gitnexus 1.4.6 → 1.4.8

package/dist/mcp/local/local-backend.d.ts

@@ -15,6 +15,26 @@ export declare function isTestFilePath(filePath: string): boolean;
 export declare const VALID_NODE_LABELS: Set<string>;
 /** Valid relation types for impact analysis filtering */
 export declare const VALID_RELATION_TYPES: Set<string>;
+/**
+ * Per-relation-type confidence floor for impact analysis.
+ *
+ * When the graph stores a relation with a confidence value, that stored
+ * value is used as-is (it reflects resolution-tier accuracy from analysis
+ * time).  This map provides the floor for each edge type when no stored
+ * confidence is available, and is also used for display / tooltip hints.
+ *
+ * Rationale:
+ *   CALLS / IMPORTS  – direct, strongly-typed references → 0.9
+ *   EXTENDS          – class hierarchy, statically verifiable → 0.85
+ *   IMPLEMENTS       – interface contract, statically verifiable → 0.85
+ *   OVERRIDES        – method override, statically verifiable → 0.85
+ *   HAS_METHOD       – structural containment → 0.95
+ *   HAS_PROPERTY     – structural containment → 0.95
+ *   ACCESSES         – field read/write, may be indirect → 0.8
+ *   CONTAINS         – folder/file containment → 0.95
+ *   (unknown type)   – conservative fallback → 0.5
+ */
+export declare const IMPACT_RELATION_CONFIDENCE: Readonly<Record<string, number>>;
 /** Regex to detect write operations in user-supplied Cypher queries */
 export declare const CYPHER_WRITE_RE: RegExp;
 /** Check if a Cypher query contains write operations */
@@ -42,6 +62,8 @@ export declare class LocalBackend {
     private repos;
     private contextCache;
     private initializedRepos;
+    private reinitPromises;
+    private lastStalenessCheck;
     /**
      * Initialize from the global registry.
      * Returns true if at least one repo is available.

