@contextableai/openclaw-memory-rebac 0.3.8 → 0.4.0

package/docker/evermemos/.env.example

@@ -0,0 +1,85 @@
+# =============================================================================
+# EverMemOS Configuration
+# =============================================================================
+#
+# Copy this file to .env and fill in your API keys.
+# Database connection settings are pre-configured for Docker — no changes needed.
+#
+#   cp .env.example .env
+#
+# SECURITY: Never commit .env to version control.
+# =============================================================================
+
+
+# ===================
+# LLM Configuration (required)
+# ===================
+# Used for memory extraction (MemCell pipeline).
+
+LLM_PROVIDER=openai
+LLM_MODEL=gpt-4o-mini
+LLM_BASE_URL=https://api.openai.com/v1
+LLM_API_KEY=sk-your-key-here
+LLM_TEMPERATURE=0.3
+LLM_MAX_TOKENS=32768
+
+# Alternative: OpenRouter (uncomment and set key)
+# LLM_MODEL=x-ai/grok-4-fast
+# LLM_BASE_URL=https://openrouter.ai/api/v1
+# LLM_API_KEY=sk-or-v1-your-key-here
+
+
+# ===================
+# Vectorize / Embedding (required)
+# ===================
+# Used for semantic search. Supports vLLM (self-hosted) or DeepInfra (commercial).
+
+VECTORIZE_PROVIDER=deepinfra
+VECTORIZE_API_KEY=your-deepinfra-key-here
+VECTORIZE_BASE_URL=https://api.deepinfra.com/v1/openai
+VECTORIZE_MODEL=Qwen/Qwen3-Embedding-4B
+VECTORIZE_DIMENSIONS=1024
+VECTORIZE_TIMEOUT=30
+VECTORIZE_MAX_RETRIES=3
+VECTORIZE_BATCH_SIZE=10
+VECTORIZE_MAX_CONCURRENT=5
+VECTORIZE_ENCODING_FORMAT=float
+
+# Alternative: self-hosted vLLM (uncomment)
+# VECTORIZE_PROVIDER=vllm
+# VECTORIZE_API_KEY=EMPTY
+# VECTORIZE_BASE_URL=http://host.docker.internal:8000/v1
+
+# Optional: fallback vectorize provider
+# VECTORIZE_FALLBACK_PROVIDER=deepinfra
+# VECTORIZE_FALLBACK_API_KEY=your-fallback-key
+# VECTORIZE_FALLBACK_BASE_URL=https://api.deepinfra.com/v1/openai
+
+
+# ===================
+# Rerank (required)
+# ===================
+# Used for search result reranking. Supports vLLM or DeepInfra.
+
+RERANK_PROVIDER=deepinfra
+RERANK_API_KEY=your-deepinfra-key-here
+RERANK_BASE_URL=https://api.deepinfra.com/v1/inference
+RERANK_MODEL=Qwen/Qwen3-Reranker-4B
+RERANK_TIMEOUT=30
+RERANK_MAX_RETRIES=3
+RERANK_BATCH_SIZE=10
+RERANK_MAX_CONCURRENT=5
+
+# Optional: fallback rerank provider
+# RERANK_FALLBACK_PROVIDER=none
+# RERANK_FALLBACK_API_KEY=
+# RERANK_FALLBACK_BASE_URL=
+
+
+# ===================
+# Application Settings
+# ===================
+
+LOG_LEVEL=INFO
+ENV=dev
+MEMORY_LANGUAGE=en

