chore: add automated semantic versioning and commit enforcement

- Add commitlint with conventional commit validation (local hook + CI)
- Add husky hooks for pre-commit linting and commit-msg validation
- Add commit-and-tag-version for auto-detected semver bumps and CHANGELOG generation
- Add CI workflow for PR commit and branch name validation
- Add PR template, admin guide for GitHub settings
- Update publish.yml to use commit-and-tag-version instead of manual npm version
- Update CONTRIBUTING.md with branch naming, breaking changes, expanded commit types

Author: github-actions[bot]

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,29 @@
+## Summary
+
+<!-- Briefly describe what this PR does and why -->
+
+## Type of change
+
+- [ ] Bug fix (`fix:`)
+- [ ] New feature (`feat:`)
+- [ ] Breaking change (`feat!:` or `fix!:`)
+- [ ] Refactoring (`refactor:`)
+- [ ] Documentation (`docs:`)
+- [ ] Tests (`test:`)
+- [ ] Maintenance (`chore:`, `ci:`, `build:`)
+
+## Testing checklist
+
+- [ ] I ran `npm test` and all tests pass
+- [ ] I ran `npm run lint` with no errors
+- [ ] I added/updated tests for my changes (if applicable)
+
+## Breaking changes
+
+<!-- If this is a breaking change, describe what breaks and the migration path -->
+
+N/A
+
+## Related issues
+
+<!-- Link related issues: Fixes #123, Closes #456 -->

.github/workflows/commitlint.yml

@@ -0,0 +1,41 @@
+name: Commitlint
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  validate-commits:
+    name: Validate commits
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+
+      - run: npm install
+
+      - name: Validate PR commits
+        run: npx commitlint --from ${{ github.event.pull_request.base.sha }} --to ${{ github.event.pull_request.head.sha }} --verbose
+
+  validate-branch-name:
+    name: Validate branch name
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check branch name
+        run: |
+          BRANCH="${{ github.head_ref }}"
+          PATTERN="^(feat|fix|docs|refactor|test|chore|ci|perf|build|release|dependabot|revert)/"
+          if [[ ! "$BRANCH" =~ $PATTERN ]]; then
+            echo "::error::Branch name '$BRANCH' does not match the required pattern."
+            echo "Branch names must start with one of: feat/, fix/, docs/, refactor/, test/, chore/, ci/, perf/, build/, release/, dependabot/, revert/"
+            exit 1
+          fi
+          echo "Branch name '$BRANCH' is valid."

.husky/commit-msg

@@ -0,0 +1 @@
+npx --no -- commitlint --edit $1

.husky/pre-commit

@@ -0,0 +1 @@
+npm run lint

.npmignore

@@ -1,7 +1,11 @@
 .git/
 .github/
 .codegraph/
+.husky/
 tests/
+docs/
 *.db
 .codegraphrc.json
+.versionrc.json
+commitlint.config.js
 codegraph-improvements.md

.versionrc.json

@@ -0,0 +1,21 @@
+{
+  "types": [
+    { "type": "feat", "section": "Features" },
+    { "type": "fix", "section": "Bug Fixes" },
+    { "type": "perf", "section": "Performance" },
+    { "type": "refactor", "section": "Refactoring" },
+    { "type": "revert", "section": "Reverts" },
+    { "type": "docs", "hidden": true },
+    { "type": "test", "hidden": true },
+    { "type": "chore", "hidden": true },
+    { "type": "ci", "hidden": true },
+    { "type": "build", "hidden": true },
+    { "type": "style", "hidden": true },
+    { "type": "release", "hidden": true }
+  ],
+  "releaseCommitMessageFormat": "release: v{{currentTag}}",
+  "tagPrefix": "v",
+  "scripts": {
+    "postbump": "node scripts/sync-native-versions.js"
+  }
+}

CLAUDE.md

@@ -90,6 +90,10 @@ Releases are triggered via the `publish.yml` workflow (`workflow_dispatch`). By
 
 The workflow can be overridden with a specific version via the `version-override` input. Locally, `npm run release:dry-run` previews the bump and changelog.
 
+## Git Conventions
+
+- Never add AI co-authorship lines (`Co-Authored-By` or similar) to commit messages.
+
 ## Node Version
 
 Requires Node >= 20.

CONTRIBUTING.md

@@ -11,12 +11,18 @@ kinds — bug fixes, new features, documentation, and new language support.
 ```bash
 git clone https://github.com/optave/codegraph.git
 cd codegraph
-npm install
+npm install                      # also installs git hooks via husky
 npm test                         # run the full test suite
 ```
 
 **Requirements:** Node.js >= 20
 
+After `npm install`, [Husky](https://typicode.github.io/husky/) automatically
+installs two git hooks:
+
+- **pre-commit** — runs `npm run lint` (Biome) before each commit
+- **commit-msg** — validates your commit message against the [commit convention](#commit-convention)
+
 ## Project Structure
 
 ```
@@ -61,9 +67,22 @@ npx vitest run -t "finds cycles"          # Single test by name
 npm run build:wasm               # Rebuild WASM grammars
 ```
 
