Skip to content

Releases: SubmuxHQ/CodeDecay

CodeDecay v0.3.5

Choose a tag to compare

@kunaldhongade kunaldhongade released this 06 Jul 15:24
7ceab71

CodeDecay v0.3.5

This patch release packages the recent PR safety improvements while keeping the public release line on 0.3.x.

Highlights

  • Persistent JS/TS symbol impact graph for richer changed-code reachability.
  • Changed path test proof map to show whether production paths are actually exercised.
  • Base/head differential runtime probe evidence.
  • Architecture boundary and ownership checks.
  • OpenAPI contract breaking-change detection.
  • Reviewable memory learning proposals from PR, CI, and incident signals.
  • Agent preflight guidance before code generation.
  • Incremental analyzer cache for large-repo scan viability.

Safety boundaries

  • No hidden model calls.
  • No telemetry.
  • No CodeDecayCloud dependency.
  • Command execution remains explicit and safety-gated.

Install

npm install -D @submuxhq/codedecay@0.3.5
npx codedecay --help

Validation

  • CI passed on PR #653.
  • @submuxhq/codedecay@0.3.5 published to npm with latest dist-tag.
  • Published-package smoke passed for @submuxhq/codedecay@0.3.5.

CodeDecay v0.3.4

Choose a tag to compare

@kunaldhongade kunaldhongade released this 30 Jun 17:06
4a461cf

CodeDecay v0.3.4

This release ships the new codedecay loop command: a local-first closed-loop controller that can drive a user-owned coding agent through fix, re-verify, and repeat rounds before merge.

Highlights

  • Adds codedecay loop for autonomous plan/fix/recheck workflows.
  • Runs in plan-only mode when no agent command is configured.
  • Supports explicit user-owned agent commands via --agent-cmd, with prompts passed on stdin.
  • Re-runs deterministic CodeDecay analysis and configured checks after each agent action.
  • Stops honestly with merge-safe, unverified, plan-only, stuck, needs-human, or agent-error.
  • Never auto-commits or auto-pushes; changes stay in the working tree for review.

Safety boundaries

  • No hidden LLM/model calls.
  • No telemetry.
  • No CodeDecayCloud dependency.
  • No required API keys.
  • Agent output is treated as untrusted until deterministic checks verify it.
  • Command execution still goes through CodeDecay's configured execution safety controls.

Install

npm install -D @submuxhq/codedecay@0.3.4
npx codedecay loop --help

CodeDecay v0.3.3

Choose a tag to compare

@kunaldhongade kunaldhongade released this 30 Jun 14:00
c127496

CodeDecay v0.3.3

This release sharpens CodeDecay as a local-first PR red-team orchestrator for AI-assisted development.

Highlights

  • Adds the reproducible codedecay benchmark proof command with deterministic recall, false-positive, cost, LLM, and telemetry metrics.
  • Adds sticky GitHub Action PR comments so CodeDecay can update one pull request report instead of spamming new comments.
  • Adds benchmark-backed launch/README positioning generated from real benchmark output.
  • Adds optional memory provider configuration plus safe Mem0 and Supermemory provider adapters.
  • Adds codedecay memory setup with dry-run defaults and explicit --apply behavior.
  • Wires configured memory provider context into redteam/agent workflows while keeping external context untrusted.
  • Adds JWT auth edge-case knowledge pack groundwork and OSS tool recommendations in doctor output.

Safety guarantees

  • Local-first by default.
  • No telemetry.
  • No required API keys.
  • No hidden LLM/model calls.
  • Optional external memory providers only run when explicitly configured.

Package

  • npm: @submuxhq/codedecay@0.3.3
  • CLI: codedecay

CodeDecay v0.3.2

Choose a tag to compare

@kunaldhongade kunaldhongade released this 29 Jun 20:10

CodeDecay v0.3.2 ships the next local-first PR safety harness update.\n\nHighlights:\n- Adds a deterministic security matcher registry.\n- Adds a language/parser support boundary.\n- Adds optional grounded redteam investigation.\n- Adds a resumable local audit data model.\n- Adds deterministic revalidation and memory preview.\n- Adds an explicit plugin registry.\n- Adds a unified harness planted-issue benchmark corpus.\n\nCodeDecay remains local-first and OSS-first: no telemetry, no required API keys, no required LLM/model calls, and no CodeDecayCloud dependency.

CodeDecay v0.3.1

Choose a tag to compare

@kunaldhongade kunaldhongade released this 28 Jun 09:42
ff11fd8

CodeDecay v0.3.1 is a release of the local-first PR safety harness and CLI.

Highlights:

  • Adds Semgrep static-analysis tool adapter evidence.
  • Adds coverage artifact/tool adapter support.
  • Adds Agent Process harness support for user-owned local agents such as Codex, Claude Code, OpenCode, Pi, desktop agents, or custom CLIs.
  • Keeps local execution gated behind explicit config and safety.allowCommands.
  • Records agent output as untrusted agent-suggestion evidence.
  • Fixes CodeQL-reported sanitization and regex security alerts.
  • Expands OSS-first agent guidance and requires squash merges/modular package structure for future PRs.

Validation:

  • pnpm install
  • pnpm run lint
  • pnpm typecheck
  • pnpm test (341 tests)
  • pnpm build
  • pnpm --filter @submuxhq/codedecay pack --dry-run
  • Installed npm package smoke test
  • Code scanning open alerts: 0

Package:

  • npm: @submuxhq/codedecay@0.3.1
  • CLI: codedecay

CodeDecay remains local-first, deterministic by default, no telemetry, no required API keys, and no hidden model calls.

