depwire/depwire releases

What's new

This release adds 6 new MCP tools designed for multi-agent AI coding workflows. Whether you're a solo developer using Cursor, an autonomous agent making code changes, or an orchestrator coordinating multiple agents — these tools give you deterministic verification, coordination, and decision memory.

New MCP Tools (6)

Pre-action verification

• verify_change — Pass a proposed code change (file + content, or unified diff), get a deterministic safety report: broken imports, new circular dependencies, security findings, health score delta, blast radius, and risk level. Extends "What If" simulation to actual proposed code.

Multi-agent coordination

• claim_files — Declare which files an agent is about to modify. Prevents parallel agents from stomping each other's work. Returns conflicts if files are already claimed.
• release_files — Release a previously made claim when work is done.
• get_active_claims — Query who is currently working on what. Useful for orchestrator agents deciding what to delegate.

Decision memory

• record_decision — Save a structured decision with reasoning so future agents (or the same agent in a future session) can see what was decided and why.
• get_decisions — Retrieve past decisions matching a query, file, tag, or time range.

Tool count

17 → 23 MCP tools total.

Storage

The new tools persist state in a .depwire/ directory in your project:

• .depwire/claims.jsonl — Multi-agent file claims (append-only audit log)
• .depwire/decisions.jsonl — Agent decision records (append-only audit log)

Recommended addition to your project's .gitignore:

.depwire/claims.jsonl
.depwire/decisions.jsonl

Forward compatibility with AIT

All 6 new tools accept an optional agent_identity_token parameter, reserved for future integration with the AIT (Agent Identity Token) open standard. Tools work without it today; future releases will use it for cryptographic verification of agent actions.

Supported languages (15)

TypeScript · JavaScript · Python · Go · Rust · C · C# · Java · C++ · Kotlin · PHP · Swift · Mojo · Ruby · Dart

Install

npm install -g [email protected]

Or for MCP:

mcp install io.github.atef-ataya/depwire

What's new

• Dart and Flutter support — full parser for .dart files, pubspec.yaml, and pubspec.lock
• Flutter widget tree parsing (StatelessWidget, StatefulWidget, State subclasses)
• Server-side Dart route detection (Shelf, Conduit, Angel, Serverpod)
• HTTP client cross-language edges (Dio, http, Chopper, Retrofit)
• Dead code exclusions for Flutter lifecycle methods, Riverpod, Bloc, GetX, test methods
• 8 security patterns including database query safety, process execution safety, runtime evaluation safety
• 6 crypto patterns including weak hashing, credential management, SSL safety

Tested on

• dart-lang/shelf — 108 files, 1,639 symbols, 0.11s parse time

Supported languages (15)

TypeScript · JavaScript · Python · Go · Rust · C · C# · Java · C++ · Kotlin · PHP · Swift · Mojo · Ruby · Dart

What's new

• Ruby support — full parser for .rb, .rake, .gemspec files
• Rails route detection (get/post/put/patch/delete/resources/namespace)
• Sinatra, Rack, Grape API route detection
• Faraday, Net::HTTP, HTTParty cross-language edges
• ActiveRecord and Rails callback exclusions for dead code detection
• 11 security patterns including DB query safety, process execution safety, runtime evaluation safety
• 6 crypto patterns including weak hashing, credential management, SSL safety

Supported languages (14)

TypeScript · JavaScript · Python · Go · Rust · C · C# · Java · C++ · Kotlin · PHP · Swift · Mojo · Ruby

Fixed

• Fixed manifest.json version sync (1.1.8 → 1.1.9)
• Updated website language count from 11 to 13
• Added Swift and Mojo to website language list
• Created missing git tags (v1.1.3)

Added

• Added Agent Identity Token (AIT) spec reference to README
• Depwire is the reference implementation of the AIT open standard

Fixed

• Restored README from v1.1.2 clean state
• Content filter compliance fixes

Fixed

• Sanitized README for npm content filter compliance
• Stability improvements and bug fixes

Added

• What If browser UI — run depwire whatif without --simulate to open side-by-side arc diagrams
• Current vs simulated state visualization
• Ghost nodes and red highlighting for affected files
• Interactive hover/click on affected nodes

Added

• Mojo parser — fn, def, structs, classes, traits, alias, var/let declarations
• Pattern-based parser (no tree-sitter-mojo available)
• mojoproject.toml dependency parsing
• Python interop detection (from python import)
• Cross-language route detection via Python framework interop
• Dead code detection with lifecycle/trait/MLIR exclusions
• Security scanner: Pointer[T] memory safety, Python interop eval, SIMD bounds

Mojo is the first AI-native language supported by Depwire.

