Skip to content

Mneme

v0.0.3 Breaking

This release includes 1 breaking change for platform teams planning a safe upgrade.

Published 15d LLM Frameworks
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

ai ai-memory bun encryption local-first mcp
+5 more
memory open-protocol privacy sdk typescript

Affected surfaces

crypto_tls breaking_upgrade

Summary

AI summary

Updates Highlights, Known gaps, and deferred across a mixed release.

Full changelog

Highlights

  • @mneme/sdk v0.0.3 ships AES-256-GCM encryption at rest. await Mneme.open({ passphrase: '...' }) derives a master key via Argon2id, persists a salt and verifier, and seals every plaintext body with a per-record data key wrapped under the master key. AAD binds the record id so ciphertexts can't be swapped between records.
  • Sync new Mneme() stays plaintext-only and now throws if you pass a passphrase — encryption requires the explicit Mneme.open() factory.
  • Embeddings still work under encryption (computed pre-encryption, stored separately) so @mneme/embedder-local + a passphrase gives semantic recall over encrypted memory in one call.
  • ADR 0005 captures cipher choice, KDF parameters, on-disk format, and the explicit deferral of recovery phrase / signed writes / multi-device wrapping to v0.0.4+.

What's in the repo today

  • packages/protocol — open spec types (v0.1 draft)
  • packages/sdk — encrypted-at-rest local SQLite reference SDK
  • packages/embedder-local — on-device embeddings
  • tests/conformance — cross-implementation v0.1 conformance suite
  • docs/protocol/v0.1.md — public wire spec (now fully exercised by code)
  • decisions/ — 5 ADRs

Known gaps (deferred)

  • No recovery phrase yet. A lost passphrase = lost data. BIP-39 recovery + Ed25519 signed writes land together in v0.0.4.
  • Lexical recall under encryption silently returns [] (FTS5 cannot index ciphertext). v0.0.4 will surface a clearer error; for now use the embedder for recall over encrypted memory.
  • CRDT sync engine, MCP server, hosted Mneme Cloud API still ahead.

Try it

git clone https://github.com/ppserapiao/mneme
cd mneme
bun install
bun test    # 60 pass, 2 skip

import { Mneme } from '@mneme/sdk'
import { LocalEmbedder } from '@mneme/embedder-local'

const mneme = await Mneme.open({
  passphrase: 'correct horse battery staple',
  embedder: new LocalEmbedder(),
})

await mneme.remember({ kind: 'fact', body: 'london resident' })
const matches = await mneme.recall('where they live')

Breaking Changes

  • `new Mneme()` now throws if a passphrase is provided; encrypted stores must use `await Mneme.open({ passphrase: ... })`.
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Mneme

Get notified when new releases ship.

Sign up free

About Mneme

All releases →

Related context

Beta — feedback welcome: [email protected]