CodeRadius DocsCLI Commands
Complete reference for all CodeRadius CLI commands, options, and flags.
CLI Commands
The CodeRadius CLI (cr) is the primary interface for analyzing architectural data, evaluating impact, running governance checks, and managing infrastructure. All commands are available after installing the CLI globally.
curl -sSL https://cdn.coderadius.ai/install.sh | bashQuick Start
# Start infrastructure
cr up
# Analyze your codebase architecture
cr analyze code ./services/*
# Open the Architecture Dashboard
cr ui
# Predict blast radius of code changes
cr blast
# Connect coding agents to the graph
cr mcp configureGlobal Usage
cr [command] [subcommand] [options]
cr --version
cr --helpCommand categories:
| Category | Commands |
|---|---|
| Core | analyze, impact, check, ask, ui, docs |
| Setup | init, up, down, mcp |
| Maintenance | reset, clean, state, config |
Init
Initializes the CodeRadius workspace for the current directory or user environment.
What it does:
- Creates
~/.coderadius/config/settings.jsonwith LLM provider configuration (Google Vertex AI, Google AI Studio, Anthropic, OpenAI, or Ollama) - Creates
~/.coderadius/config/credentials.json(chmod 600) for API keys - Interactively generates a
.crignorefile using AI analysis of the current directory tree to exclude frontend noise, vendored dependencies, and generated files - Optionally installs shell autocompletion for
cr
cr initThis command is interactive. It requires no flags but walks you through several prompts.
Example session:
◆ Which LLM provider would you like to use?
│ ● Google Vertex AI (GCP project required)
│ ○ Google AI Studio (API key, simplest)
│ ○ Anthropic Claude
│ ○ OpenAI
│ ○ Ollama (local, no API key needed)
◆ Google Cloud Project ID: my-gcp-project
◆ Default Model: gemini-3.1-flash-lite
◆ Do you want to run the AI now to generate a .crignore?
Yes / NoAfter running cr init, your configuration is stored globally at ~/.coderadius/config/settings.json. You can override it on a per-project basis using a local .env file. The format uses a concise provider/model string syntax:
{
"ai": {
"default": "vertex/gemini-3.1-flash-lite",
"chat": "vertex/gemini-3.1-pro",
"embedding": "openai/text-embedding-3-small"
}
}Architecture Analysis
Commands for analyzing codebases and building the architectural graph. All analysis commands are subcommands of cr analyze.
Analyze Code
The primary analysis command. Analyzes source code directories, parses configuration files, extracts tainted functions, and upserts all results into the Memgraph graph database. The --depth flag controls analysis depth.
cr analyze code [paths...] [options]Arguments:
| Argument | Description |
|---|---|
paths... | One or more source paths to analyze. Accepts globs. Defaults to the current working directory. |
Options:
| Option | Description |
|---|---|
-v, --verbose | Enable verbose logging. Prints timestamps and per-function extraction details. |
--depth <level> | Analysis depth. Default: semantic. See Depth Levels below. |
--force | Bypass all caches (Merkle, Scout, Extractor) and re-analyze everything from scratch. Use after a .crignore change or a suspected stale graph state. |
--json | Outputs the analysis telemetry report as JSON to stdout. Useful for piping into CI dashboards. |
--paths-file <file> | Read source targets from a file (one target per line, useful for large fleets). |
--source-strategy <strategy> | Explicit source resolution strategy override. Values: cache, pull, ci. |
--llm-concurrency <n> | Override LLM parallelism level (1–20, default: 3). |
--taint-depth <n> | Override taint propagation max iterations (1-100, default: 32). |
--vuln | Enrich the dependency graph with known vulnerability data from OSV.dev. See Analyze Vuln. |
--trace [dir] | Generate a structured execution trace report. Defaults to ~/.coderadius/traces/. |
Depth Levels
| Depth | Scope | LLM? | Description |
|---|---|---|---|
structure | Topology, agentic context, API specs, dependencies | No | Lightweight structural scan. Maps repos, services, teams, agentic configs, and structural files. No source code parsing, no LLM. |
semantic (default) | + source code analysis, cross-service resolution | Yes | Full code analysis with AST parsing, taint analysis, LLM semantic extraction, and cross-service dependency resolution. |
contracts | + data contract field extraction | Yes (heavy) | Everything in semantic plus data contract extraction: produced and consumed payload schemas (field names and types) for every I/O boundary. |
Examples:
# Analyze the current directory (default: semantic depth)
cr analyze code
# Analyze multiple service roots
cr analyze code ./services/payments ./services/identity ./services/notifications
# Analyze all repos in a directory (glob)
cr analyze code ./repos/*
# Structure-only scan (no LLM, fast)
cr analyze code ./repos/* --depth structure
# Full data contract extraction
cr analyze code ./services/* --depth contracts
# Force complete re-analysis (no cache)
cr analyze code ./services/* --force
# CI mode: output JSON telemetry to stdout
cr analyze code --source-strategy ci --json
# Increase LLM parallelism for faster extraction
cr analyze code ./services/* --llm-concurrency 10Telemetry Output:
After a successful analyze code run, the CLI prints a funnel report showing:
- Total repositories discovered
- Functions found by language
- Functions after taint filtering
- Functions sent to LLM for semantic extraction
- New nodes/edges written to the graph
- Total LLM token consumption and estimated cost
Analyze Traces
Analyzes runtime telemetry (distributed traces) from Datadog or Jaeger exports. Overlays the trace topology on top of the static graph, validating the static architecture against real runtime behavior.
