@optave/codegraph 2.6.0 → 3.0.0

package/README.md

@@ -31,19 +31,24 @@
 
 ## The Problem
 
-AI coding assistants are incredible — until your codebase gets big enough. Then they get lost.
+Large codebases are opaque. The structure lives in people's heads, not in tools.
 
-On a large codebase, a great portion of your AI budget isn't going toward solving tasks. It's going toward the AI re-orienting itself in your code. Every session. Over and over. It burns tokens on tool calls — `grep`, `find`, `cat` — just to figure out what calls what. It loses context. It hallucinates dependencies. It modifies a function without realizing 14 callers across 9 files depend on it.
+A developer inherits a project and spends days grepping to understand what calls what. An AI agent burns half its token budget on `grep`, `find`, `cat` — re-discovering the same structure every session. An architect draws boundary rules on a whiteboard that erode within weeks because nothing enforces them. A CI pipeline catches test failures but can't tell you _"this change silently affects 14 callers across 9 files."_
 
-When the AI catches these mistakes, you waste time and tokens on corrections. When it doesn't catch them, your codebase starts degrading with silent bugs until things stop working.
-
-And when you hit `/clear` or run out of context? It starts from scratch.
+The information exists — it's in the code itself. But without a structured map, everyone is navigating blind: developers guess, AI agents hallucinate, and architecture degrades one unreviewed change at a time.
 
 ## What Codegraph Does
 
-Codegraph gives your AI a pre-built, always-current map of your entire codebase — every function, every caller, every dependency — so it stops guessing and starts knowing.
+Codegraph builds a function-level dependency graph of your entire codebase — every function, every caller, every dependency — and keeps it current with sub-second incremental rebuilds.
+
+It parses your code with [tree-sitter](https://tree-sitter.github.io/) (native Rust or WASM), stores the graph in SQLite, and gives you multiple ways to consume it:
+
+- **CLI** — developers explore, query, and audit their code from the terminal
+- **MCP server** — AI agents query the graph directly through 30 tools
+- **CI gates** — `check` and `manifesto` commands enforce quality thresholds with exit codes
+- **Programmatic API** — embed codegraph in your own tools via `npm install`
 
-It parses your code with [tree-sitter](https://tree-sitter.github.io/) (native Rust or WASM), builds a function-level dependency graph in SQLite, and keeps it current with sub-second incremental rebuilds. Your AI gets answers like _"this function has 14 callers across 9 files"_ instantly, instead of spending 30 tool calls to maybe discover half of them.
+Instead of 30 tool calls to maybe discover half your dependencies, you get _"this function has 14 callers across 9 files"_ instantly. Instead of hoping architecture rules are followed, you enforce them. Instead of finding breakage in production, `diff-impact --staged` catches it before you commit.
 
 **Free. Open source. Fully local.** Zero network calls, zero telemetry. Your code stays on your machine. When you want deeper intelligence, bring your own LLM provider — your code only goes where you choose to send it.
 
