@awareness-sdk/local 0.1.3 → 0.1.5

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@awareness-sdk/local",
-  "version": "0.1.3",
+  "version": "0.1.5",
   "description": "Local-first AI agent memory system. No account needed.",
   "license": "Apache-2.0",
   "type": "module",

package/src/core/cloud-sync.mjs

@@ -475,6 +475,12 @@ export class CloudSync {
 
       res.on('data', (chunk) => {
         buffer += chunk;
+        // SECURITY C7: Cap SSE buffer to prevent unbounded memory growth
+        if (buffer.length > 1024 * 1024) {
+          console.warn(`${LOG_PREFIX} SSE buffer overflow (>1MB) — dropping`);
+          buffer = '';
+          return;
+        }
         const { parsed, remainder } = parseSSE(buffer);
         buffer = remainder;
 

package/src/core/config.mjs

@@ -181,7 +181,10 @@ export function initLocalConfig(projectDir) {
   config.device.id = deviceId;
   config.device.name = deviceName;
 
-  fs.writeFileSync(configPath, JSON.stringify(config, null, 2), 'utf-8');
+  // SECURITY C6: Atomic write (tmp+rename) to prevent corruption on crash
+  const tmpPath = configPath + '.tmp';
+  fs.writeFileSync(tmpPath, JSON.stringify(config, null, 2), 'utf-8');
+  fs.renameSync(tmpPath, configPath);
   return config;
 }
 
@@ -235,9 +238,11 @@ export function saveCloudConfig(projectDir, { apiKey, memoryId, apiBase }) {
   }
 
   const configPath = getConfigPath(projectDir);
-  // Ensure dirs exist before writing
   ensureLocalDirs(projectDir);
-  fs.writeFileSync(configPath, JSON.stringify(config, null, 2), 'utf-8');
+  // SECURITY C6: Atomic write
+  const tmpPath = configPath + '.tmp';
+  fs.writeFileSync(tmpPath, JSON.stringify(config, null, 2), 'utf-8');
+  fs.renameSync(tmpPath, configPath);
 
   return config;
 }
@@ -283,6 +288,8 @@ function deepClone(obj) {
  */
 function deepMerge(target, source) {
   for (const key of Object.keys(source)) {
+    // SECURITY H7: Prevent prototype pollution
+    if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
     const srcVal = source[key];
     const tgtVal = target[key];
 

package/src/core/indexer.mjs

@@ -634,13 +634,21 @@ export class Indexer {
    *
    * @param {number} [limit=5]
    */
-  getOpenTasks(limit = 5) {
+  getOpenTasks(limit = 0) {
+    if (limit > 0) {
+      return this.db
+        .prepare(
+          `SELECT * FROM tasks WHERE status = 'open'
+           ORDER BY created_at DESC LIMIT ?`
+        )
+        .all(limit);
+    }
     return this.db
       .prepare(
         `SELECT * FROM tasks WHERE status = 'open'
-         ORDER BY created_at DESC LIMIT ?`
+         ORDER BY created_at DESC`
       )
-      .all(limit);
+      .all();
   }
 
   /**

package/src/core/knowledge-extractor.mjs

@@ -154,7 +154,18 @@ export class KnowledgeExtractor {
       }
     }
 
-    return { cards, tasks, risks };
+    // Collect completed_tasks for auto-completion processing
+    const completedTasks = [];
+    if (insights.completed_tasks) {
+      for (const ct of insights.completed_tasks) {
+        const taskId = (ct.task_id || '').trim();
+        if (taskId) {
+          completedTasks.push({ task_id: taskId, reason: ct.reason || '' });
+        }
+      }
+    }
+
+    return { cards, tasks, risks, completedTasks };
   }
 
   // -------------------------------------------------------------------------
@@ -480,6 +491,26 @@ export class KnowledgeExtractor {
     }
 
     await Promise.all(promises);
+
+    // Auto-complete tasks identified by the LLM
+    if (result.completedTasks && this.indexer) {
+      for (const ct of result.completedTasks) {
+        try {
+          const existing = this.indexer.db
+            .prepare('SELECT * FROM tasks WHERE id = ?')
+            .get(ct.task_id);
+          if (existing && existing.status !== 'done') {
+            this.indexer.indexTask({
+              ...existing,
+              status: 'done',
+              updated_at: new Date().toISOString(),
+            });
+          }
+        } catch (err) {
+          console.warn(`[KnowledgeExtractor] Failed to auto-complete task ${ct.task_id}:`, err.message);
+        }
+      }
+    }
   }
 
