Coderot — Refactor Priority Engine
Know what to fix. Fix it first.
coderot analyzes your TypeScript and JavaScript codebase and produces a prioritized refactor roadmap — every file scored by impact, sorted by risk. Stop guessing. Start with the file that matters most.
What it does
Most tools tell you what is wrong. coderot tells you which wrong thing to fix first.
It combines three signals into a single Impact Score (0–100) per file:
| Signal | Weight | What it measures |
|---|---|---|
| Dependency graph | 30% | How many files import this one |
| Git churn | 25% | Commit frequency over the last 90 days |
| Static complexity | 20% | Cyclomatic complexity, nesting depth, function length |
| Issue severity | 15% | Weighted count of detected code issues |
| File size | 10% | Lines of non-comment code |
A file with a score of 78 is complex, changes frequently, and is imported by many other files. Fix it before it causes an incident.
How to use
1. Install the CLI
The extension requires the coderot-engine CLI to be installed globally:
npm install -g coderot-engine
2. Run the analysis
Open any TypeScript or JavaScript project, then:
- Command Palette: Cmd+Shift+P → Coderot: Analyze Workspace
- Activity Bar: click the coderot icon in the sidebar and press the analyze button
- Status Bar: click the $(bug) Coderot item at the bottom of the window
3. Read the results
The analysis runs locally and produces three outputs simultaneously:
Refactor Roadmap sidebar — files sorted by impact score, highest risk first. Each item shows the score and opens the file on click.
Inline diagnostics (squiggles) — every detected issue appears as a squiggle in the editor and in the Problems panel:
| Severity | Appears as |
|---|---|
| CRITICAL | Error (red squiggle) |
| HIGH | Warning (yellow squiggle) |
| MEDIUM | Information (blue squiggle) |
| LOW | Hint |
Status bar — updates after each scan to show the number of critical-risk files at a glance.
Requirements
The extension will show a clear error message if coderot-engine is not found in your PATH.
What gets detected
coderot runs 38+ rules across five categories:
Async & Promise issues
- Async functions without error handling (unhandled-async-risk)
- Floating promises not awaited or handled (detached-promise)
- Empty catch blocks that silently swallow errors (swallowed-exception)
- await inside loops causing sequential execution (async-loop-antipattern)
- Sequential awaits for independent calls (parallel-await)
Complexity issues
- Cyclomatic complexity above threshold (cyclomatic-risk) — HIGH at >10, CRITICAL at >20
- Functions exceeding recommended line length (function-body-length)
- Excessive nesting depth (nesting-depth-risk)
- Too many parameters (too-many-params)
Type safety issues
- Variables assigned without type annotations (inferred-any-assignment)
- Exported functions missing return types (implicit-return-type)
- Direct array index access without guards (unguarded-array-index)
- Union type parameters accessed without type guards (missing-type-guard)
- String literals where enums should be used (prefer-enum-over-literal)
Architecture issues
- Bus factor risk — single author on widely-imported files (bus-factor-risk)
- Dead exports — symbols exported but never imported (dead-export)
- Import coupling — too many imports in one file (import-coupling)
- Circular dependencies (import-cycle)
Code hygiene
- Console statements left in production code (debug-output-leak)
- Magic numbers without named constants (unnamed-constant)
- Missing test files for source modules (untested-module)
- Inconsistent return paths (mixed-return-type)
Privacy & Security
- Runs 100% locally — no data leaves your machine
- Zero network calls — no telemetry, no analytics, no outbound connections
- Uses execFile (never exec) — shell injection is structurally impossible
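The difference the last bullet relies on, shown as an added example (not coderot's own code): the same workspace path passed through `exec` and through `execFile`, using the synchronous variants, which have the same shell behaviour. It assumes a POSIX shell; the `print-argv.js` stand-in CLI, the workspace path and the function names are constructed for illustration.

```javascript
const { execSync, execFileSync } = require('node:child_process');
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Stand-in for an analysis CLI (constructed): prints the arguments it received.
const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'argv-demo-'));
const CLI = path.join(tmp, 'print-argv.js');
fs.writeFileSync(CLI, 'console.log(JSON.stringify(process.argv.slice(2)));\n');
const NODE = process.execPath;

// Constructed workspace path whose folder name contains shell metacharacters.
const WORKSPACE = '/tmp/proj; echo INJECTED';

// Weak: the path is concatenated into a string that /bin/sh parses first,
// so everything after ';' runs as a second command.
function viaExec(dir) {
  const out = execSync(`"${NODE}" "${CLI}" ${dir}`, { encoding: 'utf8' });
  return out.trim().split('\n');
}

// execFile family: no shell, each array element is exactly one argv entry.
// Passing { shell: true } hands the joined string back to a shell and
// removes that guarantee.
function viaExecFile(dir, options = {}) {
  const out = execFileSync(NODE, [CLI, dir], { encoding: 'utf8', ...options });
  return out.trim().split('\n');
}

// execFile stops shell parsing, not option injection: a value starting with
// '-' could still be read as a flag by the child. An absolute path cannot.
function asPathArgument(dir) {
  return path.resolve(dir);
}

console.log('exec             :', viaExec(WORKSPACE));
console.log('execFile         :', viaExecFile(WORKSPACE));
console.log('execFile + shell :', viaExecFile(WORKSPACE, { shell: true }));
console.log('path argument    :', asPathArgument('--config=x'));
```

When reviewing an extension that makes this claim, check that no `execFile` or `spawn` call sets the `shell` option and that user-controlled values are passed as separate array elements.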