@sdsrs/code-graph 0.47.1 → 0.49.0

package/claude-plugin/.claude-plugin/plugin.json

@@ -4,7 +4,7 @@
   "author": {
     "name": "sdsrs"
   },
-  "version": "0.47.1",
+  "version": "0.49.0",
   "keywords": [
     "code-graph",
     "ast",

package/claude-plugin/scripts/adopt.js

@@ -45,8 +45,8 @@ const INDEX_LINE =
   '- [code-graph-mcp](plugin_code_graph_mcp.md) ' +
   '[impact-analysis, callgraph, find-references, module-overview, semantic-search, ast-search, dead-code, find-similar-code, dependency-graph, trace-http-chain] — ' +
   '改 X 影响面/谁调用 X/X 被谁用/看 X 源码/Y 模块长啥样/概念查询 优先于 Grep；字面匹配走 Grep。' +
-  '核心 7（get_call_graph/module_overview/semantic_code_search/ast_search/find_references/get_ast_node/project_map）' +
-  '+ 进阶 5（impact_analysis/trace_http_chain/dependency_graph/find_similar_code/find_dead_code），决策表见全文';
+  'Bash 直呼 CLI 最快（零加载）：`code-graph-mcp callgraph X / show X / overview <dir> / grep "pat" / impact X`；' +
+  'MCP 核心 7（get_call_graph/module_overview/semantic_code_search/ast_search/find_references/get_ast_node/project_map），决策表见全文';
 
 // memdir L1 升格 (per sdscc 重构方案 §5.0): the INDEX_LINE that lands in
 // MEMORY.md is what Claude sees first on every keyword match. Tailoring it
@@ -234,9 +234,12 @@ function detectProjectType(cwd = process.cwd(), env = process.env) {
 // most for THIS project.
 function buildIndexLine(projectType = 'generic') {
   const prefix = '- [code-graph-mcp](plugin_code_graph_mcp.md) ';
+  // v0.49 — CLI form leads: in Claude Code the MCP tools are deferred (need a
+  // ToolSearch load before first call) while Bash is always live; the only
+  // conversions observed in real coding nights were CLI invocations.
   const coreSuffix =
-    '核心 7（get_call_graph/module_overview/semantic_code_search/ast_search/find_references/get_ast_node/project_map）' +
-    '+ 进阶 5（impact_analysis/trace_http_chain/dependency_graph/find_similar_code/find_dead_code），决策表见全文';
+    'Bash 直呼 CLI 最快（零加载）：`code-graph-mcp callgraph X / show X / overview <dir> / grep "pat" / impact X`；' +
+    'MCP 核心 7（get_call_graph/module_overview/semantic_code_search/ast_search/find_references/get_ast_node/project_map），决策表见全文';
   switch (projectType) {
     case 'web-rs':
     case 'web-node':

package/claude-plugin/scripts/cg-answer.js

@@ -48,6 +48,24 @@ function truncateAtLine(text, maxBytes) {
   return { text: buf.subarray(0, maxBytes).toString('latin1'), truncated: true };
 }
 
+/**
+ * v0.48 — drop glob segments from a search path. The hook extracts path tokens
+ * verbatim from the denied command, and spawnSync runs WITHOUT a shell, so a
+ * literal `backend/…/llm_engine/*.py` reaches rg as a nonexistent file →
+ * exit 1 → `unavailable` → static deny with no answer (daagu 2026-06-11: the
+ * night's only deny failed exactly this way). Truncate at the first segment
+ * containing a glob metacharacter; widening the scope to the parent dir is
+ * always safe. A leading glob (`*.py`) drops the scope entirely (repo-wide).
+ */
+function sanitizeSearchPath(searchPath) {
+  if (!searchPath || typeof searchPath !== 'string') return undefined;
+  const segs = searchPath.split('/');
+  const i = segs.findIndex((s) => /[*?[\]{}]/.test(s));
+  if (i === -1) return searchPath;
+  const kept = segs.slice(0, i).join('/');
+  return kept || undefined;
+}
+
 /**
  * Run `code-graph-mcp grep <pattern> [searchPath]` synchronously.
  *
@@ -81,14 +99,20 @@ function runGrepAnswer(opts = {}) {
     }
     if (!binary) return { status: 'unavailable' };
 