package/docker/evermemos/Dockerfile

@@ -0,0 +1,133 @@
+###############################################################################
+# EverMemOS All-in-One Container
+#
+# Bundles all required services into a single container:
+#   - MongoDB 7.0      (port 27017)
+#   - Elasticsearch 8   (port 9200, internal only)
+#   - Milvus standalone (port 19530, with embedded etcd)
+#   - Redis 7           (port 6379, internal only)
+#   - EverMemOS API     (port 1995, exposed)
+#
+# Managed by supervisord. All data stored under /data.
+#
+# Pinned to EverMemOS commit SHA for reproducibility.
+# Update EVERMEMOS_COMMIT to upgrade.
+#
+# Build:
+#   docker compose build evermemos
+#
+# Override version at build time:
+#   docker compose build --build-arg EVERMEMOS_COMMIT=<sha> evermemos
+###############################################################################
+
+# Stage 1: Extract Milvus binaries from official image
+FROM milvusdb/milvus:v2.5.2 AS milvus-source
+
+# Stage 2: All-in-one container
+FROM ubuntu:22.04
+
+ARG EVERMEMOS_COMMIT=3c9a2d02460748310c7707048f7ed6b6bb078ab4
+ARG TARGETARCH
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# ---------------------------------------------------------------------------
+# Base packages + supervisord
+# ---------------------------------------------------------------------------
+RUN apt-get update && apt-get install -y --no-install-recommends \
+      supervisor curl wget gnupg git ca-certificates \
+      python3 python3-pip python3-venv \
+      redis-server \
+    && rm -rf /var/lib/apt/lists/*
+
+# ---------------------------------------------------------------------------
+# MongoDB 7.0
+# ---------------------------------------------------------------------------
+RUN curl -fsSL https://www.mongodb.org/static/pgp/server-7.0.asc | \
+      gpg --dearmor -o /usr/share/keyrings/mongodb-server-7.0.gpg && \
+    echo "deb [ signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] \
+      https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/7.0 multiverse" \
+      > /etc/apt/sources.list.d/mongodb-org-7.0.list && \
+    apt-get update && \
+    apt-get install -y --no-install-recommends mongodb-org && \
+    rm -rf /var/lib/apt/lists/*
+
+# ---------------------------------------------------------------------------
+# Elasticsearch 8.11 (no security, single-node)
+# ---------------------------------------------------------------------------
+RUN curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | \
+      gpg --dearmor -o /usr/share/keyrings/elasticsearch.gpg && \
+    echo "deb [signed-by=/usr/share/keyrings/elasticsearch.gpg] \
+      https://artifacts.elastic.co/packages/8.x/apt stable main" \
+      > /etc/apt/sources.list.d/elasticsearch.list && \
+    apt-get update && \
+    apt-get install -y --no-install-recommends elasticsearch && \
+    rm -rf /var/lib/apt/lists/*
+
+# ES config: single-node, no security, limit heap
+RUN sed -i 's/xpack.security.enabled: true/xpack.security.enabled: false/' /etc/elasticsearch/elasticsearch.yml && \
+    sed -i '/cluster.initial_master_nodes/d' /etc/elasticsearch/elasticsearch.yml && \
+    echo "discovery.type: single-node" >> /etc/elasticsearch/elasticsearch.yml && \
+    echo "network.host: 127.0.0.1" >> /etc/elasticsearch/elasticsearch.yml && \
+    echo "-Xms512m" > /etc/elasticsearch/jvm.options.d/heap.options && \
+    echo "-Xmx512m" >> /etc/elasticsearch/jvm.options.d/heap.options
+
+# ---------------------------------------------------------------------------
+# Milvus standalone (copied from official Docker image)
+# ---------------------------------------------------------------------------
+COPY --from=milvus-source /milvus /opt/milvus
+RUN apt-get update && apt-get install -y --no-install-recommends \
+      libgomp1 libtbb2 libopenblas-dev libaio1 && \
+    rm -rf /var/lib/apt/lists/*
+
+# Milvus config for embedded etcd + local storage (no minio)
+RUN mkdir -p /data/milvus /opt/milvus/configs && \
+    printf '%s\n' \
+      'listen-client-urls: http://0.0.0.0:2379' \
+      'advertise-client-urls: http://0.0.0.0:2379' \
+      'quota-backend-bytes: 4294967296' \
+      'auto-compaction-mode: revision' \
+      "auto-compaction-retention: '1000'" \
+      > /opt/milvus/configs/embedEtcd.yaml
+
+ENV LD_LIBRARY_PATH=/opt/milvus/lib:$LD_LIBRARY_PATH
+ENV PATH=/opt/milvus/bin:$PATH
+
+# ---------------------------------------------------------------------------
+# EverMemOS (Python app from source)
+# ---------------------------------------------------------------------------
+RUN pip install --no-cache-dir uv
+
+WORKDIR /app
+RUN git clone https://github.com/EverMind-AI/EverMemOS.git . && \
+    git checkout "$EVERMEMOS_COMMIT" && \
+    uv sync --no-dev
+
+# ---------------------------------------------------------------------------
+# Data directories
+# ---------------------------------------------------------------------------
+RUN mkdir -p /data/mongodb /data/elasticsearch /data/milvus /data/redis
+
+# ---------------------------------------------------------------------------
+# Supervisord configuration
+# ---------------------------------------------------------------------------
+COPY supervisord.conf /etc/supervisor/conf.d/evermemos.conf
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+# ---------------------------------------------------------------------------
+# Trace overlay: read-only endpoint for message_id → derived memory ObjectIds
+# Same pattern as Graphiti's startup.py overlay — extends our image, not upstream.
+# ---------------------------------------------------------------------------
+COPY trace_overlay.py /app/trace_overlay.py
+RUN echo 'from trace_overlay import router as _trace_router; app.include_router(_trace_router)' >> /app/src/app.py
+
+# ---------------------------------------------------------------------------
+# Healthcheck — verify the EverMemOS API responds
+# ---------------------------------------------------------------------------
+HEALTHCHECK --interval=15s --timeout=10s --retries=10 --start-period=60s \
+  CMD curl -sf http://localhost:1995/health || exit 1
+
+EXPOSE 1995
+
+CMD ["/entrypoint.sh"]

