feat(neo4j): read Neo4j connection options from env vars

The four --neo4j-* connection options now fall back to the standard
NEO4J_URI / NEO4J_USERNAME / NEO4J_PASSWORD / NEO4J_DATABASE environment
variables when the flag is omitted (explicit flag wins). Prefer the env var
for the password so it doesn't land in shell history or the process list.

Author: rahlk

CHANGELOG.md

@@ -12,7 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - **`graph.cypher` snapshot** (default) — a self-contained Cypher script (constraints + indexes, a scoped wipe of the project's prior subgraph, then batched `UNWIND … MERGE`). Load it with `cypher-shell < graph.cypher`. Needs no extra dependencies.
   - **Live Bolt push** (`--neo4j-uri`) — an **incremental** writer: only modules whose `content_hash` changed are rewritten, and on a full run modules whose source file vanished are pruned. Requires the optional `neo4j` driver (`pip install 'codeanalyzer-python[neo4j]'`).
 - **`--emit schema`** — emit the machine-readable, version-stamped Neo4j schema contract (`schema.json`: node labels, relationships, properties, constraints, indexes). Needs no project; bundled in every release as a GitHub Release asset and checked in as `schema.neo4j.json`. A `schema_version` (`1.0.0`) is stamped onto every graph's `:Application` node.
-- **New CLI options** mirroring the TypeScript analyzer's entrypoints: `--emit {json,neo4j,schema}`, `--app-name`, `--neo4j-uri`, `--neo4j-user`, `--neo4j-password`, `--neo4j-database`. `-i/--input` is now optional (not required for `--emit schema`).
+- **New CLI options** mirroring the TypeScript analyzer's entrypoints: `--emit {json,neo4j,schema}`, `--app-name`, `--neo4j-uri`, `--neo4j-user`, `--neo4j-password`, `--neo4j-database`. `-i/--input` is now optional (not required for `--emit schema`). The four Neo4j connection options also read from the standard `NEO4J_URI` / `NEO4J_USERNAME` / `NEO4J_PASSWORD` / `NEO4J_DATABASE` environment variables when the flag is omitted (an explicit flag wins), so the password need not appear in shell history or the process list.
 - **`codeanalyzer.neo4j`** package: `catalog` (the single source-of-truth schema catalog), `project` (pure IR → graph rows), `cypher` (snapshot writer), `bolt` (incremental writer), and `rows` (the output-agnostic intermediate).
 - **Schema conformance test** (`test/test_neo4j_schema.py`, always runs) — asserts the emitter never produces a label/relationship/property the catalog doesn't declare, and that the checked-in `schema.neo4j.json` is regenerated.
 - **Neo4j Testcontainers integration test** (`test/test_neo4j_bolt.py`, opt-in via `RUN_CONTAINER_TESTS=1`) — spins up a real Neo4j and asserts the pushed graph, idempotent re-push, vanished-declaration cleanup, and full-run orphan pruning.

README.md

@@ -95,10 +95,10 @@ To view the available options and commands, run `codeanalyzer --help`. You shoul
 │    --emit                                [json|neo4j|    Output target: json (analysis.json) | neo4j (graph.cypher or live    │
 │                                           schema]         Bolt push) | schema (the Neo4j schema.json contract). [default: json]│
 │    --app-name                            TEXT            Logical application name for the graph :Application anchor.          │
-│    --neo4j-uri                           TEXT            Push the graph to a live Neo4j over Bolt; omit to write graph.cypher.│
-│    --neo4j-user                          TEXT            Neo4j username. [default: neo4j]                                     │
-│    --neo4j-password                      TEXT            Neo4j password. [default: neo4j]                                     │
-│    --neo4j-database                      TEXT            Neo4j database name (default: server default).                       │
+│    --neo4j-uri                           TEXT            Push the graph to a live Neo4j over Bolt. [env: NEO4J_URI]            │
+│    --neo4j-user                          TEXT            Neo4j username. [env: NEO4J_USERNAME] [default: neo4j]               │
+│    --neo4j-password                      TEXT            Neo4j password. [env: NEO4J_PASSWORD] [default: neo4j]               │
+│    --neo4j-database                      TEXT            Neo4j database name. [env: NEO4J_DATABASE]                           │
 │    --codeql              --no-codeql                     Enable CodeQL-based analysis. [default: no-codeql]                   │
 │    --eager               --lazy                          Enable eager or lazy analysis. Defaults to lazy. [default: lazy]     │
 │    --cache-dir       -c                  PATH            Directory to store analysis cache. [default: None]                   │
@@ -183,6 +183,14 @@ By default this is printed to stdout in JSON; with `--output` it is written to `
 
 Call-graph endpoints that aren't present in the symbol table (third-party / framework / RPC targets) are materialized as `:External` ghost nodes, mirroring the analyzer's own ghost-node behaviour.
 
+The connection options also read from the standard Neo4j environment variables — `NEO4J_URI`, `NEO4J_USERNAME`, `NEO4J_PASSWORD`, `NEO4J_DATABASE` — when the corresponding flag is omitted (an explicit flag wins). Prefer the env var for the password so it doesn't land in shell history or the process list:
+
+```sh
+export NEO4J_URI=bolt://localhost:7687
+export NEO4J_PASSWORD=secret
+codeanalyzer -i ./my-project --emit neo4j     # credentials picked up from the environment
+```
+
 ### Schema contract
 
 `--emit schema` writes the machine-readable, version-stamped Neo4j schema (`schema.json`: node labels, relationships, properties, constraints, and indexes). It needs no project and is checked into the repo as `schema.neo4j.json` and bundled in every release as a GitHub Release asset, so a consumer can validate producer/consumer compatibility without invoking the tool. The shape of the contract matches the [`codeanalyzer-typescript`](https://github.com/codellm-devkit/codeanalyzer-typescript) backend.

codeanalyzer/__main__.py

@@ -53,19 +53,35 @@ def main(
         Optional[str],
         typer.Option(
             "--neo4j-uri",
+            envvar="NEO4J_URI",
             help="Push the graph to a live Neo4j over Bolt (incremental); omit to write "
-            "graph.cypher.",
+            "graph.cypher. [env: NEO4J_URI]",
         ),
     ] = None,
     neo4j_user: Annotated[
-        str, typer.Option("--neo4j-user", help="Neo4j username.")
+        str,
+        typer.Option(
+            "--neo4j-user",
+            envvar="NEO4J_USERNAME",
+            help="Neo4j username. [env: NEO4J_USERNAME]",
+        ),
     ] = "neo4j",
     neo4j_password: Annotated[
-        str, typer.Option("--neo4j-password", help="Neo4j password.")
+        str,
+        typer.Option(
+            "--neo4j-password",
+            envvar="NEO4J_PASSWORD",
+            help="Neo4j password. Prefer the env var over the flag (the flag is visible in shell "
+            "history / process list). [env: NEO4J_PASSWORD]",
+        ),
     ] = "neo4j",
     neo4j_database: Annotated[
         Optional[str],
-        typer.Option("--neo4j-database", help="Neo4j database name (default: server default)."),
+        typer.Option(
+            "--neo4j-database",
+            envvar="NEO4J_DATABASE",
+            help="Neo4j database name (default: server default). [env: NEO4J_DATABASE]",
+        ),
     ] = None,
     using_codeql: Annotated[
         bool, typer.Option("--codeql/--no-codeql", help="Enable CodeQL-based analysis.")