v0.2.3

Added

• cmk remember --from-file <fact.json> and cmk remember --json (stdin): capture a rich fact as a JSON object read from a file or piped in, so backtick / $() / quote-heavy Why/How content never rides the shell command line. Fixes the silent corruption where bash command-substitution ate backtick spans in --why/--how arguments (D-81). (Task 108a)

• Claude can now do every memory operation through conversation — the MCP tools reach parity with the CLI (Task 108b). The MCP surface (the tools Claude drives on your behalf, so you never type a command) gained:

  • Rich capture — mk_remember now writes a structured Why/How fact file (not just a one-line bullet) when given why/how/title/type, matching cmk remember --why/--how.
  • mk_trust — change a fact's trust level (low/medium/high).
  • mk_lessons_promote — carry a project-tier fact to your cross-project user tier so it applies in every project.
  • mk_forget — tombstone a fact (audit trail preserved). Destructive, so it's two-step: the first call previews exactly what would be removed and returns a confirm token; Claude must call again with that token to delete — nothing vanishes without you seeing it first.

  Plus the review/conflict queues are now MCP-drivable too — mk_queue_list shows what's pending and mk_queue_resolve clears it (promote/discard a review item; keep-old/keep-new a conflict) — so Claude can resolve a queued capture in conversation instead of you running cmk queue.

  And the CLI gained the read verbs the MCP tools already had, so the surfaces match both ways: cmk get <id…> (full fact bodies + provenance), cmk timeline <id> (what was captured around an observation), cmk cite <id> (a canonical citation link), and cmk recent-activity (recent changes in a time window). Both surfaces run the same shared core, so they always return the same thing — and a build-time guard fails CI if a memory op ever exists on only one side.

• cmk install now registers the MCP server, so Claude can use those tools with zero friction (Task 108b). Install writes .mcp.json (the cmk stdio server) and allow-lists mcp__cmk__* in .claude/settings.json, so the moment you open Claude Code it can capture/recall/forget through the tools above without a per-call approval prompt. This sidesteps a real Claude Code permission edge where a cd … && cmk … compound command always re-prompts — running the same op as an allow-listed MCP tool is prompt-free. The memory-write skill now prefers those tools too (falling back to the cmk CLI when the server isn't connected). --no-hooks skips this wiring.

• Steer your memory in plain language — "forget that" and "trust this / that's not important" now work in conversation (Task 117). The memory-write skill recognizes these as triggers and routes them to the safe path: "forget about X" → tombstone it (mk_forget, with a preview-then-confirm step); "trust this" / "that's important" → raise its trust; "that's not important / I'm not sure" → lower it (mk_trust). Trust drives what gets loaded first and what ages out, so you can curate your own memory without ever touching a file or typing a command.

Fixed

• cmk persona generate no longer times out on a real project (Task 111). On a project with substantial memory, generating your cross-project persona failed with claude --print did not return within 50000ms — the classifier was fed your entire project memory as one unbounded prompt, and the timeout was sized for the 60-second session-end hook even though the command you run by hand has no such limit. Now the corpus is byte-capped (whole facts only) so the prompt can't balloon, and the explicit command (and the weekly curate pass) get a generous timeout since nothing is waiting on them. If it ever does time out (a transient API slowdown), the error now says so and tells you to re-run.
• cmk forget (and any removal) now disappears from search automatically — no manual cmk reindex (Task 110). A forgotten fact was tombstoned correctly, but its search-index entry lingered, so it kept showing up in cmk search (and could resurface in context) until you manually ran cmk reindex. A memory you told the assistant to forget reappearing is a trust failure, not cosmetic. Now the index self-heals: the boot reindex (which every read path runs) prunes entries for any source file that no longer exists, and forget reindexes in-band so the fact is gone the instant it returns — whether you forget via the CLI or by telling Claude in conversation (the mk_forget tool). In-place changes like cmk trust and adds like cmk lessons promote already propagated; this closes the deletion gap.
• cmk register-crons now works on Windows and macOS — it had been broken since v0.1 (Task 109). Registering the daily-distill + weekly-curate background jobs failed on Windows (even --dry-run, exit 2) because the kit built the scheduler command as a pre-quoted string and then rejected its own inner quotes — so the cron jobs could never register. It now hands the arguments to schtasks directly as an args array (no shell re-parsing), so the quoted absolute paths survive intact; macOS got the sibling fix (the launchd job no longer bakes literal " into the program path). Linux was already fine. (Skipping cron remains fully supported — the kit falls back to compressing at session start.)
• Stale pre-1.0 messaging cleaned up across the unified MCP + CLI memory surface (Task 121, D-102). After the CLI and MCP cores were merged (108b), a live run surfaced a hardcoded mk_remember in v0.1.0 only writes to tier P error plus other drifted v0.1.0/v0.1.x strings, and the MCP server reported a hardcoded version. Now: requesting a non-project tier (U/L) on a capture returns a clear note that it was saved to the project tier (and how to promote it cross-project) instead of erroring; the MCP server reports its real package version; and the user-facing tier/citation messages are version-agnostic.
• Every memory capture now leaves an audit-log entry (Task 123). Rich fact writes (both your explicit remember and automatic auto-extract) were silently skipping the operational audit trail on the create path — only duplicate-skips were logged. Now each create is recorded in .locks/audit.log with its tier, provenance, and trust, so the audit trail the kit promises is actually complete. Also: orphaned auto-extract temp files are now swept instead of accumulating.

Security

• Vulnerability reporting now goes through GitHub private Security Advisories (Task 123). SECURITY.md routes reports through the repo's Security tab (private, with coordinated disclosure + reporter credit) instead of a direct email.