feat: Release v3.5.0 - Memory API Security Hardening

## Security Hardening
- Input validation for pattern IDs, agent IDs, and classifications
  - Prevents path traversal attacks (../, ..\)
  - Validates format with regex patterns
  - Rejects null bytes and dangerous characters
- API Key authentication (Bearer token or X-API-Key header)
  - Set via --api-key CLI flag or EMPATHY_MEMORY_API_KEY env var
  - Constant-time comparison using SHA-256 hash
- Rate limiting (default: 100 requests/minute per IP)
  - Configurable via --rate-limit and --no-rate-limit CLI flags
  - Returns X-RateLimit-Remaining and X-RateLimit-Limit headers
- HTTPS support via --ssl-cert and --ssl-key CLI flags
- CORS restricted to localhost by default (configurable via --cors-origins)
- Request body size limit (1MB) prevents DoS attacks

## Memory Control Panel
- View Patterns button displays pattern list with classification badges
- Project-level auto_start_redis config in empathy.config.yml
- Visual feedback for button actions (Check Status, Export)
- Fixed config key mismatch (empathyMemory → empathy.memory)
- Fixed API response parsing for Redis status display

## Tests
- Added 37 unit tests for security features
  - Input validation, rate limiting, API key auth tests

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

Author: 2 people

CHANGELOG.md

@@ -5,7 +5,54 @@ All notable changes to the Empathy Framework will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased]
+## [3.5.0] - 2025-12-29
+
+### Added
+
+- Memory Control Panel: View Patterns button now displays pattern list with classification badges
+- Memory Control Panel: Project-level `auto_start_redis` config option in `empathy.config.yml`
+- Memory Control Panel: Visual feedback for button actions (Check Status, Export show loading states)
+- Memory Control Panel: "Check Status" button for manual status refresh (renamed from Refresh)
+- VSCode Settings: `empathy.memory.autoRefresh` - Enable/disable auto-refresh (default: true)
+- VSCode Settings: `empathy.memory.autoRefreshInterval` - Refresh interval in seconds (default: 30)
+- VSCode Settings: `empathy.memory.showNotifications` - Show operation notifications (default: true)
+
+### Security
+
+**Memory API Security Hardening** (v2.2.0)
+
+- **Input Validation**: Pattern IDs, agent IDs, and classifications are now validated on both client and server
+  - Prevents path traversal attacks (`../`, `..\\`)
+  - Validates format with regex patterns
+  - Length bounds checking (3-64 chars)
+  - Rejects null bytes and dangerous characters
+- **API Key Authentication**: Optional Bearer token or X-API-Key header authentication
+  - Set via `--api-key` CLI flag or `EMPATHY_MEMORY_API_KEY` environment variable
+  - Constant-time comparison using SHA-256 hash
+- **Rate Limiting**: Per-IP rate limiting (default: 100 requests/minute)
+  - Configurable via `--rate-limit` and `--no-rate-limit` CLI flags
+  - Returns `X-RateLimit-Remaining` and `X-RateLimit-Limit` headers
+- **HTTPS Support**: Optional TLS encryption
+  - Set via `--ssl-cert` and `--ssl-key` CLI flags
+- **CORS Restrictions**: CORS now restricted to localhost by default
+  - Configurable via `--cors-origins` CLI flag
+- **Request Body Size Limit**: 1MB limit prevents DoS attacks
+- **TypeScript Client**: Added input validation matching backend rules
+
+### Fixed
+
+- Memory Control Panel: Fixed config key mismatch (`empathyMemory` → `empathy.memory`) preventing settings from loading
+- Memory Control Panel: Fixed API response parsing for Redis status display
+- Memory Control Panel: Fixed pattern statistics not updating correctly
+- Memory Control Panel: View Patterns now properly displays pattern list instead of just count
+
+### Tests
+
+- Added 37 unit tests for Memory API security features
+  - Input validation tests (pattern IDs, agent IDs, classifications)
+  - Rate limiter tests (limits, window expiration, per-IP tracking)
+  - API key authentication tests (enable/disable, env vars, constant-time comparison)
+  - Integration tests for security features
 
 ---
 

empathy.config.yml

@@ -1,5 +1,5 @@
 # Empathy Framework Configuration
-# Generated by Initialize Wizard on 2025-12-28T20:24:33.996Z
+# Generated by Initialize Wizard on 2025-12-29T05:50:14.865Z
 
 # Primary LLM provider
 provider: google
@@ -18,11 +18,55 @@ workflows:
   # Enable XML-structured outputs for workflows
   xml_enhanced: true
 
+# =============================================================================
+# COMPLIANCE MODE & PII SCRUBBING
+# =============================================================================
+# Choose from: "standard" (default) or "hipaa" (healthcare)
+#
+# standard mode:
+#   - PII scrubbing: DISABLED by default
+#   - All workflows enabled (test-gen, code-review, etc.)
+#   - Audit level: standard
+#
+# hipaa mode (for healthcare applications):
+#   - PII scrubbing: ENABLED by default (HIPAA-compliant data handling)
+#   - Audit level: hipaa (enhanced logging for compliance)
+#   - 90-day data retention policies enforced
+#
+compliance_mode: standard
+
+# =============================================================================
+# PII SCRUBBING (Security Feature)
+# =============================================================================
+# PII scrubbing removes sensitive data (SSNs, emails, medical records, etc.)
+# from LLM prompts and responses.
+#
+# - In standard mode: disabled by default (opt-in below)
+# - In hipaa mode: enabled by default (required for compliance)
+#
+# To enable PII scrubbing without full HIPAA mode, uncomment:
+# pii_scrubbing_enabled: true
+
+# =============================================================================
+# WORKFLOW CONTROLS
+# =============================================================================
+# All workflows are enabled by default, including test-gen.
+# Use disabled_workflows to turn off specific workflows:
+#
+# disabled_workflows:
+#   - bug-predict
+#   - perf-audit
+
+# Audit logging level: "standard", "enhanced", or "hipaa"
+# audit_level: standard
+
 # Memory settings
 memory:
   # Enable Redis-backed short-term memory
   enabled: true
   redis_url: redis://localhost:6379
+  # Auto-start Redis when Memory panel opens (project-level setting)
+  auto_start_redis: true
 
 # Telemetry settings
 telemetry:

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "empathy-framework"
-version = "3.4.0"
+version = "3.5.0"
 description = "AI collaboration framework with persistent memory, anticipatory intelligence, code inspection, and multi-agent orchestration"
 readme = {file = "README.md", content-type = "text/markdown"}
 requires-python = ">=3.10"
@@ -379,6 +379,8 @@ branch = true
 precision = 2
 show_missing = true
 skip_covered = false
+# Coverage threshold - increase as tests improve (target: 75%)
+fail_under = 40
 exclude_lines = [
     "pragma: no cover",
     "def __repr__",