   /**

package/src/daemon.mjs

@@ -50,23 +50,38 @@ function nowISO() {
  */
 function jsonResponse(res, data, status = 200) {
   const body = JSON.stringify(data);
+  // SECURITY: Only allow requests from localhost dashboard (not arbitrary websites)
+  const origin = 'http://localhost:37800';
   res.writeHead(status, {
     'Content-Type': 'application/json',
     'Content-Length': Buffer.byteLength(body),
-    'Access-Control-Allow-Origin': '*',
+    'Access-Control-Allow-Origin': origin,
   });
   res.end(body);
 }
 
+/** Max request body size (10 MB) — prevents memory exhaustion DoS. */
+const MAX_BODY_BYTES = 10 * 1024 * 1024;
+
 /**
  * Read the full request body as a string.
+ * Rejects with 413 if body exceeds MAX_BODY_BYTES.
  * @param {http.IncomingMessage} req
  * @returns {Promise<string>}
  */
 function readBody(req) {
   return new Promise((resolve, reject) => {
     const chunks = [];
-    req.on('data', (chunk) => chunks.push(chunk));
+    let totalBytes = 0;
+    req.on('data', (chunk) => {
+      totalBytes += chunk.length;
+      if (totalBytes > MAX_BODY_BYTES) {
+        req.destroy();
+        reject(new Error('Payload too large (max 10MB)'));
+        return;
+      }
+      chunks.push(chunk);
+    });
     req.on('end', () => resolve(Buffer.concat(chunks).toString('utf-8')));
     req.on('error', reject);
   });
@@ -151,6 +166,11 @@ export class AwarenessLocalDaemon {
    *   7. Start fs.watch on memories dir
    */
   async start() {
+    // SECURITY C4: Prevent unhandled rejections from crashing the daemon
+    process.on('unhandledRejection', (err) => {
+      console.error('[awareness-local] unhandled rejection:', err?.message || err);
+    });
+
     if (await this.isRunning()) {
       console.log(
         `[awareness-local] daemon already running on port ${this.port}`
@@ -623,10 +643,31 @@ export class AwarenessLocalDaemon {
         const session = this._createSession(args.source);
         const stats = this.indexer.getStats();
         const recentCards = this.indexer.getRecentKnowledge(args.max_cards ?? 5);
-        const openTasks = this.indexer.getOpenTasks(args.max_tasks ?? 5);
+        const openTasks = this.indexer.getOpenTasks(args.max_tasks ?? 0);
         const recentSessions = this.indexer.getRecentSessions(args.days ?? 7);
         const spec = this._loadSpec();
 
+        // Compute attention_summary for LLM-side triage
+        const now = Date.now();
+        const staleDays = 3;
+        const staleCutoff = now - staleDays * 86400000;
+        const staleTasks = openTasks.filter(t => {
+          const created = t.created_at ? new Date(t.created_at).getTime() : now;
+          return created < staleCutoff;
+        }).length;
+        const riskCards = this.indexer.db
+          .prepare("SELECT COUNT(*) as cnt FROM knowledge_cards WHERE (category = 'risk' OR category = 'pitfall') AND status = 'active'")
+          .get();
+        const highRisks = riskCards?.cnt || 0;
+
+        const attentionSummary = {
+          stale_tasks: staleTasks,
+          high_risks: highRisks,
+          total_open_tasks: openTasks.length,
+          total_knowledge_cards: recentCards.length,
+          needs_attention: staleTasks > 0 || highRisks > 0,
+        };
+
         return {
           content: [{
             type: 'text',
@@ -637,6 +678,7 @@ export class AwarenessLocalDaemon {
               open_tasks: openTasks,
               recent_sessions: recentSessions,
               stats,
+              attention_summary: attentionSummary,
               synthesized_rules: spec.core_lines?.join('\n') || '',
               init_guides: spec.init_guides || {},
               agent_profiles: [],
@@ -653,31 +695,20 @@ export class AwarenessLocalDaemon {
           const items = this.search
             ? await this.search.getFullContent(args.ids)
             : [];
+          // Return as readable text (no JSON noise for the Agent)
+          const sections = items.map(r => {
+            const header = r.title ? `## ${r.title}` : '';
+            return `${header}\n\n${r.content || '(no content)'}`;
+          });
           return {
-            content: [{
-              type: 'text',
-              text: JSON.stringify({
-                results: items,
-                total: items.length,
-                mode: 'local',
-                detail: 'full',
-              }),
-            }],
+            content: [{ type: 'text', text: sections.join('\n\n---\n\n') || '(no results)' }],
           };
         }
 
