superlocalmemory 3.4.22 → 3.4.23

package/CHANGELOG.md

@@ -10,6 +10,35 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [3.4.23] - 2026-04-21
+
+Critical hotfix on top of 3.4.22 for two end-user-facing regressions.
+
+### Fixed
+- **Daemon error log no longer balloons.** A ternary passed as the
+  `logger.info` format string caused a `TypeError` on every startup in 24/7
+  mode. Python's logging module then dumped the full FastAPI
+  `merged_lifespan` stack to stderr; over a day the LaunchAgent log grew to
+  tens of MB. The call is now pre-formatted. A defensive log-rotation pass
+  at startup truncates any daemon log over 10 MB so users upgrading from
+  3.4.22 get a clean slate on first boot.
+- **Dashboard no longer hangs after a daemon upgrade.** Static JS/CSS/HTML
+  was served without cache headers, so browsers served stale modules after
+  `slm restart` and the dashboard showed an infinite spinner. All static
+  responses now ship `Cache-Control: no-cache, must-revalidate`, and
+  `index.html` embeds the server version; on mismatch the tab clears
+  `localStorage` (preserving theme) and hard-reloads once.
+- **Fetches can no longer hang forever.** A global `fetch` patch attaches a
+  15-second `AbortController` timeout to every relative-URL request, so a
+  dead socket surfaces as a rejection instead of leaving a spinner
+  spinning. No callsite changes required.
+
+### Added
+- `GET /api/version` — returns the running daemon version; consumed by the
+  dashboard version-fingerprint auto-reload.
+
+---
+
 ## [3.4.22] - 2026-04-18
 
 Hardening release — correctness, stability, and security fixes.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "superlocalmemory",
-  "version": "3.4.22",
+  "version": "3.4.23",
   "description": "Information-geometric agent memory with mathematical guarantees. 4-channel retrieval, Fisher-Rao similarity, zero-LLM mode, EU AI Act compliant. Works with Claude, Cursor, Windsurf, and 17+ AI tools.",
   "keywords": [
     "ai-memory",

package/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "superlocalmemory"
-version = "3.4.22"
+version = "3.4.23"
 description = "Information-geometric agent memory with mathematical guarantees"
 readme = "README.md"
 license = {text = "AGPL-3.0-or-later"}

package/skills/slm-build-graph/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: slm-build-graph
 description: Build or rebuild the knowledge graph from existing memories using TF-IDF entity extraction and Leiden clustering. Use when search results seem poor, after bulk imports, or to optimize performance. Automatically discovers relationships between memories and creates topic clusters.
-version: "3.4.22"
+version: "3.4.23"
 license: AGPL-3.0-or-later
 compatibility: "Requires SuperLocalMemory V2 installed at ~/.claude-memory/, optional dependencies: python-igraph, leidenalg"
 attribution:

package/skills/slm-list-recent/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: slm-list-recent
 description: List most recent memories in chronological order. Use when the user wants to see what was recently saved, review recent conversations, check what they worked on today, or browse memory history. Shows memories sorted by creation time (newest first).
-version: "3.4.22"
+version: "3.4.23"
 license: AGPL-3.0-or-later
 compatibility: "Requires SuperLocalMemory V2 installed at ~/.claude-memory/"
 attribution:

package/skills/slm-recall/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: slm-recall
 description: Search SuperLocalMemory for relevant facts, decisions, and past context. Use when the user asks to recall, search, find, or retrieve stored information. Invokes 5-channel retrieval with LightGBM reranking via MCP.
-version: "3.4.22"
+version: "3.4.23"
 license: AGPL-3.0-or-later
 compatibility: "SuperLocalMemory v3.4.22 — MCP (preferred) or CLI fallback"
 attribution:

package/skills/slm-remember/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: slm-remember
 description: Save content to SuperLocalMemory with intelligent indexing and knowledge graph integration. Use when the user wants to remember information, save context, store coding decisions, or persist knowledge for future sessions. Automatically indexes, graphs, and learns patterns.
-version: "3.4.22"
+version: "3.4.23"
 license: AGPL-3.0-or-later
 compatibility: "Requires SuperLocalMemory V2 installed at ~/.claude-memory/"
 attribution:

