npm - @contextableai/openclaw-memory-rebac - Versions diffs - 0.3.3 → 0.3.4 - Mend

@contextableai/openclaw-memory-rebac 0.3.3 → 0.3.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/authorization.d.ts +6 -0
package/dist/authorization.js +21 -0
package/dist/backend.d.ts +0 -6
package/dist/backends/graphiti.d.ts +0 -1
package/dist/backends/graphiti.js +0 -20
package/dist/cli.js +39 -28
package/dist/index.js +18 -3
package/package.json +1 -1

package/dist/authorization.d.ts CHANGED Viewed

@@ -55,6 +55,12 @@ export declare function canDeleteFragment(spicedb: SpiceDbClient, subject: Subje
  * Used to gate writes to non-session groups — prevents unauthorized memory injection.
  */
 export declare function canWriteToGroup(spicedb: SpiceDbClient, subject: Subject, groupId: string, zedToken?: string): Promise<boolean>;
+/**
+ * Discover which groups a set of memory fragments belong to.
+ * Reads the `source_group` relation for each fragment ID.
+ * Returns deduplicated group IDs.
+ */
+export declare function lookupFragmentSourceGroups(spicedb: SpiceDbClient, fragmentIds: string[], zedToken?: string): Promise<string[]>;
 /**
  * Ensure a subject is registered as a member of a group.
  * Idempotent (uses TOUCH operation).

package/dist/authorization.js CHANGED Viewed

@@ -130,6 +130,27 @@ export async function canWriteToGroup(spicedb, subject, groupId, zedToken) {
         consistency: tokenConsistency(zedToken),
     });
 }
+/**
+ * Discover which groups a set of memory fragments belong to.
+ * Reads the `source_group` relation for each fragment ID.
+ * Returns deduplicated group IDs.
+ */
+export async function lookupFragmentSourceGroups(spicedb, fragmentIds, zedToken) {
+    const groupIds = new Set();
+    for (const fid of fragmentIds) {
+        const tuples = await spicedb.readRelationships({
+            resourceType: "memory_fragment",
+            resourceId: fid,
+            relation: "source_group",
+            consistency: tokenConsistency(zedToken),
+        });
+        for (const t of tuples) {
+            if (t.subjectType === "group")
+                groupIds.add(t.subjectId);
+        }
+    }
+    return Array.from(groupIds);
+}
 /**
  * Ensure a subject is registered as a member of a group.
  * Idempotent (uses TOUCH operation).

package/dist/backend.d.ts CHANGED Viewed

@@ -118,12 +118,6 @@ export interface MemoryBackend {
      * Returns true if deleted, false if the backend doesn't support it.
      */
     deleteFragment?(uuid: string, type?: string): Promise<boolean>;
-    /**
-     * Fetch fragment details by their IDs.
-     * Used for fragment-level recall (e.g., finding memories via `involves` permissions).
-     * Optional: not all backends support fetching individual fragments by ID.
-     */
-    getFragmentsByIds?(ids: string[]): Promise<SearchResult[]>;
     /**
      * Discover fragment (fact/edge) UUIDs that were extracted from a stored episode.
      * Called after store() resolves the episode ID to write per-fragment SpiceDB

package/dist/backends/graphiti.d.ts CHANGED Viewed

@@ -63,7 +63,6 @@ export declare class GraphitiBackend implements MemoryBackend {
     listGroups(): Promise<BackendDataset[]>;
     deleteFragment(uuid: string, type?: string): Promise<boolean>;
     getEpisodes(groupId: string, lastN: number): Promise<GraphitiEpisode[]>;
-    getFragmentsByIds(ids: string[]): Promise<SearchResult[]>;
     discoverFragmentIds(episodeId: string): Promise<string[]>;
     getEntityEdge(uuid: string): Promise<FactResult>;
     registerCliCommands(cmd: Command): void;

