ai-memory  /  v0.7.0 CHANGELOG synthesis
v0.7.0 attested-cortex · user-facing impact

What v0.7.0 changes for you.

This page is the public-facing CHANGELOG synthesis — organised by user-facing impact, not PR sequence. For the full per-PR release notes (every issue closed, every commit cited), read v0.7.0/release-notes.md. For the architecture-level surface diff, read v070-architecture.html.

release/v0.7.0 @ 1cb95bbe7 SHIP-RECOMMENDED 2026-05-22 schema v33 → v55 capabilities v2 → v3
Headline

The attested-cortex release.

ai-memory v0.7.0 closes two long-standing gaps in one release. The substrate says what it can do — capabilities v3 pre-computes the calibration strings LLMs would otherwise improvise — and signs what it remembers — per-agent Ed25519 keypairs sign every memory link, with an append-only signed_events audit chain. Plus the K1/G1 namespace-inheritance cutline, a programmable 25-event hook pipeline, sidechain transcripts, an opt-in Apache AGE acceleration path, and a vendor-agnostic LLM substrate covering 15 frontier providers.

New primitives

What you can do that you couldn't before.

NEW

Provider-agnostic LLM substrate #1067

Pre-#1067 the LLM client was Ollama-only and gated by feature tier. v0.7.0 ships a 15-vendor substrate (ollama, openai, xai, anthropic, gemini, deepseek, kimi, qwen, mistral, groq, together, cerebras, openrouter, fireworks, lmstudio, plus the generic openai-compatible escape hatch). Tier no longer dictates LLM vendor — every tier can speak to any provider via AI_MEMORY_LLM_BACKEND. Per-vendor env-var fallback (XAI_API_KEY, OPENAI_API_KEY, ...) honored automatically.

NEW

Ed25519 attestation + signed-events V-4 chain

Per-agent Ed25519 keypairs (ai-memory identity generate) sign every memory link write. Inbound verification against observed_by. Append-only signed_events audit table with V-4 cross-row hash chain (prev_hash + sequence) shipped at schema v34, part of the v33 → v55 migration ladder. The audit chain compliance teams have been asking for.

NEW

25-event programmable hook pipeline

Substrate-native hook surface fires on store, update, link, reflect, consolidate, promote, archive, restore, and 17 other lifecycle events. Hooks can be HTTP webhooks (HMAC-signed, mandatory at v0.7.0 post R3-S1.HMAC) or built-in (auto-tag, contradiction detection). DLQ + replay primitives for missed events.

NEW

Sidechain transcripts + memory_replay

Compressed conversation replay: zstd-3 BLOBs preserve full conversation context out-of-band from the memory row. memory_replay reconstructs the original interaction without bloating the recall pipeline. Optional; off by default.

NEW

Apache AGE graph backend (postgres path)

ai-memory serve --store-url postgres://... selects the Postgres SAL adapter with optional Apache AGE for depth-N knowledge-graph queries. pgvector 0.8.2 pin handles the semantic surface. Lan-parity test topology under infra/lan-parity-test/ covers PG16 + AGE 1.6.0 + pgvector 0.8.2 against the same 7,321-test suite the sqlite path runs.

NEW

Recursive-learning primitive (memory_reflect depth gate)

Substrate-native recursive refinement: memory_reflect writes a reflection row with reflection_depth tracked through the new reflects_on link variant. Depth cap (default 3) refuses with REFLECTION_DEPTH_EXCEEDED. The conceptual primer + reproduction script under scripts/reproduce-recursive-learning.sh.

NEW

Persona-as-artifact (memory_persona)

QW-2 persona generator: produces a versioned persona artefact bound to an entity_id, threaded through the typed memory_kind = "Persona" row. Persona handoffs across NHI sessions become first-class rows rather than free-form summaries.

NEW

Context-offload primitive (memory_offload)

QW-3: surfaces under-utilised context as a TTL-swept short-tier row for re-recall later. Reduces in-conversation context pressure for long sessions without losing the offloaded payload.

NEW

Form-4 fact provenance + Form-5 confidence calibration

The Memory struct gains citations + source_uri + source_span (Form-4), and confidence_source + confidence_signals + confidence_decayed_at (Form-5). Auto-confidence calibration and confidence-decay opt-in via env (AI_MEMORY_AUTO_CONFIDENCE=1, AI_MEMORY_CONFIDENCE_DECAY=1).

Security defaults

Secure-by-default at v0.7.0.

