This release adds 3 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Summary
AI summary: New `validate_diff` MCP tool assesses patch safety with risk levels and blast radius.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | Low | Adds `validate_diff` tool for patch safety risk assessment. | — |
| Feature | Low | Introduces episodic memory across AI sessions via SQLite log. | — |
| Feature | Low | Sharpened import graph resolution to 92‑100% across measured repos. | — |
| Feature | Low | Adds C/C++ `#include` and C# `using` directive support to import graph. | — |
| Feature | Low | Fresh‑by‑default index uses git hooks; `carto watch` becomes optional. | — |
| Feature | Low | Expands IDE auto‑wiring support from 4 to 7 tools (adds Codex, Windsurf, VS Code Copilot). | — |
| Feature | Low | Introduces read‑only `carto inspect` diagnostic command with JSON output. | — |
| Performance | Medium | Bitmap query engine makes five MCP tools up to 10.8× faster than SQLite. | — |

Source for every row: llm_adapter@2026-06-07. Confidence: high.
Full changelog
What's new
`validate_diff` — your AI can ask "is this patch safe?"
A new MCP tool that takes a unified diff and returns a risk level
(SAFE / LOW / MEDIUM / HIGH), per-file blast radius, and cross-domain
violations. The agent calls this before showing a patch to the
user, so a bad refactor never makes it to the screen. p99 0.5ms on
a 7K-file repo.
Episodic memory across AI sessions
Every `validate_diff` call writes to a local SQLite session log.
A session that runs five hours later can ask
`did_we_discuss_this("snake_case naming")` and get back the prior
decision. Four new tools surface this — your AI stops re-deciding
settled questions. MCP tool count: 17 → 22.
Bitmap query engine in production
Five MCP tools now answer from a `Uint32Array` bitmap sidecar
materialised from SQLite, plus the new `simulate_change_impact`
tool that's only feasible with bitmap OR-aggregation. Median
10.8× faster than SQLite on vscode. Sub-millisecond on every
benchmarked repo.
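To illustrate what bitmap OR-aggregation buys for blast-radius queries, here is an added example that is not Carto's code: it precomputes one `Uint32Array` of transitive dependents per file, then ORs the bitmaps of every file a unified diff touches. The graph, the diff and all function names are constructed for this sketch.

```javascript
// Constructed sample graph (not a real repo): [importer, imported] pairs.
const FILES = ["src/db.js", "src/auth.js", "src/api.js", "src/ui.js", "src/util.js"];
const IMPORTS = [["src/auth.js", "src/db.js"], ["src/api.js", "src/auth.js"],
                 ["src/ui.js", "src/api.js"], ["src/ui.js", "src/util.js"]];
const WORDS = Math.ceil(FILES.length / 32);
const indexOf = new Map(FILES.map((f, i) => [f, i]));
const hasBit = (bits, j) => (bits[j >>> 5] & (1 << (j & 31))) !== 0;
const members = (bits) => FILES.filter((_, j) => hasBit(bits, j));

// One bitmap per file: bit j is set when file j imports it directly or transitively.
function buildDependentBitmaps() {
  const direct = FILES.map(() => []);
  for (const [importer, imported] of IMPORTS) direct[indexOf.get(imported)].push(indexOf.get(importer));
  return FILES.map((_, start) => {
    const bits = new Uint32Array(WORDS);
    const stack = [...direct[start]];
    while (stack.length) {
      const j = stack.pop();
      if (hasBit(bits, j)) continue;            // visited; also terminates on import cycles
      bits[j >>> 5] |= 1 << (j & 31);
      stack.push(...direct[j]);
    }
    return bits;
  });
}

// Paths touched by a unified diff, read from its "+++ b/<path>" file headers.
function changedFiles(diff) {
  return diff.split("\n").filter((l) => l.startsWith("+++ b/")).map((l) => l.slice(6).trim());
}

// Per-file dependents, plus the union of all dependents via word-wise bitmap OR.
function blastRadius(diff, bitmaps) {
  const union = new Uint32Array(WORDS);
  const perFile = {};
  for (const path of changedFiles(diff)) {
    const i = indexOf.get(path);
    if (i === undefined) continue;              // file not in the index yet
    perFile[path] = members(bitmaps[i]);
    bitmaps[i].forEach((w, k) => { union[k] |= w; });
  }
  return { perFile, affected: members(union) };
}

// Constructed two-file diff used as sample input.
const SAMPLE_DIFF = ["--- a/src/auth.js", "+++ b/src/auth.js", "@@ -1 +1 @@", "-const ttl = 3600;",
  "+const ttl = 86400;", "--- a/src/util.js", "+++ b/src/util.js", "@@ -4 +4 @@",
  "-export const pad = 2;", "+export const pad = 4;"].join("\n");
console.log(JSON.stringify(blastRadius(SAMPLE_DIFF, buildDependentBitmaps())));
```

The union costs one OR per 32 files for each changed file, independent of how deep the dependency chains run, because the graph traversal happened once at build time.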
Sharper import graph
A post-pass resolution step brings transitive edge resolution to
92-100% across the corpus — vscode 99.4%, express 100%,
supabase 97.5%. Blast radius and cross-domain queries now read
a fully-connected graph on every measured repo.
More languages in the import graph
C/C++ `#include` and C# `using` directives now feed the graph
(Java and Ruby were already wired). C++ resolves project headers
via tree-sitter; C# resolves namespaces through a per-project
namespace map.
Fresh-by-default index — no daemon
`carto init` installs four git hooks (pre-commit, post-checkout,
post-merge, post-rewrite) and the MCP server lazily re-parses
stale files at query time. `carto watch` is now optional.
Wider IDE auto-wiring (4 → 7)
Added Codex (`~/.codex/config.toml`), Windsurf, and VS Code Copilot.
Cursor, Claude Code, Kiro, and Claude Desktop already worked.
`carto inspect`
Read-only diagnostic command: paths, sizes, freshness, bitmap
shape, top-impact files. `--json` mode pipes into `jq`. Never
triggers a rebuild.
Install
npm install -g [email protected]
cd your-project
carto init