@@ -55,21 +60,22 @@ cd your-project
 codegraph build
 ```
 
-That's it. No config files, no Docker, no JVM, no API keys, no accounts. The graph is ready to query. Add `codegraph mcp` to your AI agent's config and it has full access to your dependency graph through 30 MCP tools (31 in multi-repo mode).
+That's it. No config files, no Docker, no JVM, no API keys, no accounts. The graph is ready to query.
 
 ### Why it matters
 
-| Without codegraph | With codegraph |
-|---|---|
-| AI spends 20+ tool calls per session re-discovering your code structure | AI gets full dependency context in one call |
-| Modifies `parseConfig()` without knowing 9 files import it | `fn-impact parseConfig` shows every caller before the edit |
-| Hallucinates that `auth.js` imports from `db.js` | `deps src/auth.js` shows the real import graph |
-| After `/clear`, starts from scratch | Graph persists — next session picks up where this one left off |
-| Suggests renaming a function, breaks 14 call sites silently | `diff-impact --staged` catches the breakage before you commit |
+| | Without codegraph | With codegraph |
+|---|---|---|
+| **AI agents** | Spend 20+ tool calls per session re-discovering code structure | Get full dependency context in one MCP call |
+| **AI agents** | Modify `parseConfig()` without knowing 9 files import it | `fn-impact parseConfig` shows every caller before the edit |
+| **Developers** | Inherit a codebase and grep for hours to understand what calls what | `context handleAuth -T` gives source, deps, callers, and tests in one command |
+| **Developers** | Rename a function, break 14 call sites silently | `diff-impact --staged` catches breakage before you commit |
+| **CI pipelines** | Catch test failures but miss structural degradation | `check --staged` fails the build when blast radius or complexity thresholds are exceeded |
+| **Architects** | Draw boundary rules that erode within weeks | `manifesto` and `boundaries` enforce architecture rules on every commit |
 
 ### Feature comparison
 
-<sub>Comparison last verified: March 2026. Full analysis: <a href="generated/COMPETITIVE_ANALYSIS.md">COMPETITIVE_ANALYSIS.md</a></sub>
+<sub>Comparison last verified: March 2026. Full analysis: <a href="generated/competitive/COMPETITIVE_ANALYSIS.md">COMPETITIVE_ANALYSIS.md</a></sub>
 
 | Capability | codegraph | [joern](https://github.com/joernio/joern) | [narsil-mcp](https://github.com/postrv/narsil-mcp) | [code-graph-rag](https://github.com/vitali87/code-graph-rag) | [cpg](https://github.com/Fraunhofer-AISEC/cpg) | [GitNexus](https://github.com/abhigyanpatwari/GitNexus) | [CodeMCP](https://github.com/SimplyLiz/CodeMCP) | [axon](https://github.com/harshkedia177/axon) |
 |---|:---:|:---:|:---:|:---:|:---:|:---:|:---:|:---:|
@@ -94,6 +100,12 @@ That's it. No config files, no Docker, no JVM, no API keys, no accounts. The gra
 | Zero config | **Yes** | — | **Yes** | — | — | **Yes** | — | **Yes** |
 | Embeddable JS library (`npm install`) | **Yes** | — | — | — | — | — | — | — |
 | LLM-optional (works without API keys) | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** |
+| Dataflow analysis | **Yes** | **Yes** | — | — | **Yes** | — | — | — |
+| Control flow graph (CFG) | **Yes** | **Yes** | — | — | **Yes** | — | — | — |
+| AST node querying | **Yes** | **Yes** | — | — | **Yes** | — | — | — |
+| Expanded node/edge types | **Yes** | **Yes** | — | — | **Yes** | — | — | — |
+| GraphML / Neo4j export | **Yes** | **Yes** | — | — | — | — | — | — |
+| Interactive graph viewer | **Yes** | — | — | — | — | — | — | — |
 | Commercial use allowed | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | No | Paid | **Yes** |
 | Open source | **Yes** | Yes | Yes | Yes | Yes | No | No | Yes |
 
@@ -109,6 +121,7 @@ That's it. No config files, no Docker, no JVM, no API keys, no accounts. The gra
 | **🌐** | **Multi-language, one CLI** | JS/TS + Python + Go + Rust + Java + C# + PHP + Ruby + HCL in a single graph |
 | **💥** | **Git diff impact** | `codegraph diff-impact` shows changed functions, their callers, and full blast radius — enriched with historically coupled files from git co-change analysis. Ships with a GitHub Actions workflow |
 | **🧠** | **Hybrid search** | BM25 keyword + semantic embeddings fused via RRF — `hybrid` (default), `semantic`, or `keyword` mode; multi-query via `"auth; token; JWT"` |
+| **🔬** | **Dataflow + CFG** | Track how data flows through functions (`flows_to`, `returns`, `mutates`) and visualize intraprocedural control flow graphs for all 11 languages |
 
 ---
 
@@ -169,7 +182,7 @@ Full agent setup: [AI Agent Guide](docs/guides/ai-agent-guide.md) &middot; [CLAU
 | 📁 | **File dependencies** | See what a file imports and what imports it |
 | 💥 | **Impact analysis** | Trace every file affected by a change (transitive) |
 | 🧬 | **Function-level tracing** | Call chains, caller trees, function-level impact, and A→B pathfinding with qualified call resolution |