package/dist/mcp/local/local-backend.js

@@ -37,7 +37,42 @@ export const VALID_NODE_LABELS = new Set([
     'Record', 'Delegate', 'Annotation', 'Constructor', 'Template', 'Module',
 ]);
 /** Valid relation types for impact analysis filtering */
-export const VALID_RELATION_TYPES = new Set(['CALLS', 'IMPORTS', 'EXTENDS', 'IMPLEMENTS', 'HAS_METHOD', 'OVERRIDES']);
+export const VALID_RELATION_TYPES = new Set(['CALLS', 'IMPORTS', 'EXTENDS', 'IMPLEMENTS', 'HAS_METHOD', 'HAS_PROPERTY', 'OVERRIDES', 'ACCESSES']);
+/**
+ * Per-relation-type confidence floor for impact analysis.
+ *
+ * When the graph stores a relation with a confidence value, that stored
+ * value is used as-is (it reflects resolution-tier accuracy from analysis
+ * time).  This map provides the floor for each edge type when no stored
+ * confidence is available, and is also used for display / tooltip hints.
+ *
+ * Rationale:
+ *   CALLS / IMPORTS  – direct, strongly-typed references → 0.9
+ *   EXTENDS          – class hierarchy, statically verifiable → 0.85
+ *   IMPLEMENTS       – interface contract, statically verifiable → 0.85
+ *   OVERRIDES        – method override, statically verifiable → 0.85
+ *   HAS_METHOD       – structural containment → 0.95
+ *   HAS_PROPERTY     – structural containment → 0.95
+ *   ACCESSES         – field read/write, may be indirect → 0.8
+ *   CONTAINS         – folder/file containment → 0.95
+ *   (unknown type)   – conservative fallback → 0.5
+ */
+export const IMPACT_RELATION_CONFIDENCE = {
+    CALLS: 0.9,
+    IMPORTS: 0.9,
+    EXTENDS: 0.85,
+    IMPLEMENTS: 0.85,
+    OVERRIDES: 0.85,
+    HAS_METHOD: 0.95,
+    HAS_PROPERTY: 0.95,
+    ACCESSES: 0.8,
+    CONTAINS: 0.95,
+};
+/**
+ * Return the confidence floor for a given relation type.
+ * Falls back to 0.5 for unknown types so they are not silently elevated.
+ */
+const confidenceForRelType = (relType) => IMPACT_RELATION_CONFIDENCE[relType ?? ''] ?? 0.5;
 /** Regex to detect write operations in user-supplied Cypher queries */
 export const CYPHER_WRITE_RE = /\b(CREATE|DELETE|SET|MERGE|REMOVE|DROP|ALTER|COPY|DETACH)\b/i;
 /** Check if a Cypher query contains write operations */
@@ -53,6 +88,8 @@ export class LocalBackend {
     repos = new Map();
     contextCache = new Map();
     initializedRepos = new Set();
+    reinitPromises = new Map();
+    lastStalenessCheck = new Map();
     // ─── Initialization ──────────────────────────────────────────────
     /**
      * Initialize from the global registry.
@@ -195,12 +232,53 @@ export class LocalBackend {
     }
     // ─── Lazy LadybugDB Init ────────────────────────────────────────────
     async ensureInitialized(repoId) {
-        // Always check the actual pool — the idle timer may have evicted the connection
-        if (this.initializedRepos.has(repoId) && isLbugReady(repoId))
-            return;
+        // If a reinit is already in progress for this repo, wait for it
+        const pending = this.reinitPromises.get(repoId);
+        if (pending)
+            return pending;
         const handle = this.repos.get(repoId);
         if (!handle)
             throw new Error(`Unknown repo: ${repoId}`);
+        // Check if the index was rebuilt since we opened the connection (#297).
+        // Throttle staleness checks to at most once per 5 seconds per repo to
+        // avoid an fs.readFile round-trip on every tool invocation.
+        if (this.initializedRepos.has(repoId) && isLbugReady(repoId)) {
+            const now = Date.now();
+            const lastCheck = this.lastStalenessCheck.get(repoId) ?? 0;
+            if (now - lastCheck < 5000)
+                return; // Checked recently — skip
+            this.lastStalenessCheck.set(repoId, now);
+            try {
+                const metaPath = path.join(handle.storagePath, 'meta.json');
+                const metaRaw = await fs.readFile(metaPath, 'utf-8');
+                const meta = JSON.parse(metaRaw);
+                if (meta.indexedAt && meta.indexedAt !== handle.indexedAt) {
+                    // Index was rebuilt — close stale connection and re-init.
+                    // Wrap in reinitPromises to prevent TOCTOU race where concurrent
+                    // callers both detect staleness and double-close the pool.
+                    const reinit = (async () => {
+                        try {
+                            await closeLbug(repoId);
+                            this.initializedRepos.delete(repoId);
+                            handle.indexedAt = meta.indexedAt;
+                            await initLbug(repoId, handle.lbugPath);
+                            this.initializedRepos.add(repoId);
+                        }
+                        finally {
+                            this.reinitPromises.delete(repoId);
+                        }
+                    })();
+                    this.reinitPromises.set(repoId, reinit);
+                    return reinit;
+                }
+                else {
+                    return; // Pool is current
+                }
+            }
+            catch {
+                return; // Can't read meta — assume pool is fine
+            }
+        }
         try {
             await initLbug(repoId, handle.lbugPath);
             this.initializedRepos.add(repoId);
@@ -788,14 +866,14 @@ export class LocalBackend {
         // Categorized incoming refs
         const incomingRows = await executeParameterized(repo.id, `
       MATCH (caller)-[r:CodeRelation]->(n {id: $symId})
-      WHERE r.type IN ['CALLS', 'IMPORTS', 'EXTENDS', 'IMPLEMENTS']
+      WHERE r.type IN ['CALLS', 'IMPORTS', 'EXTENDS', 'IMPLEMENTS', 'HAS_METHOD', 'HAS_PROPERTY', 'OVERRIDES', 'ACCESSES']
       RETURN r.type AS relType, caller.id AS uid, caller.name AS name, caller.filePath AS filePath, labels(caller)[0] AS kind
       LIMIT 30
