@contextableai/openclaw-memory-rebac 0.3.3 → 0.3.5

package/dist/authorization.d.ts

@@ -55,6 +55,12 @@ export declare function canDeleteFragment(spicedb: SpiceDbClient, subject: Subje
  * Used to gate writes to non-session groups — prevents unauthorized memory injection.
  */
 export declare function canWriteToGroup(spicedb: SpiceDbClient, subject: Subject, groupId: string, zedToken?: string): Promise<boolean>;
+/**
+ * Discover which groups a set of memory fragments belong to.
+ * Reads the `source_group` relation for each fragment ID.
+ * Returns deduplicated group IDs.
+ */
+export declare function lookupFragmentSourceGroups(spicedb: SpiceDbClient, fragmentIds: string[], zedToken?: string): Promise<string[]>;
 /**
  * Ensure a subject is registered as a member of a group.
  * Idempotent (uses TOUCH operation).

package/dist/authorization.js

@@ -130,6 +130,27 @@ export async function canWriteToGroup(spicedb, subject, groupId, zedToken) {
         consistency: tokenConsistency(zedToken),
     });
 }
+/**
+ * Discover which groups a set of memory fragments belong to.
+ * Reads the `source_group` relation for each fragment ID.
+ * Returns deduplicated group IDs.
+ */
+export async function lookupFragmentSourceGroups(spicedb, fragmentIds, zedToken) {
+    const groupIds = new Set();
+    for (const fid of fragmentIds) {
+        const tuples = await spicedb.readRelationships({
+            resourceType: "memory_fragment",
+            resourceId: fid,
+            relation: "source_group",
+            consistency: tokenConsistency(zedToken),
+        });
+        for (const t of tuples) {
+            if (t.subjectType === "group")
+                groupIds.add(t.subjectId);
+        }
+    }
+    return Array.from(groupIds);
+}
 /**
  * Ensure a subject is registered as a member of a group.
  * Idempotent (uses TOUCH operation).

package/dist/backend.d.ts

@@ -74,7 +74,7 @@ export interface MemoryBackend {
     }): Promise<StoreResult>;
     /**
      * Search within a single group's storage partition.
-     * Called in parallel per-group by searchAuthorizedMemories() in search.ts.
+     * Fallback path when searchGroups() is not available.
      * Backends map their native result shape to SearchResult[].
      */
     searchGroup(params: {
@@ -83,6 +83,19 @@ export interface MemoryBackend {
         limit: number;
         sessionId?: string;
     }): Promise<SearchResult[]>;
+    /**
+     * Search across multiple groups in a single backend call.
+     * Preferred over per-group fan-out because the backend can apply its own
+     * cross-group relevance ranking (e.g. Graphiti's RRF: cosine + BM25).
+     * Results are ordered by relevance; response position is used as implicit score.
+     * Optional: falls back to per-group searchGroup() fan-out if not implemented.
+     */
+    searchGroups?(params: {
+        query: string;
+        groupIds: string[];
+        limit: number;
+        sessionId?: string;
+    }): Promise<SearchResult[]>;
     /**
      * Optional backend-specific session enrichment, called from agent_end
      * after store() for conversation auto-capture.
@@ -118,12 +131,6 @@ export interface MemoryBackend {
      * Returns true if deleted, false if the backend doesn't support it.
      */
     deleteFragment?(uuid: string, type?: string): Promise<boolean>;
-    /**
-     * Fetch fragment details by their IDs.
-     * Used for fragment-level recall (e.g., finding memories via `involves` permissions).
-     * Optional: not all backends support fetching individual fragments by ID.
-     */
-    getFragmentsByIds?(ids: string[]): Promise<SearchResult[]>;
     /**
      * Discover fragment (fact/edge) UUIDs that were extracted from a stored episode.
      * Called after store() resolves the episode ID to write per-fragment SpiceDB

