openclaw-v1.0.4-beta.0- 2026-04-03 (beta)

Added

• Interactive login flow: openclaw mem0 login with interactive menu (email verification or direct API key). Non-interactive modes: --api-key, --email, --email --code
• Config file fallback: Reads ~/.mem0/config.json (shared with Python CLI) when no API key in plugin config. Supports both camelCase and snake_case field names
• CLI subcommands: openclaw mem0 login, openclaw mem0 search, openclaw mem0 stats, openclaw mem0 status, openclaw mem0 dream
• memory_delete tool: Unified delete — single ID, search-then-delete, bulk, entity cascade. Replaces memory_forget and memory_delete_all
• Backend layer: backend/base.ts + backend/platform.ts with direct fetch() for platform mode, providerToBackend() adapter for OSS
• Plugin manifest: Added name, description, contracts.tools, baseUrl config field, CLI descriptors for lazy-loading

Changed

• Modular architecture: Extracted tools into tools/ directory (7 files) and CLI into cli/commands.ts — index.ts down from 1724 to ~780 lines
• WRITE_TOOLS updated: Dream gate tracks memory_delete instead of removed memory_forget / memory_delete_all
• Auto-recall timeout (#4634): Recall wrapped in 8-second Promise.race — if OSS/Ollama LLM takes too long, recall is skipped instead of stalling the gateway
• Auto-capture fire-and-forget (#4634): provider.add() now runs in the background via .then()/.catch() — the agent_end hook returns immediately, zero event loop blocking
• Auto-capture minimum content gate: Skips extraction when total user content is <50 chars after filtering — trivial conversations ("ok", "thanks") no longer trigger LLM calls
• CLI search: Removed source: "OPENCLAW" filter and lowered threshold to 0.3 so explicit searches find all memories, not just plugin-tagged ones

Removed

• memory_forget tool — replaced by memory_delete
• memory_delete_all tool — replaced by memory_delete
• memory_status tool — redundant with openclaw mem0 status CLI
• memory_import tool — bulk import, rarely needed by agents
• entity_list, entity_delete tools — niche, platform-only
• event_list, event_status tools — debugging tools, not agent tools
• Duplicate ToolContext interfaces from individual tool files — now imports from canonical tools/index.ts

@mem0/openclaw-mem0 v1.0.3

Patch release — security fix, regression revert, supply-chain hardening

Compatibility: OpenClaw Gateway >=2026.3.24-beta.2 | mem0ai 2.3.0

What's Changed

Security

• fix(openclaw): path traversal in skill-loader — readSkillFile and readDomainOverlay constructed file paths from user-controllable config values (config.domain) via path.join() without verifying the result stayed within the skills directory. A crafted domain value containing ../ could read arbitrary files on the host filesystem. Added safePath() containment helper that resolves and validates all paths before any fs.readFileSync call. The exported loadSkill API is now self-defending against traversal inputs.

• fix(openclaw): pin mem0ai to exact 2.3.0 — Changed "mem0ai": "^2.3.0" to "mem0ai": "2.3.0". The semver caret range accepted any 2.x.y >= 2.3.0, meaning a compromised minor or patch release would auto-install on npm install. Exact pinning eliminates this supply-chain vector.

Bug Fixes

• fix(openclaw): revert broken Post-Compaction regex rename — PR #4678 renamed Post-Compaction to After-Compaction in two noise-filter regex patterns in filtering.ts, claiming this cleared a security scanner false positive. The upstream system emits messages with the literal string "Post-Compaction Audit", so the renamed regex silently stopped matching real noise — leaking compaction audit messages into the memory extraction pipeline. Reverted to the correct Post-Compaction pattern.

• fix(openclaw): revert cosmetic comment change in recall.ts — Restored // Over-fetch for ranking comment (was changed to // Request more candidates for ranking to work around a scanner matching the substring fetch in a code comment).

Tests

• Added 12 new tests in skill-loader.test.ts:
  • 8 unit tests for safePath() covering parent traversal, deep traversal, nested segment traversal, bare .., valid paths, and disguised traversal
  • 4 integration tests for loadSkill() covering traversal rejection, valid skill loading, and malicious domain overlay with valid skill

Upgrade

openclaw plugins install @mem0/[email protected]

No configuration changes required. Fully backward-compatible with v1.0.2.

@mem0/openclaw-mem0 v1.0.2

Patch release that eliminates the OpenClaw security scanner warning by removing redundant process.env access from the plugin bundle.

What's Changed

Fixed

• fix(openclaw): remove process.env access to clear security scanner warning — removed resolveEnvVars() and resolveEnvVarsDeep() from config.ts; OpenClaw already resolves ${VAR} in openclaw.json before passing config to the plugin, so plugin-side env resolution was redundant and was triggering the "credential harvesting" static analysis warning by @chaithanyak42 in #4676

Compatibility

Upgrade

npm install @mem0/[email protected]

@mem0/openclaw-mem0 v1.0.1

Patch release with dream gate reliability fixes, graceful startup for key-less environments, and automated publishing infrastructure.