package/docker/evermemos/docker-compose.yml

@@ -0,0 +1,52 @@
+###############################################################################
+# openclaw-memory-rebac — EverMemOS memory backend (all-in-one container)
+#
+# Single container bundles: MongoDB, Elasticsearch, Milvus, Redis, EverMemOS.
+# Managed by supervisord internally.
+#
+# Usage:
+#   cp .env.example .env          # configure LLM, vectorize, rerank API keys
+#   docker compose up -d          # builds image on first run (~5 min)
+#
+# EverMemOS endpoint:  http://localhost:1995
+#
+# Resource requirements: ~4 GB RAM (Elasticsearch + Milvus are memory-heavy)
+###############################################################################
+
+name: openclaw-evermemos
+
+services:
+  evermemos:
+    build:
+      context: .
+      args:
+        EVERMEMOS_COMMIT: 3c9a2d02460748310c7707048f7ed6b6bb078ab4
+    restart: unless-stopped
+    ports:
+      - "1995:1995"
+    env_file:
+      - .env
+    environment:
+      # All backing services run inside the container on localhost
+      MONGODB_HOST: 127.0.0.1
+      MONGODB_PORT: "27017"
+      MONGODB_USERNAME: ""
+      MONGODB_PASSWORD: ""
+      MONGODB_DATABASE: memsys
+      MONGODB_URI_PARAMS: "socketTimeoutMS=15000"
+      ES_HOSTS: http://127.0.0.1:9200
+      MILVUS_HOST: 127.0.0.1
+      MILVUS_PORT: "19530"
+      REDIS_HOST: 127.0.0.1
+      REDIS_PORT: "6379"
+    volumes:
+      - evermemos_data:/data
+    healthcheck:
+      test: ["CMD", "curl", "-sf", "http://localhost:1995/health"]
+      interval: 15s
+      timeout: 10s
+      retries: 10
+      start_period: 60s
+
+volumes:
+  evermemos_data:

