v2.3.6 — community-response release

Community-response release. Built from a full audit of every open PR, issue, and discussion — community fixes merged with credit, verified defects fixed (including two open Windows bugs), benchmark claims made independently checkable, and the project's first self-hosted PR review bot: this repo now reviews its own pull requests with its own graph.

Highlights

• Custom languages without forking (#320): drop a .code-review-graph/languages.toml into your repo to index any grammar shipped by tree-sitter-language-pack. See docs/CUSTOM_LANGUAGES.md.
• GitHub Action for risk-scored PR reviews: builds/restores the graph from CI cache and posts a sticky review comment with risk table, affected flows, test gaps, and token savings. See docs/GITHUB_ACTION.md.
• Honest benchmarks: new agent_baseline benchmark (graph vs a realistic grep-and-read agent), failed eval runs excluded from aggregates instead of inflating them, non-circular co-change ground truth for impact accuracy, weekly report-only eval CI. README now leads with the ~82x median; 528x is the best case, not the headline.
• docs/FAQ.md: vs LSP, vs RAG, vs agentic grep, when NOT to use this tool, and how to verify it's working.

Fixes

• Windows: daemon status WinError 87 crash (#511) and CLI detect-changes mapping 0 functions (#528)
• store_file_batch transaction guard (#489 — community PR #529 by @Devilthelegend, thank you)
• Unknown embedding providers now error instead of silently using the local model
• Analysis tools no longer leak SQLite connections; fastmcp capped <4; git hooks now work in worktrees and core.hooksPath/husky setups; shipped hooks drain stdin
• Translated READMEs carry staleness banners and no longer contradict the English benchmark numbers

Full details in CHANGELOG.md. No breaking changes.

v2.3.5 — Real-time token savings, visible to humans

Real-time token savings, visible to humans. The estimated context-savings metric introduced in 2.3.4 was JSON-only. In 2.3.5 it surfaces as a clean boxed panel on the CLI and is verifiable against a real tokenizer in one flag — so when you reach for code-review-graph to review a change, you can immediately see how much of your context window the graph just kept out.

Highlights

• 🪟 Token Savings panel on both code-review-graph detect-changes --brief and the new code-review-graph update --brief. Per-category breakdown (Functions / Tests / Risk / Other) that sums exactly to the graph response size.
• ✅ --verify flag cross-checks the displayed numbers against OpenAI's cl100k_base tokenizer. Calibration shows the estimate stays within +0.5% of real GPT-4 tokens in aggregate across 222 mixed-language source files (data in docs/REPRODUCING.md).
• 🔁 Deterministic eval pipeline — pinned upstream SHAs, full clones with returncode checks, fixed Leiden seed. Two contributors running the benchmark recipe on different machines on different days now produce identical numbers.
• 🎯 Multi-hop retrieval benchmark + richer embedding text + identifier-aware search boost lift compound-query accuracy from 0.545 → 0.909.
• 📦 code-review-graph embed CLI subcommand for explicit embedding generation. Previously only reachable via MCP.

What the panel looks like

```text
┌─────────────────────── Token Savings ────────────────────────┐
│ Full context would be: 12,921 tokens │
│ Graph context used: 762 tokens │
│ Saved: 12,159 tokens (~94%) │
│ Breakdown: Functions 244 · Tests 191 · Risk 244 · Other 83 │
└──────────────────────────────────────────────────────────────┘
```

Add --verify to grow a Verified (tiktoken) row so the numbers are no longer just an estimate.

Reproduction

End-to-end recipe with canonical numbers in docs/REPRODUCING.md. All 6 test repos pin upstream SHAs, embeddings are deterministic on CPU, Leiden detection is seeded.

Full release notes

CHANGELOG.md — v2.3.5 entry

v2.3.4

Focused reliability and token-efficiency release for MCP/CLI review workflows. No breaking changes.

