Releases: jununfly/ZCodeGraph
Releases · jununfly/ZCodeGraph
Release list
v0.10.2
[0.10.2] - 2026-06-30
New Features
- Source checkouts now install an explicit
zcodegraph-devdogfood command, so maintainers can test local builds across projects without taking over the releasezcodegraphcommand. zcodegraph initandzcodegraph indexnow explain degradedrust-hybridfallback health on the first screen, including whether the graph is usable, the top fallback reasons, and the exact doctor command to collect deeper diagnostics.zcodegraph doctor --engine rust-hybrid --bundlenow prints a compact local summary after creating a bundle, so maintainers can see the graph size, fallback health, and top diagnostic reasons without opening the bundle files first.zcodegraph doctor --engine rust-hybrid --bundle --jsonnow emits a parseable machine-readable summary for agents and CI while preserving the existing human-readable default output.
Fixes
- Legacy source-checkout install helpers now migrate to
zcodegraph-devinstead of linking the development checkout onto the releasezcodegraphcommand.
v0.10.1
[0.10.1] - 2026-06-29
New Features
rust-hybridindexing now locks in guarded Rust finalization for direct named TypeScript and JavaScript imports, while ambiguous bindings remain safely reported as resolver residuals. (#666)rust-hybridindexing now compares Rust-produced EventEmitter shadow candidates against the existing TypeScript heuristic graph in finalization diagnostics without changing graph output. (#665)rust-hybridindexing now reports a dynamic-dispatch heuristic edge protocol seed in finalization diagnostics, making callback and EventEmitter migration planning visible without changing graph output. (#664)rust-hybridindexing now reports a Rust-declared cleanup protocol handoff in finalization diagnostics while keeping TypeScript responsible for the existing safe cleanup execution path. (#663)rust-hybridindexing now has a cross-platform CI smoke that verifies the built CLI can run init, index, status, and doctor on Linux, macOS, and Windows before migration work reaches release. (#662)rust-hybridindexing now has a guarded Rust-side framework post-extract update protocol for NestJS RouterModule route prefixes, preserving route identity while moving the first bounded framework finalization shape toward Rust ownership. (#659, #660, #661)- Rust indexing now reports macro-related diagnostics for Rust projects, making macro definitions, invocations, attributes, and deferred macro-expanded semantics visible without adding unsafe graph edges. (#582, #583, #584, #585)
- Rust indexing now reports Cargo package and workspace diagnostics, including crate roots, local path dependencies, and deferred Cargo resolver areas, without writing unsafe cross-package graph edges. (#578, #579, #580, #581)
Fixes
- Rust-owned indexing no longer reports this repository's Rust core as a parse gap when indexing the large Rust core source file.
- CI now documents and tests the cross-platform
rust-packaged-pathjob as the required Rust indexing health gate for migration work. (#642) - The Release workflow now runs a local Linux package smoke after staging npm packages and before publishing, catching broken bundle or npm layouts without creating releases or contacting registries. (#641)
- npm packaging now fails fast if the staged platform bundles do not exactly match the Rust core release artifact contract, preventing incomplete or unexpected platform packages from being published. (#640)
- Diagnostic bundles now include replay-safe per-file classification fields and a short replay guide, so degraded
rust-hybridreports are easier to classify without exposing source paths or source slices. (#639) - Degraded
rust-hybridruns now point tozcodegraph doctor --engine rust-hybrid --bundle --last-runeven when the issue is a Rust-owned parse or extraction gap rather than a TypeScript fallback append. - Rust files now use the default
rust-hybridRust-owned indexing path for baseline structural symbols, while deeper Rust-specific semantics remain tracked separately. - Troubleshooting now tells users how to verify which
zcodegraphbinary their shell is running whendoctoror its diagnostic flags appear to be missing. - The README now distinguishes the
rust-hybridindexing engine from Rust language semantic support, so.rscoverage is described as structural indexing while deeper Rust-specific analysis is tracked separately.
