Skip to main content

Local-first repo behavior map generator

Project description

hypergumbo

CI PyPI License Coverage

hypergumbo is a local-first CLI that generates behavior maps and sketches from source code. The goal of this project is to efficiently help developers and LLMs understand a codebase.

pip install hypergumbo

Requires Python 3.10+. For optional extras (embeddings, gitleaks, grammars), run hypergumbo add-extras after installing.

Intel Mac users: Some tree-sitter packages lack x86_64 wheels. See docs/INTEL_MAC.md for a Docker-based workaround.

git clone https://codeberg.org/iterabloom/hypergumbo
hypergumbo hypergumbo/

Output:

# hypergumbo

hypergumbo is a local-first CLI that generates behavior maps and sketches from source code. The goal of this project is to efficiently help developers and LLMs understand a codebase. > Requires Python 3.10+. For optional extras (embeddings, gitleaks, grammars), run `hypergumbo add-extras` after installing. > Intel Mac users:

> **Audited IO surface.** hypergumbo's own filesystem / network / subprocess activity is enumerated per CLI subcommand category in [SECURITY.md](SECURITY.md), with machine-verifiable claims authored at `docs/hypergumbo.claims.yaml`. Re-run the audit locally via `hypergumbo verify-claims --claims docs/hypergumbo.claims.yaml`. The wrapper-function discipline used to make path-bounded claims structurally verifiable is documented as the recommended pattern for any hypergumbo user (any language) wanting the same precision.

## Overview
Python (91%), Markdown (4%), Yaml (3%)
728 files    (383 non-test + 345 test)
~320,798 LOC (~129,172 non-test + ~191,626 test)

## Structure

` ` `
hypergumbo/
├── .agent
│   └── [and 6 other items]
├── .gitea
│   ├── SQUASH_TEMPLATE.md
│   └── [and 1 other items]
├── .githooks
│   ├── commit-msg
│   └── [and 9 other items]
├── docs
│   ├── CACHE.md
│   └── [and 22 other items]
├── packages
│   ├── hypergumbo-core
│      ├── src
│         └── hypergumbo_core
│             ├── analyze
│                ├── base.py
│                └── [and 3 other items]             ├── __main__.py
│             ├── cli.py
│             ├── ir.py
│             └── [and 26 other items]      ├── tests
│         ├── test_framework_patterns.py
│         └── [and 94 other items]      └── [and 2 other items]   ├── hypergumbo-tracker
│      ├── src
│         └── hypergumbo_tracker
│             ├── cli.py
│             └── [and 13 other items]      └── [and 5 other items]   └── [and 4 other items]
├── scripts
│   ├── lib
│      └── forgejo-api.sh
│   └── [and 33 other items]
├── tests
│   ├── test_bakeoff_deep_reflect.py
│   └── [and 2 other items]
├── conftest.py
├── pyproject.toml
├── setup.py
└── [and 21 other items]
` ` `

## Frameworks

- pytest
- pytorch
- transformers

## Tests

345 test files · cargo test, pytest, unittest

*~95% estimated coverage (2693/2847 functions called by tests)*

## Configuration
[...]

See full example output

Use -t to control the token budget:

hypergumbo . -t 1000   # brief overview (structure only)
hypergumbo . -t 4000   # good balance for most LLMs
hypergumbo . -t 8000   # detailed with many symbols

Two Outputs

Sketch (hypergumbo .) — Token-budgeted Markdown sized for LLM context windows. Ranks symbols by graph centrality (★ = most connected).

Behavior map (hypergumbo run) — Full JSON with all symbols, edges, and provenance tracking. Use this for programmatic analysis.

CLI Commands

hypergumbo [path]              # Markdown sketch (default)
hypergumbo run [path]          # Full JSON behavior map
hypergumbo slice --entry X     # Subgraph from entry point
hypergumbo io-boundaries       # Find all I/O (filesystem, network, subprocess, env, IPC, browser storage)
hypergumbo verify-claims ...   # Verify security claims against analysis
hypergumbo routes [path]       # List HTTP routes
hypergumbo search <query>      # Search symbols
hypergumbo symbols [path]      # Browse symbols with connectivity
hypergumbo explain <symbol>    # Detailed symbol info
hypergumbo test-coverage       # Analyze test coverage (transitive)
hypergumbo catalog             # List analysis passes

Useful flags:

hypergumbo . -x                                # exclude test files (cleaner output)
hypergumbo . --no-source                       # omit source code (included by default)
hypergumbo . --no-progress                     # hide progress indicator (sketch/run only; on by default)
hypergumbo io-boundaries --show-external-potential   # opt into the (large) external-potential bucket (text output)
hypergumbo --help --all                        # comprehensive help for all commands

Project-local taint catalogs

verify-claims ships with paranoid defaults auto-derived from the built-in IO primitive catalog. Projects can supply their own trust zones, sanitizers, and label maps:

hypergumbo verify-claims --claims claims.yaml \
    --taint-sources    myrepo/taint/sources.yaml \
    --taint-sinks      myrepo/taint/sinks/ \
    --taint-sanitizers myrepo/taint/sanitizers.yaml

Each flag accepts a YAML file or a directory (globbed as *.yaml), and is repeatable. The same paths can be declared inside the claims YAML under extra_catalogs: {sources, sinks, sanitizers} — relative paths resolve against the claims-file directory. User entries whose (module, name, kind) triple matches a built-in replace it; sanitizers concatenate.