Added

• Estimated context savings metadata for graph-filtered review/impact/architecture responses. The new context_savings field is intentionally compact (estimated, saved_tokens, saved_percent) and uses the existing conservative character-count approximation rather than claiming exact tokenization.
• CLI estimated savings line for code-review-graph detect-changes --brief; full JSON output includes the same compact context_savings metadata.

Changed

• Architecture overview is compact by default: get_architecture_overview_tool now defaults to detail_level="minimal", dropping per-community member lists and aggregating cross-community edges by community pair. Full per-edge output remains available with detail_level="standard".
• Bounded change analysis: detect_changes_tool can now cap very large changed-function and transitive-test frontiers with CRG_MAX_CHANGED_FUNCS and CRG_MAX_TRANSITIVE_FRONTIER, and can return a structured timeout error via CRG_TOOL_TIMEOUT.

Fixed

• Windows semantic search deadlock (#508/#507): local embedding models are pre-warmed on the main thread on Windows before FastMCP starts worker dispatch.
• Rust test detection (#503/#502): Rust #[test] and common async test attributes now produce Test nodes.
• Generated hook stdin handling (#494/#493): Codex and Claude hook commands drain stdin to avoid caller-side broken pipes on large hook payloads.
• Cross-file callers (#486/#472): callers_of now returns cross-file callers even when same-file callers exist.
• Graph path lookup (#469): review, impact, and file-summary tools resolve user-facing paths to the path format stored in the graph.
• Bundled MCP docs (#485/#480): get_docs_section can load the packaged LLM-OPTIMIZED-REFERENCE.md from installed wheels.
• Local embedding provider availability (#484/#448): missing sentence-transformers now reports local provider unavailability instead of silently producing zero embeddings.
• Dead-code response fields (#481/#447): dead-code results now include file_path, relative_path, and language while preserving the legacy file key.
• SVN root validation (#456): MCP/daemon/registry root validation now accepts .svn working copies consistently.
• CLI postprocess flags (#487): build --skip-postprocess and update --skip-flows no longer run an extra full post-processing pass.

Documentation

• Updated stale release-facing version references for 2.3.4.
• Replaced fragile language-count wording with current broad language and notebook support wording.
• Added the missing VS Code extension 0.2.2 changelog entry without changing the extension package version.

Tests

• Added regression coverage for compact architecture overview output and #476 mitigation.
• Added tests for estimated context savings calculation, compact metadata shape, MCP metadata, CLI brief/JSON output, Rust test parsing, hook stdin draining, graph path resolution, dead-code fields, SVN root validation, CLI postprocess flags, embedding availability, and bounded detect-changes behavior.

v2.3.3

Large additive release accumulated since v2.3.2 — 141 non-merge commits, 8 new languages/extensions, 5 new platform install targets, 6 new framework call resolvers, comprehensive Windows hardening, VS Code accessibility pass, and a full sweep of community PRs.

Highlights

Languages and extensions

• Nix (flake-aware), Verilog/SystemVerilog, SQL, ReScript, GDScript (Godot)
• .hh (C++ headers) and .ksh extensions; shebang-based detection for extension-less scripts
• Julia: parametric constructors, @enum, public exports

Platforms

• GitHub Copilot + Copilot CLI, Gemini CLI, Qoder, OpenCode, Cursor hooks
• Native Codex install alignment

Framework call resolution

• Spring DI — receiver method calls resolve through @Autowired/constructor injection to concrete InjectedType.method; emits INJECTS edges + stereotype metadata
• Temporal — workflow/activity stub calls resolve to implementations
• Kafka — @KafkaListener and KafkaTemplate.send(...) emit CONSUMES/PRODUCES edges
• Jedi-based Python call resolution (improved cross-file accuracy)
• Python callback REFERENCES edges
• Mocha TDD suite(), Bun test, __tests__/ directory detection