+    // Defensive re-sanitize: callers should pass a clean path, but a glob
+    // reaching argv is a guaranteed nonzero exit (see sanitizeSearchPath).
+    const scope = sanitizeSearchPath(searchPath);
     const args = ['grep', pattern];
-    if (searchPath) args.push(searchPath);
+    if (scope) args.push(scope);
     const res = spawnSync(binary, args, {
       cwd,
       timeout: timeoutMs,
       encoding: 'utf8',
       maxBuffer: 4 * 1024 * 1024,
       stdio: ['ignore', 'pipe', 'ignore'],
+      // Hook-internal run: a delivered answer, not a model-initiated conversion.
+      // The CLI skips its recommendations.jsonl `use` record when this is set.
+      env: { ...process.env, CODE_GRAPH_INTERNAL: '1' },
     });
     if (res.error || res.signal || res.status !== 0) {
       return { status: 'unavailable' };
@@ -104,4 +128,95 @@ function runGrepAnswer(opts = {}) {
   }
 }
 
-module.exports = { runGrepAnswer, truncateAtLine };
+/**
+ * v0.49 — Run `code-graph-mcp show <symbol>` for up to 3 declaration symbols
+ * and concatenate the bodies. Powers the show-mode deny (declaration-anchor +
+ * context-flag greps: the model wants to READ the functions, so hand it the
+ * functions). Same bounded/best-effort posture as runGrepAnswer; symbols that
+ * fail to resolve are skipped, all-fail → no-hits (caller falls back to grep).
+ */
+function runShowAnswer(opts = {}) {
+  const {
+    cwd,
+    symbols,
+    timeoutMs = DEFAULT_TIMEOUT_MS,
+    maxBytes = DEFAULT_MAX_BYTES,
+  } = opts;
+  try {
+    if (!Array.isArray(symbols) || symbols.length === 0) {
+      return { status: 'unavailable' };
+    }
+    let binary = opts.binary;
+    if (binary === undefined) {
+      binary = process.env._CG_ANSWER_BINARY || require('./find-binary').findBinary();
+    }
+    if (!binary) return { status: 'unavailable' };
+
+    const parts = [];
+    for (const sym of symbols.slice(0, 3)) {
+      if (typeof sym !== 'string' || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(sym)) continue;
+      const res = spawnSync(binary, ['show', sym], {
+        cwd,
+        timeout: timeoutMs,
+        encoding: 'utf8',
+        maxBuffer: 4 * 1024 * 1024,
+        stdio: ['ignore', 'pipe', 'ignore'],
+        env: { ...process.env, CODE_GRAPH_INTERNAL: '1' },
+      });
+      if (res.error || res.signal || res.status !== 0) continue;
+      const out = (res.stdout || '').trim();
+      if (!out || out.startsWith(NO_MATCH_PREFIX)) continue;
+      parts.push(`$ code-graph-mcp show ${sym}\n${out}`);
+    }
+    if (parts.length === 0) return { status: 'no-hits' };
+    const { text, truncated } = truncateAtLine(parts.join('\n\n'), maxBytes);
+    return { status: 'hits', text, truncated };
+  } catch {
+    return { status: 'unavailable' };
+  }
+}
+
+/**
+ * v0.49 — Run `code-graph-mcp overview <dir>` for the read-fanout hint, so the
+ * hint DELIVERS the module map instead of advising a tool call (hints measured
+ * 0/40 transfer on 2026-06-12; delivered answers satisfied 5/5 in place).
+ */
+function runOverviewAnswer(opts = {}) {
+  const {
+    cwd,
+    dir,
+    timeoutMs = DEFAULT_TIMEOUT_MS,
+    maxBytes = DEFAULT_MAX_BYTES,
+  } = opts;
+  try {
+    if (!dir || typeof dir !== 'string' || dir.length > 300) {
+      return { status: 'unavailable' };
+    }
+    let binary = opts.binary;
+    if (binary === undefined) {
+      binary = process.env._CG_ANSWER_BINARY || require('./find-binary').findBinary();
+    }
+    if (!binary) return { status: 'unavailable' };
+    const res = spawnSync(binary, ['overview', dir], {
+      cwd,
+      timeout: timeoutMs,
+      encoding: 'utf8',
+      maxBuffer: 4 * 1024 * 1024,
+      stdio: ['ignore', 'pipe', 'ignore'],
+      env: { ...process.env, CODE_GRAPH_INTERNAL: '1' },
+    });
+    if (res.error || res.signal || res.status !== 0) {
+      return { status: 'unavailable' };
+    }
+    const out = (res.stdout || '').trim();
+    if (!out || out.startsWith(NO_MATCH_PREFIX)) return { status: 'no-hits' };
+    const { text, truncated } = truncateAtLine(out, maxBytes);
+    return { status: 'hits', text, truncated };
+  } catch {
+    return { status: 'unavailable' };
+  }
+}
+
+module.exports = {
+  runGrepAnswer, runShowAnswer, runOverviewAnswer, truncateAtLine, sanitizeSearchPath,
+};

