gitnexus 1.6.4-rc.90 → 1.6.4-rc.92

package/dist/core/git-staleness.d.ts

@@ -12,6 +12,12 @@ export interface StalenessInfo {
  * Check how many commits the index is behind HEAD (synchronous; uses git CLI).
  */
 export declare function checkStaleness(repoPath: string, lastCommit: string): StalenessInfo;
+/**
+ * Async variant of {@link checkStaleness} — spawns git as a child process
+ * instead of blocking the event loop.  Used by `listRepos()` to check many
+ * repos in parallel (issue #1363: 200 repos × sync spawn ≈ 50 s).
+ */
+export declare function checkStalenessAsync(repoPath: string, lastCommit: string): Promise<StalenessInfo>;
 /**
  * Resolve a working directory against the global registry. Returns:
  *   - `match: 'path'`              when `cwd` is inside a registered entry's path

package/dist/core/git-staleness.js

@@ -2,10 +2,12 @@
  * Git working tree vs index commit staleness (used by MCP resources, group status, etc.).
  * Lives in core/ so application code does not depend on the MCP package layer.
  */
-import { execFileSync } from 'node:child_process';
+import { execFile, execFileSync } from 'node:child_process';
+import { promisify } from 'node:util';
 import path from 'path';
 import { readRegistry } from '../storage/repo-manager.js';
 import { findGitRootByDotGit, getCurrentCommit, getRemoteUrl } from '../storage/git.js';
+const execFileAsync = promisify(execFile);
 /**
  * Check how many commits the index is behind HEAD (synchronous; uses git CLI).
  */
@@ -30,6 +32,33 @@ export function checkStaleness(repoPath, lastCommit) {
         return { isStale: false, commitsBehind: 0 };
     }
 }
+/**
+ * Async variant of {@link checkStaleness} — spawns git as a child process
+ * instead of blocking the event loop.  Used by `listRepos()` to check many
+ * repos in parallel (issue #1363: 200 repos × sync spawn ≈ 50 s).
+ */
+export async function checkStalenessAsync(repoPath, lastCommit) {
+    try {
+        // Note: promisified execFile captures stdout/stderr by default (no stdio option needed,
+        // unlike the sync variant which requires explicit stdio: ['pipe','pipe','pipe']).
+        const { stdout } = await execFileAsync('git', ['rev-list', '--count', `${lastCommit}..HEAD`], {
+            cwd: repoPath,
+            encoding: 'utf-8',
+        });
+        const commitsBehind = parseInt(stdout.trim(), 10) || 0;
+        if (commitsBehind > 0) {
+            return {
+                isStale: true,
+                commitsBehind,
+                hint: `⚠️ Index is ${commitsBehind} commit${commitsBehind > 1 ? 's' : ''} behind HEAD. Run analyze tool to update.`,
+            };
+        }
+        return { isStale: false, commitsBehind: 0 };
+    }
+    catch {
+        return { isStale: false, commitsBehind: 0 };
+    }
+}
 /**
  * Compare a sibling-clone HEAD against an indexed `lastCommit`. Returns
  * `undefined` when the indexed commit is not reachable from the sibling

