github DeusData/codebase-memory-mcp v0.5.6

one month ago

What's New in v0.5.6

search_code v2 — Graph-Augmented Code Search

The search_code tool has been completely rewritten with a 4-phase pipeline that combines grep speed with knowledge graph intelligence:

  • 3 output modes: compact (default — function names + match lines), full (complete function bodies with highlighted matches), files (file list with match counts)
  • Graph ranking: results ranked by structural importance (definitions first, popular functions next, tests last)
  • Block expansion: grep matches automatically expanded to containing function boundaries — no more fragmented line snippets
  • path_filter: scope searches to specific directories (e.g., src/ only)
  • context lines: configurable context around matches in full mode
  • Directory distribution summary: shows which directories contain matches

Falls back gracefully to raw grep when the project isn't indexed.

Kubernetes & Kustomize Indexing

Full infrastructure-as-code support for Kubernetes manifests:

  • Parses Deployments, Services, ConfigMaps, Secrets, Ingress, CronJobs, and 20+ resource types
  • Kustomize overlay resolution (base → overlay relationships)
  • Resource nodes appear in the knowledge graph with labels, namespaces, and container specs
  • New Resource node label in graph schema

User-Defined Extension Mappings

Custom file extension → language mappings via .codebase-memory.json (project-level) or $XDG_CONFIG_HOME/codebase-memory-mcp/config.json (global):

{"extra_extensions": {".blade.php": "php", ".mjs": "javascript"}}

Project config takes priority over global config.

Security Fixes

  • SQL injection in store search/BFS and argument injection in HTTP server (#124, @map588)
  • Use-after-free in handle_manage_adr get path (#126, @halindrome)
  • Ghost .db file prevention: query handlers now verify project exists before opening SQLite — prevents empty database files from accumulating (#120)
  • Binary replacement: new cbm_replace_binary with unlink-before-write pattern, handles read-only targets and Windows rename-aside fallback (#114)
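
The unlink-before-write pattern named in the binary-replacement item, as an added example; this is not the project's cbm_replace_binary. The name replace_unlink_first, the demo scenario and the "v1"/"v2" contents are hypothetical, and only the POSIX path is covered, not the Windows rename-aside fallback.

```c
#define _POSIX_C_SOURCE 200809L   /* mkdtemp() under strict -std= modes */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (POSIX only); not the project's cbm_replace_binary. */
int replace_unlink_first(const char *path, const void *data, size_t len, mode_t mode) {
    /* Drop the old directory entry first. That needs write permission on the
     * directory, not on the file, so a read-only (0444) target is no obstacle. */
    if (unlink(path) != 0 && errno != ENOENT) return -1;
    /* O_EXCL: fail if anything reappeared at path; never follows a symlink. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
    if (fd < 0) return -1;
    const char *p = data;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) { close(fd); unlink(path); return -1; }
        p += n; len -= (size_t)n;
    }
    /* fchmod: the final mode does not depend on the caller's umask. */
    if (fchmod(fd, mode) != 0 || fsync(fd) != 0) { close(fd); unlink(path); return -1; }
    return close(fd);
}

/* Constructed scenario: a read-only "binary" that another process holds open. */
int demo(void) {
    char dir[] = "/tmp/replace-demo-XXXXXX", path[64], buf[4] = {0};
    if (!mkdtemp(dir)) return 1;
    snprintf(path, sizeof path, "%s/tool", dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0444);
    if (fd < 0 || write(fd, "v1", 2) != 2 || close(fd) != 0) return 2;
    int held = open(path, O_RDONLY);          /* stands in for the running process */
    if (held < 0 || replace_unlink_first(path, "v2", 2, 0755) != 0) return 3;
    if (read(held, buf, 2) != 2 || memcmp(buf, "v1", 2) != 0) return 4; /* old inode intact */
    close(held);
    struct stat st;
    fd = open(path, O_RDONLY);
    if (fd < 0 || read(fd, buf, 2) != 2 || memcmp(buf, "v2", 2) != 0) return 5;
    if (fstat(fd, &st) != 0 || (st.st_mode & 0777) != 0755) return 6;
    close(fd); unlink(path); rmdir(dir);
    return 0;
}

int main(void) { return demo(); }
```

The holder of the old descriptor keeps reading the old bytes because unlink only removes the name; the new file is a fresh inode created under that name.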

Stability & Compatibility Fixes

  • MCP stdio buffering: fixed poll()/getline() FILE* mismatch that caused tools/list to hang on some clients (#99, @halindrome)
  • SQLite WAL busy_timeout: set before journal_mode=WAL to prevent SQLITE_BUSY on lock contention (#117, @halindrome)
  • Import parser O(N²) → O(N): replaced indexed ts_node_child() loop with TSTreeCursor walk — fixes quadratic slowdown on files with many imports (#107, @halindrome)
  • Session project name mismatch: detect_session now uses same cbm_project_name_from_path() as pipeline
  • Windows: UI zip filename fix, setenv/unsetenv compat wrappers, USERPROFILE fallback when HOME unset
  • Linux: add -D_GNU_SOURCE for strcasestr visibility (#111, @trollkotze)
  • libgit2: fix -Wmissing-field-initializers build error (#91, @jsyrjala)
  • Memory leak: resolve_store leaked SQLite connection when querying unlinked .db after delete_project

Comprehensive Smoke Tests

Expanded from 4 phases to 7, covering the full binary lifecycle:

  • Phase 5: MCP stdio transport — initialize handshake, tools/list, tool call round-trip, Content-Length framing (OpenCode compatibility)
  • Phase 6: CLI subcommands — install/uninstall/update --dry-run, config set/get/reset, simulated binary replacement with read-only edge case
  • Phase 7: MCP advanced tool calls — search_code v2, get_code_snippet via JSON-RPC

Smoke tests now run in Docker test infrastructure (test-infrastructure/run.sh smoke) and in CI on all 10 platform×variant combinations.

Update Command Improvements

  • --dry-run flag: shows what would happen without downloading or modifying files
  • --standard / --ui flags: skip interactive variant prompt (CI-friendly)
  • Restart reminder after successful update

CI & Infrastructure

  • Pinned GitHub Actions to commit SHAs (dependabot: VirusTotal 5.0.0, setup-node 6.3.0, cosign-installer, attest-build-provenance)
  • Docker test infra: smoke and smoke-amd64 services for local cross-platform smoke testing
  • Cleaned up Go-era artifacts, updated THIRD_PARTY.md for pure C project

Contributors

A huge thank you to everyone who contributed to this release:

  • @halindrome — Outstanding contributions across the board: K8s/Kustomize indexing, user-defined extension mappings, MCP stdio fix, WAL ordering fix, ghost .db prevention, use-after-free fix, O(N²) import parser fix, and WAL journal mode fix. The backbone of this release.
  • @map588 — Critical SQL injection and argument injection security fix
  • @trollkotze — Linux build fix for strcasestr visibility
  • @jsyrjala — Build fix for libgit2 field initializers
  • @bingh0 — VS Code compatibility fixes (schema validation, install registration, protocol negotiation)

Thank you all for making codebase-memory-mcp better!


Security Verification

All release binaries have been independently verified:

VirusTotal — scanned by 70+ antivirus engines:

Binary Scan
codebase-memory-mcp-windows-amd64.exe View Report
codebase-memory-mcp-ui-windows-amd64.exe View Report
codebase-memory-mcp-ui-linux-arm64 View Report
codebase-memory-mcp-ui-linux-amd64 View Report
codebase-memory-mcp-ui-darwin-arm64 View Report
codebase-memory-mcp-ui-darwin-amd64 View Report
codebase-memory-mcp-linux-arm64 View Report
codebase-memory-mcp-linux-amd64 View Report
codebase-memory-mcp-darwin-arm64 View Report
codebase-memory-mcp-darwin-amd64 View Report
LICENSE View Report

Build Provenance (SLSA) — cryptographic proof each binary was built by GitHub Actions from this repo:

gh attestation verify <downloaded-file> --repo DeusData/codebase-memory-mcp

Sigstore cosign — keyless signature verification:

cosign verify-blob --bundle <file>.bundle <file>

Native antivirus scans — all binaries passed these scans before this release was created (any detection would have blocked the release):

  • Windows: Windows Defender with ML heuristics (the same engine end users run)
  • Linux: ClamAV with daily signature updates
  • macOS: ClamAV with daily signature updates

SBOM — Software Bill of Materials (sbom.json) lists all vendored dependencies.

See SECURITY.md for full details.