Added

• Swift parser — functions, methods, initializers, classes, structs, enums, protocols, extensions, actors, properties
• Package.swift (SPM) dependency parsing
• Vapor, Hummingbird, Perfect cross-language route detection
• URLSession and Alamofire HTTP client edge detection
• Dead code detection with SwiftUI/AppDelegate/XCTestCase exclusions
• Security scanner: memory pointer safety, UserDefaults secrets, weak hashing, ATS patterns

Mojo Language Support

Depwire now supports Mojo (.mojo, .🔥) — the first AI-native language in our lineup. Mojo is a superset of Python by Modular, designed for high-performance AI/ML workloads.

What's included

• Pattern-based parser (no tree-sitter-mojo on npm): extracts fn, def, struct, class, trait, alias, var/let, imports, decorators, parameter modifiers, SIMD/Tensor/DType references, and function call edges
• File detection: .mojo and .🔥 extensions, mojoproject.toml as project marker
• Cross-language edges: Python interop detection (from python import), FastAPI/Starlette route detection via Python bridge
• Dead code detection: init/copyinit/moveinit lifecycle exclusions, trait implementation methods, MLIR dialect operations, @export functions
• Security scanner: Pointer[T]/DTypePointer unsafe memory, Python eval() via interop, uninitialized memory patterns, SIMD store/load without bounds checking, weak random via Python random, hardcoded keys in alias declarations, hashlib interop

Language count: 13

TypeScript, JavaScript, Python, Go, Rust, C, C#, Java, C++, Kotlin, PHP, Swift, Mojo

• PHP language support (11th language)
• What If CLI browser UI: ghost effect + red highlighting for affected nodes/edges
• README: deterministic vs RAG positioning + architecture diagram
• GitHub Actions CI/CD pipeline for automated npm publishing
• Health score calibration for large repos
• Security scanner descriptions sanitized for npm content filter compliance

Changes

• Verified trackCommand() is called unconditionally on every execution for all 9 CLI commands
• Bumped version to 1.0.9 in package.json, manifest.json, and server.json

Commands tracked

parse, query, viz, temporal, mcp, docs, health, dead-code, whatif, security

Adds full PHP language support (11th language).

• Laravel, Symfony, Slim, WordPress REST API route detection
• Security scanner: eval(), unserialize(), md5() passwords, shell_exec(), preg_replace /e modifier, extract() on superglobals
• Dead code detection excludes WordPress hooks, Laravel service providers, Symfony controllers, PHPUnit test methods
• composer.json recognized as project marker

Kotlin / JVM Language Support

Full production-quality Kotlin support through Kotlin 2.0.

What's included

• All Kotlin patterns: data classes, sealed classes, objects, companion objects, value classes, extension functions, coroutines
• Spring Boot, Ktor, Http4k, Ktor Resources cross-language route detection
• Android Retrofit outgoing edge detection
• Dead code detection with Android lifecycle and Spring annotation exclusions
• Security scanner: SQL injection via string templates, not-null assertion abuse
• Tested on ktor-samples: 208 files, 4,288 symbols, 3,667 edges, 1.23s, health score 92/100

Fix: What If browser UI broken connections now highlighted in red

• Left diagram: current state in normal rainbow colors
• Right diagram: broken connections clearly visible in red with glow effect
• Red ghost file bar shows where deleted file used to be

Languages now supported

TypeScript · JavaScript · Python · Go · Rust · C · C# · Java · C++ · Kotlin

Fix: What If simulation now opens browser UI automatically

Running depwire whatif . --simulate delete --target <file> now:

1. Prints simulation results to terminal (affected nodes, broken imports, removed edges)
2. Automatically opens browser UI at http://127.0.0.1:3335
3. Shows both arc diagrams side by side — current state left, simulated state right
4. Broken connections highlighted in red
5. Health score delta in the header banner

Previously required two separate commands. Now one command does everything.

Languages now supported

TypeScript · JavaScript · Python · Go · Rust · C · C# · Java · C++

• README: full C++ language support entry with all patterns documented
• Website: nlohmann/json test stats added to real-world projects table
• Language badge row complete: TypeScript · JavaScript · Python · Go · Rust · C · C# · Java · C++

• Removed unused readFileSync import in detect.ts
• Completed C++ language support section in README
• Added nlohmann/json test statistics to website

C++ / Systems Language Support

Full production-quality C++ support through C++23.

