@cybermem/cli 0.6.13 → 0.7.7

package/templates/auth-sidecar/server.js

@@ -97,7 +97,7 @@ function isLocalRequest(req) {
 }
 
 // ForwardAuth handler
-const server = http.createServer((req, res) => {
+const server = http.createServer(async (req, res) => {
   // Health check
   if (req.url === "/health") {
     res.writeHead(200, { "Content-Type": "application/json" });
@@ -108,9 +108,22 @@ const server = http.createServer((req, res) => {
   const authHeader = req.headers["authorization"];
   const apiKeyHeader = req.headers["x-api-key"];
 
-  // 1. Check JWT (Authorization: Bearer <token>)
+  // 1. Check Bearer token (JWT or API Key)
   if (authHeader?.startsWith("Bearer ")) {
     const token = authHeader.substring(7);
+
+    // 1a. Check if Bearer token is actually an API key (MCP clients like Claude Desktop)
+    const expectedKey = loadApiKey();
+    if (expectedKey && token === expectedKey) {
+      console.log("Auth OK: Bearer API Key");
+      res.writeHead(200, {
+        "X-Auth-Method": "bearer-api-key",
+      });
+      res.end();
+      return;
+    }
+
+    // 1b. Try JWT RS256 validation
     const payload = validateJwt(token);
 
     if (payload) {
@@ -124,6 +137,45 @@ const server = http.createServer((req, res) => {
       res.end();
       return;
     }
+
+    // 1c. Try GitHub OAuth token verification
+    try {
+      const https = require("https");
+      const ghRes = await new Promise((resolve, reject) => {
+        const req = https.get(
+          "https://api.github.com/user",
+          {
+            headers: {
+              Authorization: `Bearer ${token}`,
+              "User-Agent": "CyberMem-Auth-Sidecar/1.0",
+              Accept: "application/vnd.github+json",
+            },
+          },
+          (res) => {
+            let data = "";
+            res.on("data", (chunk) => (data += chunk));
+            res.on("end", () => resolve({ status: res.statusCode, data }));
+          },
+        );
+        req.on("error", reject);
+        req.end();
+      });
+
+      if (ghRes.status === 200) {
+        const user = JSON.parse(ghRes.data);
+        console.log(`Auth OK: GitHub OAuth (${user.login})`);
+        res.writeHead(200, {
+          "X-User-Id": String(user.id),
+          "X-User-Email": user.email || "",
+          "X-User-Name": user.login,
+          "X-Auth-Method": "github-oauth",
+        });
+        res.end();
+        return;
+      }
+    } catch (err) {
+      // GitHub verification failed, continue to other methods
+    }
   }
 
   // 2. Check API Key (deprecated fallback)

package/templates/docker-compose.yml

@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
 # CyberMem - OpenMemory + DevOps monitoring stack
 # For local development only
 # Production deployment: use Helm chart (charts/cybermem/)
@@ -24,28 +25,53 @@ services:
       - traefik-logs:/var/log/traefik
     labels:
       - traefik.enable=true
+      - traefik.http.middlewares.auth-check.forwardauth.address=http://auth-sidecar:3001/auth
+      - traefik.http.middlewares.auth-check.forwardauth.authResponseHeaders=X-User-Id,X-User-Email,X-User-Name,X-Auth-Method
     restart: unless-stopped
 
