All notable changes to this project will be documented in this file. See commit-and-tag-version for commit guidelines.
3.9.4 (2026-04-17)
Resolution accuracy and incremental-build reliability. The JS/TS extractor now resolves named function references passed as callback arguments — Express middleware, event handlers, Array.map/.filter/.then callbacks, and destructured handler bindings are tracked as real call edges instead of appearing as dead code. On a 1 895-file TypeScript monorepo this surfaced 21 previously-invisible callers of a single auth middleware. A version-mismatch bug that silently forced every native incremental build into a full 5.8s rebuild is fixed — no-op rebuilds now exit in ~200ms. Three WASM incremental-build bugs are also fixed: edge loss during reverse-dep purges, unnecessary reparses, and a V8 crash during GC of orphaned WASM trees. Fan-in/out and import counts are now consistent between full and incremental build paths.
- js-extractor: resolve named function references passed as arguments — middleware, callback, and handler references emit dynamic call edges; destructured bindings from factory calls emit function definitions, eliminating false "dead-unresolved" results for functions passed by reference (#947)
- wasm: resolve incremental edge loss, unnecessary reparses, and V8 crash — save-and-reconnect approach preserves edges without reparsing reverse-dep files; error-path tree cleanup prevents GC crashes (#938)
- native: resolve version-mismatch that broke incremental builds — no-op rebuild dropped from 5.8s to 214ms (#928, #930)
- structure: reconcile
import_countsemantics between fast path and full path — both paths now consistently count distinct imported files (#942) - include
imports-typein fast-pathfan_in/fan_outqueries — aligns incremental metrics with full-build behavior for files with type-only imports (#948) - rust: fix test compilation errors in extractor tests — renamed
Import.path→Import.sourceand missingbuild_import_edgesarguments (#950) - ci: add resilience to Claude Code workflow for fork branch races — concurrency groups and pre-flight branch verification with 3 retries (#949)
- native: port full-build structure computation to Rust — eliminates JS DB round-trip through
reconstructFileSymbolsFromDb()on full builds (#937) - native: defer
NativeDatabase.openReadWriteuntil after change detection — saves ~60ms on every incremental build invocation, no-op builds exit before opening native connection (#939) - native: raise native edge-building threshold to
smallFilesThreshold— small incrementals (≤5 files) use JS edge path to avoid napi-rs marshaling overhead (#940)
- disable adaptive thinking via
CLAUDE_CODE_DISABLE_ADAPTIVE_THINKINGenv var (#943)
3.9.3 (2026-04-12)
Native engine parity and build performance. The Rust engine now produces identical role classifications as the JS fallback — reexport chains, type-only imports, and constant classification all match. Build performance improves across the board: the entire analysis pipeline (complexity, CFG, dataflow, AST) now runs inside the Rust orchestrator on a single rusqlite connection, batched WAL checkpoints cut incremental rebuild overhead by 49%, and a full-build regression from v3.9.2 is fixed. A new CI parity job catches engine divergences before they ship. The incremental rebuild guide documents what data requires a full rebuild and adds automatic 24h staleness detection to Claude Code hooks.
- native: align Rust role classification with JS — reexport chains, type-only imports, constant classification (#918)
- native: strip pre-release suffix in semverCompare — dev builds were silently falling back to JS pipeline (#898)
- test: restore strict parity assertions and add dedicated CI parity job (#916)
- release: decouple version bumps from release PRs to fix CI failures (#893)
- native: move analysis persistence (AST, complexity, CFG, dataflow) into Rust orchestrator — eliminates JS WASM re-parse (#907)
- native: use single rusqlite connection for entire build pipeline — 12% faster full builds, 30% faster incremental, 14% smaller DB (#897)
- native: fix full-build regression from NativeDbProxy overhead (#906)
- incremental: batch WAL checkpoints and fix native CFG bulk insert — 49% faster incremental rebuilds (#917)
- query: fix diffImpact latency regression from redundant config loading (#905)
- adopt dead helpers across codebase — 28 files, -30 net lines (#895)
- incremental vs full rebuild guide with automatic 24h staleness check (#919)
- update build, query, and incremental benchmarks for 3.9.2 (#900, #901, #902)
- deps: bump web-tree-sitter from 0.26.7 to 0.26.8 (#913)
- deps: bump actions/setup-go from 5 to 6, actions/github-script from 8 to 9, actions/setup-python from 5 to 6 (#910, #909, #908)
- deps-dev: bump vitest from 4.1.2 to 4.1.4, @vitest/coverage-v8 from 4.1.2 to 4.1.4 (#915, #912)
- deps-dev: bump tree-sitter-cli from 0.26.7 to 0.26.8, @biomejs/biome from 2.4.10 to 2.4.11 (#911, #914)
3.9.2 (2026-04-06)
Engine parity fix and build performance improvements. This patch fixes a native engine deduplication bug that caused divergent results when multiple type map entries existed for the same symbol, improving engine parity. Build performance improves with deferred native database initialization (skipping the native DB entirely on no-op rebuilds) and a fix for an incremental rebuild regression introduced in v3.9.1. The resolution benchmark suite is significantly expanded with dynamic call tracing across all language fixtures, and the release workflow now gates on precision/recall thresholds.
- native: confidence-aware dedup in type map for engine parity (#885)
- defer NativeDatabase init to after no-op early exit (#884)
- native: fix incremental rebuild regression (#882, #888)
- ci: gate release workflow on resolution precision/recall thresholds (#886)
- bench: resolution benchmark v2 — dynamic tracing, 14 languages, per-mode categories (#878)
- bench: extend dynamic call tracing to all language fixtures (#883)
3.9.1 (2026-04-05)
Dead code accuracy, native query performance, and supply-chain hardening. This release significantly improves dead code detection — class instantiations via new, type-only imports, barrel re-exports, and same-file constants are now correctly tracked as consumption. The native Rust engine gains a composite fnDeps query that runs dependency resolution in a single cross-language call, and a critical 1238% incremental rebuild regression from v3.9.0 is fixed. WASM grammar validation and npm audit harden the build pipeline. CLI reliability improves with a fix for hangs in git worktree environments.
- track class instantiation (
new) as consumption for dead code detection (#861) - resolve type-only imports for dead code analysis (#862)
- trace barrel re-exports in role classification (#860)
- recognize same-file constant consumption in dead code detector (#859)
- resolve codegraph CLI hangs in git worktrees (#863)
- use shared
shouldIgnore/isSupportedFilein watcher (#864) - resolve barrel resolution quality and cycle regression (#848)
- show both engines side-by-side in README benchmark table (#826)
- release config script validation and broken postbump (#825)
- native: lower version gate for native orchestrator (#867)
- native: correct incremental purge, scoped deletion, and barrel resolution (#865)
- ci: retry npm publish on transient registry errors (#833)
- ci: upgrade publish job to Node 24 for OIDC trusted publishing (#850)
- ci: add npm auth debug step and fix publish retry logic (#835)
- perf: wire engine selection through openRepo to fix query benchmarks (#869)
- bench: attribute unified walk time to per-phase timers (#858)
- native: decompose core Rust algorithms and pipeline (#845)
- native: extract constants and shared barrel resolution (#842)
- native: flatten and decompose extractor match arms (#844)
- DRY shared abstractions in TS features (#843)
- decompose TS complexity and build pipeline (#846)
- improve TS code quality across modules (#847)
- security: WASM grammar validation and npm audit CI (#834)
- deps: bump @modelcontextprotocol/sdk from 1.28.0 to 1.29.0 (#829)
- deps-dev: bump @huggingface/transformers from 3.8.1 to 4.0.1 (#831)
- deps-dev: bump @biomejs/biome from 2.4.9 to 2.4.10 (#828)
- deps-dev: bump tree-sitter-gleam (#830)
- deps-dev: bump tree-sitter-erlang from 0.0.0 to 0.15 (#827)
3.9.0 (2026-04-04)
Engine parity hardening and cross-database queries. This release closes the remaining native/WASM divergences — node counts, edge counts, complexity metrics, and import resolution now match across engines. A new --db flag on branch-compare and info lets you point at any .codegraph/graph.db, enabling cross-repo comparisons without rebuilding. WASM grammar loading is now lazy during incremental rebuilds, cutting rebuild times for large codebases. Windows users get a fix for ENOENT failures during auto-install.