package/dist/backends/graphiti.js CHANGED Viewed

@@ -159,26 +159,6 @@ export class GraphitiBackend {
     async getEpisodes(groupId, lastN) {
         return this.restCall("GET", `/episodes/${encodeURIComponent(groupId)}?last_n=${lastN}`);
     }
-    async getFragmentsByIds(ids) {
-        const results = [];
-        for (const id of ids) {
-            try {
-                const fact = await this.getEntityEdge(id);
-                results.push({
-                    type: "fact",
-                    uuid: id,
-                    group_id: "unknown",
-                    summary: fact.fact,
-                    context: fact.name,
-                    created_at: fact.created_at,
-                });
-            }
-            catch {
-                // Fragment not found or unreachable — skip
-            }
-        }
-        return results;
-    }
     async discoverFragmentIds(episodeId) {
         const edges = await this.restCall("GET", `/episodes/${encodeURIComponent(episodeId)}/edges`);
         return edges.map((e) => e.uuid);

package/dist/cli.js CHANGED Viewed

@@ -14,7 +14,7 @@ import { join, dirname, basename, resolve } from "node:path";
 import { homedir } from "node:os";
 import { fileURLToPath } from "node:url";
 import { defaultGroupId } from "./config.js";
-import { lookupAuthorizedGroups, lookupAgentOwner, lookupViewableFragments, ensureGroupMembership, } from "./authorization.js";
+import { lookupAuthorizedGroups, lookupAgentOwner, lookupViewableFragments, lookupFragmentSourceGroups, ensureGroupMembership, } from "./authorization.js";
 import { searchAuthorizedMemories } from "./search.js";
 // ============================================================================
 // Session helper (mirrors index.ts — no shared module to avoid circular import)
@@ -71,39 +71,50 @@ export function registerCommands(cmd, ctx) {
             })
             : [];
         // Fragment-based recall via involves/view permission
+        // Uses search-then-post-filter: search source groups for query relevance,
+        // then intersect with authorized fragment set for security.
         let fragmentResults = [];
-        if (backend.getFragmentsByIds) {
-            try {
-                // Determine the person to search as
-                let personSubject;
-                if (subject.type === "person") {
-                    // Direct person search — look up fragments they can view
-                    personSubject = subject;
-                }
-                else if (subject.type === "agent") {
-                    // Agent search — resolve owner identity first
-                    const ownerId = await lookupAgentOwner(spicedb, subject.id, token);
-                    if (ownerId) {
-                        personSubject = { type: "person", id: ownerId };
-                    }
+        try {
+            // Determine the person to search as
+            let personSubject;
+            if (subject.type === "person") {
+                personSubject = subject;
+            }
+            else if (subject.type === "agent") {
+                const ownerId = await lookupAgentOwner(spicedb, subject.id, token);
+                if (ownerId) {
+                    personSubject = { type: "person", id: ownerId };
                 }
-                if (personSubject) {
-                    const viewableIds = await lookupViewableFragments(spicedb, personSubject, token);
-                    if (viewableIds.length > 0) {
-                        const groupResultIds = new Set(groupResults.map((r) => r.uuid));
-                        const newIds = viewableIds.filter((id) => !groupResultIds.has(id));
-                        if (newIds.length > 0) {
-                            fragmentResults = await backend.getFragmentsByIds(newIds);
+            }
+            if (personSubject) {
+                const viewableIds = await lookupViewableFragments(spicedb, personSubject, token);
+                if (viewableIds.length > 0) {
+                    const groupResultIds = new Set(groupResults.map((r) => r.uuid));
+                    const newIds = viewableIds.filter((id) => !groupResultIds.has(id));
+                    if (newIds.length > 0) {
+                        // Discover which groups the viewable fragments belong to
+                        const ownerGroups = await lookupFragmentSourceGroups(spicedb, newIds, token);
+                        const alreadySearched = new Set(authorizedGroups);
+                        const newGroups = ownerGroups.filter(g => !alreadySearched.has(g));
+                        if (newGroups.length > 0) {
+                            const candidateResults = await searchAuthorizedMemories(backend, {
+                                query,
+                                groupIds: newGroups,
+                                limit: parseInt(opts.limit),
+                            });
+                            // Post-filter: only keep results the person is authorized to view
+                            const viewableSet = new Set(newIds);
+                            fragmentResults = candidateResults.filter(r => viewableSet.has(r.uuid));
                         }
                     }
-                    if (fragmentResults.length > 0) {
-                        console.log(`  + ${fragmentResults.length} result(s) via involves (${personSubject.type}:${personSubject.id})`);
-                    }
+                }
+                if (fragmentResults.length > 0) {
+                    console.log(`  + ${fragmentResults.length} result(s) via involves (${personSubject.type}:${personSubject.id})`);
                 }
             }
-            catch {
-                // Fragment lookup failed — proceed with group results only
-            }
+        }
+        catch {
+            // Fragment lookup failed — proceed with group results only
         }
         const allResults = [...groupResults, ...fragmentResults];
         if (allResults.length === 0) {