   # MCP Server (Node.js/SDK)
   mcp-server:
+    build:
+      context: ../../mcp
+      dockerfile: Dockerfile
     image: ghcr.io/mikhailkogan17/cybermem-mcp:latest
+    # Note: platform omitted - docker auto-detects (amd64 for CI, arm64 for RPi)
     restart: unless-stopped
     container_name: cybermem-mcp
     environment:
+      OM_TIER: "hybrid"
       PORT: "8080"
+      OM_PORT: "0"
       OM_DB_PATH: /data/openmemory.sqlite
     volumes:
       - ${CYBERMEM_ENV_PATH:-${HOME}/.cybermem/.env}:/.env
       - ${HOME}/.cybermem/data:/data
+    depends_on:
+      - traefik
+      - auth-sidecar
     labels:
       - traefik.enable=true
-      - traefik.http.routers.mcp.rule=Host(`raspberrypi.local`) && (PathPrefix(`/mcp`) || PathPrefix(`/sse`))
+      # Middleware definitions (must be on a service that starts BEFORE routes reference them)
+      - traefik.http.middlewares.strip-cybermem.stripprefix.prefixes=/cybermem
+      # Authenticated routes
+      - traefik.http.routers.mcp.rule=PathPrefix(`/cybermem/mcp`) || PathPrefix(`/cybermem/sse`) || PathPrefix(`/mcp`) || PathPrefix(`/sse`)
       - traefik.http.routers.mcp.entrypoints=web
-      - traefik.http.services.mcp.loadbalancer.server.port=8080
+      - traefik.http.routers.mcp.priority=100
+      - traefik.http.routers.mcp.service=mcp-service
+      - traefik.http.routers.mcp.middlewares=auth-check,strip-cybermem
+      # Public routes (Health/Metrics)
+      - traefik.http.routers.mcp-public.rule=PathPrefix(`/cybermem/health`) || PathPrefix(`/cybermem/metrics`) || PathPrefix(`/health`) || PathPrefix(`/metrics`)
+      - traefik.http.routers.mcp-public.entrypoints=web
+      - traefik.http.routers.mcp-public.priority=100
+      - traefik.http.routers.mcp-public.service=mcp-service
+      - traefik.http.routers.mcp-public.middlewares=strip-cybermem
+      - traefik.http.services.mcp-service.loadbalancer.server.port=8080
       # Legacy API support (for simple REST clients)
-      - traefik.http.routers.legacy-api.rule=Host(`raspberrypi.local`) && (PathPrefix(`/add`) || PathPrefix(`/query`) || PathPrefix(`/all`))
+      - traefik.http.routers.legacy-api.rule=PathPrefix(`/cybermem/add`) || PathPrefix(`/cybermem/query`) || PathPrefix(`/cybermem/all`) || PathPrefix(`/add`) || PathPrefix(`/query`) || PathPrefix(`/all`)
       - traefik.http.routers.legacy-api.entrypoints=web
-      - traefik.http.services.legacy-api.loadbalancer.server.port=8080
+      - traefik.http.routers.legacy-api.priority=100
+      - traefik.http.routers.legacy-api.service=mcp-service
+      - traefik.http.routers.legacy-api.middlewares=auth-check,strip-cybermem
 
   # Auth sidecar for JWT/API key validation (ForwardAuth)
   auth-sidecar:
@@ -58,9 +84,6 @@ services:
       - ${CYBERMEM_ENV_PATH:-${HOME}/.cybermem/.env}:/.env:ro
     labels:
       - traefik.enable=true
-      # ForwardAuth middleware
-      - traefik.http.middlewares.auth-check.forwardauth.address=http://auth-sidecar:3001/auth
-      - traefik.http.middlewares.auth-check.forwardauth.authResponseHeaders=X-User-Id,X-User-Email,X-User-Name,X-Auth-Method
     healthcheck:
       test:
         [
@@ -76,9 +99,8 @@ services:
       retries: 3
     restart: unless-stopped
 
-  # NOTE: openmemory container REMOVED
-  # Memory now handled by @cybermem/mcp with embedded openmemory-js SDK
-  # SQLite stored at ~/.cybermem/data/openmemory.sqlite
+  # Memory engine (MCP + Persistence)
+  # Uses embedded SQLite stored at ~/.cybermem/data/openmemory.sqlite
 
   db-exporter:
     image: ghcr.io/mikhailkogan17/cybermem-db_exporter:latest
@@ -130,22 +152,6 @@ services:
     profiles:
       - postgres
 
-  postgres-exporter:
-    image: prometheuscommunity/postgres-exporter:v0.15.0
-    container_name: cybermem-postgres-exporter
-    environment:
-      DATA_SOURCE_NAME: postgresql://${PG_USER:-openmemory}:${PG_PASSWORD:-postgres}@postgres:5432/${PG_DB:-openmemory}?sslmode=disable
-      PG_EXPORTER_EXTEND_QUERY_PATH: /queries.yml
-    ports:
-      - "9187:9187"
-    volumes:
-      - ./monitoring/postgres_exporter/queries.yml:/queries.yml:ro
-    restart: unless-stopped
-    depends_on:
-      - postgres
-    profiles:
-      - postgres
-
   ollama:
     image: ollama/ollama:latest
     container_name: cybermem-ollama
@@ -157,55 +163,37 @@ services:
     profiles:
       - ollama
 
