v0.6.0

v0.6.0 — Semantic Search, SIMILAR_TO Edges & Cross-Language Intelligence

85+ commits since v0.5.7. Major release adding vector-based semantic search, structural near-clone detection, cross-language import resolution, and significant quality-of-life improvements across all platforms.

Semantic Search & Vector Embeddings

• semantic_query tool: keyword-based vector search across the entire codebase graph via cbm_cosine_i8 SQL function
• Nomic nomic-embed-code embeddings: 40K pretrained token vectors (768d int8), distilled from nomic-ai/nomic-embed-code with simulated attention
• 11-signal combined scoring: TF-IDF, Reflective Random Indexing, API/Type/Decorator signatures, AST structural profiles, approximate data flow, Halstead-lite metrics, MinHash, module proximity, graph diffusion
• SEMANTICALLY_RELATED edges: connect functions with vocabulary mismatch but similar purpose (score >= 0.80, max 10 per node, same-language only)
• Per-keyword min-cosine scoring replaces merged vector averaging for better precision
• Score clamping to [0,1] — proximity multiplier no longer pushes scores above 1.0
• Clone deduplication: SIMILAR_TO pairs with Jaccard >= threshold skip SEMANTICALLY_RELATED

SIMILAR_TO Edges (Near-Clone Detection)

• MinHash fingerprinting: 64-hash signatures from leaf-only AST tokens with structural weighting
• LSH index: band-based locality-sensitive hashing for O(1) candidate retrieval
• Parallel scoring: worker pool queries LSH, scores candidates, emits edges
• Unique trigram gate filters trivially short functions
• SIMILAR_TO edges with Jaccard similarity and same-file flag in properties

Full-Text Search

• BM25 full-text search via FTS5 with cbm_camel_split tokenizer (camelCase/snake_case aware)
• Incremental FTS5 rebuild on index updates

New Edge Types & Detection

• EMITS / LISTENS_ON edges for Socket.IO, EventEmitter, and generic channel patterns
• Constant resolution: const EVENT = "foo"; emit(EVENT) resolves channel names through per-file constant tables
• IMPORTS edges with relative path resolution for JS/TS (./foo, ../bar), Python (.helpers, ..utils), Ruby
• DATA_FLOWS edges with argument-to-parameter mapping + field access chains
• Cross-service communication discovery + RAM-first incremental indexing
• AST-based route registration replacing prescan infrastructure
• HCL infrastructure binding extraction + prefix-decorator false positive fix
• Generalized route registration + infra binding bridge

Graph Query & Tool Improvements

• 6 previously-ignored params wired up: min_degree, max_degree, exclude_entry_points, include_connected, aspects filter, since for detect_changes
• include_tests param on trace_path — mark test files in BFS results
• risk_labels on trace_path for security-sensitive path tracing
• --progress CLI flag for real-time indexing feedback
• CBM_CACHE_DIR env var for configurable database directory
• moderate index mode added to tool schema (between full and fast)
• Schema properties exposure for param_names, param_types, decorators
• include_connected fix: BFS inbound+outbound run separately (was merging incorrectly)

Quality of Life

• Nested .gitignore support: subdirectory gitignores now respected during indexing — critical for monorepos (#178)
• Skill consolidation: 4 separate skills merged into 1 with progressive disclosure
• Smart update: skip update when already on latest version
• Runtime binary detection in install command (no longer hardcoded)
• Git submodule support in watcher: detect dirty state inside submodules
• Fast→full mode change detection + auto-enable UI for ui-variant binary
• Layout endpoint: O(n*e) edge mapping replaced with binary search
• Layout JSON: handle invalid UTF-8 and NaN in serialization

Platform Fixes

• Windows: Zed/VS Code/KiloCode config paths, PATH delimiter, S_IXUSR check, agent detection using home_dir-relative paths, APPDATA-based userconfig test
• Linux portable: Alpine musl compatibility, security audits added to smoke tests, XDG_CONFIG_HOME in smoke environment
• Cross-platform vector blob assembly: preprocessor conditionals for macOS Mach-O / Linux ELF / Windows COFF
• C++ SEGV fix: NULL deref in LSP type resolver on large header files

