Fraunhofer-AISEC
diff --git a/‎.github/workflows/build.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/build.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎AGENTS.md‎
Lines changed: 143 additions & 0 deletions b/‎AGENTS.md‎
Lines changed: 143 additions & 0 deletions
diff --git a/‎codyze-console/README.md‎
Lines changed: 65 additions & 0 deletions b/‎codyze-console/README.md‎
Lines changed: 65 additions & 0 deletions
diff --git a/‎codyze-console/build.gradle.kts‎
Lines changed: 19 additions & 0 deletions b/‎codyze-console/build.gradle.kts‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎codyze-console/src/main/kotlin/de/fraunhofer/aisec/codyze/console/ConsoleService.kt‎
Lines changed: 6 additions & 0 deletions b/‎codyze-console/src/main/kotlin/de/fraunhofer/aisec/codyze/console/ConsoleService.kt‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎codyze-console/src/main/kotlin/de/fraunhofer/aisec/codyze/console/Main.kt‎
Lines changed: 42 additions & 6 deletions b/‎codyze-console/src/main/kotlin/de/fraunhofer/aisec/codyze/console/Main.kt‎
Lines changed: 42 additions & 6 deletions
@@ -67,7 +67,7 @@ jobs:
         uses: gradle/actions/setup-gradle@v5
       - name: Build ${{ env.version }}
         run: |
-          ./gradlew --parallel spotlessCheck -x spotlessApply build -x distZip -x distTar koverXmlReport koverHtmlReport performanceTest integrationTest
+          ./gradlew --parallel spotlessCheck -x spotlessApply build -x distZip -x distTar -x shadowJar -x shadowDistZip -x shadowDistTar koverXmlReport koverHtmlReport performanceTest integrationTest
         id: build
         env:
           ORG_GRADLE_PROJECT_version: ${{ env.version }}
 