MCP server / CLI

• crg-daemon multi-repo watch daemon (subprocess.Popen child supervision, 35 tests)
• Streamable HTTP transport (serve) alongside stdio
• serve --tools flag and CRG_TOOLS env var for tool filtering
• External database directory support for network filesystems
• SVN support for change analysis

Embeddings

• OpenAI-compatible provider (OpenAI / Azure OpenAI / any compatible endpoint), configurable batch size

VS Code extension / visualization

• WCAG 2.1 AA contrast across standalone HTML and webview
• Distinct d3.symbol shapes per node kind (colorblind-friendly)
• Full keyboard navigation (tab/arrow/enter/escape, focus styles, skip-link)
• ARIA roles on tooltip, detail panel, legend, search results, edge pills
• Help overlay with interaction guide
• Empty-state webview, contextual depth slider, edge filter popover
• Detail panel relocated to the left; GitHub Dark palette unified
• IMPLEMENTS, TESTED_BY, DEPENDS_ON edge types in standalone HTML

Fixed

Parser

• C++ scoped/destructor/operator method names (PR #371, PR #403)
• Java method/superclass/super_interfaces extraction (PR #275, #278)
• Java import resolution to file paths (PR #280)
• PHP CALL extraction — methods, statics, unqualified (PR #298)
• Module-scope CALLS edges (PR #285)

Windows

• MCP stdio hang on long-running tools — auto-select thread pool (PR #400)
• MCP stdin hang on git/svn subprocesses — stdin=DEVNULL everywhere (PR #425)
• Non-UTF-8 locale handling — encoding="utf-8" on subprocess.run
• Windows test failures — UTF-8/CRLF/stop_at boundary (PR #274)

Hooks and install

• Hooks JSON schema with required matcher (PR #288)
• Merge-don't-overwrite for existing hook arrays + .bak backup (PR #114, #145, #203)
• Pre-commit hook uses update subcommand (PR #315)
• Skip hooks gracefully outside git repos (PR #293)
• Poetry / uv environment detection for the MCP serve command (PR #287)

MCP server

• fastmcp ≥3.2.4 compatibility — _apply_tool_filter restored
• FastMCP banner suppressed for stdio transport (PR #290)
• MCP config: cwd, skills path, JSONC tolerance

Other

• __version__ stuck at 2.1.0 since v2.1.0 — embeddings.py builds the cloud-API User-Agent from this string, so cloud-embedding traffic was being mis-attributed across every release between v2.1.0 and v2.3.2.
• SQLite transaction safety + FTS5 sync (PR #94, #279)
• CLI build/update/watch run post-processing (signatures/FTS/flows/communities) (PR #98)
• Flow trace adjacency loaded in-memory (PR #296)
• Dead-code callback references (PR #424)

Security

• Embeddings RCE hardening (PR #397) — RCE paths gated behind explicit env var; cloud requests send a versioned User-Agent (PR #390); refuses to mix indexes built with different providers.

Upgrade notes

• uvx --reinstall code-review-graph or pip install -U code-review-graph
• Re-run code-review-graph install once to pick up the JSONC-tolerant config writer and the corrected cwd / skills path in .mcp.json
• The __version__ fix changes the cloud-embedding User-Agent from code-review-graph/2.1.0 to code-review-graph/2.3.3 — update any proxy allow-lists keyed on the old string.
• The VS Code extension still ships separately — repackage/republish the .vsix to publish the v2.3.3 a11y improvements to the Marketplace.

See CHANGELOG.md for the full breakdown.

v2.3.2

What's New in v2.3.2

Major feature release — 15 new capabilities, 6 community PRs merged, 6 new MCP tools, 4 new languages, multi-format export, and a full graph analysis suite.

