<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Tang Weigang</title>
    <description>The latest articles on DEV Community by Tang Weigang (@doramagic).</description>
    <link>https://dev.to/doramagic</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3936036%2F9206ba55-8d8f-457e-a399-6e3316ef715f.png</url>
      <title>DEV Community: Tang Weigang</title>
      <link>https://dev.to/doramagic</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/doramagic"/>
    <language>en</language>
    <item>
      <title>An MCP Server Is Not Safe Just Because It Started</title>
      <dc:creator>Tang Weigang</dc:creator>
      <pubDate>Sat, 18 Jul 2026 00:03:42 +0000</pubDate>
      <link>https://dev.to/doramagic/an-mcp-server-is-not-safe-just-because-it-started-25i2</link>
      <guid>https://dev.to/doramagic/an-mcp-server-is-not-safe-just-because-it-started-25i2</guid>
      <description>&lt;p&gt;The first useful question after adding an MCP server is not “did the process start?” It is “what did the host actually expose, and what can I roll back?”&lt;/p&gt;

&lt;p&gt;modelcontextprotocol/servers is a reference-server monorepo covering filesystem, memory, git, fetch, everything, sequential thinking, and time. That makes it a map of MCP surfaces, not a production safety certificate. Doramagic lists npx -y @modelcontextprotocol/server-memory as a first entry point, but an install command is not runtime or permission evidence.&lt;/p&gt;

&lt;p&gt;My first-use check is deliberately boring: create a temporary host configuration, use no real credentials, verify the host transport and Node/Python runtime, then read back the tools, resources, and prompts the host actually discovers. Test one allowed action, one out-of-scope action, and a rollback to the previous configuration. Record the package/version, host, allowed paths, observed capabilities, and failure output.&lt;/p&gt;

&lt;p&gt;The boundary matters most for filesystem and repository-facing servers. “It can read a file” is not acceptance unless the allowed root, denied path behavior, and recovery path are recorded. Doramagic has recorded source, Quick Start, and sandbox-install checks for this pack; community evidence still needs a refresh, so this post does not claim every server/host/version combination works.&lt;/p&gt;

&lt;p&gt;Project page: &lt;a href="https://doramagic.ai/zh/projects/servers/" rel="noopener noreferrer"&gt;https://doramagic.ai/zh/projects/servers/&lt;/a&gt;&lt;br&gt;
Manual: &lt;a href="https://doramagic.ai/zh/projects/servers/manual/" rel="noopener noreferrer"&gt;https://doramagic.ai/zh/projects/servers/manual/&lt;/a&gt;&lt;br&gt;
Upstream: &lt;a href="https://github.com/modelcontextprotocol/servers" rel="noopener noreferrer"&gt;https://github.com/modelcontextprotocol/servers&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Disclosure: this is an independent Doramagic resource package, not an upstream release, endorsement, or security certification.&lt;/p&gt;

</description>
      <category>devtools</category>
      <category>ai</category>
      <category>agents</category>
      <category>mcp</category>
    </item>
    <item>
      <title>Your AI Coding Policy Needs a Receipt, Not Just an AGENTS.md</title>
      <dc:creator>Tang Weigang</dc:creator>
      <pubDate>Thu, 16 Jul 2026 23:43:28 +0000</pubDate>
      <link>https://dev.to/doramagic/your-ai-coding-policy-needs-a-receipt-not-just-an-agentsmd-4h95</link>
      <guid>https://dev.to/doramagic/your-ai-coding-policy-needs-a-receipt-not-just-an-agentsmd-4h95</guid>
      <description>&lt;p&gt;An AGENTS.md file can explain a rule. It cannot prove that an agent saw the rule, that a proposed action was evaluated, or that a rejected change left a usable recovery trail. That is the useful question behind coding-ethos.&lt;/p&gt;

&lt;p&gt;coding-ethos splits the problem into policy, agents, hooks, and code intelligence. &lt;code&gt;coding_ethos.yml&lt;/code&gt; describes the mechanics; ETHOS.md and the coding-ethos standards carry the values; AGENTS.md and CLAUDE.md describe agent contracts. The hooks runner receives lifecycle events, routes them to the relevant evaluator or MCP tool, and normalizes the result.&lt;/p&gt;

&lt;p&gt;The v0.3.0 line is interesting for three concrete reasons: policy extension seams let downstream rules plug in without rewriting the compiler; routing is centralized instead of duplicated in every hook; and remediation evidence is persisted in the code-intel store. A denied action should be testable as a structured verdict plus a remediation payload, not just a red log line.&lt;/p&gt;

&lt;p&gt;My first-use check is deliberately small: run &lt;code&gt;uvx coding-ethos&lt;/code&gt; against a disposable repository, exercise one allowed action and one denied action, read the rule id and evidence payload, retry after remediation, then remove the temporary configuration and verify rollback. A visible MCP tool list is not proof of enforcement, and a legacy path that bypasses &lt;code&gt;hooks/runner&lt;/code&gt; can silently drop evidence.&lt;/p&gt;

&lt;p&gt;The Doramagic pack also records community reports about Bubblewrap provisioning, git amend policy, MCP stdio coverage, and agent-proxy work. Those are source-backed checks to revisit, not claims that Doramagic reproduced every issue. Project notes: &lt;a href="https://doramagic.ai/en/projects/coding-ethos/manual/" rel="noopener noreferrer"&gt;https://doramagic.ai/en/projects/coding-ethos/manual/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Disclosure: this is an independent Doramagic capability pack, not an official coding-ethos release or endorsement.&lt;/p&gt;

</description>
      <category>mcp</category>
      <category>ai</category>
      <category>programming</category>
      <category>agents</category>
    </item>
    <item>
      <title>agent-workspace-linux Is Not Computer Use: Verify the Workspace Boundary First</title>
      <dc:creator>Tang Weigang</dc:creator>
      <pubDate>Thu, 16 Jul 2026 01:33:36 +0000</pubDate>
      <link>https://dev.to/doramagic/agent-workspace-linux-is-not-computer-use-verify-the-workspace-boundary-first-4mbp</link>
      <guid>https://dev.to/doramagic/agent-workspace-linux-is-not-computer-use-verify-the-workspace-boundary-first-4mbp</guid>
      <description>&lt;p&gt;Most computer-use failures start before the model acts: the agent is operating inside the user's real browser, clipboard, focus, or files. &lt;code&gt;agent-workspace-linux&lt;/code&gt; takes the opposite route. It creates an agent-owned Linux desktop backed by Xvfb and openbox, with a separate browser and clipboard.&lt;/p&gt;