SECURITY

Permissions enforce-mode by default

permissions.mode = "enforce" from v0.7.0 onward (was advisory at v0.6.x). Advisory / off requires explicit opt-out. K3/K9 governance gate now blocks writes that fail the L1-6 rule consultation.

SECURITY

Governance fail-CLOSED on rule-consultation errors #1054

Pre-v0.7.0 a transient rule-provider timeout would silently fall through to permissive behaviour. v0.7.0 fails CLOSED — the write blocks until the rule consultation succeeds. Escape hatch: AI_MEMORY_GOVERNANCE_FAIL_OPEN_ON_ERROR=1 (operator-advisory, only set if you accept the risk).

SECURITY

SSRF guard fail-CLOSED on DNS failure #1053

Webhook + federation dispatches whose target URL fails DNS resolution now refuse the dispatch. Pre-v0.7.0 they would proceed and rely on TCP-connect failure as the defence; a sketchy resolver could trick the daemon into bypassing the loopback / private-range guard. Escape hatch: AI_MEMORY_SSRF_GUARD_ALLOW_DNS_FAIL=1.

SECURITY

Strict passphrase-file permissions on sqlcipher #1055

The daemon rejects --db-passphrase-file with bits set in mode & 0o077 (group / world readable). Operators upgrading from v0.6.x must chmod 0400 ./passphrase.txt before first start. Escape hatch: AI_MEMORY_PASSPHRASE_FILE_ALLOW_LAX_PERMS=1.

SECURITY

HMAC-signed webhook dispatch mandatory

Post R3-S1.HMAC: unsigned webhook dispatch is DISABLED. Every outbound webhook carries an HMAC-SHA256 signature bound to the subscription secret. Subscribers without HMAC verification will reject the dispatch.

SECURITY

Federation peer signing + nonce enforcement #791, #922

/sync/push rejects missing / invalid X-Memory-Sig headers (#791) and enforces per-message nonce freshness via X-Memory-Nonce against a per-peer bounded LRU (#922). Signature bound to the nonce so a captured (body, sig) pair cannot be replayed under a fresh nonce without the private key.

Changed

Things that look different.

CHANGED

Capabilities envelope schema_version 2 → 3

The substrate's self-describing capabilities envelope now reports schema_version: "3". v2 still served via Accept-Capabilities: 2 HTTP header / accept: 2 on the memory_capabilities MCP tool — pinned SDKs keep working. v3 is additive over v2 (no fields removed). v0.6.4 SDKs that ignore unknown top-level keys need no changes.

CHANGED

K1/G1 namespace-inheritance cutline

Parent namespace policies now enforce on child writes — enables N-level governance hierarchies. Pre-v0.7.0 G1 inheritance was silently broken in some configurations. Mitigation for callers who want the pre-v0.7.0 behaviour: set inherit = false on child policies.

CHANGED

Sectioned config schema (#1146)

v0.7.x adopts a sectioned [llm] / [embeddings] / [reranker] / [storage] shape with schema_version = 2. Legacy v0.6.x flat fields (llm_model, ollama_url, embed_url, embedding_model, cross_encoder, default_namespace, archive_on_gc, archive_max_days, max_memory_mb, auto_tag_model) continue to parse. Migrate with ai-memory config migrate. Legacy fields removed in v0.8.0.

CHANGED

Per-namespace K8 quota dimension (#1156)

Schema v50 extends agent_quotas PRIMARY KEY from (agent_id) to (agent_id, namespace). Per-namespace K8 quota allotments hold even when a single agent operates across many namespaces. Pre-v50 rows backfill to the _global sentinel namespace.

ADDED

Federation nonce persistence (#1255 / PR #1296)

Schema v51 adds the federation_nonce_cache table so peer-replay-prevention nonces survive daemon restarts. Pre-v51 the per-peer nonce LRU was in-memory only, so every restart re-opened a replay window; v51 collapses that window to zero across restarts.

ADDED

Transcript line-dedup persistence (#1389, closes #1388)

Schema v52 adds the transcript_line_dedup table backing the sha256-keyed idempotency layer for the four-layer capture architecture (L2 recover-on-boot + L3 substrate watcher + L4 memory_capture_turn). A crashed or restarted capture pipeline can no longer double-ingest the same transcript line.