@@ -0,0 +1,143 @@
+# AGENTS.md
+
+This file provides guidance to AI coding agents (Claude Code, Cursor, Codex, Gemini CLI, etc.) working in this repository.
+
+## Project Overview
+
+**CPG** is a code property graph library and analysis platform.
+
+Key modules:
+- **cpg-core** – Core library: AST nodes, graph structures, passes, type system
+- **cpg-analysis** – Higher-level analyses built on top of cpg-core (dataflow, control flow, call graphs, etc.)
+- **cpg-language-\*** – Language frontends, one module per language (e.g., `cpg-language-go`, `cpg-language-python`)
+- **cpg-concepts** – Concept and operation definitions
+- **cpg-mcp** – MCP server exposing CPG analysis tools (dataflow, symbol analysis, concept application) to LLMs via streamable HTTP
+- **codyze-console** – Web-based analysis UI with AI agent chat (see [Architecture](#codyze-console-architecture) below)
+
+## Technology Stack
+
+### Backend
+- **Language**: Kotlin (requires Java 21)
+- **Build**: Gradle with Kotlin DSL
+- **Testing**: JUnit 5, kotlin.test
+- **Formatting**: Google Java Style via spotless plugin
+
+### Frontend (`codyze-console/src/main/webapp`)
+- **Framework**: Svelte 5 with SvelteKit
+- **Styling**: Tailwind CSS
+- **Package Manager**: pnpm (not npm)
+
+## Development Commands
+
+### Build
+
+```bash
+# Full build (format + test + publish locally)
+./gradlew clean spotlessApply build publishToMavenLocal
+
+# Quick build
+./gradlew build
+
+# Build a single module
+./gradlew :cpg-core:build
+./gradlew :codyze-console:build
+```
+
+### Test & Quality
+
+```bash
+./gradlew test                  # Unit tests
+./gradlew integrationTest       # Integration tests
+./gradlew performanceTest       # Performance tests
+./gradlew spotlessApply         # Auto-format 
+./gradlew spotlessCheck         # Check formatting only
+```
+
+### Frontend (`codyze-console`)
+
+```bash
+cd codyze-console/src/main/webapp
+pnpm install        # Install dependencies
+pnpm run dev        # Dev server
+pnpm run build      # Production build
+pnpm run check      # Type check
+pnpm run lint       # Lint
+pnpm run format     # Format
+```
+
+### Backend (`codyze-console`)
+
+```bash
+./gradlew :codyze-console:compileKotlin --console=plain
+```
+
+### MCP Server (`cpg-mcp`)
+
+```bash
+./gradlew :cpg-mcp:installDist           # Build & install
+./gradlew :cpg-mcp:run                   # Run (stdio)
+./gradlew :cpg-mcp:run --args="--http 8080"  # Run with streamable HTTP on port 8080
+```
+
+## Code Conventions
+
+- Follow **Google Java Style** (enforced by spotless – run `./gradlew spotlessApply` before committing)
+- Kotlin idioms preferred over Java-style patterns
+- Use `kotlin.test` assertions in tests, not JUnit assertions directly
+- Frontend: use **Svelte 5 runes** exclusively (no legacy `$:` reactive syntax)
+
+## codyze-console Architecture
+
+codyze-console is a full-stack web application with a Ktor backend and a Svelte 5 SPA frontend. It provides code analysis capabilities and an AI agent chat interface.
+
+### Backend (`codyze-console/src/main/kotlin/.../console/`)
+
+| File / Package | Responsibility |
+|---|---|
+| `Main.kt` | Ktor/Netty entry point (port 8080), optionally starts MCP server on port 8081 |
+| `Router.kt` | REST API routes (`/api/analyze`, `/api/chat`, `/api/querytrees`, etc.) |
+| `ConsoleService.kt` | Core business logic: CPG analysis, QueryTree caching, concept management |
+| `Nodes.kt` | JSON serialization models and CPG node-to-JSON conversion |
+| `ai/ChatClient.kt` | MCP client + agentic tool-calling loop (connects to cpg-mcp via streamable HTTP) |
+| `ai/ChatService.kt` | Loads LLM config from HOCON, creates `ChatClient` with configured provider |
+| `ai/LlmClient.kt` | Provider-agnostic LLM interface (`sendPrompt` -> `List<ToolCall>`) |
+| `ai/OpenAiClient.kt` | OpenAI-compatible client (also works with Ollama, vLLM, MLX) |
+| `ai/GeminiClient.kt` | Google Gemini API client |
+| `ai/McpServerHelper.kt` | Reflection-based bridge to cpg-mcp; loads module dynamically so it remains an optional dependency |
+| `ai/ClientModels.kt` | Data classes for OpenAI/Gemini request/response formats |
+
+#### AI Agent Data Flow
+
+1. Frontend sends chat messages via `POST /api/chat` (SSE stream)
+2. `ChatClient` forwards to LLM with MCP tool definitions
+3. If LLM returns tool calls, `ChatClient` executes them against cpg-mcp via `mcp.callTool()`
+4. Tool results are streamed to the frontend and fed back to the LLM
+5. Loop repeats (max 8 iterations) until the LLM produces a text response
+
+#### MCP Integration
+
+codyze-console acts as both **MCP server host** and **MCP client**:
+- It starts the cpg-mcp server on port 8081 (via reflection, so cpg-mcp is an optional dependency)
+- `ChatClient` connects to it as a client using `StreamableHttpClientTransport`
+- After analysis, the global `TranslationResult` is injected into the MCP server so tools can access the CPG
+
+### Frontend (`codyze-console/src/main/webapp/src/`)
+
+| Directory | Content |
+|---|---|
+| `routes/` | SvelteKit pages: dashboard, components, requirements, chat, new-analysis |
+| `lib/components/ai-agent/` | Chat UI: `ChatInterface`, `WelcomeScreen`, `MessageInput`, `McpCapabilitiesModal` |
+| `lib/components/analysis/` | Code viewer, node tables, findings list, file tree |
+| `lib/components/requirements/` | Requirement cards, charts, QueryTree explorer (lazy-loading) |
+| `lib/services/apiService.ts` | SSE streaming utility (`streamPost` for `/api/chat`) |
+| `lib/services/llmAgent.ts` | Chat API facade wrapping `apiService` |
+| `lib/stores/queryTreeStore.ts` | In-memory cache for QueryTrees with batch fetching and lazy loading |
+| `lib/types.ts` | TypeScript interfaces mirroring backend JSON models |
+
+### API Endpoints
+
+**Analysis:** `POST /api/analyze`, `POST /api/reanalyze`, `GET /api/result`, `GET /api/component/{name}`
+
+**Chat & MCP:** `POST /api/chat` (SSE), `GET /api/chat/mcp/capabilities`, `POST /api/chat/mcp/prompts/{name}`, `GET /api/features`
+
+**Requirements:** `GET /api/requirement/{id}`, `GET /api/querytree/{id}`, `POST /api/querytrees` (batch), `GET /api/querytrees/{id}/parents`
@@ -0,0 +1,65 @@
+# Codyze Console
+
+A web application for Codyze with an optional AI chat, which is enhanced by an MCP client that acts as an agent.
+The agent uses the tools of the CPG MCP server to analyze code and answer questions.
+
+## Getting Started
+
+The easiest way to get started is by using the predefined IntelliJ run configurations in the `.run/` directory:
+- *Codyze Console* (standalone)
+- *Codyze Compliance Scan (with Console and Example)* (with an example project).
+
+Alternatively, starting the application from the command line:
+
+```bash
+# Start the console only
+./gradlew :codyze:run --args="console"
+
+# With an analysis of a project
+./gradlew :codyze:run --args="compliance scan --project-dir <path> --console=true"
+```
+
+The web console is available at `http://localhost:8080`.
+
+## AI Chat Features
+
+The AI chat requires the `cpg-mcp` module to be enabled and a configured LLM provider.
+
+### 1. Enable the `cpg-mcp` module
+
+Run the configuration script:
+
+```bash
+./configure_frontends.sh
+```
+
+Or enable it manually by setting `enableMCPModule=true` in `gradle.properties`.
+
+### 2. Configure your LLM provider
+
+Copy the example configuration:
+
+```bash
+cp codyze-console/src/main/resources/application.conf.example codyze-console/src/main/resources/application.conf
+```
+
+Then edit `application.conf` and set the `client` field of the provider:
+
+```hocon
+llm {
+  client = "ollama"
+
+  ollama {
+    baseUrl = "http://localhost:11434"
+    model = "llama3"
+  }
+
+  # ... other providers are preconfigured as placeholders.
+}
+```
+
+Currently, only Gemini and OpenAI-compatible endpoints are supported. The predefined clients (`ollama`, `vLLM`, `mlx`, etc.) use all the same OpenAI-compatible client internally. They are intended for testing and development and allows to switch between different server URLs without reconfiguring every time.
+
+### 3. MCP Server
+
+When `cpg-mcp` is enabled, the MCP server is automatically started on port `8081`. The AI chat connects to it as an MCP client to access the CPG tools (e.g., listing functions, records, and calls).
@@ -14,13 +14,32 @@ mavenPublishing {
     }
 }
 
