Skip to content

Releases: shivampkumar/mastermode

v0.3.4 — Smoother first run

Choose a tag to compare

@shivampkumar shivampkumar released this 15 Jun 05:35

Smoother first run. This release fixes the rough edges a brand-new uv tool install mastermode user hit.

Install

uv tool install "mastermode[local]"   # or: pip install "mastermode[local]"
mastermode setup                       # pick a provider, add a key (Gemini has a free tier) — ~60s
source ~/.lifeos/mastermode.env
mastermode capture "Started learning Rust with my friend Dana."

What changed

  • Coherent branding. All user-facing CLI messages now say mastermode, not the internal lifeos / Life OS. mastermode init points you at the real next step — mastermode setup — instead of the wrong command.
  • Graceful keyless first run. Running capture before configuring an LLM or embedding backend used to dump a full Python traceback. Now:
    • missing embedding backend → one concise line, not a stack trace (writes still succeed);
    • missing API key → a clear "Capture needs an LLM. Run mastermode setup (Gemini has a free tier), then source the env."
  • Version bumped 0.3.3 → 0.3.4.

Notes

A personal AI advisor needs a brain: capture and chat call an LLM, and semantic recall needs an embedding backend. Neither can ship in a bare install — mastermode setup wires both in about a minute. The bare install now degrades gracefully and points you there instead of erroring out.

Everything from v0.3.3 (ChatGPT/Claude importers, MCP server, proactive Telegram bot, the full security-hardening pass) carries forward unchanged.

🤖 Generated with Claude Code

v0.3.3 — On PyPI, hardened for open source

Choose a tag to compare

@shivampkumar shivampkumar released this 11 Jun 05:34

Public PyPI release, hardened for open source. pip install mastermode and your personal AI advisor is one command away.

Install

pip install mastermode            # or: uv tool install mastermode
pip install "mastermode[local]"   # add offline local embeddings (default provider)
mastermode setup

Zero cold-start — import your chat history

Point MasterMode at a ChatGPT or Claude.ai export and it knows you on day one — no blank graph, no weeks of logging.

mastermode import-chatgpt ~/Downloads/chatgpt-export.zip
mastermode import-claude  ~/Downloads/claude-export.zip
  • Recovers the conversation you actually saw (walks ChatGPT's branching tree; Claude's flat thread).
  • Every message stored + embedded for semantic recall; your own turns mined for entities through the same dedup/provenance as live capture.
  • Cost guards: --no-extract (free, offline), --max N, --max-batches, --dry-run. Re-import is idempotent.

Use it from any MCP client

mastermode mcp exposes the life graph to Claude Desktop, Cursor, and other MCP clients — your memory, their LLM. No API key; touches only the local SQLite graph.

Telegram bot: proactive by default

/start hands you the chat ID needed to switch on daily briefings, open-loop nudges, and the weekly review — the part that keeps you coming back.

Security hardening (pre-open-source audit)

A four-pass adversarial audit ran before going public. Fixes in this release:

  • SSRF guard on all outbound fetches (/api/ingest/url, web reader/fetch): validates scheme and blocks private/loopback/link-local/cloud-metadata addresses, re-checked on every redirect hop.
  • CORS no longer wildcard-with-credentials; defaults to local origins, MASTERMODE_CORS_ORIGINS to override.
  • Hosted demo is default-deny: all mutating methods blocked except an explicit allowlist, and /api/demo/reset is token-gated so the public can't wipe the graph. Static file serving is containment-checked against path traversal.
  • Importers cap decompressed export size to defuse zip bombs.
  • XML parsed with defusedxml (billion-laughs / XXE).
  • config.toml written 0600.

Project hygiene

  • GitHub Actions CI: ruff + pytest on Python 3.11 / 3.12 (offline, no keys).
  • CONTRIBUTING.md + CODE_OF_CONDUCT.md.
  • Earlier fix: no first-run traceback when the local embedding extra is absent — one concise warning, writes still succeed.

Verified

Clean-venv install from PyPI: SSRF guard blocks hostile URLs, demo default-deny confirmed, init → import → real offline embeddings → semantic recall returns correct hits on paraphrased queries. Test suite green (64, incl. security regression tests).

🤖 Generated with Claude Code