-| 🎯 | **Deep context** | `context` gives AI agents source, deps, callers, signature, and tests for a function in one call; `explain` gives structural summaries of files or functions |
+| 🎯 | **Deep context** | `context` gives AI agents source, deps, callers, signature, and tests for a function in one call; `audit --quick` gives structural summaries of files or functions |
 | 📍 | **Fast lookup** | `where` shows exactly where a symbol is defined and used — minimal, fast |
 | 📊 | **Diff impact** | Parse `git diff`, find overlapping functions, trace their callers |
 | 🔗 | **Co-change analysis** | Analyze git history for files that always change together — surfaces hidden coupling the static graph can't see; enriches `diff-impact` with historically coupled files |
@@ -177,14 +190,14 @@ Full agent setup: [AI Agent Guide](docs/guides/ai-agent-guide.md) &middot; [CLAU
 | 🏗️ | **Structure & hotspots** | Directory cohesion scores, fan-in/fan-out hotspot detection, module boundaries |
 | 🏷️ | **Node role classification** | Every symbol auto-tagged as `entry`/`core`/`utility`/`adapter`/`dead`/`leaf` based on connectivity patterns — agents instantly know architectural role |
 | 🔄 | **Cycle detection** | Find circular dependencies at file or function level |
-| 📤 | **Export** | DOT (Graphviz), Mermaid, and JSON graph export |
+| 📤 | **Export** | DOT, Mermaid, JSON, GraphML, GraphSON, and Neo4j CSV graph export |
 | 🧠 | **Semantic search** | Embeddings-powered natural language search with multi-query RRF ranking |
 | 👀 | **Watch mode** | Incrementally update the graph as files change |
 | 🤖 | **MCP server** | 30-tool MCP server for AI assistants; single-repo by default, opt-in multi-repo |
 | ⚡ | **Always fresh** | Three-tier incremental detection — sub-second rebuilds even on large codebases |
 | 🧮 | **Complexity metrics** | Cognitive, cyclomatic, nesting depth, Halstead, and Maintainability Index per function |
 | 🏘️ | **Community detection** | Louvain clustering to discover natural module boundaries and architectural drift |
-| 📜 | **Manifesto rule engine** | Configurable pass/fail rules with warn/fail thresholds for CI gates (exit code 1 on fail) |
+| 📜 | **Manifesto rule engine** | Configurable pass/fail rules with warn/fail thresholds for CI gates via `check` (exit code 1 on fail) |
 | 👥 | **CODEOWNERS integration** | Map graph nodes to CODEOWNERS entries — see who owns each function, ownership boundaries in `diff-impact` |
 | 💾 | **Graph snapshots** | `snapshot save`/`restore` for instant DB backup and rollback — checkpoint before refactoring, restore without rebuilding |
 | 🔎 | **Hybrid BM25 + semantic search** | FTS5 keyword search + embedding-based semantic search fused via Reciprocal Rank Fusion — `hybrid`, `semantic`, or `keyword` modes |
@@ -195,6 +208,13 @@ Full agent setup: [AI Agent Guide](docs/guides/ai-agent-guide.md) &middot; [CLAU
 | 📋 | **Composite audit** | Single `audit` command combining explain + impact + health metrics per function — one call instead of 3-4 |
 | 🚦 | **Triage queue** | `triage` merges connectivity, hotspots, roles, and complexity into a ranked audit priority queue |
 | 📦 | **Batch querying** | Accept a list of targets and return all results in one JSON payload — enables multi-agent parallel dispatch |
+| 🔬 | **Dataflow analysis** | Track how data moves through functions with `flows_to`, `returns`, and `mutates` edges — opt-in via `build --dataflow` (JS/TS) |
+| 🧩 | **Control flow graph** | Intraprocedural CFG construction for all 11 languages — `cfg` command with text/DOT/Mermaid output, opt-in via `build --cfg` |
+| 🔎 | **AST node querying** | Stored queryable AST nodes (calls, `new`, string, regex, throw, await) — `ast` command with SQL GLOB pattern matching |
+| 🧬 | **Expanded node/edge types** | `parameter`, `property`, `constant` node kinds with `parent_id` for sub-declaration queries; `contains`, `parameter_of`, `receiver` edge kinds |
+| 📊 | **Exports analysis** | `exports <file>` shows all exported symbols with per-symbol consumers, re-export detection, and counts |
+| 📈 | **Interactive viewer** | `codegraph plot` generates an interactive HTML graph viewer with hierarchical/force/radial layouts, complexity overlays, and drill-down |
+| 🏷️ | **Stable JSON schema** | `normalizeSymbol` utility ensures consistent 7-field output (name, kind, file, line, endLine, role, fileHash) across all commands |
 
 See [docs/examples](docs/examples) for real-world CLI and MCP usage examples.
 
@@ -222,6 +242,8 @@ codegraph stats                # Graph health: nodes, edges, languages, quality
 codegraph roles                # Node role classification (entry, core, utility, adapter, dead, leaf)
 codegraph roles --role dead -T # Find dead code (unreferenced, non-exported symbols)
 codegraph roles --role core --file src/  # Core symbols in src/
+codegraph exports src/queries.js  # Per-symbol consumer analysis (who calls each export)
+codegraph children <name>         # List parameters, properties, constants of a symbol
 ```
 