New MCP Tools (6)

Tool	What it does
get_hub_nodes_tool	Find most-connected nodes (architectural hotspots)
get_bridge_nodes_tool	Find chokepoints via betweenness centrality
get_knowledge_gaps_tool	Identify isolated nodes, untested hotspots, thin communities
get_surprising_connections_tool	Detect unexpected cross-community/cross-language coupling
get_suggested_questions_tool	Auto-generate prioritized review questions from analysis
traverse_graph_tool	BFS/DFS traversal from any node with token budget

Total MCP tools: 28 (was 22)

New Features

• Edge confidence scoring — three-tier system (EXTRACTED/INFERRED/AMBIGUOUS) with float scores
• Export formats — visualize --format graphml|cypher|obsidian|svg for Gephi, Neo4j, Obsidian vault, SVG
• Graph diff — compare graph snapshots over time (new/removed nodes, edges, community changes)
• Token benchmarking — measure naive-vs-graph token reduction with per-question ratios
• Memory loop — persist Q&A results as markdown for re-ingestion into the graph
• Community auto-split — oversized communities (>25%) recursively split via Leiden
• Visualization — node size by degree, community legend with toggles

New Languages (4)

Zig, PowerShell, Julia, Svelte SFC → 23 languages total

Community PRs Merged (6)

• #127 (xtfer): SQLite compound edge indexes
• #184 (realkotob): batch _compute_summaries — fixes build hangs on large repos
• #202 (lngyeen): Swift extension detection + inheritance edges
• #249 (gzenz): Leiden resolution scaling (21x speedup), 56 new tests, framework-aware dead code
• #253 (cwoolum): auto build graph for new worktrees
• #267 (jindalarpit): Kiro platform support

README Translations

🌐 Simplified Chinese · 日本語 · 한국어 · हिन्दी

Upgrade

pip install --upgrade code-review-graph   # → 2.3.2
code-review-graph install                 # re-run to pick up new config

788 tests pass. Schema v9. Full changelog: CHANGELOG.md

v2.3.1 — Windows MCP hang hotfix (#46, #136)

Summary

Hotfix for the Windows long-running MCP tool hang. v2.2.4 shipped the event-loop policy fix, but @dev-limucc's test on #136 showed that was necessary but not sufficient — read-only tools worked, but build_or_update_graph_tool and embed_graph_tool still hung indefinitely on Windows 11 / Python 3.14.

uvx --reinstall code-review-graph
# or
pip install -U code-review-graph

If you were affected by either #46 or #136 on v2.2.4, this release should fix it.

What's fixed

FastMCP 2.x dispatches sync handlers inline on the only event-loop thread. When a handler runs for more than a few seconds — especially one that spawns subprocesses (full_build uses ProcessPoolExecutor) or does CPU-bound inference (sentence-transformers) — the loop stops pumping stdin/stdout, Claude Code's request never gets a response, and the MCP client shows "Synthesizing…" forever.

Fix: the five heavy tools are now async def and offload their blocking work with asyncio.to_thread. The event loop stays responsive and stdio keeps pumping.

Tools now async

• build_or_update_graph_tool — full_build / incremental_update
• run_postprocess_tool — community detection can take 20s+ on large graphs
• embed_graph_tool — sentence-transformers / Gemini inference
• detect_changes_tool — git diff subprocess + BFS traversal
• generate_wiki_tool — many SQLite reads + file writes

The other 19 tools are fast SQLite-read paths and stay sync.

Lock-in tests

Two new regression tests in tests/test_main.py::TestLongRunningToolsAreAsync:

1. test_heavy_tools_are_coroutines — asserts via mcp.get_tools() introspection that all 5 heavy tools register as coroutine functions.
2. test_heavy_tool_source_uses_to_thread — greps each tool's source for a literal asyncio.to_thread call, so we don't accidentally make a tool async def without actually offloading the work.

These will fail at collection time if someone converts one of the 5 tools back to sync in a future refactor.