     `, { symId });
         // Categorized outgoing refs
         const outgoingRows = await executeParameterized(repo.id, `
       MATCH (n {id: $symId})-[r:CodeRelation]->(target)
-      WHERE r.type IN ['CALLS', 'IMPORTS', 'EXTENDS', 'IMPLEMENTS']
+      WHERE r.type IN ['CALLS', 'IMPORTS', 'EXTENDS', 'IMPLEMENTS', 'HAS_METHOD', 'HAS_PROPERTY', 'OVERRIDES', 'ACCESSES']
       RETURN r.type AS relType, target.id AS uid, target.name AS name, target.filePath AS filePath, labels(target)[0] AS kind
       LIMIT 30
     `, { symId });
@@ -1247,14 +1325,21 @@ export class LocalBackend {
                     if (!visited.has(relId)) {
                         visited.add(relId);
                         nextFrontier.push(relId);
+                        const storedConfidence = rel.confidence ?? rel[6];
+                        const relationType = rel.relType || rel[5];
+                        // Prefer the stored confidence from the graph (set at analysis time);
+                        // fall back to the per-type floor for edges without a stored value.
+                        const effectiveConfidence = typeof storedConfidence === 'number' && storedConfidence > 0
+                            ? storedConfidence
+                            : confidenceForRelType(relationType);
                         impacted.push({
                             depth,
                             id: relId,
                             name: rel.name || rel[2],
                             type: rel.type || rel[3],
                             filePath,
-                            relationType: rel.relType || rel[5],
-                            confidence: rel.confidence || rel[6] || 1.0,
+                            relationType,
+                            confidence: effectiveConfidence,
                         });
                     }
                 }
@@ -1279,30 +1364,49 @@ export class LocalBackend {
         let affectedProcesses = [];
         let affectedModules = [];
         if (impacted.length > 0) {
-            const allIds = impacted.map(i => `'${i.id.replace(/'/g, "''")}'`).join(', ');
-            const d1Ids = (grouped[1] || []).map((i) => `'${i.id.replace(/'/g, "''")}'`).join(', ');
-            // Affected processes: which execution flows are broken and at which step
-            const [processRows, moduleRows, directModuleRows] = await Promise.all([
-                executeQuery(repo.id, `
-          MATCH (s)-[r:CodeRelation {type: 'STEP_IN_PROCESS'}]->(p:Process)
-          WHERE s.id IN [${allIds}]
-          RETURN p.heuristicLabel AS name, COUNT(DISTINCT s.id) AS hits, MIN(r.step) AS minStep, p.stepCount AS stepCount
-          ORDER BY hits DESC
-          LIMIT 20
-        `).catch(() => []),
-                executeQuery(repo.id, `
-          MATCH (s)-[:CodeRelation {type: 'MEMBER_OF'}]->(c:Community)
-          WHERE s.id IN [${allIds}]
-          RETURN c.heuristicLabel AS name, COUNT(DISTINCT s.id) AS hits
-          ORDER BY hits DESC
-          LIMIT 20
-        `).catch(() => []),
-                d1Ids ? executeQuery(repo.id, `
-          MATCH (s)-[:CodeRelation {type: 'MEMBER_OF'}]->(c:Community)
-          WHERE s.id IN [${d1Ids}]
-          RETURN DISTINCT c.heuristicLabel AS name
-        `).catch(() => []) : Promise.resolve([]),
-            ]);
+            // Cap IN-clause to 100 IDs to prevent oversized queries that crash
+            // the native DB engine on arm64 macOS (#292)
+            const cappedImpacted = impacted.slice(0, 100);
+            const allIds = cappedImpacted.map(i => `'${String(i.id ?? '').replace(/'/g, "''")}'`).join(', ');
+            const d1Items = (grouped[1] || []).slice(0, 100);
+            const d1Ids = d1Items.map((i) => `'${String(i.id ?? '').replace(/'/g, "''")}'`).join(', ');
+            // Enrichment queries: sequential on arm64 macOS to avoid SIGSEGV from
+            // concurrent native DB access (#285, #290, #292); parallel elsewhere
+            // to preserve performance on unaffected platforms.
+            const isArm64Mac = process.platform === 'darwin' && process.arch === 'arm64';
+            const processQuery = executeQuery(repo.id, `
+        MATCH (s)-[r:CodeRelation {type: 'STEP_IN_PROCESS'}]->(p:Process)
+        WHERE s.id IN [${allIds}]
+        RETURN p.heuristicLabel AS name, COUNT(DISTINCT s.id) AS hits, MIN(r.step) AS minStep, p.stepCount AS stepCount
+        ORDER BY hits DESC
+        LIMIT 20
+      `).catch(() => []);
+            const moduleQuery = () => executeQuery(repo.id, `
+        MATCH (s)-[:CodeRelation {type: 'MEMBER_OF'}]->(c:Community)
+        WHERE s.id IN [${allIds}]
+        RETURN c.heuristicLabel AS name, COUNT(DISTINCT s.id) AS hits
+        ORDER BY hits DESC
+        LIMIT 20
+      `).catch(() => []);
+            const directModuleQuery = () => d1Ids
+                ? executeQuery(repo.id, `
+            MATCH (s)-[:CodeRelation {type: 'MEMBER_OF'}]->(c:Community)
+            WHERE s.id IN [${d1Ids}]
+            RETURN DISTINCT c.heuristicLabel AS name
+          `).catch(() => [])
+                : Promise.resolve([]);
+            let processRows, moduleRows, directModuleRows;
+            if (isArm64Mac) {
+                // Sequential: avoid concurrent native DB access
+                processRows = await processQuery;
+                moduleRows = await moduleQuery();
+                directModuleRows = await directModuleQuery();
+            }
+            else {
+                // Parallel: safe on non-arm64 platforms
+                processRows = await processQuery;
+                [moduleRows, directModuleRows] = await Promise.all([moduleQuery(), directModuleQuery()]);
+            }
             affectedProcesses = processRows.map((r) => ({
                 name: r.name || r[0],
                 hits: r.hits || r[1],

