This release includes 3 security fixes for security teams reviewing exposed deployments.
Summary
AI summary: AiDex adds local semantic search with hybrid ranking and an optional LLM layer while remaining backward compatible.
Full changelog
AiDex grew a brain.
v1 was a Tree-sitter identifier index — fast, but you had to know what you were looking for. v2 is a memory: semantic search over code, docs, and workspace items, all running locally.
npm install -g aidex-mcp
Then aidex_init({ path: ".", embeddings: true }) on a project — ~30s for a typical codebase, free for unchanged files afterwards.
What changed
Local semantic search — three modes: exact (identifier match), semantic (vector KNN), hybrid (RRF fusion of both, default). One ranking covers code methods, README sections, and your task notes. jina-code embeddings (768d), runs on CPU, no GPU required.
Optional LLM layer — Anthropic, OpenAI, OpenRouter, Ollama, HuggingFace, or any custom OpenAI-compatible endpoint. Translates non-English queries, expands vague ones, reranks results. Privacy switch llm_send_code defaults to OFF — code bodies never leave your machine unless you explicitly opt in per project.
Settings tab in the Viewer — aidex_settings({ path, open: true }) opens a clear UI: master toggles for embeddings and LLM, a custom combobox for model selection, an API-key field that auto-detects environment variable names, and a Test-Connection button.
Workspace memory in the same ranking — tasks, task logs, session notes, and archived note history are embedded alongside code. The query "what was that parser bug last week" hits the relevant task, the related note, and the actual code change in one search.
3 new MCP tools — aidex_search, aidex_settings, aidex_log (Log Hub).
12 languages — added HCL/Terraform.
Security & robustness
- LogHub (3335), Viewer (3333), Progress (3334) bind to 127.0.0.1 only — verified externally unreachable
- WebSocket setSettings payload passes through a typed validator (length, type, unknown-key drop)
- Save validation rejects enabling a paid LLM backend without a resolvable key — clear error instead of silent fallback
- 8 bug fixes from a 6-agent regression test (full list in CHANGELOG.md)
Migration
Schema is additive — existing v1 indexes keep working without re-indexing. Embeddings are opt-in per project. Pure embeddings work fully offline; the LLM layer is never required.
Restore points: tags v1.18.0-pre-bugsweep (clean v1.18.0) and v2.0-pre-cleanup (mid-branch checkpoint).
Stack
Node.js 22+, SQLite + sqlite-vec for KNN, Tree-sitter for parsing, @xenova/transformers for embeddings, MCP for AI-client integration. MIT licensed.
Links
- README
- CHANGELOG
- MCP API Reference
- npm
- PR #12 — full diff (~8400 lines, 19 commits)
Security Fixes
- LogHub, Viewer, and Progress services now bind only to 127.0.0.1
- WebSocket setSettings payload validated through typed schema (length, type, unknown‑key drop)
- Save validation rejects enabling a paid LLM backend without a resolvable API key
About CSCSoftware/AiDex
Persistent code index MCP server using Tree-sitter for fast, precise code search. Replaces grep with ~50 token responses instead of 2000+. Supports 11 languages including C#, TypeScript, Python, Rust, and Go.