@codragraph/cli 1.6.4 → 2.0.0

package/skills/codragraph-api-surface.md

@@ -0,0 +1,110 @@
+---
+name: codragraph-api-surface
+description: "Use when the user wants to enumerate the public API of a package or codebase, understand what's exported, audit breaking change risk, or compare API shapes across versions. Examples: \"what's our public API\", \"list exports\", \"API surface\", \"what would break if I remove X\", \"document the public interface\""
+---
+
+# API Surface Audit with CodraGraph
+
+## When to Use
+
+- "What's the public API of this package?"
+- "List every exported function / class / type"
+- "What would break if I remove or rename `<symbol>`?"
+- Pre-release API freeze audit
+- Generating API documentation from the graph
+- Comparing API surface across versions (with `codragraph diff --semantic`)
+
+## Why CodraGraph helps here
+
+Reading every `index.ts` / `__init__.py` / `mod.rs` by hand misses re-exports
+and framework-magic exports (Next.js page routes, decorators, registered
+plugins). CodraGraph's `isExported` property is computed by language-aware
+export detection — covers default exports, named re-exports, `__all__`,
+`pub use`, etc., consistently across all 16 supported languages.
+
+## Workflow
+
+```
+1. codragraph_cypher({query: `
+     MATCH (n) WHERE n.isExported = true
+     RETURN labels(n)[0] AS table, n.name, n.filePath, n.id
+     ORDER BY table, n.filePath, n.name
+   `})
+   → every exported symbol, grouped by table
+
+2. For each high-traffic export:
+   codragraph_impact({target: "<name>", direction: "upstream"})
+   → who depends on it (within this repo)
+
+3. For cross-repo audits (multi-repo group):
+   codragraph_impact({repo: "@<group>", target: "<name>", direction: "upstream"})
+   → blast radius across every group member
+
+4. Compare across versions:
+   codragraph diff <baseline> <head> --semantic --json
+   → addedAPIs / removedAPIs / classifiedModifications
+   → produces a versioned changelog of what your public surface gained / lost
+```
+
+> Pair with `codragraph-pr-review` skill when reviewing a PR that touches
+> exported symbols — the impact-across-group check is the difference between
+> "breaks our consumers" and "internal refactor."
+
+## Checklist
+
+```
+- [ ] Cypher query for n.isExported = true
+- [ ] Group by file or by community (Leiden cluster)
+- [ ] For each non-trivial export, run impact upstream
+- [ ] If the package is in a group, run impact with repo: "@group" too
+- [ ] Compare with previous release: codragraph diff <prev-tag> HEAD --semantic
+- [ ] Flag exports with no documented consumers — candidates for visibility
+      reduction (export → internal)
+```
+
+## Example: "What's our public API?"
+
+```
+1. codragraph_cypher({
+     query: `MATCH (n) WHERE n.isExported = true
+              RETURN labels(n)[0] AS table, n.name, n.filePath`
+   })
+   → 47 exports: 22 Function, 12 Class, 8 Interface, 5 Constant
+
+2. Top-level functions:
+   - createClient (src/index.ts) ← 14 callers
+   - fetchUser (src/api.ts)      ← 6 callers
+   - validate (src/utils.ts)     ← 1 internal caller only ⚠ over-exported
+
+3. codragraph_impact({target: "validate", direction: "upstream"})
+   → d=1: only formatPayload (same package). No external consumers.
+   → Recommend: drop the `export` keyword. Internal-only.
+
+4. Compare with v1.5.3 release:
+   codragraph diff v1.5.3 HEAD --semantic
+   → +3 added APIs, -1 removed API (mappings.toCamelCase), ~2 modified
+   → Removed API is a SemVer major bump.
+```
+
+## Output Format
+
+```markdown
+## API Surface: <package>
+
+### Exports (47 total)
+| Symbol | Table | File | Callers (internal) | Notes |
+|--------|-------|------|-------------------:|-------|
+| createClient | Function | src/index.ts | 14 | core entry |
+| validate | Function | src/utils.ts | 1 | over-exported, suggest internal |
+| ...
+
+### Diff vs <previous-tag>
+- **Added (3):** `subscribe`, `unsubscribe`, `EventBus`
+- **Removed (1):** `toCamelCase` ⚠ SemVer major
+- **Modified (2):** `createClient` (param 3→4), `fetchUser` (return type)
+
+### Recommendations
+- Reduce visibility on 4 over-exported internals
+- Document the 3 new APIs in the release notes
+- The removed `toCamelCase` requires a major version bump
+```

package/skills/codragraph-config-audit.md

@@ -0,0 +1,146 @@
+---
+name: codragraph-config-audit
+description: "Use to audit how environment variables, config files, and feature flags are read and used across the codebase — find unused config, missing defaults, undocumented env vars, secrets read into logs. Examples: \"audit env vars\", \"unused config\", \"who reads FOO_BAR env\", \"feature flag usage\", \"config sprawl\""
+---
+
+# Configuration Audit with CodraGraph
+
+## When to Use
+
+- "Which env vars do we actually read?"
+- "Which env vars are read but never set in deploy configs?"
+- "Find the unused feature flags I can delete."
+- "Who reads `STRIPE_SECRET_KEY`?"
+- "Is `<config>` ever logged or sent to telemetry?"
+- "Audit config sprawl before consolidating."
+
+## Why CodraGraph helps here
+
+Configuration enters your code through a small set of helpers:
+`process.env.X`, `os.getenv("X")`, `config.get("foo.bar")`,
+`featureFlags.isEnabled("flag")`. CodraGraph indexes the calls to those
+helpers and the literal arguments — so a `query` for the helper plus a
+`context` of each call site produces a complete picture of which keys
+are read where.
+
+## Workflow
+
+```
+1. Identify the config helpers (per-language patterns):
+   codragraph_query({query: "process.env getenv ConfigService featureFlags"})
+   → list of config-read helpers
+
+2. For each helper, find every call site and its key argument:
+   codragraph_cypher({query: `
+     MATCH (caller)-[:CALLS]->(helper {name: 'getenv'})
+     RETURN caller.name, caller.filePath
+   `})
+   → For richer key-extraction, read the bodies via context:
+   codragraph_context({name: "<caller>", content: true})
+   → look for the literal string passed to getenv()
+
+3. Cross-check with deploy configs:
+   - Read .env / .env.example / docker-compose.yml / k8s ConfigMaps
+   - Build the SET of keys actually defined
+   - For each key your code reads but isn't defined: undocumented env var
+   - For each key defined but no code reads: dead config — delete
+
+4. Feature-flag specific audit:
+   codragraph_query({query: "featureFlags.isEnabled flag.evaluate"})
+   → For each flag-read site: codragraph_impact upstream
+   → Flags with no callers can be removed
+   → Flags with one branch always returning true / false are stale
+
+5. Secret-leakage check:
+   codragraph_query({query: "STRIPE_SECRET DATABASE_URL API_KEY"})
+   → For each match: codragraph_context to confirm the value is not
+     piped to logger / tracer / metrics
+```
+
+## Audit dimensions
+
+| Dimension | Question | CodraGraph approach |
+|---|---|---|
+| **Used** | Is this env var read anywhere? | `query` for the literal key |
+| **Documented** | Is the key in `.env.example` / docs? | grep deploy files; subtract from used set |
+| **Defaulted** | Does the read have a default? | `context` shows the surrounding code |
+| **Validated** | Is the value parsed / type-checked? | `context` for `parseInt` / `URL` / Zod schema in the caller |
+| **Logged** | Does the value flow to telemetry? | `impact` downstream from the read site → check telemetry helpers |
+| **Stale flag** | Is the flag still toggled in production? | combine with deploy-config check |
+
+## Feature flag lifecycle audit
+
+```
+codragraph_cypher({query: `
+  MATCH (caller)-[:CALLS]->(ff {name: 'isEnabled'})
+  RETURN caller.name, caller.filePath, count(*) AS uses
+  ORDER BY uses DESC
+`})
+→ for each call site, codragraph_context to extract the flag NAME literal
+
+# Then:
+- Flag name read by 0 callers → remove
+- Flag name with both branches identical → stale (always-true or always-false)
+- Flag still wired in code, but config has it pinned `true` for >90 days → graduate
+```
+
+## Checklist
+
+```
+- [ ] Listed config helpers (env / config / featureFlag readers)
+- [ ] Built the read-set: { key: [ call sites ] }
+- [ ] Built the defined-set from deploy configs
+- [ ] Diff: undocumented (in code, not in config) + dead (in config, not in code)
+- [ ] Spot-check defaults / validation / secret leakage on critical keys
+- [ ] Feature-flag staleness check
+- [ ] Output: read map + recommended deletions / required deploy changes
+```
+
+## Example: "Audit our feature flags"
+
+```
+1. codragraph_query({query: "featureFlags.isEnabled"})
+   → 47 call sites in 23 files
+
+2. For each call site, extract the flag string (codragraph_context):
+   - 'new_checkout' (12 sites)
+   - 'experimental_search' (4 sites)
+   - 'use_new_pricing' (8 sites)
+   - 'kill_legacy_admin' (1 site)
+   - 'canary_v3' (0 sites — defined in code dead)
+
+3. Cross-check deploys:
+   - 'new_checkout' set to TRUE for 100%% prod since 2026-01 (graduate it)
+   - 'experimental_search' set to TRUE for 5%% prod (active experiment, keep)
+   - 'use_new_pricing' set to TRUE for 100%% prod since 2026-03 (graduate)
+   - 'kill_legacy_admin' set to TRUE for 100%% prod since 2026-02 (graduate)
+   - 'canary_v3' not configured anywhere (truly dead)
+
+4. Findings:
+   - DELETE: 'canary_v3' (dead code, no callers, no config)
+   - GRADUATE: 'new_checkout', 'use_new_pricing', 'kill_legacy_admin' →
+     remove the flag check; keep the new behavior unconditionally
+   - KEEP: 'experimental_search'
+   - Codebase loses: 21 call sites, 1 unused flag definition
+```
+
+## Output Format
+
+```markdown
+## Config Audit: <scope>
+
+### Env vars / config keys
+| Key | Read sites | Defined? | Default? | Validated? | Notes |
+|---|--:|---|---|---|---|
+| DATABASE_URL | 4 | ✓ | ✗ | ✗ | add Zod parse |
+| EXPERIMENTAL_FOO | 1 | ✗ | ✓ ('false') | ✓ | undocumented; either document or delete |
+| ... | ... | ... | ... | ... | ... |
+
+### Feature flags
+- DELETE (no callers): canary_v3, legacy_dashboard_b
+- GRADUATE (100%% production for >90 days): new_checkout, kill_legacy_admin
+- KEEP (active experiment): experimental_search, ai_summarize_v2
+
+### Secret-leak check
+- 0 paths from secret reads to logger/metrics/tracer found ✓
+```

package/skills/codragraph-cross-repo-impact.md

@@ -0,0 +1,135 @@
+---
+name: codragraph-cross-repo-impact
+description: "Use when assessing the blast radius of a change that crosses repository boundaries — a shared library used by multiple services, a contract / protobuf / OpenAPI schema consumed by N consumers, a microservices change. Examples: \"what services consume X\", \"cross-repo blast radius\", \"will this break the consumers\", \"who depends on this contract\""
+---
+
+# Cross-Repo Impact Analysis with CodraGraph
+
+## When to Use
+
+- "What other repos consume `<symbol>` from this one?"
+- "If I change this gRPC method / OpenAPI route / protobuf message, what breaks?"
+- "Cross-repo blast radius for `<change>`"
+- Microservices architecture: assessing a contract change
+- Shared-library author: deciding if a function is safe to remove
+
+## Why CodraGraph helps here
+
+CodraGraph's **groups** (sets of related repos sharing a `group.yaml`)
+maintain a Contract Registry — provider/consumer rows for every cross-repo
+reference (gRPC service / method, OpenAPI route, protobuf message). The
+group-mode `impact` walks both the local call graph AND the contract
+bridges, so a single call returns the blast radius across every member
+repo. You don't need to re-run impact in each consumer separately.
+
+## Workflow
+
+```
+1. Identify the group:
+   codragraph_group_list({})
+   → list of groups + their member repos
+
+2. Confirm the symbol exists in the producer repo:
+   codragraph_context({repo: "<producerRepo>", name: "<symbol>"})
+
+3. Run group-mode impact:
+   codragraph_impact({repo: "@<group>", target: "<symbol>", direction: "upstream"})
+   → d=1 callers spanning every group member
+     (in-repo callers + contract-bridge consumers)
+
+4. Inspect the Contract Registry to see provider/consumer rows directly:
+   READ codragraph://group/<groupName>/contracts
+   → list of contracts touching the symbol or its API
+
+5. Check group-status / staleness:
+   READ codragraph://group/<groupName>/status
+   → which member repos haven't been re-indexed recently
+     (stale members produce stale impact results)
+
+6. Surface the worst-case consumer:
+   any consumer not updated since the schema change = potential breakage
+```
+
+> If any member repo's index is stale, group-mode impact may underreport.
+> Re-analyze stale members before relying on the results.
+
+## Checklist
+
+```
+- [ ] group_list to confirm the group exists and the producer is a member
+- [ ] context on the symbol in the producer repo
+- [ ] Group-mode impact upstream
+- [ ] Inspect Contract Registry for provider/consumer rows
+- [ ] Check group/status for stale members; re-analyze if needed
+- [ ] List affected consumer repos by impact depth
+- [ ] Recommend coordinated PRs across consumers (if breaking)
+```
+
+## When to Use Which Tool
+
+| Question | Tool |
+| --- | --- |
+| "Which repos are in my group?" | `group_list` |
+| "What contracts cross between member A and member B?" | Contract Registry resource |
+| "If I change this provider method, what breaks?" | Group-mode `impact` |
+| "Are all consumers up to date with the latest provider commit?" | `group/<name>/status` resource |
+| "What's the structural diff between last release and now in repo X?" | Per-repo `diff --semantic` |
+
+## Example: "Will renaming `getUserProfile` break my microservices?"
+
+```
+1. codragraph_group_list({})
+   → group "platform": [user-service, web-app, mobile-bff, admin-portal]
+
+2. codragraph_context({repo: "user-service", name: "getUserProfile"})
+   → exported gRPC method in user.proto, defined in user-service
+
+3. codragraph_impact({repo: "@platform", target: "getUserProfile", direction: "upstream"})
+   → d=1 callers (across the group):
+       - web-app/src/api/userClient.ts (CALLS via grpc-web)
+       - mobile-bff/internal/user.go (CALLS via grpc.NewClient)
+       - admin-portal/src/services/users.tsx (CALLS via grpc-web)
+   → 3 consumer repos depend on this method by exact name.
+
+4. READ codragraph://group/platform/contracts
+   → user.UserService.getUserProfile: provider=user-service,
+     consumers=[web-app, mobile-bff, admin-portal]
+
+5. READ codragraph://group/platform/status
+   → web-app last indexed 2 hours ago ✓
+   → mobile-bff last indexed 3 days ago ⚠ (might miss recent callers)
+   → admin-portal last indexed 1 month ago ⚠⚠ (re-analyze first!)
+
+6. Recommendation:
+   - HIGH-RISK rename. 3 consumer repos must change in lockstep.
+   - Re-index admin-portal before trusting the d=1 list.
+   - Coordinated PR sequence:
+     1. Add new method (getUserProfileV2) in user-service
+     2. Migrate web-app, mobile-bff, admin-portal to V2
+     3. Remove getUserProfile in user-service after all consumers ship
+   - Alternative: keep both, deprecate old, drop in next major.
+```
+
+## Output Format
+
+```markdown
+## Cross-Repo Impact: `<symbol>` in `<producer-repo>` (group `@<group>`)
+
+### Consumers (d=1)
+| Repo | Caller | Path | Notes |
+| --- | --- | --- | --- |
+| web-app | userClient.ts | grpc-web | active |
+| mobile-bff | internal/user.go | grpc native | active |
+| admin-portal | services/users.tsx | grpc-web | last indexed 1mo ago ⚠ |
+
+### Contracts touching this symbol
+- `user.UserService.getUserProfile` (provider: user-service)
+
+### Staleness
+Re-analyze `admin-portal` before trusting these results.
+
+### Recommended migration sequence
+1. Add `getUserProfileV2` alongside the old method
+2. Migrate consumers to V2 (separate PRs per repo)
+3. Remove old method after all consumers ship
+```

package/skills/codragraph-data-lineage.md

@@ -0,0 +1,137 @@
+---
+name: codragraph-data-lineage
+description: "Use when tracing data flow through an ETL pipeline, finding where a column or table is read/written, mapping data dependencies in a notebook-heavy or data-engineering project. Examples: \"where does this data come from\", \"trace this column\", \"data lineage for X\", \"who reads from this table\", \"what's downstream of this query\""
+---
+
+# Data Lineage with CodraGraph
+
+## When to Use
+
+- "Where does the `user_events` table get written?"
+- "Trace the data flow that produces `daily_revenue.csv`"
+- "What's downstream of this Snowflake query?"
+- "Which notebook cells transform this DataFrame?"
+- Auditing a data pipeline before changing a schema
+- Understanding an unfamiliar ETL project
+
+## Why CodraGraph helps here
+
+Data pipelines often look like a graph of small functions: `extract_*`,
+`transform_*`, `load_*`, `enrich_*`. Their connections are *function calls*
+plus *string-literal table names* and *file paths*. CodraGraph already
+captures the call graph; combining it with `query` over identifier strings
+gives you data lineage at the *symbol* level, regardless of whether your
+pipeline is in vanilla Python, Airflow, dbt, Pandas, PySpark, or Notebooks.
+
+## Workflow
+
+```
+1. codragraph_query({query: "<table_or_column_name>"})
+   → find every symbol that mentions the data identifier
+
+2. For each candidate symbol:
+   codragraph_context({name: "<symbol>"})
+   → see callers (who triggers this read/write) and callees (what it depends on)
+
+3. Walk the producer side (downstream → upstream):
+   codragraph_impact({target: "<load function>", direction: "upstream"})
+   → trace back to where the data originates
+
+4. Walk the consumer side (upstream → downstream):
+   codragraph_impact({target: "<extract function>", direction: "downstream"})
+   → trace forward to every transform / sink that depends on it
+
+5. READ codragraph://repo/{name}/process/<pipeline-flow>
+   → the canonical step-by-step flow if CodraGraph detected this as a process
+
+6. Build the lineage diagram: source → transform stages → sink
+```
+
+> CodraGraph is graph-aware, not SQL-aware: it sees a string literal that
+> *looks* like a table name, but doesn't parse SQL semantics. For mature SQL
+> lineage tooling (column-level resolution), pair with `codragraph-sql-tracing`
+> skill and a SQL parser like sqlglot.
+
+## Checklist
+
+```
+- [ ] query for the table/column/file identifier
+- [ ] context on each candidate to map producers vs consumers
+- [ ] impact upstream on the load/sink function
+- [ ] impact downstream on the extract/source function
+- [ ] Cross-reference with processes for canonical pipeline flows
+- [ ] Render the lineage as: source → transform_1 → transform_2 → sink
+```
+
+## Identifier Patterns to Search
+
+| Layer | Search hints |
+| --- | --- |
+| File-based source | filename, path fragments (`raw_events.parquet`) |
+| Database table | bare table name + `FROM table_name` |
+| Column / field | column name in conjunction with the table name |
+| API endpoint | URL path or function name (`fetchUserEvents`) |
+| Event topic / queue | topic name (`user.signup.v2`) |
+
+## Example: "Where does daily_revenue.csv come from?"
+
+```
+1. codragraph_query({query: "daily_revenue"})
+   → 4 symbols:
+     - write_daily_revenue (src/etl/daily.py)
+     - read_daily_revenue (src/dashboards/finance.py)
+     - DailyRevenueRow (src/schemas/types.py)
+     - daily_revenue_dag (airflow/dags/finance_etl.py)
+
+2. codragraph_context({name: "write_daily_revenue"})
+   → callers: daily_revenue_dag (Airflow task)
+   → callees: aggregate_orders, attach_currency_rates, format_csv_row
+
+3. codragraph_impact({target: "aggregate_orders", direction: "upstream"})
+   → reads from: orders_raw, returns_raw (both tables)
+
+4. codragraph_impact({target: "read_daily_revenue", direction: "downstream"})
+   → consumed by: finance_dashboard.render(), revenue_alerts.check()
+
+5. READ codragraph://repo/CodraGraph/process/DailyRevenueETL
+   → 6 steps:
+       fetch_orders → fetch_returns → aggregate_orders →
+       attach_currency_rates → format_csv_row → write_daily_revenue
+
+Lineage:
+  orders_raw, returns_raw  (DB tables)
+       ↓
+  fetch_orders + fetch_returns  (extract)
+       ↓
+  aggregate_orders → attach_currency_rates → format_csv_row  (transform)
+       ↓
+  daily_revenue.csv  (sink)
+       ↓
+  finance_dashboard, revenue_alerts  (consumers)
+```
+
+## Output Format
+
+```markdown
+## Data Lineage: <data-asset>
+
+### Sources
+- `orders_raw` (DB)
+- `returns_raw` (DB)
+
+### Pipeline (DailyRevenueETL flow, 6 steps)
+1. `fetch_orders` — reads `orders_raw`
+2. `fetch_returns` — reads `returns_raw`
+3. `aggregate_orders` — joins, sums by day
+4. `attach_currency_rates` — enriches with FX
+5. `format_csv_row` — schema-conforming serialization
+6. `write_daily_revenue` — writes `daily_revenue.csv`
+
+### Consumers
+- `finance_dashboard` (renders chart)
+- `revenue_alerts` (threshold checks)
+
+### Risk if `<schema/source>` changes
+- 6 transform stages depend on it
+- 2 consumers depend on the output schema
+```

package/skills/codragraph-dead-code.md

@@ -0,0 +1,119 @@
+---
+name: codragraph-dead-code
+description: "Use when the user wants to find unused code, orphan functions/classes, dead code, or symbols safe to delete. Examples: \"what's unused\", \"find dead code\", \"can I delete this function\", \"orphan symbols\", \"clean up unused exports\""
+---
+
+# Dead Code Detection with CodraGraph
+
+## When to Use
+
+- "What's unused in this codebase?"
+- "Find dead code / orphan functions / unused exports"
+- "Can I safely delete `<symbol>`?"
+- Periodic cleanup before a release
+- Identifying candidates for the next refactor
+
+## Why CodraGraph helps here
+
+Linters can find unreachable code in *one file*. CodraGraph walks the
+*whole-repo* call graph, including dynamic dispatch, framework entry
+points, and exports — so it can tell you a symbol is genuinely unreachable
+rather than just "the linter couldn't see the caller."
