npm - @contextableai/openclaw-memory-rebac - Versions diffs - 0.4.2 → 0.5.1 - Mend

@contextableai/openclaw-memory-rebac 0.4.2 → 0.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/README.md +103 -78
package/dist/backend.d.ts +3 -20
package/dist/backends/evermemos.d.ts +5 -31
package/dist/backends/evermemos.defaults.json +1 -3
package/dist/backends/evermemos.js +5 -75
package/dist/config.d.ts +13 -1
package/dist/config.js +40 -6
package/dist/index.js +157 -42
package/docker/evermemos/Dockerfile +0 -7
package/package.json +2 -2
package/docker/evermemos/trace_overlay.py +0 -128

package/README.md CHANGED Viewed

@@ -1,65 +1,60 @@
 # @contextableai/openclaw-memory-rebac
-Two-layer memory plugin for OpenClaw: **SpiceDB** for authorization, **pluggable backends** for knowledge storage.
+Composite memory plugin for OpenClaw: **Graphiti** knowledge graph (primary) with optional **EverMemOS** liminal memory, authorized by **SpiceDB** ReBAC.
-Agents remember conversations as structured knowledge. SpiceDB enforces who can read and write which memories — authorization lives at the data layer, not in prompts. The backend is swappable: start with Graphiti's knowledge graph today, add new storage engines tomorrow.
+Agents remember conversations as structured knowledge. SpiceDB enforces who can read and write which memories — authorization lives at the data layer, not in prompts. Two operating modes: **unified** (Graphiti handles everything) or **hybrid** (Graphiti for tools, EverMemOS for conversational hooks, with a promotion bridge).
 ## Architecture
 ```
-┌──────────────────────────────────────────────────┐
-│                    OpenClaw Agent                 │
-│                                                  │
-│  memory_recall ──► SpiceDB ──► Backend Search    │
-│  memory_store  ──► SpiceDB ──► Backend Write     │
-│  memory_forget ──► SpiceDB ──► Backend Delete    │
-│  auto-recall   ──► SpiceDB ──► Backend Search    │
-│  auto-capture  ──► SpiceDB ──► Backend Write     │
-└──────────────────────────────────────────────────┘
-         │                           │
-    ┌────▼────┐                ┌─────▼─────┐
-    │ SpiceDB │                │  Backend   │
-    │ (authz) │                │ (storage)  │
-    └─────────┘                └───────────┘
+Unified mode (default):
+  Tools + hooks → Graphiti → SpiceDB auth on all fragments.
+Hybrid mode (liminal: "evermemos"):
+  ├── Tools → Graphiti (primary, ReBAC authorized)
+  │   ├── memory_recall, memory_store, memory_forget
+  │   ├── memory_share / unshare
+  │   └── memory_promote (reads EverMemOS, writes Graphiti)
+  ├── Hooks → EverMemOS only (liminal)
+  │   ├── before_agent_start → EverMemOS auto-recall (recent context)
+  │   └── agent_end → EverMemOS auto-capture (no SpiceDB writes)
+  └── SpiceDB (Graphiti fragments only)
 ```
-**SpiceDB** determines which `group_id`s a subject (agent or person) can access. The **backend** stores and searches memories scoped to those groups. Authorization is enforced before any read or write reaches the backend.
+**SpiceDB** determines which `group_id`s a subject (agent or person) can access. The **primary backend** (Graphiti) stores and searches memories scoped to those groups. In hybrid mode, the **liminal backend** (EverMemOS) handles conversational auto-recall and auto-capture without SpiceDB authorization — important memories are promoted to Graphiti via the `memory_promote` tool.
-### Why Two Layers?
+### Why This Design?
-Most memory systems bundle authorization with storage — you get dataset isolation, but it's tied to the storage engine's auth model. That creates conflicts when you need external authorization (like SpiceDB) or want to swap backends without re-implementing access control.
-openclaw-memory-rebac separates these concerns:
+Most memory systems bundle authorization with storage. openclaw-memory-rebac separates these concerns:
 - **SpiceDB** owns the authorization model (relationships, permissions, consistency)
-- **Backends** own the storage model (indexing, search, extraction)
-- The plugin orchestrates both — authorization check first, then backend operation
+- **Graphiti** owns the curated knowledge graph (entities, facts, structured retrieval)
+- **EverMemOS** (optional) owns conversational context (episodic memory, foresight, profiles)
+- The plugin orchestrates all three — routing tools to Graphiti with SpiceDB authorization, and hooks to the liminal backend
-This means you can change your storage engine without touching authorization, and vice versa.
+In unified mode, Graphiti handles everything (same as a single-backend plugin). In hybrid mode, EverMemOS captures conversational context automatically while Graphiti remains the authoritative knowledge store accessed via tools.
 ## Backends
-### Graphiti (default)
+### Graphiti (primary)
-[Graphiti](https://github.com/getzep/graphiti) builds a knowledge graph from conversations. It extracts entities, facts, and relationships, storing them in Neo4j for structured retrieval.
+[Graphiti](https://github.com/getzep/graphiti) builds a knowledge graph from conversations. It extracts entities, facts, and relationships, storing them in Neo4j for structured retrieval. Always serves as the primary backend for tools and SpiceDB-authorized operations.
 - **Storage**: Neo4j graph database
 - **Transport**: Direct REST API to Graphiti FastAPI server
 - **Extraction**: LLM-powered entity and relationship extraction (~300 embedding calls per episode)
 - **Search**: Dual-mode — searches both nodes (entities) and facts (relationships) in parallel
 - **Docker image**: Custom image (`docker/graphiti/`) with per-component LLM/embedder/reranker configuration, BGE reranker support, and runtime patches for local-model compatibility
-- **Best for**: Rich entity-relationship extraction, structured knowledge
-### EverMemOS
+### EverMemOS (liminal)
-[EverMemOS](https://github.com/EverMind-AI/EverMemOS) is a memory system with MemCell boundary detection and parallel LLM extraction. It produces richer memory types — episodic memories, user profiles, foresight (predictions), and event logs.
+[EverMemOS](https://github.com/EverMind-AI/EverMemOS) is a conversational memory system with MemCell boundary detection and parallel LLM extraction. In hybrid mode, it serves as the **liminal backend** — handling auto-recall and auto-capture hooks without SpiceDB authorization.