package/dist/backends/graphiti.d.ts

@@ -26,6 +26,7 @@ type FactResult = {
     invalid_at: string | null;
     created_at: string;
     expired_at: string | null;
+    group_id?: string;
 };
 export type GraphitiConfig = {
     endpoint: string;
@@ -56,6 +57,12 @@ export declare class GraphitiBackend implements MemoryBackend {
         limit: number;
         sessionId?: string;
     }): Promise<SearchResult[]>;
+    searchGroups(params: {
+        query: string;
+        groupIds: string[];
+        limit: number;
+        sessionId?: string;
+    }): Promise<SearchResult[]>;
     getConversationHistory(sessionId: string, lastN?: number): Promise<ConversationTurn[]>;
     healthCheck(): Promise<boolean>;
     getStatus(): Promise<Record<string, unknown>>;
@@ -63,7 +70,6 @@ export declare class GraphitiBackend implements MemoryBackend {
     listGroups(): Promise<BackendDataset[]>;
     deleteFragment(uuid: string, type?: string): Promise<boolean>;
     getEpisodes(groupId: string, lastN: number): Promise<GraphitiEpisode[]>;
-    getFragmentsByIds(ids: string[]): Promise<SearchResult[]>;
     discoverFragmentIds(episodeId: string): Promise<string[]>;
     getEntityEdge(uuid: string): Promise<FactResult>;
     registerCliCommands(cmd: Command): void;

package/dist/backends/graphiti.js

@@ -107,6 +107,29 @@ export class GraphitiBackend {
             created_at: f.created_at,
         }));
     }
+    async searchGroups(params) {
+        const { query, groupIds, limit } = params;
+        if (groupIds.length === 0)
+            return [];
+        const searchRequest = {
+            group_ids: groupIds,
+            query,
+            max_facts: limit,
+        };
+        const response = await this.restCall("POST", "/search", searchRequest);
+        const facts = response.facts ?? [];
+        // Derive implicit relevance score from response position —
+        // Graphiti's /search returns results ranked by RRF (cosine + BM25).
+        return facts.map((f, index) => ({
+            type: "fact",
+            uuid: f.uuid,
+            group_id: f.group_id ?? groupIds[0],
+            summary: f.fact,
+            context: f.name,
+            created_at: f.created_at,
+            score: 1.0 - index / Math.max(facts.length, 1),
+        }));
+    }
     async getConversationHistory(sessionId, lastN = 10) {
         const sessionGroup = `session-${sessionId.replace(/[^a-zA-Z0-9_-]/g, "-")}`;
         try {
@@ -159,26 +182,6 @@ export class GraphitiBackend {
     async getEpisodes(groupId, lastN) {
         return this.restCall("GET", `/episodes/${encodeURIComponent(groupId)}?last_n=${lastN}`);
     }
-    async getFragmentsByIds(ids) {
-        const results = [];
-        for (const id of ids) {
-            try {
-                const fact = await this.getEntityEdge(id);
-                results.push({
-                    type: "fact",
-                    uuid: id,
-                    group_id: "unknown",
-                    summary: fact.fact,
-                    context: fact.name,
-                    created_at: fact.created_at,
-                });
-            }
-            catch {
-                // Fragment not found or unreachable — skip
-            }
-        }
-        return results;
-    }
     async discoverFragmentIds(episodeId) {
         const edges = await this.restCall("GET", `/episodes/${encodeURIComponent(episodeId)}/edges`);
         return edges.map((e) => e.uuid);

