merge: resolve conflict in embedder.js imports

Impact: 13 functions changed, 34 affected

Author: github-actions[bot]

.github/workflows/publish.yml

@@ -66,25 +66,9 @@ jobs:
             echo "Stable release (manual retry): $VERSION"
           else
             IFS='.' read -r MAJOR MINOR PATCH <<< "$CURRENT"
-            BASE_PATCH=$((PATCH + 1))
+            DEV_PATCH=$((PATCH + 1))
             SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
-
-            # Query npm for the highest dev patch number published so far
-            LATEST_DEV=$(npm view "@optave/codegraph" versions --json 2>/dev/null \
-              | node -e "
-                const versions = JSON.parse(require('fs').readFileSync(0,'utf8'));
-                const prefix = '${MAJOR}.${MINOR}.';
-                let maxPatch = ${BASE_PATCH} - 1;
-                for (const v of (Array.isArray(versions) ? versions : [versions])) {
-                  if (v.startsWith(prefix) && v.includes('-dev.')) {
-                    const patch = parseInt(v.split('.')[2], 10);
-                    if (patch > maxPatch) maxPatch = patch;
-                  }
-                }
-                console.log(maxPatch + 1);
-              " 2>/dev/null) || LATEST_DEV="$BASE_PATCH"
-
-            VERSION="${MAJOR}.${MINOR}.${LATEST_DEV}-dev.${SHORT_SHA}"
+            VERSION="${MAJOR}.${MINOR}.${DEV_PATCH}-dev.${SHORT_SHA}"
             NPM_TAG="dev"
             echo "Dev release: $VERSION"
           fi
@@ -152,7 +136,158 @@ jobs:
           path: crates/codegraph-core/*.node
           if-no-files-found: error
 