- cli: add
--dbflag tobranch-compareandinfocommands for cross-database queries (#820) - add resolution precision/recall metrics and version stamp to README benchmarks (#796)
- respect
--engine wasmin pipeline guard (#819) - resolve npm ENOENT on Windows for auto-install (#818)
- resolve native/WASM engine divergence in node and edge counts (#810)
- native: resolve importedNames priority and type map scope collisions (#811)
- native: resolve import path mismatch and add post-native structure phase (#807)
- native: extract export name for destructured dynamic imports (#813)
- native: fix incremental barrel edges, median parity, and analysis data loss (#806)
- parity: align native vs WASM complexity metrics (#809)
- v3.8.1 regression fixes (fnDeps, WASM lazy-load, edge parity, CI guard) (#815)
- ci: remove npm self-upgrade that breaks publish workflow (#790)
- lazy-load WASM grammars for incremental rebuilds (#808)
3.8.1 (2026-04-03)
Windows stability, native engine fixes, and large-codebase performance. This patch hardens the v3.8.0 release with critical Windows fixes (polling watcher to avoid ReFS BSOD, Windows-scoped import-edge handling), several native engine corrections (dataflow parameter indexing, embedding path resolution, build orchestrator sequencing), and performance improvements for large codebases — cycle detection and stats queries are faster, and query-time analysis now routes through the native Rust engine.
- native: resolve dataflow null paramIndex and import edge key mismatch (#788)
- native: keep nativeDb open through finalize for correct build_meta (#784)
- embed: handle absolute file paths from native engine (#780, #783)
- default watcher to polling on Windows to avoid ReFS BSOD (#778)
- scope native import-edge skip to Windows only (#777)
- run analysis phases after native Rust build orchestrator (#757)
- skip native build orchestrator for addon ≤3.8.0 and fix path bug (#758)
- auto-install @huggingface/transformers in non-TTY environments (#779)
- remove duplicate function definitions in leiden optimiser (#786)
- replace empty catch blocks with structured error handling (#764)
- replace console.log with structured logging in non-CLI-output code (#765)
- ci: add concurrency group to codegraph-impact workflow (#785)
- bench: resolve query benchmark CI failure and increase embedding timeout (#749)
- route query analysis through native Rust engine (#745)
- optimize cycles and stats for large codebases (#781)
- filter reverse-dep files from native build analysis scope (#782)
- forward langId hint to native standalone analysis functions (#743)
- decompose ast-analysis visitor framework (#771)
- Titan v3.8.0 — decompose god-functions, structured logging, error handling (#775)
- extract class declaration handlers in language extractors (#769)
- split hybridSearchData into keyword, vector, and merge steps (#768)
- decompose makePartition into focused graph operations (#766)
- extract rendering sub-functions from inspect and diff-impact-mermaid (#767)
- address quality warnings in shared modules (#770)
3.8.0 (2026-04-01)
34 languages and a fully native build pipeline. This release completes Phase 7 (Expanded Language Support) by shipping the final 11 languages — F#, Gleam, Clojure, Julia, R, Erlang, Solidity, Objective-C, CUDA, Groovy, and Verilog — bringing codegraph from 23 to 34 supported languages. On the performance side, the entire build pipeline now runs natively in Rust: graph algorithms (BFS, shortest path, Louvain, centrality), import edge building with barrel resolution, and build-glue queries all migrate from JS to napi-rs. A new Rust build orchestration layer coordinates the full native pipeline end-to-end.
- add F#, Gleam, Clojure, Julia, R, Erlang language support (#722)
- add Solidity, Objective-C, CUDA, Groovy, Verilog language support (#729)
- full Rust build orchestration (#740)
- native: enable bulkInsertNodes native path (#736)
- native: enable bulkInsertNodes native path — null-visibility serialisation (#737)
- native: prevent SQLITE_CORRUPT in incremental pipeline (#728)
- ocaml: use LANGUAGE_OCAML_INTERFACE grammar for .mli files (#730)
- address unresolved review feedback from batch4 language extractors (#731)
- bench: report partial native results when incremental rebuild fails (#741)
- migrate graph algorithms (BFS, shortest path, Louvain, centrality) to Rust (#732)
- migrate import edge building + barrel resolution to Rust (#738)
- native: expose standalone complexity/CFG/dataflow analysis via napi-rs (#733)
- native Rust build-glue queries (detect-changes, finalize, incremental) (#735)
- native: remove call kind from AST node extraction (#734)
3.7.0 (2026-03-30)
Six more languages and a CFG stability fix. Codegraph now supports Elixir, Lua, Dart, Zig, Haskell, and OCaml — bringing the total to 23 languages with dual-engine extractors. A WAL conflict in the native CFG bulk-insert path is also fixed, preventing database corruption when JS and native connections overlap during control-flow graph writes.
- add Elixir, Lua, Dart, Zig, Haskell, OCaml language support (#718)
- cfg: avoid dual-connection WAL conflict in native bulkInsertCfg (#719)
3.6.0 (2026-03-30)
Six new languages: Elixir, Lua, Dart, Zig, Haskell, OCaml. This release adds first-class support for Elixir, Lua, Dart, Zig, Haskell, and OCaml — bringing the total supported languages to 23. Each language ships with dual-engine extractors (WASM TypeScript + native Rust), AST configs, and parser tests. The native Rust engine gains batched query methods for the read path, WAL corruption is fixed when native and JS connections overlap, and WASM call-AST extraction is restored for full engine parity.
- add C, C++, Kotlin, Swift, Scala, Bash language support (#708)
- parity: restore call AST node extraction in WASM engine (#705)
- native: suspend JS connection around native writes to prevent WAL corruption (#704)
- native visibility crash and dual-SQLite WAL corruption in benchmarks (#689)
- ci: resolve visibility null crash and sequence dataflow annotation (#693)
- publish: update repository URLs for npm provenance (#682)
- queries: batched native Rust query methods for read path (#698)
- extractors: parser abstraction layer (Phase 7.1) (#700)
- native: extract generic walk_tree to eliminate walk_node_depth duplication (#703)
- remove dead WASM call-AST extraction and pre-3.2 edge shim (#686)
- Titan audit — decompose, reduce complexity, remove dead code (#699)
3.5.0 (2026-03-29)
Full rusqlite database migration and sub-100ms incremental rebuilds. This release completes the migration of all SQLite operations from better-sqlite3 to native Rust/rusqlite via napi-rs, delivering major performance gains across the entire build pipeline. Incremental rebuilds drop from 466ms to 67–80ms, and bulk inserts for nodes, edges, roles, AST nodes, CFG, and dataflow all run through the native engine. better-sqlite3 is now lazy-loaded only as a fallback. Path aliases are restored with TS 6.x-compatible subpath imports, and several WASM/native parity bugs are fixed.
- config: restore path aliases with TS 6.x-compatible subpath imports (#672)
- db: fold reverse-dep edge deletion into NativeDatabase.purgeFilesData (#670, #679)
- wasm: extract call-site AST nodes in ast-store-visitor (#678)
- parser: close WASM–native engine parity gap (#649, #657)
- test: remove constant-kind exclusion from parity test (#676, #680)
- db: NativeDatabase napi-rs class for rusqlite connection lifecycle (6.13) (#666)
- db: migrate Repository read queries to NativeDatabase rusqlite (6.14) (#671)
- db: migrate build pipeline writes to NativeDatabase (6.15) (#669)
- db: generic query execution on NativeDatabase (6.16) (#677)
- db: bulk CFG and dataflow DB writes via rusqlite (#653)
- build: native Rust/rusqlite for roles & edge insertion (6.12) (#658)
- insert-nodes: native Rust/rusqlite pipeline for node insertion (#654)
- ast: bulk-insert AST nodes via native Rust/rusqlite (#651)
- sub-100ms incremental rebuilds (466ms → 67–80ms) (#644)
- hooks: narrow Bash hook matchers to git commands only (#655)
- db: lazy-load better-sqlite3 and remove standalone napi functions (6.17) (#673)
- deps: upgrade TypeScript from 5.9 to 6.0 (#667)
- deps: bump @modelcontextprotocol/sdk from 1.27.1 to 1.28.0 (#664)
- deps-dev: bump @vitest/coverage-v8 from 4.1.1 to 4.1.2 (#662)
- deps-dev: bump @biomejs/biome from 2.4.8 to 2.4.9 (#661)
3.4.1 (2026-03-26)
Post-migration stabilization and native engine accuracy. This release fixes a Rust findCaller bug that misattributed 68 call edges, adds compound database indexes to restore query performance after the TypeScript migration, and delivers a 96% speedup to incremental role classification (255ms → 9ms). WASM builds are more resilient, incremental rebuilds handle JSONC and version changes correctly, and error handling is safer across the board.