v0.10.0
[0.10.0] - 2026-06-26
Breaking Changes
- The public
Subgraphtype now exposesentryNodesinstead ofroots, matching the project terminology for Entry Nodes. - Database access interfaces now use Access Model names, so TypeScript users should import
AgentAccessModel,MaintenanceAccessModel,ResolutionAccessModel, andStatusAccessModelfrom the new access-model module. - ZCodeGraph now uses a private
zcodegraphnamespace for new project indexes and MCP server configs: project data lives in.zcodegraph/zcodegraph.db, and installers write the MCP server keyzcodegraph. Existing.codegraph/indexes are no longer opened as initialized projects; runzcodegraph initto build a fresh index in the new namespace. zcodegraph initis now the clean initialization command and always builds the initial index; the historical-i/--indexflag has been removed.- Index engine selection now uses explicit
--engineflags only;ZCODEGRAPH_INDEX_ENGINEis no longer supported and now points users tozcodegraph index --engine typescript.
Security
- Closed a path-traversal hole where a symbolic link inside an indexed project that pointed outside the project root could make CodeGraph serve that out-of-root file's contents (for example a file under your home directory) to the AI agent. CodeGraph now resolves symlinks when validating file access and refuses to read anything whose real location is outside the project, while still allowing symlinks that stay within it. Thanks @sulthonzh. (#527)
- CodeGraph now indexes Spring configuration files (
application.properties/application.yml) by key only, and never includes their values incodegraph_exploreorcodegraph_nodeoutput. Previously a secret committed to one of these files — a database password, API key, or connection string with embedded credentials — could be surfaced to an AI agent that asked about nearby code, even though the agent never opened the file. The configuration keys are still indexed, so reference and impact analysis are unaffected; an agent that genuinely needs a value reads the file itself. Shopify Liquid{% schema %}blocks are likewise indexed by name only. (#383)
New Features
rust-hybridprofile output now includes shadow semantic replay diagnostics for direct named TypeScript and JavaScript imports, helping audit resolver migration without changing indexed results. (#521)rust-hybridprofile output now labels the LowerName, QualifiedName, and FileNodes candidate-fact protocol shapes with their ownership status and semantic boundary, making resolver migration work easier to audit without changing indexed results. (#520)rust-hybridindexing now owns baseline Python extraction by default, so ordinary Python files are indexed by the Rust path instead of being appended through same-language TypeScript fallback. (#485, #486, #487)rust-hybridindexing now understands repo-local TypeScript config inheritance for module resolution, including inherited paths aliases, rootDirs, and safer package-map behavior for classic module resolution. (#447, #448, #449)rust-hybridindexing now follows repo-local packageexportsandimportscondition order more closely, includingtypes, CommonJSrequire, and configured custom conditions. (#451, #452, #453)rust-hybridindexing now resolves extensionless repo-local imports through modern TypeScript source extensions such as.mtsand.cts, while keeping config/data files out of graph-edge candidates. (#455, #456, #457)rust-hybridindexing now resolves explicit JavaScript runtime extensions to matching TypeScript source files, so imports like./thing.jscan link tothing.tsorthing.tsxwhen that is how the project is authored. (#446)- Programmatic SDK full indexing now uses the same
rust-hybriddefault as the CLI, while still offering explicittypescriptandrustengine choices for compatibility and debugging. (#263) zcodegraph_explorenow handles Gin-styleMETHOD /pathroute questions more directly, surfacing the matched route and handler in one response for first-user Go projects. (#281)- The first-user
rust-hybridrelease path now has refreshed pre-release docs, troubleshooting, smoke evidence, and README-backed Agent Sufficiency validation for TypeScript/JavaScript and Go. rust-hybridindexing now safely falls back to the TypeScript indexer for individual Rust-owned files that hit a Rust parse gap, marks the run as degraded, and records privacy-preserving diagnostics for replayable bug reports. (#257)- The Rust indexing profiler now breaks reference resolution into database, name-matching, import, framework, and other timing buckets, so large-repo bottlenecks can be targeted with evidence. (#87)
- The experimental Rust indexer now accepts more modern TypeScript syntax used in large VS Code sources, including import-type queries and contextual keyword identifiers. (#88)
