v0.42.3

• Remove keep collections CLI command (leaked ChromaDB implementation detail)
• Remove collections from keep config output
• Add Dependabot + pip-audit security scanning

v0.42.2

Provider generate() method, protocol fixes

• Add generate(system, user) to SummarizationProvider protocol — clean method for sending raw prompts to the configured LLM without introspecting provider internals
• Implement across all providers: Anthropic, OpenAI, Ollama, Gemini, MLX, Passthrough
• Replace brittle hasattr-based _call_decomposition_llm() with a single provider.generate() call
• Add get_status() to PendingQueueProtocol and all queue implementations (NullPendingQueue, PendingSummaryQueue)
• Remove hasattr duck-typing from Keeper.pending_status()

v0.42.1

Add Keeper.pending_status() public method for per-note queue status lookup.

v0.42.0 — Interface refactor: unified put() and find()

Interface refactor

Unified put() — remember() and update() merged into a single put(content, uri, id, summary, tags) method. Cleaner API surface, same capabilities.

Unified find() — find(), find_similar(), and query_fulltext() merged into find(query, similar_to, fulltext, ...). One method, three search modes.

Net -104 lines across 24 files.

Security & correctness

• Error log created with 0o600 permissions (was world-readable)
• Binary stdin handling in put and now commands (clean error instead of crash)
• Tag validation on all put() paths (was missing on inline content path)
• REST API: include_hidden parameter now correctly passed through in list_notes and query_tag
• REST API: ValueError → HTTP 400 (was 500)
• REST API: Pydantic validator on SearchRequest for mutual exclusion

Protocol alignment

• KeeperProtocol fully aligned with Keeper and RemoteKeeper
• Added missing resolve_inline_meta, include_hidden params, fixed move() default

Docs

• Updated OUTPUT.md with parts: section documentation
• Fixed stale method references across ARCHITECTURE.md, SYSTEM-TAGS.md, PYTHON-API.md
• SSRF check TOCTOU documented for hosted service awareness

pip install --upgrade keep-skill

v0.41.0

Constrained tags & case-insensitive tags

Constrained tags: Tag docs (.tag/act, .tag/status) now enforce valid values via sub-docs at .tag/KEY/VALUE. Invalid values produce a hard error listing valid options. Add custom values by creating sub-docs: keep remember "" --id .tag/status/working.

Case-insensitive tags: All tag keys and values are casefolded on write and query. act=Commitment stores as act=commitment; keep list -t ACT=commitment matches it.

CLI error handling: Constrained tag errors now display cleanly instead of propagating as stack traces.

v0.40.0 — Structural decomposition (analyze/parts), memory pressure fix

New: keep analyze — structural decomposition into parts

Decompose documents and version strings into meaningful parts (@P{N}), each with its own summary, tags, and embedding. Parts appear in search results, context assembly, and can be accessed directly.

• keep analyze ID — LLM-driven decomposition (background by default, --fg to wait)
• keep put URL --analyze / keep move NAME --analyze — analyze after put/move
• keep get ID --parts / keep list --parts — view structural parts
• Guidance tags (-t topic) fetch .tag/KEY descriptions for better decomposition
• Fallback to simple chunking when LLM is unavailable

Fix: MLX memory pressure during process-pending

Both embedding (~1-2GB) and summarization (~2-4GB) MLX models stayed resident in unified memory simultaneously. Now releases summarization model before loading embedding in analyze(), and releases models between items in process-pending batches.

Docs

Updated all per-command docs (KEEP-*.md) and REFERENCE.md to reflect current CLI flags including --analyze, --fg, --parts, -a/--all, -R/--resolve.

pip install --upgrade keep-skill

v0.39.2

• PyPI project links now point to keepnotes.ai and docs.keepnotes.ai
• README: hosted service callout

v0.39.1

• Remove backend-specific references (ChromaDB, SQLite, MLX) from public API docstrings
• Rename reconcile return keys to backend-agnostic names
• Clean up module and protocol documentation

v0.39.0

What's New

• Directory put: keep put /path/to/folder/ indexes all files in a directory (non-recursive, skips hidden files and symlinks, continues on errors)
• Bare file paths: keep put ~/report.pdf now works — automatically normalizes to file:// URI
• Safety cap: directories with more than 1000 files are rejected with a clear message
• Improved provider setup guidance

v0.38.5 — Pluggable store hardening

Pluggable Store Hardening

Fixes security and correctness issues in the pluggable storage backend introduced in v0.38.4.

Fixed

• SQLite-specific recovery guarded — exception handling in get() now catches generic Exception instead of sqlite3.DatabaseError, and guards _try_runtime_recover() behind _is_local + hasattr check. Non-local backends no longer hit AttributeError on DB errors.
• Resource leak on partial init — _create_local_stores() now uses try/finally to close already-opened stores if a later store fails to initialize.
• Factory return type validated — _load_backend() verifies the external factory returns a StoreBundle, giving clear TypeError instead of cryptic failures.
• Config file permissions — save_config() now sets chmod 0o600 when backend_params is present (not just for remote configs), protecting credentials on multi-user systems.
• backend_params type validated — rejects non-dict values during config load with a clear error.
• Typed dequeue() — PendingQueueProtocol.dequeue() now returns list[PendingSummary] instead of bare list.