&lt;p&gt;The first run should be boring and observable. Install the Linux dependencies from the upstream README, then run &lt;code&gt;agent-workspace-linux doctor&lt;/code&gt;. Use &lt;code&gt;workspace start --dry-run&lt;/code&gt; before &lt;code&gt;workspace start --ack-hidden-workspace --purpose "QA run"&lt;/code&gt;. Open the viewer, launch one test app, save &lt;code&gt;workspace observe --screenshot --output /tmp/ws.png&lt;/code&gt;, and finish with &lt;code&gt;workspace stop&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Do not call the viewer a security boundary. &lt;code&gt;--permissions&lt;/code&gt; or &lt;code&gt;AGENT_WORKSPACE_PERMISSIONS&lt;/code&gt; is the hard ceiling for networks, mounts, and apps; without bubblewrap, those policies may only be declared. The project is pre-1.0, and issues #21 and #22 cover live-control and clipboard risks. I would use it first for GUI QA or disposable browser profiles, not production credentials.&lt;/p&gt;

&lt;p&gt;Project: &lt;a href="https://doramagic.ai/en/projects/agent-workspace-linux/" rel="noopener noreferrer"&gt;https://doramagic.ai/en/projects/agent-workspace-linux/&lt;/a&gt;&lt;br&gt;
Manual: &lt;a href="https://doramagic.ai/en/projects/agent-workspace-linux/manual/" rel="noopener noreferrer"&gt;https://doramagic.ai/en/projects/agent-workspace-linux/manual/&lt;/a&gt;&lt;br&gt;
Upstream: &lt;a href="https://github.com/agent-sh/agent-workspace-linux" rel="noopener noreferrer"&gt;https://github.com/agent-sh/agent-workspace-linux&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Independent Doramagic resource pack; not an official upstream release or endorsement.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>linux</category>
      <category>mcp</category>
      <category>security</category>
    </item>
    <item>
      <title>Sverklo Is Not Just Grep with Embeddings: Verify the Code-Memory Evidence Chain</title>
      <dc:creator>Tang Weigang</dc:creator>
      <pubDate>Wed, 15 Jul 2026 01:57:05 +0000</pubDate>
      <link>https://dev.to/doramagic/sverklo-is-not-just-grep-with-embeddings-verify-the-code-memory-evidence-chain-3j69</link>
      <guid>https://dev.to/doramagic/sverklo-is-not-just-grep-with-embeddings-verify-the-code-memory-evidence-chain-3j69</guid>
      <description>&lt;p&gt;Many coding agents do not fail because a model forgot a sentence from the previous chat. They fail because the agent has no context layer that can explain where a code fact came from, how wide it applies, and whether it is still fresh. Sverklo is interesting as an engineering hypothesis: a local-first MCP server that combines repository indexing, symbol graphs, dependency tracing, diff-aware review, and persistent memory. The useful question is not whether it sounds like an intelligent search box. It is whether an agent can receive repository context that a human can replay and verify.&lt;/p&gt;

&lt;p&gt;The upstream entry point is &lt;code&gt;npm install -g sverklo&lt;/code&gt;, with Node.js &amp;gt;= 24 as the stated runtime. A successful install only proves that the CLI can be found. It does not prove that the index is complete, that the current repository is being served, or that the MCP client is calling the intended tool. I would start in a disposable test repository instead of binding the first run to a production workspace or the global registry.&lt;/p&gt;

&lt;p&gt;I would make the first acceptance run observable at four layers. First, file discovery: does the index include the expected paths, honor ignore rules, and produce a plausible file count after reindexing? Second, code structure: can &lt;code&gt;lookup&lt;/code&gt; find a known symbol, and do &lt;code&gt;refs&lt;/code&gt;, &lt;code&gt;deps&lt;/code&gt;, and &lt;code&gt;impact&lt;/code&gt; return relationships rather than a list of filenames? Third, context delivery: does the &lt;code&gt;context&lt;/code&gt; tool provide a useful onboarding bundle, and does a supplied token &lt;code&gt;budget&lt;/code&gt; produce a smaller PageRank-pruned repository map? Fourth, the memory ledger: can a memory with a project scope, kind, related file, and time metadata be recalled, and does changing that file make the memory visibly stale?&lt;/p&gt;

&lt;p&gt;Sverklo is not described as a single vector retriever. The Doramagic manual maps its retrieval surface to BM25 keywords, ONNX embeddings, and a PageRank symbol graph fused across signals. Search hits expose &lt;code&gt;found_by&lt;/code&gt;, which gives the operator a way to tell whether multiple retrievers agree. There is an important boundary here: exact strings still belong to Grep/Read. Sverklo is better suited to exploration, dependency graphs, refactor blast radius, and semantic questions. Sending every query through embeddings would make the workflow less predictable and contradict the server's own MCP guidance.&lt;/p&gt;

&lt;p&gt;An acceptance script can stay small and repeatable:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Create a temporary repository with a few modules, a test, a README, and one intentionally broken dependency.&lt;/li&gt;
&lt;li&gt;Run &lt;code&gt;sverklo init&lt;/code&gt;, register the project, and wait for indexing. Record the Node version, project name, index timestamp, and file count.&lt;/li&gt;
&lt;li&gt;Call &lt;code&gt;context&lt;/code&gt; for onboarding and pass a small &lt;code&gt;budget&lt;/code&gt;; check whether the returned map actually contracts with the budget.&lt;/li&gt;
&lt;li&gt;Use &lt;code&gt;lookup&lt;/code&gt; on a known symbol, then use &lt;code&gt;refs&lt;/code&gt;, &lt;code&gt;deps&lt;/code&gt;, and &lt;code&gt;impact&lt;/code&gt; to trace callers, dependencies, and change scope.&lt;/li&gt;
&lt;li&gt;Write one file-pinned decision with &lt;code&gt;remember&lt;/code&gt;, edit that file, and inspect &lt;code&gt;sverklo://context&lt;/code&gt; or recall for an explicit stale signal.&lt;/li&gt;
&lt;li&gt;Run &lt;code&gt;review_diff&lt;/code&gt; on a small change and confirm that the result contains both readable Markdown and structured findings with path, line, and severity anchors.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The lifecycle is where a seemingly healthy setup can mislead an automation. Sverklo stores registered projects in &lt;code&gt;~/.sverklo/registry.json&lt;/code&gt;. The manual records issue #74: &lt;code&gt;reindex&lt;/code&gt; can finish while leaving &lt;code&gt;lastIndexed&lt;/code&gt; stale, so the timestamp in &lt;code&gt;sverklo list&lt;/code&gt; is advisory rather than proof that the current index is fresh. After reindexing, automation should register again or read the index status and file evidence directly. Issue #73 reports that unregister takes the internal project name, not an absolute path. A worktree cleanup script should therefore resolve the name from &lt;code&gt;sverklo list&lt;/code&gt; before unregistering.&lt;/p&gt;