Code Quality & Linting

• 337 linter warnings resolved across 16 files (named constants, cognitive complexity extraction)
• Cognitive complexity threshold set to industry default (25), 168 functions split
• cbm_write_db god-function split (569 → 325 lines)
• All NOLINTNEXTLINE suppressions eliminated, iterative AST walkers
• ASan leak fix in semantic corpus token_map

CI/CD & Security

• Decoupled security gate: security-static + CodeQL run independently, don't block test/build/smoke pipeline
• Security audits on ALL binary variants (standard + UI) — previously UI binaries were unaudited
• AV-safe token vocabulary: 11 heuristic-triggering words removed from Nomic embeddings
• CI split into reusable workflow components
• Vendored dependency bumps: SQLite 3.51.3, Mongoose 7.21, mimalloc 3.2.8
• Actions bumped: download-artifact v8.0.1, attest-sbom v2, cosign v4.1.1, msys2 v2.31.0, checkout v6.0.2, cache v5.0.4, upload-artifact v7.0.0, attest-build-provenance v4.1.0, codeql-action v4.35.1

Contributors

• @halindrome — Git submodule dirty state detection, risk_labels on trace_path
• @Koolerx — C# Interface registry fix, base_list handler, FTS5 BM25 search, JS/TS IMPORTS resolution, Channel schema
• @dLo999 — CBM_CACHE_DIR configurable database directory, skip-update-when-latest, nested .gitignore support (#178)
• @Selene29 — Layout binary search optimization, UTF-8/NaN serialization fix
• @slvnlrt — Windows PATH delimiter fix, runtime binary path detection
• @jimpark — Zed and VS Code Windows config path fixes
• @ahundt — Wire up silently-ignored search_graph params
• @maplenk — include_tests param on trace_path, search_graph param wiring
• @gdilla — Skill consolidation, risk_labels + --progress CLI flag

VirusTotal Scan Results

All release artifacts scanned — 0 detections across all engines.

File	Engines	Detections	Report
codebase-memory-mcp-linux-amd64	64	0	View
codebase-memory-mcp-linux-arm64	62	0	View
codebase-memory-mcp-linux-amd64-portable	64	0	View
codebase-memory-mcp-linux-arm64-portable	62	0	View
codebase-memory-mcp-darwin-arm64	63	0	View
codebase-memory-mcp-darwin-amd64	61	0	View
codebase-memory-mcp-windows-amd64.exe	71	0	View
codebase-memory-mcp-ui-linux-amd64	64	0	View
codebase-memory-mcp-ui-linux-arm64	61	0	View
codebase-memory-mcp-ui-linux-amd64-portable	64	0	View
codebase-memory-mcp-ui-linux-arm64-portable	63	0	View
codebase-memory-mcp-ui-darwin-arm64	62	0	View
codebase-memory-mcp-ui-darwin-amd64	61	0	View
codebase-memory-mcp-ui-windows-amd64.exe	71	0	View
install.sh	62	0	View
install.ps1	62	0	View
LICENSE	61	0	View

v0.5.7

v0.5.7 — Stability, Install & Endurance Testing Overhaul

53 commits, 3 merged PRs, 10 bugs closed. The most significant stability release since the Go→C rewrite.

