agentic-mcp-tools/memora releases

Notable changes since v0.2.27

Fixes

• MCP schema sanitizer (memora/server.py) — strips Pydantic-generated nullable anyOf combinators from tool input schemas before serving tools/list. Anthropic's tool validator rejected these, which 400'd the entire MCP handshake and made Claude Code disconnect the server. Reviewed end-to-end by an inter-agent bus loop (claude-B audit + codex review). 19 of 41 memora tools were affected; all clean after sanitize.
• Embedding fallback observability (#457) — stops silent fallback to TF-IDF when the OpenAI embedding endpoint fails; warns visibly instead of degrading silently. Also adds explicit warn-on-fallback log path.
• API issue filter tightening — /api/memories issue filter now requires strict metadata.type match instead of fuzzy heuristic.
• Graph spin fixes (5 commits) — vis-network physics now disables after stabilization, force-disables 1.5s after drag, re-enables on dragStart for elasticity, explicitly starts simulation on drag events, and stops endless spinning after memory_update realtime reload.
• Favorites filter (#544) — fetches the full memory set from the server instead of filtering only the loaded page.

Features

• Issues tab in web UI — inline status / category editing for memories of type: issue.

Reverts

• Reverted Block 4 of duplicate-review UI action-buttons wiring (held back pending follow-up work).

What's New

Structured Document Storage

• memory_store_document — Store markdown documents as a root memory + searchable typed fragments (claims, plan items, references, risks, section chunks)
• memory_get_document — Retrieve documents by key with optional fragment type filtering
• memory_delete_document — Cascade delete a document and all its fragments
• Structure-aware parser (document.py) — splits by headings, tables, numbered lists, URL lists, and risk sections instead of blind token chunking
• Fragment integrity guards — protects document fragments from accidental delete, merge, absorb, duplicate detection, and supersession detection
• Graph UI — document fragments hidden from visualization (local + cloud); only the document root node is visible

Auto-categorization Improvements

• Auto-assign metadata.section from detected project at write time
• Normalize generic tags to project-prefixed tags automatically
• Backfill tag detection now catches subsection changes
• Derive subsections from bare tags when no prefixed tags exist
• Broader project detection with tag-based fallback and more content patterns

Bug Fixes

• Fix find_duplicate_candidates type error when crossref entries have mixed ID types
• Fix crossref computation to exclude document fragments from similarity graph
• Skip typed link entries (supersedes, extends, etc.) in duplicate candidate scanning

What's New

memory_detect_supersessions — Retroactive supersession detection

New MCP tool that scans existing memories for pairs where one updates/replaces another, then creates supersedes edges between them. Complements memory_absorb which only catches supersessions at write time.

• Neutral LLM classification with 6-way relation enum (a_supersedes_b, b_supersedes_a, duplicate, related, contradicts, neither)
• Conservative defaults: dry_run=True, min_confidence=0.75
• 30s rate limit cooldown
• No schema changes required

Bug fixes

• Fix three bugs in memory_absorb that broke LLM classification and fact grouping
• Consolidate related new facts into single richer memories via LLM synthesis
• Bump graph cluster thresholds back to 0.4

Other improvements

• Lineage-aware retrieval: follow parameter for supersession chain walking
• Context-efficient retrieval: compact defaults, fields projection, hybrid filter fix
• Add --version flag to memora-server CLI
• Add install script for server, skill, and MCP config guidance

Headline

`memory_create` / `memory_update` drop from 10s+ to ~2s per call on the D1 backend — 5× faster.

