Skip to content

Add the Atlaso Memory plugin#157

Open
imashishkh21 wants to merge 2 commits into
cursor:mainfrom
imashishkh21:add-atlaso-plugin
Open

Add the Atlaso Memory plugin#157
imashishkh21 wants to merge 2 commits into
cursor:mainfrom
imashishkh21:add-atlaso-plugin

Conversation

@imashishkh21

@imashishkh21 imashishkh21 commented Jul 15, 2026

Copy link
Copy Markdown

Add the Atlaso Memory plugin

Adds Atlaso (atlaso/) — automatic long-term memory for Cursor. It recalls what
you've decided and remembers what matters across sessions, projects, and tools, so the
agent starts each session with the relevant context instead of a blank slate.

Homepage: atlaso.ai · Source: atlaso-labs/cursor

What it adds

Component
Hooks sessionStart recalls relevant notes into a rules file; stop/sessionEnd capture the exchange. The automatic loop, zero model involvement.
MCP server (atlaso) 5 tools — recall, remember, forget, recent, status — for deliberate moves.
Rule (alwaysApply, with frontmatter) Orients the agent: treat recall as known context.
Skill Curation judgment — what's worth keeping, personal vs project.

Self-contained — no external binary

The MCP server is lib/mcp.ts, which ships inside the plugin and runs on the bun
Cursor already provides (bun run ${CURSOR_PLUGIN_ROOT}/lib/mcp.ts). There is no
unpublished CLI or npm package to install
— the whole plugin is self-contained and
works on a fresh machine. Rule has valid description + alwaysApply frontmatter; the
skill has name + description; rule and skill are distinct (orientation vs judgment).

Privacy (a memory plugin should be explicit here)

  • Secrets are scrubbed on the user's machine before anything is sent — API keys,
    tokens, and credentialed URLs are redacted client-side (regex + entropy), and again
    server-side.
  • Per-tool credentials. The plugin holds its own token, so removing it revokes only
    Cursor — nothing else on the machine.
  • Fails open. If memory is unreachable, Cursor works exactly as usual — capture and
    recall never block or break a turn.
  • Users own their data and can view/delete any memory at
    app.atlaso.ai/dashboard.

Validation

  • Passes node scripts/validate-plugins.mjs (marketplace + plugin manifests).
  • The plugin is covered by 100+ unit tests plus an offline end-to-end harness in the
    source repo.

Maintained by Atlaso Labs (we ship the same memory for Claude Code, Codex, and
Antigravity). Happy to make any changes the team would like. Contact: hello@atlaso.ai


Note

Medium Risk
New third-party plugin runs hooks on every session/turn and can send scrubbed conversation excerpts to an external service; mitigations (fail-open, client redaction, per-tool creds) are explicit but warrant privacy/security review.

Overview
Adds a new Atlaso Memory marketplace plugin (atlaso/) plus a listing in .cursor-plugin/marketplace.json, giving Cursor automatic long-term memory backed by Atlaso’s cloud API.

Automatic loop (hooks): On sessionStart, recall.ts fetches memories and writes .cursor/rules/atlaso-recall.mdc (workaround for broken additional_context). On beforeSubmitPrompt / afterAgentResponse it stashes the turn; on stop / sessionEnd, capture.ts gates, scrubs secrets, scopes personal vs project, and deposits to the brain. First run can spawn a detached PKCE device-auth flow (connect.ts). Hooks always exit 0 so memory never blocks a session.

Deliberate control: Bundled stdio MCP server (lib/mcp.ts via mcp.json) exposes recall, remember, forget, recent, and status, sharing the same per-tool credential as the hooks. An alwaysApply rule and memory skill orient the agent and curation judgment; AGENTS.md mirrors the rule.

Client stack: Bun/TypeScript thin client (lib/atlaso.ts, credential mint under flock, entitlement cache, project keys from git origin, transcript fallbacks). Per-tool tokens at ~/.atlaso/tools/cursor.json; revokes only on verified x-atlaso-response from Atlaso’s server. v1 is online-first (no offline outbox).

Reviewed by Cursor Bugbot for commit cfe62fe. Bugbot is set up for automated code reviews on this repo. Configure here.

Automatic long-term memory for Cursor: recall + capture hooks, the self-contained
atlaso MCP server (recall/remember/forget/recent/status), a usage rule, and a
curation skill. Client-side secret scrub, per-tool credentials, fails open.
Passes scripts/validate-plugins.mjs.

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using high effort and found 15 potential issues.

Fix All in Cursor

Bugbot Autofix is ON, but it could not run because the branch was deleted or merged before autofix could start.

Reviewed by Cursor Bugbot for commit 19e8f32. Configure here.

Comment thread atlaso/lib/atlaso.ts
const results = Array.isArray(data.results) ? data.results : [];
const row = results.find((r: any) => r?.client_id === client_id) ?? results[0];
return row?.id ?? client_id; // durable server id when settled, else the idempotency key
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remember skips client scrub

High Severity · Security Issue

The remember function sends raw text to the brain without client-side scrubbing, unlike auto-capture. This allows secrets like API keys and tokens to be exfiltrated, violating the plugin's on-device scrubbing guarantee.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 19e8f32. Configure here.