Database Concurrency Fix (Critical)

• Root cause found: three threads (MCP handler, autoindex, watcher) could corrupt the database — rename(.db.tmp, .db) over open SQLite connections produced 48K+ garbage rows
• Architecture change: rename() eliminated entirely. Indexing writes directly, reindexing deletes old DB first, incremental upserts unchanged
• Pipeline lock serializes concurrent runs; corrupt DB auto-detected and cleaned

Install & Update

• install.sh + install.ps1 included in every release archive with --skip-config flag (#145)
• Kills stale MCP servers, strips macOS quarantine, ad-hoc signs binary
• Refreshes all 10 agent configs on every update
• In-memory zip extraction — no unzip needed on Windows
• Windows .exe path handling fixed across install, update, and uninstall

Windows Path Normalization (PR #146)

• Mixed path separators normalized to forward slashes at all entry points
• cbm_normalize_path_sep() works on ALL platforms (cross-platform DB files)

Soak Test Suite (New)

• Quick soak (10 min), ASan soak (15 min), weekly endurance (4h) — all per-platform
• RSS tracking, FD drift, query latency, crash recovery (kill -9 + clean restart)
• All soak tiers are release gates — no release ships without passing

Bug Fixes

• #139 Stack overflow in autoindex — 8MB default thread stack (thanks @theron-sapp for the detailed crash report with stack addresses, frequency table, and workaround!)
• #140 index_repository fails on Windows — this report by @Flipper1994 triggered the complete concurrency architecture overhaul!
• #137 detect_changes fails on paths with spaces (thanks @shekthesnek for the sharp observation that 12 tools worked but 1 didn't!)
• #135 macOS Gatekeeper blocks binary (thanks @heraque for the thorough xattr/spctl/codesign analysis!)
• #133 search_code rejects Windows backslash (thanks @ckelly8 for pinpointing the root cause!)
• #130 O(N²) import extractors hang on large files (thanks @halindrome for both the issue AND the fix in PR #131!)
• #127 Connection closed constantly — all crash paths fixed (thanks @kingofthebongo2008!)
• #145 Skip agent config in install scripts (thanks @sherif-fanous — implemented same day!)
• Arena buffer overflow, test detection gaps, memory leaks, CodeQL TOCTOU, taskkill self-kill, MSYS2 python3 path translation, vendored tre ssize_t

Testing

• 2586 unit tests (up from 2042), zero skipped, zero memory leaks
• 480+ new tests covering arena, FQN, graph buffer, MCP dispatch, pipeline, store, YAML, watcher
• 15-phase smoke suite on all platforms including Windows
• Soak tests as release gate — endurance verified before every release

Security

• Install scripts in VirusTotal scan alongside binaries (120 min timeout, all files must pass)
• system() eliminated from all production code
• Vendored dependency integrity checksums enforced

---

Contributors 🙏

Every bug report and PR made this release better. Thank you:

Contributor	Contribution
@halindrome	O(N²) import fix (PR #131) — merged
@jimpark	Windows path normalization (PR #146) — merged
@chitralverma	OpenCode config format fix (PR #134) — merged
@theron-sapp	Stack overflow crash report (#139) — fixed
@Flipper1994	Windows rename failure (#140) — fixed, triggered concurrency overhaul
@shekthesnek	Windows path-with-spaces (#137) — fixed
@heraque	macOS quarantine analysis (#135) — fixed
@ckelly8	Windows backslash root cause (#133) — fixed
@kingofthebongo2008	Connection stability (#127) — fixed
@sherif-fanous	Skip-config feature request (#145) — implemented

---

Security Verification

All release binaries have been independently verified:

VirusTotal — scanned by 70+ antivirus engines:

Binary	Scan
install.sh	View Report
install.ps1	View Report
codebase-memory-mcp-windows-amd64.exe	View Report
codebase-memory-mcp-ui-windows-amd64.exe	View Report
codebase-memory-mcp-ui-linux-arm64	View Report
codebase-memory-mcp-ui-linux-amd64	View Report
codebase-memory-mcp-ui-darwin-arm64	View Report
codebase-memory-mcp-ui-darwin-amd64	View Report
codebase-memory-mcp-linux-arm64	View Report
codebase-memory-mcp-linux-amd64	View Report
codebase-memory-mcp-darwin-arm64	View Report
codebase-memory-mcp-darwin-amd64	View Report
LICENSE	View Report
Build Provenance (SLSA) — cryptographic proof each binary was built by GitHub Actions from this repo:

gh attestation verify <downloaded-file> --repo DeusData/codebase-memory-mcp

Sigstore cosign — keyless signature verification:

cosign verify-blob --bundle <file>.bundle <file>

Native antivirus scans — all binaries passed these scans before this release was created (any detection would have blocked the release):

• Windows: Windows Defender with ML heuristics (the same engine end users run)
• Linux: ClamAV with daily signature updates
• macOS: ClamAV with daily signature updates

SBOM — Software Bill of Materials (sbom.json) lists all vendored dependencies.

