Grasp v3.20.0

Grasp v3.20.0

New Features

• v3.20.0 — full security scanning suite

Bug Fixes

• correct Apache 2.0 section 9 wording
• use extensions/grasp-code-architecture as submodule path
• correct extension ID to grasp-code-architecture in extensions.toml
• always include path = zed-extension in extensions.toml for Zed
• Apache 2.0 license for Zed store compliance
• MIT license for Zed store compliance (wrapper only)
• replace ELv2 with MIT license for Zed store compliance
• update author email to contact@ashforde.org
• use Elastic License 2.0 (consistent with main repo)
• fix extension ID, use npm_install_package, add context_server_configuration
• raise beforeAll timeout in smoke-new-tools to 120s
• sync innerHTML XSS filter in parser.js with index.html — eliminate false positive on team-dashboard.html
• eliminate innerHTML false positive — extend terminator set to include ;, ), , , ]

Install

MCP Server (Claude Code, Cursor, Cline, Windsurf):

npm install -g grasp-mcp-server

VS Code: Not yet on the Marketplace — install the .vsix directly: download grasp-vscode-v3.20.0.vsix from the assets below, then in VS Code run Extensions: Install from VSIX… (Cmd+Shift+P / Ctrl+Shift+P)

JetBrains: Marketplace — search "Grasp" in IDE Settings → Plugins

Chrome Extension: Chrome Web Store — or install from the .zip asset below

Firefox Extension: Firefox Add-ons — or install the .xpi asset below

Safari Extension: Install the .zip asset below — unzip, move Grasp.app to Applications, open it once, then enable in Safari Settings → Extensions (macOS 13+; see README for full sideload instructions)

Docker: docker pull ashforde/grasp:v3.20.0

Browser App: ashfordeOU.github.io/grasp

Grasp v3.19.0

Grasp v3.19.0

New Features

• kbd-fab — keyboard shortcut popover with hover/click + / and ? bindings
• mobile polish — More menu, auth-bar flex-wrap, breakpoint improvements
• multi-provider auth — GitLab, GHE, Bitbucket, Azure, Gitea
• icon system — replace emoji chrome with Lucide-style inline SVG
• visual brand sweep — match index palette (teal accent, full token set)
• add 8 graph export formats — DOT, Mermaid, D2, PlantUML, DGML, GEXF, draw.io, CSV
• collapse 10-button viz toolbar into a single dropdown picker
• per-repo persistence for ignore patterns and color mode
• compare two new repos via launch modal
• keyboard shortcut hints and bindings
• mobile touch gestures and right-panel auto-collapse
• token indicator and try-it quickstart chips
• snapshot URLs and SARIF/GraphML exports
• mid-analysis rate-limit recovery and helpful error copy

Bug Fixes

• tighten gap between kbd-fab and help-fab on desktop
• allow right panel to open as drawer at <=768px (was unconditionally hidden)
• hide viz picker at <=1080px to prevent overlap with Team Dashboard (still in More menu)
• differentiate left/right panel toggles from More menu (panel icons not 3-line)
• hide auth-badge caption on narrow screens, prevent text wrap
• make viz picker, FABs, and topbar work on phones
• place kbd-fab to the left of help-fab on the same row
• stack kbd-fab above help-fab so they don't overlap
• remove overflow:hidden on viz-topbar so picker dropdown shows
• replace duplicate magnifying-glass icon — Query Graph now uses a distinct network icon
• rename onLine + nextResponse in remaining MCP-stdio clients
• give each smoke test an isolated HOME so brain.db locks don't fight
• pass GRASP_DISABLE_EMBEDDINGS=1 in llm-context-tools test

Install

MCP Server (Claude Code, Cursor, Cline, Windsurf):

npm install -g grasp-mcp-server

VS Code: Not yet on the Marketplace — install the .vsix directly: download grasp-vscode-v3.19.0.vsix from the assets below, then in VS Code run Extensions: Install from VSIX… (Cmd+Shift+P / Ctrl+Shift+P)