package/dist/mcp/resources.js

@@ -271,6 +271,15 @@ nodes:
 
 additional_node_types: "Multi-language: Struct, Enum, Macro, Typedef, Union, Namespace, Trait, Impl, TypeAlias, Const, Static, Property, Record, Delegate, Annotation, Constructor, Template, Module (use backticks in queries: \`Struct\`, \`Enum\`, etc.)"
 
+node_properties:
+  common: "name (STRING), filePath (STRING), startLine (INT32), endLine (INT32)"
+  Method: "parameterCount (INT32), returnType (STRING), isVariadic (BOOL)"
+  Function: "parameterCount (INT32), returnType (STRING), isVariadic (BOOL)"
+  Property: "declaredType (STRING) — the field's type annotation (e.g., 'Address', 'City'). Used for field-access chain resolution."
+  Constructor: "parameterCount (INT32)"
+  Community: "heuristicLabel (STRING), cohesion (DOUBLE), symbolCount (INT32), keywords (STRING[]), description (STRING), enrichedBy (STRING)"
+  Process: "heuristicLabel (STRING), processType (STRING — 'intra_community' or 'cross_community'), stepCount (INT32), communities (STRING[]), entryPointId (STRING), terminalId (STRING)"
+
 relationships:
   - CONTAINS: File/Folder contains child
   - DEFINES: File defines a symbol
@@ -278,6 +287,10 @@ relationships:
   - IMPORTS: Module imports
   - EXTENDS: Class inheritance
   - IMPLEMENTS: Interface implementation
+  - HAS_METHOD: Class/Struct/Interface owns a Method
+  - HAS_PROPERTY: Class/Struct/Interface owns a Property (field)
+  - ACCESSES: Function/Method reads or writes a Property (reason: 'read' or 'write')
+  - OVERRIDES: Method overrides another Method (MRO)
   - MEMBER_OF: Symbol belongs to community
   - STEP_IN_PROCESS: Symbol is step N in process
 