package/claude-plugin/scripts/cg-answer.test.js

@@ -4,7 +4,7 @@ const assert = require('node:assert/strict');
 const fs = require('fs');
 const os = require('os');
 const path = require('path');
-const { runGrepAnswer, truncateAtLine } = require('./cg-answer');
+const { runGrepAnswer, runShowAnswer, truncateAtLine } = require('./cg-answer');
 
 // Stub "binary": a node script that reacts to its first real arg so one stub
 // covers hits / no-hits / error / timeout cases.
@@ -58,6 +58,19 @@ test('runGrepAnswer: passes grep subcommand, pattern and path as argv', () => {
   assert.match(r.text, /args=\["grep","fts5_search","src\/storage\/"\]/);
 });
 
+test('runGrepAnswer: child env carries CODE_GRAPH_INTERNAL=1 (not a funnel conversion)', () => {
+  // Stub variant that echoes the marker back in its output.
+  const envStub = path.join(stubDir, 'cg-env-stub.js');
+  fs.writeFileSync(envStub, `#!/usr/bin/env node
+process.stdout.write('internal=' + (process.env.CODE_GRAPH_INTERNAL || '') + '\\n');
+`);
+  fs.chmodSync(envStub, 0o755);
+  const r = runGrepAnswer({ cwd: stubDir, pattern: 'whatever', binary: envStub });
+  assert.equal(r.status, 'hits');
+  assert.match(r.text, /internal=1/,
+    'hook-internal CLI runs must be marked so record_cli_use skips them');
+});
+
 test('runGrepAnswer: omits path argv when no searchPath', () => {
   const r = runGrepAnswer({ cwd: stubDir, pattern: 'fts5_search', binary: stubBinary() });
   assert.match(r.text, /args=\["grep","fts5_search"\]/);
@@ -133,3 +146,61 @@ test('truncateAtLine: single oversized line → hard cut', () => {
   assert.equal(truncated, true);
   assert.equal(Buffer.byteLength(text, 'utf8'), 10);
 });
+
+// ── v0.48 sanitizeSearchPath: glob args reach rg literally (no shell) ──
+
+test('sanitizeSearchPath: truncates at first glob segment (daagu denied command)', () => {
+  const { sanitizeSearchPath } = require('./cg-answer');
+  assert.equal(
+    sanitizeSearchPath('backend/app/services/llm_engine/*.py'),
+    'backend/app/services/llm_engine');
+});
+
+test('sanitizeSearchPath: clean path unchanged; leading glob drops scope; falsy → undefined', () => {
+  const { sanitizeSearchPath } = require('./cg-answer');
+  assert.equal(sanitizeSearchPath('src/storage/'), 'src/storage/');
+  assert.equal(sanitizeSearchPath('*.py'), undefined);
+  assert.equal(sanitizeSearchPath('src/**/x.rs'), 'src');
+  assert.equal(sanitizeSearchPath('src/file[1].rs'), 'src');
+  assert.equal(sanitizeSearchPath(''), undefined);
+  assert.equal(sanitizeSearchPath(undefined), undefined);
+});
+
+test('runGrepAnswer: glob searchPath is truncated before spawn (defensive layer)', () => {
+  const r = runGrepAnswer({
+    cwd: stubDir, pattern: 'fts5_search', searchPath: 'src/storage/*.rs', binary: stubBinary(),
+  });
+  assert.equal(r.status, 'hits');
+  assert.match(r.text, /args=\["grep","fts5_search","src\/storage"\]/);
+});
+
+// ── runShowAnswer (v0.49) — show-mode deny bodies ────────────────────
+
+test('runShowAnswer: concatenates per-symbol show output with $ headers', () => {
+  const r = runShowAnswer({ cwd: stubDir, symbols: ['alpha_one', 'beta_two'], binary: stubBinary() });
+  assert.equal(r.status, 'hits');
+  assert.match(r.text, /\$ code-graph-mcp show alpha_one/);
+  assert.match(r.text, /\$ code-graph-mcp show beta_two/);
+});
+
+test('runShowAnswer: skips non-identifier symbols, all-skipped → unavailable-safe no-hits', () => {
+  const r = runShowAnswer({ cwd: stubDir, symbols: ['$(rm -rf)', 'a|b'], binary: stubBinary() });
+  assert.equal(r.status, 'no-hits');
+});
+
+test('runShowAnswer: caps at 3 symbols', () => {
+  const r = runShowAnswer({
+    cwd: stubDir, symbols: ['s_one', 's_two', 's_three', 's_four'], binary: stubBinary(),
+  });
+  assert.equal(r.status, 'hits');
+  assert.doesNotMatch(r.text, /show s_four/);
+});
+
+test('runShowAnswer: empty symbol list → unavailable', () => {
+  assert.equal(runShowAnswer({ cwd: stubDir, symbols: [], binary: stubBinary() }).status, 'unavailable');
+});
+
+test('runShowAnswer: failing binary → no-hits (caller falls back to grep answer)', () => {
+  const r = runShowAnswer({ cwd: stubDir, symbols: ['ExplodePlease'], binary: stubBinary() });
+  assert.equal(r.status, 'no-hits');
+});

