@contextableai/openclaw-memory-rebac 0.1.0 → 0.1.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contextableai/openclaw-memory-rebac",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "OpenClaw two-layer memory plugin: SpiceDB ReBAC authorization + Graphiti knowledge graph",
   "type": "module",
   "license": "MIT",
@@ -17,15 +17,9 @@
     "knowledge-graph",
     "authorization"
   ],
+  "main": "./dist/index.js",
   "files": [
-    "index.ts",
-    "cli.ts",
-    "config.ts",
-    "backend.ts",
-    "authorization.ts",
-    "search.ts",
-    "spicedb.ts",
-    "backends/",
+    "dist",
     "openclaw.plugin.json",
     "plugin.defaults.json",
     "schema.zed",
@@ -37,8 +31,10 @@
     "openclaw": "*"
   },
   "scripts": {
+    "build": "rm -rf dist && tsc -p tsconfig.build.json && cp plugin.defaults.json dist/ && mkdir -p dist/backends && cp backends/graphiti.defaults.json dist/backends/",
+    "prepublishOnly": "npm run build",
     "cli": "tsx bin/rebac-mem.ts",
-    "typecheck": "tsc --noEmit 2>&1 | grep -v '../openclaw/' | grep -c 'error TS' | xargs -I{} test {} -eq 0",
+    "typecheck": "tsc 2>&1 | grep -v '../openclaw/' | grep -c 'error TS' | xargs -I{} test {} -eq 0",
     "test": "vitest run",
     "test:watch": "vitest",
     "test:e2e": "OPENCLAW_LIVE_TEST=1 vitest run --config vitest.e2e.config.ts"
@@ -51,6 +47,7 @@
   },
   "devDependencies": {
     "dotenv": "^17.3.1",
+    "openclaw": "*",
     "typescript": "^5.9.3",
     "vitest": "^4.0.18"
   },
@@ -59,7 +56,7 @@
   },
   "openclaw": {
     "extensions": [
-      "./index.ts"
+      "./dist/index.js"
     ],
     "install": {
       "npmSpec": "@contextableai/openclaw-memory-rebac",