package/docker/evermemos/trace_overlay.py

@@ -0,0 +1,128 @@
+"""
+Read-only tracing endpoint: message_id → derived memory ObjectIds.
+
+Mounted on the EverMemOS FastAPI app at startup via Dockerfile append.
+This is NOT a monkeypatch — it adds a new read-only endpoint to our Docker
+image, following the same pattern as the Graphiti startup.py overlay.
+
+Endpoint:
+    GET /api/v1/memories/trace/{message_id}
+
+Returns the MongoDB ObjectIds of all derived memories (episodic, foresight,
+event_log) produced from a given ingestion message. Used by the
+openclaw-memory-rebac plugin to write SpiceDB fragment relationships
+against the actual IDs that appear in search results.
+
+Response:
+    {
+        "message_id": "uuid-123",
+        "status": "complete|processing|not_found",
+        "memcell_ids": ["ObjectId-A"],
+        "derived_memories": {
+            "episodic_memory": ["ObjectId-B", ...],
+            "foresight": ["ObjectId-D", ...],
+            "event_log": ["ObjectId-E", ...],
+        },
+        "all_ids": ["ObjectId-B", "ObjectId-D", "ObjectId-E", ...]
+    }
+
+Uses pymongo (synchronous) since motor is not installed in EverMemOS.
+Blocking MongoDB calls are wrapped in asyncio.to_thread for FastAPI compat.
+"""
+
+import asyncio
+import os
+from pymongo import MongoClient
+from fastapi import APIRouter
+
+router = APIRouter(tags=["trace"])
+
+_db = None
+
+
+def _get_db():
+    global _db
+    if _db is None:
+        host = os.environ.get("MONGODB_HOST", "127.0.0.1")
+        port = os.environ.get("MONGODB_PORT", "27017")
+        username = os.environ.get("MONGODB_USERNAME", "")
+        password = os.environ.get("MONGODB_PASSWORD", "")
+        db_name = os.environ.get("MONGODB_DATABASE", "memsys")
+        if username and password:
+            mongo_uri = f"mongodb://{username}:{password}@{host}:{port}"
+        else:
+            mongo_uri = f"mongodb://{host}:{port}"
+        client = MongoClient(mongo_uri)
+        _db = client[db_name]
+    return _db
+
+
+def _trace_sync(message_id: str) -> dict:
+    """Synchronous MongoDB trace — run via asyncio.to_thread."""
+    db = _get_db()
+
+    # Step 1: Check if message_id exists in memory_request_logs
+    log_entry = db.memory_request_logs.find_one({"message_id": message_id})
+    if not log_entry:
+        return {
+            "message_id": message_id,
+            "status": "not_found",
+            "memcell_ids": [],
+            "derived_memories": {},
+            "all_ids": [],
+        }
+
+    # Step 2: Find memcell that contains this message_id in its original_data
+    # The message_id is stored at: original_data[*].messages[*].extend.message_id
+    memcell = db.memcells.find_one(
+        {"original_data.messages.extend.message_id": message_id}
+    )
+    if not memcell:
+        # Log exists but memcell not yet created — still in boundary detection
+        return {
+            "message_id": message_id,
+            "status": "processing",
+            "memcell_ids": [],
+            "derived_memories": {},
+            "all_ids": [],
+        }
+
+    memcell_id = str(memcell["_id"])
+
+    # Step 3: Query derived memory collections
+    derived = {
+        "episodic_memory": [],
+        "foresight": [],
+        "event_log": [],
+    }
+
+    for doc in db.episodic_memories.find(
+        {"memcell_event_id_list": memcell_id}, {"_id": 1}
+    ):
+        derived["episodic_memory"].append(str(doc["_id"]))
+
+    for doc in db.foresight_records.find(
+        {"parent_id": memcell_id, "parent_type": "memcell"}, {"_id": 1}
+    ):
+        derived["foresight"].append(str(doc["_id"]))
+
+    for doc in db.event_log_records.find(
+        {"parent_id": memcell_id, "parent_type": "memcell"}, {"_id": 1}
+    ):
+        derived["event_log"].append(str(doc["_id"]))
+
+    all_ids = [id_ for ids in derived.values() for id_ in ids]
+    status = "complete" if all_ids else "processing"
+
+    return {
+        "message_id": message_id,
+        "status": status,
+        "memcell_ids": [memcell_id],
+        "derived_memories": derived,
+        "all_ids": all_ids,
+    }
+
+
+@router.get("/api/v1/memories/trace/{message_id}")
+async def trace_message(message_id: str):
+    return await asyncio.to_thread(_trace_sync, message_id)

