Commit 0e81564

chore: release v3.9.1 (#871)
* chore: release v3.10.0
* fix: correct release version to 3.9.1 (patch, no user-facing features)
* fix(release): add 'security' to internal scopes list for version detection
1 parent 8ab2208 commit 0e81564

7 files changed

Lines changed: 60 additions & 9 deletions

.claude/skills/release/SKILL.md

Lines changed: 1 addition & 1 deletion
@@ -51,7 +51,7 @@ Scan **every commit message** between the last tag and HEAD. Apply these rules i
5151

5252
**Internal scopes — treat as patch, not minor:** The following scopes represent internal developer tooling and infrastructure, not user-facing features. A `feat:` commit with one of these scopes counts as a **patch**, not a minor bump:
5353

54-
`architect`, `bench`, `ci`, `claude`, `deps-audit`, `dogfood`, `hooks`, `housekeep`, `release`, `skills`, `sweep`, `test-health`, `titan`
54+
`architect`, `bench`, `ci`, `claude`, `deps-audit`, `dogfood`, `hooks`, `housekeep`, `release`, `security`, `skills`, `sweep`, `test-health`, `titan`
5555

5656
For example, `feat(titan): first full pipeline run` is internal tooling — patch. But `feat(cfg): control-flow graph generation` is user-facing — minor.
5757
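Review bot: Adding `security` to the internal-scopes list on line 54 means every `feat(security):` commit is counted as a patch, including one that changes user-visible behaviour, while the paragraph above the list defines these scopes as "internal developer tooling and infrastructure, not user-facing features". Suggest stating beside the list that `security` covers CI and build hardening only, and that a security change affecting CLI behaviour or output should carry a user-facing scope so it still triggers a minor bump.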

CHANGELOG.md

Lines changed: 46 additions & 0 deletions
@@ -2,6 +2,52 @@
22

33
All notable changes to this project will be documented in this file. See [commit-and-tag-version](https://github.com/absolute-version/commit-and-tag-version) for commit guidelines.
44

5+
## [3.9.1](https://github.com/optave/ops-codegraph-tool/compare/v3.9.0...v3.9.1) (2026-04-05)
6+
7+
**Dead code accuracy, native query performance, and supply-chain hardening.** This release significantly improves dead code detection — class instantiations via `new`, type-only imports, barrel re-exports, and same-file constants are now correctly tracked as consumption. The native Rust engine gains a composite `fnDeps` query that runs dependency resolution in a single cross-language call, and a critical 1238% incremental rebuild regression from v3.9.0 is fixed. WASM grammar validation and npm audit harden the build pipeline. CLI reliability improves with a fix for hangs in git worktree environments.
8+
9+
### Bug Fixes
10+
11+
* track class instantiation (`new`) as consumption for dead code detection ([#861](https://github.com/optave/ops-codegraph-tool/pull/861))
12+
* resolve type-only imports for dead code analysis ([#862](https://github.com/optave/ops-codegraph-tool/pull/862))
13+
* trace barrel re-exports in role classification ([#860](https://github.com/optave/ops-codegraph-tool/pull/860))
14+
* recognize same-file constant consumption in dead code detector ([#859](https://github.com/optave/ops-codegraph-tool/pull/859))
15+
* resolve codegraph CLI hangs in git worktrees ([#863](https://github.com/optave/ops-codegraph-tool/pull/863))
16+
* use shared `shouldIgnore`/`isSupportedFile` in watcher ([#864](https://github.com/optave/ops-codegraph-tool/pull/864))
17+
* resolve barrel resolution quality and cycle regression ([#848](https://github.com/optave/ops-codegraph-tool/pull/848))
18+
* show both engines side-by-side in README benchmark table ([#826](https://github.com/optave/ops-codegraph-tool/pull/826))
19+
* release config script validation and broken postbump ([#825](https://github.com/optave/ops-codegraph-tool/pull/825))
20+
* **native:** lower version gate for native orchestrator ([#867](https://github.com/optave/ops-codegraph-tool/pull/867))
21+
* **native:** correct incremental purge, scoped deletion, and barrel resolution ([#865](https://github.com/optave/ops-codegraph-tool/pull/865))
22+
* **ci:** retry npm publish on transient registry errors ([#833](https://github.com/optave/ops-codegraph-tool/pull/833))
23+
* **ci:** upgrade publish job to Node 24 for OIDC trusted publishing ([#850](https://github.com/optave/ops-codegraph-tool/pull/850))
24+
* **ci:** add npm auth debug step and fix publish retry logic ([#835](https://github.com/optave/ops-codegraph-tool/pull/835))
25+
* **perf:** wire engine selection through openRepo to fix query benchmarks ([#869](https://github.com/optave/ops-codegraph-tool/pull/869))
26+
* **bench:** attribute unified walk time to per-phase timers ([#858](https://github.com/optave/ops-codegraph-tool/pull/858))
27+
28+
### Performance
29+
30+
* native Rust fnDeps composite query ([#870](https://github.com/optave/ops-codegraph-tool/pull/870))
31+
* **native:** fix 1238% incremental rebuild regression ([#856](https://github.com/optave/ops-codegraph-tool/pull/856))
32+
33+
### Refactors
34+
35+
* **native:** decompose core Rust algorithms and pipeline ([#845](https://github.com/optave/ops-codegraph-tool/pull/845))
36+
* **native:** extract constants and shared barrel resolution ([#842](https://github.com/optave/ops-codegraph-tool/pull/842))
37+
* **native:** flatten and decompose extractor match arms ([#844](https://github.com/optave/ops-codegraph-tool/pull/844))
38+
* DRY shared abstractions in TS features ([#843](https://github.com/optave/ops-codegraph-tool/pull/843))
39+
* decompose TS complexity and build pipeline ([#846](https://github.com/optave/ops-codegraph-tool/pull/846))
40+
* improve TS code quality across modules ([#847](https://github.com/optave/ops-codegraph-tool/pull/847))
41+
42+
### Chores
43+
44+
* **security:** WASM grammar validation and npm audit CI ([#834](https://github.com/optave/ops-codegraph-tool/pull/834))
45+
* **deps:** bump @modelcontextprotocol/sdk from 1.28.0 to 1.29.0 ([#829](https://github.com/optave/ops-codegraph-tool/pull/829))
46+
* **deps-dev:** bump @huggingface/transformers from 3.8.1 to 4.0.1 ([#831](https://github.com/optave/ops-codegraph-tool/pull/831))
47+
* **deps-dev:** bump @biomejs/biome from 2.4.9 to 2.4.10 ([#828](https://github.com/optave/ops-codegraph-tool/pull/828))
48+
* **deps-dev:** bump tree-sitter-gleam ([#830](https://github.com/optave/ops-codegraph-tool/pull/830))
49+
* **deps-dev:** bump tree-sitter-erlang from 0.0.0 to 0.15 ([#827](https://github.com/optave/ops-codegraph-tool/pull/827))
50+
551
## [3.9.0](https://github.com/optave/ops-codegraph-tool/compare/v3.8.1...v3.9.0) (2026-04-04)
652

753
**Engine parity hardening and cross-database queries.** This release closes the remaining native/WASM divergences — node counts, edge counts, complexity metrics, and import resolution now match across engines. A new `--db` flag on `branch-compare` and `info` lets you point at any `.codegraph/graph.db`, enabling cross-repo comparisons without rebuilding. WASM grammar loading is now lazy during incremental rebuilds, cutting rebuild times for large codebases. Windows users get a fix for `ENOENT` failures during auto-install.
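Review bot: The `tree-sitter-gleam` entry at line 48 gives no from/to version, unlike the four dependency bumps listed around it. Grammar packages are the inputs to the WASM grammar validation this release advertises, so record the versions (or the pinned commit, if it is a git dependency) so a reader can tell which grammar build shipped in 3.9.1.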

crates/codegraph-core/Cargo.toml

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
[package]
22
name = "codegraph-core"
3-
version = "3.9.0"
3+
version = "3.9.1"
44
edition = "2021"
55
license = "Apache-2.0"
66
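Review bot: The version on line 3 moves to 3.9.1, but no `Cargo.lock` appears among the 7 files changed. If the workspace tracks a lockfile, it will still record `codegraph-core` 3.9.0 and any build run with `--locked` will fail; include the regenerated lockfile in the release commit or confirm that none is committed.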

docs/roadmap/BACKLOG.md

Lines changed: 2 additions & 2 deletions
@@ -1,6 +1,6 @@
11
# Codegraph Feature Backlog
22

3-
**Last updated:** 2026-04-04
3+
**Last updated:** 2026-04-05
44
**Source:** Features derived from [COMPETITIVE_ANALYSIS.md](../../generated/competitive/COMPETITIVE_ANALYSIS.md) and internal roadmap discussions.
55

66
---
@@ -76,7 +76,7 @@ These features leverage the `ast_nodes` table that already exists and is populat
7676
| 40 | Complexity from AST nodes | `complexity.js` currently re-walks the tree-sitter AST to count nesting, branches, operators. Supplement it by querying `ast_nodes` instead — count `throw`/`await` per function via `parent_node_id`, get call counts, derive async complexity scores. Won't replace the full complexity walk but adds cheap signal. | Analysis | Richer complexity metrics without additional parsing cost; `await` density and `throw` frequency are meaningful risk indicators that the current walker doesn't surface ||| 3 | No ||
7777
| 41 | AST-based lint predicates in `check` | Add configurable `check` predicates like "no `new` of banned classes", "all `await` must be inside try/catch", or "no `throw` of raw strings". Implemented as SQL queries against `ast_nodes` + `cfg_blocks`, not a full linter. | CI | Pattern-based lint rules for CI gates without adding a linter dependency; agents get first-class pass/fail signals for anti-patterns ||| 3 | No ||
7878
| 42 | AST density in triage risk scoring | Factor AST node density into `triage.js` risk scoring — a function with 15 `await` calls and 3 `throw` statements is objectively riskier than pure synchronous logic. Add `asyncDensity` and `throwCount` as scoring dimensions alongside fan-in, complexity, and churn. | Intelligence | Triage produces more accurate risk rankings; agents prioritize genuinely risky functions over merely complex ones ||| 4 | No ||
79-
| 43 | Dead code detection via `new` cross-reference | Cross-reference `ast_nodes` `new ClassName()` calls against `nodes` table to find classes that are defined but never instantiated. Extend to string literals matching route patterns or config keys for unused-route / unused-config detection. | Analysis | Catches dead classes that the current role-based dead code detection misses (a class can have zero call edges but still be instantiated via `new`) ||| 4 | No ||
79+
| 43 | ~~Dead code detection via `new` cross-reference~~ | Cross-reference `ast_nodes` `new ClassName()` calls against `nodes` table to find classes that are defined but never instantiated. Extend to string literals matching route patterns or config keys for unused-route / unused-config detection. | Analysis | Catches dead classes that the current role-based dead code detection misses (a class can have zero call edges but still be instantiated via `new`) ||| 4 | No | | **DONE** — Class instantiation via `new` is now tracked as consumption in dead code detection. Also: type-only imports, barrel re-exports, and same-file constants now correctly tracked. ([#861](https://github.com/optave/ops-codegraph-tool/pull/861), [#862](https://github.com/optave/ops-codegraph-tool/pull/862), [#860](https://github.com/optave/ops-codegraph-tool/pull/860), [#859](https://github.com/optave/ops-codegraph-tool/pull/859)) |
8080
| 44 | Migration/refactoring pattern queries | Higher-level queries built on `ast_nodes`: "find all `new Promise()` that could be async/await", "find all `throw` of raw strings instead of Error objects", "find all regex patterns" for regex-to-library migration. Expose as `ast` subcommands or `check` predicates. | Refactoring | Agents can identify modernization opportunities and anti-patterns in one query instead of grep + manual classification ||| 3 | No ||
8181
| 85 | Hot-path expensive-initialization detection | Cross-reference `ast_nodes` call expressions (e.g. `db.prepare(...)`, `new RegExp(...)`, `JSON.parse(...)`, `fs.readFileSync(...)`) with graph fan-in to flag functions that compile/allocate expensive objects on every invocation. A function containing `db.prepare()` with fan-in > N is almost certainly a performance bug — the statement should be prepared once and cached. Query: find `call` AST nodes matching a configurable pattern list inside functions whose `fan_in` exceeds a threshold; surface as a `check` predicate (`--no-hot-path-alloc`) and in `triage` risk scoring. The pattern list should be user-configurable via `.codegraphrc.json` `check.hotPathPatterns` so it works beyond SQLite (Redis clients, HTTP agents, compiled regexes). | Performance | Catches a class of performance regression that no complexity metric surfaces — a function can have low cyclomatic complexity and still be a hot allocation source. Directly prevents the "missed blast radius" problem: changing a helper that was accidentally called N×/request has outsized perf impact invisible to call-graph analysis alone | ✓ | ✓ | 4 | No | — |
8282
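Review bot: The updated row 43 on line 79 ends with `| No | | **DONE** ... |`, which is one cell more than its neighbours (rows 40 to 44 end `| No ||` and row 85 ends `| No | — |`), so the DONE note falls outside the table's last column. Drop the empty ` | ` before `**DONE**` so the note occupies the final cell. The struck-through description also still includes the extension to route patterns and config keys, which the DONE note does not claim; either split that part into its own backlog row or say explicitly that it remains open.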

docs/roadmap/ROADMAP.md

Lines changed: 7 additions & 2 deletions
@@ -1,6 +1,6 @@
11
# Codegraph Roadmap
22

3-
> **Current version:** 3.9.0 | **Status:** Active development | **Updated:** 2026-04-04
3+
> **Current version:** 3.9.1 | **Status:** Active development | **Updated:** 2026-04-05
44
55
Codegraph is a strong local-first code graph CLI. This roadmap describes planned improvements across fourteen phases -- closing gaps with commercial code intelligence platforms while preserving codegraph's core strengths: fully local, open source, zero cloud dependency by default.
66

@@ -23,7 +23,7 @@ Codegraph is a strong local-first code graph CLI. This roadmap describes planned
2323
| [**7**](#phase-7--expanded-language-support) | Expanded Language Support | Parser abstraction layer, 23 new languages in 4 batches (11 → 34), dual-engine support — all 4 batches shipped across v3.6.0–v3.8.0 | **Complete** (v3.8.0) |
2424
| [**8**](#phase-8--analysis-depth) | Analysis Depth | TypeScript-native resolution, inter-procedural type propagation, field-based points-to analysis, enhanced dynamic dispatch, barrel file resolution, precision/recall CI gates | Planned |
2525
| [**9**](#phase-9--runtime--extensibility) | Runtime & Extensibility | Event-driven pipeline, unified engine strategy, subgraph export filtering, transitive confidence, query caching, configuration profiles, pagination, plugin system | Planned |
26-
| [**10**](#phase-10--quality-security--technical-debt) | Quality, Security & Technical Debt | Supply-chain security, test quality gates, architectural debt cleanup | Planned |
26+
| [**10**](#phase-10--quality-security--technical-debt) | Quality, Security & Technical Debt | Supply-chain security, test quality gates, architectural debt cleanup | In Progress |
2727
| [**11**](#phase-11--intelligent-embeddings) | Intelligent Embeddings | LLM-generated descriptions, enhanced embeddings, build-time semantic metadata, module summaries | Planned |
2828
| [**12**](#phase-12--natural-language-queries) | Natural Language Queries | `ask` command, conversational sessions, LLM-narrated graph queries, onboarding tools | Planned |
2929
| [**13**](#phase-13--github-integration--ci) | GitHub Integration & CI | Reusable GitHub Action, LLM-enhanced PR review, visual impact graphs, SARIF output | Planned |
@@ -1685,9 +1685,14 @@ Commander supports shell completion but it's not implemented. Basic UX gap for a
16851685
**Deliverables:**
16861686

16871687
1. **CI `npm audit`** -- add `npm audit --omit=dev` step to CI pipeline; fail on critical/high vulnerabilities
1688+
- ✅ npm audit CI step added (v3.10.0, [#834](https://github.com/optave/ops-codegraph-tool/pull/834))
1689+
- ✅ WASM grammar validation — build-time integrity checks for tree-sitter grammar files (v3.10.0, [#834](https://github.com/optave/ops-codegraph-tool/pull/834))
16881690
2. **SBOM generation** -- produce CycloneDX or SPDX SBOM on each release via `@cyclonedx/cyclonedx-npm` or similar
1691+
- 🔲 Not yet started
16891692
3. **SLSA provenance** -- enable SLSA Level 2+ build provenance using `actions/attest-build-provenance` in the publish workflow; attach attestation to npm packages
1693+
- 🔲 Not yet started
16901694
4. **Security audit log** -- maintain `docs/security/AUDIT_LOG.md` documenting past audits, dependency reviews, and remediation history
1695+
- 🔲 Not yet started
16911696

16921697
**Affected files:** `.github/workflows/ci.yml`, `.github/workflows/publish.yml`, `docs/security/`
16931698
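Review bot: Both new status lines (1688 and 1689) attribute #834 to v3.10.0, but this commit corrects the release to 3.9.1 and the CHANGELOG hunk lists #834 under 3.9.1. Change both to `v3.9.1` so the roadmap does not point at a version that was never published. Line 1688 would also be more useful if it stated whether the step that landed matches the deliverable as written (`npm audit --omit=dev`, failing on critical/high), since the check mark alone does not say which threshold is enforced.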

package-lock.json

Lines changed: 2 additions & 2 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

package.json

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
{
22
"name": "@optave/codegraph",
3-
"version": "3.9.0",
3+
"version": "3.9.1",
44
"description": "Local code graph CLI — parse codebases with tree-sitter, build dependency graphs, query them",
55
"type": "module",
66
"main": "dist/index.js",