&lt;p&gt;MCP naming has another quiet production boundary. Sverklo already exposes internal &lt;code&gt;sverklo_&lt;/code&gt; tool prefixes. If a host also prefixes tool names using the server key, a name such as &lt;code&gt;sverklo_sverklo_impact&lt;/code&gt; can appear. A connected badge is not enough. After integration, enumerate the tools and make one real call to &lt;code&gt;context&lt;/code&gt;, &lt;code&gt;lookup&lt;/code&gt;, or &lt;code&gt;status&lt;/code&gt; so the host's names and response shape are verified.&lt;/p&gt;

&lt;p&gt;My operator rule is to treat Sverklo as an observable local code-context candidate, not as an agent brain that becomes trustworthy after installation. Before putting it in a real workspace, retain four kinds of readback: index scope and freshness, symbol/dependency results, stale-memory behavior, and structured diff-review output. Without those artifacts, the only defensible claim is that the CLI started.&lt;/p&gt;

&lt;p&gt;This is an independent Doramagic capability pack, not an official Sverklo release or endorsement. Project page: &lt;a href="https://doramagic.ai/en/projects/sverklo/" rel="noopener noreferrer"&gt;https://doramagic.ai/en/projects/sverklo/&lt;/a&gt;; Human Manual: &lt;a href="https://doramagic.ai/en/projects/sverklo/manual/" rel="noopener noreferrer"&gt;https://doramagic.ai/en/projects/sverklo/manual/&lt;/a&gt;; upstream: &lt;a href="https://github.com/sverklo/sverklo" rel="noopener noreferrer"&gt;https://github.com/sverklo/sverklo&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>agents</category>
      <category>mcp</category>
    </item>
    <item>
      <title>OpenViking Is Not Just a Memory Folder: Verify Hierarchical Context Delivery First</title>
      <dc:creator>Tang Weigang</dc:creator>
      <pubDate>Tue, 14 Jul 2026 01:32:42 +0000</pubDate>
      <link>https://dev.to/doramagic/openviking-is-not-just-a-memory-folder-verify-hierarchical-context-delivery-first-487b</link>
      <guid>https://dev.to/doramagic/openviking-is-not-just-a-memory-folder-verify-hierarchical-context-delivery-first-487b</guid>
      <description>&lt;p&gt;OpenViking is interesting because it puts memory, resources, and skills behind one file-system-shaped context model for agents. That is a useful hypothesis, but an installation that completes does not prove the context database is ready to hold real agent memory.&lt;/p&gt;

&lt;p&gt;The documented entry point is &lt;code&gt;pip install openviking&lt;/code&gt;. I would still start in an isolated directory with three traceable fixtures: one short memory, one resource file, and one skill description. After ingestion, check whether the directory hierarchy and URI remain stable. Then compare a shallow retrieval with a deeper retrieval and inspect how much context is actually delivered at each level. The question is context delivery, not whether a demo returned one similar chunk.&lt;/p&gt;

&lt;p&gt;The project frames its design around a file-system paradigm, hierarchical context delivery, and self-evolving context. That creates three concrete engineering questions: can the hierarchy express relationships between resources, does retrieval move from summaries to deeper evidence, and what happens when a new memory conflicts with an old one? A single successful search is not evidence that long-term memory is safe.&lt;/p&gt;

&lt;p&gt;The upstream issue trail gives useful first-run boundaries. A reported &lt;code&gt;openviking-memory.ts&lt;/code&gt; autoRecall bug needs reproduction; a malformed memory can poison a semantic queue; and multi-user memory isolation needs an explicit test rather than an assumption. I would not start with real conversations or treat self-evolution as trusted automatic writes. Use synthetic records with an owner, source, and timestamp so isolation and rollback are observable.&lt;/p&gt;

&lt;p&gt;My first acceptance sequence would be: install &lt;code&gt;openviking&lt;/code&gt;; confirm Python and host compatibility; ingest one memory with source and owner fields; run one shallow and one deep retrieval; revoke or delete that record and query again; then inject one malformed record and check whether the failure is isolated instead of stopping the whole processing queue. Save the command output, returned URI, retrieved text, and error response at every step.&lt;/p&gt;

&lt;p&gt;The evidence boundary matters. The Doramagic capability pack supplies a quick start, manual, context pack, pitfall log, and eval route. It does not prove that OpenViking was installed or run on this machine. OpenViking also does not replace a permission model, tenant isolation, retention policy, or human correction loop.&lt;/p&gt;

&lt;p&gt;My operator rule is to treat OpenViking as an observable context-database candidate, not as an automatic replacement for an agent's memory layer. It earns a real workspace only after hierarchical retrieval, provenance, user isolation, revocation behavior, and malformed-data recovery are all recorded.&lt;/p&gt;

&lt;p&gt;This is an independent Doramagic capability pack, not an official OpenViking release or endorsement. Project page: &lt;a href="https://doramagic.ai/en/projects/openviking/" rel="noopener noreferrer"&gt;https://doramagic.ai/en/projects/openviking/&lt;/a&gt;; Human Manual: &lt;a href="https://doramagic.ai/en/projects/openviking/manual/" rel="noopener noreferrer"&gt;https://doramagic.ai/en/projects/openviking/manual/&lt;/a&gt;; upstream: &lt;a href="https://github.com/volcengine/OpenViking" rel="noopener noreferrer"&gt;https://github.com/volcengine/OpenViking&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>opensource</category>
    </item>
    <item>
      <title>Notion MCP: Verify Page Access Before You Trust the Tool List</title>
      <dc:creator>Tang Weigang</dc:creator>
      <pubDate>Mon, 13 Jul 2026 01:28:36 +0000</pubDate>
      <link>https://dev.to/doramagic/notion-mcp-verify-page-access-before-you-trust-the-tool-list-47ef</link>
      <guid>https://dev.to/doramagic/notion-mcp-verify-page-access-before-you-trust-the-tool-list-47ef</guid>
      <description>&lt;p&gt;The first failure mode in a Notion MCP integration is rarely a missing tool. It is assuming that a visible tool name implies access to the whole workspace. &lt;code&gt;makenotion/notion-mcp-server&lt;/code&gt; exposes the official entry point &lt;code&gt;npx @notionhq/notion-mcp-server&lt;/code&gt;, while the independent Doramagic capability pack puts page access checks, workspace boundaries, and tool verification before any serious workflow.&lt;/p&gt;

&lt;p&gt;I would treat the first run as a permission-routing test, not as a successful plugin installation. Start with a temporary workspace or test page. Confirm that the host points at the intended MCP server, confirm that the Notion integration has access to that page, and prove the access with a read-only call. A page visible in the Notion UI is not evidence that the integration token can read it.&lt;/p&gt;

&lt;p&gt;The source map gives a useful debugging route. &lt;code&gt;src/init-server.ts&lt;/code&gt; and &lt;code&gt;scripts/start-server.ts&lt;/code&gt; describe startup; &lt;code&gt;src/openapi-mcp-server/mcp/proxy.ts&lt;/code&gt; maps the OpenAPI description into MCP tools; &lt;code&gt;src/openapi-mcp-server/openapi/parser.ts&lt;/code&gt; handles tool parsing; and &lt;code&gt;src/openapi-mcp-server/auth/&lt;/code&gt; plus &lt;code&gt;client/http-client.ts&lt;/code&gt; define authentication and request boundaries. When a tool appears but a call fails, inspect the layer: host configuration, auth, OpenAPI translation, or the Notion API's permission response.&lt;/p&gt;

