RandomCodeSpace
diff --git a/‎.github/workflows/perf-gate.yml‎
Lines changed: 112 additions & 0 deletions b/‎.github/workflows/perf-gate.yml‎
Lines changed: 112 additions & 0 deletions
diff --git a/‎.github/workflows/release-go.yml‎
Lines changed: 124 additions & 0 deletions b/‎.github/workflows/release-go.yml‎
Lines changed: 124 additions & 0 deletions
diff --git a/‎.goreleaser.yml‎
Lines changed: 151 additions & 0 deletions b/‎.goreleaser.yml‎
Lines changed: 151 additions & 0 deletions
@@ -0,0 +1,112 @@
+name: perf-gate
+
+# Performance regression gate. Runs `codeiq index` against fixture-multi-lang
+# and asserts wall-clock + node-count budgets. Catches regressions like:
+#   - Regex pathology re-introduced (e.g. the CertificateAuthDetector
+#     pre-screen miss that pushed indexing from 0.1s → 42s on PSA).
+#   - Detector over-emission past the dedup budget.
+#
+# Trigger: push to main + PRs that touch go/**. Manual via workflow_dispatch.
+# Failure is informational on PRs (`continue-on-error`) until the threshold
+# is curated against real-world load; once stable, set strict gate.
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'go/**'
+      - '.github/workflows/perf-gate.yml'
+  pull_request:
+    branches: [main]
+    paths:
+      - 'go/**'
+      - '.github/workflows/perf-gate.yml'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  bench:
+    name: index perf gate (fixture-multi-lang)
+    runs-on: ubuntu-latest
+    env:
+      CGO_ENABLED: '1'
+      # Per-target budgets. Tune as the fixture grows. Current
+      # fixture-multi-lang sits at ~50 files; an 8 s ceiling leaves
+      # headroom over the observed ~0.3 s without hiding obvious
+      # regressions (10x cushion catches the kinds of regex pathology
+      # that pushed PSA from 0.1 s → 42 s mid-port).
+      MAX_INDEX_SECONDS: '8'
+      MIN_NODES: '40'
+      MAX_PHANTOM_DROP_RATIO: '50'
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.25.10'
+          cache: true
+          cache-dependency-path: go/go.sum
+      - name: Install C toolchain
+        run: sudo apt-get update -y && sudo apt-get install -y build-essential
+      - name: Build codeiq
+        working-directory: go
+        run: go build -o /tmp/codeiq ./cmd/codeiq
+      - name: Stage fixture (separate copy so cache writes don't dirty git)
+        run: cp -r go/testdata/fixture-multi-lang /tmp/fm-perf
+      - name: Run + measure
+        id: bench
+        run: |
+          set -euo pipefail
+          START=$(date +%s.%N)
+          /tmp/codeiq index /tmp/fm-perf > /tmp/perf.log 2>&1
+          END=$(date +%s.%N)
+          ELAPSED=$(awk "BEGIN{printf \"%.3f\", $END - $START}")
+
+          # Parse the "Files: F  Nodes: N  Edges: E  ..." summary line.
+          NODES=$(awk -F'[ ]+' '/^Files:/ {print $4}' /tmp/perf.log)
+          EDGES=$(awk -F'[ ]+' '/^Files:/ {print $6}' /tmp/perf.log)
+          # Optional "Deduped: D nodes, ... Dropped: P phantom edges"
+          # line; absence is fine, defaults to 0.
+          DEDUP_NODES=$(awk -F'[ ,]+' '/^Deduped:/ {print $2}' /tmp/perf.log)
+          DEDUP_NODES=${DEDUP_NODES:-0}
+          DROPPED=$(awk -F'[ ]+' '/^Deduped:/ {for(i=1;i<=NF;i++) if($i=="Dropped:") print $(i+1)}' /tmp/perf.log)
+          DROPPED=${DROPPED:-0}
+
+          echo "elapsed=$ELAPSED" >> "$GITHUB_OUTPUT"
+          echo "nodes=$NODES"     >> "$GITHUB_OUTPUT"
+          echo "edges=$EDGES"     >> "$GITHUB_OUTPUT"
+          echo "dropped=$DROPPED" >> "$GITHUB_OUTPUT"
+
+          {
+            echo "## codeiq perf gate"
+            echo ""
+            echo "| metric | value | budget |"
+            echo "|---|---:|---:|"
+            echo "| wall-clock (s) | $ELAPSED | $MAX_INDEX_SECONDS |"
+            echo "| nodes | $NODES | >= $MIN_NODES |"
+            echo "| edges | $EDGES | — |"
+            echo "| deduped nodes | $DEDUP_NODES | — |"
+            echo "| dropped phantom edges | $DROPPED | ratio gated |"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+          cat /tmp/perf.log >> "$GITHUB_STEP_SUMMARY"
+
+          # --- Hard gates ---
+          fail=0
+          if awk "BEGIN{exit !($ELAPSED > $MAX_INDEX_SECONDS)}"; then
+            echo "::error::wall-clock $ELAPSED s exceeds budget $MAX_INDEX_SECONDS s"
+            fail=1
+          fi
+          if [ "${NODES:-0}" -lt "$MIN_NODES" ]; then
+            echo "::error::node count $NODES below minimum $MIN_NODES"
+            fail=1
+          fi
+          if [ "${EDGES:-0}" -gt 0 ] && [ "${DROPPED:-0}" -gt 0 ]; then
+            RATIO=$(( DROPPED * 100 / (EDGES + DROPPED) ))
+            if [ "$RATIO" -gt "$MAX_PHANTOM_DROP_RATIO" ]; then
+              echo "::error::phantom-edge drop ratio ${RATIO}% exceeds ${MAX_PHANTOM_DROP_RATIO}%"
+              fail=1
+            fi
+          fi
+          exit $fail
@@ -0,0 +1,124 @@
+name: release-go
+
+# Tag-triggered release pipeline for the codeiq Go binary.