package/claude-plugin/scripts/pre-edit-guide.js

@@ -11,10 +11,14 @@ const fs = require('fs');
 const path = require('path');
 const { findBinary } = require('./find-binary');
 const { cgTmpDir } = require('./tmp-dir');
+const { resolveProjectRoot } = require('./project-root');
+const { recordRecommendation } = require('./recommendation-log');
 
-const cwd = process.cwd();
-const dbPath = path.join(cwd, '.code-graph', 'index.db');
-if (!fs.existsSync(dbPath)) process.exit(0);
+// v0.49 — walk up from the shell cwd (subdir-cwd fix). The per-cwd index.db
+// gate kept this hook dark for entire sessions after `cd backend/` — daagu
+// 2026-06-12: 115 edits, zero impact injections.
+const cwd = resolveProjectRoot(process.cwd());
+if (cwd === null) process.exit(0);
 
 // Resolve binary the same way the other hooks do — bare PATH lookup misses
 // npm-global installs on systems where the global bin dir isn't on PATH for
@@ -22,10 +26,15 @@ if (!fs.existsSync(dbPath)) process.exit(0);
 const binary = findBinary();
 if (!binary) process.exit(0);
 
+// Hook-internal CLI runs are deliveries, not model-initiated conversions —
+// the marker keeps them out of the recommendations.jsonl `use` funnel leg.
+const internalEnv = { ...process.env, CODE_GRAPH_INTERNAL: '1' };
+
 // --- Parse tool input ---
 let input;
 try {
-  input = JSON.parse(fs.readFileSync('/dev/stdin', 'utf8'));
+  // fd 0, not '/dev/stdin': the path form fails ENXIO on socketpair stdin.
+  input = JSON.parse(fs.readFileSync(0, 'utf8'));
 } catch { process.exit(0); }
 
 const oldStr = (input.tool_input && input.tool_input.old_string) || '';
@@ -72,6 +81,7 @@ if (!symbol || symbol.length < 3) {
         try {
           const raw = execFileSync(binary, ['grep', candidate, filePath, '--json'], {
             cwd, timeout: 2000, encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'],
+            env: internalEnv,
           });
           const grepResult = JSON.parse(raw);
           // Pick this candidate if it has few matches (precise location)
@@ -122,11 +132,14 @@ let jsonResult;
 try {
   const args = ['impact', symbol, '--json'];
   if (relFile && !relFile.startsWith('..')) args.push('--file', relFile);
-  const raw = execFileSync('code-graph-mcp', args, {
+  // v0.49 — use the resolved binary (bare 'code-graph-mcp' was PATH-dependent,
+  // diverging from the findBinary() result the rest of the hook trusts).
+  const raw = execFileSync(binary, args, {
     cwd,
     timeout: 2500,
     encoding: 'utf8',
     stdio: ['pipe', 'pipe', 'pipe'],
+    env: internalEnv,
   });
   jsonResult = JSON.parse(raw);
 } catch {
@@ -154,6 +167,9 @@ if (directCallers < 1) process.exit(0);
 // Mark cooldown
 try { fs.writeFileSync(cooldownFile, ''); } catch { /* ok */ }
 
+// Funnel visibility (v0.49): an injected impact summary is a delivered answer.
+recordRecommendation(cwd, { hook: 'edit', action: 'hint', answered: true });
+
 // --- Inject compact impact summary ---
 const routeCount = jsonResult.affected_routes || 0;
 const testCount = jsonResult.tests_affected || 0;