Verification

macOS / Python 3.11:

• All 24 tools register, 5 heavy ones as coroutines
• 737 tests pass (+2 new lock-in tests), coverage 74.63%
• ruff / mypy / bandit clean
• CI matrix 3.10 / 3.11 / 3.12 / 3.13 green

Windows: will be verified by @dev-limucc post-release against the original repro (build_or_update_graph_tool(full_rebuild=True) + embed_graph_tool).

Upgrade notes

• Nothing to do beyond upgrading. The async wrappers are transparent to MCP clients — they still call the tools the same way.
• If you're coming from v2.2.2 or earlier, the usual code-review-graph install is still needed to pick up the v2.2.3 hook schema rewrite.

Closes (pending final Windows test)

• #46 (build hangs on Windows)
• #136 (embed_graph_tool hangs on Windows)

v2.3.0 — Elixir + Obj-C + Bash, Qwen, CRG_DATA_DIR, refactor dry-run

Highlights

Minor-version release with 9 features and 1 bug fix. All additive on top of v2.2.4. Upgrade with:

uvx --reinstall code-review-graph
# or
pip install -U code-review-graph

New language + platform support

• Elixir (#112) — .ex / .exs files parse modules, def/defp/defmacro/defmacrop, alias/import/require/use, and internal call resolution. Close the MathHelpers.double → Calculator.compute loop.
• Objective-C (#88) — .m files parse @interface / @implementation, instance + class methods, [receiver message:args] calls (including multi-part selectors), C-style main(), and #import/#include.
• Bash / Shell (#197) — .sh / .bash / .zsh files parse functions, every command as a CALLS edge, and source path / . path as IMPORTS_FROM with filesystem path resolution.
• Qwen Code (#83) — new MCP install target: code-review-graph install --platform qwen merges into ~/.qwen/settings.json without clobbering existing entries.

MCP tool improvements

• apply_refactor_tool(dry_run=True) (#176) — preview the exact unified diff before committing the rename to disk. The refactor_id stays valid after the dry-run so you can review and then call again with dry_run=False to actually write the changes.
• install --no-instructions + -y/--yes (#173) — new flags on code-review-graph install:
  • --no-instructions skips the CLAUDE.md / AGENTS.md / .cursorrules / .windsurfrules injection entirely.
  • -y / --yes auto-confirms the instruction injection without the interactive TTY prompt.
  • Even without --dry-run, install now prints the target list before writing.
• Cloud embeddings stderr warning (#174) — get_provider() now writes a one-time warning to stderr before returning a Google Gemini or MiniMax provider, making it explicit that source code will be sent to an external API. Set CRG_ACCEPT_CLOUD_EMBEDDINGS=1 to suppress the warning in scripted workflows. The warning is stderr-only — it never touches stdout or stdin so the MCP stdio transport remains uncorrupted.

Graph storage

• CRG_DATA_DIR (#155) — when set, replaces the default <repo>/.code-review-graph directory verbatim. Useful for ephemeral workspaces, Docker volumes, shared CI caches, or multi-repo orchestrators that want graphs outside the working tree.
• CRG_REPO_ROOT (#155) — find_project_root() checks this env var before the usual git-root walk. Lets you script the CLI from any cwd.
• Both variables honor ~ expansion and fall through cleanly if the path doesn't exist.

Fixed

• Multi-edit refactor correctness — apply_refactor() could silently stomp earlier changes when a single refactor touched the same file with multiple edits. The plan-computation step now groups edits by file and applies them sequentially against updated content, in both real-write and dry-run modes.