JetBrains: Marketplace — search "Grasp" in IDE Settings → Plugins

Chrome Extension: Chrome Web Store — or install from the .zip asset below

Firefox Extension: Firefox Add-ons — or install the .xpi asset below

Safari Extension: Install the .zip asset below — unzip, move Grasp.app to Applications, open it once, then enable in Safari Settings → Extensions (macOS 13+; see README for full sideload instructions)

Docker: docker pull ashforde/grasp:v3.19.0

Browser App: ashfordeOU.github.io/grasp

Grasp v3.18.0

Grasp v3.18.0

New Features

• add grasp_architecture_overview tool — combined community + hub + question report
• add token-reduction eval harness vs 6 OSS repos
• add Claude Code slash commands — grasp-build-graph, grasp-review-delta, grasp-review-pr
• add 3 graph export formats — GraphML, Cypher, Obsidian Canvas
• add TS-config path-alias resolver and improved Python import resolution
• add 4 LLM-context tools — minimal_context, traverse, semantic_search, apply_refactor
• add 5 graph analytics tools — hubs, bridges, surprising connections, knowledge gaps, suggested questions

Bug Fixes

• hide sidebar scrollbar (match .viz-scroll / .panel-tabs)
• explorer was 0px when outer sidebar scrolled

Install

MCP Server (Claude Code, Cursor, Cline, Windsurf):

npm install -g grasp-mcp-server

VS Code: Not yet on the Marketplace — install the .vsix directly: download grasp-vscode-v3.18.0.vsix from the assets below, then in VS Code run Extensions: Install from VSIX… (Cmd+Shift+P / Ctrl+Shift+P)

JetBrains: Marketplace — search "Grasp" in IDE Settings → Plugins

Chrome Extension: Chrome Web Store — or install from the .zip asset below

Firefox Extension: Firefox Add-ons — or install the .xpi asset below

Safari Extension: Install the .zip asset below — unzip, move Grasp.app to Applications, open it once, then enable in Safari Settings → Extensions (macOS 13+; see README for full sideload instructions)

Docker: docker pull ashforde/grasp:v3.18.0

Browser App: ashfordeOU.github.io/grasp

Grasp v3.17.1

v3.17.1 — 2026-04-28

Fixes (vulnerability scanner accuracy)

• Per-directory lockfile scoping — parseManifests was using a single global lockMap keyed only by package name, so a transitive uuid@8.3.2 in browser-extension/package-lock.json was overwriting saas's correctly-resolved uuid@9.0.1. Now each <dir>/package.json only consults <dir>/package-lock.json. Same fix applied to Cargo.toml ↔ Cargo.lock.
• Test-fixture exclusion — manifests under tests/fixtures/, __fixtures__/, test-fixtures/, and test-data/ are now skipped by the vuln scanner. These deliberately pin old vulnerable versions for testing the scanner itself; reporting them as production findings was a category error. Applied to all six manifest formats.
• CI-script debug-statements — .github/actions/, .github/workflows/, /scripts/, and root-level build.mjs are now exempt from the "console.log left in production" low-severity warning. CI helpers print to the workflow log on purpose.
• Sidebar scroll — when the left panel's content (Health Score, Ask Grasp, Color By, Package Impact, stats, Languages, Explorer) exceeds viewport height, the panel now scrolls vertically. Previously the Explorer section disappeared below the fold on shorter viewports.

Dependencies

• saas: uuid 9.0.1 → 14.0.0 to clear GHSA-w5hq-g745-h8pq (CVSS 4.0 medium — missing buffer-bounds check in v3/v5/v6 codepaths). saas only uses uuidv4 so was not actually exploitable, but bumping clears the OSV report. @types/uuid bumped to ^11.0.0 to match.