         // Phase 1: search + summary
         if (!args.semantic_query && !args.keyword_query) {
           return {
-            content: [{
-              type: 'text',
-              text: JSON.stringify({
-                results: [],
-                total: 0,
-                mode: 'local',
-                detail: 'summary',
-              }),
-            }],
+            content: [{ type: 'text', text: 'No query provided. Use semantic_query or keyword_query to search.' }],
           };
         }
 
@@ -685,17 +716,32 @@ export class AwarenessLocalDaemon {
           ? await this.search.recall(args)
           : [];
 
+        if (!summaries.length) {
+          return {
+            content: [{ type: 'text', text: 'No matching memories found.' }],
+          };
+        }
+
+        // Format as readable text for the Agent (not raw JSON)
+        const lines = summaries.map((r, i) => {
+          const type = r.type ? `[${r.type}]` : '';
+          const title = r.title || '(untitled)';
+          const summary = r.summary ? `\n   ${r.summary}` : '';
+          return `${i + 1}. ${type} ${title}${summary}`;
+        });
+        const readableText = `Found ${summaries.length} memories:\n\n${lines.join('\n\n')}`;
+
+        // IDs in a separate content block for Phase 2 expansion
+        const idsMeta = JSON.stringify({
+          _ids: summaries.map(r => r.id),
+          _hint: 'To see full content, call awareness_recall(detail="full", ids=[...]) with IDs above.',
+        });
+
         return {
-          content: [{
-            type: 'text',
-            text: JSON.stringify({
-              results: summaries,
-              total: summaries.length,
-              mode: 'local',
-              detail: args.detail || 'summary',
-              search_method: 'hybrid',
-            }),
-          }],
+          content: [
+            { type: 'text', text: readableText },
+            { type: 'text', text: idsMeta },
+          ],
         };
       }
 
@@ -920,7 +966,8 @@ export class AwarenessLocalDaemon {
    */
   _apiListTasks(_req, res, url) {
     const status = url.searchParams.get('status') || null;
-    const limit = parseInt(url.searchParams.get('limit') || '100', 10);
+    const limitParam = url.searchParams.get('limit');
+    const limit = limitParam ? parseInt(limitParam, 10) : 0;
 
     if (!this.indexer) {
       return jsonResponse(res, { items: [], total: 0 });
@@ -939,8 +986,11 @@ export class AwarenessLocalDaemon {
       sql += ' WHERE ' + conditions.join(' AND ');
     }
 
-    sql += ` ORDER BY CASE priority WHEN 'high' THEN 1 WHEN 'medium' THEN 2 WHEN 'low' THEN 3 ELSE 4 END, created_at DESC LIMIT ?`;
-    params.push(limit);
+    sql += ` ORDER BY CASE priority WHEN 'high' THEN 1 WHEN 'medium' THEN 2 WHEN 'low' THEN 3 ELSE 4 END, created_at DESC`;
+    if (limit > 0) {
+      sql += ` LIMIT ?`;
+      params.push(limit);
+    }
 
     const rows = this.indexer.db.prepare(sql).all(...params);
     return jsonResponse(res, { items: rows, total: rows.length });
@@ -1043,7 +1093,9 @@ export class AwarenessLocalDaemon {
     }
 
     try {
-      fs.writeFileSync(configPath, JSON.stringify(config, null, 2), 'utf-8');
+      const tmpCfg = configPath + '.tmp';
+      fs.writeFileSync(tmpCfg, JSON.stringify(config, null, 2), 'utf-8');
+      fs.renameSync(tmpCfg, configPath);
     } catch (err) {
       return jsonResponse(res, { error: 'Failed to save config: ' + err.message }, 500);
     }
@@ -1078,9 +1130,13 @@ export class AwarenessLocalDaemon {
     let params;
     try { params = JSON.parse(body); } catch { return jsonResponse(res, { error: 'Invalid JSON' }, 400); }
 
