fix: break circular dependency cycle and remove dead queryName export (#378)

* perf: skip ensureWasmTrees when native engine provides complete data

Before calling ensureWasmTrees, check whether native engine already
supplies CFG and dataflow data for all files. When it does, skip the
WASM pre-parse entirely — avoiding a full WASM parse of every file
on native builds where the data is already available.

Impact: 1 functions changed, 14 affected

* fix: address PR #344 review comments — TODO for constant exclusion, complete changelog

* fix: add null guard on symbols.definitions in pre-parse check

Impact: 1 functions changed, 0 affected

* fix: treat empty cfg.blocks array as valid native CFG

d.cfg?.blocks?.length evaluates to 0 (falsy) when the native engine
returns cfg: { blocks: [] } for trivial functions, spuriously triggering
needsWasmTrees. Use Array.isArray(d.cfg?.blocks) instead, and preserve
d.cfg === null for nodes that intentionally have no CFG (e.g. interface
members).

Impact: 1 functions changed, 1 affected

* style: format cfg check per biome rules

Impact: 1 functions changed, 0 affected

* feat: add `sequence` command for Mermaid sequence diagrams

Generate inter-module call sequence diagrams from the graph DB.
Participants are files (not functions), keeping diagrams readable.
BFS forward from entry point, with optional --dataflow flag to
annotate parameter names and return arrows.

New: src/sequence.js, tests/integration/sequence.test.js
Modified: cli.js, mcp.js, index.js, CLAUDE.md, mcp.test.js

Impact: 8 functions changed, 6 affected

* perf: hoist db.prepare() calls and build O(1) lookup map in sequence

Impact: 1 functions changed, 1 affected

* fix: address sequence review comments — alias collision, truncation, escape, pagination

- Fix buildAliases join('/') producing Mermaid-invalid participant IDs;
  use join('_') and strip '/' from allowed regex chars
- Add Mermaid format validation to alias collision test
- Fix truncated false-positive when nextFrontier has unvisited nodes at
  maxDepth boundary
- Add angle bracket escaping to escapeMermaid (#gt;/#lt; entities)
- Filter orphaned participants after pagination slices messages
- Fix misleading test comment (4 files → 5 files)

Impact: 1 functions changed, 2 affected

* ci: retrigger workflows

* fix: address round-3 review — deduplicate findBestMatch, guard truncation, add dataflow tests

- Export findMatchingNodes from queries.js; remove duplicated findBestMatch
  from flow.js and sequence.js, replacing with findMatchingNodes(...)[0] ?? null
- Guard sequenceToMermaid truncation note on participants.length > 0
  to prevent invalid "note right of undefined:" in Mermaid output
- Add dataflow annotation test suite with dedicated fixture DB: covers
  return arrows, parameter annotations, disabled-dataflow path, and
  Mermaid dashed arrow output

Impact: 4 functions changed, 27 affected

* chore: add hook to block "generated with" in PR bodies

* feat: add pre-commit hooks for cycle detection and dead export checks

Add two new PreToolUse hooks that block git commits when issues are
detected:

- check-cycles.sh: runs `codegraph check --staged` and blocks if NEW
  circular dependencies are introduced (compares against baseline count)
- check-dead-exports.sh: checks staged src/ files for newly added
  exports with zero consumers (diff-aware, ignores pre-existing dead
  exports)

Also wire the --unused flag on the exports CLI command, adding
totalUnused to all output formats.

Impact: 4 functions changed, 5 affected

* fix: scope cycle and dead-export hooks to session-edited files

Update both hooks to use the session edit log so pre-existing issues
in untouched files don't block commits. Add hook descriptions to
recommended-practices.md.

* feat: add signature change warning hook with role-based risk levels

Non-blocking PreToolUse hook that detects when staged changes modify
function signatures. Enriches each violation with the symbol's role
(core/utility/etc.) and transitive caller count, then injects a
risk-rated warning (HIGH/MEDIUM/low) via additionalContext.

