vestige/crates/vestige-mcp
Sam Valladares 8f7bed0463 fix(blackbox): address review blockers B1–B7 + re-capture proof bundle
A full multi-agent review found 7 real issues (4 blockers). All fixed + tested.

B1 (blocker): Promoting a Memory PR did not release the quarantined memory —
the UI said "promoted" while the memory stayed suppressed/out of retrieval.
act_on_memory_pr now calls reverse_suppression(subject_id) on accept actions;
MemoryPrAction::releases_memory() encodes the rule (promote/merge/supersede
release; forget/quarantine keep it held). Proven live: PR response
subjectReleased:true, SQLite suppression_count 0.

B2 (blocker): memory promote/demote (returns `action`, not `decision`) and
codebase remember_* writes bypassed the write-trace + PR gate. extract_writes
now reads `action` too, filtered by is_write_decision (reads like get/state
excluded); is_write_tool includes `codebase`.

B3 (blocker): receipt ids collided within a run (r_<date>_<runId> +
INSERT OR REPLACE overwrote earlier receipts). IDs are now
r_<date>_<runId8>_<unique6>; build() mints the suffix, build_with_unique()
keeps tests deterministic.

B4 (blocker): proof bundle was assembled from two runs (trace.json=run_proof,
websocket-events.jsonl=run_proof2). Re-captured the whole bundle from a single
run — trace, websocket, receipt, and memory_pr all carry run_proof now.

B5: Black Box receipts panel showed global latest, not the selected run.
Added list_receipts_for_run + /api/receipts?run= ; the page uses listForRun.

B6: SENSITIVE_TOPICS substring matching false-fired (tokenizer->token,
author->auth, secretary->secret). Switched to word-boundary matching; real
phrasings (auth token, security vulnerability, api key) still gate.

B7: set_review_mode now writes atomically (temp+rename via write_atomic);
export_trace sanitizes run_id in the Content-Disposition filename; memory-prs
static routes declared before the dynamic /{id} route.

Withdrawn: the /mode-vs-/{id} route order is NOT a functional bug (axum 0.8 /
matchit prioritizes static segments) — reordered for clarity only.

Gates: 999 lib tests pass (+9 new regressions), clippy -D warnings clean,
dashboard check + build clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-22 18:46:14 -05:00
..
src fix(blackbox): address review blockers B1–B7 + re-capture proof bundle 2026-06-22 18:46:14 -05:00
Cargo.toml feat(cloud-sync): HTTP managed-sync backend + vestige sync --cloud 2026-06-19 20:35:01 -05:00
README.md Add ComposedGraph composition ledger 2026-06-18 16:00:29 -05:00

Vestige MCP Server

Local cognitive memory for MCP-compatible AI agents.

This crate provides the vestige-mcp stdio MCP server plus the vestige CLI. The cognitive engine lives in vestige-core; this crate owns protocol handling, tool dispatch, optional dashboard serving, backups, restore, update, and portable import/export commands.

Install

For normal users, prefer the release package:

npm install -g vestige-mcp-server

For local development:

cargo build --release -p vestige-mcp

Register With An MCP Client

Use the command vestige-mcp in any stdio MCP client:

{
  "mcpServers": {
    "vestige": {
      "command": "vestige-mcp"
    }
  }
}

Examples:

claude mcp add vestige vestige-mcp -s user
codex mcp add vestige -- vestige-mcp

Transports

  • Default: JSON-RPC 2.0 over stdio.
  • Optional: MCP-over-HTTP on /mcp, enabled only with --http, --http-port, or VESTIGE_HTTP_ENABLED=1.
  • Dashboard: vestige dashboard or VESTIGE_DASHBOARD_ENABLED=1.

HTTP and dashboard bearer tokens are generated locally; see docs/CONFIGURATION.md.

Current Tool Surface

The server exposes the current unified MCP tools from src/server.rs, including:

  • session_context
  • search, smart_ingest, memory, codebase, intention
  • deep_reference, cross_reference, contradictions
  • dream, explore_connections, predict
  • memory_health, memory_graph, composed_graph, system_status
  • importance_score, find_duplicates
  • consolidate, memory_timeline, memory_changelog
  • backup, export, restore, gc, suppress

See the root README.md and docs/AGENT-MEMORY-PROTOCOL.md for agent instructions.

License

AGPL-3.0-only