Bump to v1.7.3 — security hardening release

STARGA Inc · STARGA Inc · commit abbe342c1c9e · 2026-02-27T06:52:02.000-08:00
- 30 audit findings fixed (6 critical, 11 high, 9 medium, 4 low)
- All docs/badges aligned to v1.7.3
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,24 @@
 
 All notable changes to mind-mem are documented in this file.
 
+## 1.7.3 (2026-02-27)
+
+**Comprehensive security hardening and production reliability**
+
+### Fixed
+- **6 CRITICAL**: chunk_block off-by-one (#435), FTS5 wildcard injection (#436), CLI token exposure (#437), WAL post-check recovery (#438), DDL dimension validation (#439), intel state race condition (#440)
+- **11 HIGH**: read-only pragma crash (#442), connection leaks in block_metadata (#444) and build_index (#446), PRF O(N*M) performance (#448), non-atomic proposal status write (#449), missing DB indexes (#450), block_metadata missing pragmas (#451), ACL startup warning (#441), plaintext API key removal (#443), export_memory caps (#447)
+- **9 MEDIUM**: SSRF localhost validation (#452), block-header injection (#453), mid-block truncation (#454), sys.path restoration (#455), bare exception handlers (#456), index_status crash on fresh workspace (#457), intel_scan TOCTOU race (#458), vec_meta.json atomic write (#459), block_id validation (#460)
+- **4 LOW**: kernel field weight passthrough (#461), delete audit log (#462), workspace permissions (#463), CI SHA pinning (#464)
+
+### Security
+- All CI actions pinned to immutable commit SHAs (supply chain hardening)
+- Pinecone API key now requires env var only (removed config fallback)
+- Workspace directories created with restrictive 0o700 permissions
+- export_memory moved to ADMIN_TOOLS with 10k block cap
+- HTTP transport warns when admin token is not set
+- Deleted blocks now logged to deleted_blocks.jsonl for audit trail
+
 ## 1.7.2 (2026-02-27)
 
 **Baseline snapshot, contradiction detection, and full type safety**
diff --git a/README.md b/README.md
@@ -9,7 +9,7 @@
   </p>
   <p align="center">
     <a href="https://github.com/star-ga/mind-mem/actions/workflows/ci.yml"><img src="https://img.shields.io/github/actions/workflow/status/star-ga/mind-mem/ci.yml?branch=main&style=flat-square&label=CI" alt="CI"></a>
-    <a href="https://pypi.org/project/mind-mem/"><img src="https://img.shields.io/pypi/v/mind_mem?style=flat-square&color=blue&v=1.7.2" alt="PyPI"></a>
+    <a href="https://pypi.org/project/mind-mem/"><img src="https://img.shields.io/pypi/v/mind_mem?style=flat-square&color=blue&v=1.7.3" alt="PyPI"></a>
     <a href="https://pypi.org/project/mind-mem/"><img src="https://img.shields.io/pypi/pyversions/mind_mem?style=flat-square" alt="Python Versions"></a>
     <a href="https://github.com/star-ga/mind-mem/blob/main/LICENSE"><img src="https://img.shields.io/pypi/l/mind_mem?style=flat-square" alt="License"></a>
     <a href="https://github.com/star-ga/mind-mem/releases"><img src="https://img.shields.io/github/v/release/star-ga/mind-mem?style=flat-square&color=green" alt="Release"></a>
@@ -1018,7 +1018,7 @@ All settings in `mind-mem.json` (created by `init_workspace.py`):
 
 ```json
 {
-  "version": "1.7.2",
+  "version": "1.7.3",
   "workspace_path": ".",
   "auto_capture": true,
   "auto_recall": true,
diff --git a/docs/benchmarks.md b/docs/benchmarks.md
@@ -2,7 +2,7 @@
 
 ## LoCoMo Benchmark Results
 
-mind-mem v1.7.2, evaluated with Mistral Large (LoCoMo, 10 conversations):
+mind-mem v1.7.3, evaluated with Mistral Large (LoCoMo, 10 conversations):
 
 | Metric | Score |
 |--------|-------|
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -8,7 +8,7 @@ mind-mem is configured via `mind-mem.json` in your workspace root. This file is
 
 ```json
 {
-  "version": "1.7.2",
+  "version": "1.7.3",
   "schema_version": "2.1.0",
   "workspace_path": ".",
   "auto_capture": true,
@@ -87,7 +87,7 @@ mind-mem is configured via `mind-mem.json` in your workspace root. This file is
 
 | Key | Type | Default | Description |
 | --- | --- | --- | --- |
-| `version` | string | `"1.7.2"` | Config file version. Set automatically by `init_workspace.py`. |
+| `version` | string | `"1.7.3"` | Config file version. Set automatically by `init_workspace.py`. |
 | `schema_version` | string | `"2.1.0"` | Workspace schema version. Used by `schema_version.py` for migrations. Falls back to `version` if absent. |
 | `workspace_path` | string | `"."` | Workspace root directory. Relative paths are resolved from the config file location. |
 | `auto_capture` | bool | `true` | Run the capture engine automatically on session-end hooks. When `false`, the session-end hook exits without capturing signals. |
@@ -372,7 +372,7 @@ Kernel parameters override in-code defaults when present. The `get_mind_kernel`
 
 ```json
 {
-  "version": "1.7.2",
+  "version": "1.7.3",
   "governance_mode": "detect_only",
   "recall": {
     "backend": "scan"
@@ -384,7 +384,7 @@ Kernel parameters override in-code defaults when present. The `get_mind_kernel`
 
 ```json
 {
-  "version": "1.7.2",
+  "version": "1.7.3",
   "governance_mode": "propose",
   "recall": {
     "backend": "hybrid",
@@ -404,7 +404,7 @@ Kernel parameters override in-code defaults when present. The `get_mind_kernel`
 
 ```json
 {
-  "version": "1.7.2",
+  "version": "1.7.3",
   "governance_mode": "enforce",
   "recall": {
     "backend": "hybrid",
@@ -426,7 +426,7 @@ Kernel parameters override in-code defaults when present. The `get_mind_kernel`
 
 ```json
 {
-  "version": "1.7.2",
+  "version": "1.7.3",
   "recall": {
     "backend": "vector",
     "provider": "qdrant",
@@ -441,7 +441,7 @@ Kernel parameters override in-code defaults when present. The `get_mind_kernel`
 
 ```json
 {
-  "version": "1.7.2",
+  "version": "1.7.3",
   "auto_capture": true,
   "auto_ingest": {
     "enabled": true,
@@ -456,7 +456,7 @@ Kernel parameters override in-code defaults when present. The `get_mind_kernel`
 
 ```json
 {
-  "version": "1.7.2",
+  "version": "1.7.3",
   "governance_mode": "propose",
   "categories": {
     "enabled": true,
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "mind-mem"
-version = "1.7.2"
+version = "1.7.3"
 description = "Drop-in memory for Claude Code, OpenClaw, and any MCP-compatible agent."
 readme = "README.md"
 license = "MIT"
diff --git a/scripts/__init__.py b/scripts/__init__.py
@@ -20,4 +20,4 @@
     transcript_capture — Transcript JSONL signal extraction
 """
 
-__version__ = "1.7.2"
+__version__ = "1.7.3"
