Skip to content

Releases: Barnett-Studios/cxpak

v3.0.0

Choose a tag to compare

@github-actions github-actions released this 10 Jul 21:22
v3.0.0
0ced217

cxpak 3.0.0 — Deterministic Code + Data Knowledge Graph

A major release. cxpak now models your data layer as a first-class part of the knowledge graph, consolidates the MCP surface into a handful of intent-driven tools, and makes startup non-blocking so editors and agents get an instant handshake. Every default path is deterministic, OpenSSL-free, and runs no LLM anywhere.

Highlights

🧠 MCP surface: 26 tools → 5 intent tools

The Model Context Protocol surface is now five intent-parameterized tools — cxpak_context, cxpak_graph, cxpak_data, cxpak_review, cxpak_insight — each dispatching on an op argument. A hard gate keeps the tool count ≤ 8. All 26 legacy tool names continue to resolve as aliases, so existing integrations keep working.

⚡ Non-blocking MCP startup (ADR-0185)

initialize now returns in milliseconds instead of blocking behind a full index build. Tool calls made during indexing get a graceful "indexing in progress" response rather than hanging the client. This fixes the startup stall that could time out MCP clients on larger repositories.

🗄️ Live database knowledge graph

Read-only introspection of a running Postgres or MySQL instance, reflected from the catalog and merged into the dependency graph alongside your code schema. Pure-Rust/rustls drivers only (no OpenSSL). The DSN is never logged, persisted, or echoed, and all queries are read-only.

🎯 Semantic relevance on by default (ADR-0187 / 0190)

Active Reciprocal Rank Fusion is now the default ranking mode, with competition ("1224") ranking so a uniform signal stays inert and can't leak weight as alphabetical path bias. Gated recall improved measurably over the previous default.

🔎 Opt-in embeddings (ADR-0186)

Query-time embedding is gated on an available embedding index — no silent cost, clean fallback to the deterministic signals.

Invariants (verified this release)

  • No OpenSSL — every target builds a static, portable binary
  • No LLM in any code path
  • DSN never logged / persisted; DB access is read-only
  • MCP ≤ 8 tools
  • Within-platform byte-identical determinism on the default path (guarded by a cross-process golden)

⚠️ Breaking changes

  • The MCP tool surface is consolidated to intent tools with an op discriminator. Legacy tool names still work via aliases, but the canonical shape has changed — update integrations to the new op-parameterized form when convenient.

Install

cargo install cxpak            # crates.io
brew install cxpak             # Homebrew (formula updated by this release)

Prebuilt binaries for Linux (x86_64 / aarch64), macOS (x86_64 / aarch64), and Windows (x86_64) are attached below.

Supported platform: macOS (Apple Silicon) is the primary supported target today; Linux/Windows binaries are provided and on the roadmap for first-class support.


What's Changed

Full Changelog: v2.3.0...v3.0.0

v2.3.0

Choose a tag to compare

@github-actions github-actions released this 19 Jun 13:25
v2.3.0
26858ee

What's Changed

New Contributors

Full Changelog: v2.2.1...v2.3.0

v2.2.1

Choose a tag to compare

@github-actions github-actions released this 22 May 14:16

Full Changelog: v2.2.0...v2.2.1

v2.2.0

Choose a tag to compare

@github-actions github-actions released this 20 May 11:37

What's Changed

New Contributors

Full Changelog: v2.1.0...v2.2.0

v2.1.0

Choose a tag to compare

@github-actions github-actions released this 05 May 07:15

Full Changelog: v2.0.0...v2.1.0

v2.0.0

Choose a tag to compare

@github-actions github-actions released this 16 Apr 21:12

Visual intelligence, WASM plugin SDK, onboarding maps, and 167 bug fixes.

Visual Intelligence

Six interactive views, each rendered as self-contained HTML with D3.js:

  • Dashboard -- health score donut, dimension bars, architecture treemap, alerts panel
  • Architecture Explorer -- Sugiyama-layout directed graph with 3-level zoom (module/file/symbol), color-coded for risk, god files, and circular dependencies
  • Risk Heatmap -- D3 treemap sized by blast radius, colored by risk score
  • Flow Diagram -- data flow from source to sinks with arrowheads and confidence labels
  • Time Machine -- git history snapshots with playback controls to see how your codebase evolved
  • Diff View -- before/after side-by-side with blast radius overlay and affected files table

Export to 6 formats: HTML, Mermaid, SVG, PNG, C4 DSL, JSON.