package/dist/core/group/cross-impact.d.ts

@@ -12,6 +12,20 @@ export interface RunGroupImpactDeps {
     port: GroupToolPort;
     gitnexusDir: string;
 }
+/**
+ * Clamp the impact timeout to a sane bounded range. Callers can feed this
+ * via tool params, so an unclamped value lets a single request hold a
+ * timer slot for an arbitrarily long duration (CodeQL js/resource-
+ * exhaustion). 100ms lower bound preserves test-suite scenarios that
+ * exercise tight timeouts; 5min upper bound is well above any legitimate
+ * single-impact compute. Applied at the validate boundary so the
+ * downstream `deadline` (Date.now() + timeoutMs) and the local-leg
+ * `setTimeout` see the same clamped value — earlier shapes had a 1hr
+ * outer cap and a 5min inner clamp that disagreed.
+ */
+export declare const IMPACT_TIMEOUT_MIN_MS = 100;
+export declare const IMPACT_TIMEOUT_MAX_MS: number;
+export declare function clampTimeout(timeoutMs: number): number;
 export declare function validateGroupImpactParams(params: Record<string, unknown>): {
     ok: true;
     name: string;
@@ -31,6 +45,36 @@ export declare function validateGroupImpactParams(params: Record<string, unknown
     ok: false;
     error: string;
 };
+/**
+ * Race a single Phase-2 `impactByUid` call against a remaining-budget
+ * timer. The Codex adversarial review on PR #1331 surfaced that the
+ * fanout loop only checked `Date.now() > deadline` *between* neighbor
+ * calls — once `await port.impactByUid(...)` was reached, a hung
+ * neighbor could pin the request indefinitely, and slow neighbors
+ * could compound past the 5-min `IMPACT_TIMEOUT_MAX_MS` cap.
+ *
+ * This helper wraps each call: a `setTimeout(remainingMs)` aborts an
+ * `AbortController` whose signal is forwarded to `impactByUid`, and a
+ * `Promise.race` resolves to `{ timedOut: true }` when the timer
+ * fires before the call completes. Implementors that ignore the
+ * signal (current local backend) still see their await resolved by
+ * the race; full cooperative cancellation inside the BFS is a future
+ * follow-up. On rejection, the value is `null` (matching the
+ * fanout's existing `if (fan == null)` truncation contract).
+ *
+ * Exported for direct unit testing — the helper IS the load-bearing
+ * mitigation surface, so the U3 regression test pins it directly
+ * rather than driving the full `runGroupImpact` path.
+ */
+export declare function safeNeighborImpact(port: GroupToolPort, repoId: string, uid: string, direction: string, opts: {
+    maxDepth: number;
+    relationTypes: string[];
+    minConfidence: number;
+    includeTests: boolean;
+}, remainingMs: number): Promise<{
+    value: unknown;
+    timedOut: boolean;
+}>;
 export declare function collectImpactSymbolUids(local: unknown, servicePrefix: string | undefined): {
     uids: string[];
     targetFilePath?: string;

