feat: centralize hardcoded config into DEFAULTS with recursive deep merge

[carlos-alm]

Summary

• Route ~50 behavioral constants through the existing .codegraphrc.json config system so users can tune thresholds, depths, weights, and limits without editing source code
• Fix mergeConfig to recurse so partial overrides of nested objects (e.g. risk.weights.complexity) preserve unspecified sibling keys instead of silently dropping them
• Wire all config sections: analysis depths (impact, fn-impact, audit, sequence, brief, module-map), risk scoring (weights, roleWeights, defaultRoleWeight), search (topK, rrfK, minScore, similarityWarnThreshold), display (maxColWidth, excerpt/scan params), MCP page sizes, and structure cohesion threshold

Test plan

• 14 new unit tests: DEFAULTS shape for all new sections, recursive deep merge correctness, config loading with nested overrides
• Full suite: 1934 pass, 0 fail
• Lint clean (biome check)
• Verify .codegraphrc.json overrides flow through to affected commands (manual)

[claude]

Claude finished @carlos-alm's task —— View job

---

PR Review: Configuration Centralization

Review Checklist

• Phase 1: Root cause analysis
• Phase 2: Configuration change detection (high scrutiny)
• Phase 3: Test integrity check
• Phase 4: Code quality review
• Phase 5: Backlog compliance assessment
• Final structured assessment

Phase 1: Root Cause Analysis ✅

Problem Being Solved: Previously, behavioral constants like analysis depths, risk weights, search thresholds, and display limits were hardcoded throughout individual modules. This made it impossible for users to tune system behavior without editing source code.

Why This Approach: The PR centralizes ~50 behavioral constants into a comprehensive DEFAULTS object in config.js and fixes mergeConfig() to perform recursive deep merging. This allows users to override nested config sections (like risk.weights.complexity) while preserving unspecified sibling keys.

Risk Assessment: Low risk - this is a pure refactoring that moves existing hardcoded values into a centralized configuration system without changing default behaviors.

Phase 2: Configuration Change Detection ✅

No High-Risk Changes Detected:

• ✅ No biome/linting rules disabled or relaxed
• ✅ No test timeouts increased or coverage thresholds lowered
• ✅ No build configuration changes
• ✅ No TypeScript strict mode flags disabled
• ✅ No workaround patterns or eslint-disable comments

Phase 3: Test Integrity ✅

Tests Are Strengthening, Not Weakening:

• ✅ 14 new unit tests added for DEFAULTS shape validation and recursive merge correctness
• ✅ Tests verify deep merging preserves sibling keys (critical behavioral improvement)
• ✅ Tests cover edge cases like env overrides and secret resolution
• ✅ No existing test expectations lowered or assertions weakened
• ✅ All 1934 tests passing with 0 failures

Test Quality: The new tests in config.test.js:220-237 specifically validate the core fix - that risk.weights.complexity: 0.4 preserves sibling keys like fanIn: 0.25. This is exactly what should be tested.

Phase 4: Code Quality ✅

Implementation Analysis:

• ✅ Recursive mergeConfig() fix (lines 197-214): Properly handles nested object merging without mutating defaults
• ✅ Systematic config consumption: Files like triage.js:98-104, impact.js:112-113, semantic.js:13-16 consistently use opts.config || loadConfig() pattern
• ✅ Backwards compatibility: All default values preserved - this is purely additive
• ✅ No security concerns: No new command injection vectors, proper input validation maintained

Code Pattern Consistency:
The configuration consumption follows a consistent pattern:

const config = opts.config || loadConfig();
const maxDepth = opts.depth || config.analysis?.fnImpactDepth || 5; // fallback chain

Phase 5: Backlog Compliance ✅

Zero-dep: ✓ - No new runtime dependencies added
Foundation-aligned: ✓ - Fully aligned with P1 (always-current) and maintains zero-infrastructure
Problem-fit: 4/5 - Directly improves agent experience by allowing fine-tuning of analysis depths and thresholds without code changes
Breaking: No - Purely additive, all existing behavior preserved

Tier Classification: Tier 1 - Zero-dep ✓ + Foundation-aligned ✓

---

Root Cause Analysis

Problem Being Solved: ~50 behavioral constants were hardcoded across modules, preventing users from tuning system behavior (analysis depths, risk weights, search thresholds) without source code edits.

Why This Approach: Centralizes all tunable constants into DEFAULTS with recursive deep merge support, allowing partial config overrides like {"risk": {"weights": {"complexity": 0.4}}} to preserve sibling keys.

Risk Assessment: Very low - pure refactoring with no behavior changes and comprehensive test coverage.

Backlog Compliance

• Zero-dep: ✓ — No new dependencies
• Foundation-aligned: ✓ — Maintains zero-infrastructure principle
• Problem-fit: 4/5 — Directly improves AI agent experience by enabling behavior tuning
• Breaking: No — Purely additive changes
• Tier: 1

Critical Concerns

None. This is exemplary refactoring work.