CI / release infrastructure

• scripts/mint-cws-token.py — one-shot Chrome Web Store refresh-token rotation tool. Spins up a local HTTP server on :8731, walks Google's OAuth consent in your default browser, captures the refresh token, and updates the CHROME_REFRESH_TOKEN GitHub secret via gh CLI. ~30 seconds end-to-end.
• Auto-issue on token expiry — when the publish workflow's CWS token-exchange returns invalid_grant, CI now opens a labelled cws-token-expired GitHub issue with copy-pasteable recovery steps. Failure is no longer silent.
• Workflow hardening — Chrome Web Store publish step is now continue-on-error: true and the create-release job runs if: ${{ !cancelled() }} so a failed Chrome upload never blocks the GitHub Release or any other downstream artifact.

---

Install

npm install -g grasp-mcp-server@3.17.1

Try in browser: ashfordeou.github.io/grasp

Browser extension: Chrome Web Store · Firefox AMO · Safari .zip (sideload).

IDE plugins: VS Code .vsix asset below · JetBrains · Raycast · Zed.

Docker: docker pull ghcr.io/ashfordeou/grasp:v3.17.1

Verify provenance

sigstore verify npm grasp-mcp-server@3.17.1

cosign verify \
  --certificate-identity-regexp="https://github.com/ashfordeOU/grasp/.github/workflows/publish.yml" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/ashfordeou/grasp:v3.17.1

Self-analysis result

After this release, Grasp self-analysis on ashfordeOU/grasp reports:

• Health: 100/100, Grade A
• 0 architecture issues · 0 security findings · 0 vulnerabilities
• 534 files · 76 packages scanned via OSV.dev

Grasp v3.17.0

v3.17.0 — 2026-04-28

New Features

• OSV.dev Dependency Vulnerability Scanner — declared dependencies (npm, PyPI, Go modules, Cargo crates, Maven) are scanned against the OSV.dev free public vulnerability database on every analysis. Manifest parsers cover package.json (with package-lock.json resolution), requirements.txt, pyproject.toml, go.mod, Cargo.toml (with Cargo.lock resolution), and pom.xml.
• New VULN tab in the right panel — severity counts (critical / high / medium / low), per-package CVE list with fix-version suggestion and direct OSV.dev link. Empty-state explains how to add a manifest.
• grasp_vulnerabilities MCP tool — same scan from any agent; markdown report with severity filter (all / critical / high / medium / low).
• grasp vulns <path> CLI command — walks the filesystem for manifest files, scans via OSV, prints colorized severity report. CI-friendly: exits 1 if any critical/high vulnerability is found.
• Health score integration — calcHealth now deducts 5 points per critical (CVSS 9+) and 3 points per high (CVSS 7–8.9), capped at 25 combined. Medium and low do not deduct.
• Privacy preserved — analysis runs in the browser; OSV requests go directly from the user's browser to OSV.dev, never through a Grasp server. The 100% client-side, zero-upload posture is unchanged.
• 24-hour localStorage cache — repeat analyses of the same repo skip OSV calls until the cache expires. Network failures degrade silently rather than failing the analysis.

Fixes

• CSP: added https://api.osv.dev to the page's connect-src directive (without it the browser silently blocked all OSV requests).
• Cyclomatic complexity ternary regex: false positives on ?? null-coalescing and SQL ? placeholders eliminated; brain.ts complexity drops from ~55 to ~21.
• Hardcoded-secret scanner: false positive on args.find(a => a.startsWith('--token=')) style CLI argument parsing fixed.
• Topbar overflow: overflow-x: clip prevents action buttons from extending off-screen at narrow viewports.

---

Install

MCP Server (Claude Code, Cursor, Cline, Windsurf):

npm install -g grasp-mcp-server@3.17.0

Try it instantly (no install): ashfordeOU.github.io/grasp — paste any GitHub or GitLab URL.

Browser extension: Chrome Web Store · Firefox AMO · Safari .zip (sideload — see assets below).

IDE plugins: VS Code (.vsix asset below) · JetBrains Marketplace · Raycast · Zed.