* fix: break circular dependency cycle and remove dead queryName export

Extract isTestFile into src/test-utils.js to break the
owners.js → cycles.js → cochange.js → queries.js → boundaries.js cycle.
Remove unused queryName display function (CLI uses fnDeps instead).
Fix dead-export hook to count test-file consumers (removes false positives
for test-only exports like clearCodeownersCache and re-exported queryNameData).

Impact: 1 functions changed, 0 affected

* fix: convert hook to ESM imports, respect --kind filter in flow

Impact: 1 functions changed, 1 affected

* fix: align hook deny pattern and fix subdirectory glob in dead-exports check

Author: carlos-alm

.claude/hooks/check-cycles.sh

@@ -0,0 +1,94 @@
+#!/usr/bin/env bash
+# check-cycles.sh — PreToolUse hook for Bash (git commit)
+# Blocks commits if circular dependencies involve files edited in this session.
+
+set -euo pipefail
+
+INPUT=$(cat)
+
+# Extract the command from tool_input JSON
+COMMAND=$(echo "$INPUT" | node -e "
+  let d='';
+  process.stdin.on('data',c=>d+=c);
+  process.stdin.on('end',()=>{
+    const p=JSON.parse(d).tool_input?.command||'';
+    if(p)process.stdout.write(p);
+  });
+" 2>/dev/null) || true
+
+if [ -z "$COMMAND" ]; then
+  exit 0
+fi
+
+# Only trigger on git commit commands
+if ! echo "$COMMAND" | grep -qE '(^|\s|&&\s*)git\s+commit\b'; then
+  exit 0
+fi
+
+# Guard: codegraph DB must exist
+WORK_ROOT=$(git rev-parse --show-toplevel 2>/dev/null) || WORK_ROOT="${CLAUDE_PROJECT_DIR:-.}"
+if [ ! -f "$WORK_ROOT/.codegraph/graph.db" ]; then
+  exit 0
+fi
+
+# Guard: must have staged changes
+STAGED=$(git diff --cached --name-only 2>/dev/null) || true
+if [ -z "$STAGED" ]; then
+  exit 0
+fi
+
+# Load session edit log
+LOG_FILE="$WORK_ROOT/.claude/session-edits.log"
+if [ ! -f "$LOG_FILE" ] || [ ! -s "$LOG_FILE" ]; then
+  exit 0
+fi
+EDITED_FILES=$(awk '{print $2}' "$LOG_FILE" | sort -u)
+
+# Run check with cycles predicate on staged changes
+RESULT=$(node "$WORK_ROOT/src/cli.js" check --staged --json -T 2>/dev/null) || true
+
+if [ -z "$RESULT" ]; then
+  exit 0
+fi
+
+# Check if cycles predicate failed — but only block if a cycle involves
+# a file that was edited in this session
+CYCLES_FAILED=$(echo "$RESULT" | EDITED="$EDITED_FILES" node -e "
+  let d='';
+  process.stdin.on('data',c=>d+=c);
+  process.stdin.on('end',()=>{
+    try {
+      const data=JSON.parse(d);
+      const cyclesPred=(data.predicates||[]).find(p=>p.name==='cycles');
+      if(!cyclesPred || cyclesPred.passed) return;
+      const edited=new Set(process.env.EDITED.split('\\n').filter(Boolean));
+      // Filter to cycles that involve at least one file we edited
+      const relevant=(cyclesPred.cycles||[]).filter(
+        cycle=>cycle.some(f=>edited.has(f))
+      );
+      if(relevant.length===0) return;
+      const summary=relevant.slice(0,5).map(c=>c.join(' -> ')).join('\\n  ');
+      const extra=relevant.length>5?'\\n  ... and '+(relevant.length-5)+' more':'';
+      process.stdout.write(summary+extra);
+    }catch{}
+  });
+" 2>/dev/null) || true
+
+if [ -n "$CYCLES_FAILED" ]; then
+  REASON="BLOCKED: Circular dependencies detected involving files you edited:
+  $CYCLES_FAILED
+Fix the cycles before committing."
+
+  node -e "
+    console.log(JSON.stringify({
+      hookSpecificOutput: {
+        hookEventName: 'PreToolUse',
+        permissionDecision: 'deny',
+        permissionDecisionReason: process.argv[1]
+      }
+    }));
+  " "$REASON"
+  exit 0
+fi
+
+exit 0