package/dist/cli.js

@@ -14,7 +14,7 @@ import { join, dirname, basename, resolve } from "node:path";
 import { homedir } from "node:os";
 import { fileURLToPath } from "node:url";
 import { defaultGroupId } from "./config.js";
-import { lookupAuthorizedGroups, lookupAgentOwner, lookupViewableFragments, ensureGroupMembership, } from "./authorization.js";
+import { lookupAuthorizedGroups, lookupAgentOwner, lookupViewableFragments, lookupFragmentSourceGroups, ensureGroupMembership, } from "./authorization.js";
 import { searchAuthorizedMemories } from "./search.js";
 // ============================================================================
 // Session helper (mirrors index.ts — no shared module to avoid circular import)
@@ -71,39 +71,50 @@ export function registerCommands(cmd, ctx) {
             })
             : [];
         // Fragment-based recall via involves/view permission
+        // Uses search-then-post-filter: search source groups for query relevance,
+        // then intersect with authorized fragment set for security.
         let fragmentResults = [];
-        if (backend.getFragmentsByIds) {
-            try {
-                // Determine the person to search as
-                let personSubject;
-                if (subject.type === "person") {
-                    // Direct person search — look up fragments they can view
-                    personSubject = subject;
-                }
-                else if (subject.type === "agent") {
-                    // Agent search — resolve owner identity first
-                    const ownerId = await lookupAgentOwner(spicedb, subject.id, token);
-                    if (ownerId) {
-                        personSubject = { type: "person", id: ownerId };
-                    }
+        try {
+            // Determine the person to search as
+            let personSubject;
+            if (subject.type === "person") {
+                personSubject = subject;
+            }
+            else if (subject.type === "agent") {
+                const ownerId = await lookupAgentOwner(spicedb, subject.id, token);
+                if (ownerId) {
+                    personSubject = { type: "person", id: ownerId };
                 }
-                if (personSubject) {
-                    const viewableIds = await lookupViewableFragments(spicedb, personSubject, token);
-                    if (viewableIds.length > 0) {
-                        const groupResultIds = new Set(groupResults.map((r) => r.uuid));
-                        const newIds = viewableIds.filter((id) => !groupResultIds.has(id));
-                        if (newIds.length > 0) {
-                            fragmentResults = await backend.getFragmentsByIds(newIds);
+            }
+            if (personSubject) {
+                const viewableIds = await lookupViewableFragments(spicedb, personSubject, token);
+                if (viewableIds.length > 0) {
+                    const groupResultIds = new Set(groupResults.map((r) => r.uuid));
+                    const newIds = viewableIds.filter((id) => !groupResultIds.has(id));
+                    if (newIds.length > 0) {
+                        // Discover which groups the viewable fragments belong to
+                        const ownerGroups = await lookupFragmentSourceGroups(spicedb, newIds, token);
+                        const alreadySearched = new Set(authorizedGroups);
+                        const newGroups = ownerGroups.filter(g => !alreadySearched.has(g));
+                        if (newGroups.length > 0) {
+                            const candidateResults = await searchAuthorizedMemories(backend, {
+                                query,
+                                groupIds: newGroups,
+                                limit: parseInt(opts.limit),
+                            });
+                            // Post-filter: only keep results the person is authorized to view
+                            const viewableSet = new Set(newIds);
+                            fragmentResults = candidateResults.filter(r => viewableSet.has(r.uuid));
                         }
                     }
-                    if (fragmentResults.length > 0) {
-                        console.log(`  + ${fragmentResults.length} result(s) via involves (${personSubject.type}:${personSubject.id})`);
-                    }
+                }
+                if (fragmentResults.length > 0) {
+                    console.log(`  + ${fragmentResults.length} result(s) via involves (${personSubject.type}:${personSubject.id})`);
                 }
             }
-            catch {
-                // Fragment lookup failed — proceed with group results only
-            }
+        }
+        catch {
+            // Fragment lookup failed — proceed with group results only
         }
         const allResults = [...groupResults, ...fragmentResults];
         if (allResults.length === 0) {