package/authorization.ts

@@ -1,191 +0,0 @@
-/**
- * Authorization Logic
- *
- * Bridges SpiceDB and the memory backend by managing:
- * - Looking up which group_ids a subject can access
- * - Writing fragment authorization relationships when memories are stored
- * - Checking delete permissions
- */
-
-import type { SpiceDbClient, RelationshipTuple, ConsistencyMode } from "./spicedb.js";
-
-// ============================================================================
-// Types
-// ============================================================================
-
-export type Subject = {
-  type: "agent" | "person";
-  id: string;
-};
-
-export type FragmentRelationships = {
-  fragmentId: string;
-  groupId: string;
-  sharedBy: Subject;
-  involves?: Subject[];
-};
-
-// ============================================================================
-// Helpers
-// ============================================================================
-
-function tokenConsistency(zedToken?: string): ConsistencyMode | undefined {
-  return zedToken ? { mode: "at_least_as_fresh", token: zedToken } : undefined;
-}
-
-// ============================================================================
-// Authorization Operations
-// ============================================================================
-
-/**
- * Look up all group IDs that a subject has access to.
- * Returns group resource IDs from SpiceDB where the subject has the "access" permission.
- */
-export async function lookupAuthorizedGroups(
-  spicedb: SpiceDbClient,
-  subject: Subject,
-  zedToken?: string,
-): Promise<string[]> {
-  return spicedb.lookupResources({
-    resourceType: "group",
-    permission: "access",
-    subjectType: subject.type,
-    subjectId: subject.id,
-    consistency: tokenConsistency(zedToken),
-  });
-}
-
-/**
- * Look up all memory fragment IDs that a subject can view.
- * Used for fine-grained post-filtering when needed.
- */
-export async function lookupViewableFragments(
-  spicedb: SpiceDbClient,
-  subject: Subject,
-  zedToken?: string,
-): Promise<string[]> {
-  return spicedb.lookupResources({
-    resourceType: "memory_fragment",
-    permission: "view",
-    subjectType: subject.type,
-    subjectId: subject.id,
-    consistency: tokenConsistency(zedToken),
-  });
-}
-
-/**
- * Write authorization relationships for a newly stored memory fragment.
- *
- * Creates:
- * - memory_fragment:<id> #source_group group:<groupId>
- * - memory_fragment:<id> #shared_by <sharedBy>
- * - memory_fragment:<id> #involves <person> (for each involved person)
- */
-export async function writeFragmentRelationships(
-  spicedb: SpiceDbClient,
-  params: FragmentRelationships,
-): Promise<string | undefined> {
-  const tuples: RelationshipTuple[] = [
-    {
-      resourceType: "memory_fragment",
-      resourceId: params.fragmentId,
-      relation: "source_group",
-      subjectType: "group",
-      subjectId: params.groupId,
-    },
-    {
-      resourceType: "memory_fragment",
-      resourceId: params.fragmentId,
-      relation: "shared_by",
-      subjectType: params.sharedBy.type,
-      subjectId: params.sharedBy.id,
-    },
-  ];
-
-  if (params.involves) {
-    for (const person of params.involves) {
-      tuples.push({
-        resourceType: "memory_fragment",
-        resourceId: params.fragmentId,
-        relation: "involves",
-        subjectType: person.type,
-        subjectId: person.id,
-      });
-    }
-  }
-
-  return spicedb.writeRelationships(tuples);
-}
-
-/**
- * Remove all authorization relationships for a memory fragment.
- * Uses filter-based deletion — no need to know the group, sharer, or involved parties.
- */
-export async function deleteFragmentRelationships(
-  spicedb: SpiceDbClient,
-  fragmentId: string,
-): Promise<string | undefined> {
-  return spicedb.deleteRelationshipsByFilter({
-    resourceType: "memory_fragment",
-    resourceId: fragmentId,
-  });
-}
-
-/**
- * Check if a subject has delete permission on a memory fragment.
- */
-export async function canDeleteFragment(
-  spicedb: SpiceDbClient,
-  subject: Subject,
-  fragmentId: string,
-  zedToken?: string,
-): Promise<boolean> {
-  return spicedb.checkPermission({
-    resourceType: "memory_fragment",
-    resourceId: fragmentId,
-    permission: "delete",
-    subjectType: subject.type,
-    subjectId: subject.id,
-    consistency: tokenConsistency(zedToken),
-  });
-}
-
-/**
- * Check if a subject has write (contribute) permission on a group.
- * Used to gate writes to non-session groups — prevents unauthorized memory injection.
- */
-export async function canWriteToGroup(
-  spicedb: SpiceDbClient,
-  subject: Subject,
-  groupId: string,
-  zedToken?: string,
-): Promise<boolean> {
-  return spicedb.checkPermission({
-    resourceType: "group",
-    resourceId: groupId,
-    permission: "contribute",
-    subjectType: subject.type,
-    subjectId: subject.id,
-    consistency: tokenConsistency(zedToken),
-  });
-}
-
-/**
- * Ensure a subject is registered as a member of a group.
- * Idempotent (uses TOUCH operation).
- */
-export async function ensureGroupMembership(
-  spicedb: SpiceDbClient,
-  groupId: string,
-  member: Subject,
-): Promise<string | undefined> {
-  return spicedb.writeRelationships([
-    {
-      resourceType: "group",
-      resourceId: groupId,
-      relation: "member",
-      subjectType: member.type,
-      subjectId: member.id,
-    },
-  ]);
-}