package/dist/core/group/cross-impact.js

@@ -55,6 +55,24 @@ function clampCrossDepth(raw) {
     }
     return { depth: d };
 }
+/**
+ * Clamp the impact timeout to a sane bounded range. Callers can feed this
+ * via tool params, so an unclamped value lets a single request hold a
+ * timer slot for an arbitrarily long duration (CodeQL js/resource-
+ * exhaustion). 100ms lower bound preserves test-suite scenarios that
+ * exercise tight timeouts; 5min upper bound is well above any legitimate
+ * single-impact compute. Applied at the validate boundary so the
+ * downstream `deadline` (Date.now() + timeoutMs) and the local-leg
+ * `setTimeout` see the same clamped value — earlier shapes had a 1hr
+ * outer cap and a 5min inner clamp that disagreed.
+ */
+export const IMPACT_TIMEOUT_MIN_MS = 100;
+export const IMPACT_TIMEOUT_MAX_MS = 5 * 60 * 1_000;
+export function clampTimeout(timeoutMs) {
+    if (!Number.isFinite(timeoutMs) || timeoutMs <= 0)
+        return IMPACT_TIMEOUT_MIN_MS;
+    return Math.min(IMPACT_TIMEOUT_MAX_MS, Math.max(IMPACT_TIMEOUT_MIN_MS, Math.trunc(timeoutMs)));
+}
 export function validateGroupImpactParams(params) {
     const name = String(params.name ?? '').trim();
     const repoPath = String(params.repo ?? '').trim();
@@ -88,13 +106,18 @@ export function validateGroupImpactParams(params) {
         minConfidence = 1;
     const service = normalizeServicePrefix(params.service);
     const subgroup = typeof params.subgroup === 'string' ? params.subgroup : undefined;
-    let timeoutMs = typeof params.timeoutMs === 'number' && params.timeoutMs > 0
+    // Clamp at the validate boundary so the downstream `deadline` (line
+    // ~366) and `safeLocalImpact`'s `setTimeout` both see a single
+    // bounded value. Without this, the outer deadline budgeted Phase-2
+    // cross-repo fanout up to 1hr while only the inner setTimeout was
+    // capped to 5min — the two halves of CodeQL #184's mitigation
+    // disagreed.
+    const rawTimeoutMs = typeof params.timeoutMs === 'number' && params.timeoutMs > 0
         ? params.timeoutMs
         : typeof params.timeout === 'number' && params.timeout > 0
             ? params.timeout
             : DEFAULT_LOCAL_IMPACT_TIMEOUT_MS;
-    if (timeoutMs > 3_600_000)
-        timeoutMs = 3_600_000;
+    const timeoutMs = clampTimeout(rawTimeoutMs);
     return {
         ok: true,
         name,
@@ -125,12 +148,13 @@ async function resolveGroupRepo(port, config, repoPath) {
     }
 }
 async function safeLocalImpact(port, repo, impactParams, timeoutMs) {
+    const safeTimeoutMs = clampTimeout(timeoutMs);
     let timer;
     const impactP = port.impact(repo, impactParams).catch((err) => ({
         error: err instanceof Error ? err.message : String(err),
     }));
     const timeoutP = new Promise((resolve) => {
-        timer = setTimeout(() => resolve('timeout'), timeoutMs);
+        timer = setTimeout(() => resolve('timeout'), safeTimeoutMs);
     });
     const won = await Promise.race([
         impactP.then((v) => ({ tag: 'impact', v })),
@@ -146,6 +170,50 @@ async function safeLocalImpact(port, repo, impactParams, timeoutMs) {
     }
     return { value: won.v, timedOut: false };
 }
+/**
+ * Race a single Phase-2 `impactByUid` call against a remaining-budget
+ * timer. The Codex adversarial review on PR #1331 surfaced that the
+ * fanout loop only checked `Date.now() > deadline` *between* neighbor
+ * calls — once `await port.impactByUid(...)` was reached, a hung
+ * neighbor could pin the request indefinitely, and slow neighbors
+ * could compound past the 5-min `IMPACT_TIMEOUT_MAX_MS` cap.
+ *
+ * This helper wraps each call: a `setTimeout(remainingMs)` aborts an
+ * `AbortController` whose signal is forwarded to `impactByUid`, and a
+ * `Promise.race` resolves to `{ timedOut: true }` when the timer
+ * fires before the call completes. Implementors that ignore the
+ * signal (current local backend) still see their await resolved by
+ * the race; full cooperative cancellation inside the BFS is a future
+ * follow-up. On rejection, the value is `null` (matching the
+ * fanout's existing `if (fan == null)` truncation contract).
+ *
+ * Exported for direct unit testing — the helper IS the load-bearing
+ * mitigation surface, so the U3 regression test pins it directly
+ * rather than driving the full `runGroupImpact` path.
+ */
+export async function safeNeighborImpact(port, repoId, uid, direction, opts, remainingMs) {
+    const controller = new AbortController();
+    let timer;
+    const callP = port
+        .impactByUid(repoId, uid, direction, { ...opts, signal: controller.signal })
+        .catch(() => null);
+    const timeoutP = new Promise((resolve) => {
+        timer = setTimeout(() => {
+            controller.abort();
+            resolve('timeout');
+        }, Math.max(0, remainingMs));
+    });
+    const won = await Promise.race([
+        callP.then((v) => ({ tag: 'impact', v })),
+        timeoutP.then(() => ({ tag: 'timeout' })),
+    ]);
+    if (timer !== undefined)
+        clearTimeout(timer);
+    if (won.tag === 'timeout') {
+        return { value: null, timedOut: true };
+    }
+    return { value: won.v, timedOut: false };
+}
 export function collectImpactSymbolUids(local, servicePrefix) {
     const uids = new Set();
     let targetFilePath;
@@ -372,7 +440,8 @@ export async function runGroupImpact(deps, params) {
             if (seen.has(key))
                 continue;
             seen.add(key);
-            if (Date.now() > deadline) {
+            const remainingMs = deadline - Date.now();
+            if (remainingMs <= 0) {
                 truncatedRepos.push(n.neighborRepo);
                 continue;
             }
@@ -387,13 +456,18 @@ export async function runGroupImpact(deps, params) {
                 truncatedRepos.push(n.neighborRepo);
                 continue;
             }
-            const fan = await deps.port.impactByUid(neighborHandle.id, n.neighborUid, direction, {
+            // Phase-2 hardening: race each impactByUid against a per-call
+            // timeout derived from the remaining budget. Without this wrap a
+            // single hung neighbor would pin the request past the clamped
+            // timeout, which Codex's adversarial review on PR #1331 flagged
+            // as the still-open half of CodeQL #184 / js/resource-exhaustion.
+            const { value: fan, timedOut: neighborTimedOut } = await safeNeighborImpact(deps.port, neighborHandle.id, n.neighborUid, direction, {
                 maxDepth,
                 relationTypes: relationTypes ?? [],
                 minConfidence,
                 includeTests,
-            });
-            if (fan == null) {
+            }, remainingMs);
+            if (neighborTimedOut || fan == null) {
                 truncatedRepos.push(n.neighborRepo);
                 continue;
             }

