@sdsrs/code-graph 0.45.0 → 0.45.1

package/claude-plugin/.claude-plugin/plugin.json

@@ -4,7 +4,7 @@
   "author": {
     "name": "sdsrs"
   },
-  "version": "0.45.0",
+  "version": "0.45.1",
   "keywords": [
     "code-graph",
     "ast",

package/claude-plugin/scripts/auto-update.js

@@ -182,6 +182,21 @@ function cachedBinaryPath() {
   return path.join(BINARY_CACHE_DIR, name);
 }
 
+/**
+ * Decide whether the cached native binary must be (re)downloaded: true when it
+ * is missing OR its actual version differs from the latest release. Version-aware
+ * rather than existence-only — a stale-but-present binary must still self-heal
+ * even when the plugin shell version already matches latest. manifest.version
+ * tracks the plugin shell (the marketplace bumps it independently of the native
+ * binary), so an existence-only check leaves the engine permanently pinned to an
+ * old binary while the updater reports "up to date".
+ */
+function cachedBinaryNeedsUpdate(latest, { binaryPath = cachedBinaryPath(), readVersion = readBinaryVersion } = {}) {
+  if (!latest || !latest.binaryUrl) return false;
+  if (!fs.existsSync(binaryPath)) return true;
+  return readVersion(binaryPath) !== latest.version;
+}
+
 /**
  * Download just the platform binary from a GitHub release into the cache.
  * Used in two paths:
@@ -222,15 +237,21 @@ function promoteVerifiedBinary(binaryTmp, binaryDst, expectedVersion) {
     const stat = fs.statSync(binaryTmp);
     if (stat.size <= 1_000_000) return false;
 
+    // chmod BEFORE reading the version. readBinaryVersion executes the binary
+    // (`--version`), which requires the exec bit; `curl -o` writes the tmp file
+    // as 0644 (no exec bit), so reading the version first fails with EACCES →
+    // null → false, which silently wedged every download path. rename preserves
+    // the mode, so the promoted dst ends up 0755.
+    if (os.platform() !== 'win32') {
+      fs.chmodSync(binaryTmp, 0o755);
+    }
+
     const actualVersion = readBinaryVersion(binaryTmp);
     if (!actualVersion || (expectedVersion && actualVersion !== expectedVersion)) {
       return false;
     }
 
     fs.renameSync(binaryTmp, binaryDst);
-    if (os.platform() !== 'win32') {
-      fs.chmodSync(binaryDst, 0o755);
-    }
     clearBinaryCache();
     return true;
   } catch {
@@ -392,12 +413,13 @@ async function checkForUpdate({ installMissing = false } = {}) {
       };
     }
 
-    // No update needed — but self-heal if cache binary is missing.
-    // State file alone is not authoritative; previous download may have failed
-    // silently, cache may have been wiped, or `npm install -g` optionalDependency
-    // may have dropped the platform package.
+    // No plugin-shell update — but self-heal the native binary if it is missing
+    // OR stale. The shell version (manifest.version) can match latest while the
+    // cached binary lags (a previous download failed silently, the cache was
+    // wiped, an `npm install -g` optionalDependency dropped the platform package,
+    // or the marketplace bumped the shell without re-fetching the binary).
     let selfHealedBinary = false;
-    if (latest.binaryUrl && !fs.existsSync(cachedBinaryPath())) {
+    if (cachedBinaryNeedsUpdate(latest)) {
       selfHealedBinary = await downloadBinary(latest);
     }
 
@@ -424,7 +446,7 @@ module.exports = {
   getExtractedPluginVersion, readBinaryVersion, promoteVerifiedBinary,
   isSilentMode, isInstallMissingMode,
   requestJson, parseLatestRelease, fetchLatestRelease,
-  downloadBinary, cachedBinaryPath,
+  downloadBinary, cachedBinaryPath, cachedBinaryNeedsUpdate,
 };
 
 // CLI: node auto-update.js [check|status] [--silent] [--install-missing]

package/claude-plugin/scripts/auto-update.test.js

@@ -13,6 +13,7 @@ const {
   readBinaryVersion,
   promoteVerifiedBinary,
   cachedBinaryPath,
+  cachedBinaryNeedsUpdate,
   downloadBinary,
   isInstallMissingMode,
   isSilentMode,
@@ -32,7 +33,7 @@ test('getExtractedPluginVersion reads extracted plugin manifest version', (t) =>
   assert.equal(getExtractedPluginVersion(root), '1.2.3');
 });
 
