@contextableai/openclaw-memory-rebac 0.3.7 → 0.4.0

package/docker/graphiti/Dockerfile

@@ -6,8 +6,8 @@
 #   1. Install sentence-transformers for BGE reranker
 #   2. Overlay per-component config + startup to wire separate clients
 #
-# UPGRADE AUDIT (vs upstream getzep/graphiti v0.28.2, audited 2026-03-21):
-#   Overlay patches in startup.py — 5 of 6 still needed:
+# UPGRADE AUDIT (vs upstream getzep/graphiti v0.28.2, audited 2026-03-24):
+#   Overlay patches in startup.py — 6 of 7 still needed:
 #   [NEEDED]  AsyncWorker crash-on-error recovery      (startup.py:109-126)
 #   [NEEDED]  Neo4j nested attribute sanitization       (startup.py:128-250)
 #   [SAFE]    None-index extract_edges fix              (startup.py:252-298)
@@ -15,6 +15,8 @@
 #   [NEEDED]  IS_DUPLICATE_OF edge filtering            (startup.py:152-169,216-227,310-318)
 #   [NEEDED]  Self-referential edge filtering           (startup.py:228-239)
 #   [NEEDED]  Singleton client / per-request fix        (startup.py:38-87)
+#   [NEEDED]  resolve_extracted_edge IndexError guard   (startup.py:325-349)
+#             — fixed upstream v0.28.2+; no Docker image published beyond 0.22.0
 ###############################################################################
 
 FROM zepai/graphiti:0.22.0

package/docker/graphiti/startup.py

@@ -322,6 +322,31 @@ def patch():
     # Patch the local binding in graphiti.py
     graphiti_mod.extract_edges = safe_extract_edges
 
+    # -- Guard resolve_extracted_edge against IndexError from out-of-bounds
+    # contradicted_facts indices (issue #22) --
+    # The LLM sometimes returns fact indices that exceed the existing_edges list
+    # length, crashing the list comprehension. Upstream v0.28.2+ adds bounds
+    # checking; this patch provides equivalent safety for pinned v0.22.0.
+    original_resolve_extracted_edge = edge_ops_mod.resolve_extracted_edge
+
+    async def safe_resolve_extracted_edge(*args, **kwargs):
+        try:
+            return await original_resolve_extracted_edge(*args, **kwargs)
+        except IndexError as e:
+            logger.warning(
+                "resolve_extracted_edge: IndexError caught (out-of-bounds "
+                "contradicted_facts index): %s — returning edge as-is with "
+                "no invalidations",
+                e,
+            )
+            # args[1] is extracted_edge per the function signature
+            extracted_edge = args[1] if len(args) > 1 else kwargs.get("extracted_edge")
+            if extracted_edge is None:
+                raise
+            return (extracted_edge, [], [])
+
+    edge_ops_mod.resolve_extracted_edge = safe_resolve_extracted_edge
+
     return app
 
 

package/docker/spicedb/docker-compose.yml

@@ -28,7 +28,7 @@ services:
       POSTGRES_PASSWORD: ${SPICEDB_POSTGRES_PASSWORD:-spicedb}
       POSTGRES_DB: spicedb
     volumes:
-      - graphiti_spicedb_postgres_data:/var/lib/postgresql/data
+      - spicedb_postgres_data:/var/lib/postgresql/data
     healthcheck:
       test: ["CMD-SHELL", "pg_isready -U spicedb"]
       interval: 5s
@@ -56,8 +56,8 @@ services:
     command: serve
     restart: unless-stopped
     ports:
-      - "127.0.0.1:${SPICEDB_GRPC_PORT:-50051}:50051"   # gRPC
-      - "127.0.0.1:${SPICEDB_HTTP_PORT:-8080}:8080"      # HTTP metrics / healthz
+      - "${SPICEDB_GRPC_PORT:-50051}:50051"   # gRPC
+      - "${SPICEDB_HTTP_PORT:-8180}:8080"      # HTTP metrics / healthz
     environment:
       SPICEDB_GRPC_PRESHARED_KEY: ${SPICEDB_PRESHARED_KEY:-dev_token}
       SPICEDB_DATASTORE_ENGINE: postgres
@@ -76,4 +76,4 @@ services:
       start_period: 10s
 
 volumes:
-  graphiti_spicedb_postgres_data:
+  spicedb_postgres_data:

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@contextableai/openclaw-memory-rebac",
-  "version": "0.3.7",
-  "description": "OpenClaw two-layer memory plugin: SpiceDB ReBAC authorization + Graphiti knowledge graph",
+  "version": "0.4.0",
+  "description": "OpenClaw two-layer memory plugin: SpiceDB ReBAC authorization + pluggable storage (Graphiti, EverMemOS)",
   "type": "module",
   "license": "MIT",
   "repository": {
@@ -34,13 +34,15 @@
     "openclaw": "*"
   },
   "scripts": {
-    "build": "rm -rf dist && tsc -p tsconfig.build.json && cp plugin.defaults.json dist/ && mkdir -p dist/backends && cp backends/graphiti.defaults.json dist/backends/",
+    "build": "rm -rf dist && tsc -p tsconfig.build.json && cp plugin.defaults.json dist/ && mkdir -p dist/backends && cp backends/graphiti.defaults.json backends/evermemos.defaults.json dist/backends/",
     "prepublishOnly": "npm run build",
     "cli": "tsx bin/rebac-mem.ts",
     "typecheck": "tsc 2>&1 | grep -v '../openclaw/' | grep -c 'error TS' | xargs -I{} test {} -eq 0",
     "test": "vitest run",
     "test:watch": "vitest",
-    "test:e2e": "OPENCLAW_LIVE_TEST=1 vitest run --config vitest.e2e.config.ts"
+    "test:e2e": "OPENCLAW_LIVE_TEST=1 vitest run --config vitest.e2e.config.ts",
+    "test:e2e:backend": "OPENCLAW_LIVE_TEST=1 vitest run --config vitest.e2e.config.ts e2e-backend.test.ts",
+    "test:e2e:evermemos": "OPENCLAW_LIVE_TEST=1 E2E_BACKEND=evermemos vitest run --config vitest.e2e.config.ts e2e-evermemos.test.ts"
   },
   "dependencies": {
     "@authzed/authzed-node": "1.6.1",

package/schema.zed

@@ -10,8 +10,10 @@ definition agent {
 
 definition group {
     relation member: person | agent
-    permission access = member
-    permission contribute = member
+    relation owner: person | agent
+    permission access = member + owner
+    permission contribute = member + owner
+    permission admin = owner
 }
 
 definition memory_fragment {
@@ -24,4 +26,6 @@ definition memory_fragment {
     permission view = involves + shared_by + source_group->access + involves->represents
     // Can delete if: you shared it (owner-level control)
     permission delete = shared_by
+    // Can share if: you shared it, or you are an admin of the source group
+    permission share = shared_by + source_group->admin
 }