What's Changed

Fixed

• fix(openclaw): dream gate correctness — cheap-first ordering, session isolation, verified completion by @chaithanyak42 in #4666
• fix(openclaw): graceful startup without API key — plugin now initializes cleanly when no API key is configured by @chaithanyak42 in #4669

Added

• fix(openclaw): plugin configuration — added compat and build metadata to package.json, specifying minimum gateway version (>=2026.3.24-beta.2) and OpenClaw SDK compatibility; added Apache-2.0 LICENSE file by @kartik-mem0 in #4667
• ci: add CD workflow for @mem0/openclaw-mem0 — continuous deployment with OIDC trusted publishing by @whysosaket in #4672

Compatibility

Upgrade

npm install @mem0/[email protected]

mem0-cli v0.2.1

Documentation

• Expanded README with comprehensive command reference — all 13 commands with flags, examples, agent mode, output formats, global flags, and environment variables

Fixes

• Restored purple brand color palette (#8b5cf6 / #a78bfa)
• Synced __init__.py version with pyproject.toml
• Removed hardcoded version assertion tests that broke on every version bump

Other

• Version aligned with Node SDK (both now 0.2.1)

mem0-cli python v0.2.0

New Features

• Event commands — mem0 event list and mem0 event status <id> to track background processing events (#4649)
• --json / --agent flag — global flag that switches all output to a structured JSON envelope for programmatic/agent consumption (#4649)
• Agent output sanitization — raw API responses are projected to only relevant fields per command, removing noise like graph_status and duplicate scope fields (#4649)

Bug Fixes

• Fix status command — now uses lightweight /v1/ping/ endpoint instead of heavyweight entity/memory checks (#4649)
• Fix double error printing — cmd_add was printing errors twice (once explicitly, once via timed_status) (#4636)
• Fix entity delete — switched from v1 to v2 API (DELETE /v2/entities/{type}/{id}/), all entity types now work (#4649)
• Deduplicate PENDING results in mem0 add — shows "1 event pending" instead of misleading "2 memories extracted" (#4649)
• Fix mem0 init in non-TTY — --api-key alone now defaults user_id to $USER; warns before overwriting existing config with --force flag (#4649)
• Fix stdin hang — add, search, update no longer hang waiting for stdin when called with no input (#4649)

Improvements

• Full UUIDs in tables — no longer truncated, so mem0 get <id> works directly from table output (#4636)
• Score column in search — search results now show relevance scores (#4636)
• Short config aliases — config get api_key, user_id, etc. now work (#4636)
• Client-side validation — validates --expires, --page-size, --page, --top-k, --threshold, and empty content before hitting the API (#4636)
• Better API error messages — shows full response detail instead of bare "Bad Request" (#4636)
• Auth error UX — all commands show a helpful mem0 init hint when unauthenticated (#4649)
• mem0 version registered as a proper subcommand (#4636)
• list -o json returns a pagination envelope instead of a bare array (#4636)

@mem0/cli v0.2.1

Documentation

• Expanded README with comprehensive command reference — all 13 commands with flags, examples, agent mode, output formats, global flags, and environment variables

Fixes

• Restored purple brand color palette (#8b5cf6 / #a78bfa)
• Added repository field to package.json for npm provenance verification

CI/CD

• Added CD workflows with OIDC trusted publishing

Other

• Version aligned with Python SDK (both now 0.2.1)

@mem0/cli Changelog

0.1.2

New Features

• Event commands — mem0 event list and mem0 event status <id> to track background processing events (#4649)
• --json / --agent global flag — switches all command output to a structured JSON envelope for programmatic and agent consumption (#4649)
• Email verification login — mem0 init now supports email-based verification code login in addition to API key (#4623)
• Brand refresh — updated color palette from purple to golden (#4664)

Bug Fixes

• Fix critical crash on startup in certain environments (#4636)
• Fix status command — now uses lightweight /v1/ping/ endpoint instead of heavyweight entity/memory checks (#4649)
• Fix double error printing — cmd_add was printing errors twice (once explicitly, once via timed_status) (#4636)
• Fix entity delete — switched from v1 to v2 API (DELETE /v2/entities/{type}/{id}/), all entity types now work (#4649)
• Fix mem0 init in non-TTY — --api-key alone now defaults user_id to $USER; warns before overwriting existing config with --force flag (#4649)
• Fix stdin hang — add, search, update no longer hang waiting for stdin when called with no input (#4649)
• Deduplicate PENDING results — shows "1 event pending" instead of misleading "2 memories extracted" in mem0 add (#4649)
• Auth error UX — all commands show a helpful mem0 init hint when unauthenticated (#4649)

