…oad + What's Changed)

The mikepenz changelog builder relies on GitHub's compare API, which 404s
("no common ancestor") for this repo's tag range after the history rewrites, so
it produced an empty changelog. Replace it with GitHub's native generated notes,
which list merged PRs/issues without needing the compare merge-base:

- Compose an install + download-table header (cargo-dist style, like the
  codeanalyzer-typescript release notes).
- softprops/action-gh-release@v2 with generate_release_notes: true appends a
  categorized "What's Changed" section.
- .github/release.yml groups PRs under emoji headings by label (Features, Fixes,
  Docs, Tests, Breaking, …), mirroring the old mikepenz categories.
- Drop the unused mindsers/mikepenz steps and release_config.json.

- update_readme.py: pin typer.rich_utils.MAX_WIDTH to WIDTH (100). Typer caps
  help at MAX_WIDTH=80 regardless of COLUMNS, so CI rendered the box much
  narrower than a dev machine and the release doc-sync kept shrinking it. Pinning
  it makes the rendered help wide and byte-identical local vs CI.
- README: regenerate the (now 100-wide) help block; add a GitHub release badge
  (github/v/release) alongside the PyPI / workflow / license badges.

Add `brew install codellm-devkit/tap/codeanalyzer-python`:
- packaging/homebrew/generate_formula.sh emits a formula that depends on `uv`
  and installs version-pinned wrappers running the published PyPI release via
  `uvx`. The package is pure-Python with heavy native deps (ray, pandas, numpy),
  so vendoring every transitive dependency as a Homebrew resource is impractical
  and pip-at-build-time is blocked by the sandbox; the uv-tool approach keeps the
  formula tiny and `brew install` sandbox-safe.
- release.yml gains a `homebrew` job (needs: release) that regenerates the
  formula on each tag and pushes it to codellm-devkit/homebrew-tap (requires the
  HOMEBREW_TAP_TOKEN secret, same as the codeanalyzer-typescript release).
- README: Install via Homebrew section; CHANGELOG: Unreleased entry.

`brew install` failed with "formula requires at least a URL" because the formula
had only version + depends_on. Point url at the released sdist and add its
sha256 (byte-identical to the PyPI sdist); the install method still just writes
the uv wrappers. The release `homebrew` job now hashes the published sdist and
passes SHA256 to generate_formula.sh.

Closes #47

The per-project analysis venv was built and populated but never used: __init__
left self.virtualenv = None and never reassigned it, so SymbolTableBuilder got
virtualenv=None and Jedi resolved against the default environment, ignoring the
installed dependencies. Set self.virtualenv to the venv path on both a fresh
build and a lazy reuse so Jedi resolves the project's third-party imports.

Also install dependencies with uv (uv pip install --python <venv>) instead of
pip: uv resolves and downloads in parallel with a shared global cache, which is
dramatically faster for large dependency trees (e.g. Odoo). uv ships as a
self-contained binary in its wheel, so it is present wherever canpy is installed
(including Docker); fall back to python -m pip when uv cannot be located.

…ges (#44)

Closes #44

Adopt the model codeanalyzer-typescript uses: external call targets are now
first-class in the IR instead of being re-derived ad hoc during Neo4j projection.

- schema: add PyExternalSymbol{name, module} and PyApplication.external_symbols,
  keyed by signature (mirrors TSExternalSymbol).
- core: _compute_external_symbols() classifies every call-graph endpoint not
  declared in the symbol table as an external (name/module from the signature),
  so analysis.json carries external info that was previously a bare target string.
- neo4j: :PyExternal gains a `module` property (SCHEMA_VERSION 1.0.0 -> 1.1.0,
  additive). project()'s _call_endpoint classifies authoritatively from
  external_symbols rather than a "present in the graph" heuristic, so an imported
  module name (a :PyPackage) can no longer shadow a call target and silently drop
  the PY_CALLS edge.
- rows: track node identity by (merge_label, value) so deferred PY_EXTENDS /
  PY_RESOLVES_TO edges can't be shadowed either.

Fixes the ~3.7% of call edges (e.g. targets os/re/json) that were dropped from
the emitted graph. Adds a regression test and exercises external_symbols in the
sample app; regenerates schema.neo4j.json.

Closes #45

The full-run prune deleted any :PyModule whose file_key was not in the current
emit across the ENTIRE database -- not just the application being written -- so a
full-run push for application B wiped application A's modules, leaving an orphaned
:PyApplication with zero PY_HAS_MODULE edges. A single Neo4j database therefore
could not hold multiple applications via full-run --emit neo4j.

Anchor the prune to the :PyApplication {name} being emitted
(MATCH (:PyApplication {name:$app})-[:PY_HAS_MODULE]->(m:PyModule) WHERE NOT
m.file_key IN $present ...), so it only removes that application's vanished
modules. Adds a container regression test (app-b push leaves app-a intact).

…ent env

Closes #46

Add a --no-venv flag (AnalysisOptions.no_venv) that skips virtualenv creation and
dependency installation and resolves imports against the ambient interpreter
(self.virtualenv stays None, so Jedi uses the default environment). Useful in CI /
containers where the project's dependencies are already installed, for sandboxed
runs where network installs are disallowed, and for speed. Tradeoff: import /
call-resolution quality then depends on what is installed in the ambient env.

Regenerates the README --help block; adds a CLI regression test (no virtualenv is
created and analysis.json is still produced).

Analysis venv (uv + Jedi wiring), external_symbols, app-scoped prune, --no-venv (#44 #45 #46 #47)