+#
+# Trigger: push a tag matching `v*.*.*` (e.g. `git tag v1.0.0 && git push --tags`).
+# Cross-OS build via per-runner matrix (CGO + native kuzudb/sqlite means
+# we can't cross-compile cleanly from a single host).
+#
+# Phase 5 of the Java→Go port. Replaces release-java.yml (kept around
+# until Phase 6 cutover for any emergency Java release).
+
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Tag to release (e.g. v1.0.0). Must already exist.'
+        required: true
+
+permissions:
+  contents: write
+  id-token: write      # Sigstore keyless via GitHub OIDC
+  packages: write
+  attestations: write
+
+jobs:
+  # Per-target release. Runs the same .goreleaser.yml on each runner;
+  # archives are merged in the publish job below.
+  build:
+    name: build (${{ matrix.os }} / ${{ matrix.goarch }})
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: linux
+            goarch: amd64
+            runner: ubuntu-latest
+          - os: linux
+            goarch: arm64
+            runner: ubuntu-24.04-arm
+          - os: darwin
+            goarch: arm64
+            runner: macos-14
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.25.10'
+          cache: true
+          cache-dependency-path: go/go.sum
+      - name: Install build deps (linux)
+        if: runner.os == 'Linux'
+        run: sudo apt-get update -y && sudo apt-get install -y build-essential
+      - name: Install Syft (SBOM)
+        uses: anchore/sbom-action/download-syft@v0
+      - name: Install Cosign (signing)
+        uses: sigstore/cosign-installer@v3
+      - uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          version: '~> v2'
+          # Single-target build per runner; combined publish runs in a
+          # separate job that consumes all three artifact bundles.
+          args: build --single-target --clean --snapshot
+        env:
+          GOOS: ${{ matrix.os }}
+          GOARCH: ${{ matrix.goarch }}
+      - name: Upload binary artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: codeiq-${{ matrix.os }}-${{ matrix.goarch }}
+          path: dist/codeiq_*/codeiq*
+          retention-days: 1
+
+  # Combined publish: pulls the three binaries built above, packages
+  # them with SBOMs, signs the checksum manifest via Sigstore keyless,
+  # and uploads the GitHub Release. Runs on linux only.
+  release:
+    name: publish release
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.25.10'
+          cache: true
+          cache-dependency-path: go/go.sum
+      - name: Install build deps
+        run: sudo apt-get update -y && sudo apt-get install -y build-essential
+      - name: Install Syft (SBOM)
+        uses: anchore/sbom-action/download-syft@v0
+      - name: Install Cosign (signing)
+        uses: sigstore/cosign-installer@v3
+      - name: Download pre-built binaries
+        uses: actions/download-artifact@v4
+        with:
+          pattern: codeiq-*
+          path: prebuilt
+      - uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          version: '~> v2'
+          # Full release: archives + SBOMs + cosign sigs + GitHub Release
+          # draft + (optional) Homebrew tap. The owning org sets
+          # HOMEBREW_TAP_GITHUB_TOKEN to publish to homebrew-codeiq;
+          # forks leave it unset and the brew step skips silently.
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          HOMEBREW_TAP_OWNER: RandomCodeSpace
+          HOMEBREW_TAP_REPO: homebrew-codeiq
+          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
+      - name: Attest release artifacts (build provenance)
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: 'dist/codeiq_*.tar.gz'
@@ -0,0 +1,151 @@
+# Goreleaser config for codeiq Go binary releases.
+#
+# Trigger: tag push `vX.Y.Z` → .github/workflows/release-go.yml fires
+# this config. Local dry runs: `goreleaser release --snapshot --clean`.
+#
+# CGO is required (kuzudb + go-sqlite3 native deps), so we cross-compile
+# via per-target runners — see the release workflow matrix. This file
+# is consumed once per target OS.