CHANGED

FTS5 update-trigger scoping (#1418)

Schema v53 (R5.F5.2 perf-audit closeout) scopes the memories_au FTS5 sync trigger to AFTER UPDATE OF title, content, tags so hot-path UPDATEs touching only non-FTS columns (embedding, access_count, last_accessed_at, confidence_decayed_at, version) no longer pay 2 spurious FTS5 row ops apiece. A 100k-row embed backfill sheds 200k wasted ops; touch_many for K=10 recalls drops 5–10× wall cost. Pure DDL, idempotent.

CHANGED

Tier-default expiry backfill (#1466)

Schema v54 backfills expires_at = created_at + tier.default_ttl_secs() onto legacy NULL-expiry mid/short rows left immortal by a pre-TTL daemon, closing the TTL-leak immortal-rows class so GC reclaims them on schedule. In-code backfill arm (no new .sql file); idempotent — rows that already carry an expires_at or are long-tier are untouched.

CHANGED

Sargable federation-catchup query + idx_memories_updated_at (#1476)

Schema v55 makes the W=2 peer-catchup query WHERE updated_at > ?1 ORDER BY updated_at ASC LIMIT ?2 (driving every GET /api/v1/sync/since) sargable by splitting the former (?1 IS NULL OR updated_at > ?1) OR-NULL predicate into a None path (no predicate) and a Some path (bare range bound). SQLite adds idx_memories_updated_at ON memories(updated_at) so the planner range-scans the index instead of full-scan + sort; postgres adds NO new index because its bootstrap memories_updated_at_idx (updated_at DESC) already serves the range via Index Scan Backward, so migrate_v55() is a postgres version-stamp no-op. Measured ~3× cost reduction (EXPLAIN GENERIC_PLAN 7177 → 2396 on a 200k-row probe). Idempotent.

CHANGED

Vendor-neutrality lint-gated (#1174 PR10)

Vendor identifiers ("claude", "openai", "xai", ...) are legitimate ONLY in the substrate carve-outs enumerated in scripts/check-vendor-literals.sh::ALLOWED_FILES (9 at v0.7.0 release: llm.rs, config.rs, mine.rs, validate.rs, cli/wrap.rs, llm_cli_wrap.rs, harness.rs, plus the #1389 L2 vendor-routing pair recover/transcript_paths.rs + cli/commands/recover_previous_session.rs). Every other production-code site MUST read from crate::llm::BACKEND_* constants. CI enforces. Self-test in scripts/check-vendor-literals.sh.

Breaking changes

You need to know.

BREAKING

HMAC-only webhook dispatch

Subscribers that don't verify HMAC-SHA256 signatures will reject dispatches. Most existing subscribers will Just Work because they already verified; the rest need to add the verifier per MIGRATION_v0.7.md.

BREAKING

Permissions enforce is the new default

v0.6.x operators with policies they hadn't fully exercised will see writes that were previously advisory-mode-permitted now blocked. Recommended pre-upgrade: run ai-memory governance migrate-to-permissions + dry-run-test the policy under the new default.

BREAKING

SQLCipher passphrase-file permissions strict

If you use --db-passphrase-file with a non-0400 passphrase file, the daemon refuses to start. chmod 0400 ./passphrase.txt before first start.

Upgrade path

How to get to v0.7.0 safely.

  1. Back up the DB. cp ai-memory.db ai-memory.db.bak.
  2. Stop the daemon, install the new binary. Migrations run automatically on first open of the new binary. The migration ladder is dry-run-tested against the operator's own DB by scripts/dogfood-rebuild.sh.
  3. Migrate the config. ai-memory config migrate rewrites ~/.config/ai-memory/config.toml in the new sectioned shape. Idempotent — running against a v2 file is a no-op INFO log.
  4. If you use SQLCipher, chmod 0400 on your passphrase file before starting.
  5. If you have subscribers, verify they handle HMAC-signed dispatches.
  6. Restart the daemon.
  7. Validate post-upgrade: ai-memory stats && ai-memory verify --since 24h.

Full migration recipe with field-by-field schema-shape table: MIGRATION_v0.7.md.

Test evidence

The verdict, in numbers.

The 2026-05-22 release-gate-final campaign returned SHIP-RECOMMENDED on 7,321 PASS / 0 FAIL across 269 test binaries at tip fd172f2cf. 22 release-gate defects (#1120-#1141) filed, fixed, retested + re-checked, and CLOSED in-campaign — no deferrals to v0.8.0. Two QC passes (a92308816df776eb7 + a561ae68f0605cb1e) verified the batch against the C1-C8 orchestrator-safeguard set.

Read the full campaign dossier: 2026-05-22 release-gate-final campaign. The audience-specific summaries:

Next

Where to go from here.