Results are automatically cached in ~/.cache/hypergumbo/. Just run:

hypergumbo .    # auto-runs analysis if no cache exists, then generates sketch

The cache auto-invalidates when source files change. See docs/CACHE.md for details.

See hypergumbo --help for all options.

What It Understands

  • Language analyzers: Python, JS/TS, Java, Rust, Go, C/C++, and many more
  • Linkers: Tier 2 edge-recovery passes across four subcategories — Protocol (HTTP, WebSocket, message queues, SQL), Bridge (JNI, wasm_bindgen, Tauri IPC, language-pair FFI), Framework (gRPC, GraphQL, React components, DI resolution, ORM), Infrastructure (containment, inheritance, module imports). Full catalogue.
  • Framework patterns: FastAPI, Django, Rails, Spring Boot, Phoenix, Express, and many more
  • I/O boundary detection: Maps every call chain that reaches the filesystem, network, subprocess, environment, IPC, or browser-local storage — across FFI boundaries
  • Taint-flow analysis: Traces data from sensitive sources (environment variables, received network input, crypto outputs, key material) to sinks in six trust zones (host_fs, network, host_env, ipc, browser_storage, relay), with sanitizer awareness
  • Supply chain tiers: Classifies code as first-party, internal, external, or derived for dependency-aware analysis

How It Works

  1. Profile: Scan the repo for languages, file counts, LOC
  2. Analyze: Run language-specific analyzers to extract symbols and edges
  3. Link: Connect symbols across language boundaries (JS fetch → Python route)
  4. Enrich: Detect frameworks via YAML pattern matching
  5. Classify: Assign supply chain tiers (first-party, internal, external, derived)
  6. Trace I/O: Map call chains to I/O boundaries; run taint-flow analysis
  7. Output: Generate Markdown sketch or JSON behavior map

The Internal Representation

All analyzers produce the same IR types:

  • Symbol: A code element (function, class, method) with name, location, and stable ID
  • Edge: A relationship between symbols (calls, imports, extends, implements)
  • Span: Source location (file, line, column)

This uniform IR is what allows all language analyzers and linkers (Protocol / Bridge / Framework / Infrastructure — see ADR-3bbb) to work together coherently.

Architecture

packages/
├── hypergumbo-core/           # CLI, IR, slice, sketch, linkers
│   └── src/hypergumbo_core/
│       ├── cli.py             # Entry point
│       ├── ir.py              # Symbol, Edge, Span
│       ├── sketch.py          # Token-budgeted Markdown
│       ├── slice.py           # Subgraph extraction
│       ├── linkers/           # Tier 2 edge-recovery passes (Protocol/Bridge/Framework/Infrastructure)
│       └── frameworks/        # Framework detection (YAML patterns)
├── hypergumbo-lang-mainstream/  # Python, JS, Java, Go, Rust, etc.
├── hypergumbo-lang-common/      # Haskell, Elixir, GraphQL, etc.
├── hypergumbo-lang-extended1/   # Zig, Solidity, Agda, etc.
├── hypergumbo-tracker/           # Structured work tracker for agent governance (MPL-2.0)
└── hypergumbo/                  # Meta-package (installs all above)

Key design choices:

  • Registry pattern: Analyzers and linkers self-register via decorators
  • Two-pass analysis: First collect symbols, then resolve edges (enables cross-file references)
  • Provenance tracking: Every edge records which analyzer/linker created it
  • YAML-driven patterns: Framework detection is declarative, not hardcoded

Development

git clone https://codeberg.org/iterabloom/hypergumbo.git
cd hypergumbo
python3 -m venv .venv && source .venv/bin/activate
./scripts/dev-install
source .venv/bin/activate  # reload to enable pytest alias
pytest                      # runs smart-test (affected tests only)

dev-install installs all packages, git hooks, and the pytest/smart-test wrapper. 100% test coverage required.

See CONTRIBUTING.md for PR workflow (including fork-based workflow for external contributors), smart test selection setup, and coverage requirements. Agent instructions live in AGENTS.md.

Links

License

AGPL-3.0-or-later

Hypergumbo logo

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

hypergumbo-6.1.0.tar.gz (8.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

hypergumbo-6.1.0-py3-none-any.whl (7.0 kB view details)

Uploaded Python 3

File details

Details for the file hypergumbo-6.1.0.tar.gz.

File metadata

  • Download URL: hypergumbo-6.1.0.tar.gz
  • Upload date:
  • Size: 8.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.14

File hashes

Hashes for hypergumbo-6.1.0.tar.gz
Algorithm Hash digest
SHA256 3160d2a2daa32dcd4c541f458c469c935d60fd31873a7c2e2a910951befe1e58
MD5 ec9b950c13cd7c1abb5f193c51f2ea3f
BLAKE2b-256 5c12a8790f2b3cb91c62fdd50c0a0ac72b73da066c10a54b5c419f581cad6a32

See more details on using hashes here.

File details

Details for the file hypergumbo-6.1.0-py3-none-any.whl.

File metadata

  • Download URL: hypergumbo-6.1.0-py3-none-any.whl
  • Upload date:
  • Size: 7.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.14

File hashes

Hashes for hypergumbo-6.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 9392d2fac6625588c57472378f1f786c443cd42ad7202ab8b1f8dc0029206f9d
MD5 e1e918ee519f0bf585a371f76eeac57c
BLAKE2b-256 78c2674972f18b10b01a3cca4132e41d7395094ca1a05504d05f626e015c320e

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page