ai-memory v0.9.0

ai-memory v0.9.0 — security-hardening (release notes)

Release procedure (operator-gated)

v0.9.0 inherits the v0.8.0 separation of CI verification from publish. ci.yml runs on every push + PR + tag (lint, check matrix, feature gates, dockerfile-validate, coverage). release.yml runs ONLY on explicit workflow_dispatch and handles the actual multi-channel fanout (binary builds + GitHub Release + crates.io + Homebrew tap + GHCR Docker + Fedora COPR).

To publish a tag:

# 1. Create the signed tag locally
git tag -s v0.9.0 -m "..."

# 2. Push the tag — fires ci.yml verification only
git push origin v0.9.0

# 3. Wait for ci.yml to land GREEN (Check matrix is the release gate)

# 4. Manually trigger publish — operator-gated, intentional
gh workflow run release.yml \
  --repo alphaonedev/ai-memory-mcp \
  -f tag=v0.9.0

Pre-release tags (SemVer - suffix, e.g. v0.9.0-rc.1) auto-skip the downstream stable channels (crates.io, Homebrew, Docker, COPR) so operator dry-runs are safe.

The language SDKs publish on their own dispatch — publish-sdks.yml handles the npm (@alphaone/ai-memory) + PyPI (ai-memory-mcp) fanout, distinct from the release.yml binary/crate channels.

The act of releasing is a deliberate, named action — not a side effect of green tests.

Status: RELEASED — GA 2026-07-08. v0.9.0 (security-hardening) is generally available. The full CI matrix is GREEN on the release commit; the post-feature multi-agent code-review and security-review loops are both closed (see §”Security review + code review” below). Published to every channel — GitHub Release, crates.io, Homebrew, Fedora COPR, GHCR, npm, and PyPI — with binaries for macOS / Linux / Windows / iOS / Android. The v0.9.0 tag is signed and promoted to main. SDK version nuance: the SDK 0.9.0 slots were burned by a withdrawn 2026-07-06 build — PyPI and npm permanently reserve deleted / unpublished version slots — so the SDK packages ship the 0.9.0 line under fresh versions: PyPI ai-memory-mcp 0.9.0.post1 and npm @alphaone/ai-memory 0.9.1, both wrapping the unchanged 0.9.0 core. The crates.io crate, the signed tag, the GitHub Release, the GHCR Docker image, the Homebrew formula, and the COPR package are all 0.9.0.

Headline

v0.9.0 is a security-hardening + code-review release: it turns v0.8.0’s promises into enforcement. Two secure-default flips make agent attestation and mandatory-hook enforcement the on-by-default posture, and a 5-lane adversarial review of the release branch produced 49 fixes across the code-review and security-review lanes — every one triaged legit and fixed in-release per the prime directive.

The release advances the schema v70 → v78 (all additive), separates the governance signing layer into three keys (Recorder / Judge / Stopper), wires macaroon capability tokens and a signed identity-lineage succession chain end-to-end, and adds first-class skill memories, a memory-derivation lineage-DAG, an opt-in vector-search slice, and a pure-by-default recall path with a periodic fold job.

Surface at v0.9.0 (SSOT: src/lib.rs EXPECTED_* consts + src/profile.rs):

Surface v0.9.0
MCP tools (--profile full) 101 advertised (100 callable + the always-on memory_capabilities bootstrap)
MCP tools (--profile core) 7 (original 5 + memory_load_family + memory_smart_load) + the memory_capabilities bootstrap
HTTP routes 92 production .route(...) registrations / 78 unique URL paths
CLI subcommands 87 default build / 89 under --features sal (the gap is Migrate + SchemaInit)
Memory struct 28 fields (adds cid)
Schema v78 (CURRENT_SCHEMA_VERSION, both adapters)

Two secure-default flips (breaking)

v0.9.0 flips two knobs that shipped OFF (or non-functional) at v0.8.0 to their secure on-by-default posture. Both are the deliberate follow-through on a v0.8.0 one-cycle deprecation.

The 5-lane code + security review — 49 fixes (#1885#1935)

The post-feature review of release/v0.9.0 ran two adversarial lanes — a codegraph multi-agent code review (32 findings under umbrella #1884) and a multi-agent security review (17 findings under umbrella #1918) — for a combined 49 fixes, all triaged legit and fixed in-release. Representative closures:

Governance signing-layer separation

The audit / governance signer is split into three physically-separable roles so no single compromised key can both record and adjudicate.

Additive surfaces

Security review + code review

The post-feature work followed the v0.8.0 testing-loop discipline, run as a five-step hardening program on release/v0.9.0:

  1. Codegraph multi-agent code review — surfaced 32 findings (umbrella #1884).
  2. Fixed 100% — every code-review finding closed in-release.
  3. Multi-agent security review — surfaced 17 findings (#1919#1935, umbrella #1918).
  4. Fixed 100% — every security finding closed in-release.
  5. DO crypto 3-green + dogfood 3-green on the hardened binary, then a docs-drift sweep.

Each finding was fixed, retested, and closed in-release per the prime directive (no deferrals). The review/validation loop closed green before the (operator-gated) tag cut.

The detailed per-issue write-ups for #1884–#1935 are tracked in the GitHub issues + the campaign memory rather than this CHANGELOG; they are summarized here for completeness and to record that both review lanes closed green.

Schema ladder v72 → v78

All additive (CLAUDE.md §Database is the SSOT). Both adapters mirror via src/store/postgres.rs::{migrate_v72 … migrate_v78}.

Schema Change
v72 signed memory_revisions append-only spine (#1823, G6)
v73 additive nullable signed_events.cause_hash audit cause-binding (#1822, G5a)
v74 additive BLAKE3 memories.cid / cid_genesis content-id (#1825, G8)
v75 memory_links.source_cid / target_cid lineage-DAG mirror (#1859, G13-mem)
v76 signed agent_lineage succession table (#1828, G13)
v77 recall_observations.folded recall-purity fold-state column (#1869, P0-1)
v78 model_attestations write-once TOFU table (#1870, §25.3 S1)