Releases: SubmuxHQ/CodeDecay
Release list
CodeDecay v0.3.5
CodeDecay v0.3.5
This patch release packages the recent PR safety improvements while keeping the public release line on 0.3.x.
Highlights
- Persistent JS/TS symbol impact graph for richer changed-code reachability.
- Changed path test proof map to show whether production paths are actually exercised.
- Base/head differential runtime probe evidence.
- Architecture boundary and ownership checks.
- OpenAPI contract breaking-change detection.
- Reviewable memory learning proposals from PR, CI, and incident signals.
- Agent preflight guidance before code generation.
- Incremental analyzer cache for large-repo scan viability.
Safety boundaries
- No hidden model calls.
- No telemetry.
- No CodeDecayCloud dependency.
- Command execution remains explicit and safety-gated.
Install
npm install -D @submuxhq/codedecay@0.3.5
npx codedecay --helpValidation
- CI passed on PR #653.
@submuxhq/codedecay@0.3.5published to npm withlatestdist-tag.- Published-package smoke passed for
@submuxhq/codedecay@0.3.5.
CodeDecay v0.3.4
CodeDecay v0.3.4
This release ships the new codedecay loop command: a local-first closed-loop controller that can drive a user-owned coding agent through fix, re-verify, and repeat rounds before merge.
Highlights
- Adds
codedecay loopfor autonomous plan/fix/recheck workflows. - Runs in plan-only mode when no agent command is configured.
- Supports explicit user-owned agent commands via
--agent-cmd, with prompts passed on stdin. - Re-runs deterministic CodeDecay analysis and configured checks after each agent action.
- Stops honestly with
merge-safe,unverified,plan-only,stuck,needs-human, oragent-error. - Never auto-commits or auto-pushes; changes stay in the working tree for review.
Safety boundaries
- No hidden LLM/model calls.
- No telemetry.
- No CodeDecayCloud dependency.
- No required API keys.
- Agent output is treated as untrusted until deterministic checks verify it.
- Command execution still goes through CodeDecay's configured execution safety controls.
Install
npm install -D @submuxhq/codedecay@0.3.4
npx codedecay loop --helpCodeDecay v0.3.3
CodeDecay v0.3.3
This release sharpens CodeDecay as a local-first PR red-team orchestrator for AI-assisted development.
Highlights
- Adds the reproducible
codedecay benchmarkproof command with deterministic recall, false-positive, cost, LLM, and telemetry metrics. - Adds sticky GitHub Action PR comments so CodeDecay can update one pull request report instead of spamming new comments.
- Adds benchmark-backed launch/README positioning generated from real benchmark output.
- Adds optional memory provider configuration plus safe Mem0 and Supermemory provider adapters.
- Adds
codedecay memory setupwith dry-run defaults and explicit--applybehavior. - Wires configured memory provider context into redteam/agent workflows while keeping external context untrusted.
- Adds JWT auth edge-case knowledge pack groundwork and OSS tool recommendations in doctor output.
Safety guarantees
- Local-first by default.
- No telemetry.
- No required API keys.
- No hidden LLM/model calls.
- Optional external memory providers only run when explicitly configured.
Package
- npm:
@submuxhq/codedecay@0.3.3 - CLI:
codedecay
CodeDecay v0.3.2
CodeDecay v0.3.2 ships the next local-first PR safety harness update.\n\nHighlights:\n- Adds a deterministic security matcher registry.\n- Adds a language/parser support boundary.\n- Adds optional grounded redteam investigation.\n- Adds a resumable local audit data model.\n- Adds deterministic revalidation and memory preview.\n- Adds an explicit plugin registry.\n- Adds a unified harness planted-issue benchmark corpus.\n\nCodeDecay remains local-first and OSS-first: no telemetry, no required API keys, no required LLM/model calls, and no CodeDecayCloud dependency.
CodeDecay v0.3.1
CodeDecay v0.3.1 is a release of the local-first PR safety harness and CLI.
Highlights:
- Adds Semgrep static-analysis tool adapter evidence.
- Adds coverage artifact/tool adapter support.
- Adds Agent Process harness support for user-owned local agents such as Codex, Claude Code, OpenCode, Pi, desktop agents, or custom CLIs.
- Keeps local execution gated behind explicit config and
safety.allowCommands. - Records agent output as untrusted
agent-suggestionevidence. - Fixes CodeQL-reported sanitization and regex security alerts.
- Expands OSS-first agent guidance and requires squash merges/modular package structure for future PRs.
Validation:
pnpm installpnpm run lintpnpm typecheckpnpm test(341 tests)pnpm buildpnpm --filter @submuxhq/codedecay pack --dry-run- Installed npm package smoke test
- Code scanning open alerts: 0
Package:
- npm:
@submuxhq/codedecay@0.3.1 - CLI:
codedecay
CodeDecay remains local-first, deterministic by default, no telemetry, no required API keys, and no hidden model calls.