package/dist/index.js

@@ -21,8 +21,8 @@ import { join, dirname } from "node:path";
 import { fileURLToPath } from "node:url";
 import { rebacMemoryConfigSchema, createBackend, defaultGroupId } from "./config.js";
 import { SpiceDbClient } from "./spicedb.js";
-import { lookupAuthorizedGroups, lookupViewableFragments, lookupAgentOwner, writeFragmentRelationships, deleteFragmentRelationships, canDeleteFragment, canWriteToGroup, ensureGroupMembership, } from "./authorization.js";
-import { searchAuthorizedMemories, formatDualResults, deduplicateSessionResults, } from "./search.js";
+import { lookupAuthorizedGroups, lookupViewableFragments, lookupFragmentSourceGroups, lookupAgentOwner, writeFragmentRelationships, deleteFragmentRelationships, canDeleteFragment, canWriteToGroup, ensureGroupMembership, } from "./authorization.js";
+import { searchAuthorizedMemories, formatDualResults, } from "./search.js";
 import { registerCommands } from "./cli.js";
 // ============================================================================
 // Session helpers
@@ -131,31 +131,27 @@ const rebacMemoryPlugin = {
                             sessionGroups.push(sg);
                     }
                 }
-                // Group-based search (existing path)
-                const [longTermResults, rawSessionResults] = await Promise.all([
-                    longTermGroups.length > 0
-                        ? searchAuthorizedMemories(backend, {
-                            query,
-                            groupIds: longTermGroups,
-                            limit,
-                            sessionId: state.sessionId,
-                        })
-                        : Promise.resolve([]),
-                    sessionGroups.length > 0
-                        ? searchAuthorizedMemories(backend, {
-                            query,
-                            groupIds: sessionGroups,
-                            limit,
-                            sessionId: state.sessionId,
-                        })
-                        : Promise.resolve([]),
-                ]);
-                const sessionResults = deduplicateSessionResults(longTermResults, rawSessionResults);
-                const groupResults = [...longTermResults, ...sessionResults];
+                // Single multi-group search — lets the backend rank all results together
+                const allGroups = [...longTermGroups, ...sessionGroups];
+                const allGroupResults = allGroups.length > 0
+                    ? await searchAuthorizedMemories(backend, {
+                        query,
+                        groupIds: allGroups,
+                        limit,
+                        sessionId: state.sessionId,
+                    })
+                    : [];
+                // Split results by group type for formatting
+                const sessionGroupSet = new Set(sessionGroups);
+                const longTermResults = allGroupResults.filter((r) => !sessionGroupSet.has(r.group_id));
+                const sessionResults = allGroupResults.filter((r) => sessionGroupSet.has(r.group_id));
+                const groupResults = allGroupResults;
                 // Owner-aware fragment search: if the subject is an agent with an owner,
                 // also find fragments where the owner is in `involves`.
+                // Uses search-then-post-filter: search the source groups for query relevance,
+                // then intersect with the authorized fragment set for security.
                 let ownerFragmentResults = [];
-                if (subject.type === "agent" && backend.getFragmentsByIds) {
+                if (subject.type === "agent") {
                     try {
                         const ownerId = await lookupAgentOwner(spicedb, subject.id, state.lastWriteToken);
                         if (ownerId) {
@@ -165,7 +161,20 @@ const rebacMemoryPlugin = {
                                 const groupResultIds = new Set(groupResults.map((r) => r.uuid));
                                 const newIds = viewableIds.filter((id) => !groupResultIds.has(id));
                                 if (newIds.length > 0) {
-                                    ownerFragmentResults = await backend.getFragmentsByIds(newIds);
+                                    // Discover which groups the viewable fragments belong to
+                                    const ownerGroups = await lookupFragmentSourceGroups(spicedb, newIds, state.lastWriteToken);
+                                    const alreadySearched = new Set([...longTermGroups, ...sessionGroups]);
+                                    const newGroups = ownerGroups.filter(g => !alreadySearched.has(g));
+                                    if (newGroups.length > 0) {
+                                        const candidateResults = await searchAuthorizedMemories(backend, {
+                                            query,
+                                            groupIds: newGroups,
+                                            limit,
+                                        });
+                                        // Post-filter: only keep results the owner is authorized to view
+                                        const viewableSet = new Set(newIds);
+                                        ownerFragmentResults = candidateResults.filter(r => viewableSet.has(r.uuid));
+                                    }
                                 }
                             }
                         }
@@ -462,26 +471,20 @@ const rebacMemoryPlugin = {
                         if (!sessionGroups.includes(sg))
                             sessionGroups.push(sg);
                     }
-                    const [longTermResults, rawSessionResults] = await Promise.all([
-                        longTermGroups.length > 0
-                            ? searchAuthorizedMemories(backend, {
-                                query: event.prompt,
-                                groupIds: longTermGroups,
-                                limit: 5,
-                                sessionId: state.sessionId,
-                            })
-                            : Promise.resolve([]),
-                        sessionGroups.length > 0
-                            ? searchAuthorizedMemories(backend, {
-                                query: event.prompt,
-                                groupIds: sessionGroups,
-                                limit: 3,
-                                sessionId: state.sessionId,
-                            })
-                            : Promise.resolve([]),
-                    ]);
-                    const sessionResults = deduplicateSessionResults(longTermResults, rawSessionResults);
-                    const totalCount = longTermResults.length + sessionResults.length;
+                    const autoRecallLimit = 8;
+                    const allGroups = [...longTermGroups, ...sessionGroups];
+                    const allResults = allGroups.length > 0
+                        ? await searchAuthorizedMemories(backend, {
+                            query: event.prompt,
+                            groupIds: allGroups,
+                            limit: autoRecallLimit,
+                            sessionId: state.sessionId,
+                        })
+                        : [];
+                    const sessionGroupSet = new Set(sessionGroups);
+                    const longTermResults = allResults.filter((r) => !sessionGroupSet.has(r.group_id));
+                    const sessionResults = allResults.filter((r) => sessionGroupSet.has(r.group_id));
+                    const totalCount = allResults.length;
                     const toolHint = "<memory-tools>\n" +
                         "You have knowledge-graph memory tools. Use them proactively:\n" +
                         "- memory_recall: Search for facts, preferences, people, decisions, or past context. Use this BEFORE saying you don't know or remember something.\n" +