 - **Storage**: MongoDB + Milvus (vector) + Elasticsearch (keyword)
 - **Transport**: REST API to EverMemOS FastAPI server (port 1995)
-- **Extraction**: MemCell pipeline — automatic boundary detection, then parallel LLM extraction of multiple memory types
+- **Extraction**: MemCell pipeline — automatic boundary detection, then parallel LLM extraction of episodic memories, profiles, foresight, and event logs
 - **Search**: Hybrid (vector + keyword + reranking), configurable via `retrieveMethod`
 - **Docker image**: Built from source (`docker/evermemos/Dockerfile`), pinned to upstream release tag (v1.1.0)
-- **Best for**: Rich memory type diversity, foresight extraction, hybrid search
-- **Limitation**: No `involves` at ingestion — use `memory_share` for post-hoc cross-group sharing
+- **Role**: Liminal only — not used for tool-based operations. Important memories are promoted to Graphiti via `memory_promote`.
 #### EverMemOS-specific config
@@ -92,7 +87,7 @@ Then restart the gateway. On first start, the plugin automatically:
 ### 1. Start Infrastructure
-**Option A: Graphiti backend (default)**
+**Unified mode (Graphiti only — default)**
 ```bash
 cd docker
@@ -103,20 +98,23 @@ docker compose -f docker-compose.graphiti.yml up -d
 This starts: Neo4j (7687), Graphiti (8000), PostgreSQL (5432), SpiceDB (50051).
-**Option B: EverMemOS backend**
+**Hybrid mode (Graphiti + EverMemOS)**
 ```bash
+# Start Graphiti stack
+cd docker
+cp graphiti/.env.example graphiti/.env
+docker compose -f docker-compose.graphiti.yml up -d
+# Start EverMemOS stack (shares SpiceDB)
 cd docker/evermemos
 cp .env.example .env
 # Edit .env — set LLM_API_KEY, VECTORIZE_API_KEY, RERANK_API_KEY
-cd docker
+cd ..
 docker compose -f docker-compose.evermemos.yml up -d
 ```
-This starts: EverMemOS all-in-one container (1995), PostgreSQL (5432), SpiceDB (50051). First run builds the image from source (~5 min).
-Both options share the same SpiceDB instance with the same authorization schema.
+This starts both stacks. EverMemOS first run builds from source (~5 min). Both share the same SpiceDB instance.
 ### 2. Restart the Gateway
@@ -135,7 +133,7 @@ rebac-mem add-member family dad --type person
 ## Tools
-The plugin registers four tools available to the agent:
+The plugin registers the following tools (plus `memory_promote` in hybrid mode):
 ### memory_recall
@@ -177,24 +175,39 @@ Delete a memory fragment. Requires `delete` permission (only the subject who sto
 Check the health of the backend and SpiceDB services. No parameters.
+### memory_promote (hybrid mode only)
+Promote memories from the liminal backend (EverMemOS) into the primary knowledge graph (Graphiti) with full SpiceDB authorization.
+| Parameter | Type | Default | Description |
+|-----------|------|---------|-------------|
+| `query` | string | *required* | Search query to find memories to promote |
+| `groupId` | string | configured default | Target group in the knowledge graph |
+| `limit` | number | 3 | Max memories to promote |
+Searches EverMemOS for matching memories, stores each into Graphiti, and writes SpiceDB fragment relationships. This bridges short-term conversational context into the long-term authorized knowledge graph.
 ## Automatic Behaviors
 ### Auto-Recall
-When enabled (default: `true`), the plugin searches relevant memories before each agent turn and injects them into the conversation context as `<relevant-memories>` blocks.
+When enabled (default: `true`), the plugin searches relevant memories before each agent turn and injects them into context.
+**Unified mode**: Searches Graphiti via SpiceDB-authorized groups. Injects as `<relevant-memories>` blocks. Searches up to 5 long-term and 3 session memories per turn, deduplicates session results against long-term.
-- Searches up to 5 long-term memories and 3 session memories per turn
-- Deduplicates session results against long-term results
-- Only triggers when the user prompt is at least 5 characters
+**Hybrid mode**: Searches EverMemOS only (no SpiceDB). Injects as `<recent-context>` blocks. The agent accesses Graphiti knowledge on-demand via the `memory_recall` tool.
+Both modes only trigger when the user prompt is at least 5 characters.
 ### Auto-Capture
-When enabled (default: `true`), the plugin captures the last N messages from each completed agent turn and stores them as a batch episode.
+When enabled (default: `true`), the plugin captures the last N messages from each completed agent turn.
+**Unified mode**: Stores to Graphiti with full SpiceDB fragment authorization. Uses custom extraction instructions.
-- Captures up to `maxCaptureMessages` messages (default: 10)
-- Stores to the current session group by default
-- Skips messages shorter than 5 characters and injected context blocks
-- Uses custom extraction instructions for entity/fact extraction
+**Hybrid mode**: Stores to EverMemOS only (fire-and-forget, no SpiceDB writes). EverMemOS handles extraction internally via its MemCell pipeline. Important memories are promoted to Graphiti via `memory_promote`.
+Both modes capture up to `maxCaptureMessages` messages (default: 10), skip messages shorter than 5 characters, and skip injected context blocks.
 ### Session Filtering
@@ -308,7 +321,8 @@ Agents without an `identities` entry (like service agents) are not linked to any
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| `backend` | string | `graphiti` | Storage backend (`graphiti`) |
+| `backend` | string | `graphiti` | Primary backend for tools and SpiceDB-authorized operations |
+| `liminal` | string | *(same as backend)* | Liminal backend for auto-recall/capture hooks. Set to `"evermemos"` for hybrid mode |
 | `spicedb.endpoint` | string | `localhost:50051` | SpiceDB gRPC endpoint |
 | `spicedb.token` | string | *required* | SpiceDB pre-shared key (supports `${ENV_VAR}`) |
 | `spicedb.insecure` | boolean | `true` | Allow insecure gRPC (for localhost dev) |
@@ -417,36 +431,47 @@ npx tsx bin/rebac-mem.ts status
 OpenClaw has an exclusive `memory` slot — only one memory plugin is active at a time:
+**Unified mode** (Graphiti only):
+```json
+{
+  "plugins": {
+    "slots": { "memory": "openclaw-memory-rebac" },
+    "entries": {
+      "openclaw-memory-rebac": {
+        "enabled": true,
+        "config": {
+          "backend": "graphiti",
+          "spicedb": { "endpoint": "localhost:50051", "token": "dev_token", "insecure": true },
+          "graphiti": { "endpoint": "http://localhost:8000", "defaultGroupId": "main" },
+          "subjectType": "agent",
+          "subjectId": "my-agent",
+          "identities": { "my-agent": "U0123ABC" }
+        }
+      }
+    }
+  }
+}
+```
+**Hybrid mode** (Graphiti + EverMemOS):
 ```json
 {
   "plugins": {
-    "slots": {
-      "memory": "openclaw-memory-rebac"
-    },
+    "slots": { "memory": "openclaw-memory-rebac" },
     "entries": {
       "openclaw-memory-rebac": {
         "enabled": true,
         "config": {
           "backend": "graphiti",
-          "spicedb": {
-            "endpoint": "localhost:50051",
-            "token": "dev_token",
-            "insecure": true
-          },
-          "graphiti": {
-            "endpoint": "http://localhost:8000",
-            "defaultGroupId": "main"
-          },
+          "liminal": "evermemos",
+          "spicedb": { "endpoint": "localhost:50051", "token": "dev_token", "insecure": true },
+          "graphiti": { "endpoint": "http://localhost:8000", "defaultGroupId": "main" },
+          "evermemos": { "endpoint": "http://localhost:1995" },
           "subjectType": "agent",
           "subjectId": "my-agent",
-          "identities": {
-            "my-agent": "U0123ABC"
-          },
-          "autoCapture": true,
-          "autoRecall": true,
-          "sessionFilter": {
-            "excludePatterns": ["cron"]
-          }
+          "identities": { "my-agent": "U0123ABC" }
         }
       }
     }
@@ -479,17 +504,17 @@ rebac-mem import --include-sessions
 ## Docker Compose
-The `docker/` directory contains modular Docker Compose stacks. Two top-level compose files select which memory backend to pair with SpiceDB:
+The `docker/` directory contains modular Docker Compose stacks:
 ```bash
-# Graphiti + SpiceDB
+# Unified mode: Graphiti + SpiceDB
 cd docker && docker compose -f docker-compose.graphiti.yml up -d
-# EverMemOS + SpiceDB
+# Hybrid mode: add EverMemOS (shares SpiceDB with Graphiti stack)
 cd docker && docker compose -f docker-compose.evermemos.yml up -d
 ```
-Both share the same SpiceDB sub-stack — same authorization schema, same permissions model.
