This release includes 4 security fixes of interest to security teams reviewing exposed deployments.
Published 1 month ago
MCP Data & Storage
✓ No known CVEs patched
Topics
agent-memory-system
anthropic
artificial-intelligence
causal-inference
claude
claude-code
claude-code-plugin
cognitive-architecture
cognitive-science
episodic-memory
hopfield-network
llm-memory
long-term-memory
mcp-server
model-context-protocol
neuroscience
persistent-memory
predictive-coding
retrieval-augmented-generation
vector-db
Affected surfaces
rce_ssrf
Summary
AI summary: CALLS edges are no longer silently dropped and all dependency chain details are now available.
Full changelog
- release: v3.14.2 — native AST CALLS chains + humanized panel + Dijkstra compliance
- refactor(compliance): Dijkstra YELLOW items — all UI files under 300 LOC
- fix(ci+compliance): ruff format + Dijkstra RED items (panel split, dead param)
- fix(ui): humanization corrections from Eco + Vygotsky + Feynman audits
- feat(ui): humanize workflow-graph detail panel for non-technical users
- fix(ci): install [codebase] extra + skip tree-sitter tests without it
- fix(graph): CALLS edges were silently dropped — cross-verified by Wu + Feynman
- feat(graph): caller-qualified CALLS — full method-to-method dependency chain
- refactor(ap): remove legacy CORTEX_ENABLE_AP env var — single source of truth
- feat(ap): flip default to ON, make user-overridable via MCP config
- feat(graph): native AST source — L6 depth without automatised-pipeline
- docs: GitNexus competitive analysis + 5-move science-grounded plan
- docs: gap analysis v2 — CORRECTED after reading AP source + web search
- docs: gap analysis — codebase analysis as first-class Cortex core
- docs(darval): reply draft for issue #14 OB4 fix + O1 resolution
- refactor(homeostatic): tighten OB4 fix — fold clips, flag estimate
- fix(homeostatic): issue #14 OB4 — emit bimodality_after on scale-invariant paths
- test(main): bump tool-count assertion to 46 for Gap 1 (query_workflow_graph)
- feat(graph): Gap 1 — query_workflow_graph MCP tool + README refresh
- feat(graph): Gap 6 — confidence + reason on WorkflowEdge
- fix(graph): populate Calls_* / Imports_* rel tables via AP resolve pass
- fix(security): replace ancestor-walk loop with Path.is_relative_to
- fix(security): werkzeug-style whitelist + Path.is_relative_to for CWE-22
- fix(security): apply CodeQL's exact canonical sanitizer patterns
- test(invariants): bump I2 allowlist for handlers/anchor.py after ruff format
- fix(security): satisfy CodeQL on response-splitting + path-injection
- feat(mcp): add title + annotations + outputSchema to every tool
- fix(security): clear remaining CodeQL path-injection + response-splitting alerts
- fix(security): add explicit path-containment checks (CWE-22)
- docs: bump test count to 2500+ across README, CLAUDE.md, linkedin post
- docs(readme): document L6 AST-symbol layer in Graph View
- docs(readme): correct companion project name to automatised-pipeline
- docs(readme): add ai-architect automated pipeline to companion projects
- style: ruff format workflow_graph_source_ast
Full Changelog: https://github.com/cdeust/Cortex/compare/v3.14.1...v3.14.2
Breaking Changes
- Removed legacy CORTEX_ENABLE_AP environment variable
Security Fixes
- Replaced ancestor-walk loop with Path.is_relative_to to mitigate CWE-22 (path traversal)
- Added werkzeug-style whitelist and Path.is_relative_to checks for CWE-22
- Applied CodeQL exact canonical sanitizer patterns for path injection
- Resolved response-splitting vulnerabilities per CodeQL alerts
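The three kinds of check listed above (a Path.is_relative_to containment test, a werkzeug-style filename whitelist, and rejection of CR/LF in header values) are shown below as an added example written for this page; it is not code from the Cortex project. The function names safe_join, safe_filename and safe_header_value, the base directory /srv/cortex/memory and the sample inputs are all constructed for illustration.

```python
import re
from pathlib import Path

# Constructed example base directory; the real project's storage root is not on this page.
BASE_DIR = "/srv/cortex/memory"

# werkzeug-style whitelist: keep ASCII letters, digits, '_', '.', '-' and spaces;
# spaces are later turned into '_' and path separators are treated as spaces.
_FILENAME_DISALLOWED = re.compile(r"[^A-Za-z0-9_.\- ]")


def safe_join(base_dir, user_path):
    """Join user_path onto base_dir and return the resolved Path, or None if it escapes.

    This is the Path.is_relative_to replacement for an ancestor-walk loop (CWE-22):
    resolve() first collapses '..' segments and symlinks, then the component-wise
    is_relative_to test (Python 3.9+) rejects both traversal and look-alike siblings
    such as '/srv/cortex/memory2' when the base is '/srv/cortex/memory'.
    An absolute user_path replaces the base in the join and is therefore rejected too.
    """
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    if not candidate.is_relative_to(base):
        return None
    return candidate


def safe_filename(name):
    """Reduce an untrusted name to a single safe filename component, or None if nothing is left.

    Mirrors the werkzeug secure_filename approach: separators become spaces, characters
    outside the whitelist are dropped, runs of whitespace become '_', and leading/trailing
    dots or underscores are stripped so '..' can never survive as a component.
    """
    name = name.replace("/", " ").replace("\\", " ")
    name = _FILENAME_DISALLOWED.sub("", name)
    name = "_".join(name.split()).strip("._")
    return name or None


def safe_header_value(value):
    """Return value unchanged if it contains no CR or LF, else None.

    A carriage return or line feed inside a header value lets an attacker terminate the
    header and inject further headers or a body (HTTP response splitting, CWE-113),
    so the value is refused rather than repaired.
    """
    if "\r" in value or "\n" in value:
        return None
    return value


if __name__ == "__main__":
    # Constructed sample inputs: one benign request and three that must be refused.
    for requested in ("notes/today.md", "../../etc/passwd", "/etc/passwd", "../memory2/x"):
        print(f"{requested!r:20} -> {safe_join(BASE_DIR, requested)}")
    for raw in ("report.md", "../../etc/passwd", "..."):
        print(f"{raw!r:20} -> {safe_filename(raw)}")
    for header in ("text/plain", "text/plain\r\nSet-Cookie: session=evil"):
        print(f"{header!r:40} -> {safe_header_value(header)}")
```

Each function returns None on rejection instead of "fixing" the input, so the caller has to handle the refusal explicitly; silently rewriting a traversal attempt into something else is how the ancestor-walk style of check tends to go wrong.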
About cdeust/Cortex
Persistent memory for Claude Code grounded in computational neuroscience (41 cited papers)