Releases: SubmuxHQ/CodeDecay

CodeDecay v0.3.1

28 Jun 09:42
ff11fd8

CodeDecay v0.3.1 is a release of the local-first PR safety harness and CLI.

Highlights:

  • Adds Semgrep static-analysis tool adapter evidence.
  • Adds coverage artifact/tool adapter support.
  • Adds Agent Process harness support for user-owned local agents such as Codex, Claude Code, OpenCode, Pi, desktop agents, or custom CLIs.
  • Keeps local execution gated behind explicit config and safety.allowCommands.
  • Records agent output as untrusted agent-suggestion evidence.
  • Fixes CodeQL-reported sanitization and regex security alerts.
  • Expands OSS-first agent guidance and requires squash merges and a modular package structure for future PRs.
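
The two safety properties above, an allowlist gate in front of the agent process and untrusted labelling of whatever it returns, illustrated as an added JavaScript example. This is not CodeDecay's own code: the config shape (a boolean safety.allowCommands switch plus an assumed safety.allowedCommands map from binary name to required argument prefix) and the evidence field names are assumptions made for this example.

```javascript
// Added illustration, not CodeDecay's code. Assumed config shape:
//   safety.allowCommands   -> boolean master switch
//   safety.allowedCommands -> { "<binary>": [<required argument prefix>] }

const SHELL_META = /[;&|<>`$(){}\[\]*?!\\"'\n\r]/;

// Decide whether `command` with `args` may run under `config`.
// Returns { allowed: true, argv } or { allowed: false, reason }.
// The plan is meant for spawn(argv) with no shell involved.
function planAgentCommand(config, command, args) {
  const safety = (config && config.safety) || {};
  if (safety.allowCommands !== true) {
    return { allowed: false, reason: "safety.allowCommands is not enabled" };
  }
  if (typeof command !== "string" || !Array.isArray(args)) {
    return { allowed: false, reason: "malformed command plan" };
  }
  // Exact key match only: no globs, no path resolution, so "../sh" or "sh"
  // cannot be smuggled in next to an allowlisted "codex".
  const allow = safety.allowedCommands || {};
  if (!Object.prototype.hasOwnProperty.call(allow, command)) {
    return { allowed: false, reason: `command not allowlisted: ${command}` };
  }
  // The configured argument prefix is mandatory, e.g. ["exec"] for codex,
  // so the agent cannot pick a different mode of the tool.
  const prefix = allow[command];
  if (!Array.isArray(prefix)) {
    return { allowed: false, reason: "allowlist entry must be an argument prefix" };
  }
  if (!prefix.every((a, i) => args[i] === a)) {
    return { allowed: false, reason: "argument prefix does not match allowlist" };
  }
  // Anything beyond the prefix may come from the agent: refuse shell
  // metacharacters (defence in depth even without a shell) and option-looking
  // strings, so agent text cannot turn into extra flags for the tool.
  for (const a of args.slice(prefix.length)) {
    if (typeof a !== "string" || SHELL_META.test(a) || a.startsWith("-")) {
      return { allowed: false, reason: `rejected argument: ${String(a)}` };
    }
  }
  return { allowed: true, argv: [command, ...args] };
}

// Wrap agent output as evidence that carries its own trust label, so nothing
// downstream can mistake it for verified tool output. The size cap keeps an
// agent from flooding a report. Field names are assumed for this example.
function asAgentSuggestion(command, stdout) {
  return {
    kind: "agent-suggestion",
    trusted: false,
    source: command,
    text: String(stdout).slice(0, 64 * 1024),
  };
}
```

The exact-key allowlist and the mandatory prefix are what actually stop an agent from choosing the binary or its mode; the metacharacter and leading-dash checks are defence in depth for the trailing arguments, which are the only part an agent is allowed to influence.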

Validation:

  • pnpm install
  • pnpm run lint
  • pnpm typecheck
  • pnpm test (341 tests)
  • pnpm build
  • pnpm --filter @submuxhq/codedecay pack --dry-run
  • Installed npm package smoke test
  • Code scanning open alerts: 0

Package:

  • npm: @submuxhq/codedecay@0.3.1
  • CLI: codedecay

CodeDecay remains local-first and deterministic by default, with no telemetry, no required API keys, and no hidden model calls.

CodeDecay v0.3.0

27 Jun 18:31

This release focuses on making CodeDecay safer to adopt in real PR workflows: lower-noise scoring, clearer release gating, stronger CLI utilities, memory learning, and package smoke coverage.

Highlights:

  • Recalibrated low-signal changes so docs/assets/metadata-only updates do not create false high-risk reports.
  • Added a focused risk lift for runtime-config and database/schema changes, since those are production-sensitive.
  • Added memory learning flows for CI, PR, and CodeDecay report signals.
  • Added/verified CLI utility surfaces for help, man, update, uninstall, version, and unknown-command suggestions.
  • Added StrykerJS mutation report ingestion support and stronger published-package smoke coverage.

Install:

npm install -D @submuxhq/codedecay@0.3.0

Verification completed:

  • GitHub CI, docs deploy, and CodeQL passed on the release commit.
  • Tarball smoke passed before publish.
  • npm registry package smoke passed after publish.

CodeDecay v0.2.0

25 Jun 12:52
80ebb4b

This release migrates the public npm package to the GitHub organization-aligned scope:

npm install -D @submuxhq/codedecay

The installed CLI binary remains unchanged:

npx codedecay --help

What Changed

  • Renamed the primary npm package from @submux/codedecay to @submuxhq/codedecay.
  • Kept the CLI binary name as codedecay.
  • Updated README, docs, release docs, GitHub Action metadata, CLI help text, tests, and workflow/package references.
  • Kept npmjs as the default public install path.
  • Kept GitHub Packages as an optional mirror using the same package name.

Validation

  • pnpm install
  • pnpm run lint
  • pnpm typecheck
  • pnpm test (239 passing)
  • pnpm build
  • pnpm --filter @submuxhq/codedecay pack --dry-run
  • Fresh install from npm: npm install @submuxhq/codedecay@0.2.0
  • Binary check: node_modules/.bin/codedecay version -> 0.2.0

CodeDecay remains local-first, deterministic by default, and has no telemetry, no required API keys, and no required LLM/model calls.

CodeDecay v0.1.6

25 Jun 11:50
80134ce

Patch release for release hygiene, security scanning cleanup, and CLI polish.

Changes

  • Fixes CodeQL polynomial regex alerts by replacing risky regex parsing with linear scanners.
  • Resolves dependency alerts for Vite and esbuild through workspace overrides.
  • Adds stronger end-user demo coverage for MCP/client and GitHub Action runtime smoke paths.
  • Improves CLI discovery by suggesting similar commands and flags.
  • Keeps CodeDecay local-first and deterministic, with no telemetry, no API keys, and no required LLM/model calls.
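
Added JavaScript example, not CodeDecay's code, of the class of fix the first bullet describes: two regex shapes that CodeQL reports as polynomial ReDoS, each beside a linear scanner that returns identical results. The sample strings used to check them are constructed for this example.

```javascript
// Added illustration, not CodeDecay's code. Each "BEFORE" regex is the kind of
// pattern CodeQL's polynomial-ReDoS query flags; each "AFTER" scanner is linear.

// Single-character whitespace test: one char and no quantifier, so it cannot
// backtrack, and it keeps exactly the character class that `\s` means in JS.
const isWs = (ch) => /\s/.test(ch);

// BEFORE: on n whitespace chars followed by one non-space char, the engine
// restarts `\s+$` at each of the n positions and backtracks through every
// length before `$` fails, O(n^2) overall.
function stripTrailingRegex(s) {
  return s.replace(/\s+$/, "");
}

// AFTER: one backwards scan, O(n), no backtracking.
function stripTrailingLinear(s) {
  let end = s.length;
  while (end > 0 && isWs(s[end - 1])) end--;
  return s.slice(0, end);
}

// BEFORE: unanchored `\s*,\s*` has the same shape; a long run of whitespace
// with no comma is re-scanned from every start position.
function splitCommaRegex(s) {
  return s.split(/\s*,\s*/);
}

// AFTER: one forward pass that trims only the whitespace touching a comma,
// which is exactly what the regex consumed (the outer ends are left alone).
function splitCommaLinear(s) {
  const out = [];
  let start = 0; // start of the current field
  let i = 0;
  while (i < s.length) {
    if (s[i] !== ",") { i++; continue; }
    let end = i;
    while (end > start && isWs(s[end - 1])) end--; // whitespace before ','
    out.push(s.slice(start, end));
    i++;
    while (i < s.length && isWs(s[i])) i++;         // whitespace after ','
    start = i;
  }
  out.push(s.slice(start));
  return out;
}
```

The replacement scanners are the easy part; the useful habit is the equivalence check. Run both versions over a small corpus of edge cases (empty string, only whitespace, adjacent separators, whitespace at both ends) before deleting the regex, because "linear" rewrites that quietly change results are how a security fix turns into a parsing bug.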

Package

  • npm: npm install -D @submux/codedecay
  • version: @submux/codedecay@0.1.6
  • binary: codedecay

Validation

  • pnpm install
  • pnpm run lint
  • pnpm typecheck
  • pnpm test
  • pnpm build
  • pnpm --filter @submux/codedecay pack --dry-run
  • fresh npm install and codedecay --help

CodeDecay v0.1.5

25 Jun 10:55
b9b7d2c

Patch release focused on install and first-run clarity.

Changed

  • Clarifies install commands for npm, pnpm, Bun, and Yarn users.
  • Adds a no-install smoke-test command with npx -y @submux/codedecay --help.
  • Documents why npm install can fail inside non-npm workspaces that use workspace:* dependencies.
  • Documents Bun minimumReleaseAge behavior and a local-evaluation override.

Package

  • npm: @submux/codedecay@0.1.5
  • CLI binary: codedecay
  • License: Apache-2.0

CodeDecay remains local-first and deterministic by default: no telemetry, no required API keys, no required LLM/model calls, and no CodeDecayCloud dependency.

CodeDecay v0.1.4

25 Jun 10:10
e382d36

This release expands CodeDecay from deterministic PR risk scoring toward a local-first PR safety harness for AI-assisted development.

Highlights

  • Adds deterministic redteam, agent handoff, execution, differential, memory, skills, MCP, and tool-adapter foundations.
  • Adds agent handoff profiles for Codex, Claude Code, Cursor, Pi, OpenCode, desktop apps, and generic user-owned agents.
  • Adds optional local/BYOK provider plumbing while keeping CodeDecay usable without LLM calls.
  • Adds adapters and planning support for Playwright, StrykerJS, Schemathesis, and Pact-style workflows.
  • Improves route/API impact evidence and test-audit reporting in redteam/agent outputs.
  • Improves README and contributor-facing project positioning.
  • Fixes scoring gates so low-only findings do not fail --fail-on high.

Safety Boundaries

CodeDecay remains local-first and open-source. It sends no telemetry and does not require CodeDecayCloud, API keys, hosted LLMs, or model calls.

Install

npm install -D @submux/codedecay

Validate

npx codedecay analyze --format markdown
npx codedecay redteam --format markdown
npx codedecay agent --profile codex --format markdown

CodeDecay v0.1.2

22 Jun 17:56

CodeDecay v0.1.2 is a patch release focused on OSS trust hardening after the first public package release.

Highlights:

  • Improves JS/TS analyzer fixture coverage.
  • Adds live git integration coverage.
  • Fixes Prisma schema detection so prisma/schema.prisma is treated as database/schema risk.
  • Fixes nested cwd untracked path normalization.

CodeDecay remains open-source, local-first, and deterministic:

  • No telemetry
  • No API keys
  • No LLM/model calls
  • No cloud dependency

Install:

npm install -D @submux/codedecay

Run:

npx codedecay analyze --format markdown

CodeDecay v0.1.1

22 Jun 17:20
a690614

CodeDecay v0.1.1 is a patch release focused on npm package hygiene before broader launch.

Highlights:

  • Published package: @submux/codedecay@0.1.1
  • Install with npm install -D @submux/codedecay
  • Added a standalone Apache-2.0 LICENSE file to the npm tarball
  • Confirmed the package includes README.md, package.json, and built dist files
  • Verified the installed codedecay binary works from a fresh npm install

CodeDecay remains open-source, local-first, and deterministic:

  • No API keys
  • No LLM/model calls
  • No telemetry
  • No cloud dependency

Try it:

npm install -D @submux/codedecay
npx codedecay analyze --format markdown

Next engineering work:

  • #9 analyzer fixture coverage
  • #10 live git integration coverage