+Both stacks share the same SpiceDB sub-stack — same authorization schema, same permissions model.
 ### Graphiti Stack (`docker/graphiti/`)
@@ -556,9 +581,9 @@ OPENCLAW_LIVE_TEST=1 npm run test:e2e
 ### Project Structure
 ```
-├── index.ts                  # Plugin entry: tools, hooks, CLI, service
-├── backend.ts                # MemoryBackend interface (all backends implement this)
-├── config.ts                 # Config schema, validation, backend factory
+├── index.ts                  # Plugin entry: tools, hooks, composite routing
+├── backend.ts                # MemoryBackend interface
+├── config.ts                 # Config schema, validation, backend + liminal factory
 ├── cli.ts                    # Shared CLI commands (plugin + standalone)
 ├── search.ts                 # Multi-group parallel search, dedup, formatting
 ├── authorization.ts          # Authorization logic (SpiceDB operations)
@@ -589,7 +614,7 @@ OPENCLAW_LIVE_TEST=1 npm run test:e2e
 │   │   └── .env.example       # LLM, vectorize, rerank API keys
 │   └── spicedb/
 │       └── docker-compose.yml
-├── *.test.ts                 # Unit tests (178)
+├── *.test.ts                 # Unit tests (186)
 ├── e2e.test.ts               # Graphiti E2E tests (14, live services)
 ├── e2e-backend.test.ts       # Backend-agnostic E2E contract (13)
 ├── e2e-evermemos.test.ts     # EverMemOS-specific E2E (7)

package/dist/backend.d.ts CHANGED Viewed

@@ -30,14 +30,11 @@ export type SearchResult = {
  * Returned by store(). The fragmentId resolves to the UUID that will be
  * registered in SpiceDB.
  *
- * - Graphiti: Resolves once the server has processed the episode (polled in the background).
- * - EverMemOS: Resolves immediately to our generated message_id UUID. This anchor is used
- *   for share/involves SpiceDB relationships. Note: search result IDs (MongoDB ObjectIds)
- *   differ from this anchor, so involves-based cross-group recall post-filtering won't
- *   match — group-level access handles the common path.
+ * Graphiti: Resolves once the server has processed the episode (polled in the background).
+ * EverMemOS (liminal mode): Resolves immediately to a generated message_id UUID.
  *
  * index.ts chains SpiceDB writeFragmentRelationships() to this Promise,
- * so it always fires at the right time.
+ * so it always fires at the right time (primary/unified mode only).
  */
 export type StoreResult = {
     fragmentId: Promise<string>;
@@ -142,20 +139,6 @@ export interface MemoryBackend {
      * Optional: not all backends separate episodes from fragments.
      */
     discoverFragmentIds?(episodeId: string): Promise<string[]>;
-    /**
-     * Resolve anchor IDs (e.g. message UUIDs written to SpiceDB during store)
-     * to actual searchable fragment IDs (e.g. MongoDB ObjectIds).
-     *
-     * Called during recall when viewable fragment IDs from SpiceDB don't match
-     * any search results — indicates the anchors were written before extraction
-     * completed (discoverFragmentIds timed out).
-     *
-     * Returns a Map of anchor → resolved fragment IDs. Only anchors that
-     * successfully resolved are included; unresolvable anchors are omitted.
-     *
-     * Optional: backends where store IDs match search IDs don't need this.
-     */
-    resolveAnchors?(anchorIds: string[]): Promise<Map<string, string[]>>;
     /**
      * Register backend-specific CLI subcommands onto the shared `rebac-mem` command.
      * Called once during CLI setup. Backend may register any commands it needs.

package/dist/backends/evermemos.d.ts CHANGED Viewed

@@ -5,16 +5,12 @@
  * Messages are processed through the MemCell pipeline: boundary detection →
  * parallel LLM extraction of episodic memories, foresight, event logs, and profiles.
  *
- * store() returns immediately with a generated message_id as the fragment anchor.
- * With @timeout_to_background(), store may return 202 Accepted for background processing.
- *
- * discoverFragmentIds() polls a custom trace overlay endpoint to resolve the message_id
- * to actual MongoDB ObjectIds of derived memories. These ObjectIds are what search
- * results return, enabling fragment-level SpiceDB authorization (involves, share).
+ * In the composite plugin architecture, EverMemOS serves as the **liminal** backend:
+ * hook-driven auto-recall and auto-capture with no SpiceDB fragment authorization.
+ * Graphiti remains the primary backend for tool-based operations with full ReBAC.
  *
- * resolveAnchors() provides lazy resolution at recall time: if discoverFragmentIds()
- * timed out during store, unresolved anchors can be resolved later when someone
- * actually tries to recall the involved fragments.
+ * store() returns immediately with a generated message_id.
+ * With @timeout_to_background(), store may return 202 Accepted for background processing.