package/dist/mcp/server.js

@@ -15,6 +15,7 @@ import { Server } from '@modelcontextprotocol/sdk/server/index.js';
 import { CompatibleStdioServerTransport } from './compatible-stdio-transport.js';
 import { CallToolRequestSchema, ListToolsRequestSchema, ListResourcesRequestSchema, ReadResourceRequestSchema, ListResourceTemplatesRequestSchema, ListPromptsRequestSchema, GetPromptRequestSchema, } from '@modelcontextprotocol/sdk/types.js';
 import { GITNEXUS_TOOLS } from './tools.js';
+import { realStdoutWrite } from './core/lbug-adapter.js';
 import { getResourceDefinitions, getResourceTemplates, readResource } from './resources.js';
 /**
  * Next-step hints appended to tool responses.
@@ -237,12 +238,22 @@ Follow these steps:
  */
 export async function startMCPServer(backend) {
     const server = createMCPServer(backend);
-    // Connect to stdio transport
-    const transport = new CompatibleStdioServerTransport();
+    // Use the shared stdout reference captured at module-load time by the
+    // lbug-adapter.  Avoids divergence if anything patches stdout between
+    // module load and server start.
+    const _safeStdout = new Proxy(process.stdout, {
+        get(target, prop, receiver) {
+            if (prop === 'write')
+                return realStdoutWrite;
+            const val = Reflect.get(target, prop, receiver);
+            return typeof val === 'function' ? val.bind(target) : val;
+        }
+    });
+    const transport = new CompatibleStdioServerTransport(process.stdin, _safeStdout);
     await server.connect(transport);
     // Graceful shutdown helper
     let shuttingDown = false;
-    const shutdown = async () => {
+    const shutdown = async (exitCode = 0) => {
         if (shuttingDown)
             return;
         shuttingDown = true;
@@ -254,11 +265,22 @@ export async function startMCPServer(backend) {
             await server.close();
         }
         catch { }
-        process.exit(0);
+        process.exit(exitCode);
     };
     // Handle graceful shutdown
     process.on('SIGINT', shutdown);
     process.on('SIGTERM', shutdown);
+    // Log crashes to stderr so they aren't silently lost.
+    // uncaughtException is fatal — shut down.
+    // unhandledRejection is logged but kept non-fatal (availability-first):
+    // killing the server for one missed catch would be worse than logging it.
+    process.on('uncaughtException', (err) => {
+        process.stderr.write(`GitNexus MCP uncaughtException: ${err?.stack || err}\n`);
+        shutdown(1);
+    });
+    process.on('unhandledRejection', (reason) => {
+        process.stderr.write(`GitNexus MCP unhandledRejection: ${reason?.stack || reason}\n`);
+    });
     // Handle stdio errors — stdin close means the parent process is gone
     process.stdin.on('end', shutdown);
     process.stdin.on('error', () => shutdown());

package/dist/mcp/tools.js

@@ -61,7 +61,7 @@ SCHEMA:
 - Nodes: File, Folder, Function, Class, Interface, Method, CodeElement, Community, Process
 - Multi-language nodes (use backticks): \`Struct\`, \`Enum\`, \`Trait\`, \`Impl\`, etc.
 - All edges via single CodeRelation table with 'type' property
-- Edge types: CONTAINS, DEFINES, CALLS, IMPORTS, EXTENDS, IMPLEMENTS, HAS_METHOD, OVERRIDES, MEMBER_OF, STEP_IN_PROCESS
+- Edge types: CONTAINS, DEFINES, CALLS, IMPORTS, EXTENDS, IMPLEMENTS, HAS_METHOD, HAS_PROPERTY, ACCESSES, OVERRIDES, MEMBER_OF, STEP_IN_PROCESS
 - Edge properties: type (STRING), confidence (DOUBLE), reason (STRING), step (INT32)
 
 EXAMPLES:
@@ -77,6 +77,12 @@ EXAMPLES:
 • Find all methods of a class:
   MATCH (c:Class {name: "UserService"})-[r:CodeRelation {type: 'HAS_METHOD'}]->(m:Method) RETURN m.name, m.parameterCount, m.returnType
 
+• Find all properties of a class:
+  MATCH (c:Class {name: "User"})-[r:CodeRelation {type: 'HAS_PROPERTY'}]->(p:Property) RETURN p.name, p.declaredType
+
+• Find all writers of a field:
+  MATCH (f:Function)-[r:CodeRelation {type: 'ACCESSES', reason: 'write'}]->(p:Property) WHERE p.name = "address" RETURN f.name, f.filePath
+
 • Find method overrides (MRO resolution):
   MATCH (winner:Method)-[r:CodeRelation {type: 'OVERRIDES'}]->(loser:Method) RETURN winner.name, winner.filePath, loser.filePath, r.reason
 
@@ -87,8 +93,8 @@ OUTPUT: Returns { markdown, row_count } — results formatted as a Markdown tabl
 
 TIPS:
 - All relationships use single CodeRelation table — filter with {type: 'CALLS'} etc.
-- Community = auto-detected functional area (Leiden algorithm)
-- Process = execution flow trace from entry point to terminal
+- Community = auto-detected functional area (Leiden algorithm). Properties: heuristicLabel, cohesion, symbolCount, keywords, description, enrichedBy
+- Process = execution flow trace from entry point to terminal. Properties: heuristicLabel, processType, stepCount, communities, entryPointId, terminalId
 - Use heuristicLabel (not label) for human-readable community/process names`,
         inputSchema: {
             type: 'object',
@@ -102,12 +108,14 @@ TIPS:
     {
         name: 'context',
         description: `360-degree view of a single code symbol.
-Shows categorized incoming/outgoing references (calls, imports, extends, implements), process participation, and file location.
+Shows categorized incoming/outgoing references (calls, imports, extends, implements, methods, properties, overrides), process participation, and file location.
 
