GitNexus v1.6.8
The Program Dependence Graph release. Opt-in PDG-backed impact analysis and taint tracking, built out across every supported language — plus multi-branch indexing, private-repo cloning, and a streamable-HTTP MCP server.
✨ Highlights
- 🎯 PDG-backed impact analysis — `impact` gains an opt-in `mode: 'pdg'` that runs statement-level and inter-procedural program slicing for a far more precise blast radius, validated by a mutation oracle. The default call-graph mode is unchanged. (#2227)
- 🧬 A full Program Dependence Graph substrate — control-flow graphs, reaching-definitions data dependence, and control dependence (post-dominators + a Ferrante-style CDG) now exist for every supported language. All of it is opt-in behind `--pdg`; a default `analyze` run stays byte-identical. (#2197, #2160, #2188, #2211)
- 🔬 Taint analysis — intra-procedural tracking over the PDG plus inter-procedural taint via function summaries propagated over resolved `CALLS` edges. (#2164, #2179)
- 🌿 Multi-branch indexing — analyze and query a repository per branch, each stored under its own subdirectory, with the primary-branch layout untouched. (#2137)
- 🔐 Private repositories — clone private GitHub repos with a PAT, with Azure DevOps Server support. (#2223)
- 🔌 MCP gains a `trace` tool and an HTTP server — shortest call path between two symbols, and `gitnexus mcp --http` over Streamable HTTP (with legacy SSE). (#2173, #2141)
🚀 Added
- PDG-backed impact analysis (opt-in) — `impact` gains a `mode: 'pdg'` that runs statement-level and inter-procedural program slicing for a far more precise blast radius, with resolved-callee-id soundness and validation by a mutation oracle; the default call-graph mode is unchanged (#2227)
- Program Dependence Graph substrate across the language matrix — a control-flow-graph layer landed for TS/JS (#2099) and was extended to PDG/CFG visitors for every supported language (#2197); on top of it an intra-procedural `REACHING_DEF` data-dependence layer (#2160), value-position branches (`if`/`when`/`switch`/`match`/`try` used as expressions) modeled as control dependence (#2211), and full control dependence via post-dominators + a Ferrante-style CDG (#2188). All layers are opt-in behind `--pdg`; a default `analyze` run stays byte-identical (#2082, #2085, #2205, #2207, #2195)
- Taint analysis — intra-procedural taint tracking over the PDG (#2164) plus inter-procedural taint via function summaries propagated over resolved `CALLS` edges (#2179) (#2083, #2084)
- Multi-branch indexing and branch-scoped querying — analyze and query a repository per branch, with each branch stored under its own subdirectory and the primary-branch layout left unchanged (#2137, #2106)
- Private GitHub repos via PAT + Azure DevOps Server support — `gitnexus analyze` can clone private GitHub repositories with a personal access token and supports Azure DevOps Server remotes (#2223, #2076, #2210)
- MCP `trace` tool — returns the shortest call path between two symbols (#2173)
- MCP HTTP server — `gitnexus mcp --http` exposes the server over Streamable HTTP with legacy SSE transport support (#2141)
- HTTP route extraction — Java Spring route annotations are now extracted into `Route` nodes (#2078), and the HTTP method is persisted on each `Route` node (#2234, #2138)
- `gitnexus analyze` circular import cycle check (#2166)
- `gitnexus analyze` embeddings flags — `--embeddings-baseurl`, `--embeddings-model`, `--embeddings-auth-token`, and `--embeddings-dims` to point analyze at a custom embeddings provider (#2140)
- `gitnexus setup` coding-agent integration selection — choose which coding-agent integrations to install during setup (#2168)
- C++ CUDA source extensions parsed — `.cu`/`.cuh` files are now ingested (#2213)
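The two items above (the `REACHING_DEF` data-dependence layer and intra-/inter-procedural taint via function summaries over `CALLS` edges) describe a mechanism that is easier to see than to read about. The following is an added illustration written for this page, not GitNexus source: it assumes a toy straight-line three-address IR with `source`/`assign`/`call`/`sink` statement kinds, a hypothetical `Summary` shape, and a constructed three-function program. It builds reaching-definition edges per use, propagates taint along them, and carries taint across a call through a per-callee summary. The real implementation's CFG, control dependence, and graph emit are not modeled.

```typescript
// Added illustration, not GitNexus source: a toy PDG-style taint pass over a
// straight-line three-address IR. Each statement is a node, REACHING_DEF
// edges link each use to the last definition before it, and a per-function
// summary carries taint across a resolved call edge. All names are assumed.

type Stmt =
  | { kind: 'source'; def: string }                               // v = <untrusted input>
  | { kind: 'assign'; def: string; uses: string[] }               // v = op(uses...)
  | { kind: 'call'; def: string | null; callee: string; args: string[] }
  | { kind: 'sink'; uses: string[] };                             // dangerous consumer

interface Func { name: string; params: string[]; body: Stmt[]; ret: string | null }
interface Result { taintedStmts: Set<number>; retTainted: boolean; sinkHits: number[] }
interface Summary {
  paramsToRet: Set<number>;   // param positions whose taint reaches the return value
  paramsToSink: Set<number>;  // param positions whose taint reaches a sink in the callee
}

function usesOf(s: Stmt): string[] {
  return s.kind === 'source' ? [] : s.kind === 'call' ? s.args : s.uses;
}

// REACHING_DEF edges: for statement i and each variable it uses, the index of
// the last statement defining that variable, or -1 for a parameter/unknown.
function reachingDefs(stmts: Stmt[]): Map<number, Map<string, number>> {
  const edges = new Map<number, Map<string, number>>();
  const lastDef = new Map<string, number>();
  stmts.forEach((s, i) => {
    const m = new Map<string, number>();
    for (const v of usesOf(s)) m.set(v, lastDef.get(v) ?? -1);
    edges.set(i, m);
    if (s.kind !== 'sink' && s.def !== null) lastDef.set(s.def, i);
  });
  return edges;
}

// Intra-procedural taint: a node is tainted when it is a source or any of its
// REACHING_DEF predecessors is tainted. Calls consult the callee's summary; an
// unresolved callee (no summary) stops propagation instead of guessing.
// seedSources=false is used while building summaries so only parameter taint flows.
function analyze(f: Func, taintedParams: Set<number>, summaries: Map<string, Summary>,
                 seedSources = true): Result {
  // Model the return value as a final pseudo-assignment so it rides the same edges.
  const stmts: Stmt[] = f.ret === null ? f.body
    : [...f.body, { kind: 'assign', def: '$ret', uses: [f.ret] }];
  const rd = reachingDefs(stmts);
  const tainted = new Set<number>();
  const sinkHits: number[] = [];
  const isTainted = (v: string, i: number): boolean => {
    const d = rd.get(i)!.get(v)!;
    if (d !== -1) return tainted.has(d);
    const p = f.params.indexOf(v);
    return p >= 0 && taintedParams.has(p);
  };
  stmts.forEach((s, i) => {
    if (s.kind === 'source') { if (seedSources) tainted.add(i); return; }
    if (s.kind === 'assign') { if (s.uses.some(v => isTainted(v, i))) tainted.add(i); return; }
    if (s.kind === 'sink') { if (s.uses.some(v => isTainted(v, i))) sinkHits.push(i); return; }
    const sum = summaries.get(s.callee);
    if (!sum) return;
    s.args.forEach((a, pos) => {
      if (!isTainted(a, i)) return;
      if (sum.paramsToSink.has(pos)) sinkHits.push(i);
      if (sum.paramsToRet.has(pos)) tainted.add(i);
    });
  });
  return { taintedStmts: tainted, retTainted: f.ret !== null && tainted.has(stmts.length - 1), sinkHits };
}

// Function summary: run the callee once per parameter with only that parameter tainted.
function summarize(f: Func, summaries: Map<string, Summary>): Summary {
  const sum: Summary = { paramsToRet: new Set<number>(), paramsToSink: new Set<number>() };
  f.params.forEach((_, p) => {
    const r = analyze(f, new Set([p]), summaries, false);
    if (r.retTainted) sum.paramsToRet.add(p);
    if (r.sinkHits.length > 0) sum.paramsToSink.add(p);
  });
  return sum;
}

// Constructed sample program (callees listed before their callers):
//   quote(s) { t = "'" + s + "'"; return t }     runQuery(q) { db.exec(q) }  <- sink
//   handler(req) { name = <input>; limit = 10; q = quote(name); runQuery(limit); runQuery(q) }
const program: Func[] = [
  { name: 'quote', params: ['s'], body: [{ kind: 'assign', def: 't', uses: ['s'] }], ret: 't' },
  { name: 'runQuery', params: ['q'], body: [{ kind: 'sink', uses: ['q'] }], ret: null },
  { name: 'handler', params: ['req'], ret: null, body: [
    { kind: 'source', def: 'name' },
    { kind: 'assign', def: 'limit', uses: [] },
    { kind: 'call', def: 'q', callee: 'quote', args: ['name'] },
    { kind: 'call', def: null, callee: 'runQuery', args: ['limit'] },
    { kind: 'call', def: null, callee: 'runQuery', args: ['q'] },
  ] },
];

function runDemo(): { summaries: Map<string, Summary>; results: Map<string, Result> } {
  const summaries = new Map<string, Summary>();
  const results = new Map<string, Result>();
  for (const f of program) {
    summaries.set(f.name, summarize(f, summaries));
    results.set(f.name, analyze(f, new Set<number>(), summaries));
  }
  return { summaries, results };
}
```

Two details matter for precision. Summaries are computed with sources switched off, so a source inside a callee is never blamed on the caller's argument; that keeps `handler`'s summary empty while `quote` reports param 0 flowing to its return and `runQuery` reports param 0 flowing to a sink. And an argument is only tainted if its reaching definition is tainted, so `runQuery(limit)` stays clean and only the `runQuery(q)` call is reported.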
🐛 Fixed
- `impact()`/`route_map` under-reporting blast radius — name-resolution gaps that caused callers and routes to be dropped are fixed, with ambiguous symbols reported per-candidate (#2136, #2129, #1858, #1852)
- Single-ancestor method override detection in the MRO processor (#2199)
- MCP `query`/`cypher` parameter names — renamed so Claude Code can invoke them, while still accepting the legacy parameter (#2186)
- C++ overload resolution — homogeneous braced-init overloads are now ranked (#2214), deleted overload winners are suppressed (#2094), and the C++ hook layer handles pack-base comments and missing hook overrides (#2247)
- Large-repo `analyze` crash — the pipeline now survives non-cloneable worker results instead of aborting (#2135, #2112)
- Embeddings — `onnxruntime-common` resolves under pnpm-strict / `pnpm dlx` installs (#2139, #307), and the `VECTOR` index is created via `conn.query` rather than the prepared-statement path that silently skipped it (#2114)
- Vendored tree-sitter grammars — loaded from `vendor/` by absolute path so analyze finds them regardless of CWD (#2144, #2111)
- Registry wipe on transient I/O errors prevented — a failed read no longer clears the repository registry (#2124)
- Server roots resolve from `GITNEXUS_HOME` — clone, upload, and mapping roots honor the configured home directory (#2229)
- Wiki generation keeps the graph DB pinned so it is not evicted mid-generation (#2232)
- Group sync pins repositories so large groups resolve their cross-repo links (#2191)
- Web viewer — a chat-only mode for large projects prevents the WebUI from hanging (#2185, #2178), and the broken Browse-for-folder control was replaced with an upload directory picker (#1850)
- Hooks — the augment CLI child is wrapped in the orphan guard (#2169), db-lock probe subprocesses are bounded and gated behind a hook slot (#2165), and the MCP-owned-DB augment-skip diagnostic is silenced for strict hook runners (#2134, #2163, #1913)
- Docker image ships runtime-needed published assets — `hooks/` and `skills/` are copied into the image so `gitnexus analyze` no longer crashes with `MODULE_NOT_FOUND` (#2132, #2130)
- `gitnexus analyze` preserves trailing spaces in git roots (#2192)
- Write-route origin guard scoped to the server's own bound host (#2172)
- Impact PDG Mutation Report workflow — fixed three latent oracle bugs (dist-CLI invocation under Node ≥ 22.18 type-stripping, undeclared `@babel/*` deps, and a recall-gated check filter) so the mutation oracle CI runs green (#2258)
🔧 Changed
- tree-sitter readiness/summary CI hardened — readiness and grammar-update workflows aligned on a shared manifest (#2187, #858), readiness summary counts kept current (#2196), and the summary now fails on parse drift (#2246)
- Devcontainer simplified — Dockerfile and `devcontainer.json` no longer pin version args for the AI CLIs (#2174)
⚡ Performance
- Graph-DB emit/persistence — cut overall emit/persistence wall time (#2215) and overlap node `COPY` with relationship emit (#2226, #2203)
- PDG/CFG emit — streaming/chunked PDG graph emit for full-kernel-scale repos (#2216, #2202) and an SSA-sparse reaching-defs solver replacing the dense-set worklist (#2212, #2201)
- Hook db-lock scan — cmdline-first on Linux, dropping the `lsof` fallback (#2183, #2180)
📦 Chore / Dependencies — 30 dependency & CI-action bumps
- gitnexus runtime — `hono` 4.12.23 → 4.12.26 (#2244), `tar` 7.5.13 → 7.5.16 (#2218), `protobufjs` 7.5.8 → 7.6.4 (#2219), `js-yaml` 4.1.1 → 4.2.0 (#2097, #2217), and an `npm_and_yarn` security group, 3 updates (#2220)
- gitnexus dev — `vitest` 4.1.8 → 4.1.9 (#2249), `@vitest/coverage-v8` (#2250), `esbuild` 0.28.0 → 0.28.1 (#2182), and `@types/node` (#2128, #2222)
- gitnexus-web — `react-dom` 19.2.6 → 19.2.7 (#2240), `langchain` 1.4.2 → 1.4.4 (#2149), `@langchain/langgraph` (#2235), `@langchain/ollama` (#2236), `mnemonist` 0.39.8 → 0.40.4 (#2237), `lucide-react` (#2238), `sigma` 3.0.2 → 3.0.3 (#2151), `dompurify` 3.4.7 → 3.4.8 (#2150, #2245), `@vercel/node` (#2156), and `@vitest/coverage-v8` (#2153)
- eval — `aiohttp` (#2224)
- CI actions — `gitleaks/gitleaks-action` 2.3.9 → 3.0.0 (#2241), `github/codeql-action` 4.36.0 → 4.36.2 (#2242), `actions/checkout` 6.0.2 → 6.0.3 (#2152), `actions/attest-build-provenance` 2.4.0 → 4.1.0 (#2158), `docker/setup-qemu-action` 4.0.0 → 4.1.0 (#2159), `release-drafter/release-drafter` 7.3.0 → 7.3.1 (#2157), and `actions/setup-python` 5.6.0 → 6.2.0 (#2155)
📥 Upgrade
```bash
npm install -g gitnexus@1.6.8
```

Then re-index to pick up the new graph layers:

```bash
gitnexus analyze          # standard re-index
gitnexus analyze --pdg    # opt in to the PDG/taint layers
```

Full changelog: v1.6.7...v1.6.8