package/dist/core/group/extractors/rust-workspace-extractor.d.ts

@@ -17,6 +17,20 @@ interface CrateMeta {
     repoPath: string;
     workspaceDeps: string[];
 }
+/**
+ * Linear-time `[package].name = "..."` lookup. The previous regex
+ * `^\[package\]\s*\n(?:[^\[]*?\n)*?name\s*=\s*"([^"]+)"` had a nested
+ * lazy quantifier on `\n` that CodeQL js/redos flagged as exponential
+ * on inputs like `[package]\n` + many bare `\n`. We walk lines
+ * explicitly: scan from the first `[package]` header until we hit the
+ * next `[...]` section header, looking for the `name = "..."` line.
+ * O(n) with the line count.
+ *
+ * Exported so the U8 ReDoS regression test can drive the production
+ * line-walk directly with adversarial fixtures (multi-line strings,
+ * trailing sections, etc.) instead of duplicating it inline.
+ */
+export declare function parseCargoPackageName(content: string): string | null;
 export interface RustWorkspaceResult {
     links: GroupManifestLink[];
     discoveredCrates: Map<string, CrateMeta>;

package/dist/core/group/extractors/rust-workspace-extractor.js

@@ -3,6 +3,34 @@ import path from 'node:path';
 import { shouldIgnorePath } from '../../../config/ignore-service.js';
 import { loadIgnoreRules } from '../../../config/ignore-service.js';
 import { logger } from '../../logger.js';
+/**
+ * Linear-time `[package].name = "..."` lookup. The previous regex
+ * `^\[package\]\s*\n(?:[^\[]*?\n)*?name\s*=\s*"([^"]+)"` had a nested
+ * lazy quantifier on `\n` that CodeQL js/redos flagged as exponential
+ * on inputs like `[package]\n` + many bare `\n`. We walk lines
+ * explicitly: scan from the first `[package]` header until we hit the
+ * next `[...]` section header, looking for the `name = "..."` line.
+ * O(n) with the line count.
+ *
+ * Exported so the U8 ReDoS regression test can drive the production
+ * line-walk directly with adversarial fixtures (multi-line strings,
+ * trailing sections, etc.) instead of duplicating it inline.
+ */
+export function parseCargoPackageName(content) {
+    const lines = content.split('\n');
+    const packageStart = lines.findIndex((l) => l.trim() === '[package]');
+    if (packageStart < 0)
+        return null;
+    for (let i = packageStart + 1; i < lines.length; i++) {
+        const line = lines[i].trimStart();
+        if (line.startsWith('['))
+            break; // hit the next section header
+        const m = /^name\s*=\s*"([^"]+)"/.exec(line);
+        if (m)
+            return m[1];
+    }
+    return null;
+}
 /**
  * Parse a Cargo.toml to extract the crate name and workspace dependency
  * names. Uses simple line-based parsing — no TOML library needed for
@@ -17,11 +45,8 @@ async function parseCrateManifest(repoPath) {
     catch {
         return null;
     }
-    let name = '';
+    const name = parseCargoPackageName(content) ?? '';
     const workspaceDeps = [];
-    const nameMatch = content.match(/^\[package\]\s*\n(?:[^\[]*?\n)*?name\s*=\s*"([^"]+)"/m);
-    if (nameMatch)
-        name = nameMatch[1];
     // Match dependencies that use workspace = true, which indicates they
     // are workspace-internal deps:
     //   dep_name = { workspace = true }