See SECURITY.md for full details.

v0.5.6

What's New in v0.5.6

search_code v2 — Graph-Augmented Code Search

The search_code tool has been completely rewritten with a 4-phase pipeline that combines grep speed with knowledge graph intelligence:

• 3 output modes: compact (default — function names + match lines), full (complete function bodies with highlighted matches), files (file list with match counts)
• Graph ranking: results ranked by structural importance (definitions first, popular functions next, tests last)
• Block expansion: grep matches automatically expanded to containing function boundaries — no more fragmented line snippets
• path_filter: scope searches to specific directories (e.g., src/ only)
• context lines: configurable context around matches in full mode
• Directory distribution summary: shows which directories contain matches

Falls back gracefully to raw grep when the project isn't indexed.

Kubernetes & Kustomize Indexing

Full infrastructure-as-code support for Kubernetes manifests:

• Parses Deployments, Services, ConfigMaps, Secrets, Ingress, CronJobs, and 20+ resource types
• Kustomize overlay resolution (base → overlay relationships)
• Resource nodes appear in the knowledge graph with labels, namespaces, and container specs
• New Resource node label in graph schema

User-Defined Extension Mappings

Custom file extension → language mappings via .codebase-memory.json (project-level) or $XDG_CONFIG_HOME/codebase-memory-mcp/config.json (global):

{"extra_extensions": {".blade.php": "php", ".mjs": "javascript"}}

Project config takes priority over global config.

Security Fixes

• SQL injection in store search/BFS and argument injection in HTTP server (#124 — @map588)
• Use-after-free in handle_manage_adr get path (#126 — @halindrome)
• Ghost .db file prevention: query handlers now verify project exists before opening SQLite — prevents empty database files from accumulating (#120)
• Binary replacement: new cbm_replace_binary with unlink-before-write pattern, handles read-only targets and Windows rename-aside fallback (#114)

Stability & Compatibility Fixes

• MCP stdio buffering: fixed poll()/getline() FILE* mismatch that caused tools/list to hang on some clients (#99 — @halindrome)
• SQLite WAL busy_timeout: set before journal_mode=WAL to prevent SQLITE_BUSY on lock contention (#117 — @halindrome)
• Import parser O(N²) → O(N): replaced indexed ts_node_child() loop with TSTreeCursor walk — fixes quadratic slowdown on files with many imports (#107 — @halindrome)
• Session project name mismatch: detect_session now uses same cbm_project_name_from_path() as pipeline
• Windows: UI zip filename fix, setenv/unsetenv compat wrappers, USERPROFILE fallback when HOME unset
• Linux: add -D_GNU_SOURCE for strcasestr visibility (#111 — @trollkotze)
• libgit2: fix -Wmissing-field-initializers build error (#91 — @jsyrjala)
• Memory leak: resolve_store leaked SQLite connection when querying unlinked .db after delete_project

Comprehensive Smoke Tests

Expanded from 4 phases to 7, covering the full binary lifecycle:

• Phase 5: MCP stdio transport — initialize handshake, tools/list, tool call round-trip, Content-Length framing (OpenCode compatibility)
• Phase 6: CLI subcommands — install/uninstall/update --dry-run, config set/get/reset, simulated binary replacement with read-only edge case
• Phase 7: MCP advanced tool calls — search_code v2, get_code_snippet via JSON-RPC

Smoke tests now run in Docker test infrastructure (test-infrastructure/run.sh smoke) and in CI on all 10 platform×variant combinations.