What's included

• All modern C++ patterns: classes, structs, unions, enums, namespaces, concepts, coroutines, C++20 modules
• Template support with parameter stripping
• CMakeLists.txt, Conan, vcpkg dependency edge parsing
• Crow, Drogon, Pistache, cpp-httplib cross-language route detection
• Dead code detection with vtable/template exclusions
• Health score: circular includes, missing header guards, god classes, raw pointers, missing virtual destructors
• Security scanner: buffer overflow, format string vulnerability, use-after-free, command injection

Languages now supported

TypeScript · JavaScript · Python · Go · Rust · C · C# · Java · C++

Why C++

Systems programming, game engines, AI inference (llama.cpp, ggml), embedded, HPC. If your AI is touching C++ — and it is — it needs a map.

Java / JVM Support

Full production-quality Java support — the most requested language addition.

What's included

• Class, interface, enum, record, annotation parsing
• Maven pom.xml and Gradle/Gradle KTS dependency edges
• Spring Boot REST route detection (@GetMapping, @PostMapping, @RequestMapping)
• JAX-RS / Jakarta EE route detection
• Spring WebFlux RouterFunction support
• Dead code detection with Spring/JUnit annotation exclusions
• Health score: god class detection, circular package dependencies, deep inheritance chains
• Security scanner: SQL injection, XXE, insecure deserialization, Spring Security misconfiguration, log injection

Languages now supported

TypeScript · JavaScript · Python · Go · Rust · C · C# · Java

Why Java

The JVM ecosystem powers most enterprise backends. Spring Boot alone runs on millions of production servers. If your AI is touching Java code — and it is — it needs a map.

Depwire v1.0.0

First major release. All planned v1.0 features shipped.

What's new in v1.0.0

• Full C# / .NET language support
  • Records, file-scoped namespaces, primary constructors, global usings
  • .csproj ProjectReference and PackageReference edge detection
  • ASP.NET Core cross-language edges (attribute routing + Minimal API)
  • Dead code detection and health scoring for C# codebases

Full language support

TypeScript · JavaScript · Python · Go · Rust · C · C#

All v1.0 features

• 17 MCP tools
• What If simulation (CLI + Browser UI)
• Security scanner with graph-aware severity
• Cross-language edge detection (7 languages)
• Architecture health score
• Dead code detection
• Auto-generated documentation
• Temporal graph
• depwire-cli/sdk public API

3,800+ npm downloads/month at launch.

• Fixed false 'No project root found' warning on macOS when running from /tmp paths
• /tmp is a symlink to /private/tmp on macOS — realpathSync() now resolves it correctly
• Removed overly strict home-directory guard (blocklist already prevents system dir traversal)

Cross-language edge detection

• Detects REST API connections: fetch/axios calls matched to Express, FastAPI, Flask, Gin routes
• Detects subprocess edges: execSync/subprocess.run matched to target files in graph
• Flask @app.route() and @blueprint.route() support included
• Edges flow through all existing features: What If simulation, impact analysis, security scanner, arc diagram
• Arc diagram: REST API edges shown in coral, subprocess edges in yellow, with legend
• MCP tools updated: impact_analysis, simulate_change, get_file_context now cross-language aware
• SDK export: detectCrossLanguageEdges from depwire-cli/sdk
• Tested on honojs/hono: 4,048 REST API edges detected

• Hardened depwire-cli against its own security scanner findings
• resolve() containment on all file I/O paths
• package.json: pinned chalk, minimatch, simple-git, web-tree-sitter to exact versions
• README updated with security scanner section

Security Scanner

• New command: depwire security [path]
• 10 vulnerability categories: dependency CVEs, shell injection, hardcoded secrets, path traversal, auth bypass, input validation, information disclosure, cryptography, frontend XSS, architecture-level
• Graph-aware severity elevation: vulnerabilities reachable from MCP tools or HTTP routes automatically elevated
• 3 output formats: table (default), JSON, SARIF 2.1.0 (GitHub Security tab)
• CI gate: --fail-on high exits with code 1
• New MCP tool: security_scan (tool #17)
• SDK export: scanSecurity() from depwire-cli/sdk

What If Phase B — Browser UI

• depwire whatif (no --simulate flag) now opens browser automatically
• Side-by-side arc diagrams: current vs simulated state
• Health score delta banner between panels
• WebSocket-free, inline JSON data

depwire-cli/sdk — Public API Surface

• src/sdk.ts created — stable public export surface
• Exports: parseProject, buildGraph, calculateHealthScore, analyzeDeadCode, generateDocs, SimulationEngine, searchSymbols, getImpact, getArchitectureSummary, DepwireSDKVersion
• Available as depwire-cli/sdk via package.json exports map
• Cloud parser migrated to depwire-cli/sdk — no more internal path imports

