doobidoo/mcp-memory-service v10.67.0 on GitHub

Special Thanks

Thank you to @filhocf (RFC #732 Phase 3 NLI implementation) and @laanwj (full v10 HTTP tool surface) for their contributions to this release.

fix(storage): sanitize BM25 log query (CodeQL #440): User-supplied query string was interpolated directly into a logger.debug call in sqlite_vec.py's BM25 search path. Now passes through the existing _sanitize_log_value() helper (strips \n, \r, ESC) to prevent log injection.

feat(reasoning): NLI-based contradiction detection — RFC #732 Phase 3 (PR #1027, @filhocf): Introduces reasoning/nli.py with a 4-stage pipeline — entity gate → embedding similarity pre-filter → heuristic NLI classifier → contradicts graph edge storage. detect_contradictions_nli() is called on every memory_store to check for conflicts with semantically similar memories. Kill-switch via MCP_NLI_ENABLED (default off); confidence threshold via MCP_NLI_CONFIDENCE_THRESHOLD (default 0.4). memory_resolve extended to accept a list of hashes for batch conflict resolution. transformers backend deferred to follow-up (tracked in issue #1033).
fix(mcp): expose full v10 tool surface over HTTP (PR #1017, @laanwj): /mcp tools/list previously advertised only 7 pre-v10 names (forked from stdio around v4, never resynced through the v10 consolidation). Now matches stdio's full v10 surface: memory_graph, memory_quality, memory_harvest, memory_conflicts, memory_resolve, memory_consolidate, memory_ingest, memory_update, memory_stats, memory_store_session, mistake_note_add, mistake_note_search are now reachable over HTTP. Pre-v10 names remain callable via the deprecation compat layer but are no longer advertised. serverInfo.version now reports the running package version instead of the stale 4.1.1 literal. Write-scope enforcement derived dynamically from readOnlyHint annotations.

See CHANGELOG.md for the complete entry.