.claude/hooks/warn-signature-changes.sh

@@ -0,0 +1,130 @@
+#!/usr/bin/env bash
+# warn-signature-changes.sh — PreToolUse hook for Bash (git commit)
+# Warns when staged changes modify function signatures, highlighting risk
+# level based on the symbol's role (core > utility > others).
+# Informational only — never blocks.
+
+set -euo pipefail
+
+INPUT=$(cat)
+
+# Extract the command from tool_input JSON
+COMMAND=$(echo "$INPUT" | node -e "
+  let d='';
+  process.stdin.on('data',c=>d+=c);
+  process.stdin.on('end',()=>{
+    const p=JSON.parse(d).tool_input?.command||'';
+    if(p)process.stdout.write(p);
+  });
+" 2>/dev/null) || true
+
+if [ -z "$COMMAND" ]; then
+  exit 0
+fi
+
+# Only trigger on git commit commands
+if ! echo "$COMMAND" | grep -qE '(^|\s|&&\s*)git\s+commit\b'; then
+  exit 0
+fi
+
+# Guard: codegraph DB must exist
+WORK_ROOT=$(git rev-parse --show-toplevel 2>/dev/null) || WORK_ROOT="${CLAUDE_PROJECT_DIR:-.}"
+if [ ! -f "$WORK_ROOT/.codegraph/graph.db" ]; then
+  exit 0
+fi
+
+# Guard: must have staged changes
+STAGED=$(git diff --cached --name-only 2>/dev/null) || true
+if [ -z "$STAGED" ]; then
+  exit 0
+fi
+
+# Run check --staged to get signature violations, then enrich with role + caller count
+WARNING=$(echo "" | node --input-type=module -e "
+  import path from 'path';
+  const workRoot = process.argv[2];
+  const { checkData } = await import(path.join(workRoot, 'src/check.js'));
+  const { openReadonlyOrFail } = await import(path.join(workRoot, 'src/db.js'));
+
+  const result = checkData(undefined, { staged: true, noTests: true });
+  if (!result || result.error) process.exit(0);
+
+  const sigPred = (result.predicates || []).find(p => p.name === 'signatures');
+  if (!sigPred || sigPred.passed || !sigPred.violations.length) process.exit(0);
+
+  const db = openReadonlyOrFail();
+  const lines = [];
+
+  for (const v of sigPred.violations) {
+    // Get role from DB
+    const node = db.prepare(
+      'SELECT role FROM nodes WHERE name = ? AND file = ? AND line = ?'
+    ).get(v.name, v.file, v.line);
+    const role = node?.role || 'unknown';
+
+    // Count transitive callers (BFS, depth 3)
+    const defNode = db.prepare(
+      'SELECT id FROM nodes WHERE name = ? AND file = ? AND line = ?'
+    ).get(v.name, v.file, v.line);
+
+    let callerCount = 0;
+    if (defNode) {
+      const visited = new Set([defNode.id]);
+      let frontier = [defNode.id];
+      for (let d = 0; d < 3; d++) {
+        const next = [];
+        for (const fid of frontier) {
+          const callers = db.prepare(
+            'SELECT DISTINCT n.id FROM edges e JOIN nodes n ON e.source_id = n.id WHERE e.target_id = ? AND e.kind = \\'calls\\''
+          ).all(fid);
+          for (const c of callers) {
+            if (!visited.has(c.id)) {
+              visited.add(c.id);
+              next.push(c.id);
+              callerCount++;
+            }
+          }
+        }
+        frontier = next;
+        if (!frontier.length) break;
+      }
+    }
+
+    const risk = role === 'core' ? 'HIGH' : role === 'utility' ? 'MEDIUM' : 'low';
+    lines.push(risk + ': ' + v.name + ' (' + v.kind + ') [' + role + '] at ' + v.file + ':' + v.line + ' — ' + callerCount + ' transitive callers');
+  }
+
+  db.close();
+
+  if (lines.length > 0) {
+    process.stdout.write(lines.join('\\n'));
+  }
+" -- "$WORK_ROOT" 2>/dev/null) || true
+
+if [ -z "$WARNING" ]; then
+  exit 0
+fi
+
+# Escape for JSON
+ESCAPED=$(printf '%s' "$WARNING" | node -e "
+  let d='';
+  process.stdin.on('data',c=>d+=c);
+  process.stdin.on('end',()=>process.stdout.write(JSON.stringify(d)));
+" 2>/dev/null) || true
+
+if [ -z "$ESCAPED" ]; then
+  exit 0
+fi
+
+# Inject as additionalContext — informational, never blocks
+node -e "
+  console.log(JSON.stringify({
+    hookSpecificOutput: {
+      hookEventName: 'PreToolUse',
+      permissionDecision: 'allow',
+      additionalContext: '[codegraph] Signature changes detected in staged files:\\n' + JSON.parse(process.argv[1])
+    }
+  }));
+" "$ESCAPED" 2>/dev/null || true
+
+exit 0