Docs

• docs/TROUBLESHOOTING.md — new top section covers the 4 most common support questions:
  1. Hooks use a matcher + hooks array error → upgrade to v2.2.4+ and re-run install
  2. command not found after pip install → use pipx / uvx / python -m code_review_graph
  3. "Is this project-scoped or user-scoped?" — the 4-piece scope table (package / graph.db / .mcp.json / registry)
  4. "Built the graph but Claude Code doesn't see it" — 4-item debug checklist (restart, cwd, install step, MCP logs)

Closes

#83, #88, #112, #155, #173, #174, #176, #197, #211 (closed separately as already-implemented)

Superseded contributor PRs (closed with credit)

• PR #204 by @lngyeen (install preview) — reimplemented cleanly in #228 with isatty()-guarded confirmation
• PR #207 by @yashmewada9618 (CRG_DATA_DIR) — reimplemented cleanly in #228 without input()-on-stdio
• PR #179 by @Bakul2006 (cloud embeddings warning) — reimplemented cleanly in #228 with stderr-only messaging

Thank you to all three contributors — your original designs pushed these forward.

Still pending for a future release

• #199 Terraform/Helm — HCL's resource graph needs a design call (dependency-DAG model doesn't fit the call-graph shape); Helm chart template + values cross-referencing is a separate analyzer
• #210 TOON serialization — previously declined; keeping the issue open for long-term tracking
• #143 / #144 fastmcp CVE PRs — already closed as superseded by v2.2.4's fastmcp bump
• VS Code extension v0.2.2 — repackage + republish manually (the PyPI publish.yml doesn't cover it)

v2.2.4 — fastmcp CVE fix, Windows hang, 11 bug fixes

Highlights

Ships the 11 bugs from PR #222 plus the v2.2.3.1 smoke-test hotfixes. If you're on v2.2.3 or earlier, this is a straight upgrade — re-run code-review-graph install afterward to pick up any config updates.

uvx --reinstall code-review-graph
# or
pip install -U code-review-graph

Security — CVE remediation

• fastmcp 1.0 → >=2.14.0,<3 (closes #139, #195)
  • CVE-2025-62800 (XSS)
  • CVE-2025-62801 (command injection via server_name)
  • CVE-2025-66416 (Confused Deputy)
  • Transitively drops the broken docket → fakeredis chain that caused ImportError: FakeConnection renamed to FakeRedisConnection on fresh installs (#195)
  • All 24 MCP tools verified to register and round-trip real data on fastmcp 2.14.6 across a 6-repo smoke test

Fixed

• #46 / #136 — Windows build/embed_graph_tool silent hangs. main() now sets WindowsSelectorEventLoopPolicy before mcp.run() on sys.platform == "win32". The default ProactorEventLoop deadlocks with ProcessPoolExecutor (used by full_build) over stdio MCP. No-op on macOS/Linux.
• #190 — Go method receivers. func (s *T) Foo() now attaches Foo to T as a member with a CONTAINS edge, instead of appearing as a top-level function.
• #87 — Dart parser, three bugs:
  • CALLS edges (_extract_dart_calls_from_children()) — tree-sitter-dart doesn't wrap calls in a call_expression; the pattern is identifier + selector > argument_part.
  • package:<pkg>/<path> URI resolution — walks up to a pubspec.yaml whose name: declaration matches <pkg> and resolves to <root>/lib/<path>.
  • inheritors_of bare-vs-qualified fallback — affects all languages, not just Dart.
• #91 — Nested dependency directories now ignored. node_modules/** also matches packages/app/node_modules/react/index.js in monorepos. Added Laravel (vendor/**, bootstrap/cache/**), Gradle (.gradle/**, *.jar), Flutter (.dart_tool/**, .pub-cache/**), and generic (coverage/**, .cache/**) defaults. Deliberately did not add packages/** or bin/**/obj/** — those are false positives for yarn/pnpm workspaces and .NET source trees respectively.
• #194 — Replaced bare except Exception with specific exception types + logger.debug(...) across 11 files. Debuggability win; no behavioral change at happy path.
• #132 — Visualization no longer hides all edges on graphs above ~300 nodes. The unconditional auto-collapse at page load has been raised to a 2000-node threshold; below that, all File / Function / Class nodes and their connecting edges are visible by default.
• #212 — eval command now surfaces ImportError: pyyaml is required: pip install code-review-graph[eval] instead of AttributeError: 'NoneType' object has no attribute 'safe_load' when PyYAML isn't installed.
• #218 — VS Code extension (v0.2.2 — repackage separately): better-sqlite3@11 → @12.4.1+ for VS Code 1.115 (Electron 39 / V8 14.2). v11 used v8::Context::GetIsolate() which was removed in V8 14.2, causing the extension to fail activation with every command undefined.