cr analyze traces --file <path> [options]Options:
| Option | Required | Description |
|---|---|---|
-f, --file <path> | ✅ Required | Path to the JSON traces export file |
-v, --verbose | No | Verbose logging |
Example:
# Analyze a Datadog traces export
cr analyze traces --file ./traces/datadog-export.json
# Analyze a Jaeger export
cr analyze traces --file ./jaeger-traces.jsonAnalyze Vuln
Scans all package dependencies in the graph for known vulnerabilities (CVEs) by querying the OSV.dev public database. Creates Vulnerability nodes and links them to affected Package nodes with version-aware edges.
This command can also run inline during cr analyze code via the --vuln flag.
cr analyze vuln [options]Options:
| Option | Description |
|---|---|
-v, --verbose | Enable verbose logging |
--refresh | Force re-fetch from OSV even if the local cache is fresh |
--offline | Skip API calls, use cached data only |
--json | Output results as JSON |
Privacy: only public package names and versions are sent to OSV.dev. Source code, file paths, and repository metadata never leave the machine.
Examples:
# Scan all packages in the graph for vulnerabilities
cr analyze vuln
# Force refresh from OSV (bypass 24h cache)
cr analyze vuln --refresh
# Offline mode: use only cached vulnerability data
cr analyze vuln --offline
# Inline during code analysis
cr analyze code ./services/* --vulnGraph impact:
| Node / Edge | Description |
|---|---|
Vulnerability | CVE/advisory node with severity, CVSS score, fix version, references |
(Package)-[:HAS_VULNERABILITY]->(Vulnerability) | Links package to vulnerability, with vulnerableInstalledVersions[] for version-aware blast radius queries |
Example Cypher query (which services have critical CVEs in production deps):
MATCH (v:Vulnerability)<-[hv:HAS_VULNERABILITY]-(p:Package)<-[dep:DEPENDS_ON]-(s:Service)
WHERE v.severity = 'CRITICAL' AND dep.isDev = false
AND dep.installedVersion IN hv.vulnerableInstalledVersions
RETURN s.name, p.name, v.osvId, v.cvssScoreImpact Evaluation
Predicts the architectural blast radius of a code change in memory, without modifying the production graph. Returns a structured finding report at three severity levels (DANGER, WARNING, INFO) and emits a semantic exit code so CI / agents can branch without parsing the text output.
cr blast [path] [options]The repo path is a positional argument and defaults to the current directory, matching the cr analyze convention. Pass an explicit path to evaluate a different workspace.