Final Recommendation

• Rating: ⭐⭐⭐⭐⭐ (5/5)
• Action: APPROVE
• Reasoning: Excellent implementation that solves a real user pain point with comprehensive testing, no risk, and perfect backwards compatibility. The recursive merge fix and systematic config centralization will significantly improve the user experience.

[greptile-apps]

Greptile Summary

This PR centralizes ~50 scattered behavioral constants into a structured DEFAULTS object in src/infrastructure/config.js and fixes mergeConfig to recurse through nested objects, enabling users to tune thresholds, depths, weights, and limits via .codegraphrc.json without touching source code. The wiring spans analysis depths, risk scoring (weights, role weights, default role weight), search parameters, display settings, MCP page sizes, and the structure cohesion threshold.

Key changes:

• DEFAULTS in config.js gains new sections: analysis, community, structure, risk, display, mcp — each consumed by the relevant feature module via opts.config || loadConfig()
• mergeConfig is made recursive so partial nested overrides (e.g. risk.weights.complexity) preserve sibling keys instead of silently replacing the whole object
• All previously-discussed issues (unwired display opts, community.resolution fallback, MCP defaults test isolation) are addressed in this revision

Issues found:

• The local ROLE_WEIGHTS constant in src/graph/classifiers/risk.js was not updated to match the expanded DEFAULTS.risk.roleWeights — the four extended dead-variant roles (dead-leaf, dead-entry, dead-ffi, dead-unresolved) added to DEFAULTS are absent from the hardcoded fallback, so any direct caller of scoreRisk without opts will silently mismatch those roles to DEFAULT_ROLE_WEIGHT = 0.5
• opts.depth || config...depth || default patterns in fnImpactData, diffImpactData, and auditData use || instead of ??, silently discarding an explicitly-passed depth: 0

Confidence Score: 3/5

• Safe to merge after addressing the ROLE_WEIGHTS divergence; the depth || vs ?? issue is lower risk but worth fixing for correctness.
• The core config plumbing (mergeConfig recursion, DEFAULTS shape, wiring through feature modules) is correct and well-tested. Two genuine issues introduced by this PR reduce confidence: (1) the stale ROLE_WEIGHTS constant creates a silent scoring discrepancy for extended dead-variant node roles whenever scoreRisk is called without opts, and (2) the || depth pattern silently ignores depth: 0 across multiple call sites.
• src/graph/classifiers/risk.js — ROLE_WEIGHTS constant must be updated to include the 4 extended dead-variant roles added to DEFAULTS. src/domain/analysis/impact.js and src/features/audit.js — depth resolution should use ?? instead of ||.

Important Files Changed

Filename	Overview
src/infrastructure/config.js	Core of the PR: adds extensive DEFAULTS object with all new config sections, exports mergeConfig for testing, and correctly implements recursive deep-merge with array-replacement semantics. Logic is clean and well-tested.
src/graph/classifiers/risk.js	The local ROLE_WEIGHTS constant (7 entries) was not updated to match the 11-entry DEFAULTS.risk.roleWeights — direct callers of scoreRisk without opts fall back to the stale constant, silently misscoring dead-leaf/dead-entry/dead-ffi/dead-unresolved nodes.
src/domain/analysis/impact.js	Config wired correctly for fnImpactDepth and impactDepth, but uses `
src/features/audit.js	Config wired for auditDepth, but uses `
src/mcp/middleware.js	Clean — initMcpDefaults/resetMcpDefaults pattern correctly addresses the test-isolation concern flagged in previous review; module-level state is now resettable.
src/shared/paginate.js	New getMcpDefaults helper is straightforward and correct; flat-object shallow merge is appropriate for the MCP defaults shape.
src/features/triage.js	Risk config wired properly through config; correctly builds riskOpts from config.risk and passes to scoreRisk. The triageData path is safe, but relies on the config-provided roleWeights being present to avoid the stale fallback in risk.js.
tests/unit/config.test.js	Comprehensive new tests covering all new DEFAULTS sections, recursive deep-merge, array replacement, and immutability. Good coverage of the critical mergeConfig behavior.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    RC[".codegraphrc.json"] -->|"loadConfig()"| MC["mergeConfig(DEFAULTS, userConfig)\n(recursive deep-merge)"]
    MC --> CFG["config object"]

    CFG -->|"config.analysis"| AN["Analysis modules\nbriefData · fnImpactData\ndiffImpactData · auditData\nsequenceData · moduleMapData"]
    CFG -->|"config.risk"| TR["triageData\n→ scoreRisk(items, weights, riskOpts)"]
    CFG -->|"config.search"| SR["hybridSearchData\nsemanticSearchData"]
    CFG -->|"config.display"| DI["file-utils\nreadSourceRange · extractSummary\nextractSignature"]
    CFG -->|"config.structure"| ST["moduleBoundariesData\n(cohesionThreshold)"]
    CFG -->|"config.community"| CM["communitiesData\n(resolution)"]
    CFG -->|"config.mcp.defaults"| MCP["initMcpDefaults()\n→ effectiveLimit()"]
    CFG -->|"config.display.maxColWidth"| FMT["printAutoTable"]

