Skip to content

v0.2.4

Latest
Latest

Choose a tag to compare

View all tags
@het0814 het0814 released this 26 Jun 22:32
· 29 commits to main since this release
v0.2.4
d922b7a
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Release Notes for v0.2.4

This release ships an official TypeScript SDK (@moorcheh-ai/memanto) with lifecycle hooks and OpenAPI-generated types, a new memanto edit command for in-place memory updates, v2 memory route response models, and a set of security hardening fixes (cross-agent authorization, upload path-traversal, and secret leakage in the UI config endpoint).

New Features

  • TypeScript SDK (sdks/typescript/)

    • New @moorcheh-ai/memanto npm package: a fully-typed client generated from
      the API's OpenAPI spec (openapi-ts), covering agents, sessions, remember,
      recall, answer, upload, and the new extract/edit endpoints.
    • Lifecycle helpers (src/lifecycle.ts) for session start/stop memory
      flows, plus a doctor command (src/doctor.ts) for config/connectivity
      checks.
    • All recently-added API features exposed as first-class SDK methods.
    • CI workflow .github/workflows/sdk-typescript.yml builds, tests (Vitest),
      and publishes the package; full test suite (memanto.test.ts,
      lifecycle.test.ts, doctor.test.ts).

  • memanto edit command and PATCH endpoint (memanto/app/routes/memory.py,
    memanto/cli/commands/memory.py, memanto/app/models/__init__.py)

    • New PATCH /{agent_id}/memories/{memory_id} endpoint with
      MemoryEditRequest for partial in-place updates.
    • CLI memanto edit <memory_id> with --title, --content, --type,
      --confidence, --tags, --source options (at least one required).
    • Field validation on both the API and direct-client paths: non-empty content
      with length limits, confidence range 0.0–1.0, and valid memory-type
      membership — matching the create-endpoint contract.

  • v2 memory route response models (memanto/app/models/__init__.py,
    memanto/app/routes/memory.py)

    • Added explicit Pydantic response_model schemas to the v2 memory routes,
      giving typed/validated responses and accurate OpenAPI documentation (which
      in turn feeds the TypeScript SDK codegen).

Improvements

  • Local metadata logging (memanto/app/services/session_service.py)
    • Session service now logs memory metadata locally alongside the memory write,
      keeping the local session summary in sync with stored memories.

Security

  • Cross-agent authorization returns 403 (memanto/app/routes/memory.py)

    • All 12 agent-scoped endpoints now return HTTP 403 (not 500) when a
      session's agent_id doesn't match the URL's agent_id, correctly
      signaling an authorization failure instead of a server error.

  • Upload path-traversal fixed (CWE-22) (memanto/app/routes/memory.py)

    • Uploaded filenames are stripped to their basename (Path.name) with a
      defense-in-depth realpath check, preventing a crafted filename
      (e.g. ../../../etc/cron.d/backdoor.txt) from escaping the temp directory.

  • Secrets removed from UI config endpoint (memanto/app/ui/routes/ui_router.py)

    • GET /api/ui/config no longer returns the plaintext Moorcheh API key or
      session JWT; only safe metadata (api_key_configured, api_key_preview)
      remains, closing an unauthenticated secret-disclosure path.

Tests

  • Expanded tests/test_api.py and tests/test_cli.py for the edit endpoint,
    v2 response models, the 403 scope guard, and filename sanitization.
  • New TypeScript test suites under sdks/typescript/test/.

Full Changelog

Full Changelog: v0.2.3...v0.2.4

Assets 2
Loading