  */
 import type { Command } from "commander";
 import type { MemoryBackend, SearchResult, StoreResult, ConversationTurn, BackendDataset } from "../backend.js";
@@ -25,18 +21,11 @@ export type EverMemOSConfig = {
     retrieveMethod: string;
     memoryTypes: string[];
     defaultSenderId: string;
-    discoveryPollIntervalMs: number;
-    discoveryTimeoutMs: number;
 };
 export declare class EverMemOSBackend implements MemoryBackend {
     private readonly config;
     readonly name = "evermemos";
     private readonly requestTimeoutMs;
-    /**
-     * Tracks pending stores: messageId → groupId.
-     * Populated by store(), consumed by discoverFragmentIds().
-     */
-    private readonly pendingStores;
     constructor(config: EverMemOSConfig);
     private restCall;
     store(params: {
@@ -63,21 +52,6 @@ export declare class EverMemOSBackend implements MemoryBackend {
     deleteGroup(groupId: string): Promise<void>;
     listGroups(): Promise<BackendDataset[]>;
     deleteFragment(uuid: string, _type?: string): Promise<boolean>;
-    /**
-     * Poll the trace overlay endpoint to discover MongoDB ObjectIds of derived
-     * memories (episodic, foresight, event_log) produced from a stored message.
-     *
-     * Called by index.ts after store() resolves the fragmentId Promise.
-     * Returns ObjectIds that match what search results return, enabling
-     * fragment-level SpiceDB authorization (involves, share/unshare).
-     */
-    discoverFragmentIds(messageId: string): Promise<string[]>;
-    /**
-     * Lazy resolution: resolve unmatched SpiceDB anchor UUIDs to actual
-     * searchable fragment IDs. Called during recall when viewable fragment IDs
-     * from SpiceDB don't match any search results.
-     */
-    resolveAnchors(anchorIds: string[]): Promise<Map<string, string[]>>;
     registerCliCommands(cmd: Command): void;
 }
 export declare const defaults: Record<string, unknown>;

package/dist/backends/evermemos.defaults.json CHANGED Viewed

@@ -4,7 +4,5 @@
   "requestTimeoutMs": 30000,
   "retrieveMethod": "hybrid",
   "memoryTypes": ["episodic_memory", "profile", "foresight", "event_log"],
-  "defaultSenderId": "system",
-  "discoveryPollIntervalMs": 3000,
-  "discoveryTimeoutMs": 120000
+  "defaultSenderId": "system"
 }

package/dist/backends/evermemos.js CHANGED Viewed

@@ -5,16 +5,12 @@
  * Messages are processed through the MemCell pipeline: boundary detection →
  * parallel LLM extraction of episodic memories, foresight, event logs, and profiles.
  *
- * store() returns immediately with a generated message_id as the fragment anchor.
- * With @timeout_to_background(), store may return 202 Accepted for background processing.
- *
- * discoverFragmentIds() polls a custom trace overlay endpoint to resolve the message_id
- * to actual MongoDB ObjectIds of derived memories. These ObjectIds are what search
- * results return, enabling fragment-level SpiceDB authorization (involves, share).
+ * In the composite plugin architecture, EverMemOS serves as the **liminal** backend:
+ * hook-driven auto-recall and auto-capture with no SpiceDB fragment authorization.
+ * Graphiti remains the primary backend for tool-based operations with full ReBAC.
  *
- * resolveAnchors() provides lazy resolution at recall time: if discoverFragmentIds()
- * timed out during store, unresolved anchors can be resolved later when someone
- * actually tries to recall the involved fragments.
+ * store() returns immediately with a generated message_id.
+ * With @timeout_to_background(), store may return 202 Accepted for background processing.
  */
 import { randomUUID } from "node:crypto";
 import { request as undiciRequest } from "undici";
@@ -66,11 +62,6 @@ export class EverMemOSBackend {
     config;
     name = "evermemos";
     requestTimeoutMs;
-    /**
-     * Tracks pending stores: messageId → groupId.
-     * Populated by store(), consumed by discoverFragmentIds().
-     */
-    pendingStores = new Map();
     constructor(config) {
         this.config = config;
         this.requestTimeoutMs = config.requestTimeoutMs ?? 30000;
@@ -140,11 +131,6 @@ export class EverMemOSBackend {
         await this.restCall("POST", "/api/v1/memories", request);
         // EverMemOS processes messages asynchronously through its MemCell pipeline.
         // customPrompt is ignored — EverMemOS handles extraction internally.
-        //
-        // We return our generated message_id as the fragment anchor for SpiceDB.
-        // discoverFragmentIds() will resolve this to actual MongoDB ObjectIds via
-        // the trace overlay endpoint, enabling fragment-level involves/share.
-        this.pendingStores.set(messageId, { groupId: params.groupId });
         return { fragmentId: Promise.resolve(messageId) };
     }
     async searchGroup(params) {
@@ -273,62 +259,6 @@ export class EverMemOSBackend {
         }
     }
     // --------------------------------------------------------------------------
-    // Fragment discovery via trace overlay
-    // --------------------------------------------------------------------------
-    /**
-     * Poll the trace overlay endpoint to discover MongoDB ObjectIds of derived
-     * memories (episodic, foresight, event_log) produced from a stored message.
-     *
-     * Called by index.ts after store() resolves the fragmentId Promise.
-     * Returns ObjectIds that match what search results return, enabling
-     * fragment-level SpiceDB authorization (involves, share/unshare).
-     */
-    async discoverFragmentIds(messageId) {
-        const pending = this.pendingStores.get(messageId);
-        if (!pending)
-            return [];
-        this.pendingStores.delete(messageId);
-        const pollInterval = this.config.discoveryPollIntervalMs ?? 3000;
-        const timeout = this.config.discoveryTimeoutMs ?? 120000;
-        const maxAttempts = Math.ceil(timeout / pollInterval);
-        for (let attempt = 0; attempt < maxAttempts; attempt++) {
-            await new Promise((r) => setTimeout(r, pollInterval));
-            try {
-                const trace = await this.restCall("GET", `/api/v1/memories/trace/${encodeURIComponent(messageId)}`);
-                if (trace.status === "not_found")
-                    return [];
-                if (trace.status === "complete" && trace.all_ids.length > 0) {
-                    return trace.all_ids;
-                }
-                // status === "processing" → keep polling
-            }
-            catch {
-                // Trace endpoint may not be available (older image) — keep trying
-            }
-        }
-        return []; // Timeout — fallback writes the messageId anchor to SpiceDB
-    }
-    /**
-     * Lazy resolution: resolve unmatched SpiceDB anchor UUIDs to actual
-     * searchable fragment IDs. Called during recall when viewable fragment IDs
-     * from SpiceDB don't match any search results.
