This release includes 1 security fix for security teams reviewing exposed deployments.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Refactor | Medium | `open-goals.ts` now reuses `listOpenGoals`, removing the substring SQL and the JS `includes` guard. (Source: llm_adapter@2026-05-26, confidence: high) | — |
| Other | Low | Updated `notifications-open-goals-source.test.ts` to assert the canonical-forms query shape; all 18 tests pass. (Source: granite4.1:30b@2026-05-26-audit, confidence: low) | — |
Full changelog
Summary
The open-goals SessionStart banner (`src/notifications/sources/open-goals.ts`) filtered goals with `owner LIKE '%${userName}%'`. That substring match has two real failure modes — the same ones CodeRabbit flagged on #203 for the SessionStart context block:
- Substring collision — `'%ali%'` matches `malice@…`, leaking another user's goals into the banner.
- Reverse-alias miss — a full-email `userName` never matches a row whose `owner` is the short form.
The context-renderer already fixed this with `listOpenGoals` (exact full / exact short / `short@%` alias), but the banner was never ported and kept the worse query plus a loose bidirectional `includes()` JS guard.
This PR makes the banner reuse `listOpenGoals` instead of duplicating its own SQL. Net change is a deletion: the substring query and the JS guard both go away.
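As an added illustration (not code from the Hivemind repository), the two predicates described above, evaluated in TypeScript over a few constructed goal rows. It models the old `owner LIKE '%userName%'` + `includes()` pair and the canonical-forms match (exact full / exact short / `short@%`), and renders the WHERE clause shape that the Verified section quotes. `GoalRow`, `SAMPLE_ROWS`, `sqlLike`, `canonicalWhereClause` and the rule that the short form of an e-mail is its local part are assumptions made for this demo, not `listOpenGoals` itself.

```typescript
// Added example (not Hivemind's own code): models the two owner-matching
// predicates described in the PR and evaluates them over constructed rows.
// Assumed: an owner is either a short alias ("ali") or a full e-mail
// ("ali@example.com"); the short form of a full e-mail is its local part.

interface GoalRow {
  goal_id: string;
  owner: string;
  title: string;
}

// Constructed sample rows; ids, owners and titles are made up for the demo.
const SAMPLE_ROWS: GoalRow[] = [
  { goal_id: "g1", owner: "ali", title: "ali short-form goal" },
  { goal_id: "g2", owner: "ali@example.com", title: "ali full-form goal" },
  { goal_id: "g3", owner: "malice@example.com", title: "malice's goal" },
  { goal_id: "g4", owner: "alice", title: "alice's goal" },
];

// SQL LIKE with only '%' wildcards, which is all the two query shapes use.
// Assumed: no '_' wildcards or escape characters in the pattern.
function sqlLike(value: string, pattern: string): boolean {
  const parts = pattern
    .split("%")
    .map(p => p.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$").test(value);
}

// The pre-PR banner predicate: owner LIKE '%userName%' in SQL, then a
// bidirectional includes() guard in JS (as the PR describes it).
function substringMatch(owner: string, userName: string): boolean {
  const sqlHit = sqlLike(owner, `%${userName}%`);
  const jsGuard = owner.includes(userName) || userName.includes(owner);
  return sqlHit && jsGuard;
}

// The canonical forms the PR lists for listOpenGoals: exact full,
// exact short, and short@% alias. Deriving "short" via split("@") is
// an assumption of this demo.
function canonicalForms(userName: string): { full: string; short: string } {
  const short = userName.split("@")[0];
  return { full: userName, short };
}

function canonicalMatch(owner: string, userName: string): boolean {
  const { full, short } = canonicalForms(userName);
  return owner === full || owner === short || sqlLike(owner, `${short}@%`);
}

// Renders the WHERE clause shape quoted in the PR's "Verified" section.
// Single quotes are doubled so a name cannot end the literal early;
// production code should bind parameters instead of interpolating.
function canonicalWhereClause(userName: string): string {
  const q = (s: string) => `'${s.replace(/'/g, "''")}'`;
  const { full, short } = canonicalForms(userName);
  return `WHERE (owner = ${q(full)} OR owner = ${q(short)} OR owner LIKE ${q(short + "@%")})`;
}

// Which goal ids a given userName would see under a given predicate.
function goalsVisibleTo(
  userName: string,
  matcher: (owner: string, userName: string) => boolean,
  rows: GoalRow[] = SAMPLE_ROWS,
): string[] {
  return rows.filter(r => matcher(r.owner, userName)).map(r => r.goal_id);
}

// Demo: the substring collision and the reverse-alias miss from the PR.
console.log("substring 'ali'       ->", goalsVisibleTo("ali", substringMatch)); // g1,g2,g3,g4: malice and alice leak
console.log("canonical 'ali'       ->", goalsVisibleTo("ali", canonicalMatch)); // g1,g2
console.log("substring full e-mail ->", goalsVisibleTo("ali@example.com", substringMatch)); // g2 only: g1 is missed
console.log("canonical full e-mail ->", goalsVisibleTo("ali@example.com", canonicalMatch)); // g1,g2
console.log(canonicalWhereClause("sasun")); // WHERE (owner = 'sasun' OR owner = 'sasun' OR owner LIKE 'sasun@%')
```

For a short-only name such as `sasun`, full and short coincide, which is why the rendered clause repeats `owner = 'sasun'` twice exactly as the live hook output shows.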
Changes
- `open-goals.ts`: drop the `owner LIKE '%…%'` SQL + `includes()` guard; call `listOpenGoals(sql => api.query(sql), goalsTable, userName, { limit: 25 })`.
- Updated `notifications-open-goals-source.test.ts` SQL-shape assertions to the canonical-forms query. 18/18 pass.
Verified
Built the bundle, installed locally, and ran the actual SessionStart hook against the live API. It now issues:
```sql
WHERE (owner = 'sasun' OR owner = 'sasun' OR owner LIKE 'sasun@%')
```
Exact owner match, no substring scan — rendered the banner correctly, exit 0.
⚠️ Note / follow-up (NOT fixed here)
While testing I confirmed the "N goals open" double-count is a separate bug that this PR does not fix. `listOpenGoals` carries a `version = MAX(version)` filter, but `version` is vestigial — always 1 (`deeplake-fs.ts:459-461`), so it never dedups. The duplicate rows come from Deeplake's UPDATE-coalescing quirk (`deeplake-fs.ts:466-468`): a single logical goal can have 2+ rows with the same `(goal_id, version)`. A real fix needs `DISTINCT ON (goal_id)` / `GROUP BY goal_id` in both readers (open-goals and context-renderer). Happy to do that in a follow-up.
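As an added illustration of the follow-up note (not code from the Hivemind repository), this TypeScript sketch shows why a per-goal `version = MAX(version)` filter cannot collapse rows that share `(goal_id, version)`, and what a `DISTINCT ON (goal_id)`-style reader does instead. The row shape, the `updated_at` column used to pick the surviving row, and the sample rows are assumptions constructed for the demo.

```typescript
// Added example (not Hivemind's own code): duplicate (goal_id, version)
// rows survive a MAX(version) filter but not a one-row-per-goal_id read.

interface GoalVersionRow {
  goal_id: string;
  version: number;
  updated_at: string; // ISO timestamp; assumed column used to pick the survivor
}

// Constructed rows: g1 appears twice with the same version, as a
// coalesced UPDATE leaving an extra row would produce.
const DUPLICATED_ROWS: GoalVersionRow[] = [
  { goal_id: "g1", version: 1, updated_at: "2026-05-20T10:00:00Z" },
  { goal_id: "g1", version: 1, updated_at: "2026-05-21T10:00:00Z" },
  { goal_id: "g2", version: 1, updated_at: "2026-05-20T11:00:00Z" },
];

// Mirrors "WHERE version = (SELECT MAX(version) ... for this goal_id)".
// Both g1 rows have version 1 == MAX(version), so both are kept.
function keepMaxVersion(rows: GoalVersionRow[]): GoalVersionRow[] {
  const max = new Map<string, number>();
  for (const r of rows) {
    const cur = max.get(r.goal_id);
    max.set(r.goal_id, cur === undefined ? r.version : Math.max(cur, r.version));
  }
  return rows.filter(r => r.version === max.get(r.goal_id));
}

// Mirrors "SELECT DISTINCT ON (goal_id) ... ORDER BY goal_id, updated_at DESC":
// exactly one row per goal_id, the most recently updated one.
function distinctOnGoal(rows: GoalVersionRow[]): GoalVersionRow[] {
  const best = new Map<string, GoalVersionRow>();
  for (const r of rows) {
    const cur = best.get(r.goal_id);
    if (!cur || r.updated_at > cur.updated_at) best.set(r.goal_id, r);
  }
  return Array.from(best.values());
}

// The "N goals open" count under each reader.
function openGoalCount(
  rows: GoalVersionRow[],
  reader: (rows: GoalVersionRow[]) => GoalVersionRow[],
): number {
  return reader(rows).length;
}

console.log("MAX(version) count  :", openGoalCount(DUPLICATED_ROWS, keepMaxVersion)); // 3 (double-counted)
console.log("DISTINCT ON count   :", openGoalCount(DUPLICATED_ROWS, distinctOnGoal)); // 2
```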
Test plan
- [x] `vitest run tests/claude-code/notifications-open-goals-source.test.ts` (18/18)
- [x] `tsc --noEmit --skipLibCheck`
- [x] Live SessionStart hook emits canonical-forms query, exit 0
Summary by CodeRabbit
- Refactor
- Enhanced open goals notification fetching with more precise canonical owner-form matching instead of substring patterns, improving accuracy and security while maintaining existing deduplication and filtering.
- Tests
- Updated tests to verify canonical owner-form matching and edge-case filtering behavior.
Security Fixes
- Removed insecure `owner LIKE '%…%'` substring match and JS guard from SessionStart banner, eliminating goal leakage between users.