package/backend.ts

@@ -1,176 +0,0 @@
-/**
- * MemoryBackend interface
- *
- * All storage-engine specifics live here. The rest of the plugin
- * (SpiceDB auth, search orchestration, tool registration, CLI skeleton)
- * is backend-agnostic and never imports from backends/.
- *
- * Implementing a new backend means satisfying this interface and adding
- * an entry to the factory in config.ts. That's it.
- */
-
-import type { Command } from "commander";
-
-// ============================================================================
-// Shared result types (returned by all backends in a uniform shape)
-// ============================================================================
-
-/**
- * A single memory item returned by searchGroup().
- * Backends are responsible for mapping their native result shape to this.
- */
-export type SearchResult = {
-  /** "node"/"fact" for graph backends; "chunk"/"summary"/"completion" for doc backends */
-  type: "node" | "fact" | "chunk" | "summary" | "completion";
-  /** Stable ID used by memory_forget. Must be unique within the backend. */
-  uuid: string;
-  group_id: string;
-  summary: string;
-  /** Human-readable context hint (entity names, dataset, etc.) */
-  context: string;
-  created_at: string;
-  /** Relevance score [0,1] when available */
-  score?: number;
-};
-
-/**
- * Returned by store(). The fragmentId resolves to the UUID that will be
- * registered in SpiceDB.
- *
- * - Graphiti: Resolves once the server has processed the episode (polled in the background).
- *
- * index.ts chains SpiceDB writeFragmentRelationships() to this Promise,
- * so it always fires at the right time.
- */
-export type StoreResult = {
-  fragmentId: Promise<string>;
-};
-
-/**
- * A single conversation turn, used for episodic recall.
- * Backends that don't support conversation history return [].
- */
-export type ConversationTurn = {
-  query: string;
-  answer: string;
-  context?: string;
-  created_at?: string;
-};
-
-/**
- * Minimal dataset descriptor for the CLI `datasets` command.
- */
-export type BackendDataset = {
-  name: string;
-  /** Group ID this dataset maps to (backend-specific derivation) */
-  groupId: string;
-  /** Optional backend-specific dataset ID */
-  id?: string;
-};
-
-// ============================================================================
-// MemoryBackend interface
-// ============================================================================
-
-export interface MemoryBackend {
-  /** Human-readable backend name for logs and status output */
-  readonly name: string;
-
-  // --------------------------------------------------------------------------
-  // Core write
-  // Backends MUST return immediately — graph/index construction is async.
-  // --------------------------------------------------------------------------
-
-  /**
-   * Ingest content into the group's storage partition.
-   * The returned StoreResult.fragmentId resolves when the backend has
-   * produced a stable UUID suitable for SpiceDB registration.
-   */
-  store(params: {
-    content: string;
-    groupId: string;
-    sourceDescription?: string;
-    customPrompt?: string;
-  }): Promise<StoreResult>;
-
-  // --------------------------------------------------------------------------
-  // Core read
-  // --------------------------------------------------------------------------
-
-  /**
-   * Search within a single group's storage partition.
-   * Called in parallel per-group by searchAuthorizedMemories() in search.ts.
-   * Backends map their native result shape to SearchResult[].
-   */
-  searchGroup(params: {
-    query: string;
-    groupId: string;
-    limit: number;
-    sessionId?: string;
-  }): Promise<SearchResult[]>;
-
-  // --------------------------------------------------------------------------
-  // Session / episodic memory
-  // --------------------------------------------------------------------------
-
-  /**
-   * Optional backend-specific session enrichment, called from agent_end
-   * after store() for conversation auto-capture.
-   *
-   * Graphiti: no-op (addEpisode already handles episodic memory).
-   */
-  enrichSession?(params: {
-    sessionId: string;
-    groupId: string;
-    userMsg: string;
-    assistantMsg: string;
-  }): Promise<void>;
-
-  /**
-   * Retrieve conversation history for a session.
-   * Graphiti maps getEpisodes() to this shape.
-   * Backends that don't support it return [].
-   */
-  getConversationHistory(sessionId: string, lastN?: number): Promise<ConversationTurn[]>;
-
-  // --------------------------------------------------------------------------
-  // Lifecycle
-  // --------------------------------------------------------------------------
-
-  healthCheck(): Promise<boolean>;
-  getStatus(): Promise<Record<string, unknown>>;
-
-  // --------------------------------------------------------------------------
-  // Management
-  // --------------------------------------------------------------------------
-
-  /**
-   * Delete a group's entire storage partition.
-   * Used by `rebac-mem clear-group --confirm`.
-   */
-  deleteGroup(groupId: string): Promise<void>;
-
-  /**
-   * List all storage partitions (datasets/groups) managed by this backend.
-   */
-  listGroups(): Promise<BackendDataset[]>;
-
-  /**
-   * Delete a single memory fragment by UUID.
-   * Optional: not all backends support sub-dataset deletion.
-   * Returns true if deleted, false if the backend doesn't support it.
-   */
-  deleteFragment?(uuid: string): Promise<boolean>;
-
-  // --------------------------------------------------------------------------
-  // CLI extension point
-  // --------------------------------------------------------------------------
-
-  /**
-   * Register backend-specific CLI subcommands onto the shared `rebac-mem` command.
-   * Called once during CLI setup. Backend may register any commands it needs.
-   *
-   * Example: Graphiti registers episodes, fact, clear-graph
-   */
-  registerCliCommands?(cmd: Command): void;
-}

package/backends/backends.json

@@ -1,3 +0,0 @@
-{
-  "graphiti": "./graphiti.js"
-}