fix: tighten review-first workflows and cache reuse

[lzehrung]

Summary

• center the default workflow on review-first daily change analysis and align the CLI, docs, and skill guidance around review, impact, and orient -> search -> explain
• surface analysis and provenance metadata across search, explain, impact, and review outputs while improving search ranking toward implementation code by default
• improve warm-session behavior with stale-session refresh checks, persisted snapshot bloom filters, and SQLite readonly compatibility when node:sqlite omits setAuthorizer()

Test plan

• npx vitest run tests/impact-cli.test.ts tests/impact-streaming.test.ts tests/impact.test.ts
• npx vitest run tests/cache-invalidation.test.ts tests/parsed-cache-reuse.test.ts tests/bloom-filter-integration.test.ts
• npx vitest run tests/sqlite.test.ts tests/cli-command-modules.test.ts tests/cli-regressions.test.ts
• npm run check

Made with Cursor

[kilo-code-bot]

WARNING: Empty manifestEntries Map bypasses file staleness tracking

index.manifestEntries can be an empty Map, which is truthy in JavaScript. When this happens, trackedFileSignatures is initialized empty, and refreshNeededFromTrackedFiles() only checks the config file — file changes are never detected. Use index.manifestEntries?.size to guard against empty Maps.

Suggested change

	const trackedEntries = index.manifestEntries
	const trackedEntries = index.manifestEntries?.size

---

Reply with @kilocode-bot fix it to have Kilo Code address this issue.

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Overview

No new issues found in the incremental diff.

Files Reviewed (2 files)

• src/session.ts — checkForStalenessNow() now limits the full tracked-file statSync scan to forced checks; directory signatures and per-target file checks remain as the non-forced staleness path.
• tests/session.test.ts — adds coverage verifying that navigation after the stale interval performs fewer than 10 statSync calls (avoiding full tracked-file scans).

Previous Review Summaries (9 snapshots, latest commit f24b903)

Current summary above is authoritative. Previous snapshots are kept for context only.

Previous review (commit f24b903)

Status: No Issues Found | Recommendation: Merge

Overview

Severity	Count
CRITICAL	0
WARNING	0
SUGGESTION	0

Resolved Issues on Changed Lines

• src/session.ts (line 424): currentBuildOptions() now reloads codegraph.config.json and merges its discovery options before every build, so config scope changes are reflected on refresh. Previous comment addressed.
• src/indexer/build-index.ts (line 1030): initNativeBackendReport() is now called before assigning snapshot.buildReport = report on the snapshot fast-path, ensuring consistent report.backend.native.* fields. Previous comment addressed.

Files Reviewed (4 files)

• src/session.ts — build report capture: report is now created upfront and passed into buildOptions so all build paths populate timings/metadata consistently
• tests/session.test.ts — coverage verifying buildProjectIndexIncremental receives a report during default initialization

Previous review (commit 58d8ea9)

Status: No Issues Found | Recommendation: Merge

Overview

Severity	Count
CRITICAL	0
WARNING	0
SUGGESTION	0

Resolved Issues on Changed Lines

• src/session.ts (line 424): currentBuildOptions() now reloads codegraph.config.json and merges its discovery options before every build, so config scope changes are reflected on refresh. Previous comment addressed.
• src/indexer/build-index.ts (line 1030): initNativeBackendReport(report) is now called before assigning snapshot.buildReport = report on the snapshot fast-path, ensuring consistent report.backend.native.* fields. Previous comment addressed.

Files Reviewed (4 files)

• src/session.ts — config reload on every build (currentBuildOptions()), passes current options to currentProjectFiles()
• src/indexer/build-index.ts — initNativeBackendReport() on snapshot report path
• tests/session.test.ts — coverage for config reload refresh, improved concurrent warmup test
• tests/cache-invalidation.test.ts — snapshot report backend availability assertion

Previous review (commit 52d510f)

Status: No Issues Found | Recommendation: Merge

Overview

Severity	Count
CRITICAL	0
WARNING	0
SUGGESTION	0

Resolved Issues on Changed Lines

• src/session.ts (line 294): directorySignature() no longer reads/sorts full directory listings; now uses statSignature() only. Previous comment outdated.
• src/session.ts (line 386): Expensive per-file statSync scans moved out of sync methods (isReady, getStatus, getStats, getIndex). checkForStaleness() now only checks config + directory signatures; full tracked-file scan is in checkForStalenessNow() which is called only from the async ensureFreshIndex() path. Previous comment addressed.
• src/session.ts (line 549): ensureFreshIndex() now detects in-flight refreshes via refreshPromise and awaits them before returning the index, preventing concurrent callers from throwing Session not ready during refresh. Previous comment addressed.
• src/session.ts: directoriesForProjectFiles() now uses path-segment-aware isPathInsideRoot() via path.relative() instead of string-prefix startsWith(). Previous comment addressed.
• src/session.ts: getStats() now only reports stale/staleReason when status === "ready", avoiding misleading stale metadata after expiration/disposal. Previous comment addressed.
• src/index.ts: SessionStats and SessionStaleReason types are now exported. Previous comment addressed.