Update Command Improvements

• --dry-run flag: shows what would happen without downloading or modifying files
• --standard / --ui flags: skip interactive variant prompt (CI-friendly)
• Restart reminder after successful update

CI & Infrastructure

• Pinned GitHub Actions to commit SHAs (dependabot: VirusTotal 5.0.0, setup-node 6.3.0, cosign-installer, attest-build-provenance)
• Docker test infra: smoke and smoke-amd64 services for local cross-platform smoke testing
• Cleaned up Go-era artifacts, updated THIRD_PARTY.md for pure C project

---

Contributors

A huge thank you to everyone who contributed to this release:

• @halindrome — Outstanding contributions across the board: K8s/Kustomize indexing, user-defined extension mappings, MCP stdio fix, WAL ordering fix, ghost .db prevention, use-after-free fix, O(N²) import parser fix, and WAL journal mode fix. The backbone of this release.
• @map588 — Critical SQL injection and argument injection security fix
• @trollkotze — Linux build fix for strcasestr visibility
• @jsyrjala — Build fix for libgit2 field initializers
• @bingh0 — VS Code compatibility fixes (schema validation, install registration, protocol negotiation)

Thank you all for making codebase-memory-mcp better!

---

Security Verification

All release binaries have been independently verified:

VirusTotal — scanned by 70+ antivirus engines:

Binary	Scan
codebase-memory-mcp-windows-amd64.exe	View Report
codebase-memory-mcp-ui-windows-amd64.exe	View Report
codebase-memory-mcp-ui-linux-arm64	View Report
codebase-memory-mcp-ui-linux-amd64	View Report
codebase-memory-mcp-ui-darwin-arm64	View Report
codebase-memory-mcp-ui-darwin-amd64	View Report
codebase-memory-mcp-linux-arm64	View Report
codebase-memory-mcp-linux-amd64	View Report
codebase-memory-mcp-darwin-arm64	View Report
codebase-memory-mcp-darwin-amd64	View Report
LICENSE	View Report
Build Provenance (SLSA) — cryptographic proof each binary was built by GitHub Actions from this repo:

gh attestation verify <downloaded-file> --repo DeusData/codebase-memory-mcp

Sigstore cosign — keyless signature verification:

cosign verify-blob --bundle <file>.bundle <file>

Native antivirus scans — all binaries passed these scans before this release was created (any detection would have blocked the release):

• Windows: Windows Defender with ML heuristics (the same engine end users run)
• Linux: ClamAV with daily signature updates
• macOS: ClamAV with daily signature updates

SBOM — Software Bill of Materials (sbom.json) lists all vendored dependencies.

See SECURITY.md for full details.

v0.5.5

Security

• CodeQL SAST — static analysis with build-mode manual (100% source coverage), zero open alerts gate
• Shell injection elimination — replaced system() calls with cbm_exec_no_shell() (fork+execvp), no tainted data reaches a shell
• snprintf overflow fixes — 11 buffer overflow vulnerabilities fixed (clamp offset after each append)
• TOCTOU race fixes — atomic file permissions, open-then-fstat pattern
• 31 security defense tests — shell injection, SQLite authorizer, SQL injection via Cypher, path containment, shell-free exec
• Fuzz testing — random/mutated JSON-RPC + Cypher inputs on every build
• Native antivirus scanning — Windows Defender, ClamAV (Linux + macOS) on every build
• VirusTotal zero-tolerance gate — all release binaries scanned by 70+ engines before publish
• SLSA provenance + Sigstore cosign + SBOM (SPDX 2.3) + SHA-256 checksums
• GitHub Actions pinned to SHA with Dependabot

Antivirus false positive prevention

Added multi-layer AV scanning to the build pipeline to catch and prevent false positives before they reach users. Removed DLL resolve tracking strings that triggered heuristic detection. Every binary in this release has been verified clean by 70+ antivirus engines via VirusTotal. (Fixes #89)

