gitnexus 1.3.10

[1.3.10] - 2026-03-07

Security

  • MCP transport buffer cap: Added 10 MB MAX_BUFFER_SIZE limit to prevent out-of-memory attacks via oversized Content-Length headers or unbounded newline-delimited input
  • Content-Length validation: Reject Content-Length values exceeding the buffer cap before allocating memory
  • Stack overflow prevention: Replaced recursive readNewlineMessage with iterative loop to prevent stack overflow from consecutive empty lines
  • Ambiguous prefix hardening: Tightened looksLikeContentLength to require 14+ bytes before matching, preventing false framing detection on short input
  • Closed transport guard: send() now rejects with a clear error when called after close(), with proper write-error propagation
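
The hardening items above, combined in one small reader. This is an added sketch, not gitnexus source code: `FrameReader` and its method names are hypothetical, and only `MAX_BUFFER_SIZE` and the 14-byte detection threshold come from the changelog.

```javascript
// Added illustration, not gitnexus source. Only MAX_BUFFER_SIZE is named on the page.
const MAX_BUFFER_SIZE = 10 * 1024 * 1024; // 10 MB cap from the changelog
const HEADER = 'content-length';          // 14 bytes: minimum needed to detect framing
class FrameReader {
  constructor(max = MAX_BUFFER_SIZE) {
    this.max = max;
    this.mode = null; // 'content-length' | 'newline', fixed by the first message
    this.buf = Buffer.alloc(0);
  }
  push(chunk) {
    if (this.buf.length + chunk.length > this.max) throw new Error('buffer cap exceeded');
    this.buf = Buffer.concat([this.buf, chunk]);
    const out = [];
    for (;;) { // a loop, so a run of empty lines cannot grow the call stack
      if (this.mode === null && !this.detect()) break;
      const msg = this.mode === 'newline' ? this.readLine() : this.readFramed();
      if (msg === undefined) break; // incomplete: wait for more bytes
      if (msg !== '') out.push(msg);
    }
    return out;
  }
  detect() {
    // Undecided until 14 bytes or a newline has arrived; never guess on a short prefix.
    if (this.buf.length < HEADER.length && !this.buf.includes('\n')) return false;
    const head = this.buf.subarray(0, HEADER.length).toString('latin1').toLowerCase();
    this.mode = head === HEADER ? 'content-length' : 'newline';
    return true;
  }
  readLine() {
    const nl = this.buf.indexOf('\n');
    if (nl === -1) return undefined;
    const line = this.buf.subarray(0, nl).toString('utf8').trim();
    this.buf = this.buf.subarray(nl + 1);
    return line;
  }
  readFramed() {
    const end = this.buf.indexOf('\r\n\r\n');
    if (end === -1) return undefined;
    const m = /^content-length:[ \t]*(\d+)\r?$/im.exec(this.buf.subarray(0, end).toString('latin1'));
    const len = m ? Number(m[1]) : NaN;
    // Validate the declared length against the cap before waiting for or copying a body.
    if (!Number.isSafeInteger(len) || len > this.max) throw new Error('bad Content-Length');
    const start = end + 4;
    if (this.buf.length < start + len) return undefined;
    const body = this.buf.subarray(start, start + len).toString('utf8');
    this.buf = this.buf.subarray(start + len);
    return body;
  }
}
```
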

Added

  • Dual-framing MCP transport (CompatibleStdioServerTransport): Auto-detects Content-Length (Codex/OpenCode) and newline-delimited JSON (Cursor/Claude Code) framing on the first message, responds in the same format (#207)
  • Lazy CLI module loading: All CLI subcommands now use createLazyAction() to defer heavy imports (tree-sitter, ONNX, KuzuDB) until invocation, significantly improving gitnexus mcp startup time (#207)
  • Type-safe lazy actions: createLazyAction uses constrained generics to validate export names against module types at compile time
  • Regression test suite: 13 unit tests covering transport framing, security hardening, buffer limits, and lazy action loading

Fixed

  • CALLS edge sourceId alignment: findEnclosingFunctionId now generates IDs with a :startLine suffix matching the node creation format, fixing the process detector finding 0 entry points (#194)
  • LRU cache zero maxSize crash: Guard createASTCache against maxSize=0 when repos have no parseable files (#144)

Changed

  • Transport constructor accepts NodeJS.ReadableStream / NodeJS.WritableStream (widened from concrete ReadStream/WriteStream)
  • processReadBuffer simplified to break on the first error instead of running a stale-buffer retry loop