&lt;p&gt;My first verification sequence would be deliberately small: run &lt;code&gt;npx @notionhq/notion-mcp-server&lt;/code&gt; only through the documented entry path, read one test page, compare the returned page id with the expected id, then try one minimal update. Record the actual response and the page permission state after every step. Do not use a team knowledge base, private pages, or a production integration token as the first test fixture.&lt;/p&gt;

&lt;p&gt;There is an important evidence boundary here. The pack does not prove that Notion MCP has been installed, run, or successfully called on this machine. Its quick start, Human Manual, and eval files are routes for validation, not runtime output. The pack also flags configuration, installation, runtime, and permission risks, so the official quickstart should be reproduced in an isolated environment. A process that starts is not proof that the target page is readable, and readable is not proof that an agent can safely write.&lt;/p&gt;

&lt;p&gt;My operator rule is simple: give the agent one test page first, then expand the grant. Put the page id, workspace, integration permission, and exact error response into the acceptance record. Only connect a working knowledge base after read, minimal write, and revoked-permission failure are all observable.&lt;/p&gt;

&lt;p&gt;This is an independent Doramagic capability pack, not official Notion documentation or an endorsement. Project page: &lt;a href="https://doramagic.ai/en/projects/notion-mcp-server/" rel="noopener noreferrer"&gt;https://doramagic.ai/en/projects/notion-mcp-server/&lt;/a&gt;; upstream: &lt;a href="https://github.com/makenotion/notion-mcp-server" rel="noopener noreferrer"&gt;https://github.com/makenotion/notion-mcp-server&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>opensource</category>
    </item>
    <item>
      <title>Graphiti Is Not Just Another RAG Layer: Keep Time and Provenance</title>
      <dc:creator>Tang Weigang</dc:creator>
      <pubDate>Sun, 12 Jul 2026 03:59:32 +0000</pubDate>
      <link>https://dev.to/doramagic/graphiti-is-not-just-another-rag-layer-keep-time-and-provenance-idl</link>
      <guid>https://dev.to/doramagic/graphiti-is-not-just-another-rag-layer-keep-time-and-provenance-idl</guid>
      <description>&lt;p&gt;The hard part of agent memory is often not retrieving a similar sentence. It is deciding whether that sentence is still true. Graphiti approaches the problem as a temporal context graph: entities, relationships, and facts carry validity windows, and facts can be traced back to the episode that produced them.&lt;/p&gt;

&lt;p&gt;That changes the first engineering question. A preference, project configuration, customer relationship, or operational state can be true today and replaced tomorrow. A vector-only retrieval path can still return the old statement because it is semantically close. Graphiti combines semantic retrieval, BM25 keyword matching, and graph traversal, then keeps a path back to the source node used in the result.&lt;/p&gt;

&lt;p&gt;I would not treat it as a drop-in memory plugin. The official entry point is &lt;code&gt;pip install graphiti-core&lt;/code&gt;. The quickstart also involves a Neo4j or FalkorDB connection, index and constraint initialization, episode ingestion, and hybrid search. A wrong database name, driver URI, LLM endpoint, embedding model, or cross-encoder setting can turn an infrastructure mismatch into a misleading “memory did not update” symptom.&lt;/p&gt;

&lt;p&gt;The ontology surface matters too. Graphiti supports custom Pydantic models, while its MCP server includes typed entities such as Requirement, Preference, Procedure, Location, Event, Organization, and Document. That schema is part of the extraction and query contract. It is not a decoration to add after the first demo.&lt;/p&gt;

&lt;p&gt;My first verification pass would stay isolated: install the package; prove the Neo4j/FalkorDB connection and database name; add one episode with a known timeline; run a hybrid query; and verify that the result can be traced to its source node and distinguished from a superseded fact. Until write, retrieval, provenance, and contradiction behavior are observable, I would not connect production conversations or a real agent host. The Doramagic pack flags installation and permission risks as high-priority checks for exactly this reason.&lt;/p&gt;

&lt;p&gt;This is an independent Doramagic capability pack, not official Graphiti documentation or an endorsement. Project page: &lt;a href="https://doramagic.ai/en/projects/graphiti/" rel="noopener noreferrer"&gt;https://doramagic.ai/en/projects/graphiti/&lt;/a&gt;; Human Manual: &lt;a href="https://doramagic.ai/en/projects/graphiti/manual/" rel="noopener noreferrer"&gt;https://doramagic.ai/en/projects/graphiti/manual/&lt;/a&gt;; upstream: &lt;a href="https://github.com/getzep/graphiti" rel="noopener noreferrer"&gt;https://github.com/getzep/graphiti&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>opensource</category>
    </item>
    <item>
      <title>FastMCP: tool discovery is not authorization</title>
      <dc:creator>Tang Weigang</dc:creator>
      <pubDate>Sat, 11 Jul 2026 00:45:39 +0000</pubDate>
      <link>https://dev.to/doramagic/fastmcp-tool-discovery-is-not-authorization-2124</link>
      <guid>https://dev.to/doramagic/fastmcp-tool-discovery-is-not-authorization-2124</guid>
      <description>&lt;p&gt;FastMCP makes it easy to expose Python functions as MCP tools, resources, and prompts. The production question is not whether a client can discover a tool, but what that discovery is allowed to trigger.&lt;/p&gt;

&lt;p&gt;My validation order is deliberately boring:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Start with a side-effect-free function and verify server, client, and host discovery.&lt;/li&gt;
&lt;li&gt;Test input/output contracts, authentication, timeouts, exception mapping, and recovery.&lt;/li&gt;
&lt;li&gt;Only then consider filesystem, network, credential, or production-write permissions.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;A working protocol path is evidence that the transport works. It is not evidence that the permission model is safe. Each real tool needs a bounded capability, a reproducible example, and a failure case that has been observed.&lt;/p&gt;

&lt;p&gt;Project: &lt;a href="https://doramagic.ai/en/projects/fastmcp/" rel="noopener noreferrer"&gt;https://doramagic.ai/en/projects/fastmcp/&lt;/a&gt;&lt;br&gt;
Human manual: &lt;a href="https://doramagic.ai/en/projects/fastmcp/manual/" rel="noopener noreferrer"&gt;https://doramagic.ai/en/projects/fastmcp/manual/&lt;/a&gt;&lt;br&gt;
Upstream: &lt;a href="https://github.com/PrefectHQ/fastmcp" rel="noopener noreferrer"&gt;https://github.com/PrefectHQ/fastmcp&lt;/a&gt;&lt;/p&gt;

