Releases: Perseus-Computing-LLC/perseus
Release list
v1.0.23 — dynamic vault tool-name resolution
Headline: dynamic MCP tool-name resolution (#779) — this is the minimum CLI version for Perseus Vault ≥ 2.20. Vault 2.x advertises tools under canonical perseus_vault_* names only; older CLIs hard-coded the legacy mimir_recall and, gating on tools/list, silently degraded to empty local-only recall. All vault tool-call sites now resolve names dynamically (perseus_vault_* → mneme_* → mimir_*), so the CLI works against any vault generation. Older CLIs can bridge via PERSEUS_VAULT_TOOL_ALIASES=all on the vault (server-side companion: perseus-vault#633).
Also ships:
- Optional LLM query expansion for memory recall (#580, default off) — multi-query fusion validated on LongMemEval: weak-category retrieval recall@10 0.90 → 0.99.
perseus doctorduplicate-install check (#734) — flags stale copies left behind by Python minor-version upgrades.- Tooltrim Rovo Dev documentation (#741) and a README 3-line quickstart (#733).
Full details in CHANGELOG.md.
v1.0.22
Release infrastructure only (#743): validates the signed SLSA build-provenance pipeline (GitHub Artifact Attestations + PEP 740 PyPI attestations) end-to-end. No functional runtime changes.
v1.0.21 — bridge fixes + perseus knows
Fixed
- Legacy
mneme:/mimir:config no longer shadowed by the defaultperseus_vault:block (#704) — the silent "Vault unreachable → local results only" regression for everyone who followed the recommendedmimir:→mneme:migration. Legacy blocks fold into the canonical key at load (user values win); newperseus doctorcheck errors on a shadowed block. MnemeConnector.recallsends canonical Vault tool args (#699) —max_resultsnever reachedlimit(every bridge recall was pinned to 10) andmin_decay_scorenever applied.- Serve index version badge follows the real package version (#696).
Added
perseus knows(#692, aliasperseus memory review) — plain-language "what does my assistant know about me?" with active-only counts, trust markers, short ids, and curation (--show/--forget/--correct, confirm-before-write)./knowsserve endpoint + index panel (#695) — the same view over HTTP (markdown or?format=json) through the redact + bearer-auth path; index gains active-only Vault stat cards.
Full changelog: CHANGELOG.md
v1.0.20 — @focus global-workspace tier
@Focus — the global-workspace tier
Adds @focus / the perseus_focus MCP tool: a small, capacity-bounded (default 32), salience-ranked working set that Perseus broadcasts into the rendered context — the shared "what I'm working on now" set for an agent and its subagents. The external, orchestration-layer analog of a global workspace.
add/pin/unpin/drop/touch/clear; salience = weight × frequency × recency-decay; lowest-salience non-pinned items evicted on overflow, pinned protected.- Opt-in Vault graph-centrality salience (
focus.centrality.enabled): boost by degree centrality in the Perseus Vault memory graph; off by default, graceful fallback. - Distinct from unbounded recall (
@mimir/@memory).
v1.0.19 — security housekeeping (2026-07-05)
Patch release shipping the 2026-07-05 review housekeeping follow-ups (#684).
- Self-update fails closed — unattended (
update.auto) refuses without a configuredupdate.gpg_fingerprint; a set fingerprint enforces a matching, valid signature.--skip-signature-checkstill bypasses. @perseusfences remote content as untrusted DATA (blocks prompt-injection from a hostile/compromised peer).- Webhook empty-secret fails closed (no silent unsigned delivery).
serverejects a missing Host on loopback binds (DNS-rebinding).- Vault-connector CWD binary search gated behind
PERSEUS_DEV_VAULT_BUILD=1(CWE-427).
See docs/security-review-2026-07-05.md.
v1.0.18 — security review (2026-07-05)
Patch release carrying the 2026-07-05 pre-launch security review fixes.
Code hardening (#681): @tree symlink-escape (out-of-tree filename disclosure) closed; @tool --flag=value allow-list bypass closed; federation fetch/push SSRF-guarded (scheme + private-IP block + no-redirect); bounded LLM response reads.
Deploy/supply-chain posture (#682): Docker image no longer bakes PERSEUS_ALLOW_DANGEROUS=1 and runs non-root; bootstrap.sh installer repointed off the personal fork to the org namespace (+ optional version pin); pyyaml capped <7.
Full ranked review: docs/security-review-2026-07-05.md. Verified sound with no change: the @query/@agent double-gate, path containment, MCP SSE auth, build integrity, PyPI OIDC publishing.
Perseus v1.0.17 — @memory Recent Activity fix + render/brand fixes
Fixed
@memoryRecent Activity no longer renders empty (#670, HIGH) when the background harvest writes session entities to the vault instead of Perseus checkpoints. The narrative render now falls back to a vault recall of recentsession-category memories (render-only, never persisted; no-op when the vault is unavailable/empty; never fires when checkpoint activity exists).perseus render -o /dev/null(or any non-regular output target) no longer crashes withPermissionError(#672) — the atomic writer detects a non-regular target and writes through directly.
Changed
- Remaining old-brand labels on the
@memorysurface route through the Perseus Vault brand (#666): the rendered narrative title (# Mnēmē — …→# Perseus Vault — …, visible in everyAGENTS.md), theperseus memory show/status/query/doctoroutput, and stale/compact notes.
Full detail in CHANGELOG.md.
v1.0.16
Time-to-value onboarding release. Fresh operators now get a working memory config: perseus quickstart emits the canonical perseus_vault: block (command: ["perseus-vault","serve"], no --db) that spawns the actual installed binary — previously it pointed at a nonexistent mimir binary (#665/#667). Doctor labels, first-run output, README and SETUP-GUIDE fully rebranded to Perseus Vault (#666); read-side mimir:/mneme: config back-compat preserved. Also: cold-start perf gate (#660), include-cache + session-redaction fixes (#656/#657), cold-start work (#659/#642). See CHANGELOG [1.0.16].
Perseus v1.0.15 — forensic context accounting, @speculate, @profile, @bandit
Waves 4–5: forensic context accounting, speculative prefetch, per-model memory profiles, adaptive directive selection — plus every finding from the independent adversarial reviews of those features, fixed in the same release. 30 MCP tools.
⚠️ Breaking:@queryshell execution now enforces thePERSEUS_ALLOW_DANGEROUSenv gate in addition torender.allow_query_shell(#616). This was always the documented posture; config-only setups mustexport PERSEUS_ALLOW_DANGEROUS=1to restore@queryexecution.
✨ Enhancements
perseus prompt-size/@budget --forensic(#606) — byte-exact per-directive attribution of the rendered prompt, tokenizer-accurate counts (tiktoken when available),--since <ref>historical diffing, and@budgetthresholds enforced against the measured render. Exposed read-only as theperseus_budgetMCP tool.@speculate(#607) — speculative context prefetch via next-intent prediction. Default off; reuses the reactive prefetch path so trust gates apply identically, and speculation failures can never break the primary render.- Recall-first memory posture +
@profileper-model context profiles (#553, #608) — memory posture defaults toon_demand(byte-stable pointer block instead of always-injected dumps);@profileselects posture/limits by model (read-onlyperseus_profileMCP tool); AGENTS.md renders dedup memory sections with relevance gating. @bandit(#605) — adaptive, outcome-driven directive selection: scores directives by observed outcome feedback and adapts which ones render over time.- Observability metadata block (#511) — opt-in
<!-- perseus:meta ... -->render header (version, context hash, span id) for tracers like Langfuse/LangSmith. (1.0.14, first tagged release to include it) - Quoted + named macro arguments — directive macros accept quoted multi-word args and
key="value"named args, backward compatibly. (1.0.14)
🐛 Fixes
@tier:Nno longer leaks into directive resolver args, modifier parsing, cache keys, or (for unquoted commands) the executed command itself; quote-aware@tier:Nparsing (#631).@bandithardening from independent review: abort-safe context, capped arms ledger with eviction, guarded config parsing, pre-scan/decision coherence with prefetch cost charging (#622–#625).@profilescan is fence-aware and column-0 anchored; multiple@profilelines get visible first-wins banners; memory dedup matches only exact Perseus-generated headers (#627).@budgetdeclarations inside@include'd files surface as a not-enforced warning, cache-independently;static.tokensclamped and flagged (#626).@memory mode=searchno longer silently drops vault hits or misreports why — distinct "vault unreachable" vs "no matches" reporting (#539). (1.0.14)- Wave-3 merge-review follow-ups:
compare_digeston bytes,do_POSThost guard,@servicesno-redirect, env-fingerprint scoping, prefetch cache key, identity file permissions (#609–#614).
Includes the previously untagged 1.0.14 changes — v1.0.13 was the last tagged release. Full details in CHANGELOG.md.
Install: pip install -U perseus-ctx
Perseus v1.0.13 — MCP Registry listing
Publishes Perseus to the Official MCP Registry (registry.modelcontextprotocol.io) and fixes the connector construction side effect. Install: pip install -U perseus-ctx