Docker: docker pull ghcr.io/ashfordeou/grasp:v3.17.0

Quick CVE scan of any local repo (new in v3.17.0):

grasp vulns ~/projects/my-repo
# Exits 1 if any critical or high CVE is found — drop into CI as a quality gate.

Try the new vulnerability scanner

In the browser app, paste a repo URL → look for the new VULN tab in the right panel. It scans every dependency manifest in the repo against the OSV.dev free public CVE database and shows severity-classified findings with fix-version suggestions. Or run it from the MCP server:

result = await mcp_call('grasp_vulnerabilities', {'session_id': sid})

Verify provenance

# npm (SLSA Level 2 provenance)
npm install -g @sigstore/verify
sigstore verify npm grasp-mcp-server@3.17.0

# Docker (Cosign keyless)
cosign verify \
  --certificate-identity-regexp="https://github.com/ashfordeOU/grasp/.github/workflows/publish.yml" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/ashfordeou/grasp:v3.17.0

Grasp v3.15.0

Grasp v3.15.0

New Features

• replace all stub integrations with real CLI-backed implementations
• surface v3.15.0 tools and resources in browser app and dashboard
• grasp_generate_agents_md + grasp_generate_skills MCP tools
• setup-manager — codex/opencode support, MCP config + hooks for all editors, generateSkills
• MCP Prompts — detect_impact + generate_map guided workflows
• MCP Resources — 8 dynamic templates (repos, clusters, processes, schema)
• grasp_detect_changes — git diff → affected symbols + processes + risk level
• pipeline.ts — additive enrichment orchestrator (scope, type-propagation, orm)
• orm-tracker + grasp_orm_map — detect Prisma/TypeORM/Sequelize/SQLAlchemy patterns
• grasp_graph_schema + grasp_type_propagation MCP tools
• constructor inference — detect new ClassName() patterns, record in QUERIES
• type-propagator — Kahn topological sort + cross-file type inference
• scope-resolver 3-tier confidence on CALLS edges
• populate Class/Method/Constructor nodes with HAS_METHOD/EXTENDS edges
• ClassDef interface + heritage extraction in analyzer
• schema v2 — Class/Interface/Method/Constructor nodes, confidence edges, versioning

Bug Fixes

• retry zed fork clone with visible error output and backoff
• unindented PR body lines breaking GitHub Actions YAML parser in publish-zed job
• YAML syntax error in publish-zed job (multi-line python3 -c)
• Firefox upload continue-on-error; rewrite Zed publish with correct submodule format
• move AMO secrets to job-level env so Firefox AMO submission if-condition works
• remove named readCypher/writeCypher locals in graph.ts to break false cycle detection
• eliminate remaining high-complexity and circular-dep issues
• setup-manager test + queue pendingGraphIndex from grasp_analyze
• type _bfsProcess insert param as Database.Statement (TS2554)
• rename social image to bust GitHub CDN cache
• modal body shrinks to content instead of filling full viewport height
• drill-down description as plain text, not fake input box
• default right panel width 300→280px (user-preferred size)
• reduce default right panel width 390→300px
• tab bar — label below emoji not above, no dead space on inactive tabs
• tab bar — active tab shows 3-char label below emoji, inactive tabs icon-only, tooltip on hover
• tab bar — emoji-only tabs, no overlap, CSS tooltip on hover

Install

MCP Server (Claude Code, Cursor, Cline, Windsurf):

npm install -g grasp-mcp-server

VS Code: Not yet on the Marketplace — install the .vsix directly: download grasp-vscode-v3.15.0.vsix from the assets below, then in VS Code run Extensions: Install from VSIX… (Cmd+Shift+P / Ctrl+Shift+P)

JetBrains: Marketplace — search "Grasp" in IDE Settings → Plugins

Chrome Extension: Chrome Web Store — or install from the .zip asset below

Firefox Extension: Firefox Add-ons — or install the .xpi asset below

Safari Extension: Install the .zip asset below — unzip, move Grasp.app to Applications, open it once, then enable in Safari Settings → Extensions (macOS 13+; see README for full sideload instructions)

