Security
- MCP transport buffer cap: Added 10 MB MAX_BUFFER_SIZE limit to prevent out-of-memory attacks via oversized Content-Length headers or unbounded newline-delimited input
- Content-Length validation: Reject Content-Length values exceeding the buffer cap before allocating memory
- Stack overflow prevention: Replaced recursive readNewlineMessage with iterative loop to prevent stack overflow from consecutive empty lines
- Ambiguous prefix hardening: Tightened looksLikeContentLength to require 14+ bytes before matching, preventing false framing detection on short input
- Closed transport guard: send() now rejects with a clear error when called after close(), with proper write-error propagation
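The framing checks listed above, sketched as an added JavaScript example; this is not GitNexus source code. The names MAX_BUFFER_SIZE and looksLikeContentLength are taken from these notes, while their bodies, the drain() helper and the sample inputs are assumptions, and framing is decided per message here for brevity.

```javascript
// Added illustration, not GitNexus source; drain() and all bodies are hypothetical.
const MAX_BUFFER_SIZE = 10 * 1024 * 1024; // the 10 MB cap from the release notes
const CL = 'content-length';              // 14 bytes

// Match the header name only once all 14 bytes are present, so short input
// is never mistaken for Content-Length framing.
function looksLikeContentLength(buf) {
  return buf.length >= CL.length &&
    buf.subarray(0, CL.length).toString('latin1').toLowerCase() === CL;
}

// Parse every complete message held in `buf`; returns { messages, rest }.
// Throws before touching a message body when a limit is exceeded.
function drain(buf) {
  const messages = [];
  for (;;) { // iterative: a run of empty lines costs loop turns, not stack frames
    if (buf.length > MAX_BUFFER_SIZE) throw new RangeError('buffer cap exceeded');
    if (looksLikeContentLength(buf)) {
      const end = buf.indexOf('\r\n\r\n');
      if (end === -1) break; // header block incomplete, wait for more bytes
      const header = buf.subarray(0, end).toString('latin1');
      const m = /^content-length:[ \t]*(\d{1,15})[ \t]*$/im.exec(header);
      if (!m) throw new SyntaxError('malformed Content-Length header');
      const len = Number(m[1]);
      // Validate the declared size before any body-sized work is done.
      if (len > MAX_BUFFER_SIZE) throw new RangeError('Content-Length exceeds cap');
      const start = end + 4;
      if (buf.length < start + len) break; // body incomplete
      messages.push(JSON.parse(buf.subarray(start, start + len).toString('utf8')));
      buf = buf.subarray(start + len);
    } else {
      const nl = buf.indexOf(0x0a);
      if (nl === -1) break; // no full line yet; the cap check bounds growth
      const line = buf.subarray(0, nl).toString('utf8').trim();
      buf = buf.subarray(nl + 1);
      if (line !== '') messages.push(JSON.parse(line)); // empty lines are skipped
    }
  }
  return { messages, rest: buf };
}
```

A caller would append each incoming chunk to `rest` and call drain() again, closing the transport if it throws.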
Added
- Dual-framing MCP transport (CompatibleStdioServerTransport): Auto-detects Content-Length and newline-delimited JSON framing on the first message, responds in the same format (#207)
- Lazy CLI module loading: All CLI subcommands now use createLazyAction() to defer heavy imports (tree-sitter, ONNX, KuzuDB) until invocation, significantly improving gitnexus mcp startup time (#207)
- Type-safe lazy actions: createLazyAction uses constrained generics to validate export names against module types at compile time
- Regression test suite: 13 unit tests covering transport framing, security hardening, buffer limits, and lazy action loading
Fixed
- CALLS edge sourceId alignment: findEnclosingFunctionId now generates IDs with :startLine suffix matching node creation format, fixing process detector finding 0 entry points (#194)
- LRU cache zero maxSize crash: Guard createASTCache against maxSize=0 when repos have no parseable files (#144)
Changed
- Transport constructor accepts NodeJS.ReadableStream / NodeJS.WritableStream (widened from concrete types)
- processReadBuffer simplified to break on first error instead of stale-buffer retry loop
What's Changed
- feat: local backend mode for web UI by @paulrobello in #49
- feat(plugin): self-contained Claude Code plugin with bundled MCP, hooks, and skills by @L1nusB in #68
- feat(ui): Add a copy button to the Nexus AI and copy the md result by @CrazyBunQnQ in #75
- feat(php): full PHP 8+ / Laravel support with Eloquent model tracking by @gunesbizim in #64
- Probe for CUDA before attempting GPU embeddings by @BlockSecCA in #58
- feat: remote server connection mode and multi-repo switching by @baconwasr1ght in #66
- fix(mcp): don't crash server when no repos are indexed by @abhigyanpatwari in #96
- fix: lazy-import embeddings to avoid onnxruntime crash on Node v24+ by @abhigyanpatwari in #99
- fix: ensure exec usage does not allow poisoning by @strazzere in #61
- feat(ingestion): add AST decorator-based entrypoint hints by @PurpleNewNew in #102
- fix(web): map API path field to repoPath in fetchRepoInfo by @christopheralex-cc in #105
- feat(swift): full Swift / iOS language support with SPM import resolution by @jandyx in #94
- feat: add Kotlin language support by @magyargergo in #84
- Feat/php laravel support by @gunesbizim in #133
- feat: inline imperative instructions in CLAUDE.md/AGENTS.md by @abhigyanpatwari in #190
- chore: bump version to 1.3.7 by @abhigyanpatwari in #191
- fix(cli): force-exit after analyze to prevent KuzuDB hang by @abhigyanpatwari in #192
- chore: bump version to 1.3.8 by @abhigyanpatwari in #193
- fix(ingestion): align CALLS edge sourceId with node ID format by @abhigyanpatwari in #194
- fix: guard createASTCache against zero maxSize to prevent LRU cache crash by @magyargergo in #144
- Improve MCP startup compatibility and lazy-load CLI commands by @Shockang in #207
New Contributors
- @paulrobello made their first contribution in #49
- @L1nusB made their first contribution in #68
- @CrazyBunQnQ made their first contribution in #75
- @gunesbizim made their first contribution in #64
- @BlockSecCA made their first contribution in #58
- @baconwasr1ght made their first contribution in #66
- @strazzere made their first contribution in #61
- @PurpleNewNew made their first contribution in #102
- @christopheralex-cc made their first contribution in #105
- @jandyx made their first contribution in #94
- @magyargergo made their first contribution in #84
- @Shockang made their first contribution in #207
Full Changelog: v1.2.8...v1.3.10