v1.8.9-ce — Agent memory that can change its mind + a security hardening batch¶
Released: 2026-07-10 · Tag: v1.8.9-ce · Docker: synapcores/community:v1.8.9-ce
MEMORY_STORE (v1.8.5) could only append — an agent that learned "the user is now pescatarian"
couldn't supersede its earlier "vegetarian", and storing the same fact twice made two rows. This
release adds MEMORY_UPSERT, which lets an in-database agent revise or retract what it believes.
Alongside it: per-call limits for AGENT_RUN, and a batch of gateway security hardening.
MEMORY_UPSERT — idempotent, policy-driven memory¶
-- Revise a belief, but only if you're now more confident
SELECT MEMORY_UPSERT('default', 'User is pescatarian',
json_object('key', 'dietary',
'policy', 'replace_higher_confidence',
'confidence', 0.95)) AS action; -- 'UPDATE'
-- Retract a fact the agent no longer holds
SELECT MEMORY_UPSERT('default', 'User is vegetarian',
json_object('key', 'dietary', 'deleted', true)) AS action; -- 'DELETE'
Returns the action taken — 'ADD' | 'UPDATE' | 'DELETE' | 'NOOP'.
- Five policies:
replace,replace_higher_confidence(a low-confidence guess never clobbers a high-confidence fact),merge_max_confidence,append_history(keeps the belief timeline),noop_if_equal. - Semantic keying: with no explicit
key, it matches the row whose embedding is withinsimilarity_threshold(default0.95) — an agent can revise a belief it never explicitly named. - Retraction:
deleted: trueorconfidence: 0; retracting a belief never held is aNOOP, not an error. - Audit: every non-
NOOPchange lands in_system_agent_memory_audit.
No migration needed
Confidence, key and version live under reserved metadata keys, so namespaces created by v1.8.5
MEMORY_STORE keep working unchanged. And MEMORY_STORE(ns, content, NULL, json_object('dedup', true))
now routes through the upsert path — returning the existing row's id instead of duplicating — while
the 2- and 3-argument forms are byte-for-byte unchanged.
AGENT_RUN(persona, task, options) — bound a single agent call¶
SELECT AGENT_RUN('aidb-assistant', 'Investigate the slowest query',
json_object('max_iterations', 3, 'timeout_ms', 60000)) AS reply;
max_iterations (clamped 1..10) and timeout_ms (clamped 1000..600000). Out-of-range values are
clamped; unknown keys error so typos surface.
The agent's tools stay read-only from SQL
allow_writes is rejected, not accepted — a per-query flag would let any caller escalate a
read-only agent. Write capability is an operator decision (coming with durable agents in v1.9).
model is also rejected this release: the engine resolves the model persona-then-config, so a
per-call override would be silently ignored — set it in [query.ai_service] or on the persona.
Security hardening (P1 batch)¶
Seven gateway findings from an internal audit. None is a live exploit in Community Edition (CE is single-tenant), but one is operator-visible:
Behind a reverse proxy? Set trusted_proxies.
X-Forwarded-For / X-Real-IP are now honored only from IPs listed in the new
server.trusted_proxies (default empty). A plain docker run install is unaffected — a
direct client sends no XFF, so the socket peer is used as before. But if you front the gateway
with nginx / k8s ingress, add the proxy's IP to trusted_proxies or per-client rate-limiting,
threat-detection, and audit granularity collapse onto the proxy's IP. This closes an XFF-spoofing
rate-limit bypass.
Also: WebSocket JWT via Authorization / Sec-WebSocket-Protocol (the ?token= query string is
deprecated and warns), a server.allowed_origins WS Origin allowlist (empty = allow all, so OOB is
unchanged), tenant-scoped query execution (Enterprise defense-in-depth), an admin gate on
filesystem-collection ingest, and an atomic-write fix for the vision-config secret file.
Upgrade¶
No data migration. All existing SQL keeps working; the memory-upsert and agent-run options are additive.
Validation¶
Released against the release artifact (--release --features bundled-ui): state-asserting
feature_validator.py 88/88, recipe-cert 152/158 (zero regressions vs v1.8.7-ce, pristine
data dirs), non-AVX-512 canary PASS on an i5-10400F, plus a post-publish canary against the
published GHCR image.
Full SQL reference: SQL Reference · Releases overview