All notable changes to Cortex are documented here.
SCIP Index Ingestion
- Parses SCIP protobuf index files (
.scip/index.scip,index.scip,dump.lsif) and creates HIGH-confidence edges (confidence=1.0, edge_source=scip) - Supports indexes produced by scip-python, scip-typescript, rust-analyzer, scip-java, and scip-go
- SCIP edges win over tree-sitter edges on conflicts — deduplication keeps SCIP as primary, tree-sitter as secondary
- Additive, non-blocking pass after tree-sitter extraction; malformed SCIP files log a warning and fall back gracefully
cortex statusshows SCIP coverage percentage per languagecortex index --generate-scipsuggests the appropriate indexer for the detected primary language when no SCIP index is present
Confidence-Tagged Edges
- Every edge now carries
edge_source(scip,framework_adapter,ast_direct,name_match) andconfidence(1.0 / 0.8 / 0.5 / 0.3) - All MCP tools include edge_source and confidence_tier in results so agents can filter by reliability
- Default query threshold: confidence >= MEDIUM (0.7) — filters out name-match heuristics by default
- Optional
min_confidenceparameter ontrace_callersandblast_radiusto lower or raise the threshold
Framework Adapters — six new adapters detect wiring that tree-sitter cannot see:
- FastAPI:
Depends(X)→Injectsedges;@app.get/post/router.get/post/put/delete→Routesedges; transitive dependency chains - Express:
app.use(middleware)/router.use(middleware)→Middlewareedges;router.get/post/put/delete(path, handler)→Routesedges - NestJS:
@Controller()→Routesedges;@Injectable()constructor injection →Injectsedges - Spring:
@Autowired/@Inject→Injectsedges;@Component/@Service/@Repository/@Controllermarks injectable;@Beanfactory methods - Django:
urlpatterns path()/re_path()→Routesedges;@login_required/@permission_required→Middlewareedges - React: JSX component renders →
Rendersedges;useContext(SomeContext)→Injectsedges - Framework detection scans dependency manifests (
package.json,requirements.txt,pyproject.toml,pom.xml,build.gradle,go.mod,Gemfile,composer.json) — only relevant adapters run - Manual override via
.cortex/config.tomlframeworks = ["fastapi", "express"]
User-Configurable Pattern Rules
.cortex/patterns.tomlsupports custom regex rules with named capture groups, edge kind, and confidence tier- Enables framework-specific wiring for any framework not covered by built-in adapters
Evidence-Fusion Task Context (get_task_context overhaul)
- Multi-signal ranking: lexical match (BM25, 0.30) + embedding similarity (0.25) + SCIP reference distance (0.20) + git recency (0.15) + edge confidence (0.10) + file size penalty (−0.05)
- Weight redistributed to lexical (0.55) when embeddings are unavailable
- Greedy budget packing always includes top-1 result; each included file gets a one-line reason explaining selection
- Falls back to file-proximity heuristic (recently modified files matching keywords) when graph signals are weak
- Response includes
confidence(0.0–1.0) andcoverage_percentfields - Non-empty results guaranteed on a healthy index
Ask Tool Overhaul
- Priority-ordered data source querying: SCIP edges first → framework adapter edges → AST-direct edges → grep fallback
FallbackSuggestionreturned when average confidence < 0.7 or zero results — includes grep commands and file-read suggestions derived from query terms- Token cap: results capped at 1000 tokens when average confidence is below MEDIUM
confidence_warningannotation on responses when results exist but confidence is low (never returns empty when results are available)- Detects unindexed file paths in queries and returns targeted fallback suggestions
Index Health Gate
- Startup health check validates
files_indexed > 0,node_count > 0,edge_count > 0 - All MCP tools return a structured
HealthError(with reason, suggested action, and fallback grep commands) when the index is unhealthy — never serves confidently wrong data cortex_statustool is exempt from the health gatecortex index --repairrebuilds the index from scratch (clears all graph tables, resets FTS5, re-runs full pipeline) while preserving observations and ADRs
Token Savings Accounting (honest math)
baseline_costcomputed as(matching_file_count × avg_file_tokens) + grep_output_tokensusing FTS5 to count matching filesnet_saved = baseline_cost − (cortex_response_tokens + query_overhead_tokens)— negative values reported without modificationcortex status --savingsdisplays: cumulative net saved, average per query, net-negative query count, baseline total vs actual total
Repo Brief (get_repo_brief — new MCP tool)