package/dist/index.js CHANGED Viewed

@@ -21,7 +21,7 @@ import { join, dirname } from "node:path";
 import { fileURLToPath } from "node:url";
 import { rebacMemoryConfigSchema, createBackend, defaultGroupId } from "./config.js";
 import { SpiceDbClient } from "./spicedb.js";
-import { lookupAuthorizedGroups, lookupViewableFragments, lookupAgentOwner, writeFragmentRelationships, deleteFragmentRelationships, canDeleteFragment, canWriteToGroup, ensureGroupMembership, } from "./authorization.js";
+import { lookupAuthorizedGroups, lookupViewableFragments, lookupFragmentSourceGroups, lookupAgentOwner, writeFragmentRelationships, deleteFragmentRelationships, canDeleteFragment, canWriteToGroup, ensureGroupMembership, } from "./authorization.js";
 import { searchAuthorizedMemories, formatDualResults, deduplicateSessionResults, } from "./search.js";
 import { registerCommands } from "./cli.js";
 // ============================================================================
@@ -154,8 +154,10 @@ const rebacMemoryPlugin = {
                 const groupResults = [...longTermResults, ...sessionResults];
                 // Owner-aware fragment search: if the subject is an agent with an owner,
                 // also find fragments where the owner is in `involves`.
+                // Uses search-then-post-filter: search the source groups for query relevance,
+                // then intersect with the authorized fragment set for security.
                 let ownerFragmentResults = [];
-                if (subject.type === "agent" && backend.getFragmentsByIds) {
+                if (subject.type === "agent") {
                     try {
                         const ownerId = await lookupAgentOwner(spicedb, subject.id, state.lastWriteToken);
                         if (ownerId) {
@@ -165,7 +167,20 @@ const rebacMemoryPlugin = {
                                 const groupResultIds = new Set(groupResults.map((r) => r.uuid));
                                 const newIds = viewableIds.filter((id) => !groupResultIds.has(id));
                                 if (newIds.length > 0) {
-                                    ownerFragmentResults = await backend.getFragmentsByIds(newIds);
+                                    // Discover which groups the viewable fragments belong to
+                                    const ownerGroups = await lookupFragmentSourceGroups(spicedb, newIds, state.lastWriteToken);
+                                    const alreadySearched = new Set([...longTermGroups, ...sessionGroups]);
+                                    const newGroups = ownerGroups.filter(g => !alreadySearched.has(g));
+                                    if (newGroups.length > 0) {
+                                        const candidateResults = await searchAuthorizedMemories(backend, {
+                                            query,
+                                            groupIds: newGroups,
+                                            limit,
+                                        });
+                                        // Post-filter: only keep results the owner is authorized to view
+                                        const viewableSet = new Set(newIds);
+                                        ownerFragmentResults = candidateResults.filter(r => viewableSet.has(r.uuid));
+                                    }
                                 }
                             }
                         }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contextableai/openclaw-memory-rebac",
-  "version": "0.3.3",
+  "version": "0.3.4",
   "description": "OpenClaw two-layer memory plugin: SpiceDB ReBAC authorization + Graphiti knowledge graph",
   "type": "module",
   "license": "MIT",