package/skills/slm-status/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: slm-status
 description: Check SuperLocalMemory system status, health, and statistics. Use when the user wants to know memory count, graph stats, patterns learned, database health, or system diagnostics. Shows comprehensive system health dashboard.
-version: "3.4.22"
+version: "3.4.23"
 license: AGPL-3.0-or-later
 compatibility: "Requires SuperLocalMemory V2 installed at ~/.claude-memory/"
 attribution:

package/skills/slm-switch-profile/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: slm-switch-profile
 description: Switch between memory profiles for context isolation and management. Use when the user wants to change profile context, separate work/personal memories, or manage multiple independent memory spaces. Each profile has its own database, graph, and patterns.
-version: "3.4.22"
+version: "3.4.23"
 license: AGPL-3.0-or-later
 compatibility: "Requires SuperLocalMemory V2 installed at ~/.claude-memory/"
 attribution:

package/src/superlocalmemory/__init__.py

@@ -0,0 +1,3 @@
+"""SuperLocalMemory — information-geometric agent memory."""
+
+__version__ = "3.4.23"

package/src/superlocalmemory/core/context_cache.py

@@ -47,7 +47,7 @@ TTL_SECONDS: int = 120
 CLEANUP_HORIZON_SECONDS: int = 600
 MAX_BYTES: int = 50 * 1024 * 1024
 MAX_CONTENT_CHARS: int = 4000
-SCHEMA_VERSION: str = "3.4.22"
+SCHEMA_VERSION: str = "3.4.23"
 
 _HMAC_MATERIAL: bytes = b"active_brain_cache"
 _HMAC_HEX_LEN: int = 32

package/src/superlocalmemory/hooks/context_payload.py

@@ -22,7 +22,7 @@ from typing import Callable, Iterable
 from superlocalmemory.core.security_primitives import redact_secrets
 
 
-VERSION = "3.4.22"
+VERSION = "3.4.23"
 DEFAULT_TOP_K = 10
 DEFAULT_DECISIONS_K = 5
 DEFAULT_MEMORIES_K = 10

package/src/superlocalmemory/learning/database.py

@@ -395,7 +395,7 @@ class LearningDatabase:
         feature_names: list[str],
         trained_on_count: int,
         metrics: dict,
-        model_version: str = "3.4.22",
+        model_version: str = "3.4.23",
     ) -> int:
         """Persist a newly trained model and flip the active flag.
 

package/src/superlocalmemory/server/routes/brain.py

@@ -64,7 +64,7 @@ router = APIRouter(prefix="/api/v3", tags=["brain"])
 # LLD-03 v2 stratum space = 4 query types × 3 entity bins × 4 time buckets.
 _STRATA_TOTAL: int = 48
 
-_VERSION: str = "3.4.22"
+_VERSION: str = "3.4.23"
 
 # Banned metric names (LLD-04 U4). Kept as a tuple for grep visibility;
 # the source-level test asserts we don't accidentally reintroduce them.

package/src/superlocalmemory/server/security_middleware.py

@@ -56,9 +56,27 @@ class SecurityHeadersMiddleware(BaseHTTPMiddleware):
         # Control referrer information leakage
         response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
 
-        # Prevent caching of sensitive data (for API endpoints)
-        if request.url.path.startswith("/api/"):
+        # v3.4.23: Cache-Control strategy
+        # ---------------------------------------------------------------
+        # Three classes of paths, three policies:
+        #
+        #   /api/*        -> no-store (sensitive data, never cache)
+        #   index.html    -> no-cache, must-revalidate (always revalidate)
+        #   /static/*     -> no-cache, must-revalidate (always revalidate
+        #                    with ETag; fast reloads but never stale-after-
+        #                    upgrade)
+        #
+        # Before v3.4.23 only /api/* had cache headers. Browsers then cached
+        # JS/CSS/HTML aggressively via default heuristics, and after a daemon
+        # upgrade the dashboard showed an infinite spinner because old cached
+        # JS was calling endpoints with stale response shapes. "no-cache"
+        # (not "no-store") still allows 304s on unchanged files, so reload
+        # cost stays low.
+        path = request.url.path
+        if path.startswith("/api/"):
             response.headers["Cache-Control"] = "no-store, no-cache, must-revalidate"
             response.headers["Pragma"] = "no-cache"
+        elif path == "/" or path.endswith(".html") or path.startswith("/static/"):
+            response.headers["Cache-Control"] = "no-cache, must-revalidate"
 