-    const apiBase = this.config?.cloud?.api_base || 'https://awareness.market/api/v1';
-    const interval = (params.interval || 5) * 1000;
-    const maxPolls = 60; // 5 minutes max
+    const config = this._loadConfig();
+    const apiBase = config?.cloud?.api_base || 'https://awareness.market/api/v1';
+
+    // SECURITY C5: Don't hold connection for 5 minutes.
+    // Poll a few times (max 30s), then return pending for client to retry.
+    const interval = Math.max((params.interval || 5) * 1000, 3000);
+    const maxPolls = Math.min(Math.floor(30000 / interval), 6);
 
     for (let i = 0; i < maxPolls; i++) {
       try {
@@ -1100,8 +1156,10 @@ export class AwarenessLocalDaemon {
   }
 
   async _apiCloudListMemories(req, res, url) {
-    const apiKey = url.searchParams.get('api_key');
-    if (!apiKey) return jsonResponse(res, { error: 'api_key required' }, 400);
+    // SECURITY C3: Use cloud config API key instead of query param (avoid log/referer leaks)
+    const config = this._loadConfig();
+    const apiKey = config?.cloud?.api_key;
+    if (!apiKey) return jsonResponse(res, { error: 'Cloud not configured. Connect via /api/v1/cloud/connect first.' }, 400);
 
     const apiBase = this.config?.cloud?.api_base || 'https://awareness.market/api/v1';
     try {
@@ -1248,11 +1306,18 @@ export class AwarenessLocalDaemon {
     return this.indexer.createSession(source || 'local');
   }
 
+  /** Max content size per memory (1 MB). */
+  static MAX_CONTENT_BYTES = 1024 * 1024;
+
   /** Write a single memory, index it, and trigger knowledge extraction. */
   async _remember(params) {
     if (!params.content) {
       return { error: 'content is required for remember action' };
     }
+    // SECURITY H1: Reject oversized content to prevent FTS5/embedding freeze
+    if (typeof params.content === 'string' && params.content.length > AwarenessLocalDaemon.MAX_CONTENT_BYTES) {
+      return { error: `Content too large (${params.content.length} bytes, max ${AwarenessLocalDaemon.MAX_CONTENT_BYTES})` };
+    }
 
     // Auto-generate title from content if not provided
     let title = params.title || '';
@@ -1444,10 +1509,35 @@ ${item.description || item.title || ''}
       }
     }
 
+    // Auto-complete tasks identified by the LLM
+    let tasksAutoCompleted = 0;
+    if (Array.isArray(insights.completed_tasks)) {
+      for (const completed of insights.completed_tasks) {
+        const taskId = (completed.task_id || '').trim();
+        if (!taskId) continue;
+        try {
+          const existing = this.indexer.db
+            .prepare('SELECT * FROM tasks WHERE id = ?')
+            .get(taskId);
+          if (existing && existing.status !== 'done') {
+            this.indexer.indexTask({
+              ...existing,
+              status: 'done',
+              updated_at: nowISO(),
+            });
+            tasksAutoCompleted++;
+          }
+        } catch (err) {
+          console.warn(`[AwarenessDaemon] Failed to auto-complete task '${taskId}':`, err.message);
+        }
+      }
+    }
+
     return {
       status: 'ok',
       cards_created: cardsCreated,
       tasks_created: tasksCreated,
+      tasks_auto_completed: tasksAutoCompleted,
       mode: 'local',
     };
   }
@@ -1461,7 +1551,7 @@ ${item.description || item.title || ''}
         // Full context dump
         const stats = this.indexer.getStats();
         const knowledge = this.indexer.getRecentKnowledge(limit);
-        const tasks = this.indexer.getOpenTasks(limit);
+        const tasks = this.indexer.getOpenTasks(0);
         const sessions = this.indexer.getRecentSessions(7);
         return { stats, knowledge_cards: knowledge, open_tasks: tasks, recent_sessions: sessions, mode: 'local' };
       }
@@ -1487,8 +1577,11 @@ ${item.description || item.title || ''}
         }
 