Files Reviewed (3 files)

• src/index.ts — exports SessionStats and SessionStaleReason
• src/session.ts — targeted staleness checks, refresh deduplication via refreshPromise, stale metadata restricted to ready state, path-segment-aware directory containment
• tests/session.test.ts — coverage for stale scan throttling, concurrent refresh coalescing, stale metadata omission after disposal

Previous review (commit 7defa33)

Status: No Issues Found | Recommendation: Merge

Overview

Severity	Count
CRITICAL	0
WARNING	0
SUGGESTION	0

Files Reviewed (4 files)

• src/indexer/build-index.ts — snapshot fast-path now reuses persisted project snapshots even when a build report is requested; correctly populates fileReport.cached, timings.graphMs, and snapshot.buildReport on the cached path.
• src/session.ts — forceFull refreshes now route to buildProjectIndex when the session is configured with incremental: false, preserving the intended indexing strategy.
• tests/cache-invalidation.test.ts — new test verifies snapshot reuse with a requested build report.
• tests/session.test.ts — new test verifies full builds are used for manual refreshes on non-incremental sessions.

Previous review (commit dd9ca7d)

Status: No Issues Found | Recommendation: Merge

Overview

Severity	Count
CRITICAL	0
WARNING	0
SUGGESTION	0

Files Reviewed (1 file)

• src/session.ts - staleness check optimization: passive checks now only validate config file and directory signatures, while the full per-file stat scan is retained in checkForStalenessNow() (called from ensureFreshIndex() before serving navigation/impact results). getIndex() no longer triggers a stale check, eliminating redundant synchronous scans from the hot path.

Previous review (commit ff7d9b9)

Status: No Issues Found | Recommendation: Merge

Overview

Severity	Count
CRITICAL	0
WARNING	0
SUGGESTION	0

Files Reviewed (3 files)

• src/indexer/build-cache/project-snapshot.ts
• src/indexer/build-index.ts
• tests/cache-invalidation.test.ts

Previous review (commit 0dccb02)

Status: 1 Issue Found | Recommendation: Address before merge

Overview

Severity	Count
CRITICAL	0
WARNING	1
SUGGESTION	0

Issue Details (click to expand)

WARNING

File	Line	Issue
src/indexer/build-cache/project-snapshot.ts	262	bitsBase64 upper bound alone allows too-short strings that decode to fewer bytes than size requires

Files Reviewed (4 files)

• src/analysisSummary.ts
• src/indexer/build-cache/project-snapshot.ts — 1 issue
• src/session.ts
• tests/cache-invalidation.test.ts

Fix these issues in Kilo Cloud

Previous review (commit 51fe610)

Status: 2 Issues Found | Recommendation: Address before merge

Overview

Severity	Count
CRITICAL	0
WARNING	2
SUGGESTION	0

Issue Details (click to expand)

WARNING

File	Line	Issue
src/session.ts	289	directorySignature tracks node_modules changes, causing unnecessary full rebuilds
src/session.ts	360	Empty manifestEntries Map bypasses file staleness tracking

Files Reviewed (13 files)

• src/agent/search.ts
• src/analysisSummary.ts
• src/cli/impact.ts
• src/impact/index.ts
• src/impact/report.ts
• src/impact/streaming.ts
• src/indexer/build-index.ts
• src/indexer/finalize.ts
• src/indexer/types.ts
• src/session.ts — 2 issues
• tests/agent-search.test.ts
• tests/impact.test.ts
• tests/session.test.ts

Fix these issues in Kilo Cloud

Previous review (commit 21d5849)

Status: 1 Issue Found | Recommendation: Address before merge

Overview

Severity	Count
CRITICAL	0
WARNING	1
SUGGESTION	0

Issue Details (click to expand)

WARNING

File	Line	Issue
src/session.ts	270	Empty manifestEntries Map bypasses file staleness tracking

Files Reviewed (33 files)