 ### Deep Context (AI-Optimized)
@@ -229,20 +251,20 @@ codegraph roles --role core --file src/  # Core symbols in src/
 ```bash
 codegraph context <name>       # Full context: source, deps, callers, signature, tests
 codegraph context <name> --depth 2 --no-tests  # Include callee source 2 levels deep
-codegraph explain <file>       # Structural summary: public API, internals, data flow
-codegraph explain <function>   # Function summary: signature, calls, callers, tests
+codegraph audit <file> --quick    # Structural summary: public API, internals, data flow
+codegraph audit <function> --quick  # Function summary: signature, calls, callers, tests
 ```
 
 ### Impact Analysis
 
 ```bash
 codegraph impact <file>        # Transitive reverse dependency trace
-codegraph fn <name>            # Function-level: callers, callees, call chain
-codegraph fn <name> --no-tests --depth 5
+codegraph query <name>         # Function-level: callers, callees, call chain
+codegraph query <name> --no-tests --depth 5
 codegraph fn-impact <name>     # What functions break if this one changes
-codegraph path <from> <to>     # Shortest path between two symbols (A calls...calls B)
+codegraph path <from> <to>            # Shortest path between two symbols (A calls...calls B)
 codegraph path <from> <to> --reverse  # Follow edges backward
-codegraph path <from> <to> --max-depth 5 --kinds calls,imports
+codegraph path <from> <to> --depth 5 --kinds calls,imports
 codegraph diff-impact          # Impact of unstaged git changes
 codegraph diff-impact --staged # Impact of staged changes
 codegraph diff-impact HEAD~3   # Impact vs a specific ref
@@ -273,8 +295,8 @@ Co-change data also enriches `diff-impact` — historically coupled files appear
 