+## Branch Naming Convention
+
+Branch names **must** match one of these prefixes:
+
+```
+feat/    fix/    docs/    refactor/    test/    chore/
+ci/      perf/   build/   release/     revert/  dependabot/
+```
+
+Examples: `feat/add-cpp-support`, `fix/cycle-detection-edge-case`,
+`chore/update-deps`. This is enforced in CI on pull requests.
+
 ## Commit Convention
 
-We use short conventional-style prefixes:
+We use [Conventional Commits](https://www.conventionalcommits.org/). Messages
+are validated locally by a `commit-msg` hook and in CI on pull requests.
 
 | Prefix | Use for |
 |--------|---------|
@@ -72,16 +91,38 @@ We use short conventional-style prefixes:
 | `docs:` | Documentation only |
 | `refactor:` | Code changes that don't fix bugs or add features |
 | `test:` | Adding or updating tests |
-| `chore:` | Maintenance, dependencies, CI |
+| `chore:` | Maintenance, dependencies |
+| `ci:` | CI/CD changes |
+| `perf:` | Performance improvements |
+| `build:` | Build system or external dependencies |
+| `style:` | Code style (formatting, whitespace) |
+| `revert:` | Reverting a previous commit |
 
 Examples:
 ```
 feat: add C language support
 fix: resolve false positive cycles in HCL modules
 docs: update adding-a-language guide
 test: add parity tests for Python extractor
+perf: cache tree-sitter parser instances
+ci: add branch naming check to PR workflow
 ```
 
+### Breaking Changes
+
+For breaking changes, add a `!` after the type or include a `BREAKING CHANGE:`
+footer:
+
+```
+feat!: rename --output flag to --format
+
+fix: change default export format
+
+BREAKING CHANGE: JSON export now uses camelCase keys instead of snake_case.
+```
+
+Breaking changes trigger a **major** version bump during release.
+
 ## Testing
 
 Tests use [vitest](https://vitest.dev/) with a 30-second timeout and globals
@@ -175,7 +216,9 @@ Use [GitHub Issues](https://github.com/optave/codegraph/issues) with:
 ## Code Style
 
 - All source is plain JavaScript (ES modules) — no transpilation
-- No linter is currently configured; keep style consistent with existing code
+- [Biome](https://biomejs.dev/) is used for linting and formatting (config in `biome.json`)
+- Run `npm run lint` to check and `npm run lint:fix` to auto-fix
+- The pre-commit hook runs the linter automatically
 - Use `const`/`let` (no `var`)
 - Prefer early returns over deep nesting
 - Keep functions focused and reasonably sized

commitlint.config.js

@@ -0,0 +1,24 @@
+export default {
+  extends: ["@commitlint/config-conventional"],
+  rules: {
+    "type-enum": [
+      2,
+      "always",
+      [
+        "feat",
+        "fix",
+        "docs",
+        "refactor",
+        "test",
+        "chore",
+        "ci",
+        "perf",
+        "build",
+        "style",
+        "revert",
+        "release",
+      ],
+    ],
+    "header-max-length": [2, "always", 100],
+  },
+};

docs/admin-guide.md

@@ -0,0 +1,67 @@
+# Admin Guide — GitHub Repository Settings
+
+This document describes the recommended GitHub settings for the codegraph
+repository. These must be configured manually by a repository admin.
+
+---
+
+## Branch Protection on `main`
+
+Go to **Settings > Branches > Add branch protection rule** for `main`:
+
+| Setting | Value |
+|---------|-------|
+| Require a pull request before merging | Yes |
+| Required approvals | 1 |
+| Dismiss stale pull request approvals when new commits are pushed | Yes |
+| Require status checks to pass before merging | Yes |
+| Required status checks | `Preflight checks` (CI), `Lint` (CI), `Validate commits` (Commitlint), `Validate branch name` (Commitlint) |
+| Require branches to be up to date before merging | Yes |
+| Require conversation resolution before merging | Yes |
+| Restrict who can push to matching branches | Optional (recommended for teams) |
+
+## Merge Strategy
+
+Go to **Settings > General > Pull Requests**:
+
+| Setting | Value |
+|---------|-------|
+| Allow merge commits | Yes |
+| Allow squash merging | Yes |
+| Allow rebase merging | No |
+| Automatically delete head branches | Yes |
+
+Disabling rebase merge ensures conventional commit history is preserved on
+`main`. Squash merging is allowed so that messy PR branches can be collapsed
+into a single conventional commit.
+
+## Environment Protection
+
+Go to **Settings > Environments** and create an environment called
+`npm-publish`:
+
+| Setting | Value |
+|---------|-------|
+| Required reviewers | At least 1 (e.g. project lead) |
+| Deployment branches | `main` only |
+
+This ensures that the publish workflow (`publish.yml`) requires manual
+approval before publishing to npm.
+
+## Secrets and Variables
+
+Go to **Settings > Secrets and variables > Actions**:
+
+| Secret | Purpose |
+|--------|---------|
+| `ANTHROPIC_API_KEY` | Used by the Claude workflow (if enabled) |
+
+**npm publishing** uses OIDC provenance (`--provenance` flag), so no
+`NPM_TOKEN` secret is needed — the publish workflow uses the built-in
+`id-token: write` permission with `setup-node`'s registry-url.
+
+## Dependabot
+
+Dependabot is already configured via `.github/dependabot.yml`. No additional
+admin setup is needed. Dependabot branches (`dependabot/`) are explicitly
+allowed by the branch naming convention.