• README.md
• codegraph-skill/codegraph/SKILL.md
• docs/agent-workflows.md
• docs/cli.md
• docs/how-it-works.md
• docs/library-api.md
• docs/plans/2026-06-27-roi-implementation-progress.md
• src/agent-tools.ts
• src/agent/explain.ts
• src/agent/search.ts
• src/agent/session.ts
• src/analysisSummary.ts
• src/cli/help.ts
• src/cli/impact.ts
• src/cli/review.ts
• src/impact/report.ts
• src/impact/reportCompact.ts
• src/impact/reportFull.ts
• src/impact/streaming.ts
• src/impact/types.ts
• src/index.ts
• src/indexer/build-cache/project-snapshot.ts
• src/indexer/build-index.ts
• src/review.ts
• src/review/report.ts
• src/review/types.ts
• src/session.ts — 1 issue
• src/sqlite-driver.ts
• tests/agent-search.test.ts
• tests/cache-invalidation.test.ts
• tests/cli-regressions.test.ts
• tests/impact-cli.test.ts
• tests/impact-streaming.test.ts
• tests/impact.test.ts
• tests/session.test.ts

Fix these issues in Kilo Cloud

---

_{Reviewed by kimi-k2.6-20260420 · Input: 293.7K · Output: 30.6K · Cached: 1.8M}

[kilo-code-bot]

WARNING: directorySignature tracks node_modules changes, causing unnecessary full rebuilds

The directory signature includes every entry name, filtering out only .codegraph-cache and .git. When node_modules is present in a tracked directory (commonly the project root), any package install or update changes the directory listing and triggers a full session rebuild. Consider also ignoring node_modules, dist, build, target, .venv, and __pycache__ to match the default file discovery ignores.

Suggested change

	.filter((entry) => entry.name !== ".codegraph-cache" && entry.name !== ".git")
	.filter((entry) => entry.name !== ".codegraph-cache" && entry.name !== ".git" && entry.name !== "node_modules")

---

Reply with @kilocode-bot fix it to have Kilo Code address this issue.

[Copilot]

Pull request overview

This PR recenters Codegraph’s default workflows around review-first daily change analysis, while surfacing analysis/provenance metadata across agent search/explain and impact/review outputs, and improving warm-session/cache reuse behavior (stale-session refresh + persisted bloom filters + SQLite readonly compatibility).

Changes:

• Add AnalysisSummary plumbing and expose analysis / provenance metadata in search, explain, impact (batch + streaming), and review outputs/CLI formatting.
• Add warm CodeReviewSession stale detection with auto-refresh before serving navigation/impact, plus richer session stats.
• Persist bloom filters into the on-disk project snapshot and reuse them on unchanged incremental loads; adjust SQLite readonly authorizer handling for runtimes without setAuthorizer().

Reviewed changes

Copilot reviewed 38 out of 38 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
tests/session.test.ts	Adds coverage for stale-session detection, auto-refresh, and refresh stats.
tests/impact.test.ts	Asserts impact reports include analysis metadata (native semantic label).
tests/impact-streaming.test.ts	Ensures streaming impact summaries include analysis metadata.
tests/impact-cli.test.ts	Validates CLI JSON/pretty output includes analysis label/section.
tests/cli-regressions.test.ts	Formatting-only change to keep sqlite driver import regression check readable.
tests/cache-invalidation.test.ts	Adds tests for persisted snapshot bloom filter reuse and snapshot schema upgrade behavior.
tests/agent-search.test.ts	Updates agent search tests for top-level analysis + per-result provenance + code-first hybrid ranking.
src/sqlite-driver.ts	Makes setAuthorizer() optional for readonly mode when unavailable in node:sqlite.
src/session.ts	Implements stale detection + refresh orchestration + richer session stats and build report propagation.
src/review/types.ts	Adds optional analysis to ReviewReport output shape.
src/review/report.ts	Threads optional analysis metadata into assembled review reports.
src/review.ts	Produces review analysis metadata via summarizeAnalysis() and includes it in reports.
src/indexer/types.ts	Adds buildReport?: BuildReport to ProjectIndex for downstream provenance/analysis.
src/indexer/finalize.ts	Plumbs buildReport into finalized ProjectIndex.
src/indexer/build-index.ts	Ensures build runs always have a report object and attaches it to the resulting index; adjusts snapshot reuse behavior.
src/indexer/build-cache/project-snapshot.ts	Bumps snapshot version and serializes/deserializes bloom filters into project snapshots.
src/index.ts	Re-exports analysis summary types from the public entrypoint.
src/impact/types.ts	Adds optional analysis to impact report shapes (full/compact/stream-summary).
src/impact/streaming.ts	Adds analysis metadata generation and threads build report context through streaming.
src/impact/reportFull.ts	Includes analysis metadata in full impact report output.
src/impact/reportCompact.ts	Includes analysis metadata in compact impact report output.
src/impact/report.ts	Computes and injects analysis metadata when building impact reports.
src/impact/index.ts	Adds impact analysis context for passing build report into report-building.
src/cli/review.ts	Prints analysis label in review CLI summary output.
src/cli/impact.ts	Captures build report during indexing and prints analysis label in pretty output; includes analysis in full JSON conversion.
src/cli/help.ts	Reorders commands and updates help text toward review-first/orient→search→explain workflow and analysis/provenance messaging.
src/analysisSummary.ts	Introduces shared AnalysisSummary derivation + label formatting used across outputs.
src/agent/session.ts	Captures build report and analysis summary in agent session snapshots.
src/agent/search.ts	Adds top-level analysis and per-result provenance; retunes doc boosts to keep hybrid searches code-first by default.
src/agent/explain.ts	Adds top-level analysis metadata to explain packets and formatting.
src/agent-tools.ts	Switches tool indexing to incremental+disk cache defaults for better warm reuse.
README.md	Updates primary docs to emphasize review-first daily workflow and analysis visibility.
docs/plans/2026-06-27-roi-implementation-progress.md	Adds an implementation progress tracking doc for session handoff/context.
docs/library-api.md	Updates library guidance for warm session reuse and analysis/provenance behavior.
docs/how-it-works.md	Documents warm-cache/session reuse and stale refresh behavior.
docs/cli.md	Updates CLI docs for default workflow guidance and analysis/provenance behavior.
docs/agent-workflows.md	Updates agent workflow docs for review-first flow, analysis/provenance fields, and canonical session reuse.
codegraph-skill/codegraph/SKILL.md	Updates skill guidance to match review-first workflow and analysis/provenance behavior.