commitlint.config.js

@@ -1,5 +1,6 @@
 export default {
   extends: ["@commitlint/config-conventional"],
+  ignores: [(msg) => /^merge[:\s]/i.test(msg)],
   rules: {
     "type-enum": [
       2,

docs/guides/recommended-practices.md

@@ -335,6 +335,12 @@ You can configure [Claude Code hooks](https://docs.anthropic.com/en/docs/claude-
 
 **Graph update hook** (PostToolUse on Edit/Write): keeps the graph incrementally updated after each file edit. Only changed files are re-parsed.
 
+**Cycle check hook** (PreToolUse on Bash): when Claude runs `git commit`, the hook runs `codegraph check --staged --json -T` and checks if any circular dependencies involve files edited in this session. If found, blocks the commit with a `deny` decision listing the cycles. Uses the session edit log to scope checks — pre-existing cycles in untouched files don't trigger.
+
+**Dead export check hook** (PreToolUse on Bash): when Claude runs `git commit`, the hook runs `codegraph exports <file> --unused --json -T` for each staged `src/` file that was edited in this session. If any export has zero consumers (dead code), blocks the commit. This catches accidentally introduced dead exports before they reach a PR.
+
+**Signature change warning hook** (PreToolUse on Bash): when Claude runs `git commit`, the hook runs `codegraph check --staged` to detect modified function declaration lines, then enriches each violation with the symbol's role (`core`, `utility`, etc.) and transitive caller count from the graph. Injects a risk-rated summary via `additionalContext` — `HIGH` for core symbols, `MEDIUM` for utility, `low` for others. Non-blocking — the agent sees the warning and can decide whether the signature change is intentional.
+
 **Git operation hook** (PostToolUse on Bash): detects `git rebase`, `git revert`, `git cherry-pick`, `git merge`, and `git pull` commands and automatically: (1) rebuilds the codegraph so dependency context stays fresh, (2) logs all files changed by the operation to `session-edits.log` so commit validation doesn't block rebase-modified files, and (3) clears stale entries from `codegraph-checked.log` so the edit reminder re-fires for affected files. Uses `ORIG_HEAD` (set by all these git operations) to detect which files changed. If the operation failed (e.g. merge conflicts), the diff safely returns nothing.
 