package/dist/core/group/service.d.ts

@@ -34,6 +34,7 @@ export interface GroupToolPort {
         relationTypes: string[];
         minConfidence: number;
         includeTests: boolean;
+        signal?: AbortSignal;
     }): Promise<unknown | null>;
     context(repo: GroupRepoHandle, params: {
         name?: string;

package/dist/core/ingestion/cobol/cobol-preprocessor.d.ts

@@ -202,6 +202,8 @@ export interface CobolRegexResults {
  * Preserves exact line count for position mapping.
  */
 export declare function preprocessCobolSource(content: string): string;
+export declare const RE_SET_TO_TRUE: RegExp;
+export declare const RE_SET_INDEX: RegExp;
 /**
  * Extract COBOL symbols using a single-pass state machine.
  * Extracts program name, paragraphs, sections, CALL, PERFORM, COPY,

package/dist/core/ingestion/cobol/cobol-preprocessor.js

@@ -178,8 +178,20 @@ const RE_DECLARATIVES_START = /^\s*DECLARATIVES\s*\.\s*$/i;
 const RE_DECLARATIVES_END = /^\s*END\s+DECLARATIVES\s*\.\s*$/i;
 const RE_USE_AFTER = /\bUSE\s+(?:AFTER\s+)?(?:STANDARD\s+)?(?:EXCEPTION|ERROR)\s+ON\s+([A-Z][A-Z0-9-]+|INPUT|OUTPUT|I-O|EXTEND)\b/i;
 // SET statement (condition, index)
-const RE_SET_TO_TRUE = /\bSET\s+((?:[A-Z][A-Z0-9-]+(?:\s+OF\s+[A-Z][A-Z0-9-]+)?\s+)+)TO\s+TRUE\b/i;
-const RE_SET_INDEX = /\bSET\s+((?:[A-Z][A-Z0-9-]+\s+)+)(TO|UP\s+BY|DOWN\s+BY)\s+(\d+|[A-Z][A-Z0-9-]+)/i;
+//
+// Catastrophic-backtracking note (CodeQL js/redos): the previous shape
+// `((?:[A-Z][A-Z0-9-]+(?:\s+OF\s+[A-Z][A-Z0-9-]+)?\s+)+)TO\s+TRUE`
+// nested `\s+` quantifiers across alternations and was exponential on
+// inputs like "SET a OF a OF a ... TO TRUE". Replaced with a lazy
+// dot-match bounded by the explicit `\s+TO\s+TRUE` suffix — `.+?` is
+// O(n) with the trailing anchor, and the captured group is parsed
+// downstream the same way as before.
+// Exported so the U8 ReDoS regression test can pin the exact production
+// pattern. Direct import is the only way to ensure the test's
+// pathological-input timing assertion exercises the production regex
+// instead of an inline copy that drifts.
+export const RE_SET_TO_TRUE = /\bSET\s+(.+?)\s+TO\s+TRUE\b/i;
+export const RE_SET_INDEX = /\bSET\s+(.+?)\s+(TO|UP\s+BY|DOWN\s+BY)\s+(\d+|[A-Z][A-Z0-9-]+)/i;
 // INITIALIZE statement — data reset (captures targets before REPLACING/WITH clause)
 const RE_INITIALIZE = /\bINITIALIZE\s+([\s\S]*?)(?=\bREPLACING\b|\bWITH\b|\.\s*$|$)/i;
 const INITIALIZE_CLAUSE_KEYWORDS = new Set([