package/dist/search.d.ts

@@ -1,9 +1,9 @@
 /**
- * Parallel Multi-Group Search + Merge/Re-rank
+ * Multi-Group Search with backend-native relevance ranking.
  *
- * Backend-agnostic: delegates per-group search to MemoryBackend.searchGroup().
- * Issues parallel calls (one per authorized group_id), merges results,
- * deduplicates by UUID, and re-ranks by score then recency.
+ * Prefers MemoryBackend.searchGroups() — a single call with all group_ids
+ * so the backend applies cross-group relevance ranking (e.g. Graphiti RRF).
+ * Falls back to per-group fan-out via searchGroup() when unavailable.
  */
 import type { MemoryBackend, SearchResult } from "./backend.js";
 export type { SearchResult };
@@ -14,9 +14,14 @@ export type SearchOptions = {
     sessionId?: string;
 };
 /**
- * Search across multiple authorized group_ids in parallel.
- * Merges and deduplicates results, returning up to `limit` items sorted by
- * score (desc) then recency (desc).
+ * Search across multiple authorized group_ids.
+ *
+ * Prefers backend.searchGroups() when available — sends all group_ids in a
+ * single call so the backend can apply cross-group relevance ranking
+ * (e.g. Graphiti's RRF: cosine similarity + BM25).
+ *
+ * Falls back to per-group fan-out via backend.searchGroup() when the backend
+ * doesn't implement multi-group search.
  */
 export declare function searchAuthorizedMemories(backend: MemoryBackend, options: SearchOptions): Promise<SearchResult[]>;
 /**
@@ -28,7 +33,3 @@ export declare function formatResultsForContext(results: SearchResult[]): string
  * Session group_ids start with "session-".
  */
 export declare function formatDualResults(longTermResults: SearchResult[], sessionResults: SearchResult[]): string;
-/**
- * Deduplicate session results against long-term results (by UUID).
- */
-export declare function deduplicateSessionResults(longTermResults: SearchResult[], sessionResults: SearchResult[]): SearchResult[];