+
+version: 2
+project_name: codeiq
+
+env:
+  - CGO_ENABLED=1
+  - GO_VERSION=1.25.10
+
+before:
+  hooks:
+    # Sanity gate. Failing here aborts the release before any binary
+    # leaves the runner.
+    - cd go && go mod download
+    - cd go && go test ./... -count=1
+
+builds:
+  - id: codeiq
+    main: ./cmd/codeiq
+    dir: go
+    binary: codeiq
+    env:
+      - CGO_ENABLED=1
+    flags:
+      - -trimpath
+    ldflags:
+      - -s -w
+      - -X 'github.com/randomcodespace/codeiq/go/internal/buildinfo.Version={{.Version}}'
+      - -X 'github.com/randomcodespace/codeiq/go/internal/buildinfo.Commit={{.ShortCommit}}'
+      - -X 'github.com/randomcodespace/codeiq/go/internal/buildinfo.Date={{.Date}}'
+      - -X 'github.com/randomcodespace/codeiq/go/internal/buildinfo.Dirty={{.IsGitDirty}}'
+    # CGO + kuzudb makes cross-arch fragile from a single host; the
+    # release workflow runs this config once per (OS, arch) runner.
+    goos:
+      - linux
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    ignore:
+      # darwin/amd64 needs a darwin runner — skip when this config is
+      # consumed on a linux runner. The release workflow re-runs the
+      # darwin builds on macOS runners.
+      - goos: darwin
+        goarch: amd64
+
+archives:
+  - id: codeiq
+    formats: [tar.gz]
+    name_template: >-
+      {{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}
+    files:
+      - LICENSE*
+      - README.md
+      - CHANGELOG.md
+
+checksum:
+  name_template: 'checksums.sha256'
+  algorithm: sha256
+
+snapshot:
+  version_template: '{{ incpatch .Version }}-next'
+
+# SBOM generation — Plan §5 SBOM signing requirement. Syft is the
+# OSS-CLI choice (matches the existing security.yml stack).
+sboms:
+  - id: codeiq-sbom
+    artifacts: archive
+    documents:
+      - '{{ .ArtifactName }}.sbom.spdx.json'
+    cmd: syft
+    args:
+      - '$artifact'
+      - --output
+      - 'spdx-json={{ .ArtifactName }}.sbom.spdx.json'
+
+# Cosign keyless signing of the checksum manifest. The release workflow
+# supplies the OIDC token via `id-token: write`; cosign records the
+# signature transparency entry in Rekor (public Sigstore log). No
+# long-lived signing key required.
+signs:
+  - id: cosign
+    cmd: cosign
+    args:
+      - sign-blob
+      - '--yes'
+      - '--output-signature=${signature}'
+      - '--output-certificate=${certificate}'
+      - '${artifact}'
+    artifacts: checksum
+    output: true
+    certificate: '${artifact}.pem'
+    signature: '${artifact}.sig'
+
+# Homebrew tap publish — opt-in via $HOMEBREW_TAP_GITHUB_TOKEN. When the
+# env var is empty (forks, dry runs), the upload is skipped so the same
+# .goreleaser.yml works for the owning org and downstream forks alike.
+brews:
+  - name: codeiq
+    repository:
+      owner: '{{ envOrDefault "HOMEBREW_TAP_OWNER" "RandomCodeSpace" }}'
+      name: '{{ envOrDefault "HOMEBREW_TAP_REPO" "homebrew-codeiq" }}'
+      token: '{{ envOrDefault "HOMEBREW_TAP_GITHUB_TOKEN" "" }}'
+    skip_upload: '{{ if eq (envOrDefault "HOMEBREW_TAP_GITHUB_TOKEN" "") "" }}true{{ else }}false{{ end }}'
+    commit_author:
+      name: codeiq-bot
+      email: noreply@github.com
+    directory: Formula
+    homepage: 'https://github.com/RandomCodeSpace/codeiq'
+    description: 'Deterministic code knowledge graph + MCP server'
+    license: 'Apache-2.0'
+    install: |
+      bin.install "codeiq"
+    test: |
+      assert_match "codeiq", shell_output("#{bin}/codeiq --version")
+
+release:
+  github:
+    owner: RandomCodeSpace
+    name: codeiq
+  draft: true
+  prerelease: auto
+  mode: replace
+  name_template: 'v{{ .Version }}'
+  header: |
+    ## codeiq v{{ .Version }}
+
+    Deterministic code knowledge graph — Go single-binary release.
+
+    Verify the download:
+
+        # Checksum
+        sha256sum -c checksums.sha256
+
+        # Signature (Sigstore keyless)
+        cosign verify-blob \
+          --certificate checksums.sha256.pem \
+          --signature checksums.sha256.sig \
+          --certificate-identity-regexp 'https://github.com/RandomCodeSpace/codeiq/.github/workflows/release-go.yml@.*' \
+          --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+          checksums.sha256
+  footer: |
+    ---
+    Built with Go {{ envOrDefault "GO_VERSION" "1.25.10" }} via Goreleaser.