package/dist/core/lbug/lbug-config.d.ts

@@ -32,9 +32,12 @@ import type lbug from '@ladybugdb/core';
  * integer; anything invalid falls back to the default.
  */
 export declare const LBUG_MAX_DB_SIZE: number;
+export declare const WAL_RECOVERY_SUGGESTION = "WAL corruption detected. Run `gitnexus analyze` to rebuild the index.";
+export declare function isWalCorruptionError(err: unknown): boolean;
 type LbugModule = typeof lbug;
 export interface LbugDatabaseOptions {
     readOnly?: boolean;
+    throwOnWalReplayFailure?: boolean;
 }
 export interface LbugConnectionHandle {
     db: lbug.Database;

package/dist/core/lbug/lbug-config.js

@@ -39,8 +39,22 @@ export const LBUG_MAX_DB_SIZE = (() => {
     }
     return 16 * 1024 * 1024 * 1024;
 })();
+/** Matches WAL corruption errors from the LadybugDB engine. */
+const WAL_CORRUPTION_RE = /corrupt(ed)?\s+wal|invalid\s+wal\s+record|wal.*corrupt|checksum.*wal/i;
+export const WAL_RECOVERY_SUGGESTION = 'WAL corruption detected. Run `gitnexus analyze` to rebuild the index.';
+export function isWalCorruptionError(err) {
+    if (!err)
+        return false;
+    const msg = err instanceof Error ? err.message : String(err);
+    return WAL_CORRUPTION_RE.test(msg);
+}
 export function createLbugDatabase(lbugModule, databasePath, options = {}) {
-    return new lbugModule.Database(databasePath, 0, false, options.readOnly ?? false, LBUG_MAX_DB_SIZE);
+    // .d.ts declares fewer args than the native constructor accepts.
+    return new lbugModule.Database(databasePath, 0, // bufferManagerSize
+    false, // enableCompression (pinned for v0.16.0)
+    options.readOnly ?? false, LBUG_MAX_DB_SIZE, true, // autoCheckpoint
+    -1, // checkpointThreshold
+    options.throwOnWalReplayFailure ?? true, true);
 }
 export async function openLbugConnection(lbugModule, databasePath, options = {}) {
     let db;