Docker: docker pull ashforde/grasp:v3.15.0

Browser App: ashfordeOU.github.io/grasp

Grasp v3.14.0

Grasp v3.14.0

New Features

• @groupName fan-out routing — grasp_search, grasp_ask, grasp_context fan out to all repos in a named group
• group-manager.ts + grasp_group_add + grasp_group_list — @groupName multi-repo group management
• grasp_tool_map (MCP/gRPC service contracts) + grasp_shape_check (call-site coverage)
• grasp_route_map + grasp_api_impact — HTTP route scanning (Express/FastAPI/Gin) + handler blast radius
• grasp_rename — graph-aware whole-word symbol rename with dry-run diff and apply=true write
• grasp_search MCP tool (BM25+vector+RRF), wire FTS/embed/process indexing into grasp_brain_index
• BrainStore hybrid search — bm25Search (FTS5) + vectorSearch (cosine) + hybridSearch (RRF k=60)
• BrainStore.indexFts + indexEmbeddings + indexProcesses — build process/FTS/vector index at brain index time
• extend brain.db schema — fts_idx (FTS5), embeddings (vector BLOBs), processes tables
• add embed.ts — local 384D Xenova embeddings with cosine + blob serialization

Bug Fixes

• add repository.url to mcp/package.json for npm --provenance validation
• cosign sign target — use GHCR image and correct image name
• add sharp + @xenova/transformers to all esbuild externals (Docker build)
• fanOut Promise.allSettled, result_count slice, skipped_sources diagnostic, type narrowing
• GroupManager.read() validates JSON is an object before returning
• route-scanner keyword handler guard, description accuracy, api_impact min(1)
• computeRename infinite loop, path traversal guard, destructiveHint, remove unused imports
• ask-architecture fallback condition — use text content check instead of lines.length
• bm25Search sanitizer + repo-scoped FTS MATCH + hybridSearch batch file query
• indexProcesses — mark-at-enqueue BFS to prevent queue bloat, atomically delete+insert processes
• blobToVec — use slice() to handle non-zero byteOffset pool-allocated Buffers
• clean up README section header and plans doc wording

Install

MCP Server (Claude Code, Cursor, Cline, Windsurf):

npm install -g grasp-mcp-server

VS Code: Not yet on the Marketplace — install the .vsix directly: download grasp-vscode-v3.14.0.vsix from the assets below, then in VS Code run Extensions: Install from VSIX… (Cmd+Shift+P / Ctrl+Shift+P)

JetBrains: Marketplace — search "Grasp" in IDE Settings → Plugins

Chrome Extension: Chrome Web Store — or install from the .zip asset below

Firefox Extension: Firefox Add-ons — or install the .xpi asset below

Safari Extension: Install the .zip asset below — unzip, move Grasp.app to Applications, open it once, then enable in Safari Settings → Extensions (macOS 13+; see README for full sideload instructions)

Docker: docker pull ashforde/grasp:v3.14.0

Browser App: ashfordeOU.github.io/grasp

Grasp v3.13.3

Grasp v3.13.3

New Features

• advanced graph rendering — entity coloring, typed edges, ego-graph hover, community halos

Bug Fixes

• exclude entry-points/extractors from Strategy suggestion and non-JS/TS files from Observer suggestion
• exclude known large entry-point files (index, parser, analyzer, cli) from Long File anti-pattern
• exclude analyzer from High Complexity check (orchestrator entry point)
• tighten High Complexity filter — raise threshold to 50, exclude extractors/sources paths and cli/parser entry points
• exclude test files from High Complexity Files architecture issue
• restrict VBA God Module to actual VBA files; raise Long File threshold to 1000
• suppress false circular deps from identically-named inner functions
• unterminated regex — missing closing / in Function constructor check
• remove interface method_signatures from TS extractor; skip binary/md files in complexity/security scanners; fix Function() DDL false positive
• move timeAgo to top-level scope — was inaccessible from DiffPanel component
• hide micro-workspaces (<3 files) from sidebar; make min-edge-confidence slider fully hide low-confidence edges
• normalize CLI preload data format for browser rendering
• eliminate all false positives so Grasp self-analysis scores 100/100
• extend entry-point exclusion to server/main/app files in both analysis paths
• eliminate all false-positive issues when Grasp self-analyzes
• eliminate false-positive circular deps, arch violations, and custom rule violations
• eliminate false circular dependency in browser health score
• eliminate 9 false-positive security issues in browser health score