- native: remove spurious else-if in Rust
findCallerthat misattributed 68 call edges (#637) - native: recurse into
await_expressionchildren inwalk_ast_nodes(#618) - build: JSONC parse and version-aware incremental rebuilds (#631)
- WASM build resilience and lint cleanup from TypeScript migration (#629)
- dogfood fixes 9.1–9.4 — version warning, barrel exports, quieter tsconfig, Set compatibility (#634)
- use safe error coercion in debug catch blocks (#630)
- add debug logging to empty catch blocks across infrastructure and domain layers (#616)
- bench: use
dist/for npm benchmark installs to avoid Node type-stripping error (#624) - bench: repair benchmark workflow broken by TypeScript migration (#612)
- skills: prevent
/reviewfrom spamming@greptileaiwhen already approved (#628)
- db: add compound indexes to fix query regression from TypeScript migration (#632)
- build: incremental rebuild optimizations — roles 255ms → 9ms (#622)
- errors: extract shared
toErrorMessagehelper (#633) - extract
MAX_WALK_DEPTHconstant to extractors helpers (#620) - address SLOC warnings in domain and features layers (#621)
- split
cfg-visitor.tsby control-flow construct (#619)
- titan: first full Titan Paradigm pipeline run — audit report generation and skill improvements (#623)
3.4.0 (2026-03-25)
TypeScript migration complete, Leiden community detection, and native engine hardening. The entire codebase — all 271 source files — is now TypeScript with zero .js files remaining. Community detection upgrades from Louvain to a vendored Leiden algorithm with true probabilistic refinement, removing the graphology dependency. Go gains structural interface matching and C# gets proper implements disambiguation. The native Rust engine now extracts call-site AST nodes and bypasses the JS CFG visitor entirely on native builds. MCP server shutdown is graceful, and several edge-attribution and WASM fallback bugs are fixed.
- types: complete TypeScript migration — all 271 source files migrated from JavaScript, zero
.jsfiles remaining. Covers leaf modules, core domain, graph algorithms, builder stages, search, CLI layer (48 command handlers), AST analysis, features, presentation, MCP tools, and test suite (#553, #554, #555, #558, #566, #570, #579, #580, #581, #588) - communities: vendor Leiden community detection algorithm, replacing
graphology-communities-louvain— full control over resolution, quality functions, and probabilistic refinement (#545, #552, #556) - resolution: Go structural interface matching — post-extraction pass matches struct method sets against interface method sets; C#
implementsdisambiguation via post-walk reclassification ofextendsentries targeting known interfaces (#522) - native: extract call-site AST nodes in Rust during native parse, fixing WASM fallback path for incomplete extraction (#591)
- native: extract
base_listfor C# classes in the Rust engine (#577) - cfg: bypass JS CFG visitor entirely on native builds; fix Go
for-rangeCFG parity between engines (#595)
- edges: remove
findCallerfallback that misattributed file-scope calls to unrelated functions (#607) - mcp: add graceful shutdown to prevent "MCP Failed" errors on session clear (#598)
- resolver: apply JS-side
.js→.tsextension remap after native resolution (#594) - resolver: normalize paths in native resolver for
.js→.tsremap (#600) - deps: patch 5 high-severity transitive vulnerabilities (#583)
- types: narrow parser return types,
cachedStmtinbuildTestFileIds, WASM parser path, and triage query results (#569, #576, #578) - scripts: use version-aware
strip-typesflag inpackage.jsonscripts (#599) - tests: use
fs.cpSyncfor fixture copy to handle subdirectories (#584)
- native: fix WASM fallback bypass so native builds skip redundant JS analysis passes; batch SQL inserts for node/edge operations (#606)
- queries: apply
cachedStmttobuildTestFileIdsstatic SQL for faster test filtering (#575)
- strengthen weak assertions and add presentation layer coverage (#586)
- add
npm run benchscript and stale embeddings warning (#604) - bump
commit-and-tag-version,tree-sitter-cli,web-tree-sitter,@commitlint/cli,@commitlint/config-conventional(#560, #561, #562, #563, #564)
- constants:
EXTENSIONSandIGNORE_DIRSin the programmatic API are nowSet<string>(changed during TypeScript migration). Both expose a.toArray()convenience method for consumers that need array semantics.
3.3.1 (2026-03-20)
Incremental rebuild accuracy and post-3.3.0 stabilization. This patch fixes a critical edge gap in the file watcher's single-file rebuild path where call edges were silently dropped during incremental rebuilds, aligns the native Rust engine's edge builder kind filters with the JS engine for parity, plugs a WASM tree memory leak in native engine typeMap backfill, and restores query performance to pre-3.1.4 levels. Several post-reorganization import path issues are also corrected.
- watcher: close edge gap in single-file rebuild — incremental rebuilds now correctly preserve call edges by coercing native typeMap arrays to Maps and rebuilding edges for reverse-dependency files (#533, #542)
- native: align edge builder kind filters with JS engine parity — ensures native and WASM engines produce identical edge sets (#541)
- native: free leaked WASM trees in native engine typeMap backfill (#534)
- cli: correct
astcommand import path after src/ reorganization (#532) - benchmarks: stabilize benchmark targets across engines and preserve README links (#527)
- benchmarks: update benchmark script import paths after src/ restructure (#521)
- ci: sync Cargo.toml version before native binary build (#538)
- queries: reduce query latency regression from 3.1.4 to 3.3.0 — cached prepared statements for
findReverseDepsanddeleteOutgoingEdges(#528)
- watcher: incremental edge parity CI check — ensures watcher rebuilds produce identical edge sets to full builds (#539)
- ci: add dynamic import verification to catch stale paths (#540)
3.3.0 (2026-03-19)
Resolution accuracy reaches a new level. This release delivers Phase 4 resolution improvements — type inference across all typed languages, receiver type tracking with graded confidence, package.json exports field resolution, and monorepo workspace resolution. Method calls like repo.findCallers() now resolve through receiver types instead of matching any findCallers in scope. Barrel files correctly show re-exported symbols. A precision/recall benchmark suite tracks call resolution accuracy across versions. On the infrastructure side, all hardcoded behavioral constants are centralized into DEFAULTS with recursive deep merge, and the TypeScript migration begins with project setup and core type definitions.
- resolution: type inference for all typed languages (TS, Java, Go, Rust, C#, PHP, Python) —
obj.method()resolves through declared types in both WASM and native engines (#501) - resolution: receiver type tracking with graded confidence — constructors (
new Foo()) at 1.0, annotations at 0.9, factory methods at 0.7; highest-confidence assignment wins per variable (#505) - resolution:
package.jsonexportsfield and monorepo workspace resolution — conditional exports, subpath patterns, npm/pnpm/Yarn workspaces resolved with high confidence instead of brute-force filesystem probing (#509) - exports: show re-exported symbols for barrel files —
codegraph exportsnow traces through re-exports to show the actual consumers of each symbol (#515) - roles: dead role sub-categories —
dead-leaf,dead-entry,dead-ffi,dead-unresolvedreplace the coarsedeadrole for more precise dead code classification (#504) - config: centralize all hardcoded behavioral constants into
DEFAULTSwith recursive deep merge — partial.codegraphrc.jsonoverrides now preserve sibling keys (#506) - benchmarks: call resolution precision/recall benchmark suite — hand-annotated fixtures per language with expected-edges manifests, CI gate on accuracy regression (#507)
- benchmarks: child-process isolation for benchmarks — benchmark runner spawns builds in separate processes to prevent state leaks (#512)
- typescript: project setup for incremental migration —
tsconfig.json, build pipeline,dist/output with source maps (#508) - typescript: core type definitions (
src/types.ts) — comprehensive types for symbols, edges, nodes, config, queries, and all domain model interfaces (#516) - languages: add
.pyi,.phtml,.rake,.gemspecextensions to Python, PHP, and Ruby parsers (#502)
- cli: reword misleading 'stale' warning in
codegraph info— no longer implies the graph is broken when it's simply older than some files (#510) - skills: update dogfood and release skill templates to match current CLI surface (#511)
3.2.0 (2026-03-17)
Post-Phase 3 decomposition and dead code accuracy. This release completes a thorough decomposition of the remaining monolithic modules — language extractors, AST analysis visitors, domain analysis functions, and feature modules are all broken into focused, single-responsibility helpers. Dead code detection now correctly classifies symbols that are only referenced by tests as "test-only" instead of "dead", and constants are properly included in edge building so they no longer appear as false-positive dead exports. A new brief command provides token-efficient file summaries designed for AI hook context injection. The native engine gains a MAX_WALK_DEPTH guard to prevent stack overflows on deeply nested ASTs.
