Merge dev-publish and stable-publish into one publish.yml to satisfy
npm Trusted Publishing's one-workflow-per-package constraint.

- push to main → dev release (e.g. 2.0.1-dev.abc1234) with --tag dev
- GitHub Release event → stable release with --tag latest
- Concurrency group cancels in-flight dev publishes on rapid merges
- Skip logic for stable version bump commits (chore: release v*)
- Version computed in dedicated job, shared via outputs
- No git commits/tags/PRs for dev releases

The Rust resolve_import function produced paths like src/./db.js
because Path::join preserves . segments from relative imports.
This caused import edges to be lost for native engine users.

Fix by normalizing the resolved PathBuf immediately after join using
components().collect(), and upgrading normalize_path to also clean
. / .. segments. Remove the temporary path.normalize() JS workaround
since the Rust side now returns clean paths directly.

Prevent registry pollution from temp directory builds by checking
os.tmpdir() before auto-registration. Auto-prune stale entries on
`registry list` (CLI) and `list_repos` (MCP) so users and AI agents
always see a clean registry.

Prevent concurrent Claude Code instances from unstaging, deleting,
or reverting each other's files.

Wrap native resolveImport and resolveImports results with
normalizePath(path.normalize()) to catch any remaining ./.. segments
that the Rust engine might produce on edge cases.

Track lastAccessedAt on registry entries (updated on build and MCP
query). pruneRegistry now removes entries not accessed within a
configurable TTL (default 30 days) in addition to missing directories.
CLI `registry prune --ttl <days>` exposes the TTL parameter.

Move 9 language extractors (~1,630 lines) from parser.js into
src/extractors/, mirroring the native engine's per-file structure.
parser.js re-exports all extractors for backward compatibility.

Also fix config.test.js to match current embeddings default (jina-code).

Mark registry cleanup (#4) and git-diff guard (#6) as fixed.
Update testing summary for native engine and registry status.

…PATH env var

The cli.test.js afterAll called pruneRegistry() with no arguments, operating
on the real ~/.codegraph/registry.json. The run() helper also lacked HOME
isolation, risking writes to the real registry. Add CODEGRAPH_REGISTRY_PATH
env var support to registry.js, isolate all CLI spawns with a fake HOME, and
remove the bare pruneRegistry() call.

Previously --engine native silently fell back to WASM with a warning,
which was easy to miss. Now it throws a clear error with install
instructions, matching user intent. Auto mode remains unchanged.

…ctors

Each extractor's internal AST traversal function was identically named
`walk`, making codegraph search results ambiguous across languages.
Renamed to walkPythonNode, walkJavaScriptNode, walkGoNode, etc. so
symbol searches return unique, language-specific hits.

Unified command showing node/edge breakdowns, language distribution,
cycle counts, coupling hotspots, and embedding status. Supports --json.

Add guard-git.sh (PreToolUse) to block dangerous git commands that
interfere with parallel sessions, and track-edits.sh (PostToolUse) to
log edited files so commits can be validated against the session log.
Update CLAUDE.md with worktree-first workflow and fix the Claude Code
hooks example in recommended-practices.md to use the correct schema.

Add integration test that runs the embed+search pipeline with the real
minilm model to catch regressions from model updates, embedding text
format changes, or pipeline bugs. Includes a dedicated CI workflow
(weekly + on relevant PR changes) with HuggingFace model caching.

check-readme.sh and enrich-context.sh used jq for JSON parsing, which
isn't available on Windows. Switch to node inline scripts matching the
pattern used by guard-git.sh and track-edits.sh. Also commit
rebuild-graph.sh which was wired into settings.json but never tracked.