@contextableai/openclaw-memory-rebac 0.3.2 → 0.3.3

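--- a/package/README.md
+++ b/package/README.md
@@ -168,7 +168,10 @@ When enabled (default: `true`), the plugin captures the last N messages from eac
  The SpiceDB schema defines four object types:
 
  ```
- definition person {}
+ definition person {
+ relation agent: agent
+ permission represents = agent
+ }
 
  definition agent {
  relation owner: person
@@ -186,7 +189,8 @@ definition memory_fragment {
  relation involves: person | agent
  relation shared_by: person | agent
 
- permission view = involves + shared_by + source_group->access
+ // involves->represents: if a person is involved, their agent can also view
+ permission view = involves + shared_by + source_group->access + involves->represents
  permission delete = shared_by
  }
  ```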
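--- a/package/dist/cli.js
+++ b/package/dist/cli.js
@@ -563,14 +563,23 @@ export function registerCommands(cmd, ctx) {
  .argument("<person-id>", "Owner person ID")
  .action(async (agentId, personId) => {
  try {
- await spicedb.writeRelationships([{
+ await spicedb.writeRelationships([
+ {
  resourceType: "agent",
  resourceId: agentId,
  relation: "owner",
  subjectType: "person",
  subjectId: personId,
- }]);
- console.log(`Linked agent:${agentId} → person:${personId}`);
+ },
+ {
+ resourceType: "person",
+ resourceId: personId,
+ relation: "agent",
+ subjectType: "agent",
+ subjectId: agentId,
+ },
+ ]);
+ console.log(`Linked agent:${agentId} ↔ person:${personId}`);
  }
  catch (err) {
  console.error(`Failed to write identity link: ${err instanceof Error ? err.message : String(err)}`);
@@ -590,14 +599,23 @@ export function registerCommands(cmd, ctx) {
  console.log(`No owner link found for agent:${agentId}`);
  return;
  }
- await spicedb.deleteRelationships([{
+ await spicedb.deleteRelationships([
+ {
  resourceType: "agent",
  resourceId: agentId,
  relation: "owner",
  subjectType: "person",
  subjectId: ownerId,
- }]);
- console.log(`Unlinked agent:${agentId} (was → person:${ownerId})`);
+ },
+ {
+ resourceType: "person",
+ resourceId: ownerId,
+ relation: "agent",
+ subjectType: "agent",
+ subjectId: agentId,
+ },
+ ]);
+ console.log(`Unlinked agent:${agentId} (was ↔ person:${ownerId})`);
  }
  catch (err) {
  console.error(`Failed to remove identity link: ${err instanceof Error ? err.message : String(err)}`);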
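Review bot: The link action in the first hunk now writes `person:<id>#agent`, which the schema change in this release turns into a view grant, but nothing visible in the hunk checks whether the agent is already linked to a different person. If `writeRelationships` upserts rather than replaces (not visible here), re-linking an agent would leave the earlier person's `agent` tuple in place, and the agent would keep view on that person's fragments. Consider looking up the current owner first, as the unlink action in the second hunk does, and then either deleting the old pair or refusing the re-link. At minimum, add a comment above the write such as `// person#agent grants view on the person's fragments; remove any previous link before writing a new one`. Both action bodies start and end outside their hunks.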
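--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -686,16 +686,25 @@ const rebacMemoryPlugin = {
  // Write agent → owner relationships from identities config
  for (const [agentId, personId] of Object.entries(cfg.identities)) {
  try {
- const token = await spicedb.writeRelationships([{
+ const token = await spicedb.writeRelationships([
+ {
  resourceType: "agent",
  resourceId: agentId,
  relation: "owner",
  subjectType: "person",
  subjectId: personId,
- }]);
+ },
+ {
+ resourceType: "person",
+ resourceId: personId,
+ relation: "agent",
+ subjectType: "agent",
+ subjectId: agentId,
+ },
+ ]);
  if (token)
  defaultState.lastWriteToken = token;
- api.logger.info(`openclaw-memory-rebac: linked agent:${agentId} person:${personId}`);
+ api.logger.info(`openclaw-memory-rebac: linked agent:${agentId} person:${personId}`);
  }
  catch (err) {
  api.logger.warn(`openclaw-memory-rebac: failed to write owner for agent:${agentId}: ${err}`);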
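Review bot: Entries that are later removed from `cfg.identities` are never revoked by this loop, and with the added `person#agent` tuple a stale entry keeps granting the agent view on that person's fragments under the schema change in this release. No reconciliation is visible in the hunk, so revocation presumably depends on the CLI unlink action. Say so above the loop, e.g. `// Writes agent#owner and person#agent; removing an identity from config does not delete these tuples`. The existing comment `// Write agent → owner relationships from identities config` and the warn text `failed to write owner for agent:` still describe only the first tuple. The enclosing function starts and ends outside the hunk.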
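--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@contextableai/openclaw-memory-rebac",
- "version": "0.3.2",
+ "version": "0.3.3",
  "description": "OpenClaw two-layer memory plugin: SpiceDB ReBAC authorization + Graphiti knowledge graph",
  "type": "module",
  "license": "MIT",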
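--- a/package/schema.zed
+++ b/package/schema.zed
@@ -1,4 +1,7 @@
- definition person {}
+ definition person {
+ relation agent: agent
+ permission represents = agent
+ }
 
  definition agent {
  relation owner: person
@@ -16,8 +19,9 @@ definition memory_fragment {
  relation involves: person | agent
  relation shared_by: person | agent
 
- // Can view if: directly involved, shared it, or have access to the source group
- permission view = involves + shared_by + source_group->access
+ // Can view if: directly involved, shared it, have access to the source group,
+ // or are an agent whose owner is involved (involves->agent traversal)
+ permission view = involves + shared_by + source_group->access + involves->represents
  // Can delete if: you shared it (owner-level control)
  permission delete = shared_by
  }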
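Review bot: The new comment on `permission view` says `involves->agent traversal` and "an agent whose owner is involved", but the expression is `involves->represents`, which resolves through `person#agent` and never consults `agent#owner`. The grant therefore depends only on who can write `person#agent` tuples, and every agent listed there gains view on all fragments involving that person. I would reword the second comment line to `// or are an agent linked to an involved person via person#agent (involves->represents)` and note next to `relation agent: agent` that it is a view grant. Separately, `involves` also admits `agent` subjects, and the visible part of `definition agent` shows no `represents`; confirm how the deployed SpiceDB version treats an arrow to a permission that is missing on one subject type. `definition agent` continues outside the hunk.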