- cli:
codegraph brief <file>command — token-efficient file summary with symbols, roles, caller counts, and risk tiers; designed for hook-based context injection (#480)
- roles: classify test-only-called symbols as "test-only" instead of "dead" — reduces false positives in dead code detection (#497)
- builder: include constant nodes in edge building — constants no longer appear as false-positive dead exports (#495)
- native: add MAX_WALK_DEPTH guard to native engine AST walkers — prevents stack overflows on deeply nested files (#484)
- cli: support repeated
--fileflag for multi-file scoping across all commands (#498) - versioning: use semver-compliant dev version numbering (
-dev.0suffix instead of non-standard format) (#479)
- extractors: decompose monolithic language extractors (JS/TS, Python, Java) into per-category handlers (#490)
- ast-analysis: decompose AST analysis visitors and domain builder stages into focused helpers (#491)
- domain: decompose domain analysis and feature modules into single-responsibility functions (#492)
- presentation: split data fetching from formatting and extract CLI/MCP subcommand dispatch (#493)
- cleanup: dead code removal, shared abstractions, and empty catch block replacement across all layers (#489)
3.1.5 (2026-03-16)
Phase 3 architectural refactoring completes. This release finishes the remaining two Phase 3 roadmap tasks — domain directory grouping (3.15) and CLI composability (3.16) — bringing Phase 3 to 14 of 14 tasks complete. The src/ directory is now reorganized into domain/, features/, and presentation/ layers. A new openGraph() helper eliminates DB-open/close boilerplate across CLI commands, and a universal output formatter adds --table and --csv output to all commands. Several post-reorganization bugs are fixed: complexity/CFG/dataflow analysis restored after the move, MCP server imports corrected, worktree boundary escapes prevented, CJS require() support added, and LIKE wildcard injection in queries patched.
- cli:
openGraph()helper and universal output formatter with--tableand--csvoutput formats — eliminates per-command DB boilerplate and format-switching logic (#461)
- builder: restore complexity/CFG/dataflow analysis that silently stopped running after src/ reorganization (#469)
- db: prevent
findDbPathfrom escaping git worktree boundary — stops codegraph from accidentally using a parent repo's database (#457) - mcp: update MCP server import path after src/ reorganization (#466)
- api: add CJS
require()support to package exports — fixesERR_REQUIRE_ESMfor CommonJS consumers (#472) - db: escape LIKE wildcards in
NodeQuery.fileFilterandnameLike— prevents filenames containing%or_from matching unrelated rows (#446)
- architecture: reorganize
src/intodomain/,features/,presentation/layers — completes Phase 3.15 domain directory grouping (#456) - architecture: move remaining flat
src/files into subdirectories (#458) - architecture: resolve three post-reorganization issues (circular imports, barrel exports, path corrections) (#459)
- queries: deduplicate BFS impact traversal and centralize config loading (#463)
- tests: migrate integration tests to InMemoryRepository for faster execution (#462)
- db: add
findRepoRootandfindDbPathceiling boundary tests (#475)
3.1.4 (2026-03-16)
Phase 3 architectural refactoring reaches near-completion. This release delivers 11 of 14 roadmap tasks in Phase 3 (Vertical Slice Architecture), restructuring the codebase from a flat collection of large files into a modular subsystem layout. The 3,395-line queries.js is decomposed into src/analysis/ and src/shared/ modules. The MCP tool registry becomes composable. CLI commands are self-contained modules under src/commands/. A domain error hierarchy replaces ad-hoc throws. The build pipeline is decomposed into named stages. The embedder is extracted into src/embeddings/ with pluggable stores and search strategies. A unified graph model (src/graph/) consolidates four parallel graph representations. Nodes gain qualified names, hierarchical scoping, and visibility metadata. An InMemoryRepository enables fast unit testing without SQLite. The presentation layer (src/presentation/) separates all output formatting from domain logic. better-sqlite3 is bumped to 12.8.0.
- graph-model: unified in-memory
CodeGraphmodel with 3 builders, 6 algorithms, and 2 classifiers — consolidates four parallel graph representations intosrc/graph/(#435, #436) - qualified-names:
qualified_name,scope, andvisibilitycolumns on nodes (migration v15) — enables direct lookups like "all methods of class X" without edge traversal (#437) - testing:
InMemoryRepositoryfor unit tests without SQLite — repository pattern now supports in-memory and persistent backends (#444)
- queries: decompose
queries.js(3,395 lines) intosrc/analysis/andsrc/shared/modules (#425) - mcp: composable MCP tool registry — tools defined alongside their implementations (#426)
- cli: split
cli.jsinto self-contained command modules undersrc/commands/(#427) - api: curate public API surface — explicit exports, remove internal leaks (#430)
- errors: domain error hierarchy — typed errors replace ad-hoc throws (#431)
- embeddings: extract embedder into
src/embeddings/subsystem with pluggable stores and search strategies (#433) - builder: decompose
buildGraph()into named pipeline stages (#434) - presentation: extract all output formatting into
src/presentation/— viewer, export, table, sequence renderer, result formatter (#443)
- ci: add backlog compliance phase to automated PR review (#432)
- deps: bump better-sqlite3 from 12.6.2 to 12.8.0 (#442)
- deps-dev: bump @biomejs/biome from 2.4.6 to 2.4.7 (#441)
- deps-dev: bump @commitlint/cli from 20.4.3 to 20.4.4 (#440)
- deps-dev: bump @commitlint/config-conventional from 20.4.3 to 20.4.4 (#439)
- deps-dev: bump @vitest/coverage-v8 from 4.0.18 to 4.1.0 (#438)
3.1.3 (2026-03-11)
Bug fixes and build instrumentation. This patch fixes WASM builds silently producing zero complexity rows, resolves four dogfood-reported issues (benchmark crash resilience, WASM parser memory cleanup, native dynamic import tracking, stale native version reporting), and adds missing build phase timers so setupMs and finalizeMs now account for the previously untracked ~45% of total build time. Prepared statement caching is extracted into a reusable cachedStmt utility.
- builder: add
setupMsandfinalizeMsphase timers tobuildGraph— closes the ~45% gap in phase breakdown accounting (#415)
- complexity: fix WASM builds producing zero
function_complexityrows — incorrect import alias causedfindFunctionNodeto be undefined in WASM-only path (#414) - native: track
import()expressions in Rust extractor — addsdynamicImportfield toImportstruct, matching WASM behavior for dead-export analysis (#418) - native: report correct native package version in
codegraph info— reads from platform npm package.json instead of binary-embedded version (#418) - benchmark: wrap engine calls in try/catch so one engine failure doesn't prevent the other from running; fix embedding benchmark
disposeModelleak (#418) - parser: add
disposeParsers()to release cached WASM parsers/queries; calltree.delete()after AST analysis to prevent segfaults on repeated builds (#418) - queries: hoist prepared statement out of BFS loop in
getClassHierarchy(#403) - ci: only trigger Claude automated review on PR open, not every push (#419)
- db: extract
cachedStmtutility intosrc/db/repository/cached-stmt.js— reusable prepared statement caching for hot-path repository functions (#417, #402)
3.1.2 (2026-03-11)
Phase 3 architectural refactoring reaches substantial completion. This release finishes the unified AST analysis framework (Phase 3.1) — all four analyses (complexity, CFG, dataflow, AST-store) now run in a single DFS walk via pluggable visitors, with cfg.js shrinking from 1,242 to 518 lines and cyclomatic complexity derived directly from CFG structure. CLI command/query separation (Phase 3.2) moves ~1,059 lines of formatting code into a dedicated src/commands/ directory. Repository pattern migration (Phase 3.3) extracts raw SQL from 14 source modules. Dynamic import() expressions are now tracked as dynamic-imports graph edges, fixing false positives in dead-export analysis and impact tracing. Prepared statement caching cuts hot-path DB overhead in the repository layer.
- ast-analysis: unified AST analysis framework — shared DFS walker with pluggable
enterNode/exitNode/enterFunction/exitFunctionhooks; complexity, CFG, AST-store, and dataflow visitors in a single coordinated pass (#388) - cfg: CFG visitor rewrite — node-level DFS visitor replaces statement-level
buildFunctionCFG, Mode A/B split eliminated; cyclomatic complexity now derived from CFG (E - N + 2);cfg.jsreduced from 1,242 → 518 lines (#392) - commands: extract CLI wrappers into
src/commands/directory (Phase 3.2) — command/query separation complete across all 19 analysis modules;src/infrastructure/added for sharedresult-formatter.jsandtest-filter.js(#393) - builder: track dynamic
import()expressions asdynamic-importsgraph edges — destructured names feed into call resolution, fixing false "zero consumers" in dead-export analysis (#389)
- hooks: fix
check-dead-exportshook silently no-ops on ESM codebases (#394) - hooks: guard pre-push hook against
sh -efailure whendiff-impactis unavailable - complexity: remove function nodes from
nestingNodeTypesand eliminate O(n²) lookup - complexity: remove function nesting inflation in
computeAllMetricsand passlangIdto LOC - ast-analysis: guard
runAnalysescall, fix nested function nesting, rename_engineOpts - ast-analysis: fix Halstead skip depth counter, debug logging, perf import
- db: cache prepared statements in hot-path repository functions — avoids repeated statement compilation on incremental builds
- migrate raw SQL from 14 source modules into repository pattern (Phase 3.3) —
src/db/repository/split into 10 domain files (nodes, edges, build-stmts, complexity, cfg, dataflow, cochange, embeddings, graph-read, barrel) - address Greptile review — deduplicate
relatedTests, hoist prepared stmts, fix.raw()no-op
3.1.1 (2026-03-08)
Reliability, architecture, and MCP cold-start fixes. This patch breaks a circular dependency cycle, fixes MCP server first-connect reliability by deferring heavy imports, corrects flow matching to use core symbol kinds, and refactors all database access to use try/finally for reliable db.close(). Internal architecture improves with repository pattern for data access and command/query separation.