    TR -.->|"opts.roleWeights = config.risk.roleWeights\n(11-entry set)"| RW["scoreRisk()"]
    RW -.->|"fallback (no opts)"| RWCONST["ROLE_WEIGHTS constant\n⚠ only 7 entries — stale"]

    style RWCONST fill:#ffcccc,stroke:#cc0000

Loading

_{Last reviewed commit: "fix: thread config.d..."}

[greptile-apps]

display config opts never passed by callers

The display config section in DEFAULTS (excerptLines, summaryMaxChars, jsdocEndScanLines, jsdocOpenScanLines, signatureGatherLines) was added to enable user-tunable display behavior, and the function signatures here correctly accept an opts argument. However, every call site in src/domain/analysis/context.js and src/domain/analysis/exports.js invokes these functions without any opts:

// context.js line 37
const summary = cLines ? extractSummary(cLines, c.line) : null;
// context.js line 103-104
signature: fileLines ? extractSignature(fileLines, s.line) : null,
summary:   fileLines ? extractSummary(fileLines, s.line) : null,
// context.js line 331
: readSourceRange(repoRoot, node.file, node.line, node.end_line);

Because no opts is ever passed, the functions always fall back to the hardcoded defaults in the parameter list (e.g. opts.excerptLines ?? 50), meaning any value a user sets under display in .codegraphrc.json is silently ignored. Similarly, opts.display in result-formatter.js is never populated from config anywhere in the CLI command handlers, so display.maxColWidth is also unreachable.

The display config section as merged from loadConfig() needs to be threaded through to these call sites, otherwise these config keys are effectively dead.

[carlos-alm]

Fixed. Added loadConfig() calls in contextData, explainData (context.js) and exportsData (exports.js), extracting config.display and threading it as the opts parameter through all internal calls to readSourceRange, extractSummary, and extractSignature — including buildCallees, explainFileImpl, explainFunctionImpl, explainCallees, and exportsFileImpl. Pattern used: const config = opts.config || loadConfig(); const displayOpts = config.display || {}; at each entry point, then passed down.

[greptile-apps]

community.resolution is never consumed from config

community.resolution is added to DEFAULTS (and will be merged into user config), but src/features/communities.js reads the resolution value directly from opts.resolution:

// features/communities.js line 147
const resolution = opts.resolution ?? 1.0;

The communities feature is not in the changed files for this PR and no wiring from config.community.resolution to opts.resolution was added. As a result, a user setting { "community": { "resolution": 2.0 } } in .codegraphrc.json will have no effect — the DEFAULTS entry is unreachable by the actual feature code.

[carlos-alm]

Fixed. communitiesData now loads config and uses a three-level fallback: opts.resolution ?? config.community?.resolution ?? 1.0. This makes the community.resolution DEFAULTS entry actually consumable via .codegraphrc.json.

[greptile-apps]

Module-level mutable state causes test isolation issues

resolvedDefaults is a module-level variable mutated by initMcpDefaults. Since ES modules are cached by the Node.js module registry, a call to initMcpDefaults in one test leaks into all subsequent tests that import effectiveLimit — there is no teardown/reset mechanism.

Consider exporting a resetMcpDefaults helper (or a getter pattern) so tests can clean up after themselves:

export function resetMcpDefaults() {
  resolvedDefaults = MCP_DEFAULTS;
}

Alternatively, pass resolvedDefaults as a parameter to effectiveLimit to avoid the shared mutable state entirely.

[carlos-alm]

Fixed. Added resetMcpDefaults() export that sets resolvedDefaults = MCP_DEFAULTS. Tests can call this in afterEach to avoid cross-test pollution from initMcpDefaults().

[carlos-alm]

All four review findings have been addressed in separate commits:

1. config.display threading (267bfb7) — contextData, explainData, and exportsData now load config.display and pass it through to all readSourceRange, extractSummary, and extractSignature call sites.

2. community.resolution wiring (6aba162) — communitiesData now reads config and falls back through opts.resolution ?? config.community?.resolution ?? 1.0.

3. resetMcpDefaults() for test isolation (741f3dc) — Added export that resets the module-level resolvedDefaults back to MCP_DEFAULTS.

4. || to ?? in search (0cc9e71) — Replaced || with ?? for minScore, limit, rrfK, and topK in semantic.js and hybrid.js so explicit 0 values are respected.

All 1922 tests pass, lint is clean.

@greptileai

[carlos-alm]

Addressed the two remaining issues from Greptile's summary:

1. cohesionThreshold || to ?? — structure.js now uses nullish coalescing so an explicit threshold of 0.0 is respected.
2. display.maxColWidth unreachable — outputResult now falls back to loadConfig().display when opts.display is not provided by CLI callers, making display.maxColWidth actually consumable via .codegraphrc.json.

All 1922 tests pass, lint clean.

@greptileai