-     */
-    async resolveAnchors(anchorIds) {
-        const result = new Map();
-        for (const anchor of anchorIds) {
-            try {
-                const trace = await this.restCall("GET", `/api/v1/memories/trace/${encodeURIComponent(anchor)}`);
-                if (trace.status === "complete" && trace.all_ids.length > 0) {
-                    result.set(anchor, trace.all_ids);
-                }
-            }
-            catch {
-                // anchor may not be a message_id (e.g. already an ObjectId) — skip
-            }
-        }
-        return result;
-    }
-    // --------------------------------------------------------------------------
     // Backend-specific CLI commands
     // --------------------------------------------------------------------------
     registerCliCommands(cmd) {

package/dist/config.d.ts CHANGED Viewed

@@ -8,12 +8,18 @@
 import type { MemoryBackend } from "./backend.js";
 export type RebacMemoryConfig = {
     backend: string;
+    /** Liminal backend name for hook-driven auto-recall/capture. Defaults to `backend`. */
+    liminal: string;
+    /** True when liminal differs from backend (hybrid mode: separate backends for hooks vs tools). */
+    isHybrid: boolean;
     spicedb: {
         endpoint: string;
         token: string;
         insecure: boolean;
     };
     backendConfig: Record<string, unknown>;
+    /** Liminal backend config (same as backendConfig when unified, separate in hybrid mode). */
+    liminalConfig: Record<string, unknown>;
     subjectType: "agent" | "person";
     subjectId: string;
     /** Maps agent IDs to their owner person IDs (e.g., Slack user IDs). */
@@ -32,10 +38,16 @@ export declare const rebacMemoryConfigSchema: {
     parse(value: unknown): RebacMemoryConfig;
 };
 /**
- * Instantiate the configured MemoryBackend from the parsed config.
+ * Instantiate the primary MemoryBackend (used for tools + SpiceDB auth).
  * Call this once during plugin registration — the returned backend is stateful.
  */
 export declare function createBackend(cfg: RebacMemoryConfig): MemoryBackend;
+/**
+ * Instantiate the liminal MemoryBackend (used for hook-driven auto-recall/capture).
+ * In unified mode (liminal === backend), callers should reuse the primary instance.
+ * In hybrid mode, this creates a separate instance from the liminal backend's config.
+ */
+export declare function createLiminalBackend(cfg: RebacMemoryConfig): MemoryBackend;
 /**
  * Return the default group ID for the active backend.
  */

package/dist/config.js CHANGED Viewed

@@ -53,20 +53,40 @@ export const rebacMemoryConfigSchema = {
         const entry = backendRegistry[backendName];
         if (!entry)
             throw new Error(`Unknown backend: "${backendName}"`);
-        // Top-level allowed keys: shared keys + the backend name key
-        assertAllowedKeys(cfg, [
-            "backend", "spicedb",
+        // Liminal backend: defaults to the primary backend (unified mode).
+        // Set to a different backend name for hybrid mode (e.g., "evermemos").
+        const liminalName = typeof cfg.liminal === "string" ? cfg.liminal : backendName;
+        const liminalEntry = backendRegistry[liminalName];
+        if (!liminalEntry)
+            throw new Error(`Unknown liminal backend: "${liminalName}"`);
+        const isHybrid = liminalName !== backendName;
+        // Top-level allowed keys: shared keys + backend name keys
+        const allowedKeys = [
+            "backend", "liminal", "spicedb",
             "subjectType", "subjectId", "identities", "groupOwners",
             "autoCapture", "autoRecall", "maxCaptureMessages", "sessionFilter",
             backendName,
-        ], "openclaw-memory-rebac config");
+        ];
+        if (isHybrid)
+            allowedKeys.push(liminalName);
+        assertAllowedKeys(cfg, allowedKeys, "openclaw-memory-rebac config");
         // SpiceDB config (shared)
         const spicedb = cfg.spicedb ?? {};
         assertAllowedKeys(spicedb, ["endpoint", "token", "insecure"], "spicedb config");
-        // Backend config: user overrides merged over JSON defaults
+        // Primary backend config: user overrides merged over JSON defaults
         const backendRaw = cfg[backendName] ?? {};
         assertAllowedKeys(backendRaw, Object.keys(entry.defaults), `${backendName} config`);
         const backendConfig = { ...entry.defaults, ...backendRaw };
+        // Liminal backend config: same as primary in unified mode, separate in hybrid
+        let liminalConfig;
+        if (isHybrid) {
+            const liminalRaw = cfg[liminalName] ?? {};
+            assertAllowedKeys(liminalRaw, Object.keys(liminalEntry.defaults), `${liminalName} config`);
+            liminalConfig = { ...liminalEntry.defaults, ...liminalRaw };
+        }
+        else {
+            liminalConfig = backendConfig;
+        }
         const subjectType = cfg.subjectType === "person" ? "person" : pluginDefaults.subjectType;
         const subjectId = typeof cfg.subjectId === "string" ? resolveEnvVars(cfg.subjectId) : pluginDefaults.subjectId;
         // Parse identities: { "main": "U0123ABC", "work": "U0456DEF" }
@@ -94,6 +114,8 @@ export const rebacMemoryConfigSchema = {
         }
         return {
             backend: backendName,
+            liminal: liminalName,
+            isHybrid,
             spicedb: {
                 endpoint: typeof spicedb.endpoint === "string"
                     ? spicedb.endpoint
@@ -104,6 +126,7 @@ export const rebacMemoryConfigSchema = {
                     : pluginDefaults.spicedb.insecure,
             },
             backendConfig,
+            liminalConfig,
             subjectType,
             subjectId,
             identities,
@@ -121,7 +144,7 @@ export const rebacMemoryConfigSchema = {
 // Backend factory
 // ============================================================================
 /**
- * Instantiate the configured MemoryBackend from the parsed config.
+ * Instantiate the primary MemoryBackend (used for tools + SpiceDB auth).
  * Call this once during plugin registration — the returned backend is stateful.
  */
 export function createBackend(cfg) {
@@ -130,6 +153,17 @@ export function createBackend(cfg) {
         throw new Error(`Unknown backend: "${cfg.backend}"`);
     return entry.create(cfg.backendConfig);
 }
+/**
+ * Instantiate the liminal MemoryBackend (used for hook-driven auto-recall/capture).
+ * In unified mode (liminal === backend), callers should reuse the primary instance.
+ * In hybrid mode, this creates a separate instance from the liminal backend's config.
+ */
+export function createLiminalBackend(cfg) {
+    const entry = backendRegistry[cfg.liminal];
+    if (!entry)
+        throw new Error(`Unknown liminal backend: "${cfg.liminal}"`);
+    return entry.create(cfg.liminalConfig);
+}
 /**
  * Return the default group ID for the active backend.