Exit codes:
| Code | State | When |
|---|---|---|
0 | SAFE | No breaks, no warnings |
1 | WATCH | No breaks, at least one warning worth reviewing |
2 | BREAKING | At least one downstream consumer will break |
Options:
| Option | Description |
|---|---|
--base <sha-or-branch> | Base commit SHA or branch to diff against (default: origin/main) |
--head <sha> | Head commit SHA to analyze (defaults to HEAD) |
--files <files> | Comma-separated list of files to analyze, bypassing git diff |
--repo-name <name> | Canonical identifier for the repository within the global graph |
-m, --intent <text> | Semantic context declaring the purpose of the change (enhances analysis precision) |
--output <file> | Direct structured output to a specified file path |
--format <format> | Output format: auto (default, tty-aware), markdown, or json |
--advisory | Always return exit code 0, even on DANGER findings (advisory mode) |
--allow-unknown-baseline | Proceed even if the repository is absent from the master graph (confidence drops to LOW) |
--verbose | Emit extended execution traces for the resolution pipeline |
Examples:
# Standard usage (current directory, default base origin/main)
cr blast
# Analyze a sibling repo
cr blast ../orchestrator
# Override base / head refs
cr blast --base main --head feature/redis-auth
# Describe the intent for better LLM context
cr blast -m "Migrate auth module to Redis"
# Output markdown for CI comment injection
cr blast --format markdown > report.md
# Analyze specific files without git
cr blast --files "src/payments/PaymentController.php"
# Advisory mode (never blocks CI)
cr blast --advisorySee Impact Evaluation for full integration instructions for GitHub Actions, GitLab CI, and Bitbucket Pipelines.
Governance Policy Check
Runs governance rules defined in YAML against the architecture graph. Returns violations at configurable severity levels.
cr check [options]Options:
| Option | Required | Description |
|---|---|---|
--rules <path> | ✅ Required | Path to a YAML policy file or directory of policy files |
--output <mode> | No | Output format: json, sarif, table (default), graph |
--fail-on <severity> | No | Exit with code 1 if violations at or above this severity (error, warning, info). Default: error |
--timeout <ms> | No | Per-query timeout in milliseconds (DoS guard). Default: 5000 |
--tag <tag> | No | Only run rules with this tag |
--min-severity <severity> | No | Only run rules at or above this severity (info, warning, error) |
--out <file> | No | Write output to a file instead of stdout |
Examples:
# Run all rules in a directory
cr check --rules ./policies/
# Output as SARIF (for IDE integration)
cr check --rules ./policies/ --output sarif --out results.sarif
# Fail on warnings too
cr check --rules ./policies/ --fail-on warning
# Only run rules tagged "security"
cr check --rules ./policies/ --tag security
# Write evaluation results into the graph for dashboard visualization
cr check --rules ./policies/ --output graphArchitecture Dashboard
Generates the Architecture Dashboard — a unified view of organizational AI tooling observability, package dependencies, data gravity, governance alerts, and impact topology.
cr ui [options]Options:
| Option | Default | Description |
|---|---|---|
--out <path> | Generated temp file | Output path for the self-contained HTML dashboard |
--focus <domain> | All tabs | Focus the dashboard on a single architectural domain (inventory, agentic-radar, deps, gravity, impact, governance) |
--json | false | Output pure JSON (headless/CI mode) |
Example:
# Generate the dashboard and auto-open it
cr ui
# Generate with a timestamped filename
cr ui --out ./reports/health-$(date +%Y-%m-%d).html
# Focus the dashboard exclusively on the blast radius/impact topology
cr ui --focus impact
# Output raw JSON for CI pipelines
cr ui --jsonSee Architecture Dashboard for a full explanation of the dashboard domains and components.
Docs
Commands for generating and managing architecture documentation. All doc commands are subcommands of cr docs.
Generate Specifications
Generates a comprehensive ARCHITECTURE.md for a target service, including C4 diagrams and architectural risk analysis. Uses the LLM configured during cr init.
cr docs generate [options]Options:
| Option | Default | Description |
|---|---|---|
-t, --target <service-name> | Interactive prompt | Name of the service to document. If omitted, an autocomplete prompt shows all known services. |
-o, --output <path> | ./ARCHITECTURE.md | Output file path |
--skip-risk | false | Skip risk analysis — generates C4 diagrams only. Faster and cheaper. |
Example:
# Interactive service selection
cr docs generate
# Target a specific service
cr docs generate --target payments-service
# Generate for a specific service, output to a custom path
cr docs generate --target orders-api --output ./docs/architecture/orders.md
# Skip risk analysis (faster)
cr docs generate --target payments-service --skip-riskThe generated document includes:
- C4 Context and Container diagrams (Mermaid format)
- List of inbound consumers and outbound dependencies
- Architectural risk metrics: Blast Radius Score, downstream services impacted, critical data dependencies
- LLM-generated narrative describing the service's purpose, responsibilities, and risk profile
Agentic Chat
Opens an interactive terminal chat session with the CodeRadius Architect Agent — an LLM-powered agent with full access to your architectural graph via MCP tools.
cr askYou can ask the agent questions like:
- "Which services consume the payments queue?"