 > **Windows note:** If your hooks use bash scripts, normalize backslashes inside `node -e` rather than bash (`${VAR//\\//}` fails on Git Bash). See this repo's `.claude/hooks/enrich-context.sh` for the pattern.

src/cli.js

@@ -266,10 +266,10 @@ QUERY_OPTS(
     fileExports(file, opts.db, {
       noTests: resolveNoTests(opts),
       json: opts.json,
+      unused: opts.unused || false,
       limit: opts.limit ? parseInt(opts.limit, 10) : undefined,
       offset: opts.offset ? parseInt(opts.offset, 10) : undefined,
       ndjson: opts.ndjson,
-      unused: opts.unused || false,
     });
   });
 

src/flow.js

@@ -99,10 +99,10 @@ export function flowData(name, dbPath, opts = {}) {
   try {
     const maxDepth = opts.depth || 10;
     const noTests = opts.noTests || false;
+    const flowOpts = { ...opts, kinds: opts.kind ? [opts.kind] : CORE_SYMBOL_KINDS };
 
     // Phase 1: Direct LIKE match on full name (use all 10 core symbol kinds,
     // not just FUNCTION_KINDS, so flow can trace from interfaces/types/structs/etc.)
-    const flowOpts = { ...opts, kinds: opts.kind ? [opts.kind] : CORE_SYMBOL_KINDS };
     let matchNode = findMatchingNodes(db, name, flowOpts)[0] ?? null;
 
     // Phase 2: Prefix-stripped matching — try adding framework prefixes

src/queries.js

@@ -18,6 +18,10 @@ import { debug } from './logger.js';
 import { ownersForFiles } from './owners.js';
 import { paginateResult } from './paginate.js';
 import { LANGUAGE_REGISTRY } from './parser.js';
+import { isTestFile } from './test-filter.js';
+
+// Re-export from dedicated module for backward compat
+export { isTestFile, TEST_PATTERN } from './test-filter.js';
 
 /**
  * Resolve a file path relative to repoRoot, rejecting traversal outside the repo.
@@ -29,11 +33,6 @@ function safePath(repoRoot, file) {
   return resolved;
 }
 
-// Re-export from dedicated module for backward compat
-export { isTestFile, TEST_PATTERN } from './test-filter.js';
-
-import { isTestFile } from './test-filter.js';
-
 export const FALSE_POSITIVE_NAMES = new Set([
   'run',
   'get',

tests/unit/queries-unit.test.js

@@ -23,7 +23,6 @@ import {
   fnImpact,
   impactAnalysis,
   moduleMap,
-  queryName,
 } from '../../src/queries-cli.js';
 
 // ─── Helpers ───────────────────────────────────────────────────────────
@@ -380,34 +379,6 @@ describe('diffImpactMermaid', () => {
 
 // ─── Display wrappers ─────────────────────────────────────────────────
 
-describe('queryName (display)', () => {
-  it('outputs JSON when opts.json is true', () => {
-    const spy = vi.spyOn(console, 'log').mockImplementation(() => {});
-    queryName('handleRequest', dbPath, { json: true });
-    expect(spy).toHaveBeenCalledTimes(1);
-    const output = JSON.parse(spy.mock.calls[0][0]);
-    expect(output).toHaveProperty('query', 'handleRequest');
-    expect(output).toHaveProperty('results');
-    spy.mockRestore();
-  });
-
-  it('outputs human-readable format', () => {
-    const spy = vi.spyOn(console, 'log').mockImplementation(() => {});
-    queryName('handleRequest', dbPath);
-    const allOutput = spy.mock.calls.map((c) => c[0]).join('\n');
-    expect(allOutput).toContain('handleRequest');
-    spy.mockRestore();
-  });
-
-  it('outputs "No results" for unknown name', () => {
-    const spy = vi.spyOn(console, 'log').mockImplementation(() => {});
-    queryName('zzzzNotExist', dbPath);
-    const allOutput = spy.mock.calls.map((c) => c[0]).join('\n');
-    expect(allOutput).toContain('No results');
-    spy.mockRestore();
-  });
-});
-
 describe('impactAnalysis (display)', () => {
   it('outputs JSON when opts.json is true', () => {
     const spy = vi.spyOn(console, 'log').mockImplementation(() => {});