Improvements

• Agent output sanitization — raw API responses are projected to only relevant fields per command, removing noise like graph_status and duplicate scope fields (#4649)
• Full UUIDs in tables — no longer truncated, so mem0 get <id> works directly from table output (#4636)
• Score column in search — search results now show relevance scores (#4636)
• Short config aliases — config get api_key, user_id, etc. now work (#4636)
• Client-side validation — validates --expires, --page-size, --page, --top-k, --threshold, and empty content before hitting the API (#4636)
• Better API error messages — shows full response detail instead of bare "Bad Request" (#4636)
• mem0 version registered as a proper subcommand (#4636)
• list -o json returns a pagination envelope instead of a bare array (#4636)

What's Changed

• fix: make AsyncMemory.from_config a regular classmethod by @Br1an67 in #4183
• fix: reset graph database in Memory.reset() by @Br1an67 in #4185
• fix(ts): extract JSON from chatty LLM responses in fact retrieval by @Krishnachaitanyakc in #4533
• feat(bedrock): add MiniMax provider support for AWS Bedrock by @norrishuang in #4609
• redesign docs introduction page with compact 3x2 grid layout by @prathameshagrawal in #4598
• Link fix by @prathameshagrawal in #4631
• fix(vllm): forward response_format to OpenAI-compatible API by @rakheesingh in #4608
• feat(cli): add email verification code login to mem0 init by @kk2211 in #4623
• fix(deepseek): forward response_format to OpenAI-compatible API by @rakheesingh in #4635
• fix(cli): fix critical crashes, improve error messages, UX and validation in Node.js and Python SDKs by @whysosaket in #4636
• ci(cli): add CI pipelines for Node and Python CLI SDKs by @whysosaket in #4640
• docs: update Twitter references to X (formerly Twitter) by @Genarojrsanchez in #4432
• fix: only list authorized collections when listing MongoDB collections by @NoahStapp in #3888
• fix(configs): migrate CassandraConfig and AzureMySQLConfig to pydantic v2 ConfigDict by @Prithvi1994 in #4646
• fix: pass dimensions parameter to OpenAI embeddings API by @wobushixiaoj in #4632
• fix: replace .single() with .maybeSingle() in SupabaseDB.get() to handle missing rows by @SaharshPatel24 in #4599
• feat(cli): add event commands, --json/--agent flag, agent output sanitization, and edge-case hardening for CLI SDKs by @whysosaket in #4649
• feat(cli): add CD workflow and bump version to 0.2.0b1 by @whysosaket in #4653
• fix(cd): restrict PyPI publish to main SDK tags only by @whysosaket in #4654
• feat(openclaw): skills-based memory architecture with batched extraction by @chaithanyak42 in #4624
• chore: release by @kartik-mem0 in #4657

New Contributors

• @Krishnachaitanyakc made their first contribution in #4533
• @norrishuang made their first contribution in #4609
• @rakheesingh made their first contribution in #4608
• @Genarojrsanchez made their first contribution in #4432
• @Prithvi1994 made their first contribution in #4646
• @wobushixiaoj made their first contribution in #4632
• @SaharshPatel24 made their first contribution in #4599

Full Changelog: v1.0.9...v1.0.10

mem0-cli v0.2.0b1

New Features

• Event commands — mem0 event list and mem0 event status <id> to track background processing events (#4649)
• --json / --agent flag — global flag that switches all output to a structured JSON envelope for programmatic/agent consumption (#4649)
• Agent output sanitization — raw API responses are projected to only relevant fields per command, removing noise like graph_status and duplicate scope fields (#4649)

Bug Fixes

• Fix status command — now uses lightweight /v1/ping/ endpoint instead of heavyweight entity/memory checks (#4649)
• Fix double error printing — cmd_add was printing errors twice (once explicitly, once via timed_status) (#4636)
• Fix entity delete — switched from v1 to v2 API (DELETE /v2/entities/{type}/{id}/), all entity types now work (#4649)
• Deduplicate PENDING results in mem0 add — shows "1 event pending" instead of misleading "2 memories extracted" (#4649)
• Fix mem0 init in non-TTY — --api-key alone now defaults user_id to $USER; warns before overwriting existing config with --force flag (#4649)
• Fix stdin hang — add, search, update no longer hang waiting for stdin when called with no input (#4649)

Improvements

• Full UUIDs in tables — no longer truncated, so mem0 get <id> works directly from table output (#4636)
• Score column in search — search results now show relevance scores (#4636)
• Short config aliases — config get api_key, user_id, etc. now work (#4636)
• Client-side validation — validates --expires, --page-size, --page, --top-k, --threshold, and empty content before hitting the API (#4636)
• Better API error messages — shows full response detail instead of bare "Bad Request" (#4636)
• Auth error UX — all commands show a helpful mem0 init hint when unauthenticated (#4649)
• mem0 version registered as a proper subcommand (#4636)
• list -o json returns a pagination envelope instead of a bare array (#4636)