Comment thread atlaso/lib/mcp.ts
return { results: results.map((r) => ({ id: r.id, content: r.content })) };
}
case "recent":
return { memories: await recent(auth, Number(args?.limit ?? 10)) };

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MCP leaks cross-project memory

High Severity · Logic Bug

The recall and recent MCP tools omit project-specific filtering and visibleInProject checks. This can expose project-scoped memories from one repository within another, a behavior that differs from how these memories are handled elsewhere.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 19e8f32. Configure here.

Comment thread atlaso/lib/connect.ts
token: string,
user_id: string,
device_id: string | null,
): string {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ambiguous auth write arguments

Medium Severity · Bugbot Rules

writeAuth takes multiple consecutive string arguments (server, token, user_id, and nullable device_id). Call sites can swap token and user_id without a TypeScript error, which would persist a malformed credential. This violates the review rule that same-type parameters must use a named-args object.

Additional Locations (1)
Fix in Cursor Fix in Web

Triggered by team rule: No ambiguous args at callsite in typescript

Reviewed by Cursor Bugbot for commit 19e8f32. Configure here.

Comment thread atlaso/lib/credential.ts
return (
!!a.server && !!a.user_id && !!a.device_id &&
a.server === b.server && a.user_id === b.user_id && a.device_id === b.device_id
);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Null device blocks credential reuse

High Severity · Logic Bug

The sameIdentity function requires device_id to be truthy for both credentials, but the connect process can persist device_id: null. This causes sameIdentity to incorrectly fail, treating valid tool credentials as foreign. Consequently, resolveCredential repeatedly clears and re-mints tool tokens, leading to increased latency and unnecessary token churn.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 19e8f32. Configure here.

Comment thread atlaso/lib/connect.ts
detached: true,
env: { ...process.env, ATLASO_TOOL: tool },
}).unref();
return true;

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Spawn error leaves connect lock

Medium Severity · Logic Bug

maybeAutoconnect and openBrowser spawn child processes without handling asynchronous error events. If spawn fails (e.g., command not found), the try/catch block is bypassed, leaving the .connecting lock unreleased and blocking subsequent autoconnect attempts until its TTL expires. This can also lead to uncaught errors during authorization.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 19e8f32. Configure here.

Comment thread atlaso/lib/mcp.ts
case "status": {
const h = await health(auth);
return { connected: true, fmi: h?.fmi ?? null, total: h?.deposit_count ?? null };
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Status ignores failed health

Medium Severity · Logic Bug

The MCP status tool always returns connected: true even when health() returns null after a network or API failure. There is no check of the health result, so the agent is told memory is connected while fmi and total are null and the brain is actually unreachable.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 19e8f32. Configure here.

Comment thread atlaso/lib/pending.ts
if (!name.endsWith(".json")) continue;
const full = join(dir, name);
try {
if (now - statSync(full).mtimeMs > STALE_MS) rmSync(full, { force: true });

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Prune drops active turn stash

Medium Severity · Logic Bug

takePending runs prune() before reading the current conversation’s stash, and prune deletes any *.json older than one hour by mtime—including the file about to be read. Long turns that only stashed via beforeSubmitPrompt (no later afterAgentResponse refresh) can lose the pending user text and workspace before deposit, so capture falls back or skips entirely.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 19e8f32. Configure here.

Comment thread atlaso/hooks/capture.ts
if (scope === "project" && pk) tags.push(`project:${pk}`);

const item: DepositItem = {
client_id: turnKey(scrubbedUser, scope, scope === "project" ? pk : null),

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Divergent project keys duplicate deposits

Medium Severity · Logic Bug

stop often deposits with pending.ws from prompt time, while a later sessionEnd with an empty stash falls back to workspaceRoot(payload) (and possibly transcript text). turnKey includes the project key, so when those workspace resolutions disagree the same turn gets two different client_ids and server-side dedupe does not collapse them.

Additional Locations (2)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 19e8f32. Configure here.

Comment thread atlaso/lib/connect.ts
return false;
}
}
return false;

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Connect lock expires mid-authorize

Medium Severity · Potential Edge Case

The .connecting lock is written once and never refreshed, while waitForCode can wait for the server’s expires_in (default 10 minutes, but not capped to the 15-minute lock TTL). After the TTL, another sessionStart can reclaim the lock and spawn a second browser authorize flow concurrently with the first.

Additional Locations (1)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 19e8f32. Configure here.

Comment thread atlaso/hooks/hooks.json
{
"command": "bun run ${CURSOR_PLUGIN_ROOT}/hooks/capture.ts",
"timeout": 30
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hook timeouts undercut network budget

Medium Severity · Logic Bug

sessionStart is capped at 20s and stop at 30s, but a cold path can run entitlement, tool claim, credential exchange, then recall+recent or deposit sequentially—each already bounded at 8–15s. Cursor can kill the hook before atlaso-recall.mdc is written or before a deposit finishes, so first-session recall and slow-link capture fail silently even though the client’s own fetches would still be in flight.

Additional Locations (2)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 19e8f32. Configure here.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant