@graphpilot-oss/graphpilot 0.0.1

package/.editorconfig

@@ -0,0 +1,15 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.md]
+trim_trailing_whitespace = false
+
+[Makefile]
+indent_style = tab

package/.github/CODEOWNERS

@@ -0,0 +1,22 @@
+# CODEOWNERS — auto-request review on every PR.
+#
+# Syntax: <path-glob> <reviewer> [<reviewer>...]
+# Reviewers are GitHub handles (no @) or team slugs (@org/team).
+#
+# Order matters: the LAST matching rule wins. Default rule first, then
+# overrides for paths that should pull in specific reviewers.
+#
+# Docs: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-security/customizing-your-repository/about-code-owners
+
+# Default: solo maintainer reviews everything.
+*       @codeakki
+
+# When co-maintainers join, add area-specific rules. For example:
+#
+#   /src/mcp/         @codeakki @some-mcp-expert
+#   /src/parser/      @codeakki @some-tree-sitter-expert
+#   /docs/            @codeakki @docs-lead
+#   /bench/           @codeakki @benchmark-owner
+#   /.github/         @codeakki                    # workflow changes are sensitive
+#
+# Until then, the default rule is enough.

package/.github/FUNDING.yml

@@ -0,0 +1 @@
+github: [codeakki]

package/.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,33 @@
+---
+name: Bug report
+about: Something is broken or behaving unexpectedly
+title: 'bug: '
+labels: bug
+---
+
+## Describe the bug
+
+A clear description of what's wrong.
+
+## Reproduction
+
+Steps to reproduce:
+
+1. Run `...`
+2. ...
+3. ...
+
+## Expected behavior
+
+What you expected to happen instead.
+
+## Environment
+
+- OS: [macOS / Linux / Windows + version]
+- Node version: output of `node -v`
+- GraphPilot version: output of `node dist/cli.js --version` (or commit SHA)
+- MCP client (if relevant): [Claude Code / Cursor / Windsurf / ...]
+
+## Additional context
+
+Logs, screenshots, or a minimal repo that reproduces the issue.

package/.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Discussion / Question
+    url: https://github.com/graphpilot-oss/graphpilot/discussions
+    about: Ask questions or share ideas in Discussions instead of opening an issue.

package/.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,23 @@
+---
+name: Feature request
+about: Suggest a new feature or improvement
+title: 'feat: '
+labels: enhancement
+---
+
+## What problem does this solve?
+
+Describe the real-world task or pain point that motivates this feature.
+"My coding agent struggles with X" is more useful than "GraphPilot should support X."
+
+## Proposed solution
+
+What you'd like to see. Rough sketch is fine.
+
+## Alternatives considered
+
+What workarounds have you tried? Any other tools that solve this well?
+
+## Additional context
+
+Links, screenshots, examples.

package/.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,19 @@
+## What
+
+Brief description of the change.
+
+## Why
+
+What problem does this solve? Link to issue: closes #...
+
+## How
+
+Brief explanation of the approach. Anything reviewers should look at carefully?
+
+## Checklist
+
+- [ ] Tests added/updated
+- [ ] Documentation updated if user-facing behavior changed
+- [ ] `CHANGELOG.md` updated under `[Unreleased]`
+- [ ] CI passes (`pnpm build && pnpm test`)
+- [ ] Commit message follows [Conventional Commits](https://www.conventionalcommits.org)

package/.github/dependabot.yml

@@ -0,0 +1,15 @@
+version: 2
+updates:
+  - package-ecosystem: npm
+    directory: '/'
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5
+    groups:
+      dev-dependencies:
+        dependency-type: development
+
+  - package-ecosystem: github-actions
+    directory: '/'
+    schedule:
+      interval: monthly

package/.github/workflows/ci.yml

@@ -0,0 +1,62 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+jobs:
+  lint:
+    name: lint (ESLint — enforces no-network in src/, T12)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: pnpm/action-setup@v6
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 22
+          cache: pnpm
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm typecheck
+      - run: pnpm lint
+
+  test:
+    name: test (${{ matrix.os }}, node ${{ matrix.node }})
+    needs: lint
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        node: [20, 22]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: pnpm/action-setup@v6
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version: ${{ matrix.node }}
+          cache: pnpm
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build
+        run: pnpm build
+
+      - name: Test
+        run: pnpm test
+
+  audit:
+    name: audit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: pnpm/action-setup@v6
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 22
+          cache: pnpm
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm audit --audit-level=high

package/.github/workflows/release.yml

@@ -0,0 +1,50 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: pnpm/action-setup@v6
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 22
+          cache: pnpm
+          registry-url: 'https://registry.npmjs.org'
+
+      - run: pnpm install --frozen-lockfile
+
+      - run: pnpm run check
+
+      - run: pnpm build
+
+      # Test tags (e.g. v0.0.1-test) publish under --tag test, not latest
+      - name: Publish (test tag)
+        if: contains(github.ref_name, '-test')
+        run: pnpm publish --no-git-checks --tag test
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      # Real releases publish normally with provenance
+      - name: Publish (release)
+        if: "!contains(github.ref_name, '-test')"
+        run: pnpm publish --no-git-checks --provenance
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      # Only create a GitHub Release for real tags, not test ones
+      - uses: softprops/action-gh-release@v3
+        if: "!contains(github.ref_name, '-test')"
+        with:
+          generate_release_notes: true

package/.prettierignore

@@ -0,0 +1,19 @@
+# Don't reformat:
+node_modules/
+dist/
+coverage/
+
+# Lockfiles + generated data are not human-edited.
+pnpm-lock.yaml
+package-lock.json
+yarn.lock
+
+# Benchmark output is generated by `pnpm bench` — prettier would
+# pointlessly reformat the JSON every run.
+bench/results/
+
+# Private notes are not part of the project, don't touch.
+.notes/
+
+# CLAUDE.md is per-developer + gitignored, leave alone.
+CLAUDE.md

package/.prettierrc.json

@@ -0,0 +1,20 @@
+{
+  "semi": true,
+  "singleQuote": true,
+  "trailingComma": "all",
+  "printWidth": 100,
+  "tabWidth": 2,
+  "useTabs": false,
+  "arrowParens": "always",
+  "endOfLine": "lf",
+  "bracketSpacing": true,
+  "overrides": [
+    {
+      "files": "*.md",
+      "options": {
+        "proseWrap": "preserve",
+        "printWidth": 80
+      }
+    }
+  ]
+}

package/CHANGELOG.md

@@ -0,0 +1,138 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Added
+
+- **Evidence anchors** on every MCP tool response. Symbol records and call
+  edges now carry a `file:line @ <short-sha>` provenance tag inline so the
+  agent can quote a verifiable reference. Backed by `src/provenance.ts` and
+  pure-fs git helpers in `src/git.ts` (no `child_process` — T6-safe). The
+  graph schema gained two optional fields, `indexedSha` and `indexedBranch`,
+  populated at index time when the root is inside a git worktree. Old graphs
+  load unchanged.
+- **Differential impact:** `gp_impact` now accepts `since: <commit|tag|branch>`.
+  When set, the returned callers (direct + transitive) are filtered to files
+  changed between that ref and HEAD — ideal for PR-scoped refactor review
+  ("of every caller of X, which ones does my branch actually touch?"). Diff
+  computation runs through `isomorphic-git`; pure JS, no shell-out.
+- **Worktree-scoped indexing.** `graphpilot index ./src/feature` and the
+  `gp_index` MCP tool auto-resolve to the git worktree top when called from
+  a subdirectory, so two `git worktree add`-ed branches naturally produce
+  two separate indexes. Pass `--no-worktree` to opt out and index a subdir
+  directly.
+- Repositioned the README around the "refactor-safe code graph" framing —
+  evidence-backed, branch-aware, worktree-native.
+- Initial project scaffold (Node.js + TypeScript)
+- Tree-sitter-based parser for TS/TSX/JS/JSX
+- Symbol extraction for functions, classes, methods, interfaces, type aliases, enums
+- Directory indexer with sensible default ignores (node_modules, dist, .d.ts, etc.)
+- JSON storage at `~/.graphpilot/<repo-id>/graph.json`
+- CLI: `graphpilot index <path>`, `graphpilot status <path>`, `graphpilot mcp`
+- Call-edge extraction (`gp_callers` precursor): captures every call/new
+  expression inside a function body, attributes it to the immediate enclosing
+  function, and resolves the target across the indexed symbol table.
+- Outputs include both resolved (`toId` set) and unresolved (`toName` only) edges
+  so the agent can still see stdlib/external calls.
+- Query layer (`GraphIndex`): pre-computed lookup tables for findByName,
+  findById, callers, callees. Sub-millisecond lookups on indexed repos.
+- MCP server over stdio (`@modelcontextprotocol/sdk`). Tool surface:
+  - `gp_stats` — index health probe
+  - `gp_index` — re-index a repo from the agent
+  - `gp_recall` — find symbols by name (exact CI by default, substring opt-in)
+  - `gp_callers` — list callers or callees (with direction param)
+  - `gp_impact` — blast-radius analysis: direct callers, transitive
+    callers (BFS, depth 1–5), tests likely affected (heuristic on file
+    paths), and a public-API flag derived from `exported`. Answers "what
+    breaks if I rename X?" in a single tool call. Pure-function core in
+    `src/impact.ts`; cycle-safe; per-level cap with `truncated` flag.
+- Watch mode: `graphpilot watch <path>` keeps the index fresh as you
+  edit. Uses `chokidar` (fsevents/inotify/RDCW) with editor-save
+  debouncing. Each file save triggers an incremental update — re-parse
+  one file, drop its old contribution, re-resolve edges across the
+  whole symbol table, save atomically. Real-world 3–5 ms per save on
+  small repos. Updates serialize through an internal chain so chokidar
+  bursts can't race into a torn graph. Storage writes are atomic
+  (`.tmp` + rename) so a crash never leaves a half-written graph.json.
+  CLI runs until SIGINT.
+- Reproducible benchmark (Tier A): `pnpm bench` runs 10 hand-curated
+  structural tasks against GraphPilot's own codebase (the corpus) and
+  scores precision/recall/F1 + bytes processed vs a grep-simulator
+  baseline. Anyone with `pnpm install` can reproduce. First run:
+  **F1 0.89 vs grep 0.42, 99.9 % byte reduction (721 B vs 528 KB),
+  7 wins / 2 ties / 1 expected loss** (the string-literal task,
+  deliberately included as the honest "grep wins" case). Spec for the
+  agent-eval Tier B is in `bench/run-agent-tier.md`.
+- Contributor Covenant 2.1 code of conduct (closes GitHub Community
+  Standards check). Reporting email is `codewithakki@gmail.com`;
+
+### Dev workflow
+
+- Pre-commit hooks via `lefthook` (added 2026-05-20):
+  - `pre-commit`: `pnpm typecheck` + ESLint + `prettier --check` on
+    staged source files (parallel). Hits sub-second on small changes.
+  - `commit-msg`: Conventional Commits regex enforcement. Bad messages
+    get a friendly error pointing at the format spec. Allows
+    `Merge`/`Revert`/`fixup!`/`squash!` for ergonomics.
+  - `pre-push`: full `pnpm test`. Stops broken builds from reaching
+    the remote.
+  - Bypass for emergencies: `LEFTHOOK=0 git commit` or
+    `LEFTHOOK_EXCLUDE=<jobname> git commit`. Installed automatically by
+    `pnpm install`; no manual `lefthook install` required.
+- Prettier configured (added 2026-05-20): `.prettierrc.json` + scripts
+  `pnpm format` / `pnpm format:check`. Single quotes, trailing commas,
+  100-col print width, LF endings. Normalized 31 files in one mechanical
+  pass; wired into `pnpm check` and the lefthook pre-commit so future
+  drift gets blocked.
+- Hand-rolled input validation for every MCP tool (no deps). Rejects unknown
+  fields, type errors, out-of-range numbers, oversize strings.
+- Interaction log (`~/.graphpilot/<repo-id>/interactions.jsonl`): every tool
+  call recorded locally with sanitized inputs. Enables future ranking /
+  personalization. Disabled via `GRAPHPILOT_NO_LOG=1`. Mode 0600.
+
+### Security
+
+- 5 MB per-file size cap (`MAX_FILE_BYTES`)
+- Iterative `walk()` (no stack overflow on deep ASTs)
+- Symlink-escape protection: `followSymbolicLinks: false` + realpath bounds check
+- 50,000 file hard cap per index (`MAX_FILES_PER_INDEX`)
+- Refuses to index `/`, `/etc`, `~`, `/Users`, Windows system paths, and macOS
+  resolved aliases (`/private/etc`, etc.)
+- Graph dir/file written with mode `0o700` / `0o600`
+- Pattern-based secret redaction at signature-extraction time
+  (`src/redact.ts`): OpenAI/Anthropic `sk-`, GitHub `ghp_`/`ghs_`, AWS
+  `AKIA`, JWTs, PEM private-key headers, Slack tokens, Stripe live keys,
+  plus a defensive long-token catch-all.
+- Schema validation on graph.json load (`src/graph-schema.ts`): strict
+  shape check, version enforcement, per-entry sanitization (control chars
+  stripped, length-capped), and recomputed counts (attacker-supplied
+  symbol/edge counts are ignored). Defends against tampered or corrupt
+  files; falls back to "no index" on rejection.
+- ESLint policy enforcing "no network in `src/`" at the build gate
+  (`eslint.config.js`): bans `http`, `https`, `undici`, `axios`,
+  `node-fetch`, `cross-fetch`, `got`, `request`, `superagent`, plus
+  `child_process`. Looser rules for `tests/` and `scripts/`. CI runs
+  `pnpm lint` as a gating job; meta-tests in `tests/lint-policy.test.ts`
+  prove the rule fires on every banned import (catches rule-rot in
+  future PRs).
+
+### Pending (for v0.1.0 launch)
+
+- Tier-B agent benchmark — Claude-Code-in-the-loop scoring on real
+  refactor tasks; produces the "X/10 vs Y/10" headline. Spec in
+  [`bench/run-agent-tier.md`](bench/run-agent-tier.md).
+- `release.yml` workflow + npm publish on tag.
+- CodeQL + dependency-review workflows.
+- Branch protection on `main` (GitHub web UI step).
+- Hero GIF + 30-second demo video.
+- Domain + landing page.
+- MCP registry submissions (Glama, PulseMCP, mcpservers.org,
+  `awesome-mcp-servers`).
+- `examples/<each-client>/` scaffolds.
+
+[Unreleased]: https://github.com/graphpilot-oss/graphpilot/commits/main

package/CODE_OF_CONDUCT.md

@@ -0,0 +1,83 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, caste, color, religion, or sexual identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our community include:
+
+- Demonstrating empathy and kindness toward other people
+- Being respectful of differing opinions, viewpoints, and experiences
+- Giving and gracefully accepting constructive feedback
+- Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
+- Focusing on what is best not just for us as individuals, but for the overall community
+
+Examples of unacceptable behavior include:
+
+- The use of sexualized language or imagery, and sexual attention or advances of any kind
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or email address, without their explicit permission
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, and will communicate reasons for moderation decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing the community in public spaces. Examples of representing our community include using an official e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at codewithakki@gmail.com. All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing clarity around the nature of the violation and an explanation of why the behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, for a specified period of time. This includes avoiding interactions in community spaces as well as external channels like social media. Violating these terms may lead to a temporary or permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public communication with the community for a specified period of time. No public or private interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, is allowed during this period. Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community standards, including sustained inappropriate behavior, harassment of an individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 2.1, available at [https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct enforcement ladder][Mozilla CoC].
+
+For answers to common questions about this code of conduct, see the FAQ at [https://www.contributor-covenant.org/faq][FAQ]. Translations are available at [https://www.contributor-covenant.org/translations][translations].
+
+[homepage]: https://www.contributor-covenant.org
+[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
+[Mozilla CoC]: https://github.com/mozilla/diversity
+[FAQ]: https://www.contributor-covenant.org/faq
+[translations]: https://www.contributor-covenant.org/translations

package/CONTRIBUTING.md

@@ -0,0 +1,111 @@
+# Contributing to GraphPilot
+
+Thanks for your interest! GraphPilot is young — every contribution helps shape it.
+
+## Before you start
+
+- For non-trivial changes, **open an issue first** so we can discuss the approach before
+  you spend time writing code.
+- Look for the [`good first issue`](../../labels/good%20first%20issue) label.
+- Read the [README](README.md) to understand the project shape.
+
+## Development setup
+
+```bash
+git clone https://github.com/graphpilot-oss/graphpilot.git
+cd graphpilot
+pnpm install
+pnpm build
+pnpm test
+```
+
+You need Node.js 20+ and pnpm 9+.
+
+## Running locally against Claude Code
+
+Once the MCP server is in (it's not yet, as of this writing), point Claude Code at
+your local build by adding to `~/.claude.json`:
+
+```jsonc
+{
+  "mcpServers": {
+    "graphpilot-dev": {
+      "command": "node",
+      "args": ["/absolute/path/to/graphpilot/dist/cli.js", "mcp"],
+    },
+  },
+}
+```
+
+Restart Claude Code.
+
+## Commit style
+
+We use [Conventional Commits](https://www.conventionalcommits.org):
+
+- `feat: add gp_callers tool`
+- `fix: handle empty TS files gracefully`
+- `docs: clarify mcp setup for Cursor`
+- `test: add fixture for re-exports`
+- `chore: bump deps`
+- `refactor: simplify symbol id format`
+
+One topic per commit. Commit messages explain the _why_, not just the _what_.
+
+## Pull requests
+
+1. Fork the repo.
+2. Create a branch: `git checkout -b feat/your-feature`.
+3. Make your changes; add tests for any new behavior.
+4. Run `pnpm test` and `pnpm build` — both must pass.
+5. Update [CHANGELOG.md](CHANGELOG.md) under the `[Unreleased]` section.
+6. Open a PR with a clear description (what + why; link the issue).
+7. CI must pass. At least one maintainer review is required before merge.
+
+## Code style
+
+- TypeScript strict mode, no `any` unless commented why.
+- 2-space indent, single quotes, trailing commas where valid (matches `.editorconfig`).
+- One thing per file. If a file passes ~300 lines, consider splitting it.
+- Tests next to code in `tests/`. Fixtures in `tests/fixtures/`.
+
+## Security
+
+GraphPilot reads code from people's repos and exposes a memory layer to AI agents.
+That means it's an attractive target for both supply-chain attacks and prompt-injection
+via crafted code. Before you contribute:
+
+- **Read [SECURITY.md](SECURITY.md)** for how to report vulnerabilities privately.
+- **No network code in `src/`.** Local-first is a user promise. If a feature seems to
+  need the network, open a Discussion first.
+- **No `child_process` / `exec` / `spawn`.** We don't shell out, ever.
+- **Validate every input that crosses a trust boundary.** Files on disk, CLI args, and
+  (when the MCP server lands) tool arguments are all untrusted by default.
+- **No telemetry, analytics, or "anonymous usage stats."** Not by default, not behind
+  a flag, not at all in v1.
+
+PRs that introduce network calls, child processes, eval, dynamic require, or unvalidated
+file-path arguments will be rejected unless there's a written threat-model justification
+in the PR description.
+
+## What we are NOT doing in v1
+
+Please don't open PRs that add:
+
+- Cross-repo indexing
+- A query DSL
+- A web visualization
+- Watch mode (manual re-index is fine for v1)
+- Stack Graphs / production-grade name resolution
+- Languages other than TS/JS
+
+These are explicitly deferred. Keeping v1 small is the only way it ships.
+
+## Code of Conduct
+
+By participating you agree to [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md).
+
+## Questions
+
+Open a [Discussion](../../discussions) for general questions; open an
+[Issue](../../issues) for bugs.