This release adds 3 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
ReleasePort's take
Light signal: Hivemind v0.7.40 adds a sign-in consent prompt to the install flow, with device-flow, API-key paste, and non-interactive token (`--token` / env var) authentication paths. Install no longer aborts if auth fails, and autoupdate is protected via triple-guard checks.
Why it matters: Interactive installs show a sign-in prompt for shared memory; CI/scripted installs skip via `--token` or `HIVEMIND_TOKEN`. Install succeeds even if auth fails. Safe upgrade; consider for next cycle.
Summary
AI summary: Updates Test plan, Structural changes, and Out of scope across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE | Source | Confidence |
|---|---|---|---|---|---|
| Feature | Medium | Inserts a single 🐝 consent prompt between `hivemind install` and the device-flow browser open. | — | granite4.1:8b-q6_K@2026-05-21 | high |
| Feature | Medium | Adds an API-key paste fallback when the user declines or the device flow fails to complete. | — | granite4.1:8b-q6_K@2026-05-21 | high |
| Feature | Medium | Provides a non-interactive token path (`--token` / `DEEPLAKE_API_TOKEN` / `HIVEMIND_TOKEN`) for CI / scripted installs. | — | granite4.1:8b-q6_K@2026-05-21 | high |
| Feature | Medium | Failed/declined sign-in no longer aborts install; hooks always land, making auth a separable concern. | — | granite4.1:8b-q6_K@2026-05-21 | high |
| Feature | Medium | Introduces `runAuthGate()` dispatcher in `src/cli/index.ts` with three authentication paths based on context. | — | granite4.1:8b-q6_K@2026-05-21 | high |
| Feature | Medium | Adds new banner copy prompting users to sign in for shared memory and auto-learning across agents. | — | granite4.1:8b-q6_K@2026-05-21 | high |
| Feature | Medium | Provides alternative API-key paste method if device flow fails or user declines. | — | granite4.1:8b-q6_K@2026-05-21 | high |
| Feature | Medium | Autoupdate is insulated against the new prompt via triple-guard checks and `--skip-auth` flag. | — | granite4.1:8b-q6_K@2026-05-21 | high |
| Feature | Medium | Introduces `loginWithProvidedToken()` in `src/cli/auth.ts` for token-based authentication. | — | granite4.1:8b-q6_K@2026-05-21 | high |
| Bugfix | Medium | Ensures autoupdate does not trigger when no credentials exist, preserving insulation from consent prompt. | — | granite4.1:8b-q6_K@2026-05-21 | high |
| Refactor | Medium | Extracts `saveCredentialsFromToken()` into `src/commands/auth.ts` for shared credential handling. | — | granite4.1:8b-q6_K@2026-05-21 | high |
| Refactor | Medium | Moves `confirm()` and new `promptLine()` to `src/cli/util.ts` for reuse by multiple commands. | — | granite4.1:8b-q6_K@2026-05-21 | high |
| Refactor | Medium | Adds new `parseToken()` flag parser and updates `runAuthGate()` dispatcher in `src/cli/index.ts`. | — | granite4.1:8b-q6_K@2026-05-21 | high |
| Other | Medium | Includes 16 unit cases in `tests/cli/install-consent.test.ts` covering various TTY and non-TTY scenarios. | — | granite4.1:8b-q6_K@2026-05-21 | low |
| Other | Medium | Ensures full per-file coverage thresholds are met for new utility and auth files (80%). | — | granite4.1:8b-q6_K@2026-05-21 | low |
| Other | Medium | Adds 5 test cases for `confirm()` in `tests/cli/cli-util.test.ts`. | — | granite4.1:8b-q6_K@2026-05-21 | low |
| Other | Medium | Provides 7 test cases for `loginWithProvidedToken()` in `tests/cli/cli-auth.test.ts`. | — | granite4.1:8b-q6_K@2026-05-21 | low |
| Other | Medium | Includes 3 bundle smoke cases in `tests/cli/install-consent-bundle.test.ts` against a mock /me endpoint. | — | granite4.1:8b-q6_K@2026-05-21 | low |
| Other | Medium | Updates regression tests in `tests/cli/update-skip-auth-guard.test.ts` to preserve `--skip-auth` argument. | — | granite4.1:8b-q6_K@2026-05-21 | low |
| Other | Low | Adds 16 unit tests in `tests/cli/install-consent.test.ts` covering TTY accept/decline, paste fallback, device-flow failure, non-TTY cases, `--skip-auth`, and already-logged-in scenarios. | — | granite4.1:30b@2026-05-21-audit | low |
Full changelog
Summary
Inserts a single 🐝 consent prompt between hivemind install and the device-flow browser open. Adds an API-key paste fallback when the user declines or the device flow fails to complete, and a non-interactive token path (--token / DEEPLAKE_API_TOKEN / HIVEMIND_TOKEN) for CI / scripted installs. Failed/declined sign-in no longer aborts install — hooks always land; auth becomes a separable concern.
Addresses the ~85% drop-off between hivemind install and completed sign-in (~30 → ~5).
Flow
Three paths, dispatched by runAuthGate() in src/cli/index.ts:
| Context | Token source | Outcome |
|---|---|---|
| TTY, no token | — | Show 🐝 banner → Yes runs device flow; No (or failed device flow) → API-key paste fallback. Empty paste = continue, skip sign-in. |
| TTY, --token / env token | flag/env | Validate via /me, save creds, skip consent (token = consent) |
| Non-TTY, token present | flag/env | Same as above, no prompt |
| Non-TTY, no token | — | Print "No TTY" + URL + retry command (DEEPLAKE_API_TOKEN=<key> hivemind install), continue install |
| Any context, --skip-auth | — | Bypass everything (unchanged) |
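The dispatch table above, written out as a pure decision function. This is an added example, not Hivemind's own `runAuthGate()` code: the function and type names are hypothetical, and the precedence of flag over `DEEPLAKE_API_TOKEN` over `HIVEMIND_TOKEN` is an assumption the page does not state.

```typescript
// Added illustration; names are hypothetical, not Hivemind's implementation.
type AuthPath =
  | { kind: "skip" }                  // --skip-auth: bypass everything
  | { kind: "token"; token: string }  // validate via /me, save creds, no prompt
  | { kind: "prompt" }                // TTY, no token: show the consent banner
  | { kind: "no-tty-hint" };          // non-TTY, no token: print hint, continue install

type Env = Record<string, string | undefined>;

// Accepts `--token <value>` and `--token=<value>`; blank values count as absent.
function tokenFromArgs(argv: string[]): string | undefined {
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i] ?? "";
    if (arg === "--token") {
      const next = argv[i + 1];
      // Do not swallow a following flag (e.g. --skip-auth) as the token value.
      if (next === undefined || next.startsWith("--")) return undefined;
      return next.trim() || undefined;
    }
    if (arg.startsWith("--token=")) {
      return arg.slice("--token=".length).trim() || undefined;
    }
  }
  return undefined;
}

// Assumed precedence: flag, then DEEPLAKE_API_TOKEN, then HIVEMIND_TOKEN.
function resolveToken(argv: string[], env: Env): string | undefined {
  return (
    tokenFromArgs(argv) ||
    env["DEEPLAKE_API_TOKEN"]?.trim() ||
    env["HIVEMIND_TOKEN"]?.trim() ||
    undefined
  );
}

function decideAuthPath(argv: string[], env: Env, stdinIsTTY: boolean): AuthPath {
  if (argv.includes("--skip-auth")) return { kind: "skip" };
  const token = resolveToken(argv, env);
  if (token) return { kind: "token", token }; // token = consent, in any context
  // Never open a readline prompt when stdin is closed or piped.
  return stdinIsTTY ? { kind: "prompt" } : { kind: "no-tty-hint" };
}
```

Keeping the decision separate from the I/O makes every row of the table testable without a pty, and the `--skip-auth` check comes first so an autoupdate child can never reach the prompt even if a token is also present.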
Banner copy
```text
🐝 One more step to unlock Hivemind
To enable shared memory and auto-learning across your agents,
we need to sign you in. Your traces will be securely stored in
your private Hivemind, so all your agents can recall them.
You can later connect your own cloud storage like S3/GCS/Azure Blob.
Sign in now? [Y/n]
```
If N (or Y but device flow doesn't complete):
```text
Alternatively, sign in at https://app.deeplake.ai/api-keys, create
an API key, and paste it here. Press Enter to skip and continue
installing without sign-in (you can run `hivemind login` later).
API key:
```
Autoupdate insulation (verified, no code change)
Autoupdate is triple-guarded against this new prompt:
- Only fires when `creds?.token` exists (`src/hooks/shared/autoupdate.ts:128-129`)
- Spawns `hivemind install` with `--skip-auth` (`src/cli/update.ts:207`)
- Uses `detached: true, stdio: "ignore"` so child stdin is closed regardless
tests/cli/update-skip-auth-guard.test.ts source-greps + bundle-greps the --skip-auth arg so a future refactor can't silently route autoupdate through consent.
Structural changes
- `saveCredentialsFromToken(token, apiUrl, { skipTokenMint })` extracted in `src/commands/auth.ts` — single credentials-writer shared by device flow and env-var/flag path.
- `confirm()` and new `promptLine()` lifted into `src/cli/util.ts` — reused by `sessions prune` and the new paste fallback.
- New `loginWithProvidedToken()` in `src/cli/auth.ts`.
- New `parseToken()` flag parser + `runAuthGate()` dispatcher in `src/cli/index.ts`.
Telemetry
Intentionally not in this PR. The existing `signup_intent` (deeplake-api PR #222, already merged) + `signup_completed` already measure the install→signup funnel. Granular consent-step events (declined / token-paste / device-flow outcome attribution) will land in a follow-up PR pair: (a) deeplake-api adds a `value` property to `signup_intent` plus a token-paste firing point on /me, (b) hivemind sends an `X-Hivemind-Signin-Method` header on the relevant calls.
Test plan
- [x] 16 unit cases in `tests/cli/install-consent.test.ts` covering TTY accept/decline + paste fallback (empty + valid), accept + device-flow-fail + recovery paste, all non-TTY combinations, `--skip-auth`, already-logged-in
- [x] 5 cases for `confirm()` in `tests/cli/cli-util.test.ts`
- [x] 7 cases for `loginWithProvidedToken()` in `tests/cli/cli-auth.test.ts`
- [x] 3 bundle smoke cases in `tests/cli/install-consent-bundle.test.ts` — drives `bundle/cli.js` with closed stdin against a mock /me, asserts no readline hang
- [x] 2 regression cases in `tests/cli/update-skip-auth-guard.test.ts` — source AND bundle level `--skip-auth` literal preserved
- [x] Existing `tests/cli/cli-index.test.ts` updated for the new contract; restores `process.stdin.isTTY` in teardown (CodeRabbit out-of-diff fix)
- [x] Full per-file coverage thresholds met for `src/cli/util.ts` and `src/cli/auth.ts` (80%)
- [x] Manual: TTY decline (pty), TTY accept (real prod browser sign-in), TTY + invalid token against mock 401, non-TTY + valid token against mock /me + /organizations, `--skip-auth`, already-logged-in — all green against the real built bundle
Out of scope
- Telemetry events for `consent_shown/accepted/declined/token_paste` (follow-up PR pair).
- Re-prompting consent at session-start if user said no.
- A "remind me later" third option.
Confidence: 90%. Untested: real production /me + /organizations with a real beta token end-to-end (verified against mocked endpoints; shape was confirmed against deeplake-api source).
Earlier breaking changes
- v0.7.52 Removes `hivemind tasks` CLI and related code surfaces.
- v0.7.51 Removes `hivemind tasks` CLI and related code surfaces.
- v0.7.19 Module name skilify replaced with skillify; affects all imports
- v0.7.19 CLI command skilify removed; renamed to skillify without deprecation alias
- v0.7.18 CLI subcommand renamed from `skilify` to `skillify`; no deprecation alias.