 WHEN TO USE: After query() to understand a specific symbol in depth. When you need to know all callers, callees, and what execution flows a symbol participates in.
 AFTER THIS: Use impact() if planning changes, or READ gitnexus://repo/{name}/process/{processName} for full execution trace.
 
-Handles disambiguation: if multiple symbols share the same name, returns candidates for you to pick from. Use uid param for zero-ambiguity lookup from prior results.`,
+Handles disambiguation: if multiple symbols share the same name, returns candidates for you to pick from. Use uid param for zero-ambiguity lookup from prior results.
+
+NOTE: ACCESSES edges (field read/write tracking) are included in context results with reason 'read' or 'write'. CALLS edges resolve through field access chains and method-call chains (e.g., user.address.getCity().save() produces CALLS edges at each step).`,
         inputSchema: {
             type: 'object',
             properties: {
@@ -183,7 +191,9 @@ Depth groups:
 - d=2: LIKELY AFFECTED (indirect)
 - d=3: MAY NEED TESTING (transitive)
 
-EdgeType: CALLS, IMPORTS, EXTENDS, IMPLEMENTS, HAS_METHOD, OVERRIDES
+TIP: Default traversal uses CALLS/IMPORTS/EXTENDS/IMPLEMENTS. For class members, include HAS_METHOD and HAS_PROPERTY in relationTypes. For field access analysis, include ACCESSES in relationTypes.
+
+EdgeType: CALLS, IMPORTS, EXTENDS, IMPLEMENTS, HAS_METHOD, HAS_PROPERTY, OVERRIDES, ACCESSES
 Confidence: 1.0 = certain, <0.8 = fuzzy match`,
         inputSchema: {
             type: 'object',
@@ -191,7 +201,7 @@ Confidence: 1.0 = certain, <0.8 = fuzzy match`,
                 target: { type: 'string', description: 'Name of function, class, or file to analyze' },
                 direction: { type: 'string', description: 'upstream (what depends on this) or downstream (what this depends on)' },
                 maxDepth: { type: 'number', description: 'Max relationship depth (default: 3)', default: 3 },
-                relationTypes: { type: 'array', items: { type: 'string' }, description: 'Filter: CALLS, IMPORTS, EXTENDS, IMPLEMENTS, HAS_METHOD, OVERRIDES (default: usage-based)' },
+                relationTypes: { type: 'array', items: { type: 'string' }, description: 'Filter: CALLS, IMPORTS, EXTENDS, IMPLEMENTS, HAS_METHOD, HAS_PROPERTY, OVERRIDES, ACCESSES (default: usage-based, ACCESSES excluded by default)' },
                 includeTests: { type: 'boolean', description: 'Include test files (default: false)' },
                 minConfidence: { type: 'number', description: 'Minimum confidence 0-1 (default: 0.7)' },
                 repo: { type: 'string', description: 'Repository name or path. Omit if only one repo is indexed.' },

package/dist/server/api.d.ts

@@ -5,6 +5,24 @@
  * Also hosts the MCP server over StreamableHTTP for remote AI tool access.
  *
  * Security: binds to 127.0.0.1 by default (use --host to override).
- * CORS is restricted to localhost and the deployed site.
+ * CORS is restricted to localhost, private/LAN networks, and the deployed site.
  */
+/**
+ * Determine whether an HTTP Origin header value is allowed by CORS policy.
+ *
+ * Permitted origins:
+ * - No origin (non-browser requests such as curl or server-to-server calls)
+ * - http://localhost:<port> — local development
+ * - http://127.0.0.1:<port> — loopback alias
+ * - RFC 1918 private/LAN networks (any port):
+ *     10.0.0.0/8      → 10.x.x.x
+ *     172.16.0.0/12   → 172.16.x.x – 172.31.x.x
+ *     192.168.0.0/16  → 192.168.x.x
+ * - https://gitnexus.vercel.app — the deployed GitNexus web UI
+ *
+ * @param origin - The value of the HTTP `Origin` request header, or `undefined`
+ *                 when the header is absent (non-browser request).
+ * @returns `true` if the origin is allowed, `false` otherwise.
+ */
+export declare const isAllowedOrigin: (origin: string | undefined) => boolean;
 export declare const createServer: (port: number, host?: string) => Promise<void>;

