Skip to content

Attestor 4.0.0 — first stable 4.x

Choose a tag to compare

View all tags
@bolnet bolnet released this 28 Apr 23:57
· 131 commits to main since this release
v4.0.0
c50ece1
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

`pip install attestor` now returns 4.0.0 — promoting the alpha line to stable so the install path matches the documented architecture (Postgres + pgvector + Neo4j + Voyage AI + the four-role gpt-4.1 / claude-sonnet-4-6 model lineup).

Highlights

Security & governance

  • RBAC enforcement at AgentContext layer (#72) — ROLE_PERMISSIONS matrix gates writes / forgets per role
  • Neo4j namespace tenancy (#74) — closes cross-tenant graph-affinity leak

Reliability & safety nets

  • Embedder dimension assertion at startup (#75) — fail-fast on vector(N) ≠ embedder dim instead of silently no-op'ing every write
  • Exhaustive end-to-end pipeline tracing (#76) — ATTESTOR_TRACE=1 surfaces every step of ingest + retrieval as stderr lines + JSONL
  • v4 namespace round-trip fix (#77) — caught by the new tracing within ten minutes of shipping it; was silently dropping 100% of namespace-scoped recall candidates

API parity

  • MemoryClientapi.py parity drift (#73) — recall(namespace=...) now forwards over HTTP; QuotaExceeded → HTTP 429

Distribution

This release auto-publishes to:

  • PyPI: `pip install attestor` (no `--pre` needed any more)
  • Docker registries: GHCR + Docker Hub (`bolnet2025/attestor`) + Quay.io (`bolnet/attestor`)
    • Two image flavors per registry: `:4.0.0` (introspection-only, the artifact Glama / Smithery verify) and `:api-4.0.0` (full HTTP API, what cloud deploys actually pull)

Migration

No breaking API changes vs 4.0.0a5. Three behavior changes worth knowing:

  1. Callers passing `namespace=` to `mem.add()` / `mem.recall()` on v4 backends now actually have their namespace persisted and matched on read (was silently broken in alphas).
  2. `AgentRole` is now enforced — `REVIEWER` / `MONITOR` are read-only at the AgentContext layer. Default `EXECUTOR` is unchanged.
  3. The new embedder-dim assertion is fail-fast. If you see `EmbedderDimMismatchError` on startup, your schema's `vector(N)` doesn't match your embedder's output dim — follow the remediation steps in the error message.

See CHANGELOG.md for the full breakdown.

Assets 2
Loading