New features

• Content-Length framed transport — OpenCode compatibility
• 10 agent detection — OpenClaw + VS Code support
• Dual MCP config location — ~/.claude/.mcp.json + ~/.claude.json

Bug fixes

• Fix Swift call extraction: 0 CALLS edges (#43)
• Fix Laravel route false positives: extension scoping + path filter (PR #65)
• Port FastAPI Depends() edge tracking (PR #66)
• Keep WAL journal mode during bulk write (PR #72)
• Fix VS Code compatibility (PR #79)
• Remove DLL resolve tracking (Windows Defender false positive)

Contributors

Thanks to @halindrome, @bingh0, @mariomeyer, @kingchenc for code contributions, and @Maton-Nenoso for reporting #89 which led to the comprehensive AV scanning infrastructure in this release.

---

Security Verification

All release binaries have been independently verified:

VirusTotal — scanned by 70+ antivirus engines:

Binary	Scan
codebase-memory-mcp-darwin-amd64	View Report
codebase-memory-mcp-darwin-arm64	View Report
codebase-memory-mcp-linux-amd64	View Report
codebase-memory-mcp-linux-arm64	View Report
codebase-memory-mcp-ui-darwin-amd64	View Report
codebase-memory-mcp-ui-darwin-arm64	View Report
codebase-memory-mcp-ui-linux-amd64	View Report
codebase-memory-mcp-ui-linux-arm64	View Report
codebase-memory-mcp-ui.exe	View Report
codebase-memory-mcp-windows-amd64.exe	View Report
LICENSE	View Report
Build Provenance (SLSA) — cryptographic proof each binary was built by GitHub Actions from this repo:

gh attestation verify <downloaded-file> --repo DeusData/codebase-memory-mcp

Sigstore cosign — keyless signature verification:

cosign verify-blob --bundle <file>.bundle <file>

Native antivirus scans — all binaries passed these scans before this release was created (any detection would have blocked the release):

• Windows: Windows Defender with ML heuristics (the same engine end users run)
• Linux: ClamAV with daily signature updates
• macOS: ClamAV with daily signature updates

SBOM — Software Bill of Materials (sbom.json) lists all vendored dependencies.

See SECURITY.md for full details.

v0.5.3

Incremental Reindex

Auto-detects previously indexed projects and re-parses only changed files.

• mtime+size classification against stored hashes
• Surgical node deletion (edges cascade), re-parse only deltas
• Instant no-op (<1ms) when nothing changed
• Auto-routes: first run = full RAM pipeline, subsequent = incremental disk

Scenario	Time
Nothing changed	<1ms
1 file modified	~2ms
1 file added/deleted	~1ms

ADR Hints

• index_repository: adr_present + adr_hint when no ADR exists
• get_graph_schema: adr_present + adr_hint per project
• manage_adr GET: creation hint when no ADR

Simplified get_code_snippet

Streamlined to exact QN + suffix matching. Guides users to search_graph when symbol not found.

Upgrading

```bash
codebase-memory-mcp update
```

v0.5.2

Fixes

• Release RAM after indexing: Call `mi_collect(true)` after pipeline completion to return mimalloc pages to the OS. On Linux this immediately reduces RSS; on macOS pages are marked reusable (cosmetically retained until memory pressure).
• Standalone Windows binary: Add `-static` to Windows linker flags. The binary no longer requires `libc++.dll`, `libunwind.dll`, or any MSYS2/CLANG64 runtime DLLs — fully self-contained .exe.

Upgrading

```bash
codebase-memory-mcp update
```

v0.5.1

Hotfix: MCP protocol handshake

Fixes the MCP server failing to connect to Claude Code (and other MCP clients).

Bug: protocolVersion in the initialize response was returned as a nested object {"version":"2024-11-05"} instead of the plain string "2024-11-05" required by the MCP specification. Claude Code rejected the malformed response and marked the server as failed.