Install

MCP Server (Claude Code, Cursor, Cline, Windsurf):

npm install -g grasp-mcp-server

VS Code: Not yet on the Marketplace — install the .vsix directly: download grasp-vscode-v3.13.3.vsix from the assets below, then in VS Code run Extensions: Install from VSIX… (Cmd+Shift+P / Ctrl+Shift+P)

JetBrains: Marketplace — search "Grasp" in IDE Settings → Plugins

Chrome Extension: Chrome Web Store — or install from the .zip asset below

Firefox Extension: Firefox Add-ons — or install the .xpi asset below

Safari Extension: Install the .zip asset below — unzip, move Grasp.app to Applications, open it once, then enable in Safari Settings → Extensions (macOS 13+; see README for full sideload instructions)

Docker: docker pull ashforde/grasp:v3.13.3

Browser App: ashfordeOU.github.io/grasp

Grasp v3.13.2

Grasp v3.13.2

Bug Fixes

• use --ignore-scripts in Docker builder stage to prevent premature build
• build Docker image from source — removes npm registry dependency
• Firefox MV3 manifest + Docker race condition + JetBrains release ordering; bump to 3.13.2

Install

MCP Server (Claude Code, Cursor, Cline, Windsurf):

npm install -g grasp-mcp-server

VS Code: Not yet on the Marketplace — install the .vsix directly: download grasp-vscode-v3.13.2.vsix from the assets below, then in VS Code run Extensions: Install from VSIX… (Cmd+Shift+P / Ctrl+Shift+P)

JetBrains: Marketplace — search "Grasp" in IDE Settings → Plugins

Chrome Extension: Chrome Web Store — or install from the .zip asset below

Firefox Extension: Firefox Add-ons — or install the .xpi asset below

Safari Extension: Install the .zip asset below — unzip, move Grasp.app to Applications, open it once, then enable in Safari Settings → Extensions (macOS 13+; see README for full sideload instructions)

Docker: docker pull ashforde/grasp:v3.13.2

Browser App: ashfordeOU.github.io/grasp

Grasp v3.13.1

Grasp v3.13.1

New Features

• redesign social card — 1200×630, canvas graph, gradient title, multi-color theme
• show cached repos in rate limit dialog + update social card

Bug Fixes

• switch Firefox AMO to unlisted channel — Elastic-2.0 blocked listed submissions
• exempt entry-point and hub files from coupling detection
• restore Grasp self-score from 75→96/100 A via analyzer false-positive fixes
• correct MCP tool count to 98 in social card
• correct license to Elastic License 2.0 in social card footer

Install

MCP Server (Claude Code, Cursor, Cline, Windsurf):

npm install -g grasp-mcp-server

VS Code: Not yet on the Marketplace — install the .vsix directly: download grasp-vscode-v3.13.1.vsix from the assets below, then in VS Code run Extensions: Install from VSIX… (Cmd+Shift+P / Ctrl+Shift+P)

JetBrains: Marketplace — search "Grasp" in IDE Settings → Plugins

Chrome Extension: Chrome Web Store — or install from the .zip asset below

Firefox Extension: Firefox Add-ons — or install the .xpi asset below

Safari Extension: Install the .zip asset below — unzip, move Grasp.app to Applications, open it once, then enable in Safari Settings → Extensions (macOS 13+; see README for full sideload instructions)

Docker: docker pull ashforde/grasp:v3.13.1

Browser App: ashfordeOU.github.io/grasp