configure once from the home page.
Want to drive review from your AI coding assistant instead of the panel? The MCP server exposes 15 review tools — see /docs/mcp/tools.
Running alongside the MCP server
The extension and the standalone MCP server can both run against the same workspace without conflict. The MCP server takes priority when it's running — the extension automatically defers so you don't end up with two processes fighting over the snapshot. When the MCP server stops, the extension picks back up. Nothing to configure.
http://localhost:7742 in your browser. Diagrams update as you save.Uninstall / reset
# Stop the editor first, then:
rm -rf .codeatlas/
# Reopen — it re-indexes from scratch.