CodeRadius LogoCodeRadius Docs
User Guide

Supported Frameworks

CodeRadius builds a knowledge graph of a codebase's architecture: services, APIs, databases, and message channels. It combines three extraction methods: tree-sitter AST parsing for deterministic signals (decorators, route registrations, ORM annotations), regex-based entrypoint/connection-string detection, and LLM analysis for anything a parser can't resolve statically. This page lists what's detected for each language, framework, protocol, and infrastructure component, and by which method.

Note: Missing a framework or protocol? coderadius.yaml lets you declare any pattern static analysis can't infer automatically.


StatusMeaning
FullDeterministic AST-level extraction with high precision. Rows marked (eval-verified) are pinned by committed extraction fixtures in tests/eval/extraction/; unmarked rows are deterministic but not yet pinned to a fixture.
PartialCore patterns supported deterministically, or detection is LLM-driven with deterministic post-validation. Advanced or dynamic patterns may need coderadius.yaml hints.
PlannedNot implemented.

TypeScript / JavaScript

AST-level parsing with decorator-based and convention-based (file-path) routing extraction.

FrameworkStatusNotes
NestJSFullControllers, Resolvers (@Resolver/@Query/@Mutation/@Subscription), Guards (@UseGuards), @MessagePattern, @EventPattern, cache interceptors (@UseInterceptors(CacheInterceptor)) (eval-verified)
ExpressFullRoute registration on apps and Routers (eval-verified). Middleware in the handler chain is tolerated, not modeled. Prefix-mounted routers (app.use('/api', router)) resolve without the mount prefix.
FastifyFullRoute registration via shorthand and app.route({method, url}) object form (eval-verified). The schema option is not read.
HonoFullRoute registration (eval-verified). Route-group mounting (app.route('/prefix', subApp)) not yet prefix-resolved.
KoaFullRouter-based route registration (eval-verified)
Next.jsPartialApp Router (app/**/route.ts) and Pages Router (pages/api/**) file-convention routes; server actions extracted as routes. Page-level data fetching not traced.
SvelteKitPartialFile-convention routes (src/routes/**/+server.ts)
NuxtPartialFile-convention routes (server/routes/**)
Apollo ServerPartial@Resolver, @Query, @Mutation, @Subscription. Client-side operations traced as outbound dependencies.
routing-controllers / tsoa / inversify-express-utils / Ts.ED / type-graphqlPartialDecorator routing recognized by the same signal extractor as NestJS (@JsonController, @Route, etc.)

Also detected: TypeORM @Entity/EntitySchema (eval-verified), MikroORM, sequelize-typescript, Mongoose/Typegoose/@nestjs/mongoose, Drizzle pgTable/mysqlTable/sqliteTable entities; Bull/BullMQ @Processor/@Process queue consumers, CQRS handlers, @Cron/@Interval/@Timeout scheduled jobs, nest-commander CLI entrypoints; capability decorators for auth, rate-limit, cache, and transactional boundaries; typed API clients via Zodios and urql.


PHP

AST-level parsing with support for PHP 8 attributes, legacy DocBlock annotations, and convention-based routing.

FrameworkStatusNotes
SymfonyFull#[Route] attributes and legacy @Route annotations (class prefix + method), Messenger handlers (#[AsMessageHandler] and legacy __invoke(TypedMessage)), Doctrine ORM entities (eval-verified)
SlimFullRoute registration via $app, route groups with prefix concatenation (eval-verified)
LaravelFullRoute::get/post/..., Route::resource, Route::apiResource, Route::match, Route::any, Eloquent models (eval-verified). Complex facade-based calls may benefit from coderadius.yaml hints.
API PlatformPartial#[ApiResource] default REST surface (collection + item CRUD) derived from the class name. Custom operations/uriTemplate not parsed. GraphQL operations surfaced via an LLM hint only.
LumenPartialRoute registration via $router. Shares Laravel's facade-resolution limitations.
CodeIgniter 4PartialRoute registration
WordPressPartialREST routes (register_rest_route/wp-json/...), AJAX hooks (wp_ajax_*)
Hyperf / SwoolePartial#[GetMapping], #[Controller] attributes
PhalconPartial#[Get] attributes, action-method convention
Yii 2PartialactionXxx() method convention
Legacy filesystem routingPartialPlain PHP files under a web root treated as implicit routes

Python

No static route extractor. AST parsing covers functions, imports, and env vars. Routes and ORM models are detected via LLM analysis; a deterministic path validator (validateInboundPath) checks the result and accommodates framework-specific path styles (e.g. Django's optional leading slash).