         return response

package/src/superlocalmemory/server/unified_daemon.py

@@ -495,9 +495,20 @@ async def lifespan(application: FastAPI):
     global _start_time
     _start_time = time.monotonic()
     _last_activity = time.monotonic()
-    logger.info("Unified daemon ready on port %d (24/7 mode)" if idle_timeout <= 0
-                else "Unified daemon ready on port %d (idle timeout: %ds)",
-                _DEFAULT_PORT, idle_timeout)
+    # v3.4.23: pre-format the ready message. Previous code passed a ternary as
+    # the log format string with a fixed 2-arg tuple; when idle_timeout<=0 the
+    # chosen branch had only one %d, triggering a TypeError on every startup.
+    # Python's logging module then wrote the full stack to stderr. Because the
+    # call runs inside FastAPI's stacked merged_lifespan, each dump was ~30 KB
+    # and the error log grew to tens of MB within a day.
+    if idle_timeout <= 0:
+        _ready_msg = f"Unified daemon ready on port {_DEFAULT_PORT} (24/7 mode)"
+    else:
+        _ready_msg = (
+            f"Unified daemon ready on port {_DEFAULT_PORT} "
+            f"(idle timeout: {idle_timeout}s)"
+        )
+    logger.info(_ready_msg)
 
     yield
 
@@ -850,7 +861,18 @@ def _register_dashboard_routes(application: FastAPI) -> None:
     _data_io_mod.ws_manager = ws_manager
 
     # Root page
-    from fastapi.responses import HTMLResponse
+    from fastapi.responses import HTMLResponse, JSONResponse
+
+    # v3.4.23: /api/version — dashboard polls this to detect daemon upgrades
+    # and auto-reload stale tabs (see ui/js/core.js::checkVersionFingerprint).
+    try:
+        from superlocalmemory import __version__ as _SLM_VERSION
+    except Exception:  # pragma: no cover — defensive
+        _SLM_VERSION = "unknown"
+
+    @application.get("/api/version")
+    async def api_version():
+        return JSONResponse({"version": _SLM_VERSION})
 
     @application.get("/", response_class=HTMLResponse)
     async def root():
@@ -863,7 +885,11 @@ def _register_dashboard_routes(application: FastAPI) -> None:
                 "<p><a href='/docs'>API Documentation</a></p>"
                 "</body></html>"
             )
-        return index_path.read_text()
+        # v3.4.23: substitute version placeholder so the dashboard can detect
+        # upgrades and auto-reload. Read fresh each request (daemon uptime is
+        # days, but we want zero caching surprises during development).
+        html = index_path.read_text()
+        return html.replace("__SLM_VERSION__", _SLM_VERSION)
 
     # Startup event for event listener
     @application.on_event("startup")
@@ -1066,6 +1092,13 @@ def start_server(port: int = _DEFAULT_PORT) -> None:
     global _start_time
     import uvicorn
 
+    # v3.4.23: rotate oversized logs before anything else so both the CLI
+    # path (`slm serve`) and the LaunchAgent path (__main__) are covered.
+    try:
+        rotate_oversized_logs()
+    except Exception:
+        pass  # never block startup on log housekeeping
+
     _PID_FILE.parent.mkdir(parents=True, exist_ok=True)
     _PID_FILE.write_text(str(os.getpid()))
     _PORT_FILE.write_text(str(port))
@@ -1094,11 +1127,80 @@ def start_server(port: int = _DEFAULT_PORT) -> None:
         _PORT_FILE.unlink(missing_ok=True)
 
