codebase-scanning
Codebase Scanning
Detection patterns and scanning rules for discovering strategic product context from existing codebases. Covers web and mobile platforms.
When to Use This Skill
Auto-loaded by agents:
- context-scanner - For all codebase scanning operations
Feature Discovery
Scan routes, pages, and components to identify user-facing functionality.
Methods:
- Parse route files (Express routes, Next.js pages/, API routes)
- Analyze page/component names
- Identify API endpoints from route definitions
- Map features to evidence (file paths)
Return format per feature:
- name: Feature name (lowercase, descriptive)
- confidence: high/medium/low
- evidence: File paths, routes, or patterns
Common features detected: Authentication, project/task management, team collaboration, analytics/reporting, settings/configuration.
Tech Stack Detection
Parse package manifests and project files to identify technologies.
Supported Manifests
Web Platforms:
| Platform | Manifest |
|---|---|
| Node.js | package.json |
| Python | requirements.txt, pyproject.toml, Pipfile |
| Go | go.mod |
| Ruby | Gemfile |
| PHP | composer.json |
| Rust | Cargo.toml |
| Java | pom.xml, build.gradle |
Mobile Platforms:
| Platform | Manifests |
|---|---|
| iOS | Podfile, Package.swift, *.xcodeproj/project.pbxproj |
| Android | build.gradle, build.gradle.kts, AndroidManifest.xml |
| Flutter | pubspec.yaml, pubspec.lock |
| React Native | package.json, ios/Podfile, android/build.gradle |
What to Detect
Web: Frontend frameworks (React, Vue, Angular, Svelte, Next.js), backend frameworks (Express, FastAPI, Rails, Django, Laravel, Gin), databases (PostgreSQL, MySQL, MongoDB, Redis via client packages), languages/versions, build tools (Vite, Webpack, esbuild).
iOS: Swift version, Objective-C, UIKit vs SwiftUI, iOS deployment target, Xcode version.
Android: Kotlin version, Java, Jetpack Compose vs XML layouts, minSdk, targetSdk, Gradle version.
Flutter: Flutter SDK version, Dart version, platform targets (iOS, Android, Web, Desktop).
React Native: RN version, TypeScript usage, Expo detection, native module detection.
Integration Discovery
Identify third-party services from package dependencies.
Common integrations by category:
| Category | Services |
|---|---|
| Payments | Stripe, PayPal, Square, Braintree, In-App Purchases |
| Email | SendGrid, Mailgun, AWS SES |
| SMS | Twilio, Plivo |
| Auth | Auth0, Firebase Auth, Okta, Sign in with Apple, Google Sign-In |
| Cloud | AWS SDK, GCP SDK, Azure SDK |
| Analytics | Segment, Mixpanel, Amplitude, Firebase Analytics, Facebook SDK |
| Monitoring | Sentry, Datadog, New Relic, Crashlytics, Bugsnag |
| Push | Firebase Cloud Messaging, OneSignal, APNs |
| Maps/Location | Google Maps SDK, Mapbox, Apple Maps, Core Location |
| State Mgmt | Redux, MobX, Provider, Riverpod, GetX |
Mobile backend/database: Firebase (Firestore, Realtime DB, Storage), Supabase, Realm, Core Data (iOS), Room (Android), Hive (Flutter).
Mobile networking: Alamofire (iOS), Retrofit (Android), Dio (Flutter), Axios (React Native).
Mobile media: Kingfisher (iOS), Coil (Android), cached_network_image (Flutter), react-native-fast-image.
Confidence note: Package installed does not mean actively used. Assign medium confidence to integrations.
Mobile Platform Detection
Check in this order:
- Flutter: pubspec.yaml exists AND lib/main.dart exists
- React Native: package.json exists AND (ios/ + android/ directories OR "react-native" in dependencies)
- iOS Native: (Podfile OR Package.swift OR *.xcodeproj) AND NO android/ directory
- Android Native: (build.gradle OR build.gradle.kts) AND NO ios/ directory
- Hybrid/Monorepo: Multiple platform indicators present
Edge cases:
- Expo: Detect from app.json or "expo" in package.json dependencies
- Flutter with custom native code: Both pubspec.yaml and platform directories with custom code
- Monorepo: Multiple apps/ subdirectories with different platforms - scan each separately
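The ordered checks and the Expo edge case above, as an added example (not code from the skill itself). The function names, the returned keys, and the reading that more than one platform indicator yields "hybrid" are assumptions of this example.

```python
import json
import tempfile
from pathlib import Path


def npm_dependencies(root):
    """Names under "dependencies"; empty set if package.json is absent or malformed."""
    try:
        pkg = json.loads((root / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return set()
    deps = pkg.get("dependencies") if isinstance(pkg, dict) else None
    return set(deps) if isinstance(deps, dict) else set()


def detect_mobile_platform(root):
    """Apply the page's detection rules in order and report every rule that matched."""
    root = Path(root)
    deps = npm_dependencies(root)
    def has(*parts):
        return root.joinpath(*parts).exists()
    ios_dir, android_dir = (root / "ios").is_dir(), (root / "android").is_dir()
    ios_manifest = has("Podfile") or has("Package.swift") or any(root.glob("*.xcodeproj"))
    android_manifest = has("build.gradle") or has("build.gradle.kts")
    rules = [  # same order as the list above
        ("flutter", has("pubspec.yaml") and has("lib", "main.dart")),
        ("react-native", has("package.json")
            and ((ios_dir and android_dir) or "react-native" in deps)),
        ("ios-native", ios_manifest and not android_dir),
        ("android-native", android_manifest and not ios_dir),
    ]
    matched = [name for name, ok in rules if ok]
    # Assumption: several matching rules, or both native manifests at once, mean hybrid.
    if len(matched) > 1 or (not matched and ios_manifest and android_manifest):
        platform = "hybrid"
    else:
        platform = matched[0] if matched else None
    # Expo edge case: app.json present or "expo" listed in package.json dependencies.
    return {"platform": platform, "matched": matched,
            "expo": has("app.json") or "expo" in deps}


def make_tree(files):
    """Create a constructed sample project in a temp dir (relative path -> content)."""
    root = Path(tempfile.mkdtemp())
    for rel, text in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")
    return root
```

A malformed package.json is treated as having no dependencies, so the directory-based half of the React Native rule still applies.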
Mobile Feature Discovery
iOS Native: Search for *ViewController.swift (UIKit), *View.swift (SwiftUI). Count distinct ViewControllers/Views = feature count. Exclude Tests/, Pods/.
Android Native: Search for classes extending Activity, Fragment, @Composable functions. Parse navigation.xml. Count Activities + Fragment groups + Composable screens. Look in app/src/main/.
Flutter: Search lib/screens/, lib/pages/, route definitions. Parse MaterialApp.routes or GoRouter. Count screen files + routes.
React Native: Search src/screens/, src/pages/, Stack.Screen definitions. Parse React Navigation navigators. Count screen components.
Mobile Integration Mapping
Map platform-specific dependencies to universal names:
| Universal Name | iOS (CocoaPods/SPM) | Android (Gradle) | Flutter (pub) | React Native (npm) |
|---|---|---|---|---|
| Firebase Auth | Firebase/Auth | firebase-auth | firebase_auth | @react-native-firebase/auth |
| Stripe | Stripe | stripe-android | stripe_flutter | @stripe/stripe-react-native |
| Image Loading | Kingfisher | coil | cached_network_image | react-native-fast-image |
| Networking | Alamofire | retrofit | dio | axios |
Integration categories: Authentication, Payments, Analytics, Database, Networking, Media, Location, Push Notifications, Crash Reporting, State Management.
Scale Estimation
Metrics to collect:
- Total source files (excluding node_modules, dist, build, .git)
- Lines of code (approximated from file sizes, not precise line counts)
Complexity tiers:
| Tier | Files | LOC | Characteristics |
|---|---|---|---|
| Simple | <50 | ~10k | Single service |
| Medium | 50-500 | 10k-100k | Few services |
| Complex | >500 | 100k+ | Many services/repos |
Maturity signals:
| Stage | LOC | Indicators |
|---|---|---|
| Prototype | ~5k | Rapid changes |
| MVP | 5k-25k | Core features present |
| Established | 25k-100k | Feature-complete |
| Mature | 100k+ | Extensive feature set |
Edge Cases & Limitations
Large Codebases (>100k LOC, >1000 files)
- Limit scanning to primary directories: src/, pages/, routes/, api/, lib/
- Skip: node_modules/, dist/, build/, .git/, vendor/, test/ (unless small)
- Sample large directories (first 100 files, warn about remaining)
- Maximum 60 seconds total scan time
- Graceful degradation: return partial results with limitation note
Monorepos
Detection: Check for lerna.json, nx.json, turbo.json, pnpm-workspace.yaml. Identify workspace structure (packages/, apps/).
Handling: Scan each workspace individually. Detect mobile + web combinations. Report tech stack per app with shared packages noted.
Hybrid Mobile Apps
Types:
- React Native with custom native modules (RN + Swift + Kotlin)
- Flutter with platform channels (Flutter + native iOS/Android code)
- Capacitor/Ionic (web app in native container)
Detection:
- React Native: ios/ and android/ with custom .swift or .kt files beyond standard RN setup
- Flutter: ios/Runner/ or android/app/ with custom native code
- Capacitor: capacitor.config.json present
Permission Issues
- Attempt to read file/directory
- If permission denied: log warning, continue with accessible files
- Report in scan_limitations
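A sketch of the large-codebase limits and the permission handling described above, added here as an example and not taken from the skill. The function name, the `partial` key, and the injectable `clock` parameter are assumptions; `test/` is always skipped for simplicity.

```python
import os
import time

SKIP_DIRS = {"node_modules", "dist", "build", ".git", "vendor", "test"}
PRIMARY_DIRS = ("src", "pages", "routes", "api", "lib")
MAX_FILES_PER_DIR = 100   # sample size per directory
MAX_SECONDS = 60.0        # total scan budget


def bounded_scan(root, max_seconds=MAX_SECONDS, clock=time.monotonic):
    """Collect file paths under the primary directories, degrading gracefully."""
    deadline = clock() + max_seconds
    files, limitations = [], []

    def on_error(err):
        # os.walk passes unreadable directories here; record them and keep scanning.
        limitations.append(f"unreadable: {err.filename} ({err.strerror})")

    for top in PRIMARY_DIRS:
        start = os.path.join(root, top)
        if not os.path.isdir(start):
            continue
        # followlinks=False stops a symlinked directory from leading the scan
        # outside the repository being scanned.
        for dirpath, dirnames, filenames in os.walk(start, onerror=on_error,
                                                    followlinks=False):
            if clock() > deadline:
                limitations.append(f"time budget of {max_seconds:g}s reached at {dirpath}")
                return {"files": files, "scan_limitations": limitations, "partial": True}
            # Prune skipped directories in place so os.walk never descends into them.
            dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
            filenames.sort()
            if len(filenames) > MAX_FILES_PER_DIR:
                limitations.append(
                    f"{dirpath}: sampled first {MAX_FILES_PER_DIR} of {len(filenames)} files")
            files += [os.path.join(dirpath, f) for f in filenames[:MAX_FILES_PER_DIR]]
    return {"files": files, "scan_limitations": limitations, "partial": bool(limitations)}
```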
Ambiguous Patterns
- If uncertain, assign lower confidence
- Provide evidence, let user decide
- Better to under-report than hallucinate
Deprecated Code
- Report what exists (facts)
- Flag as medium/low confidence if evidence is weak
- User validation catches deprecated features
Multi-Language Projects
- Scan all tech stacks present
- Report separately in tech_stack
- Note in confidence_notes
Empty Projects
- No src/, pages/, routes/, api/ directories and no manifests
- Return empty findings
- Note: "Project appears empty or very early stage"
- pm-setup falls back to manual questions