+val mcpEnabled = findProject(":cpg-mcp") != null
+
 dependencies {
     // CPG modules
     implementation(projects.cpgConcepts)
+    implementation(projects.cpgSerialization)
+
+    // MCP dependencies
+    if (mcpEnabled) {
+        implementation(project(":cpg-mcp"))
+        // MCP SDK
+        implementation(libs.mcp)
+        // MCP Client SDK - for custom MCP client implementation
+        implementation(libs.mcp.client)
+    } else {
+        // MCP SDK only available at compile time so the files in `/ai` compile,
+        compileOnly(libs.mcp)
+        compileOnly(libs.mcp.client)
+    }
 
     // Ktor server dependencies
     implementation(libs.bundles.ktor)
 
+    // Ktor client dependencies
+    implementation(libs.bundles.ktor.client)
+
     // Serialization
     implementation(libs.kotlinx.serialization.json)
     implementation(libs.jacksonyml)
 
@@ -30,6 +30,7 @@ import com.fasterxml.jackson.databind.SerializationFeature
 import com.fasterxml.jackson.dataformat.yaml.YAMLFactory
 import de.fraunhofer.aisec.codyze.AnalysisProject
 import de.fraunhofer.aisec.codyze.AnalysisResult
+import de.fraunhofer.aisec.codyze.console.ai.McpServerHelper
 import de.fraunhofer.aisec.cpg.TranslationConfiguration
 import de.fraunhofer.aisec.cpg.graph.concepts.Concept
 import de.fraunhofer.aisec.cpg.graph.concepts.conceptBuildHelper
@@ -40,6 +41,8 @@ import de.fraunhofer.aisec.cpg.passes.concepts.LoadPersistedConcepts.PersistedCo
 import de.fraunhofer.aisec.cpg.passes.concepts.LoadPersistedConcepts.PersistedConcepts
 import de.fraunhofer.aisec.cpg.passes.concepts.config.python.PythonStdLibConfigurationPass
 import de.fraunhofer.aisec.cpg.query.QueryTree
+import de.fraunhofer.aisec.cpg.serialization.NodeJSON
+import de.fraunhofer.aisec.cpg.serialization.toJSON
 import java.io.File
 import java.nio.file.Path
 import kotlin.uuid.Uuid
@@ -125,6 +128,9 @@ class ConsoleService {
 
         val result = project.analyze()
 