package/dist/core/lbug/pool-adapter.js

@@ -17,7 +17,7 @@
 import fs from 'fs/promises';
 import lbug from '@ladybugdb/core';
 import { loadFTSExtension } from './lbug-adapter.js';
-import { createLbugDatabase } from './lbug-config.js';
+import { createLbugDatabase, isWalCorruptionError } from './lbug-config.js';
 const pool = new Map();
 const poolCloseListeners = new Set();
 /**
@@ -51,7 +51,7 @@ let idleTimer = null;
 // @ladybugdb/core), corrupting stdout in the pre-sentinel window. Routing
 // through the leaf breaks that chain.
 export { realStdoutWrite, realStderrWrite, setActiveStdoutWrite } from '../../mcp/stdio-capture.js';
-import { getActiveStdoutWrite } from '../../mcp/stdio-capture.js';
+import { getActiveStdoutWrite, realStderrWrite } from '../../mcp/stdio-capture.js';
 let stdoutSilenceCount = 0;
 /** True while pre-warming connections — prevents watchdog from prematurely restoring stdout */
 let preWarmActive = false;
@@ -203,6 +203,44 @@ const QUERY_TIMEOUT_MS = 30_000;
 const WAITER_TIMEOUT_MS = 15_000;
 const LOCK_RETRY_ATTEMPTS = 3;
 const LOCK_RETRY_DELAY_MS = 2000;
+async function openReadOnlyDatabase(dbPath) {
+    let db;
+    silenceStdout();
+    try {
+        db = createLbugDatabase(lbug, dbPath, {
+            readOnly: true,
+            throwOnWalReplayFailure: false,
+        });
+        await db.init();
+        return db;
+    }
+    catch (err) {
+        if (db)
+            await db.close().catch(() => { });
+        throw err;
+    }
+    finally {
+        restoreStdout();
+    }
+}
+/**
+ * Quarantine the .wal file and retry opening the database.
+ * Used when the initial open fails with a WAL corruption error.
+ */
+async function tryQuarantineAndReopen(dbPath, repoId) {
+    const walPath = dbPath + '.wal';
+    const quarantineName = `${walPath}.corrupt.${Date.now()}-${Math.random().toString(36).slice(2)}`;
+    try {
+        await fs.rename(walPath, quarantineName);
+    }
+    catch {
+        throw new Error(`LadybugDB WAL corruption detected for ${repoId}. ` +
+            `Run \`gitnexus analyze\` to rebuild the index. (quarantine failed)`);
+    }
+    realStderrWrite(`GitNexus: LadybugDB WAL quarantined for ${repoId}; graph may be stale. ` +
+        `Run \`gitnexus analyze\` to rebuild the index.\n`);
+    return await openReadOnlyDatabase(dbPath);
+}
 /** Deduplicates concurrent initLbug calls for the same repoId */
 const initPromises = new Map();
 /**
@@ -256,17 +294,27 @@ async function doInitLbug(repoId, dbPath) {
         // avoids lock conflicts when `gitnexus analyze` is writing.
         let lastError = null;
         for (let attempt = 1; attempt <= LOCK_RETRY_ATTEMPTS; attempt++) {
-            silenceStdout();
             try {
-                const db = createLbugDatabase(lbug, dbPath, { readOnly: true });
-                restoreStdout();
+                const db = await openReadOnlyDatabase(dbPath);
                 shared = { db, refCount: 0, ftsLoaded: false };
                 dbCache.set(dbPath, shared);
                 break;
             }
             catch (err) {
-                restoreStdout();
                 lastError = err instanceof Error ? err : new Error(String(err));
+                if (isWalCorruptionError(lastError)) {
+                    try {
+                        const db = await tryQuarantineAndReopen(dbPath, repoId);
+                        shared = { db, refCount: 0, ftsLoaded: false };
+                        dbCache.set(dbPath, shared);
+                        break;
+                    }
+                    catch (retryErr) {
+                        throw new Error(`LadybugDB WAL corruption detected for ${repoId}. ` +
+                            `Run \`gitnexus analyze\` to rebuild the index. ` +
+                            `(${retryErr instanceof Error ? retryErr.message : String(retryErr)})`);
+                    }
+                }
                 const isLockError = lastError.message.includes('Could not set lock') || lastError.message.includes('lock');
                 if (!isLockError || attempt === LOCK_RETRY_ATTEMPTS)
                     break;

package/dist/mcp/local/local-backend.d.ts

@@ -259,6 +259,7 @@ export declare class LocalBackend {
      * UID-based direct lookup. No cluster in output.
      */
     private context;
+    private _contextImpl;
     /**
      * Legacy explore — kept for backwards compatibility with resources.ts.
      * Routes cluster/process types to direct graph queries.
@@ -290,6 +291,7 @@ export declare class LocalBackend {
         relationTypes: string[];
         minConfidence: number;
         includeTests: boolean;
+        signal?: AbortSignal;
     }): Promise<any | null>;
     private handleGroupTool;
     /**