+  # ── Dev builds: GitHub pre-release with tarballs ──
+
+  publish-dev:
+    if: github.event_name == 'push'
+    needs: [compute-version, build-native]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+
+      - run: npm install
+
+      - name: Set version
+        env:
+          VERSION: ${{ needs.compute-version.outputs.version }}
+        run: |
+          npm version "$VERSION" --no-git-tag-version --allow-same-version
+          node scripts/sync-native-versions.js
+          echo "Packaging version $VERSION"
+
+      - name: Disable prepublishOnly
+        run: npm pkg delete scripts.prepublishOnly
+
+      - name: Download native artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ runner.temp }}/artifacts/
+
+      - name: Pack main package
+        run: npm pack
+
+      - name: Pack platform packages
+        env:
+          VERSION: ${{ needs.compute-version.outputs.version }}
+        shell: bash
+        run: |
+          declare -A PACKAGES=(
+            ["linux-x64"]="@optave/codegraph-linux-x64-gnu"
+            ["darwin-arm64"]="@optave/codegraph-darwin-arm64"
+            ["darwin-x64"]="@optave/codegraph-darwin-x64"
+            ["win32-x64"]="@optave/codegraph-win32-x64-msvc"
+          )
+
+          ARTIFACTS="${RUNNER_TEMP}/artifacts"
+          PKG_DIR="${RUNNER_TEMP}/pkg"
+
+          for artifact_dir in "${ARTIFACTS}"/native-*/; do
+            platform=$(basename "$artifact_dir" | sed 's/^native-//')
+            pkg_name=${PACKAGES[$platform]}
+            node_os=${platform%%-*}
+            node_arch=${platform##*-}
+
+            mkdir -p "${PKG_DIR}/$platform"
+            cp "$artifact_dir"/*.node "${PKG_DIR}/$platform/codegraph-core.node"
+
+            cat > "${PKG_DIR}/$platform/package.json" <<PKGJSON
+          {
+            "name": "${pkg_name}",
+            "version": "${VERSION}",
+            "description": "Native codegraph-core binary for ${node_os}-${node_arch}",
+            "os": ["${node_os}"],
+            "cpu": ["${node_arch}"],
+            "main": "codegraph-core.node",
+            "files": ["codegraph-core.node"],
+            "license": "Apache-2.0",
+            "repository": {
+              "type": "git",
+              "url": "https://github.com/optave/codegraph.git"
+            }
+          }
+          PKGJSON
+
+            npm pack "${PKG_DIR}/$platform"
+          done
+
+      - name: Create GitHub pre-release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VERSION: ${{ needs.compute-version.outputs.version }}
+        run: |
+          TAG="dev-v${VERSION}"
+          gh release create "$TAG" \
+            --prerelease \
+            --title "Dev build ${VERSION}" \
+            --notes "Dev build from commit \`${{ github.sha }}\` on \`main\`." \
+            *.tgz
+
+      - name: Prune old dev releases
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # List dev releases sorted newest-first, skip the first 5, delete the rest
+          # Non-critical: failures here should not fail the workflow
+          TAGS=$(gh release list --limit 100 --json tagName,isPrerelease,createdAt 2>&1) || {
+            echo "::warning::Failed to list releases for pruning: ${TAGS}"
+            exit 0
+          }
+
+          OLD_TAGS=$(echo "$TAGS" | jq -r '
+              [ .[] | select(.isPrerelease and (.tagName | startswith("dev-v"))) ]
+              | sort_by(.createdAt) | reverse
+              | .[5:]
+              | .[].tagName
+            ' 2>&1) || {
+            echo "::warning::Failed to parse release list for pruning: ${OLD_TAGS}"
+            exit 0
+          }
+
+          # When fewer than 5 dev releases exist, OLD_TAGS is empty and the loop is a no-op
+          echo "$OLD_TAGS" | while read -r tag; do
+            [ -z "$tag" ] && continue
+            echo "Deleting old dev release: $tag"
+            gh release delete "$tag" --yes --cleanup-tag || echo "::warning::Failed to delete release ${tag}"
+          done
+
+      - name: Summary
+        env:
+          VERSION: ${{ needs.compute-version.outputs.version }}
+        run: |
+          TAG="dev-v${VERSION}"
+          cat >> "$GITHUB_STEP_SUMMARY" <<EOF
+          ## Dev Build Published
+
+          **Version:** \`${VERSION}\`
+          **Commit:** \`${{ github.sha }}\`
+
+          ### Download
+
+          Tarballs attached to [GitHub release \`${TAG}\`](${{ github.server_url }}/${{ github.repository }}/releases/tag/${TAG}).
+
+          \`\`\`bash
+          # Install the main package (uses WASM fallback):
+          npm install ${{ github.server_url }}/${{ github.repository }}/releases/download/${TAG}/optave-codegraph-${VERSION}.tgz
+
+          # For native performance, also install your platform package:
+          # Linux x64:
+          npm install ${{ github.server_url }}/${{ github.repository }}/releases/download/${TAG}/optave-codegraph-linux-x64-gnu-${VERSION}.tgz
+          # macOS arm64:
+          npm install ${{ github.server_url }}/${{ github.repository }}/releases/download/${TAG}/optave-codegraph-darwin-arm64-${VERSION}.tgz
+          \`\`\`
+          EOF
+
+  # ── Stable releases: publish to npm ──
+
   publish:
+    if: github.event_name != 'push'
     needs: [compute-version, build-native]
     runs-on: ubuntu-latest
     environment: npm-publish
@@ -179,7 +314,6 @@ jobs:
       - run: npm install
 
       - name: Set version
-        id: version
         env:
           VERSION: ${{ needs.compute-version.outputs.version }}
         run: |
@@ -270,20 +404,15 @@ jobs:
           NPM_TAG: ${{ needs.compute-version.outputs.npm_tag }}
         run: npm publish --access public --provenance --tag "$NPM_TAG"
 
-      # ── Stable-only: version bump PR and tag ──
-
       - name: Configure git
-        if: github.event_name != 'push'
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
 
       - name: Generate DEPENDENCIES.json
-        if: github.event_name != 'push'
         run: mkdir -p generated && npm ls --json --all --omit=dev > generated/DEPENDENCIES.json 2>/dev/null || true
 
