fix(ci): add resilience to Claude Code workflow for fork branch races (…

…#949)

* fix(ci): add resilience to Claude Code workflow for fork branch races

Add concurrency groups and pre-flight branch verification to both
claude.yml jobs. Prevents failures when "Update branch" and @claude
are triggered simultaneously — the git fetch previously hit a transient
window where the fork ref was being rewritten, causing exit code 128.

Changes:
- Concurrency groups (cancel-in-progress) keyed on PR number for both
  automated-review and interactive-claude jobs
- Pre-flight step that verifies the fork branch is fetchable with 3
  retries at 10s intervals before handing off to claude-code-action

* fix(ci): harden claude workflow against shell injection and redundant sleep

- Move HEAD_REPO/HEAD_REF interpolation into env: block to prevent
  shell injection from malicious branch names (addresses Greptile P1
  security concern: GitHub Actions sanitises env values but not
  expressions inlined directly into the shell script).
- Guard the 10s retry sleep with 'if [ "${i}" -lt 3 ]' so the final
  failure path exits immediately instead of sleeping 10s before exit 1.
- Apply the same fixes to the interactive-claude pre-flight step.
- Also pass PR_NUMBER and REPO_FULL_NAME via env: for consistency.

Refs PR #949 Greptile review.

* fix(ci): use headRepositoryOwner for head repo in claude.yml pre-flight check (#949)

fix(rust): fix test compilation errors and add verification rule to C…

…LAUDE.md (#950)

Fix pre-existing Rust test compilation errors:
- Import.path → Import.source in bash, c, kotlin, swift extractor tests
- Add missing 7th argument (symbol_nodes: None) to build_import_edges
  test call sites

Add CLAUDE.md rule: never silently skip verification — report failures
to the user immediately instead of proceeding with unverified changes.

Impact: 14 functions changed, 0 affected

docs(backlog): add Weft-inspired items #103 and #104 (#945)

* docs(backlog): add Weft-inspired items #103 and #104

#103 — Recursively foldable graph viewer (Tier 1g)
#104 — Architecture-as-code validation gate (Tier 1j)

* fix(backlog): correct stale .js file references to .ts in item #103

fix(structure): reconcile import_count semantics between fast path an…

…d full path (#942)

* fix(structure): reconcile import_count semantics between fast path and full path

The full path (compute_file_metrics) counted raw import statements via
symbols.imports.len(), while the fast path (update_changed_file_metrics)
counted distinct imported files via COUNT(DISTINCT n2.file). A file with
two imports from the same module would get import_count=2 in full builds
but import_count=1 in incremental builds.

Both paths now consistently count distinct imported files by querying the
DB edges table. The full path batch-loads counts upfront to avoid N+1
queries. Fix applied to both the Rust native engine and the JS/TS WASM
engine.

Closes #941

Impact: 2 functions changed, 2 affected

* fix: move importCountMap query inside transaction for Rust parity (#942)

Impact: 1 functions changed, 1 affected

perf(native): defer NativeDatabase.openReadWrite until after change d…

…etection (#939)

* perf(native): defer NativeDatabase.openReadWrite until after change detection

setupPipeline eagerly opened a rusqlite connection (~60ms) before
knowing whether any files changed. On no-op incremental builds this
was entirely wasted — WASM only paid ~4ms for better-sqlite3.

Defer NativeDatabase.openReadWrite + initSchema to tryNativeOrchestrator,
which runs after the Rust orchestrator confirms files need rebuilding.
Setup now always uses better-sqlite3 for the cheap metadata reads
(schema mismatch check), and the native connection opens on-demand
only when the Rust pipeline will actually run.

Closes #934

Impact: 2 functions changed, 6 affected

* fix: clarify advisory-lock transfer and defensive flag reset (#939)

Impact: 1 functions changed, 5 affected

fix(bench): sample symbols in embedding benchmark to prevent CI timeo…

…uts (#927)

* fix(bench): sample symbols in embedding benchmark to prevent CI timeouts

The codebase grew from ~1095 to 7128 symbols, causing every model worker
to exceed the 30-min timeout during the search phase. Add deterministic
sampling (seeded PRNG, cap 1500 symbols) so runtime stays bounded as the
repo grows. Embedding still covers all DB symbols; only the search
evaluation is sampled.

* fix(bench): correct stale timing estimates in JSDoc comment (#927)

fix(bench): use per-engine file count in benchmark reports (#926)

* docs: update build performance benchmarks (3.9.3)

* fix(bench): include per-engine file count in benchmark output

Add `files` to formatEngineResult() so each engine preserves its own
file count. Use `e.files ?? h.files` in engineRow() and raw totals
for correct per-engine display with backward-compat fallback.

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

docs: update build performance benchmarks (3.9.3) (#924)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: carlos-alm <[email protected]>

docs: prepare release notes for v3.9.3 (#920)

* docs: prepare release notes for v3.9.3

* fix(deps): restore missing libc fields in package-lock.json for Linux packages

docs: incremental vs full rebuild guide with staleness check (#919)

* docs: document incremental vs full rebuild behavior and add staleness check

- Add "What incremental rebuilds refresh" section to README with comparison
  table and guidance on when to run full rebuilds
- Create docs/guides/incremental-builds.md with detailed guide covering
  three-tier change detection, what gets skipped, recommended schedules,
  configuration, and Claude Code hook integration
- Update recommended-practices.md with periodic full rebuild section (husky
  post-merge example) and watch mode freshness note
- Update hooks example README with incremental build freshness section
  documenting the automatic staleness detection mechanism
- Upgrade post-git-ops.sh to run --no-incremental after merge/rebase/pull
  (both our hooks and example hooks) with staleness marker update
- Add 24h staleness check to update-graph.sh: first edit of a stale session
  auto-upgrades to full rebuild via .codegraph/last-full-build marker,
  subsequent edits stay incremental

* fix: restore fallback guard and gate marker on build success (#919)

- Restore :-$PROJECT_DIR default in node fallback path (update-graph.sh)
  to prevent unbound variable exit under set -euo pipefail
- Only update staleness marker when build exits 0, so a silent failure
  doesn't defer the next full rebuild by up to 24 hours
- Apply both fixes consistently across .claude/hooks/ and docs/examples/

* fix: correct docs claiming incremental is sufficient after git pull (#919)

The post-git-ops.sh hook unconditionally runs --no-incremental after
every pull/merge/rebase. Updated the guide to reflect actual behavior.