+        // Update the global analysis result in the MCP server
+        McpServerHelper.setGlobalAnalysisResult(result.translationResult)
+
         // Populate QueryTree cache for lazy loading
         populateQueryTreeCache(result.requirementsResults)
 
 
@@ -25,34 +25,66 @@
  */
 package de.fraunhofer.aisec.codyze.console
 
-import io.ktor.http.HttpHeaders
+import de.fraunhofer.aisec.codyze.console.ai.ChatService
+import de.fraunhofer.aisec.codyze.console.ai.McpServerHelper
+import io.ktor.http.*
 import io.ktor.serialization.kotlinx.json.*
 import io.ktor.server.application.*
 import io.ktor.server.engine.*
 import io.ktor.server.netty.*
 import io.ktor.server.plugins.contentnegotiation.*
 import io.ktor.server.plugins.cors.routing.*
 import io.ktor.server.routing.*
+import kotlinx.coroutines.runBlocking
 import kotlinx.serialization.json.Json
+import org.slf4j.LoggerFactory
+
+private val log = LoggerFactory.getLogger("de.fraunhofer.aisec.codyze.console.Main")
 
 /**
  * This function starts the embedded server for the web console. It uses the Netty engine and
  * listens on [host] (default: localhost) at [port] (default: 8080). The server is configured using
  * the [configureWebconsole] function.
  */
 fun ConsoleService.startConsole(host: String = "localhost", port: Int = 8080) {
-    embeddedServer(Netty, host = host, port = port) { configureWebconsole(this@startConsole) }
+    val chatService: ChatService? =
+        if (McpServerHelper.isEnabled) {
+            runBlocking { initChatService() }
+        } else {
+            log.info("MCP module not enabled, AI chat features will be disabled")
+            null
+        }
+    embeddedServer(Netty, host = host, port = port) {
+            configureWebconsole(this@startConsole, chatService)
+        }
         .start(wait = true)
 }
 
+private suspend fun ConsoleService.initChatService(): ChatService? {
+    val chatService = ChatService.createIfConfigExist() ?: return null
+
+    McpServerHelper.startMcpServer(8081)
+
+    val translationResult = getTranslationResult()?.analysisResult?.translationResult
+    if (translationResult != null) {
+        McpServerHelper.setGlobalAnalysisResult(translationResult)
+    }
+    chatService.connect()
+    log.info("MCP client connected")
+    return chatService
+}
+
 /**
  * This function takes care of configuring the web console based on the [service]. It sets up the
  * CORS policy, content negotiation, and routing.
  *
  * Note: Currently, the CORS policy allows any host. This should be restricted to specific hosts in
  * a production environment and will be made available as an option later.
  */
-fun Application.configureWebconsole(service: ConsoleService = ConsoleService()) {
+fun Application.configureWebconsole(
+    service: ConsoleService = ConsoleService(),
+    chatService: ChatService? = null,
+) {
     install(CORS) {
         anyHost()
         allowHeader(HttpHeaders.ContentType)
@@ -67,17 +99,21 @@ fun Application.configureWebconsole(service: ConsoleService = ConsoleService())
         )
     }
 
-    configureRouting(service)
+    configureRouting(service, chatService)
 }
 
 /**
  * This function sets up the routing for the web console. It defines the API routes and static
  * resources (for serving the single-page application frontend).
  */
-fun Application.configureRouting(service: ConsoleService) {
+fun Application.configureRouting(service: ConsoleService, chatService: ChatService? = null) {
     routing {
-        // We'll add routes here
         apiRoutes(service)
+        // If the cpg-mcp module is enabled, chatService won't be null, so the endpoints will be
+        // reachable
+        if (chatService != null) {
+            chatRoutes(chatService)
+        }
         frontendRoutes()
     }
 }