FrameworkStatusNotes
FastAPIPartialRoute decorators (@app.get/post) detected via LLM analysis with deterministic path validation. App entrypoint detection (FastAPI(, uvicorn.run() is regex-based. Committed openapi.yaml specs cross-referenced like any other repo.
FlaskPartialRoute decorators (@app.route) detected via LLM analysis with deterministic path validation. Flask( entrypoint detection is regex-based. Blueprints and url_for are not specifically modeled.
DjangoPartialService/entrypoint detection via DJANGO_SETTINGS_MODULE / django.core. regexes. Routes and ORM models extracted via LLM (Django's path style is accommodated in validation). No deterministic urls.py parsing, no class-based-view handling.
CeleryPartialtask.delay() / apply_async() / send_task() recognized as MessageChannel publishes; @app.task / @shared_task / @celery.task consumers detected via LLM prompt contract

Go

No static route extractor. Framework recognition is an entrypoint regex (for service classification) plus LLM-driven handler and path detection, checked by the same deterministic path validator used for Python.

FrameworkStatusNotes
GinPartialHandler detection via LLM analysis + deterministic path validation. gin.Default(/gin.New( is the service-classification entrypoint signal.
FiberPartialSame mechanism. fiber.New( is the entrypoint signal.
net/httpPartialSame mechanism. http.ListenAndServe( is the entrypoint signal.

Path validation also accommodates Echo, gorilla/mux, and chi route styles; these frameworks have no dedicated entrypoint signal yet. Route groups and middleware are not modeled for any Go router.


Java

Deterministic route extraction from annotations. No cross-file value resolution, DI/bean tracing, or critical-invocation extraction yet. The plugin is a route-extraction bootstrap, not a full semantic layer.

FrameworkStatusNotes
Spring BootFull@RestController/@Controller classes, @RequestMapping class-level prefixes, @GetMapping-family + @RequestMapping(method=...) method routes, @Value("${...}") env-key extraction (eval-verified). Route extraction is deterministic; deeper semantic hooks are not yet implemented.
JAX-RS / Quarkus / Jakarta RESTFull@Path class prefix + @GET/@POST/@PUT/@PATCH/@DELETE + method-level @Path (including {id:\d+} regex constraint stripping). Annotations are matched by simple name regardless of package, so Quarkus and Jakarta REST work without extra code. Not yet eval-pinned.

In Development

No language plugin exists yet for these (core/languages/registry.ts currently registers TypeScript, PHP, Python, Go, Java). No route, ORM, or infra extraction until a plugin lands.

LanguageFrameworkStatus
C#ASP.NET CorePlanned
RubyRailsPlanned

API Patterns & Protocols

ProtocolStatusNotes
REST APIsFullAuto-discovered from framework decorators, route registrations, and OpenAPI specs
OpenAPI / SwaggerFullopenapi.yaml, swagger.json files parsed and cross-referenced with code
GraphQLFullServer-side schema extraction (.graphql/.gql SDL, resolvers). Client-side operations traced as outbound dependencies.
AvroFull.avsc schema files parsed into DataStructure/DataField nodes
gRPCPartial@grpc/grpc-js/grpc are recognized I/O packages; grpc.NewServer( is a Go service-entrypoint signal; Go prompt hints extract client calls as ExternalAPI and server methods as emergent endpoints. .proto file parsing not yet implemented.

Databases

CodeRadius detects which databases a service communicates with via ORM configurations, table/collection names extracted from SQL and ORM call sites, and connection endpoint detection in environment files. Credentials are never read or stored. Connection strings are parsed but the user/password fields are deliberately discarded.

DatabaseStatusNotes
PostgreSQLFullORM configs including TypeORM ormconfig.{ts,js,json} and Doctrine doctrine.yaml via dedicated config-aware plugins. Prisma/SQLAlchemy connection strings are picked up by the generic env-var/DSN scanner, not by ORM-config parsing. Table names extracted from SQL/ORM literals via LLM analysis.
MySQL / MariaDBFullSame detection path as PostgreSQL
MongoDBPartialCollection names from model() and .collection() calls (Mongoose, native driver). Endpoint detection via env files.
SQLitePartialORM-based detection (Drizzle sqliteTable); sqlite3/better-sqlite3 imports gate files into analysis. Limited raw query tracing.
RedisPartialredis/ioredis/memcached clients classified as Cache; usage patterns surfaced via LLM analysis. Key-level tracing not supported.
Neo4jPartialneo4j-driver import recognized as datastore I/O
CassandraPartialcassandra-driver import recognized as datastore I/O
CouchbasePartialcouchbase import recognized as datastore I/O
Elasticsearch / OpenSearchPartial@elastic/elasticsearch, @opensearch-project/opensearch recognized as datastore I/O
InfluxDBPartial@influxdata/influxdb-client, influx recognized as datastore I/O
Vector databases (Pinecone, Chroma, Qdrant, Weaviate, Milvus)PartialClient imports recognized as datastore I/O
Supabase / libSQLPartial@supabase/supabase-js, @libsql/client recognized as datastore I/O
Query builders / ORMs (knex, kysely, slonik, sequelize, mikro-orm)PartialRecognized as datastore I/O imports; routed to whichever database they're configured against

