
roampal-ai/roampal-core

v0.4.9 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 1mo MCP Developer Tools
✓ No known CVEs patched
This release patches 1 known CVE

Topics

agent-memory ai-assistant ai-coding ai-coding-assistant ai-memory ai-tools
chromadb claude-code coding-assistant developer-tools llm long-term-memory mcp mcp-server memory model-context-protocol opencode persistent-memory python semantic-search

Affected surfaces

crypto_tls auth

Summary

AI summary

Removed regex tag extraction; LLM-only tags now used with no fallback.

Full changelog

Summary

Fixes critical sidecar robustness issues and achieves full benchmark alignment for tag extraction.

Key Changes

  • Wire TagService to sidecar LLM — v0.4.8 had extract_tags() in code but never called it. Tags were silently falling back to regex. Now properly wired for OpenCode sidecar scoring.
  • Remove regex tag extraction — LLM-only tags matching benchmark behavior. If LLM fails, returns [] (no fallback). Use roampal retag to clean up existing memories.
  • Robust backend selection — Health tracking, circuit breakers, priority-based fallbacks for sidecar scoring models.
  • Unified onboarding — One-step model picker for roampal init and roampal sidecar setup. Auto-detects Ollama/LM Studio models, shows RAM requirements.
  • Better failure handling — Once-per-session hints instead of repetitive popups when sidecar unavailable.
  • roampal retag command — Re-extract tags on existing memories using your sidecar LLM. Supports --dry-run, --limit, --collection.
  • Security hardening — SSL/TLS verification on external calls, input validation on /api/retag, URL validation for custom sidecar endpoints.

Stats

  • 489 tests passing
  • 6 files changed, +3447/-1223 lines

Breaking Changes

  • Removed regex-based tag extraction; `extract_tags()` now LLM‑only with no fallback (returns [] if LLM fails).
  • Wired TagService to sidecar LLM for OpenCode scoring, replacing previous silent fallback.
  • Sidecar backend selection robustness changes: health tracking, circuit breakers, priority‑based fallbacks.

Security Fixes

  • Enabled SSL/TLS verification on external calls and added input validation for `/api/retag` plus URL validation for custom sidecar endpoints.
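The checks named in this fix could look like the following. This is an added example, not roampal-core's own code. The function names, the JSON field names (mirroring the `--dry-run`, `--limit`, `--collection` flags), the limit cap, the collection naming rule and the "plain http only on loopback" policy are all assumptions.

```python
import ipaddress, re, ssl
from urllib.parse import urlsplit

MAX_LIMIT = 1000                                    # assumed cap, not from the release
COLLECTION_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")  # assumed naming rule

def _is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def validate_sidecar_url(url):
    """Accept https anywhere, plain http only on loopback; return the cleaned URL."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    if not parts.hostname:
        raise ValueError("missing host")
    if parts.username or parts.password:
        raise ValueError("credentials must not be embedded in the URL")
    parts.port  # property access raises ValueError on a non-numeric or out-of-range port
    if parts.scheme == "http" and not _is_loopback(parts.hostname):
        raise ValueError("plain http is only allowed for loopback sidecars")
    return parts._replace(fragment="").geturl()

def tls_context_for(url):
    """Verifying TLS context for https endpoints, None for loopback http."""
    if urlsplit(validate_sidecar_url(url)).scheme == "http":
        return None
    return ssl.create_default_context()  # CERT_REQUIRED plus hostname checking

def validate_retag_request(body):
    """Check a JSON body for /api/retag; field names mirror the CLI flags (assumed)."""
    if not isinstance(body, dict) or set(body) - {"dry_run", "limit", "collection"}:
        raise ValueError("unexpected request shape")
    dry_run = body.get("dry_run", False)
    limit = body.get("limit")
    collection = body.get("collection")
    if not isinstance(dry_run, bool):
        raise ValueError("dry_run must be a boolean")
    if limit is not None and (type(limit) is not int or not 1 <= limit <= MAX_LIMIT):
        raise ValueError("limit out of range")
    if collection is not None and not (
        isinstance(collection, str) and COLLECTION_RE.fullmatch(collection)
    ):
        raise ValueError("invalid collection name")
    return {"dry_run": dry_run, "limit": limit, "collection": collection}
```

Passing the returned context to the HTTP client keeps certificate and hostname verification on for every non-loopback sidecar call.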

About roampal-ai/roampal-core

Outcome-based persistent memory for AI coding tools. Memories that help get promoted, memories that mislead get demoted. Works with Claude Code and OpenCode via hooks + MCP.
