Docs/Codebase Analysis

Codebase Analysis

The codebase scan is what makes FlowGuard go from zero to a working test suite in minutes. The agent reads your repository locally, extracts a structured map of pages, routes, forms and APIs, and ships only that map — never your source — to the AI service.

How the scan works

1. Local read

The agent walks your repository on your machine. Frameworks are auto-detected (.NET, React, Angular, Vue, Next.js, plain HTML). Files matching --exclude or your .gitignore are skipped.

2. Map extraction

Routes, page components, form fields, API endpoints, navigation links and CSS selectors are extracted. The output is a JSON application map — names, paths, types — no source code.

3. AI proposal

Only the application map is sent to Claude (on Pintor Project's private Azure AI Foundry). Claude proposes flows: one per critical user journey, ordered by risk. You review each proposal in the dashboard.

4. Acceptance

Accepted proposals become real Flow records. Rejected proposals are logged so the next scan doesn't re-suggest them. Modified proposals teach the model your conventions.

What leaves your machine

Only the structured application map. That includes route patterns, page names, form field names and CSS selectors.

Never sent: source file contents, comments, business logic, hardcoded values, connection strings, anything matched by your .gitignore.

Running a scan

Terminal

1"comment"># Basic "function">scan
2"function">flowguard "function">scan "flag">--repo ./my-app "flag">--app-id YOUR_APP_ID
3
4"comment"># Restrict to a subdirectory (e.g. only the web client)
5"function">flowguard "function">scan "flag">--repo ./my-app "flag">--include 'src/Web/**' "flag">--app-id YOUR_APP_ID
6
7"comment"># Cap the analysis (useful for very large monorepos)
8"function">flowguard "function">scan "flag">--repo ./my-app "flag">--max-files 500 "flag">--app-id YOUR_APP_ID
9
10"comment"># Re-"function">scan and merge with existing flows
11"function">flowguard "function">scan "flag">--repo ./my-app "flag">--app-id YOUR_APP_ID "flag">--merge

Tuning the scan

Goal	How
Skip auth-only flows	--exclude '/Login/' or hide them in the dashboard after the first scan
Tighter proposals	Increase --max-files and re-scan; Claude has more context to deduplicate
Monorepo with many apps	Scan once per app with --include narrowed to that app's directory
Generated code (e.g. NSwag clients)	Add to your .gitignore or pass via --exclude
Re-train on your conventions	Reject proposals you don't want — the model learns from rejections

Where the scan is weakest

Apps with heavy server-side rendering and dynamic component composition (e.g. CMS-driven pages, micro-frontend shells) give the scanner less to chew on. Recording flows in Chrome is the better starting point for those — let the AI fill in checkpoints and assertions afterwards.

Up next

Integrations — auto-file failed checkpoints in Azure DevOps or GitHub