Message Brokers

CodeRadius models messaging across three ontological layers so blast radius, governance, and lineage stay correct even on multi-cluster deployments:

  • MessageBroker: physical broker instance (cluster, host, vhost, region, env). Identity is fingerprinted on (provider:host:port:vhost) so two clusters with the same nominal name stay distinct.
  • MessageChannel with scope ∈ {logical, physical, transport}: logical is the business event (e.g. OrderCreated), physical is the broker address (e.g. exchange acme.orders on rmq-prod-eu), and transport is the Symfony Messenger / Mass Transit / Spring-Cloud wrapper around an underlying physical channel.
  • Edges: (LogicalChannel)-[:MANIFESTS_AS]->(PhysicalChannel), (TransportChannel)-[:BACKED_BY]->(PhysicalChannel), (MessageChannel)-[:HOSTED_ON]->(MessageBroker), (MessageChannel)-[:ROUTES_TO {bindingKey, isPattern, patternRegex}]->(MessageChannel), and (MessageChannel)-[:DEAD_LETTERS_TO]->(MessageChannel).

Two safety rules are non-negotiable: strict broker isolation (channels on different brokers are never merged, or "welded", heuristically) and user-declared mirrors only (Shovel / Federation / MirrorMaker convergence requires an explicit message_channels.mirrors[] block in coderadius.yaml).

Provider matrix

BrokerStatusDiscoveryNotes
RabbitMQ (AMQP)Fullstructural + coderabbitmq-definitions.json parsed for exchanges/queues/bindings, with topic-pattern regex compilation for */#. rabbitmq.conf presence registers the broker instance only; its contents aren't parsed. Publisher/consumer call sites extracted via LLM.
Symfony MessengerFullstructural + codeconfig/packages/messenger.yaml parsed for transports + routing. Emits a meta-broker plus MANIFESTS_AS edges from each MessageClass to its routed transport(s), and BACKED_BY to the underlying AMQP/Doctrine/Redis/SQS channel. Modern #[AsMessageHandler] and legacy __invoke patterns both supported.
Google Cloud Pub/SubFullstructural + codeTopic/subscription declarations via configurable Crossplane CRD kinds. Subscription filters, when extracted from consumer code, are stored on the consumer's LISTENS_TO edge. The structural subscription→topic ROUTES_TO edge does not carry the filter.
KafkaPartialcodeCode-level publisher/consumer detection via kafkajs, @upstash/kafka, client libraries like node-rdkafka/confluent-kafka-python (tech-inference regex). Structural extraction from server.properties / AsyncAPI is planned.
AWS SQS / SNSPartialcodeCode-level detection via @aws-sdk/client-sqs, @aws-sdk/client-sns, sqs-consumer. CloudFormation/Terraform topology parsing is planned.
Azure Service BusPartialcodeCode-level detection via @azure/service-bus. ARM/Bicep parsing planned.
NATSPartialcodeCode-level detection via the nats import (TS) and PHP NATS client markers. Config parsing planned.
Bull / BullMQPartialcodeRedis-backed queues classified as MessageChannels from bull/bullmq imports
Apache PulsarPartialcodeEndpoint detection via PULSAR_URL env var / pulsar:// connection strings. No client-SDK call-site detection yet.
STOMPPartialcodestompjs recognized as a messaging I/O import
TemporalPartialcode@temporalio/client recognized as a messaging I/O import
AWS EventBridgePartialcode@aws-sdk/client-eventbridge recognized as a messaging I/O import
Redis StreamsPartialcoderedis/ioredis imports gate files into LLM analysis, which may surface stream usage. No deterministic stream-command detection.
MQTT / MosquittoPartialcodemqtt client import gates files into LLM analysis for topic-level pub/sub. Broker config (mosquitto.conf) parsing planned.
LaminasPartialstructuralLaminas Messenger config parsed for message routing; Laminas RabbitMQ config parsed for exchanges/queues
ZeroMQPlannednoneDeclarable as a broker provider via coderadius.yaml only. No code-level socket detection exists.

Brokers not auto-detected can also be declared explicitly in coderadius.yaml under messageBrokers, with an optional fingerprint override for cases where host/port/vhost can't be inferred from config.

Custom decorator support

NestJS broker decorators (@MessagePattern, @EventPattern, @RabbitSubscribe, @RabbitRPC, @SqsMessageHandler, @SqsConsumerEventHandler, @Process, @Processor) are recognized natively. Custom consumer decorators, configurable per repository, plug in via coderadius.yaml:

decorators:
  - name: AcmeBusConsumer
    kind: message-consumer
    args: [queueName, routingKey, queue, name, topic]

The framework-signal extractor consults the registered decorator name (case-insensitive) and emits a LISTENS_TO edge with the resolved channel name (from the named arg or the first string literal). See Custom decorator registration and Messaging domain model for the full architecture.