Fix: One-line change — protocolVersion is now a plain string value.

Upgrading from v0.5.0

```bash
codebase-memory-mcp update
```

All other v0.5.0 features (Go-to-C rewrite, 8-agent install, UI, auto-index, update check) are unchanged.

v0.5.0

Complete Go to C Rewrite

v0.5.0 is the first release built entirely from C. The entire codebase -- pipeline, store, MCP server, CLI, watcher -- has been rewritten from Go to C, with tree-sitter grammars compiled via CGo replaced by vendored C source for all 64 languages.

What this enables

• RAM-first pipeline: All indexing runs in memory (LZ4 HC compressed read, in-memory SQLite, single dump at end). Zero disk I/O between bulk load and final write.
• Fused Aho-Corasick multi-pattern matching: Call resolution uses a single pass over the AST with all patterns loaded simultaneously, replacing sequential per-function grep.
• C/C++ hybrid LSP resolver: Template substitution, smart pointer chains, overload scoring, lambda/decltype inference, virtual dispatch -- 700+ dedicated tests.
• mimalloc global allocator: Tracks all allocations (C + C++ via global override), enabling precise memory budgeting per worker.
• No CGo boundary overhead: All tree-sitter parsing happens in pure C -- no per-file CGo hop.

Performance

Indexing the Linux kernel (28M LOC, 75K files):

• Full mode: 2.1M nodes, 5m33s (Apple M3 Pro)
• Fast mode: 1.88M nodes, 1m12s (Apple M3 Pro)

New: Graph Visualization UI

v0.5.0 ships in two variants:

• standard -- MCP server only (smaller binary)
• ui -- MCP server + embedded 3D graph visualization

Enable the UI:
```bash
codebase-memory-mcp --ui=true --port=9749
```
Then open http://localhost:9749 to explore your knowledge graph visually. The UI runs as a background thread on localhost, serving embedded frontend assets and proxying queries to a read-only SQLite connection.

Session Auto-Detect + Auto-Index

The MCP server now detects your project root from the working directory on session start. Combined with the config store:

```bash
codebase-memory-mcp config set auto_index true
```

When enabled, new projects are automatically indexed on first MCP connection, and the watcher registers them for ongoing git-based change detection. Previously-indexed projects are always registered with the watcher regardless of this setting.

The config CLI supports: `list`, `get `, `set `, `reset `.

Multi-Agent Install (8 Coding Agents)

`codebase-memory-mcp install` now auto-detects all installed coding agents and configures each one with MCP server entries, instruction files, and pre-tool hooks where supported.

Agent	MCP Config	Instructions	Hooks
Claude Code	.claude/.mcp.json	4 Skills (directive pattern)	PreToolUse on Grep/Glob/Read
Codex CLI	.codex/config.toml	.codex/AGENTS.md	--
Gemini CLI	.gemini/settings.json	.gemini/GEMINI.md	BeforeTool on grep/read
Zed	settings.json (JSONC)	--	--
OpenCode	opencode.json	.config/opencode/AGENTS.md	--
Antigravity	mcp_config.json	.gemini/antigravity/AGENTS.md	--
Aider	--	CONVENTIONS.md	--
KiloCode	mcp_settings.json	~/.kilocode/rules/	--

Agentic Behavior Improvements

Agents now actively prefer MCP tools over grep/glob/read for code discovery:

• Directive skill descriptions achieve ~100% auto-activation (up from ~37% with the old descriptive pattern)
• PreToolUse / BeforeTool hooks print advisory reminders when agents reach for built-in search tools
• Keyword-rich MCP tool descriptions improve Claude's Tool Search discovery
• Instruction files with concrete examples and explicit fallback guidance for all agents
• Startup update check notifies on first tool call if a newer release is available

These improvements were driven by community reports and contributions:

• @David34920 -- reported Claude ignoring MCP tools without CLAUDE.md edits (#69)
• @sonicviz -- detailed analysis of agent tool-selection heuristics (#34)
• @chitralverma -- reported Gemini CLI defaulting to built-in tools (#19)
• @noelkurian -- identified Zed config format bug and JSONC parsing issue (#24)
• @zeval -- OpenCode install PR with config path research (#36)
• @harshil480 -- KiloCode install PR with config format and test plan (#53)

Fixes

• Zed: Config now uses args:[""] instead of broken source:"custom" (#24)
• Zed: Parser handles JSONC (comments + trailing commas) in existing settings.json
• Install is idempotent: Running install twice produces no duplicates -- marker-based upsert for instructions, key-based upsert for JSON/TOML configs

Cross-Platform Support

Fully tested on all platforms with ASan + LeakSanitizer + UBSan:

Platform	Tests	Build
macOS arm64	2030 passed	OK
macOS amd64	OK	OK
Linux arm64	2012 passed	OK
Linux amd64	OK	OK
Windows amd64	OK	OK (CLANG64)

Vendored dependencies (zero system library requirements): sqlite3, mimalloc, tree-sitter runtime, yyjson, zlib, TRE regex (Windows only).

Upgrading

```bash
codebase-memory-mcp update
```

Or fresh install:
```bash
curl -fsSL https://raw.githubusercontent.com/DeusData/codebase-memory-mcp/main/install.sh | bash
codebase-memory-mcp install -y
```

Existing indexes will be rebuilt automatically -- the C pipeline produces a different (improved) graph format.

v0.4.10

Explicit Watch List for Watcher (#49)

Fixes the OOM issue where the watcher would open every indexed project's database on startup, even projects the user isn't actively working on.

What changed

• Replaced scan-all polling with an explicit watch list — the watcher no longer calls ListProjects() to discover databases on disk. Only projects in the watch list get polled for file changes.
• Watch on index — projects are added to the watch list when index_repository succeeds or auto-index completes.
• Unwatch on delete — delete_project removes the project from the watch list immediately.
• Cross-project touch — when a tool call references a non-session project (e.g., search_graph(project="other-repo")), that project is added to the watch list so it stays fresh for the duration of the session.
• Removed dead code — cachedProjects, projectsCacheTime, projectsCacheTTL, and InvalidateProjectsCache() are all gone.

Why

On machines with many indexed projects, the old watcher would open every .db file and capture file snapshots for all of them every 60 seconds. This caused unbounded memory growth proportional to the total number of indexed projects × their file counts. The new approach only watches projects the user is actively interacting with.

Behavior change

Projects indexed in a previous session are not automatically watched in the current session. They become watched again when the user interacts with them (index, query, trace, etc.). This is the desired behavior — don't spend resources on projects the user isn't using.

Upgrade

codebase-memory-mcp update

Full Changelog: v0.4.9...v0.4.10

v0.4.9

Dynamic Memory Limit

Replaces the static 2GB GOMEMLIMIT from v0.4.8 with platform-aware auto-detection.

What changed

• Auto-detect system memory on all platforms:
  • Linux: syscall.Sysinfo
  • macOS: sysctl hw.memsize
  • Windows: GlobalMemoryStatusEx
• GOMEMLIMIT set to 25% of physical RAM, clamped to [2GB, 8GB]
• Falls back to 4GB if detection fails
• User-configured mem_limit still takes priority

Why

The static 2GB default in v0.4.8 could cause excessive GC pressure on machines with plenty of RAM (e.g., a 64GB workstation was limited to 2GB). The new approach adapts to the system: a 16GB laptop gets a 4GB limit, a 32GB+ machine gets 8GB.

GOMEMLIMIT is a soft limit — hitting it causes more frequent garbage collection (slightly slower indexing) but never crashes or refuses allocations.

Examples

System RAM	GOMEMLIMIT
8 GB	2 GB (min clamp)
16 GB	4 GB
32 GB	8 GB (max clamp)
64 GB	8 GB (max clamp)

Upgrade

codebase-memory-mcp update