Three independent fixes, all landing together:

• Cached `ensure_schema()` per backend instance — previously ran 7–9 D1 round-trips on every MCP tool call (~4–8s wasted each). Now runs once per backend per process. [`memora/schema.py`]
• Single paginated LEFT JOIN for crossref/vector scan — replaces the old `list_memories(...) + _get_embeddings_for_ids(...)` two-step that cost ~10 sequential D1 round-trips on stores with many memories. [`memora/storage.py`]
• Per-instance D1 session token + backend-level keep-max bookmark mirror — the old class-level token could be stomped by cross-thread code (`cloud_sync`'s `threading.Timer`), corrupting read-your-writes. Now safe under concurrency. [`memora/backends.py`]

Also in this release

• Durable Object request reduction — WebSocket keepalive ping removed, broadcasts skipped when no clients connected, disconnect on hidden tab. Direct Cloudflare cost savings.
• Schema cache correctness — `CloudSQLiteBackend.sync_before_use()` can `shutil.move` a fresh DB file over `cache_path`; the cache now invalidates via inode-based signature so long-lived processes don't run against a post-replacement DB with stale schema assumptions.
• Security (merged from main) — XSS attribute injection fix in graph UI (#36), stale draft cancellation (#37).
• Docs — eventual-consistency model of the `related` graph documented in `memory_related` and `memory_rebuild_crossrefs` MCP tool docstrings.

Upgrade notes

• No schema migration required.
• No public API signature changes.
• No configuration changes required.
• New optional env var `MEMORA_VECTOR_SCAN_PAGE_SIZE` (default: 1000) — rarely needs tuning.
• 39/39 tests passing.

Verified performance

Measured against live D1 (steady-state, medium-length memory):

| Operation | Before | After |
|---|---|---|
| `storage.connect()` 1st | — | ~1.9s |
| `storage.connect()` 2nd+ | ~4–8s (schema probe) | ~0ms (cache hit) |
| `add_memory` | 10s+ | ~1.8s |
| `update_memory` | 10s+ | ~1.1s |

Security Hardening Release

Comprehensive security audit and fixes across critical, high, and medium severity findings.

R2 Proxy Lockdown

• images/ prefix restriction on both cloud and local proxies
• Path traversal (..) blocking
• Image extension allowlist + Content-Type validation from R2 metadata

MCP Tool Rate Limiting

• Single-flight + cooldown on 7 expensive operations (rebuild, export, import, insights, duplicates, migrate)
• Prevents resource exhaustion via repeated calls

Prompt Injection Mitigation

• Memory content moved from system prompt to user/context message across all 4 LLM callsites
• Defensive markers on all memory-to-LLM paths

Upload Hardening

• Symlink chain rejection, Pillow content verification
• MIME derived from image content (not filename), no path disclosure in responses
• Extension allowlist aligned with storage backend

Additional Fixes

• Origin validation (urlparse-based) on SSE and chat endpoints
• Chat rate limiting: 30 req/min per IP
• Secure dedup cache: ~/.cache/memora/, SHA-256 filenames, fcntl locking
• SQL hardening: alias-aware ORDER BY whitelist, LIMIT/OFFSET clamping
• Error sanitization: generic messages for infrastructure errors
• Dependencies: Pillow >= 10.4.0, openai >= 1.6.0, zod 3.24.2
• Lock files: requirements.lock, requirements-local.lock, requirements-dev.lock
• Security Model documentation in README

Codebase Health (from v0.2.23)

• Full XSS sweep in graph UI (escapeHtmlAttr, CSS.escape, data-* delegation)
• PATCH metadata shallow merge with null-delete semantics
• FTS/embedding reindex on tag/metadata changes
• Module extraction: embeddings.py, schema.py split from storage.py
• Duplicate detection aligned to 0.85 threshold across all paths
• 39 tests passing

Full Changelog: https://github.com/agentic-box/memora/compare/v0.2.23...v0.2.24

Changes

• Chat embeddings: Compute embeddings on memory create/update via chat UI, ensuring new memories appear in semantic search immediately
• Robust search: Run semantic + keyword search in parallel with isolated error handling; recent memories fallback preserved
• UI improvements: Pencil edit icon, hide complex metadata section by default
• Sync: sync-to-d1.py now syncs memories_embeddings table with transaction wrapping
• Query rewriting: Add RAG query rewriting for better retrieval