 ```bash
 codegraph structure            # Directory overview with cohesion scores
-codegraph hotspots             # Files with extreme fan-in, fan-out, or density
-codegraph hotspots --metric coupling --level directory --no-tests
+codegraph triage --level file  # Files with extreme fan-in, fan-out, or density
+codegraph triage --level directory --sort coupling --no-tests
 ```
 
 ### Code Health & Architecture
@@ -287,19 +309,38 @@ codegraph complexity --above-threshold -T  # Only functions exceeding warn thres
 codegraph communities             # Louvain community detection — natural module boundaries
 codegraph communities --drift -T  # Drift analysis only — split/merge candidates
 codegraph communities --functions # Function-level community detection
-codegraph manifesto               # Pass/fail rule engine (exit code 1 on fail)
-codegraph manifesto -T            # Exclude test files from rule evaluation
+codegraph check                   # Pass/fail rule engine (exit code 1 on fail)
+codegraph check -T                # Exclude test files from rule evaluation
 ```
 
+### Dataflow, CFG & AST
+
+```bash
+codegraph dataflow <name>             # Data flow edges for a function (flows_to, returns, mutates)
+codegraph dataflow <name> --impact    # Transitive data-dependent blast radius
+codegraph cfg <name>                  # Control flow graph (text format)
+codegraph cfg <name> --format dot     # CFG as Graphviz DOT
+codegraph cfg <name> --format mermaid # CFG as Mermaid diagram
+codegraph ast                         # List all stored AST nodes
+codegraph ast "handleAuth"            # Search AST nodes by pattern (GLOB)
+codegraph ast -k call                 # Filter by kind: call, new, string, regex, throw, await
+codegraph ast -k throw --file src/    # Combine kind and file filters
+```
+
+> **Note:** Dataflow requires `codegraph build --dataflow` (JS/TS only). CFG requires `codegraph build --cfg`. Both are opt-in to keep default builds fast.
+
 ### Audit, Triage & Batch
 