  */

package/dist/index.js CHANGED Viewed

@@ -19,7 +19,7 @@ import { Type } from "@sinclair/typebox";
 import { readFileSync } from "node:fs";
 import { join, dirname } from "node:path";
 import { fileURLToPath } from "node:url";
-import { rebacMemoryConfigSchema, createBackend, defaultGroupId } from "./config.js";
+import { rebacMemoryConfigSchema, createBackend, createLiminalBackend, defaultGroupId } from "./config.js";
 import { SpiceDbClient } from "./spicedb.js";
 import { lookupAuthorizedGroups, lookupViewableFragments, lookupFragmentSourceGroups, lookupAgentOwner, writeFragmentRelationships, deleteFragmentRelationships, canDeleteFragment, canWriteToGroup, ensureGroupMembership, ensureGroupOwnership, canShareFragment, shareFragment, unshareFragment, } from "./authorization.js";
 import { searchAuthorizedMemories, formatDualResults, } from "./search.js";
@@ -95,8 +95,13 @@ const rebacMemoryPlugin = {
                 '  "config": { "spicedb": { "token": "<your-preshared-key>", "insecure": true } }');
         }
         const backend = createBackend(cfg);
+        const liminal = cfg.isHybrid ? createLiminalBackend(cfg) : backend;
+        const isHybrid = cfg.isHybrid;
         const spicedb = new SpiceDbClient(cfg.spicedb);
         const backendDefaultGroupId = defaultGroupId(cfg);
+        const liminalDefaultGroupId = isHybrid
+            ? (cfg.liminalConfig["defaultGroupId"] ?? "main")
+            : backendDefaultGroupId;
         // Suppress transient gRPC rejections from @grpc/grpc-js during connection setup
         const grpcRejectionHandler = (reason) => {
             const msg = String(reason);
@@ -140,7 +145,8 @@ const rebacMemoryPlugin = {
         api.registerTool((ctx) => ({
             name: "memory_recall",
             label: "Memory Recall",
-            description: "Search through memories using the knowledge graph. Returns results the current user is authorized to see. Supports session, long-term, or combined scope. REQUIRES a search query.",
+            description: "Search through memories using the knowledge graph. Returns results the current user is authorized to see. " +
+                "Supports session, long-term, or combined scope. REQUIRES a search query.",
             parameters: Type.Object({
                 query: Type.String({ description: "REQUIRED: Search query for semantic matching" }),
                 limit: Type.Optional(Type.Number({ description: "Max results (default: 10)" })),
@@ -218,40 +224,6 @@ const rebacMemoryPlugin = {
                                         // Post-filter: only keep results the owner is authorized to view
                                         const viewableSet = new Set(newIds);
                                         ownerFragmentResults = candidateResults.filter(r => viewableSet.has(r.uuid));
-                                        // Lazy resolution: if post-filter found nothing but we had viewable
-                                        // fragment IDs and candidate results, the IDs may be unresolved
-                                        // anchors (e.g. messageId UUIDs from a timed-out discoverFragmentIds).
-                                        // Try resolving them to actual searchable IDs via the backend.
-                                        if (ownerFragmentResults.length === 0 && candidateResults.length > 0 && backend.resolveAnchors) {
-                                            const resolved = await backend.resolveAnchors(newIds);
-                                            if (resolved.size > 0) {
-                                                const resolvedSet = new Set([...resolved.values()].flat());
-                                                ownerFragmentResults = candidateResults.filter(r => resolvedSet.has(r.uuid));
-                                                // Background: update SpiceDB so future recalls are fast
-                                                if (ownerFragmentResults.length > 0) {
-                                                    void (async () => {
-                                                        try {
-                                                            for (const [, objectIds] of resolved) {
-                                                                for (const objId of objectIds) {
-                                                                    const wt = await writeFragmentRelationships(spicedb, {
-                                                                        fragmentId: objId,
-                                                                        groupId: newGroups[0],
-                                                                        sharedBy: ownerSubject,
-                                                                        involves: [ownerSubject],
-                                                                    });
-                                                                    if (wt)
-                                                                        state.lastWriteToken = wt;
-                                                                }
-                                                            }
-                                                            api.logger.info(`openclaw-memory-rebac: lazy-resolved ${resolved.size} anchor(s) to ${ownerFragmentResults.length} fragment(s)`);
-                                                        }
-                                                        catch (lazyErr) {
-                                                            api.logger.warn(`openclaw-memory-rebac: lazy SpiceDB update failed: ${String(lazyErr)}`);
-                                                        }
-                                                    })();
-                                                }
-                                            }
-                                        }
                                     }
                                 }
                             }
@@ -605,6 +577,71 @@ const rebacMemoryPlugin = {
                 };
             },
         }), { name: "memory_status" });
+        // memory_promote: only available in hybrid mode (separate liminal backend)
+        if (isHybrid) {
+            api.registerTool((ctx) => ({
+                name: "memory_promote",
+                label: "Promote Memory",
+                description: "Promote memories from recent conversational context (liminal) into the long-term " +
+                    "knowledge graph with full ReBAC authorization. Searches the liminal backend and " +
+                    "stores matching results into the primary backend.",
+                parameters: Type.Object({
+                    query: Type.String({ description: "Search query to find memories to promote" }),
+                    groupId: Type.Optional(Type.String({ description: "Target group in the knowledge graph (default: primary default group)" })),
+                    limit: Type.Optional(Type.Number({ description: "Max memories to promote (default: 3)" })),
+                }),
+                async execute(_toolCallId, params) {
+                    const { query, groupId, limit: promoteLimit = 3 } = params;
+                    const subject = resolveSubject(ctx.agentId);
+                    const state = getState(ctx.agentId);
+                    const targetGroup = groupId ?? backendDefaultGroupId;
+                    // 1. Search the liminal backend
+                    const liminalResults = await searchAuthorizedMemories(liminal, {
+                        query,
+                        groupIds: [liminalDefaultGroupId],
+                        limit: promoteLimit,
+                    });
+                    if (liminalResults.length === 0) {
+                        return {
+                            content: [{ type: "text", text: "No matching memories found in recent context to promote." }],
+                            details: { promoted: 0 },
+                        };
+                    }
+                    // 2. Check write access to the target group
+                    const canWrite = await canWriteToGroup(spicedb, subject, targetGroup, state.lastWriteToken);
+                    if (!canWrite) {
+                        return {
+                            content: [{ type: "text", text: `Not authorized to write to group "${targetGroup}".` }],
+                            details: { promoted: 0, error: "authorization_denied" },
+                        };
+                    }
+                    // 3. Store each memory into the primary backend with full SpiceDB auth
+                    const promoted = [];
+                    for (const mem of liminalResults) {
+                        const storeResult = await backend.store({
+                            content: mem.summary,
+                            groupId: targetGroup,
+                            sourceDescription: `promoted from liminal (${mem.context || mem.type})`,
+                        });
+                        const fragmentId = await storeResult.fragmentId;
+                        const writeToken = await writeFragmentRelationships(spicedb, {
+                            fragmentId,
+                            groupId: targetGroup,
+                            sharedBy: subject,
+                        });
+                        if (writeToken)
+                            state.lastWriteToken = writeToken;
+                        promoted.push(fragmentId);
+                    }
+                    const summary = `Promoted ${promoted.length} memory/memories from recent context to "${targetGroup}":\n` +
+                        liminalResults.map((r, i) => `  ${i + 1}. [${r.type}] ${r.summary.slice(0, 100)}...`).join("\n");
+                    return {
+                        content: [{ type: "text", text: summary }],
+                        details: { promoted: promoted.length, fragmentIds: promoted, targetGroup },
+                    };
+                },
+            }), { name: "memory_promote" });
+        }
         // ========================================================================
         // CLI Commands
         // ========================================================================
@@ -635,6 +672,35 @@ const rebacMemoryPlugin = {
                 if (!event.prompt || event.prompt.length < 5)
                     return;
                 try {
+                    if (isHybrid) {
+                        // Hybrid mode: query liminal backend only (no SpiceDB auth).