+
+The trick is to combine three signals:
+
+1. **No incoming references** — `cypher` query for symbols with zero
+   `<-[:CALLS|REFERENCES]-` edges.
+2. **Not exported** — internal-only symbols are stronger candidates than
+   `isExported = true` ones (which may be public API).
+3. **Not in any process** — execution flows are the canonical "this is
+   used" signal; symbols outside every process are extra suspect.
+
+## Workflow
+
+```
+1. codragraph_cypher({query: `
+     MATCH (n)
+     WHERE NOT (n)<-[:CALLS|REFERENCES]-()
+       AND NOT (n.isExported = true)
+     RETURN n.id, n.name, labels(n)[0] AS label, n.filePath
+     LIMIT 200
+   `})
+   → list of orphan candidates
+
+2. For each candidate:
+   codragraph_context({name: "<candidate>"})
+   → confirm: 0 callers, 0 callees that matter, not in any process
+
+3. Cross-check against processes:
+   READ codragraph://repo/{name}/processes
+   → if the symbol appears in ANY process, it's not actually dead
+
+4. For exported orphans (potentially public API):
+   codragraph_impact({target: "<symbol>", direction: "upstream"})
+   → if d=1 has external callers (in another indexed repo group), keep it
+
+5. Group by file/cluster, prioritize by file size of dead code
+```
+
+> If "Index is stale" → run `npx @codragraph/cli analyze` first. Stale
+> indexes produce false-positive dead-code reports because new callers
+> aren't visible.
+
+## Checklist
+
+```
+- [ ] Cypher query for orphan symbols (no incoming edges, not exported)
+- [ ] context check on each candidate (confirm 0 callers)
+- [ ] Cross-reference with processes (symbols in flows are not dead)
+- [ ] For exported orphans, impact across groups (cross-repo callers?)
+- [ ] Group findings by file → suggest which files can lose the most code
+- [ ] Flag any candidate that's a framework convention (e.g., default export
+      of a Next.js page route) — those LOOK orphan but aren't
+```
+
+## Pitfalls
+
+| Pitfall | What to do |
+| --- | --- |
+| Framework conventions (Next.js pages, Astro routes, Django URLs) | Check `isEntryPoint` on the node — these often score high |
+| Test-only symbols | Filter `filePath CONTAINS '/test'` separately |
+| Re-exported symbols | A re-export creates `REFERENCES` edges; a true orphan has none |
+| Dynamic dispatch (factories, plugin systems) | Cross-check with `query` for the registration string |
+
+## Example: "Clean up unused code in src/utils/"
+
+```
+1. codragraph_cypher({
+     query: `MATCH (n) WHERE n.filePath STARTS WITH 'src/utils/'
+              AND NOT (n)<-[:CALLS|REFERENCES]-()
+              AND NOT (n.isExported = true)
+              RETURN n.id, n.name, n.filePath`
+   })
+   → 7 candidates
+
+2. codragraph_context({name: "formatLegacyDate"})
+   → 0 callers, 0 callees, not in any process. Truly dead.
+
+3. codragraph_context({name: "DEBUG_TIMER"})
+   → 0 callers but called dynamically via process.env injection.
+   → Keep it.
+
+4. Final: 6 of 7 candidates safe to delete. Total: 142 LoC across 4 files.
+```
+
+## Output Format
+
+```markdown
+## Dead Code Audit: <scope>
+
+### High-confidence (0 callers, 0 callees, not in any process)
+- `formatLegacyDate` — `src/utils/date.ts:42` (12 LoC)
+- ...
+
+### Possibly dead (verify dynamic dispatch first)
+- `DEBUG_TIMER` — used via env-driven hook?
+
+### Total cleanup potential
+N functions, M LoC, X files.
+```