 Composite commands for risk-driven workflows and multi-agent dispatch.
 
 ```bash
-codegraph audit <file-or-function>    # Combined explain + impact + health in one report
+codegraph audit <file-or-function>    # Combined structural summary + impact + health in one report
+codegraph audit <target> --quick      # Structural summary only (skip impact and health)
 codegraph audit src/queries.js -T     # Audit all functions in a file
 codegraph triage                      # Ranked audit priority queue (connectivity + hotspots + roles)
 codegraph triage -T --limit 20        # Top 20 riskiest functions, excluding tests
+codegraph triage --level file -T      # File-level hotspot analysis
+codegraph triage --level directory -T # Directory-level hotspot analysis
 codegraph batch target1 target2 ...   # Batch query multiple targets in one call
 codegraph batch --json targets.json   # Batch from a JSON file
 ```
@@ -309,7 +350,9 @@ codegraph batch --json targets.json   # Batch from a JSON file
 `codegraph check` provides configurable pass/fail predicates for CI gates and state machines. Exit code 0 = pass, 1 = fail.
 
 ```bash
-codegraph check --staged                    # Check staged changes
+codegraph check                             # Run manifesto rules on whole codebase
+codegraph check --staged                    # Check staged changes (diff predicates)
+codegraph check --staged --rules            # Run both diff predicates AND manifesto rules
 codegraph check --no-new-cycles             # Fail if staged changes introduce cycles
 codegraph check --max-complexity 30         # Fail if any function exceeds complexity threshold
 codegraph check --max-blast-radius 50       # Fail if blast radius exceeds limit
@@ -347,7 +390,11 @@ codegraph snapshot delete before-refactor   # Delete a snapshot
 codegraph export -f dot        # Graphviz DOT format
 codegraph export -f mermaid    # Mermaid diagram
 codegraph export -f json       # JSON graph
+codegraph export -f graphml    # GraphML (XML standard)
+codegraph export -f graphson   # GraphSON (TinkerPop v3 / Gremlin)
+codegraph export -f neo4j      # Neo4j CSV (bulk import, separate nodes/relationships files)
 codegraph export --functions -o graph.dot  # Function-level, write to file
+codegraph plot                 # Interactive HTML viewer with force/hierarchical/radial layouts
 codegraph cycles               # Detect circular dependencies
 codegraph cycles --functions   # Function-level cycles
 ```
@@ -413,12 +460,12 @@ codegraph registry remove <name>  # Unregister
 | Flag | Description |
 |---|---|
 | `-d, --db <path>` | Custom path to `graph.db` |
-| `-T, --no-tests` | Exclude `.test.`, `.spec.`, `__test__` files (available on `fn`, `fn-impact`, `path`, `context`, `explain`, `where`, `diff-impact`, `search`, `map`, `hotspots`, `roles`, `co-change`, `deps`, `impact`, `complexity`, `communities`, `manifesto`, `branch-compare`, `audit`, `triage`, `check`) |
+| `-T, --no-tests` | Exclude `.test.`, `.spec.`, `__test__` files (available on most query commands including `query`, `fn-impact`, `path`, `context`, `where`, `diff-impact`, `search`, `map`, `roles`, `co-change`, `deps`, `impact`, `complexity`, `communities`, `branch-compare`, `audit`, `triage`, `check`, `dataflow`, `cfg`, `ast`, `exports`, `children`) |
 | `--depth <n>` | Transitive trace depth (default varies by command) |
 | `-j, --json` | Output as JSON |
 | `-v, --verbose` | Enable debug output |
 | `--engine <engine>` | Parser engine: `native`, `wasm`, or `auto` (default: `auto`) |
-| `-k, --kind <kind>` | Filter by kind: `function`, `method`, `class`, `struct`, `enum`, `trait`, `record`, `module` (`fn`, `context`, `search`) |
+| `-k, --kind <kind>` | Filter by kind: `function`, `method`, `class`, `interface`, `type`, `struct`, `enum`, `trait`, `record`, `module`, `parameter`, `property`, `constant` |
 | `-f, --file <path>` | Scope to a specific file (`fn`, `context`, `where`) |
 | `--mode <mode>` | Search mode: `hybrid` (default), `semantic`, or `keyword` (`search`) |
 | `--ndjson` | Output as newline-delimited JSON (one object per line) |
@@ -456,10 +503,11 @@ codegraph registry remove <name>  # Unregister
 ```
 
 1. **Parse** — tree-sitter parses every source file into an AST (native Rust engine or WASM fallback)
-2. **Extract** — Functions, classes, methods, interfaces, imports, exports, and call sites are extracted
+2. **Extract** — Functions, classes, methods, interfaces, imports, exports, call sites, parameters, properties, and constants are extracted