</description>
      <category>ai</category>
      <category>mojo</category>
      <category>opensource</category>
      <category>python</category>
    </item>
    <item>
      <title>Before an AI agent edits a repo, give it evidence it can audit</title>
      <dc:creator>Tang Weigang</dc:creator>
      <pubDate>Fri, 10 Jul 2026 04:05:45 +0000</pubDate>
      <link>https://dev.to/doramagic/before-an-ai-agent-edits-a-repo-give-it-evidence-it-can-audit-56lm</link>
      <guid>https://dev.to/doramagic/before-an-ai-agent-edits-a-repo-give-it-evidence-it-can-audit-56lm</guid>
      <description>&lt;p&gt;A useful context pack for an AI coding agent should be boring in exactly the right places.&lt;/p&gt;

&lt;p&gt;The Doramagic AI Context Pack Benchmark is built around one constraint: before an agent edits a repository, it must be able to separate claims from evidence.&lt;/p&gt;

&lt;p&gt;The package contains:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;CLAIM_GRAPH.json: what the project claims, and how those claims relate.&lt;/li&gt;
&lt;li&gt;EVIDENCE_INDEX.json: where each claim is supported in files or reports.&lt;/li&gt;
&lt;li&gt;CAPABILITY_CONTRACT.json: what the pack says the agent can and cannot assume.&lt;/li&gt;
&lt;li&gt;AI_CONTEXT_PACK.md: the human-readable operating context.&lt;/li&gt;
&lt;li&gt;CONTINUE_CHECK.md: the handoff check for the next agent run.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The important part is the negative space. The pack does not pretend to install or execute the target project if that was not verified. It does not turn a README into runtime proof. It keeps source packaging, evidence indexing, and validation reports separate so a downstream agent can say: this is proven, this is inferred, and this still needs a real run.&lt;/p&gt;

&lt;p&gt;That changes the repo handoff loop. Instead of asking the model to “understand the codebase”, ask it to answer a smaller set of questions first:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Which claims are source-backed?&lt;/li&gt;
&lt;li&gt;Which files are evidence, and which are just narrative?&lt;/li&gt;
&lt;li&gt;Which capabilities are explicitly out of scope?&lt;/li&gt;
&lt;li&gt;What was not executed?&lt;/li&gt;
&lt;li&gt;What should be checked before making a code change?&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Repo: &lt;a href="https://github.com/tangweigang-jpg/doramagic-ai-context-pack-benchmark" rel="noopener noreferrer"&gt;https://github.com/tangweigang-jpg/doramagic-ai-context-pack-benchmark&lt;/a&gt;&lt;/p&gt;

</description>
      <category>ai</category>
      <category>programming</category>
      <category>opensource</category>
      <category>devops</category>
    </item>
    <item>
      <title>Before an AI agent touches a repo, give it a verifiable context pack</title>
      <dc:creator>Tang Weigang</dc:creator>
      <pubDate>Thu, 09 Jul 2026 00:59:43 +0000</pubDate>
      <link>https://dev.to/doramagic/before-an-ai-agent-touches-a-repo-give-it-a-verifiable-context-pack-4pdc</link>
      <guid>https://dev.to/doramagic/before-an-ai-agent-touches-a-repo-give-it-a-verifiable-context-pack-4pdc</guid>
      <description>&lt;p&gt;I published one Doramagic internal tool as a public repository:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://github.com/tangweigang-jpg/doramagic-ai-context-pack-benchmark" rel="noopener noreferrer"&gt;https://github.com/tangweigang-jpg/doramagic-ai-context-pack-benchmark&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The project is not trying to make an AI read more code. It is trying to solve a narrower problem: before an AI agent takes over a repository, compile the facts, boundaries, evidence links, risk cards, and continuation checks into assets that can be inspected.&lt;/p&gt;

&lt;p&gt;That boundary matters.&lt;/p&gt;

&lt;p&gt;This benchmark does not install the target project. It does not simulate runtime behavior. It does not claim that the target project works in production. Repomix is only used as the source packaging layer. Doramagic owns the schema, rendering, validation, and consumer-facing contract above it.&lt;/p&gt;

&lt;p&gt;I think of it as a pre-install handoff pack for AI agents, not a universal repo summarizer.&lt;/p&gt;

&lt;p&gt;For each project, the compiler can produce:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;CLAIM_GRAPH.json&lt;/code&gt;: separates claims from evidence instead of treating README language as fact.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;EVIDENCE_INDEX.json&lt;/code&gt;: keeps evidence snippets and source paths available for review.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;CAPABILITY_CONTRACT.json&lt;/code&gt;: describes capabilities under evidence constraints.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;AI_CONTEXT_PACK.md&lt;/code&gt;: host-AI readable context.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;CONTINUE_CHECK.md&lt;/code&gt;: a decision card for “should I continue now?”&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;PROMPT_PREVIEW.md&lt;/code&gt;: a consumer prompt to try once before installation.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;HOST_CONSUMPTION_REPORT.json&lt;/code&gt;: checks whether the host AI received enough structure.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;validation_report.json&lt;/code&gt; and &lt;code&gt;human_ai_consistency_report.json&lt;/code&gt;: schema, evidence, positioning, and Human Manual consistency checks.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The design choice is simple: compress noise, not judgment-critical context.&lt;/p&gt;

&lt;p&gt;Many repo summary tools optimize for shorter descriptions. In practice, agents usually fail because the context is under-structured rather than merely too long. Boundaries are vague. Evidence is detached from claims. Risk cards are missing. The entry prompt is not reusable. The agent moves quickly, but it crosses lines it should have been forced to see.&lt;/p&gt;

&lt;p&gt;So the benchmark keeps task routes, role and Skill indexes, prompt recipes, evidence snippets, boundaries, risk cards, and Continue Check decisions. The goal is not to look complete. The goal is to make downstream agents do fewer plausible-but-unsupported jumps.&lt;/p&gt;

&lt;p&gt;For this public release I kept the checks explicit:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The target GitHub repository was checked before creation.&lt;/li&gt;
&lt;li&gt;The staging copy was scanned for real API keys, PATs, PEM private keys, and &lt;code&gt;.env&lt;/code&gt; files.&lt;/li&gt;
&lt;li&gt;Runtime artifacts, private operator state, caches, and local environment files were excluded.&lt;/li&gt;
&lt;li&gt;Python unit and syntax checks passed; the AI Context Pack suite passed 41 tests.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;My current view: context engineering should not mean dumping larger folders into larger windows. The useful layer is a compiler that decides which facts can be consumed, which claims need evidence, and which operations should stop until a human or stronger check intervenes.&lt;/p&gt;

