Deterministic repository analysis

TraceMap turns code into evidence-backed maps.

Scan repositories, compare snapshots, reduce contract deltas, and assemble release review packets from rule-backed facts. Every finding keeps its rule ID, evidence tier, file span, commit SHA, and extractor version.

TraceMap is static analysis. It does not use LLM calls, embeddings, vector databases, or prompt-based classification in the scanner or reducer.

Run the demo Explore the evidence model

scan-manifest.json
facts.ndjson
index.sqlite
report.md
logs/analyzer.log

ruleId: contract.delta.impact.v2
tier: Tier2Structural
commitSha: 5e7fe17
classification: NeedsReview

4 evidence tiers

5 scan artifacts

0 AI calls in scanner

Evidence model

No conclusion without evidence.

Tier 1

Semantic

Compiler-resolved symbol evidence where the language adapter can prove identity.

Tier 2

Structural

Known framework, project, endpoint, package, SQL, config, or DTO patterns.

Tier 3

Syntax or text

Useful static clues when semantic proof is not available.

Tier 4

Unknown

Analysis gaps, unavailable sections, reduced coverage, or unable-to-prove cases.

Artifacts

The scanner emits files people and machines can inspect.

scan-manifest.jsonRepo, commit, scanner, build, and coverage metadata.

facts.ndjsonRule-backed facts with evidence tiers and source spans.

index.sqliteQueryable facts, symbols, relationships, surfaces, and flows.

report.mdHuman-readable summary with coverage and known gaps.

logs/analyzer.logAnalyzer diagnostics for partial or failed project loading.

Workflows

Static evidence for contract and dependency review.

Scan

Index .NET, TypeScript, JVM, and Python repositories into deterministic facts.

Reduce

Compare contract deltas against indexed evidence and label reduced coverage honestly.

Combine

Merge many indexes with source provenance for cross-repo dependency reports.

Paths and reverse

Trace bounded static evidence from endpoints to surfaces, or from surfaces back to roots.

Diff and impact

Compare snapshots and summarize changed static evidence without claiming runtime behavior.

Release review

Assemble a release-oriented packet from coverage, impact, contract, and gap evidence.

Get started

Run the checked-in public demo.

The demo scans sample repositories, writes a generated artifact bundle, and produces public-shareable summaries without local absolute paths.

git clone https://github.com/joefeser/tracemap.git
cd tracemap
./scripts/demo-public.sh

dotnet run --project src/dotnet/TraceMap.Cli -- scan \
  --repo samples/modern-sample \
  --out .tracemap

Boundaries

TraceMap keeps the claim narrow.

No raw source snippets are stored by default.
No failed or partial scan is reported as clean.
No runtime traffic, production usage, deployment state, or release approval is inferred.
No impact conclusion is emitted without a rule ID and supporting evidence.

Source of truth

Open source, testable, and intentionally inspectable.

Evidence tiers Scan outputs Workflows Limitations Product requirements Validation guide Rule catalog GitHub repository