 3. **Resolve** — Imports are resolved to actual files (handles ESM conventions, `tsconfig.json` path aliases, `baseUrl`)
-4. **Store** — Everything goes into SQLite as nodes + edges with tree-sitter node boundaries
-5. **Query** — All queries run locally against the SQLite DB — typically under 100ms
+4. **Store** — Everything goes into SQLite as nodes + edges with tree-sitter node boundaries, plus structural edges (`contains`, `parameter_of`, `receiver`)
+5. **Analyze** (opt-in) — Complexity metrics, control flow graphs (`--cfg`), dataflow edges (`--dataflow`), and AST node storage
+6. **Query** — All queries run locally against the SQLite DB — typically under 100ms
 
 ### Incremental Rebuilds
 
@@ -505,12 +553,12 @@ Self-measured on every release via CI ([build benchmarks](generated/benchmarks/B
 | Metric | Latest |
 |---|---|
 | Build speed (native) | **1.9 ms/file** |
-| Build speed (WASM) | **7.8 ms/file** |
-| Query time | **2ms** |
-| No-op rebuild (native) | **3ms** |
-| 1-file rebuild (native) | **93ms** |
-| Query: fn-deps | **1.8ms** |
-| Query: path | **1ms** |
+| Build speed (WASM) | **8.3 ms/file** |
+| Query time | **3ms** |
+| No-op rebuild (native) | **4ms** |
+| 1-file rebuild (native) | **124ms** |
+| Query: fn-deps | **1.4ms** |
+| Query: path | **1.4ms** |
 | ~50,000 files (est.) | **~95.0s build** |
 
 Metrics are normalized per file for cross-version comparability. Times above are for a full initial build — incremental rebuilds only re-parse changed files.
@@ -556,7 +604,7 @@ This project uses codegraph. The database is at `.codegraph/graph.db`.
 
 ### Before modifying code, always:
 1. `codegraph where <name>` — find where the symbol lives
-2. `codegraph explain <file-or-function>` — understand the structure
+2. `codegraph audit <file-or-function> --quick` — understand the structure
 3. `codegraph context <name> -T` — get full context (source, deps, callers)
 4. `codegraph fn-impact <name> -T` — check blast radius before editing
 
@@ -566,7 +614,7 @@ This project uses codegraph. The database is at `.codegraph/graph.db`.
 ### Other useful commands
 - `codegraph build .` — rebuild the graph (incremental by default)
 - `codegraph map` — module overview
-- `codegraph fn <name> -T` — function call chain
+- `codegraph query <name> -T` — function call chain (callers + callees)
 - `codegraph path <from> <to> -T` — shortest call path between two symbols
 - `codegraph deps <file>` — file-level dependencies
 - `codegraph roles --role dead -T` — find dead code (unreferenced symbols)
@@ -574,14 +622,21 @@ This project uses codegraph. The database is at `.codegraph/graph.db`.
 - `codegraph co-change <file>` — files that historically change together
 - `codegraph complexity -T` — per-function complexity metrics (cognitive, cyclomatic, MI)
 - `codegraph communities --drift -T` — module boundary drift analysis
-- `codegraph manifesto -T` — pass/fail rule check (CI gate, exit code 1 on fail)
-- `codegraph audit <target> -T` — combined explain + impact + health in one report
+- `codegraph check -T` — pass/fail rule check (CI gate, exit code 1 on fail)
+- `codegraph audit <target> -T` — combined structural summary + impact + health in one report
 - `codegraph triage -T` — ranked audit priority queue
+- `codegraph triage --level file -T` — file-level hotspot analysis
 - `codegraph check --staged` — CI validation predicates (exit code 0/1)
 - `codegraph batch target1 target2` — batch query multiple targets at once
 - `codegraph owners [target]` — CODEOWNERS mapping for symbols
 - `codegraph snapshot save <name>` — checkpoint the graph DB before refactoring
 - `codegraph branch-compare main HEAD -T` — structural diff between two refs (added/removed/changed symbols)
+- `codegraph exports <file>` — per-symbol consumer analysis (who calls each export)
+- `codegraph children <name>` — list parameters, properties, constants of a symbol
+- `codegraph dataflow <name>` — data flow edges (flows_to, returns, mutates)
+- `codegraph cfg <name>` — intraprocedural control flow graph
+- `codegraph ast <pattern>` — search stored AST nodes (calls, new, string, regex, throw, await)
+- `codegraph plot` — interactive HTML dependency graph viewer
 - `codegraph search "<query>"` — hybrid search (requires `codegraph embed`)
 - `codegraph search "<query>" --mode keyword` — BM25 keyword search
 - `codegraph cycles` — check for circular dependencies
@@ -665,7 +720,7 @@ Create a `.codegraphrc.json` in your project root to customize behavior:
 
 ### Manifesto rules
 
-Configure pass/fail thresholds for `codegraph manifesto`:
+Configure pass/fail thresholds for `codegraph check` (manifesto mode):
 