 
+# ---------------------------------------------------------------------------
+# v3.4.23 — Startup log rotation
+# ---------------------------------------------------------------------------
+# The LaunchAgent plist redirects stdout/stderr to daemon.log and
+# daemon-error.log. Those files are managed by launchd, not Python, so
+# Python's RotatingFileHandler cannot prune them. If any bug ever writes
+# large amounts of data to stderr (the v3.4.22 logger-format bug produced
+# ~30 KB per startup and the file grew to 69 MB), end users end up with a
+# disk-eating log they never knew existed.
+#
+# rotate_oversized_logs() is a belt-and-suspenders guard: every time the
+# daemon starts, if either log exceeds MAX_LOG_BYTES we rename the current
+# file to ".1" (keeping one rotated copy) and truncate the original so
+# launchd's open file descriptor keeps working. This is cheap, stateless,
+# and independent of whatever caused the overflow.
+# ---------------------------------------------------------------------------
+
+_MAX_LOG_BYTES = 10 * 1024 * 1024  # 10 MB
+
+
+def rotate_oversized_logs(log_dir: Optional[Path] = None,
+                          max_bytes: int = _MAX_LOG_BYTES) -> None:
+    """Rotate daemon.log and daemon-error.log at startup if oversized.
+
+    Keeps one rotated copy (.1). Safe under concurrent start attempts:
+    rename is atomic on POSIX, and truncation is idempotent.
+    """
+    log_dir = log_dir or (Path.home() / ".superlocalmemory" / "logs")
+    try:
+        log_dir.mkdir(parents=True, exist_ok=True)
+    except Exception:
+        return
+    for name in ("daemon.log", "daemon-error.log", "daemon.json.log"):
+        path = log_dir / name
+        try:
+            if not path.exists() or path.stat().st_size <= max_bytes:
+                continue
+            rotated = log_dir / f"{name}.1"
+            try:
+                if rotated.exists():
+                    rotated.unlink()
+            except Exception:
+                pass
+            try:
+                path.rename(rotated)
+            except Exception:
+                # If rename fails (e.g., file is the open stderr fd under
+                # launchd), fall back to truncation so we at least reclaim
+                # disk without breaking the redirect.
+                try:
+                    with open(path, "w"):
+                        pass
+                except Exception:
+                    pass
+                continue
+            # Re-create the original path as empty so launchd's redirect
+            # keeps appending to a fresh file.
+            try:
+                path.touch()
+            except Exception:
+                pass
+        except Exception:
+            # Log rotation must never prevent daemon startup.
+            continue
+
+
 # ---------------------------------------------------------------------------
 # CLI entry point
 # ---------------------------------------------------------------------------
 
 if __name__ == "__main__":
+    # Rotate first, then configure logging, so the first log line lands in a
+    # freshly-sized file.
+    rotate_oversized_logs()
     logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
     port = _DEFAULT_PORT
     for arg in sys.argv:

package/src/superlocalmemory/ui/index.html

@@ -3,6 +3,10 @@
 <head>
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <!-- v3.4.23: server substitutes __SLM_VERSION__ at serve time. core.js
+         compares this to /api/version and hard-reloads + clears localStorage
+         on mismatch, so the browser cannot show stale UI after an upgrade. -->
+    <meta name="slm-version" content="__SLM_VERSION__">
     <title>SuperLocalMemory V3 — Dashboard</title>
 
     <!-- Bootstrap CSS (vendored locally v3.4.21 — no CDN calls, works offline) -->

package/src/superlocalmemory/ui/js/core.js

@@ -3,6 +3,97 @@
 // Security: All dynamic text MUST pass through escapeHtml() before DOM insertion.
 // Data originates from our own trusted local SQLite database (localhost only).
 
