v0.4.2

codeiq v0.4.2

Deterministic code knowledge graph — Go single-binary release.
Verify the download:
# Checksum
sha256sum -c checksums.sha256
# Signature (Sigstore keyless, bundle format)
cosign verify-blob
--bundle checksums.sha256.cosign.bundle
--certificate-identity-regexp 'https://github.com/RandomCodeSpace/codeiq/.github/workflows/release-go.yml@.*'
--certificate-oidc-issuer https://token.actions.githubusercontent.com
checksums.sha256

Changelog

• 0870fab docs(README): visual refresh + supply-chain badges (#171)
• 970e7bc docs: complete brownfield reference documentation (#170)
• 506e918 fix(release): make README.md / CHANGELOG.md optional in archive bundling (#169)
• 61230ae docs: wipe all documentation for clean reference-docs rewrite (#168)

---

Built with Go 1.25.10 via Goreleaser.

v0.4.1

codeiq v0.4.1

Deterministic code knowledge graph — Go single-binary release.
Verify the download:
# Checksum
sha256sum -c checksums.sha256
# Signature (Sigstore keyless, bundle format)
cosign verify-blob
--bundle checksums.sha256.cosign.bundle
--certificate-identity-regexp 'https://github.com/RandomCodeSpace/codeiq/.github/workflows/release-go.yml@.*'
--certificate-oidc-issuer https://token.actions.githubusercontent.com
checksums.sha256

Changelog

• 0ed3cf8 release: cut [Unreleased] → [v0.4.1] (#167)
• e2392e7 docs(changelog): cut [Unreleased] → [v0.4.0], document the reset (#166)
• 808bec0 chore(actions)(deps): bump step-security/harden-runner (#164)
• e09f984 chore(deps)(deps): bump github.com/spf13/pflag in the cobra-viper group (#163)
• 6229241 fix(ci): widen release-darwin poll budget + early-bail on release-go failure (#165)

---

Built with Go 1.25.10 via Goreleaser.

v0.4.0

codeiq v0.4.0

Deterministic code knowledge graph — Go single-binary release.
Verify the download:
# Checksum
sha256sum -c checksums.sha256
# Signature (Sigstore keyless, bundle format)
cosign verify-blob
--bundle checksums.sha256.cosign.bundle
--certificate-identity-regexp 'https://github.com/RandomCodeSpace/codeiq/.github/workflows/release-go.yml@.*'
--certificate-oidc-issuer https://token.actions.githubusercontent.com
checksums.sha256