package/dist/search.js

@@ -1,24 +1,41 @@
 /**
- * Parallel Multi-Group Search + Merge/Re-rank
+ * Multi-Group Search with backend-native relevance ranking.
  *
- * Backend-agnostic: delegates per-group search to MemoryBackend.searchGroup().
- * Issues parallel calls (one per authorized group_id), merges results,
- * deduplicates by UUID, and re-ranks by score then recency.
+ * Prefers MemoryBackend.searchGroups() — a single call with all group_ids
+ * so the backend applies cross-group relevance ranking (e.g. Graphiti RRF).
+ * Falls back to per-group fan-out via searchGroup() when unavailable.
  */
 // ============================================================================
 // Search
 // ============================================================================
 /**
- * Search across multiple authorized group_ids in parallel.
- * Merges and deduplicates results, returning up to `limit` items sorted by
- * score (desc) then recency (desc).
+ * Search across multiple authorized group_ids.
+ *
+ * Prefers backend.searchGroups() when available — sends all group_ids in a
+ * single call so the backend can apply cross-group relevance ranking
+ * (e.g. Graphiti's RRF: cosine similarity + BM25).
+ *
+ * Falls back to per-group fan-out via backend.searchGroup() when the backend
+ * doesn't implement multi-group search.
  */
 export async function searchAuthorizedMemories(backend, options) {
     const { query, groupIds, limit = 10, sessionId } = options;
     if (groupIds.length === 0) {
         return [];
     }
-    // Fan out parallel searches across all authorized groups
+    // Prefer single multi-group search — preserves backend relevance ranking
+    if (backend.searchGroups) {
+        const results = await backend.searchGroups({ query, groupIds, limit, sessionId });
+        // Deduplicate by UUID (defensive — single call shouldn't produce dupes)
+        const seen = new Set();
+        return results.filter((r) => {
+            if (seen.has(r.uuid))
+                return false;
+            seen.add(r.uuid);
+            return true;
+        }).slice(0, limit);
+    }
+    // Fallback: fan out parallel searches across all authorized groups
     const promises = groupIds.map((groupId) => backend.searchGroup({ query, groupId, limit, sessionId }));
     const resultSets = await Promise.allSettled(promises);
     // Collect all successful results — silently skip failed group searches
@@ -89,10 +106,3 @@ function formatResultLine(r, idx) {
                     "completion";
     return `${idx}. [${typeLabel}:${r.uuid}] ${r.summary} (${r.context})`;
 }
-/**
- * Deduplicate session results against long-term results (by UUID).
- */
-export function deduplicateSessionResults(longTermResults, sessionResults) {
-    const longTermIds = new Set(longTermResults.map((r) => r.uuid));
-    return sessionResults.filter((r) => !longTermIds.has(r.uuid));
-}

package/docker/graphiti/Dockerfile

@@ -5,9 +5,19 @@
 # Extends the base zepai/graphiti image to:
 #   1. Install sentence-transformers for BGE reranker
 #   2. Overlay per-component config + startup to wire separate clients
+#
+# UPGRADE AUDIT (vs upstream getzep/graphiti v0.28.2, audited 2026-03-21):
+#   Overlay patches in startup.py — 5 of 6 still needed:
+#   [NEEDED]  AsyncWorker crash-on-error recovery      (startup.py:109-126)
+#   [NEEDED]  Neo4j nested attribute sanitization       (startup.py:128-250)
+#   [SAFE]    None-index extract_edges fix              (startup.py:252-298)
+#             — fixed upstream (name-based model); patch self-disables
+#   [NEEDED]  IS_DUPLICATE_OF edge filtering            (startup.py:152-169,216-227,310-318)
+#   [NEEDED]  Self-referential edge filtering           (startup.py:228-239)
+#   [NEEDED]  Singleton client / per-request fix        (startup.py:38-87)
 ###############################################################################
 
-FROM zepai/graphiti:latest
+FROM zepai/graphiti:0.22.0
 
 # Base image runs as non-root "app" user; switch to root to install packages
 USER root

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contextableai/openclaw-memory-rebac",
-  "version": "0.3.3",
+  "version": "0.3.5",
   "description": "OpenClaw two-layer memory plugin: SpiceDB ReBAC authorization + Graphiti knowledge graph",
   "type": "module",
   "license": "MIT",
@@ -43,16 +43,16 @@
     "test:e2e": "OPENCLAW_LIVE_TEST=1 vitest run --config vitest.e2e.config.ts"
   },
   "dependencies": {
-    "@authzed/authzed-node": "^1.2.0",
-    "@grpc/grpc-js": "^1.14.3",
+    "@authzed/authzed-node": "1.6.1",
+    "@grpc/grpc-js": "1.14.3",
     "@sinclair/typebox": "0.34.48",
-    "commander": "^13.1.0"
+    "commander": "13.1.0"
   },
   "devDependencies": {
-    "dotenv": "^17.3.1",
+    "dotenv": "17.3.1",
     "openclaw": "*",
-    "typescript": "^5.9.3",
-    "vitest": "^4.0.18"
+    "typescript": "5.9.3",
+    "vitest": "4.0.18"
   },
   "publishConfig": {
     "access": "public"
@@ -62,7 +62,7 @@
       "./dist/index.js"
     ],
     "install": {
-      "npmSpec": "@contextableai/openclaw-memory-rebac",
+      "npmSpec": "@contextableai/openclaw-memory-rebac@0.3.5",
       "localPath": "extensions/openclaw-memory-rebac",
       "defaultChoice": "npm"
     }