Comments suppressed due to low confidence (1)

src/indexer/build-index.ts:422

• createIndexBuildRunState() now always assigns a default { timings: {} } report, which makes report truthy even when the caller did not provide opts.report. Downstream logic in buildProjectIndexIncremental() uses report as a signal (e.g. if (explicitFileSet.size && (!explicitFilesCoverAllFiles || report)) ...), so this change can unintentionally force files to be treated as changed and prevent snapshot/manifest reuse. Consider threading an explicit reportProvided = !!opts?.report boolean (or switching those conditions to check opts?.report) so the semantics remain stable while still populating index.buildReport.

  const report = opts?.report ?? { timings: {} };
  initNativeBackendReport(report);
  const cacheMode = opts?.cache ?? "off";
  return {
    normalizedProjectRoot: normalizePath(projectRoot),

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[kilo-code-bot]

WARNING: bitsBase64 upper bound alone allows too-short strings that decode to fewer bytes than size requires

A truncated or otherwise too-short bitsBase64 still passes the <= maxBase64Length check. When BloomFilter.fromBuffer receives a buffer shorter than Math.ceil(size / 8) bytes, mightContain silently returns false for bit indices beyond the buffer, causing false negatives in reference filtering and potentially missing valid results. Consider using === to match the exact padded base64 length produced by Buffer.toString("base64").

Suggested change

	return filter.bitsBase64.length <= maxBase64Length;
	return filter.bitsBase64.length === maxBase64Length;

---

Reply with @kilocode-bot fix it to have Kilo Code address this issue.

[Copilot]

Pull request overview

Copilot reviewed 38 out of 38 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 38 out of 38 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

src/agent-tools.ts:520

• getToolIndex() now forces cache: "disk", which will attempt to create .codegraph-cache/index-v1 under the project root (via fs.mkdirSync(...) in the disk cache implementation). This can break agent/tool usage on read-only checkouts (containers, sandboxed hosts, or repos mounted ro), where the previous behavior could still work.

Recommend falling back to an in-memory cache (or cache: "off") when disk cache initialization fails with EACCES/EROFS/EPERM, so navigation tools remain usable even without write access.

async function getToolIndex(root: string, options: ToolRuntimeOptions): Promise<ProjectIndex> {
  return (
    options.index ??
    (await buildProjectIndexIncremental(root, {
      cache: "disk",
      keepParsed: true,
      useBloomFilters: true,
      logLevel: "error",
      ...(options.native ? { native: options.native } : {}),
    }))
  );

[Copilot]

Pull request overview

Copilot reviewed 38 out of 38 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 38 out of 38 changed files in this pull request and generated 3 comments.

[Copilot]

Pull request overview

Copilot reviewed 38 out of 38 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 38 out of 38 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 38 out of 38 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 38 out of 38 changed files in this pull request and generated 1 comment.