-  prometheus:
-    image: prom/prometheus:v2.48.0
-    container_name: cybermem-prometheus
-    command:
-      - --config.file=/etc/prometheus/prometheus.yml
-      - --storage.tsdb.path=/prometheus
-      - --storage.tsdb.retention.time=${PROM_RETENTION:-7d}
-      - --web.console.libraries=/usr/share/prometheus/console_libraries
-      - --web.console.templates=/usr/share/prometheus/consoles
-    ports:
-      - "9092:9090"
-    volumes:
-      - ./monitoring/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml:ro
-      - prometheus-data:/prometheus
-    restart: unless-stopped
-    depends_on:
-      - db-exporter
-
   dashboard:
     image: ghcr.io/mikhailkogan17/cybermem-dashboard:latest
+    # Note: platform omitted - docker auto-detects (amd64 for CI, arm64 for RPi)
     container_name: cybermem-dashboard
     environment:
       DB_EXPORTER_URL: http://db-exporter:8000
-      NEXT_PUBLIC_PROMETHEUS_URL: http://prometheus:9090
-      PROMETHEUS_URL: http://prometheus:9090
+      # Required for Health Check to find the MCP API internally
+      CYBERMEM_URL: http://mcp-server:8080
+      OM_DB_PATH: /data/openmemory.sqlite
       OM_API_KEY: ${OM_API_KEY:-dev-secret-key}
-      # WATCHPACK_POLLING: "true" # Enable if hot reload blocks (high CPU usage)
     ports:
       - "3000:3000"
     volumes:
-      - openmemory-data:/data
+      - ${HOME}/.cybermem/data:/data
       - /var/run/docker.sock:/var/run/docker.sock
       - ${CYBERMEM_ENV_PATH:-${HOME}/.cybermem/.env}:/app/shared.env
     labels:
       - traefik.enable=true
       # Dashboard route: /cybermem -> dashboard on port 3000
       - traefik.http.routers.dashboard.entrypoints=web
-      - traefik.http.routers.dashboard.rule=PathPrefix(`/cybermem`)
-      - traefik.http.routers.dashboard.middlewares=strip-cybermem
-      - traefik.http.middlewares.strip-cybermem.stripprefix.prefixes=/cybermem
+      - traefik.http.routers.dashboard.rule=PathPrefix(`/cybermem`) && !PathPrefix(`/cybermem/mcp`) && !PathPrefix(`/cybermem/health`)
+      - traefik.http.routers.dashboard.priority=10
+      - traefik.http.routers.dashboard.middlewares=auth-check,strip-cybermem
       - traefik.http.services.dashboard.loadbalancer.server.port=3000
     restart: unless-stopped
     depends_on:
-      - prometheus
       - db-exporter
 
 volumes:
   openmemory-data:
-    name: cybermem-openmemory-data
+    name: cybermem-data
     driver: local
   postgres-data:
     name: cybermem-postgres-data
@@ -213,9 +201,6 @@ volumes:
   ollama-models:
     name: cybermem-ollama-models
     driver: local
-  prometheus-data:
-    name: cybermem-prometheus-data
-    driver: local
   traefik-logs:
     name: cybermem-traefik-logs
     driver: local

package/templates/envs/local.env

@@ -0,0 +1,17 @@
+# Environment: LOCAL (Dev)
+# No API key required for localhost access.
+# Used by: npx @cybermem/cli init --local
+
+# Application Settings
+LOG_LEVEL=info
+NEXT_PUBLIC_APP_URL=http://localhost:3000
+
+# Database (SQLite)
+# OM_DB_PATH is mounted to /data/openmemory.sqlite in Docker
+
+# Security
+# OM_API_KEY is intentionally empty for local development to bypass auth.
+OM_API_KEY=
+
+# Optional: Add your OpenAI Key if using cloud embeddings
+# OPENAI_API_KEY=

package/templates/envs/rpi-tailscale.env

@@ -0,0 +1,23 @@
+# Environment: RPi + Tailscale (Remote Access)
+# Secured via Tailscale Funnel.
+# Used by: npx @cybermem/cli init --rpi --remote-access
+
+# Application Settings
+LOG_LEVEL=info
+
+# Database (SQLite)
+# OM_DB_PATH is mounted to /data/openmemory.sqlite in Docker
+
+# Security
+# GENERATED AUTOMATICALLY BY CLI
+OM_API_KEY=
+
+# Tailscale Configuration
+# Ensure "tailscale serve" is running (handled by CLI)
+TS_HOSTNAME=raspberrypi
+
+# Dashboard
+NEXT_PUBLIC_APP_URL=https://raspberrypi.tailnet-name.ts.net
+
+# Optional: Local LLM
+OLLAMA_URL=http://ollama:11434

package/templates/envs/rpi.env

@@ -0,0 +1,22 @@
+# Environment: RPi (Local Network)
+# Internal API key required.
+# Used by: npx @cybermem/cli init --rpi
+
+# Application Settings
+LOG_LEVEL=info
+
+# Database (SQLite)
+# OM_DB_PATH is mounted to /data/openmemory.sqlite in Docker
+
+# Security
+# GENERATED AUTOMATICALLY BY CLI
+# DO NOT SHARE THIS KEY. It is for internal service communication.
+OM_API_KEY=
+
+# Dashboard
+# Clients connecting via MCP must use OAuth or this key (if configured for direct access).
+# OAUTH_CLIENT_ID=...
+# OAUTH_CLIENT_SECRET=...
+
+# Optional: Local LLM
+OLLAMA_URL=http://ollama:11434