- Zero-parameter cold-start summary under 400 tokens: detected languages and frameworks, top 5 entry points, top 10 hotspots (complexity × churn), auth/security patterns, test coverage shape, index health
- Cached in
repo_brief_cachetable; invalidated whenfiles_indexed,node_count, oredge_countchanges - Returns partial info even when the index is unhealthy
Tool Surface Management
- Default tools (always-on, 10):
get_repo_brief,get_task_context,ask,trace_callers,blast_radius,get_complexity_hotspots,get_git_hotspots,search_symbols,write_observation,read_observations - Experimental tools (opt-in via
.cortex/config.tomlexperimental_tools = true, 7):find_taint_paths,check_dependencies,decompose_boundaries,generate_steering,find_dead_code,generate_sbom,find_similar_functions - Smart-tools mode (
cortex serve --smart-tools, 5):get_repo_brief,ask,get_task_context,write_observation,read_observations - All tool descriptions kept under 100 tokens
semantic_searchonly appears in the tool manifest when embeddings are built
Hybrid Semantic Retrieval
- Incremental embedding: only re-embeds functions whose content hash changed since the last run; removes stale embeddings for deleted nodes
cortex semantic enablebuilds the initial embedding index (Ollama nomic-embed-code or bundled ONNX model)- Cosine similarity integrated as a 0.25-weight signal in evidence-fusion ranking
cortex statusshows embedding count and a degradation warning when running in BM25-only mode
Correctness Benchmarks
cortex benchmarkcommand runs JSON-based test suites with ground-truth answers fortrace_callers,blast_radius,get_task_context, andask- Reports pass rate, per-tool accuracy, and average token savings vs grep baseline
- 24-case self-referential benchmark suite ships in
benchmark/cortex_self_benchmark.json - CI gate:
cortex benchmarkruns on every release and exits with code 1 if pass rate drops below 70% cortex statusdisplays a warning when the last benchmark run was below the 70% threshold
Schema Migrations
0009_confidence_edges.sql: addsedge_sourceandconfidencecolumns to edges; adds new edge kinds (Injects,Middleware,Routes,Renders); migrates existing edges toast_direct/ 0.50010_scip_coverage.sql:scip_coveragetable (per-file SCIP tracking) andindex_healthsingleton table0011_enhanced_savings.sql: addsbaseline_cost,net_saved,query_termscolumns totoken_savings0012_repo_brief_cache.sql:repo_brief_cachetable for cached repo briefs
trace_callersnow traversesInjectsedges (framework DI injection sites) and followsImplementsedges to include callers of interface/trait methods; annotates each result withedge_sourceandconfidence_tierblast_radiusnow traverses all edge types (Calls,Imports,Injects,Implements,Middleware,Routes,Renders) with confidence filteringget_task_contextreplaced with evidence-fusion ranking (see above); response format extended withconfidence,coverage_percent, andreasonsfieldscortex statusextended with SCIP coverage %, active framework adapters, per-language file breakdown, semantic search status, and benchmark pass rate warning- Indexing pipeline now runs framework detection before adapters, SCIP ingestion after tree-sitter, and updates
index_healthat the end of every index run - Universal exclusions hardened: generation markers (
// Code generated,# AUTO-GENERATED,@generated) detected in first 2KB;*.mapsource maps excluded;.cortexignoresupport verified
get_task_contextno longer returns empty on a healthy index — file-proximity fallback guarantees at least one resultaskno longer returns confidently wrong answers from a corrupt or empty index — health gate blocks all tools when unhealthytrace_callersmissed framework-wired connections (FastAPIDepends, Spring@Autowired, NestJS constructor injection) — now included viaInjectsedge traversal- Low-confidence name-match edges no longer pollute results by default — filtered at confidence >= 0.7
- User-defined pattern rules (
.cortex/patterns.toml) were incorrectly stored withedge_source=name_match(confidence 0.3) instead ofedge_source=framework_adapter(confidence 0.8) — pattern rule edges now pass the defaultmin_confidence >= 0.7filter and appear correctly intrace_callers,blast_radius, andaskresults
cortex uninstallcommand: removes all Cortex traces (binary, graph DB, config, PATH entries, steering files)- Installer automatically removes stale cortex binaries from
~/.local/bin, npm global, and other known locations before installing - Installer prepends
~/.cortex/binto the current session PATH so reindex uses the new binary immediately - Installer checks
.profilein addition to.bashrc/.zshrcfor Unix PATH configuration - Live visualizer (
cortex serveathttp://127.0.0.1:9749) now serves the clean viz.rs-style 3D graph UI - Dashboard page at