+// ============================================================================
+// v3.4.23 — slmFetch(): fetch with 15s abort timeout
+// ----------------------------------------------------------------------------
+// Bare fetch() never resolves when the daemon dies mid-request (socket kept
+// open, Promise pending). That leaves dashboard spinners running forever and
+// stacks up orphan fetches that make hard-refresh hang. slmFetch wraps every
+// request in an AbortController with a 15 s ceiling, so a dead daemon
+// surfaces as a normal rejection and the UI can show a clear error.
+// ============================================================================
+
+window.SLM_FETCH_TIMEOUT_MS = 15000;
+
+// Global fetch patch: apply the abort timeout to every relative-URL request
+// automatically. 17 UI modules call bare fetch() — patching here avoids
+// touching each one and guarantees no future callsite can regress to an
+// un-timed fetch that holds the spinner forever. Absolute URLs (external
+// resources) are passed through unchanged. Callers that already supply
+// `signal` keep their own behavior. `init.timeoutMs` lets callers override
+// the default per-request.
+(function patchFetch() {
+    if (window.__slmFetchPatched) return;
+    window.__slmFetchPatched = true;
+    var _origFetch = window.fetch.bind(window);
+    window.fetch = function (input, init) {
+        init = init || {};
+        var urlStr = typeof input === 'string' ? input : (input && input.url) || '';
+        var isRelative = !(/^https?:\/\//i.test(urlStr));
+        if (!isRelative || init.signal) {
+            return _origFetch(input, init);
+        }
+        var controller = new AbortController();
+        var timeoutMs = init.timeoutMs || window.SLM_FETCH_TIMEOUT_MS;
+        var timer = setTimeout(function () { controller.abort(); }, timeoutMs);
+        init.signal = controller.signal;
+        return _origFetch(input, init).finally(function () { clearTimeout(timer); });
+    };
+})();
+
+// Thin named wrapper for callsites that want explicit timeout control.
+// Equivalent to the patched fetch above but accepts `init.timeoutMs`.
+async function slmFetch(input, init) {
+    return fetch(input, init || {});
+}
+
+// ============================================================================
+// v3.4.23 — version fingerprint + auto-reload on daemon upgrade
+// ----------------------------------------------------------------------------
+// index.html ships with <meta name="slm-version" content="__SLM_VERSION__">
+// that the server fills in at serve time. After page load we ask the daemon
+// for its current version via /api/version; on mismatch we clear localStorage
+// and hard-reload once, so a stale tab never lingers after `slm restart` or
+// a package upgrade. Guarded by sessionStorage to avoid reload loops.
+// ============================================================================
+
+async function checkVersionFingerprint() {
+    try {
+        var metaEl = document.querySelector('meta[name="slm-version"]');
+        var pageVersion = metaEl ? metaEl.getAttribute('content') : null;
+        if (!pageVersion || pageVersion === '__SLM_VERSION__') return;
+        var resp = await slmFetch('/api/version', { timeoutMs: 5000 });
+        if (!resp.ok) return;
+        var data = await resp.json();
+        var serverVersion = data && data.version;
+        if (!serverVersion || serverVersion === pageVersion) return;
+        try {
+            if (sessionStorage.getItem('slm-version-reload-done') === serverVersion) {
+                console.warn('[slm] version mismatch persists after reload:',
+                    pageVersion, '!=', serverVersion);
+                return;
+            }
+            sessionStorage.setItem('slm-version-reload-done', serverVersion);
+        } catch (e) {
+            // sessionStorage blocked (private mode, quota, etc.) — fall through
+            // to reload. Worst case: we reload twice instead of once, still
+            // safe because server version converges on second attempt.
+        }
+        try {
+            // Preserve theme; drop everything else that might be stale.
+            var theme = localStorage.getItem('slm-theme');
+            localStorage.clear();
+            if (theme) localStorage.setItem('slm-theme', theme);
+        } catch (e) { /* localStorage may be blocked */ }
+        console.info('[slm] daemon upgraded', pageVersion, '->', serverVersion,
+            '— reloading');
+        location.reload();
+    } catch (err) {
+        // Network error or daemon down: don't reload, just log.
+        console.debug('[slm] version check skipped:', err && err.message);
+    }
+}
+
 // ============================================================================
 // Dark Mode
 // ============================================================================
@@ -180,7 +271,7 @@ function formatDateFull(dateString) {
 
 async function loadStats() {
     try {
-        var response = await fetch('/api/stats');
+        var response = await slmFetch('/api/stats');
         var data = await response.json();
         var ov = data.overview || {};
         animateCounter('stat-memories', ov.total_memories || 0);
@@ -235,6 +326,10 @@ function populateFilters(categories, projects) {
 
 window.addEventListener('DOMContentLoaded', function() {
     initDarkMode();
+    // v3.4.23: version check runs first and non-blocking. If a mismatch is
+    // detected it triggers location.reload(), so the rest of init on the
+    // stale page becomes a no-op.
+    checkVersionFingerprint();
     loadProfiles();
     loadStats();
     loadGraph();