repotoire-0.3.52 is not a library.
Repotoire πΌ
Graph-Powered Code Intelligence β Local-First, Blazing Fast
Repotoire builds a knowledge graph of your codebase to detect architectural issues, code smells, and security vulnerabilities that traditional linters miss.
Why Repotoire?
Most linters analyze files in isolation. Repotoire sees the whole picture:
Traditional Linters Repotoire
βββββββββββββββββββββ βββββββββββββββββββββ
file1.py β file1.py βββ
file2.py β file2.py βββΌββ Knowledge Graph
file3.py β file3.py βββ
β
Circular deps?
God classes?
Dead code?
Coupling hotspots?
Quick Start
Option 1: Download Binary (Easiest)
# Linux
|
# macOS (Apple Silicon)
|
# macOS (Intel)
|
Option 2: Cargo Binstall (No cmake needed)
Option 3: Cargo Install
That's it. No API keys required. No Docker. No cloud account.
β‘ Performance
Pure Rust. No external dependencies. Blazing fast.
| Codebase | Files | Time | Speed |
|---|---|---|---|
| Django | 3,000 | 55s | 54 files/sec |
| Express.js | 141 | 0.4s | 350 files/sec |
| Medium project | 500 | ~5s | 100 files/sec |
Progress bars show you what's happening:
Processing files... ββββββββββββββββ 75% (375/500) 0:00:08
What It Finds
81 detectors across 4 categories:
ποΈ Architecture
- Circular dependencies (Tarjan's SCC algorithm)
- Architectural bottlenecks (betweenness centrality)
- Hub dependencies (fragile central nodes)
- Module cohesion problems
π Code Smells
- God classes (too many responsibilities)
- Dead code (unreachable functions/classes)
- Feature envy (methods using wrong class data)
- Shotgun surgery (changes ripple everywhere)
- AI-generated code patterns (complexity spikes, churn, naming)
π Security
- SQL injection patterns
- Hardcoded secrets (API keys, passwords)
- Unsafe deserialization (pickle, yaml.load)
- Eval/exec with user input
- GitHub Actions injection
π Quality
- Complexity hotspots
- Type hint coverage gaps
- Duplicate code blocks
- Missing tests for new functions
Sample Output
βββββββββββββββββββββ πΌ Repotoire Health Report βββββββββββββββββββββ
β Grade: B β
β Score: 82.5/100 β
β Good - Minor improvements recommended β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββββββββ¬βββββββββ¬ββββββββββββ
β Category β Weight β Score β
βββββββββββββββββββββββΌβββββββββΌββββββββββββ€
β Graph Structure β 40% β 85.0/100 β
β Code Quality β 30% β 78.3/100 β
β Architecture Health β 30% β 84.2/100 β
βββββββββββββββββββββββ΄βββββββββ΄ββββββββββββ
π Findings (23 total)
βββββββββββββββ¬ββββββββ
β π΄ Critical β 2 β
β π High β 5 β
β π‘ Medium β 12 β
β π΅ Low β 4 β
βββββββββββββββ΄ββββββββ
Supported Languages
| Language | Parsing | Call Graph | Imports | Status |
|---|---|---|---|---|
| Rust | β | β | β | Full Support |
| Python | β | π§ | π§ | Parsing only |
| TypeScript | β | π§ | π§ | Parsing only |
| JavaScript | β | π§ | π§ | Parsing only |
| Go | β | π§ | π§ | Parsing only |
| Java | β | π§ | π§ | Parsing only |
| C/C++ | β | π§ | π§ | Parsing only |
| C# | β | π§ | π§ | Parsing only |
| Kotlin | β | π§ | π§ | Parsing only |
All languages use tree-sitter for parsing, compiled to native code via Rust.
Note: Call graph analysis (function calls, imports) is currently implemented for Rust only. Other languages get full AST parsing with class/function/module detection β call graph support is actively in development and coming soon!
CLI Reference
# Analysis
# Graph operations
# Utilities
Doctor Output
$ repotoire doctor
Repotoire Doctor
β Python version: 3.12.0
β Rust extension: Loaded
β API keys: Present: OPENAI | Missing: ANTHROPIC, DEEPINFRA
β Kuzu database: Importable v0.11.3
β Disk space (home): 150.2GB free (35% used)
AI-Powered Fixes (Optional)
Bring your own API key β or use local AI for free:
# Cloud providers (pick one):
# Claude (best quality)
# GPT-4
# Llama 3.3 (cheapest cloud)
# Any model
# Or use Ollama for 100% local, free AI:
Get your key:
- Anthropic: https://console.anthropic.com/settings/keys
- OpenAI: https://platform.openai.com/api-keys
- Deepinfra: https://deepinfra.com/dash/api_keys
- OpenRouter: https://openrouter.ai/keys
- Ollama: https://ollama.ai (π free, runs locally)
No API key and no Ollama? No problem. All analysis works offline.