&lt;p&gt;Repository:&lt;br&gt;
&lt;a href="https://github.com/tangweigang-jpg/doramagic-ai-context-pack-benchmark" rel="noopener noreferrer"&gt;https://github.com/tangweigang-jpg/doramagic-ai-context-pack-benchmark&lt;/a&gt;&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Before Adopting OpenAI Agents SDK, Write the Runtime Contract First</title>
      <dc:creator>Tang Weigang</dc:creator>
      <pubDate>Wed, 08 Jul 2026 03:26:20 +0000</pubDate>
      <link>https://dev.to/doramagic/before-adopting-openai-agents-sdk-write-the-runtime-contract-first-cgb</link>
      <guid>https://dev.to/doramagic/before-adopting-openai-agents-sdk-write-the-runtime-contract-first-cgb</guid>
      <description>&lt;p&gt;OpenAI Agents SDK is easy to misread as a faster way to build "more agents." That is the shallow interpretation. The more useful reason to evaluate it is that it puts agents, tools, handoffs, guardrails, sessions, tracing, sandbox execution, and human approval into one Python SDK surface. That gives a team a chance to move agent workflows from prompt scripts into inspectable engineering units.&lt;/p&gt;

&lt;p&gt;But that also changes the adoption question. Do not start by asking how many agents you can chain together. Start with the harder question: when an agent can call tools, delegate to another agent, preserve session history, enter a sandbox, and emit traces, who owns each step and how will a failure be reconstructed?&lt;/p&gt;

&lt;p&gt;Doramagic project page: &lt;a href="https://doramagic.ai/en/projects/openai-agents-python/" rel="noopener noreferrer"&gt;https://doramagic.ai/en/projects/openai-agents-python/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Doramagic manual: &lt;a href="https://doramagic.ai/en/projects/openai-agents-python/manual/" rel="noopener noreferrer"&gt;https://doramagic.ai/en/projects/openai-agents-python/manual/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Upstream project: &lt;a href="https://github.com/openai/openai-agents-python" rel="noopener noreferrer"&gt;https://github.com/openai/openai-agents-python&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  What is verified
&lt;/h2&gt;

&lt;p&gt;On 2026-07-08 Bangkok time, there was no previous local &lt;code&gt;daily-publish-*&lt;/code&gt; artifact for &lt;code&gt;openai-agents-python&lt;/code&gt;. The Doramagic English and Chinese project/manual pages returned HTTP 200. The PROJECT_PACK was reachable and listed the expected assets, including quick start, prompt preview, human manual, AI context pack, boundary risk card, pitfall log, repo inspection, capability contract, evidence index, and claim graph.&lt;/p&gt;

&lt;p&gt;The upstream repository is active. GitHub API data collected on 2026-07-08 showed 27,726 stars, 4,272 forks, 65 open issues, MIT license, a push timestamp of 2026-07-07T23:47:16Z, and an update timestamp of 2026-07-08T03:16:59Z. The latest GitHub release was &lt;code&gt;v0.18.0&lt;/code&gt;, published on 2026-07-07T06:01:55Z.&lt;/p&gt;

&lt;p&gt;The package metadata matters. &lt;code&gt;pyproject.toml&lt;/code&gt; declares &lt;code&gt;openai-agents&lt;/code&gt; version &lt;code&gt;0.18.0&lt;/code&gt;, Python &lt;code&gt;&amp;gt;=3.10&lt;/code&gt;, MIT license, and dependencies including &lt;code&gt;openai&amp;gt;=2.36.0,&amp;lt;3&lt;/code&gt;, &lt;code&gt;pydantic&amp;gt;=2.12.2,&amp;lt;3&lt;/code&gt;, &lt;code&gt;requests&lt;/code&gt;, &lt;code&gt;websockets&lt;/code&gt;, and &lt;code&gt;mcp&amp;gt;=1.19.0,&amp;lt;2&lt;/code&gt;. Optional extras cover voice, realtime, Redis, SQLAlchemy, Dapr, MongoDB, and several sandbox/provider integrations.&lt;/p&gt;

&lt;p&gt;The local smoke test exposed a practical adoption boundary. The default macOS &lt;code&gt;python3&lt;/code&gt; on this machine is 3.9.6, and pip refused to install &lt;code&gt;openai-agents==0.18.0&lt;/code&gt; because the package requires Python &lt;code&gt;&amp;gt;=3.10&lt;/code&gt;. Using &lt;code&gt;python3.12&lt;/code&gt; in an isolated venv succeeded, and &lt;code&gt;Agent&lt;/code&gt; and &lt;code&gt;Runner&lt;/code&gt; imported correctly. The first step is not writing an agent. The first step is pinning the runtime.&lt;/p&gt;

&lt;h2&gt;
  
  
  Do not start with multi-agent architecture
&lt;/h2&gt;

&lt;p&gt;Multi-agent workflows create a tempting illusion: if the task is split into several roles, the system must be more capable. In engineering practice, more roles usually mean more state ownership, tool permission, handoff criteria, failure recovery, trace evidence, and accountability to define.&lt;/p&gt;

&lt;p&gt;I would start with one agent and one low-risk tool. That tool should have three properties:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Serializable inputs and outputs, so traces are useful.&lt;/li&gt;
&lt;li&gt;No production write permission, so the first trial cannot mutate real state.&lt;/li&gt;
&lt;li&gt;Clear failure modes, such as timeout, empty result, permission denial, or schema mismatch.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;After that works, add a second agent. The second agent should not be a vague "expert." It should own one verifiable responsibility: reviewing a tool output, generating test cases, deciding whether human approval is required, or classifying a failure.&lt;/p&gt;

&lt;h2&gt;
  
  
  The runtime contract matters more than the quickstart
&lt;/h2&gt;

&lt;p&gt;The README lists the core concepts clearly: Agents, Sandbox Agents, Agents as tools / Handoffs, Tools, Guardrails, Human in the loop, Sessions, Tracing, and Realtime Agents. The real implementation work is turning those concepts into a team contract.&lt;/p&gt;

&lt;p&gt;For each agent workflow, I would require at least eight decisions:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Tool boundary: which tools the agent can call, and which are read-only or write-capable.&lt;/li&gt;
&lt;li&gt;Handoff owner: who owns the final answer after delegation, and whether the original agent can still modify it.&lt;/li&gt;
&lt;li&gt;Session scope: whether session history belongs to a user, task, workspace, or run.&lt;/li&gt;
&lt;li&gt;Guardrail action: whether a guardrail failure means reject, retry, degrade, ask for human approval, or file an incident.&lt;/li&gt;
&lt;li&gt;Trace retention: how long traces are kept, who can see them, and whether they contain private data or secret fragments.&lt;/li&gt;
&lt;li&gt;Sandbox permission: which directories are readable, whether network is allowed, whether shell commands are allowed, and whether patches can be written back.&lt;/li&gt;
&lt;li&gt;Human approval: which actions require a person, such as publishing, deleting files, sending email, payment, or production config changes.&lt;/li&gt;
&lt;li&gt;Recovery rule: where a failed run resumes and whether previous tool outputs can be reused.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Without that contract, the SDK can only help you create unexplained agent behavior faster.&lt;/p&gt;