What's Changed

• Fix focused node centering — nodes no longer appear shifted left when the detail panel opens
• Memora favicon — tab icon now uses the memora logo
• Wider detail panel — default width increased from 450px to 560px
• Scrubbed private data — removed hardcoded Cloudflare DB IDs from example scripts

What's New

• Favorite star toggle — Click ☆/★ on any memory in the timeline to mark it as a favorite, persisted in metadata
• Favorites filter — Filter timeline to show only favorited memories
• Action history tab — New History tab showing create/update/delete/boost/link/merge actions with grouping
• Disable auto memory — CLAUDE.md now directs all memory operations through Memora MCP tools

Details

• PATCH endpoints for favorite toggle on both local server and D1 Pages
• Action history with D1 support and deleted memory link handling
• Inline cache update so favorites reflect immediately without reload

What's New

Memory Insights Tool

New memory_insights tool that analyzes stored memories and produces actionable insights:

• Activity summary — memories created in a time period, grouped by type and tag
• Open items — open TODOs and issues with stale detection (configurable via MEMORA_STALE_DAYS)
• Consolidation candidates — similar memory pairs that could be merged
• LLM analysis — themes, focus areas, knowledge gaps, and summary (optional, requires OPENAI_API_KEY)

memory_insights(period="7d", include_llm_analysis=True)
memory_insights(period="1m", include_llm_analysis=False)

Other Changes

• Fix D1 SQL variable limit by batching IN clauses
• Add Claude Code skill for Memora memory behavior

What's New

• Auto-hierarchy inference — New memories without explicit hierarchy metadata are automatically assigned a hierarchy path based on similar existing memories (confidence threshold: 0.5)
• README improvements — Reorganized features into grouped categories, added missing nav links (Cloud Graph, Linking, Neovim), reordered sections
• Updated demo GIF — New demo from source video at 3x speed

Louvain Cluster Visualization

• Content-based clustering using Louvain community detection on embedding similarity
• Smooth convex hull boundaries (Catmull-Rom splines) drawn around clusters on the graph canvas
• Nodes seeded into cluster-grouped positions before physics simulation
• Available on both local graph server and cloud D1 frontend

Cloudflare D1 Backend

• Full Cloudflare D1 serverless database backend
• Real-time UI sync for all memory write operations
• Cloud-hosted graph visualization on Cloudflare Pages
• D1 update persistence and optimization fixes

Graph & UI Improvements

• Timeline tab with memory list in right panel
• Time slider for filtering memories by date range
• Stale styling for old closed issues/TODOs
• Hierarchy section highlighting from timeline
• Search box supports ID search
• Mermaid diagram rendering in memory content

Fixes

• Fix LIKE pattern too complex error on D1 hybrid search
• Disable FTS5 for D1 backend (unsupported)
• Fix legend highlighting for closed issues/TODOs
• Fix markdown link rendering in graph panel

Memory automation, Mermaid rendering, LLM deduplication

Features in this release:

• Auto-redact secrets (API keys, tokens, passwords)
• Content validation & type inference
• Tag suggestions based on content patterns
• Duplicate detection (≥85% warning)
• Explicit typed links (memory_link/memory_unlink)
• Edge types: references, implements, supersedes, extends, contradicts
• Cluster detection (memory_clusters)
• Bug fix for NoneType in metadata.get()

What's New

Graph UI Improvements

• Consistent legend styling: todos/issues font reduced to 11px with muted color to match subsections
• Node selection highlighting: clicking a node highlights its section/subsection or status in left pane
• Custom styled hover tooltip with smaller description font and type indicator (e.g., "#123 - Issue")
• Tooltip hides on node click to prevent stale positioning

Full Changelog

https://github.com/agentic-mcp-tools/memora/compare/v0.2.13...v0.2.14