
chore: implement release hardening plan v2.2.0 #148

Merged
Anandb71 merged 3 commits into main from release-hardening-2.2.0
Jun 18, 2026

@Anandb71

Owner

Description

Brief description of what this PR does. Link any related issues.

Fixes #(issue number)

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Performance improvement
  • Code refactoring

Changes Made

  • List the key changes made in this PR
  • Be specific about files/modules affected

Testing

Describe how you tested your changes:

  • Ran cargo test --all
  • Ran cargo clippy --all
  • Ran flutter test (if applicable)
  • Tested manually with a real codebase

Screenshots (if applicable)

For visualizer changes, include before/after screenshots.

Checklist

  • My code follows the project's style guidelines
  • I have added tests for my changes
  • I have updated the documentation where necessary
  • All new and existing tests pass
  • I have added appropriate comments where the code isn't self-explanatory

@arbor-cloud

arbor-cloud Bot commented Jun 18, 2026


🔴 Arbor PR Walk

Path heat HIGH ░░░░░░░░░░ 3%
Branch release-hardening-2.2.0 → main
Impact 19 files · 28 symbols · 14 reachable callers
Entry Points 5 production endpoints reached
Languages Rust, TypeScript

Changed Files

File Symbols Direct Transitive Risk
🔴 extensions/arbor-vscode/src/extension.ts 18 9 HIGH
🔴 crates/arbor-cli/tests/diff_command_integration.rs 9 5 HIGH
scripts/install.sh 1 NONE

🎯 Production Entry Points Reached

This change propagates to these entry points (HTTP handlers, jobs, CLI commands):

  • activate
  • analyzeImpact
  • reindexWorkspace
  • showDiffImpact
  • showStatus

✅ Before You Merge

  • Manually verify the affected entry points: activate, analyzeImpact, reindexWorkspace (+2).
  • Trace the 14 affected callers for unintended side-effects.
  • Request a senior engineer review before merging.

🔍 Sensitive Path Check — REVIEW REQUIRED

1 sensitive surface · 0 entry points reachable · Confidence: 80%

Category File Symbols
Input Validation …s/arbor-cli/tests/diff_command_integration.rs Command Injection (CWE-78), line 41
Sensitive call paths
  • change reaches sink: diff_uses_env_commit_range_when_provided → run_git_stdout (1 hop) — full graph path to Command Injection in crates/arbor-cli/tests/diff_command_integration.rs line 41
  • change reaches sink: diff_uses_env_commit_range_when_provided → run_git_stdout (1 hop) — full graph path to Command Injection in crates/arbor-cli/tests/diff_command_integration.rs line 193
  • change reaches sink: diff_uses_env_commit_range_when_provided → run_git_stdout (1 hop) — full graph path to Command Injection in crates/arbor-cli/tests/diff_command_integration.rs line 250
  • change reaches sink: diff_uses_env_commit_range_when_provided → run_git_stdout (1 hop) — full graph path to Command Injection in crates/arbor-cli/tests/diff_command_integration.rs line 277
  • 🟡 Fix Command Injection in diff_command_integration.rs (line 41) [5 internal callers — inspect full call path before merge; path: diff_uses_env_commit_range_when_provided -> run_git_stdout] — Command::new() with non-literal command name — validate all inputs.
  • 🟡 Verify input validation still rejects malformed and malicious input
📊 Analysis confidence: High · 1390 nodes · 5063ms
  • Graph has 1390 nodes and 683 edges — well-connected codebase
  • 28 symbols changed, 14 upstream nodes analyzed


@github-actions


🌳 Arbor Impact Report

Risk Level: 🟠 High | Blast Radius: 29 nodes | Changed Symbols: 103

Changed Files

File Status
CHANGELOG.md Modified
Cargo.lock Modified
Cargo.toml Modified
crates/arbor-cli/Cargo.toml Modified
crates/arbor-cli/tests/diff_command_integration.rs Modified
crates/arbor-core/Cargo.toml Modified
crates/arbor-graph/Cargo.toml Modified
crates/arbor-gui/Cargo.toml Modified
crates/arbor-gui/README.md Modified
crates/arbor-mcp/Cargo.toml Modified
crates/arbor-server/Cargo.toml Modified
crates/arbor-watcher/Cargo.toml Modified
docs/INSTALL.md Modified
docs/MCP_INTEGRATION.md Modified
docs/ROADMAP.md Modified
extensions/arbor-vscode/package-lock.json Modified
extensions/arbor-vscode/src/extension.ts Modified
scripts/install.ps1 Modified
scripts/install.sh Modified

📊 Visual Impact Graph

graph TD
  classDef changed fill:#ef4444,stroke:#333,stroke-width:2px,color:#fff;
  classDef caller fill:#f59e0b,stroke:#333,stroke-width:1px,color:#fff;
  class Setup changed;
  class What changed;
  class step changed;
  class Arbor changed;

Impact Summary

Metric Count
Direct callers affected 16
Indirect callers affected 13
API entrypoints impacted 16
Files likely requiring updates 2
Total blast radius 29

⚠️ Warning: 16 API entrypoints are affected. Integration tests recommended.

🔍 Suggestion: Consider breaking this change into smaller PRs.


Powered by Arbor v2.2.0 — graph-native code intelligence

@Anandb71 Anandb71 merged commit e62f66b into main Jun 18, 2026
11 checks passed