- hooks: add pre-commit hooks for cycles, dead exports, signature warnings (#381)
- benchmark: add 1-file rebuild phase breakdown to build benchmarks (#370)
- cycles: break circular dependency cycle and remove dead
queryNameexport (#378) - queries: use
CORE_SYMBOL_KINDSin flow matching (#382) - mcp: defer heavy imports in MCP server for first-connect reliability (#380)
- wrap all db usage in try/finally for reliable
db.close()(#384, #383) - repository pattern for data access (#371)
- command/query separation — extract CLI wrappers, shared output helper (#373)
- ci: allow
mergetype in commitlint config (#385) - deps-dev: bump tree-sitter-go from 0.23.4 to 0.25.0 (#356)
3.1.0 (2026-03-08)
Sequence diagrams, native engine performance leap, and unused export detection. This release adds codegraph sequence for Mermaid sequence diagram generation from call graph edges, delivers major native engine build optimizations (deep-clone elimination, batched SQLite inserts, call edge building in Rust, FS caching, rayon-parallel import resolution), introduces --unused on the exports command to detect dead exports, and fixes an ~80x native no-op rebuild regression.
- sequence: add
codegraph sequence <name>command for Mermaid sequence diagram generation from call graph edges — participants are files, BFS forward from entry point, optional--dataflowflag for parameter/return annotations; exposed via CLI, MCP tool, and programmatic API (#345) - exports: add
--unusedflag tocodegraph exports— newexportedcolumn (migration v14) populated from parser export declarations, enabling detection of symbols declared as exports but with zero consumers (#361)
- native: eliminate deep-clone in
normalizeNativeSymbols— replace 125-line JS deep-clone with in-placepatchNativeResultvia#[napi(js_name)]annotations on Rust types (#361) - native: add
include_ast_nodesflag toparse_file/parse_files— initial parse skips AST node walking, saving ~200ms (#361) - native: move call/receiver/extends edge building to Rust (
edge_builder.rs) — narrowest-span caller resolution, confidence sorting, dedup via u64 edge keys (#361) - native: add
known_filesHashSet cache toresolve_imports_batch— avoids redundant FS syscalls during import resolution (#361) - native: parallelize
resolve_imports_batchwith rayon for concurrent import resolution (#361) - builder: batch SQLite multi-value INSERTs — accumulate node/edge rows and flush with chunked INSERT statements (200 rows per chunk) instead of individual prepared statement runs (#361)
- native: fix no-op rebuild regression (~80x slower than WASM) —
extToLangmap was not built when native engine provided pre-computed CFG, causinglangIdlookup to return null and triggering full re-parse on every incremental build (#360) - native: pass full file list to
known_filescache — on incremental builds only changed files were passed, causing valid import targets to be dropped (#361) - benchmark: install native package explicitly in npm benchmark mode (#351)
- reorder README to be AI-first throughout (#362)
- add MCP tool surface optimization proposal (#363)
- update build performance, query, and incremental benchmarks for 3.0.4 (#352, #353, #354)
- deps: bump graphology from 0.25.4 to 0.26.0 (#358)
- deps-dev: bump @biomejs/biome from 2.4.4 to 2.4.6 (#359)
- deps-dev: bump @commitlint/cli from 20.4.2 to 20.4.3 (#357)
- deps-dev: bump @commitlint/config-conventional (#355)
3.0.4 (2026-03-05)
Native engine goes full-stack: CFG, AST nodes, and WASM double-parse elimination. This release completes the native engine migration — CFG computation and AST node extraction now run in Rust for 8 languages, eliminating the redundant WASM pre-parse on native builds.
- native: compute CFG in Rust native engine for all 8 languages (JS/TS/TSX, Python, Go, Rust, Java, C#, Ruby, PHP) — ports
buildFunctionCFGalgorithm to Rust with per-languageCfgRules, eliminates WASM re-parsing in CFG phase (#342) - native: extract AST nodes (call, new, throw, await, string, regex) for all non-JS languages in Rust via shared
walk_ast_nodes_with_config()— astMs drops from ~651ms to ~50ms (#340) - builder: skip
ensureWasmTreesentirely when native engine provides complete CFG + dataflow + AST data — wasmPreMs drops from ~388ms to 0 on native builds (#344)
- native: fix function-scoped
constdeclarations being incorrectly extracted as top-level constants (#344) - benchmark: show all build phases (astMs, cfgMs, dataflowMs, wasmPreMs) in benchmark report and document v3.0.0→v3.0.3 native regression cause (#339)
3.0.3 (2026-03-04)
Note: 3.0.2 was an internal/unpublished version used during development.
- ast: use single transaction for AST node insertion — astMs drops from ~3600ms to ~350ms (native) and ~547ms (WASM), reducing overall native build from 24.9 to 8.5 ms/file (#333)
3.0.2 (2026-03-04)
Dataflow goes multi-language, build performance recovery, and native engine parity fixes. This patch extends dataflow analysis from JS/TS-only to all 11 supported languages, recovers build performance lost after CFG/dataflow became default-on, fixes language-aware identifier collection in dataflow, and closes a native engine scoping bug for constants.
- dataflow: extend dataflow analysis to all supported languages (Python, Go, Rust, Java, C#, PHP, Ruby) with per-language
DATAFLOW_RULESandmakeDataflowRules()factory (#318)
- dataflow: use
isIdentincollectIdentifiersfor language-awarereferencedNames— fixes PHPvariable_nameand other non-identifiernode types being missed in return statements (#324) - native: skip local constants inside function bodies — the native JS extractor incorrectly extracted function-scoped
constas top-level constants (#327) - native: enable extended kinds (parameters, properties, constants, receivers) in parity tests and update native binary to v3.0.1 (#327)
- builder: fix v3.0.1 build performance regression (14.1 → ~5.8 ms/file) — eliminate redundant WASM parsing via
ensureWasmTrees(), memoizecreateParsers(), filter CFG/dataflow to changed files only (#325)
3.0.1 (2026-03-03)
Post-release fixes and dataflow multi-language expansion. This patch extends dataflow analysis (flows_to, returns, mutates edges) from JS/TS-only to all 11 supported languages, enables --cfg and --dataflow by default on builds, closes several native/WASM engine parity gaps, and fixes miscellaneous issues found during v3.0.0 dogfooding.
- dataflow: extend dataflow analysis to all supported languages (Python, Go, Rust, Java, C#, PHP, Ruby, Terraform) (221a791)
- builder: enable
--cfgand--dataflowby default on builds (#312)
- native: close engine parity gap between native and WASM (#292) (#309)
- native: extract new/throw/await/string/regex AST nodes in native engine (#306) (#314)
- native: bump native engine version to 3.0.0 (#305) (#310)
- queries: include role-based entry points in
flow --list(#313) - benchmark: handle missing WASM grammars gracefully in benchmark scripts (#311)
- ci: prevent duplicate benchmark PRs on stable releases (#304)
- document dataflow multi-language support in README (851f060)
- mark resolved bugs and suggestions in dogfood reports (#316)
- add dogfood report for v3.0.0 (#307)
- update build performance, query, and incremental benchmarks for 3.0.0 (#298, #299, #300)
- ci: include Cargo.toml in publish version bump commit (#315)
- ci: replace
npm ciwithnpm installin benchmark and license workflows (#308)
3.0.0 (2026-03-03)
Dataflow analysis, intraprocedural CFG, AST node storage, expanded node/edge types, and a streamlined CLI surface. This release introduces three new analysis dimensions — dataflow tracking (flows_to, returns, mutates edges), intraprocedural control flow graphs for all 11 supported languages, and stored queryable AST nodes (calls, new, string, regex, throw, await). The type system expands with parameter, property, and constant node kinds plus contains, parameter_of, and receiver edge kinds, enabling structural queries without reading source. Export gains GraphML, GraphSON, and Neo4j CSV formats plus an interactive HTML viewer (codegraph plot). A stable normalizeSymbol utility standardizes JSON output across all commands. The CLI surface is streamlined by consolidating redundant commands into fewer, more capable ones.