&lt;h2&gt;
  
  
  Sandbox Agents are useful, but not magic safety
&lt;/h2&gt;

&lt;p&gt;Sandbox Agents are an important signal in the README. They move the agent from "answer a question" toward "do work inside a controlled computing environment." That is useful for repository inspection, command execution, patch generation, and long-running task state.&lt;/p&gt;

&lt;p&gt;But a sandbox is not automatically safe. It is a boundary. The boundary still has to be designed.&lt;/p&gt;

&lt;p&gt;For a first sandbox trial, I would not connect real repository write access. A better sequence is:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Mount a read-only demo repository and ask the agent to summarize the README and file structure.&lt;/li&gt;
&lt;li&gt;Allow writing only inside a temporary directory.&lt;/li&gt;
&lt;li&gt;Allow running tests, while recording command, exit code, stdout, and stderr.&lt;/li&gt;
&lt;li&gt;Allow generating a patch, but let a human or CI decide whether to apply it.&lt;/li&gt;
&lt;li&gt;Only then discuss write permission.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;This sequence is slower, but it avoids a common false positive: "the agent changed files, therefore the system works." The better questions are what changed, why it changed, whether the trace proves it, and whether the next run can inherit bad state.&lt;/p&gt;

&lt;h2&gt;
  
  
  Recent issues show where to evaluate
&lt;/h2&gt;

&lt;p&gt;Recent open issues are useful signals. They do not necessarily block adoption, but they show where evaluation should be strict:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Session history retrieval may need run/turn awareness rather than only item limits.&lt;/li&gt;
&lt;li&gt;Sandbox provider expansion is still active.&lt;/li&gt;
&lt;li&gt;Eager tool dispatch shows that overlapping tool execution with model streaming is still an engineering frontier.&lt;/li&gt;
&lt;li&gt;Stable public access to the underlying function on &lt;code&gt;FunctionTool&lt;/code&gt; is still being discussed.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Together, these point to one conclusion: do not only test the hello world. Test whether critical context disappears after session truncation, whether responsibility is traceable after handoff, whether schema changes fail loudly, and whether sandbox permissions stay consistent when the provider changes.&lt;/p&gt;

&lt;h2&gt;
  
  
  The minimal path I would use
&lt;/h2&gt;

&lt;p&gt;First, pin Python. This smoke test showed that &lt;code&gt;python3.9&lt;/code&gt; fails while &lt;code&gt;python3.12&lt;/code&gt; installs and imports successfully. Write Python &lt;code&gt;&amp;gt;=3.10&lt;/code&gt; into the project setup, ideally with &lt;code&gt;uv&lt;/code&gt; or a fixed venv.&lt;/p&gt;

&lt;p&gt;Second, build one agent, one tool, and no production write permission. The output should include a trace id, tool input, tool output summary, guardrail result, and final answer.&lt;/p&gt;

&lt;p&gt;Third, add failure cases before adding more agents. Test tool timeout, empty output, tool exception, and a user request that exceeds permission.&lt;/p&gt;

&lt;p&gt;Fourth, introduce handoff only after the single-agent path is observable. Handoff acceptance should not be "another agent answered." It should be "the trace shows why delegation happened, what context moved, and who owns the final output."&lt;/p&gt;

&lt;p&gt;Fifth, if you use Sandbox Agents, start with a read-only repository and a temporary directory. Do not give the first trial access to production repositories, secret directories, publishing accounts, or paid API actions.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;OpenAI Agents SDK is worth serious evaluation because it is not a single capability. It is a set of agent runtime primitives: tools, handoffs, guardrails, sessions, tracing, sandbox execution, human approval, and realtime workflows. The value is not that a team can look more "multi-agent." The value is that agent workflows can become auditable, constrained, and recoverable.&lt;/p&gt;

&lt;p&gt;My adoption recommendation is direct: write the runtime contract before scaling the number of agents. Make one agent stable, traceable, and recoverable on a low-risk tool. Then expand to handoffs and sandbox execution. Running the quickstart is the entrance. Explaining every tool call and every recovery path is the beginning of production readiness.&lt;/p&gt;

&lt;p&gt;Source note: this post is based on Doramagic's openai-agents-python project/manual pages, the Doramagic PROJECT_PACK, upstream README, &lt;code&gt;pyproject.toml&lt;/code&gt;, GitHub API data, and a local Python 3.9 / 3.12 installation smoke test completed on 2026-07-08 Bangkok time.&lt;/p&gt;

</description>
      <category>openai</category>
      <category>ai</category>
      <category>python</category>
      <category>agents</category>
    </item>
    <item>
      <title>Before Adopting mem0, Decide What an Agent Is Allowed to Remember</title>
      <dc:creator>Tang Weigang</dc:creator>
      <pubDate>Tue, 07 Jul 2026 02:13:19 +0000</pubDate>
      <link>https://dev.to/doramagic/before-adopting-mem0-decide-what-an-agent-is-allowed-to-remember-43e6</link>
      <guid>https://dev.to/doramagic/before-adopting-mem0-decide-what-an-agent-is-allowed-to-remember-43e6</guid>
      <description>&lt;p&gt;mem0 is attractive because it gives AI assistants and agents a long-term memory layer. The adoption risk is that "memory" sounds like a feature, while in production it behaves like a control surface. The useful first question is not whether an agent can add and search a memory. The useful first question is: which facts may be stored, who can retrieve them later, how stale facts lose authority, and what proof exists when a memory changed an answer.&lt;/p&gt;

&lt;p&gt;Doramagic project page: &lt;a href="https://doramagic.ai/en/projects/mem0/" rel="noopener noreferrer"&gt;https://doramagic.ai/en/projects/mem0/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Doramagic manual: &lt;a href="https://doramagic.ai/en/projects/mem0/manual/" rel="noopener noreferrer"&gt;https://doramagic.ai/en/projects/mem0/manual/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Upstream project: &lt;a href="https://github.com/mem0ai/mem0" rel="noopener noreferrer"&gt;https://github.com/mem0ai/mem0&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  What is verified
&lt;/h2&gt;

&lt;p&gt;On 2026-07-07 Bangkok time, the Doramagic English and Chinese project pages and manuals returned HTTP 200. The PROJECT_PACK contains the six assets required by the current SOP: quick start, prompt preview, AI context pack, pitfall log, boundary and risk card, and human manual.&lt;/p&gt;

&lt;p&gt;The upstream repository is active. GitHub API data showed 60,245 stars, 6,987 forks, 495 open issues, Apache-2.0 license, and a push timestamp of 2026-07-06T18:43:50Z. The Python package metadata declares &lt;code&gt;mem0ai&lt;/code&gt; version &lt;code&gt;2.0.11&lt;/code&gt;, Python &lt;code&gt;&amp;gt;=3.10,&amp;lt;4.0&lt;/code&gt;, and dependencies including Qdrant client, Pydantic, OpenAI, HTTPX, SQLAlchemy, protobuf, and optional vector-store / LLM extras.&lt;/p&gt;