CI/CD Platforms

cr blast integrates with any CI system via exit codes and structured output. The table below refers to native pipeline integration: pre-built job templates that run the impact check and post results as a PR/MR comment automatically, without custom scripting.

PlatformStatusNotes
GitHub ActionsPartialPre-built workflow template available. Impact report posted as PR comment via --format markdown.
GitLab CI/CDPartialPre-built pipeline template available. Impact report posted as MR note via --format markdown.
Bitbucket PipelinesPartialPre-built pipeline template available. Manual comment posting required.
JenkinsPlannedJenkinsfile integration

Configuration File Detection

CodeRadius automatically detects and extracts architectural information from configuration and build files.

File / PatternStatusWhat is extracted
docker-compose.ymlDetectedDatabase/broker instances from known service images + env blocks (POSTGRES_DB, MYSQL_DATABASE, MONGO_INITDB_DATABASE); container images (USES_IMAGE). Network links, volume mounts, and depends_on topology are not extracted.
DockerfileDetectedBase image (including registry-qualified refs), multi-stage build stages (FROM ... AS alias, --platform)
Makefile, GNUmakefileDetectedBuild targets exposed as Task nodes
package.jsonDetectedscripts block with task commands and precise runner detection (npm/pnpm/yarn/bun)
composer.jsonDetectedscripts block with Composer task commands
openapi.yaml, swagger.jsonDetectedFull endpoint and schema extraction
ormconfig.{ts,js,json}, doctrine.yamlDetectedORM datasource configuration
prisma/schema.prismaDetectedFile detected and routed to schema extraction. Model→table mapping depth depends on the LLM extraction pass.
database.php, knexfile.*, and other datasource/orm/persistence-named config filesPartialFile presence detected and routed to schema/config extraction
Doctrine Migrations (migrations/Version*.php)DetectedCREATE TABLE/ALTER TABLE/RENAME ... TO SQL statements parsed into table facts. Catches tables no live code path touches.
renovate.json, .renovatercDetectedDependency update policy (extends, automerge, schedule)
.github/dependabot.ymlDetectedDependency-update tool presence
catalog-info.yaml (Backstage)DetectedComponent, system, team ownership
cortex.yaml (Cortex)DetectedComponent, system, ownership (OpenAPI 3.0 + x-cortex-* extensions). When both a Backstage and a Cortex catalog are present, a configurable catalogPriority decides which one wins for a given entity.
CODEOWNERSDetectedOwnership mapping
.eslintrc*, eslint.config.*, .prettierrc*, prettier.config.*, jest.config.*, vitest.config.*DetectedTool presence, exposed as ToolConfig nodes
.github/workflows/*, .gitlab-ci.yml, generic CI configDetectedCI pipeline presence
Helm values, Kubernetes ConfigMapsDetectedDatabase definitions; container images (USES_IMAGE)
Crossplane claim CRDsDetectedGCP Pub/Sub topic/subscription declarations (CRD kinds configurable per repo)
.devcontainer/devcontainer.jsonDetectedDev environment standardization signal
Lockfiles (package-lock.json, yarn.lock, composer.lock, etc.)DetectedFull dependency extraction into Library nodes, not just package-manager identification
*.avsc (Avro)DetectedSchema extraction into DataStructure/DataField nodes
*.protoPlannedgRPC service definitions

Package Manager Detection

CodeRadius detects the specific package manager used per project, not just the ecosystem. This is exposed as ToolConfig nodes in the graph and visible in the System Registry dashboard.

JavaScript / TypeScript

Detection priority:

  1. packageManager field in package.json (Corepack standard, e.g. "packageManager": "pnpm@9.15.0")
  2. Lockfile presence checked in the same directory, then walking up to the repo root (monorepo-aware)
  3. Fallback to npm
Lockfile / markerDetected Package Manager
pnpm-lock.yaml, pnpm-workspace.yamlDetected pnpm
yarn.lock, .yarnrc.ymlDetected yarn
bun.lock / bun.lockbDetected bun
package-lock.jsonDetected npm

PHP

LockfileDetected Package Manager
composer.lockDetected Composer

Python

LockfileDetected Package Manager
poetry.lockDetected Poetry
Pipfile.lockDetected Pipenv
uv.lockDetected uv
pdm.lockDetected PDM

Go

LockfileDetected Package Manager
go.sumDetected Go Modules

Other manifests

pyproject.toml / requirements.txt (Python) and pom.xml / build.gradle / build.gradle.kts (Java) drive language and manifest detection, not package-manager identification. Python and Java don't have a single-lockfile convention the way JS/PHP/Go do.

On this page