Carried forward from v2.2.3.1

• #223 — code-review-graph serve --repo <X> now honored by all 24 MCP tools (was only read by get_docs_section_tool).
• #223 — Wiki slug collisions no longer silently overwrite pages. Previously a ~70% data loss bug on real repos: "Data Processing" / "data processing" / "Data Processing" all slugged to the same filename and later iterations overwrote earlier content. Now tracks used slugs per-run and appends -2/-3/… suffixes.

⚠️ Windows note

The Windows event-loop fix (#46 / #136) was applied blind — the maintainer is on macOS and could not verify it on Windows before release. The fix itself is surgical (a single line in main.py behind sys.platform == "win32" — no-op everywhere else) and is the canonical remediation for the ProactorEventLoop + ProcessPoolExecutor + stdio-MCP deadlock, so it's unlikely to regress anything. But if you're on Windows and still see build or embed_graph_tool hang on v2.2.4, please open a fresh issue with:

• python -c "import sys, platform; print(sys.version, platform.platform())"
• Which tool hangs (build, embed, both, other)
• Any stack trace from Ctrl+C

A follow-up patch will ship quickly if needed.

Upgrade notes

• Re-run code-review-graph install after upgrading to pick up any config updates (this is still a requirement if you're coming from v2.2.2 or earlier — the hook schema was rewritten in v2.2.3).
• The VS Code extension needs to be repackaged and republished separately; the existing publish.yml workflow only covers PyPI.

Closes

#46, #87, #91, #132, #136, #139, #190, #194, #195, #212, #218, #223

v2.2.3.1 — --repo flag + wiki slug collisions

Hotfix on top of 2.2.3

Two bugs surfaced by a full first-time-user smoke test run against six real OSS repos (express, fastapi, flask, gin, httpx, next.js). Both are pre-existing and independent of any ongoing work on v2.2.4.

uvx --reinstall code-review-graph
# or
pip install -U code-review-graph

Fixed

• serve --repo <X> was ignored by 21 of 24 MCP tools (#223). main.py captured the flag into _default_repo_root, but only get_docs_section_tool actually read it — every other tool wrapper passed repo_root=None straight through to the impl, which then resolved against the server's cwd. Real-world blast radius is small because install writes a .mcp.json that launches the server with cwd=<repo>, so first-time Claude Code users don't hit this. But anyone scripting serve manually or running a multi-repo orchestrator would silently get the wrong graph. Fixed with a single _resolve_repo_root() helper with explicit precedence (client arg > --repo flag > cwd) threaded through all 24 wrappers.

• Wiki slug collisions silently overwrote pages (#223). _slugify() folds non-alphanumerics to dashes and truncates to 80 chars, so similar community names collided ("Data Processing" / "data processing" / "Data Processing" → data-processing.md). The previous generate_wiki() loop wrote each community to its <slug>.md regardless of collisions — overwriting earlier content while the counter reported overwrites as "updated". On the express smoke test this was ~70% silent data loss (32 real files on disk vs 107 claimed pages). Fixed by tracking used slugs per-run and appending -2, -3, … suffixes until the slug is unique; every community now gets its own page and the counter matches the physical file count. get_wiki_page() lookup still resolves by name via the existing partial-match fallback.