Changelog

• 24fef39 refactor: hoist Go module from go/ to repo root (#162)
• c20c109 feat(buildinfo): fall back to debug.BuildInfo when ldflags unset (#161)
• e5fd3fe docs: post-cutover + Kuzu 0.11 sweep (#160)
• 799be73 refactor(graph): use Kuzu 0.11 native features (FTS, param LIMIT, []string) (#159)
• 690fba6 chore(deps)(deps): bump github.com/kuzudb/go-kuzu (#155)
• 235986c chore(actions)(deps): bump the actions group across 1 directory with 4 updates (#158)
• fd77ec9 chore(deps)(deps): bump github.com/mattn/go-sqlite3 (#157)
• 7869842 chore(deps)(deps): bump the cobra-viper group in /go with 2 updates (#156)
• 2263146 chore(deps): drop Java + npm Dependabot sections; add gomod (#154)
• cc96e1b fix(parser): unquote TOML keys and section headers (#152)
• a83b768 fix(enrich): explicit QUOTE/ESCAPE so Kuzu COPY honors RFC-4180 (#153)
• 4a6d82a fix(analyzer): path-qualify SERVICE node IDs to break PK collisions (#151)
• 7867a79 fix(enrich): use pipe '|' delimiter for Kuzu COPY staging files (#150)
• 91e34c3 fix(mcp): correct dispatch arg names in tools_consolidated (#149)
• 7313a0a ci+docs(perf-gate): enrich memory regression gate + OOM-fix evidence (Phase D) (#148)
• 51efda7 perf(enrich): --memprofile + --max-buffer-pool + --copy-threads flags (Phase C) (#147)
• 548a5ec perf(parser): rewrite Walk to use TreeCursor (Task B1) (#146)
• 9f54673 perf(enrich): Phase A quick wins for OOM fix (#145)
• 4136977 perf(graph): batch BulkLoad CSV / COPY FROM at 50k rows (#143)
• 9994900 docs: enrich OOM-fix streaming-refactor plan + gitignore fix (#144)
• 094cffd test(mcp): per-mode parity for 6 consolidated tools (#139)
• d2853dd chore(mcp): drop 24 narrow tools from user-facing MCP surface (#142)
• e544af0 fix(detector/jvm): discriminator guard on KtorRouteDetector + scala/kotlin fixtures (#141)
• 531e089 fix(detector): anchor nodes for bicep/dockerfile/shell/proto imports (#140)
• ecb5ede chore: drop Homebrew + delete stale Java-era docs (CLI + MCP only) (#138)
• c6097e7 feat(release): darwin/arm64 release workflow (#137)
• ffb3a16 fix(release): cosign v4 bundle format (#136)
• 13cd11b fix(release): simplify to single-runner linux-only build (#135)
• e590843 docs: switch version target from v1.0.0 → v0.3.0 (#134)
• 7f32aa4 fix(release): wrap goreleaser before-hooks in sh -c (#133)
• e21fe0f feat: Phase 6 cutover — delete Java reference, ship v1.0.0 (#132)
• c630245 feat(release): Phase 5 — Goreleaser + Sigstore + perf gate (#131)
• c363727 feat: port codeiq from Java/Spring Boot to Go single-binary (Phases 1-4) (#130)
• f7e792e perf(treemap): on-demand subtree fetch + visible directory labels (#120)
• d6e34ea perf(serve): bound JVM/Neo4j memory and dedupe topology snapshot (#118)
• a2bb2e0 perf(ui): cap initial file-tree fetch at depth 8 on dashboard (#119)
• 4b7cb45 release: v0.2.0 — frontend rewrite, ActiveMQ detector, mode=none default, drill-down treemap (#112)
• 3bc3ebf perf(detectors): quick-reject pre-screen on auth detectors (-31% detector CPU) (#111)
• 9f0d3d2 feat(serving): config validation, integration coverage, docs refresh (PR 5/5) (#110)
• 5f3021a feat(observability): production-readiness PR 4 — request tracing + JSON logs + structured errors (#109)
• e40350f feat(supply-chain): production-readiness PR 3 — bundle integrity + secret hygiene + scanner pin (#108)
• 82ded68 feat(security): prod-readiness PR 1 of 5 — bearer auth, security headers, error envelope (#106)
• c352720 chore(deps): bump Node from v20.11.0 to v22.12.0 for Vite 8 (unblocks #86) (#105)
• 833b403 chore(deps)(deps-dev): bump com.github.eirslett:frontend-maven-plugin (#84)
• 07106fb chore(deps)(deps): bump tools.jackson.core:jackson-databind (#81)
• 13624c1 chore(deps)(deps): bump tools.jackson.core:jackson-core (#85)
• 60f826b chore(deps)(deps): bump io.modelcontextprotocol.sdk:mcp-core (#80)
• c3ea61e chore(deps)(deps): bump org.springdoc:springdoc-openapi-starter-webmvc-ui (#82)
• e6aa245 chore(actions)(deps): bump the actions group across 1 directory with 4 updates (#100)
• dac13c6 chore(frontend)(deps-dev): bump the typescript group across 1 directory with 2 updates (#99)
• 4a097da chore(deps)(deps-dev): bump org.apache.maven.plugins:maven-gpg-plugin (#93)
• 0c1a4c8 feat: sub-project 1 Phase 4-6 — resolver pipeline wiring + 4 Java detector migrations (#104)
• 47e6404 feat: AKS read-only deploy hardening (sub-project 2) (#103)
• 5a46598 feat(resolver): symbol-resolver SPI + Java backend (sub-project 1, Phases 1-4) (#101)
• 54be162 chore(deps)(deps): bump the spring group across 1 directory with 2 updates (#75)
• 15c0c3c chore(frontend)(deps): bump the react group across 1 directory with 4 updates (#78)
• 06b16f3 chore(frontend)(deps): bump the ant-design group across 1 directory with 2 updates (#83)
• 53a4f67 chore(deps)(deps): bump org.neo4j:neo4j (#77)
• 58fb9d5 chore(frontend)(deps): bump echarts (#87)
• 92c6e00 chore(bestpractices): embed URLs inline + resolve SUGGESTED ? placeholders (RAN-52) (#98)
• 25a365e docs(changelog): add CHANGELOG.md to close OpenSSF release_notes (RAN-52) (#97)
• 80c2fc8 chore(bestpractices): rewrite to canonical autofill schema (RAN-57) (#96)
• bbacb86 docs(claude-md): document OpenSSF Best Practices + Scorecard baseline (RAN-52 AC #7) (#95)
• 4117d03 chore(security): revert to OSS-CLI stack (RAN-46 path B board ruling) (#91)
• 9bdfcc7 docs(badge): wire OpenSSF Best Practices project_id 12650 (RAN-46 AC #8) (#92)
• 6c3b9e9 chore(ci): add top-level permissions: read-all to workflows (RAN-46 AC) (#90)
• 6c8497f docs(runbooks): add test-strategy.md (RAN-46 AC #5) (#89)
• 19c6619 fix(security): enforce max-bytes cap on /api/file + MCP read_file (RAN-9) (#67)
• f7c4401 fix(security): block path traversal via symlinks in /api/file and read_file (RAN-8) (#65)
• 0e93226 fix(build): restore SpotBugs quality gate on main (RAN-26) (#68)
• ffe537a docs(claude-md): refresh stale gotchas (RAN-13) (#63)
• eb05201 fix(build): unblock mvn test — drop tsconfig baseUrl, add frontend.skip (RAN-27) (#66)
• d3692cd chore(hygiene): batch 5 LOW-severity follow-ups from RAN-6 review (RAN-33) (#70)
• b6648c0 refactor(cli): split EnrichCommand.enrichFromCache into phase helpers (RAN-41) (#73)
• 1ae0278 chore(bootstrap): RAN-46 engineering bootstrap (security, runbooks, OpenSSF wiring) (#74)
• 8f1ce18 fix(spotbugs): eliminate 12 SpotBugs findings (RAN-23) (#71)
• 0b47514 perf(detector): hoist inline Pattern.compile to static finals (RAN-32) (#69)
• cab71a4 refactor: rename code-iq → codeiq across the project (#62)
• 4c46a60 fix(detector): eliminate regex backtracking in Liquibase YAML patterns (#61)
• bfab2e7 fix: Sonar follow-ups — ModuleDeps ordering, Express dead code, RepositoryIdentity env (#60)
• dd8adaa test(coverage): add targeted tests for SonarCloud new-code backfill (#59)
• eaea1ff...