Configuration
Create repotoire.toml in your repository root for project-specific settings:
# repotoire.toml - Project Configuration
# Detector-specific overrides
[]
= true
= { = 30, = 600 }
[]
= "high" # Downgrade from critical for this project
= true
[]
= { = 8 } # More lenient than default (6)
[]
= false # Disable this detector entirely
# Scoring customization
[]
= 5.0 # Weight security findings more heavily (default: 3.0)
[]
= 0.3 # Code structure/complexity (default: 0.4)
= 0.4 # Code quality/smells (default: 0.3)
= 0.3 # Architectural health (default: 0.3)
# Path exclusions (in addition to .gitignore)
[]
= [
"generated/",
"vendor/",
"**/migrations/**",
"**/*.generated.ts",
]
# Default CLI flags (can still be overridden via command line)
[]
= "text" # Default output format
= "low" # Minimum severity to report
= 8 # Parallel workers
= 20 # Findings per page
= false # Don't run external tools by default
= false # Include git enrichment
= false # Use emoji in output
= "critical" # CI failure threshold
= [] # Always skip these detectors
Alternative Config Formats
Repotoire also supports:
.repotoirerc.json(JSON format).repotoire.yamlor.repotoire.yml(YAML format)
The search order is: repotoire.toml β .repotoirerc.json β .repotoire.yaml
Detector Names
Use kebab-case for detector names in config (e.g., god-class, sql-injection).
The following formats are all equivalent:
god-classgod_classGodClassDetector
Inline Suppression
Suppress individual findings with comments:
# repotoire: ignore
# This line won't trigger findings
pass
// repotoire: ignore
const sqlQuery = `SELECT * FROM ${table}`; // Suppressed
// repotoire: ignore
exec.Command(userInput) // Suppressed
The comment must be on the line before or on the same line as the finding.
Works with #, //, /* */, and -- comment styles.
How It Works
ββββββββββββ βββββββββββββββββ ββββββββββββββββ ββββββββββββ
β Source βββββΆβ Rust Parser βββββΆβ Kuzu Graph βββββΆβ Detectorsβ
β Files β β (tree-sitter) β β (embedded) β β (81) β
ββββββββββββ βββββββββββββββββ ββββββββββββββββ ββββββββββββ
β β
β 6 languages β Graph algorithms:
β Parallel parsing β β’ Tarjan's SCC
β ~100-400 files/sec β β’ Betweenness centrality
β β β’ Community detection
β βΌ
β ββββββββββββββββ
ββββββββββββββββββββββββββββββββΆβ Reports β
β CLI/HTML/JSONβ
ββββββββββββββββ
Key components:
- Tree-sitter β Fast, accurate parsing for all languages
- Kuzu β Embedded graph database (no external deps)
- Rust extension β Native speed for parsing + graph algorithms
CI/CD Integration
GitHub Actions
- name: Code Health Check
run: |
pip install repotoire
repotoire analyze . --output report.json
- name: Fail on critical issues
run: |
CRITICAL=$(jq '.findings | map(select(.severity == "critical")) | length' report.json)
if [ "$CRITICAL" -gt 0 ]; then exit 1; fi
Pre-commit Hook
# .pre-commit-config.yaml
repos:
- repo: local
hooks:
- id: repotoire
name: repotoire
entry: repotoire analyze . --offline
language: system
pass_filenames: false
Comparison
| Feature | Repotoire | SonarQube | CodeClimate |
|---|---|---|---|
| Local-first | β | β | β |
| No Docker | β | β | β |
| Graph analysis | β | Partial | β |
| Multi-language | 6 | Many | Many |
| Circular deps | β | β | β |
| Dead code | β | β | β |
| AI code smell detection | β | β | β |
| BYOK AI fixes | β | β | β |
| Free | β | Limited | Limited |
Troubleshooting
"Cannot open file .repotoire/kuzu_db/.lock: Not a directory"
You have a stale database from a previous version. Delete it:
"cmake not installed" during cargo install
Install cmake first:
# macOS
# Ubuntu/Debian
# Or use cargo binstall (no cmake needed)
Analysis is slow
Use --relaxed for faster runs (only high-severity findings):
Documentation
- Schema Reference β Graph node/edge types and Cypher examples
- Detectors β Full list of 81 detectors with configuration
Contributing
The Rust extension builds automatically on first install.
License
MIT β see LICENSE
&&