+                        // Graphiti knowledge is accessed on-demand via memory_recall tool.
+                        const autoRecallLimit = 8;
+                        const liminalResults = await searchAuthorizedMemories(liminal, {
+                            query: event.prompt,
+                            groupIds: [liminalDefaultGroupId],
+                            limit: autoRecallLimit,
+                            sessionId: state.sessionId,
+                        });
+                        const toolHint = "<memory-tools>\n" +
+                            "You have memory tools:\n" +
+                            "- memory_recall: Use this BEFORE saying you don't know or remember something. Search the long-term knowledge graph for facts, preferences, people, decisions.\n" +
+                            "- memory_store: Save important new information to the knowledge graph.\n" +
+                            "- memory_share: Share a specific memory with other people/agents by ID.\n" +
+                            "- memory_unshare: Revoke view access to a memory from people/agents.\n" +
+                            "- memory_promote: Promote recent memories into the long-term knowledge graph.\n" +
+                            "</memory-tools>";
+                        if (liminalResults.length === 0)
+                            return { prependContext: toolHint };
+                        const memoryContext = liminalResults
+                            .map((r) => `[${r.type}:${r.uuid}] ${r.summary}${r.context ? ` (${r.context})` : ""}`)
+                            .join("\n");
+                        api.logger.info?.(`openclaw-memory-rebac: injecting ${liminalResults.length} liminal memories`);
+                        return {
+                            prependContext: `${toolHint}\n\n<recent-context>\nRecent conversational memory:\n${memoryContext}\n</recent-context>`,
+                        };
+                    }
+                    // Unified mode: query primary backend via SpiceDB-authorized groups (unchanged)
                     const authorizedGroups = await lookupAuthorizedGroups(spicedb, subject, state.lastWriteToken);
                     const longTermGroups = authorizedGroups.filter((g) => !isSessionGroup(g));
                     const sessionGroups = authorizedGroups.filter(isSessionGroup);
@@ -658,9 +724,11 @@ const rebacMemoryPlugin = {
                     const sessionResults = allResults.filter((r) => sessionGroupSet.has(r.group_id));
                     const totalCount = allResults.length;
                     const toolHint = "<memory-tools>\n" +
-                        "You have knowledge-graph memory tools. Use them proactively:\n" +
-                        "- memory_recall: Search for facts, preferences, people, decisions, or past context. Use this BEFORE saying you don't know or remember something.\n" +
+                        "You have memory tools:\n" +
+                        "- memory_recall: Use this BEFORE saying you don't know or remember something. Search for facts, preferences, people, decisions.\n" +
                         "- memory_store: Save important new information (preferences, decisions, facts about people).\n" +
+                        "- memory_share: Share a specific memory with other people/agents by ID.\n" +
+                        "- memory_unshare: Revoke view access to a memory from people/agents.\n" +
                         "</memory-tools>";
                     if (totalCount === 0)
                         return { prependContext: toolHint };
@@ -727,6 +795,53 @@ const rebacMemoryPlugin = {
                     if (conversationLines.length === 0)
                         return;
                     const episodeBody = conversationLines.join("\n");
+                    if (isHybrid) {
+                        // Hybrid mode: store to liminal backend only (fire-and-forget, no SpiceDB).
+                        // Primary backend (Graphiti) gets data only via explicit memory_store or memory_promote.
+                        const liminalGroupId = liminalDefaultGroupId;
+                        await liminal.store({
+                            content: episodeBody,
+                            groupId: liminalGroupId,
+                            sourceDescription: "auto-captured conversation",
+                        });
+                        // Liminal session enrichment
+                        if (liminal.enrichSession && state.sessionId) {
+                            const lastUserMsg = [...event.messages]
+                                .reverse()
+                                .find((m) => m.role === "user");
+                            const lastAssistMsg = [...event.messages]
+                                .reverse()
+                                .find((m) => m.role === "assistant");
+                            const extractText = (m) => {
+                                if (!m || typeof m !== "object")
+                                    return "";
+                                const obj = m;
+                                if (typeof obj.content === "string")
+                                    return obj.content;
+                                if (Array.isArray(obj.content)) {
+                                    return obj.content
+                                        .filter((b) => typeof b === "object" && b !== null &&
+                                        b.type === "text")
+                                        .map((b) => b.text)
+                                        .join("\n");
+                                }
+                                return "";
+                            };
+                            const userMsg = stripEnvelopeMetadata(extractText(lastUserMsg));
+                            const assistantMsg = extractText(lastAssistMsg);
+                            if (userMsg && assistantMsg) {
+                                liminal.enrichSession({
+                                    sessionId: state.sessionId,
+                                    groupId: liminalGroupId,
+                                    userMsg,
+                                    assistantMsg,
+                                }).catch(() => { });
+                            }
+                        }
+                        api.logger.info(`openclaw-memory-rebac: auto-captured ${conversationLines.length} messages to liminal (${liminalGroupId})`);
+                        return;
+                    }
+                    // Unified mode: store to primary with full SpiceDB write chain
                     const targetGroupId = state.sessionId
                         ? sessionGroupId(state.sessionId)
                         : backendDefaultGroupId;
@@ -839,10 +954,10 @@ const rebacMemoryPlugin = {
                 try {
                     const existing = await spicedb.readSchema();
                     spicedbOk = true;
-                    if (!existing || !existing.includes("memory_fragment")) {
-                        api.logger.info("openclaw-memory-rebac: writing SpiceDB schema (first run)");
-                        const schemaPath = join(dirname(fileURLToPath(import.meta.url)), "schema.zed");
-                        const schema = readFileSync(schemaPath, "utf-8");
+                    const schemaPath = join(dirname(fileURLToPath(import.meta.url)), "schema.zed");
+                    const schema = readFileSync(schemaPath, "utf-8");
+                    if (!existing || existing.trim() !== schema.trim()) {
+                        api.logger.info("openclaw-memory-rebac: writing SpiceDB schema (first run or update)");
                         await spicedb.writeSchema(schema);
                         api.logger.info("openclaw-memory-rebac: SpiceDB schema written successfully");
                     }

package/docker/evermemos/Dockerfile CHANGED Viewed

@@ -115,13 +115,6 @@ COPY supervisord.conf /etc/supervisor/conf.d/evermemos.conf
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
-# ---------------------------------------------------------------------------
-# Trace overlay: read-only endpoint for message_id → derived memory ObjectIds
-# Same pattern as Graphiti's startup.py overlay — extends our image, not upstream.
