feat(cli)!: make codehub analyze the one-command index (fast + scan + sbom + coverage-auto; summaries opt-in)#110
Merged
Commits:
- codehub analyze fast by default; summaries are opt-in
- codehub analyze the one-command index (fast + scan + sbom + coverage-auto; summaries opt-in)
`codehub analyze` with no flags now runs only the fast, local, deterministic pipeline — tree-sitter parse, SCIP resolution, graph composition, cochanges, ownership, and detectors. No Bedrock, no network hop, no AWS credentials required.

The Bedrock-backed `summarize` phase is opt-in. Opt in with one of:
- `--summaries` (per-invocation)
- `CODEHUB_BEDROCK_SUMMARIES=1` (environment / CI-wide)

`--no-summaries` and `CODEHUB_BEDROCK_DISABLED=1` still force the phase off; the kill-switch continues to win against both opt-in forms.

Embeddings were already opt-in via `--embeddings`; this change aligns the LLM phase with the same model.

Why: a bare `codehub analyze` should not block on a network hop, spend on LLM tokens, or require AWS creds. Summaries can be expensive on large repos (the auto cap is 10% of callables; hundreds of Bedrock calls on a mid-sized monorepo). Making them opt-in matches the indexing contract the rest of the CLI already follows (sbom, coverage, embeddings, skills) and lets `codehub analyze` be the dependable foundation of every agent workflow that doesn't need narrative text.

Changes:
- `resolveSummariesEnabled()` truth table flipped. Unknown flag + no env → false. New env opt-in `CODEHUB_BEDROCK_SUMMARIES=1`. Test suite refactored (9 tests, full coverage of the combined precedence).
- CLI entry now forwards `--summaries=true` to `runAnalyze` (was previously collapsed to `undefined`, which masked a dead code path).
- Help text, CLI reference table, indexing guide, and configuration reference all updated. Pipeline-level doc unchanged — it already documented the `PipelineOptions.summaries` default as `false`; only the CLI wrapper's historical default had drifted.

BREAKING CHANGE: bare `codehub analyze` no longer runs the summarize phase. Workflows that depended on implicit summarization must add `--summaries` or set `CODEHUB_BEDROCK_SUMMARIES=1`.
Extends the fast-default rework so a bare `codehub analyze` produces the
full local artifact set agents rely on:
- scan (NEW default ON): runs Priority-1 scanners at the end of analyze,
writes `.codehub/scan.sarif`, and ingests findings into the graph.
Makes `verdict`, `list_findings`, and `list_findings_delta` work on
day one without a separate `codehub scan` step. Network-backed
scanners (osv-scanner, grype, npm/pip audit) self-skip under
`--offline`, so the on-default stays honest for air-gapped runs.
Opt out with `--no-scan`; a scanner failure logs-and-continues so
analyze never regresses the graph because of a flaky scanner.
- sbom (flipped to default ON): emitting CycloneDX + SPDX from the
Dependency nodes the graph already has is cheap and universally
wanted. Opt out with `--no-sbom`.
- coverage (flipped to default AUTO): probes `coverage/lcov.info`,
`lcov.info`, `coverage.xml`, `build/reports/jacoco/test/
jacocoTestReport.xml`, `coverage.json` in that order and enables the
phase only when a report exists. Silent no-op otherwise (no spurious
"no report found" warning on repos without tests). `--coverage`
still force-enables and warns; `--no-coverage` force-disables.
New exports for tests: `resolveSbomEnabled`, `resolveScanEnabled`,
`resolveCoverageEnabled`, `detectCoverageReport`.
17 new unit tests (2044 total, was 2027):
- 3 × resolveSbomEnabled (default on, explicit on, --no-sbom)
- 3 × resolveScanEnabled (default on, explicit on, --no-scan)
- 7 × detectCoverageReport (5 candidate paths + miss + priority order)
- 4 × resolveCoverageEnabled (explicit true/false, undefined+none,
undefined+report-found)
Smoke-tested end-to-end on a throwaway 2-function TS repo:
- default `analyze` → runs scan (5 scanners, SARIF written, findings
ingested), emits sbom.cyclonedx.json + sbom.spdx.json, detects no
coverage report → silent no-op. Total ~10s.
- `analyze --no-scan --no-sbom` → 727 ms; pre-flip fast path preserved.
- `analyze` with `lcov.info` in repo → coverage phase auto-engages.
Docs: CLI reference table + indexing guide updated with the new
defaults and the auto-detect candidate paths.
BREAKING CHANGE: bare `codehub analyze` now runs Priority-1 scanners
and emits SBOMs. Pass `--no-scan` / `--no-sbom` for the pre-flip
graph-only behavior. Workflows that previously invoked `codehub scan`
separately still work; the post-analyze scan just makes the separate
invocation optional.
theagenticguy pushed a commit that referenced this pull request on May 15, 2026:
🤖 Automated release via release-please

---

<details><summary>cli: 0.3.0</summary>

## [0.3.0](cli-v0.2.3...cli-v0.3.0) (2026-05-15)

### ⚠ BREAKING CHANGES

* **cli:** make `codehub analyze` the one-command index (fast + scan + sbom + coverage-auto; summaries opt-in) ([#110](#110))
* **plugin:** the five slash commands (/probe, /verdict, /owners, /audit-deps, /rename) shipped by the Claude Code plugin are gone with no backward compatibility. Slash commands as a plugin surface are deprecated; the same workflows are still available via:

### Features

* **cli:** make `codehub analyze` the one-command index (fast + scan + sbom + coverage-auto; summaries opt-in) ([#110](#110)) ([62bff2f](62bff2f))
* **plugin:** remove deprecated Claude Code slash commands ([5769fc1](5769fc1))
</details>

<details><summary>root: 0.4.0</summary>

## [0.4.0](root-v0.3.2...root-v0.4.0) (2026-05-15)

### ⚠ BREAKING CHANGES

* **cli:** make `codehub analyze` the one-command index (fast + scan + sbom + coverage-auto; summaries opt-in) ([#110](#110))
* **plugin:** the five slash commands (/probe, /verdict, /owners, /audit-deps, /rename) shipped by the Claude Code plugin are gone with no backward compatibility. Slash commands as a plugin surface are deprecated; the same workflows are still available via:

### Features

* **cli:** make `codehub analyze` the one-command index (fast + scan + sbom + coverage-auto; summaries opt-in) ([#110](#110)) ([62bff2f](62bff2f))
* **plugin:** remove deprecated Claude Code slash commands ([5769fc1](5769fc1))
</details>

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Summary

Reshapes `codehub analyze` so a bare invocation produces the full local artifact set agents rely on — graph, SARIF, SBOM, coverage overlay (when present), ownership, cochanges — while keeping the LLM phase opt-in.

Before: `codehub analyze` built the graph; `codehub scan` and `--sbom`/`--coverage` were separate steps the operator had to remember. Agents calling `list_findings` or `verdict` on a fresh index got empty tables because the SARIF hadn't been written yet.

After: one command, one `.codehub/` folder with everything the MCP surface reads. Zero AWS, zero Bedrock, zero LLM calls unless explicitly opted in.
Default behavior (new)

| Phase | Default | Opt out / opt in |
| --- | --- | --- |
| scan | ON (writes `.codehub/scan.sarif` → graph findings) | `--no-scan` |
| sbom | ON | `--no-sbom` |
| coverage | AUTO (only when a report is found) | `--no-coverage` |
| summaries | OFF | `--summaries` to enable |
| embeddings | OFF | `--embeddings` to enable |

The `--offline` flag continues to work: network-backed scanners (osv-scanner, grype, npm/pip audit) self-skip, so the scan default stays honest for air-gapped runs.
Why

A bare `codehub analyze` should be the dependable foundation of every agent workflow. Before this change, calling `list_findings` or `verdict` on a fresh analyze returned empty — the SARIF hadn't been written yet. Operators either knew to chain `codehub analyze && codehub scan`, or silently got the degraded experience. Folding scan into analyze makes the MCP surface work on day one.

`sbom` and `coverage` follow the same logic: the cost of producing them is negligible when the data is already in the graph, and every downstream audit wants them. Coverage auto-detect is the key wrinkle — we silently skip when no report exists so repos without tests don't get warnings, and force-on (`--coverage`) still warns to catch setup errors.
Commits

1. feat(cli)!: make codehub analyze fast by default; summaries are opt-in — flips the `--summaries` default from ON to OFF; adds the `CODEHUB_BEDROCK_SUMMARIES=1` env opt-in; fixes a latent bug where the CLI collapsed `--summaries=true` to `undefined` before forwarding.
2. feat(cli)!: scan + sbom default on; coverage auto-detects reports — folds `runScan()` into `runAnalyze` as a best-effort step; flips the `--sbom` default to ON; adds `resolveCoverageEnabled` + `detectCoverageReport` for silent auto-detect.

Precedence — summaries

1. `CODEHUB_BEDROCK_DISABLED=1` → off (kill-switch wins over both opt-in forms)
2. flag=true (`--summaries`) → on
3. flag=false (`--no-summaries`) → off
4. `CODEHUB_BEDROCK_SUMMARIES=1` → on
5. nothing set → off
Changes

- `resolveSummariesEnabled()` — truth table flipped, new env opt-in.
- `resolveSbomEnabled()` — trivial default-on.
- `resolveScanEnabled()` — trivial default-on.
- `resolveCoverageEnabled()` + `detectCoverageReport()` — auto-detect lcov / cobertura / jacoco / coverage.py at the same candidate paths the ingestion phase uses.
- `runAnalyze` — invokes `runScan()` (from `./scan.js`) as a best-effort step at the end, logs the findings count, writes `.codehub/scan.sarif`. Scanner failure logs-and-continues so analyze never regresses the graph over a flaky scanner.
- `sbom`/`coverage`/`scan` opts, adds `--no-sbom`/`--no-coverage`/`--no-scan`.
- 4 × resolveCoverageEnabled, 9 × resolveSummariesEnabled).
- `reference/cli.md` and `guides/indexing-a-repo.md` updated.

Verification
- `pnpm typecheck` — green across 19 workspace projects.
- `pnpm lint` — green. (The one `info` diagnostic is the stale Biome `$schema` URL fixed in build(deps): unify dependabot bumps for npm + GitHub Actions #109.)
- `pnpm -r test` — 2,044 tests pass (was 2,027 on main; +26 new / -9 replaced).
- `verdict` flagged this PR as `dual_review` (2 symbols / 4 communities / 28 symbols affected) — expected for a breaking CLI change; surfaced here for reviewer awareness, not a CI failure.
Smoke test on a fresh 2-function TS repo (bare `codehub analyze`). `.codehub/` now contains: `graph.lbug`, `temporal.duckdb`, `meta.json`, `scan.sarif`, `sbom.cyclonedx.json`, `sbom.spdx.json`, `scan-state.json`, `parse-cache/`. Previously it contained only `graph.*`, `meta.json`, and `parse-cache/`. `--no-scan --no-sbom` reproduces the pre-flip fast path (~727 ms).

Opt-in Bedrock path:
BREAKING CHANGES

- `codehub analyze` no longer runs the summarize phase. Workflows depending on implicit summarization must add `--summaries` or set `CODEHUB_BEDROCK_SUMMARIES=1`. `CODEHUB_BEDROCK_DISABLED=1` continues to work unchanged.
- `codehub analyze` now runs Priority-1 scanners and emits SBOMs. Pass `--no-scan`/`--no-sbom` for the pre-flip graph-only behavior. Workflows that previously chained `codehub analyze && codehub scan` still work; the chained scan is now redundant.
Test plan

- priority order.
- `pnpm -r test` — 2,044 passing, 0 fails.
- `--no-scan --no-sbom`, `--coverage` with report, `--summaries`, `CODEHUB_BEDROCK_SUMMARIES=1`, and kill-switch all behave as specified.
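The flag/env precedence for the summarize phase, the coverage-report auto-detect, and the best-effort post-analyze scan that the commit messages and the PR's Precedence and Changes sections describe, written out as one stand-alone TypeScript example. This is an added illustration, not the codehub project's own code: the function names `resolveSummariesEnabled`, `detectCoverageReport` and `resolveCoverageEnabled` mirror the ones the PR mentions, but their signatures, the `Env`, `Scanner` and `ScanResult` types, `resolveDefaultOn`, `runScanBestEffort`, the injectable `exists` probe and the warning text are assumptions made for this example. The candidate paths and the precedence order are taken from the PR as written.

```typescript
// Added example (not codehub's own code): the PR #110 precedence rules as
// plain functions, plus coverage auto-detect and the best-effort scan step.
// Names, signatures and types below are assumptions for illustration.
import * as fs from "node:fs";
import * as path from "node:path";

export type Env = Record<string, string | undefined>;

// summarize: kill-switch > explicit flag > env opt-in > default OFF.
export function resolveSummariesEnabled(flag: boolean | undefined, env: Env): boolean {
  if (env.CODEHUB_BEDROCK_DISABLED === "1") return false; // wins over both opt-ins
  if (flag !== undefined) return flag;                    // --summaries / --no-summaries
  if (env.CODEHUB_BEDROCK_SUMMARIES === "1") return true; // CI-wide opt-in
  return false;                                           // bare analyze: no Bedrock
}

// sbom and scan: default ON; only an explicit --no-<phase> turns them off.
export function resolveDefaultOn(flag: boolean | undefined): boolean {
  return flag ?? true;
}

// Coverage reports are probed in this order; the first hit wins.
export const COVERAGE_CANDIDATES = [
  "coverage/lcov.info",
  "lcov.info",
  "coverage.xml",
  "build/reports/jacoco/test/jacocoTestReport.xml",
  "coverage.json",
] as const;

// `exists` is injectable so the priority order can be checked without a real repo.
export function detectCoverageReport(
  repoRoot: string,
  exists: (p: string) => boolean = (p) => fs.existsSync(p),
): string | undefined {
  for (const rel of COVERAGE_CANDIDATES) {
    const abs = path.join(repoRoot, rel);
    if (exists(abs)) return abs;
  }
  return undefined;
}

export interface CoverageDecision { enabled: boolean; report?: string; warn?: string }

// coverage: an explicit flag wins; AUTO engages only when a report exists and is
// otherwise a silent no-op. Forced on without a report still enables, but warns.
export function resolveCoverageEnabled(
  flag: boolean | undefined,
  repoRoot: string,
  exists?: (p: string) => boolean,
): CoverageDecision {
  if (flag === false) return { enabled: false };
  const report = detectCoverageReport(repoRoot, exists);
  if (flag === true) {
    return report
      ? { enabled: true, report }
      : { enabled: true, warn: "--coverage given but no report found at any candidate path" };
  }
  return report ? { enabled: true, report } : { enabled: false };
}

export interface Scanner { name: string; network: boolean; run: () => number }
export interface ScanResult { ran: string[]; skipped: string[]; failed: string[]; findings: number }

// Post-analyze scan as a best-effort step: network-backed scanners self-skip
// under --offline, and a throwing scanner is logged and skipped so the graph
// built earlier in analyze is never discarded because of one flaky tool.
export function runScanBestEffort(
  scanners: Scanner[],
  offline: boolean,
  log: (msg: string) => void = console.warn,
): ScanResult {
  const out: ScanResult = { ran: [], skipped: [], failed: [], findings: 0 };
  for (const s of scanners) {
    if (offline && s.network) { out.skipped.push(s.name); continue; }
    try {
      out.findings += s.run();
      out.ran.push(s.name);
    } catch (err) {
      out.failed.push(s.name);
      log(`scanner ${s.name} failed, continuing: ${(err as Error).message}`);
    }
  }
  return out;
}

// Stand-alone demo against the real environment and working directory.
console.log("summaries:", resolveSummariesEnabled(undefined, process.env));
console.log("coverage:", resolveCoverageEnabled(undefined, process.cwd()));
```

Run it from a repo root to see the bare-`analyze` decisions for that checkout; set `CODEHUB_BEDROCK_SUMMARIES=1` and then `CODEHUB_BEDROCK_DISABLED=1` to watch the opt-in engage and the kill-switch override it. The injectable `exists` probe is what lets the candidate-path priority be asserted deterministically, which is the property the PR's `detectCoverageReport` tests are checking.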