/dashboardwith token savings, symbol search, and tool usage table - Navigation between graph view and dashboard via header links
Methodnode kind added to SQLite CHECK constraint (fixes indexing of Python__init__, class methods, TS constructors)- CI auto-fixes formatting and clippy before checking (no more spurious failures)
get_architecturefiles count now derived from distinct files in the nodes table (fixes inaccurate count whenfilestable drifts from actual indexed content)- Old cortex binaries in
~/.local/binor npm global shadowing the new install (causedcortex -Vshowing wrong version after update) - IDE auto-detection no longer falsely detects agents from generic directories (
.github/,.vscode/,.idea/,.kiro/) - Embedded migrations 0007 and 0008 were missing from the binary (Method kind, token savings tables)
- Windows
setxPATH note tells user to open a new terminal
- HTML templates moved from
src/cli/commands/tosrc/cli/templates/(proper structure) - Visualizer root (
/) serves the viz.rs-style graph; dashboard at/dashboard - Dashboard rewritten: clean dark UI matching viz.rs aesthetic, no more janky tabbed interface
- Removed dead
dashboard_html.htmlfile
- Old tabbed unified UI (replaced by separate graph + dashboard pages)
cortex updateself-update command: downloads latest release from GitHub, verifies SHA-256 checksum, replaces binary (with Windows rename-then-replace pattern), and triggers reindexcortex reindexcommand: deletes and rebuilds the graph database from scratch- Default exclusions for
.serena,.cursor,.kiro,.agentdirectories and lock files (pnpm-lock.yaml,package-lock.json,yarn.lock,Cargo.lock) - Renamed
.cortex-ignoreto.cortexignorefor consistency - Installer PATH configuration (Windows
setx, Unix shell profile export) - Post-install automatic reindex with 120s timeout
- Windows x86 (
win32-ia32) binary support in release workflow and npm installer
- Visualizer serves dynamic graph template (fetches
/api/nodesand/api/edgesat runtime) with loading state, reset button, and additional node kind badges (Method, Interface, Type) - Unified UI fully dark-themed (
#1e1e2ebackground) with corner-positioned icon navigation replacing the nav bar - Hotspots table uses
overflow-x: autoto prevent horizontal overflow - Statistics overlay uses CSS Grid with
tabular-numsfor numeric alignment
- Configurable model pricing via
~/.cortex/pricing.tomlwith longest-prefix matching - Ego-graph node cap at 500 with priority ordering (depth ASC, caller_count DESC)
- Coverage field on graph nodes populated from LCOV data
- Agent steering improvements: module boundaries, complexity hotspots, active ADRs
- Unified tabbed UI (Graph, Dashboard, Explorer) served at visualizer root
GET /api/metricsandGET /api/symbolsendpoints for the visualizer- Port documentation in
docs/ports.md - Property-based tests for version comparison, pricing, ego-graph, coverage, NodeKind, steering, install, and release notes
- Update notification on startup when newer version available
- CI pipeline now fails on clippy warnings and formatting violations
- Release workflow publishes to npm automatically after GitHub Release
- npm installer supports single-command install and update via
npx @1337xcode/cortex install - IDE install hardened with config validation, directory creation, and permission error reporting
- Method vs Function NodeKind correctly assigned across Python, TypeScript, Rust, Go, Java
- Steering generation enforces 2000-token budget
- Obsolete files (site/_patch_mcp.py)
continue-on-error: truefrom CI clippy and fmt steps- Stale copy style inconsistencies across source and documentation
- Support for 25 AI coding agents (up from 15): added OpenCode, OpenClaw, Factory Droid, Trae, Trae CN, Gemini CLI, Hermes, Kimi Code, Kiro IDE, and Pi coding agent.
- Dedicated subcommands:
cortex cursor install,cortex vscode install,cortex kiro install,cortex antigravity installfor one-step setup without--platform. - Platform alias normalization:
--platformnow accepts flexible names (e.g.copilot,codex,droid,claw,trae-cn) and maps them to canonical IDs. synthesize_agentfallback:cortex install --platform <name>now works even when the agent's config directory does not exist yet (creates it on the fly).- Comprehensive IDE setup documentation with quick-reference install table.
.editorconfigat repo root to enforce UTF-8 without BOM, LF line endings, and consistent indentation across all editors going forward.- CI
lint-scriptsjob that fails the build if any.js,.ts,.mjs,.cjs, or.shfile contains a UTF-8 BOM, preventing regressions.