-function writeFakeBinary(filePath, version) {
+function writeFakeBinary(filePath, version, mode = 0o755) {
   const script = [
     '#!/usr/bin/env bash',
     'if [ "$1" = "--version" ]; then',
@@ -44,7 +45,7 @@ function writeFakeBinary(filePath, version) {
     '',
   ].join('\n');
   fs.writeFileSync(filePath, script);
-  fs.chmodSync(filePath, 0o755);
+  fs.chmodSync(filePath, mode);
 }
 
 test('promoteVerifiedBinary accepts a runnable binary with the expected version', (t) => {
@@ -70,6 +71,51 @@ test('promoteVerifiedBinary rejects binaries with mismatched version', (t) => {
   assert.equal(fs.existsSync(dst), false);
 });
 
+test('promoteVerifiedBinary promotes a non-executable (0644) download — curl -o regression', (t) => {
+  // `curl -o` writes the tmp file as 0644 (no exec bit). promoteVerifiedBinary
+  // must chmod before reading the version (readBinaryVersion executes the
+  // binary), otherwise the version read fails with EACCES → null → false and
+  // every download path silently wedges. Regression for the binary-stuck-at-old
+  // -version deadlock.
+  if (process.platform === 'win32') return; // no exec bit on win32
+  const dir = mkDir(t, 'code-graph-bin-');
+  const tmp = path.join(dir, 'code-graph-mcp.tmp');
+  const dst = path.join(dir, 'code-graph-mcp');
+  writeFakeBinary(tmp, '1.2.3', 0o644);
+
+  assert.equal(readBinaryVersion(tmp), null, 'precondition: 0644 binary is not executable');
+  assert.equal(promoteVerifiedBinary(tmp, dst, '1.2.3'), true);
+  assert.equal(fs.existsSync(dst), true);
+  assert.equal(fs.statSync(dst).mode & 0o111, 0o111, 'promoted binary is executable');
+  assert.equal(readBinaryVersion(dst), '1.2.3');
+});
+
+test('cachedBinaryNeedsUpdate is version-aware, not existence-only', (t) => {
+  const dir = mkDir(t, 'code-graph-heal-');
+  const binaryPath = path.join(dir, 'code-graph-mcp');
+  const latest = { version: '0.45.0', binaryUrl: 'https://example.com/bin' };
+
+  // missing binary → needs update
+  assert.equal(cachedBinaryNeedsUpdate(latest, { binaryPath }), true);
+
+  // present but stale (the actual deadlock: shell at 0.45.0, binary at 0.16.6)
+  fs.writeFileSync(binaryPath, 'x');
+  assert.equal(
+    cachedBinaryNeedsUpdate(latest, { binaryPath, readVersion: () => '0.16.6' }),
+    true,
+  );
+
+  // present and current → no update
+  assert.equal(
+    cachedBinaryNeedsUpdate(latest, { binaryPath, readVersion: () => '0.45.0' }),
+    false,
+  );
+
+  // no binaryUrl / null latest → no-op (nothing to download)
+  assert.equal(cachedBinaryNeedsUpdate({ version: '0.45.0', binaryUrl: null }, { binaryPath }), false);
+  assert.equal(cachedBinaryNeedsUpdate(null, { binaryPath }), false);
+});
+
 test('parseLatestRelease selects the matching platform asset', () => {
   const latest = parseLatestRelease({
     tag_name: 'v1.2.3',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sdsrs/code-graph",
-  "version": "0.45.0",
+  "version": "0.45.1",
   "description": "MCP server that indexes codebases into an AST knowledge graph with semantic search, call graph traversal, and HTTP route tracing",
   "license": "MIT",
   "repository": {
@@ -35,10 +35,10 @@
     "node": ">=16"
   },
   "optionalDependencies": {
-    "@sdsrs/code-graph-linux-x64": "0.45.0",
-    "@sdsrs/code-graph-linux-arm64": "0.45.0",
-    "@sdsrs/code-graph-darwin-x64": "0.45.0",
-    "@sdsrs/code-graph-darwin-arm64": "0.45.0",
-    "@sdsrs/code-graph-win32-x64": "0.45.0"
+    "@sdsrs/code-graph-linux-x64": "0.45.1",
+    "@sdsrs/code-graph-linux-arm64": "0.45.1",
+    "@sdsrs/code-graph-darwin-x64": "0.45.1",
+    "@sdsrs/code-graph-darwin-arm64": "0.45.1",
+    "@sdsrs/code-graph-win32-x64": "0.45.1"
   }
 }