What is NOT in this release

Everything on #222, which is still pending Windows verification:

• fastmcp 1.0 → 2.14.6 (CVEs — #139, fakeredis rename — #195)
• Windows ProactorEventLoop deadlock fix (#46, #136)
• Go receiver methods (#190), Dart parser fixes (#87), nested node_modules ignores (#91), except Exception cleanup (#194), viz auto-collapse (#132), eval yaml.safe_load guard (#212), VS Code better-sqlite3 12.x for VS Code 1.115 (#218)

Once Windows reporters confirm the fix on PR #222's branch, we'll cut v2.2.4 with all of the above.

Upgrade notes

• No schema changes; no action required beyond upgrading.
• No .claude/settings.json rewrite needed (that was a v2.2.3 thing).

Closes

#223

v2.2.3 — hook schema + SQLite transaction fix

Highlights

This release ships 16 fix/feature commits that had been sitting on main since v2.2.2. If you're on v2.2.2, upgrade now — most of the hooks/SQLite issues opened in the last few days are already fixed here.

uvx --reinstall code-review-graph
# or
pip install -U code-review-graph
# then re-run `code-review-graph install` to rewrite .claude/settings.json

Fixed

• Claude Code hook schema (#208) — fixes #97, #138, #163, #168, #172, #182, #188, #191, #201. generate_hooks_config() now emits the valid v1.x+ schema — every hook entry has matcher + a nested hooks: [{type, command, timeout}] array, timeouts are in seconds (not ms), and the invalid PreCommit event is gone. Pre-commit checks now install as a real git pre-commit hook via install_git_hook(). After upgrading, re-run code-review-graph install to rewrite .claude/settings.json.
• SQLite transaction nesting (#205) — fixes #110, #135, #181. GraphStore.__init__ now connects with isolation_level=None, disabling Python's implicit transactions that caused sqlite3.OperationalError: cannot start a transaction within a transaction on update. store_file_nodes_edges flushes any stray open transaction before BEGIN IMMEDIATE as defense-in-depth.
• Go method receivers (#166) — method names are now resolved from field_identifier inside method_declaration (previously they'd get picked up as the result type, e.g. int64).
• UTF-8 decode errors in detect_changes (#170) — fixes #169. Diffs with binary files no longer crash.
• --platform target scope (#142) — fixes #133. code-review-graph install --platform <target> now correctly filters which skills, hooks, and instruction files get written.
• Large-repo community detection hangs (#213, #183) — removed recursive sub-community splitting, capped Leiden at n_iterations=2, batched store_communities writes. 100k+ node graphs no longer hang.
• CI: ruff + tomllib on Python 3.10 (#220) — tomli backport for 3.10, assorted N806/E501/W291 fixes.
• Missing dev dependencies (#159) — pytest-cov added, 50 ruff errors swept.
• JSX component CALLS edges (#154) — JSX component usage now produces graph edges.

Added

• Codex platform install support (#177) — code-review-graph install --platform codex appends to ~/.codex/config.toml without clobbering existing settings.
• Luau language support (#165) — closes #153. Roblox Luau .luau parsing.
• REFERENCES edge type (#217) — new edge kind for symbol references that aren't direct calls (map/dispatch lookups, string-keyed handlers).
• recurse_submodules build option (#215) — optionally recurse into git submodules during build/update.
• Default .gitignore entry for .code-review-graph/ (#185) — fresh installs auto-add the SQLite DB to .gitignore.
• Clearer gitignore docs (#171) — closes #157.

Upgrade notes

• Re-run code-review-graph install after upgrading so your .claude/settings.json is rewritten with the correct hook schema. The old schema from v2.2.2 will remain and continue to throw "Hooks use a matcher + hooks array" errors until you do.
• If you hit "cannot start a transaction within a transaction" on update in v2.2.2, that's fixed here — no action needed beyond upgrading.

Closes

Hooks-schema cluster: #97, #138, #163, #168, #172, #182, #188, #191, #201
SQLite transaction cluster: #110, #135, #181
Other: #133, #147, #148, #149, #153, #157, #169, #175

Full changelog: see CHANGELOG.md.