package/docker/spicedb/docker-compose.yml

@@ -28,7 +28,7 @@ services:
       POSTGRES_PASSWORD: ${SPICEDB_POSTGRES_PASSWORD:-spicedb}
       POSTGRES_DB: spicedb
     volumes:
-      - graphiti_spicedb_postgres_data:/var/lib/postgresql/data
+      - spicedb_postgres_data:/var/lib/postgresql/data
     healthcheck:
       test: ["CMD-SHELL", "pg_isready -U spicedb"]
       interval: 5s
@@ -56,8 +56,8 @@ services:
     command: serve
     restart: unless-stopped
     ports:
-      - "127.0.0.1:${SPICEDB_GRPC_PORT:-50051}:50051"   # gRPC
-      - "127.0.0.1:${SPICEDB_HTTP_PORT:-8080}:8080"      # HTTP metrics / healthz
+      - "${SPICEDB_GRPC_PORT:-50051}:50051"   # gRPC
+      - "${SPICEDB_HTTP_PORT:-8180}:8080"      # HTTP metrics / healthz
     environment:
       SPICEDB_GRPC_PRESHARED_KEY: ${SPICEDB_PRESHARED_KEY:-dev_token}
       SPICEDB_DATASTORE_ENGINE: postgres
@@ -76,4 +76,4 @@ services:
       start_period: 10s
 
 volumes:
-  graphiti_spicedb_postgres_data:
+  spicedb_postgres_data:

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@contextableai/openclaw-memory-rebac",
-  "version": "0.3.8",
-  "description": "OpenClaw two-layer memory plugin: SpiceDB ReBAC authorization + Graphiti knowledge graph",
+  "version": "0.4.0",
+  "description": "OpenClaw two-layer memory plugin: SpiceDB ReBAC authorization + pluggable storage (Graphiti, EverMemOS)",
   "type": "module",
   "license": "MIT",
   "repository": {
@@ -34,13 +34,15 @@
     "openclaw": "*"
   },
   "scripts": {
-    "build": "rm -rf dist && tsc -p tsconfig.build.json && cp plugin.defaults.json dist/ && mkdir -p dist/backends && cp backends/graphiti.defaults.json dist/backends/",
+    "build": "rm -rf dist && tsc -p tsconfig.build.json && cp plugin.defaults.json dist/ && mkdir -p dist/backends && cp backends/graphiti.defaults.json backends/evermemos.defaults.json dist/backends/",
     "prepublishOnly": "npm run build",
     "cli": "tsx bin/rebac-mem.ts",
     "typecheck": "tsc 2>&1 | grep -v '../openclaw/' | grep -c 'error TS' | xargs -I{} test {} -eq 0",
     "test": "vitest run",
     "test:watch": "vitest",
-    "test:e2e": "OPENCLAW_LIVE_TEST=1 vitest run --config vitest.e2e.config.ts"
+    "test:e2e": "OPENCLAW_LIVE_TEST=1 vitest run --config vitest.e2e.config.ts",
+    "test:e2e:backend": "OPENCLAW_LIVE_TEST=1 vitest run --config vitest.e2e.config.ts e2e-backend.test.ts",
+    "test:e2e:evermemos": "OPENCLAW_LIVE_TEST=1 E2E_BACKEND=evermemos vitest run --config vitest.e2e.config.ts e2e-evermemos.test.ts"
   },
   "dependencies": {
     "@authzed/authzed-node": "1.6.1",

package/schema.zed

@@ -10,8 +10,10 @@ definition agent {
 
 definition group {
     relation member: person | agent
-    permission access = member
-    permission contribute = member
+    relation owner: person | agent
+    permission access = member + owner
+    permission contribute = member + owner
+    permission admin = owner
 }
 
 definition memory_fragment {
@@ -24,4 +26,6 @@ definition memory_fragment {
     permission view = involves + shared_by + source_group->access + involves->represents
     // Can delete if: you shared it (owner-level control)
     permission delete = shared_by
+    // Can share if: you shared it, or you are an admin of the source group
+    permission share = shared_by + source_group->admin
 }