- Stripped UTF-8 BOM (EF BB BF) from
npm/scripts/install.jsthat caused a Node.jsSyntaxError: Invalid or unexpected tokenonnpm install, breaking the post-install binary download on all platforms.
- Antigravity renamed to "Google Antigravity" in display output.
- Codex CLI detection now also checks
~/.codex/(home directory). cortex installhelp output lists all 25 supported platforms with config file paths.
- Documentation site built with Astro 5, deployed to GitHub Pages
- Interactive 3D codebase visualization (same as
cortex vizoutput) - Dark/light mode with system preference detection
- Bento grid feature showcase with animated cards
- Ctrl+K / Cmd+K search across docs
- GitHub OAuth issue submission form via Cloudflare Worker
- RSS and Atom feeds for documentation updates
llms.txtandai-plugin.jsonfor AI discoverability- Confetti effect on install command copy
- npm package version aligned with changelog (0.0.30)
- Site URL set to
1337xcode.github.io/cortex - Comparison table updated with accurate data from each project's docs
- Federation console animation now types top-to-bottom
- Bento card overflow on MCP tools and Federation cards
- Language marquee no longer pauses on hover
- Theme toggle properly switches between light and dark mode
- License changed from PolyForm Noncommercial to MIT
- Release workflow archive naming aligned with install scripts (darwin/x64/arm64/win32 convention)
- All platforms now produce tar.gz archives for consistency
- SECURITY.md version table corrected from 0.1.x to 0.0.x
- CONTRIBUTING.md with build, test, and PR guidelines
- Committed binary files from npm/vendor/ (now download-only via GitHub Releases)
- Agent-specific files (skill/, SKILL.md, tile.json)
- All 32 MCP tools registered and verified in server.rs
- All stub CLI commands implemented: status, memory list, memory prune, security vulns, config get/set/reset
- Version synced to 0.0.20 across Cargo.toml, npm/package.json, SKILL.md, tile.json
- Documentation reconciled with actual implementation (no false claims remain)
- Removed non-existent --ui flag from docs
cortex askMCP meta-tool: single-call code intelligence that auto-routes to the right internal tools and composes a unified answercortex federate add/remove/list: multi-repo federation with unified cross-repo queriescortex ingest <path>: local document ingestion (markdown, text, CSV, HTML, YAML) into the knowledge graphcortex serve --smart-tools: expose only 5 core tools, reducing context window overhead by 89%- Build system awareness: detects Cargo workspaces, npm workspaces, Go workspaces, Gradle/Maven multi-module projects
cortex hotspots: combines git commit frequency with call graph connectivity to find maintenance risksget_class_hierarchy,get_git_hotspots,get_import_graph,find_similar_functionsMCP toolscortex coverage --lcov: cross-references call graph with test coverage data
- Leiden community detection algorithm for module boundary analysis
decompose_boundariesMCP tool with coupling scores between clusters- 3D graph visualization:
cortex viz --export graph.htmlgenerates standalone HTML with embedded 3d-force-graph - Nodes colored by community assignment, sized by caller count
cortex reportgenerates CORTEX_REPORT.md with architecture overview, hotspots, dead code, security findings
- Community detection was treating all edges as undirected; now respects call direction for modularity score
- Hybrid search: when
search_symbolsreturns fewer than 3 graph results, FTS5 BM25 runs as fallback - Results merged and deduplicated by FQN, sorted by confidence descending
cortex semantic enable/disable/statusfor local ONNX vector search management- sqlite-vec compiled as a loadable extension, statically linked for HNSW vector search
- FTS5 ranking switched to explicit BM25 weighting (k1=1.2, b=0.75)
- Cross-session memory layer:
write_observationstores text linked to a node FQN with agent ID and timestamp read_observationsretrieves observations withis_staleboolean flag- Staleness invalidation: when indexer detects a node's content hash changed, linked observations get
is_stale = true prune_observationsremoves stale observations filtered by age- ADR storage:
write_adr/read_adrswith status and optional linked FQN - Migration 0004 creates observations and adrs tables
cortex security reportprints human-readable security summary with taint flows, OWASP categories, dependency countcheck_dependenciesMCP tool cross-references SBOM entries against OSV.dev API- Vulnerability check integrated into the report (skipped gracefully when offline)
- SBOM generation extracts package versions from lock files (Cargo.lock, package-lock.json, go.sum, requirements.txt)