- "What would break if I rename the
customerIdfield in the orders table?" - "Which teams have the highest SPOF exposure in the architecture?"
MCP Server
Commands for managing the Model Context Protocol (MCP) server integration with IDE agents.
Start Server
Starts the CodeRadius MCP server on stdio for IDE agent integration.
cr mcp startConfigure IDE
Interactive wizard that auto-detects installed IDE environments (Cursor, Windsurf, Claude Desktop, Claude Code, Gemini CLI, Antigravity) and injects the MCP server configuration automatically.
cr mcp configureFor full MCP documentation — available tools, security model, IDE configuration examples, and debugging tips — see the dedicated MCP Server page.
Infrastructure Management
Commands for managing the local infrastructure (Memgraph graph database).
Start Database
Starts the Memgraph graph database container using Docker and initializes the database schema.
cr upWhat it does:
- Runs preflight checks (Docker installed, daemon running, workspace initialized, port available)
- Creates or restarts the Memgraph container on
bolt://localhost:7687 - Initializes the database schema and vector indexes
Requires Docker to be running. If Memgraph is already running, this command is idempotent.
Stop Database
Stops the Memgraph container. Data is persisted in Docker volumes by default.
cr down [options]| Option | Description |
|---|---|
--clean | Remove container and volumes (full reset) |
Example:
# Stop, preserving data
cr down
# Stop and wipe all data
cr down --cleanState Management
Export and import architecture graph snapshots. Useful for sharing state between environments, version-controlling your graph, or disaster recovery.
State Export
Dumps the architecture graph to a .cypherl snapshot file (one Cypher statement per line, Git-diffable).
cr state export [options]| Option | Default | Description |
|---|---|---|
--out <path> | ./state.cypherl | Output file path |
Example:
# Export to default file
cr state export
# Export to a specific path
cr state export --out ./backups/graph-$(date +%Y%m%d).cypherlState Import
Restores the architecture graph from a .cypherl snapshot. By default, the existing graph is wiped before importing.
cr state import <file> [options]| Option | Description |
|---|---|
--force | Skip confirmation prompt (for scripting/CI) |
--no-wipe | Don't clear the graph before import (additive import) |
Example:
# Restore from a snapshot (wipes current graph)
cr state import ./state.cypherl
# Additive import (layer on top of existing graph)
cr state import ./second-env.cypherl --no-wipe
# CI mode (no confirmation)
cr state import ./state.cypherl --forceData Pruning
Destructive operations for removing data from the graph or cache. Use with caution — these operations cannot be undone.
Prune Graph
Permanently deletes all nodes, relationships, and indexes from the Memgraph database. Requires explicit confirmation.
cr prune graph [options]| Option | Description |
|---|---|
--force | Skip confirmation prompt (e.g. for scripting/CI) |
After pruning, run cr analyze code to repopulate the graph.
Prune Cache
Clears all local caches (embeddings, classifiers, OSV, datastore assignments) and downloaded repositories. The next analysis run will re-analyze everything from scratch.
cr prune cache [options]| Option | Description |
|---|---|
--force | Skip confirmation prompt (e.g. for scripting/CI) |
Prune All
Wipes the graph database AND deletes all local caches in a single operation.
cr prune all [options]| Option | Description |
|---|---|
--force | Skip confirmation prompt (e.g. for scripting/CI) |
Grounding Review
Read-only commands for inspecting the trust attribution of entities in the graph. See the Grounding & Trust Tiers guide for the conceptual model.
Review Pending
Lists every inferred entity flagged with needsReview = true, grouped by node label. The engine flags entities when it cannot decide between competing signals, when a sanitizer fallback fires on a weak source, or when a mutation runs without a grounding argument (defensive catch).
cr review pending [options]| Option | Description |
|---|---|
--label <name> | Restrict to a single inferred label (MessageChannel, DataContainer, APIEndpoint, ...) |
--quality-at-least <tier> | Keep only entities whose quality is at least the given tier (exact, high, medium, low, speculative) |
--source <s> | Keep only entities whose grounding source matches (ast, heuristic, llm, composite, declared, infra, runtime). Repeat the flag for multiple sources |
The command is read-only: it prints the triage list and exits. To act on a flagged entity, either accept the engine's inference (no action), tighten the source code so a static extractor catches it, or declare the entity in coderadius.yaml to override the tier with a declared source.
