…4.0.3

Bump commander from 12.1.0 to 14.0.3

Mark registry cleanup (#4) and git-diff guard (#6) as fixed.
Update testing summary for native engine and registry status.

Re-rank codegraph from #8 (4.0) to #5 (4.5) reflecting v3.2.0 features:
41 CLI commands, 32 MCP tools, dataflow across all 11 languages, CFG,
sequence diagrams, architecture boundaries, unified graph model.

Add new competitors: GitNexus (#1, 18k stars), DeusData/codebase-memory-mcp
(#6, 793 stars in 25 days). Update star counts and feature status across
all 85+ ranked projects. Mark 7 roadmap items as DONE. Flag stagnant
projects. Update joern.md (3,021 stars, 75 contributors, 4 community MCP
wrappers) and narsil-mcp.md (129 stars, SPA frontend, +36 security rules,
development paused since Feb 25).

…#559)

* docs: update competitive analysis for v3.2.0 and March 2026 landscape

Re-rank codegraph from #8 (4.0) to #5 (4.5) reflecting v3.2.0 features:
41 CLI commands, 32 MCP tools, dataflow across all 11 languages, CFG,
sequence diagrams, architecture boundaries, unified graph model.

Add new competitors: GitNexus (#1, 18k stars), DeusData/codebase-memory-mcp
(#6, 793 stars in 25 days). Update star counts and feature status across
all 85+ ranked projects. Mark 7 roadmap items as DONE. Flag stagnant
projects. Update joern.md (3,021 stars, 75 contributors, 4 community MCP
wrappers) and narsil-mcp.md (129 stars, SPA frontend, +36 security rules,
development paused since Feb 25).

* docs: fix narsil SPA version attribution in competitive analysis overview

Line 18 incorrectly stated "v1.6.1" as the version when the SPA feature
was introduced. The SPA frontend was added in v1.6.0; v1.6.1 is the
current release. Updated to "added v1.6.0, current v1.6.1" to match the
detailed narsil-mcp.md entry.

* docs: remove hardcoded star count from joern comparison table

The "32 stars, growing" value in the Community & maturity row hardcodes
a stale star count. Other comparison tables use "Growing" consistently
for codegraph's community status. Updated to match.

* fix: correct GitNexus score, Tier 2 rank numbering, and jelly star count

- GitNexus overall score corrected from 4.7 to 4.5 to match the
  arithmetic mean of its six sub-scores (5+5+4+4+4+5)/6 = 4.5
- Tier 2 renumbered starting at #38 (was duplicating #37 with Tier 1);
  also resolves the pre-existing duplicate #43 (Bikach/ChrisRoyse now
  #44/#45), with all subsequent entries incremented accordingly
- jelly section header updated from 417 to 423 stars to match the
  ranking table

* fix: correct aider rank and codegraph star count per review feedback

* fix: align scoring breakdown sub-scores with overall rankings for stagnant projects

glimpse: Community 4→2 (stagnant since Jan 2026), avg now 3.83≈3.8 matching ranking.
autodev-codebase: Community 3→1 (stagnant since Jan 2026), avg now 3.33, ranking updated 3.4→3.3.

* fix: align ranking scores with sub-score averages for colbymchenry and axon

* fix: correct ranking inversion at positions #23/#24 (#559)

autodev-codebase (3.3) was ranked #23 above Claude-code-memory (3.4)
at #24. Swapped to maintain descending score order.

* fix: correct score mismatches for code-graph-rag (4.5→4.2) and arbor (3.7→4.2) (#559)

* fix: sync breakdown table row order with ranking table for #23/#24 (#559)

* fix: correct ranking inversions and stale rank references (#559)

* fix: correct sub-score/overall-score mismatches for codexray, loregrep, MATE

* fix: correct score mismatches and aider header rank

* fix: update narsil-mcp Key Metrics to reflect development stagnation (#559)

* fix: add missing "vs arbor" comparison section (#559)

* fix: remove duplicate vs-glimpse section and correct role names in vs-arbor (#559)

The duplicate vs-glimpse block (stale rank #10) was left behind when
vs-arbor was inserted. Removed it — the correct version exists at #11.
Also fixed role vocabulary in vs-arbor: bridge → adapter, added entry.