- mcp: MCP tools
fn_deps,symbol_path, andlist_entry_pointsremoved — usequerywithdeps/pathmodes andexecution_flowwithlistmode instead (d874aa5) - cli: commands
fnandpathremoved — usequeryinstead;query --pathreplaced by standalonepath <from> <to>(d874aa5) - cli: commands
batch-query,hotspots,manifesto, andexplainremoved — usebatch,triage --level,check, andaudit --quickrespectively (4f08082)
- cli: add dataflow analysis —
build --dataflowextractsflows_to,returns,mutatesedges tracking data movement through functions (JS/TS MVP), withdataflowcommand, MCP tool, and batch support (#254) - cli: add intraprocedural control flow graph (CFG) —
build --cfgconstructs basic-block CFGs from tree-sitter AST,cfgcommand with text/DOT/Mermaid output (#274) - cli: extend CFG to all supported languages — Python, Go, Rust, Java, C#, Ruby, PHP with per-language
CFG_RULESand cross-languageprocessIf/processSwitch/processTryCatch(#283) - cli: add stored queryable AST nodes — persist calls,
new, string, regex, throw, await nodes inast_nodestable, queryable viaastcommand with SQL GLOB pattern matching (#279) - cli: expand node types with
parameter,property,constantkinds andparent_idcolumn for sub-declaration queries across all 9 WASM extractors (#270) - cli: add expanded edge types —
contains(file→definition, parent→child),parameter_of(inverse),receiver(method-call dispatch) (#279) - cli: add
exports <file>command — per-symbol consumer analysis with re-export detection and counts (#269) - export: add GraphML, GraphSON, Neo4j CSV formats and interactive HTML viewer (
codegraph plot) with hierarchical/force/radial layouts, complexity overlays, and drill-down (#268) - cli: add
normalizeSymbolutility for stable 7-field JSON schema across all query and search commands (#267) - cli: add batch-query multi-command mode with
splitTargets()for comma-separated expansion andmultiBatchData()for mixed-command orchestration (#256) - queries: expose
fileHashinwhereandqueryJSON output (#257) - builder: add scoped rebuild for parallel agents (#269)
- queries: correct reexport query direction and add exports integration tests (#276)
- parser: correct extractor line counts and duplicate section numbering (fa7eee8)
- triage: map triage sort values to valid hotspot metrics (a1583cb)
- complexity: fix C# language ID mismatch (
c_sharp→csharp) inCOMPLEXITY_RULES,HALSTEAD_RULES, andCOMMENT_PREFIXES(#283) - dataflow: handle spread args, optional chaining, and reassignment in dataflow extraction (#254)
- consolidate MCP tools — reduce surface from 32 to 29 by merging
fn_deps/symbol_path/list_entry_pointsintoqueryandexecution_flow(#263) - consolidate CLI — remove 5 redundant commands (
batch-query,hotspots,manifesto,explain,query --path) in favor of unified alternatives (#280) - consolidate MCP tools to match CLI changes from PR #280 (cbda266)
- consolidate CFG rules with defaults factory and validation (#284)
- align dataflow.js with
normalizeSymbolandALL_SYMBOL_KINDS(#285)
- add architecture audit and roadmap for v2.7.0 (5fe0a82)
- add competitive deep-dives for Joern and Narsil-MCP (#260, #262, #264, #265)
- add one-PR-one-concern rule to git conventions (#281)
- update references to consolidated CLI commands (#282)
- add TypeScript migration as Phase 4 in roadmap (#255)
- add Claude Code MCP registration to recommended practices (#273)
- add CLA Assistant workflow (#244)
- add pre-commit diff-impact hook (#271)
- remove stale benchmark files from
generated/(#275)
2.6.0 (2026-03-02)
CI validation, architecture boundaries, CODEOWNERS, multi-agent support, and incremental build reliability. This release adds a check command for CI validation predicates (complexity, coverage, staleness gates), architecture boundary enforcement via manifesto rules with an onion-architecture preset, CODEOWNERS integration for ownership queries, codegraph snapshot for DB backup/restore, hybrid BM25 + semantic search via FTS5, composite audit and triage commands for risk-driven workflows, and batch querying for multi-agent dispatch. It also fixes several incremental rebuild bugs — EISDIR crashes on directory nodes, dropped barrel-file edges, orphaned complexity rows — and adds configurable drift detection to warn when incremental results diverge from full rebuilds.
- cli: add
checkcommand — CI validation predicates for complexity, coverage, staleness, and custom thresholds (0a4c1bf) - cli: add
auditcommand — composite risk audit combining explain + impact + health in one call (6530d27) - cli: add
triagecommand — composite risk audit queue for prioritized review (98b509f) - cli: add
codegraph snapshotfor DB backup and restore (8d7416b) - cli: add
codegraph owners— CODEOWNERS integration for ownership queries (36c6fdb) - manifesto: add architecture boundary rules to manifesto engine (79b9f32)
- boundaries: add onion architecture preset to boundary rules (c47ae76)
- embedder: add hybrid BM25 + semantic search via FTS5 for combined keyword and vector ranking (db3d3a3)
- batch: add batch querying for multi-agent dispatch (850ef3e)
- mcp: expose
checkas MCP tool (3c36ef7)
- builder: filter directory nodes from reverse-deps query to prevent EISDIR on incremental rebuilds (#241)
- builder: load unchanged barrel files into reexportMap so barrel-resolved edges aren't dropped during incremental rebuilds (#241)
- builder: purge
function_complexitytable on full rebuild — prevents orphaned rows accumulating across--no-incrementalrebuilds (#239) - builder: add node/edge count drift detection after incremental builds — warns when counts drift >20% and suggests
--no-incremental(#240) - builder: make drift threshold configurable via
build.driftThresholdconfig (default 0.2) and include actual percentages in warning (#240) - complexity: improve missing-data message — suggest
--no-incrementalrebuild instead of implying no graph exists (#240) - skill: support dev build tarball installs in dogfood skill — branch Phase 0/4b pre-flight based on
-dev.version detection (#233) - ci: add
--stripflag tosync-native-versions.jsremoving platform optionalDependencies in dev builds, fixingnpm installfailures (#241) - ci: sync Cargo.toml version with package.json and automate via version script (#241)
- owners: add CODEOWNERS parse cache and tighten email validation (f35c797)
- bench: add timeout and remove redundant stdio option (978b590)
- ci: save all benchmark reports and use git-based dev versioning (267cabe)
- docs: correct ~20 inaccurate cells in feature comparison tables (572268d)
- docs: correct remaining MCP tool count in README (24/25 → 26/27) (262874a)
- add barrel-project fixture and incremental-parity test for edge consistency across rebuild modes (#241)
- organize
generated/intobenchmarks/anddogfood/subdirs (35bfa3c)
- bump web-tree-sitter from 0.26.5 to 0.26.6 (70f26c0)
- bump tree-sitter-cli from 0.26.5 to 0.26.6 (161c2a0)
- bump @modelcontextprotocol/sdk from 1.26.0 to 1.27.1 (1385207)
- consolidate Dependabot bumps (Actions + commitlint v20) (d48be1a)
2.5.1 (2026-02-28)
Critical fix: recover missing branch-compare command and broken programmatic API. The branch-compare command and its implementation file were never committed in v2.5.0, causing codegraph branch-compare to crash and import('@optave/codegraph') to fail entirely due to a top-level re-export of the missing module. This patch recovers the full implementation (568 lines), adds an export guard test to prevent regressions, and introduces --dry-run for registry prune.
- cli: recover
branch-compareimplementation — command was registered in cli.js and index.js butsrc/branch-compare.jswas never committed, crashing both the CLI command and the entire programmatic API (2ee10d4, 3d1224d) - registry: add
--dry-runflag toregistry prune— preview what would be removed without deleting entries (2ee10d4) - bench: remove unnecessary
shell: truefromexecFileSync— minor security hardening (14d03ce) - docs: correct dogfood benchmark data from stale v2.4.0 native binary — native complexity was reported as 2.2x slower than WASM when it's actually 47x faster (3d1224d)
- skill: add native binary version check to dogfood benchmark phase to prevent stale binary misreports (3d1224d)
- add
index-exportsunit test — validates all re-exports in index.js resolve withoutERR_MODULE_NOT_FOUND(2ee10d4) - add
branch-compareintegration tests (7 tests, 192 lines) (3d1224d) - add
registry prune --dry-rununit tests (2ee10d4)
- update build performance benchmarks for 2.5.0 (eb52074)
- add dogfood report for v2.5.0 (3d1224d)
- reframe Principle 5 from library-first to CLI-first identity (3d1224d)
2.5.0 (2026-02-27)
Complexity analysis, community detection, execution flow tracing, and manifesto rule engine. This release adds a full code quality suite — cognitive, cyclomatic, Halstead, and Maintainability Index metrics for all 11 supported languages — with native Rust parity for maximum performance. Louvain community detection surfaces module boundaries and drift. A configurable manifesto rule engine enables CI-gated quality thresholds. Execution flow tracing lets you follow call paths through the codebase. Dev builds now publish as GitHub pre-releases instead of npm.