• All 16 vulnerabilities from security audit fixed
• resolve() containment checks across all file I/O
• package.json dependencies pinned to exact versions

• Additional security hardening across CLI and cloud
• Path traversal guards added
• Token leakage in error logs fixed

• Fixed simple-git RCE vulnerability (CVSS 9.8) — was shipping to 2,400+ monthly users
• Fixed shell injection in src/temporal/git.ts
• Fixed Hono auth bypass CVE (CVSS 7.5)
• Updated all dependencies — 0 vulnerabilities

What's New

simulate_change MCP Tool (Full Implementation)

The simulate_change MCP tool is now fully implemented. AI coding assistants can now simulate architectural changes before touching any code directly through MCP.

Supported operations:

• delete — full blast radius analysis before deleting a file
• move — see broken imports before moving a file
• rename — see all affected nodes before renaming
• split — simulate splitting a file by moving specified symbols
• merge — simulate merging two files, fails fast on symbol collision

Returns: health score delta, broken imports count, affected nodes, circular deps introduced/resolved, human-readable summary.

depwire-cli/sdk — Public API Surface

depwire-cli now exposes a stable public SDK entrypoint:

import { 
  parseProject, buildGraph, calculateHealthScore,
  analyzeDeadCode, generateDocs, SimulationEngine,
  searchSymbols, getImpact, getArchitectureSummary,
  DepwireSDKVersion
} from 'depwire-cli/sdk';

This is the canonical import path for all cloud and tooling integrations. Never import from internal paths.

Installation

npm install -g depwire-cli

Full Changelog

• feat(mcp): implement simulate_change tool — wires whatif engine into MCP
• feat(sdk): add src/sdk.ts — public API surface for cloud and future consumers
• docs: update README, server.json, website for v0.9.21

What's New

What If Simulation

Simulate architectural changes before touching a single line of code.

# What breaks if I delete this file?
depwire whatif . --simulate delete --target src/services/auth.ts

# What happens if I move this file?
depwire whatif . --simulate move --target src/utils/helpers.ts --destination src/core/helpers.ts

# What happens if I rename this file?
depwire whatif . --simulate rename --target src/router.ts --new-name routes.ts

Each simulation returns:

• Health score delta — does this change improve or degrade your architecture?
• Broken imports — exactly which files would break and why
• Affected nodes — full blast radius of the change
• Circular deps — new cycles introduced or existing ones resolved
• Edge changes — added and removed dependency connections

Supported actions: move, delete, rename, split, merge

MCP Tool Stub

Added simulate_change tool stub to the MCP server (16 tools total). Returns coming_soon — full implementation ships in v1.0.0.

Documentation Updates

• README updated with What If Simulation section and examples
• Updated to 8 commands and 16 MCP tools
• Added comparison table: Deterministic Graph vs RAG vs LLM Native
• Added cloud dashboard mention (app.depwire.dev)
• Website updated with SEO phrases, ecosystem section, and benchmark stats

Bug Fixes

• Fixed MCP Registry version sync — server.json now auto-updates via postversion script
• Fixed npm README rendering (converted HTML badges to markdown)

Install

npm install -g [email protected]

What's new in v0.9.5

Fixed

• Removed git stash pop warning from temporal command output
• Terminal output is now clean with no stack traces or warnings
• Properly checks if stash exists before attempting to pop

Before

Warning: Failed to restore stashed changes: Error: Command failed: git stash pop -q
    at genericNodeError (node:internal/errors:998:15)
    ...

After

🔍 Analyzing git history...
Found 2563 commits
Sampled 20 commits using even strategy
✓ Created 20 snapshots

🚀 Starting temporal visualization server...
✓ Temporal visualization server running at http://127.0.0.1:3334

Clean output — no warnings, no errors.

Install

npm install -g [email protected]

What's new in v0.9.4

Fixed

• Temporal graph now opens on the latest snapshot instead of the empty initial commit
• Users immediately see the full arc diagram on page load
• Scrubbing backward in time now shows graph evolution correctly

Tested

• Verified on Hono repo: 30 snapshots, opens showing 352 files correctly

Install

npm install -g [email protected]

Fixed: dead code symbol lists now display under each confidence header

What's New

• C language support (.c and .h files)
• Functions, structs, enums, typedefs, macros, #include directives
• 6 languages now supported: TypeScript, JavaScript, Python, Go, Rust, C

Install

npm install -g depwire-cli