package/dist/mcp/local/local-backend.js

@@ -8,6 +8,7 @@
 import fs from 'fs/promises';
 import path from 'path';
 import { initLbug, executeQuery, executeParameterized, closeLbug, isLbugReady, isWriteQuery, } from '../../core/lbug/pool-adapter.js';
+import { isWalCorruptionError, WAL_RECOVERY_SUGGESTION } from '../../core/lbug/lbug-config.js';
 export { isWriteQuery };
 // Embedding imports are lazy (dynamic import) to avoid loading onnxruntime-node
 // at MCP server startup — crashes on unsupported Node ABI versions (#89)
@@ -22,7 +23,7 @@ import { rankExactEmbeddingRows, } from '../../core/embeddings/exact-search.js';
 import { EMBEDDING_TABLE_NAME, EMBEDDING_INDEX_NAME } from '../../core/lbug/schema.js';
 import { getExactScanLimit, isVectorExtensionSupportedByPlatform, } from '../../core/platform/capabilities.js';
 import { PhaseTimer } from '../../core/search/phase-timer.js';
-import { checkStaleness, checkCwdMatch } from '../../core/git-staleness.js';
+import { checkStalenessAsync, checkCwdMatch } from '../../core/git-staleness.js';
 import { logger } from '../../core/logger.js';
 // AI context generation is CLI-only (gitnexus analyze)
 // import { generateAIContextFiles } from '../../cli/ai-context.js';
@@ -464,8 +465,12 @@ export class LocalBackend {
             list.push(h);
             byRemote.set(h.remoteUrl, list);
         }
-        return handles.map((h) => {
-            const stale = checkStaleness(h.repoPath, h.lastCommit);
+        // Check staleness for all repos in parallel instead of sequentially.
+        // Each check spawns an async `git rev-list` — with 200 repos the sync
+        // variant took ~50 s; parallel async brings it under a second (#1363).
+        const stalenessResults = await Promise.all(handles.map((h) => checkStalenessAsync(h.repoPath, h.lastCommit)));
+        return handles.map((h, i) => {
+            const stale = stalenessResults[i];
             const selfNorm = norm(h.repoPath);
             const siblings = h.remoteUrl
                 ? (byRemote.get(h.remoteUrl) ?? []).filter((e) => norm(e.repoPath) !== selfNorm)
@@ -1018,7 +1023,14 @@ export class LocalBackend {
             return result;
         }
         catch (err) {
-            return { error: err.message || 'Query failed' };
+            const msg = err.message || 'Query failed';
+            if (isWalCorruptionError(err)) {
+                return {
+                    error: msg,
+                    recoverySuggestion: WAL_RECOVERY_SUGGESTION,
+                };
+            }
+            return { error: msg };
         }
     }
     /**
@@ -1385,6 +1397,21 @@ export class LocalBackend {
      * UID-based direct lookup. No cluster in output.
      */
     async context(repo, params) {
+        try {
+            return await this._contextImpl(repo, params);
+        }
+        catch (err) {
+            const msg = (err instanceof Error ? err.message : String(err)) || 'Context query failed';
+            if (isWalCorruptionError(err)) {
+                return {
+                    error: msg,
+                    recoverySuggestion: WAL_RECOVERY_SUGGESTION,
+                };
+            }
+            throw err;
+        }
+    }
+    async _contextImpl(repo, params) {
         await this.ensureInitialized(repo.id);
         const { name, uid, file_path, kind, include_content } = params;
         if (!name && !uid) {
@@ -1986,6 +2013,7 @@ export class LocalBackend {
                 impactedCount: 0,
                 risk: 'UNKNOWN',
                 suggestion: 'The graph query failed — try gitnexus context <symbol> as a fallback',
+                ...(isWalCorruptionError(err) ? { recoverySuggestion: WAL_RECOVERY_SUGGESTION } : {}),
             };
         }
     }
@@ -2423,6 +2451,12 @@ export class LocalBackend {
      * Returns null if the repo is unknown, the UID is missing, or analysis fails.
      */
     async impactByUid(repoId, uid, direction, opts) {
+        // Honor an already-aborted signal at the entry boundary as a fast
+        // path. Cooperative cancellation inside _runImpactBFS is out of
+        // scope — the caller's Promise.race against the same signal
+        // resolves the await regardless of how long this body runs.
+        if (opts.signal?.aborted)
+            return null;
         try {
             await this.refreshRepos();
             await this.ensureInitialized(repoId);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "gitnexus",
-  "version": "1.6.4-rc.90",
+  "version": "1.6.4-rc.92",
   "description": "Graph-powered code intelligence for AI agents. Index any codebase, query via MCP or CLI.",
   "author": "Abhigyan Patwari",
   "license": "PolyForm-Noncommercial-1.0.0",