# zettelforge

> Agentic memory for CTI in Python — STIX knowledge graphs, threat-actor alias resolution, offline-first RAG, MCP server for Claude Code and LangChain agents

- **URL**: https://www.freshcrate.ai/projects/zettelforge
- **Author**: rolandpg
- **Category**: MCP Servers
- **Latest version**: `packages-v0.1.0` (2026-05-26)
- **License**: MIT
- **Source**: https://github.com/rolandpg/zettelforge
- **Homepage**: https://threatrecall.ai
- **Language**: Python
- **GitHub**: 25 stars, 4 forks
- **Registry**: github (`rolandpg/zettelforge`)
- **Tags**: `agentic-memory`, `ai-agent`, `claude-code`, `cti`, `cybersecurity`, `knowledge-graph`, `langchain`, `llm`, `python`

## Description

Agentic memory for CTI in Python — STIX knowledge graphs, threat-actor alias resolution, offline-first RAG, MCP server for Claude Code and LangChain agents

## Recent releases

| Version | Date | Urgency | Changes |
| --- | --- | --- | --- |
| `packages-v0.1.0` | 2026-05-26 | High | Release tag for packages v0.1.0. |
| `v2.7.0` | 2026-05-26 | High | ## ZettelForge v2.7.0  Security-focused release adding write-time MemSAD memory defenses with audit, block, and quarantine modes; governance.memory_defense configuration; RFC-017 threat model and rollout plan; telemetry actor/caller compatibility; and regression coverage.  Validation before release: - Local full suite: 742 passed, 13 skipped - GitHub protected checks: CI, Snyk Security, lint, pip-audit, governance, Python 3.12/3.13 tests, package build - Package build and twine check passed for |
| `v2.6.2` | 2026-04-27 | High | UI/UX release. Fixes the `/config` page so the Apply button actually works and surfaces enum-style settings as dropdowns instead of free-text inputs. No data migration. No config changes. No API contract changes.  ## Fixed  - **`/config` "Save Changes" button is no longer dead.** The Quick Settings panel called `saveConfigForm()` and `reloadConfig()` — neither function was defined anywhere, so the button silently no-op'd and the panel rendered "Loading schema..." forever. Replaced with a real fo |
| `v2.4.1` | 2026-04-24 | High | **Operational telemetry (RFC-007), SQLite backend fixes, and TypeDB authentication hardening.**  ## Added  - **Operational telemetry (RFC-007)** ([#85](https://github.com/rolandpg/zettelforge/pull/85)) — new per-query metrics stream at `~/.amem/telemetry/telemetry_YYYY-MM-DD.jsonl` when `ZETTELFORGE_LOG_LEVEL=DEBUG`. Five shipped components:   - **`TelemetryCollector`** class with `start_query` / `log_recall` / `log_synthesis` / `log_feedback` / `auto_feedback_from_synthesis`. INFO/DEBUG-gated f |
| `v2.4.0` | 2026-04-19 | High | **Detection-rules-as-memory, MCP Registry publication, SQLite concurrency hardening, test-suite hygiene, and brand/docs polish.**  ## Added - **Sigma + YARA as first-class memory entities** with LLM rule explainer ([#70](https://github.com/rolandpg/zettelforge/pull/70)) - **Detection Rules as Memory** README section ([#74](https://github.com/rolandpg/zettelforge/pull/74)) - **MCP Registry publication infra** — \`server.json\` and PyPI \`mcp-name\` tag so ZettelForge can be published to [registry |
| `v2.3.0` | 2026-04-17 | High | ## [2.3.0] - 2026-04-17  Pluggable LLM provider infrastructure (RFC-002 Phase 1), MCP server as a first-class Python module, PyPI discoverability refresh, SEO foundations across the docs site, and a full docs-vs-code reconciliation. All additions are backward-compatible; no existing API changes. Supersedes the never-tagged 2.2.1 metadata patch — its PyPI classifier / keyword / image-URL changes are folded in below.  ### Added  - **Pluggable LLM provider infrastructure (RFC-002 Phase 1)** — new |
| `v2.2.0` | 2026-04-16 | High | ## What's New  **SQLite is now the default storage backend.** Zero-config, ACID guarantees, WAL mode. LanceDB stays for vector search. No Docker, no TypeDB, no external services required.  ### Highlights  - **SQLite default backend** — `StorageBackend` ABC (33 methods), `SQLiteBackend` (700+ lines), backend factory with auto-detection. Migration script for existing JSONL data. - **Causal chain retrieval** — Fixed critical bug where all LLM-extracted causal edges were invisible. Added reverse tra |
| `v2.1.1` | 2026-04-15 | High | ## What's New  ### Production Blockers Fixed - O(n) supersession scan replaced with O(E) entity index lookup - File locking on all JSONL writes (fcntl) - SQL injection sanitized (5 sites in VectorMemory) - LanceDB dedup guard prevents ghost rows - Entity index invalidated on supersession  ### Performance - Dual-stream write: remember() returns in ~45ms (was 700-3500ms) - Async entity index saves (5-second write-behind) - KG JSONL compaction added to rebuild_index.py - Batched access_count persis |
| `v2.1.0` | 2026-04-12 | Medium | <html> <body> <!--StartFragment--><div class="markdown-heading" dir="auto" style="box-sizing: border-box; position: relative; color: rgb(255, 255, 255); font-family: &quot;Mona Sans VF&quot;, -apple-system, BlinkMacSystemFont, &quot;Segoe UI&quot;, &quot;Noto Sans&quot;, Helvetica, Arial, sans-serif, &quot;Apple Color Emoji&quot;, &quot;Segoe UI Emoji&quot;; font-size: 16px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; |

## Citation

- HTML: https://www.freshcrate.ai/projects/zettelforge
- Markdown: https://www.freshcrate.ai/projects/zettelforge.md
- Dependencies JSON: https://www.freshcrate.ai/api/projects/zettelforge/deps

_Generated by freshcrate.ai. Indexes github releases for AI-agent ecosystem packages._