Changelog

Notable changes in each Sugar release.

v3.9.1 - April 9, 2026

Security fixes, documentation overhaul, and new positioning as an autonomous issue resolution tool.

Security

• Fix SQL injection via dynamic column names in WorkQueue.update_work()
• Fix grep flag injection in MCP _search_codebase
• Fix shell injection in HookExecutor task field substitutions

Fixed

• Add missing thread locks to MemoryStore.list_memories, count, and prune_expired
• Replace silent exception swallowing with logger.warning() for vector deletion and unknown memory types
• Fix .gitignore duplicate entries

Changed

• Pin all dependencies to exact versions
• New positioning: "Autonomous issue resolution for AI-assisted development"

Added

• Architecture.md - contributor-focused architecture overview with system diagram
• Workflow examples - security auto-fix, bug triage, test coverage, code quality, feature development
• Document hold, release, logs, and opencode CLI commands

Removed

• Unused billing module

v3.9.0 - March 17, 2026

Global memory layer and concurrency fixes.

Added

• Global memory store at ~/.sugar/memory.db for cross-project knowledge
• New guideline memory type for standards that apply everywhere
• --global flag for remember, recall, memories, forget, and memory-stats
• sugar://global/guidelines MCP resource
• Project-first tiered search strategy with reserved guideline slots

Fixed

• Six concurrency fixes across storage layer and core loop
• Thread-safety improvements for subagent manager, issue response manager, and work queue

v3.8.0 - January 22, 2026

Goose integration guide and improved MCP setup.

Added

• Dedicated Goose integration guide
• Goose setup instructions in README, installation guide, and quick start

v3.7.0 and earlier

See the full changelog on GitHub for earlier releases.