- cli: add cognitive & cyclomatic complexity metrics with per-function and file-level analysis (35f6176)
- cli: add Halstead metrics (volume, difficulty, effort, bugs) and Maintainability Index (452d9e9)
- cli: add multi-language complexity analysis — extend metrics to all 11 supported languages (b1166e0)
- cli: add execution flow tracing —
flowcommand and MCP tools for tracing call paths (bc33f3b) - cli: add
pathcommand for shortest-path queries between symbols (ef0ea81) - communities: add Louvain community detection for module boundary analysis and drift detection (f3e36ad)
- manifesto: add configurable pass/fail rule engine with warn/fail thresholds for CI gates (5a7d039)
- native: add Halstead, LOC, and MI metrics to Rust native engine — full metrics parity across all 8 extractors (44fe899)
- embedder: interactive install prompt for
@huggingface/transformerswhen missing (8e717b2) - builder: add build metadata tracking and
excludeTestsconfig shorthand (f65b364) - structure: add file limit to structure tool to reduce token usage (2c565fa)
- ci: publish dev builds as GitHub pre-releases instead of npm (70c7627)
- ci: benchmark dev/release versioning and npm source resolution (5d532a6)
- native: eliminate WASM re-parse for native complexity + build optimizations (b8c8ca7)
- native: native complexity computation for all languages with phase breakdown benchmarks (231e941)
- builder: incremental rebuild drops edges from unchanged files (9c3e3ba)
- queries: scope-aware caller selection for nested functions (72497dc)
- complexity: sanitize threshold values in complexity SQL queries (c5ca1f2)
- builder: upgrade build metadata failure log from debug to warn (1c60b88)
- cli: embed
--dbflag, DB locking, prerelease check, build logging improvements (6a700b2) - native: add win32 native binary to optionalDependencies, fix embedder crashes (f026c6a)
- hooks: hook resilience for git ops, regex bypass, and worktree isolation (2459cfc)
- ci: benchmark uses stale native addon from npm (83f2d4e)
- ci: preserve hand-written notes in benchmark report regeneration (2d79f18)
- ci: benchmark script regex + workflow branch naming (53fc34f)
- ci: harden benchmark workflow against transient npm failures (1b97fb9)
- ci: isolate publish concurrency by event type (529bf6f)
- ci: use npx for license-checker to avoid intermittent 403 errors (84e8e38)
- ci: force-add gitignored DEPENDENCIES.json in release workflow (fe22813)
- ci: add error handling to dev release pruning step (fe45512)
- simplify redundant
unwrap_orpattern in complexity.rs (150c3eb)
- add unit tests for interactive install prompt (cc7c3e1)
- complexity, communities, manifesto across all docs (8f12f66)
- correct engine parity section — 100% parity confirmed (55c8ee3)
- update build performance benchmarks (550b3b5, ea6b050, 15e893c)
2.4.0 (2026-02-25)
Co-change analysis, node roles, faster parsing, and richer Mermaid output. This release adds git co-change analysis to surface files that change together, classifies nodes by architectural role (entry/core/utility/adapter/dead/leaf), replaces the manual AST walk with tree-sitter's Query API for significantly faster JS/TS/TSX extraction, and enhances Mermaid export with subgraphs, edge labels, node shapes, and styling.
- cli: add git co-change analysis — surfaces files that frequently change together using Jaccard similarity on git history (61785f7)
- cli: add node role classification — automatically labels nodes as entry, core, utility, adapter, dead, or leaf based on graph topology (165f6ca)
- cli: add
--jsontosearch,--fileglob filter,--excludetoprune, exclude worktrees from vitest (00ed205) - cli: add update notification after commands — checks npm for newer versions and displays an upgrade hint (eb3ccdf)
- export: enhance Mermaid export with subgraphs, edge labels, node shapes, and styling (ae301c0)
- parser: replace manual AST walk with tree-sitter Query API for JS/TS/TSX extraction (fb6a139)
- builder: avoid disk reads for line counts during incremental rebuild (7b538bc)
- builder: preserve structure data during incremental builds (7377fd9)
- embedder: make embed command respect config
embeddings.model(77ffffc) - embedder: use
DEFAULT_MODELas single source of truth for embed default (832fa49) - embedder: add model disposal to prevent ONNX memory leak (383e899)
- export: escape quotes in Mermaid labels (1c4ca34)
- queries: recompute Jaccard from total file counts during incremental co-change analysis (e2a771b)
- queries: collect all distinct edge kinds per pair instead of keeping only first (4f40eee)
- queries: skip keys without
::separator in role lookup (0c10e23) - resolve: use
indexOffor::split to handle paths with colons (b9d6ae4) - validate glob patterns and exclude names, clarify regex escaping (6cf191f)
- clean up regex escaping and remove unsupported brace from glob detection (ab0d3a0)
- ci: prevent benchmark updater from deleting README subsections (bd1682a)
- ci: add
--allow-same-versiontonpm versionin publish workflow (9edaf15)
- reuse
coChangeForFilesindiffImpactData(aef1787)
- add query vs walk parity tests for JS/TS/TSX extractors (e68f6a7)
- configure
bge-largeas default embedding model (c21c387)
- add co-change analysis to README and mark backlog #9 done (f977f9c)
- reorganize docs — move guides to
docs/guides/, roadmap intodocs/(ad423b7) - move roadmap files into
docs/roadmap/(693a8aa) - add Plan Mode Default working principle to CLAUDE.md (c682f38)
2.3.0 (2026-02-23)
Smarter embeddings, richer CLI output, and robustness fixes. This release introduces graph-enriched embedding strategies that use dependency context instead of raw source code, adds config-level test exclusion and recursive explain depth, outputs Mermaid diagrams from diff-impact, filters low-confidence edges from exports, and fixes numerous issues found through dogfooding.
- embeddings: graph-enriched embedding strategy — uses callers/callees from the dependency graph instead of raw source (~100 tokens vs ~360 avg), with context window overflow detection and
--strategyflag (c5dcd59) - cli: add
excludeTestsconfig option with--include-testsCLI override (56135e7) - cli: add
--depthoption toexplainfor recursive dependency exploration (56135e7) - cli: add coupling score column to
mapcommand output (56135e7) - cli: add Mermaid output to
diff-impactcommand for visual impact diagrams (d2d767f) - export: add
--min-confidencefilter (default 0.5) to DOT/Mermaid/JSON exports (08057f0) - skill: add
/dogfoodskill for automated release validation — install, test, compare engines, generate report (c713ce6) - ci: add query, incremental, and embedding regression benchmarks (0fd1967, e012426)
- parser: reduce WASM boundary crossings in JS extractor for faster parsing (d4ef6da)
- cli: graceful error for
cycles,export,embedwhen nograph.dbexists (3f56644) - embedder: fix
splitIdentifierlowercasing that broke camelCase search relevance (dd71a64) - embedder: change default model to minilm (public, no auth required) with clear error guidance (08057f0)
- embedder: split camelCase/snake_case identifiers in embedding text for better search relevance (08057f0)
- builder: invalidate embeddings when nodes are deleted during incremental rebuild (08057f0)
- builder: handle concurrent file edits and symlink loops in watcher/builder (6735967)
- builder: use busy-wait sleep instead of
Atomics.waitfor broader compatibility (24f8ab1) - builder: move engine status messages from stdout to stderr (56135e7)
- structure: treat
.as no filter instructureData()(08057f0) - hooks: add missing shebangs to husky hooks for Windows compatibility (b1e012c)
- hooks: track
mv/git mv/cpcommands in session edit log (cfe633b) - ci: use PR instead of direct push for green-path version pin (beddf94)
- ci: skip dev publish when merging release version bump PR (ceb4c9a)
- cli: rename
--include-test-sourceto--with-test-sourcefor clarity (242066f) - builder: lazy-load
node:osto reduce startup overhead (603ee55)
- add
readFileSafeand symlink loop detection tests (5ae1cde) - add embedding strategy benchmark and tests (56a0517, b8ce77c)
- add STABILITY.md with anticipated stability policy (d3dcad5)
- add LLM integration feature planning document (3ac5138)
- add feature backlog and reorganize planning docs into
roadmap/(088b797) - reorganize README — lead with problem and value, not competition (545aa0f)
- add benchmarks section to CONTRIBUTING.md (8395059)
2.2.1 (2026-02-23)
- embedder: change default embedding model from jina-code to nomic-v1.5 (f40bb91)
- config: update config default and test to match nomic-v1.5 change (3a88b4c)
- ci: run benchmark after publish to prevent workflow cancellation (68e274e)
2.2.0 (2026-02-23)
New query commands, smarter call resolution, and full --no-tests coverage. This release adds explain, where, and context commands for richer code exploration, introduces three-tier incremental change detection, improves call resolution accuracy, and extends the --no-tests flag to every query command.