Move CFG block/edge and dataflow edge inserts from JS iteration to Rust
bulk operations, following the same pattern as bulk_insert_ast_nodes (6.9).

Rust side:
- cfg_db.rs: bulk_insert_cfg() resolves function node IDs, deletes stale
  data, inserts blocks+edges in a single rusqlite transaction
- dataflow_db.rs: bulk_insert_dataflow() pre-builds node resolution cache
  (local-first, global fallback), inserts edges in a single transaction

JS side:
- cfg.ts: native fast path collects CfgFunctionBatch[] and delegates to
  Rust when all CFG is pre-computed by the native engine
- dataflow.ts: native fast path converts DataflowResult (argFlows,
  assignments, mutations) into FileDataflowBatch[] for Rust insertion
- Both fall back to existing JS paths when native addon is unavailable

Target: cfgMs + dataflowMs < 50ms combined (from ~286ms with JS iteration)

* perf(ast): bulk-insert AST nodes via native Rust/rusqlite

Move AST node SQLite inserts from per-row JS iteration to a single
native Rust transaction via napi-rs + rusqlite. The new
bulkInsertAstNodes function opens the DB directly from Rust,
pre-fetches parent node definitions, and inserts all rows in one
transaction — eliminating the JS-native FFI overhead per row.

The JS-side buildAstNodes tries the native fast path first (when
all files have native astNodes arrays), falling back to the existing
JS loop for WASM or mixed-engine scenarios.

Target: astMs < 50ms on native full builds (was ~393ms).

* fix(ast): add busy_timeout pragma to Rust SQLite connection (#651)

The Rust connection omitted busy_timeout = 5000 which the JS-side
connection.ts sets. Without it, SQLITE_BUSY is returned immediately
on WAL contention instead of retrying for 5 seconds.

* fix(ast): fall back to JS when native bulk insert count mismatches (#651)

bulkInsertAstNodes returns 0 for both "nothing to insert" and hard
errors (DB open failure, SQLITE_BUSY, etc). Compare expected vs actual
count and fall through to the JS path on mismatch so errors don't
silently drop all AST nodes.

* docs(cargo): document rusqlite bundled feature rationale (#651)

Explain why bundled is intentional: Windows CI lacks system SQLite,
and dual-instance WAL coordination is OS-safe.

* fix(ast): match JS findParentDef semantics for null end_line (#651)

The Rust find_parent_id skipped definitions with end_line = NULL,
but the JS findParentDef treats them as always-enclosing with a
negative span (preferred over wider defs). This caused parent_node_id
mismatches between native and JS paths.

* fix(ast): treat row-level execute errors as fatal for transaction (#651)

Return 0 immediately on any insert_stmt.execute() failure so the
transaction drops and rolls back, ensuring all-or-nothing semantics.
Previously, .is_ok() silently swallowed row-level errors which could
commit partial data and misfire the JS fallback causing duplicate rows.

* perf(db): bulk CFG and dataflow DB writes via rusqlite (#6.10)

Move CFG block/edge and dataflow edge inserts from JS iteration to Rust
bulk operations, following the same pattern as bulk_insert_ast_nodes (6.9).

Rust side:
- cfg_db.rs: bulk_insert_cfg() resolves function node IDs, deletes stale
  data, inserts blocks+edges in a single rusqlite transaction
- dataflow_db.rs: bulk_insert_dataflow() pre-builds node resolution cache
  (local-first, global fallback), inserts edges in a single transaction

JS side:
- cfg.ts: native fast path collects CfgFunctionBatch[] and delegates to
  Rust when all CFG is pre-computed by the native engine
- dataflow.ts: native fast path converts DataflowResult (argFlows,
  assignments, mutations) into FileDataflowBatch[] for Rust insertion
- Both fall back to existing JS paths when native addon is unavailable

Target: cfgMs + dataflowMs < 50ms combined (from ~286ms with JS iteration)

* fix(db): add JS fallback on bulk-insert count mismatch (#653)

Match the ast.ts reference pattern: check the Rust return value
against the expected count and fall through to the JS path when
they disagree, preventing silent data loss on Rust-side errors.