v0.5.7

@github-actions github-actions released this 26 Mar 13:22
· 35 commits to main since this release

v0.5.7 — Stability, Install & Endurance Testing Overhaul

53 commits, 3 merged PRs, 10 bugs closed. The most significant stability release since the Go→C rewrite.

Database Concurrency Fix (Critical)

  • Root cause found: three threads (MCP handler, autoindex, watcher) could corrupt the database — rename(.db.tmp, .db) over open SQLite connections produced 48K+ garbage rows
  • Architecture change: rename() eliminated entirely. Indexing writes directly, reindexing deletes old DB first, incremental upserts unchanged
  • Pipeline lock serializes concurrent runs; corrupt DB auto-detected and cleaned
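
The failure mode behind this fix, shown as an added C example (not code from the project): on POSIX, rename() points the name at a new inode while descriptors that are already open keep the old one, so connections opened before and after the swap operate on different files. The scratch file names and the handle_is_stale() helper are hypothetical.

```c
/* Added illustration, not project code. File names are constructed. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if fd no longer refers to the file now named by path, 0 if it does,
 * -1 on error. Compares device + inode of the handle and of the name. */
int handle_is_stale(int fd, const char *path) {
    struct stat by_fd, by_name;
    if (fstat(fd, &by_fd) != 0 || stat(path, &by_name) != 0) return -1;
    return by_fd.st_dev != by_name.st_dev || by_fd.st_ino != by_name.st_ino;
}

static int write_file(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Replays the swap in a scratch directory. Result bits:
 * 1 = handle stale before rename, 2 = stale after rename,
 * 4 = old handle still reads the old contents. -1 on error. */
int demo_rename_over_open(void) {
    char dir[64], db[96], tmp[96], buf[16] = {0};
    snprintf(dir, sizeof dir, "/tmp/rename-demo-%ld", (long)getpid());
    snprintf(db, sizeof db, "%s/demo.db", dir);
    snprintf(tmp, sizeof tmp, "%s/demo.db.tmp", dir);
    if (mkdir(dir, 0700) != 0 || write_file(db, "old-index") != 0) return -1;
    int fd = open(db, O_RDONLY);        /* stands in for an open connection */
    if (fd < 0) return -1;
    int before = handle_is_stale(fd, db);
    int swapped = write_file(tmp, "new-index") == 0 && rename(tmp, db) == 0;
    int after = handle_is_stale(fd, db);
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    unlink(db);
    rmdir(dir);
    if (!swapped || before < 0 || after < 0 || n < 0) return -1;
    return before | (after << 1) | ((strcmp(buf, "old-index") == 0) << 2);
}

int main(void) {
    int mask = demo_rename_over_open();
    printf("result mask: %d\n", mask);
    return mask == 6 ? 0 : 1;
}
```

A result of 6 means the handle matched the name before the swap, stopped matching after it, and still read the pre-swap contents.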

Install & Update

  • install.sh + install.ps1 included in every release archive with --skip-config flag (#145)
  • Kills stale MCP servers, strips macOS quarantine, ad-hoc signs binary
  • Refreshes all 10 agent configs on every update
  • In-memory zip extraction — no unzip needed on Windows
  • Windows .exe path handling fixed across install, update, and uninstall

Windows Path Normalization (PR #146)

  • Mixed path separators normalized to forward slashes at all entry points
  • cbm_normalize_path_sep() works on ALL platforms (cross-platform DB files)

Soak Test Suite (New)

  • Quick soak (10 min), ASan soak (15 min), weekly endurance (4h) — all per-platform
  • RSS tracking, FD drift, query latency, crash recovery (kill -9 + clean restart)
  • All soak tiers are release gates — no release ships without passing

Bug Fixes

  • #139 Stack overflow in autoindex — 8MB default thread stack (thanks @theron-sapp for the detailed crash report with stack addresses, frequency table, and workaround!)
  • #140 index_repository fails on Windows — this report by @Flipper1994 triggered the complete concurrency architecture overhaul!
  • #137 detect_changes fails on paths with spaces (thanks @shekthesnek for the sharp observation that 12 tools worked but 1 didn't!)
  • #135 macOS Gatekeeper blocks binary (thanks @heraque for the thorough xattr/spctl/codesign analysis!)
  • #133 search_code rejects Windows backslash (thanks @ckelly8 for pinpointing the root cause!)
  • #130 O(N²) import extractors hang on large files (thanks @halindrome for both the issue AND the fix in PR #131!)
  • #127 Connection closed constantly — all crash paths fixed (thanks @kingofthebongo2008!)
  • #145 Skip agent config in install scripts (thanks @sherif-fanous — implemented same day!)
  • Arena buffer overflow, test detection gaps, memory leaks, CodeQL TOCTOU, taskkill self-kill, MSYS2 python3 path translation, vendored tre ssize_t

Testing

  • 2586 unit tests (up from 2042), zero skipped, zero memory leaks
  • 480+ new tests covering arena, FQN, graph buffer, MCP dispatch, pipeline, store, YAML, watcher
  • 15-phase smoke suite on all platforms including Windows
  • Soak tests as release gate — endurance verified before every release

Security

  • Install scripts in VirusTotal scan alongside binaries (120 min timeout, all files must pass)
  • system() eliminated from all production code
  • Vendored dependency integrity checksums enforced

Contributors 🙏

Every bug report and PR made this release better. Thank you:

| Contributor | Contribution |
| --- | --- |
| @halindrome | O(N²) import fix (PR #131) — merged |
| @jimpark | Windows path normalization (PR #146) — merged |
| @chitralverma | OpenCode config format fix (PR #134) — merged |
| @theron-sapp | Stack overflow crash report (#139) — fixed |
| @Flipper1994 | Windows rename failure (#140) — fixed, triggered concurrency overhaul |
| @shekthesnek | Windows path-with-spaces (#137) — fixed |
| @heraque | macOS quarantine analysis (#135) — fixed |
| @ckelly8 | Windows backslash root cause (#133) — fixed |
| @kingofthebongo2008 | Connection stability (#127) — fixed |
| @sherif-fanous | Skip-config feature request (#145) — implemented |

Security Verification

All release binaries have been independently verified:

VirusTotal — scanned by 70+ antivirus engines:

| Binary | Scan |
| --- | --- |
| install.sh | View Report |
| install.ps1 | View Report |
| codebase-memory-mcp-windows-amd64.exe | View Report |
| codebase-memory-mcp-ui-windows-amd64.exe | View Report |
| codebase-memory-mcp-ui-linux-arm64 | View Report |
| codebase-memory-mcp-ui-linux-amd64 | View Report |
| codebase-memory-mcp-ui-darwin-arm64 | View Report |
| codebase-memory-mcp-ui-darwin-amd64 | View Report |
| codebase-memory-mcp-linux-arm64 | View Report |
| codebase-memory-mcp-linux-amd64 | View Report |
| codebase-memory-mcp-darwin-arm64 | View Report |
| codebase-memory-mcp-darwin-amd64 | View Report |
| LICENSE | View Report |

Build Provenance (SLSA) — cryptographic proof each binary was built by GitHub Actions from this repo:

gh attestation verify <downloaded-file> --repo DeusData/codebase-memory-mcp

Sigstore cosign — keyless signature verification:

cosign verify-blob --bundle <file>.bundle <file>

Native antivirus scans — all binaries passed these scans before this release was created (any detection would have blocked the release):

  • Windows: Windows Defender with ML heuristics (the same engine end users run)
  • Linux: ClamAV with daily signature updates
  • macOS: ClamAV with daily signature updates

SBOM — Software Bill of Materials (sbom.json) lists all vendored dependencies.

See SECURITY.md for full details.