Name Modified Size Downloads / Week
codegraph-win32-x64.zip 2026-05-22 42.4 MB
codegraph-darwin-arm64.tar.gz 2026-05-22 46.6 MB
codegraph-darwin-x64.tar.gz 2026-05-22 47.8 MB
codegraph-linux-arm64.tar.gz 2026-05-22 51.5 MB
codegraph-linux-x64.tar.gz 2026-05-22 51.8 MB
codegraph-win32-arm64.zip 2026-05-22 38.5 MB
README.md 2026-05-22 4.4 kB
v0.9.2 source code.tar.gz 2026-05-22 1.1 MB
v0.9.2 source code.zip 2026-05-22 1.2 MB
Totals: 9 Items   280.9 MB 1

[0.9.2] - 2026-05-21

Added

  • Installer target: Hermes Agent (Nous Research). codegraph install now supports Hermes Agent — it writes the mcp_servers.codegraph entry and ensures platform_toolsets.cli includes mcp-codegraph in $HERMES_HOME/config.yaml, so Hermes can drive the CodeGraph knowledge graph like the other agents.
  • Framework support: Drupal 8/9/10/11 — CodeGraph now detects Drupal projects (via a drupal/* dependency in composer.json) and adds three levels of intelligence:
      • Route extraction: *.routing.yml files emit a route node per route, linked by a references edge to the _controller, _form, or entity-handler class/method, so querying a controller method surfaces the URL route that binds it.
      • Hook detection: hook implementations in .module, .install, .theme, and .inc files are detected via docblock (Implements hook_X()) with a module-name-prefix fallback. Each emits a references edge to the canonical hook_X name so codegraph_callers("hook_form_alter") returns every implementation across modules.
      • Resolution: _controller/_form FQCNs resolve to their PHP class/method nodes. New yaml/twig languages are tracked at the file level, the Drupal PHP extensions (.module/.install/.theme/.inc) are indexed with the PHP grammar, and web/core, web/modules/contrib, web/themes/contrib are excluded by default. Resolves #268.

Changed

  • Zero-config indexing that respects .gitignore. CodeGraph no longer has a config file. It indexes every file whose extension maps to a supported language and honors your .gitignore everywhere: in git repos via git itself, and in non-git projects (e.g. a freshly-scaffolded app before git init) by reading .gitignore files directly — root and nested, the same way git does (via the ignore library, so negation/anchoring/nested rules all behave correctly). To keep something out of the graph, add it to .gitignore. Behavior change: committed files that are not gitignored are now indexed even under vendor/, Pods/, or a committed dist/ — previously a hardcoded exclude list skipped those names; now .gitignore is the single source of truth. Resolves #283.

Fixed

  • Windows: npm i -g @colbymchenry/codegraph then any codegraph command failed with spawnSync …\codegraph.cmd EINVAL. The npm launcher spawned the bundle's .cmd file directly, which modern Node refuses to do on Windows (the CVE-2024-27980 hardening — seen on Node 24). The launcher now invokes the bundled node.exe against the app directly, so codegraph works on Windows regardless of your Node version. Resolves #289.

Removed

  • .codegraph/config.json and the entire config surface. Every field was either inert or now redundant with .gitignore:
      • languages/frameworks never affected indexing (languages are detected per file from extensions; frameworks are auto-detected). languages was also broken — its validator only knew the original 8 languages, so setting it to anything newer (C#, PHP, Ruby, C/C++, Swift, Kotlin, Dart, Vue, Scala, Lua, …) threw Invalid configuration format.
      • extractDocstrings/trackCallSites/customPatterns were never read by any extractor.
      • include is now derived from the supported language extensions, exclude is replaced by .gitignore, and maxFileSize (1 MB) is a constant.

Breaking (library API): the CodeGraphConfig type, the config option on CodeGraph.init(), and the getConfig()/updateConfig()/getConfigPath exports are gone. Existing .codegraph/config.json files are simply ignored. The .codegraphignore marker is no longer supported — use .gitignore.

Security

  • MCP session marker no longer follows symlinks (CWE-59). Every codegraph_context call writes a codegraph-consulted-* marker into the system temp dir; the previous write followed symlinks, so on a multi-user system another local user could pre-plant that path as a symlink and redirect the write onto a victim-writable file. The marker is now opened with O_NOFOLLOW and mode 0600, and a planted symlink is refused rather than followed. Resolves #280.
Source: README.md, updated 2026-05-22
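
The symlink-safe marker write described in the Security entry, as an added Node.js example (not CodeGraph's own code): it contrasts a plain write that follows a symlink with one opened using O_NOFOLLOW and mode 0600. The function names, the marker file name and the victim file are constructed for the demonstration, which assumes a POSIX system and runs inside its own temporary directory.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// "Before" pattern (hypothetical helper): a plain write follows a symlink at markerPath.
function writeMarkerUnsafe(markerPath, body) {
  fs.writeFileSync(markerPath, body);
}

// Hardened pattern (hypothetical helper): O_NOFOLLOW makes open() fail when the final
// path component is a symlink; 0o600 applies when the file is newly created.
function writeMarkerSafe(markerPath, body) {
  const { O_WRONLY, O_CREAT, O_TRUNC, O_NOFOLLOW } = fs.constants;
  if (O_NOFOLLOW === undefined) throw new Error('O_NOFOLLOW is not available here');
  let fd;
  try {
    fd = fs.openSync(markerPath, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0o600);
  } catch (err) {
    // ELOOP on Linux/macOS, EMLINK on FreeBSD: refuse instead of following.
    if (err.code === 'ELOOP' || err.code === 'EMLINK') return { written: false, reason: err.code };
    throw err;
  }
  try {
    fs.writeSync(fd, body);
  } finally {
    fs.closeSync(fd);
  }
  return { written: true };
}

// Constructed scenario in a private temp dir: a symlink already sits at the marker path.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'marker-demo-'));
  const victim = path.join(dir, 'victim.txt');
  const marker = path.join(dir, 'codegraph-consulted-demo'); // constructed name
  fs.writeFileSync(victim, 'original');
  fs.symlinkSync(victim, marker);
  const refused = writeMarkerSafe(marker, 'session');
  const afterSafe = fs.readFileSync(victim, 'utf8'); // still 'original'
  writeMarkerUnsafe(marker, 'session');
  const afterUnsafe = fs.readFileSync(victim, 'utf8'); // overwritten through the link
  fs.unlinkSync(marker);
  const fresh = writeMarkerSafe(marker, 'session');
  const mode = fs.statSync(marker).mode & 0o777;
  fs.rmSync(dir, { recursive: true, force: true });
  return { refused, afterSafe, afterUnsafe, fresh, mode };
}

console.log(demo());
```

O_NOFOLLOW only guards the final path component, so the directory holding the marker still has to be one that other users cannot rearrange.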