- Phase 4 readiness work now records profile, memory, package-safety, and large VS Code sufficiency evidence for experimental Rust indexing, with a continue opt-in decision while follow-up blockers are addressed. (#83)
- New Rust indexing profiler script reports source scanning, parsing/extraction, SQLite writing, TypeScript finalization, and subprocess handoff timings as JSON, making the experimental Rust path easier to compare across local runs. (#66)
- The experimental Rust indexing path now batches SQLite writes in one transaction, reducing write overhead while preserving the TypeScript indexer as the default. (#67)
zcodegraph indexnow has an experimental opt-in Rust indexing engine path for the first JavaScript/TypeScript migration slice; the TypeScript indexer remains the default while the Rust core proves out parity, performance, memory, safe SQLite handoff, JS/TS/JSX/TSX indexing, graph-resolution, semantic-parity, CLI/MCP integration, benchmark, agent-sufficiency, and packaging-readiness gates. (#50, #51, #52, #53, #54, #55, #56, #57, #58, #59)- New
zcodegraph upgradecommand updates CodeGraph to the latest release in place — it detects how you installed (the standaloneinstall.sh/install.ps1bundle, npm, or npx) and does the right thing for each, on macOS, Linux, and Windows. Usezcodegraph upgrade --checkto see whether an update is available without installing, orzcodegraph upgrade <version>to move to a specific version. After upgrading it reminds you to re-index your projects so they pick up the newer engine's improvements. (#679) zcodegraph statusnow flags when a project's index was built by an older engine than the one you're running and recommends re-indexing (also surfaced inzcodegraph status --json), so you know when azcodegraph index -forzcodegraph syncwill add coverage a newer release introduced.- Cross-file impact and blast-radius coverage now spans all 22 supported languages and 14 web frameworks, each validated on a real-world repo — see the new coverage table in the README. This release ships the cross-file resolution behind it, including Lua and Luau
require, Shopify OS 2.0 Liquid section templates, Delphi form code-behind, Rust cross-module calls and Rocket route macros, Swift Fluent relationships, and the SvelteKit / Nuxt / Vapor / Axum route conventions. The residual everywhere is genuine static-analysis frontiers (runtime dispatch, reflection / DI, framework-convention entry points), never hidden. - C# types are now tracked by their namespace-qualified name. Same-named types in different namespaces — a domain entity and a DTO both called
CatalogBrand, say — are told apart instead of collapsing into one arbitrary match, so a reference resolves to the right one and impact no longer conflates them. (C#) - ASP.NET Razor (
.cshtml) and Blazor (.razor) markup are now parsed for code relationships. A@model/@inherits/@injectdirective links the view to the C# view-model, base type, or service it names; a Blazor<MyComponent/>tag (plus@typeof(...)and genericTItem="..."arguments) links to the component class; and the C# inside@code { }/@functions { }/@{ }blocks is analyzed too, so services and types used in component logic are linked. A view-model, component, or service referenced only from markup is no longer reported as having no dependents, and editing it surfaces the views that use it. (ASP.NET, Blazor) - A Razor/Blazor type reference now resolves through the component's
@usingnamespaces — including the folder's cascading_Imports.razor— so a simple name that exists in several namespaces lands on the right one. A@model/<MyComponent>/@codereference toCatalogBrandresolves to the@using'd DTO (BlazorShared.Models.CatalogBrand) rather than a same-named domain entity. (ASP.NET, Blazor) zcodegraph status --jsonnow also reports the running CLIversion, the index directory (indexPath), and alastIndexedtimestamp (ISO-8601, or null when nothing's indexed yet), so CI and scripts can pin the CLI version and check index freshness from a single command. A matchingCodeGraph.getLastIndexedAt()library method exposes the same freshness check without shelling out. Thanks @12122J and @eddieran. (#329)
Fixes
rust-hybridindexing now batches more candidate lookups during reference resolution, reducing default indexing time on TypeScript-heavy projects without changing indexed results or fallback behavior. (#491)rust-hybridindexing now completes sparse-checkout projects when a planned non-Rust-owned fallback file is missing, and reports the missing fallback coverage as degraded diagnostics instead of failing the whole run. (#482, #483, #484)rust-hybridindexing now reuses Rust parser instances by source language during extraction, reducing repeated parser setup work without changing indexed results or fallback behavior. (#292)rust-hybridindexing now writes Rust-extracted source fac...