CodeDecay v0.3.0
CodeDecay v0.3.0
This release focuses on making CodeDecay safer to adopt in real PR workflows: lower-noise scoring, clearer release gating, stronger CLI utilities, memory learning, and package smoke coverage.
Highlights:
- Recalibrated low-signal changes so docs/assets/metadata-only updates do not create false high-risk reports.
- Added a focused runtime config plus database/schema risk lift for production-sensitive changes.
- Added memory learning flows for CI, PR, and CodeDecay report signals.
- Added/verified CLI utility surfaces for help, man, update, uninstall, version, and unknown-command suggestions.
- Added StrykerJS mutation report ingestion support and stronger published-package smoke coverage.
Install:
npm install -D @submuxhq/codedecay@0.3.0Verification completed:
- GitHub CI, docs deploy, and CodeQL passed on the release commit.
- Tarball smoke passed before publish.
- npm registry package smoke passed after publish.
CodeDecay v0.2.0
CodeDecay v0.2.0
This release migrates the public npm package to the GitHub organization-aligned scope:
npm install -D @submuxhq/codedecayThe installed CLI binary remains unchanged:
npx codedecay --helpWhat Changed
- Renamed the primary npm package from
@submux/codedecayto@submuxhq/codedecay. - Kept the CLI binary name as
codedecay. - Updated README, docs, release docs, GitHub Action metadata, CLI help text, tests, and workflow/package references.
- Kept npmjs as the default public install path.
- Kept GitHub Packages as an optional mirror using the same package name.
Validation
pnpm installpnpm run lintpnpm typecheckpnpm test- 239 passingpnpm buildpnpm --filter @submuxhq/codedecay pack --dry-run- Fresh install from npm:
npm install @submuxhq/codedecay@0.2.0 - Binary check:
node_modules/.bin/codedecay version->0.2.0
CodeDecay remains local-first, deterministic by default, and has no telemetry, no required API keys, and no required LLM/model calls.
CodeDecay v0.1.6
CodeDecay v0.1.6
Patch release for release hygiene, security scanning cleanup, and CLI polish.
Changes
- Fixes CodeQL polynomial regex alerts by replacing risky regex parsing with linear scanners.
- Resolves dependency alerts for Vite and esbuild through workspace overrides.
- Adds stronger end-user demo coverage for MCP/client and GitHub Action runtime smoke paths.
- Improves CLI discovery by suggesting similar commands and flags.
- Keeps CodeDecay local-first, deterministic, no telemetry, no API keys, and no required LLM/model calls.
Package
- npm:
npm install -D @submux/codedecay - version:
@submux/codedecay@0.1.6 - binary:
codedecay
Validation
pnpm installpnpm run lintpnpm typecheckpnpm testpnpm buildpnpm --filter @submux/codedecay pack --dry-run- fresh npm install and
codedecay --help
CodeDecay v0.1.5
CodeDecay v0.1.5
Patch release focused on install and first-run clarity.
Changed
- Clarifies install commands for npm, pnpm, Bun, and Yarn users.
- Adds a no-install smoke-test command with
npx -y @submux/codedecay --help. - Documents why
npm installcan fail inside non-npm workspaces that useworkspace:*dependencies. - Documents Bun
minimumReleaseAgebehavior and a local-evaluation override.
Package
- npm:
@submux/codedecay@0.1.5 - CLI binary:
codedecay - License: Apache-2.0
CodeDecay remains local-first and deterministic by default: no telemetry, no required API keys, no required LLM/model calls, and no CodeDecayCloud dependency.
CodeDecay v0.1.4
CodeDecay v0.1.4
This release expands CodeDecay from deterministic PR risk scoring toward a local-first PR safety harness for AI-assisted development.
Highlights
- Adds deterministic redteam, agent handoff, execution, differential, memory, skills, MCP, and tool-adapter foundations.
- Adds agent handoff profiles for Codex, Claude Code, Cursor, Pi, OpenCode, desktop apps, and generic user-owned agents.
- Adds optional local/BYOK provider plumbing while keeping CodeDecay usable without LLM calls.
- Adds adapters and planning support for Playwright, StrykerJS, Schemathesis, and Pact-style workflows.
- Improves route/API impact evidence and test-audit reporting in redteam/agent outputs.
- Improves README and contributor-facing project positioning.
- Fixes scoring gates so low-only findings do not fail
--fail-on high.
Safety Boundaries
CodeDecay remains local-first and open-source. It does not require telemetry, CodeDecayCloud, API keys, hosted LLMs, or model calls.
Install
npm install -D @submux/codedecayValidate
npx codedecay analyze --format markdown
npx codedecay redteam --format markdown
npx codedecay agent --profile codex --format markdown