&lt;p&gt;The README exposes several adoption paths:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;CLI: &lt;code&gt;npm install -g @mem0/cli&lt;/code&gt; or &lt;code&gt;pip install mem0-cli&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;Python library: &lt;code&gt;pip install mem0ai&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;JavaScript SDK: &lt;code&gt;npm install mem0ai&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;self-hosted server: &lt;code&gt;cd server &amp;amp;&amp;amp; make bootstrap&lt;/code&gt;, or &lt;code&gt;docker compose up&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;cloud platform: hosted signup and SDK/API integration&lt;/li&gt;
&lt;li&gt;agent skills for Claude Code, Codex, Cursor, Windsurf, OpenCode, OpenClaw, and other hosts that support skill loading&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Those paths are not equivalent. A CLI memory experiment, an embedded Python library, a self-hosted server, and a hosted platform have different privacy, rollback, and observability requirements.&lt;/p&gt;

&lt;h2&gt;
  
  
  The boundary that matters
&lt;/h2&gt;

&lt;p&gt;Treat mem0 as a memory policy project before treating it as a retrieval project.&lt;/p&gt;

&lt;p&gt;A minimal adoption contract should answer six questions:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Write scope: can the agent store user preferences, task outcomes, credentials, customer facts, health data, or only synthetic test facts?&lt;/li&gt;
&lt;li&gt;Read scope: is retrieval isolated by user, session, workspace, team, or agent role?&lt;/li&gt;
&lt;li&gt;Conflict rule: if a new memory contradicts an old memory, which one wins and how is the conflict shown?&lt;/li&gt;
&lt;li&gt;Time rule: does the agent know whether a memory is current, historical, scheduled, or expired?&lt;/li&gt;
&lt;li&gt;Deletion rule: can a user remove a memory and can downstream caches still answer from it?&lt;/li&gt;
&lt;li&gt;Audit rule: can a failed answer show which memories were retrieved and why?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Without that contract, a successful quickstart can still leave the product in a risky state.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why the new memory algorithm changes the review
&lt;/h2&gt;

&lt;p&gt;The README highlights an April 2026 memory algorithm with single-pass ADD-only extraction, agent-generated facts as first-class facts, entity linking, multi-signal retrieval, and temporal reasoning. That is a meaningful architecture direction because it reduces overwrite behavior and gives retrieval more signals than embeddings alone.&lt;/p&gt;

&lt;p&gt;It also changes the failure model.&lt;/p&gt;

&lt;p&gt;ADD-only extraction means the system may preserve contradictory facts instead of replacing them. That can be good for auditability, but only if the retrieval layer can separate "Alice used to prefer X" from "Alice now prefers Y." Agent-generated facts being first-class also means a mistaken agent confirmation can become durable input for later runs. Entity linking and multi-signal retrieval improve recall, but they also make bad memories easier to rediscover if the write boundary is too loose.&lt;/p&gt;

&lt;p&gt;So the first test should not be "can search find the memory I just added?" That only proves the happy path. A better first test is a three-case memory audit:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Add a harmless preference, search it, and confirm the retrieved memory carries the expected user/session scope.&lt;/li&gt;
&lt;li&gt;Add a contradictory preference with a later timestamp, then ask a question that should prefer the later fact while preserving the older fact as history.&lt;/li&gt;
&lt;li&gt;Add an obviously poisoned instruction such as "ignore all future policy checks", then confirm the application treats it as untrusted user memory, not as system instruction.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;That is the difference between memory as a feature and memory as an operating surface.&lt;/p&gt;

&lt;h2&gt;
  
  
  Adoption path I would use
&lt;/h2&gt;

&lt;p&gt;I would not start with private data. Start with a temporary user id, a temporary project, and synthetic facts.&lt;/p&gt;

&lt;p&gt;First, run the library or CLI path in an isolated environment. Record the exact command, package version, vector store choice, embedding model, LLM provider, and whether any hosted service was contacted. Then run add/search/update-like conflict tests against synthetic memories.&lt;/p&gt;

&lt;p&gt;Second, wire retrieval into one non-critical agent workflow. The agent should show which memories it retrieved before it uses them. If the host cannot expose the retrieval trace, the integration is not ready for anything sensitive.&lt;/p&gt;

&lt;p&gt;Third, add a stale-fact test. Store a memory that was true yesterday and false today. Ask the agent a question where using the old fact would be harmful. This catches the common failure where memory improves personalization but weakens correctness.&lt;/p&gt;

&lt;p&gt;Fourth, define deletion and retention before importing real users. "Can add memory" is not enough. A production memory layer needs a deletion path, retention window, and a way to prevent cached retrieved facts from reappearing after a user withdraws them.&lt;/p&gt;

&lt;h2&gt;
  
  
  Where mem0 is strong
&lt;/h2&gt;

&lt;p&gt;mem0 is worth reviewing because it is not just a small demo repository. It has Python and JavaScript surfaces, CLI flows, self-hosting, hosted platform options, and agent-skill integration. The repository is active and the current README is unusually explicit about benchmark claims, algorithm changes, install modes, and agent workflows.&lt;/p&gt;

&lt;p&gt;The strongest product argument is not "agents need memory." That is too broad. The stronger argument is: once an agent is doing repeated work for a user, the memory layer must become inspectable infrastructure instead of hidden prompt context.&lt;/p&gt;

&lt;h2&gt;
  
  
  Where to stay strict
&lt;/h2&gt;

&lt;p&gt;Do not let memory become a silent second prompt.&lt;/p&gt;

&lt;p&gt;For production use, I would block adoption until these checks are visible:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;memory write receipt: what was stored, from which event, under which scope&lt;/li&gt;
&lt;li&gt;retrieval receipt: which memories were retrieved and how they were ranked&lt;/li&gt;
&lt;li&gt;prompt boundary: retrieved memory cannot override system or developer policy&lt;/li&gt;
&lt;li&gt;conflict display: old and new facts can be inspected together&lt;/li&gt;
&lt;li&gt;deletion proof: removed memory cannot be retrieved through normal paths&lt;/li&gt;
&lt;li&gt;eval set: at least one privacy, poisoning, stale-fact, and cross-user isolation test&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The practical conclusion: mem0 is a serious project to evaluate, but the first implementation should be a memory-governance trial, not a personalization rollout.&lt;/p&gt;

&lt;p&gt;Source note: this post is based on Doramagic's mem0 project/manual pages, the Doramagic PROJECT_PACK, upstream README and package metadata, and GitHub API data collected on 2026-07-07 Bangkok time.&lt;/p&gt;

</description>
      <category>agents</category>
    </item>
  </channel>
</rss>