WASM Plugin SDK

  • Define custom analyzers and detectors as WASM plugins with the CxpakPlugin trait
  • Plugin manifest with SHA-256 checksum verification before WASM compilation
  • wasmtime sandbox: epoch interruption for CPU limits, 64 MB memory cap, capability enforcement
  • File pattern scoping -- plugins only see files matching their declared patterns

Onboarding

  • cxpak onboard -- generates a dependency-ordered reading guide for new engineers
  • Topological sort with module grouping, PageRank ordering, and 7+/-2 cognitive limit splitting
  • Reading time estimates (200 tokens/min)

Quality Campaign (167 bugs fixed)

13 independent code audits across every module:

  • Security -- timing-safe auth comparison, path traversal prevention, ReDoS guards, XSS prevention in HTML output
  • Stability -- LSP lock poisoning recovery, atomic file writes, advisory cache locks, graceful shutdown
  • Correctness -- parser fixes across 8 languages, convention metrics bounded to valid ranges, graph rebuild after incremental updates
  • Performance -- regex compiled once via LazyLock, embedding query caching, O(n^2) edge generation capped
  • MCP -- full JSON-RPC 2.0 compliance (parse errors, unknown tool handling), body size limits, pattern length guards
  • LSP -- hover implemented with real data, URI path handling fixed, did_open/did_change/did_close support
  • Visual -- edge CSS selector fix, directional arrowheads, all 6 nav links wired
  • 2427 tests (up from 2059), all covering real regressions

Breaking Changes

  • MSRV bumped from 1.88 to 1.91 (wasmtime cranelift dependency)
  • /v1/health changed from POST to GET
  • Stub endpoints now return {"status": "not_implemented"} instead of fake data

v1.6.0

Choose a tag to compare

@github-actions github-actions released this 11 Apr 13:39

LSP server and Intelligence API -- integrate cxpak into any editor or service.

LSP Server

  • cxpak lsp -- LSP server over stdio, works with any LSP-compatible editor
  • 4 standard methods: CodeLens, hover, diagnostics, workspace symbols
  • 14 custom cxpak/* JSON-RPC methods for architecture, risk, conventions, and more

Intelligence API

  • 12 HTTP POST endpoints at /v1/ via cxpak serve
  • Bearer token auth when --token is set
  • Live endpoints: health, conventions, briefing (remaining endpoints stubbed for future releases)

CLI

  • cxpak conventions export <path> and cxpak conventions diff <path> available as CLI commands

v1.5.0

Choose a tag to compare

@github-actions github-actions released this 09 Apr 20:50

Data flow analysis wired into security detection, plus reliability fixes.

  • Data flow analysis now feeds into the security surface -- detections include touches_security_boundary for values that cross trust zones
  • Reduced false positives in HTTP bridge detection for cross-language analysis
  • Fix: UTF-8 boundary panic when formatting secret snippets near multi-byte characters

v1.4.0

Choose a tag to compare

@github-actions github-actions released this 08 Apr 13:16

Security analysis, data flow tracing, and cross-language boundary detection.

  • cxpak_security_surface -- detect unprotected endpoints, hardcoded secrets (5 types), SQL injection patterns, and input validation gaps with exposure scores
  • cxpak_data_flow -- trace values from source to sink through the call graph
  • cxpak_cross_lang -- detect 6 types of cross-language boundaries: HTTP, FFI, gRPC, GraphQL, shared schema, exec
  • MSRV pinned to Rust 1.88

v1.3.0

Choose a tag to compare

@github-actions github-actions released this 05 Apr 12:46

Monorepo workspaces, change prediction, and architecture drift detection.

  • --workspace flag for monorepo scoping -- index a single package within a monorepo
  • cxpak_predict -- predict which files and tests are affected by a change using structural, historical (git co-change), and call-based signals
  • cxpak_drift -- detect architecture drift against stored baselines with automatic snapshots on each call
  • cxpak_dead_code -- find dead symbols ranked by PageRank importance
  • cxpak_call_graph -- cross-file call graph with confidence levels