package/templates/envs/vps.env

@@ -0,0 +1,29 @@
+# Environment: VPS (Public Cloud)
+# High security setup.
+# Used by: npx @cybermem/cli init --vps
+
+# Application Settings
+LOG_LEVEL=warn
+# Set your domain here
+NEXT_PUBLIC_APP_URL=https://cybermem.yourdomain.com
+
+# Database (PostgreSQL recommended for VPS, but SQLite default)
+# To use Postgres:
+# DB_TYPE=postgres
+# POSTGRES_URL=postgresql://user:pass@db:5432/cybermem
+
+# Security
+# GENERATED AUTOMATICALLY BY CLI
+OM_API_KEY=
+
+# Auth Sidecar (JWT)
+# Generate a random secret: openssl rand -hex 32
+JWT_SECRET=
+JWT_PRIVATE_KEY=
+
+# GitHub OAuth (Recommended for dashboard access)
+OAUTH_CLIENT_ID=
+OAUTH_CLIENT_SECRET=
+
+# OpenAI (Recommended for VPS performance)
+OPENAI_API_KEY=

package/templates/monitoring/db_exporter/exporter.py

@@ -123,11 +123,16 @@ def collect_metrics():
             FROM memories
             GROUP BY user_id
         """)
-        for row in cursor.fetchall():
-            client = row["client"] or "anonymous"
-            memories_total.labels(client=client).set(row["count"])
+        rows = cursor.fetchall()
+        if not rows:
+            # Emit a default anonymous:0 if no data
+            memories_total.labels(client="anonymous").set(0)
+        else:
+            for row in rows:
+                client = row["client"] or "anonymous"
+                memories_total.labels(client=client).set(row["count"])
 
-        logger.debug(f"Collected total memories for {cursor.rowcount} clients")
+        logger.debug(f"Collected total memories for {len(rows)} clients")
 
         # Metric 2: Recent memories (24h)
         # Note: created_at is stored as milliseconds since epoch

package/templates/envs/local.example

@@ -1,27 +0,0 @@
-# Example environment configuration
-# Copy to .env and customize
-
-# Embeddings provider: ollama (local) or openai (cloud)
-EMBEDDINGS_PROVIDER=ollama
-OLLAMA_URL=http://ollama:11434
-OPENAI_API_KEY=
-
-# Database backend: sqlite (local/rpi) or postgres (vps)
-DB_BACKEND=sqlite
-DB_PATH=/data/openmemory.sqlite
-VECTOR_BACKEND=sqlite
-
-# PostgreSQL settings (only for DB_BACKEND=postgres)
-PG_HOST=postgres
-PG_PORT=5432
-PG_DB=openmemory
-PG_USER=openmemory
-PG_PASSWORD=change-me
-
-# OpenMemory API key (Optional for local mode)
-# OM_API_KEY=
-
-# Monitoring
-PROM_RETENTION=7d
-GRAFANA_USER=admin
-GRAFANA_PASSWORD=admin

package/templates/envs/rpi.example

@@ -1,27 +0,0 @@
-# Raspberry Pi environment
-# Optimized for low memory (1GB total)
-DOCKER_PLATFORM=linux/arm64
-
-
-# Embeddings (use Ollama with small models)
-EMBEDDINGS_PROVIDER=ollama
-OLLAMA_URL=http://ollama:11434
-OPENAI_API_KEY=
-
-# Database (SQLite for RPi - low memory footprint)
-DB_BACKEND=sqlite
-DB_PATH=/data/openmemory.sqlite
-
-# PostgreSQL (not used)
-PG_HOST=postgres
-PG_DB=openmemory
-PG_USER=openmemory
-PG_PASSWORD=not-used
-
-# OpenMemory
-OM_API_KEY=key-change-me
-
-# Monitoring (short retention for disk space)
-PROM_RETENTION=3d
-GRAFANA_USER=admin
-GRAFANA_PASSWORD=admin

package/templates/envs/vps.example

@@ -1,25 +0,0 @@
-# VPS production environment
-# For Hetzner CX22 or similar (2 vCPU, 4GB RAM)
-
-# Embeddings (use OpenAI for production)
-EMBEDDINGS_PROVIDER=openai
-OPENAI_API_KEY=sk-change-me-in-production
-OLLAMA_URL=
-
-# Database (PostgreSQL for production)
-DB_BACKEND=postgres
-VECTOR_BACKEND=postgres
-
-# PostgreSQL
-PG_HOST=postgres
-PG_DB=openmemory
-PG_USER=openmemory
-PG_PASSWORD=change-me-in-production-use-secrets
-
-# OpenMemory
-OM_API_KEY=change-me-in-production-use-secrets
-
-# Monitoring
-PROM_RETENTION=30d
-GRAFANA_USER=admin
-GRAFANA_PASSWORD=change-me-in-production-use-secrets