package/dist/server/api.js

@@ -5,7 +5,7 @@
  * Also hosts the MCP server over StreamableHTTP for remote AI tool access.
  *
  * Security: binds to 127.0.0.1 by default (use --host to override).
- * CORS is restricted to localhost and the deployed site.
+ * CORS is restricted to localhost, private/LAN networks, and the deployed site.
  */
 import express from 'express';
 import cors from 'cors';
@@ -20,6 +20,69 @@ import { hybridSearch } from '../core/search/hybrid-search.js';
 // at server startup — crashes on unsupported Node ABI versions (#89)
 import { LocalBackend } from '../mcp/local/local-backend.js';
 import { mountMCPEndpoints } from './mcp-http.js';
+/**
+ * Determine whether an HTTP Origin header value is allowed by CORS policy.
+ *
+ * Permitted origins:
+ * - No origin (non-browser requests such as curl or server-to-server calls)
+ * - http://localhost:<port> — local development
+ * - http://127.0.0.1:<port> — loopback alias
+ * - RFC 1918 private/LAN networks (any port):
+ *     10.0.0.0/8      → 10.x.x.x
+ *     172.16.0.0/12   → 172.16.x.x – 172.31.x.x
+ *     192.168.0.0/16  → 192.168.x.x
+ * - https://gitnexus.vercel.app — the deployed GitNexus web UI
+ *
+ * @param origin - The value of the HTTP `Origin` request header, or `undefined`
+ *                 when the header is absent (non-browser request).
+ * @returns `true` if the origin is allowed, `false` otherwise.
+ */
+export const isAllowedOrigin = (origin) => {
+    if (origin === undefined) {
+        // Non-browser requests (curl, server-to-server) have no Origin header
+        return true;
+    }
+    if (origin.startsWith('http://localhost:')
+        || origin === 'http://localhost'
+        || origin.startsWith('http://127.0.0.1:')
+        || origin === 'http://127.0.0.1'
+        || origin.startsWith('http://[::1]:')
+        || origin === 'http://[::1]'
+        || origin === 'https://gitnexus.vercel.app') {
+        return true;
+    }
+    // RFC 1918 private network ranges — allow any port on these hosts.
+    // We parse the hostname out of the origin URL and check against each range.
+    let hostname;
+    let protocol;
+    try {
+        const parsed = new URL(origin);
+        hostname = parsed.hostname;
+        protocol = parsed.protocol;
+    }
+    catch {
+        // Malformed origin — reject
+        return false;
+    }
+    // Only allow HTTP(S) origins — reject ftp://, file://, etc.
+    if (protocol !== 'http:' && protocol !== 'https:')
+        return false;
+    const octets = hostname.split('.').map(Number);
+    if (octets.length !== 4 || octets.some(o => !Number.isInteger(o) || o < 0 || o > 255)) {
+        return false;
+    }
+    const [a, b] = octets;
+    // 10.0.0.0/8
+    if (a === 10)
+        return true;
+    // 172.16.0.0/12  →  172.16.x.x – 172.31.x.x
+    if (a === 172 && b >= 16 && b <= 31)
+        return true;
+    // 192.168.0.0/16
+    if (a === 192 && b === 168)
+        return true;
+    return false;
+};
 const buildGraph = async () => {
     const nodes = [];
     for (const table of NODE_TABLES) {
@@ -101,14 +164,11 @@ const requestedRepo = (req) => {
 };
 export const createServer = async (port, host = '127.0.0.1') => {
     const app = express();
-    // CORS: only allow localhost origins and the deployed site.
+    // CORS: allow localhost, private/LAN networks, and the deployed site.
     // Non-browser requests (curl, server-to-server) have no origin and are allowed.
     app.use(cors({
         origin: (origin, callback) => {
-            if (!origin
-                || origin.startsWith('http://localhost:')
-                || origin.startsWith('http://127.0.0.1:')
-                || origin === 'https://gitnexus.vercel.app') {
+            if (isAllowedOrigin(origin)) {
                 callback(null, true);
             }
             else {