         if (conditions.length) sql += ' WHERE ' + conditions.join(' AND ');
-        sql += ' ORDER BY created_at DESC LIMIT ?';
-        sqlParams.push(limit);
+        sql += ' ORDER BY created_at DESC';
+        if (limit > 0) {
+          sql += ' LIMIT ?';
+          sqlParams.push(limit);
+        }
 
         const tasks = this.indexer.db.prepare(sql).all(...sqlParams);
         return { tasks, total: tasks.length, mode: 'local' };

package/src/mcp-server.mjs

@@ -206,11 +206,48 @@ export class LocalMcpServer {
             ids: params.ids,
           });
 
+          const effectiveDetail = params.detail || 'summary';
+
+          if (effectiveDetail === 'summary' && summaries.length > 0) {
+            // Format summary as readable text for the Agent, with IDs hidden
+            // but available for Phase 2 expansion
+            const lines = summaries.map((r, i) => {
+              const title = r.title || '(untitled)';
+              const type = r.type ? `[${r.type}]` : '';
+              const summary = r.summary ? `\n   ${r.summary}` : '';
+              return `${i + 1}. ${type} ${title}${summary}`;
+            });
+            const readableText = `Found ${summaries.length} memories:\n\n${lines.join('\n\n')}`;
+
+            // Return readable text + structured data for programmatic use
+            return {
+              content: [
+                { type: 'text', text: readableText },
+                { type: 'text', text: JSON.stringify({
+                  _ids: summaries.map(r => r.id),
+                  _meta: { detail: 'summary', total: summaries.length, mode: 'local' },
+                }) },
+              ],
+            };
+          }
+
+          if (effectiveDetail === 'full' && summaries.length > 0) {
+            // Full content — return as readable text
+            const sections = summaries.map(r => {
+              const header = r.title ? `## ${r.title}` : '';
+              return `${header}\n\n${r.content || '(no content)'}`;
+            });
+            return {
+              content: [{ type: 'text', text: sections.join('\n\n---\n\n') }],
+            };
+          }
+
+          // Fallback / empty results
           return mcpResult({
             results: summaries,
             total: summaries.length,
             mode: 'local',
-            detail: params.detail || 'summary',
+            detail: effectiveDetail,
             search_method: 'hybrid',
           });
         } catch (err) {

package/src/spec/awareness-spec.json

@@ -58,7 +58,7 @@
     {
       "name": "awareness_init",
       "short_desc": "Load cross-session project memory and context",
-      "long_desc": "Load cross-session project memory. Returns session_id, context (narratives, tasks, knowledge, active_skills), and usage rules. Call ONCE at session start."
+      "long_desc": "Load cross-session project memory. Returns session_id, context (narratives, tasks, knowledge, active_skills, attention_summary), and usage rules. Call ONCE at session start. ATTENTION PROTOCOL: When context.attention_summary.needs_attention is true, review all attention items (stale tasks, high risks) and automatically: (1) remind the user about stale tasks, (2) warn about high risks before starting work, (3) update resolved items via awareness_record."
     },
     {
       "name": "awareness_get_agent_prompt",
@@ -385,7 +385,8 @@
       "notes_lines": [
         "## OpenClaw Notes",
         "- OpenClaw uses a plugin-based configuration via ~/.openclaw/openclaw.json.",
-        "- Install the Awareness plugin: openclaw plugins install @awareness-sdk/openclaw-memory",
+        "- Install as plugin: openclaw plugins install @awareness-sdk/openclaw-memory",
+        "- Or install as skill: npx clawhub@latest install awareness-memory",
         "- MCP tools are exposed through the plugin system, no rules file needed."
       ]
     }