docs(windows): ASR callouts on every shim-invoking docs page#350
Open
Huntehhh wants to merge 1 commit into
Open
docs(windows): ASR callouts on every shim-invoking docs page#350Huntehhh wants to merge 1 commit into
Huntehhh wants to merge 1 commit into
Conversation
Adds Microsoft Defender ASR rule 01443614 ("Block executable files
from running unless they meet a prevalence, age, or trusted list
criteria") callouts to every documentation page that recommends a
`truememory-mcp` or `truememory-ingest` invocation.
- docs/cli.md: callout at top (visible alongside both CLI references)
- docs/guides/debugging.md: full "Risky action blocked" section in
Common Issues with the canonical command list + Claude Desktop
tray-quit guidance
- docs/setup-cursor.md, docs/setup-codex.md, docs/setup-gemini.md,
docs/setup-hermes.md, docs/setup-kimi.md, docs/setup-openclaw.md:
per-adapter Troubleshooting bullet pointing at the debugging.md
canonical block
Pattern: every callout names the rule, explains why (per-install
unique hash fails MS cloud-prevalence check), and shows the
`python -m truememory.{mcp_server,ingest.cli}` equivalent. The
adapter-page callouts link back to debugging.md so the full
explanation lives in one place.
No code changes. Branched off origin/main directly — no PR
dependencies.
Co-Authored-By: claude-opus-4-7 <wontreply@getfucked.ai>
This was referenced May 17, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds Microsoft Defender ASR rule
01443614-cd74-433a-b99e-2ecdc07bfc25("Block executable files from running unless they meet a prevalence, age, or trusted list criteria") callouts to every documentation page that recommends atruememory-mcportruememory-ingestinvocation. No code changes.Branched off
origin/maindirectly — no PR dependencies, ships standalone.Why
A growing share of hardened Windows-11 baselines run ASR rule
01443614in Block mode (rather than the default Audit). On those hosts, thetruememory-mcp.exeandtruememory-ingest.execonsole-script shims are silently killed atCreateProcesstime — they're setuptools / uv trampolines with per-install unique hashes, so they fail the MS cloud-prevalence check before any user code runs. Users following any of the existing docs pages had no documented escape hatch.The canonical workaround (already used by
mcp_server._setup_claudewhen it writes the Claude MCP config in #346) is to invoke the equivalent module form through the signed, high-prevalencepython.exewrapper:What changed
docs/cli.mddocs/guides/debugging.mdtruememory-mcp.exe" section under Common Issues — the canonical command list + rationale + tray-quit guidancedocs/setup-cursor.mddebugging.mddocs/setup-codex.mddocs/setup-gemini.mddocs/setup-hermes.mddocs/setup-kimi.mddocs/setup-openclaw.mdCHANGELOG.md[Unreleased] / DocumentationentryPattern: every callout names the rule, explains why (per-install unique hash fails MS cloud-prevalence check), and shows the module-form equivalent. The adapter-page callouts link back to
debugging.mdso the full explanation lives in one canonical place instead of being duplicated 6 times.Test plan
cli.mdrenders correctly with the embedded code blockdebugging.md#windows-risky-action-blocked--defender-asr-kills-truememory-mcpexeanchor from any setup-*.md page — confirm the anchor resolves (GitHub-flavoured markdown auto-generates anchors from headings)Coordination context
Last of agent-C's planned PRs in the multi-agent TrueMemory hardening sweep. Sibling PRs from the same sweep: #346 (ASR installer fix + shim-migration), #348 (
_setup_claudeparse-miss + atomic settings.json), #349 (logging hygiene + Popen file-handle cleanup). agent-A's PRs (#344, #345, #347) and agent-B's planned PR-2a/PR-2b cover orthogonal scopes.Zero code dependencies — this PR can merge in any order relative to the others.
Merge ordering
Order-independent / docs-only. Pure markdown changes under
docs/andCHANGELOG.md. Zero code risk, zero merge conflicts with any other open PR in the sweep.Depends on: none.
Blocks: none.
Recommended sequence position: anywhere in the queue — can land first, last, or middle without affecting any other PR's merge state.