CodeDecay v0.3.0

Choose a tag to compare

@kunaldhongade kunaldhongade released this 27 Jun 18:31

CodeDecay v0.3.0

This release focuses on making CodeDecay safer to adopt in real PR workflows: lower-noise scoring, clearer release gating, stronger CLI utilities, memory learning, and package smoke coverage.

Highlights:

  • Recalibrated low-signal changes so docs/assets/metadata-only updates do not create false high-risk reports.
  • Added a focused runtime config plus database/schema risk lift for production-sensitive changes.
  • Added memory learning flows for CI, PR, and CodeDecay report signals.
  • Added/verified CLI utility surfaces for help, man, update, uninstall, version, and unknown-command suggestions.
  • Added StrykerJS mutation report ingestion support and stronger published-package smoke coverage.

Install:

npm install -D @submuxhq/codedecay@0.3.0

Verification completed:

  • GitHub CI, docs deploy, and CodeQL passed on the release commit.
  • Tarball smoke passed before publish.
  • npm registry package smoke passed after publish.

CodeDecay v0.2.0

Choose a tag to compare

@kunaldhongade kunaldhongade released this 25 Jun 12:52
80ebb4b

CodeDecay v0.2.0

This release migrates the public npm package to the GitHub organization-aligned scope:

npm install -D @submuxhq/codedecay

The installed CLI binary remains unchanged:

npx codedecay --help

What Changed

  • Renamed the primary npm package from @submux/codedecay to @submuxhq/codedecay.
  • Kept the CLI binary name as codedecay.
  • Updated README, docs, release docs, GitHub Action metadata, CLI help text, tests, and workflow/package references.
  • Kept npmjs as the default public install path.
  • Kept GitHub Packages as an optional mirror using the same package name.

Validation

  • pnpm install
  • pnpm run lint
  • pnpm typecheck
  • pnpm test - 239 passing
  • pnpm build
  • pnpm --filter @submuxhq/codedecay pack --dry-run
  • Fresh install from npm: npm install @submuxhq/codedecay@0.2.0
  • Binary check: node_modules/.bin/codedecay version -> 0.2.0

CodeDecay remains local-first, deterministic by default, and has no telemetry, no required API keys, and no required LLM/model calls.

CodeDecay v0.1.6

Choose a tag to compare

@kunaldhongade kunaldhongade released this 25 Jun 11:50
80134ce

CodeDecay v0.1.6

Patch release for release hygiene, security scanning cleanup, and CLI polish.

Changes

  • Fixes CodeQL polynomial regex alerts by replacing risky regex parsing with linear scanners.
  • Resolves dependency alerts for Vite and esbuild through workspace overrides.
  • Adds stronger end-user demo coverage for MCP/client and GitHub Action runtime smoke paths.
  • Improves CLI discovery by suggesting similar commands and flags.
  • Keeps CodeDecay local-first, deterministic, no telemetry, no API keys, and no required LLM/model calls.

Package

  • npm: npm install -D @submux/codedecay
  • version: @submux/codedecay@0.1.6
  • binary: codedecay

Validation

  • pnpm install
  • pnpm run lint
  • pnpm typecheck
  • pnpm test
  • pnpm build
  • pnpm --filter @submux/codedecay pack --dry-run
  • fresh npm install and codedecay --help

CodeDecay v0.1.5

Choose a tag to compare

@kunaldhongade kunaldhongade released this 25 Jun 10:55
b9b7d2c

CodeDecay v0.1.5

Patch release focused on install and first-run clarity.

Changed

  • Clarifies install commands for npm, pnpm, Bun, and Yarn users.
  • Adds a no-install smoke-test command with npx -y @submux/codedecay --help.
  • Documents why npm install can fail inside non-npm workspaces that use workspace:* dependencies.
  • Documents Bun minimumReleaseAge behavior and a local-evaluation override.

Package

  • npm: @submux/codedecay@0.1.5
  • CLI binary: codedecay
  • License: Apache-2.0

CodeDecay remains local-first and deterministic by default: no telemetry, no required API keys, no required LLM/model calls, and no CodeDecayCloud dependency.

CodeDecay v0.1.4

Choose a tag to compare

@kunaldhongade kunaldhongade released this 25 Jun 10:10
e382d36

CodeDecay v0.1.4

This release expands CodeDecay from deterministic PR risk scoring toward a local-first PR safety harness for AI-assisted development.

Highlights

  • Adds deterministic redteam, agent handoff, execution, differential, memory, skills, MCP, and tool-adapter foundations.
  • Adds agent handoff profiles for Codex, Claude Code, Cursor, Pi, OpenCode, desktop apps, and generic user-owned agents.
  • Adds optional local/BYOK provider plumbing while keeping CodeDecay usable without LLM calls.
  • Adds adapters and planning support for Playwright, StrykerJS, Schemathesis, and Pact-style workflows.
  • Improves route/API impact evidence and test-audit reporting in redteam/agent outputs.
  • Improves README and contributor-facing project positioning.
  • Fixes scoring gates so low-only findings do not fail --fail-on high.

Safety Boundaries

CodeDecay remains local-first and open-source. It does not require telemetry, CodeDecayCloud, API keys, hosted LLMs, or model calls.

Install

npm install -D @submux/codedecay

Validate

npx codedecay analyze --format markdown
npx codedecay redteam --format markdown
npx codedecay agent --profile codex --format markdown