-# ---------------------------------------------------------------------------
-COPY trace_overlay.py /app/trace_overlay.py
-RUN echo 'from trace_overlay import router as _trace_router; app.include_router(_trace_router)' >> /app/src/app.py
 # ---------------------------------------------------------------------------
 # Healthcheck — verify the EverMemOS API responds
 # ---------------------------------------------------------------------------

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@contextableai/openclaw-memory-rebac",
-  "version": "0.4.2",
-  "description": "OpenClaw two-layer memory plugin: SpiceDB ReBAC authorization + pluggable storage (Graphiti, EverMemOS)",
+  "version": "0.5.1",
+  "description": "OpenClaw composite memory plugin: SpiceDB ReBAC authorization with Graphiti knowledge graph (primary) and optional EverMemOS liminal memory",
   "type": "module",
   "license": "MIT",
   "repository": {

package/docker/evermemos/trace_overlay.py DELETED Viewed

@@ -1,128 +0,0 @@
-"""
-Read-only tracing endpoint: message_id → derived memory ObjectIds.
-Mounted on the EverMemOS FastAPI app at startup via Dockerfile append.
-This is NOT a monkeypatch — it adds a new read-only endpoint to our Docker
-image, following the same pattern as the Graphiti startup.py overlay.
-Endpoint:
-    GET /api/v1/memories/trace/{message_id}
-Returns the MongoDB ObjectIds of all derived memories (episodic, foresight,
-event_log) produced from a given ingestion message. Used by the
-openclaw-memory-rebac plugin to write SpiceDB fragment relationships
-against the actual IDs that appear in search results.
-Response:
-    {
-        "message_id": "uuid-123",
-        "status": "complete|processing|not_found",
-        "memcell_ids": ["ObjectId-A"],
-        "derived_memories": {
-            "episodic_memory": ["ObjectId-B", ...],
-            "foresight": ["ObjectId-D", ...],
-            "event_log": ["ObjectId-E", ...],
-        },
-        "all_ids": ["ObjectId-B", "ObjectId-D", "ObjectId-E", ...]
-    }
-Uses pymongo (synchronous) since motor is not installed in EverMemOS.
-Blocking MongoDB calls are wrapped in asyncio.to_thread for FastAPI compat.
-"""
-import asyncio
-import os
-from pymongo import MongoClient
-from fastapi import APIRouter
-router = APIRouter(tags=["trace"])
-_db = None
-def _get_db():
-    global _db
-    if _db is None:
-        host = os.environ.get("MONGODB_HOST", "127.0.0.1")
-        port = os.environ.get("MONGODB_PORT", "27017")
-        username = os.environ.get("MONGODB_USERNAME", "")
-        password = os.environ.get("MONGODB_PASSWORD", "")
-        db_name = os.environ.get("MONGODB_DATABASE", "memsys")
-        if username and password:
-            mongo_uri = f"mongodb://{username}:{password}@{host}:{port}"
-        else:
-            mongo_uri = f"mongodb://{host}:{port}"
-        client = MongoClient(mongo_uri)
-        _db = client[db_name]
-    return _db
-def _trace_sync(message_id: str) -> dict:
-    """Synchronous MongoDB trace — run via asyncio.to_thread."""
-    db = _get_db()
-    # Step 1: Check if message_id exists in memory_request_logs
-    log_entry = db.memory_request_logs.find_one({"message_id": message_id})
-    if not log_entry:
-        return {
-            "message_id": message_id,
-            "status": "not_found",
-            "memcell_ids": [],
-            "derived_memories": {},
-            "all_ids": [],
-        }
-    # Step 2: Find memcell that contains this message_id in its original_data
-    # The message_id is stored at: original_data[*].messages[*].extend.message_id
-    memcell = db.memcells.find_one(
-        {"original_data.messages.extend.message_id": message_id}
-    )
-    if not memcell:
-        # Log exists but memcell not yet created — still in boundary detection
-        return {
-            "message_id": message_id,
-            "status": "processing",
-            "memcell_ids": [],
-            "derived_memories": {},
-            "all_ids": [],
-        }
-    memcell_id = str(memcell["_id"])
-    # Step 3: Query derived memory collections
-    derived = {
-        "episodic_memory": [],
-        "foresight": [],
-        "event_log": [],
-    }
-    for doc in db.episodic_memories.find(
-        {"memcell_event_id_list": memcell_id}, {"_id": 1}
-    ):
-        derived["episodic_memory"].append(str(doc["_id"]))
-    for doc in db.foresight_records.find(
-        {"parent_id": memcell_id, "parent_type": "memcell"}, {"_id": 1}
-    ):
-        derived["foresight"].append(str(doc["_id"]))
-    for doc in db.event_log_records.find(
-        {"parent_id": memcell_id, "parent_type": "memcell"}, {"_id": 1}
-    ):
-        derived["event_log"].append(str(doc["_id"]))
-    all_ids = [id_ for ids in derived.values() for id_ in ids]
-    status = "complete" if all_ids else "processing"
-    return {
-        "message_id": message_id,
-        "status": status,
-        "memcell_ids": [memcell_id],
-        "derived_memories": derived,
-        "all_ids": all_ids,
-    }
-@router.get("/api/v1/memories/trace/{message_id}")
-async def trace_message(message_id: str):
-    return await asyncio.to_thread(_trace_sync, message_id)