       - name: Push version bump via PR
-        if: github.event_name != 'push'
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           VERSION: ${{ needs.compute-version.outputs.version }}
@@ -313,25 +442,3 @@ jobs:
             git tag -a "$TAG" -m "release: $TAG"
             git push origin "$TAG"
           fi
-
-      # ── Dev-only: summary with install instructions ──
-
-      - name: Summary
-        if: github.event_name == 'push'
-        env:
-          VERSION: ${{ needs.compute-version.outputs.version }}
-        run: |
-          cat >> "$GITHUB_STEP_SUMMARY" <<EOF
-          ## Dev Release Published
-
-          **Version:** \`${VERSION}\`
-          **Commit:** \`${{ github.sha }}\`
-
-          ### Install
-
-          \`\`\`bash
-          npm install @optave/codegraph@dev
-          # or pin this exact version:
-          npm install @optave/codegraph@${VERSION}
-          \`\`\`
-          EOF

docs/roadmap/BACKLOG.md

@@ -37,9 +37,11 @@ Non-breaking, ordered by problem-fit:
 | 13 | Architecture boundary rules | User-defined rules for allowed/forbidden dependencies between modules (e.g., "controllers must not import from other controllers"). Violations flagged in `diff-impact` and CI. Inspired by codegraph-rust, stratify. | Architecture | Prevents architectural decay in CI; agents are warned before introducing forbidden cross-module dependencies | ✓ | ✓ | 3 | No |
 | 15 | Hybrid BM25 + semantic search | Combine BM25 keyword matching with embedding-based semantic search using Reciprocal Rank Fusion. Better recall than either approach alone. Inspired by GitNexus, claude-context-local. | Search | Search results improve dramatically — keyword matches catch exact names, embeddings catch conceptual matches, RRF merges both | ✓ | ✓ | 3 | No |
 | 18 | CODEOWNERS integration | Map graph nodes to CODEOWNERS entries. Show who owns each function, surface ownership boundaries in `diff-impact`. Inspired by CKB. | Developer Experience | `diff-impact` tells agents which teams to notify; ownership-aware impact analysis reduces missed reviews | ✓ | ✓ | 3 | No |
+| 22 | Manifesto-driven pass/fail | User-defined rule engine with custom thresholds (e.g. "cognitive > 15 = fail", "cyclomatic > 10 = fail", "imports > 10 = decompose"). Outputs pass/fail per function/file. Generalizes ID 13 (boundary rules) into a generic rule system. | Analysis | Enables autonomous multi-agent audit workflows (GAUNTLET pattern); CI integration for code health gates with configurable thresholds | ✓ | ✓ | 3 | No |
 | 6 | Formal code health metrics | Cyclomatic complexity, Maintainability Index, and Halstead metrics per function — we already parse the AST, the data is there. Inspired by code-health-meter (published in ACM TOSEM 2025). | Analysis | Agents can prioritize refactoring targets; `hotspots` becomes richer with quantitative health scores per function | ✓ | ✓ | 2 | No |
 | 7 | OWASP/CWE pattern detection | Security pattern scanning on the existing AST — hardcoded secrets, SQL injection patterns, eval usage, XSS sinks. Lightweight static rules, not full taint analysis. Inspired by narsil-mcp, CKB. | Security | Catches low-hanging security issues during `diff-impact`; agents can flag risky patterns before they're committed | ✓ | ✓ | 2 | No |
 | 11 | Community detection | Leiden/Louvain algorithm to discover natural module boundaries vs actual file organization. Reveals which symbols are tightly coupled and whether the directory structure matches. Inspired by axon, GitNexus, CodeGraphMCPServer. | Intelligence | Surfaces architectural drift — when directory structure no longer matches actual dependency clusters; guides refactoring | ✓ | ✓ | 2 | No |
+| 21 | Cognitive + cyclomatic complexity | Cognitive Complexity (SonarSource) as the primary readability metric — penalizes nesting, so it subsumes nesting depth analysis. Cyclomatic complexity (McCabe) as secondary testability metric. Both computed from existing tree-sitter AST in a single traversal. Cognitive > 15 or cyclomatic > 10 = flag for refactoring. Extends ID 6 with the two most actionable metrics. | Analysis | Agents can flag hard-to-understand and hard-to-test functions in one pass; cognitive complexity captures both decision complexity and nesting depth in a single score | ✓ | ✓ | 2 | No |
 
 Breaking (penalized to end of tier):
 
@@ -90,3 +92,4 @@ When filling in the assessment columns during a prioritization session:
 - **3** — Useful for developers and agents but doesn't address the core "lost AI" problem
 - **2** — Nice-to-have; improves the tool but tangential to the stated problem
 - **1** — Cool feature, but doesn't help AI agents navigate codebases better
+