package/dist/storage/git.d.ts

@@ -4,3 +4,15 @@ export declare const getCurrentCommit: (repoPath: string) => string;
  * Find the git repository root from any path inside the repo
  */
 export declare const getGitRoot: (fromPath: string) => string | null;
+/**
+ * Check whether a directory contains a .git entry (file or folder).
+ *
+ * This is intentionally a simple filesystem check rather than running
+ * `git rev-parse`, so it works even when git is not installed or when
+ * the directory is a git-worktree root (which has a .git file, not a
+ * directory).  Use `isGitRepo` for a definitive git answer.
+ *
+ * @param dirPath - Absolute path to the directory to inspect.
+ * @returns `true` when `.git` is present, `false` otherwise.
+ */
+export declare const hasGitDir: (dirPath: string) => boolean;

package/dist/storage/git.js

@@ -1,4 +1,5 @@
 import { execSync } from 'child_process';
+import { statSync } from 'fs';
 import path from 'path';
 // Git utilities for repository detection, commit tracking, and diff analysis
 export const isGitRepo = (repoPath) => {
@@ -33,3 +34,23 @@ export const getGitRoot = (fromPath) => {
         return null;
     }
 };
+/**
+ * Check whether a directory contains a .git entry (file or folder).
+ *
+ * This is intentionally a simple filesystem check rather than running
+ * `git rev-parse`, so it works even when git is not installed or when
+ * the directory is a git-worktree root (which has a .git file, not a
+ * directory).  Use `isGitRepo` for a definitive git answer.
+ *
+ * @param dirPath - Absolute path to the directory to inspect.
+ * @returns `true` when `.git` is present, `false` otherwise.
+ */
+export const hasGitDir = (dirPath) => {
+    try {
+        statSync(path.join(dirPath, '.git'));
+        return true;
+    }
+    catch {
+        return false;
+    }
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "gitnexus",
-  "version": "1.4.6",
+  "version": "1.4.8",
   "description": "Graph-powered code intelligence for AI agents. Index any codebase, query via MCP or CLI.",
   "author": "Abhigyan Patwari",
   "license": "PolyForm-Noncommercial-1.0.0",
@@ -20,6 +20,7 @@
     "knowledge-graph",
     "cursor",
     "claude",
+    "codex",
     "ai-agent",
     "gitnexus",
     "static-analysis",
@@ -39,9 +40,9 @@
   "scripts": {
     "build": "tsc",
     "dev": "tsx watch src/cli/index.ts",
-    "test": "vitest run test/unit",
+    "test": "vitest run",
+    "test:unit": "vitest run test/unit",
     "test:integration": "vitest run test/integration",
-    "test:all": "vitest run",
     "test:watch": "vitest",
     "test:coverage": "vitest run --coverage",
     "prepare": "npm run build",
@@ -50,6 +51,7 @@
   },
   "dependencies": {
     "@huggingface/transformers": "^3.0.0",
+    "@ladybugdb/core": "^0.15.2",
     "@modelcontextprotocol/sdk": "^1.0.0",
     "cli-progress": "^3.12.0",
     "commander": "^12.0.0",
@@ -59,10 +61,10 @@
     "graphology": "^0.25.4",
     "graphology-indices": "^0.17.0",
     "graphology-utils": "^2.3.0",
-    "@ladybugdb/core": "^0.15.1",
     "ignore": "^7.0.5",
     "lru-cache": "^11.0.0",
     "mnemonist": "^0.39.0",
+    "onnxruntime-node": "^1.24.0",
     "pandemonium": "^2.4.0",
     "tree-sitter": "^0.21.0",
     "tree-sitter-c": "^0.21.0",
@@ -89,10 +91,16 @@
     "@types/node": "^20.0.0",
     "@types/uuid": "^10.0.0",
     "@vitest/coverage-v8": "^4.0.18",
+    "husky": "^9.1.7",
     "tsx": "^4.0.0",
     "typescript": "^5.4.5",
     "vitest": "^4.0.18"
   },
+  "overrides": {
+    "@huggingface/transformers": {
+      "onnxruntime-node": "$onnxruntime-node"
+    }
+  },
   "engines": {
     "node": ">=18.0.0"
   }