roampal-ai/roampal-core

v0.5.3 Breaking

This release includes 1 breaking change for platform teams planning a safe upgrade.

Published 1mo MCP Developer Tools
✓ No known CVEs patched

Topics

agent-memory ai-assistant ai-coding ai-coding-assistant ai-memory ai-tools
chromadb claude-code coding-assistant developer-tools llm long-term-memory mcp mcp-server memory model-context-protocol opencode persistent-memory python semantic-search

Affected surfaces

auth rbac

Summary

AI summary

Scoring is now disabled by default unless explicitly enabled, preventing off‑device data transmission.

Full changelog

Sidecar privacy — explicit configuration

No silent cascade. Previous versions silently tried Zen cloud (opencode.ai), then localhost Ollama:11434, then localhost LM Studio:1234 if no sidecar was configured — sending exchange text off your machine without opt-in. Now: if you haven't configured a sidecar, scoring is disabled. Retrieval from existing memories still works.

To enable scoring, run roampal sidecar setup. The picker shows detected local models as first-class options. You can also pick "free Zen cloud models" explicitly (clearly labeled as rate-limited with data sent to opencode.ai), configure a custom API endpoint, or skip setup entirely.

roampal sidecar disable now says "scoring, summaries, and fact extraction are now disabled" instead of the misleading "Reverted to free community models", and clears ROAMPAL_SIDECAR_PRIORITY so a prior Zen opt-in doesn't survive disable.

Scope-aware sidecar CLI

OpenCode merges project-local opencode.json over user-global config. Previously roampal sidecar only saw the user-global file — project-local stale configs would silently shadow your changes.

  • roampal sidecar status now reports both scopes and flags when a project-local config OVERRIDES user-global in the cwd.
  • roampal sidecar setup --scope {user,project,both} and roampal sidecar disable --scope {user,project,both}.
  • Interactive prompt when a project-local shadow is detected.
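The two sections above combine into one audit question: which scope supplies the effective scoring endpoint, and does that endpoint leave the machine? The following is an added example, not roampal or OpenCode code. The `sidecar.endpoint` key path and all function names are hypothetical, and it assumes only what the notes state, that a project-local value wins over the user-global one.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical key path for the scoring endpoint; the real opencode.json
# layout used by roampal is not shown on this page.
ENDPOINT_PATH = ("sidecar", "endpoint")


def lookup(cfg, path):
    """Walk nested dicts; return None if any step is missing."""
    for key in path:
        if not isinstance(cfg, dict) or key not in cfg:
            return None
        cfg = cfg[key]
    return cfg


def is_off_device(url):
    """True unless the URL's host is localhost or a loopback address."""
    host = urlsplit(url).hostname or ""
    if host == "localhost":
        return False
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # any other DNS name is treated as leaving the machine


def audit_scopes(user_cfg, project_cfg):
    """Report the effective endpoint when project-local overrides user-global."""
    user_ep = lookup(user_cfg, ENDPOINT_PATH)
    proj_ep = lookup(project_cfg, ENDPOINT_PATH)
    effective = proj_ep if proj_ep is not None else user_ep
    source = None
    if effective is not None:
        source = "project" if proj_ep is not None else "user"
    return {
        "scoring_enabled": effective is not None,  # fail closed: no config, no scoring
        "effective_endpoint": effective,
        "source": source,
        "shadowed": proj_ep is not None and proj_ep != user_ep,
        "off_device": effective is not None and is_off_device(effective),
    }
```

A result with both `shadowed` and `off_device` set is the case the release notes warn about: a stale project-local file re-enabling a remote endpoint after the user-global scope was changed or disabled.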

opencode.json safety

roampal init --opencode no longer silently clobbers an existing opencode.json when the file has a JSON syntax error (which previously destroyed every provider, every other MCP, and every other top-level key — issue #6).

  • Parse errors abort with a clear message; no write attempted.
  • Successful writes are atomic (temp + rename) with a timestamped .bak of the pre-write contents.

Retrieval and scoring quality fixes

  • TagCascade $contains filter was silently broken and falling back to cosine-only retrieval. Tag prefiltering now actually works; tag-conditioned recall improves correspondingly.
  • memory_bank multi-key where-clause filters are now $and-wrapped; summary lane no longer logs ChromaDB query errors on every retrieval.
  • Exchange summaries and extracted facts stored via the OpenCode plugin now carry noun_tags. A server-side extraction fallback was wired into both /record-outcome and /api/hooks/stop; previously tags were silently dropped because neither the plugin nor the server extracted them.

Sidecar robustness

  • Sidecar tolerance for small local models: 3B-class checkpoints (qwen2.5:3b etc.) that return bare JSON arrays instead of the schema-wrapped shape no longer crash tag + fact extraction (mirrors Roampal Desktop v0.3.2 Section 0k).
  • Pre-store fact dedup ported from Roampal Desktop v0.3.2. Core's write paths (add_to_memory_bank, record_response) now skip writes that would create a near-duplicate (cosine > 0.95) of a fact already in working / history / patterns / memory_bank. Closes the shared-ChromaDB hole where core writes bypassed desktop's existing dedup.

State-file safety

  • New roampal/utils/atomic_json.py with write_json_atomic(). Crashes or power loss mid-save no longer corrupt machine-managed JSON state files (profiles.json, session completion state).
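The "opencode.json safety" and "State-file safety" sections describe the same write discipline: refuse to write over a file that does not parse, keep a timestamped backup, and replace the file atomically. The following is an added example of that pattern, not the project's `write_json_atomic()` or its init code; `atomic_write_json`, `update_config` and `ConfigParseError` are hypothetical names.

```python
import json
import os
import tempfile
import time
from pathlib import Path


class ConfigParseError(Exception):
    """Raised when the existing file is not valid JSON; nothing is written."""


def atomic_write_json(path, data):
    """Write JSON to a temp file in the same directory, then rename over path."""
    path = Path(path)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=path.name + ".", suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(data, fh, indent=2)
            fh.flush()
            os.fsync(fh.fileno())  # contents reach disk before the rename
        os.replace(tmp, path)  # atomic when tmp and path share a volume
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def update_config(path, mutate):
    """Parse path, apply mutate(dict), back up old bytes, write atomically."""
    path = Path(path)
    backup = None
    config = {}
    if path.exists():
        raw = path.read_bytes()
        try:
            config = json.loads(raw)
        except ValueError as exc:
            # Abort before any write: the broken but recoverable file stays as is.
            raise ConfigParseError(f"{path}: {exc}") from exc
        if not isinstance(config, dict):
            raise ConfigParseError(f"{path}: top-level value is not an object")
        backup = path.with_name(f"{path.name}.{time.strftime('%Y%m%d-%H%M%S')}.bak")
        backup.write_bytes(raw)
    mutate(config)
    atomic_write_json(path, config)
    return backup
```

The temp file is created in the target's own directory because a rename is only atomic within one filesystem; a temp file under the system temp directory could silently degrade to copy-then-delete.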

Defense-in-depth

  • TagService.extract_tags() guards against async llm_extract_fn callers — previously silent empty results; now logs WARNING and returns [] explicitly.

Migration

No config change. No data migration. Memories already stored with empty noun_tags stay that way until re-scored; roampal retag (v0.4.9+) can backfill tags on historical memories if desired. Historical duplicate facts also stay — a future roampal dedup one-shot will clean those.

560 backend unit tests passing.

Full release notes: https://github.com/roampal-ai/roampal-core/blob/main/dev/docs/releases/v0.5.3/RELEASE_NOTES.md (gitignored — see commit dc595f7 for context)

Breaking Changes

  • If no sidecar is configured, scoring (including summaries and fact extraction) is disabled by default.


About roampal-ai/roampal-core

Outcome-based persistent memory for AI coding tools. Memories that help get promoted, memories that mislead get demoted. Works with Claude Code and OpenCode via hooks + MCP.
