What's new in SourceVault. Everything below runs on infrastructure you control — local models, zero source-code egress.
2026-07-03 — Production hardening: quieter errors, rate limits everywhere, and a current-generation stack
Server errors keep your internals private
Error responses no longer echo raw messages — which could carry absolute file paths or upstream response bodies — and a global handler replaces the HTML stack trace Express would otherwise emit. The specifics still land in the server log, where they belong. Crash guards round it out: an unexpected exception exits cleanly for the service manager to respawn, and a background failure can't take the server down.
Every API surface is rate-limited
The signed machine API and the task relay now sit behind rate limits mounted ahead of signature checks, so even brute-force attempts are throttled. Limits are tunable per install; the defaults are generous for real use.
Hardened install and container
The Docker image runs as a non-root user on a digest-pinned base, and the Linux installer now downloads, shows a checksum, and asks before executing — instead of piping straight from the network into a root shell. The Homebrew path is unchanged: brew upgrade sourcevault keeps working as before, and releases now publish to the tap automatically.
A current-generation stack underneath
The server now runs on Node 24 (Active LTS) and Express 5; the dashboard builds on React 19 and Vite 8 with a zero-warning build. Dependency updates are automated weekly, so security patches don't wait for a release cycle.
2026-06-18 — Indexing at scale, live progress, and a retrieval-accuracy jump
More accurate file finding
A natural-language question that named a method (for example, "how does res.sendFile send a file?") could anchor too hard on the literal name and surface where the method is used instead of where it's defined. Retrieval now folds exact-name matches into the hybrid ranking instead of letting them short-circuit it. On the public Express benchmark, the share of answers citing the exact ground-truth file rose from 60% to 83%.
Large repositories index reliably
Indexing now runs as a background job instead of inside the request, so a large repository no longer times out mid-run. A single unreadable or malformed file is skipped instead of aborting the whole index, and text that a strict vector store would reject is sanitized automatically — the kind of edge that used to stall a big repo at 80-something percent.
Live progress that survives a reload — and a restart
The dashboard shows scanning, indexing percentage, and an estimated time remaining instead of a bare spinner, and each repository keeps its own progress when several index at once. Reopen the page mid-index and the progress reattaches; restart the server and an interrupted index resumes where it left off, finishing only the remaining files.
Faster indexing on large and vendored repositories
Files now embed and upsert through a bounded concurrent pool — roughly twice as fast on a full index — and vendored, generated, and build directories are filtered out by default, with a per-repository .sourcevaultignore for anything else. On a dependency-heavy repository that's about 90% fewer files to index, which means faster runs and more relevant answers.
Optional high-throughput embedding and reranking backends
For larger installs, search and reranking can now route through a dedicated Text Embeddings Inference server, with optional embedding-dimension truncation for a smaller, faster vector index. Off by default — the local-only path is unchanged, and the built-in cross-encoder reranker remains the default, with its isolated benefit being re-measured on larger repositories.