- cli: add
codegraph explain <file|function>command — structural summary without an LLM (ff72655) - cli: add
codegraph where <name>command — fast symbol lookup for definition and usage (7fafbaa) - cli: add
codegraph context <name>command — full function context (source, deps, callers) in one call (3fa88b4) - cli: add graph quality score to
statscommand (130a52a) - cli: add
--no-testsflag to all remaining query commands for consistent test file filtering (937b60f) - parser: extract symbols from Commander/Express/Event callback patterns (2ac24ef)
- builder: three-tier incremental change detection — skip unchanged, reparse modified, clean removed (4b50af1)
- hooks: add remind-codegraph hook to nudge agents before editing (e6ddeea)
- ci: automated performance benchmarks per release (f79d6f2)
- ci: add
workflow_dispatchtrigger for retrying failed stable releases (8d4f0cb)
- resolve: improve call resolution accuracy with scoped fallback, dedup, and built-in skip (3a11191)
- parser: add receiver field to call sites to eliminate false positive edges (b08c2b2)
- queries:
statsDatafully filters test nodes and edges when--no-testsis set (2f9730a) - mcp: fix file/kind parameter handling in MCP handlers (d5af194)
- mcp: use schema objects for
setRequestHandlerinstead of string literals (fa0d358) - security: add path traversal guard and debug logging to file read helpers (93a9bcf)
- hooks: fix Claude Code hooks for Windows and add branch name validation (631e27a)
- hooks: add required
hookSpecificOutputfields for context injection (d51a3a4) - hooks: guard-git hook validates branch name on
gh pr create(c9426fa) - ci: rewrite Claude Code workflow for working automated PR reviews (1ed4121)
- ci: move publish artifacts to
$RUNNER_TEMPto prevent repo contamination (d9849fa) - ci: make publish workflow resilient to partial failures (5dd5b00)
- ci: validate version input in
workflow_dispatch(73a1e6b) - fix default embedding model in README and enforce LF line endings (c852707)
- exclude dev dependencies from DEPENDENCIES.md (63c6923)
- add AI Agent Guide with 6-step workflow, command reference, and MCP mapping (5965fb4)
- rewrite adding-a-language guide for LANGUAGE_REGISTRY architecture (8504702)
- add Codegraph vs Narsil-MCP and GitNexus comparison sections to README (aac963c)
- update CLAUDE.md dogfooding section to follow recommended practices (04dbfe6)
- update Claude Code hooks section with enrichment pattern and Windows notes (4987de9)
2.1.0 (2026-02-23)
Parser refactor, unified publish pipeline, and quality-of-life improvements. This release splits the monolithic parser into per-language extractor files, consolidates the dev and stable publish workflows into a single pipeline, adds the codegraph stats command, and hardens native engine path handling and registry management.
- cli: add
codegraph statscommand for graph health overview — node/edge counts, language breakdown, staleness check (12f89fa) - registry: add TTL-based pruning for idle entries — stale repos auto-removed on access (5e8c41b)
- ci: consolidate dev + stable publish into a single
publish.ymlworkflow with automatic channel detection (bf1a16b) - ci: add embedding regression test with real ML model validation and dedicated weekly workflow (5730a65)
- ci: add worktree workflow hooks (
guard-git.sh,track-edits.sh) for parallel session safety (e16dfeb)
- hooks: replace
jqwithnodein hooks for Windows compatibility (ac0b198) - native: throw on explicit
--engine nativewhen addon is unavailable instead of silently falling back (02b931d) - native: normalize import paths to remove
.and..segments in native engine (5394078) - native: add JS-side
path.normalize()defense-in-depth for native resolve (e1222df) - registry: auto-prune stale entries and skip temp dir registration (d0f3e97)
- tests: isolate CLI tests from real registry via
CODEGRAPH_REGISTRY_PATHenv var (dea0c3a) - ci: prevent publish crash on pre-existing tags (6906448)
- ci: harden publish workflow version resolution (1571f2a)
- ci: use PR-based version bumps to avoid pushing directly to protected main branch (3aab964)
- parser: split monolithic
parser.jsextractors into per-language files undersrc/extractors/(92b2d23) - parser: rename generic
walkto language-specific names in all extractors (6ed1f59)
- expand competitive analysis from 21 to 135+ tools (0a679aa)
- add competitive analysis and foundation principles (21a6708)
- reposition around always-fresh graph + optional LLM enhancement (a403acc)
- add parallel sessions rules to CLAUDE.md (1435803)
2.0.0 (2026-02-22)
Phase 2.5 — Multi-Repo MCP & Structural Analysis. This release adds multi-repo support for AI agents, structural analysis with architectural metrics, and hardens security across the MCP server and SQL layers.
- parser: Node kinds now use language-native types — Go structs →
struct, Rust structs/enums/traits →struct/enum/trait, Java enums →enum, C# structs/records/enums →struct/record/enum, PHP traits/enums →trait/enum, Ruby modules →module. Rebuild required:codegraph build --no-incremental. (72535fb)
- mcp: add multi-repo MCP support with global registry at
~/.codegraph/registry.json— optionalrepoparam on all 11 tools, newlist_repostool, auto-register on build (54ea9f6) - mcp: default MCP server to single-repo mode for security isolation — multi-repo access requires explicit
--multi-repoor--reposopt-in (49c07ad) - registry: harden multi-repo registry —
pruneRegistry()removes stale entries,--reposallowlist for repo-level access control, auto-suffix name collisions (a413ea7) - structure: add structural analysis with directory nodes, containment edges, and metrics (symbol density, avg fan-out, cohesion scores) (a413ea7)
- cli: add
codegraph structure [dir],codegraph hotspots, andcodegraph registry list|add|remove|prunecommands (a413ea7) - export: extend DOT/Mermaid export with directory clusters (a413ea7)
- parser: add
SYMBOL_KINDSconstant and granular node types across both WASM and native Rust extractors (72535fb)
- security: eliminate SQL interpolation in
hotspotsData— replace dynamic string interpolation with static map of pre-built prepared statements (f8790d7) - parser: break
parser.js↔constants.jscircular dependency by inlining path normalization (36239e9) - structure: add
NULLS LASTto hotspotsORDER BYclause (a41668f) - ci: add license scan allowlist for
@img/sharp-*dual-licensed packages (9fbb084)
- add 18 unit tests for registry, 4 MCP integration tests, 4 CLI integration tests for multi-repo (54ea9f6)
- add 277 unit tests and 182 integration tests for structural analysis (a413ea7)
- add MCP single-repo / multi-repo mode tests (49c07ad)
- add registry hardening tests (pruning, allowlist, name collision) (a413ea7)
- add dogfooding guide for self-analysis with codegraph (36239e9)
1.4.0 (2026-02-22)
Phase 2 — Foundation Hardening is complete. This release hardens the core infrastructure: a declarative parser registry, a full MCP server, significantly improved test coverage, and secure credential management.
- mcp: expand MCP server from 5 to 11 tools —
fn_deps,fn_impact,diff_impact,semantic_search,export_graph,list_functions(510dd74) - config: add
apiKeyCommandfor secure credential resolution via external secret managers (1Password, Bitwarden, Vault, pass, macOS Keychain) (f3ab237) - parser: add
LANGUAGE_REGISTRYfor declarative parser dispatch — adding a new language is now a single registry entry + extractor function (cb08bb5)
- add unit tests for 8 core modules, improve coverage from 62% to 75% (62d2694)
- add end-to-end CLI smoke tests (15211c0)
- add 11 tests for
resolveSecretsandapiKeyCommandintegration - make normalizePath test cross-platform (36fa9cf)
- skip native engine parity tests for known Rust gaps (7d89cd9)
- add secure credential management guide with examples for 5 secret managers
- update ROADMAP marking Phase 2 complete
- add community health files (CONTRIBUTING, CODE_OF_CONDUCT, SECURITY)