 ```json
 {
@@ -681,7 +736,7 @@ Configure pass/fail thresholds for `codegraph manifesto`:
 }
 ```
 
-When any function exceeds a `fail` threshold, `codegraph manifesto` exits with code 1 — perfect for CI gates.
+When any function exceeds a `fail` threshold, `codegraph check` exits with code 1 — perfect for CI gates.
 
 ### LLM credentials
 
@@ -705,13 +760,14 @@ Works with any secret manager: 1Password CLI (`op`), Bitwarden (`bw`), `pass`, H
 Codegraph also exports a full API for use in your own tools:
 
 ```js
-import { buildGraph, queryNameData, findCycles, exportDOT } from '@optave/codegraph';
+import { buildGraph, queryNameData, findCycles, exportDOT, normalizeSymbol } from '@optave/codegraph';
 
 // Build the graph
 buildGraph('/path/to/project');
 
 // Query programmatically
 const results = queryNameData('myFunction', '/path/to/.codegraph/graph.db');
+// All query results use normalizeSymbol for a stable 7-field schema
 ```
 
 ```js
@@ -748,6 +804,7 @@ const { results: fused } = await multiSearchData(
 - **No full type inference** — parses `.d.ts` interfaces but doesn't use TypeScript's type checker for overload resolution
 - **Dynamic calls are best-effort** — complex computed property access and `eval` patterns are not resolved
 - **Python imports** — resolves relative imports but doesn't follow `sys.path` or virtual environment packages
+- **Dataflow analysis** — currently JS/TS only; intraprocedural (single-function scope), not interprocedural
 
 ## 🗺️ Roadmap
 
@@ -755,12 +812,12 @@ See **[ROADMAP.md](docs/roadmap/ROADMAP.md)** for the full development roadmap a
 
 1. ~~**Rust Core**~~ — **Complete** (v1.3.0) — native tree-sitter parsing via napi-rs, parallel multi-core parsing, incremental re-parsing, import resolution & cycle detection in Rust
 2. ~~**Foundation Hardening**~~ — **Complete** (v1.4.0) — parser registry, 12-tool MCP server with multi-repo support, test coverage 62%→75%, `apiKeyCommand` secret resolution, global repo registry
-3. **Architectural Refactoring** — parser plugin system, repository pattern, pipeline builder, engine strategy, domain errors, curated API
-4. **Intelligent Embeddings** — LLM-generated descriptions, hybrid search
+3. ~~**Deep Analysis**~~ — **Complete** (v3.0.0) — dataflow analysis (flows_to, returns, mutates), intraprocedural CFG for all 11 languages, stored AST nodes, expanded node/edge types (parameter, property, constant, contains, parameter_of, receiver), GraphML/GraphSON/Neo4j CSV export, interactive HTML viewer, CLI consolidation, stable JSON schema
+4. **Architectural Refactoring** — parser plugin system, repository pattern, pipeline builder, engine strategy, domain errors, curated API
 5. **Natural Language Queries** — `codegraph ask` command, conversational sessions
 6. **Expanded Language Support** — 8 new languages (12 → 20)
 7. **GitHub Integration & CI** — reusable GitHub Action, PR review, SARIF output
-8. **Visualization & Advanced** — web UI, monorepo support, agentic search
+8. **TypeScript Migration** — gradual migration from JS to TypeScript
 
 ## 🤝 Contributing
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@optave/codegraph",
-  "version": "2.6.0",
+  "version": "3.0.0",
   "description": "Local code graph CLI — parse codebases with tree-sitter, build dependency graphs, query them",
   "type": "module",
   "main": "src/index.js",
@@ -71,10 +71,10 @@
   },
   "optionalDependencies": {
     "@modelcontextprotocol/sdk": "^1.0.0",
-    "@optave/codegraph-darwin-arm64": "2.6.0",
-    "@optave/codegraph-darwin-x64": "2.6.0",
-    "@optave/codegraph-linux-x64-gnu": "2.6.0",
-    "@optave/codegraph-win32-x64-msvc": "2.6.0"
+    "@optave/codegraph-darwin-arm64": "3.0.0",
+    "@optave/codegraph-darwin-x64": "3.0.0",
+    "@optave/codegraph-linux-x64-gnu": "3.0.0",
+    "@optave/codegraph-win32-x64-msvc": "3.0.0"
   },
   "devDependencies": {
     "@biomejs/biome": "^2.4.4",