- SBOM generation in SPDX 2.3 JSON format from the import graph
generate_sbomMCP toolcortex security sbomCLI command- Dependency extraction from Cargo.toml, package.json, go.mod, requirements.txt, pyproject.toml, Gemfile
- OWASP Top 10 pattern detection against the structural call graph
- Patterns detected: A01 (Broken Access Control), A02 (Crypto Failures), A03 (Injection), A04 (Insecure Design)
scan_owaspMCP tool returns findings with category, node FQN, and confidence- Inter-procedural taint propagation: follows call edges up to depth 5
- Taint analysis was missing async function sinks in Python
- Taint flow analysis: detects HTTP input sources flowing to SQL queries, file writes, shell command execution
- Source annotations for Flask, FastAPI, Express, Go net/http
- Sink annotations for raw SQL, os.system/subprocess, file open with write mode
find_taint_pathsMCP toolcortex security scanCLI command- Migration 0003 creates security_findings and taint_paths tables
- Bundle export:
cortex bundle exportserializes full graph to cortex.json - Bundle import:
cortex bundle importrebuilds SQLite from JSON bundle - Bundle format versioned (schema_version field) for forward compatibility
- CCG export format via
cortex bundle export --format ccg
cortex installcommand: scans for installed AI agents and writes MCP server config- Detection for Claude Code and Cursor with idempotent config merging
- Expanded detection: Windsurf, VS Code, Zed, JetBrains (7 agents total)
- Workspace-level
.cortex/mcp.jsonauto-written for VS Code/Cursor/Kiro auto-discovery
- Claude Code settings.json was being overwritten entirely instead of merged
- HTTP route extraction for Python Flask/FastAPI, TypeScript Express, Go net/http
get_http_routesandtrace_http_callMCP tools- Cross-service linking: when service A calls an endpoint matching service B's route, creates an edge
- Go parser was not extracting method receivers
- TypeScript arrow function exports were missing from the symbol table
- 15 additional tree-sitter languages: Scala, Swift, PHP, SQL, Kotlin, Dart, Elixir, Haskell, Lua, Zig, Bash, Perl, R, Objective-C, OCaml
- Total language count now 25
- Language quality tiers: Tier 1 (Python, TS, Rust, Go, Java), Tier 2 (C#, C++, Ruby, Kotlin, Swift), Tier 3 (remaining)
- Parser module refactored: one file per language under
src/indexer/languages/
query_graphMCP tool: Cypher-like subset (MATCH, WHERE, RETURN, LIMIT, ORDER BY)get_code_snippetMCP tool: reads source lines for a symbol by FQNdetect_changesMCP tool: nodes modified since a Unix timestampblast_radiusMCP tool: BFS over inbound edges to configurable depth- MCP server over stdio transport (JSON-RPC 2.0, Tokio async runtime)
cortex servecommand with concurrent tool handling
- File watcher using notify crate: inotify on Linux, FSEvents on macOS, ReadDirectoryChangesW on Windows
- Sub-second incremental re-indexing: only re-parses files whose content hash changed
- .gitignore and .cortex-ignore exclusion rules applied to watcher events
- Watcher was triggering on .git/ internal file changes
- MCP server initial tool set:
search_symbols,trace_callers,trace_callees,get_file_context,get_architecture find_dead_codequery: nodes with zero inbound call edges, excluding entry points- FTS5 full-text search over symbol names, file paths, and FQN components
- Schema migration system formalized: numbered SQL files applied in order on startup
- Rayon parallel file parsing: each file gets its own tree-sitter parser instance on a thread pool
- Progress reporting during indexing (file count, elapsed time, files/second)
- Large repositories (50K+ files) caused OOM; now processed in batches of 500
- Call edge extraction: function A calls function B creates a directed edge
- FQN resolution across files using the import graph
- Import relationship tracking stored as edges with kind "Imports"
- Two-pass resolution: first pass collects definitions, second pass resolves call targets
- Python nested function definitions were being skipped
- TypeScript re-exports were not creating import edges
- SQLite store with WAL mode, nodes/edges/files tables
- tree-sitter parsing for 10 languages: Python, TypeScript, JavaScript, Go, Rust, Java, C#, C++, C, Ruby
- Symbol extraction: functions, classes, methods, modules, interfaces, enums
cortex indexwalks the repository respecting .gitignore- Migration 0001 creates initial schema with indexes
- Initial project scaffold: Cargo.toml with clap, rusqlite, serde, tree-sitter
- CLI skeleton with
cortex indexandcortex serve(stub) subcommands - Config loading from environment variables and .cortex/config.toml
- Structured logging via tracing crate with configurable log level