# All pending entities
cr review pending
# Only flagged MessageChannels
cr review pending --label MessageChannel
# Only LLM-inferred entities with quality medium or above
cr review pending --quality-at-least medium --source llm
# LLM-inferred OR heuristic-inferred (anything not from AST or composite)
cr review pending --source llm --source heuristicDiagnostic Coverage Dump
The diagnostic script scripts/diag-graph-coverage.ts dumps every inferred entity in the graph with its grounding columns. Useful for sanity-checking an analysis, comparing two ingestion runs, or finding stale entities filtered by source.
bun run scripts/diag-graph-coverage.ts [options]| Option | Description |
|---|---|
--repo <name> | Restrict to a single repository scope |
--quality-at-least <tier> | Keep only entities whose quality is at least the given tier |
--source <s> | Keep only entities whose grounding source matches |
# Production-trust baseline: only what the AST extractor verified directly
bun run scripts/diag-graph-coverage.ts --source ast
# Trust above the noise floor
bun run scripts/diag-graph-coverage.ts --quality-at-least high
# Find what the LLM inferred for a single repo (so you can sanity-check it)
bun run scripts/diag-graph-coverage.ts --repo my-repo --source llmConfiguration
Commands for managing settings, team aliases, and shell completion.
Show Config
Displays the current resolved configuration — showing the merged result of global settings (~/.coderadius/config/settings.json), local .env file, and environment variables. Shows resolved provider and model per action context (default, ingest, chat, doc, mcp).
cr config show [options]| Option | Description |
|---|---|
--json | Output as raw JSON |
Team Alias Management
Manages AI-proposed team identity aliases. During analysis, CodeRadius may detect that multiple repository-level organization names refer to the same logical team. These proposals are surfaced as "phantom teams" that can be approved or rejected.
# List all pending team alias proposals
cr config team-alias list
cr config team-alias list --pending # Only pending
# Approve a phantom team alias
cr config team-alias approve "platform-payments"
# Reject a phantom team alias
cr config team-alias reject "platform-payments-old"Shell Completion
Manages shell autocompletion for the cr CLI.
# Install autocompletion into your shell profile (.bashrc / .zshrc)
cr config completion --setup
# Remove autocompletion from your shell profile
cr config completion --cleanupAfter running --setup, restart your terminal or source your profile file. Tab completion will then work for all cr commands and subcommands.
Legacy Command Aliases
For backward compatibility, the following old command names are still supported as hidden aliases. They delegate to the new canonical commands:
| Legacy Command | New Command |
|---|---|
cr sync code | cr analyze code |
cr sync meta | cr analyze code --depth structure |
cr sync traces | cr analyze traces |
cr ingest code | cr analyze code |
cr ingest meta | cr analyze code --depth structure |
cr ingest traces | cr analyze traces |
cr eval blast | cr blast |
cr eval impact | cr blast |
cr impact | cr blast |
cr policy check | cr check |
cr dashboard | cr ui |
cr chat | cr ask |
cr start | cr up |
cr stop | cr down |
cr doc generate | cr docs generate |
cr team-alias | cr config team-alias |
cr completion | cr config completion |
Legacy aliases are hidden from cr --help output but continue to work. Update scripts and CI pipelines to use the new canonical commands.
Environment Variables
CodeRadius reads the following environment variables, either from your shell, a local .env file, or the global ~/.coderadius/config/credentials.json:
| Variable | Description |
|---|---|
MEMGRAPH_URI | Bolt URI for Memgraph (default: bolt://localhost:7687) |
MEMGRAPH_USER | Memgraph username (default: coderadius) |
MEMGRAPH_PASSWORD | Memgraph password (default: coderadius) |
GOOGLE_APPLICATION_CREDENTIALS | Path to Google Cloud service account JSON (for Vertex AI) |
GOOGLE_GENERATIVE_AI_API_KEY | Google AI Studio API key |
OPENAI_API_KEY | OpenAI API key |
ANTHROPIC_API_KEY | Anthropic API key |
CODERADIUS_DEBUG | Set to 1 to enable debug logging globally |